diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index cc8bf3d..ee9ca30 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -1,6 +1,6 @@ { "ImportPath": "github.com/subgraph/oz", - "GoVersion": "go1.4.2", + "GoVersion": "go1.3.3", "Packages": [ "./..." ], @@ -35,6 +35,10 @@ { "ImportPath": "github.com/op/go-logging", "Rev": "e8d5414f0947014548c2334044a0fac13187dfee" + }, + { + "ImportPath": "github.com/subgraph/go-seccomp", + "Rev": "2eb74b38c2f37e0f48efa3a0974fd2e4edbd0ef5" } ] } diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/LICENSE b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/LICENSE new file mode 100644 index 0000000..972bb2e --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/LICENSE @@ -0,0 +1,27 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_386.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_386.go new file mode 100644 index 0000000..ac1fc54 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_386.go @@ -0,0 +1,13 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package seccomp + +// #include +import "C" + +const ( + auditArch = C.AUDIT_ARCH_I386 + nbits = 32 +) diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_amd64.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_amd64.go new file mode 100644 index 0000000..90b5e6c --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_amd64.go @@ -0,0 +1,13 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package seccomp + +// #include +import "C" + +const ( + auditArch = C.AUDIT_ARCH_X86_64 + nbits = 64 +) diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_arm.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_arm.go new file mode 100644 index 0000000..d720ec4 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/audit_arm.go @@ -0,0 +1,13 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package seccomp + +// #include +import "C" + +const ( + auditArch = C.AUDIT_ARCH_ARM + nbits = 32 +) diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/bpf.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/bpf.go new file mode 100644 index 0000000..ebd6f23 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/bpf.go @@ -0,0 +1,107 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package seccomp + +import ( + "fmt" +) + +// #include +import "C" + +// BPF machine opcodes. These are the only ones we use. +const ( + opLOAD = C.BPF_LD + C.BPF_W + C.BPF_ABS + opJEQ = C.BPF_JMP + C.BPF_JEQ + C.BPF_K + opJSET = C.BPF_JMP + C.BPF_JSET + C.BPF_K + opJUMP = C.BPF_JMP + C.BPF_JA + opRET = C.BPF_RET + C.BPF_K +) + +// SockFilter encodes one BPF machine instruction. +// This struct mirrors struct sock_filter from . +type SockFilter struct { + Code uint16 // Actual filter code. + JT uint8 // Jump true. + JF uint8 // Jump false. + K uint32 // Generic multiuse field. +} + +// SockFprog encodes a BPF machine program. +// This struct mirrors struct sock_fprog from . +type SockFprog struct { + Len uint16 // Number of BPF machine instructions. + Filter *SockFilter // Pointer to the first instruction. +} + +// C versions of the structs used for sanity checking. +type sock_filter C.struct_sock_filter +type sock_fprog C.struct_sock_fprog + +// bpfInsn constructs one BPF machine instruction. +func bpfInsn(code uint16, k uint32, jt, jf uint8) SockFilter { + return SockFilter{code, jt, jf, k} +} + +// bpfStmt constructs one BPF machine statement. +func bpfStmt(code uint16, k uint32) SockFilter { + return bpfInsn(code, k, 0, 0) +} + +// bpfLoad returns the instruction to load the word at the given offset. +func bpfLoad(offset uintptr) SockFilter { + return bpfStmt(opLOAD, uint32(offset)) +} + +// bpfJeq returns an instruction encoding "jump-if-equal". +// Register A is compared with val. +// Both jt and jf are relative offsets. Offset 0 means fallthrough. +func bpfJeq(val uint32, jt, jf uint8) SockFilter { + return bpfInsn(opJEQ, val, jt, jf) +} + +// bpfJset returns an instruction encoding "jump-if-set". +// Register A is bitwise anded with val and result compared with zero. +// Both jt and jf are relative offsets. Offset 0 means fallthrough. +func bpfJset(val uint32, jt, jf uint8) SockFilter { + return bpfInsn(opJSET, val, jt, jf) +} + +// bpfJump returns an instruction encoding an unconditional jump to a relative offset. +// Offset 0 means fallthrough (NOP). +func bpfJump(offset int) SockFilter { + return bpfStmt(opJUMP, uint32(offset)) +} + +// bpfRet returns the instruction to return the value val. +func bpfRet(val uint32) SockFilter { + return bpfStmt(opRET, val) +} + +// String returns a readable representation of a BPF machine instruction. +func (f SockFilter) String() string { + var code string + switch f.Code { + case opLOAD: + code = "Load" + case opJEQ: + code = "Jeq" + case opJSET: + code = "Jset" + case opJUMP: + code = "Jump" + case opRET: + code = "Return" + default: + code = fmt.Sprintf("%04x", f.Code) + } + return fmt.Sprintf("%8s %08x, %02x, %02x\n", code, f.K, f.JT, f.JF) +} + +// ptr returns a pointer to a copy of the argument, useful in cases +// where the & syntax isn't allowed. e.g. ptr(bpfInsn(...)). +func ptr(f SockFilter) *SockFilter { + return &f +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/sanity_test.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/sanity_test.go new file mode 100644 index 0000000..5f5741e --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/sanity_test.go @@ -0,0 +1,175 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package seccomp + +import ( + "testing" + "unsafe" +) + +func TestSockFilter(t *testing.T) { + var f SockFilter + var cf sock_filter + tests := []struct { + desc string + g, c uintptr + }{ + { + "Sizeof(SockFilter)", + unsafe.Sizeof(f), + unsafe.Sizeof(cf), + }, + { + "Sizeof(SockFilter.Code)", + unsafe.Sizeof(f.Code), + unsafe.Sizeof(cf.code), + }, + { + "Offsetof(SockFilter.Code)", + unsafe.Offsetof(f.Code), + unsafe.Offsetof(cf.code), + }, + { + "Sizeof(SockFilter.Jt)", + unsafe.Sizeof(f.JT), + unsafe.Sizeof(cf.jt), + }, + { + "Offsetof(SockFilter.Jt)", + unsafe.Offsetof(f.JT), + unsafe.Offsetof(cf.jt), + }, + { + "Sizeof(SockFilter.Jf)", + unsafe.Sizeof(f.JF), + unsafe.Sizeof(cf.jf), + }, + { + "Offsetof(SockFilter.Jf)", + unsafe.Offsetof(f.JF), + unsafe.Offsetof(cf.jf), + }, + { + "Sizeof(SockFilter.K)", + unsafe.Sizeof(f.K), + unsafe.Sizeof(cf.k), + }, + { + "Offsetof(SockFilter.K)", + unsafe.Offsetof(f.K), + unsafe.Offsetof(cf.k), + }, + } + for _, test := range tests { + if test.g != test.c { + t.Errorf("%s = %v; want %v", test.desc, test.g, test.c) + } + } +} + +func TestSockFprog(t *testing.T) { + var p SockFprog + var cp sock_fprog + tests := []struct { + desc string + g, c uintptr + }{ + { + "Sizeof(SockFprog)", + unsafe.Sizeof(p), + unsafe.Sizeof(cp), + }, + { + "Sizeof(SockFprog.Len)", + unsafe.Sizeof(p.Len), + unsafe.Sizeof(cp.len), + }, + { + "Offsetof(SockFprog.Len)", + unsafe.Offsetof(p.Len), + unsafe.Offsetof(cp.len), + }, + { + "Sizeof(SockFprog.Filter)", + unsafe.Sizeof(p.Filter), + unsafe.Sizeof(cp.filter), + }, + { + "Offsetof(SockFprog.Filter)", + unsafe.Offsetof(p.Filter), + unsafe.Offsetof(cp.filter), + }, + } + for _, test := range tests { + if test.g != test.c { + t.Errorf("%s = %v; want %v", test.desc, test.g, test.c) + } + } +} + +func TestSeccompData(t *testing.T) { + var d SeccompData + var cd seccomp_data + tests := []struct { + desc string + g, c uintptr + }{ + { + "Sizeof(SeccompData)", + unsafe.Sizeof(d), + unsafe.Sizeof(cd), + }, + { + "Sizeof(SeccompData.NR)", + unsafe.Sizeof(d.NR), + unsafe.Sizeof(cd.nr), + }, + { + "Offsetof(SeccompData.NR)", + unsafe.Offsetof(d.NR), + unsafe.Offsetof(cd.nr), + }, + { + "Sizeof(SeccompData.Arch)", + unsafe.Sizeof(d.Arch), + unsafe.Sizeof(cd.arch), + }, + { + "Offsetof(SeccompData.Arch)", + unsafe.Offsetof(d.Arch), + unsafe.Offsetof(cd.arch), + }, + { + "Sizeof(SeccompData.InstructionPointer)", + unsafe.Sizeof(d.InstructionPointer), + unsafe.Sizeof(cd.instruction_pointer), + }, + { + "Offsetof(SeccompData.InstructionPointer)", + unsafe.Offsetof(d.InstructionPointer), + unsafe.Offsetof(cd.instruction_pointer), + }, + { + "Sizeof(SeccompData.Args)", + unsafe.Sizeof(d.Args), + unsafe.Sizeof(cd.args), + }, + { + "Offsetof(SeccompData.Args)", + unsafe.Offsetof(d.Args), + unsafe.Offsetof(cd.args), + }, + { + "Sizeof(SeccompData.Args[0])", + unsafe.Sizeof(d.Args[0]), + unsafe.Sizeof(cd.args[0]), + }, + } + for _, test := range tests { + if test.g != test.c { + t.Errorf("%s = %v; want %v", test.desc, test.g, test.c) + } + } +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp.go new file mode 100644 index 0000000..eda7f34 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp.go @@ -0,0 +1,494 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Package seccomp implements support for compiling and installing Seccomp-BPF policy files. +// - http://www.chromium.org/chromium-os/developer-guide/chromium-os-sandboxing +// +// Typical usage: +// // Check for the required kernel support for seccomp. +// if err := seccomp.CheckSupport(); err != nil { +// log.Fatal(err) +// } +// +// // Compile BPF program from a Chromium-OS policy file. +// bpf, err := seccomp.Compile(path) +// if err != nil { +// log.Fatal(err) +// } +// +// // Install Seccomp-BPF filter program with the kernel. +// if err := seccomp.Install(bpf); err != nil { +// log.Fatal(err) +// } +// +// For background and more information: +// - http://www.tcpdump.org/papers/bpf-usenix93.pdf +// - http://en.wikipedia.org/wiki/Seccomp +// - http://lwn.net/Articles/475043/ +// - http://outflux.net/teach-seccomp/ +// - http://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt +// - http://github.com/torvalds/linux/blob/master/kernel/seccomp.c +// +// TODO: +// - Exit the program if any thread is killed because of seccomp violation. +// - Provide a debug mode to log system calls used during normal operation. +package seccomp + +import ( + "bytes" + "fmt" + "io/ioutil" + "regexp" + "runtime" + "strconv" + "strings" + "syscall" + "unsafe" +) + +// #include +// #include "unistd_64.h" +// #include "seccomp.h" +import "C" + +// SeccompData is the format the BPF program executes over. +// This struct mirrors struct seccomp_data from . +type SeccompData struct { + NR int32 // The system call number. + Arch uint32 // System call convention as an AUDIT_ARCH_* value. + InstructionPointer uint64 // At the time of the system call. + Args [6]uint64 // System call arguments (always stored as 64-bit values). +} + +// C