W dniu 04.06.2014 11:18, Marcin Juszkiewicz pisze: > I worked on tests part today and went from terrible results to much better > ones > (but still not so good).
Rebased patch on top of git repository which resulted in more tests being run. Syscall check passed fine. >From 8f21957091583cb948c207448fc112d74d98c6aa Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz <[email protected]> Date: Wed, 4 Jun 2014 11:35:53 +0200 Subject: [PATCH] Add AArch64 support Changelog V1 - 28.05.2014 V2 - 03.06.2014 - filled syscalls table - added new __PNR_ macros for alarm, mmap, open, select, time, utime V3 - 04.06.2014 - added AArch64 detection into tools/ - added AArch64 detection into tests/{16,23} Regression Test Summary tests run: 423 tests skipped: 59 tests passed: 403 tests failed: 20 tests errored: 167 V4 - 2014.06.04 - rebased on top of git Regression Test Summary tests run: 935 tests skipped: 59 tests passed: 902 tests failed: 33 tests errored: 141 --- include/seccomp.h.in | 37 +++ src/Makefile.am | 3 +- src/arch-aarch64-syscalls.c | 470 +++++++++++++++++++++++++++++++++++++++ src/arch-aarch64.c | 34 +++ src/arch-aarch64.h | 37 +++ src/arch.c | 3 + tests/16-sim-arch_basic.c | 3 + tests/23-sim-arch_all_le_basic.c | 3 + tools/scmp_arch_detect.c | 3 + tools/scmp_bpf_sim.c | 7 + 10 files changed, 599 insertions(+), 1 deletion(-) create mode 100644 src/arch-aarch64-syscalls.c create mode 100644 src/arch-aarch64.c create mode 100644 src/arch-aarch64.h diff --git a/include/seccomp.h.in b/include/seccomp.h.in index ff9326a..d931680 100644 --- a/include/seccomp.h.in +++ b/include/seccomp.h.in @@ -128,6 +128,17 @@ struct scmp_arg_cmp { #define SCMP_ARCH_MIPSEL AUDIT_ARCH_MIPSEL /** + * The AARCH64 architecture token + */ + +/* AArch64 support for audit is still not in mainline */ +#ifndef AUDIT_ARCH_AARCH64 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + +#define SCMP_ARCH_AARCH64 AUDIT_ARCH_AARCH64 + +/** * Convert a syscall name into the associated syscall number * @param x the syscall name */ @@ -1196,6 +1207,32 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd); #define __NR_vfork __PNR_vfork #endif /* __NR_vfork */ +#define __PNR_alarm -10103 +#ifndef __NR_alarm +#define __NR_alarm __PNR_alarm +#endif /* __NR_alarm */ + +#define __PNR_mmap -10104 +#ifndef __NR_mmap +#define __NR_mmap __PNR_mmap +#endif /* __NR_mmap */ + +#define __PNR_open -10105 +#ifndef __NR_open +#define __NR_open __PNR_open +#endif /* __NR_open */ + +#define __PNR_time -10106 +#ifndef __NR_time +#define __NR_time __PNR_time +#endif /* __NR_time */ + +#define __PNR_utime -10107 +#ifndef __NR_utime +#define __NR_utime __PNR_utime +#endif /* __NR_utime */ + + #ifdef __cplusplus } #endif diff --git a/src/Makefile.am b/src/Makefile.am index d95c0a6..a05b1ef 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -27,7 +27,8 @@ SOURCES_ARCH = \ arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \ arch-x32.h arch-x32.c arch-x32-syscalls.c \ arch-arm.h arch-arm.c arch-arm-syscalls.c \ - arch-mips.h arch-mips.c arch-mips-syscalls.c + arch-mips.h arch-mips.c arch-mips-syscalls.c \ + arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c SOURCES_GEN = \ api.c system.h \ diff --git a/src/arch-aarch64-syscalls.c