* AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 7:31 ` Thomas Weißschuh 0 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-28 7:31 UTC (permalink / raw) To: linux-audit, bpf Hi everyone, there does not seem to be a way to access the AUDIT_ARCH_ constant that matches the currently visible syscall numbers (__NR_...) from the kernel uapi headers. Background: I am writing a seccomp BPF filter using the syscall constants to get the correct syscall numbers for the target architecture. seccomp_filter.rst tells users to always check the arch values. But there does not seem a way to get the correct AUDIT_ARCH_ value from the kernel headers. Questions: Is it really necessary to validate the arch value when syscall numbers are already target-specific? (If not, should this be added to the docs?) Would it make sense to expose the audit arch matching the syscall numbers in the uapi headers? Link to the actual BPF code: https://github.com/t-8ch/qmk_firmware/blob/optimize-udev/util/udev/qmk_id.c#L154 Thanks, Thomas ^ permalink raw reply [flat|nested] 16+ messages in thread
* AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 7:31 ` Thomas Weißschuh 0 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-28 7:31 UTC (permalink / raw) To: linux-audit, bpf Hi everyone, there does not seem to be a way to access the AUDIT_ARCH_ constant that matches the currently visible syscall numbers (__NR_...) from the kernel uapi headers. Background: I am writing a seccomp BPF filter using the syscall constants to get the correct syscall numbers for the target architecture. seccomp_filter.rst tells users to always check the arch values. But there does not seem a way to get the correct AUDIT_ARCH_ value from the kernel headers. Questions: Is it really necessary to validate the arch value when syscall numbers are already target-specific? (If not, should this be added to the docs?) Would it make sense to expose the audit arch matching the syscall numbers in the uapi headers? Link to the actual BPF code: https://github.com/t-8ch/qmk_firmware/blob/optimize-udev/util/udev/qmk_id.c#L154 Thanks, Thomas -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-28 7:31 ` Thomas Weißschuh @ 2021-06-28 16:59 ` Paul Moore -1 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-28 16:59 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: linux-audit, bpf On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > Hi everyone, > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. Looking at Linus' current tree I see the AUDIT_ARCH_* defines in include/uapi/linux/audit.h; looking on my system right now I see the defines in /usr/include/linux/audit.h. What kernel repository and distribution are you using? > Questions: > > Is it really necessary to validate the arch value when syscall numbers are > already target-specific? > (If not, should this be added to the docs?) Checking the arch/ABI value is important so that you can ensure that you are using the syscall number in the proper context. For example, look at the access(2) syscall: it is undefined on some ABIs and can take either a value of 20, 21, or 33 depending on the arch/ABI. Unfortunately this is rather common. Checking the arch/ABI value is also handy if you want to quickly disallow certain ABIs on a system that supports multiple ABI, e.g. disabling 32-bit x86 on a 64-bit x86_64 system. > Would it make sense to expose the audit arch matching the syscall numbers in > the uapi headers? Yes, which is why the existing headers do so ;) If you don't see the header files I mentioned above, it may be worth checking your kernel source repository and your distribution's installed kernel header files. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 16:59 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-28 16:59 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: bpf, linux-audit On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > Hi everyone, > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. Looking at Linus' current tree I see the AUDIT_ARCH_* defines in include/uapi/linux/audit.h; looking on my system right now I see the defines in /usr/include/linux/audit.h. What kernel repository and distribution are you using? > Questions: > > Is it really necessary to validate the arch value when syscall numbers are > already target-specific? > (If not, should this be added to the docs?) Checking the arch/ABI value is important so that you can ensure that you are using the syscall number in the proper context. For example, look at the access(2) syscall: it is undefined on some ABIs and can take either a value of 20, 21, or 33 depending on the arch/ABI. Unfortunately this is rather common. Checking the arch/ABI value is also handy if you want to quickly disallow certain ABIs on a system that supports multiple ABI, e.g. disabling 32-bit x86 on a 64-bit x86_64 system. > Would it make sense to expose the audit arch matching the syscall numbers in > the uapi headers? Yes, which is why the existing headers do so ;) If you don't see the header files I mentioned above, it may be worth checking your kernel source repository and your distribution's installed kernel header files. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-28 16:59 ` Paul Moore @ 2021-06-28 17:13 ` Thomas Weißschuh -1 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-28 17:13 UTC (permalink / raw) To: Paul Moore; +Cc: linux-audit, bpf Hi Paul, thanks for your response! On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > Hi everyone, > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > include/uapi/linux/audit.h; looking on my system right now I see the > defines in /usr/include/linux/audit.h. What kernel repository and > distribution are you using? I am using ArchLinux and also have all these defines. > > Questions: > > > > Is it really necessary to validate the arch value when syscall numbers are > > already target-specific? > > (If not, should this be added to the docs?) > > Checking the arch/ABI value is important so that you can ensure that > you are using the syscall number in the proper context. For example, > look at the access(2) syscall: it is undefined on some ABIs and can > take either a value of 20, 21, or 33 depending on the arch/ABI. > Unfortunately this is rather common. But when if I am not hardcoding the syscall numbers but use the __NR_access kernel define then I should always get the correct number for the ABI I am compiling for (or an error if the syscall does not exist), no? > Checking the arch/ABI value is also handy if you want to quickly > disallow certain ABIs on a system that supports multiple ABI, e.g. > disabling 32-bit x86 on a 64-bit x86_64 system. > > > Would it make sense to expose the audit arch matching the syscall numbers in > > the uapi headers? > > Yes, which is why the existing headers do so ;) If you don't see the > header files I mentioned above, it may be worth checking your kernel > source repository and your distribution's installed kernel header > files. I do see constants for all the possible ABIs but not one constant that always represents the one I am currently compiling for. The same way the syscall number defines always give me the syscall number for the currently targeted ABI. Thomas ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 17:13 ` Thomas Weißschuh 0 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-28 17:13 UTC (permalink / raw) To: Paul Moore; +Cc: bpf, linux-audit Hi Paul, thanks for your response! On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > Hi everyone, > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > include/uapi/linux/audit.h; looking on my system right now I see the > defines in /usr/include/linux/audit.h. What kernel repository and > distribution are you using? I am using ArchLinux and also have all these defines. > > Questions: > > > > Is it really necessary to validate the arch value when syscall numbers are > > already target-specific? > > (If not, should this be added to the docs?) > > Checking the arch/ABI value is important so that you can ensure that > you are using the syscall number in the proper context. For example, > look at the access(2) syscall: it is undefined on some ABIs and can > take either a value of 20, 21, or 33 depending on the arch/ABI. > Unfortunately this is rather common. But when if I am not hardcoding the syscall numbers but use the __NR_access kernel define then I should always get the correct number for the ABI I am compiling for (or an error if the syscall does not exist), no? > Checking the arch/ABI value is also handy if you want to quickly > disallow certain ABIs on a system that supports multiple ABI, e.g. > disabling 32-bit x86 on a 64-bit x86_64 system. > > > Would it make sense to expose the audit arch matching the syscall numbers in > > the uapi headers? > > Yes, which is why the existing headers do so ;) If you don't see the > header files I mentioned above, it may be worth checking your kernel > source repository and your distribution's installed kernel header > files. I do see constants for all the possible ABIs but not one constant that always represents the one I am currently compiling for. The same way the syscall number defines always give me the syscall number for the currently targeted ABI. Thomas -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-28 17:13 ` Thomas Weißschuh @ 2021-06-28 17:34 ` Paul Moore -1 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-28 17:34 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: linux-audit, bpf On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > Hi Paul, > > thanks for your response! Hi :) > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > > Hi everyone, > > > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. > > > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > > include/uapi/linux/audit.h; looking on my system right now I see the > > defines in /usr/include/linux/audit.h. What kernel repository and > > distribution are you using? > > I am using ArchLinux and also have all these defines. > > > > Questions: > > > > > > Is it really necessary to validate the arch value when syscall numbers are > > > already target-specific? > > > (If not, should this be added to the docs?) > > > > Checking the arch/ABI value is important so that you can ensure that > > you are using the syscall number in the proper context. For example, > > look at the access(2) syscall: it is undefined on some ABIs and can > > take either a value of 20, 21, or 33 depending on the arch/ABI. > > Unfortunately this is rather common. > > But when if I am not hardcoding the syscall numbers but use the > __NR_access kernel define then I should always get the correct number for the > ABI I am compiling for (or an error if the syscall does not exist), no? Remember that seccomp filters are inherited across forks, so if your application loads an ABI specific filter and then fork()/exec()'s an application with a different ABI you could be in trouble. We saw this some years ago when people started