aboutsummaryrefslogtreecommitdiff
path: root/vendor/github.com/seccomp
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/seccomp')
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/.travis.yml28
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/Makefile8
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/README.md2
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/seccomp.go225
-rw-r--r--vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go260
5 files changed, 492 insertions, 31 deletions
diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
index feef144d1..5240d4622 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
+++ b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
@@ -19,19 +19,39 @@ os:
language: go
+jobs:
+ include:
+ - name: "last libseccomp 2.5.0"
+ env:
+ - SECCOMP_VER=2.5.0
+ - SECCOMP_SHA256SUM=1ffa7038d2720ad191919816db3479295a4bcca1ec14e02f672539f4983014f3
+ - name: "compat libseccomp 2.4.4"
+ env:
+ - SECCOMP_VER=2.4.4
+ - SECCOMP_SHA256SUM=4e79738d1ef3c9b7ca9769f1f8b8d84fc17143c2c1c432e53b9c64787e0ff3eb
+ - name: "compat libseccomp 2.2.1"
+ env:
+ - SECCOMP_VER=2.2.1
+ - SECCOMP_SHA256SUM=0ba1789f54786c644af54cdffc9fd0dd0a8bb2b2ee153933f658855d2851a740
+
addons:
apt:
packages:
- build-essential
- # TODO: use the main libseccomp git repo instead of a distro package
- - libseccomp2
- - libseccomp-dev
+ - astyle
+ - golint
+ - gperf
install:
- go get -u golang.org/x/lint/golint
# run all of the tests independently, fail if any of the tests error
script:
+ - wget https://github.com/seccomp/libseccomp/releases/download/v$SECCOMP_VER/libseccomp-$SECCOMP_VER.tar.gz
+ - echo $SECCOMP_SHA256SUM libseccomp-$SECCOMP_VER.tar.gz | sha256sum -c
+ - tar xf libseccomp-$SECCOMP_VER.tar.gz
+ - pushd libseccomp-$SECCOMP_VER && ./configure --prefix=/opt/libseccomp-$SECCOMP_VER && make && sudo make install && popd
- make check-syntax
- make lint
- - make check
+ - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make vet
+ - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make test
diff --git a/vendor/github.com/seccomp/libseccomp-golang/Makefile b/vendor/github.com/seccomp/libseccomp-golang/Makefile
index 1ff4cc898..38cfa852c 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/Makefile
+++ b/vendor/github.com/seccomp/libseccomp-golang/Makefile
@@ -18,8 +18,14 @@ fix-syntax:
vet:
go vet -v
+# Previous bugs have made the tests freeze until the timeout. Golang default
+# timeout for tests is 10 minutes, which is too long, considering current tests
+# can be executed in less than 1 second. Reduce the timeout, so problems can
+# be noticed earlier in the CI.
+TEST_TIMEOUT=10s
+
test:
- go test -v
+ go test -v -timeout $(TEST_TIMEOUT)
lint:
@$(if $(shell which golint),true,$(error "install golint and include it in your PATH"))
diff --git a/vendor/github.com/seccomp/libseccomp-golang/README.md b/vendor/github.com/seccomp/libseccomp-golang/README.md
index 27423f2d9..806a5ddf2 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/README.md
+++ b/vendor/github.com/seccomp/libseccomp-golang/README.md
@@ -2,7 +2,7 @@
===============================================================================
https://github.com/seccomp/libseccomp-golang
-[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/master.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
+[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/main.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
The libseccomp library provides an easy to use, platform independent, interface
to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
index e489b9ebd..e9b92e221 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
@@ -20,6 +20,13 @@ import (
// C wrapping code
+// To compile libseccomp-golang against a specific version of libseccomp:
+// cd ../libseccomp && mkdir -p prefix
+// ./configure --prefix=$PWD/prefix && make && make install
+// cd ../libseccomp-golang
+// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
+// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
+
// #cgo pkg-config: libseccomp
// #include <stdlib.h>
// #include <seccomp.h>
@@ -34,19 +41,25 @@ type VersionError struct {
minimum string
}
+func init() {
+ // This forces the cgo libseccomp to initialize its internal API support state,
+ // which is necessary on older versions of libseccomp in order to work
+ // correctly.