version of the struct used for sanity checking. +type seccomp_data C.struct_seccomp_data + +// bpfLoadNR returns the instruction to load the NR field in SeccompData. +func bpfLoadNR() SockFilter { + return bpfLoad(unsafe.Offsetof(SeccompData{}.NR)) +} + +// bpfLoadArch returns the instruction to load the Arch field in SeccompData. +func bpfLoadArch() SockFilter { + return bpfLoad(unsafe.Offsetof(SeccompData{}.Arch)) +} + +// bpfLoadArg returns the instruction to load one word of an argument in SeccompData. +func bpfLoadArg(arg, word int) SockFilter { + return bpfLoad(unsafe.Offsetof(SeccompData{}.Args) + uintptr(((2*arg)+word)*4)) +} + +// retKill returns the code for seccomp kill action. +func retKill() uint32 { + return C.SECCOMP_RET_KILL +} + +// retTrap returns the code for seccomp trap action. +func retTrap() uint32 { + return C.SECCOMP_RET_TRAP +} + +// retErrno returns the code for seccomp errno action with the specified errno embedded. +func retErrno(errno syscall.Errno) uint32 { + return C.SECCOMP_RET_ERRNO | (uint32(errno) & C.SECCOMP_RET_DATA) +} + +// retAllow returns the code for seccomp allow action. +func retAllow() uint32 { + return C.SECCOMP_RET_ALLOW +} + +// policy represents the seccomp policy for a single syscall. +type policy struct { + // name of the syscall. + name string + + // expr is evaluated on the syscall arguments. + // nil expr evaluates to false. + expr orExpr + + // then is executed if the expr evaluates to true. + // (cannot be specified in policy file, used in tests only). + then SockFilter + + // default action (else) if the expr evaluates to false. + // nil means jump to end of program for the overall default. + def *SockFilter +} + +// orExpr is a list of and expressions. +type orExpr []andExpr + +// andExpr is a list of arg comparisons. +type andExpr []argComp + +// argComp represents a basic argument comparison in the policy. +type argComp struct { + idx int // 0..5 for indexing into SeccompData.Args. + oper string // comparison operator: "==", "!=", or "&". + val uint64 // upper 32 bits compared only if nbits>32. +} + +// String converts the internal policy representation back to policy file syntax. +func (p policy) String() string { + var buf bytes.Buffer + fmt.Fprintf(&buf, "%s: ", p.name) + + for i, and := range p.expr { + if i > 0 { + fmt.Fprintf(&buf, " || ") + } + for j, arg := range and { + if j > 0 { + fmt.Fprintf(&buf, " && ") + } + fmt.Fprintf(&buf, "arg%d %s %#x", arg.idx, arg.oper, arg.val) + } + } + + pret := func(f SockFilter) { + if f.Code == opRET { + switch f.K & C.SECCOMP_RET_ACTION { + case C.SECCOMP_RET_ALLOW: + fmt.Fprintf(&buf, "1") + return + case C.SECCOMP_RET_ERRNO: + fmt.Fprintf(&buf, "return %d", f.K&C.SECCOMP_RET_DATA) + return + } + } + fmt.Fprintf(&buf, "%s", f) + } + if p.then != bpfRet(retAllow()) { + fmt.Fprintf(&buf, " ? ") + pret(p.then) + } + if p.def != nil { + if p.expr != nil { + fmt.Fprintf(&buf, "; ") + } + pret(*p.def) + } + + return buf.String() +} + +// Syntax of policy line for a single syscall. +var ( + allowRE = regexp.MustCompile(`^([[:word:]]+) *: *1$`) + returnRE = regexp.MustCompile(`^([[:word:]]+) *: *return *([[:word:]]+)$`) + exprRE = regexp.MustCompile(`^([[:word:]]+) *:([^;]+)$`) + exprReturnRE = regexp.MustCompile(`^([[:word:]]+) *:([^;]+); *return *([[:word:]]+)$`) + + argRE = regexp.MustCompile(`^arg([0-5]) *(==|!=|&) *([[:word:]]+)$`) +) + +// parseLine parses the policy line for a single syscall. +func parseLine(line string) (policy, error) { + var name, expr, ret string + var then SockFilter + var def *SockFilter + + line = strings.TrimSpace(line) + if match := allowRE.FindStringSubmatch(line); match != nil { + name = match[1] + def = ptr(bpfRet(retAllow())) + } else if match = returnRE.FindStringSubmatch(line); match != nil { + name = match[1] + ret = match[2] + } else if match = exprRE.FindStringSubmatch(line); match != nil { + name = match[1] + expr = match[2] + } else if match = exprReturnRE.FindStringSubmatch(line); match != nil { + name = match[1] + expr = match[2] + ret = match[3] + } else { + return policy{}, fmt.Errorf("invalid syntax") + } + + if _, ok := syscallNum[name]; !ok { + return policy{}, fmt.Errorf("unknown syscall: %s", name) + } + + var or orExpr + if expr != "" { + for _, sub := range strings.Split(expr, "||") { + var and andExpr + for _, arg := range strings.Split(sub, "&&") { + arg = strings.TrimSpace(arg) + match := argRE.FindStringSubmatch(arg) + if match == nil { + return policy{}, fmt.Errorf("invalid expression: %s", arg) + } + idx, err := strconv.Atoi(match[1]) + if err != nil { + return policy{}, fmt.Errorf("invalid arg: %s", arg) + } + oper := match[2] + val, err := strconv.ParseUint(match[3], 0, 64) + if err != nil { + return policy{}, fmt.Errorf("invalid value: %s", arg) + } + and = append(and, argComp{idx, oper, val}) + } + or = append(or, and) + } + } + + then = bpfRet(retAllow()) + + if ret != "" { + errno, err := strconv.ParseUint(ret, 0, 16) + if err != nil { + return policy{}, fmt.Errorf("invalid errno: %s", ret) + } + def = ptr(bpfRet(retErrno(syscall.Errno(errno)))) + } + + return policy{name, or, then, def}, nil +} + +// parseLines parses multiple policy lines, each one for a single syscall. +// Empty lines and lines beginning with "#" are ignored. +// Multiple policies for a syscall are detected and reported as error. +func parseLines(lines []string) ([]policy, error) { + var ps []policy + seen := make(map[string]int) + for i, line := range lines { + lineno := i + 1 + if line == "" || strings.HasPrefix(line, "#") { + continue + } + p, err := parseLine(line) + if err != nil { + return nil, fmt.Errorf("line %d: %v", lineno, err) + } + if seen[p.name] > 0 { + return nil, fmt.Errorf("lines %d,%d: multiple policies for %s", + seen[p.name], lineno, p.name) + } + seen[p.name] = lineno + ps = append(ps, p) + } + return ps, nil +} + +// parseFile reads a Chromium-OS Seccomp-BPF policy file and parses its contents. +func parseFile(path string) ([]policy, error) { + file, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + return parseLines(strings.Split(string(file), "\n")) +} + +// compile compiles a Seccomp-BPF program implementing the syscall policies. +// long specifies whether to generate 32-bit or 64-bit argument comparisons. +// def is the overall default action to take when the syscall does not match +// any policy in the filter. +func compile(ps []policy, long bool, def SockFilter) ([]SockFilter, error) { + var bpf []SockFilter + do := func(insn SockFilter) { + bpf = append(bpf, insn) + } + + // ref maps a label to addresses of all the instructions that jump to it. + ref := make(map[string][]int) + jump := func(name string) { + // jump to a label with unresolved address: insert a placeholder instruction. + ref[name] = append(ref[name], len(bpf)) + do(SockFilter{}) + } + label := func(name string) { + // label address resolved: replace placeholder instructions with actual jumps. + for _, i := range ref[name] { + bpf[i] = bpfJump(len(bpf) - (i + 1)) + } + delete(ref, name) + } + + // Conditional jumps: jump if condition is true, fall through otherwise. + jeq := func(val uint32, target string) { + // if A == val { goto target } + do(bpfJeq(val, 0, 1)) + jump(target) + } + jne := func(val uint32, target string) { + // if A != val { goto target } + do(bpfJeq(val, 1, 0)) + jump(target) + } + jset := func(val uint32, target string) { + // if A&val != 0 { goto target } + do(bpfJset(val, 0, 1)) + jump(target) + } + jnset := func(val uint32, target string) { + // if A&val == 0 { goto target } + do(bpfJset(val, 1, 0)) + jump(target) + } + + do(bpfLoadArch()) + do(bpfJeq(auditArch, 1, 0)) + do(bpfRet(retKill())) + + do(bpfLoadNR()) + for _, p := range ps { + nr, ok := syscallNum[p.name] + if !ok { + return nil, fmt.Errorf("unknown syscall: %s", p.name) + } + jne(uint32(nr), "nextcall") + for _, and := range p.expr { + for _, arg := range and { + val := struct{ high, low uint32 }{uint32(arg.val >> 32), uint32(arg.val)} + switch arg.oper { + case "==": + if long { + do(bpfLoadArg(arg.idx, 1)) + jne(val.high, "nextor") + } + do(bpfLoadArg(arg.idx, 0)) + jne(val.low, "nextor") + case "!=": + if long { + do(bpfLoadArg(arg.idx, 1)) + jne(val.high, "nextand") + } + do(bpfLoadArg(arg.idx, 0)) + jeq(val.low, "nextor") + case "&": + if long { + do(bpfLoadArg(arg.idx, 1)) + jset(val.high, "nextand") + } + do(bpfLoadArg(arg.idx, 0)) + jnset(val.low, "nextor") + default: + return nil, fmt.Errorf("unknown operator: %q", arg.oper) + } + + // Comparison was satisfied. Move on to the next comparison in &&. + label("nextand") + } + + // All comparisons in && were satisfied. + do(p.then) + + // Some comparison in && was false. Move on to the next expression in ||. + label("nextor") + } + + // All expressions in || evaluated to false (or expr was nil). + if p.def != nil { + do(*p.def) + } else { + jump("default") + } + + label("nextcall") + } + + label("default") + do(def) + + if len(ref) > 0 { + return nil, fmt.Errorf("unresolved labels: %v\n%v", ref, bpf) + } + return bpf, nil +} + +// Compile reads a Chromium-OS policy file and compiles a +// Seccomp-BPF filter program implementing the policies. +func Compile(path string) ([]SockFilter, error) { + ps, err := parseFile(path) + if err != nil { + return nil, err + } + return compile(ps, nbits > 32, bpfRet(retKill())) +} + +// prctl is a wrapper for the 'prctl' system call. +// See 'man prctl' for details. +func prctl(option uintptr, args ...uintptr) error { + if len(args) > 4 { + return syscall.E2BIG + } + var arg [4]uintptr + copy(arg[:], args) + _, _, e := syscall.Syscall6(C.__NR_prctl, option, arg[0], arg[1], arg[2], arg[3], 0) + if e != 0 { + return e + } + return nil +} + +// seccomp is a wrapper for the 'seccomp' system call. +// See for valid op and flag values. +// uargs is typically a pointer to struct sock_fprog. +func seccomp(op, flags uintptr, uargs unsafe.Pointer) error { + _, _, e := syscall.Syscall(C.