Compare commits

..

3 Commits

Author SHA1 Message Date
Mike Gilbert fb4b0465ab seccomp: real syscall numbers are >= 0
Real syscall numbers start at 0. The fake seccomp values seem to be
strictly less than 0.

Fixes: 4df8fe8415
2019-12-09 11:29:06 +01:00
Yong Cong Sin 0cab1f1976 Add Cube iWork 11 Stylus 2019-12-09 11:28:15 +01:00
Yu Watanabe 8ee08dc564 test: do not fail if new device is plugged during enumeration 2019-12-09 08:45:25 +00:00
4 changed files with 50 additions and 30 deletions

View File

@ -223,6 +223,10 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:*
sensor:modalias:acpi:BOSC0200*:dmi:*:svnCube:pnI15-TC:* sensor:modalias:acpi:BOSC0200*:dmi:*:svnCube:pnI15-TC:*
ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1 ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
# Cube iWork 11 Stylus
sensor:modalias:acpi:KIOX000A*:dmi:*:svncube:pni8-T:*
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
######################################### #########################################
# Cytrix (Mytrix) # Cytrix (Mytrix)
######################################### #########################################

View File

@ -35,7 +35,7 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
#if !HAVE_MEMFD_CREATE #if !HAVE_MEMFD_CREATE
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_memfd_create && __NR_memfd_create > 0) # if ! (defined __NR_memfd_create && __NR_memfd_create >= 0)
# if defined __NR_memfd_create # if defined __NR_memfd_create
# undef __NR_memfd_create # undef __NR_memfd_create
# endif # endif
@ -82,7 +82,7 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
#if !HAVE_GETRANDOM #if !HAVE_GETRANDOM
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_getrandom && __NR_getrandom > 0) # if ! (defined __NR_getrandom && __NR_getrandom >= 0)
# if defined __NR_getrandom # if defined __NR_getrandom
# undef __NR_getrandom # undef __NR_getrandom
# endif # endif
@ -145,7 +145,7 @@ static inline pid_t missing_gettid(void) {
#if !HAVE_NAME_TO_HANDLE_AT #if !HAVE_NAME_TO_HANDLE_AT
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at > 0) # if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0)
# if defined __NR_name_to_handle_at # if defined __NR_name_to_handle_at
# undef __NR_name_to_handle_at # undef __NR_name_to_handle_at
# endif # endif
@ -186,7 +186,7 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
#if !HAVE_SETNS #if !HAVE_SETNS
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_setns && __NR_setns > 0) # if ! (defined __NR_setns && __NR_setns >= 0)
# if defined __NR_setns # if defined __NR_setns
# undef __NR_setns # undef __NR_setns
# endif # endif
@ -227,7 +227,7 @@ static inline pid_t raw_getpid(void) {
#if !HAVE_RENAMEAT2 #if !HAVE_RENAMEAT2
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_renameat2 && __NR_renameat2 > 0) # if ! (defined __NR_renameat2 && __NR_renameat2 >= 0)
# if defined __NR_renameat2 # if defined __NR_renameat2
# undef __NR_renameat2 # undef __NR_renameat2
# endif # endif
@ -276,7 +276,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
#if !HAVE_KCMP #if !HAVE_KCMP
static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
# if defined __NR_kcmp && __NR_kcmp > 0 # if defined __NR_kcmp && __NR_kcmp >= 0
return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
# else # else
errno = ENOSYS; errno = ENOSYS;
@ -291,7 +291,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
#if !HAVE_KEYCTL #if !HAVE_KEYCTL
static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
# if defined __NR_keyctl && __NR_keyctl > 0 # if defined __NR_keyctl && __NR_keyctl >= 0
return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
# else # else
errno = ENOSYS; errno = ENOSYS;
@ -302,7 +302,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
} }
static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
# if defined __NR_add_key && __NR_add_key > 0 # if defined __NR_add_key && __NR_add_key >= 0
return syscall(__NR_add_key, type, description, payload, plen, ringid); return syscall(__NR_add_key, type, description, payload, plen, ringid);
# else # else
errno = ENOSYS; errno = ENOSYS;
@ -313,7 +313,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
} }
static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
# if defined __NR_request_key && __NR_request_key > 0 # if defined __NR_request_key && __NR_request_key >= 0
return syscall(__NR_request_key, type, description, callout_info, destringid); return syscall(__NR_request_key, type, description, callout_info, destringid);
# else # else
errno = ENOSYS; errno = ENOSYS;
@ -328,7 +328,7 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
#if !HAVE_COPY_FILE_RANGE #if !HAVE_COPY_FILE_RANGE
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_copy_file_range && __NR_copy_file_range > 0) # if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0)
# if defined __NR_copy_file_range # if defined __NR_copy_file_range
# undef __NR_copy_file_range # undef __NR_copy_file_range
# endif # endif
@ -370,7 +370,7 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
#if !HAVE_BPF #if !HAVE_BPF
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_bpf && __NR_bpf > 0) # if ! (defined __NR_bpf && __NR_bpf >= 0)
# if defined __NR_bpf # if defined __NR_bpf
# undef __NR_bpf # undef __NR_bpf
# endif # endif
@ -411,7 +411,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
#ifndef __IGNORE_pkey_mprotect #ifndef __IGNORE_pkey_mprotect
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect > 0) # if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0)
# if defined __NR_pkey_mprotect # if defined __NR_pkey_mprotect
# undef __NR_pkey_mprotect # undef __NR_pkey_mprotect
# endif # endif
@ -447,7 +447,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
#if !HAVE_STATX #if !HAVE_STATX
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_statx && __NR_statx > 0) # if ! (defined __NR_statx && __NR_statx >= 0)
# if defined __NR_statx # if defined __NR_statx
# undef __NR_statx # undef __NR_statx
# endif # endif
@ -498,7 +498,7 @@ enum {
static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
unsigned long maxnode) { unsigned long maxnode) {
long i; long i;
# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 # if defined __NR_set_mempolicy && __NR_set_mempolicy >= 0
i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
# else # else
errno = ENOSYS; errno = ENOSYS;
@ -529,7 +529,7 @@ static inline long missing_get_mempolicy(int *mode, unsigned long *nodemask,
#if !HAVE_PIDFD_OPEN #if !HAVE_PIDFD_OPEN
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_pidfd_open && __NR_pidfd_open > 0) # if ! (defined __NR_pidfd_open && __NR_pidfd_open >= 0)
# if defined __NR_pidfd_open # if defined __NR_pidfd_open
# undef __NR_pidfd_open # undef __NR_pidfd_open
# endif # endif
@ -547,7 +547,7 @@ static inline int pidfd_open(pid_t pid, unsigned flags) {
#if !HAVE_PIDFD_SEND_SIGNAL #if !HAVE_PIDFD_SEND_SIGNAL
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_pidfd_send_signal && __NR_pidfd_send_signal > 0) # if ! (defined __NR_pidfd_send_signal && __NR_pidfd_send_signal >= 0)
# if defined __NR_pidfd_send_signal # if defined __NR_pidfd_send_signal
# undef __NR_pidfd_send_signal # undef __NR_pidfd_send_signal
# endif # endif