+ GetAPI()
+}
+
func (e VersionError) Error() string {
- format := "Libseccomp version too low: "
+ messageStr := ""
if e.message != "" {
- format += e.message + ": "
+ messageStr = e.message + ": "
}
- format += "minimum supported is "
+ minimumStr := ""
if e.minimum != "" {
- format += e.minimum + ": "
+ minimumStr = e.minimum
} else {
- format += "2.2.0: "
+ minimumStr = "2.2.0"
}
- format += "detected %d.%d.%d"
- return fmt.Sprintf(format, verMajor, verMinor, verMicro)
+ return fmt.Sprintf("Libseccomp version too low: %sminimum supported is %s: detected %d.%d.%d", messageStr, minimumStr, verMajor, verMinor, verMicro)
}
// ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
@@ -69,9 +82,61 @@ type ScmpCondition struct {
Operand2 uint64 `json:"operand_two,omitempty"`
}
-// ScmpSyscall represents a Linux System Call
+// Seccomp userspace notification structures associated with filters that use the ActNotify action.
+
+// ScmpSyscall identifies a Linux System Call by its number.
type ScmpSyscall int32
+// ScmpFd represents a file-descriptor used for seccomp userspace notifications.
+type ScmpFd int32
+
+// ScmpNotifData describes the system call context that triggered a notification.
+//
+// Syscall: the syscall number
+// Arch: the filter architecture
+// InstrPointer: address of the instruction that triggered a notification
+// Args: arguments (up to 6) for the syscall
+//
+type ScmpNotifData struct {
+ Syscall ScmpSyscall `json:"syscall,omitempty"`
+ Arch ScmpArch `json:"arch,omitempty"`
+ InstrPointer uint64 `json:"instr_pointer,omitempty"`
+ Args []uint64 `json:"args,omitempty"`
+}
+
+// ScmpNotifReq represents a seccomp userspace notification. See NotifReceive() for
+// info on how to pull such a notification.
+//
+// ID: notification ID
+// Pid: process that triggered the notification event
+// Flags: filter flags (see seccomp(2))
+// Data: system call context that triggered the notification
+//
+type ScmpNotifReq struct {
+ ID uint64 `json:"id,omitempty"`
+ Pid uint32 `json:"pid,omitempty"`
+ Flags uint32 `json:"flags,omitempty"`
+ Data ScmpNotifData `json:"data,omitempty"`
+}
+
+// ScmpNotifResp represents a seccomp userspace notification response. See NotifRespond()
+// for info on how to push such a response.
+//
+// ID: notification ID (must match the corresponding ScmpNotifReq ID)
+// Error: must be 0 if no error occurred, or an error constant from package
+// syscall (e.g., syscall.EPERM, etc). In the latter case, it's used
+// as an error return from the syscall that created the notification.
+// Val: return value for the syscall that created the notification. Only
+// relevant if Error is 0.
+// Flags: userspace notification response flag (e.g., NotifRespFlagContinue)
+//
+type ScmpNotifResp struct {
+ ID uint64 `json:"id,omitempty"`
+ Error int32 `json:"error,omitempty"`
+ Val uint64 `json:"val,omitempty"`
+ Flags uint32 `json:"flags,omitempty"`
+}
+
// Exported Constants
const (
@@ -117,6 +182,10 @@ const (
ArchS390 ScmpArch = iota
// ArchS390X represents 64-bit System z/390 syscalls
ArchS390X ScmpArch = iota
+ // ArchPARISC represents 32-bit PA-RISC
+ ArchPARISC ScmpArch = iota
+ // ArchPARISC64 represents 64-bit PA-RISC
+ ArchPARISC64 ScmpArch = iota
)
const (
@@ -130,6 +199,9 @@ const (
ActKill ScmpAction = iota
// ActTrap throws SIGSYS
ActTrap ScmpAction = iota
+ // ActNotify triggers a userspace notification. This action is only usable when
+ // libseccomp API level 6 or higher is supported.
