diff --git a/fix-build-error-for-libseccomp.patch b/fix-build-error-for-libseccomp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..98783f95414d4e0c518cdd9a030203d9062bef5f
--- /dev/null
+++ b/fix-build-error-for-libseccomp.patch
@@ -0,0 +1,383 @@ +From 60f25b4dbe9b769df6a77f326e2bf811ea52d083 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 30 May 2023 09:03:05 +0000 +Subject: [PATCH] fix build error for libseccomp + +--- + include/seccomp-syscalls.h | 1 + + tests/06-sim-actions.tests | 1 - + tests/38-basic-pfc_coverage.c | 3 -- + tests/38-basic-pfc_coverage.pfc | 33 ---------------- + tests/53-sim-binary_tree.c | 1 - + tests/53-sim-binary_tree.py | 2 - + tests/53-sim-binary_tree.tests | 1 - + tests/55-basic-pfc_binary_tree.c | 1 - + tests/55-basic-pfc_binary_tree.pfc | 61 +++++++++++------------------- + 9 files changed, 24 insertions(+), 80 deletions(-) + +diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h +index 8019d29..5468aee 100644 +--- a/include/seccomp-syscalls.h ++++ b/include/seccomp-syscalls.h +@@ -276,6 +276,7 @@ + #define __PNR_renameat -10242 + #define __PNR_riscv_flush_icache -10243 + #define __PNR_memfd_secret -10244 ++#define __PNR_fstat -10245 + + /* + * libseccomp syscall definitions +diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests +index 1ef38b3..993d340 100644 +--- a/tests/06-sim-actions.tests ++++ b/tests/06-sim-actions.tests +@@ -12,7 +12,6 @@ test type: bpf-sim + 06-sim-actions all write 1 0x856B008 N N N N ERRNO(1) + 06-sim-actions all close 4 N N N N N TRAP + 06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234) +-06-sim-actions all fstat N N N N N N KILL_PROCESS + 06-sim-actions all rt_sigreturn N N N N N N LOG + 06-sim-actions x86 0-2 N N N N N N KILL + 06-sim-actions x86 7-107 N N N N N N KILL +diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c +index d6ac796..b06b05a 100644 +--- a/tests/38-basic-pfc_coverage.c ++++ b/tests/38-basic-pfc_coverage.c +@@ -109,9 +109,6 @@ int main(int argc, char *argv[]) + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1), SCMP_SYS(exit), 0); +- if (rc < 0) +- goto out; +- rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 
0); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0); +diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc +index f287f1d..c4bec83 100644 +--- a/tests/38-basic-pfc_coverage.pfc ++++ b/tests/38-basic-pfc_coverage.pfc +@@ -9,9 +9,6 @@ if ($arch == 3221225534) + # filter for syscall "exit" (60) [priority: 65535] + if ($syscall == 60) + action TRACE(1); +- # filter for syscall "fstat" (5) [priority: 65535] +- if ($syscall == 5) +- action KILL_PROCESS; + # filter for syscall "close" (3) [priority: 65535] + if ($syscall == 3) + action ERRNO(1); +@@ -103,9 +100,6 @@ if ($arch == 1073741827) + # filter for syscall "exit_group" (252) [priority: 65535] + if ($syscall == 252) + action LOG; +- # filter for syscall "fstat" (108) [priority: 65535] +- if ($syscall == 108) +- action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); +@@ -141,9 +135,6 @@ if ($arch == 3221225534) + # filter for syscall "exit" (1073741884) [priority: 65535] + if ($syscall == 1073741884) + action TRACE(1); +- # filter for syscall "fstat" (1073741829) [priority: 65535] +- if ($syscall == 1073741829) +- action KILL_PROCESS; + # filter for syscall "close" (1073741827) [priority: 65535] + if ($syscall == 1073741827) + action ERRNO(1); +@@ -173,9 +164,6 @@ if ($arch == 1073741864) + # filter for syscall "exit_group" (248) [priority: 65535] + if ($syscall == 248) + action LOG; +- # filter for syscall "fstat" (108) [priority: 65535] +- if ($syscall == 108) +- action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); +@@ -214,9 +202,6 @@ if ($arch == 3221225655) + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); +- # filter for syscall "fstat" (80) [priority: 65535] +- if ($syscall == 80) +- action KILL_PROCESS; + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) 
+ action ERRNO(1); +@@ -311,9 +296,6 @@ if ($arch == 3221225730) + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); +- # filter for syscall "fstat" (80) [priority: 65535] +- if ($syscall == 80) +- action KILL_PROCESS; + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(1); +@@ -402,9 +384,6 @@ if ($arch == 1073741832) + # filter for syscall "exit_group" (4246) [priority: 65535] + if ($syscall == 4246) + action LOG; +- # filter for syscall "fstat" (4108) [priority: 65535] +- if ($syscall == 4108) +- action KILL_PROCESS; + # filter for syscall "close" (4006) [priority: 65535] + if ($syscall == 4006) + action ERRNO(1); +@@ -440,9 +419,6 @@ if ($arch == 3221225480) + # filter for syscall "exit" (5058) [priority: 65535] + if ($syscall == 5058) + action TRACE(1); +- # filter for syscall "fstat" (5005) [priority: 65535] +- if ($syscall == 5005) +- action KILL_PROCESS; + # filter for syscall "close" (5003) [priority: 65535] + if ($syscall == 5003) + action ERRNO(1); +@@ -537,9 +513,6 @@ if ($arch == 3758096392) + # filter for syscall "exit" (6058) [priority: 65535] + if ($syscall == 6058) + action TRACE(1); +- # filter for syscall "fstat" (6005) [priority: 65535] +- if ($syscall == 6005) +- action KILL_PROCESS; + # filter for syscall "close" (6003) [priority: 65535] + if ($syscall == 6003) + action ERRNO(1); +@@ -569,9 +542,6 @@ if ($arch == 3221225493) + # filter for syscall "exit_group" (234) [priority: 65535] + if ($syscall == 234) + action LOG; +- # filter for syscall "fstat" (108) [priority: 65535] +- if ($syscall == 108) +- action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); +@@ -672,9 +642,6 @@ if ($arch == 3221225715) + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); +- # filter for syscall "fstat" (80) [priority: 65535] +- if ($syscall == 80) +- action KILL_PROCESS; + # filter 
for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(1); +diff --git a/tests/53-sim-binary_tree.c b/tests/53-sim-binary_tree.c +index 98b9e2c..39acbe7 100644 +--- a/tests/53-sim-binary_tree.c ++++ b/tests/53-sim-binary_tree.c +@@ -48,7 +48,6 @@ struct syscall_errno table[] = { + { SCMP_SYS(open), 2, 0, { 0, 0 } }, + { SCMP_SYS(close), 3, 2, { 100, 101 } }, + { SCMP_SYS(stat), 4, 0, { 0, 0 } }, +- { SCMP_SYS(fstat), 5, 0, { 0, 0 } }, + { SCMP_SYS(lstat), 6, 0, { 0, 0 } }, + { SCMP_SYS(poll), 7, 1, { 102, 0 } }, + { SCMP_SYS(lseek), 8, 2, { 103, 104 } }, +diff --git a/tests/53-sim-binary_tree.py b/tests/53-sim-binary_tree.py +index cc49890..75e7bd3 100755 +--- a/tests/53-sim-binary_tree.py ++++ b/tests/53-sim-binary_tree.py +@@ -34,7 +34,6 @@ table = [ + {"syscall": "open", "error": 2, "arg_cnt": 0 }, + {"syscall": "close", "error": 3, "arg_cnt": 2, "arg1": 100, "arg2": 101 }, + {"syscall": "stat", "error": 4, "arg_cnt": 0 }, +- {"syscall": "fstat", "error": 5, "arg_cnt": 0 }, + {"syscall": "lstat", "error": 6, "arg_cnt": 0 }, + {"syscall": "poll", "error": 7, "arg_cnt": 1, "arg1": 102 }, + {"syscall": "lseek", "error": 8, "arg_cnt": 2, "arg1": 103, "arg2": 104 }, +@@ -71,7 +70,6 @@ def test(args): + + f.remove_arch(Arch()) + f.add_arch(Arch("aarch64")) +- f.add_arch(Arch("loongarch64")) + f.add_arch(Arch("ppc64le")) + f.add_arch(Arch("x86_64")) + +diff --git a/tests/53-sim-binary_tree.tests b/tests/53-sim-binary_tree.tests +index 87380d6..2cdb076 100644 +--- a/tests/53-sim-binary_tree.tests ++++ b/tests/53-sim-binary_tree.tests +@@ -17,7 +17,6 @@ test type: bpf-sim + 53-sim-binary_tree +x86_64,+ppc64le,+aarch64,+loongarch64 close 100 101 N N N N ERRNO(3) + 53-sim-binary_tree +x86_64,+ppc64le stat N N N N N N ERRNO(4) + 53-sim-binary_tree +aarch64,+loongarch64 stat N N N N N N ALLOW +-53-sim-binary_tree +x86_64,+ppc64le,+aarch64,+loongarch64 fstat N N N N N N ERRNO(5) + 53-sim-binary_tree +x86_64,+ppc64le lstat N N N N N N ERRNO(6) + 
53-sim-binary_tree +aarch64,+loongarch64 lstat N N N N N N ALLOW + 53-sim-binary_tree +x86_64,+ppc64le poll 102 N N N N N ERRNO(7) +diff --git a/tests/55-basic-pfc_binary_tree.c b/tests/55-basic-pfc_binary_tree.c +index 0919f6b..d542e5b 100644 +--- a/tests/55-basic-pfc_binary_tree.c ++++ b/tests/55-basic-pfc_binary_tree.c +@@ -48,7 +48,6 @@ struct syscall_errno table[] = { + { SCMP_SYS(open), 2, 0, { 0, 0 } }, + { SCMP_SYS(close), 3, 0, { 0, 0 } }, + { SCMP_SYS(stat), 4, 0, { 0, 0 } }, +- { SCMP_SYS(fstat), 5, 1, { 103, 0 } }, + { SCMP_SYS(lstat), 6, 0, { 0, 0 } }, + { SCMP_SYS(poll), 7, 0, { 0, 0 } }, + { SCMP_SYS(lseek), 8, 1, { 104, 0 } }, +diff --git a/tests/55-basic-pfc_binary_tree.pfc b/tests/55-basic-pfc_binary_tree.pfc +index e63aa12..44f8498 100644 +--- a/tests/55-basic-pfc_binary_tree.pfc ++++ b/tests/55-basic-pfc_binary_tree.pfc +@@ -3,7 +3,7 @@ + # + # filter for arch x86_64 (3221225534) + if ($arch == 3221225534) +- if ($syscall > 2) ++ if ($syscall > 1) + if ($syscall > 10) + if ($syscall > 14) + # filter for syscall "pwrite64" (18) [priority: 65531] +@@ -59,21 +59,16 @@ if ($arch == 3221225534) + # filter for syscall "lstat" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(6); +- # filter for syscall "fstat" (5) [priority: 65533] +- if ($syscall == 5) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 103) +- action ERRNO(5); + # filter for syscall "stat" (4) [priority: 65535] + if ($syscall == 4) + action ERRNO(4); + # filter for syscall "close" (3) [priority: 65535] + if ($syscall == 3) + action ERRNO(3); +- else # ($syscall <= 2) +- # filter for syscall "open" (2) [priority: 65535] +- if ($syscall == 2) +- action ERRNO(2); ++ # filter for syscall "open" (2) [priority: 65535] ++ if ($syscall == 2) ++ action ERRNO(2); ++ else # ($syscall <= 1) + # filter for syscall "write" (1) [priority: 65533] + if ($syscall == 1) + if ($a0.hi32 == 0) +@@ -90,7 +85,7 @@ if ($arch == 3221225534) + action ALLOW; + # filter for arch aarch64 (3221225655) + if ($arch == 
3221225655) +- if ($syscall > 62) ++ if ($syscall > 57) + if ($syscall > 139) + if ($syscall > 226) + # filter for syscall "lstat" (4294957133) [priority: 65535] +@@ -121,7 +116,7 @@ if ($arch == 3221225655) + if ($syscall == 214) + action ERRNO(12); + else # ($syscall <= 139) +- if ($syscall > 68) ++ if ($syscall > 67) + # filter for syscall "rt_sigreturn" (139) [priority: 65535] + if ($syscall == 139) + action ERRNO(15); +@@ -131,12 +126,6 @@ if ($arch == 3221225655) + # filter for syscall "rt_sigaction" (134) [priority: 65535] + if ($syscall == 134) + action ERRNO(13); +- # filter for syscall "fstat" (80) [priority: 65533] +- if ($syscall == 80) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 103) +- action ERRNO(5); +- else # ($syscall <= 68) + # filter for syscall "pwrite64" (68) [priority: 65531] + if ($syscall == 68) + if ($a0.hi32 == 0) +@@ -144,6 +133,7 @@ if ($arch == 3221225655) + if ($a1.hi32 == 0) + if ($a1.lo32 == 108) + action ERRNO(18); ++ else # ($syscall <= 67) + # filter for syscall "pread64" (67) [priority: 65533] + if ($syscall == 67) + if ($a0.hi32 == 0) +@@ -161,12 +151,12 @@ if ($arch == 3221225655) + if ($a1.hi32 == 0) + if ($a1.lo32 == 101) + action ERRNO(0); +- else # ($syscall <= 62) +- # filter for syscall "lseek" (62) [priority: 65533] +- if ($syscall == 62) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 104) +- action ERRNO(8); ++ # filter for syscall "lseek" (62) [priority: 65533] ++ if ($syscall == 62) ++ if ($a0.hi32 == 0) ++ if ($a0.lo32 == 104) ++ action ERRNO(8); ++ else # ($syscall <= 57) + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(3); +@@ -177,7 +167,7 @@ if ($arch == 3221225655) + action ALLOW; + # filter for arch loongarch64 (3221225730) + if ($arch == 3221225730) +- if ($syscall > 62) ++ if ($syscall > 57) + if ($syscall > 139) + if ($syscall > 226) + # filter for syscall "lstat" (4294957133) [priority: 65535] +@@ -208,7 +198,7 @@ if ($arch == 3221225730) + if ($syscall == 214) + action 
ERRNO(12); + else # ($syscall <= 139) +- if ($syscall > 68) ++ if ($syscall > 67) + # filter for syscall "rt_sigreturn" (139) [priority: 65535] + if ($syscall == 139) + action ERRNO(15); +@@ -218,12 +208,6 @@ if ($arch == 3221225730) + # filter for syscall "rt_sigaction" (134) [priority: 65535] + if ($syscall == 134) + action ERRNO(13); +- # filter for syscall "fstat" (80) [priority: 65533] +- if ($syscall == 80) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 103) +- action ERRNO(5); +- else # ($syscall <= 68) + # filter for syscall "pwrite64" (68) [priority: 65531] + if ($syscall == 68) + if ($a0.hi32 == 0) +@@ -231,6 +215,7 @@ if ($arch == 3221225730) + if ($a1.hi32 == 0) + if ($a1.lo32 == 108) + action ERRNO(18); ++ else # ($syscall <= 67) + # filter for syscall "pread64" (67) [priority: 65533] + if ($syscall == 67) + if ($a0.hi32 == 0) +@@ -248,12 +233,12 @@ if ($arch == 3221225730) + if ($a1.hi32 == 0) + if ($a1.lo32 == 101) + action ERRNO(0); +- else # ($syscall <= 62) +- # filter for syscall "lseek" (62) [priority: 65533] +- if ($syscall == 62) +- if ($a0.hi32 == 0) +- if ($a0.lo32 == 104) +- action ERRNO(8); ++ # filter for syscall "lseek" (62) [priority: 65533] ++ if ($syscall == 62) ++ if ($a0.hi32 == 0) ++ if ($a0.lo32 == 104) ++ action ERRNO(8); ++ else # ($syscall <= 57) + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(3); +-- +2.33.0 + diff --git a/libseccomp.spec b/libseccomp.spec index 01abdef544266ff68b33bee839472ff94e95e37c..d3d5a14913482953a95c7b94cf2c663f56ed848e 100644 --- a/libseccomp.spec +++ b/libseccomp.spec @@ -1,6 +1,6 @@ Name: libseccomp Version: 2.5.3 -Release: 4 +Release: 5 Summary: Interface to the syscall filtering mechanism License: LGPLv2 URL: https://github.com/seccomp/libseccomp 
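Review bot: The embedded patch deletes the fstat rules from tests 06, 38, 53 and 55 instead of retargeting them, and in the hunks shown for `tests/06-sim-actions.tests` and `tests/38-basic-pfc_coverage.c` the removed rule is the only `KILL_PROCESS` / `SCMP_ACT_KILL_PROCESS` one, so wherever this patch stays applied `make check` may no longer exercise that action at all. Keeping the rule on a syscall that every supported architecture defines, with the `.pfc` expectations regenerated, would fix the build without narrowing coverage of the filter actions. The `tests/53-sim-binary_tree.py` hunk also drops `f.add_arch(Arch("loongarch64"))` while `tests/53-sim-binary_tree.tests` still lists `+loongarch64` expectations, so the Python variant of that test looks inconsistent with its expectations file. In `include/seccomp-syscalls.h` only `#define __PNR_fstat -10245` is added; nothing visible maps `__SNR_fstat` to it when `__NR_fstat` is missing, which is worth confirming because callers of `SCMP_SYS(fstat)` would otherwise still fail to compile.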
@@ -10,6 +10,7 @@ Patch0: backport-bpf-pfc-Add-handling-for-0-syscalls-in-the-binary-tr.pa Patch1: backport-tests-Add-a-binary-tree-test-with-zero-syscalls.patch Patch2: backport-arch-disambiguate-in-arch-syscall-validate.patch Patch3: fix-add-64-bit-LoongArch-support.patch +Patch4: fix-build-error-for-libseccomp.patch BuildRequires: gcc git gperf autoconf automake @@ -35,6 +36,7 @@ developing applications that use %{name}. %prep %autosetup -n %{name}-%{version} -p1 -S git %ifnarch loongarch64 +%patch4 -R -p1 %patch3 -R -p1 %endif @@ -76,8 +78,12 @@ make check %{_mandir}/man*/* %changelog +* Tue May 30 2023 Wenlong Zhang - 2.5.3-5 +- fix build error for libseccomp + * Mon Feb 13 2023 Wenlong Zhang - 2.5.3-4 - add loongarch64 support for libseccomp + * Mon Nov 14 2022 shixuantong - 2.5.3-3 - arch: disambiguate in arch-syscall-validate
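Review bot: The `%prep` hunk reverts Patch4 and then Patch3 by hand after `%autosetup` has already applied them, and nothing in the spec says why or that the order matters. A comment above the `%ifnarch loongarch64` block would cover it: `# Patch3 and Patch4 are loongarch64-only; %autosetup applies every patch, so undo them in reverse order on other arches`. Since `fix-build-error-for-libseccomp.patch` removes fstat test rules, this revert is also what keeps the full `make check` coverage on the other architectures. A later patch that touches the same test files would presumably have to be reverted before `%patch4 -R -p1`, or the reverse apply may fail.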