b/src/arch-aarch64-syscalls.c new file mode 100644 index 0000000..386233a --- /dev/null +++ b/src/arch-aarch64-syscalls.c @@ -0,0 +1,470 @@ +/** + * Enhanced Seccomp AArch64 Syscall Table + * + * Copyright (c) 2014 Red Hat + * Author: Marcin Juszkiewicz <[email protected]> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <string.h> + +#include <seccomp.h> + +#include "arch.h" +#include "arch-aarch64.h" + +#define __NR_SYSCALL_BASE 0 + +/* NOTE: based on Linux 3.13.0-rc7 */ +const struct arch_syscall_def aarch64_syscall_table[] = { \ + { "accept", (__NR_SYSCALL_BASE + 285) }, + { "accept4", (__NR_SYSCALL_BASE + 366) }, + { "access", (__NR_SYSCALL_BASE + 33) }, + { "acct", (__NR_SYSCALL_BASE + 51) }, + { "add_key", (__NR_SYSCALL_BASE + 309) }, + { "adjtimex", (__NR_SYSCALL_BASE + 124) }, + { "afs_syscall", __PNR_afs_syscall }, + { "alarm", (__PNR_alarm) }, + { "arm_fadvise64_64", (__NR_SYSCALL_BASE + 270) }, + { "arm_sync_file_range", (__PNR_arm_sync_file_range) }, + { "arch_prctl", __PNR_arch_prctl }, + { "bdflush", (__NR_SYSCALL_BASE + 134) }, + { "bind", (__NR_SYSCALL_BASE + 282) }, + { "break", __PNR_break }, + { "brk", (__NR_SYSCALL_BASE + 45) }, + { "capget", (__NR_SYSCALL_BASE + 184) }, + { "capset", (__NR_SYSCALL_BASE + 185) }, + { "chdir", (__NR_SYSCALL_BASE + 12) }, + { "chmod", (__NR_SYSCALL_BASE + 15) }, + { "chown", (__NR_SYSCALL_BASE + 182) }, + { "chown32", (__NR_SYSCALL_BASE + 212) }, + { "chroot", (__NR_SYSCALL_BASE + 61) }, + { "clock_adjtime", (__NR_SYSCALL_BASE + 372) }, + { "clock_getres", (__NR_SYSCALL_BASE + 264) }, + { "clock_gettime", (__NR_SYSCALL_BASE + 263) }, + { "clock_nanosleep", (__NR_SYSCALL_BASE + 265) }, + { "clock_settime", (__NR_SYSCALL_BASE + 262) }, + { "clone", (__NR_SYSCALL_BASE + 120) }, + { "close", (__NR_SYSCALL_BASE + 6) }, + { "connect", (__NR_SYSCALL_BASE + 283) }, + { "creat", (__NR_SYSCALL_BASE + 8) }, + { "create_module", __PNR_create_module }, + { "delete_module", (__NR_SYSCALL_BASE + 129) }, + { "dup", (__NR_SYSCALL_BASE + 41) }, + { "dup2", (__NR_SYSCALL_BASE + 63) }, + { "dup3", (__NR_SYSCALL_BASE + 358) }, + { "epoll_create", (__NR_SYSCALL_BASE + 250) }, + { "epoll_create1", (__NR_SYSCALL_BASE + 357) }, + { "epoll_ctl", (__NR_SYSCALL_BASE + 251) }, + { "epoll_ctl_old", __PNR_epoll_ctl_old }, + { "epoll_pwait", (__NR_SYSCALL_BASE + 346) }, + { "epoll_wait", (__NR_SYSCALL_BASE + 252) }, + { "epoll_wait_old", __PNR_epoll_wait_old }, + { "eventfd", (__NR_SYSCALL_BASE + 351) }, + { "eventfd2", (__NR_SYSCALL_BASE + 356) }, + { "execve", (__NR_SYSCALL_BASE + 11) }, + { "exit", (__NR_SYSCALL_BASE + 1) }, + { "exit_group", (__NR_SYSCALL_BASE + 248) }, + { "faccessat", (__NR_SYSCALL_BASE + 334) }, + { "fadvise64", __PNR_fadvise64 }, + { "fadvise64_64", __PNR_fadvise64_64 }, + { "fallocate", (__NR_SYSCALL_BASE + 352) }, + { "fanotify_init", (__NR_SYSCALL_BASE + 367) }, + { "fanotify_mark", (__NR_SYSCALL_BASE + 368) }, + { "fchdir", (__NR_SYSCALL_BASE + 133) }, + { "fchmod", (__NR_SYSCALL_BASE + 94) }, + { "fchmodat", (__NR_SYSCALL_BASE + 333) }, + { "fchown", (__NR_SYSCALL_BASE + 95) }, + { "fchown32", (__NR_SYSCALL_BASE + 207) }, + { "fchownat", (__NR_SYSCALL_BASE + 325) }, + { "fcntl", (__NR_SYSCALL_BASE + 55) }, + { "fcntl64", (__NR_SYSCALL_BASE + 