Diffstat (limited to 'vendor/github.com/seccomp/libseccomp-golang')
5 files changed, 31 insertions, 492 deletions
diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
index 5240d4622..feef144d1 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
+++ b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
@@ -19,39 +19,19 @@ os:
 language: go
-jobs:
- include:
- - name: "last libseccomp 2.5.0"
- env:
- - SECCOMP_VER=2.5.0
- - SECCOMP_SHA256SUM=1ffa7038d2720ad191919816db3479295a4bcca1ec14e02f672539f4983014f3
- - name: "compat libseccomp 2.4.4"
- env:
- - SECCOMP_VER=2.4.4
- - SECCOMP_SHA256SUM=4e79738d1ef3c9b7ca9769f1f8b8d84fc17143c2c1c432e53b9c64787e0ff3eb
- - name: "compat libseccomp 2.2.1"
- env:
- - SECCOMP_VER=2.2.1
- - SECCOMP_SHA256SUM=0ba1789f54786c644af54cdffc9fd0dd0a8bb2b2ee153933f658855d2851a740
-
 addons:
 apt:
 packages:
 - build-essential
- - astyle
- - golint
- - gperf
+ # TODO: use the main libseccomp git repo instead of a distro package
+ - libseccomp2
+ - libseccomp-dev
 install:
- go get -u golang.org/x/lint/golint
 # run all of the tests independently, fail if any of the tests error
 script:
- - wget https://github.com/seccomp/libseccomp/releases/download/v$SECCOMP_VER/libseccomp-$SECCOMP_VER.tar.gz
- - echo $SECCOMP_SHA256SUM libseccomp-$SECCOMP_VER.tar.gz | sha256sum -c
- - tar xf libseccomp-$SECCOMP_VER.tar.gz
- - pushd libseccomp-$SECCOMP_VER && ./configure --prefix=/opt/libseccomp-$SECCOMP_VER && make && sudo make install && popd
 - make check-syntax
 - make lint
- - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make vet
- - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make test
+ - make check
diff --git a/vendor/github.com/seccomp/libseccomp-golang/Makefile b/vendor/github.com/seccomp/libseccomp-golang/Makefile
index 38cfa852c..1ff4cc898 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/Makefile
+++ b/vendor/github.com/seccomp/libseccomp-golang/Makefile
@@ -18,14 +18,8 @@ fix-syntax:
 vet:
 go vet -v
-# Previous bugs have made the tests freeze until the timeout. Golang default
-# timeout for tests is 10 minutes, which is too long, considering current tests
-# can be executed in less than 1 second. Reduce the timeout, so problems can
-# be noticed earlier in the CI.
-TEST_TIMEOUT=10s
 test:
- go test -v -timeout $(TEST_TIMEOUT)
+ go test -v
 lint:
 @$(if $(shell which golint),true,$(error "install golint and include it in your PATH"))
diff --git a/vendor/github.com/seccomp/libseccomp-golang/README.md b/vendor/github.com/seccomp/libseccomp-golang/README.md
index 806a5ddf2..27423f2d9 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/README.md
+++ b/vendor/github.com/seccomp/libseccomp-golang/README.md
@@ -2,7 +2,7 @@
 ===============================================================================
 https://github.com/seccomp/libseccomp-golang
-[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/main.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
+[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/master.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
 The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
index e9b92e221..e489b9ebd 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
@@ -20,13 +20,6 @@ import (
 // C wrapping code
-// To compile libseccomp-golang against a specific version of libseccomp:
-// cd ../libseccomp && mkdir -p prefix
-// ./configure --prefix=$PWD/prefix && make && make install
-// cd ../libseccomp-golang
-// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
-// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
-
 // #cgo pkg-config: libseccomp
 // #include <stdlib.h>
 // #include <seccomp.h>
@@ -41,25 +34,19 @@ type VersionError struct {
 minimum string
 }
-func init() {
- // This forces the cgo libseccomp to initialize its internal API support state,
- // which is necessary on older versions of libseccomp in order to work
- // correctly.