View File

@ -81,9 +81,10 @@ static void test_sd_device_enumerator_subsystems(void) {
test_sd_device_one(d); test_sd_device_one(d);
} }
static void test_sd_device_enumerator_filter_subsystem_one(const char *subsystem, Hashmap *h) { static unsigned test_sd_device_enumerator_filter_subsystem_one(const char *subsystem, Hashmap *h) {
_cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
sd_device *d, *t; sd_device *d, *t;
unsigned n_new_dev = 0;
assert_se(sd_device_enumerator_new(&e) >= 0); assert_se(sd_device_enumerator_new(&e) >= 0);
assert_se(sd_device_enumerator_add_match_subsystem(e, subsystem, true) >= 0); assert_se(sd_device_enumerator_add_match_subsystem(e, subsystem, true) >= 0);
@ -92,18 +93,27 @@ static void test_sd_device_enumerator_filter_subsystem_one(const char *subsystem
const char *syspath; const char *syspath;
assert_se(sd_device_get_syspath(d, &syspath) >= 0); assert_se(sd_device_get_syspath(d, &syspath) >= 0);
assert_se(t = hashmap_remove(h, syspath)); t = hashmap_remove(h, syspath);
assert_se(!sd_device_unref(t)); assert_se(!sd_device_unref(t));
if (t)
log_debug("Removed subsystem:%s syspath:%s", subsystem, syspath); log_debug("Removed subsystem:%s syspath:%s", subsystem, syspath);
else {
log_warning("New device found: subsystem:%s syspath:%s", subsystem, syspath);
n_new_dev++;
}
} }
/* Assume no device is unplugged. */
assert_se(hashmap_isempty(h)); assert_se(hashmap_isempty(h));
return n_new_dev;
} }
static void test_sd_device_enumerator_filter_subsystem(void) { static void test_sd_device_enumerator_filter_subsystem(void) {
_cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
_cleanup_(hashmap_freep) Hashmap *subsystems; _cleanup_(hashmap_freep) Hashmap *subsystems;
unsigned n_new_dev = 0;
sd_device *d; sd_device *d;
Hashmap *h; Hashmap *h;
char *s; char *s;
@ -139,10 +149,16 @@ static void test_sd_device_enumerator_filter_subsystem(void) {
} }
while ((h = hashmap_steal_first_key_and_value(subsystems, (void**) &s))) { while ((h = hashmap_steal_first_key_and_value(subsystems, (void**) &s))) {
test_sd_device_enumerator_filter_subsystem_one(s, h); n_new_dev += test_sd_device_enumerator_filter_subsystem_one(s, h);
hashmap_free(h); hashmap_free(h);
free(s); free(s);
} }
if (n_new_dev > 0)
log_warning("%u new device is found in re-scan", n_new_dev);
/* Assume that not so many devices are plugged. */
assert_se(n_new_dev <= 10);
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {

View File

@ -29,7 +29,7 @@
#include "virt.h" #include "virt.h"
/* __NR_socket may be invalid due to libseccomp */ /* __NR_socket may be invalid due to libseccomp */
#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) #if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
* and we can't restrict it hence via seccomp. */ * and we can't restrict it hence via seccomp. */
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
@ -305,14 +305,14 @@ static void test_protect_sysctl(void) {
assert_se(pid >= 0); assert_se(pid >= 0);
if (pid == 0) { if (pid == 0) {
#if defined __NR__sysctl && __NR__sysctl > 0 #if defined __NR__sysctl && __NR__sysctl >= 0
assert_se(syscall(__NR__sysctl, NULL) < 0); assert_se(syscall(__NR__sysctl, NULL) < 0);
assert_se(errno == EFAULT); assert_se(errno == EFAULT);
#endif #endif
assert_se(seccomp_protect_sysctl() >= 0); assert_se(seccomp_protect_sysctl() >= 0);
#if defined __NR__sysctl && __NR__sysctl > 0 #if defined __NR__sysctl && __NR__sysctl >= 0
assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
assert_se(errno == EPERM); assert_se(errno == EPERM);
#endif #endif
@ -347,14 +347,14 @@ static void test_protect_syslog(void) {
assert_se(pid >= 0); assert_se(pid >= 0);
if (pid == 0) { if (pid == 0) {
#if defined __NR_syslog && __NR_syslog > 0 #if defined __NR_syslog && __NR_syslog >= 0
assert_se(syscall(__NR_syslog, -1, NULL, 0) < 0); assert_se(syscall(__NR_syslog, -1, NULL, 0) < 0);
assert_se(errno == EINVAL); assert_se(errno == EINVAL);
#endif #endif
assert_se(seccomp_protect_syslog() >= 0); assert_se(seccomp_protect_syslog() >= 0);
#if defined __NR_syslog && __NR_syslog > 0 #if defined __NR_syslog && __NR_syslog >= 0
assert_se(syscall(__NR_syslog, 0, 0, 0) < 0); assert_se(syscall(__NR_syslog, 0, 0, 0) < 0);
assert_se(errno == EPERM); assert_se(errno == EPERM);
#endif #endif
@ -684,7 +684,7 @@ static void test_load_syscall_filter_set_raw(void) {
assert_se(poll(NULL, 0, 0) == 0); assert_se(poll(NULL, 0, 0) == 0);
assert_se(s = hashmap_new(NULL)); assert_se(s = hashmap_new(NULL));
#if defined __NR_access && __NR_access > 0 #if defined __NR_access && __NR_access >= 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
#else #else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
@ -700,7 +700,7 @@ static void test_load_syscall_filter_set_raw(void) {
s = hashmap_free(s); s = hashmap_free(s);
assert_se(s = hashmap_new(NULL)); assert_se(s = hashmap_new(NULL));
#if defined __NR_access && __NR_access > 0 #if defined __NR_access && __NR_access >= 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
#else #else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
@ -716,7 +716,7 @@ static void test_load_syscall_filter_set_raw(void) {
s = hashmap_free(s); s = hashmap_free(s);
assert_se(s = hashmap_new(NULL)); assert_se(s = hashmap_new(NULL));
#if defined __NR_poll && __NR_poll > 0 #if defined __NR_poll && __NR_poll >= 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
#else #else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
@ -733,7 +733,7 @@ static void test_load_syscall_filter_set_raw(void) {
s = hashmap_free(s); s = hashmap_free(s);
assert_se(s = hashmap_new(NULL)); assert_se(s = hashmap_new(NULL));
#if defined __NR_poll && __NR_poll > 0 #if defined __NR_poll && __NR_poll >= 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
#else #else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
@ -811,7 +811,7 @@ static int real_open(const char *path, int flags, mode_t mode) {
* testing purposes that calls the real syscall, on architectures where SYS_open is defined. On * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
* other architectures, let's just fall back to the glibc call. */ * other architectures, let's just fall back to the glibc call. */
#if defined __NR_open && __NR_open > 0 #if defined __NR_open && __NR_open >= 0
return (int) syscall(__NR_open, path, flags, mode); return (int) syscall(__NR_open, path, flags, mode);
#else #else
return open(path, flags, mode); return open(path, flags, mode);