221) }, + { "fdatasync", (__NR_SYSCALL_BASE + 148) }, + { "fgetxattr", (__NR_SYSCALL_BASE + 231) }, + { "finit_module", (__NR_SYSCALL_BASE + 379) }, + { "flistxattr", (__NR_SYSCALL_BASE + 234) }, + { "flock", (__NR_SYSCALL_BASE + 143) }, + { "fork", (__NR_SYSCALL_BASE + 2) }, + { "fremovexattr", (__NR_SYSCALL_BASE + 237) }, + { "fsetxattr", (__NR_SYSCALL_BASE + 228) }, + { "fstat", (__NR_SYSCALL_BASE + 108) }, + { "fstat64", (__NR_SYSCALL_BASE + 197) }, + { "fstatat64", (__NR_SYSCALL_BASE + 327) }, + { "fstatfs", (__NR_SYSCALL_BASE + 100) }, + { "fstatfs64", (__NR_SYSCALL_BASE + 267) }, + { "fsync", (__NR_SYSCALL_BASE + 118) }, + { "ftime", __PNR_ftime }, + { "ftruncate", (__NR_SYSCALL_BASE + 93) }, + { "ftruncate64", (__NR_SYSCALL_BASE + 194) }, + { "futex", (__NR_SYSCALL_BASE + 240) }, + { "futimesat", (__NR_SYSCALL_BASE + 326) }, + { "get_kernel_syms", __PNR_get_kernel_syms }, + { "get_thread_area", __PNR_get_thread_area }, + { "getcpu", (__NR_SYSCALL_BASE + 345) }, + { "getcwd", (__NR_SYSCALL_BASE + 183) }, + { "getdents", (__NR_SYSCALL_BASE + 141) }, + { "getdents64", (__NR_SYSCALL_BASE + 217) }, + { "getegid", (__NR_SYSCALL_BASE + 50) }, + { "getegid32", (__NR_SYSCALL_BASE + 202) }, + { "geteuid", (__NR_SYSCALL_BASE + 49) }, + { "geteuid32", (__NR_SYSCALL_BASE + 201) }, + { "getgid", (__NR_SYSCALL_BASE + 47) }, + { "getgid32", (__NR_SYSCALL_BASE + 200) }, + { "getgroups", (__NR_SYSCALL_BASE + 80) }, + { "getgroups32", (__NR_SYSCALL_BASE + 205) }, + { "getitimer", (__NR_SYSCALL_BASE + 105) }, + { "get_mempolicy", (__NR_SYSCALL_BASE + 320) }, + { "getpeername", (__NR_SYSCALL_BASE + 287) }, + { "getpgid", (__NR_SYSCALL_BASE + 132) }, + { "getpgrp", (__NR_SYSCALL_BASE + 65) }, + { "getpid", (__NR_SYSCALL_BASE + 20) }, + { "getpmsg", __PNR_getpmsg }, + { "getppid", (__NR_SYSCALL_BASE + 64) }, + { "getpriority", (__NR_SYSCALL_BASE + 96) }, + { "getresgid", (__NR_SYSCALL_BASE + 171) }, + { "getresgid32", (__NR_SYSCALL_BASE + 211) }, + { "getresuid", (__NR_SYSCALL_BASE + 165) }, + { "getresuid32", (__NR_SYSCALL_BASE + 209) }, + { "get_robust_list", (__NR_SYSCALL_BASE + 339) }, + { "getrusage", (__NR_SYSCALL_BASE + 77) }, + { "getsid", (__NR_SYSCALL_BASE + 147) }, + { "getsockname", (__NR_SYSCALL_BASE + 286) }, + { "getsockopt", (__NR_SYSCALL_BASE + 295) }, + { "gettid", (__NR_SYSCALL_BASE + 224) }, + { "gettimeofday", (__NR_SYSCALL_BASE + 78) }, + { "getuid", (__NR_SYSCALL_BASE + 24) }, + { "getuid32", (__NR_SYSCALL_BASE + 199) }, + { "getxattr", (__NR_SYSCALL_BASE + 229) }, + { "gtty", __PNR_gtty }, + { "idle", __PNR_idle }, + { "init_module", (__NR_SYSCALL_BASE + 128) }, + { "inotify_add_watch", (__NR_SYSCALL_BASE + 317) }, + { "inotify_init", (__NR_SYSCALL_BASE + 316) }, + { "inotify_init1", (__NR_SYSCALL_BASE + 360) }, + { "inotify_rm_watch", (__NR_SYSCALL_BASE + 318) }, + { "io_cancel", (__NR_SYSCALL_BASE + 247) }, + { "io_destroy", (__NR_SYSCALL_BASE + 244) }, + { "io_getevents", (__NR_SYSCALL_BASE + 245) }, + { "io_setup", (__NR_SYSCALL_BASE + 243) }, + { "io_submit", (__NR_SYSCALL_BASE + 246) }, + { "ioctl", (__NR_SYSCALL_BASE + 54) }, + { "ioperm", __PNR_ioperm }, + { "iopl", __PNR_iopl }, + { "ioprio_get", (__NR_SYSCALL_BASE + 315) }, + { "ioprio_set", (__NR_SYSCALL_BASE + 