- GetAPI()
-}
-
 func (e VersionError) Error() string {
- messageStr := ""
+ format := "Libseccomp version too low: "
 if e.message != "" {
- messageStr = e.message + ": "
+ format += e.message + ": "
 }
- minimumStr := ""
+ format += "minimum supported is "
 if e.minimum != "" {
- minimumStr = e.minimum
+ format += e.minimum + ": "
 } else {
- minimumStr = "2.2.0"
+ format += "2.2.0: "
 }
- return fmt.Sprintf("Libseccomp version too low: %sminimum supported is %s: detected %d.%d.%d", messageStr, minimumStr, verMajor, verMinor, verMicro)
+ format += "detected %d.%d.%d"
+ return fmt.Sprintf(format, verMajor, verMinor, verMicro)
 }
 // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
@@ -82,61 +69,9 @@ type ScmpCondition struct {
 Operand2 uint64 `json:"operand_two,omitempty"`
 }
-// Seccomp userspace notification structures associated with filters that use the ActNotify action.
-
-// ScmpSyscall identifies a Linux System Call by its number.
+// ScmpSyscall represents a Linux System Call
 type ScmpSyscall int32
-// ScmpFd represents a file-descriptor used for seccomp userspace notifications.
-type ScmpFd int32
-
-// ScmpNotifData describes the system call context that triggered a notification.
-//
-// Syscall: the syscall number
-// Arch: the filter architecture
-// InstrPointer: address of the instruction that triggered a notification
-// Args: arguments (up to 6) for the syscall
-//
-type ScmpNotifData struct {
- Syscall ScmpSyscall `json:"syscall,omitempty"`
- Arch ScmpArch `json:"arch,omitempty"`
- InstrPointer uint64 `json:"instr_pointer,omitempty"`
- Args []uint64 `json:"args,omitempty"`
-}
-
-// ScmpNotifReq represents a seccomp userspace notification. See NotifReceive() for
-// info on how to pull such a notification.
-//
-// ID: notification ID
-// Pid: process that triggered the notification event
-// Flags: filter flags (see seccomp(2))
-// Data: system call context that triggered the notification
-//
-type ScmpNotifReq struct {
- ID uint64 `json:"id,omitempty"`
- Pid uint32 `json:"pid,omitempty"`
- Flags uint32 `json:"flags,omitempty"`
- Data ScmpNotifData `json:"data,omitempty"`
-}
-
-// ScmpNotifResp represents a seccomp userspace notification response. See NotifRespond()
-// for info on how to push such a response.
-//
-// ID: notification ID (must match the corresponding ScmpNotifReq ID)
-// Error: must be 0 if no error occurred, or an error constant from package
-// syscall (e.g., syscall.EPERM, etc). In the latter case, it's used
-// as an error return from the syscall that created the notification.
-// Val: return value for the syscall that created the notification. Only
-// relevant if Error is 0.
-// Flags: userspace notification response flag (e.g., NotifRespFlagContinue)
-//
-type ScmpNotifResp struct {
- ID uint64 `json:"id,omitempty"`
- Error int32 `json:"error,omitempty"`
- Val uint64 `json:"val,omitempty"`
- Flags uint32 `json:"flags,omitempty"`
-}
-
 // Exported Constants
 const (
@@ -182,10 +117,6 @@ const (
 ArchS390 ScmpArch = iota
 // ArchS390X represents 64-bit System z/390 syscalls
 ArchS390X ScmpArch = iota
- // ArchPARISC represents 32-bit PA-RISC
- ArchPARISC ScmpArch = iota
- // ArchPARISC64 represents 64-bit PA-RISC
- ArchPARISC64 ScmpArch = iota
 )
 const (
@@ -199,9 +130,6 @@ const (
 ActKill ScmpAction = iota
 // ActTrap throws SIGSYS
 ActTrap ScmpAction = iota
- // ActNotify triggers a userspace notification. This action is only usable when
- // libseccomp API level 6 or higher is supported.