__NR_seccomp, op, flags, uintptr(uargs)) + if e != 0 { + return e + } + return nil +} + +// CheckSupport checks for the required seccomp support in the kernel. +func CheckSupport() error { + // This is based on http://outflux.net/teach-seccomp/autodetect.html. + if err := prctl(C.PR_GET_SECCOMP); err != nil { + return fmt.Errorf("seccomp not available: %v", err) + } + if err := prctl(C.PR_SET_SECCOMP, C.SECCOMP_MODE_FILTER, 0); err != syscall.EFAULT { + return fmt.Errorf("seccomp filter not available: %v", err) + } + if err := seccomp(C.SECCOMP_SET_MODE_FILTER, 0, nil); err != syscall.EFAULT { + return fmt.Errorf("seccomp syscall not available: %v", err) + } + if err := seccomp(C.SECCOMP_SET_MODE_FILTER, C.SECCOMP_FILTER_FLAG_TSYNC, nil); err != syscall.EFAULT { + return fmt.Errorf("seccomp tsync not available: %v", err) + } + return nil +} + +// Load makes the seccomp system call to install the bpf filter for +// all threads (with tsync). prctl(set_no_new_privs, 1) must have +// been called (from the same thread) before calling Load for the +// first time. +// Most users of this library should use Install instead of calling +// Load directly. There are a couple of situations where it may be +// necessary to use Load instead of Install: +// - If a previous call to Install has disabled the 'prctl' system +// call, Install cannot be called again. In that case, it is safe +// to add additional filters directly with Load. +// - If the process is running as a priviledged user, and you want +// to load the seccomp filter without setting no_new_privs. +func Load(bpf []SockFilter) error { + if size, limit := len(bpf), 0xffff; size > limit { + return fmt.Errorf("filter program too big: %d bpf instructions (limit = %d)", size, limit) + } + prog := &SockFprog{ + Filter: &bpf[0], + Len: uint16(len(bpf)), + } + return seccomp(C.SECCOMP_SET_MODE_FILTER, C.SECCOMP_FILTER_FLAG_TSYNC, unsafe.Pointer(prog)) +} + +// Install makes the necessary system calls to install the Seccomp-BPF +// filter for the current process (all threads). Install can be called +// multiple times to install additional filters. +func Install(bpf []SockFilter) error { + // prctl(set_no_new_privs, 1) must be called (from the same thread) + // before a seccomp filter can be installed by an unprivileged user: + // - http://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt. + runtime.LockOSThread() + defer runtime.UnlockOSThread() + if err := prctl(C.PR_SET_NO_NEW_PRIVS, 1); err != nil { + return err + } + return Load(bpf) +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp.h b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp.h new file mode 100644 index 0000000..df94ea0 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp.h @@ -0,0 +1,54 @@ +#ifndef _UAPI_LINUX_SECCOMP_H +#define _UAPI_LINUX_SECCOMP_H + +// #include +#include + + +/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, ) */ +#define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */ +#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */ +#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ + +/* Valid operations for seccomp syscall. */ +#define SECCOMP_SET_MODE_STRICT 0 +#define SECCOMP_SET_MODE_FILTER 1 + +/* Valid flags for SECCOMP_SET_MODE_FILTER */ +#define SECCOMP_FILTER_FLAG_TSYNC 1 + +/* + * All BPF programs must return a 32-bit value. + * The bottom 16-bits are for optional return data. + * The upper 16-bits are ordered from least permissive values to most. + * + * The ordering ensures that a min_t() over composed return values always + * selects the least permissive choice. + */ +#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ +#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ +#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ +#define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */ +#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ + +/* Masks for the return value sections. */ +#define SECCOMP_RET_ACTION 0x7fff0000U +#define SECCOMP_RET_DATA 0x0000ffffU + +/** + * struct seccomp_data - the format the BPF program executes over. + * @nr: the system call number + * @arch: indicates system call convention as an AUDIT_ARCH_* value + * as defined in . + * @instruction_pointer: at the time of the system call. + * @args: up to 6 system call arguments always stored as 64-bit values + * regardless of the architecture. + */ +struct seccomp_data { + int nr; + __u32 arch; + __u64 instruction_pointer; + __u64 args[6]; +}; + +#endif /* _UAPI_LINUX_SECCOMP_H */ diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp_test.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp_test.go new file mode 100644 index 0000000..a5b90ab --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/seccomp_test.go @@ -0,0 +1,529 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package seccomp + +import ( + "flag" + "os" + "runtime" + "syscall" + "testing" + "unsafe" +) + +var ( + parseFilePath = flag.String("parse_file", "", "path for TestParseFile") + testInstall = flag.Bool("test_install", false, "enable TestInstall (use with -cpu=N)") + testEndian = flag.Bool("test_endian", false, "enable TestEndian") +) + +func TestParseLine(t *testing.T) { + tests := []struct { + policy string + want string + err string + }{ + {policy: "read: 1"}, + {policy: "open: return 1"}, + {policy: "prctl: arg0 == 0xf"}, + {policy: "prctl: arg0 != 0xf"}, + {policy: "ioctl: arg1 & 0x5401"}, + {policy: "ioctl: arg1 == 0x4024700a || arg1 == 0x541b"}, + {policy: "ioctl: arg1 == 0x4024700a && arg1 == 0x541b"}, + {policy: "ioctl: arg1 == 0x5401 || arg1 == 0x700a || arg2 & 0x541b"}, + {policy: "ioctl: arg1 == 0x5401 && arg1 == 0x700a && arg3 & 0x541b"}, + {policy: "ioctl: arg1 == 0x5401 || arg1 == 0x700a && arg4 & 0x541b"}, + {policy: "ioctl: arg1 == 0x5401 && arg1 == 0x700a || arg5 & 0x541b"}, + {policy: "ioctl: arg1 == 0x5401 && arg1 == 0x700a || arg5 & 0x541b; return 1"}, + { + // different spacing around colon. + policy: "read :1", + want: "read: 1", + }, + { + // leading and trailing whitespace. + policy: " open : return 1 ", + want: "open: return 1", + }, + { + // return hexadecimal errno. + policy: "open: return 0x10", + want: "open: return 16", + }, + { + // return octal errno. + policy: "open: return 010", + want: "open: return 8", + }, + { + // return highest errno. + policy: "open: return 0xffff", + want: "open: return 65535", + }, + { + // expression with no spaces. + policy: "ioctl:arg1==0x5401&&arg1==0x700a||arg2&0x541b", + want: "ioctl: arg1 == 0x5401 && arg1 == 0x700a || arg2 & 0x541b", + }, + { + // compare with decimal value. + policy: "ioctl: arg1 == 5401 && arg1 == 0x700a || arg2 & 0x541b", + want: "ioctl: arg1 == 0x1519 && arg1 == 0x700a || arg2 & 0x541b", + }, + { + // compare with octal value. + policy: "ioctl: arg1 == 05401 && arg1 == 0x700a || arg2 & 0x541b", + want: "ioctl: arg1 == 0xb01 && arg1 == 0x700a || arg2 & 0x541b", + }, + { + // all decimal comparisons. + policy: "clone: arg0 == 1 || arg0 == 2 || arg0 == 16", + want: "clone: arg0 == 0x1 || arg0 == 0x2 || arg0 == 0x10", + }, + { + // missing syscall name. + policy: ": 1", + err: "invalid syntax", + }, + { + // malformed syscall name. + policy: "two words: 1", + err: "invalid syntax", + }, + { + // missing colon. + policy: "read = 1", + err: "invalid syntax", + }, + { + // trailing semicolon after return. + policy: "open: return 1;", + err: "invalid syntax", + }, + { + // trailing semicolon after expression. + policy: "prctl: arg0 == 0xf;", + err: "invalid syntax", + }, + { + // missing return after semicolon. + policy: "prctl: arg0 == 0xf; 1", + err: "invalid syntax", + }, + { + // bad syscall name. + policy: "bad: 1", + err: "unknown syscall: bad", + }, + { + // symbolic errno is not supported. + policy: "open: return EPERM", + err: "invalid errno: EPERM", + }, + { + // errno must fit in 16 bits. + policy: "open: return 0x10000", + err: "invalid errno: 0x10000", + }, + { + // missing argument index. + policy: "prctl: arg == 0xf", + err: "invalid expression: arg == 0xf", + }, + { + // arg index out of range. + policy: "prctl: arg6 == 0xf", + err: "invalid expression: arg6 == 0xf", + }, + { + // bitwise and with argument not supported. + policy: "prctl: arg0 & 0xf == 0xf", + err: "invalid expression: arg0 & 0xf == 0xf", + }, + { + // unknown operator. + policy: "prctl: arg0 !== 0xf", + err: "invalid expression: arg0 !== 0xf", + }, + { + // invalid hexadecimal value. + policy: "prctl: arg0 == 0xfdx", + err: "invalid value: arg0 == 0xfdx", + }, + { + // invalid decimal value. + policy: "prctl: arg0 == 123a", + err: "invalid value: arg0 == 123a", + }, + { + // invalid octal value. + policy: "prctl: arg0 == 0129", + err: "invalid value: arg0 == 0129", + }, + { + // invalid subexpression. + policy: "prctl: arg0 == 0x100 && arg1 = 0x101 || arg2 == 0x102", + err: "invalid expression: arg1 = 0x101", + }, + } + for _, test := range tests { + var err string + p, e := parseLine(test.policy) + if e != nil { + err = e.Error() + } + if err != "" || test.err != "" { + if err != test.err { + t.Errorf("parseLine(%q): error = %q; want %q", test.policy, err, test.err) + } + continue + } + want := test.want + if want == "" { + want = test.policy + } + if got := p.String(); got != want { + t.Errorf("parseLine(%q) = %q; want %q", test.policy, got, test.want) + } + } +} + +func TestParseLines(t *testing.T) { + tests := []struct { + file []string + err string + }{ + { + // simple policy file. + file: []string{ + "read: 1", + "write: 1", + "open: return 1", + }, + }, + { + // comment lines are ignored. + file: []string{ + "read: 1", + "write: 1", + "# open: return EPERM", + "open: return 1", + }, + }, + { + // blank lines are ignored. + file: []string{ + "read: 1", + "write: 1", + "", + "open: return 1", + }, + }, + { + // leading space on comment line. + file: []string{ + "read: 1", + "write: 1", + " # open: return EPERM", + "open: return 1", + }, + err: "line 3: invalid syntax", + }, + { + // line consisting of whitespace only. + file: []string{ + "read: 1", + "write: 1", + " ", + "open: return 1", + }, + err: "line 3: invalid syntax", + }, + { + // parse error on one line. + file: []string{ + "read: 1", + "write: return 019", + "open: return 1", + }, + err: "line 2: invalid errno: 019", + }, + { + // multiple policies for a syscall. + file: []string{ + "read: 1", + "write: 1", + "read: return 1", + "open: return 1", + }, + err: "lines 1,3: multiple policies for read", + }, + } + for _, test := range tests { + var err string + _, e := parseLines(test.file) + if e != nil { + err = e.Error() + } + if err != "" || test.err != "" { + if err != test.err { + t.Errorf("parseLines(%q): error = %q; want %q", test.file, err, test.err) + } + } + } +} + +func TestParseFile(t *testing.T) { + if *parseFilePath == "" { + t.Skip("use -parse_file to enable.") + } + + if _, err := parseFile(*parseFilePath); err != nil { + t.Errorf("parseFile(%q): %v", *parseFilePath, err) + } +} + +func TestCompile(t *testing.T) { + syscallName := make(map[int32]string) + for