314) }, + { "ipc", (__NR_SYSCALL_BASE + 117) }, + { "kcmp", __PNR_kcmp }, + { "kexec_load", (__NR_SYSCALL_BASE + 347) }, + { "keyctl", (__NR_SYSCALL_BASE + 311) }, + { "kill", (__NR_SYSCALL_BASE + 37) }, + { "lchown", (__NR_SYSCALL_BASE + 16) }, + { "lchown32", (__NR_SYSCALL_BASE + 198) }, + { "lgetxattr", (__NR_SYSCALL_BASE + 230) }, + { "link", (__NR_SYSCALL_BASE + 9) }, + { "linkat", (__NR_SYSCALL_BASE + 330) }, + { "listen", (__NR_SYSCALL_BASE + 284) }, + { "listxattr", (__NR_SYSCALL_BASE + 232) }, + { "llistxattr", (__NR_SYSCALL_BASE + 233) }, + { "_llseek", (__NR_SYSCALL_BASE + 140) }, + { "lock", __PNR_lock }, + { "lookup_dcookie", (__NR_SYSCALL_BASE + 249) }, + { "lremovexattr", (__NR_SYSCALL_BASE + 236) }, + { "lseek", (__NR_SYSCALL_BASE + 19) }, + { "lsetxattr", (__NR_SYSCALL_BASE + 227) }, + { "lstat", (__NR_SYSCALL_BASE + 107) }, + { "lstat64", (__NR_SYSCALL_BASE + 196) }, + { "madvise", (__NR_SYSCALL_BASE + 220) }, + { "mbind", (__NR_SYSCALL_BASE + 319) }, + { "migrate_pages", __PNR_migrate_pages }, + { "mincore", (__NR_SYSCALL_BASE + 219) }, + { "mkdir", (__NR_SYSCALL_BASE + 39) }, + { "mkdirat", (__NR_SYSCALL_BASE + 323) }, + { "mknod", (__NR_SYSCALL_BASE + 14) }, + { "mknodat", (__NR_SYSCALL_BASE + 324) }, + { "mlock", (__NR_SYSCALL_BASE + 150) }, + { "mlockall", (__NR_SYSCALL_BASE + 152) }, + { "mmap", (__PNR_mmap) }, + { "mmap2", (__NR_SYSCALL_BASE + 192) }, + { "modify_ldt", __PNR_modify_ldt }, + { "mount", (__NR_SYSCALL_BASE + 21) }, + { "move_pages", (__NR_SYSCALL_BASE + 344) }, + { "mprotect", (__NR_SYSCALL_BASE + 125) }, + { "mpx", __PNR_mpx }, + { "mq_getsetattr", (__NR_SYSCALL_BASE + 279) }, + { "mq_notify", (__NR_SYSCALL_BASE + 278) }, + { "mq_open", (__NR_SYSCALL_BASE + 274) }, + { "mq_timedreceive", (__NR_SYSCALL_BASE + 277) }, + { "mq_timedsend", (__NR_SYSCALL_BASE + 276) }, + { "mq_unlink", (__NR_SYSCALL_BASE + 275) }, + { "mremap", (__NR_SYSCALL_BASE + 163) }, + { "msgctl", (__NR_SYSCALL_BASE + 304) }, + { "msgget", (__NR_SYSCALL_BASE + 303) }, + { "msgrcv", (__NR_SYSCALL_BASE + 302) }, + { "msgsnd", (__NR_SYSCALL_BASE + 301) }, + { "msync", (__NR_SYSCALL_BASE + 144) }, + { "munlock", (__NR_SYSCALL_BASE + 151) }, + { "munlockall", (__NR_SYSCALL_BASE + 153) }, + { "munmap", (__NR_SYSCALL_BASE + 91) }, + { "name_to_handle_at", (__NR_SYSCALL_BASE + 370) }, + { "nanosleep", (__NR_SYSCALL_BASE + 162) }, + { "_newselect", (__NR_SYSCALL_BASE + 142) }, + { "newfstatat", __PNR_newfstatat }, + { "nfsservctl", (__NR_SYSCALL_BASE + 169) }, + { "nice", (__NR_SYSCALL_BASE + 34) }, + { "oldfstat", __PNR_oldfstat }, + { "oldlstat", __PNR_oldlstat }, + { "oldolduname", __PNR_oldolduname }, + { "oldstat", __PNR_oldstat }, + { "olduname", __PNR_olduname }, + { "open", (__PNR_open) }, + { "openat", (__NR_SYSCALL_BASE + 322) }, + { "open_by_handle_at", (__NR_SYSCALL_BASE + 371) }, + { "pause", (__NR_SYSCALL_BASE + 29) }, + { "pciconfig_iobase", (__NR_SYSCALL_BASE + 271) }, + { "pciconfig_read", (__NR_SYSCALL_BASE + 272) }, + { "pciconfig_write", (__NR_SYSCALL_BASE + 273) }, + { "perf_event_open", (__NR_SYSCALL_BASE + 364) }, + { "personality", (__NR_SYSCALL_BASE + 136) }, + { "pipe", (__NR_SYSCALL_BASE + 42) }, + { "pipe2", (__NR_SYSCALL_BASE + 359) }, + { "pivot_root", (__NR_SYSCALL_BASE + 