+ ActNotify ScmpAction = iota
// ActErrno causes the syscall to return a negative error code. This
// code can be set with the SetReturnCode method
ActErrno ScmpAction = iota
@@ -181,6 +253,21 @@ const (
CompareMaskedEqual ScmpCompareOp = iota
)
+var (
+ // ErrSyscallDoesNotExist represents an error condition where
+ // libseccomp is unable to resolve the syscall
+ ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name")
+)
+
+const (
+ // Userspace notification response flags
+
+ // NotifRespFlagContinue tells the kernel to continue executing the system
+ // call that triggered the notification. Must only be used when the notication
+ // response's error is 0.
+ NotifRespFlagContinue uint32 = 1
+)
+
// Helpers for types
// GetArchFromString returns an ScmpArch constant from a string representing an
@@ -223,6 +310,10 @@ func GetArchFromString(arch string) (ScmpArch, error) {
return ArchS390, nil
case "s390x":
return ArchS390X, nil
+ case "parisc":
+ return ArchPARISC, nil
+ case "parisc64":
+ return ArchPARISC64, nil
default:
return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
}
@@ -263,6 +354,10 @@ func (a ScmpArch) String() string {
return "s390"
case ArchS390X:
return "s390x"
+ case ArchPARISC:
+ return "parisc"
+ case ArchPARISC64:
+ return "parisc64"
case ArchNative:
return "native"
case ArchInvalid:
@@ -310,6 +405,8 @@ func (a ScmpAction) String() string {
case ActTrace:
return fmt.Sprintf("Action: Notify tracing processes with code %d",
(a >> 16))
+ case ActNotify:
+ return "Action: Notify userspace"
case ActLog:
return "Action: Log system call"
case ActAllow:
@@ -349,7 +446,7 @@ func GetLibraryVersion() (major, minor, micro uint) {
// Returns a positive int containing the API level, or 0 with an error if the
// API level could not be detected due to the library being older than v2.4.0.
// See the seccomp_api_get(3) man page for details on available API levels:
-// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
+// https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_api_get.3
func GetAPI() (uint, error) {
return getAPI()
}
@@ -359,7 +456,7 @@ func GetAPI() (uint, error) {
// Returns an error if the API level could not be set. An error is always
// returned if the library is older than v2.4.0
// See the seccomp_api_get(3) man page for details on available API levels:
-// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
+// https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_api_get.3
func SetAPI(api uint) error {
return setAPI(api)
}
@@ -386,7 +483,7 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
cString := C.seccomp_syscall_resolve_num_arch(arch.toNative(), C.int(s))
if cString == nil {
- return "", fmt.Errorf("could not resolve syscall name for %#x", int32(s))
+ return "", ErrSyscallDoesNotExist
}
defer C.free(unsafe.Pointer(cString))
@@ -409,7 +506,7 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
result := C.seccomp_syscall_resolve_name(cString)
if result == scmpError {
- return 0, fmt.Errorf("could not resolve name to syscall: %q", name)
+ return 0, ErrSyscallDoesNotExist
}
return ScmpSyscall(result), nil
@@ -433,7 +530,7 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
result := C.seccomp_syscall_resolve_name_arch(arch.toNative(), cString)
if result == scmpError {
- return 0, fmt.Errorf("could not resolve name to syscall: %q on %v", name, arch)
+ return 0, ErrSyscallDoesNotExist
}
return ScmpSyscall(result), nil
@@ -506,11 +603,10 @@ type ScmpFilter struct {
lock sync.Mutex
}
-// NewFilter creates and returns a new filter context.
-// Accepts a default action to be taken for syscalls which match no rules in
-// the filter.
-// Returns a reference to a valid filter context, or nil and an error if the
-// filter context could not be created or an invalid default action was given.
+// NewFilter creates and returns a new filter context. Accepts a default action to be
+// taken for syscalls which match no rules in the filter.
+// Returns a reference to a valid filter context, or nil and an error
+// if the filter context could not be created or an invalid default action was given.
func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
if err := ensureSupportedVersion(); err != nil {
return nil, err
@@ -530,8 +626,8 @@ func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
filter.valid = true
runtime.SetFinalizer(filter, filterFinalizer)
- // Enable TSync so all goroutines will receive the same rules
- // If the kernel does not support TSYNC, allow us to continue without error
+ // Enable TSync so all goroutines will receive the same rules.
