Comments (22)

shaba avatar shaba commented on June 26, 2024 2

I didn't know there were no significant syscall changes either. It's good to know a release is not needed. We just wanted to have an updated libseccomp for current kernels.

For loongarch support I can wait for the next major release.

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024 2

This summer I'll work on paring down the open issues for 2.6.0. We have a lot of cool features there that I would love to get released.

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024 2

For those watching this issue - I have just released libseccomp v2.5.5. Thanks for all the help 👍

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024 1

> This summer I'll work on paring down the open issues for 2.6.0. We have a lot of cool features there that I would love to get released.

Yeah, I've been trying to carve out one day a week to work on libseccomp lately ... although most weeks I've been failing miserably at that :/

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024 1

@shaba I'm going to go ahead and close this out as I think we've resolved your concern, but if I'm mistaken please feel free to re-open.

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024 1

> Yeah, I've been trying to carve out one day a week to work on libseccomp lately ... although most weeks I've been failing miserably at that :/

Sounds all too familiar :)

from libseccomp.

vt-alt avatar vt-alt commented on June 26, 2024 1

Because it's impossible to add an exact syscall that is present in the kernel but not in libseccomp (such as fchmodat2), it's impossible to create workarounds for adding syscalls (for example, just ENOSYS them altogether) that are not yet supported by libseccomp.

Please make libseccomp synchronized with the current kernel version? Or allow adding unsupported syscalls?

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024 1

> Please make libseccomp synchronized with the current kernel version?

#406 (comment)

> Or allow adding unsupported syscalls?

See seccomp_add_rule_exact(), it should allow arbitrary syscall numbers; we use it all the time in the bundled regression tests.

from libseccomp.
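The workaround discussed above (let the filter answer ENOSYS for syscall numbers the kernel knows but the installed libseccomp table does not, which is also what the systemd change further down in the thread does) as an added example; this is not libseccomp's or systemd's code. It builds the raw seccomp-BPF program that `seccomp_add_rule_exact(ctx, SCMP_ACT_ERRNO(ENOSYS), 452, 0)` would produce for one or more numbers, and includes a small evaluator for the three BPF opcodes the filter uses so the program can be checked offline before it is installed. Assumptions: 452 is fchmodat2 in the kernel's x86_64 and asm-generic tables (taken from `<sys/syscall.h>` when `__NR_fchmodat2` is defined there), `ARCH_NR` is set for x86_64 and aarch64 only, and the constructed probe inputs stand in for real syscall entries.

```c
/* Added example: raw seccomp-BPF "ENOSYS for unknown numbers" filter. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* pre-4.14 UAPI headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#ifdef __NR_fchmodat2
#define NR_FCHMODAT2 __NR_fchmodat2
#else
#define NR_FCHMODAT2 452                  /* assumed: x86_64 / asm-generic number for fchmodat2 */
#endif

#define MAX_DENY 16
#define RET_ENOSYS (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA))

struct enosys_filter {
    struct sock_filter insns[4 + MAX_DENY + 2];
    size_t len;
};

/* Layout: check arch (kill on mismatch), load nr, one JEQ per denied number
 * that jumps to the ERRNO return, then ALLOW for everything else. */
static int build_enosys_filter(struct enosys_filter *f, const int *nrs, size_t count)
{
    if (count == 0 || count > MAX_DENY)
        return -1;
    size_t i = 0;
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                                 offsetof(struct seccomp_data, arch));
    f->insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                                 offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < count; j++) {
        /* on match skip the remaining compares and the ALLOW; the ERRNO return is last */
        f->insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                     (uint32_t)nrs[j],
                                                     (uint8_t)(count - j), 0);
    }
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, RET_ENOSYS);
    f->len = i;
    return 0;
}

/* Minimal evaluator for the opcodes used above; anything else is treated as KILL. */
static uint32_t run_filter(const struct sock_filter *insns, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n;) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);   /* load a 32-bit field */
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Install for the calling thread; NO_NEW_PRIVS is required without CAP_SYS_ADMIN. */
static int install_enosys_filter(const struct enosys_filter *f)
{
    struct sock_fprog prog = { .len = (unsigned short)f->len,
                               .filter = (struct sock_filter *)f->insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    int deny[] = { NR_FCHMODAT2 };
    struct enosys_filter f;
    if (build_enosys_filter(&f, deny, 1) != 0)
        return 1;
    struct seccomp_data probe = { .nr = NR_FCHMODAT2, .arch = ARCH_NR };   /* constructed input */
    printf("offline: nr %d -> 0x%08x (ENOSYS return is 0x%08x)\n",
           probe.nr, run_filter(f.insns, f.len, &probe), (unsigned)RET_ENOSYS);
    if (install_enosys_filter(&f) != 0) {
        perror("seccomp install");
        return 1;
    }
    errno = 0;
    long r = syscall(NR_FCHMODAT2, 0, 0, 0, 0);   /* the filter answers before the kernel runs it */
    printf("live: syscall(%d) = %ld, errno = %d (%s)\n", NR_FCHMODAT2, r, errno, strerror(errno));
    return 0;
}
```

The offline evaluator is what makes this safe to iterate on: the filter can be checked against the numbers it should reject, a number it should allow, and a wrong `arch` value, all before `prctl()` ever installs it, which is the same discipline as inspecting `seccomp_export_pfc()` output from libseccomp.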

vt-alt avatar vt-alt commented on June 26, 2024 1

> See seccomp_add_rule_exact(), it should allow arbitrary syscall numbers; we use it all the time in the bundled regression tests.

Ah, thanks. We misinterpreted -EFAULT when adding a rule (with seccomp_add_rule_exact) for a non-native arch (for SCMP_ARCH_X86 on SCMP_ARCH_X86_64). For the native arch it works well.

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024 1

@drakenclimber see above. I'll send you an email this morning.

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024

Thoughts @drakenclimber?

It's been roughly a year since the last v2.5.x release, and while I don't see any significant changes in the release-2.5 branch, a new release with an updated syscall table might be a good idea.

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024

> Thoughts @drakenclimber?
>
> It's been roughly a year since the last v2.5.x release, and while I don't see any significant changes in the release-2.5 branch, a new release with an updated syscall table might be a good idea.

Yeah, I definitely support doing a new 2.5.x release. I have some obligations that will likely consume the next few weeks, but I should have time after that. Does June or July sound reasonable?

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024

Next week I'm going to be spending some quality time stuck on planes/airports, I might be able to put a release together next week, but I don't want to step on your toes :)

I am doing two PRs to update the syscall tables on main and release-2.5, and it looks like we don't need to update main (no syscall changes between v6.2 and v6.3).

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024

> Next week I'm going to be spending some quality time stuck on planes/airports, I might be able to put a release together next week, but I don't want to step on your toes :)
>
> I am doing two PRs to update the syscall tables on main and release-2.5, and it looks like we don't need to update main (no syscall changes between v6.2 and v6.3).

If you have the time and the desire to release v2.5.5, I'm totally cool with that. I know you've been pretty busy lately, so I didn't want to burden you with more work.

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024

I should have time to help review/test the v2.5.5 release if you want a second set of eyes.

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024

Actually, wait a minute ... looking at the syscall table changes between Linux v5.17 (what we shipped in the libseccomp v2.5.4 release) and Linux v6.3 I only see one change: memfd_secret() is defined for riscv64. Given the limitations of memfd_secret() I'm beginning to wonder if a new release is really worth it ... ?

@shaba what problems are you seeing with libseccomp v2.5.4 that you need a new release with updated kernel support?

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024

Related PR to update the release-2.5 branch with the Linux v6.3 syscall information:

from libseccomp.

vt-alt avatar vt-alt commented on June 26, 2024

There are three new syscalls since then already on v6.6-rc1 (cachestat (since 6.5), fchmodat2, and map_shadow_stack); can you add them with a minor release?

from libseccomp.

pcmoore avatar pcmoore commented on June 26, 2024

We are working on a minor release, although there is no set date yet, so please don't ask ;)

from libseccomp.

keszybz avatar keszybz commented on June 26, 2024

glibc started using fchmodat2 to implement fchmod with flags [1], so the lack of support for fchmodat2 in libseccomp is causing problems with programs sandboxed by systemd. In particular, tar now fails with the default SystemCallFilter="@system-service" sandbox [2]. We'd appreciate a quick release to support fchmodat2.

[1] bminor/glibc@65341f7
[2] systemd/systemd#30250

from libseccomp.

keszybz avatar keszybz commented on June 26, 2024

systemd/systemd#30291 makes systemd handle unknown (to itself or libseccomp) syscalls gracefully by returning ENOSYS. So the ask here is less urgent: things should work as before, but we need an updated libseccomp to allow users to specify fchmodat2 in filters and/or to use it from sandboxed services.

from libseccomp.

drakenclimber avatar drakenclimber commented on June 26, 2024

Thanks, @keszybz. That looks like a good addition to systemd.

I'm going to start working on the 2.5.5 release right now. It's been long overdue.

from libseccomp.