- ActNotify ScmpAction = iota
 // ActErrno causes the syscall to return a negative error code. This
 // code can be set with the SetReturnCode method
 ActErrno ScmpAction = iota
@@ -253,21 +181,6 @@ const (
 CompareMaskedEqual ScmpCompareOp = iota
 )
-var (
- // ErrSyscallDoesNotExist represents an error condition where
- // libseccomp is unable to resolve the syscall
- ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name")
-)
-
-const (
- // Userspace notification response flags
-
- // NotifRespFlagContinue tells the kernel to continue executing the system
- // call that triggered the notification. Must only be used when the notication
- // response's error is 0.
- NotifRespFlagContinue uint32 = 1
-)
-
 // Helpers for types
 // GetArchFromString returns an ScmpArch constant from a string representing an
@@ -310,10 +223,6 @@ func GetArchFromString(arch string) (ScmpArch, error) {
 return ArchS390, nil
 case "s390x":
 return ArchS390X, nil
- case "parisc":
- return ArchPARISC, nil
- case "parisc64":
- return ArchPARISC64, nil
 default:
 return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
 }
@@ -354,10 +263,6 @@ func (a ScmpArch) String() string {
 return "s390"
 case ArchS390X:
 return "s390x"
- case ArchPARISC:
- return "parisc"
- case ArchPARISC64:
- return "parisc64"
 case ArchNative:
 return "native"
 case ArchInvalid:
@@ -405,8 +310,6 @@ func (a ScmpAction) String() string {
 case ActTrace:
 return fmt.Sprintf("Action: Notify tracing processes with code %d", (a >> 16))
- case ActNotify:
- return "Action: Notify userspace"
 case ActLog:
 return "Action: Log system call"
 case ActAllow:
@@ -446,7 +349,7 @@ func GetLibraryVersion() (major, minor, micro uint) {
 // Returns a positive int containing the API level, or 0 with an error if the
 // API level could not be detected due to the library being older than v2.4.0.
 // See the seccomp_api_get(3) man page for details on available API levels:
-// https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_api_get.3
+// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
 func GetAPI() (uint, error) {
 return getAPI()
 }
@@ -456,7 +359,7 @@ func GetAPI() (uint, error) {
 // Returns an error if the API level could not be set. An error is always
 // returned if the library is older than v2.4.0
 // See the seccomp_api_get(3) man page for details on available API levels:
-// https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_api_get.3
+// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
 func SetAPI(api uint) error {
 return setAPI(api)
 }
@@ -483,7 +386,7 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
 cString := C.seccomp_syscall_resolve_num_arch(arch.toNative(), C.int(s))
 if cString == nil {
- return "", ErrSyscallDoesNotExist
+ return "", fmt.Errorf("could not resolve syscall name for %#x", int32(s))
 }
 defer C.free(unsafe.Pointer(cString))
@@ -506,7 +409,7 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
 result := C.seccomp_syscall_resolve_name(cString)
 if result == scmpError {
- return 0, ErrSyscallDoesNotExist
+ return 0, fmt.Errorf("could not resolve name to syscall: %q", name)
 }
 return ScmpSyscall(result), nil
@@ -530,7 +433,7 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
 result := C.seccomp_syscall_resolve_name_arch(arch.toNative(), cString)
 if result == scmpError {
- return 0, ErrSyscallDoesNotExist
+ return 0, fmt.Errorf("could not resolve name to syscall: %q on %v", name, arch)
 }
 return ScmpSyscall(result), nil
@@ -603,10 +506,11 @@ type ScmpFilter struct {
 lock sync.Mutex
 }
-// NewFilter creates and returns a new filter context. Accepts a default action to be
-// taken for syscalls which match no rules in the filter.
-// Returns a reference to a valid filter context, or nil and an error
-// if the filter context could not be created or an invalid default action was given.
+// NewFilter creates and returns a new filter context.
+// Accepts a default action to be taken for syscalls which match no rules in
+// the filter.
+// Returns a reference to a valid filter context, or nil and an error if the
+// filter context could not be created or an invalid default action was given.
 func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
 if err := ensureSupportedVersion(); err != nil {
 return nil, err
@@ -626,8 +530,8 @@ func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
 filter.valid = true
 runtime.SetFinalizer(filter, filterFinalizer)
- // Enable TSync so all goroutines will receive the same rules.