running containers with ABIs other than the native system; if the container orchestrator didn't load a filter that knew about these non-native ABIs Bad Things happened. I'm sure you are already aware of libseccomp, but if not you may want to consider it for your application. Not only does it provide a safe and easy way to handle multiple ABIs in a single filter, it handles other seccomp problem areas like build/runtime system differences in the syscall tables/defines as well as the oddball nature of direct-call and multiplexed socket related syscalls, i.e. socketcall() vs socket(), etc. > > Checking the arch/ABI value is also handy if you want to quickly > > disallow certain ABIs on a system that supports multiple ABI, e.g. > > disabling 32-bit x86 on a 64-bit x86_64 system. > > > > > Would it make sense to expose the audit arch matching the syscall numbers in > > > the uapi headers? > > > > Yes, which is why the existing headers do so ;) If you don't see the > > header files I mentioned above, it may be worth checking your kernel > > source repository and your distribution's installed kernel header > > files. > > I do see constants for all the possible ABIs but not one constant that always > represents the one I am currently compiling for. > The same way the syscall number defines always give me the syscall number for > the currently targeted ABI. I'm sorry, but I don't quite understand what you are looking for in the header files ... ? It might help if you could provide a concrete example of what you would like to see in the header files? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 17:34 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-28 17:34 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: bpf, linux-audit On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > Hi Paul, > > thanks for your response! Hi :) > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > > Hi everyone, > > > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. > > > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > > include/uapi/linux/audit.h; looking on my system right now I see the > > defines in /usr/include/linux/audit.h. What kernel repository and > > distribution are you using? > > I am using ArchLinux and also have all these defines. > > > > Questions: > > > > > > Is it really necessary to validate the arch value when syscall numbers are > > > already target-specific? > > > (If not, should this be added to the docs?) > > > > Checking the arch/ABI value is important so that you can ensure that > > you are using the syscall number in the proper context. For example, > > look at the access(2) syscall: it is undefined on some ABIs and can > > take either a value of 20, 21, or 33 depending on the arch/ABI. > > Unfortunately this is rather common. > > But when if I am not hardcoding the syscall numbers but use the > __NR_access kernel define then I should always get the correct number for the > ABI I am compiling for (or an error if the syscall does not exist), no? Remember that seccomp filters are inherited across forks, so if your application loads an ABI specific filter and then fork()/exec()'s an application with a different ABI you could be in trouble. We saw this some years ago when people started running containers with ABIs other than the native system; if the container orchestrator didn't load a filter that knew about these non-native ABIs Bad Things happened. I'm sure you are already aware of libseccomp, but if not you may want to consider it for your application. Not only does it provide a safe and easy way to handle multiple ABIs in a single filter, it handles other seccomp problem areas like build/runtime system differences in the syscall tables/defines as well as the oddball nature of direct-call and multiplexed socket related syscalls, i.e. socketcall() vs socket(), etc. > > Checking the arch/ABI value is also handy if you want to quickly > > disallow certain ABIs on a system that supports multiple ABI, e.g. > > disabling 32-bit x86 on a 64-bit x86_64 system. > > > > > Would it make sense to expose the audit arch matching the syscall numbers in > > > the uapi headers? > > > > Yes, which is why the existing headers do so ;) If you don't see the > > header files I mentioned above, it may be worth checking your kernel > > source repository and your distribution's installed kernel header > > files. > > I do see constants for all the possible ABIs but not one constant that always > represents the one I am currently compiling for. > The same way the syscall number defines always give me the syscall number for > the currently targeted ABI. I'm sorry, but I don't quite understand what you are looking for in the header files ... ? It might help if you could provide a concrete example of what you would like to see in the header files? -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-28 17:34 ` Paul Moore @ 2021-06-28 17:58 ` Thomas Weißschuh -1 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-28 17:58 UTC (permalink / raw) To: Paul Moore; +Cc: linux-audit, bpf Hi again! On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > > > > Hi everyone, > > > > > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > > > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. > > > > > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > > > include/uapi/linux/audit.h; looking on my system right now I see the > > > defines in /usr/include/linux/audit.h. What kernel repository and > > > distribution are you using? > > > > I am using