forked from seccomp/libseccomp
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
arch: basic infrastructure for tracking per-syscall/ABI kernel versions
This commit adds basic support for tracking what kernel introduced a syscall for a given arch/ABI. It does not provide any of that kernel version information, leaving only a SCMP_KV_UNDEF placeholder, nor does it attempt to do anything meaningful with this new source of information; this patch simply establishes a new syscalls.csv format so that we can start properly recording the kernel versions. Acked-by: Tom Hromatka <[email protected]> Signed-off-by: Paul Moore <[email protected]>
- Loading branch information
Showing
23 changed files
with
699 additions
and
532 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,6 +5,7 @@ | |
# | ||
# Copyright (c) 2014 Red Hat <[email protected]> | ||
# Copyright (c) 2020 Cisco Systems, Inc. <[email protected]> | ||
# Copyright (c) 2022 Microsoft Corporation. <[email protected]> | ||
# | ||
# Author: Paul Moore <[email protected]> | ||
# | ||
|
@@ -59,15 +60,15 @@ function verify_deps() { | |
# | ||
function usage() { | ||
cat << EOF | ||
usage: arch-syscall-validate [-h] [-c] [-a <arch>] <kernel_directory> | ||
usage: arch-syscall-validate [-h] [-c <file>] [-a <arch>] <kernel_directory> | ||
libseccomp syscall validation script | ||
optional arguments: | ||
-h show this help message and exit | ||
-a architecture | ||
-l output the library's syscall definitions | ||
-s output the kernel's syscall definitions | ||
-c generate a CSV of the kernel's syscall definitions | ||
-c <file> generate a CSV of the kernel's syscall definitions | ||
EOF | ||
} | ||
|
||
|
@@ -733,6 +734,7 @@ function dump_lib() { | |
# Arguments: | ||
# 1 path to the kernel source | ||
# 2 "sys" or "lib" depending on the syscall list to use | ||
# 3 csv file to use as input for saved fields | ||
# | ||
# Generare a syscall csv file from the given kernel sources. | ||
# | ||
|
@@ -755,6 +757,26 @@ function gen_csv() { | |
abi_list+=" s390 s390x" | ||
abi_list+=" sh" | ||
|
||
# read the csv to get the existing data | ||
local -A csv | ||
local csv_has_kver=0 | ||
local csv_input="$3" | ||
[[ ! -e "$3" ]] && csv_input=/dev/null | ||
grep -q "KV_" "$csv_input" && csv_has_kver=1 | ||
while read line; do | ||
sc=$(echo $line | cut -d, -f 1) | ||
local field=2 | ||
for abi in $abi_list; do | ||
csv[$sc,$abi]=$(echo $line | cut -d, -f $field) | ||
((field++)) | ||
if [[ $csv_has_kver -eq 1 ]]; then | ||
csv[$sc,${abi}_KVER]=$(echo $line | \ | ||
cut -d, -f $field) | ||
((field++)) | ||
fi | ||
done | ||
done < <(sed 's/#.*//;/^[ \t]*$/d' "$csv_input") | ||
|
||
# get the full syscall list | ||
for abi in $abi_list; do | ||
eval output_$abi=$(mktemp -t syscall_validate_XXXXXX) | ||
|
@@ -764,26 +786,31 @@ function gen_csv() { | |
cat $(eval echo $`eval echo output_$abi`); | ||
done) | awk -F "," '{ print $1 }' | sort -u) | ||
# output a simple header | ||
printf "#syscall (v%s %s)" \ | ||
"$(kernel_version "$1")" "$(TZ=UTC date "+%Y-%m-%d")" | ||
for abi in $abi_list; do | ||
printf ",%s" $abi | ||
done | ||
printf "\n" | ||
# output the syscall csv details | ||
for sc in $sc_list; do | ||
printf "%s" $sc | ||
# redirect the subshell to the csv file | ||
( | ||
# output a simple header | ||
printf "#syscall (v%s %s)" \ | ||
"$(kernel_version "$1")" "$(TZ=UTC date "+%Y-%m-%d")" | ||
for abi in $abi_list; do | ||
num=$(grep "^$sc," \ | ||
$(eval echo $`eval echo output_$abi`) | \ | ||
awk -F "," '{ print $2 }' ) | ||
[[ -z $num ]] && num="PNR" | ||
printf ",%s" $num | ||
printf ",%s,%s_kver" $abi $abi | ||
done | ||
printf "\n" | ||
done | ||
# output the syscall csv details | ||
for sc in $sc_list; do | ||
printf "%s" $sc | ||
for abi in $abi_list; do | ||
num=$(grep "^$sc," \ | ||