- // If the kernel does not support TSYNC, allow us to continue without error.
+ // Enable TSync so all goroutines will receive the same rules
+ // If the kernel does not support TSYNC, allow us to continue without error
 if err := filter.setFilterAttr(filterAttrTsync, 0x1); err != nil && err != syscall.ENOTSUP {
 filter.Release()
 return nil, fmt.Errorf("could not create filter - error setting tsync bit: %v", err)
@@ -874,9 +778,8 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
 func (f *ScmpFilter) GetLogBit() (bool, error) {
 log, err := f.getFilterAttr(filterAttrLog)
 if err != nil {
- // Ignore error, if not supported returns apiLevel == 0
- apiLevel, _ := GetAPI()
- if apiLevel < 3 {
+ api, apiErr := getAPI()
+ if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
 return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
 }
@@ -890,30 +793,6 @@ func (f *ScmpFilter) GetLogBit() (bool, error) {
 return true, nil
 }
-// GetSSB returns the current state the SSB bit will be set to on the filter
-// being loaded, or an error if an issue was encountered retrieving the value.
-// The SSB bit tells the kernel that a seccomp user is not interested in enabling
-// Speculative Store Bypass mitigation.
-// The SSB bit is only usable when libseccomp API level 4 or higher is
-// supported.
-func (f *ScmpFilter) GetSSB() (bool, error) {
- ssb, err := f.getFilterAttr(filterAttrSSB)
- if err != nil {
- api, apiErr := getAPI()
- if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
- return false, fmt.Errorf("getting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
- }
-
- return false, err
- }
-
- if ssb == 0 {
- return false, nil
- }
-
- return true, nil
-}
-
 // SetBadArchAction sets the default action taken on a syscall for an
 // architecture not in the filter, or an error if an issue was encountered
 // setting the value.
@@ -953,32 +832,9 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
 err := f.setFilterAttr(filterAttrLog, toSet)
 if err != nil {
- // Ignore error, if not supported returns apiLevel == 0
- apiLevel, _ := GetAPI()
- if apiLevel < 3 {
- return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
- }
- }
-
- return err
-}
-
-// SetSSB sets the state of the SSB bit, which will be applied on filter
-// load, or an error if an issue was encountered setting the value.
-// The SSB bit is only usable when libseccomp API level 4 or higher is
-// supported.
-func (f *ScmpFilter) SetSSB(state bool) error {
- var toSet C.uint32_t = 0x0
-
- if state {
- toSet = 0x1
- }
-
- err := f.setFilterAttr(filterAttrSSB, toSet)
- if err != nil {
 api, apiErr := getAPI()
- if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
- return fmt.Errorf("setting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
+ if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
+ return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
 }
 }
@@ -1091,36 +947,3 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error {
 return nil
 }
-
-// Userspace Notification API
-
-// GetNotifFd returns the userspace notification file descriptor associated with the given
-// filter context. Such a file descriptor is only valid after the filter has been loaded
-// and only when the filter uses the ActNotify action. The file descriptor can be used to
-// retrieve and respond to notifications associated with the filter (see NotifReceive(),
-// NotifRespond(), and NotifIDValid()).
-func (f *ScmpFilter) GetNotifFd() (ScmpFd, error) {
- return f.getNotifFd()
-}
-
-// NotifReceive retrieves a seccomp userspace notification from a filter whose ActNotify
-// action has triggered. The caller is expected to process the notification and return a
-// response via NotifRespond(). Each invocation of this function returns one
-// notification. As multiple notifications may be pending at any time, this function is
-// normally called within a polling loop.
-func NotifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
- return notifReceive(fd)
-}
-
-// NotifRespond responds to a notification retrieved via NotifReceive(). The response Id
-// must match that of the corresponding notification retrieved via NotifReceive().
