Merge branch 'seccomp:main' into main
aledbf authored Apr 29, 2024
2 parents 6966428 + 9c91e1e commit 7615711
Showing 6 changed files with 42 additions and 68 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
strategy:
fail-fast: false
matrix:
go-version: [1.16.x, 1.17.x, 1.18.x]
go-version: [1.19.x, 1.20.x]
libseccomp: ["v2.3.3", "v2.4.3", "v2.5.4", "HEAD"]

steps:
2 changes: 1 addition & 1 deletion .github/workflows/validate.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
sudo apt -q install libseccomp-dev
- uses: golangci/golangci-lint-action@v3
with:
version: v1.45
version: v1.51

codespell:
runs-on: ubuntu-20.04
2 changes: 1 addition & 1 deletion go.mod
@@ -1,3 +1,3 @@
module github.com/seccomp/libseccomp-golang

go 1.14
go 1.19
62 changes: 29 additions & 33 deletions seccomp.go
Expand Up @@ -33,8 +33,9 @@ type VersionError struct {

func init() {
// This forces the cgo libseccomp to initialize its internal API support state,
// which is necessary on older versions of libseccomp in order to work
// which is necessary on older versions of libseccomp (< 2.5.0) in order to work
// correctly.
// TODO: remove once libseccomp < v2.5.0 is not supported.
_, _ = getAPI()
}

Expand Down Expand Up @@ -78,49 +79,44 @@ type ScmpSyscall int32
type ScmpFd int32

// ScmpNotifData describes the system call context that triggered a notification.
//
// Syscall: the syscall number
// Arch: the filter architecture
// InstrPointer: address of the instruction that triggered a notification
// Args: arguments (up to 6) for the syscall
//
type ScmpNotifData struct {
Syscall ScmpSyscall `json:"syscall,omitempty"`
Arch ScmpArch `json:"arch,omitempty"`
InstrPointer uint64 `json:"instr_pointer,omitempty"`
Args []uint64 `json:"args,omitempty"`
// Syscall is the syscall number.
Syscall ScmpSyscall `json:"syscall,omitempty"`
// Arch is the filter architecture.
Arch ScmpArch `json:"arch,omitempty"`
// InstrPointer is the address of the instruction that triggered a notification.
InstrPointer uint64 `json:"instr_pointer,omitempty"`
// Args are the arguments (up to 6) for the syscall.
Args []uint64 `json:"args,omitempty"`
}

// ScmpNotifReq represents a seccomp userspace notification. See NotifReceive() for
// info on how to pull such a notification.
//
// ID: notification ID
// Pid: process that triggered the notification event
// Flags: filter flags (see seccomp(2))
// Data: system call context that triggered the notification
//
type ScmpNotifReq struct {
ID uint64 `json:"id,omitempty"`
Pid uint32 `json:"pid,omitempty"`
Flags uint32 `json:"flags,omitempty"`
Data ScmpNotifData `json:"data,omitempty"`
// ID is the notification ID.
ID uint64 `json:"id,omitempty"`
// Pid is the process that triggered the notification event.
Pid uint32 `json:"pid,omitempty"`
// Flags is filter flags (see seccomp(2)).
Flags uint32 `json:"flags,omitempty"`
// Data is system call context that triggered the notification.
Data ScmpNotifData `json:"data,omitempty"`
}

// ScmpNotifResp represents a seccomp userspace notification response. See NotifRespond()
// for info on how to push such a response.
//
// ID: notification ID (must match the corresponding ScmpNotifReq ID)
// Error: must be 0 if no error occurred, or an error constant from package
// syscall (e.g., syscall.EPERM, etc). In the latter case, it's used
// as an error return from the syscall that created the notification.
// Val: return value for the syscall that created the notification. Only
// relevant if Error is 0.
// Flags: userspace notification response flag (e.g., NotifRespFlagContinue)
//
type ScmpNotifResp struct {
ID uint64 `json:"id,omitempty"`
Error int32 `json:"error,omitempty"`
Val uint64 `json:"val,omitempty"`
// ID is the notification ID (must match the corresponding ScmpNotifReq ID).
ID uint64 `json:"id,omitempty"`
// Error must be 0 if no error occurred, or an error constant from
// package syscall (e.g., syscall.EPERM, etc). In the latter case, it
// is used as an error return from the syscall that created the
// notification.
Error int32 `json:"error,omitempty"`
// Val is a return value for the syscall that created the notification.
// Only relevant if Error is 0.
Val uint64 `json:"val,omitempty"`
// Flags is userspace notification response flag (e.g., NotifRespFlagContinue).
Flags uint32 `json:"flags,omitempty"`
}
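Review bot: The new field comments on ScmpNotifReq.Flags and ScmpNotifResp.Flags read awkwardly (`// Flags is filter flags (see seccomp(2)).` and `// Flags is userspace notification response flag (e.g., NotifRespFlagContinue).`); for a plural field the doc comment usually says what it holds, e.g. `// Flags holds the filter flags (see seccomp(2)).` and `// Flags holds the userspace notification response flags (e.g., NotifRespFlagContinue).`. Because NotifRespFlagContinue asks the kernel to run the intercepted syscall instead of returning Error/Val, the ScmpNotifResp.Flags comment is also the natural place to point readers at the caveats for that flag in seccomp_unotify(2), where the supervisor's view of the syscall arguments is not guaranteed to match what the kernel later uses. The same wording issue applies to `// Data is system call context that triggered the notification.` (`// Data is the system call context ...`).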

21 changes: 0 additions & 21 deletions seccomp_internal.go
Expand Up @@ -145,11 +145,6 @@ const int C_CMP_GE = (int)SCMP_CMP_GE;
const int C_CMP_GT = (int)SCMP_CMP_GT;
const int C_CMP_MASKED_EQ = (int)SCMP_CMP_MASKED_EQ;
const int C_VERSION_MAJOR = SCMP_VER_MAJOR;
const int C_VERSION_MINOR = SCMP_VER_MINOR;
const int C_VERSION_MICRO = SCMP_VER_MICRO;
#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 3
unsigned int get_major_version()
{
return seccomp_version()->major;
Expand All @@ -164,22 +159,6 @@ unsigned int get_micro_version()
{
return seccomp_version()->micro;
}
#else
unsigned int get_major_version()
{
return (unsigned int)C_VERSION_MAJOR;
}
unsigned int get_minor_version()
{
return (unsigned int)C_VERSION_MINOR;
}
unsigned int get_micro_version()
{
return (unsigned int)C_VERSION_MICRO;
}
#endif
// The libseccomp API level functions were added in v2.4.0
#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4
21 changes: 10 additions & 11 deletions seccomp_test.go
Expand Up @@ -590,9 +590,14 @@ func subprocessRuleAddAndLoad(t *testing.T) {
}
defer filter1.Release()

call, err := GetSyscallFromName("getpid")
const expErr = syscall.ENOSPC // Can be anything not usually returned by listen(2).
call, err := GetSyscallFromName("listen")
if err != nil {
t.Errorf("Error getting syscall number of getpid: %s", err)
t.Errorf("Error getting syscall number of listen: %s", err)
}
err = filter1.AddRule(call, ActErrno.SetReturnCode(int16(expErr)))
if err != nil {
t.Errorf("Error adding rule to restrict syscall: %s", err)
}

call2, err := GetSyscallFromName("setreuid")
Expand All @@ -608,11 +613,6 @@ func subprocessRuleAddAndLoad(t *testing.T) {
uid := syscall.Getuid()
euid := syscall.Geteuid()

err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1))
if err != nil {
t.Errorf("Error adding rule to restrict syscall: %s", err)
}

cond, err := MakeCondition(1, CompareEqual, uint64(euid))
if err != nil {
t.Errorf("Error making rule to restrict syscall: %s", err)
Expand Down Expand Up @@ -640,10 +640,9 @@ func subprocessRuleAddAndLoad(t *testing.T) {
t.Errorf("Error loading filter: %s", err)
}

// Try making a simple syscall, it should error
pid := syscall.Getpid()
if pid != -1 {
t.Errorf("Syscall should have returned error code!")
// Try making a simple syscall which should return an error.
if err := syscall.Listen(0, 0); err != expErr {
t.Errorf("Syscall listen: want %v, got %v", expErr, err)
}

// Try making a Geteuid syscall that should normally succeed
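Review bot: In the first hunk, the `t.Errorf` after `GetSyscallFromName("listen")` lets the test continue with a zero-valued `call`, so the new `filter1.AddRule(call, ActErrno.SetReturnCode(int16(expErr)))` would attach the ENOSPC rule to whatever syscall number zero maps to once the filter is loaded; since this subprocess then exercises real syscalls, `t.Fatalf("Error getting syscall number of listen: %s", err)` is the safer choice there (the existing `setreuid` lookup just below has the same pattern). The final check `if err := syscall.Listen(0, 0); err != expErr` compares the error interface directly against a syscall.Errno, which works here because the value comes back unwrapped; `errors.Is(err, expErr)` states the same intent without depending on that. subprocessRuleAddAndLoad begins and ends outside the visible hunks.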