ArchLinux and also have all these defines. > > > > > > Questions: > > > > > > > > Is it really necessary to validate the arch value when syscall numbers are > > > > already target-specific? > > > > (If not, should this be added to the docs?) > > > > > > Checking the arch/ABI value is important so that you can ensure that > > > you are using the syscall number in the proper context. For example, > > > look at the access(2) syscall: it is undefined on some ABIs and can > > > take either a value of 20, 21, or 33 depending on the arch/ABI. > > > Unfortunately this is rather common. > > > > But when if I am not hardcoding the syscall numbers but use the > > __NR_access kernel define then I should always get the correct number for the > > ABI I am compiling for (or an error if the syscall does not exist), no? > > Remember that seccomp filters are inherited across forks, so if your > application loads an ABI specific filter and then fork()/exec()'s an > application with a different ABI you could be in trouble. We saw this > some years ago when people started running containers with ABIs other > than the native system; if the container orchestrator didn't load a > filter that knew about these non-native ABIs Bad Things happened. My application will not be able to spawn any new processes. It is limited to write() and exit(). Also this is a low-level system application so it should always be compiled for the native ABI. So this should not be an issue. > I'm sure you are already aware of libseccomp, but if not you may want > to consider it for your application. Not only does it provide a safe > and easy way to handle multiple ABIs in a single filter, it handles > other seccomp problem areas like build/runtime system differences in > the syscall tables/defines as well as the oddball nature of > direct-call and multiplexed socket related syscalls, i.e. socketcall() > vs socket(), etc. For a larger application this would be indeed my choice. But for a small application like mine I don't think it is worth it. libseccomp for example does provide a way to get the native audit arch: `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on various compiler defines to detect the ABI compiled for. I'd like the kernel to provide this out-of-the box, so I don't have to have the same ifdefs in my application(s) and keep them up to date. I found that the kernel internally already has a definition for my usecase: SECCOMP_ARCH_NATIVE. It is just not exported to userspace. > > > Checking the arch/ABI value is also handy if you want to quickly > > > disallow certain ABIs on a system that supports multiple ABI, e.g. > > > disabling 32-bit x86 on a 64-bit x86_64 system. > > > > > > > Would it make sense to expose the audit arch matching the syscall numbers in > > > > the uapi headers? > > > > > > Yes, which is why the existing headers do so ;) If you don't see the > > > header files I mentioned above, it may be worth checking your kernel > > > source repository and your distribution's installed kernel header > > > files. > > > > I do see constants for all the possible ABIs but not one constant that always > > represents the one I am currently compiling for. > > The same way the syscall number defines always give me the syscall number for > > the currently targeted ABI. > > I'm sorry, but I don't quite understand what you are looking for in > the header files ... ? It might help if you could provide a concrete > example of what you would like to see in the header files? I want to do something like the follwing inside my program to assemble a seccomp filter that will be loaded before the error-prone parts of the application will begin. 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), In line 4 I can already have the kernel headers provide me the correct syscall number for the ABI my application is compiled for. For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of having a kernel header provide the correct value. Thomas ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 17:58 ` Thomas Weißschuh 0 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-28 17:58 UTC (permalink / raw) To: Paul Moore; +Cc: bpf, linux-audit Hi again! On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > > > > Hi everyone, > > > > > > > > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches > > > > the currently visible syscall numbers (__NR_...) from the kernel uapi headers. > > > > > > Looking at Linus' current tree I see the AUDIT_ARCH_* defines in > > > include/uapi/linux/audit.h; looking on my system right now I see the > > > defines in /usr/include/linux/audit.h. What kernel repository and > > > distribution are you using? > > > > I am using ArchLinux and also have all these defines. > > > > > > Questions: > > > > > > > > Is it really necessary to validate the arch value when syscall numbers are > > > > already target-specific? > > > > (If not, should this be added to the docs?) > > > > > > Checking the arch/ABI value is important so that you can ensure that > > > you are using the syscall number in the proper context. For example, > > > look at the access(2) syscall: it is undefined on some ABIs and can > > > take either a value of 20, 21, or 33 depending on the arch/ABI. > > > Unfortunately this is rather common. > > > > But when if I am not hardcoding the syscall numbers but use the > > __NR_access kernel define then I should always get the correct number for the > > ABI I am compiling for (or an error if the syscall does not exist), no? > > Remember that seccomp