-func NotifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
- return notifRespond(fd, scmpResp)
-}
-
-// NotifIDValid checks if a notification is still valid. An return value of nil means the
-// notification is still valid. Otherwise the notification is not valid. This can be used
-// to mitigate time-of-check-time-of-use (TOCTOU) attacks as described in seccomp_notify_id_valid(2).
-func NotifIDValid(fd ScmpFd, id uint64) error {
- return notifIDValid(fd, id)
-}
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
index 8dc7b296f..0982e930f 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
@@ -14,13 +14,6 @@ import (
 // Get the seccomp header in scope
 // Need stdlib.h for free() on cstrings
-// To compile libseccomp-golang against a specific version of libseccomp:
-// cd ../libseccomp && mkdir -p prefix
-// ./configure --prefix=$PWD/prefix && make && make install
-// cd ../libseccomp-golang
-// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
-// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
-
 // #cgo pkg-config: libseccomp
 /*
 #include <errno.h>
@@ -57,14 +50,6 @@ const uint32_t C_ARCH_BAD = ARCH_BAD;
 #define SCMP_ARCH_S390X ARCH_BAD
 #endif
-#ifndef SCMP_ARCH_PARISC
-#define SCMP_ARCH_PARISC ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_PARISC64
-#define SCMP_ARCH_PARISC64 ARCH_BAD
-#endif
-
 const uint32_t C_ARCH_NATIVE = SCMP_ARCH_NATIVE;
 const uint32_t C_ARCH_X86 = SCMP_ARCH_X86;
 const uint32_t C_ARCH_X86_64 = SCMP_ARCH_X86_64;
@@ -82,8 +67,6 @@ const uint32_t C_ARCH_PPC64 = SCMP_ARCH_PPC64;
 const uint32_t C_ARCH_PPC64LE = SCMP_ARCH_PPC64LE;
 const uint32_t C_ARCH_S390 = SCMP_ARCH_S390;
 const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
-const uint32_t C_ARCH_PARISC = SCMP_ARCH_PARISC;
-const uint32_t C_ARCH_PARISC64 = SCMP_ARCH_PARISC64;
 #ifndef SCMP_ACT_LOG
 #define SCMP_ACT_LOG 0x7ffc0000U
@@ -97,10 +80,6 @@ const uint32_t C_ARCH_PARISC64 = SCMP_ARCH_PARISC64;
 #define SCMP_ACT_KILL_THREAD 0x00000000U
 #endif
-#ifndef SCMP_ACT_NOTIFY
-#define SCMP_ACT_NOTIFY 0x7fc00000U
-#endif
-
 const uint32_t C_ACT_KILL = SCMP_ACT_KILL;
 const uint32_t C_ACT_KILL_PROCESS = SCMP_ACT_KILL_PROCESS;
 const uint32_t C_ACT_KILL_THREAD = SCMP_ACT_KILL_THREAD;
@@ -109,7 +88,6 @@ const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
 const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
 const uint32_t C_ACT_LOG = SCMP_ACT_LOG;
 const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW;
-const uint32_t C_ACT_NOTIFY = SCMP_ACT_NOTIFY;
 // The libseccomp SCMP_FLTATR_CTL_LOG member of the scmp_filter_attr enum was
 // added in v2.4.0
@@ -117,16 +95,12 @@ const uint32_t C_ACT_NOTIFY = SCMP_ACT_NOTIFY;
 (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4)
 #define SCMP_FLTATR_CTL_LOG _SCMP_FLTATR_MIN
 #endif
-#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5
-#define SCMP_FLTATR_CTL_SSB _SCMP_FLTATR_MIN
-#endif
 const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT;
 const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH;
 const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP;
 const uint32_t C_ATTRIBUTE_TSYNC = (uint32_t)SCMP_FLTATR_CTL_TSYNC;
 const uint32_t C_ATTRIBUTE_LOG = (uint32_t)SCMP_FLTATR_CTL_LOG;
-const uint32_t C_ATTRIBUTE_SSB = (uint32_t)SCMP_FLTATR_CTL_SSB;
