diff --git a/backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch b/backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e26abdea87f4167ec45d1f22dd2349223800c1f0
--- /dev/null
+++ b/backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch
@@ -0,0 +1,49 @@
+From 2de3b87122c18b58b3e2b32ab2e81ac43774a7aa Mon Sep 17 00:00:00 2001
+From: Tom Hromatka
+Date: Wed, 16 Mar 2022 11:19:14 -0600
+Subject: [PATCH] bpf: pfc: Add handling for 0 syscalls in the binary tree
+
+Handle the unlikely case where a user has chosen the
+binary tree optimization but has zero syscalls in their
+filter.
+
+Fixes: https://github.com/seccomp/libseccomp/issues/370
+Fixes: a3732b32b8e67 ("bpf:pfc: Add optimization option to use a binary tree")
+Signed-off-by: Tom Hromatka
+Acked-by: Paul Moore
+---
+ src/gen_bpf.c | 3 +++
+ src/gen_pfc.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/gen_bpf.c b/src/gen_bpf.c
+index c878f44..7131761 100644
+--- a/src/gen_bpf.c
++++ b/src/gen_bpf.c
+@@ -1348,6 +1348,9 @@ static int _get_bintree_levels(unsigned int syscall_cnt)
+ {
+ unsigned int i = 2, max_level = SYSCALLS_PER_NODE * 2;
+
++ if (syscall_cnt == 0)
++ return 0;
++
+ while (max_level < syscall_cnt) {
+ max_level <<= 1;
+ i++;
+diff --git a/src/gen_pfc.c b/src/gen_pfc.c
+index c7fb536..4916055 100644
+--- a/src/gen_pfc.c
++++ b/src/gen_pfc.c
+@@ -275,6 +275,9 @@ static int _get_bintree_levels(unsigned int syscall_cnt,
+ /* Only use a binary tree if requested */
+ return 0;
+
++ if (syscall_cnt == 0)
++ return 0;
++
+ do {
+ max_level = SYSCALLS_PER_NODE << i;
+ i++;
+--
+2.27.0
+
diff --git a/backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch b/backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..510fa564e69998531acc8142b591af1056d49fcc
--- /dev/null
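Review bot: The two added `if (syscall_cnt == 0) return 0;` guards, in `_get_bintree_levels` of src/gen_bpf.c and of src/gen_pfc.c, carry no comment saying what a level count of 0 means to the caller, while the neighbouring check in gen_pfc.c is commented (`/* Only use a binary tree if requested */`). I would add `/* an empty filter has no syscalls to place in a tree; 0 levels means no tree is built */` above each guard, after confirming in the callers that 0 is read as "take the non-tree path". Both function bodies continue outside their hunks and the callers are not shown, so that reading is an assumption here. Since a filter with no rules and only a default action is a legitimate configuration, the comment should also say that the default action must still be emitted on this path.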
+++ b/backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch 
@@ -0,0 +1,187 @@
+From 5731dd9f73df9025b2c8924e2f4ce78a7d94af00 Mon Sep 17 00:00:00 2001
+From: Tom Hromatka
+Date: Wed, 16 Mar 2022 11:24:40 -0600
+Subject: [PATCH] tests: Add a binary tree test with zero syscalls
+
+Add a test that exercises the binary tree optimization but
+the seccomp filter has zero syscalls in it.
+
+Related-bug: https://github.com/seccomp/libseccomp/issues/370
+Signed-off-by: Tom Hromatka
+Acked-by: Paul Moore
+---
+ tests/59-basic-empty_binary_tree.c | 54 ++++++++++++++++++++++++++
+ tests/59-basic-empty_binary_tree.py | 41 +++++++++++++++++++
+ tests/59-basic-empty_binary_tree.tests | 16 ++++++++
+ tests/Makefile.am | 9 +++--
+ 4 files changed, 117 insertions(+), 3 deletions(-)
+ create mode 100644 tests/59-basic-empty_binary_tree.c
+ create mode 100755 tests/59-basic-empty_binary_tree.py
+ create mode 100644 tests/59-basic-empty_binary_tree.tests
+
+diff --git a/tests/59-basic-empty_binary_tree.c b/tests/59-basic-empty_binary_tree.c
+new file mode 100644
+index 0000000..6b6485e
+--- /dev/null
++++ b/tests/59-basic-empty_binary_tree.c
+@@ -0,0 +1,54 @@
++/**
++ * Seccomp Library test program
++ *
++ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
++ * Author: Tom Hromatka
++ */
++
++/*
++ * This library is free software; you can redistribute it and/or modify it
++ * under the terms of version 2.1 of the GNU Lesser General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This library is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
++ * for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this library; if not, see .
++ */
++
++#include
++#include
++
++#include
++
++#include "util.h"
++
++int main(int argc, char *argv[])
++{
++ int rc;
++ struct util_options opts;
++ scmp_filter_ctx ctx = NULL;
++
++ rc = util_getopt(argc, argv, &opts);
++ if (rc < 0)
++ goto out;
++
++ ctx = seccomp_init(SCMP_ACT_ALLOW);
++ if (ctx == NULL)
++ return ENOMEM;
++
++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
++ if (rc < 0)
++ goto out;
++
++ rc = util_filter_output(&opts, ctx);
++ if (rc)
++ goto out;
++
++out:
++ seccomp_release(ctx);
++ return (rc < 0 ? -rc : rc);
++}
+diff --git a/tests/59-basic-empty_binary_tree.py b/tests/59-basic-empty_binary_tree.py
+new file mode 100755
+index 0000000..5acbbd4
+--- /dev/null
++++ b/tests/59-basic-empty_binary_tree.py
+@@ -0,0 +1,41 @@
++#!/usr/bin/env python
++
++#
++# Seccomp Library test program
++#
++# Copyright (c) 2022 Oracle and/or its affiliates.
++# Author: Tom Hromatka
++#
++
++#
++# This library is free software; you can redistribute it and/or modify it
++# under the terms of version 2.1 of the GNU Lesser General Public License as
++# published by the Free Software Foundation.
++#
++# This library is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
++# for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with this library; if not, see .
++#
++
++import argparse
++import sys
++
++import util
++
++from seccomp import *
++
++def test(args):
++ f = SyscallFilter(ALLOW)
++ f.set_attr(Attr.CTL_OPTIMIZE, 2)
++ return f
++
++args = util.get_opt()
++ctx = test(args)
++util.filter_output(args, ctx)
++
++# kate: syntax python;
++# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
+diff --git a/tests/59-basic-empty_binary_tree.tests b/tests/59-basic-empty_binary_tree.tests
+new file mode 100644
+index 0000000..ff6dbc3
+--- /dev/null
++++ b/tests/59-basic-empty_binary_tree.tests
+@@ -0,0 +1,16 @@
++#
++# libseccomp regression test automation data
++#
++# Copyright (c) 2022 Oracle and/or its affiliates.
++# Author: Tom Hromatka
++#
++
++test type: bpf-sim
++
++# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
++59-basic-empty_binary_tree all,-x32 0-350 N N N N N N ALLOW
++
++test type: bpf-valgrind
++
++# Testname
++59-basic-empty_binary_tree
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b39ee06..f0a1f8e 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -93,7 +93,8 @@ check_PROGRAMS = \
+ 55-basic-pfc_binary_tree \
+ 56-basic-iterate_syscalls \
+ 57-basic-rawsysrc \
+- 58-live-tsync_notify
++ 58-live-tsync_notify \
++ 59-basic-empty_binary_tree
+
+ EXTRA_DIST_TESTPYTHON = \
+ util.py \
+@@ -152,7 +153,8 @@ EXTRA_DIST_TESTPYTHON = \
+ 54-live-binary_tree.py \
+ 56-basic-iterate_syscalls.py \
+ 57-basic-rawsysrc.py \
+- 58-live-tsync_notify.py
++ 58-live-tsync_notify.py \
++ 59-basic-empty_binary_tree.py
+
+ EXTRA_DIST_TESTCFGS = \
+ 01-sim-allow.tests \
+@@ -212,7 +214,8 @@ EXTRA_DIST_TESTCFGS = \
+ 55-basic-pfc_binary_tree.tests \
+ 56-basic-iterate_syscalls.tests \
+ 57-basic-rawsysrc.tests \
+- 58-live-tsync_notify.tests
++ 58-live-tsync_notify.tests \
++ 59-basic-empty_binary_tree.tests
+
+ EXTRA_DIST_TESTSCRIPTS = \
+ 38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \
+--
+2.27.0
+
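Review bot: The new `.tests` data runs only the `bpf-sim` and `bpf-valgrind` types, so the zero-syscall guard that the companion patch adds to src/gen_pfc.c is, as far as these lines show, never exercised. The Makefile.am context lists `38-basic-pfc_coverage.sh` under `EXTRA_DIST_TESTSCRIPTS`, which suggests PFC output is checked by separate scripts, and an equivalent check for the empty tree would close that gap. The only default action covered is ALLOW (`seccomp_init(SCMP_ACT_ALLOW)` and `SyscallFilter(ALLOW)`). An empty filter whose default action denies is the case where a wrong generator result matters most, so I would add a second test built with `SCMP_ACT_KILL` whose sim row expects `KILL`. In `main`, the `seccomp_init` failure returns `ENOMEM` directly while every other failure leaves through `out:`; this is harmless, but a comment such as `/* nothing to release yet */` would make the asymmetry deliberate.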
diff --git a/libseccomp.spec b/libseccomp.spec index 33ace9e96c1e3ac4336f4d7edf899fc754821d88..0a0992d5f3f8752e1ff843c7da966696fa114395 100644 --- a/libseccomp.spec +++ b/libseccomp.spec @@ -1,12 +1,15 @@ Name: libseccomp Version: 2.5.3 -Release: 1 +Release: 2 Summary: Interface to the syscall filtering mechanism License: LGPLv2 URL: https://github.com/seccomp/libseccomp Source0: https://github.com/seccomp/libseccomp/releases/download/v%{version}/%{name}-%{version}.tar.gz -BuildRequires: gcc git gperf +Patch0: backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.patch +Patch1: backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch + +BuildRequires: gcc git gperf autoconf automake %description The libseccomp library provides an easy to use, platform independent, interface to @@ -31,6 +34,7 @@ developing applications that use %{name}. %autosetup -n %{name}-%{version} -p1 -S git %build +autoreconf %configure %make_build @@ -67,6 +71,9 @@ make check %{_mandir}/man*/* %changelog +* Sat Aug 27 2022 zoulin - 2.5.3-2 +- backport patches from upstream + * Sat Nov 27 2021 fuanan - 2.5.3-1 - update version to 2.5.3
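Review bot: `%build` now runs a bare `autoreconf` while `BuildRequires` gains only `autoconf automake`; if the project's configure.ac uses libtool (not visible in this diff), the regeneration also needs `libtool` installed and would otherwise fail or depend on whatever the build root happens to contain. I would write `autoreconf -fi` so the generated files shipped in the tarball are replaced and missing auxiliary files are installed, and extend the header line to `BuildRequires: gcc git gperf autoconf automake libtool` once the libtool use is confirmed. A comment above the call, such as `# Patch1 changes tests/Makefile.am, so the autotools output must be regenerated`, would record why the step exists and when it can be dropped.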