+ // If the kernel does not support TSYNC, allow us to continue without error.
if err := filter.setFilterAttr(filterAttrTsync, 0x1); err != nil && err != syscall.ENOTSUP {
filter.Release()
return nil, fmt.Errorf("could not create filter - error setting tsync bit: %v", err)
@@ -778,8 +874,9 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
func (f *ScmpFilter) GetLogBit() (bool, error) {
log, err := f.getFilterAttr(filterAttrLog)
if err != nil {
- api, apiErr := getAPI()
- if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
+ // Ignore error, if not supported returns apiLevel == 0
+ apiLevel, _ := GetAPI()
+ if apiLevel < 3 {
return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
}
@@ -793,6 +890,30 @@ func (f *ScmpFilter) GetLogBit() (bool, error) {
return true, nil
}
+// GetSSB returns the current state the SSB bit will be set to on the filter
+// being loaded, or an error if an issue was encountered retrieving the value.
+// The SSB bit tells the kernel that a seccomp user is not interested in enabling
+// Speculative Store Bypass mitigation.
+// The SSB bit is only usable when libseccomp API level 4 or higher is
+// supported.
+func (f *ScmpFilter) GetSSB() (bool, error) {
+ ssb, err := f.getFilterAttr(filterAttrSSB)
+ if err != nil {
+ api, apiErr := getAPI()
+ if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
+ return false, fmt.Errorf("getting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
+ }
+
+ return false, err
+ }
+
+ if ssb == 0 {
+ return false, nil
+ }
+
+ return true, nil
+}
+
// SetBadArchAction sets the default action taken on a syscall for an
// architecture not in the filter, or an error if an issue was encountered
// setting the value.
@@ -832,8 +953,9 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
err := f.setFilterAttr(filterAttrLog, toSet)
if err != nil {
- api, apiErr := getAPI()
- if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
+ // Ignore error, if not supported returns apiLevel == 0
+ apiLevel, _ := GetAPI()
+ if apiLevel < 3 {
return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
}
}
@@ -841,6 +963,28 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
return err
}
+// SetSSB sets the state of the SSB bit, which will be applied on filter
+// load, or an error if an issue was encountered setting the value.
+// The SSB bit is only usable when libseccomp API level 4 or higher is
+// supported.
+func (f *ScmpFilter) SetSSB(state bool) error {
+ var toSet C.uint32_t = 0x0
+
+ if state {
+ toSet = 0x1
+ }
+
+ err := f.setFilterAttr(filterAttrSSB, toSet)
+ if err != nil {
+ api, apiErr := getAPI()
+ if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
+ return fmt.Errorf("setting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
+ }
+ }
+
+ return err
+}
+
// SetSyscallPriority sets a syscall's priority.
// This provides a hint to the filter generator in libseccomp about the
// importance of this syscall. High-priority syscalls are placed
@@ -947,3 +1091,36 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error {
return nil
}
+
+// Userspace Notification API
+
+// GetNotifFd returns the userspace notification file descriptor associated with the given
+// filter context. Such a file descriptor is only valid after the filter has been loaded
+// and only when the filter uses the ActNotify action. The file descriptor can be used to
+// retrieve and respond to notifications associated with the filter (see NotifReceive(),
+// NotifRespond(), and NotifIDValid()).
+func (f *ScmpFilter) GetNotifFd() (ScmpFd, error) {
+ return f.getNotifFd()
+}
+
+// NotifReceive retrieves a seccomp userspace notification from a filter whose ActNotify
+// action has triggered. The caller is expected to process the notification and return a
+// response via NotifRespond(). Each invocation of this function returns one
+// notification. As multiple notifications may be pending at any time, this function is
+// normally called within a polling loop.
+func NotifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
+ return notifReceive(fd)
+}
+
+// NotifRespond responds to a notification retrieved via NotifReceive(). The response Id
+// must match that of the corresponding notification retrieved via NotifReceive().