name, nr := range syscallNum { + syscallName[int32(nr)] = name + } + + call := func(name string, args ...uint64) SeccompData { + nr, ok := syscallNum[name] + if !ok { + t.Fatalf("unknown syscall: %s", name) + } + data := SeccompData{ + NR: int32(nr), + Arch: auditArch, + } + copy(data.Args[:], args) + return data + } + + eval := func(bpf []SockFilter, data SeccompData) uint32 { + var A uint32 + IP := 0 + for { + Insn := bpf[IP] + IP++ + switch Insn.Code { + case opLOAD: + A = *(*uint32)(unsafe.Pointer(uintptr(unsafe.Pointer(&data)) + uintptr(Insn.K))) + case opJEQ: + if A == Insn.K { + IP += int(Insn.JT) + } else { + IP += int(Insn.JF) + } + case opJSET: + if A&Insn.K != 0 { + IP += int(Insn.JT) + } else { + IP += int(Insn.JF) + } + case opJUMP: + IP += int(Insn.K) + case opRET: + return Insn.K + default: + t.Fatalf("unsupported instruction: %v", Insn) + } + } + } + + file := []string{ + "read: 1", + "open: return 1", + "write: arg0 == 1", + "close: arg0 == 2; return 9", + "dup: arg0 == 1 || arg0 == 2", + "pipe: arg0 == 1 && arg1 == 2", + "link: arg0 != 1 && arg1 != 2 || arg2 == 3", + "unlink: arg0 != 1 || arg1 != 2 && arg2 == 3", + "creat: arg0 & 0xf00 && arg1 & 0x0f0 && arg2 & 0x00f", + "lseek: arg0 & 0x0f000f000f000f00 && arg1 & 0x00f000f000f000f0 && arg2 & 0x000f000f000f000f", + "stat: arg0 != 0x0123456789abcdef && arg1 != 0x123456789abcdef0 || arg2 == 0x00f000f000000000", + "fstat: arg0 != 0x0123456789abcdef || arg1 != 0x123456789abcdef0 && arg2 == 0x00f000f000000000", + } + tests := []struct { + data SeccompData + want uint32 + }{ + {call("fork"), retKill()}, + {call("read"), retAllow()}, + {call("open"), retErrno(1)}, + {call("write", 0), retKill()}, + {call("write", 1), retAllow()}, + {call("close", 1), retErrno(9)}, + {call("close", 2), retAllow()}, + {call("dup", 0), retKill()}, + {call("dup", 1), retAllow()}, + {call("dup", 2), retAllow()}, + {call("dup", 3), retKill()}, + {call("pipe", 1, 1), retKill()}, + {call("pipe", 1, 2), retAllow()}, + {call("pipe", 2, 1), retKill()}, + {call("pipe", 2, 2), retKill()}, + {call("link", 1, 2, 3), retAllow()}, + {call("link", 1, 2, 2), retKill()}, + {call("link", 2, 2, 2), retKill()}, + {call("link", 2, 1, 2), retAllow()}, + {call("unlink", 2, 1, 2), retAllow()}, + {call("unlink", 1, 1, 2), retKill()}, + {call("unlink", 1, 1, 3), retAllow()}, + {call("unlink", 1, 2, 3), retKill()}, + {call("creat", 0x100, 0x100, 0x101), retKill()}, + {call("creat", 0x200, 0x110, 0x101), retAllow()}, + {call("creat", 0x400, 0x110, 0x110), retKill()}, + {call("creat", 0x800, 0x110, 0x007), retAllow()}, + {call("lseek", 0x0100, 0x0100, 0x0101), retKill()}, + {call("lseek", 0x0200, 0x0110, 0x0101), retAllow()}, + {call("lseek", 0x0400, 0x0110, 0x0110), retKill()}, + {call("lseek", 0x0800, 0x0110, 0x0007), retAllow()}, + {call("lseek", 0x0100000000000000, 0x0100000000000000, 0x0101000000000000), retKill()}, + {call("lseek", 0x0200000000000000, 0x0110000000000000, 0x0101000000000000), retAllow()}, + {call("lseek", 0x0400000000000000, 0x0110000000000000, 0x0110000000000000), retKill()}, + {call("lseek", 0x0800000000000000, 0x0110000000000000, 0x0007000000000000), retAllow()}, + {call("stat", 0x0123456789abcdef, 0x123456789abcdef0, 0x00f000f000000000), retAllow()}, + {call("stat", 0x0123456789abcdef, 0x123456789abcdef0, 0x007000f000000000), retKill()}, + {call("stat", 0x0133456789abcdef, 0x123457789abcdef0, 0x007000f000000000), retAllow()}, + {call("stat", 0x0133456789abcdef, 0x123456789abcdef0, 0x007000f000000000), retKill()}, + {call("fstat", 0x0123456789abcdef, 0x123456789abcdef0, 0x00f000f000000000), retKill()}, + {call("fstat", 0x0133456789abcdef, 0x123456789abcdef0, 0x00f000f000000000), retAllow()}, + {call("fstat", 0x0123456789abcdef, 0x123457789abcdef0, 0x00f000f000000000), retAllow()}, + {call("fstat", 0x0123456789abcdef, 0x123457789abcdef0, 0x007000f000000000), retKill()}, + } + + ps, err := parseLines(file) + if err != nil { + t.Fatalf("parse failed: %v", err) + } + bpf, err := compile(ps, true, bpfRet(retKill())) + if err != nil { + t.Fatalf("compile failed: %v", err) + } + t.Logf("len(bpf) = %d", len(bpf)) + for _, test := range tests { + if got := eval(bpf, test.data); got != test.want { + t.Errorf("%s%#x = %#08x; want %#08x", syscallName[test.data.NR], test.data.Args, got, test.want) + } + } +} + +func TestSupport(t *testing.T) { + if err := CheckSupport(); err != nil { + t.Error(err) + } +} + +func TestInstall(t *testing.T) { + if !*testInstall { + t.Skip("use -test_install (with -cpu=N) to enable.") + } + + file := []string{ + "# open: return EPERM", + "open: return 1", + "# default: ALLOW", + } + + ps, err := parseLines(file) + if err != nil { + t.Fatalf("parse failed: %v", err) + } + bpf, err := compile(ps, nbits > 32, bpfRet(retAllow())) + if err != nil { + t.Fatalf("compile failed: %v", err) + } + if err = Install(bpf); err != nil { + t.Fatalf("install failed: %v", err) + } + + N := runtime.GOMAXPROCS(0) + opened := make(chan bool) + for i := 0; i < N; i++ { + go func() { + if f, err := os.Open("/dev/null"); err != nil { + t.Logf("open() failed: %v", err) + opened <- false + } else { + t.Logf("open() succeeded") + f.Close() + opened <- true + } + }() + } + for i := 0; i < N; i++ { + if <-opened { + t.Fail() + } + } +} + +func TestEndian(t *testing.T) { + if !*testEndian { + t.Skip("use -test_endian to enable.") + } + + pass := syscall.EDOM + fail := syscall.ERANGE + name := map[error]string{ + pass: "pass", + fail: "fail", + nil: "", + } + + type seccomp [3]uintptr + ps := []policy{ + { + name: "seccomp", + expr: orExpr{ + andExpr{ + argComp{0, "==", 0x0123456789abcdef}, + }, + andExpr{ + argComp{1, "!=", 0x01234567}, + argComp{2, "&", 0x01010101}, + }, + }, + then: bpfRet(retErrno(pass)), + def: ptr(bpfRet(retErrno(fail))), + }, + } + tests := []struct { + args seccomp + want error + }{ + {seccomp{0x01234567, 0, 0}, fail}, + {seccomp{0x89abcdef, 0, 0}, pass}, + {seccomp{0, 0x01234567, 0}, fail}, + {seccomp{0, 0x12345678, 0}, fail}, + {seccomp{0, 0x01234567, 1}, fail}, + {seccomp{0, 0x12345678, 1}, pass}, + } + call := func(args seccomp) error { + if nr, ok := syscallNum["seccomp"]; ok { + if _, _, e := syscall.Syscall(uintptr(nr), args[0], args[1], args[2]); e != 0 { + return e + } + } + return nil + } + + bpf, err := compile(ps, false, bpfRet(retAllow())) + if err != nil { + t.Fatalf("compile failed: %v", err) + } + if err = Install(bpf); err != nil { + t.Fatalf("install failed: %v", err) + } + for _, test := range tests { + if got := call(test.args); got != test.want { + t.Errorf("seccomp%#x = %v; want %v", test.args, name[got], name[test.want]) + } + } +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_386.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_386.go new file mode 100644 index 0000000..152634d --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_386.go @@ -0,0 +1,365 @@ +// DO NOT EDIT. Autogenerated by syscalls_gen.go + +package seccomp + +// #include "unistd.h" +import "C" + +// syscallNum maps system call names to numbers. +var syscallNum = map[string]int{ + "restart_syscall": C.__NR_restart_syscall, + "exit": C.__NR_exit, + "fork": C.__NR_fork, + "read": C.__NR_read, + "write": C.__NR_write, + "open": C.__NR_open, + "close": C.__NR_close, + "waitpid": C.__NR_waitpid, + "creat": C.__NR_creat, + "link": C.__NR_link, + "unlink": C.__NR_unlink, + "execve": C.__NR_execve, + "chdir": C.__NR_chdir, + "time": C.__NR_time, + "mknod": C.__NR_mknod, + "chmod": C.__NR_chmod, + "lchown": C.__NR_lchown, + "break": C.__NR_break, + "oldstat": C.__NR_oldstat, + "lseek": C.__NR_lseek, + "getpid": C.__NR_getpid, + "mount": C.__NR_mount, + "umount": C.__NR_umount, + "setuid": C.__NR_setuid, + "getuid": C.__NR_getuid, + "stime": C.__NR_stime, + "ptrace": C.__NR_ptrace, + "alarm": C.__NR_alarm, + "oldfstat": C.__NR_oldfstat, + "pause": C.__NR_pause, + "utime": C.__NR_utime, + "stty": C.__NR_stty, + "gtty": C.__NR_gtty, + "access": C.__NR_access, + "nice": C.__NR_nice, + "ftime": C.__NR_ftime, + "sync": C.__NR_sync, + "kill": C.__NR_kill, + "rename": C.__NR_rename, + "mkdir": C.__NR_mkdir, + "rmdir": C.__NR_rmdir, + "dup": C.__NR_dup, + "pipe": C.__NR_pipe, + "times": C.__NR_times, + "prof": C.__NR_prof, + "brk": C.__NR_brk, + "setgid": C.__NR_setgid, + "getgid": C.__NR_getgid, + "signal": C.__NR_signal, + "geteuid": C.__NR_geteuid, + "getegid": C.__NR_getegid, + "acct": C.__NR_acct, + "umount2": C.__NR_umount2, + "lock": C.__NR_lock, + "ioctl": C.__NR_ioctl, + "fcntl": C.__NR_fcntl, + "mpx": C.__NR_mpx, + "setpgid": C.__NR_setpgid, + "ulimit": C.__NR_ulimit, + "oldolduname": C.__NR_oldolduname, + "umask": C.__NR_umask, + "chroot": C.__NR_chroot, + "ustat": C.__NR_ustat, + "dup2": C.__NR_dup2, + "getppid": C.__NR_getppid, + "getpgrp": C.__NR_getpgrp, + "setsid": C.__NR_setsid, + "sigaction": C.__NR_sigaction, + "sgetmask": C.__NR_sgetmask, + "ssetmask": C.__NR_ssetmask, + "setreuid": C.__NR_setreuid, + "setregid": C.__NR_setregid, + "sigsuspend": C.__NR_sigsuspend, + "sigpending": C.__NR_sigpending, + "sethostname": C.__NR_sethostname, + "setrlimit": C.__NR_setrlimit, + "getrlimit": C.__NR_getrlimit, + "getrusage": C.__NR_getrusage, + "gettimeofday": C.__NR_gettimeofday, + "settimeofday": C.__NR_settimeofday, + "getgroups": C.__NR_getgroups, + "setgroups": C.__NR_setgroups, + "select": C.__NR_select, + "symlink": C.__NR_symlink, + "oldlstat": C.__NR_oldlstat, + "readlink": C.__NR_readlink, + "uselib": C.__NR_uselib, + "swapon": C.__NR_swapon, + "reboot": C.__NR_reboot, + "readdir": C.__NR_readdir, + "mmap": C.__NR_mmap, + "munmap": C.__NR_munmap, + "truncate": C.__NR_truncate, + "ftruncate": C.__NR_ftruncate, + "fchmod": C.__NR_fchmod, + "fchown": C.__NR_fchown, + "getpriority": C.__NR_getpriority, + "setpriority": C.__NR_setpriority, + "profil": C.__NR_profil, + "statfs": C.__NR_statfs, + "fstatfs": C.__NR_fstatfs, + "ioperm": C.__NR_ioperm, + "socketcall": C.__NR_socketcall, + "syslog": C.__NR_syslog, + "setitimer": C.__NR_setitimer, + "getitimer": C.__NR_getitimer, + "stat": C.__NR_stat, + "lstat": C.__NR_lstat, + "fstat": C.__NR_fstat, + "olduname": C.__NR_olduname, + "iopl": C.__NR_iopl, + "vhangup": C.__NR_vhangup, + "idle": C.__NR_idle, + "vm86old": C.__NR_vm86old, + "wait4": C.__NR_wait4, + "swapoff": C.__NR_swapoff, + "sysinfo": C.__NR_sysinfo, + "ipc": C.__NR_ipc, + "fsync": C.__NR_fsync, + "sigreturn": C.__NR_sigreturn, + "clone": C.__NR_clone, + "setdomainname": C.__NR_setdomainname, + "uname": C.__NR_uname, + "modify_ldt": C.