 const int C_CMP_NE = (int)SCMP_CMP_NE;
 const int C_CMP_LT = (int)SCMP_CMP_LT;
@@ -215,51 +189,6 @@ void add_struct_arg_cmp(
 return;
 }
-
-// The seccomp notify API functions were added in v2.5.0
-#if (SCMP_VER_MAJOR < 2) || \
- (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5)
-
-struct seccomp_data {
- int nr;
- __u32 arch;
- __u64 instruction_pointer;
- __u64 args[6];
-};
-
-struct seccomp_notif {
- __u64 id;
- __u32 pid;
- __u32 flags;
- struct seccomp_data data;
-};
-
-struct seccomp_notif_resp {
- __u64 id;
- __s64 val;
- __s32 error;
- __u32 flags;
-};
-
-int seccomp_notify_alloc(struct seccomp_notif **req, struct seccomp_notif_resp **resp) {
- return -EOPNOTSUPP;
-}
-int seccomp_notify_fd(const scmp_filter_ctx ctx) {
- return -EOPNOTSUPP;
-}
-void seccomp_notify_free(struct seccomp_notif *req, struct seccomp_notif_resp *resp) {
-}
-int seccomp_notify_id_valid(int fd, uint64_t id) {
- return -EOPNOTSUPP;
-}
-int seccomp_notify_receive(int fd, struct seccomp_notif *req) {
- return -EOPNOTSUPP;
-}
-int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp) {
- return -EOPNOTSUPP;
-}
-
-#endif
 */
 import "C"
@@ -274,7 +203,6 @@ const (
 filterAttrNNP scmpFilterAttr = iota
 filterAttrTsync scmpFilterAttr = iota
 filterAttrLog scmpFilterAttr = iota
- filterAttrSSB scmpFilterAttr = iota
 )
 const (
@@ -282,7 +210,7 @@ const (
 scmpError C.int = -1
 // Comparison boundaries to check for architecture validity
 archStart ScmpArch = ArchNative
- archEnd ScmpArch = ArchPARISC64
+ archEnd ScmpArch = ArchS390X
 // Comparison boundaries to check for action validity
 actionStart ScmpAction = ActKill
 actionEnd ScmpAction = ActKillProcess
@@ -532,10 +460,6 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) {
 return ArchS390, nil
 case C.C_ARCH_S390X:
 return ArchS390X, nil
- case C.C_ARCH_PARISC:
- return ArchPARISC, nil
- case C.C_ARCH_PARISC64:
- return ArchPARISC64, nil
 default:
 return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a))
 }
@@ -576,10 +500,6 @@ func (a ScmpArch) toNative() C.uint32_t {
 return C.C_ARCH_S390
 case ArchS390X:
 return C.C_ARCH_S390X
- case ArchPARISC:
- return C.C_ARCH_PARISC
- case ArchPARISC64:
- return C.C_ARCH_PARISC64
 case ArchNative:
 return C.C_ARCH_NATIVE
 default:
@@ -628,8 +548,6 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
 return ActLog, nil
 case C.C_ACT_ALLOW:
 return ActAllow, nil
- case C.C_ACT_NOTIFY:
- return ActNotify, nil
 default:
 return 0x0, fmt.Errorf("unrecognized action %#x", uint32(a))
 }
@@ -654,8 +572,6 @@ func (a ScmpAction) toNative() C.uint32_t {
 return C.C_ACT_LOG
 case ActAllow:
 return C.C_ACT_ALLOW
- case ActNotify:
- return C.C_ACT_NOTIFY
 default:
 return 0x0
 }
@@ -674,181 +590,7 @@ func (a scmpFilterAttr) toNative() uint32 {
 return uint32(C.C_ATTRIBUTE_TSYNC)
 case filterAttrLog:
 return uint32(C.C_ATTRIBUTE_LOG)
- case filterAttrSSB:
- return uint32(C.C_ATTRIBUTE_SSB)
 default:
 return 0x0
 }
 }
-
-func (a ScmpSyscall) toNative() C.uint32_t {
- return C.uint32_t(a)
-}
-
-func syscallFromNative(a C.int) ScmpSyscall {
- return ScmpSyscall(a)
-}
-
-func notifReqFromNative(req *C.struct_seccomp_notif) (*ScmpNotifReq, error) {
- scmpArgs := make([]uint64, 6)
- for i := 0; i < len(scmpArgs); i++ {