+func NotifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
+ return notifRespond(fd, scmpResp)
+}
+
+// NotifIDValid checks if a notification is still valid. An return value of nil means the
+// notification is still valid. Otherwise the notification is not valid. This can be used
+// to mitigate time-of-check-time-of-use (TOCTOU) attacks as described in seccomp_notify_id_valid(2).
+func NotifIDValid(fd ScmpFd, id uint64) error {
+ return notifIDValid(fd, id)
+}
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
index 0982e930f..8dc7b296f 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
@@ -14,6 +14,13 @@ import (
// Get the seccomp header in scope
// Need stdlib.h for free() on cstrings
+// To compile libseccomp-golang against a specific version of libseccomp:
+// cd ../libseccomp && mkdir -p prefix
+// ./configure --prefix=$PWD/prefix && make && make install
+// cd ../libseccomp-golang
+// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
+// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
+
// #cgo pkg-config: libseccomp
/*
#include <errno.h>
@@ -50,6 +57,14 @@ const uint32_t C_ARCH_BAD = ARCH_BAD;
#define SCMP_ARCH_S390X ARCH_BAD
#endif
+#ifndef SCMP_ARCH_PARISC
+#define SCMP_ARCH_PARISC ARCH_BAD
+#endif
+
+#ifndef SCMP_ARCH_PARISC64
+#define SCMP_ARCH_PARISC64 ARCH_BAD
+#endif
+
const uint32_t C_ARCH_NATIVE = SCMP_ARCH_NATIVE;
const uint32_t C_ARCH_X86 = SCMP_ARCH_X86;
const uint32_t C_ARCH_X86_64 = SCMP_ARCH_X86_64;
@@ -67,6 +82,8 @@ const uint32_t C_ARCH_PPC64 = SCMP_ARCH_PPC64;
const uint32_t C_ARCH_PPC64LE = SCMP_ARCH_PPC64LE;
const uint32_t C_ARCH_S390 = SCMP_ARCH_S390;
const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
+const uint32_t C_ARCH_PARISC = SCMP_ARCH_PARISC;
+const uint32_t C_ARCH_PARISC64 = SCMP_ARCH_PARISC64;
#ifndef SCMP_ACT_LOG
#define SCMP_ACT_LOG 0x7ffc0000U
@@ -80,6 +97,10 @@ const uint32_t C_ARCH_S390X = SCMP_ARCH_S390X;
#define SCMP_ACT_KILL_THREAD 0x00000000U
#endif
+#ifndef SCMP_ACT_NOTIFY
+#define SCMP_ACT_NOTIFY 0x7fc00000U
+#endif
+
const uint32_t C_ACT_KILL = SCMP_ACT_KILL;
const uint32_t C_ACT_KILL_PROCESS = SCMP_ACT_KILL_PROCESS;
const uint32_t C_ACT_KILL_THREAD = SCMP_ACT_KILL_THREAD;
@@ -88,6 +109,7 @@ const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
const uint32_t C_ACT_LOG = SCMP_ACT_LOG;
const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW;
+const uint32_t C_ACT_NOTIFY = SCMP_ACT_NOTIFY;
// The libseccomp SCMP_FLTATR_CTL_LOG member of the scmp_filter_attr enum was
// added in v2.4.0
@@ -95,12 +117,16 @@ const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW;
(SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4)
#define SCMP_FLTATR_CTL_LOG _SCMP_FLTATR_MIN
#endif
+#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5
+#define SCMP_FLTATR_CTL_SSB _SCMP_FLTATR_MIN
+#endif
const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT;
const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH;
const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP;
const uint32_t C_ATTRIBUTE_TSYNC = (uint32_t)SCMP_FLTATR_CTL_TSYNC;
const uint32_t C_ATTRIBUTE_LOG = (uint32_t)SCMP_FLTATR_CTL_LOG;
+const uint32_t C_ATTRIBUTE_SSB = (uint32_t)SCMP_FLTATR_CTL_SSB;
const int C_CMP_NE = (int)SCMP_CMP_NE;
