Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
libseccomp 2.5.4 only knows about syscalls up to Linux 6.4.
The proposed changes add the syscalls up to Linux 6.7.

[ Impact ]
Syscalls for Linux 6.5 to 6.7 can't be allowed.

Software built with support for newer kernels (often the case in containers)
expect newer syscalls to work or return ENOSYS.
If that syscall is not supported by libseccomp and a default filter action of
returning EPERM is used, such software will break.
Therefore you often need to be able to allow a syscall even when the running
kernel doesn't support it.

[ Tests ]
* autopkgtest passes on amd64
* Verified adding a filter for the fchmodat2() syscall works (new in 6.6)
* Verified that systemd and Docker run

[ Risks ]
The changes only extend the syscall csv table and add new syscall defines.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream commit to support new syscalls.
diff -Nru libseccomp-2.5.4/debian/changelog libseccomp-2.5.4/debian/changelog
--- libseccomp-2.5.4/debian/changelog   2022-04-21 22:23:12.000000000 +0200
+++ libseccomp-2.5.4/debian/changelog   2024-05-25 20:36:52.000000000 +0200
@@ -1,3 +1,9 @@
+libseccomp (2.5.4-1+deb12u1) bookworm; urgency=medium
+
+  * Add support for syscalls up to Linux 6.7. (Closes: #1071822)
+
+ -- Felix Geyer <fge...@debian.org>  Sat, 25 May 2024 20:36:52 +0200
+
 libseccomp (2.5.4-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libseccomp-2.5.4/debian/patches/series 
libseccomp-2.5.4/debian/patches/series
--- libseccomp-2.5.4/debian/patches/series      1970-01-01 01:00:00.000000000 
+0100
+++ libseccomp-2.5.4/debian/patches/series      2024-05-25 20:08:25.000000000 
+0200
@@ -0,0 +1 @@
+update_the_syscall_table_for_Linux_v6.7-rc3.patch
diff -Nru 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
--- 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
   2024-05-25 20:06:55.000000000 +0200
@@ -0,0 +1,129 @@
+From 53267af3fb56eed93a50b8ef92f41825c97a7813 Mon Sep 17 00:00:00 2001
+From: Paul Moore <p...@paul-moore.com>
+Date: Fri, 5 May 2023 14:03:38 -0400
+Subject: [PATCH] all: update the syscall table for Linux v6.7-rc3
+
+Signed-off-by: Paul Moore <p...@paul-moore.com>
+Signed-off-by: Tom Hromatka <tom.hroma...@oracle.com>
+---
+ include/seccomp-syscalls.h | 17 +++++++++++++++++
+ src/syscalls.csv           | 12 +++++++++---
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index ee467183..611c78db 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -276,6 +276,7 @@
+ #define __PNR_renameat                                -10242
+ #define __PNR_riscv_flush_icache              -10243
+ #define __PNR_memfd_secret                    -10244
++#define __PNR_map_shadow_stack                        -10245
+ 
+ /*
+  * libseccomp syscall definitions
+@@ -401,6 +402,8 @@
+ #define __SNR_cacheflush              __PNR_cacheflush
+ #endif
+ 
++#define __SNR_cachestat                       __NR_cachestat
++
+ #define __SNR_capget                  __NR_capget
+ 
+ #define __SNR_capset                  __NR_capset
+@@ -595,6 +598,8 @@
+ 
+ #define __SNR_fchmodat                        __NR_fchmodat
+ 
++#define __SNR_fchmodat2                       __NR_fchmodat2
++
+ #ifdef __NR_fchown
+ #define __SNR_fchown                  __NR_fchown
+ #else
+@@ -717,14 +722,20 @@
+ 
+ #define __SNR_futex                   __NR_futex
+ 
++#define __SNR_futex_requeue           __NR_futex_requeue
++
+ #ifdef __NR_futex_time64
+ #define __SNR_futex_time64            __NR_futex_time64
+ #else
+ #define __SNR_futex_time64            __PNR_futex_time64
+ #endif
+ 
++#define __SNR_futex_wait              __NR_futex_wait
++
+ #define __SNR_futex_waitv             __NR_futex_waitv
+ 
++#define __SNR_futex_wake              __NR_futex_wake
++
+ #ifdef __NR_futimesat
+ #define __SNR_futimesat                       __NR_futimesat
+ #else
+@@ -1075,6 +1086,12 @@
+ 
+ #define __SNR_madvise                 __NR_madvise
+ 
++#ifdef __NR_map_shadow_stack
++#define __SNR_map_shadow_stack                __NR_map_shadow_stack
++#else
++#define __SNR_map_shadow_stack                __PNR_map_shadow_stack
++#endif
++
+ #ifdef __NR_mbind
+ #define __SNR_mbind                   __NR_mbind
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index ea13a0eb..b0da8e6e 100644
+--- a/src/syscalls.csv
++++ b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.17.0 
2022-04-05),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
++#syscall (v6.7.0-rc3 
2023-11-30),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
+ accept,PNR,43,43,285,202,168,42,42,35,35,330,330,202,PNR,PNR
+ accept4,364,288,288,366,242,334,293,297,320,320,344,344,242,364,364
+ access,33,21,21,33,PNR,33,20,20,33,33,33,33,PNR,33,33
+@@ -17,7 +17,8 @@ break,17,PNR,PNR,PNR,PNR,17,PNR,PNR,PNR,PNR,17,17,PNR,PNR,PNR
+ breakpoint,PNR,PNR,PNR,983041,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ brk,45,12,12,45,214,45,12,12,45,45,45,45,214,45,45
+ cachectl,PNR,PNR,PNR,PNR,PNR,148,198,198,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+-cacheflush,PNR,PNR,PNR,983042,PNR,147,197,197,PNR,PNR,PNR,PNR,PNR,PNR,PNR
++cacheflush,PNR,PNR,PNR,983042,PNR,147,197,197,356,356,PNR,PNR,PNR,PNR,PNR
++cachestat,451,451,451,451,451,451,451,451,451,451,451,451,451,451,451
+ capget,184,125,125,184,90,204,123,123,106,106,183,183,90,184,184
+ capset,185,126,126,185,91,205,124,124,107,107,184,184,91,185,185
+ chdir,12,80,80,12,49,12,78,78,12,12,12,12,49,12,12
+@@ -71,6 +72,7 @@ 
fanotify_mark,339,301,301,368,263,337,296,301,323,323,324,324,263,333,333
+ fchdir,133,81,81,133,50,133,79,79,133,133,133,133,50,133,133
+ fchmod,94,91,91,94,52,94,89,89,94,94,94,94,52,94,94
+ fchmodat,306,268,268,333,53,299,258,262,286,286,297,297,53,299,299
++fchmodat2,452,452,452,452,452,452,452,452,452,452,452,452,452,452,452
+ fchown,95,93,93,95,55,95,91,91,95,95,95,95,55,95,207
+ fchown32,207,PNR,PNR,207,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,207,PNR
+ fchownat,298,260,260,325,54,291,250,254,278,278,289,289,54,291,291
+@@ -98,8 +100,11 @@ 
ftime,35,PNR,PNR,PNR,PNR,35,PNR,PNR,PNR,PNR,35,35,PNR,PNR,PNR
+ ftruncate,93,77,77,93,46,93,75,75,93,93,93,93,46,93,93
+ ftruncate64,194,PNR,PNR,194,PNR,212,PNR,PNR,200,200,194,PNR,PNR,194,PNR
+ futex,240,202,202,240,98,238,194,194,210,210,221,221,98,238,238
++futex_requeue,456,456,456,456,456,456,456,456,456,456,456,456,456,456,456
+ futex_time64,422,PNR,PNR,422,PNR,422,PNR,422,422,PNR,422,PNR,PNR,422,PNR
++futex_wait,455,455,455,455,455,455,455,455,455,455,455,455,455,455,455
+ futex_waitv,449,449,449,449,449,449,449,449,449,449,449,449,449,449,449
++futex_wake,454,454,454,454,454,454,454,454,454,454,454,454,454,454,454
+ futimesat,299,261,261,326,PNR,292,251,255,279,279,290,290,PNR,292,292
+ getcpu,318,309,309,345,168,312,271,275,296,296,302,302,168,311,311
+ getcwd,183,79,79,183,17,203,77,77,110,110,182,182,17,183,183
+@@ -189,10 +194,11 @@ 
lsetxattr,227,189,189,227,6,225,181,181,239,239,210,210,6,225,225
+ lstat,107,6,6,107,PNR,107,6,6,84,84,107,107,PNR,107,107
+ lstat64,196,PNR,PNR,196,PNR,214,PNR,PNR,198,198,196,PNR,PNR,196,PNR
+ madvise,219,28,28,220,233,218,27,27,119,119,205,205,233,219,219
++map_shadow_stack,453,453,PNR,453,453,453,453,453,453,453,453,453,453,453,453
+ mbind,274,237,237,319,235,268,227,231,260,260,259,259,235,268,268
+ membarrier,375,324,324,389,283,358,318,322,343,343,365,365,283,356,356
+ memfd_create,356,319,319,385,279,354,314,318,340,340,360,360,279,350,350
+-memfd_secret,447,447,447,PNR,447,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
++memfd_secret,447,447,447,PNR,447,PNR,PNR,PNR,PNR,PNR,PNR,PNR,447,447,447
+ migrate_pages,294,256,256,400,238,287,246,250,272,272,258,258,238,287,287
+ mincore,218,27,27,219,232,217,26,26,72,72,206,206,232,218,218
+ mkdir,39,83,83,39,PNR,39,81,81,39,39,39,39,PNR,39,39
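Review bot: The [Risks] claim that the changes only extend the csv table does not hold for this hunk: besides the new rows, the cacheflush row now assigns 356 on parisc/parisc64 and the memfd_secret row assigns 447 on riscv64, s390 and s390x, replacing PNR entries. On those architectures a rule naming memfd_secret or cacheflush previously resolved to a pseudo (negative) syscall number and now resolves to a real one, so the effect of existing filters there can presumably change and should be called out rather than described as a pure extension. The debian/changelog entry in the first hunk only mentions new syscalls; consider a line such as `  * Add support for syscalls up to Linux 6.7 and fix the cacheflush (parisc) and memfd_secret (riscv64, s390x) syscall numbers. (Closes: #1071822)`. The replaced csv header also shows the 2.5.4 table dating from v5.17.0, which appears inconsistent with the "up to Linux 6.4" baseline stated in the request and may be worth reconciling.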
