Merge 8ee089f into aa9589c

src/arch-syscall-dump.c

@@ -41,6 +41,7 @@
 #include "arch-parisc.h"
 #include "arch-ppc.h"
 #include "arch-ppc64.h"
+#include "arch-riscv64.h"
 #include "arch-s390.h"
 #include "arch-s390x.h"
 
@@ -127,6 +128,9 @@ int main(int argc, char *argv[])
 		case SCMP_ARCH_PPC64LE:
 			sys = ppc64_syscall_iterate(iter);
 			break;
+		case SCMP_ARCH_RISCV64:
+			sys = riscv64_syscall_iterate(iter);
+			break;
 		case SCMP_ARCH_S390:
 			sys = s390_syscall_iterate(iter);
 			break;

tests/53-sim-binary_tree.c

@@ -1,7 +1,7 @@
 /**
  * Seccomp Library test program
  *
- * Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
  * Author: Tom Hromatka <tom.hromatka@oracle.com>
  */
 
@@ -29,9 +29,53 @@
 
 #include "util.h"
 
-#define MAX_SYSCALL		(330)
+struct syscall_errno {
+	int syscall;
+	int error;
+};
 
-#include <stdio.h>
+struct syscall_errno table[] = {
+	{ SCMP_SYS(read), 0 },
+	{ SCMP_SYS(write), 1 },
+	{ SCMP_SYS(open), 2 },
+	{ SCMP_SYS(close), 3 },
+	{ SCMP_SYS(stat), 4 },
+	{ SCMP_SYS(fstat), 5 },
+	{ SCMP_SYS(lstat), 6 },
+	{ SCMP_SYS(poll), 7 },
+	{ SCMP_SYS(lseek), 8 },
+	{ SCMP_SYS(mmap), 9 },
+	{ SCMP_SYS(mprotect), 10 },
+	{ SCMP_SYS(munmap), 11 },
+	{ SCMP_SYS(brk), 12 },
+	{ SCMP_SYS(rt_sigaction), 13 },
+	{ SCMP_SYS(rt_sigprocmask), 14 },
+	{ SCMP_SYS(rt_sigreturn), 15 },
+	{ SCMP_SYS(ioctl), 16 },
+	{ SCMP_SYS(pread64), 17 },
+	{ SCMP_SYS(pwrite64), 18 },
+	{ SCMP_SYS(readv), 19 },
+	{ SCMP_SYS(writev), 20 },
+	{ SCMP_SYS(access), 21 },
+	{ SCMP_SYS(pipe), 22 },
+	{ SCMP_SYS(select), 23 },
+	{ SCMP_SYS(sched_yield), 24 },
+	{ SCMP_SYS(mremap), 25 },
+	{ SCMP_SYS(msync), 26 },
+	{ SCMP_SYS(mincore), 27 },
+	{ SCMP_SYS(madvise), 28 },
+	{ SCMP_SYS(shmget), 29 },
+	{ SCMP_SYS(shmat), 30 },
+	{ SCMP_SYS(shmctl), 31 },
+	{ SCMP_SYS(dup), 32 },
+	{ SCMP_SYS(dup2), 33 },
+	{ SCMP_SYS(pause), 34 },
+	{ SCMP_SYS(nanosleep), 35 },
+	{ SCMP_SYS(getitimer), 36 },
+	{ SCMP_SYS(alarm), 37 },
+};
+
+const int table_size = sizeof(table) / sizeof(table[0]);
 
 int main(int argc, char *argv[])
 {
@@ -49,38 +93,26 @@ int main(int argc, char *argv[])
 		goto out;
 	}
 
-	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
-	if (rc < 0)
-		goto out;
-	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
-	if (rc < 0)
-		goto out;
-	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
-	if (rc < 0)
-		goto out;
 	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
 	if (rc < 0)
 		goto out;
 