const int C_CMP_LT = (int)SCMP_CMP_LT;
@@ -189,6 +215,51 @@ void add_struct_arg_cmp(
return;
}
+
+// The seccomp notify API functions were added in v2.5.0
+#if (SCMP_VER_MAJOR < 2) || \
+ (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5)
+
+struct seccomp_data {
+ int nr;
+ __u32 arch;
+ __u64 instruction_pointer;
+ __u64 args[6];
+};
+
+struct seccomp_notif {
+ __u64 id;
+ __u32 pid;
+ __u32 flags;
+ struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+ __u64 id;
+ __s64 val;
+ __s32 error;
+ __u32 flags;
+};
+
+int seccomp_notify_alloc(struct seccomp_notif **req, struct seccomp_notif_resp **resp) {
+ return -EOPNOTSUPP;
+}
+int seccomp_notify_fd(const scmp_filter_ctx ctx) {
+ return -EOPNOTSUPP;
+}
+void seccomp_notify_free(struct seccomp_notif *req, struct seccomp_notif_resp *resp) {
+}
+int seccomp_notify_id_valid(int fd, uint64_t id) {
+ return -EOPNOTSUPP;
+}
+int seccomp_notify_receive(int fd, struct seccomp_notif *req) {
+ return -EOPNOTSUPP;
+}
+int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp) {
+ return -EOPNOTSUPP;
+}
+
+#endif
*/
import "C"
@@ -203,6 +274,7 @@ const (
filterAttrNNP scmpFilterAttr = iota
filterAttrTsync scmpFilterAttr = iota
filterAttrLog scmpFilterAttr = iota
+ filterAttrSSB scmpFilterAttr = iota
)
const (
@@ -210,7 +282,7 @@ const (
scmpError C.int = -1
// Comparison boundaries to check for architecture validity
archStart ScmpArch = ArchNative
- archEnd ScmpArch = ArchS390X
+ archEnd ScmpArch = ArchPARISC64
// Comparison boundaries to check for action validity
actionStart ScmpAction = ActKill
actionEnd ScmpAction = ActKillProcess
@@ -460,6 +532,10 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) {
return ArchS390, nil
case C.C_ARCH_S390X:
return ArchS390X, nil
+ case C.C_ARCH_PARISC:
+ return ArchPARISC, nil
+ case C.C_ARCH_PARISC64:
+ return ArchPARISC64, nil
default:
return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a))
}
@@ -500,6 +576,10 @@ func (a ScmpArch) toNative() C.uint32_t {
return C.C_ARCH_S390
case ArchS390X:
return C.C_ARCH_S390X
+ case ArchPARISC:
+ return C.C_ARCH_PARISC
+ case ArchPARISC64:
+ return C.C_ARCH_PARISC64
case ArchNative:
return C.C_ARCH_NATIVE
default:
@@ -548,6 +628,8 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
return ActLog, nil
case C.C_ACT_ALLOW:
return ActAllow, nil
+ case C.C_ACT_NOTIFY:
+ return ActNotify, nil
default:
return 0x0, fmt.Errorf("unrecognized action %#x", uint32(a))
}
@@ -572,6 +654,8 @@ func (a ScmpAction) toNative() C.uint32_t {
return C.C_ACT_LOG
case ActAllow:
return C.C_ACT_ALLOW
+ case ActNotify:
+ return C.C_ACT_NOTIFY
default:
return 0x0
}
@@ -590,7 +674,181 @@ func (a scmpFilterAttr) toNative() uint32 {
return uint32(C.C_ATTRIBUTE_TSYNC)
case filterAttrLog:
return uint32(C.C_ATTRIBUTE_LOG)
+ case filterAttrSSB:
+ return uint32(C.C_ATTRIBUTE_SSB)
default:
return 0x0
}
}
+
+func (a ScmpSyscall) toNative() C.uint32_t {
+ return C.uint32_t(a)
+}
+
+func syscallFromNative(a C.int) ScmpSyscall {
+ return ScmpSyscall(a)
+}
+
+func notifReqFromNative(req *C.struct_seccomp_notif) (*ScmpNotifReq, error) {
+ scmpArgs := make([]uint64, 6)
+ for i := 0; i < len(scmpArgs); i++ {
+ scmpArgs[i] = uint64(req.data.args[i])
+ }
+