$(eval echo $`eval echo output_$abi`) | \ | ||
awk -F "," '{ print $2 }' ) | ||
kver=${csv[$sc,${abi}_KVER]} | ||
[[ -z $num ]] && num="PNR" | ||
[[ -z $kver ]] && kver="KV_UNDEF" | ||
printf ",%s,%s" $num $kver | ||
done | ||
printf "\n" | ||
done | ||
) > "$3" | ||
# cleanup | ||
for abi in $abi_list; do | ||
|
@@ -799,29 +826,29 @@ verify_deps gcc | |
verify_deps grep | ||
verify_deps mktemp | ||
verify_deps sed | ||
if [[ ! -x $LIB_SYS_DUMP ]]; then | ||
echo "error: \"$LIB_SYS_DUMP\" is not in the current working directory" | ||
exit 1 | ||
fi | ||
opt_arches="" | ||
opt_csv=0 | ||
opt_csv="" | ||
opt_sys=0 | ||
opt_lib=0 | ||
while getopts "a:cslh" opt; do | ||
while getopts "a:c:slh" opt; do | ||
case $opt in | ||
a) | ||
opt_arches+="$OPTARG " | ||
;; | ||
c) | ||
opt_csv=1 | ||
opt_csv="$OPTARG" | ||
;; | ||
s) | ||
opt_sys=1 | ||
opt_lib=0 | ||
;; | ||
l) | ||
if [[ ! -x $LIB_SYS_DUMP ]]; then | ||
echo "error: \"$LIB_SYS_DUMP\" is not present" | ||
exit 1 | ||
fi | ||
opt_sys=0 | ||
opt_lib=1 | ||
;; | ||
|
@@ -860,12 +887,12 @@ fi | |
tmp_lib=$(mktemp -t syscall_validate_XXXXXX) | ||
tmp_sys=$(mktemp -t syscall_validate_XXXXXX) | ||
|
||
if [[ $opt_csv -eq 1 ]]; then | ||
if [[ -n $opt_csv ]]; then | ||
# generate the syscall csv file | ||
if [[ $opt_lib -eq 1 ]]; then | ||
gen_csv $kernel_dir "lib" | ||
gen_csv $kernel_dir "lib" $opt_csv | ||
else | ||
gen_csv $kernel_dir "sys" | ||
gen_csv $kernel_dir "sys" $opt_csv | ||
fi | ||
else | ||
# loop through the architectures and compare | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,6 +2,8 @@ | |
* Enhanced Seccomp Architecture/Machine Specific Code | ||
* | ||
* Copyright (c) 2012 Red Hat <[email protected]> | ||
* Copyright (c) 2022 Microsoft Corporation. <[email protected]> | ||
* | ||
* Author: Paul Moore <[email protected]> | ||
*/ | ||
|
||
|
@@ -62,6 +64,8 @@ struct arch_def { | |
const char *(*syscall_resolve_num_raw)(int num); | ||
int (*syscall_rewrite)(const struct arch_def *arch, int *syscall); | ||
int (*rule_add)(struct db_filter *db, struct db_api_rule_list *rule); | ||
enum scmp_kver (*syscall_name_kver)(const char *name); | ||
enum scmp_kver (*syscall_num_kver)(int num); | ||
}; | ||
|
||
/* arch_def for the current architecture */ | ||
|
@@ -72,21 +76,34 @@ extern const struct arch_def *arch_def_native; | |
extern const struct arch_def arch_def_##NAME; \ | ||
int NAME##_syscall_resolve_name(const char *name); \ | ||
const char *NAME##_syscall_resolve_num(int num); \ | ||
enum scmp_kver NAME##_syscall_name_kver(const char *name); \ | ||
enum scmp_kver NAME##_syscall_num_kver(int num); \ | ||
const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot); | ||
|
||
/* macro to define the arch specific structures and functions */ | ||
#define ARCH_DEF(NAME) \ | ||
int NAME##_syscall_resolve_name(const char *name) \ | ||
{ \ | ||
return syscall_resolve_name(name, OFFSET_ARCH(NAME)); \ | ||
return syscall_resolve_name(name, SYSTBL_OFFSET(NAME)); \ | ||
} \ | ||
const char *NAME##_syscall_resolve_num(int num) \ | ||
{ \ | ||
return syscall_resolve_num(num, OFFSET_ARCH(NAME)); \ | ||
return syscall_resolve_num(num, SYSTBL_OFFSET(NAME)); \ | ||
} \ | ||
enum scmp_kver NAME##_syscall_name_kver(const char *name) \ | ||
{ \ | ||
return syscall_resolve_name_kver(name, \ | ||
SYSTBL_OFFSET(NAME##_kver)); \ | ||
} \ | ||
enum scmp_kver NAME##_syscall_num_kver(int num) \ | ||
{ \ | ||
return syscall_resolve_num_kver(num, \ | ||
SYSTBL_OFFSET(NAME), \ | ||
SYSTBL_OFFSET(NAME##_kver)); \ | ||
} \ | ||
const struct arch_syscall_def *NAME##_syscall_iterate(unsigned int spot) \ | ||
{ \ | ||
return syscall_iterate(spot, OFFSET_ARCH(NAME)); \ | ||
return syscall_iterate(spot, SYSTBL_OFFSET(NAME)); \ | ||
} | ||
|
||
/* syscall name/num mapping */ | ||
|
Oops, something went wrong.