218) }, + { "poll", (__NR_SYSCALL_BASE + 168) }, + { "ppoll", (__NR_SYSCALL_BASE + 336) }, + { "prctl", (__NR_SYSCALL_BASE + 172) }, + { "pread64", (__NR_SYSCALL_BASE + 180) }, + { "preadv", (__NR_SYSCALL_BASE + 361) }, + { "prlimit64", (__NR_SYSCALL_BASE + 369) }, + { "process_vm_readv", (__NR_SYSCALL_BASE + 376) }, + { "process_vm_writev", (__NR_SYSCALL_BASE + 377) }, + { "prof", __PNR_prof }, + { "profil", __PNR_profil }, + { "pselect6", (__NR_SYSCALL_BASE + 335) }, + { "ptrace", (__NR_SYSCALL_BASE + 26) }, + { "putpmsg", __PNR_putpmsg }, + { "pwrite64", (__NR_SYSCALL_BASE + 181) }, + { "pwritev", (__NR_SYSCALL_BASE + 362) }, + { "query_module", __PNR_query_module }, + { "quotactl", (__NR_SYSCALL_BASE + 131) }, + { "read", (__NR_SYSCALL_BASE + 3) }, + { "readahead", (__NR_SYSCALL_BASE + 225) }, + { "readdir", (__PNR_readdir) }, + { "readlink", (__NR_SYSCALL_BASE + 85) }, + { "readlinkat", (__NR_SYSCALL_BASE + 332) }, + { "readv", (__NR_SYSCALL_BASE + 145) }, + { "reboot", (__NR_SYSCALL_BASE + 88) }, + { "recv", (__NR_SYSCALL_BASE + 291) }, + { "recvfrom", (__NR_SYSCALL_BASE + 292) }, + { "recvmmsg", (__NR_SYSCALL_BASE + 365) }, + { "recvmsg", (__NR_SYSCALL_BASE + 297) }, + { "remap_file_pages", (__NR_SYSCALL_BASE + 253) }, + { "removexattr", (__NR_SYSCALL_BASE + 235) }, + { "rename", (__NR_SYSCALL_BASE + 38) }, + { "renameat", (__NR_SYSCALL_BASE + 329) }, + { "request_key", (__NR_SYSCALL_BASE + 310) }, + { "restart_syscall", (__NR_SYSCALL_BASE + 0) }, + { "rmdir", (__NR_SYSCALL_BASE + 40) }, + { "rt_sigaction", (__NR_SYSCALL_BASE + 174) }, + { "rt_sigpending", (__NR_SYSCALL_BASE + 176) }, + { "rt_sigprocmask", (__NR_SYSCALL_BASE + 175) }, + { "rt_sigqueueinfo", (__NR_SYSCALL_BASE + 178) }, + { "rt_sigreturn", (__NR_SYSCALL_BASE + 173) }, + { "rt_sigsuspend", (__NR_SYSCALL_BASE + 179) }, + { "rt_sigtimedwait", (__NR_SYSCALL_BASE + 177) }, + { "rt_tgsigqueueinfo", (__NR_SYSCALL_BASE + 363) }, + { "sched_getaffinity", (__NR_SYSCALL_BASE + 242) }, + { "sched_getparam", (__NR_SYSCALL_BASE + 155) }, + { "sched_get_priority_max", (__NR_SYSCALL_BASE + 159) }, + { "sched_get_priority_min", (__NR_SYSCALL_BASE + 160) }, + { "sched_getscheduler", (__NR_SYSCALL_BASE + 157) }, + { "sched_rr_get_interval", (__NR_SYSCALL_BASE + 161) }, + { "sched_setaffinity", (__NR_SYSCALL_BASE + 241) }, + { "sched_setparam", (__NR_SYSCALL_BASE + 154) }, + { "sched_setscheduler", (__NR_SYSCALL_BASE + 156) }, + { "sched_yield", (__NR_SYSCALL_BASE + 158) }, + { "security", __PNR_security }, + { "select", (__PNR_select) }, + { "semctl", (__NR_SYSCALL_BASE + 300) }, + { "semget", (__NR_SYSCALL_BASE + 299) }, + { "semop", (__NR_SYSCALL_BASE + 298) }, + { "semtimedop", (__NR_SYSCALL_BASE + 312) }, + { "send", (__NR_SYSCALL_BASE + 289) }, + { "sendfile", (__NR_SYSCALL_BASE + 187) }, + { "sendfile64", (__NR_SYSCALL_BASE + 239) }, + { "sendmmsg", (__NR_SYSCALL_BASE + 374) }, + { "sendmsg", (__NR_SYSCALL_BASE + 296) }, + { "sendto", (__NR_SYSCALL_BASE + 290) }, + { "setdomainname", (__NR_SYSCALL_BASE + 121) }, + { "setfsgid", (__NR_SYSCALL_BASE + 139) }, + { "setfsgid32", (__NR_SYSCALL_BASE + 216) }, + { "setfsuid", (__NR_SYSCALL_BASE + 138) }, + { "setfsuid32", (__NR_SYSCALL_BASE + 215) }, + { "setgid", (__NR_SYSCALL_BASE + 