On Sun, 10 Oct 2021 14:34:30 +0200 Felix Geyer <fge...@debian.org> wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
libseccomp 2.5.1 only knows about syscall up to Linux 5.8.
The proposed changes add the syscalls up to Linux 5.14.

[ Impact ]
Syscalls for Linux 5.9 and 5.10 can't be allowed.

Software built with support for newer kernels (often the case in containers)
expect newer syscalls to work or return ENOSYS.
If that syscall is not supported by libseccomp and a default filter action of
returning EPERM is used, such software will break.
Therefore you often need to be able to allow a syscall even when the running
kernel doesn't support it.

[ Tests ]
* autopkgtest passes on amd64
* Verified adding a filter for the close_range() syscall works (new in 5.9)
* Verified that systemd and Docker run

[ Risks ]
The changes only extend the syscall csv table and add new syscall defines.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream commits to support syscalls up to Linux 5.14.

I've updated the debdiff to include two more cherry-picked patches that add
new syscalls from Linux 5.15 and missing syscall defines.

Felix
diff -Nru libseccomp-2.5.1/debian/changelog libseccomp-2.5.1/debian/changelog
--- libseccomp-2.5.1/debian/changelog   2020-12-21 10:50:30.000000000 +0100
+++ libseccomp-2.5.1/debian/changelog   2021-11-25 19:18:20.000000000 +0100
@@ -1,3 +1,9 @@
+libseccomp (2.5.1-1+deb11u1) bullseye; urgency=medium
+
+  * Add support for syscalls up to Linux 5.15.
+
+ -- Felix Geyer <fge...@debian.org>  Thu, 25 Nov 2021 19:18:20 +0100
+
 libseccomp (2.5.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch 
libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch
--- libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch 
1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch 
2021-11-24 19:09:09.000000000 +0100
@@ -0,0 +1,104 @@
+From 8379ee877612f027f75592c8de5bf7969aa7fb51 Mon Sep 17 00:00:00 2001
+From: Paul Moore <p...@paul-moore.com>
+Date: Wed, 27 Oct 2021 15:39:17 -0400
+Subject: [PATCH] api: update seccomp-syscalls.h
+
+It appears that the seccomp-syscalls.h header file had gotten out of
+sync with the syscalls.csv syscall table, this patch fixes this
+disconnect.
+
+The only edit that is somewhat interesting is that the oldwait4(2)
+syscall probably never should have been included in the header file
+as it appears to no longer exist (?).
+
+Reported-by: Mike Frysinger <vap...@gentoo.org>
+Acked-by: Tom Hromatka <tom.hroma...@oracle.com>
+Signed-off-by: Paul Moore <p...@paul-moore.com>
+
+(imported from commit 3f47bba7c5c8cc18be80e625eedb2c1823233708)
+---
+ include/seccomp-syscalls.h | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 7075f3f6..4baa307a 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -537,6 +537,8 @@
+ 
+ #define __SNR_epoll_pwait             __NR_epoll_pwait
+ 
++#define __SNR_epoll_pwait2            __NR_epoll_pwait2
++
+ #ifdef __NR_epoll_wait
+ #define __SNR_epoll_wait              __NR_epoll_wait
+ #else
+@@ -1007,6 +1009,10 @@
+ 
+ #define __SNR_kill                    __NR_kill
+ 
++#define __SNR_landlock_add_rule               __NR_landlock_add_rule
++#define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
++#define __SNR_landlock_restrict_self  __NR_landlock_restrict_self
++
+ #ifdef __NR_lchown
+ #define __SNR_lchown                  __NR_lchown
+ #else
+@@ -1141,6 +1147,8 @@
+ 
+ #define __SNR_mount                   __NR_mount
+ 
++#define __SNR_mount_setattr           __NR_mount_setattr
++
+ #ifdef __NR_move_mount
+ #define __SNR_move_mount              __NR_move_mount
+ #else
+@@ -1277,12 +1285,6 @@
+ #define __SNR_olduname                        __PNR_olduname
+ #endif
+ 
+-#ifdef __NR_oldwait4
+-#define __SNR_oldwait4                        __NR_oldwait4
+-#else
+-#define __SNR_oldwait4                        __PNR_oldwait4
+-#endif
+-
+ #ifdef __NR_open
+ #define __SNR_open                    __NR_open
+ #else
+@@ -1299,6 +1301,8 @@
+ 
+ #define __SNR_openat                  __NR_openat
+ 
++#define __SNR_openat2                 __NR_openat2
++
+ #ifdef __NR_pause
+ #define __SNR_pause                   __NR_pause
+ #else
+@@ -1327,6 +1331,8 @@
+ 
+ #define __SNR_personality             __NR_personality
+ 
++#define __SNR_pidfd_getfd             __NR_pidfd_getfd
++
+ #ifdef __NR_pidfd_open
+ #define __SNR_pidfd_open              __NR_pidfd_open
+ #else
+@@ -1395,6 +1401,8 @@
+ 
+ #define __SNR_prlimit64                       __NR_prlimit64
+ 
++#define __SNR_process_madvise         __NR_process_madvise
++
+ #define __SNR_process_vm_readv                __NR_process_vm_readv
+ 
+ #define __SNR_process_vm_writev               __NR_process_vm_writev
+@@ -1441,6 +1449,8 @@
+ 
+ #define __SNR_quotactl                        __NR_quotactl
+ 
++#define __SNR_quotactl_fd             __NR_quotactl_fd
++
+ #ifdef __NR_read
+ #define __SNR_read                    __NR_read
+ #else
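Review bot: The new `__SNR_*` entries in this patch (epoll_pwait2, landlock_add_rule, landlock_create_ruleset, landlock_restrict_self, mount_setattr, openat2, pidfd_getfd, process_madvise, quotactl_fd) expand unconditionally to `__NR_*`, without the `#ifdef __NR_x … #else __PNR_x` fallback used by the neighbouring entries, so `SCMP_SYS(x)` for them only compiles where the build's kernel headers already define `__NR_x`; on a bullseye toolchain whose linux-libc-dev predates these syscalls, consumer code using those macros would likely fail to compile, while name resolution through syscalls.csv (seccomp_syscall_resolve_name) still works. This appears to follow the upstream convention visible in the other patches, where a syscall with one number on every architecture is defined unconditionally and memfd_secret, which is PNR on most rows of the csv, gets the ifdef/else form, so it is not something to change in the cherry-picks themselves. It would be worth stating in the changelog entry, e.g. `* Add support for syscalls up to Linux 5.15 (SCMP_SYS() for the new syscalls needs matching kernel headers; seccomp_syscall_resolve_name() works regardless).` The same applies to `__SNR_close_range`, `__SNR_faccessat2` and `__SNR_process_mrelease` in the other patch files of this debdiff.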
diff -Nru libseccomp-2.5.1/debian/patches/series 
libseccomp-2.5.1/debian/patches/series
--- libseccomp-2.5.1/debian/patches/series      1970-01-01 01:00:00.000000000 
+0100
+++ libseccomp-2.5.1/debian/patches/series      2021-11-24 19:10:36.000000000 
+0100
@@ -0,0 +1,5 @@
+syscalls_update_the_syscall_table_to_v5.12-rc7.patch
+syscalls_add_close_range_syscall.patch
+syscalls_update_to_Linux_v5.14-rc7.patch
+api_update_seccomp-syscalls.h.patch
+syscalls_update_the_syscall_table_to_Linux_v5.15.patch
diff -Nru 
libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch 
libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch
--- libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch      
1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch      
2021-11-24 19:06:00.000000000 +0100
@@ -0,0 +1,30 @@
+From ac849e7960547d418009a783da654d5917dbfe2d Mon Sep 17 00:00:00 2001
+From: Sascha Grunert <sgrun...@redhat.com>
+Date: Fri, 16 Jul 2021 12:13:36 +0200
+Subject: [PATCH] syscalls: add close_range() syscall
+
+The syscall has been added a while ago so we should support resolving
+it, too.
+
+Signed-off-by: Sascha Grunert <sgrun...@redhat.com>
+Reviewed-by: Tom Hromatka <tom.hroma...@oracle.com>
+[PM: subject line tweak]
+Signed-off-by: Paul Moore <p...@paul-moore.com>
+(imported from commit 01e5750e7c84bb14e5a5410c924bed519209db06)
+---
+ include/seccomp-syscalls.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 7b69214c..1ca500be 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -476,6 +476,8 @@
+ 
+ #define __SNR_close                   __NR_close
+ 
++#define __SNR_close_range             __NR_close_range
++
+ #ifdef __NR_connect
+ #define __SNR_connect                 __NR_connect
+ #else
diff -Nru 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_Linux_v5.15.patch
 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_Linux_v5.15.patch
--- 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_Linux_v5.15.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_Linux_v5.15.patch
      2021-11-24 19:09:31.000000000 +0100
@@ -0,0 +1,43 @@
+From 9cfe96d42385b3000e2afd96360007fd554417c1 Mon Sep 17 00:00:00 2001
+From: Paul Moore <p...@paul-moore.com>
+Date: Thu, 4 Nov 2021 09:09:49 -0600
+Subject: [PATCH] syscalls: update the syscall table to Linux v5.15
+
+Signed-off-by: Paul Moore <p...@paul-moore.com>
+Signed-off-by: Tom Hromatka <tom.hroma...@oracle.com>
+---
+ include/seccomp-syscalls.h | 2 ++
+ src/syscalls.csv           | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 4baa307a..8019d29e 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -1403,6 +1403,8 @@
+ 
+ #define __SNR_process_madvise         __NR_process_madvise
+ 
++#define __SNR_process_mrelease                __NR_process_mrelease
++
+ #define __SNR_process_vm_readv                __NR_process_vm_readv
+ 
+ #define __SNR_process_vm_writev               __NR_process_vm_writev
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index af06a64d..53a639a5 100644
+--- a/src/syscalls.csv
++++ b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.14.0-rc7 
2021-08-23),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
++#syscall (v5.15.0 
2021-11-03),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
+ accept,PNR,43,43,285,202,168,42,42,35,35,330,330,202,PNR,PNR
+ accept4,364,288,288,366,242,334,293,297,320,320,344,344,242,364,364
+ access,33,21,21,33,PNR,33,20,20,33,33,33,33,PNR,33,33
+@@ -268,6 +268,7 @@ 
preadv,333,295,534,361,69,330,289,293,315,315,320,320,69,328,328
+ preadv2,378,327,546,392,286,361,321,325,347,347,380,380,286,376,376
+ prlimit64,340,302,302,369,261,338,297,302,321,321,325,325,261,334,334
+ process_madvise,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440
++process_mrelease,448,448,448,448,448,448,448,448,448,448,448,448,448,448,448
+ process_vm_readv,347,310,539,376,270,345,304,309,330,330,351,351,270,340,340
+ process_vm_writev,348,311,540,377,271,346,305,310,331,331,352,352,271,341,341
+ prof,44,PNR,PNR,PNR,PNR,44,PNR,PNR,PNR,PNR,44,44,PNR,PNR,PNR
diff -Nru 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
--- 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
        2021-11-24 19:06:00.000000000 +0100
@@ -0,0 +1,73 @@
+From c56a00fe173a7dd5a8326431ae28863ce432bbc1 Mon Sep 17 00:00:00 2001
+From: Paul Moore <p...@paul-moore.com>
+Date: Sat, 17 Apr 2021 16:30:48 -0400
+Subject: [PATCH] syscalls: update the syscall table to v5.12-rc7
+
+Due to additional ABIs in main we can't do a simple backport or copy
+of the syscall table so we are generating it directly in the
+release-2.5 branch.
+
+This patch also fixes the missing faccessat2() #defines in the
+seccomp-syscalls.h header file.
+
+Signed-off-by: Paul Moore <p...@paul-moore.com>
+---
+ include/seccomp-syscalls.h | 2 ++
+ src/syscalls.csv           | 6 +++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 2a4ebd3d..7b69214c 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -564,6 +564,8 @@
+ 
+ #define __SNR_faccessat                       __NR_faccessat
+ 
++#define __SNR_faccessat2              __NR_faccessat2
++
+ #ifdef __NR_fadvise64
+ #define __SNR_fadvise64                       __NR_fadvise64
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index 11d087a6..4c828697 100644
+--- a/src/syscalls.csv
++++ b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.8.0-rc5 
2020-07-14),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
++#syscall (v5.12.0-rc7 
2021-04-17),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
+ accept,PNR,43,43,285,202,168,42,42,35,35,330,330,202,PNR,PNR
+ accept4,364,288,288,366,242,334,293,297,320,320,344,344,242,364,364
+ access,33,21,21,33,PNR,33,20,20,33,33,33,33,PNR,33,33
+@@ -38,6 +38,7 @@ 
clock_settime64,404,PNR,PNR,404,PNR,404,PNR,404,404,PNR,404,PNR,PNR,404,PNR
+ clone,120,56,56,120,220,120,55,55,120,120,120,120,220,120,120
+ clone3,435,435,435,435,435,435,435,435,435,435,435,435,435,435,435
+ close,6,3,3,6,57,6,3,3,6,6,6,6,57,6,6
++close_range,436,436,436,436,436,436,436,436,436,436,436,436,436,436,436
+ connect,362,42,42,283,203,170,41,41,31,31,328,328,203,362,362
+ copy_file_range,377,326,326,391,285,360,320,324,346,346,379,379,285,375,375
+ creat,8,85,85,8,PNR,8,83,83,8,8,8,8,PNR,8,8
+@@ -51,6 +52,7 @@ 
epoll_create1,329,291,291,357,20,326,285,289,311,311,315,315,20,327,327
+ epoll_ctl,255,233,233,251,21,249,208,208,225,225,237,237,21,250,250
+ epoll_ctl_old,PNR,214,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ epoll_pwait,319,281,281,346,22,313,272,276,297,297,303,303,22,312,312
++epoll_pwait2,441,441,441,441,441,441,441,441,441,441,441,441,441,441,441
+ epoll_wait,256,232,232,252,PNR,250,209,209,226,226,238,238,PNR,251,251
+ epoll_wait_old,PNR,215,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ eventfd,323,284,284,351,PNR,319,278,282,304,304,307,307,PNR,318,318
+@@ -199,6 +201,7 @@ mmap,90,9,9,PNR,222,90,9,9,90,90,90,90,222,90,90
+ mmap2,192,PNR,PNR,192,PNR,210,PNR,PNR,89,89,192,PNR,PNR,192,PNR
+ modify_ldt,123,154,154,PNR,PNR,123,PNR,PNR,PNR,PNR,123,123,PNR,PNR,PNR
+ mount,21,165,165,21,40,21,160,160,21,21,21,21,40,21,21
++mount_setattr,442,442,442,442,442,442,442,442,442,442,442,442,442,442,442
+ move_mount,429,429,429,429,429,429,429,429,429,429,429,429,429,429,429
+ move_pages,317,279,533,344,239,308,267,271,295,295,301,301,239,310,310
+ mprotect,125,10,10,125,226,125,10,10,125,125,125,125,226,125,125
+@@ -260,6 +263,7 @@ 
pread64,180,17,17,180,67,200,16,16,108,108,179,179,67,180,180
+ preadv,333,295,534,361,69,330,289,293,315,315,320,320,69,328,328
+ preadv2,378,327,546,392,286,361,321,325,347,347,380,380,286,376,376
+ prlimit64,340,302,302,369,261,338,297,302,321,321,325,325,261,334,334
++process_madvise,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440
+ process_vm_readv,347,310,539,376,270,345,304,309,330,330,351,351,270,340,340
+ process_vm_writev,348,311,540,377,271,346,305,310,331,331,352,352,271,341,341
+ prof,44,PNR,PNR,PNR,PNR,44,PNR,PNR,PNR,PNR,44,44,PNR,PNR,PNR
diff -Nru 
libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch 
libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch
--- libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch    
1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch    
2021-11-24 19:06:00.000000000 +0100
@@ -0,0 +1,72 @@
+From c3559610ffdcda23a7fbd38fea86f8ed81fb16b0 Mon Sep 17 00:00:00 2001
+From: Paul Moore <p...@paul-moore.com>
+Date: Mon, 23 Aug 2021 11:21:39 -0400
+Subject: [PATCH] syscalls: update to Linux v5.14-rc7
+
+Signed-off-by: Paul Moore <p...@paul-moore.com>
+---
+ include/seccomp-syscalls.h | 7 +++++++
+ src/syscalls.csv           | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 1ca500be..7075f3f6 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -275,6 +275,7 @@
+ #define __PNR_ppoll                           -10241
+ #define __PNR_renameat                                -10242
+ #define __PNR_riscv_flush_icache              -10243
++#define __PNR_memfd_secret                    -10244
+ 
+ /*
+  * libseccomp syscall definitions
+@@ -1084,6 +1085,12 @@
+ #define __SNR_memfd_create            __PNR_memfd_create
+ #endif
+ 
++#ifdef __NR_memfd_secret
++#define __SNR_memfd_secret            __NR_memfd_secret
++#else
++#define __SNR_memfd_secret            __PNR_memfd_secret
++#endif
++
+ #ifdef __NR_migrate_pages
+ #define __SNR_migrate_pages           __NR_migrate_pages
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index 4c828697..af06a64d 100644
+--- a/src/syscalls.csv
++++ b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.12.0-rc7 
2021-04-17),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
++#syscall (v5.14.0-rc7 
2021-08-23),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
+ accept,PNR,43,43,285,202,168,42,42,35,35,330,330,202,PNR,PNR
+ accept4,364,288,288,366,242,334,293,297,320,320,344,344,242,364,364
+ access,33,21,21,33,PNR,33,20,20,33,33,33,33,PNR,33,33
+@@ -168,6 +168,9 @@ 
kexec_file_load,PNR,320,320,401,294,PNR,PNR,PNR,355,355,382,382,294,381,381
+ kexec_load,283,246,528,347,104,311,270,274,300,300,268,268,104,277,277
+ keyctl,288,250,250,311,219,282,241,245,266,266,271,271,219,280,280
+ kill,37,62,62,37,129,37,60,60,37,37,37,37,129,37,37
++landlock_add_rule,445,445,445,445,445,445,445,445,445,445,445,445,445,445,445
++landlock_create_ruleset,444,444,444,444,444,444,444,444,444,444,444,444,444,444,444
++landlock_restrict_self,446,446,446,446,446,446,446,446,446,446,446,446,446,446,446
+ lchown,16,94,94,16,PNR,16,92,92,16,16,16,16,PNR,16,198
+ lchown32,198,PNR,PNR,198,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,198,PNR
+ lgetxattr,230,192,192,230,9,228,184,184,242,242,213,213,9,228,228
+@@ -188,6 +191,7 @@ 
madvise,219,28,28,220,233,218,27,27,119,119,205,205,233,219,219
+ mbind,274,237,237,319,235,268,227,231,260,260,259,259,235,268,268
+ membarrier,375,324,324,389,283,358,318,322,343,343,365,365,283,356,356
+ memfd_create,356,319,319,385,279,354,314,318,340,340,360,360,279,350,350
++memfd_secret,447,447,447,PNR,447,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ migrate_pages,294,256,256,400,238,287,246,250,272,272,258,258,238,287,287
+ mincore,218,27,27,219,232,217,26,26,72,72,206,206,232,218,218
+ mkdir,39,83,83,39,PNR,39,81,81,39,39,39,39,PNR,39,39
+@@ -277,6 +281,7 @@ 
pwritev,334,296,535,362,70,331,290,294,316,316,321,321,70,329,329
+ pwritev2,379,328,547,393,287,362,322,326,348,348,381,381,287,377,377
+ query_module,167,178,PNR,PNR,PNR,187,171,171,PNR,PNR,166,166,PNR,167,167
+ quotactl,131,179,179,131,60,131,172,172,131,131,131,131,60,131,131
++quotactl_fd,443,443,443,443,443,443,443,443,443,443,443,443,443,443,443
+ read,3,0,0,3,63,3,0,0,3,3,3,3,63,3,3
+ readahead,225,187,187,225,213,223,179,179,207,207,191,191,213,222,222
+ readdir,89,PNR,PNR,PNR,PNR,89,PNR,PNR,PNR,PNR,89,89,PNR,89,89
