Comments (22)
I didn't knew there was no significant syscall changes either. It's good to know release is not needed. We just wanted to have updated libseccomp for actual kernels.
For longarch support i can wait next major release.
from libseccomp.
This summer I'll work on paring down the open issues for 2.6.0. We have a lot of cool features there that I would love to get released.
from libseccomp.
For those watching this issue - I have just released libseccomp v2.5.5. Thanks for all the help π
from libseccomp.
This summer I'll work on paring down the open issues for 2.6.0. We have a lot of cool features there that I would love to get released.
Yeah, I've been trying to carve out one day a week to work on libseccomp lately ... although most weeks I've been failing miserably at that :/
from libseccomp.
@shaba I'm going to go ahead and close this out as I think we've resolved your concern, but if I'm mistaken please feel free to re-open.
from libseccomp.
Yeah, I've been trying to carve out one day a week to work on libseccomp lately ... although most weeks I've been failing miserably at that :/
Sounds all too familiar :)
from libseccomp.
Because it's impossible to add exact syscall that is present in kernel but not present in libseccomp (such as fchmodat2) it's impossible to create workarounds for adding syscalls (for example just ENOSYS them altogether) that are not yet supported by libseccomp.
Please make libseccomp synchronized with the current kernel version? Or allow adding unsupported syscalls?
from libseccomp.
Please make libseccomp synchronized with the current kernel version?
Or allow adding unsupported syscalls?
See seccomp_add_rule_exact()
, it should allow arbitrary syscall numbers; we use it all the time in the bundled regression tests.
from libseccomp.
See
seccomp_add_rule_exact()
, it should allow arbitrary syscall numbers; we use it all the time in the bundled regression tests.
Ah thanks. We misinterpreted -EFAULT
when adding a rule (with seccomp_add_rule_exact
) for non-native arch (for SCMP_ARCH_X86
on SCMP_ARCH_X86_64
). For native arch it works good.
from libseccomp.
@drakenclimber see above. I'll send you an email this morning.
from libseccomp.
Thoughts @drakenclimber?
It's been roughly a year since the last v2.5.x release and while I don't see any significant changes in the release-2.5 branch, and new release with an updated syscall table might be a good idea.
from libseccomp.
Thoughts @drakenclimber?
It's been roughly a year since the last v2.5.x release and while I don't see any significant changes in the release-2.5 branch, and new release with an updated syscall table might be a good idea.
Yeah, I definitely support doing a new 2.5.x release. I have some obligations that will likely consume the next few weeks, but I should have time after that. Does June or July sound reasonable?
from libseccomp.
Next week I'm going to be spending some quality time stuck on planes/airports, I might be able to put a release together next week, but I don't want to step on your toes :)
I am doing two PRs to update the syscall tables on main and release-2.5, and it looks like we don't need to update main (no syscall changes between v6.2 and v6.3).
from libseccomp.
Next week I'm going to be spending some quality time stuck on planes/airports, I might be able to put a release together next week, but I don't want to step on your toes :)
I am doing two PRs to update the syscall tables on main and release-2.5, and it looks like we don't need to update main (no syscall changes between v6.2 and v6.3).
If you have the time and the desire to release v2.5.5, I'm totally cool with that. I know you've been pretty busy lately, so I didn't want to burden you with more work.
from libseccomp.
I should have time to help review/test the v2.5.5 release if you want a second set of eyes.
from libseccomp.
Actually, wait a minute ... looking at the syscall table changes between Linux v5.17 (what we shipped in the libseccomp v2.5.4 release) and Linux v6.3 I only see one change: memfd_secret()
is defined for riscv64
. Given the limitations of memfd_secret()
I'm beginning to wonder if a new release is really worth it ... ?
@shaba what problems are you seeing with libseccomp v2.5.4 that you need a new release with updated kernel support?
from libseccomp.
Related PR to update the release-2.5 branch with the Linux v6.3 syscall information.:
from libseccomp.
There are three new syscalls since than already on v6.6-rc1 (cachestat
(since 6.5), fchmodat2
, and map_shadow_stack
) can you add them with a minor release?
from libseccomp.
We are working on a minor release, although there is not set date yet so please don't ask ;)
from libseccomp.
glibc starting using fchmodat2 to implement fchmod with flags [1], so the lack of support for fchmodat2 in libseccomp is causing problems with programs sandboxed by systemd. In particular, tar
now fails with the default SystemCallFilter="@system-service"
sandbox [2]. We'd appreciate a quick release to support fchmodat2.
[1] bminor/glibc@65341f7
[2] systemd/systemd#30250
from libseccomp.
systemd/systemd#30291 makes systemd handle unknown (to itself or libseccomp) syscalls gracefully by returning ENOSYS. So the ask here is less urgent: things should work as before, but we need an updated libseccomp to allow users to specify fchmodat2
in filters and/or to use it from sandboxed services.
from libseccomp.
Thanks, @keszybz. That looks like a good addition to systemd.
I'm going to start working on the 2.5.5 release right now. It's been long overdue.
from libseccomp.
Related Issues (20)
- Q: getting errno 14 and returned error code -13 when adding rule HOT 2
- BUG: libtool warning: '../src/libseccomp.la' has not been installed in '/usr/lib64' when running configure HOT 14
- RFE: add support for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (Linux 5.19) HOT 1
- Polish bitcoin with my power of the bakers act 1896 they were registering overall rating before 73 HOT 2
- Q: Abstract socket argument filter HOT 10
- Q: manually setting CFLAGS=-fvisibility=hidden does not work HOT 3
- BUG: problems with docker seccomp profiles on ARM HOT 5
- RFE: add SCMP_ACT_DEFAULT rule HOT 3
- ε HOT 2
- δΈζ΅η«η° HOT 3
- RFE: investigate the new SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP seccomp() flag HOT 1
- Q: new release request HOT 1
- BUG: test 29 is broken on aarch64 HOT 6
- Q: use a whitelist, and notify when the process tries to use a syscall that is not on the whitelist HOT 8
- BUG: Compiler warning in gen_bpf.c HOT 1
- Q: can this library be used for Android HOT 1
- RFE: update the syscall table in the main branch HOT 1
- Q: time schedule for the release of 2.6.0 HOT 2
- Q: Is there a next release plan HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from libseccomp.