|
commit b37a453dce194f79819f6955e32ff8043e38b797
Author: Paul Moore <pmoore@redhat.com> Date: Tue Oct 21 16:14:10 2014 -0400 tests: allow the regression test to run properly from 'make distcheck' Signed-off-by: Paul Moore <pmoore@redhat.com> commit 97e09041741edce5197dfb0cc43e3a3cb0d9f8f0 Author: Paul Moore <pmoore@redhat.com> Date: Tue Oct 21 16:14:10 2014 -0400 build: fix some problems seen with 'make dist' tarballs Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7aa14c4190d33dbd081f89b912ffc59f2d8cf0d0 Author: Paul Moore <pmoore@redhat.com> Date: Tue Oct 21 16:14:10 2014 -0400 build: allow the creation of a static library Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7521c01d5dc9ca44d34e79688bbee0834ec5648a Author: Paul Moore <pmoore@redhat.com> Date: Tue Oct 21 16:07:27 2014 -0400 build: update the git ignore file Signed-off-by: Paul Moore <pmoore@redhat.com> commit f6c219703e3e654e60bb341ab4de362a133fdba6 Author: Paul Moore <pmoore@redhat.com> Date: Fri Aug 22 13:01:19 2014 -0400 all: fix a number of small bugs found by Coverity Also display the build revision to make things easier when submitting builds for scanning. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 956fff9c15cec79525dd496d0561561eee6ca44c Author: Paul Moore <pmoore@redhat.com> Date: Fri Aug 29 14:41:29 2014 -0400 build: fixup b6da7a923a6200b115b5f48be7377e59b1537c3e As noted in the previous commit, I made some style changes, but forgot to include them in the commit. This patch includes those tweaks. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b6da7a923a6200b115b5f48be7377e59b1537c3e Author: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Date: Thu Aug 28 11:10:07 2014 +0100 build: only add 'serial-tests' for automake >= 1.12. This patch is based on the following patch written by Richard W.M. Jones from RedHat: https://www.redhat.com/archives/libguestfs/2013-February/msg00102.html Earlier versions of automake complain if they get a configuration parameter which they don't understand. The error is: configure.ac:27: error: option 'serial-tests' not recognized Use some m4 hackery to work around this. Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> (minor style tweaks to the comments) Signed-off-by: Paul Moore <pmoore@redhat.com> commit 4dd234df40d0c228f5fe40fa45b05afb36e607f1 Author: Paul Moore <pmoore@redhat.com> Date: Fri Aug 22 14:57:48 2014 -0400 arch: perform a number of simplications in the arch code I've been putting off simplifing the arch specific code until we had enough ABIs to know what simplifications made sense. Well, our supported ABI list is not quite reasonable so go ahead and clean things up a bit. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 4745bbae426addfc1f2a3764768662c5dd5af0a9 Author: Paul Moore <pmoore@redhat.com> Date: Fri Aug 22 14:57:48 2014 -0400 arch: perform a number of simplications in the arch code I've been putting off simplifing the arch specific code until we had enough ABIs to know what simplifications made sense. Well, our supported ABI list is not quite reasonable so go ahead and clean things up a bit. Signed-off-by: Paul Moore <pmoore@redhat.com> commit c188588835d060e41e484e7b7ad4a78e7282b33e Author: Paul Moore <pmoore@redhat.com> Date: Fri Aug 22 12:50:00 2014 -0400 tools: add the missing x32 check to arch-syscall-check Also, now that we've fixed arch-syscall-check to include x32, bring the x32 syscall table up to speed with the rest of the library. Signed-off-by: Paul Moore <pmoore@redhat.com> commit ab63dc7fec3d4e5552bf5f363231c3fe1a7436d7 Author: Marcin Juszkiewicz <mjuszkiewicz@redhat.com> Date: Thu Aug 21 17:30:40 2014 +0200 arch: Add AArch64 support This patch adds support for AArch64 (64-bit ARM) architecture. Signed-off-by: Marcin Juszkiewicz <mjuszkiewicz@redhat.com> (Additional fixes/corrections/etc.) Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-aarch64-syscalls.c create mode 100644 src/arch-aarch64.c create mode 100644 src/arch-aarch64.h commit 52085b7dddf779746373e35d5c70546cc3633553 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 26 15:58:42 2014 -0400 tests: better architecture selection support in the automated tests This patch adds support for a number of new enhancements to the automated test suite, all of which are focused on the architecture selection of the bpf-sim test type. With this patch, the architecture field can now contain a comma delimited list of architecture names with the following values: * all Add the current native arch to the list. * all_le Add the current native arch to the list only if it is little endian. * +all_le Add all of the supported little endian architectures to the list. * all_be Add the current native arch to the list only if it is big endian. * +all_be Add all of the supported big endian architectures to the list. * <arch> Add the architecture specified by "<arch>" if it is the native architecture. * +<arch> Add the architecture specified by "<arch>" to the list. * -<arch> Remove the architecture specified by "<arch>" to the list if present. Signed-off-by: Paul Moore <pmoore@redhat.com> commit e2b795068dd8ec92ce5cfaade81a915af0dbd61c Author: Paul Moore <pmoore@redhat.com> Date: Wed Aug 27 09:51:04 2014 -0400 arch: ensure that __AUDIT_ARCH_CONVENTION_MIPS64_N32 is defined Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9c6c5b326b1fb4aeca63dbfcfc52b5aa78490331 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 26 14:27:00 2014 -0400 arch: ensure we have definitions for the MIPS N32 ABI Signed-off-by: Paul Moore <pmoore@redhat.com> commit b2adeeeeb00a23ed70df7f500add469e46d25400 Author: Paul Moore <pmoore@redhat.com> Date: Fri Aug 22 00:21:20 2014 -0400 api: remove unneeded pseudo syscall definitions (__PNR_*) Signed-off-by: Paul Moore <pmoore@redhat.com> commit f2b1827d0dd116f156d1a787d73b8df98815b2df Author: Paul Moore <pmoore@redhat.com> Date: Thu Aug 21 16:47:50 2014 -0400 arch: add mips64n32 to the defaults in arch-syscall-validate Signed-off-by: Paul Moore <pmoore@redhat.com> commit b8969be8264cc10125406228b0e893f647dbc321 Author: Paul Moore <pmoore@redhat.com> Date: Thu Aug 21 16:02:35 2014 -0400 tools: add the missing 64-bit MIPS support to tools/util.c Signed-off-by: Paul Moore <pmoore@redhat.com> commit 5a703f60136a2f375657446e1660904de1e39a85 Author: Paul Moore <pmoore@redhat.com> Date: Thu Aug 21 15:23:21 2014 -0400 python: add the missing 64-bit MIPS cython/python bindings Signed-off-by: Paul Moore <pmoore@redhat.com> commit b61f4065f76f3868a6c597f37932de2e65e4fa97 Author: Paul Moore <pmoore@redhat.com> Date: Thu Aug 21 12:05:08 2014 -0400 build: add support for Coverity scanning Thanks to the folks at Coverity for supporting Open Source projects such as this one. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 76eaa8a1e41fe8295142811b74de53ea2474e79e Author: Paul Moore <pmoore@redhat.com> Date: Wed Aug 20 17:53:44 2014 -0400 system: add support for the thread sync functionality The thread sync functionality and the SECCOMP_FILTER_FLAG_TSYNC flag makes an appearance in Linux 3.17. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 1123a31f7ab7dcc6e77f5b125aef9c605b379150 Author: Paul Moore <pmoore@redhat.com> Date: Wed Aug 20 16:42:38 2014 -0400 system: add initial support for the new seccomp() syscall The new seccomp() syscall makes an appearance in Linux 3.17. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/system.c commit 97a1710da19e6365a826953e629bd5410cadc9d3 Author: Marcin Juszkiewicz <mjuszkiewicz@redhat.com> Date: Thu Aug 21 11:22:27 2014 +0200 arch: Handle MIPS code only on MIPS platforms MIPS stuff needs to be handled on MIPS platforms otherwise no new architectures can be added after MIPS block. Signed-off-by: Marcin Juszkiewicz <mjuszkiewicz@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 60171f8899f94e5743a2f4567f1faf63cee1a864 Author: Markos Chandras <markos.chandras@imgtec.com> Date: Thu Aug 21 10:33:27 2014 +0100 tests: Add missing mips{el}64n32 case for live tests Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 6354f8cab5ac82a8d567005e58a9e7ff9dd843a9 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 22:19:51 2014 -0400 arch: update the syscall tables to 3.17-rc1+ Signed-off-by: Paul Moore <pmoore@redhat.com> commit f8700e2901b882249348b7d0e63824e64420f5d9 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 22:47:36 2014 -0400 arch: fix the arch-syscall-validate script for x86/x86_64/x32 Don't rely on the header files for x86/x86_64/x32, check the syscall source tables directly. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 0783d0389450a4774f960b5af7a78cdb67c6f7ee Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 22:10:13 2014 -0400 all: add support for mips64n32 to the tools and tests Signed-off-by: Paul Moore <pmoore@redhat.com> commit 263fd5d1f29e4eb54782c89a8d6f29554a592708 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 19:55:49 2014 -0400 arch: add mips64n32 support Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-mips64n32-syscalls.c create mode 100644 src/arch-mips64n32.c create mode 100644 src/arch-mips64n32.h commit 9cd35f411eeb591e0a201063cb8cda5dee530953 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 15:35:08 2014 -0400 all: add support for mips64 to the tools and tests Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7d84274035bd7ec8969912ba3eb02620f9d73a0f Author: Paul Moore <pmoore@redhat.com> Date: Fri Jun 6 12:14:09 2014 -0400 arch: add mips64 support Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-mips64-syscalls.c create mode 100644 src/arch-mips64.c create mode 100644 src/arch-mips64.h commit fbe50c70db7b88e46bb0cabe38ec9374dc1bceb3 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 15:53:26 2014 -0400 pfc: add the missing MIPS definitions Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2f65c7f4c723e3de9a4d25b37bcf0c1363c88a7b Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 19 23:52:46 2014 -0400 tests: check the number of arguments to the rule_add*() functions Without this check we run the risk of segfaults when the number of arguments reach beyond six. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 257f8346e05b57d05b04616034bdab1ecaff0b22 Author: Paul Moore <pmoore@redhat.com> Date: Wed Aug 6 15:51:03 2014 -0400 tests: fix 11-basic-basic_errors.c The following test is unpredicatable as it relies on unitinitalized memory: seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 6); This patch fixes this to ensure failure with -EINVAL. Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit f188785b03d2488eaecef5d982e41297f1cf7c45 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jul 16 09:52:52 2014 -0400 docs: update the README file Signed-off-by: Paul Moore <pmoore@redhat.com> commit ce3598f01f172d0924712e4c2fef87743fe24285 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jul 16 09:40:04 2014 -0400 docs: add information on submitting patches Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 SUBMITTING_PATCHES commit 446ea00675ab9e72141e796408bc31de786a419a Author: Marcus Meissner <meissner@suse.de> Date: Mon Jul 14 12:59:47 2014 +0200 tools: specify source relations more correct Include the header file dependencies. This will improve "make dist" generated tarballs. Signed-off-by: Marcus Meissner <meissner@suse.de> Signed-off-by: Paul Moore <pmoore@redhat.com> commit d051e7c0f1d982e4ba505190a7ab431c0d0b36d0 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jul 9 15:08:37 2014 -0400 build: don't build arch-syscall-dump by default Signed-off-by: Paul Moore <pmoore@redhat.com> commit 76739812a3e23182504cde43403ddb9921e0e05a Author: Paul Moore <pmoore@redhat.com> Date: Fri Jun 27 17:50:43 2014 -0400 api: fix a typo in the header file Signed-off-by: Paul Moore <pmoore@redhat.com> commit c6205d9600983aa3fa68ca952b7624f2fec86718 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jun 25 12:28:57 2014 -0400 arch: sync the syscall table entries Signed-off-by: Paul Moore <pmoore@redhat.com> commit ac6802b300922ef2ad3e95e2c80f89b575073aeb Author: Paul Moore <pmoore@redhat.com> Date: Wed Jun 25 11:57:33 2014 -0400 arch: update the x32 syscall table It turns out there are enough differences between x86_64 and x32 that unique syscall tables are warranted. Signed-off-by: Paul Moore <pmoore@redhat.com> commit c8c65de5d4df4e736240412a3961d73c87f63e3c Author: Paul Moore <pmoore@redhat.com> Date: Wed Jun 25 11:46:19 2014 -0400 arch: update the mips syscall table Signed-off-by: Paul Moore <pmoore@redhat.com> commit 689f19e7488535c775c1db415b8d9895905ef8dd Author: Paul Moore <pmoore@redhat.com> Date: Wed Jun 25 11:39:38 2014 -0400 arch: update the arm syscall table Signed-off-by: Paul Moore <pmoore@redhat.com> commit 3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jun 25 11:35:40 2014 -0400 arch: update the x86_64 syscall table Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9186136be7696ed63a8ddc06c9b397057abc5c75 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jun 25 11:30:51 2014 -0400 arch: update the x86 syscall table Signed-off-by: Paul Moore <pmoore@redhat.com> commit 111eb1b7468afa80b4be973ad642345de53c5f78 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jun 24 15:04:33 2014 -0400 tests: provide a simple syscall validation tool Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-syscall-dump.c create mode 100755 src/arch-syscall-validate commit b52b18c76803199a999cdc75c3823a957bb50c93 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jun 24 17:59:31 2014 -0400 tests: add the missing function comments to arch-syscall-check Signed-off-by: Paul Moore <pmoore@redhat.com> commit 18a7986141a07a9a0bb07866baac952b3451ef70 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jun 24 13:13:35 2014 -0400 all: minor style fixes to pass 'make check-syntax' Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7ef006ce62ba385880d5fe7f71534ad8d48273c9 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jun 24 13:05:34 2014 -0400 tools: better check-syntax output Change the check-syntax output so that the output can be more easily fed back into patch. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 64152018ffdf971efefd84466db4a92002bb8b15 Author: Serge Hallyn <serge.hallyn@canonical.com> Date: Mon Jun 23 16:19:49 2014 -0500 add finit_module syscalls to x86 and x86-64 syscall tables Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 10383c95be9beabf76d22e5e0ed62f2a4789dae9 Author: Paul Moore <pmoore@redhat.com> Date: Thu May 22 16:28:17 2014 -0400 tests: create a simple program to test the internal syscall tables This patch adds a dead simple, and a bit hack-ish, little program that checks the internal syscall tables for consistency across the different supported architectures. We also tie this test into the autotools test infrastructure. This should be of particular importance when adding or updating architectures. This patch also fixed some automake/libtool problems which were causing us to double-build some objects under src/. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-syscall-check.c commit 8139f5f7b71044fe21969e944d162e9e98c6e5eb Author: Paul Moore <pmoore@redhat.com> Date: Fri May 9 09:24:20 2014 -0400 tools: convert the tools over to the public APIs Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7eb16b2bfa9dfd42226b84f171a26afb290a9c0d Author: Paul Moore <pmoore@redhat.com> Date: Fri May 9 09:34:45 2014 -0400 api: rename seccomp_syscall_resolve_name_rewrite_arch() Change the API name to seccomp_syscall_resolve_name_rewrite(). Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_syscall_resolve_name_rewrite.3 delete mode 100644 doc/man/man3/seccomp_syscall_resolve_name_rewrite_arch.3 commit 4dae02fefcc52e8a4cc1584293deb743e4cf22b1 Author: Paul Moore <pmoore@redhat.com> Date: Thu May 8 17:37:56 2014 -0400 api: add an API to do translated/rewriten syscall resolution This patch also converts the seccomp.resolve_syscall() method to use the new resolution API. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_syscall_resolve_name_rewrite_arch.3 commit e9bb8dee7fef7e4c5971eee59a6e0cb12564c5f6 Author: Paul Moore <pmoore@redhat.com> Date: Thu May 8 18:11:34 2014 -0400 doc: fix a missing manpage link Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_arch_resolve_name.3 commit 5bfd306219835ff01efd611921ab64fd7ea10918 Author: Paul Moore <pmoore@redhat.com> Date: Thu May 8 10:59:11 2014 -0400 tests: update the tests to use the new architecture resolving functionality Signed-off-by: Paul Moore <pmoore@redhat.com> commit f05fc7cbc294f95fd62fb0aea52561c14f52aba9 Author: Paul Moore <pmoore@redhat.com> Date: Wed May 7 17:00:44 2014 -0400 api: add the seccomp_arch_resolve_name() API call As requested by the systemd developers and used by our own tools. Signed-off-by: Paul Moore <pmoore@redhat.com> commit e8a449fb5b87ba0479524b661fe962a5d977d400 Author: Paul Moore <pmoore@redhat.com> Date: Wed May 7 12:05:59 2014 -0400 build: create a 'check-build' target Sometimes it is helpful to build the test without executing them, add a new target, 'check-build' to do just that. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 430419e312ceb7c3ca1255b97c8b4ec0151e8bb3 Author: Paul Moore <pmoore@redhat.com> Date: Wed May 7 11:51:58 2014 -0400 python: fix a build problem related to PEP 3123 We also add some comments to setup.py to explain the "extra" options so we remember why we are doing this in the future. Signed-off-by: Paul Moore <pmoore@redhat.com> commit d21ff2890b891ce3e64bc71b49e6948224c414a0 Author: Paul Moore <pmoore@redhat.com> Date: Wed May 7 11:15:13 2014 -0400 python: fix the autotools build for the python bindings Python's distutils/setup.py doesn't play well with libtool libraries so directly reference the static libseccomp library inside setup.py. Also fix a problem with the automake configuration which likely masked this problem in the first place. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 42badbc70fc93b622b9aa2dba74f434d0334a870 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 18:34:49 2014 -0400 tests: correctly return an error if seccomp_init() fails Signed-off-by: Paul Moore <pmoore@redhat.com> commit 0fa292323f4b214a0c2f17206f183719fe382215 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 17:52:34 2014 -0400 tests: detect the python bindings automatically Signed-off-by: Paul Moore <pmoore@redhat.com> commit b7870b9554baa83e89aa26399b49d426255d8c48 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 17:35:36 2014 -0400 build: add the "check-syntax" target to the autotools build Signed-off-by: Paul Moore <pmoore@redhat.com> commit 0a579bb40aff2d206212e0563190352ce60db3e6 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 17:06:39 2014 -0400 build: add silent build support to automake Signed-off-by: Paul Moore <pmoore@redhat.com> commit 54a87cb7b04049fc2f61238446e8625898e35eb7 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 16:34:22 2014 -0400 build: add headers to all of the autotools files There are also some minor cosmetic tweaks to the files. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 1f4013fe223960231f614431eef13b82c75f85d6 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 15:55:43 2014 -0400 build: cleanup and document the remaining autoconf bits Signed-off-by: Paul Moore <pmoore@redhat.com> commit 3b82469ed95797372d9ec5515cf1518ac4f0b5c8 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 11:41:37 2014 -0400 build: regression test fixes Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/.gitignore commit bb34e96b15a6c8928cabccc2418ef904c24368eb Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 10:24:06 2014 -0400 build: fixup the autotools build flags Signed-off-by: Paul Moore <pmoore@redhat.com> commit fd42fda82ff0732b1b43b738eb0c5dda1381d2e0 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 23 15:50:10 2014 -0400 build: general cleanup and reorganization of the autotools configuration Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/Makefile.am create mode 100644 include/Makefile.am commit e460e96512ebe1a52770cfe4a728b77c70b05443 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 22 17:35:59 2014 -0400 build: cleanup version dependent aspects of the autotools build Signed-off-by: Paul Moore <pmoore@redhat.com> commit 45b7b49a04eafb544e4bd1768b46a407fc696ff9 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 22 10:03:02 2014 -0400 build: enable python bindings support in the autotools framework Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100644 configure.mk commit c92404d08090a67a019776d5478f4dd615306968 Author: Jan Engelhardt <jengelh@inai.de> Date: Tue Jun 18 03:55:08 2013 +0200 build: initial attempt to use autotools as the build system With my apologies to Jan for delaying this patch for so long, there are a number of differences between Jan's original patch and what is being merged in this patch; almost all of the changes are due to changes in the underlying code base, but there are a few minor fixes as well. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100644 Makefile create mode 100644 Makefile.am create mode 100755 autogen.sh delete mode 100755 configure create mode 100644 configure.ac create mode 100644 configure.mk delete mode 100644 doc/Makefile delete mode 100644 include/Makefile delete mode 100644 install.mk delete mode 100644 macros.mk delete mode 100644 src/.gitignore delete mode 100644 src/Makefile create mode 100644 src/Makefile.am delete mode 100644 src/python/Makefile create mode 100644 src/python/Makefile.am delete mode 100644 tests/Makefile create mode 100644 tests/Makefile.am delete mode 100644 tools/Makefile create mode 100644 tools/Makefile.am delete mode 100644 version_info commit eca0c1ecb7b7f7a0d390b3c84f0099f8ce688f27 Author: Paul Moore <pmoore@redhat.com> Date: Mon Apr 28 16:30:58 2014 -0400 tests: remove the fuzz test from more architecture specific tests Signed-off-by: Paul Moore <pmoore@redhat.com> commit acd060a5f87811db59da1d58dbb01757f544df70 Author: Paul Moore <pmoore@redhat.com> Date: Mon Apr 28 14:24:13 2014 -0400 tests: fix 11-basic-basic_errors to work on big endian architectures Signed-off-by: Paul Moore <pmoore@redhat.com> commit 770b11d4d329194d98ab4fe4660fa41c5a08cc8d Author: Paul Moore <pmoore@redhat.com> Date: Fri Apr 25 16:44:14 2014 -0400 tests: remove assumptions about the native architecture A number of the tests made assumptions about the native architecture which would cause problems when there was a byte-ordering mis-match between the native system and the architectures used in the test. Signed-off-by: Paul Moore <pmoore@redhat.com> commit c23be79b7f2fe69e684b3f362ae911aa19e5d1a6 Author: Markos Chandras <markos.chandras@imgtec.com> Date: Fri Apr 25 17:21:20 2014 +0100 tests: Add MIPS BE return codes for live tests Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 0294b5867feddc02661e67a4909ea99e8e4aa082 Author: Markos Chandras <markos.chandras@imgtec.com> Date: Wed Apr 23 16:06:30 2014 +0100 tests: Add new test for big-endian architectures The new test is similar to 23-sim-arch_all_le_basic Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/26-sim-arch_all_be_basic.c create mode 100755 tests/26-sim-arch_all_be_basic.py create mode 100644 tests/26-sim-arch_all_be_basic.tests commit 6b98114f4e4755d1911730fd303cb8e3a1057873 Author: Markos Chandras <markos.chandras@imgtec.com> Date: Wed Apr 23 16:06:29 2014 +0100 tests: Rename 23-sim-arch_all_basic to 23-sim-arch_all_le_basic This test is for little endian architectures, so we rename it to make that clear. This is in preparation for a new test, identical to this one, which will test big-endian architectures. Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100644 tests/23-sim-arch_all_basic.c delete mode 100755 tests/23-sim-arch_all_basic.py delete mode 100644 tests/23-sim-arch_all_basic.tests create mode 100644 tests/23-sim-arch_all_le_basic.c create mode 100755 tests/23-sim-arch_all_le_basic.py create mode 100644 tests/23-sim-arch_all_le_basic.tests commit a7ab522fa9b2d3edcef9cae01df139eb8b7b7d74 Author: Paul Moore <pmoore@redhat.com> Date: Thu Apr 17 16:45:51 2014 -0400 docs: update the CREDITS file Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9013ff76b9f2d4e5b40cedac4a20622aef823c1a Author: Paul Moore <pmoore@redhat.com> Date: Thu Apr 17 12:05:36 2014 -0400 tests: arch specific tests can't be fuzzed on all systems The architecture specific tests can't be "fuzzed" on all architectures, specifically those with a different byte order, as the bpf-sim-fuzz test type relies on the native system. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 6e8f16e0a95a38d5988b68950e996c20eb84865c Author: Paul Moore <pmoore@redhat.com> Date: Thu Apr 17 11:18:18 2014 -0400 build: fix a number of build problems There were three issues that needed fixing: LIBFLAGS was always being cleared, tools/util.o was not being cleaned up correctly, and the arch token for 32-bit x86 was not defined correctly for the tools. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b969e4405c3c27d42937c0ba2fdb3e5fac0e5982 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 15 18:56:44 2014 -0400 tests: support both big and little endian test architectures Replace the "+all" architecture tokens in the test files with the "+all_le" and "+all_be" tokens to represent all the little endian and big endian architectures respectively. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b850d62fefca24446f1cb5558d7154cee0985431 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 15 19:32:01 2014 -0400 tools: fix problems with non-native byte ordering Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tools/util.c create mode 100644 tools/util.h commit 8fd7b920e27a7e6e7681848d31f0495fac42f382 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 15 19:14:11 2014 -0400 db: allow all architectures to be removed from a filter In order to add architectures with byte ordering that differs from the native architecture it is necessary to remove all architectures from a filter. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2b9c637c6834ff377f209bf7f4c829b3a22d7d16 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 15 14:30:04 2014 -0400 python: add MIPS and MIPSEL to the python bindings Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9b119de38267358f6e776e826adad0b1be58ed53 Author: Markos Chandras <markos.chandras@imgtec.com> Date: Tue Apr 15 09:36:36 2014 +0100 arch: Add support for MIPS Little Endian Add support for MIPS 32-bit (O32 ABI) Little Endian Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 87a826b20e9485f6de12404d347b69e98a4ab972 Author: Markos Chandras <markos.chandras@imgtec.com> Date: Tue Apr 15 09:36:35 2014 +0100 arch: Add support for MIPS Big Endian Add support for MIPS 32-bit (O32 ABI) Big Endian Signed-off-by: Markos Chandras <markos.chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-mips-syscalls.c create mode 100644 src/arch-mips.c create mode 100644 src/arch-mips.h commit 3fd039b9f32f0cb7ef4afed8d4bf0f8f93a159d3 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 15 12:34:30 2014 -0400 tests: fix some small spelling mistakes Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2ad075dc8cb33b2a3be905813ad0d30ebf07f862 Author: Paul Moore <pmoore@redhat.com> Date: Tue Apr 15 10:09:03 2014 -0400 tests: add support for valgrind suppressions Add support for valgrind suppressions files to the test tools. As part of this patch include a fix for valgrind 3.9.0 and glibc 2.19. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/valgrind_test.supp commit 330c51a7c484a592eaab7127157d09a55f87f1a2 Author: Kees Cook <keescook@chromium.org> Date: Sat Apr 12 10:51:43 2014 -0700 build: fix use of LIBFLAGS vs LDFLAGS LIBFLAGS are for libraries and LDFLAGS are for linker arguments. Without this change, externally defined LDFLAGS are not correctly imported into the build. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 6c22d386b07f6cb79ed2f50667361915656c9e07 Author: Kees Cook <keescook@chromium.org> Date: Sat Apr 12 10:51:11 2014 -0700 doc: fix typo in scmp_sys_resolver.1 Fixes tiny spelling mistake in scmp_sys_resolver.1. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 01c752ad4c4282f1c576521d40add2895eea07d2 Author: Paul Moore <pmoore@redhat.com> Date: Thu Feb 27 14:12:55 2014 -0500 tests: fix a uninitialized use warning Many, if not all, of the tests had an uninitialized use warning relating to the use of the libseccomp context variable. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 655af28c82c46cd59353a33a8d002b789d1ac5a6 Author: Paul Moore <pmoore@redhat.com> Date: Thu Feb 13 17:51:00 2014 -0500 tests: add basic support for arch specific return values for the live tests Evidently the return value for a killed process can differ between architectures/ABIs due to differences in the SIGSYS value. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 1c3b1b6c241ed64868f8bb7712b65217f548a38f Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 11 10:11:13 2014 -0500 tools: ensure the simulator always has a valid architecture value Without this fix the bpf-sim-fuzz tests might fail as they do not explicitly set the architecture value as part of the test framework. Reported-by: Markos Chandras <Markos.Chandras@imgtec.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 29a7cdd285dac747230b11d8d4039045dc796590 Author: Serge Hallyn <serge.hallyn@ubuntu.com> Date: Mon Feb 10 23:46:16 2014 -0600 doc: fix seccomp_syscall_resolve_name manpage typo Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 61fee77783fd458739eb6104f13d53bddfa389ac Author: Paul Moore <pmoore@redhat.com> Date: Sun Feb 9 07:51:04 2014 -0500 all: resolve issues caused by big endian systems There are two major issues resolved in this patch: proper support for generating BPF on big endian systems, and ensuring we build the BPF correctly when the host system does not share the same endianess as the target platform. Relevant discussion in LKML regarding BPF on big endian systems: https://lkml.org/lkml/2012/4/8/87 Inspired by an earlier patch from Markos Chandras. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 206da04b8b2366d9efb963569bb89fe82ed2d1ba Author: Paul Moore <pmoore@redhat.com> Date: Sun Feb 9 07:29:26 2014 -0500 db: require all filters in a collection to share the same endianess There is almost no good reason why you would need to create a single filter which included architectures/ABIs that did not share the same endianess so explicitly disallow it. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9ca83f455562fe8a972823d0e101cc71a8063547 Author: Paul Moore <pmoore@redhat.com> Date: Sat Feb 8 10:24:05 2014 -0500 bpf: use state->arch instead of db->arch in _gen_bpf_arch() Signed-off-by: Paul Moore <pmoore@redhat.com> commit 5a0453ab97277be18b48305699d7a51fc7cc947d Author: Paul Moore <pmoore@redhat.com> Date: Fri Feb 7 09:05:25 2014 -0500 python: fix runtime problems with Cython 0.20 The uint32_t type used for the arch_token was causing problems with Cython/Python as some (all?) of the arch tokens were considered to be negative numbers. This patch changes the unsigned int type to int to make Cython/Python happy; this should not cause any problems. Signed-off-by: Paul Moore <pmoore@redhat.com> commit dd673b5124b725d4ec531c482d312f7f7fd0b01a Author: Paul Moore <pmoore@redhat.com> Date: Fri Feb 7 07:52:46 2014 -0500 python: fix build problems with Cython 0.20 Resolve the following build problem with Cython 0.20; I've also tested this change on Cython 0.19.2 without problem. >>> Error compiling Cython file: ------------------------------------------------------------ ... Helper function which should only be used internally by SyscallFilter objects and exists for the sole purpose of making it easier to deal with the varadic functions of the libseccomp API, e.g. seccomp_rule_add(). """ return self._arg ^ ------------------------------------------------------------ seccomp.pyx:194:19: Cannot convert 'scmp_arg_cmp' to Python object >>> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2d09a74c7f04d29ae740db1e2187ff1a1886b2c3 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 6 16:43:51 2014 -0500 tools: fix a segfault for invalid syscall numbers Signed-off-by: Paul Moore <pmoore@redhat.com> commit 053bcac036c09966f6b2c8aba38fbcdd3209b63f Author: Paul Moore <pmoore@redhat.com> Date: Tue Nov 12 15:14:41 2013 -0500 api: ensure we return the proper error codes in the syscall resolver functions At some point we may want to expand __NR_SCMP_ERROR out to different error codes, but for right now this seems okay. Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2537127be66891fd42392b581518ad44da6fd6b4 Author: Michael Forney <mforney@mforney.org> Date: Mon Nov 11 14:11:08 2013 -0800 build: allow user to override objdump Signed-off-by: Michael Forney <mforney@mforney.