__NR_modify_ldt, + "adjtimex": C.__NR_adjtimex, + "mprotect": C.__NR_mprotect, + "sigprocmask": C.__NR_sigprocmask, + "create_module": C.__NR_create_module, + "init_module": C.__NR_init_module, + "delete_module": C.__NR_delete_module, + "get_kernel_syms": C.__NR_get_kernel_syms, + "quotactl": C.__NR_quotactl, + "getpgid": C.__NR_getpgid, + "fchdir": C.__NR_fchdir, + "bdflush": C.__NR_bdflush, + "sysfs": C.__NR_sysfs, + "personality": C.__NR_personality, + "afs_syscall": C.__NR_afs_syscall, + "setfsuid": C.__NR_setfsuid, + "setfsgid": C.__NR_setfsgid, + "_llseek": C.__NR__llseek, + "getdents": C.__NR_getdents, + "_newselect": C.__NR__newselect, + "flock": C.__NR_flock, + "msync": C.__NR_msync, + "readv": C.__NR_readv, + "writev": C.__NR_writev, + "getsid": C.__NR_getsid, + "fdatasync": C.__NR_fdatasync, + "_sysctl": C.__NR__sysctl, + "mlock": C.__NR_mlock, + "munlock": C.__NR_munlock, + "mlockall": C.__NR_mlockall, + "munlockall": C.__NR_munlockall, + "sched_setparam": C.__NR_sched_setparam, + "sched_getparam": C.__NR_sched_getparam, + "sched_setscheduler": C.__NR_sched_setscheduler, + "sched_getscheduler": C.__NR_sched_getscheduler, + "sched_yield": C.__NR_sched_yield, + "sched_get_priority_max": C.__NR_sched_get_priority_max, + "sched_get_priority_min": C.__NR_sched_get_priority_min, + "sched_rr_get_interval": C.__NR_sched_rr_get_interval, + "nanosleep": C.__NR_nanosleep, + "mremap": C.__NR_mremap, + "setresuid": C.__NR_setresuid, + "getresuid": C.__NR_getresuid, + "vm86": C.__NR_vm86, + "query_module": C.__NR_query_module, + "poll": C.__NR_poll, + "nfsservctl": C.__NR_nfsservctl, + "setresgid": C.__NR_setresgid, + "getresgid": C.__NR_getresgid, + "prctl": C.__NR_prctl, + "rt_sigreturn": C.__NR_rt_sigreturn, + "rt_sigaction": C.__NR_rt_sigaction, + "rt_sigprocmask": C.__NR_rt_sigprocmask, + "rt_sigpending": C.__NR_rt_sigpending, + "rt_sigtimedwait": C.__NR_rt_sigtimedwait, + "rt_sigqueueinfo": C.__NR_rt_sigqueueinfo, + "rt_sigsuspend": C.__NR_rt_sigsuspend, + "pread64": C.__NR_pread64, + "pwrite64": C.__NR_pwrite64, + "chown": C.__NR_chown, + "getcwd": C.__NR_getcwd, + "capget": C.__NR_capget, + "capset": C.__NR_capset, + "sigaltstack": C.__NR_sigaltstack, + "sendfile": C.__NR_sendfile, + "getpmsg": C.__NR_getpmsg, + "putpmsg": C.__NR_putpmsg, + "vfork": C.__NR_vfork, + "ugetrlimit": C.__NR_ugetrlimit, + "mmap2": C.__NR_mmap2, + "truncate64": C.__NR_truncate64, + "ftruncate64": C.__NR_ftruncate64, + "stat64": C.__NR_stat64, + "lstat64": C.__NR_lstat64, + "fstat64": C.__NR_fstat64, + "lchown32": C.__NR_lchown32, + "getuid32": C.__NR_getuid32, + "getgid32": C.__NR_getgid32, + "geteuid32": C.__NR_geteuid32, + "getegid32": C.__NR_getegid32, + "setreuid32": C.__NR_setreuid32, + "setregid32": C.__NR_setregid32, + "getgroups32": C.__NR_getgroups32, + "setgroups32": C.__NR_setgroups32, + "fchown32": C.__NR_fchown32, + "setresuid32": C.__NR_setresuid32, + "getresuid32": C.__NR_getresuid32, + "setresgid32": C.__NR_setresgid32, + "getresgid32": C.__NR_getresgid32, + "chown32": C.__NR_chown32, + "setuid32": C.__NR_setuid32, + "setgid32": C.__NR_setgid32, + "setfsuid32": C.__NR_setfsuid32, + "setfsgid32": C.__NR_setfsgid32, + "pivot_root": C.__NR_pivot_root, + "mincore": C.__NR_mincore, + "madvise": C.__NR_madvise, + "getdents64": C.__NR_getdents64, + "fcntl64": C.__NR_fcntl64, + "gettid": C.__NR_gettid, + "readahead": C.__NR_readahead, + "setxattr": C.__NR_setxattr, + "lsetxattr": C.__NR_lsetxattr, + "fsetxattr": C.__NR_fsetxattr, + "getxattr": C.__NR_getxattr, + "lgetxattr": C.__NR_lgetxattr, + "fgetxattr": C.__NR_fgetxattr, + "listxattr": C.__NR_listxattr, + "llistxattr": C.__NR_llistxattr, + "flistxattr": C.__NR_flistxattr, + "removexattr": C.__NR_removexattr, + "lremovexattr": C.__NR_lremovexattr, + "fremovexattr": C.__NR_fremovexattr, + "tkill": C.__NR_tkill, + "sendfile64": C.__NR_sendfile64, + "futex": C.__NR_futex, + "sched_setaffinity": C.__NR_sched_setaffinity, + "sched_getaffinity": C.__NR_sched_getaffinity, + "set_thread_area": C.__NR_set_thread_area, + "get_thread_area": C.__NR_get_thread_area, + "io_setup": C.__NR_io_setup, + "io_destroy": C.__NR_io_destroy, + "io_getevents": C.__NR_io_getevents, + "io_submit": C.__NR_io_submit, + "io_cancel": C.__NR_io_cancel, + "fadvise64": C.__NR_fadvise64, + "exit_group": C.__NR_exit_group, + "lookup_dcookie": C.__NR_lookup_dcookie, + "epoll_create": C.__NR_epoll_create, + "epoll_ctl": C.__NR_epoll_ctl, + "epoll_wait": C.__NR_epoll_wait, + "remap_file_pages": C.__NR_remap_file_pages, + "set_tid_address": C.__NR_set_tid_address, + "timer_create": C.__NR_timer_create, + "timer_settime": C.__NR_timer_settime, + "timer_gettime": C.__NR_timer_gettime, + "timer_getoverrun": C.__NR_timer_getoverrun, + "timer_delete": C.__NR_timer_delete, + "clock_settime": C.__NR_clock_settime, + "clock_gettime": C.__NR_clock_gettime, + "clock_getres": C.__NR_clock_getres, + "clock_nanosleep": C.__NR_clock_nanosleep, + "statfs64": C.__NR_statfs64, + "fstatfs64": C.__NR_fstatfs64, + "tgkill": C.__NR_tgkill, + "utimes": C.__NR_utimes, + "fadvise64_64": C.__NR_fadvise64_64, + "vserver": C.__NR_vserver, + "mbind": C.__NR_mbind, + "get_mempolicy": C.__NR_get_mempolicy, + "set_mempolicy": C.__NR_set_mempolicy, + "mq_open": C.__NR_mq_open, + "mq_unlink": C.__NR_mq_unlink, + "mq_timedsend": C.__NR_mq_timedsend, + "mq_timedreceive": C.__NR_mq_timedreceive, + "mq_notify": C.__NR_mq_notify, + "mq_getsetattr": C.__NR_mq_getsetattr, + "kexec_load": C.__NR_kexec_load, + "waitid": C.__NR_waitid, + "add_key": C.__NR_add_key, + "request_key": C.__NR_request_key, + "keyctl": C.__NR_keyctl, + "ioprio_set": C.__NR_ioprio_set, + "ioprio_get": C.__NR_ioprio_get, + "inotify_init": C.__NR_inotify_init, + "inotify_add_watch": C.__NR_inotify_add_watch, + "inotify_rm_watch": C.__NR_inotify_rm_watch, + "migrate_pages": C.__NR_migrate_pages, + "openat": C.__NR_openat, + "mkdirat": C.__NR_mkdirat, + "mknodat": C.__NR_mknodat, + "fchownat": C.__NR_fchownat, + "futimesat": C.__NR_futimesat, + "fstatat64": C.__NR_fstatat64, + "unlinkat": C.__NR_unlinkat, + "renameat": C.__NR_renameat, + "linkat": C.__NR_linkat, + "symlinkat": C.__NR_symlinkat, + "readlinkat": C.__NR_readlinkat, + "fchmodat": C.__NR_fchmodat, + "faccessat": C.__NR_faccessat, + "pselect6": C.__NR_pselect6, + "ppoll": C.__NR_ppoll, + "unshare": C.__NR_unshare, + "set_robust_list": C.__NR_set_robust_list, + "get_robust_list": C.__NR_get_robust_list, + "splice": C.__NR_splice, + "sync_file_range": C.__NR_sync_file_range, + "tee": C.__NR_tee, + "vmsplice": C.__NR_vmsplice, + "move_pages": C.__NR_move_pages, + "getcpu": C.__NR_getcpu, + "epoll_pwait": C.__NR_epoll_pwait, + "utimensat": C.__NR_utimensat, + "signalfd": C.__NR_signalfd, + "timerfd_create": C.__NR_timerfd_create, + "eventfd": C.__NR_eventfd, + "fallocate": C.__NR_fallocate, + "timerfd_settime": C.__NR_timerfd_settime, + "timerfd_gettime": C.__NR_timerfd_gettime, + "signalfd4": C.__NR_signalfd4, + "eventfd2": C.__NR_eventfd2, + "epoll_create1": C.__NR_epoll_create1, + "dup3": C.__NR_dup3, + "pipe2": C.__NR_pipe2, + "inotify_init1": C.__NR_inotify_init1, + "preadv": C.__NR_preadv, + "pwritev": C.__NR_pwritev, + "rt_tgsigqueueinfo": C.__NR_rt_tgsigqueueinfo, + "perf_event_open": C.__NR_perf_event_open, + "recvmmsg": C.__NR_recvmmsg, + "fanotify_init": C.__NR_fanotify_init, + "fanotify_mark": C.__NR_fanotify_mark, + "prlimit64": C.__NR_prlimit64, + "name_to_handle_at": C.__NR_name_to_handle_at, + "open_by_handle_at": C.__NR_open_by_handle_at, + "clock_adjtime": C.__NR_clock_adjtime, + "syncfs": C.__NR_syncfs, + "sendmmsg": C.__NR_sendmmsg, + "setns": C.__NR_setns, + "process_vm_readv": C.__NR_process_vm_readv, + "process_vm_writev": C.__NR_process_vm_writev, + "kcmp": C.__NR_kcmp, + "finit_module": C.__NR_finit_module, + "sched_setattr": C.__NR_sched_setattr, + "sched_getattr": C.__NR_sched_getattr, + "renameat2": C.__NR_renameat2, + "seccomp": C.__NR_seccomp, + "getrandom": C.__NR_getrandom, + "memfd_create": C.__NR_memfd_create, + "bpf": C.__NR_bpf, + "execveat": C.__NR_execveat, +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_amd64.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_amd64.go new file mode 100644 index 0000000..c4511c9 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_amd64.go @@ -0,0 +1,333 @@ +// DO NOT EDIT. Autogenerated by syscalls_gen.go + +package seccomp + +// #include "unistd_64.h" +import "C" + +// syscallNum maps system call names to numbers. +var syscallNum = map[string]int{ + "read": C.__NR_read, + "write": C.__NR_write, + "open": C.__NR_open, + "close": C.__NR_close, + "stat": C.__NR_stat, + "fstat": C.__NR_fstat, + "lstat": C.__NR_lstat, + "poll": C.__NR_poll, + "lseek": C.__NR_lseek, + "mmap": C.__NR_mmap, + "mprotect": C.__NR_mprotect, + "munmap": C.__NR_munmap, + "brk": C.__NR_brk, + "rt_sigaction": C.__NR_rt_sigaction, + "rt_sigprocmask": C.__NR_rt_sigprocmask, + "rt_sigreturn": C.__NR_rt_sigreturn, + "ioctl": C.__NR_ioctl, + "pread64": C.__NR_pread64, + "pwrite64": C.__NR_pwrite64, + "readv": C.__NR_readv, + "writev": C.__NR_writev, + "access": C.__NR_access, + "pipe": C.__NR_pipe, + "select": C.__NR_select, + "sched_yield": C.__NR_sched_yield, + "mremap": C.__NR_mremap, + "msync": C.__NR_msync, + "mincore": C.__NR_mincore, + "madvise": C.__NR_madvise, + "shmget": C.__NR_shmget, + "shmat": C.__NR_shmat, + "shmctl": C.__NR_shmctl, + "dup": C.__NR_dup, + "dup2": C.__NR_dup2, + "pause": C.__NR_pause, + "nanosleep": C.__NR_nanosleep, + "getitimer": C.__NR_getitimer, + "alarm": C.__NR_alarm, + "setitimer": C.__NR_setitimer, + "getpid": C.__NR_getpid, + "sendfile": C.__NR_sendfile, + "socket": C.__NR_socket, + "connect": C.__NR_connect, + "accept": C.__NR_accept, + "sendto": C.__NR_sendto, + "recvfrom": C.__NR_recvfrom, + "sendmsg": C.__NR_sendmsg, + "recvmsg": C.__NR_recvmsg, + "shutdown": C.__NR_shutdown, + "bind": C.__NR_bind, + "listen": C.__NR_listen, + "getsockname": C.__NR_getsockname, + "getpeername": C.__NR_getpeername, + "socketpair": C.__NR_socketpair, + "setsockopt": C.__NR_setsockopt, + "getsockopt": C.__NR_getsockopt, + "clone": C.__NR_clone, + "fork": C.__NR_fork, + "vfork": C.__NR_vfork, + "execve": C.__NR_execve, + "exit": C.__NR_exit, + "wait4": C.__NR_wait4, + "kill": C.__NR_kill, + "uname": C.__NR_uname, + "semget": C.__NR_semget, + "semop": C.__NR_semop, + "semctl": C.__NR_semctl, + "shmdt": C.__NR_shmdt, + "msgget": C.__NR_msgget, + "msgsnd": C.__NR_msgsnd, + "msgrcv": C.__NR_msgrcv, + "msgctl": C.__NR_msgctl, + "fcntl": C.