Package: libseccomp
Version: 2.2.1-1
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  - add autopkgtests

Thanks for considering the patch.


-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-20-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libseccomp-2.2.1/debian/changelog libseccomp-2.2.1/debian/changelog
diff -Nru libseccomp-2.2.1/debian/control libseccomp-2.2.1/debian/control
--- libseccomp-2.2.1/debian/control	2015-05-17 12:05:40.000000000 -0500
+++ libseccomp-2.2.1/debian/control	2015-06-12 15:59:10.000000000 -0500
@@ -5,6 +5,7 @@
 Build-Depends: debhelper (>= 9), dh-autoreconf, linux-libc-dev
 Standards-Version: 3.9.6
 Homepage: https://sourceforge.net/projects/libseccomp/
+XS-Testsuite: autopkgtest
 
 Package: libseccomp-dev
 Section: libdevel
diff -Nru libseccomp-2.2.1/debian/tests/control libseccomp-2.2.1/debian/tests/control
--- libseccomp-2.2.1/debian/tests/control	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/control	2015-05-04 15:21:11.000000000 -0500
@@ -0,0 +1,3 @@
+Tests: test-filter test-scmp_sys_resolver
+Restrictions: allow-stderr
+Depends: @, build-essential, linux-libc-dev
diff -Nru libseccomp-2.2.1/debian/tests/data/all-3.19.filter libseccomp-2.2.1/debian/tests/data/all-3.19.filter
--- libseccomp-2.2.1/debian/tests/data/all-3.19.filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/data/all-3.19.filter	2015-05-01 13:04:43.000000000 -0500
@@ -0,0 +1,414 @@
+# all syscalls from 3.19
+syscalls:
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+afs_syscall
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bdflush
+bind
+bpf
+break
+breakpoint
+brk
+cacheflush
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_getres
+clock_gettime
+clock_nanosleep
+clock_settime
+clone
+close
+connect
+creat
+create_module
+delete_module
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fremovexattr
+fsetxattr
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futimesat
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+get_kernel_syms
+get_mempolicy
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+get_robust_list
+getrusage
+getsid
+getsockname
+getsockopt
+get_thread_area
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+gtty
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+ioctl
+io_destroy
+io_getevents
+ioperm
+iopl
+ioprio_get
+ioprio_set
+io_setup
+io_submit
+ipc
+kcmp
+kexec_file_load
+kexec_load
+keyctl
+kill
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+_llseek
+lock
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+memfd_create
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+move_pages
+mprotect
+mpx
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedsend
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+multiplexer
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+_newselect
+nfsservctl
+nice
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+open
+openat
+open_by_handle_at
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+personality
+pipe
+pipe2
+pivot_root
+poll
+ppoll
+prctl
+pread64
+preadv
+prlimit64
+process_vm_readv
+process_vm_writev
+prof
+profil
+pselect6
+ptrace
+putpmsg
+pwrite64
+pwritev
+query_module
+quotactl
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+rmdir
+rtas
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_tgsigqueueinfo
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_get_priority_max
+sched_get_priority_min
+sched_getscheduler
+sched_rr_get_interval
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+security
+select
+semctl
+semget
+semop
+semtimedop
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethostname
+setitimer
+set_mempolicy
+setns
+setpgid
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+set_robust_list
+setsid
+setsockopt
+set_thread_area
+set_tid_address
+settimeofday
+set_tls
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+spu_create
+spu_run
+ssetmask
+stat
+stat64
+statfs
+statfs64
+stime
+stty
+subpage_prot
+swapcontext
+swapoff
+swapon
+switch_endian
+symlink
+symlinkat
+sync
+sync_file_range
+sync_file_range2
+syncfs
+syscall
+_sysctl
+sys_debug_setcontext
+sysfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timerfd_create
+timerfd_gettime
+timerfd_settime
+timer_getoverrun
+timer_gettime
+timer_settime
+times
+tkill
+truncate
+truncate64
+tuxcall
+ugetrlimit
+ulimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+usr26
+usr32
+ustat
+utime
+utimensat
+utimes
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+vserver
+wait4
+waitid
+waitpid
+write
+writev
diff -Nru libseccomp-2.2.1/debian/tests/data/getrandom.fail_filter libseccomp-2.2.1/debian/tests/data/getrandom.fail_filter
--- libseccomp-2.2.1/debian/tests/data/getrandom.fail_filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/data/getrandom.fail_filter	2015-05-04 15:12:18.000000000 -0500
@@ -0,0 +1,293 @@
+# 'safe' syscalls as allowed by snappy, but missing 'open'
+accept
+accept4
+access
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bind
+breakpoint
+brk
+cacheflush
+capget
+chdir
+chmod
+clock_getres
+clock_gettime
+clock_nanosleep
+clone
+close
+connect
+creat
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+fadvise64
+fadvise64_64
+fallocate
+fchdir
+fchmod
+fchmodat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+flistxattr
+flock
+fork
+fremovexattr
+fsetxattr
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fstatvfs
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futimesat
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+get_mempolicy
+getpeername
+getpgid
+getpgrp
+getpid
+getppid
+getpriority
+# omit this to cause failures
+# getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+get_robust_list
+getrusage
+getsid
+getsockname
+getsockopt
+get_thread_area
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+ioctl
+io_destroy
+io_getevents
+ioprio_get
+io_setup
+io_submit
+ipc
+kill
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+llseek
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+mincore
+mkdir
+mkdirat
+mlock
+mlockall
+mmap
+mmap2
+mprotect
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+nanosleep
+newfstatat
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+oldwait4
+open
+openat
+pause
+pipe
+pipe2
+poll
+ppoll
+prctl
+pread
+pread64
+preadv
+prlimit64
+pselect
+pselect6
+pwrite
+pwrite64
+pwritev
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+recv
+recvfrom
+recvmmsg
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+restart_syscall
+rmdir
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_tgsigqueueinfo
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_get_priority_max
+sched_get_priority_min
+sched_getscheduler
+sched_rr_get_interval
+sched_setscheduler
+sched_yield
+select
+semctl
+semget
+semop
+semtimedop
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+setitimer
+set_mempolicy
+setrlimit
+set_robust_list
+setsid
+setsockopt
+set_thread_area
+set_tid_address
+set_tls
+setxattr
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+sigtimedwait
+sigwaitinfo
+socket
+socketpair
+splice
+stat
+stat64
+statfs
+statfs64
+statvfs
+symlink
+symlinkat
+sync
+sync_file_range
+sync_file_range2
+syncfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timerfd_create
+timerfd_gettime
+timerfd_settime
+timer_getoverrun
+timer_gettime
+timer_settime
+times
+tkill
+truncate
+truncate64
+ugetrlimit
+umask
+uname
+unlink
+unlinkat
+usr26
+usr32
+ustat
+utime
+utimensat
+utimes
+vfork
+vmsplice
+wait4
+waitid
+waitpid
+write
+writev
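Review bot: The header comment of getrandom.fail_filter says the list is "missing 'open'", but `open` is present further down and the entry actually commented out is `getrandom`. The first line looks copied from open.fail_filter and should read `# 'safe' syscalls as allowed by snappy, but missing 'getrandom'`. A reader auditing which syscall each negative test denies would otherwise be misled.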
diff -Nru libseccomp-2.2.1/debian/tests/data/getrandom.filter libseccomp-2.2.1/debian/tests/data/getrandom.filter
--- libseccomp-2.2.1/debian/tests/data/getrandom.filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/data/getrandom.filter	2015-05-04 15:18:08.000000000 -0500
@@ -0,0 +1,294 @@
+accept
+accept4
+access
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bind
+breakpoint
+brk
+cacheflush
+capget
+chdir
+chmod
+clock_getres
+clock_gettime
+clock_nanosleep
+clone
+close
+connect
+creat
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+_exit
+exit_group
+faccessat
+fadvise64
+fadvise64_64
+fallocate
+fchdir
+fchmod
+fchmodat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+flistxattr
+flock
+fork
+fremovexattr
+fsetxattr
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fstatvfs
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futimesat
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+get_mempolicy
+getpeername
+getpgid
+getpgrp
+getpid
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+get_robust_list
+getrusage
+getsid
+getsockname
+getsockopt
+get_thread_area
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+ioctl
+io_destroy
+io_getevents
+ioprio_get
+io_setup
+io_submit
+ipc
+kill
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+llseek
+_llseek
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+mincore
+mkdir
+mkdirat
+mlock
+mlockall
+mmap
+mmap2
+mprotect
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+nanosleep
+newfstatat
+_newselect
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+oldwait4
+open
+openat
+pause
+pipe
+pipe2
+poll
+ppoll
+prctl
+pread
+pread64
+preadv
+prlimit64
+pselect
+pselect6
+pwrite
+pwrite64
+pwritev
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+recv
+recvfrom
+recvmmsg
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+restart_syscall
+rmdir
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_tgsigqueueinfo
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_get_priority_max
+sched_get_priority_min
+sched_getscheduler
+sched_rr_get_interval
+sched_setscheduler
+sched_yield
+select
+semctl
+semget
+semop
+semtimedop
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+setitimer
+set_mempolicy
+setrlimit
+set_robust_list
+setsid
+setsockopt
+set_thread_area
+set_tid_address
+set_tls
+setxattr
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+sigtimedwait
+sigwaitinfo
+socket
+socketpair
+splice
+stat
+stat64
+statfs
+statfs64
+statvfs
+symlink
+symlinkat
+sync
+sync_file_range
+sync_file_range2
+syncfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timerfd_create
+timerfd_gettime
+timerfd_settime
+timer_getoverrun
+timer_gettime
+timer_settime
+times
+tkill
+truncate
+truncate64
+ugetrlimit
+umask
+uname
+unlink
+unlinkat
+usr26
+usr32
+ustat
+utime
+utimensat
+utimes
+vfork
+vmsplice
+wait4
+waitid
+waitpid
+write
+writev
diff -Nru libseccomp-2.2.1/debian/tests/data/open.fail_filter libseccomp-2.2.1/debian/tests/data/open.fail_filter
--- libseccomp-2.2.1/debian/tests/data/open.fail_filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/data/open.fail_filter	2015-05-01 13:04:43.000000000 -0500
@@ -0,0 +1,293 @@
+# 'safe' syscalls as allowed by snappy, but missing 'open'
+accept
+accept4
+access
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bind
+breakpoint
+brk
+cacheflush
+capget
+chdir
+chmod
+clock_getres
+clock_gettime
+clock_nanosleep
+clone
+close
+connect
+creat
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+fadvise64
+fadvise64_64
+fallocate
+fchdir
+fchmod
+fchmodat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+flistxattr
+flock
+fork
+fremovexattr
+fsetxattr
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fstatvfs
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futimesat
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+get_mempolicy
+getpeername
+getpgid
+getpgrp
+getpid
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+get_robust_list
+getrusage
+getsid
+getsockname
+getsockopt
+get_thread_area
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+ioctl
+io_destroy
+io_getevents
+ioprio_get
+io_setup
+io_submit
+ipc
+kill
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+llseek
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+mincore
+mkdir
+mkdirat
+mlock
+mlockall
+mmap
+mmap2
+mprotect
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+nanosleep
+newfstatat
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+oldwait4
+# omit this for causing failures
+# open
+openat
+pause
+pipe
+pipe2
+poll
+ppoll
+prctl
+pread
+pread64
+preadv
+prlimit64
+pselect
+pselect6
+pwrite
+pwrite64
+pwritev
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+recv
+recvfrom
+recvmmsg
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+restart_syscall
+rmdir
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_tgsigqueueinfo
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_get_priority_max
+sched_get_priority_min
+sched_getscheduler
+sched_rr_get_interval
+sched_setscheduler
+sched_yield
+select
+semctl
+semget
+semop
+semtimedop
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+setitimer
+set_mempolicy
+setrlimit
+set_robust_list
+setsid
+setsockopt
+set_thread_area
+set_tid_address
+set_tls
+setxattr
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+sigtimedwait
+sigwaitinfo
+socket
+socketpair
+splice
+stat
+stat64
+statfs
+statfs64
+statvfs
+symlink
+symlinkat
+sync
+sync_file_range
+sync_file_range2
+syncfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timerfd_create
+timerfd_gettime
+timerfd_settime
+timer_getoverrun
+timer_gettime
+timer_settime
+times
+tkill
+truncate
+truncate64
+ugetrlimit
+umask
+uname
+unlink
+unlinkat
+usr26
+usr32
+ustat
+utime
+utimensat
+utimes
+vfork
+vmsplice
+wait4
+waitid
+waitpid
+write
+writev
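Review bot: This negative filter removes `open` but still allows `openat`, and test-filter runs it against /bin/date, so the expected kill only happens if that binary and its libc issue open(2) rather than openat(2). That presumably held on the build this was written against, but it depends on architecture and libc version. Where file opens go through openat the process would survive and the test would report "FAIL: expected to error". Running a small purpose-built helper that invokes the denied syscall directly, as getrandom.c does with `syscall(SYS_getrandom, ...)`, would make the check deterministic.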
diff -Nru libseccomp-2.2.1/debian/tests/data/safe.filter libseccomp-2.2.1/debian/tests/data/safe.filter
--- libseccomp-2.2.1/debian/tests/data/safe.filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/data/safe.filter	2015-05-01 16:08:52.000000000 -0500
@@ -0,0 +1,294 @@
+accept
+accept4
+access
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bind
+breakpoint
+brk
+cacheflush
+capget
+chdir
+chmod
+clock_getres
+clock_gettime
+clock_nanosleep
+clone
+close
+connect
+creat
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+_exit
+exit_group
+faccessat
+fadvise64
+fadvise64_64
+fallocate
+fchdir
+fchmod
+fchmodat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+flistxattr
+flock
+fork
+fremovexattr
+fsetxattr
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fstatvfs
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futimesat
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+get_mempolicy
+getpeername
+getpgid
+getpgrp
+getpid
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+get_robust_list
+getrusage
+getsid
+getsockname
+getsockopt
+get_thread_area
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+ioctl
+io_destroy
+io_getevents
+ioprio_get
+io_setup
+io_submit
+ipc
+kill
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+llseek
+_llseek
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+mincore
+mkdir
+mkdirat
+mlock
+mlockall
+mmap
+mmap2
+mprotect
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+nanosleep
+newfstatat
+_newselect
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+oldwait4
+open
+openat
+pause
+pipe
+pipe2
+poll
+ppoll
+prctl
+pread
+pread64
+preadv
+prlimit64
+pselect
+pselect6
+pwrite
+pwrite64
+pwritev
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+recv
+recvfrom
+recvmmsg
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+restart_syscall
+rmdir
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_tgsigqueueinfo
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_get_priority_max
+sched_get_priority_min
+sched_getscheduler
+sched_rr_get_interval
+sched_setscheduler
+sched_yield
+select
+semctl
+semget
+semop
+semtimedop
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+setitimer
+set_mempolicy
+setrlimit
+set_robust_list
+setsid
+setsockopt
+set_thread_area
+set_tid_address
+set_tls
+setxattr
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+sigtimedwait
+sigwaitinfo
+socket
+socketpair
+splice
+stat
+stat64
+statfs
+statfs64
+statvfs
+symlink
+symlinkat
+sync
+sync_file_range
+sync_file_range2
+syncfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timerfd_create
+timerfd_gettime
+timerfd_settime
+timer_getoverrun
+timer_gettime
+timer_settime
+times
+tkill
+truncate
+truncate64
+ugetrlimit
+umask
+uname
+unlink
+unlinkat
+usr26
+usr32
+ustat
+utime
+utimensat
+utimes
+vfork
+vmsplice
+wait4
+waitid
+waitpid
+write
+writev
diff -Nru libseccomp-2.2.1/debian/tests/data/unrestricted.filter libseccomp-2.2.1/debian/tests/data/unrestricted.filter
--- libseccomp-2.2.1/debian/tests/data/unrestricted.filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/data/unrestricted.filter	2015-05-01 13:04:43.000000000 -0500
@@ -0,0 +1 @@
+@unrestricted
diff -Nru libseccomp-2.2.1/debian/tests/src/getrandom.c libseccomp-2.2.1/debian/tests/src/getrandom.c
--- libseccomp-2.2.1/debian/tests/src/getrandom.c	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/src/getrandom.c	2015-05-04 15:11:22.000000000 -0500
@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <errno.h>
+
+#include <linux/random.h>
+
+int main (void) {
+    int ret;
+    int buflen = 256;
+    char buf[buflen];
+    buf[0] = '\0';
+
+    ret = syscall(SYS_getrandom, buf, buflen, 0);
+    if (ret < 0) {
+        printf("FAIL (error)\n");
+        return ret;
+    }
+    if (ret == buflen) {
+        printf("PASS\n");
+        return 0;
+    }
+    printf("FAIL (short read: %i)\n", ret);
+    return 1;
+
+failure:
+    errno = EIO;
+    return -1;
+}
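Review bot: The `failure:` label at the end of main is unreachable, since nothing jumps to it, so `errno = EIO; return -1;` and the `<errno.h>` include are dead code and can be dropped. On the error path, `return ret;` hands a negative value to the exit status and the message discards errno. Using `perror("FAIL (getrandom)"); return 1;` would distinguish a kernel without getrandom (ENOSYS, before Linux 3.17) from other failures. Under the SCMP_ACT_KILL filter the process is killed before this branch runs, so the branch only ever reports non-seccomp failures, which is worth stating in a comment.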
diff -Nru libseccomp-2.2.1/debian/tests/src/test-seccomp.c libseccomp-2.2.1/debian/tests/src/test-seccomp.c
--- libseccomp-2.2.1/debian/tests/src/test-seccomp.c	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/src/test-seccomp.c	2015-05-04 13:53:38.000000000 -0500
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2015 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Based on ubuntu-core-launcher from: lp:ubuntu-core-launcher
+ *
+ * gcc -o test-seccomp test-seccomp.c -lseccomp
+ */
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <seccomp.h>
+
+void die(const char *msg, ...)
+{
+   va_list va;
+   va_start(va, msg);
+   vfprintf(stderr, msg, va);
+   va_end(va);
+
+   fprintf(stderr, "\n");
+   exit(1);
+}
+
+void debug(const char *msg, ...)
+{
+   va_list va;
+   va_start(va, msg);
+   fprintf(stderr, "DEBUG: ");
+   vfprintf(stderr, msg, va);
+   fprintf(stderr, "\n");
+   va_end(va);
+}
+
+// strip whitespace from the end of the given string (inplace)
+size_t trim_right(char *s, size_t slen) {
+   while(slen > 0 && isspace(s[slen - 1])) {
+      s[--slen] = 0;
+   }
+   return slen;
+}
+
+int seccomp_load_filters(const char *profile_path)
+{
+   debug("seccomp_load_filters %s", profile_path);
+   int rc = 0;
+   int syscall_nr = -1;
+   scmp_filter_ctx ctx = NULL;
+   FILE *f = NULL;
+   size_t lineno = 0;
+
+   ctx = seccomp_init(SCMP_ACT_KILL);
+   if (ctx == NULL)
+      return ENOMEM;
+
+   f = fopen(profile_path, "r");
+   if (f == NULL) {
+      fprintf(stderr, "Can not open %s (%s)\n", profile_path, strerror(errno));
+      return -1;
+   }
+   // 80 characters + '\n' + '\0'
+   char buf[82];
+   while (fgets(buf, sizeof(buf), f) != NULL)
+   {
+      size_t len;
+
+      lineno++;
+
+      // comment, ignore
+      if(buf[0] == '#')
+         continue;
+
+      // ensure the entire line was read
+      len = strlen(buf);
+      if (len == 0)
+         continue;
+      else if (buf[len - 1] != '\n' && len > (sizeof(buf) - 2)) {
+         fprintf(stderr, "seccomp filter line %zu was too long (%zu characters max)\n", lineno, sizeof(buf) - 2);
+         rc = -1;
+         goto out;
+      }
+
+      // kill final newline
+      len = trim_right(buf, len);
+      if (len == 0)
+         continue;
+
+      // check for special "@unrestricted" command
+      if (strncmp(buf, "@unrestricted", sizeof(buf)) == 0)
+         goto out;
+
+      // syscall not available on this arch/kernel
+      // as this is a syscall whitelist its ok and the error can be ignored
+      syscall_nr = seccomp_syscall_resolve_name(buf);
+      if (syscall_nr == __NR_SCMP_ERROR)
+         continue;
+
+      // a normal line with a syscall
+      rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
+      if (rc != 0) {
+         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
+	 if (rc != 0) {
+             fprintf(stderr, "seccomp_rule_add failed with %i for '%s'\n", rc, buf);
+             goto out;
+	 }
+      }
+   }
+
+   // load it into the kernel
+   rc = seccomp_load(ctx);
+   if (rc != 0) {
+      fprintf(stderr, "seccomp_load failed with %i\n", rc);
+      goto out;
+   }
+
+ out:
+   if (f != NULL) {
+      fclose(f);
+   }
+   seccomp_release(ctx);
+   return rc;
+}
+
+int main(int argc, char **argv)
+{
+    int rc;
+    const int NR_ARGS = 1;
+    if(argc < NR_ARGS+1)
+        die("Usage: %s <filter file> <binary>", argv[0]);
+
+    const char *filter = argv[1];
+    const char *binary = argv[2];
+
+    // set seccomp
+    rc = seccomp_load_filters(filter);
+    if (rc != 0)
+        die("seccomp_load_filters failed with %i\n", rc);
+
+    // and exec the new binary
+    argv[NR_ARGS] = (char*)binary,
+    execv(binary, (char *const*)&argv[NR_ARGS+1]);
+    perror("execv failed");
+    return 1;
+}
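Review bot: The argument check in main, `if(argc < NR_ARGS+1)`, accepts an invocation that supplies only the filter file, after which `binary = argv[2]` is NULL and is passed to execv. The usage string names two required arguments, so the guard should be `if (argc < NR_ARGS + 2)`. In seccomp_load_filters, the early `return -1;` after a failed fopen skips `seccomp_release(ctx)`; `rc = -1; goto out;` would keep cleanup on one path. trim_right also calls isspace without `#include <ctype.h>` and on a plain char; it should be `isspace((unsigned char)s[slen - 1])`.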
diff -Nru libseccomp-2.2.1/debian/tests/test-filter libseccomp-2.2.1/debian/tests/test-filter
--- libseccomp-2.2.1/debian/tests/test-filter	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/test-filter	2015-05-04 15:19:49.000000000 -0500
@@ -0,0 +1,75 @@
+#!/bin/sh
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2015 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+set -e
+
+if [ -z "$ADTTMP" ]; then
+    echo "Please set ADTTMP" >&2
+    exit 1
+fi
+
+if [ ! -d "$ADTTMP" ]; then
+    echo "Could not find ADTTMP ($ADTTMP)" >&2
+    exit 1
+fi
+
+exe="$ADTTMP/exe"
+
+run_filter() {
+    if [ ! -x "$exe" ]; then
+        gcc -o "$exe" ./debian/tests/src/test-seccomp.c -lseccomp
+    fi
+
+    filter="$1"
+
+    exe2="$ADTTMP/getrandom"
+    if [ "`basename $filter`" = "getrandom.fail_filter" ]; then
+        if [ ! -x "$exe2" ]; then
+            gcc -o "$exe2" ./debian/tests/src/getrandom.c
+        fi
+
+        "$exe" "$filter" "$exe2"
+    elif [ "`basename $filter`" = "getrandom.filter" ]; then
+        if [ ! -x "$exe2" ]; then
+            gcc -o "$exe2" ./debian/tests/src/getrandom.c
+        fi
+
+        "$exe" "$filter" "$exe2"
+    else
+        "$exe" "$filter" /bin/date
+    fi
+}
+
+failed=
+# expected pass
+for i in ./debian/tests/data/*.filter ; do
+    echo "= $i ="
+    run_filter $i || {
+        echo "FAIL: expected to pass"
+        failed="yes"
+    }
+done
+
+# expected fail
+for i in ./debian/tests/data/*.fail_filter ; do
+    echo "= $i ="
+    run_filter $i 2>&1 && {
+        echo "FAIL: expected to error"
+        failed="yes"
+    }
+done
+
+echo ""
+if [ "$failed" = "yes" ]; then
+    echo FAIL
+    exit 1
+fi
+echo PASS
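Review bot: The expected-fail loop treats any non-zero status from `run_filter` as success, so a failed gcc build, a missing helper or a usage error passes just as a seccomp kill does. A negative test for a SCMP_ACT_KILL filter should assert that the process died from SIGSYS; the sketch below does this with POSIX `kill -l <exit status>` and avoids hard-coding the signal number. `$i` and the `$filter` passed to `basename` in run_filter are also unquoted and should be `"$i"` and `"$filter"`.

```shell
# expected fail: the filtered process must die from SIGSYS
for i in ./debian/tests/data/*.fail_filter ; do
    echo "= $i ="
    rc=0
    run_filter "$i" 2>&1 || rc=$?
    if [ "$(kill -l "$rc" 2>/dev/null)" != "SYS" ]; then
        echo "FAIL: expected SIGSYS, got exit status $rc"
        failed="yes"
    fi
done
# … unchanged: final PASS/FAIL summary …
```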
diff -Nru libseccomp-2.2.1/debian/tests/test-scmp_sys_resolver libseccomp-2.2.1/debian/tests/test-scmp_sys_resolver
--- libseccomp-2.2.1/debian/tests/test-scmp_sys_resolver	1969-12-31 18:00:00.000000000 -0600
+++ libseccomp-2.2.1/debian/tests/test-scmp_sys_resolver	2015-05-04 13:51:51.000000000 -0500
@@ -0,0 +1,54 @@
+#!/bin/sh
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2015 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+set -e
+
+failed=
+
+test_range() {
+    low=$1
+    high=$2
+    echo "Testing syscalls $low-$high"
+    for i in `seq $low $high` ; do
+        res=`scmp_sys_resolver $i` || {
+            echo "'$i' failed"
+            failed="yes"
+        }
+        if [ "$res" = "UNKNOWN" ]; then
+            continue
+        fi
+        res2=`scmp_sys_resolver $res` || {
+            echo "'$res' failed"
+            failed="yes"
+        }
+        if [ "$res2" != "$i" ]; then
+            echo "FAIL: $i ($res) != $res ($res2)"
+            failed="yes"
+        else
+            echo "pass: $i ($res) == $res ($res2)"
+        fi
+    done
+}
+
+echo "= normal range ="
+test_range 0 1024
+echo ""
+
+echo "= arm private ="
+test_range 983000 984024
+echo ""
+
+echo ""
+if [ "$failed" = "yes" ]; then
+    echo FAIL
+    exit 1
+fi
+echo PASS
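Review bot: In test_range, when the first `scmp_sys_resolver $i` call fails the handler records the failure but the loop carries on with an empty `$res`. The second lookup then runs `scmp_sys_resolver` with no argument and prints a second, misleading failure for the same number. Adding `continue` inside both `|| { ... }` handlers after `failed="yes"` keeps it to one report per syscall. The expansions should be quoted and written with `$(...)`, for example `res=$(scmp_sys_resolver "$i")`.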