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit f7c11d674d1f0a56c3d282d4de3c28135a7fa081 Author: Andy Lutomirski <luto@amacapital.net> Date: Fri Nov 8 17:09:42 2013 -0800 python: fix a crash when resolve_syscall fails Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> (changed KeyError to ValueError) commit 21d4da247605149e913d6e727354ab3530c2fcd1 Author: Paul Moore <pmoore@redhat.com> Date: Tue Nov 12 12:02:38 2013 -0500 Revert "doc: fix documentation mistakes relating to the syscall resolver functions" This reverts commit 2fa593e06bcb345f0302a5662c82fd542b849f0c. Decided that the better solution is to leave the documentation as-is and change the code instead. commit 2fa593e06bcb345f0302a5662c82fd542b849f0c Author: Paul Moore <pmoore@redhat.com> Date: Mon Nov 11 10:08:41 2013 -0500 doc: fix documentation mistakes relating to the syscall resolver functions Signed-off-by: Paul Moore <pmoore@redhat.com> commit 46a0ab2f1be238d60cbaa491b98f1320b0bf6b9b Author: Andy Lutomirski <luto@amacapital.net> Date: Tue Nov 5 11:36:39 2013 -0800 python: Fix a typo in a comment Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 28a57d88561ae518b1325166022d15eae2a8b908 Author: Andy Lutomirski <luto@amacapital.net> Date: Mon Nov 4 22:10:59 2013 -0800 python: Add docstrings for the ERRNO and TRACE actions Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 255a75c6c92758f3e8434a7fcaebe635904040f2 Author: Paul Moore <pmoore@redhat.com> Date: Thu Oct 31 11:06:06 2013 -0400 build: reset the version for the master branch Signed-off-by: Paul Moore <pmoore@redhat.com> commit 4931e44a5b4ba756236567ced862f5aeb07e4eba Author: Paul Moore <pmoore@redhat.com> Date: Thu Oct 31 11:04:16 2013 -0400 build:revert "build: disable the python bindings for the v2.1.x release" This reverts commit a363a8dfd73821a0086fe985daf8c8e7c81cd8e0. We want to keep this in the master branch. commit 7772ad82a4368be473826615747180b44f286fab Author: Paul Moore <pmoore@redhat.com> Date: Wed Oct 30 16:08:22 2013 -0400 build: update the version number for 2.1.1 Signed-off-by: Paul Moore <pmoore@redhat.com> commit 902f3f254aaa052ca9266363d5f83d75c86bac6c Author: Paul Moore <pmoore@redhat.com> Date: Wed Oct 30 16:02:26 2013 -0400 doc: update the CREDITS and CHANGELOG files Signed-off-by: Paul Moore <pmoore@redhat.com> commit bbac038b75ec9df641e774b470d56d9e0a587850 Author: Paul Moore <pmoore@redhat.com> Date: Tue Oct 22 17:36:55 2013 -0400 api: fix some vertical whitespace mistakes Signed-off-by: Paul Moore <pmoore@redhat.com> commit f95041f5dd08e98f5c5a5a7fb2e5a17da17eb1ef Author: Andy Lutomirski <luto@amacapital.net> Date: Tue Oct 22 09:36:53 2013 -0700 build: Hide non-public symbols Set -fvisibility=hidden and explicitly unhide public APIs. This overrides it with -fvisibility=default for Python because otherwise initseccomp gets hidden and the module won't load. Signed-off-by: Andy Lutomirski <luto@amacapital.net> (minor style fixes and macro renames) Signed-off-by: Paul Moore <pmoore@redhat.com> commit 8e1b4634733dcd59713c43d7d1e53c277767b2fb Author: Andy Lutomirski <luto@amacapital.net> Date: Tue Oct 22 09:35:50 2013 -0700 python: Remove file object support from Arg It's still possible to pass file descriptors into the Arg data, but safe uses are already complicated enough that making the user call fileno() themselves seems reasonable. Signed-off-by: Andy Lutomirski <luto@amacapital.net> (corrected the python test cases to take into account the change) Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9de19061978d990dc9fc25a20e145218cf66806c Author: Paul Moore <pmoore@redhat.com> Date: Mon Oct 21 17:13:47 2013 -0400 tests: fix a problem with the python bindings and the bpf-valgrind tests Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit d0a3b33eb62f31954526689042b8d2e6744518b5 Author: Paul Moore <pmoore@redhat.com> Date: Mon Oct 21 16:00:15 2013 -0400 hash: cleanup the Jenkins hash source to better match our code Style improvements as well as a wrapper function to select the "best" hash for a given situation. Some unused functions were also removed. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 906ab67d32f75ea783e6f5350ae593241154c7e1 Author: Paul Moore <pmoore@redhat.com> Date: Mon Oct 21 10:34:19 2013 -0400 all: apply basic formatting fixes to src/hash.c There is still a lot of style/formatting work that should probably be done to this file, but this cleans it up enough so it passes our basic style checks. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 53dcfa3ff0eadd09adc0925e676f8ba320a1ca30 Author: Paul Moore <pmoore@redhat.com> Date: Fri Oct 18 16:17:59 2013 -0400 all: assorted formatting fixes Since we have a tool to verify the source code style/formatting, let's put it to good use. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 5e85302663fc6dc172b96a34fd4a440676a4d42d Author: Paul Moore <pmoore@redhat.com> Date: Mon Oct 21 10:50:18 2013 -0400 tools: add a basic C style/format checking tool This is far from perfect, but it is something, and it provides an objective answer to "how do I style my code for this project?". Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100755 tools/check-syntax commit 5c10b92a1525325e58ca9b32670f34836f65596d Author: Paul Moore <pmoore@redhat.com> Date: Fri Oct 18 15:46:47 2013 -0400 tests: small typo fix in testdiff Signed-off-by: Paul Moore <pmoore@redhat.com> commit 779801e35c41a17ba6d1e3f55d46b0b097cf130c Author: Paul Moore <pmoore@redhat.com> Date: Thu Oct 17 14:12:30 2013 -0400 bpf: fix a number of valgrind issues This patch fixes a number of uninitialized memory problems caught by valgrind. These aren't the typical uninitialized memory issues, but rather an issue with our block hashing and the structure padding areas not being init/reset. This isn't something that I expect would have caused a lot of problems, but they would have been a major head-scratcher and difficult to reproduce. Signed-off-by: Paul Moore <pmoore@redhat.com> commit c659c39814e65e086a66eeeafbea4b6980b78680 Author: Paul Moore <pmoore@redhat.com> Date: Fri Oct 18 07:57:07 2013 -0400 db: fix a realloc() problem in db_col_merge() Another stupid mistake of mine; we weren't correctly reassigning a pointer after a successful realloc() in db_col_merge(). Signed-off-by: Paul Moore <pmoore@redhat.com> commit fee3e3f7fc1a5a081a8b7b62b2a904d73dcb0628 Author: Paul Moore <pmoore@redhat.com> Date: Fri Sep 6 16:39:19 2013 -0400 db: perform sub-tree "pruning" correctly The existing sub-tree pruning was bad, so very bad. It was obviously broken on 32-bit platforms (our own tests were failing), and somewhat less obviously broken on 64-bit platforms. Reported-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit c2355b09b281111f6197002ade193fd760c3b0a9 Author: Paul Moore <pmoore@redhat.com> Date: Mon Sep 9 14:57:51 2013 -0400 build: enable "make check" to run the regression tests Signed-off-by: Paul Moore <pmoore@redhat.com> commit cad1fefb4689713b18bd29f82c8825150070ca1e Author: Paul Moore <pmoore@redhat.com> Date: Mon Sep 9 15:05:44 2013 -0400 tests: add some scripts to compare test output from different test runs Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100755 tests/testdiff create mode 100755 tests/testgen commit b3fede4d549f0e92a4f4cda0b4c0c12762ae58d1 Author: Paul Moore <pmoore@redhat.com> Date: Fri Oct 18 09:15:26 2013 -0400 tests: make the regression test valgrind mode more useful We don't really need to run valgrind multiple times for each test case, just once should be enough. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 58950121c48693dc086f2856a1ff30fdd0512996 Author: Paul Moore <pmoore@redhat.com> Date: Mon Sep 9 11:29:24 2013 -0400 tests: correct some architecture problems with 25-sim-multilevel_chains_adv The current tests are not safe for non-native architectures. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b411c57b0e05ed569a8d6fb4ee5e53a51d696a0f Author: Paul Moore <pmoore@redhat.com> Date: Mon Oct 7 15:54:25 2013 -0400 build: fixup the "clean" portions of the build process Reported-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 15752e8cf4eb95e463e496de44e005a8b6b24ca8 Author: Paul Moore <pmoore@redhat.com> Date: Tue Sep 3 18:24:37 2013 -0400 tests: return a useful error code from the test harness With this patch the test harness returns 0 if there were no errors or failures detected, positive values if a error or failure was detected. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 3b6b69184196189d3b53ae695c0d130b9cf70784 Author: Paul Moore <pmoore@redhat.com> Date: Thu Sep 12 10:23:17 2013 -0400 build: correct some build dependencies Signed-off-by: Paul Moore <pmoore@redhat.com> commit 4021195b83f6d7fd50c382928cb522feadaea842 Author: Andy Lutomirski <luto@amacapital.net> Date: Tue Oct 8 15:36:13 2013 -0400 python: Add a docstring for the SyscallFilter constructor Cython doesn't support docstrings for __cinit__. This change will (very slightly) slow down construction, but it makes ipython happer. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit cb528e0ed26eb6cf1f308e5f4db784b96610b562 Author: Joe MacDonald <joe@deserted.net> Date: Fri Oct 4 08:25:21 2013 -0400 build: remove quotes in the INSTALL_BIN_MACRO macro The double-quotes around $^ in INSTALL_BIN_MACRO prevented it from being used to install more than a single binary to INSTALL_BIN_DIR at a time. Signed-off-by: Joe MacDonald <joe@deserted.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 70c894341f0b397730c8f3aef56b95c037c7a6e6 Author: Paul Moore <pmoore@redhat.com> Date: Fri Oct 4 08:19:25 2013 -0400 python: improve the argument comparison documentation Expand on the comments made by Andy Lutomirski. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 8af9ba443ff1c678b3f5037ca936f11edc697ae7 Author: Andy Lutomirski <luto@amacapital.net> Date: Fri Oct 4 08:14:30 2013 -0400 python: Improve MASKED_EQ docs It wasn't clear before which datum was the mask and which was the value. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Paul Moore <pmoore@redhat.com> commit a363a8dfd73821a0086fe985daf8c8e7c81cd8e0 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jun 10 16:54:56 2013 -0400 build: disable the python bindings for the v2.1.x release Signed-off-by: Paul Moore <pmoore@redhat.com> commit 909d254a4dcbc5b593c79b565a0e8c2de74c6781 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jun 10 16:53:48 2013 -0400 doc: trim the development stuff from the top of the changelog Signed-off-by: Paul Moore <pmoore@redhat.com> commit 464394b05fc3e34a9854595ef923979752cdd8bd Author: Paul Moore <pmoore@redhat.com> Date: Mon Jun 10 16:52:57 2013 -0400 build: set the version to v2.1.0 Signed-off-by: Paul Moore <pmoore@redhat.com> commit 77b91dc863ef8279741c96f0848062eff64adac3 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jun 10 15:13:14 2013 -0400 doc: update the changelog for the v2.1 release commit 35ec3c71e336300e0cb36a2435499057a96e6a9d Author: Paul Moore <pmoore@redhat.com> Date: Thu May 23 17:06:58 2013 -0400 doc: add a manpage for scmp_sys_resolver Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man1/scmp_sys_resolver.1 commit a90fc8e32cfa66db5602b0c9088dc68f1b88208c Author: Paul Moore <pmoore@redhat.com> Date: Wed May 29 13:57:53 2013 -0400 tools: allow the syscall resolver to resolve both names and numbers Often we need to resolve syscall numbers into syscall names, add this functionality to our existing resolver. Thanks to Eduardo Otubo who originally came up with the idea and inspired this patch. Reported-by: Eduardo Otubo <otubo@linux.vnet.ibm.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit c0d9fc5950fb28adae649b71938368915db31908 Author: Paul Moore <pmoore@redhat.com> Date: Thu May 23 16:51:55 2013 -0400 build: install the scmp_sys_resolver tool Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2408afa7c975216378a254eacacb86925068f77e Author: Paul Moore <pmoore@redhat.com> Date: Thu May 23 16:41:12 2013 -0400 tools: rename some of the tools in preparation for installation Some of the tools are quite handy and would likely be useful for developers incorporating libseccomp into their applications so let's go ahead and namespace the tools in preparation for installing them. Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100644 tools/arch_detect.c delete mode 100644 tools/bpf_disasm.c delete mode 100644 tools/bpf_sim.c create mode 100755 tools/scmp_app_inspector create mode 100644 tools/scmp_arch_detect.c create mode 100644 tools/scmp_bpf_disasm.c create mode 100644 tools/scmp_bpf_sim.c create mode 100644 tools/scmp_sys_resolver.c delete mode 100755 tools/sys_inspector delete mode 100644 tools/sys_resolver.c commit ddb71810c78a9c3d2b20a3b7685aca5c281d1e24 Author: Eduardo Otubo <otubo@linux.vnet.ibm.com> Date: Tue May 7 16:00:50 2013 -0300 api: wrong variable name was failing seccomp_syscall_priority The wrong variable name was erroneous failing the function seccomp_syscall_priority() when trying to set a priority on a negative (pseudo-syscall) is added. Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit b0ed84ca8d4abc88984881049d572f558aaf1838 Author: Paul Moore <pmoore@redhat.com> Date: Mon Apr 22 16:04:23 2013 -0400 bpf: fix the bpf_program struct In a previous commit I reordered the bpf_program struct, and in the process I broke the prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) API. This patch restores the proper bpf_program structure ordering. Signed-off-by: Paul Moore <pmoore@redhat.com> commit e9466c0aa50293418d7244b0b57f586761e4c14f Author: Paul Moore <pmoore@redhat.com> Date: Mon Apr 22 15:58:54 2013 -0400 tests: add a placeholder for 00-test During the course of development there are often times when we want to temporarily add a test; to help with this problem, this patch adds a placeholder for test "00-test" which can be used as a temporary test case. In order to use this, simply copy your temporary test case into the file tests/00-test.c and do the following from the top-level build directory: # make clean all # make -C tests 00-test Signed-off-by: Paul Moore <pmoore@redhat.com> commit 208772e98813a589cf0326e00d10ab48517858dc Author: Paul Moore <pmoore@redhat.com> Date: Fri Apr 19 16:13:42 2013 -0400 all: improved structure ordering/alignment Shuffle some structure fields to improve packing and cacheline ordering. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b29fcac12735967f594223389cd06e41d3d07b48 Author: Paul Moore <pmoore@redhat.com> Date: Fri Apr 19 15:29:50 2013 -0400 all: convert some booleans from ints to bools Make it more obvious that these variables are booleans. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 3bcbcd0389f6e7ee7fba0a3fee4c30e21c3625f0 Author: Paul Moore <pmoore@redhat.com> Date: Fri Apr 19 15:26:49 2013 -0400 db: remove unused macros Signed-off-by: Paul Moore <pmoore@redhat.com> commit 3733174a72365674c856d0bc1b5623ee1cf51346 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 17 14:47:48 2013 -0400 db: correctly compare syscall arguments on 64-bit systems This patch corrects a number of problems on 64-bit systems that were preventing us from correctly comparing the high 32-bit word of a syscall argument in some cases. Reported-by: Thiago Marcos P. Santos <tmpsantos@gmail.com> Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/25-sim-multilevel_chains_adv.c create mode 100755 tests/25-sim-multilevel_chains_adv.py create mode 100644 tests/25-sim-multilevel_chains_adv.tests commit edc3a0dedb72f5ff374c536a740af5e7ba45dbf6 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 17 12:29:17 2013 -0400 pfc: display syscall names instead of numbers in the comments Signed-off-by: Paul Moore <pmoore@redhat.com> commit 17ee994f5f1099c1e81c76feba8fb503deb1f6cb Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 3 13:23:53 2013 -0400 build: ensure that cython 0.16 or higher is installed when building python bindings Our Cython code only builds properly on Cython 0.16 or higher so verify that a proper version of Cython is installed if we are building the Python bindings. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b9ea299f69a15b237fd5f992dbadad0d6b19f768 Author: Paul Moore <pmoore@redhat.com> Date: Wed Apr 3 10:49:05 2013 -0400 bpf: correctly manage the BPF accumulator state We weren't correctly tracking the accumulator state as we built the BPF code, in an effort to fix this we now store the initial state of the accumulator along with the BPF instruction block. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 61fd28b0d8f3c7f3e6eea4091f9551125b4ae8e1 Author: Paul Moore <pmoore@redhat.com> Date: Wed Mar 27 11:42:30 2013 -0400 arch: ensure that we handle x32 correctly when checking the architecture Since x86_64 and x32 share the same seccomp filter architecture token in the kernel we need to do an extra step and verify the syscall number when checking the architecture. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 5d059846f6e7352cf06b74bf2642d86d45970897 Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 19 17:32:57 2013 -0500 tests: add a live test to exercise the syscall argument matching Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/24-live-arg_allow.c create mode 100755 tests/24-live-arg_allow.py create mode 100644 tests/24-live-arg_allow.tests commit cecb030e75f3c996fda0e2753c998e50b92bb09a Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 19 17:26:01 2013 -0500 tests: add a test to exercise the x32 and arm architectures Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/23-sim-arch_all_basic.c create mode 100755 tests/23-sim-arch_all_basic.py create mode 100644 tests/23-sim-arch_all_basic.tests commit 505bf8270ea9dc389580b7c51b356a852bea92e9 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 31 09:26:55 2013 -0500 tests: minor fixups due to the new arch support Signed-off-by: Paul Moore <pmoore@redhat.com> commit adac51bd79a2c289355ef53cb804b524427a0c96 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jan 30 14:50:31 2013 -0500 tests: add support for the x32 and arm architectures Signed-off-by: Paul Moore <pmoore@redhat.com> commit a3c6fffd7d883f889e01f3d662edbad15a62a209 Author: Paul Moore <pmoore@redhat.com> Date: Mon Feb 11 13:43:21 2013 -0500 tools: add a new architecture detection tool Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tools/arch_detect.c commit 75ee9e71f858b183d9649755722f0ed4e67de923 Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 19 14:27:03 2013 -0500 arch: leverage the x86_64 syscall table in x32 Since the Linux Kernel really uses the same syscall table for both x86_64 and x32 we should do the same and make life easier. Signed-off-by: Paul Moore <pmoore@redhat.com> commit ab53042bbfc6a9a14d9e24b4944568c2c3c5e954 Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 19 12:39:11 2013 -0500 arch: remove direct access to the syscall tables We may not always want to have statically defined syscall tables, e.g. x32, so create a series of functions to access the syscall tables which should provide us some flexibility. Signed-off-by: Paul Moore <pmoore@redhat.com> commit ab8d762e398577a65fb588c6fcf8d43c85bf23dc Author: Paul Moore <pmoore@redhat.com> Date: Wed Jan 30 10:38:59 2013 -0500 arch: rename arch-i386* to arch-x86* No code chanages here, just an effort to improve naming consistency a bit. Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100644 src/arch-i386-syscalls.c delete mode 100644 src/arch-i386.c delete mode 100644 src/arch-i386.h create mode 100644 src/arch-x86-syscalls.c create mode 100644 src/arch-x86.c create mode 100644 src/arch-x86.h commit 161f00d9ec6beb35b9517de3aff000208fe002c4 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jan 30 10:37:30 2013 -0500 tools: trim unsupported architectures from the BPF simulator Signed-off-by: Paul Moore <pmoore@redhat.com> commit db440d1e4fb6b620d8e4f4463036fbc89986fb9d Author: Paul Moore <pmoore@redhat.com> Date: Fri Jul 20 16:22:36 2012 -0400 arch: add basic ARM support Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-arm-syscalls.c create mode 100644 src/arch-arm.c create mode 100644 src/arch-arm.h commit e9b5a6eb238856bf73f53890119aab559afcb0f0 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 28 18:00:24 2013 -0500 arch: add basic x32 support Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-x32-syscalls.c create mode 100644 src/arch-x32.c create mode 100644 src/arch-x32.h commit 0dd63c16e5be76a1f6d0c1e4d9f06f8a700d75f8 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 31 09:07:44 2013 -0500 bpf: fix a problem with duplicate syscalls across architectures Normally the DB layer handles duplicate syscalls, but in the case of multiple architectures we can hit a scenario where we do have multiple syscalls with the same syscall number and duplicate BPF hash values; this can cause significant problems when trying to do the final BPF generation/block-assembly. This patch allows duplicate BPF blocks in certain cases - most importantly syscalls - to resolve this problem. Signed-off-by: Paul Moore <pmoore@redhat.com> commit bb6075384f8cf3286d3109222a2d022ac730ef6a Author: Paul Moore <pmoore@redhat.com> Date: Wed Jan 30 15:33:39 2013 -0500 bpf: support multiple architectures sharing the same BPF arch token This is necessary for x32 support. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7d04a6cf698b2ac9e2fd2a80d1ffb356dfe5d370 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jan 29 10:18:07 2013 -0500 arch: disconnect the BPF arch token from the libseccomp token Unfortunately, the x32 ABI shares the same architecture token with x86_64 in the kernel so we need to separate the arch token we use in the BPF filter with the arch token we use for idenitfying the arch/ABI to libseccomp callers. Signed-off-by: Paul Moore <pmoore@redhat.com> commit e086d439fe8a5cc428de1144d3ee13ea71da5121 Author: Vitaly Vi Shukela <vi0oss@gmail.com> Date: Tue Mar 26 17:22:08 2013 -0400 tests: add 22-sim-basic_chains_array Like 03-sim-basic_chains, but with seccomp_rule_add_array instead of seccomp_rule_add. Signed-off-by: Vitaly Vi Shukela <vi0oss@gmail.com> Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/22-sim-basic_chains_array.c create mode 100755 tests/22-sim-basic_chains_array.py create mode 100644 tests/22-sim-basic_chains_array.tests commit ff207702dce7a3191e1509870f887bdd1f84b118 Author: Vitaly Vi Shukela <vi0oss@gmail.com> Date: Tue Mar 26 10:58:31 2013 -0400 doc: document seccomp_rule_add_array* Signed-off-by: Vitaly Vi Shukela <vi0oss@gmail.com> Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_rule_add_array.3 create mode 100644 doc/man/man3/seccomp_rule_add_exact_array.3 commit 10e75c277a14ce7ea4f03ba13042a915f1439060 Author: Vitaly Vi Shukela <vi0oss@gmail.com> Date: Tue Mar 26 10:58:28 2013 -0400 api: Add array versions of seccomp_rule_add functions Signed-off-by: Vitaly Vi Shukela <vi0oss@gmail.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 746ee19e3e253ce7580a2aad0d03e51029d2259f Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 19 17:54:35 2013 -0500 tests: add the execute bit to some python tests Signed-off-by: Paul Moore <pmoore@redhat.com> mode change 100644 => 100755 tests/20-live-basic_die.py mode change 100644 => 100755 tests/21-live-basic_allow.py commit 18dc5c0827f72df92b2c3637f715c1ccc9005ebf Author: Paul Moore <pmoore@redhat.com> Date: Thu Feb 14 11:08:37 2013 -0500 api: ensure filter chains are preserved with multiple architectures We currently have a bug where an architecture that mangles the filter chain could affect the filter chain of other architectures. This patch corrects this problem by ensuring that each architecture that mangles the filter chain does so only with a private copy of the filter chain. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 9108121a9e230c45796967cb6c426d4baaf50df1 Author: Paul Moore <pmoore@redhat.com> Date: Wed Feb 6 12:19:10 2013 -0500 tests: add some basic live tests Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/20-live-basic_die.c create mode 100644 tests/20-live-basic_die.py create mode 100644 tests/20-live-basic_die.tests create mode 100644 tests/21-live-basic_allow.c create mode 100644 tests/21-live-basic_allow.py create mode 100644 tests/21-live-basic_allow.tests commit 85d1b10aa40a471bb437f9f84c1c2e8791862291 Author: Paul Moore <pmoore@redhat.com> Date: Mon Feb 4 11:52:13 2013 -0500 tests: enable the "live" test type This test type enables the creation of "live", not simulated, tests which can be used to verify proper operation of the library on systems that support seccomp mode 2. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 50f8b6261416a8f92329e4e9d2c1ae2a044d3707 Author: Paul Moore <pmoore@redhat.com> Date: Wed Feb 6 11:31:45 2013 -0500 tests: rename the tests to make it clear which are simulator/basic/live based This patch only renames files, it makes not changes to the content. Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100644 tests/01-allow.c delete mode 100755 tests/01-allow.py delete mode 100644 tests/01-allow.tests create mode 100644 tests/01-sim-allow.c create mode 100755 tests/01-sim-allow.py create mode 100644 tests/01-sim-allow.tests delete mode 100644 tests/02-basic.c delete mode 100755 tests/02-basic.py delete mode 100644 tests/02-basic.tests create mode 100644 tests/02-sim-basic.c create mode 100755 tests/02-sim-basic.py create mode 100644 tests/02-sim-basic.tests delete mode 100644 tests/03-basic-chains.c delete mode 100755 tests/03-basic-chains.py delete mode 100644 tests/03-basic-chains.tests create mode 100644 tests/03-sim-basic_chains.c create mode 100755 tests/03-sim-basic_chains.py create mode 100644 tests/03-sim-basic_chains.tests delete mode 100644 tests/04-multilevel-chains.c delete mode 100755 tests/04-multilevel-chains.py delete mode 100644 tests/04-multilevel-chains.tests create mode 100644 tests/04-sim-multilevel_chains.c create mode 100755 tests/04-sim-multilevel_chains.py create mode 100644 tests/04-sim-multilevel_chains.tests delete mode 100644 tests/05-long-jumps.c delete mode 100755 tests/05-long-jumps.py delete mode 100644 tests/05-long-jumps.tests create mode 100644 tests/05-sim-long_jumps.c create mode 100755 tests/05-sim-long_jumps.py create mode 100644 tests/05-sim-long_jumps.tests delete mode 100644 tests/06-actions.c delete mode 100755 tests/06-actions.py delete mode 100644 tests/06-actions.tests create mode 100644 tests/06-sim-actions.c create mode 100755 tests/06-sim-actions.py create mode 100644 tests/06-sim-actions.tests delete mode 100644 tests/07-db-bug-looping.c delete mode 100755 tests/07-db-bug-looping.py delete mode 100644 tests/07-db-bug-looping.tests create mode 100644 tests/07-sim-db_bug_looping.c create mode 100755 tests/07-sim-db_bug_looping.py create mode 100644 tests/07-sim-db_bug_looping.tests create mode 100644 tests/08-sim-subtree_checks.c create mode 100755 tests/08-sim-subtree_checks.py create mode 100644 tests/08-sim-subtree_checks.tests delete mode 100644 tests/08-subtree-checks.c delete mode 100755 tests/08-subtree-checks.py delete mode 100644 tests/08-subtree-checks.tests create mode 100644 tests/09-sim-syscall_priority_pre.c create mode 100755 tests/09-sim-syscall_priority_pre.py create mode 100644 tests/09-sim-syscall_priority_pre.tests delete mode 100644 tests/09-syscall-priority-pre.c delete mode 100755 tests/09-syscall-priority-pre.py delete mode 100644 tests/09-syscall-priority-pre.tests create mode 100644 tests/10-sim-syscall_priority_post.c create mode 100755 tests/10-sim-syscall_priority_post.py create mode 100644 tests/10-sim-syscall_priority_post.tests delete mode 100644 tests/10-syscall-priority-post.c delete mode 100755 tests/10-syscall-priority-post.py delete mode 100644 tests/10-syscall-priority-post.tests create mode 100644 tests/11-basic-basic_errors.c create mode 100755 tests/11-basic-basic_errors.py create mode 100644 tests/11-basic-basic_errors.tests delete mode 100644 tests/11-basic-errors.c delete mode 100755 tests/11-basic-errors.py delete mode 100644 tests/11-basic-errors.tests delete mode 100644 tests/12-basic-masked-ops.c delete mode 100755 tests/12-basic-masked-ops.py delete mode 100644 tests/12-basic-masked-ops.tests create mode 100644 tests/12-sim-basic_masked_ops.c create mode 100755 tests/12-sim-basic_masked_ops.py create mode 100644 tests/12-sim-basic_masked_ops.tests delete mode 100644 tests/13-attrs.c delete mode 100755 tests/13-attrs.py delete mode 100644 tests/13-attrs.tests create mode 100644 tests/13-basic-attrs.c create mode 100755 tests/13-basic-attrs.py create mode 100644 tests/13-basic-attrs.tests delete mode 100644 tests/14-reset.c delete mode 100755 tests/14-reset.py delete mode 100644 tests/14-reset.tests create mode 100644 tests/14-sim-reset.c create mode 100755 tests/14-sim-reset.py create mode 100644 tests/14-sim-reset.tests create mode 100644 tests/15-basic-resolver.c create mode 100755 tests/15-basic-resolver.py create mode 100644 tests/15-basic-resolver.tests delete mode 100644 tests/15-resolver.c delete mode 100755 tests/15-resolver.py delete mode 100644 tests/15-resolver.tests delete mode 100644 tests/16-arch-basic.c delete mode 100755 tests/16-arch-basic.py delete mode 100644 tests/16-arch-basic.tests create mode 100644 tests/16-sim-arch_basic.c create mode 100755 tests/16-sim-arch_basic.py create mode 100644 tests/16-sim-arch_basic.tests delete mode 100644 tests/17-arch-merge.c delete mode 100755 tests/17-arch-merge.py delete mode 100644 tests/17-arch-merge.tests create mode 100644 tests/17-sim-arch_merge.c create mode 100755 tests/17-sim-arch_merge.py create mode 100644 tests/17-sim-arch_merge.tests delete mode 100644 tests/18-basic-whitelist.c delete mode 100755 tests/18-basic-whitelist.py delete mode 100644 tests/18-basic-whitelist.tests create mode 100644 tests/18-sim-basic_whitelist.c create mode 100755 tests/18-sim-basic_whitelist.py create mode 100644 tests/18-sim-basic_whitelist.tests delete mode 100644 tests/19-missing-syscalls.c delete mode 100755 tests/19-missing-syscalls.py delete mode 100644 tests/19-missing-syscalls.tests create mode 100644 tests/19-sim-missing_syscalls.c create mode 100755 tests/19-sim-missing_syscalls.py create mode 100644 tests/19-sim-missing_syscalls.tests commit f8cfd96455081b70b4a5d91e1972c9055b46a5e0 Author: Paul Moore <pmoore@redhat.com> Date: Mon Feb 4 11:43:07 2013 -0500 tests: allow the selective running of test types Signed-off-by: Paul Moore <pmoore@redhat.com> commit 1387eb6ab43cf9073426463c577bac3f73b84470 Author: Paul Moore <pmoore@redhat.com> Date: Tue Feb 5 17:23:38 2013 -0500 tests: improve the flexibility of the test logging Improve the test logging by separating the stdout and stderr logging and make both more comprehensive. Signed-off-by: Paul Moore <pmoore@redhat.com> commit a15655caa2a6ecfe3654d4b8ad8d61e6792e4bb3 Author: Paul Moore <pmoore@redhat.com> Date: Mon Feb 4 13:02:11 2013 -0500 tests: fix the error reporting with the basic test type Signed-off-by: Paul Moore <pmoore@redhat.com> commit 6e1c0839056e853f5503625d50b65a75294e6d25 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 28 16:11:30 2013 -0500 api: add an API to query version information Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 include/.gitignore delete mode 100644 include/seccomp.h create mode 100644 include/seccomp.h.in commit e6e6a278be9a922945e916df640665e7269e0269 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 28 10:50:58 2013 -0500 doc: update the master CHANGELOG for the v2.0.0 release Signed-off-by: Paul Moore <pmoore@redhat.com> commit 05807bd29232bb811f3d8cd6b73de1f2e3047457 Author: Paul Moore <pmoore@redhat.com> Date: Fri Jan 25 14:00:24 2013 -0500 api: revert the change to the SCMP_SYS() macro It turns out that it is fairly common for people to use SCMP_SYS() as a constant/initializer so the change to have it point at a function breaks a few things. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 92edc180e0405835ec319edf9212a0e44cd49479 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 24 16:36:07 2013 -0500 doc: escape some manpage dashes/minus-signs Reported-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit bb3cc144d5ef50788094828ceedebf3b8a073c27 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 24 15:37:25 2013 -0500 tools: remove the old syscall resolver script The new syscall resolver program which leverages the internal syscall tables is much better suited to our mult-arch capabilities so were just going to drop this script. Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100755 tools/sys_resolver.sh commit 6c8fdd0eef7b59d81e3cdee376831b4c9cdb0134 Author: Kees Cook <keescook@chromium.org> Date: Wed Jan 23 14:13:33 2013 -0800 tests: fix x86 tests to skip write The 14-reset test on x86 wasn't correctly skipping the "write" sycall (number 4). This moves the ranges over by one to line up correctly. Without this, "regression -b 14-reset -s 007" would always fail. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit d4765e872b1c9b3b0ae712e1beba9474bbae3aa2 Author: Paul Moore <pmoore@redhat.com> Date: Wed Jan 23 13:59:16 2013 -0500 doc: update the CHANGELOG Signed-off-by: Paul Moore <pmoore@redhat.com> commit f38160bed5e31b421e803df490981e56e0216e0c Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 21 15:34:02 2013 -0500 tests: test for missing syscalls on an architecture Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/19-missing-syscalls.c create mode 100755 tests/19-missing-syscalls.py create mode 100644 tests/19-missing-syscalls.tests commit affce10eef52b1bcd7d15ce8e572272f8c0b6d56 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jan 22 17:10:30 2013 -0500 tests: remove arch specific code from the tests when possible Signed-off-by: Paul Moore <pmoore@redhat.com> commit d76450119d16a92eb313be09612856cc7b34713f Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 21 16:56:52 2013 -0500 arch: ensure full syscall coverage across x86 and x86_64 This patch ensures that you can create non-native filters using syscalls not present in the native architecture. Signed-off-by: Paul Moore <pmoore@redhat.com> commit feb4661dddca8442bff27f5431472d020d530412 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 21 14:26:00 2013 -0500 tests: enable multi-arch testing for some of the existing tests Signed-off-by: Paul Moore <pmoore@redhat.com> commit 669c52fe44063c4634b3cfa072708a842526ef2e Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 21 14:05:54 2013 -0500 tests: do some cleanup and assorted changes in the regression script Random changes, including but not limited to: - Fix test numbering, again, as I screwed it up a bit last time - Use $(...) consistently for sub-shells - Comment tweaks - Added some verify_deps checks - Cleaned up some of the output formatting in the test functions Signed-off-by: Paul Moore <pmoore@redhat.com> commit ca7275e851714608efafbfb76dada0768c89b986 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 17 11:44:05 2013 -0500 tests: support running tests on all supported architectures Signed-off-by: Paul Moore <pmoore@redhat.com> commit fc8d50b97fd391deccaed932d07df26959e81f1b Author: Paul Moore <pmoore@redhat.com> Date: Fri Jan 18 15:15:08 2013 -0500 tools: allow sys_resolver to translate syscalls Normally sys_resolver does not translate syscalls which means that in some cases, e.g. socket() on x86, the returned syscall number could be a negative number (__PNR_socket). This patch adds a new option, '-t', which causes sys_resolver to attempt to do the translation and return the translated syscall number instead, e.g. socketcall() for socket() on x86. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 69fc22101affc5defe9bd52b34384d63f09f41ec Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 17 10:47:03 2013 -0500 tests: allow the regression script to run multiple test modes Signed-off-by: Paul Moore <pmoore@redhat.com> commit 151c372e25935ee5d02aa1c0cca9dc91faaa88cd Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 17 10:21:00 2013 -0500 tests: reduce the number of fuzz tests Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7c8111d5c00f440200ed4eddce92076f5e045562 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jan 17 10:26:25 2013 -0500 tests: start the fuzz tests at zero like the other tests Also remove some dead code while we are in there making changes. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 37700ac08d01fb8d8d8448f4a46591bbe1020043 Author: Paul Moore <pmoore@redhat.com> Date: Thu Nov 8 10:39:12 2012 -0500 tests: add a basic whitelist test Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/18-basic-whitelist.c create mode 100755 tests/18-basic-whitelist.py create mode 100644 tests/18-basic-whitelist.tests commit ce7bb153c6253b0a33beb1ddd1a7bf775c27c65d Author: Paul Moore <pmoore@redhat.com> Date: Wed Jan 16 15:01:07 2013 -0500 build: quiet the build INFO messages during verbose builds The ">> INFO: ..." messages aren't needed in verbose builds. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 7f103093598d9c13eb9037e537969b146b6edf91 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 7 18:25:38 2013 -0500 api: use the syscall resolver API in the SCMP_SYS() macro Signed-off-by: Paul Moore <pmoore@redhat.com> commit f2c375212425f1bd33bb5df318b8156f53fdef33 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 7 18:16:26 2013 -0500 tests: add tests for the new syscall resolver APIs Signed-off-by: Paul Moore <pmoore@redhat.com> commit c190887dd7f8863729faea78eef1ad9df20ad773 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 7 17:56:58 2013 -0500 doc: add the manpages for the new syscall resolving APIs Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_syscall_resolve_name_arch.3 create mode 100644 doc/man/man3/seccomp_syscall_resolve_num_arch.3 commit 6220c8c0fc479d97b6d3e3166a4e46fbfe25a3c0 Author: Paul Moore <pmoore@redhat.com> Date: Sun Jan 6 16:34:21 2013 -0500 api: add syscall resolution functions that take an architecture argument Similar to the existing seccomp_syscall_resolve_name() function, but they work for arbitrary architectures (assuming libseccomp support of course) and not just the native architecture. Signed-off-by: Paul Moore <pmoore@redhat.com> commit aeac2736f600f887b42e4aca83ae6b466725aec2 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jan 15 14:29:22 2013 -0500 tests: fix 16-arch-basic.py Fix the following problem: Traceback (most recent call last): File "./16-arch-basic.py", line 47, in <module> ctx = test(args) File "./16-arch-basic.py", line 33, in test if not Arch.system() == Arch.X86: TypeError: descriptor 'system' of 'seccomp.Arch' object needs an argument Signed-off-by: Paul Moore <pmoore@redhat.com> commit d69be167cde617fee9a0d81098c707b60be4cdf8 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jan 15 10:11:17 2013 -0500 tests: update 05-long-jumps.py to match the C version Signed-off-by: Paul Moore <pmoore@redhat.com> commit e4178f92dfb225c2678b91ffd80fb6d72a52c1ea Author: Paul Moore <pmoore@redhat.com> Date: Mon Jan 14 16:54:46 2013 -0500 build: fix the makefile verbosity Signed-off-by: Paul Moore <pmoore@redhat.com> commit 06b3ec77c57ce58d1b3ebb97cb81867d542a4979 Author: Kees Cook <kees@ubuntu.com> Date: Mon Dec 10 11:47:26 2012 -0500 doc: fix up unescaped minus signs in man-pages Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit ca646d40343462d5d9f593a97297550a856b3352 Author: Thiago Marcos P. Santos <thiago.santos@intel.com> Date: Tue Dec 4 21:44:59 2012 +0200 doc: fix seccomp_syscall_resolve_name manpage Signed-off-by: Thiago Marcos P. Santos <thiago.santos@intel.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 27f5c8598d3415faf901a8a9e714ee0ef0ca3875 Author: Paul Moore <pmoore@redhat.com> Date: Mon Nov 26 11:20:55 2012 -0500 api: add an API to query the system's architecture In C we add seccomp_arch_native(void), in Python we add Arch.system(). Both functions return an architecture token value. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_arch_native.3 commit 300d5f23017233945a741c85038649466e30ee9c Author: Paul Moore <pmoore@redhat.com> Date: Tue Nov 20 12:38:30 2012 -0500 arch: fix the i386 ipc syscalls Correct all of the i386 ipc syscalls using glibc sources as a reference. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 81467a79a78eab769775e995334b4a774ae5e5aa Author: Paul Moore <pmoore@redhat.com> Date: Tue Nov 20 12:26:32 2012 -0500 arch: fix the i386 socket syscalls Correct all of the i386 socket syscalls via the socketcall() syscall using the glibc and kernel sources as a reference. Signed-off-by: Paul Moore <pmoore@redhat.com> commit c592b3e3a596b85b52333d5d62e8daec28efe429 Author: Paul Moore <pmoore@redhat.com> Date: Mon Nov 12 16:36:38 2012 -0500 doc: update the CHANGELOG for the 1.0.1 release Signed-off-by: Paul Moore <pmoore@redhat.com> commit 90882e79996a9212472215a3325141784e964791 Author: Paul Moore <pmoore@redhat.com> Date: Thu Nov 8 11:38:38 2012 -0500 bpf: fix a problem when creating filters that include syscall arguments In some cases when generating BPF filters, if a particular argument chain did not match, the filter would fall through to the default action for the architecture instead of checking on other argument chains for the same syscall. This patch corrects this problem by ensuring that all argument chains are evaluated. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 3dcf596c8bda4e165c3e392a0f8538c649095804 Author: Paul Moore <pmoore@redhat.com> Date: Thu Nov 8 11:38:38 2012 -0500 bpf: fix a problem when creating filters that include syscall arguments In some cases when generating BPF filters, if a particular argument chain did not match, the filter would fall through to the default action for the architecture instead of checking on other argument chains for the same syscall. This patch corrects this problem by ensuring that all argument chains are evaluated. Signed-off-by: Paul Moore <pmoore@redhat.com> commit c60d96f4f6b2fb0af6d101e94908ac21db457d6b Author: Paul Moore <pmoore@redhat.com> Date: Thu Nov 8 09:53:26 2012 -0500 bpf: fix a problem with small filters Signed-off-by: Paul Moore <pmoore@redhat.com> commit 6c116be02202ef9788e9859b151d5027c6424888 Author: Paul Moore <pmoore@redhat.com> Date: Sun Nov 11 18:55:54 2012 -0500 tests: fix a problem with the correct results for 08-subtree-checks Signed-off-by: Paul Moore <pmoore@redhat.com> commit 4d978ebac97c1ab6084681753b4474dd48d8fe6f Author: Paul Moore <pmoore@redhat.com> Date: Mon Nov 12 10:49:27 2012 -0500 tests: shrink the 05-long-jumps tests The existing test is too large to fit within the standard Linux Kernel BPF size limit if generated correctly so shrink it so we don't run into size problems. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 4d72af73857813b5a35e1d984e6b30fe616d05cd Author: Paul Moore <pmoore@redhat.com> Date: Tue Nov 6 16:13:51 2012 -0500 tests: enable running non-native architecture tests Support running non-native architecture tests buy prefixing the architecture with a "+" in the test file. Example: test type: bpf-sim 00-test +x86 read N N N N N N 00-test +x86_64 read N N N N N N Signed-off-by: Paul Moore <pmoore@redhat.com> commit f2e5bd048894ec53cdee9ec00911ca206f09b43b Author: Paul Moore <pmoore@redhat.com> Date: Tue Nov 6 17:30:07 2012 -0500 tools: make the sys_resolver tool work for non-native architectures In order to test non-native architectures using our existing regression test infrastructure and BPF simulator we need to be able to resolve syscall names on arbitrary architectures. This patch moves aside the existing bash script and replaces it with a small C progream which uses some internal libseccomp routines to resolve the syscall. Signed-off-by: Paul Moore <pmoore@redhat.com> delete mode 100755 tools/sys_resolver create mode 100644 tools/sys_resolver.c create mode 100755 tools/sys_resolver.sh commit e72c5080f11df86d7a501ed0e0b6e563f12d61b8 Author: Paul Moore <pmoore@redhat.com> Date: Thu Oct 4 15:38:19 2012 -0400 tests: add python versions of the existing tests Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100755 tests/01-allow.py create mode 100755 tests/02-basic.py create mode 100755 tests/03-basic-chains.py create mode 100755 tests/04-multilevel-chains.py create mode 100755 tests/05-long-jumps.py create mode 100755 tests/06-actions.py create mode 100755 tests/07-db-bug-looping.py create mode 100755 tests/08-subtree-checks.py create mode 100755 tests/09-syscall-priority-pre.py create mode 100755 tests/10-syscall-priority-post.py create mode 100755 tests/11-basic-errors.py create mode 100755 tests/12-basic-masked-ops.py create mode 100755 tests/13-attrs.py create mode 100755 tests/14-reset.py create mode 100755 tests/15-resolver.py create mode 100755 tests/16-arch-basic.py create mode 100755 tests/17-arch-merge.py commit 2f087c90a863a0cb12343b8f0be1c2e754ceda85 Author: Paul Moore <pmoore@redhat.com> Date: Thu Oct 4 14:45:02 2012 -0400 tests: add basic support for python tests Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/util.py commit 62c6598e23a0b52e3687751d652e9e21e1920fc4 Author: Paul Moore <pmoore@redhat.com> Date: Thu Aug 2 18:37:55 2012 -0400 api: add Python bindings via Cython This patch adds Python bindings using Cython, see http://www.cython.org for more information. There are also some minor tweaks to the build macros while we are mucking around in macros.mk; nothing major. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/python/.gitignore create mode 100644 src/python/Makefile create mode 100644 src/python/libseccomp.pxd create mode 100644 src/python/seccomp.pyx create mode 100644 src/python/setup.py commit 9ccbd8d4465f57a28e734d1fcf589107bc6f779e Author: Paul Moore <pmoore@redhat.com> Date: Fri Sep 28 11:21:30 2012 -0400 docs: add manpages for the seccomp_arch_{exist,add,remove}() and seccomp_merge() API Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_arch_add.3 create mode 100644 doc/man/man3/seccomp_arch_exist.3 create mode 100644 doc/man/man3/seccomp_arch_remove.3 create mode 100644 doc/man/man3/seccomp_merge.3 commit a89fc8901fe263acffad26ec397000ad1bd6e736 Author: Paul Moore <pmoore@redhat.com> Date: Thu Sep 27 15:18:57 2012 -0400 tests: add tests for the new multi-arch/filter support Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/16-arch-basic.c create mode 100644 tests/16-arch-basic.tests create mode 100644 tests/17-arch-merge.c create mode 100644 tests/17-arch-merge.tests commit e81a7f37489d5715f6a429678f5585f7019d0469 Author: Paul Moore <pmoore@redhat.com> Date: Mon Sep 24 12:28:59 2012 -0400 api: add support for multiple architectures Add the seccomp_arch_add() and seccomp_arch_remove() functions to add and remove architectures from the filter. This patch also adds the seccomp_merge() function which merges two filter contexts together assuming there is no architecture conflicts. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 18f9aa8bb547b55d1eb53025b21cdd07194d4c06 Author: Paul Moore <pmoore@redhat.com> Date: Tue Sep 25 18:06:39 2012 -0400 api: disable certain operations with multiple architectures Certain operations don't make sense with multiple architectures so we disable them only when more than one architecture has been added to the given filter. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 6ebd717ad64d51eaca892026e937e6da866b0f94 Author: Paul Moore <pmoore@redhat.com> Date: Fri Sep 21 12:07:02 2012 -0400 pfc: provide basic multiple arch/filter support Add support for multiple architectures/filters to the PFC filter generation code. This patch also cleans up the PFC output a bit in hopes of making it more readable and consistent. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b3416eb2d7295b8f217eeaf0f5213a9ea5f9e202 Author: Paul Moore <pmoore@redhat.com> Date: Thu Sep 20 16:27:41 2012 -0400 bpf: remove _gen_bpf_chain_lvl() Since only _gen_bpf_chain() called _gen_bpf_chain_lvl() move the function inside _gen_bpf_chain(). Signed-off-by: Paul Moore <pmoore@redhat.com> commit d73651f1d7b17a91a56e7e9639f281e5f581a034 Author: Paul Moore <pmoore@redhat.com> Date: Tue Aug 28 15:05:31 2012 -0400 bpf: provide basic multiple arch/filter support Add support for multiple architectures/filters to the BPF filter generation code. While this patch passes all the single filter regression tests, it wouldn't surprise me if additional fixes were needed once we actually start using multiple filters. This patch also brings the architecture check and action into the instruction block hashing mechanism which means a slight reduction in BPF code size for most filters. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2bc4a32037649359df0d04e5b308ada77dc01225 Author: Paul Moore <pmoore@redhat.com> Date: Mon Aug 27 19:21:12 2012 -0400 db: enable basic filter collection support In order to support systems that can run applications from multiple architectures we need to be able to support multiple filter DBs; were calling this "filter collections". This patch adds the basic collection support such that it passes all of the existing tests; further work may be necessary once we start using the multiple filter capabilities. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 5bd86eb56fb4fcc1d82bb199cf8ab580dff82133 Author: Paul Moore <pmoore@redhat.com> Date: Mon Aug 27 14:37:20 2012 -0400 arch: provide the basic infrastructure for non-native architecture support Add the arch_syscall_translate() function which converts the syscall table from the native architecture to the desired architecture. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 src/arch-x86_64.c commit 9afd17fe656489854597dc73ae61c0eaf69f8c61 Author: Paul Moore <pmoore@redhat.com> Date: Thu Aug 16 11:08:27 2012 -0400 arch: add support for syscall name resolution Provide syscall name to syscall number resolution. Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 doc/man/man3/seccomp_syscall_resolve_name.3 create mode 100644 src/arch-i386-syscalls.c create mode 100644 src/arch-x86_64-syscalls.c create mode 100644 tests/15-resolver.c create mode 100644 tests/15-resolver.tests commit 2bdeb486149b446c333f9ba9b220af53270d967d Author: Paul Moore <pmoore@redhat.com> Date: Tue Sep 25 16:36:11 2012 -0400 api: fix some comments in seccomp.h Signed-off-by: Paul Moore <pmoore@redhat.com> commit 71ef2d4c95b33d2cdd9a3c17c286ba4371660c30 Author: Paul Moore <pmoore@redhat.com> Date: Thu Sep 27 16:29:58 2012 -0400 arch: fix a problem with filter rewrites for 32 bit x86 architectures Signed-off-by: Paul Moore <pmoore@redhat.com> commit 5acf31d97f9d11c93ce0d7e346c6696545d0e338 Author: Paul Moore <pmoore@redhat.com> Date: Thu Sep 20 16:45:09 2012 -0400 db: fix a compile time warning Signed-off-by: Paul Moore <pmoore@redhat.com> commit f08622cda8ff41d8d77d70ab034ab26413289013 Author: Paul Moore <pmoore@redhat.com> Date: Thu Sep 20 10:34:31 2012 -0400 db: fix a 64bit filter DB problem Fix a problem when generating 64bit filters where the individual nodes were overly connected, making some of the optimizations ineffective. This fix should result in smaller filters on 64bit systems that use syscall argument filtering. The examples below were taken from the 08-subtree-checks test. Before this patch (incorrect): # filter code for syscall #1006 (priority: 65529) if ($syscall != 1006) goto syscal_1006_end; if ($a1.hi32 == 0) if ($a1.lo32 == 1) if ($a2.hi32 == 0) if ($a2.lo32 == 2) action ALLOW; else action ALLOW; else if ($a2.hi32 == 0) if ($a2.lo32 == 0) action ALLOW; syscall_1006_end: After this patch (correct): # filter code for syscall #1006 (priority: 65531) if ($syscall != 1006) goto syscal_1006_end; if ($a1.hi32 == 0) if ($a1.lo32 == 1) if ($a2.hi32 == 0) if ($a2.lo32 == 2) action ALLOW; else action ALLOW; syscall_1006_end: Signed-off-by: Paul Moore <pmoore@redhat.com> commit c495484d82d71fd52d2387165bc233fc1a689ab4 Author: Paul Moore <pmoore@redhat.com> Date: Tue Sep 18 16:15:25 2012 -0400 db: fix some memory leaks in the filter DB code Fix the following memory leaks, found via valgrind, when running the 08-subtree-checks test. HEAP SUMMARY: in use at exit: 280 bytes in 4 blocks total heap usage: 371 allocs, 367 frees, 33,800 bytes allocated 80 bytes in 1 blocks are definitely lost at 0x4C2C58B: malloc (vg_replace_malloc.c:270) by 0x4038D4: _db_rule_gen_64 (db.c:593) by 0x403FE5: db_rule_add (db.c:813) by 0x4027D5: _seccomp_rule_add (api.c:236) by 0x40296D: seccomp_rule_add_exact (api.c:267) by 0x401FD5: main (08-subtree-checks.c:146) 200 (40 direct, 160 indirect) bytes in 1 blocks are definitely lost at 0x4C2C58B: malloc (vg_replace_malloc.c:270) by 0x403796: _db_rule_gen_64 (db.c:576) by 0x403FE5: db_rule_add (db.c:813) by 0x4027D5: _seccomp_rule_add (api.c:236) by 0x40296D: seccomp_rule_add_exact (api.c:267) by 0x402065: main (08-subtree-checks.c:151) Signed-off-by: Paul Moore <pmoore@redhat.com> commit a37ec7c8cddf7656e2d8bf0b56594f08624974ae Author: Kees Cook <keescook@chromium.org> Date: Mon Aug 13 15:36:23 2012 -0400 doc: add linking note to manpage synopsis To match other manpages that require libraries at link time, add a single line naming the required library. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Paul Moore <pmoore@redhat.com> commit d47bf13ac18c5336f3efd84b84036cbe399c4337 Author: Thiago Marcos P. Santos <thiago.santos@intel.com> Date: Thu Aug 2 13:46:35 2012 -0400 api: make the header usable by a c++ compiler Signed-off-by: Thiago Marcos P. Santos <thiago.santos@intel.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit c2f7bb66bdc3908219edbc2647cbbb03458c1f50 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jul 31 11:34:38 2012 -0400 doc: update CHANGELOG for the 1.0.0 release Signed-off-by: Paul Moore <pmoore@redhat.com> commit 2b44aea0bbd80d5092dbe0e61831552ca08dc0c1 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jul 31 11:24:00 2012 -0400 doc: add a CHANGELOG file Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 CHANGELOG commit fff9eed6810313325a15cb4716369f979a0618c1 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jul 31 11:31:25 2012 -0400 doc: update the CREDITS file header Signed-off-by: Paul Moore <pmoore@redhat.com> commit 8f83dc3907b5babcc7ef1e8ac54fbab2ef2ff020 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jul 26 11:52:40 2012 -0400 doc: update the CREDITS file Signed-off-by: Paul Moore <pmoore@redhat.com> commit 10995ba42e70b18127779f3142f41a5817463f09 Author: Paul Moore <pmoore@redhat.com> Date: Fri Jul 27 16:52:01 2012 -0400 build: remove/cleanup some of the install macros Also make the "INFO" messages easier to identify. Signed-off-by: Paul Moore <pmoore@redhat.com> commit b734546b0bc31af0e93960b987ad2a1576a4e2e4 Author: Thiago Marcos P. Santos <thiago.santos@intel.com> Date: Fri Jul 27 16:35:05 2012 -0400 build: fix some pkgconfig problems during configure/install libseccomp should not assume the existence of the prefix and library directory since it can be an empty directory used for testing. The best we can do is check if the destination path is not a directory if it exists. Added a macro for installing .pc files that creates a directory if it doesn't exists and copy the file to the destination, respecting ownership with proper file permissions. Signed-off-by: Thiago Marcos P. Santos <thiago.santos@intel.com> Signed-off-by: Paul Moore <pmoore@redhat.com> commit 1e957c88bd641634bb0eb36431ba979fe8e425b2 Author: Paul Moore <pmoore@redhat.com> Date: Thu Jul 26 16:33:15 2012 -0400 tests: summarize the regression test run Signed-off-by: Paul Moore <pmoore@redhat.com> commit 1d902ec92f41203346631c35264cafd1037bfe3b Author: Paul Moore <pmoore@redhat.com> Date: Thu Jul 26 16:03:43 2012 -0400 tests: add the batch name to regression test test number output Previous example: Test 002-00004 result: SUCCESS New example: Test 01-allow%%002-00004 result: SUCCESS Signed-off-by: Paul Moore <pmoore@redhat.com> commit 643c25295814768204dccac4cbe54cd01aa58fb6 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jul 24 16:49:17 2012 -0400 db: add a filter initialization check Now that we are allowing users to specify a filter DB via the public API we should so some simple checking to ensure the passed DB is valid. Signed-off-by: Paul Moore <pmoore@redhat.com> commit 33d5892346bb0e2d06d92a1160f045d079e2ed62 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jul 23 17:44:49 2012 -0400 doc: update the API to reflect the new filter context parameter Signed-off-by: Paul Moore <pmoore@redhat.com> commit f8e7dad60a767c75e1923742fd6336780d2a66b5 Author: Paul Moore <pmoore@redhat.com> Date: Tue Jul 24 14:52:03 2012 -0400 tests: add a test for the seccomp_reset() API Signed-off-by: Paul Moore <pmoore@redhat.com> create mode 100644 tests/14-reset.c create mode 100644 tests/14-reset.tests commit 3c19d845928884feae3b0d3cdac70d5c19893082 Author: Paul Moore <pmoore@redhat.com> Date: Mon Jul 23 14:58:41 2012 -0400 api: remove the internal state and make the API context-aware IMPORTANT: WILL CAUSE BREAKAGE WITH v0.1.x API The current API relies on the library storing internal state about the filter context. While this is okay in several cases, it may cause problems in others, e.g. threaded applications. Since the bulk of the library already operates on a filter context, known as "struct db_filter", this patc ... |