__NR_fcntl, + "flock": C.__NR_flock, + "fsync": C.__NR_fsync, + "fdatasync": C.__NR_fdatasync, + "truncate": C.__NR_truncate, + "ftruncate": C.__NR_ftruncate, + "getdents": C.__NR_getdents, + "getcwd": C.__NR_getcwd, + "chdir": C.__NR_chdir, + "fchdir": C.__NR_fchdir, + "rename": C.__NR_rename, + "mkdir": C.__NR_mkdir, + "rmdir": C.__NR_rmdir, + "creat": C.__NR_creat, + "link": C.__NR_link, + "unlink": C.__NR_unlink, + "symlink": C.__NR_symlink, + "readlink": C.__NR_readlink, + "chmod": C.__NR_chmod, + "fchmod": C.__NR_fchmod, + "chown": C.__NR_chown, + "fchown": C.__NR_fchown, + "lchown": C.__NR_lchown, + "umask": C.__NR_umask, + "gettimeofday": C.__NR_gettimeofday, + "getrlimit": C.__NR_getrlimit, + "getrusage": C.__NR_getrusage, + "sysinfo": C.__NR_sysinfo, + "times": C.__NR_times, + "ptrace": C.__NR_ptrace, + "getuid": C.__NR_getuid, + "syslog": C.__NR_syslog, + "getgid": C.__NR_getgid, + "setuid": C.__NR_setuid, + "setgid": C.__NR_setgid, + "geteuid": C.__NR_geteuid, + "getegid": C.__NR_getegid, + "setpgid": C.__NR_setpgid, + "getppid": C.__NR_getppid, + "getpgrp": C.__NR_getpgrp, + "setsid": C.__NR_setsid, + "setreuid": C.__NR_setreuid, + "setregid": C.__NR_setregid, + "getgroups": C.__NR_getgroups, + "setgroups": C.__NR_setgroups, + "setresuid": C.__NR_setresuid, + "getresuid": C.__NR_getresuid, + "setresgid": C.__NR_setresgid, + "getresgid": C.__NR_getresgid, + "getpgid": C.__NR_getpgid, + "setfsuid": C.__NR_setfsuid, + "setfsgid": C.__NR_setfsgid, + "getsid": C.__NR_getsid, + "capget": C.__NR_capget, + "capset": C.__NR_capset, + "rt_sigpending": C.__NR_rt_sigpending, + "rt_sigtimedwait": C.__NR_rt_sigtimedwait, + "rt_sigqueueinfo": C.__NR_rt_sigqueueinfo, + "rt_sigsuspend": C.__NR_rt_sigsuspend, + "sigaltstack": C.__NR_sigaltstack, + "utime": C.__NR_utime, + "mknod": C.__NR_mknod, + "uselib": C.__NR_uselib, + "personality": C.__NR_personality, + "ustat": C.__NR_ustat, + "statfs": C.__NR_statfs, + "fstatfs": C.__NR_fstatfs, + "sysfs": C.__NR_sysfs, + "getpriority": C.__NR_getpriority, + "setpriority": C.__NR_setpriority, + "sched_setparam": C.__NR_sched_setparam, + "sched_getparam": C.__NR_sched_getparam, + "sched_setscheduler": C.__NR_sched_setscheduler, + "sched_getscheduler": C.__NR_sched_getscheduler, + "sched_get_priority_max": C.__NR_sched_get_priority_max, + "sched_get_priority_min": C.__NR_sched_get_priority_min, + "sched_rr_get_interval": C.__NR_sched_rr_get_interval, + "mlock": C.__NR_mlock, + "munlock": C.__NR_munlock, + "mlockall": C.__NR_mlockall, + "munlockall": C.__NR_munlockall, + "vhangup": C.__NR_vhangup, + "modify_ldt": C.__NR_modify_ldt, + "pivot_root": C.__NR_pivot_root, + "_sysctl": C.__NR__sysctl, + "prctl": C.__NR_prctl, + "arch_prctl": C.__NR_arch_prctl, + "adjtimex": C.__NR_adjtimex, + "setrlimit": C.__NR_setrlimit, + "chroot": C.__NR_chroot, + "sync": C.__NR_sync, + "acct": C.__NR_acct, + "settimeofday": C.__NR_settimeofday, + "mount": C.__NR_mount, + "umount2": C.__NR_umount2, + "swapon": C.__NR_swapon, + "swapoff": C.__NR_swapoff, + "reboot": C.__NR_reboot, + "sethostname": C.__NR_sethostname, + "setdomainname": C.__NR_setdomainname, + "iopl": C.__NR_iopl, + "ioperm": C.__NR_ioperm, + "create_module": C.__NR_create_module, + "init_module": C.__NR_init_module, + "delete_module": C.__NR_delete_module, + "get_kernel_syms": C.__NR_get_kernel_syms, + "query_module": C.__NR_query_module, + "quotactl": C.__NR_quotactl, + "nfsservctl": C.__NR_nfsservctl, + "getpmsg": C.__NR_getpmsg, + "putpmsg": C.__NR_putpmsg, + "afs_syscall": C.__NR_afs_syscall, + "tuxcall": C.__NR_tuxcall, + "security": C.__NR_security, + "gettid": C.__NR_gettid, + "readahead": C.__NR_readahead, + "setxattr": C.__NR_setxattr, + "lsetxattr": C.__NR_lsetxattr, + "fsetxattr": C.__NR_fsetxattr, + "getxattr": C.__NR_getxattr, + "lgetxattr": C.__NR_lgetxattr, + "fgetxattr": C.__NR_fgetxattr, + "listxattr": C.__NR_listxattr, + "llistxattr": C.__NR_llistxattr, + "flistxattr": C.__NR_flistxattr, + "removexattr": C.__NR_removexattr, + "lremovexattr": C.__NR_lremovexattr, + "fremovexattr": C.__NR_fremovexattr, + "tkill": C.__NR_tkill, + "time": C.__NR_time, + "futex": C.__NR_futex, + "sched_setaffinity": C.__NR_sched_setaffinity, + "sched_getaffinity": C.__NR_sched_getaffinity, + "set_thread_area": C.__NR_set_thread_area, + "io_setup": C.__NR_io_setup, + "io_destroy": C.__NR_io_destroy, + "io_getevents": C.__NR_io_getevents, + "io_submit": C.__NR_io_submit, + "io_cancel": C.__NR_io_cancel, + "get_thread_area": C.__NR_get_thread_area, + "lookup_dcookie": C.__NR_lookup_dcookie, + "epoll_create": C.__NR_epoll_create, + "epoll_ctl_old": C.__NR_epoll_ctl_old, + "epoll_wait_old": C.__NR_epoll_wait_old, + "remap_file_pages": C.__NR_remap_file_pages, + "getdents64": C.__NR_getdents64, + "set_tid_address": C.__NR_set_tid_address, + "restart_syscall": C.__NR_restart_syscall, + "semtimedop": C.__NR_semtimedop, + "fadvise64": C.__NR_fadvise64, + "timer_create": C.__NR_timer_create, + "timer_settime": C.__NR_timer_settime, + "timer_gettime": C.__NR_timer_gettime, + "timer_getoverrun": C.__NR_timer_getoverrun, + "timer_delete": C.__NR_timer_delete, + "clock_settime": C.__NR_clock_settime, + "clock_gettime": C.__NR_clock_gettime, + "clock_getres": C.__NR_clock_getres, + "clock_nanosleep": C.__NR_clock_nanosleep, + "exit_group": C.__NR_exit_group, + "epoll_wait": C.__NR_epoll_wait, + "epoll_ctl": C.__NR_epoll_ctl, + "tgkill": C.__NR_tgkill, + "utimes": C.__NR_utimes, + "vserver": C.__NR_vserver, + "mbind": C.__NR_mbind, + "set_mempolicy": C.__NR_set_mempolicy, + "get_mempolicy": C.__NR_get_mempolicy, + "mq_open": C.__NR_mq_open, + "mq_unlink": C.__NR_mq_unlink, + "mq_timedsend": C.__NR_mq_timedsend, + "mq_timedreceive": C.__NR_mq_timedreceive, + "mq_notify": C.__NR_mq_notify, + "mq_getsetattr": C.__NR_mq_getsetattr, + "kexec_load": C.__NR_kexec_load, + "waitid": C.__NR_waitid, + "add_key": C.__NR_add_key, + "request_key": C.__NR_request_key, + "keyctl": C.__NR_keyctl, + "ioprio_set": C.__NR_ioprio_set, + "ioprio_get": C.__NR_ioprio_get, + "inotify_init": C.__NR_inotify_init, + "inotify_add_watch": C.__NR_inotify_add_watch, + "inotify_rm_watch": C.__NR_inotify_rm_watch, + "migrate_pages": C.__NR_migrate_pages, + "openat": C.__NR_openat, + "mkdirat": C.__NR_mkdirat, + "mknodat": C.__NR_mknodat, + "fchownat": C.__NR_fchownat, + "futimesat": C.__NR_futimesat, + "newfstatat": C.__NR_newfstatat, + "unlinkat": C.__NR_unlinkat, + "renameat": C.__NR_renameat, + "linkat": C.__NR_linkat, + "symlinkat": C.__NR_symlinkat, + "readlinkat": C.__NR_readlinkat, + "fchmodat": C.__NR_fchmodat, + "faccessat": C.__NR_faccessat, + "pselect6": C.__NR_pselect6, + "ppoll": C.__NR_ppoll, + "unshare": C.__NR_unshare, + "set_robust_list": C.__NR_set_robust_list, + "get_robust_list": C.__NR_get_robust_list, + "splice": C.__NR_splice, + "tee": C.__NR_tee, + "sync_file_range": C.__NR_sync_file_range, + "vmsplice": C.__NR_vmsplice, + "move_pages": C.__NR_move_pages, + "utimensat": C.__NR_utimensat, + "epoll_pwait": C.__NR_epoll_pwait, + "signalfd": C.__NR_signalfd, + "timerfd_create": C.__NR_timerfd_create, + "eventfd": C.__NR_eventfd, + "fallocate": C.__NR_fallocate, + "timerfd_settime": C.__NR_timerfd_settime, + "timerfd_gettime": C.__NR_timerfd_gettime, + "accept4": C.__NR_accept4, + "signalfd4": C.__NR_signalfd4, + "eventfd2": C.__NR_eventfd2, + "epoll_create1": C.__NR_epoll_create1, + "dup3": C.__NR_dup3, + "pipe2": C.__NR_pipe2, + "inotify_init1": C.__NR_inotify_init1, + "preadv": C.__NR_preadv, + "pwritev": C.__NR_pwritev, + "rt_tgsigqueueinfo": C.__NR_rt_tgsigqueueinfo, + "perf_event_open": C.__NR_perf_event_open, + "recvmmsg": C.__NR_recvmmsg, + "fanotify_init": C.__NR_fanotify_init, + "fanotify_mark": C.__NR_fanotify_mark, + "prlimit64": C.__NR_prlimit64, + "name_to_handle_at": C.__NR_name_to_handle_at, + "open_by_handle_at": C.__NR_open_by_handle_at, + "clock_adjtime": C.__NR_clock_adjtime, + "syncfs": C.__NR_syncfs, + "sendmmsg": C.__NR_sendmmsg, + "setns": C.__NR_setns, + "getcpu": C.__NR_getcpu, + "process_vm_readv": C.__NR_process_vm_readv, + "process_vm_writev": C.__NR_process_vm_writev, + "kcmp": C.__NR_kcmp, + "finit_module": C.__NR_finit_module, + "sched_setattr": C.__NR_sched_setattr, + "sched_getattr": C.__NR_sched_getattr, + "renameat2": C.__NR_renameat2, + "seccomp": C.__NR_seccomp, + "getrandom": C.__NR_getrandom, + "memfd_create": C.__NR_memfd_create, + "kexec_file_load": C.__NR_kexec_file_load, + "bpf": C.__NR_bpf, + "execveat": C.__NR_execveat, +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_arm.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_arm.go new file mode 100644 index 0000000..829a0ac --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_arm.go @@ -0,0 +1,359 @@ +// DO NOT EDIT. Autogenerated by syscalls_gen.go + +package seccomp + +// #include +import "C" + +// syscallNum maps system call names to numbers. +var syscallNum = map[string]int{ + "restart_syscall": C.__NR_restart_syscall, + "exit": C.__NR_exit, + "fork": C.__NR_fork, + "read": C.__NR_read, + "write": C.__NR_write, + "open": C.__NR_open, + "close": C.__NR_close, + "creat": C.__NR_creat, + "link": C.__NR_link, + "unlink": C.__NR_unlink, + "execve": C.__NR_execve, + "chdir": C.__NR_chdir, + "mknod": C.__NR_mknod, + "chmod": C.__NR_chmod, + "lchown": C.__NR_lchown, + "lseek": C.__NR_lseek, + "getpid": C.__NR_getpid, + "mount": C.__NR_mount, + "setuid": C.__NR_setuid, + "getuid": C.__NR_getuid, + "ptrace": C.__NR_ptrace, + "pause": C.__NR_pause, + "access": C.__NR_access, + "nice": C.__NR_nice, + "sync": C.__NR_sync, + "kill": C.__NR_kill, + "rename": C.__NR_rename, + "mkdir": C.__NR_mkdir, + "rmdir": C.__NR_rmdir, + "dup": C.__NR_dup, + "pipe": C.__NR_pipe, + "times": C.__NR_times, + "brk": C.__NR_brk, + "setgid": C.__NR_setgid, + "getgid": C.__NR_getgid, + "geteuid": C.__NR_geteuid, + "getegid": C.__NR_getegid, + "acct": C.__NR_acct, + "umount2": C.__NR_umount2, + "ioctl": C.__NR_ioctl, + "fcntl": C.__NR_fcntl, + "setpgid": C.__NR_setpgid, + "umask": C.__NR_umask, + "chroot": C.__NR_chroot, + "ustat": C.__NR_ustat, + "dup2": C.__NR_dup2, + "getppid": C.__NR_getppid, + "getpgrp": C.__NR_getpgrp, + "setsid": C.__NR_setsid, + "sigaction": C.__NR_sigaction, + "setreuid": C.__NR_setreuid, + "setregid": C.__NR_setregid, + "sigsuspend": C.__NR_sigsuspend, + "sigpending": C.__NR_sigpending, + "sethostname": C.__NR_sethostname, + "setrlimit": C.__NR_setrlimit, + "getrusage": C.__NR_getrusage, + "gettimeofday": C.__NR_gettimeofday, + "settimeofday": C.