- scmpArgs[i] = uint64(req.data.args[i])
- }
-
- arch, err := archFromNative(req.data.arch)
- if err != nil {
- return nil, err
- }
-
- scmpData := ScmpNotifData{
- Syscall: syscallFromNative(req.data.nr),
- Arch: arch,
- InstrPointer: uint64(req.data.instruction_pointer),
- Args: scmpArgs,
- }
-
- scmpReq := &ScmpNotifReq{
- ID: uint64(req.id),
- Pid: uint32(req.pid),
- Flags: uint32(req.flags),
- Data: scmpData,
- }
-
- return scmpReq, nil
-}
-
-func (scmpResp *ScmpNotifResp) toNative(resp *C.struct_seccomp_notif_resp) {
- resp.id = C.__u64(scmpResp.ID)
- resp.val = C.__s64(scmpResp.Val)
- resp.error = (C.__s32(scmpResp.Error) * -1) // kernel requires a negated value
- resp.flags = C.__u32(scmpResp.Flags)
-}
-
-// Userspace Notification API
-// Calls to C.seccomp_notify* hidden from seccomp.go
-
-func (f *ScmpFilter) getNotifFd() (ScmpFd, error) {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return -1, errBadFilter
- }
-
- // Ignore error, if not supported returns apiLevel == 0
- apiLevel, _ := GetAPI()
- if apiLevel < 6 {
- return -1, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
- }
-
- fd := C.seccomp_notify_fd(f.filterCtx)
-
- return ScmpFd(fd), nil
-}
-
-func notifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
- var req *C.struct_seccomp_notif
- var resp *C.struct_seccomp_notif_resp
-
- // Ignore error, if not supported returns apiLevel == 0
- apiLevel, _ := GetAPI()
- if
apiLevel < 6 {
- return nil, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
- }
-
- // we only use the request here; the response is unused
- if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 {
- return nil, errRc(retCode)
- }
-
- defer func() {
- C.seccomp_notify_free(req, resp)
- }()
-
- for {
- retCode, errno := C.seccomp_notify_receive(C.int(fd), req)
- if retCode == 0 {
- break
- }
-
- if errno == syscall.EINTR {
- continue
- }
-
- if errno == syscall.ENOENT {
- return nil, errno
- }
-
- return nil, errRc(retCode)
- }
-
- return notifReqFromNative(req)
-}
-
-func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
- var req *C.struct_seccomp_notif
- var resp *C.struct_seccomp_notif_resp
-
- // Ignore error, if not supported returns apiLevel == 0
- apiLevel, _ := GetAPI()
- if apiLevel < 6 {
- return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
- }
-
- // we only use the reponse here; the request is discarded
- if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 {
- return errRc(retCode)
- }
-
- defer func() {
- C.seccomp_notify_free(req, resp)
- }()
-
- scmpResp.toNative(resp)
-
- for {
- retCode, errno := C.seccomp_notify_respond(C.int(fd), resp)
- if retCode == 0 {
- break
- }
-
- if errno == syscall.EINTR {
- continue
- }
-
- if errno == syscall.ENOENT {
- return errno
- }
-
- return errRc(retCode)
- }
-
- return nil
-}
-
-func notifIDValid(fd ScmpFd, id uint64) error {
- // Ignore error, if not supported returns apiLevel == 0
- apiLevel, _ := GetAPI()
- if apiLevel < 6 {
- return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
- }
-
- for {
- retCode, errno := C.seccomp_notify_id_valid(C.int(fd), C.uint64_t(id))
- if retCode == 0 {
- break
- }
-
- if errno == syscall.EINTR {
- continue
- }
-
- if errno == syscall.ENOENT {
- return errno
- }
-
- return errRc(retCode)
- }
-
- return nil
-}
|