46) }, + { "setgid32", (__NR_SYSCALL_BASE + 214) }, + { "setgroups", (__NR_SYSCALL_BASE + 81) }, + { "setgroups32", (__NR_SYSCALL_BASE + 206) }, + { "sethostname", (__NR_SYSCALL_BASE + 74) }, + { "setitimer", (__NR_SYSCALL_BASE + 104) }, + { "set_mempolicy", (__NR_SYSCALL_BASE + 321) }, + { "setns", (__NR_SYSCALL_BASE + 375) }, + { "setpgid", (__NR_SYSCALL_BASE + 57) }, + { "setpriority", (__NR_SYSCALL_BASE + 97) }, + { "setregid", (__NR_SYSCALL_BASE + 71) }, + { "setregid32", (__NR_SYSCALL_BASE + 204) }, + { "setresgid", (__NR_SYSCALL_BASE + 170) }, + { "setresgid32", (__NR_SYSCALL_BASE + 210) }, + { "setresuid", (__NR_SYSCALL_BASE + 164) }, + { "setresuid32", (__NR_SYSCALL_BASE + 208) }, + { "setreuid", (__NR_SYSCALL_BASE + 70) }, + { "setreuid32", (__NR_SYSCALL_BASE + 203) }, + { "setrlimit", (__NR_SYSCALL_BASE + 75) }, + { "set_robust_list", (__NR_SYSCALL_BASE + 338) }, + { "setsid", (__NR_SYSCALL_BASE + 66) }, + { "setsockopt", (__NR_SYSCALL_BASE + 294) }, + { "set_thread_area", __PNR_set_thread_area }, + { "set_tid_address", (__NR_SYSCALL_BASE + 256) }, + { "settimeofday", (__NR_SYSCALL_BASE + 79) }, + { "setuid", (__NR_SYSCALL_BASE + 23) }, + { "setuid32", (__NR_SYSCALL_BASE + 213) }, + { "setxattr", (__NR_SYSCALL_BASE + 226) }, + { "sgetmask", __PNR_sgetmask }, + { "shmat", (__NR_SYSCALL_BASE + 305) }, + { "shmctl", (__NR_SYSCALL_BASE + 308) }, + { "shmdt", (__NR_SYSCALL_BASE + 306) }, + { "shmget", (__NR_SYSCALL_BASE + 307) }, + { "shutdown", (__NR_SYSCALL_BASE + 293) }, + { "sigaction", (__NR_SYSCALL_BASE + 67) }, + { "sigaltstack", (__NR_SYSCALL_BASE + 186) }, + { "signal", __PNR_signal }, + { "signalfd", (__NR_SYSCALL_BASE + 349) }, + { "signalfd4", (__NR_SYSCALL_BASE + 355) }, + { "sigpending", (__NR_SYSCALL_BASE + 73) }, + { "sigprocmask", (__NR_SYSCALL_BASE + 126) }, + { "sigreturn", (__NR_SYSCALL_BASE + 119) }, + { "sigsuspend", (__NR_SYSCALL_BASE + 72) }, + { "socket", (__NR_SYSCALL_BASE + 281) }, + { "socketcall", (__PNR_socketcall) }, + { "socketpair", (__NR_SYSCALL_BASE + 288) }, + { "splice", (__NR_SYSCALL_BASE + 340) }, + { "ssetmask", __PNR_ssetmask }, + { "stat", (__NR_SYSCALL_BASE + 106) }, + { "stat64", (__NR_SYSCALL_BASE + 195) }, + { "statfs", (__NR_SYSCALL_BASE + 99) }, + { "statfs64", (__NR_SYSCALL_BASE + 266) }, + { "stime", (__PNR_stime) }, + { "stty", __PNR_stty }, + { "swapoff", (__NR_SYSCALL_BASE + 115) }, + { "swapon", (__NR_SYSCALL_BASE + 87) }, + { "symlink", (__NR_SYSCALL_BASE + 83) }, + { "symlinkat", (__NR_SYSCALL_BASE + 331) }, + { "sync", (__NR_SYSCALL_BASE + 36) }, + { "sync_file_range", __PNR_sync_file_range }, + { "sync_file_range2", (__NR_SYSCALL_BASE + 341) }, + { "syncfs", (__NR_SYSCALL_BASE + 373) }, + { "syscall", (__PNR_syscall) }, + { "_sysctl", (__NR_SYSCALL_BASE + 149) }, + { "sysfs", (__NR_SYSCALL_BASE + 135) }, + { "sysinfo", (__NR_SYSCALL_BASE + 116) }, + { "syslog", (__NR_SYSCALL_BASE + 103) }, + { "tee", (__NR_SYSCALL_BASE + 342) }, + { "tgkill", (__NR_SYSCALL_BASE + 268) }, + { "time", (__PNR_time) }, + { "timer_create", (__NR_SYSCALL_BASE + 257) }, + { "timer_delete", (__NR_SYSCALL_BASE + 261) }, + { "timerfd_create", (__NR_SYSCALL_BASE + 350) }, + { "timerfd_gettime", (__NR_SYSCALL_BASE + 354) }, + { "timerfd_settime", (__NR_SYSCALL_BASE + 353) }, + { "timer_getoverrun", (__NR_SYSCALL_BASE + 260) }, + { "timer_gettime", (__NR_SYSCALL_BASE + 259) }, + { "timer_settime", (__NR_SYSCALL_BASE + 258) }, + { "times", (__NR_SYSCALL_BASE + 43) }, + { "tkill", (__NR_SYSCALL_BASE + 238) }, + { "truncate", (__NR_SYSCALL_BASE + 92) }, + { "truncate64", (__NR_SYSCALL_BASE + 193) }, + { "tuxcall", __PNR_tuxcall }, + { "ugetrlimit", (__NR_SYSCALL_BASE + 191) }, /* SuS compliant getrlimit */ + { "ulimit", __PNR_ulimit }, + { "umask", (__NR_SYSCALL_BASE + 60) }, + { "umount", (__PNR_umount) }, + { "umount2", (__NR_SYSCALL_BASE + 52) }, + { "uname", (__NR_SYSCALL_BASE + 122) }, + { "unlink", (__NR_SYSCALL_BASE + 10) }, + { "unlinkat", (__NR_SYSCALL_BASE + 328) }, + { "unshare", (__NR_SYSCALL_BASE + 337) }, + { "uselib", (__NR_SYSCALL_BASE + 86) }, + { "ustat", (__NR_SYSCALL_BASE + 62) }, + { "utime", (__PNR_utime) }, + { "utimensat", (__NR_SYSCALL_BASE + 348) }, + { "utimes", (__NR_SYSCALL_BASE + 269) }, + { "vfork", (__NR_SYSCALL_BASE + 190) }, + { "vhangup", (__NR_SYSCALL_BASE + 111) }, + { "vm86", __PNR_vm86 }, + { "vm86old", __PNR_vm86old }, + { "vmsplice", (__NR_SYSCALL_BASE + 343) }, + { "vserver", (__NR_SYSCALL_BASE + 313) }, + { "wait4", (__NR_SYSCALL_BASE + 114) }, + { "waitid", (__NR_SYSCALL_BASE + 280) }, + { "waitpid", __PNR_waitpid }, + { "write", (__NR_SYSCALL_BASE + 4) }, + { "writev", (__NR_SYSCALL_BASE + 146) }, + { NULL, __NR_SCMP_ERROR }, +}; + +/** + * Resolve a syscall name to a number + * @param name the syscall name + * + * Resolve the given syscall name to the syscall number using the syscall table. + * Returns the syscall number on success, including negative pseudo syscall + * numbers; returns __NR_SCMP_ERROR on failure. + * + */ +int aarch64_syscall_resolve_name(const char *name) +{ + unsigned int iter; + const struct arch_syscall_def *table = aarch64_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].name != NULL; iter++) { + if (strcmp(name, table[iter].name) == 0) + return table[iter].num; + } + + return __NR_SCMP_ERROR; +} + +/** + * Resolve a syscall number to a name + * @param num the syscall number + * + * Resolve the given syscall number to the syscall name using the syscall table. + * Returns a pointer to the syscall name string on success, including pseudo + * syscall names; returns NULL on failure. + * + */ +const char *aarch64_syscall_resolve_num(int num) +{ + unsigned int iter; + const struct arch_syscall_def *table = aarch64_syscall_table; + + /* XXX - plenty of room for future improvement here */ + for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) { + if (num == table[iter].num) + return table[iter].name; + } + + return NULL; +} + diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c new file mode 100644 index 0000000..a4fbffb --- /dev/null +++ b/src/arch-aarch64.c @@ -0,0 +1,34 @@ +/** + * Enhanced Seccomp AArch64 Syscall Table + * + * Copyright (c) 2014 Red Hat + * Author: Marcin Juszkiewicz <[email protected]> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <stdlib.h> +#include <errno.h> +#include <linux/audit.h> + +#include "arch.h" +#include "arch-aarch64.h" + +const struct arch_def arch_def_aarch64 = { + .token = SCMP_ARCH_AARCH64, + .token_bpf = AUDIT_ARCH_AARCH64, + .size = ARCH_SIZE_64, + .endian = ARCH_ENDIAN_LITTLE, +}; diff --git a/src/arch-aarch64.h b/src/arch-aarch64.h new file mode 100644 index 0000000..9c1c0d3 --- /dev/null +++ b/src/arch-aarch64.h @@ -0,0 +1,37 @@ +/** + * Enhanced Seccomp AArch64 Syscall Table + * + * Copyright (c) 2014 Red Hat + * Author: Marcin Juszkiewicz <[email protected]> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#ifndef _ARCH_AARCH64_H +#define _ARCH_AARCH64_H + +#include <inttypes.h> + +#include "arch.h" +#include "system.h" + +#define aarch64_arg_count_max 6 + +extern const struct arch_def arch_def_aarch64; + +int aarch64_syscall_resolve_name(const char *name); +const char *aarch64_syscall_resolve_num(int num); + +#endif diff --git a/src/arch.c b/src/arch.c index 2d2644d..3af4832 100644 --- a/src/arch.c +++ b/src/arch.c @@ -35,6 +35,7 @@ #include "arch-x32.h" #include "arch-arm.h" #include "arch-mips.h" +#include "arch-aarch64.h" #include "system.h" #if __i386__ @@ -51,6 +52,8 @@ const struct arch_def *arch_def_native = &arch_def_arm; const struct arch_def *arch_def_native = &arch_def_mips; #elif __MIPSEL__ const struct arch_def *arch_def_native = &arch_def_mipsel; +#elif __aarch64__ +const struct arch_def *arch_def_native = &arch_def_aarch64; #else #error the arch code needs to know about your machine type #endif /* machine type guess */ diff --git a/tests/16-sim-arch_basic.c b/tests/16-sim-arch_basic.c index 8e54c0a..6819d52 100644 --- a/tests/16-sim-arch_basic.c +++ b/tests/16-sim-arch_basic.c @@ -59,6 +59,9 @@ int main(int argc, char *argv[]) rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); if (rc != 0) goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); + if (rc != 0) + goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); diff --git a/tests/23-sim-arch_all_le_basic.c b/tests/23-sim-arch_all_le_basic.c index 1035d1d..25938e7 100644 --- a/tests/23-sim-arch_all_le_basic.c +++ b/tests/23-sim-arch_all_le_basic.c @@ -59,6 +59,9 @@ int main(int argc, char *argv[]) rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel")); if (rc != 0) goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("aarch64")); + if (rc != 0) + goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); diff --git a/tools/scmp_arch_detect.c b/tools/scmp_arch_detect.c index 02d291b..f914e98 100644 --- a/tools/scmp_arch_detect.c +++ b/tools/scmp_arch_detect.c @@ -84,6 +84,9 @@ int main(int argc, char *argv[]) case SCMP_ARCH_MIPSEL: printf("mipsel\n"); break; + case SCMP_ARCH_AARCH64: + printf("aarch64\n"); + break; default: printf("unknown\n"); } diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c index e910c64..5e3c4ee 100644 --- a/tools/scmp_bpf_sim.c +++ b/tools/scmp_bpf_sim.c @@ -36,6 +36,11 @@ #define BPF_PRG_MAX_LEN 4096 +/* AArch64 support for audit is still not in mainline */ +#ifndef AUDIT_ARCH_AARCH64 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + /** * BPF simulator machine state */ @@ -239,6 +244,8 @@ int main(int argc, char *argv[]) arch = AUDIT_ARCH_MIPS; else if (strcmp(optarg, "mipsel") == 0) arch = AUDIT_ARCH_MIPSEL; + else if (strcmp(optarg, "aarch64") == 0) + sys_data.arch = AUDIT_ARCH_AARCH64; else exit_fault(EINVAL); break; -- 2.0.0 ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