__NR_settimeofday, + "getgroups": C.__NR_getgroups, + "setgroups": C.__NR_setgroups, + "symlink": C.__NR_symlink, + "readlink": C.__NR_readlink, + "uselib": C.__NR_uselib, + "swapon": C.__NR_swapon, + "reboot": C.__NR_reboot, + "munmap": C.__NR_munmap, + "truncate": C.__NR_truncate, + "ftruncate": C.__NR_ftruncate, + "fchmod": C.__NR_fchmod, + "fchown": C.__NR_fchown, + "getpriority": C.__NR_getpriority, + "setpriority": C.__NR_setpriority, + "statfs": C.__NR_statfs, + "fstatfs": C.__NR_fstatfs, + "syslog": C.__NR_syslog, + "setitimer": C.__NR_setitimer, + "getitimer": C.__NR_getitimer, + "stat": C.__NR_stat, + "lstat": C.__NR_lstat, + "fstat": C.__NR_fstat, + "vhangup": C.__NR_vhangup, + "wait4": C.__NR_wait4, + "swapoff": C.__NR_swapoff, + "sysinfo": C.__NR_sysinfo, + "fsync": C.__NR_fsync, + "sigreturn": C.__NR_sigreturn, + "clone": C.__NR_clone, + "setdomainname": C.__NR_setdomainname, + "uname": C.__NR_uname, + "adjtimex": C.__NR_adjtimex, + "mprotect": C.__NR_mprotect, + "sigprocmask": C.__NR_sigprocmask, + "init_module": C.__NR_init_module, + "delete_module": C.__NR_delete_module, + "quotactl": C.__NR_quotactl, + "getpgid": C.__NR_getpgid, + "fchdir": C.__NR_fchdir, + "bdflush": C.__NR_bdflush, + "sysfs": C.__NR_sysfs, + "personality": C.__NR_personality, + "setfsuid": C.__NR_setfsuid, + "setfsgid": C.__NR_setfsgid, + "_llseek": C.__NR__llseek, + "getdents": C.__NR_getdents, + "_newselect": C.__NR__newselect, + "flock": C.__NR_flock, + "msync": C.__NR_msync, + "readv": C.__NR_readv, + "writev": C.__NR_writev, + "getsid": C.__NR_getsid, + "fdatasync": C.__NR_fdatasync, + "_sysctl": C.__NR__sysctl, + "mlock": C.__NR_mlock, + "munlock": C.__NR_munlock, + "mlockall": C.__NR_mlockall, + "munlockall": C.__NR_munlockall, + "sched_setparam": C.__NR_sched_setparam, + "sched_getparam": C.__NR_sched_getparam, + "sched_setscheduler": C.__NR_sched_setscheduler, + "sched_getscheduler": C.__NR_sched_getscheduler, + "sched_yield": C.__NR_sched_yield, + "sched_get_priority_max": C.__NR_sched_get_priority_max, + "sched_get_priority_min": C.__NR_sched_get_priority_min, + "sched_rr_get_interval": C.__NR_sched_rr_get_interval, + "nanosleep": C.__NR_nanosleep, + "mremap": C.__NR_mremap, + "setresuid": C.__NR_setresuid, + "getresuid": C.__NR_getresuid, + "poll": C.__NR_poll, + "nfsservctl": C.__NR_nfsservctl, + "setresgid": C.__NR_setresgid, + "getresgid": C.__NR_getresgid, + "prctl": C.__NR_prctl, + "rt_sigreturn": C.__NR_rt_sigreturn, + "rt_sigaction": C.__NR_rt_sigaction, + "rt_sigprocmask": C.__NR_rt_sigprocmask, + "rt_sigpending": C.__NR_rt_sigpending, + "rt_sigtimedwait": C.__NR_rt_sigtimedwait, + "rt_sigqueueinfo": C.__NR_rt_sigqueueinfo, + "rt_sigsuspend": C.__NR_rt_sigsuspend, + "pread64": C.__NR_pread64, + "pwrite64": C.__NR_pwrite64, + "chown": C.__NR_chown, + "getcwd": C.__NR_getcwd, + "capget": C.__NR_capget, + "capset": C.__NR_capset, + "sigaltstack": C.__NR_sigaltstack, + "sendfile": C.__NR_sendfile, + "vfork": C.__NR_vfork, + "ugetrlimit": C.__NR_ugetrlimit, + "mmap2": C.__NR_mmap2, + "truncate64": C.__NR_truncate64, + "ftruncate64": C.__NR_ftruncate64, + "stat64": C.__NR_stat64, + "lstat64": C.__NR_lstat64, + "fstat64": C.__NR_fstat64, + "lchown32": C.__NR_lchown32, + "getuid32": C.__NR_getuid32, + "getgid32": C.__NR_getgid32, + "geteuid32": C.__NR_geteuid32, + "getegid32": C.__NR_getegid32, + "setreuid32": C.__NR_setreuid32, + "setregid32": C.__NR_setregid32, + "getgroups32": C.__NR_getgroups32, + "setgroups32": C.__NR_setgroups32, + "fchown32": C.__NR_fchown32, + "setresuid32": C.__NR_setresuid32, + "getresuid32": C.__NR_getresuid32, + "setresgid32": C.__NR_setresgid32, + "getresgid32": C.__NR_getresgid32, + "chown32": C.__NR_chown32, + "setuid32": C.__NR_setuid32, + "setgid32": C.__NR_setgid32, + "setfsuid32": C.__NR_setfsuid32, + "setfsgid32": C.__NR_setfsgid32, + "getdents64": C.__NR_getdents64, + "pivot_root": C.__NR_pivot_root, + "mincore": C.__NR_mincore, + "madvise": C.__NR_madvise, + "fcntl64": C.__NR_fcntl64, + "gettid": C.__NR_gettid, + "readahead": C.__NR_readahead, + "setxattr": C.__NR_setxattr, + "lsetxattr": C.__NR_lsetxattr, + "fsetxattr": C.__NR_fsetxattr, + "getxattr": C.__NR_getxattr, + "lgetxattr": C.__NR_lgetxattr, + "fgetxattr": C.__NR_fgetxattr, + "listxattr": C.__NR_listxattr, + "llistxattr": C.__NR_llistxattr, + "flistxattr": C.__NR_flistxattr, + "removexattr": C.__NR_removexattr, + "lremovexattr": C.__NR_lremovexattr, + "fremovexattr": C.__NR_fremovexattr, + "tkill": C.__NR_tkill, + "sendfile64": C.__NR_sendfile64, + "futex": C.__NR_futex, + "sched_setaffinity": C.__NR_sched_setaffinity, + "sched_getaffinity": C.__NR_sched_getaffinity, + "io_setup": C.__NR_io_setup, + "io_destroy": C.__NR_io_destroy, + "io_getevents": C.__NR_io_getevents, + "io_submit": C.__NR_io_submit, + "io_cancel": C.__NR_io_cancel, + "exit_group": C.__NR_exit_group, + "lookup_dcookie": C.__NR_lookup_dcookie, + "epoll_create": C.__NR_epoll_create, + "epoll_ctl": C.__NR_epoll_ctl, + "epoll_wait": C.__NR_epoll_wait, + "remap_file_pages": C.__NR_remap_file_pages, + "set_tid_address": C.__NR_set_tid_address, + "timer_create": C.__NR_timer_create, + "timer_settime": C.__NR_timer_settime, + "timer_gettime": C.__NR_timer_gettime, + "timer_getoverrun": C.__NR_timer_getoverrun, + "timer_delete": C.__NR_timer_delete, + "clock_settime": C.__NR_clock_settime, + "clock_gettime": C.__NR_clock_gettime, + "clock_getres": C.__NR_clock_getres, + "clock_nanosleep": C.__NR_clock_nanosleep, + "statfs64": C.__NR_statfs64, + "fstatfs64": C.__NR_fstatfs64, + "tgkill": C.__NR_tgkill, + "utimes": C.__NR_utimes, + "arm_fadvise64_64": C.__NR_arm_fadvise64_64, + "pciconfig_iobase": C.__NR_pciconfig_iobase, + "pciconfig_read": C.__NR_pciconfig_read, + "pciconfig_write": C.__NR_pciconfig_write, + "mq_open": C.__NR_mq_open, + "mq_unlink": C.__NR_mq_unlink, + "mq_timedsend": C.__NR_mq_timedsend, + "mq_timedreceive": C.__NR_mq_timedreceive, + "mq_notify": C.__NR_mq_notify, + "mq_getsetattr": C.__NR_mq_getsetattr, + "waitid": C.__NR_waitid, + "socket": C.__NR_socket, + "bind": C.__NR_bind, + "connect": C.__NR_connect, + "listen": C.__NR_listen, + "accept": C.__NR_accept, + "getsockname": C.__NR_getsockname, + "getpeername": C.__NR_getpeername, + "socketpair": C.__NR_socketpair, + "send": C.__NR_send, + "sendto": C.__NR_sendto, + "recv": C.__NR_recv, + "recvfrom": C.__NR_recvfrom, + "shutdown": C.__NR_shutdown, + "setsockopt": C.__NR_setsockopt, + "getsockopt": C.__NR_getsockopt, + "sendmsg": C.__NR_sendmsg, + "recvmsg": C.__NR_recvmsg, + "semop": C.__NR_semop, + "semget": C.__NR_semget, + "semctl": C.__NR_semctl, + "msgsnd": C.__NR_msgsnd, + "msgrcv": C.__NR_msgrcv, + "msgget": C.__NR_msgget, + "msgctl": C.__NR_msgctl, + "shmat": C.__NR_shmat, + "shmdt": C.__NR_shmdt, + "shmget": C.__NR_shmget, + "shmctl": C.__NR_shmctl, + "add_key": C.__NR_add_key, + "request_key": C.__NR_request_key, + "keyctl": C.__NR_keyctl, + "semtimedop": C.__NR_semtimedop, + "vserver": C.__NR_vserver, + "ioprio_set": C.__NR_ioprio_set, + "ioprio_get": C.__NR_ioprio_get, + "inotify_init": C.__NR_inotify_init, + "inotify_add_watch": C.__NR_inotify_add_watch, + "inotify_rm_watch": C.__NR_inotify_rm_watch, + "mbind": C.__NR_mbind, + "get_mempolicy": C.__NR_get_mempolicy, + "set_mempolicy": C.__NR_set_mempolicy, + "openat": C.__NR_openat, + "mkdirat": C.__NR_mkdirat, + "mknodat": C.__NR_mknodat, + "fchownat": C.__NR_fchownat, + "futimesat": C.__NR_futimesat, + "fstatat64": C.__NR_fstatat64, + "unlinkat": C.__NR_unlinkat, + "renameat": C.__NR_renameat, + "linkat": C.__NR_linkat, + "symlinkat": C.__NR_symlinkat, + "readlinkat": C.__NR_readlinkat, + "fchmodat": C.__NR_fchmodat, + "faccessat": C.__NR_faccessat, + "pselect6": C.__NR_pselect6, + "ppoll": C.__NR_ppoll, + "unshare": C.__NR_unshare, + "set_robust_list": C.__NR_set_robust_list, + "get_robust_list": C.__NR_get_robust_list, + "splice": C.__NR_splice, + "arm_sync_file_range": C.__NR_arm_sync_file_range, + "sync_file_range2": C.__NR_sync_file_range2, + "tee": C.__NR_tee, + "vmsplice": C.__NR_vmsplice, + "move_pages": C.__NR_move_pages, + "getcpu": C.__NR_getcpu, + "epoll_pwait": C.__NR_epoll_pwait, + "kexec_load": C.__NR_kexec_load, + "utimensat": C.__NR_utimensat, + "signalfd": C.__NR_signalfd, + "timerfd_create": C.__NR_timerfd_create, + "eventfd": C.__NR_eventfd, + "fallocate": C.__NR_fallocate, + "timerfd_settime": C.__NR_timerfd_settime, + "timerfd_gettime": C.__NR_timerfd_gettime, + "signalfd4": C.__NR_signalfd4, + "eventfd2": C.__NR_eventfd2, + "epoll_create1": C.__NR_epoll_create1, + "dup3": C.__NR_dup3, + "pipe2": C.__NR_pipe2, + "inotify_init1": C.__NR_inotify_init1, + "preadv": C.__NR_preadv, + "pwritev": C.__NR_pwritev, + "rt_tgsigqueueinfo": C.__NR_rt_tgsigqueueinfo, + "perf_event_open": C.__NR_perf_event_open, + "recvmmsg": C.__NR_recvmmsg, + "accept4": C.__NR_accept4, + "fanotify_init": C.__NR_fanotify_init, + "fanotify_mark": C.__NR_fanotify_mark, + "prlimit64": C.__NR_prlimit64, + "name_to_handle_at": C.__NR_name_to_handle_at, + "open_by_handle_at": C.__NR_open_by_handle_at, + "clock_adjtime": C.__NR_clock_adjtime, + "syncfs": C.__NR_syncfs, + "sendmmsg": C.__NR_sendmmsg, + "setns": C.__NR_setns, + "process_vm_readv": C.__NR_process_vm_readv, + "process_vm_writev": C.__NR_process_vm_writev, + "kcmp": C.__NR_kcmp, + "finit_module": C.__NR_finit_module, + "sched_setattr": C.__NR_sched_setattr, + "sched_getattr": C.__NR_sched_getattr, + "renameat2": C.__NR_renameat2, + "seccomp": C.__NR_seccomp, + "getrandom": C.__NR_getrandom, + "memfd_create": C.__NR_memfd_create, + "bpf": C.__NR_bpf, + "execveat": C.__NR_execveat, + "ARM_breakpoint": C.__ARM_NR_breakpoint, + "ARM_cacheflush": C.__ARM_NR_cacheflush, + "ARM_usr26": C.__ARM_NR_usr26, + "ARM_usr32": C.__ARM_NR_usr32, + "ARM_set_tls": C.