-	/* NOTE: this test is entirely fabricated and should not be
-	 * 	 replicated in the real world.
-	 *
-	 *	 The MAX_SYSCALL number (330) was chosen to force seccomp to
-	 *	 build an unbalanced binary tree - and it happens to be less
-	 *	 than the current syscall max.  The syscall numbers are
-	 *	 hardcoded to simplify the test.  A few syscalls have
-	 *	 argument chains to further complicate the filter.
-	 */
-
-	for (i = 0; i < MAX_SYSCALL; i++) {
+	for (i = 0; i < table_size; i++) {
 		/* arbitrarily make the filter more complex by filtering
 		 * on arguments for a few syscalls
 		 */
-		if (i == 10 || i == 53 || i == 61 || i == 255)
-			rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(i), i, 1,
-					      SCMP_A0(SCMP_CMP_EQ, i));
+		if (table[i].syscall == SCMP_SYS(mprotect) ||
+		    table[i].syscall == SCMP_SYS(dup) ||
+		    table[i].syscall == SCMP_SYS(alarm))
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 1,
+					      SCMP_A0(SCMP_CMP_EQ,
+						      table[i].error));
 		else
-			rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(i), i, 0);
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 0);
 		if (rc < 0)
 			goto out;
 	}

tests/53-sim-binary_tree.py

@@ -28,6 +28,47 @@
 
 from seccomp import *
 
+table = [
+    {"syscall": "read", "error": 0 },
+    {"syscall": "write", "error": 1 },
+    {"syscall": "open", "error": 2 },
+    {"syscall": "close", "error": 3 },
+    {"syscall": "stat", "error": 4 },
+    {"syscall": "fstat", "error": 5 },
+    {"syscall": "lstat", "error": 6 },
+    {"syscall": "poll", "error": 7 },
+    {"syscall": "lseek", "error": 8 },
+    {"syscall": "mmap", "error": 9 },
+    {"syscall": "mprotect", "error": 10 },
+    {"syscall": "munmap", "error": 11 },
+    {"syscall": "brk", "error": 12 },
+    {"syscall": "rt_sigaction", "error": 13 },
+    {"syscall": "rt_sigprocmask", "error": 14 },
+    {"syscall": "rt_sigreturn", "error": 15 },
+    {"syscall": "ioctl", "error": 16 },
+    {"syscall": "pread64", "error": 17 },
+    {"syscall": "pwrite64", "error": 18 },
+    {"syscall": "readv", "error": 19 },
+    {"syscall": "writev", "error": 20 },
+    {"syscall": "access", "error": 21 },
+    {"syscall": "pipe", "error": 22 },
+    {"syscall": "select", "error": 23 },
+    {"syscall": "sched_yield", "error": 24 },
+    {"syscall": "mremap", "error": 25 },
+    {"syscall": "msync", "error": 26 },
+    {"syscall": "mincore", "error": 27 },
+    {"syscall": "madvise", "error": 28 },
+    {"syscall": "shmget", "error": 29 },
+    {"syscall": "shmat", "error": 30 },
+    {"syscall": "shmctl", "error": 31 },
+    {"syscall": "dup", "error": 32 },
+    {"syscall": "dup2", "error": 33 },
+    {"syscall": "pause", "error": 34 },
+    {"syscall": "nanosleep", "error": 35 },
+    {"syscall": "getitimer", "error": 36 },
+    {"syscall": "alarm", "error": 37 },
+]
+
 def test(args):
     f = SyscallFilter(ALLOW)
 
@@ -36,11 +77,15 @@ def test(args):
     f.add_arch(Arch("x86"))
     f.set_attr(Attr.CTL_OPTIMIZE, 2)
 
-    for i in range(330):
-        if (i == 10 or i == 53 or i == 61 or i == 255):
-            f.add_rule(ERRNO(i), i, Arg(0, EQ, i))
+    for entry in table:
+        print(entry)
+        if entry["syscall"] == "mprotect" or \
+           entry["syscall"] == "dup" or \
+           entry["syscall"] == "alarm":
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"],
+                       Arg(0, EQ, entry["error"]))
         else:
-            f.add_rule(ERRNO(i), i)
+            f.add_rule(ERRNO(entry["error"]), entry["syscall"])
 
     return f