Bug#996025: bullseye-pu: package libseccomp/2.5.1-1+deb11u1

2021-12-05 Thread Felix Geyer

On 03.12.21 17:40, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2021-11-25 at 19:29 +0100, Felix Geyer wrote:
> > On Sun, 10 Oct 2021 14:34:30 +0200 Felix Geyer 
> > wrote:
> > > libseccomp 2.5.1 only knows about syscalls up to Linux 5.8.
> > > The proposed changes add the syscalls up to Linux 5.14.
> > 
> [...]
> > I've updated the debdiff to include two more cherry-picked patches
> > that add
> > new syscalls from Linux 5.15 and missing syscall defines.
> 
> Please go ahead.

Uploaded, thanks!

Felix



Bug#996025: bullseye-pu: package libseccomp/2.5.1-1+deb11u1

2021-12-03 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2021-11-25 at 19:29 +0100, Felix Geyer wrote:
> On Sun, 10 Oct 2021 14:34:30 +0200 Felix Geyer 
> wrote:
> > libseccomp 2.5.1 only knows about syscalls up to Linux 5.8.
> > The proposed changes add the syscalls up to Linux 5.14.
> 
[...]
> I've updated the debdiff to include two more cherry-picked patches
> that add
> new syscalls from Linux 5.15 and missing syscall defines.
> 

Please go ahead.

Regards,

Adam



Bug#996025: bullseye-pu: package libseccomp/2.5.1-1+deb11u1

2021-11-25 Thread Felix Geyer


On Sun, 10 Oct 2021 14:34:30 +0200 Felix Geyer  wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> libseccomp 2.5.1 only knows about syscalls up to Linux 5.8.
> The proposed changes add the syscalls up to Linux 5.14.
> 
> [ Impact ]
> Syscalls for Linux 5.9 and 5.10 can't be allowed.
> 
> Software built with support for newer kernels (often the case in containers)
> expects newer syscalls to work or return ENOSYS.
> If that syscall is not supported by libseccomp and a default filter action of
> returning EPERM is used, such software will break.
> Therefore you often need to be able to allow a syscall even when the running
> kernel doesn't support it.
> 
> [ Tests ]
> * autopkgtest passes on amd64
> * Verified adding a filter for the close_range() syscall works (new in 5.9)
> * Verified that systemd and Docker run
> 
> [ Risks ]
> The changes only extend the syscall csv table and add new syscall defines.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Cherry-pick upstream commits to support syscalls up to Linux 5.14.

I've updated the debdiff to include two more cherry-picked patches that add
new syscalls from Linux 5.15 and missing syscall defines.

Felix

diff -Nru libseccomp-2.5.1/debian/changelog libseccomp-2.5.1/debian/changelog
--- libseccomp-2.5.1/debian/changelog   2020-12-21 10:50:30.0 +0100
+++ libseccomp-2.5.1/debian/changelog   2021-11-25 19:18:20.0 +0100
@@ -1,3 +1,9 @@
+libseccomp (2.5.1-1+deb11u1) bullseye; urgency=medium
+
+  * Add support for syscalls up to Linux 5.15.
+
+ -- Felix Geyer   Thu, 25 Nov 2021 19:18:20 +0100
+
 libseccomp (2.5.1-1) unstable; urgency=medium
 
   * New upstream release.
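Review bot: the changelog entry only says "Add support for syscalls up to Linux 5.15", but the api_update_seccomp-syscalls.h patch in this same debdiff also deletes the `__SNR_oldwait4` block from the installed `seccomp-syscalls.h` header; a stable update that removes a public define deserves its own bullet, so that anyone whose build breaks on `__SNR_oldwait4` after the point release finds the reason in `apt changelog` rather than in the patch directory.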
diff -Nru libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch 
libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch
--- libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch 
1970-01-01 01:00:00.0 +0100
+++ libseccomp-2.5.1/debian/patches/api_update_seccomp-syscalls.h.patch 
2021-11-24 19:09:09.0 +0100
@@ -0,0 +1,104 @@
+From 8379ee877612f027f75592c8de5bf7969aa7fb51 Mon Sep 17 00:00:00 2001
+From: Paul Moore 
+Date: Wed, 27 Oct 2021 15:39:17 -0400
+Subject: [PATCH] api: update seccomp-syscalls.h
+
+It appears that the seccomp-syscalls.h header file had gotten out of
+sync with the syscalls.csv syscall table, this patch fixes this
+disconnect.
+
+The only edit that is somewhat interesting is that the oldwait4(2)
+syscall probably never should have been included in the header file
+as it appears to no longer exist (?).
+
+Reported-by: Mike Frysinger 
+Acked-by: Tom Hromatka 
+Signed-off-by: Paul Moore 
+
+(imported from commit 3f47bba7c5c8cc18be80e625eedb2c1823233708)
+---
+ include/seccomp-syscalls.h | 22 --
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 7075f3f6..4baa307a 100644
+--- a/include/seccomp-syscalls.h
 b/include/seccomp-syscalls.h
+@@ -537,6 +537,8 @@
+ 
+ #define __SNR_epoll_pwait __NR_epoll_pwait
+ 
++#define __SNR_epoll_pwait2__NR_epoll_pwait2
++
+ #ifdef __NR_epoll_wait
+ #define __SNR_epoll_wait  __NR_epoll_wait
+ #else
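Review bot: `__SNR_epoll_pwait2` expands to `__NR_epoll_pwait2` unconditionally, while the neighbouring `__NR_epoll_wait` entry keeps the `#ifdef __NR_x / #else __PNR_x / #endif` fallback; the same unconditional form is used for the landlock_*, mount_setattr, openat2, pidfd_getfd and process_madvise defines later in this patch. On a build host whose kernel headers predate those syscalls, any program that names `__SNR_epoll_pwait2` will fail with an undefined identifier, which is a different failure from the runtime one this update is meant to fix. If this follows the upstream convention for syscalls present in every arch column of the table, a sentence saying so in the patch header would pre-empt the question; otherwise a `__PNR_` fallback matching the surrounding entries would be the safer choice for a point release.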
+@@ -1007,6 +1009,10 @@
+ 
+ #define __SNR_kill__NR_kill
+ 
++#define __SNR_landlock_add_rule   __NR_landlock_add_rule
++#define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
++#define __SNR_landlock_restrict_self  __NR_landlock_restrict_self
++
+ #ifdef __NR_lchown
+ #define __SNR_lchown  __NR_lchown
+ #else
+@@ -1141,6 +1147,8 @@
+ 
+ #define __SNR_mount   __NR_mount
+ 
++#define __SNR_mount_setattr   __NR_mount_setattr
++
+ #ifdef __NR_move_mount
+ #define __SNR_move_mount  __NR_move_mount
+ #else
+@@ -1277,12 +1285,6 @@
+ #define __SNR_olduname__PNR_olduname
+ #endif
+ 
+-#ifdef __NR_oldwait4
+-#define __SNR_oldwait4__NR_oldwait4
+-#else
+-#define __SNR_oldwait4__PNR_oldwait4
+-#endif
+-
+ #ifdef __NR_open
+ #define __SNR_open__NR_open
+ #else
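Review bot: dropping the `#ifdef __NR_oldwait4 ... #endif` block is an API removal from an installed header, and the commit message itself only says the syscall "appears to no longer exist (?)". For a stable point release it would be safer to leave this hunk out of the cherry-pick, or at least to confirm that no package in bullseye references `__SNR_oldwait4`, so that a syscall-table update cannot turn into a build failure for a reverse dependency.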
+@@ -1299,6 +1301,8 @@
+ 
+ #define __SNR_openat  __NR_openat
+ 
++#define __SNR_openat2 __NR_openat2
++
+ #ifdef __NR_pause
+ #define __SNR_pause   __NR_pause
+ #else
+@@ -1327,6 +1331,8 @@
+ 
+ #define __SNR_personality __NR_personality
+ 
++#define __SNR_pidfd_getfd __NR_pidfd_getfd
++
+ #ifdef __NR_pidfd_open
+ #define __SNR_pidfd_open  __NR_pidfd_open
+ #else
+@@ -1395,6 +1401,8 @@
+ 
+ #define __SNR_prlimit64   __NR_prlimit64
+ 
++#define __SNR_process_madvise __NR_proc
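Review bot: the debdiff as posted stops mid-line at `+#define __SNR_process_madvise __NR_proc`, so the remainder of this patch and the `debian/patches/series` change that appends `api_update_seccomp-syscalls.h.patch` after the three entries from the first debdiff are not visible and could not be checked here; please repost the complete diff, since the `@@ -537,6 +537,8 @@` offsets only make sense if this patch is applied after the close_range and v5.14-rc7 table patches.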

Bug#996025: bullseye-pu: package libseccomp/2.5.1-1+deb11u1

2021-10-10 Thread Felix Geyer

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
libseccomp 2.5.1 only knows about syscalls up to Linux 5.8.
The proposed changes add the syscalls up to Linux 5.14.

[ Impact ]
Syscalls for Linux 5.9 and 5.10 can't be allowed.

Software built with support for newer kernels (often the case in containers)
expects newer syscalls to work or return ENOSYS.
If that syscall is not supported by libseccomp and a default filter action of
returning EPERM is used, such software will break.
Therefore you often need to be able to allow a syscall even when the running
kernel doesn't support it.

[ Tests ]
* autopkgtest passes on amd64
* Verified adding a filter for the close_range() syscall works (new in 5.9)
* Verified that systemd and Docker run

[ Risks ]
The changes only extend the syscall csv table and add new syscall defines.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream commits to support syscalls up to Linux 5.14.

diff -Nru libseccomp-2.5.1/debian/changelog libseccomp-2.5.1/debian/changelog
--- libseccomp-2.5.1/debian/changelog   2020-12-21 10:50:30.0 +0100
+++ libseccomp-2.5.1/debian/changelog   2021-10-10 13:35:59.0 +0200
@@ -1,3 +1,9 @@
+libseccomp (2.5.1-1+deb11u1) bullseye; urgency=medium
+
+  * Add support for syscalls up to Linux 5.14.
+
+ -- Felix Geyer   Sun, 10 Oct 2021 13:35:59 +0200
+
 libseccomp (2.5.1-1) unstable; urgency=medium
 
   * New upstream release.
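Review bot: the single bullet "Add support for syscalls up to Linux 5.14" does not say which upstream release-2.5 commits were cherry-picked; naming them (`c56a00fe` and `ac849e79` are visible in the patch headers below, the v5.14-rc7 one is not) would let the release team match the three patches in `series` against upstream without opening each file.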
diff -Nru libseccomp-2.5.1/debian/patches/series 
libseccomp-2.5.1/debian/patches/series
--- libseccomp-2.5.1/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ libseccomp-2.5.1/debian/patches/series  2021-10-10 13:05:00.0 
+0200
@@ -0,0 +1,3 @@
+syscalls_update_the_syscall_table_to_v5.12-rc7.patch
+syscalls_add_close_range_syscall.patch
+syscalls_update_to_Linux_v5.14-rc7.patch
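Review bot: the order of these three entries is load-bearing: the v5.12-rc7 patch leaves `include/seccomp-syscalls.h` at blob `7b69214c` and the close_range patch applies on top of exactly that blob (`index 7b69214c..1ca500be`), so swapping the lines would make the second patch fail to apply cleanly. A short comment at the top of `series` (quilt ignores lines starting with `#`) would protect the next uploader from reordering them.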
diff -Nru 
libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch 
libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch
--- libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch  
1970-01-01 01:00:00.0 +0100
+++ libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch  
2021-10-10 13:05:00.0 +0200
@@ -0,0 +1,30 @@
+From ac849e7960547d418009a783da654d5917dbfe2d Mon Sep 17 00:00:00 2001
+From: Sascha Grunert 
+Date: Fri, 16 Jul 2021 12:13:36 +0200
+Subject: [PATCH] syscalls: add close_range() syscall
+
+The syscall has been added a while ago so we should support resolving
+it, too.
+
+Signed-off-by: Sascha Grunert 
+Reviewed-by: Tom Hromatka 
+[PM: subject line tweak]
+Signed-off-by: Paul Moore 
+(imported from commit 01e5750e7c84bb14e5a5410c924bed519209db06)
+---
+ include/seccomp-syscalls.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 7b69214c..1ca500be 100644
+--- a/include/seccomp-syscalls.h
 b/include/seccomp-syscalls.h
+@@ -476,6 +476,8 @@
+ 
+ #define __SNR_close   __NR_close
+ 
++#define __SNR_close_range __NR_close_range
++
+ #ifdef __NR_connect
+ #define __SNR_connect __NR_connect
+ #else
diff -Nru 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
--- 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
1970-01-01 01:00:00.0 +0100
+++ 
libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
2021-10-10 13:05:00.0 +0200
@@ -0,0 +1,73 @@
+From c56a00fe173a7dd5a8326431ae28863ce432bbc1 Mon Sep 17 00:00:00 2001
+From: Paul Moore 
+Date: Sat, 17 Apr 2021 16:30:48 -0400
+Subject: [PATCH] syscalls: update the syscall table to v5.12-rc7
+
+Due to additional ABIs in main we can't do a simple backport or copy
+of the syscall table so we are generating it directly in the
+release-2.5 branch.
+
+This patch also fixes the missing faccessat2() #defines in the
+seccomp-syscalls.h header file.
+
+Signed-off-by: Paul Moore 
+---
+ include/seccomp-syscalls.h | 2 ++
+ src/syscalls.csv   | 6 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 2a4ebd3d..7b69214c 100644
+--- a/include/seccomp-syscalls.h
 b/include/seccomp-syscalls.h
+@@ -564,6 +564,8 @@
+ 
+ #define __SNR_faccessat   __NR_faccessat
+ 
++#define __SNR_faccessat2  __NR_faccessat2
++
+ #ifdef __NR_fadvise64
+ #define __SNR_fadvise64   __NR_fadvise64
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index 11d087a6..4c82869
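Review bot: the `src/syscalls.csv` part of this patch is cut off right after its index line, so the 6 csv line changes the diffstat announces, which is the part the [ Risks ] section describes as "only extend the syscall csv table", are not visible here and could not be reviewed; only the `__SNR_faccessat2` header define can be checked from this excerpt.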
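The [ Impact ] section of the report above describes the failure mode: a program built against newer headers calls a syscall, libseccomp's table is too old to resolve the name, the allow rule never gets added, and the filter's default EPERM reaches software that would have coped with ENOSYS. The Python script below is an added example written for this page, not code from the bug report, from Debian or from libseccomp. It models libseccomp's src/syscalls.csv lookup on constructed table excerpts (the v5.8 and v5.14 labels, the column subset and the rows are assumptions for the example), shows what one allowlist resolves to against each table and what the caller then sees under an EPERM versus an ENOSYS default action, and finishes with the practitioner check against the installed library itself: libseccomp's real seccomp_syscall_resolve_name() entry point, called through ctypes, which returns -1 (__NR_SCMP_ERROR) for a name the installed table does not know.

```python
"""Added example, not code from the bug report or from libseccomp."""
import ctypes
import ctypes.util
import errno
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpts in the shape of libseccomp's src/syscalls.csv: a comment
# header naming the kernel version, one column per arch, PNR where the arch has
# no such syscall. Column subset and rows are assumptions for this example.
TABLE_V5_8 = """\
#syscall (v5.8.0),x86,x86_64,x32,arm,aarch64
close,6,3,3,6,57
epoll_wait,256,232,232,252,PNR
openat,295,257,257,322,56
pidfd_open,434,434,434,434,434
"""
TABLE_V5_14 = TABLE_V5_8.replace("v5.8.0", "v5.14.0") + """\
close_range,436,436,436,436,436
openat2,437,437,437,437,437
pidfd_getfd,438,438,438,438,438
faccessat2,439,439,439,439,439
epoll_pwait2,441,441,441,441,441
landlock_add_rule,445,445,445,445,445
"""


class SyscallTable:
    """{name: {arch: number or None}} parsed from a syscalls.csv-style text."""

    def __init__(self, csv_text: str) -> None:
        lines = [ln for ln in csv_text.splitlines() if ln.strip()]
        header = lines[0].lstrip("#").split(",")
        self.version, self.arches = header[0], header[1:]
        self.rows: Dict[str, Dict[str, Optional[int]]] = {}
        for ln in lines[1:]:
            name, *cells = ln.split(",")
            if len(cells) != len(self.arches):
                raise ValueError(f"malformed row for {name!r}")
            self.rows[name] = {arch: (None if cell == "PNR" else int(cell))
                               for arch, cell in zip(self.arches, cells)}

    def resolve(self, name: str, arch: str) -> Optional[int]:
        """KeyError: table too old to know the name (what this bug fixes).
        None: known name, but absent on this arch (libseccomp's __PNR_ case)."""
        return self.rows[name][arch]


def build_allowlist(table: SyscallTable, arch: str,
                    names: List[str]) -> Tuple[Set[int], List[str]]:
    """Resolve an allowlist; unresolvable names come back separately, since
    seccomp_rule_add() has nothing to add for them and the filter simply
    lacks that rule."""
    numbers: Set[int] = set()
    unresolvable: List[str] = []
    for name in names:
        try:
            nr = table.resolve(name, arch)
        except KeyError:
            unresolvable.append(name)
            continue
        if nr is not None:  # PNR: nothing to allow on this arch
            numbers.add(nr)
    return numbers, unresolvable


def outcome(allowed: Set[int], nr: int, default_errno: int) -> str:
    """What a caller of syscall `nr` sees under SCMP_ACT_ERRNO(default_errno)."""
    return "allowed" if nr in allowed else errno.errorcode[default_errno]


def demo(arch: str = "x86_64") -> Dict[str, Dict[str, object]]:
    """One policy and one caller built against 5.9+ headers that invokes
    close_range(), evaluated against both table generations. Such callers
    fall back on ENOSYS but treat EPERM as a hard error."""
    policy = ["close", "openat", "close_range"]
    nr_close_range = SyscallTable(TABLE_V5_14).resolve("close_range", arch)
    results: Dict[str, Dict[str, object]] = {}
    for label, text in (("v5.8", TABLE_V5_8), ("v5.14", TABLE_V5_14)):
        allowed, unresolvable = build_allowlist(SyscallTable(text), arch, policy)
        results[label] = {
            "unresolvable": unresolvable,
            "EPERM_default": outcome(allowed, nr_close_range, errno.EPERM),
            "ENOSYS_default": outcome(allowed, nr_close_range, errno.ENOSYS),
        }
    return results


def installed_libseccomp_resolves(name: str) -> Optional[int]:
    """The practitioner check: ask the installed libseccomp.so.2 what number it
    gives `name` on the native arch via seccomp_syscall_resolve_name(), which
    returns __NR_SCMP_ERROR (-1) for unknown names. None if the library is
    not installed on this host."""
    try:
        lib = ctypes.CDLL(ctypes.util.find_library("seccomp") or "libseccomp.so.2")
    except OSError:
        return None
    fn = lib.seccomp_syscall_resolve_name
    fn.restype, fn.argtypes = ctypes.c_int, [ctypes.c_char_p]
    return fn(name.encode())
```

On a bullseye host with libseccomp2 2.5.1-1, installed_libseccomp_resolves("close_range") returns -1; with 2.5.1-1+deb11u1 it returns 436 on amd64. The table model needs nothing beyond the standard library, so demo() runs anywhere; the ctypes check returns None where libseccomp.so.2 is absent instead of failing.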