__ARM_NR_set_tls, +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_gen.go b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_gen.go new file mode 100644 index 0000000..d75f552 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/syscalls_gen.go @@ -0,0 +1,61 @@ +// Copyright 2015 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// +build ignore + +// syscalls_gen processes system headers and generates a mapping from system call names to numbers. +// Usage: +// $ echo "#include \"unistd_64.h\"" | x86_64-cros-linux-gnu-gcc -E -dD - | go run syscalls_gen.go | gofmt > syscalls_amd64.go +// $ echo "#include \"unistd_64.h\"" | i686-pc-linux-gnu-gcc -E -dD - | go run syscalls_gen.go | gofmt > syscalls_386.go +// $ echo "#include " | armv7a-cros-linux-gnueabi-gcc -E -dD - | go run syscalls_gen.go | gofmt > syscalls_arm.go +package main + +import ( + "bufio" + "fmt" + "log" + "os" + "regexp" +) + +func main() { + type syscall struct { + prefix string + name string + } + + define := regexp.MustCompile(`^#define __([A-Z]+_)?NR_([a-z0-9_]+)`) + undef := regexp.MustCompile(`^#undef __([A-Z]+_)?NR_([a-z0-9_]+)`) + + defined := []syscall{} + undefed := map[syscall]bool{} + + scanner := bufio.NewScanner(os.Stdin) + for scanner.Scan() { + line := scanner.Text() + if match := define.FindStringSubmatch(line); match != nil { + defined = append(defined, syscall{match[1], match[2]}) + } + if match := undef.FindStringSubmatch(line); match != nil { + undefed[syscall{match[1], match[2]}] = true + } + } + if err := scanner.Err(); err != nil { + log.Fatalf("Error reading standard input: %v", err) + } + + fmt.Println("// DO NOT EDIT. Autogenerated by syscalls_gen.go") + fmt.Println() + fmt.Println("package seccomp") + fmt.Println("// #include ") + fmt.Println("import \"C\"") + fmt.Println("// syscallNum maps system call names to numbers.") + fmt.Println("var syscallNum = map[string]int{") + for _, call := range defined { + if !undefed[call] { + fmt.Printf("%q: C.__%sNR_%s,\n", call.prefix+call.name, call.prefix, call.name) + } + } + fmt.Println("}") +} diff --git a/Godeps/_workspace/src/github.com/subgraph/go-seccomp/unistd_64.h b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/unistd_64.h new file mode 100644 index 0000000..0ffa105 --- /dev/null +++ b/Godeps/_workspace/src/github.com/subgraph/go-seccomp/unistd_64.h @@ -0,0 +1,325 @@ + +#define __NR_read 0 +#define __NR_write 1 +#define __NR_open 2 +#define __NR_close 3 +#define __NR_stat 4 +#define __NR_fstat 5 +#define __NR_lstat 6 +#define __NR_poll 7 +#define __NR_lseek 8 +#define __NR_mmap 9 +#define __NR_mprotect 10 +#define __NR_munmap 11 +#define __NR_brk 12 +#define __NR_rt_sigaction 13 +#define __NR_rt_sigprocmask 14 +#define __NR_rt_sigreturn 15 +#define __NR_ioctl 16 +#define __NR_pread64 17 +#define __NR_pwrite64 18 +#define __NR_readv 19 +#define __NR_writev 20 +#define __NR_access 21 +#define __NR_pipe 22 +#define __NR_select 23 +#define __NR_sched_yield 24 +#define __NR_mremap 25 +#define __NR_msync 26 +#define __NR_mincore 27 +#define __NR_madvise 28 +#define __NR_shmget 29 +#define __NR_shmat 30 +#define __NR_shmctl 31 +#define __NR_dup 32 +#define __NR_dup2 33 +#define __NR_pause 34 +#define __NR_nanosleep 35 +#define __NR_getitimer 36 +#define __NR_alarm 37 +#define __NR_setitimer 38 +#define __NR_getpid 39 +#define __NR_sendfile 40 +#define __NR_socket 41 +#define __NR_connect 42 +#define __NR_accept 43 +#define __NR_sendto 44 +#define __NR_recvfrom 45 +#define __NR_sendmsg 46 +#define __NR_recvmsg 47 +#define __NR_shutdown 48 +#define __NR_bind 49 +#define __NR_listen 50 +#define __NR_getsockname 51 +#define __NR_getpeername 52 +#define __NR_socketpair 53 +#define __NR_setsockopt 54 +#define __NR_getsockopt 55 +#define __NR_clone 56 +#define __NR_fork 57 +#define __NR_vfork 58 +#define __NR_execve 59 +#define __NR_exit 60 +#define __NR_wait4 61 +#define __NR_kill 62 +#define __NR_uname 63 +#define __NR_semget 64 +#define __NR_semop 65 +#define __NR_semctl 66 +#define __NR_shmdt 67 +#define __NR_msgget 68 +#define __NR_msgsnd 69 +#define __NR_msgrcv 70 +#define __NR_msgctl 71 +#define __NR_fcntl 72 +#define __NR_flock 73 +#define __NR_fsync 74 +#define __NR_fdatasync 75 +#define __NR_truncate 76 +#define __NR_ftruncate 77 +#define __NR_getdents 78 +#define __NR_getcwd 79 +#define __NR_chdir 80 +#define __NR_fchdir 81 +#define __NR_rename 82 +#define __NR_mkdir 83 +#define __NR_rmdir 84 +#define __NR_creat 85 +#define __NR_link 86 +#define __NR_unlink 87 +#define __NR_symlink 88 +#define __NR_readlink 89 +#define __NR_chmod 90 +#define __NR_fchmod 91 +#define __NR_chown 92 +#define __NR_fchown 93 +#define __NR_lchown 94 +#define __NR_umask 95 +#define __NR_gettimeofday 96 +#define __NR_getrlimit 97 +#define __NR_getrusage 98 +#define __NR_sysinfo 99 +#define __NR_times 100 +#define __NR_ptrace 101 +#define __NR_getuid 102 +#define __NR_syslog 103 +#define __NR_getgid 104 +#define __NR_setuid 105 +#define __NR_setgid 106 +#define __NR_geteuid 107 +#define __NR_getegid 108 +#define __NR_setpgid 109 +#define __NR_getppid 110 +#define __NR_getpgrp 111 +#define __NR_setsid 112 +#define __NR_setreuid 113 +#define __NR_setregid 114 +#define __NR_getgroups 115 +#define __NR_setgroups 116 +#define __NR_setresuid 117 +#define __NR_getresuid 118 +#define __NR_setresgid 119 +#define __NR_getresgid 120 +#define __NR_getpgid 121 +#define __NR_setfsuid 122 +#define __NR_setfsgid 123 +#define __NR_getsid 124 +#define __NR_capget 125 +#define __NR_capset 126 +#define __NR_rt_sigpending 127 +#define __NR_rt_sigtimedwait 128 +#define __NR_rt_sigqueueinfo 129 +#define __NR_rt_sigsuspend 130 +#define __NR_sigaltstack 131 +#define __NR_utime 132 +#define __NR_mknod 133 +#define __NR_uselib 134 +#define __NR_personality 135 +#define __NR_ustat 136 +#define __NR_statfs 137 +#define __NR_fstatfs 138 +#define __NR_sysfs 139 +#define __NR_getpriority 140 +#define __NR_setpriority 141 +#define __NR_sched_setparam 142 +#define __NR_sched_getparam 143 +#define __NR_sched_setscheduler 144 +#define __NR_sched_getscheduler 145 +#define __NR_sched_get_priority_max 146 +#define __NR_sched_get_priority_min 147 +#define __NR_sched_rr_get_interval 148 +#define __NR_mlock 149 +#define __NR_munlock 150 +#define __NR_mlockall 151 +#define __NR_munlockall 152 +#define __NR_vhangup 153 +#define __NR_modify_ldt 154 +#define __NR_pivot_root 155 +#define __NR__sysctl 156 +#define __NR_prctl 157 +#define __NR_arch_prctl 158 +#define __NR_adjtimex 159 +#define __NR_setrlimit 160 +#define __NR_chroot 161 +#define __NR_sync 162 +#define __NR_acct 163 +#define __NR_settimeofday 164 +#define __NR_mount 165 +#define __NR_umount2 166 +#define __NR_swapon 167 +#define __NR_swapoff 168 +#define __NR_reboot 169 +#define __NR_sethostname 170 +#define __NR_setdomainname 171 +#define __NR_iopl 172 +#define __NR_ioperm 173 +#define __NR_create_module 174 +#define __NR_init_module 175 +#define __NR_delete_module 176 +#define __NR_get_kernel_syms 177 +#define __NR_query_module 178 +#define __NR_quotactl 179 +#define __NR_nfsservctl 180 +#define __NR_getpmsg 181 +#define __NR_putpmsg 182 +#define __NR_afs_syscall 183 +#define __NR_tuxcall 184 +#define __NR_security 185 +#define __NR_gettid 186 +#define __NR_readahead 187 +#define __NR_setxattr 188 +#define __NR_lsetxattr 189 +#define __NR_fsetxattr 190 +#define __NR_getxattr 191 +#define __NR_lgetxattr 192 +#define __NR_fgetxattr 193 +#define __NR_listxattr 194 +#define __NR_llistxattr 195 +#define __NR_flistxattr 196 +#define __NR_removexattr 197 +#define __NR_lremovexattr 198 +#define __NR_fremovexattr 199 +#define __NR_tkill 200 +#define __NR_time 201 +#define __NR_futex 202 +#define __NR_sched_setaffinity 203 +#define __NR_sched_getaffinity 204 +#define __NR_set_thread_area 205 +#define __NR_io_setup 206 +#define __NR_io_destroy 207 +#define __NR_io_getevents 208 +#define __NR_io_submit 209 +#define __NR_io_cancel 210 +#define __NR_get_thread_area 211 +#define __NR_lookup_dcookie 212 +#define __NR_epoll_create 213 +#define __NR_epoll_ctl_old 214 +#define __NR_epoll_wait_old 215 +#define __NR_remap_file_pages 216 +#define __NR_getdents64 217 +#define __NR_set_tid_address 218 +#define __NR_restart_syscall 219 +#define __NR_semtimedop 220 +#define __NR_fadvise64 221 +#define __NR_timer_create 222 +#define __NR_timer_settime 223 +#define __NR_timer_gettime 224 +#define __NR_timer_getoverrun 225 +#define __NR_timer_delete 226 +#define __NR_clock_settime 227 +#define __NR_clock_gettime 228 +#define __NR_clock_getres 229 +#define __NR_clock_nanosleep 230 +#define __NR_exit_group 231 +#define __NR_epoll_wait 232 +#define __NR_epoll_ctl 233 +#define __NR_tgkill 234 +#define __NR_utimes 235 +#define __NR_vserver 236 +#define __NR_mbind 237 +#define __NR_set_mempolicy 238 +#define __NR_get_mempolicy 239 +#define __NR_mq_open 240 +#define __NR_mq_unlink 241 +#define __NR_mq_timedsend 242 +#define __NR_mq_timedreceive 243 +#define __NR_mq_notify 244 +#define __NR_mq_getsetattr 245 +#define __NR_kexec_load 246 +#define __NR_waitid 247 +#define __NR_add_key 248 +#define __NR_request_key 249 +#define __NR_keyctl 250 +#define __NR_ioprio_set 251 +#define __NR_ioprio_get 252 +#define __NR_inotify_init 253 +#define __NR_inotify_add_watch 254 +#define __NR_inotify_rm_watch 255 +#define __NR_migrate_pages 256 +#define __NR_openat 257 +#define __NR_mkdirat 258 +#define __NR_mknodat 259 +#define __NR_fchownat 260 +#define __NR_futimesat 261 +#define __NR_newfstatat 262 +#define __NR_unlinkat 263 +#define __NR_renameat 264 +#define __NR_linkat 265 +#define __NR_symlinkat 266 +#define __NR_readlinkat 267 +#define __NR_fchmodat 268 +#define __NR_faccessat 269 +#define __NR_pselect6 270 +#define __NR_ppoll 271 +#define __NR_unshare 272 +#define __NR_set_robust_list 273 +#define __NR_get_robust_list 274 +#define __NR_splice 275 +#define __NR_tee 276 +#define __NR_sync_file_range 277 +#define __NR_vmsplice 278 +#define __NR_move_pages 279 +#define __NR_utimensat 280 +#define __NR_epoll_pwait 281 +#define __NR_signalfd 282 +#define __NR_timerfd_create 283 +#define __NR_eventfd 284 +#define __NR_fallocate 285 +#define __NR_timerfd_settime 286 +#define __NR_timerfd_gettime 287 +#define __NR_accept4 288 +#define __NR_signalfd4 289 +#define __NR_eventfd2 290 +#define __NR_epoll_create1 291 +#define __NR_dup3 292 +#define __NR_pipe2 293 +#define __NR_inotify_init1 294 +#define __NR_preadv 295 +#define __NR_pwritev 296 +#define __NR_rt_tgsigqueueinfo 297 +#define __NR_perf_event_open 298 +#define __NR_recvmmsg 299 +#define __NR_fanotify_init 300 +#define __NR_fanotify_mark 301 +#define __NR_prlimit64 302 +#define __NR_name_to_handle_at 303 +#define __NR_open_by_handle_at 304 +#define __NR_clock_adjtime 305 +#define __NR_syncfs 306 +#define __NR_sendmmsg 307 +#define __NR_setns 308 +#define __NR_getcpu 309 +#define __NR_process_vm_readv 310 +#define __NR_process_vm_writev 311 +#define __NR_kcmp 312 +#define __NR_finit_module 313 +#define __NR_sched_setattr 314 +#define __NR_sched_getattr 315 +#define __NR_renameat2 316 +#define __NR_seccomp 317 +#define __NR_getrandom 318 +#define __NR_memfd_create 319 +#define __NR_kexec_file_load 320 +#define __NR_bpf 321 +#define __NR_execveat 322 +