+ arch, err := archFromNative(req.data.arch)
+ if err != nil {
+ return nil, err
+ }
+
+ scmpData := ScmpNotifData{
+ Syscall: syscallFromNative(req.data.nr),
+ Arch: arch,
+ InstrPointer: uint64(req.data.instruction_pointer),
+ Args: scmpArgs,
+ }
+
+ scmpReq := &ScmpNotifReq{
+ ID: uint64(req.id),
+ Pid: uint32(req.pid),
+ Flags: uint32(req.flags),
+ Data: scmpData,
+ }
+
+ return scmpReq, nil
+}
+
+func (scmpResp *ScmpNotifResp) toNative(resp *C.struct_seccomp_notif_resp) {
+ resp.id = C.__u64(scmpResp.ID)
+ resp.val = C.__s64(scmpResp.Val)
+ resp.error = (C.__s32(scmpResp.Error) * -1) // kernel requires a negated value
+ resp.flags = C.__u32(scmpResp.Flags)
+}
+
+// Userspace Notification API
+// Calls to C.seccomp_notify* hidden from seccomp.go
+
+func (f *ScmpFilter) getNotifFd() (ScmpFd, error) {
+ f.lock.Lock()
+ defer f.lock.Unlock()
+
+ if !f.valid {
+ return -1, errBadFilter
+ }
+
+ // Ignore error, if not supported returns apiLevel == 0
+ apiLevel, _ := GetAPI()
+ if apiLevel < 6 {
+ return -1, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+ }
+
+ fd := C.seccomp_notify_fd(f.filterCtx)
+
+ return ScmpFd(fd), nil
+}
+
+func notifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
+ var req *C.struct_seccomp_notif
+ var resp *C.struct_seccomp_notif_resp
+
+ // Ignore error, if not supported returns apiLevel == 0
+ apiLevel, _ := GetAPI()
+ if apiLevel < 6 {
+ return nil, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+ }
+
+ // we only use the request here; the response is unused
+ if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 {
+ return nil, errRc(retCode)
+ }
+
+ defer func() {
+ C.seccomp_notify_free(req, resp)
+ }()
+
+ for {
+ retCode, errno := C.seccomp_notify_receive(C.int(fd), req)
+ if retCode == 0 {
+ break
+ }
+
+ if errno == syscall.EINTR {
+ continue
+ }
+
+ if errno == syscall.ENOENT {
+ return nil, errno
+ }
+
+ return nil, errRc(retCode)
+ }
+
+ return notifReqFromNative(req)
+}
+
+func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
+ var req *C.struct_seccomp_notif
+ var resp *C.struct_seccomp_notif_resp
+
+ // Ignore error, if not supported returns apiLevel == 0
+ apiLevel, _ := GetAPI()
+ if apiLevel < 6 {
+ return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+ }
+
+ // we only use the reponse here; the request is discarded
+ if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 {
+ return errRc(retCode)
+ }
+
+ defer func() {
+ C.seccomp_notify_free(req, resp)
+ }()
+
+ scmpResp.toNative(resp)
+
+ for {
+ retCode, errno := C.seccomp_notify_respond(C.int(fd), resp)
+ if retCode == 0 {
+ break
+ }
+
+ if errno == syscall.EINTR {
+ continue
+ }
+
+ if errno == syscall.ENOENT {
+ return errno
+ }
+
+ return errRc(retCode)
+ }
+
+ return nil
+}
+
+func notifIDValid(fd ScmpFd, id uint64) error {
+ // Ignore error, if not supported returns apiLevel == 0
+ apiLevel, _ := GetAPI()
+ if apiLevel < 6 {
+ return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
+ }
+
+ for {
+ retCode, errno := C.seccomp_notify_id_valid(C.int(fd), C.uint64_t(id))
+ if retCode == 0 {
+ break
+ }
+
+ if errno == syscall.EINTR {
+ continue
+ }
+
+ if errno == syscall.ENOENT {
+ return errno
+ }
+
+ return errRc(retCode)
+ }
+
+ return nil
+}