filters are inherited across forks, so if your > application loads an ABI specific filter and then fork()/exec()'s an > application with a different ABI you could be in trouble. We saw this > some years ago when people started running containers with ABIs other > than the native system; if the container orchestrator didn't load a > filter that knew about these non-native ABIs Bad Things happened. My application will not be able to spawn any new processes. It is limited to write() and exit(). Also this is a low-level system application so it should always be compiled for the native ABI. So this should not be an issue. > I'm sure you are already aware of libseccomp, but if not you may want > to consider it for your application. Not only does it provide a safe > and easy way to handle multiple ABIs in a single filter, it handles > other seccomp problem areas like build/runtime system differences in > the syscall tables/defines as well as the oddball nature of > direct-call and multiplexed socket related syscalls, i.e. socketcall() > vs socket(), etc. For a larger application this would be indeed my choice. But for a small application like mine I don't think it is worth it. libseccomp for example does provide a way to get the native audit arch: `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on various compiler defines to detect the ABI compiled for. I'd like the kernel to provide this out-of-the box, so I don't have to have the same ifdefs in my application(s) and keep them up to date. I found that the kernel internally already has a definition for my usecase: SECCOMP_ARCH_NATIVE. It is just not exported to userspace. > > > Checking the arch/ABI value is also handy if you want to quickly > > > disallow certain ABIs on a system that supports multiple ABI, e.g. > > > disabling 32-bit x86 on a 64-bit x86_64 system. > > > > > > > Would it make sense to expose the audit arch matching the syscall numbers in > > > > the uapi headers? > > > > > > Yes, which is why the existing headers do so ;) If you don't see the > > > header files I mentioned above, it may be worth checking your kernel > > > source repository and your distribution's installed kernel header > > > files. > > > > I do see constants for all the possible ABIs but not one constant that always > > represents the one I am currently compiling for. > > The same way the syscall number defines always give me the syscall number for > > the currently targeted ABI. > > I'm sorry, but I don't quite understand what you are looking for in > the header files ... ? It might help if you could provide a concrete > example of what you would like to see in the header files? I want to do something like the follwing inside my program to assemble a seccomp filter that will be loaded before the error-prone parts of the application will begin. 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), In line 4 I can already have the kernel headers provide me the correct syscall number for the ABI my application is compiled for. For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of having a kernel header provide the correct value. Thomas -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-28 17:58 ` Thomas Weißschuh @ 2021-06-28 22:43 ` Paul Moore -1 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-28 22:43 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: linux-audit, bpf On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > Hi again! !!! :) > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: ... > > Remember that seccomp filters are inherited across forks, so if your > > application loads an ABI specific filter and then fork()/exec()'s an > > application with a different ABI you could be in trouble. We saw this > > some years ago when people started running containers with ABIs other > > than the native system; if the container orchestrator didn't load a > > filter that knew about these non-native ABIs Bad Things happened. > > My application will not be able to spawn any new processes. > It is limited to write() and exit(). > Also this is a low-level system application so it should always be compiled for > the native ABI. > So this should not be an issue. > > > I'm sure you are already aware of libseccomp, but if not you may want > > to consider it for your application. Not only does it provide a safe > > and easy way to handle multiple ABIs in a single filter, it handles > > other seccomp problem areas like build/runtime system differences in > > the syscall tables/defines as well as the oddball nature of > > direct-call and multiplexed socket related syscalls, i.e. socketcall() > > vs socket(), etc. > > For a larger application this would be indeed my choice. > But for a small application like mine I don't think it is worth it. > libseccomp for example does provide a way to get the native audit arch: > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on > various compiler defines to detect the ABI compiled for. > > I'd like the kernel to provide this out-of-the box, so I don't have to have the > same ifdefs in my application(s) and keep them up to date. > > I found that the kernel internally already has a definition for my usecase: > SECCOMP_ARCH_NATIVE. > It is just not exported to userspace. I'm not sure that keeping the ifdefs up to date is going to be that hard, and honestly that is the right place to do it IMHO. The kernel can support any number of ABIs, but in the narrow use case you are describing in this thread you only care about the ABI of your own application; it doesn't sound like you really care about the kernel's ABI, but rather your application's ABI. > > I'm sorry, but I don't quite understand what you are looking for in > > the header files ... ? It might help if you could provide a concrete > > example of what you would like to see in the header files? > > I want to do something like the follwing inside my program to assemble a > seccomp filter that will be loaded before the error-prone parts of the > application will begin. > > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), > > In line 4 I can already have the kernel headers provide me the correct syscall > number for the ABI my application is compiled for. > > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of > having a kernel header provide the correct value. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-28 22:43 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-28 22:43 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: bpf, linux-audit On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > Hi again! !!! :) > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: ... > > Remember that seccomp filters are inherited across forks, so if your > > application loads an ABI specific filter and then fork()/exec()'s an > > application with a different ABI you could be in trouble. We saw this > > some years ago when people started running containers with ABIs other > > than the native system; if the container orchestrator didn't load a > > filter that knew about these non-native ABIs Bad Things happened. > > My application will not be able to spawn any new processes. > It is limited to write() and exit(). > Also this is a low-level system application so it should always be compiled for > the native ABI. > So this should not be an issue. > > > I'm sure you are already aware of libseccomp, but if not you may want > > to consider it for your application. Not only does it provide a safe > > and easy way to handle multiple ABIs in a single filter, it handles > > other seccomp problem areas like build/runtime system differences in > > the syscall tables/defines as well as the oddball nature of > > direct-call and multiplexed socket related syscalls, i.e. socketcall() > > vs socket(), etc. > > For a larger application this would be indeed my choice. > But for a small application like mine I don't think it is worth it. > libseccomp for example does provide a way to get the native audit arch: > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on > various compiler defines to detect the ABI compiled for. > > I'd like the kernel to provide this out-of-the box, so I don't have to have the > same ifdefs in my application(s) and keep them up to date. > > I found that the kernel internally already has a definition for my usecase: > SECCOMP_ARCH_NATIVE. > It is just not exported to userspace. I'm not sure that keeping the ifdefs up to date is going to be that hard, and honestly that is the right place to do it IMHO. The kernel can support any number of ABIs, but in the narrow use case you are describing in this thread you only care about the ABI of your own application; it doesn't sound like you really care about the kernel's ABI, but rather your application's ABI. > > I'm sorry, but I don't quite understand what you are looking for in > > the header files ... ? It might help if you could provide a concrete > > example of what you would like to see in the header files? > > I want to do something like the follwing inside my program to assemble a > seccomp filter that will be loaded before the error-prone parts of the > application will begin. > > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), > > In line 4 I can already have the kernel headers provide me the correct syscall > number for the ABI my application is compiled for. > > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of > having a kernel header provide the correct value. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-28 22:43 ` Paul Moore @ 2021-06-29 10:40 ` Thomas Weißschuh -1 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-29 10:40 UTC (permalink / raw) To: Paul Moore; +Cc: linux-audit, bpf On Mo, 2021-06-28T18:43-0400, Paul Moore wrote: > On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > Hi again! > > !!! :) Indeed, hi! > > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > ... > > > > Remember that seccomp filters are inherited across forks, so if your > > > application loads an ABI specific filter and then fork()/exec()'s an > > > application with a different ABI you could be in trouble. We saw this > > > some years ago when people started running containers with ABIs other > > > than the native system; if the container orchestrator didn't load a > > > filter that knew about these non-native ABIs Bad Things happened. > > > > My application will not be able to spawn any new processes. > > It is limited to write() and exit(). > > Also this is a low-level system application so it should always be compiled for > > the native ABI. > > So this should not be an issue. > > > > > I'm sure you are already aware of libseccomp, but if not you may want > > > to consider it for your application. Not only does it provide a safe > > > and easy way to handle multiple ABIs in a single filter, it handles > > > other seccomp problem areas like build/runtime system differences in > > > the syscall tables/defines as well as the oddball nature of > > > direct-call and multiplexed socket related syscalls, i.e. socketcall() > > > vs socket(), etc. > > > > For a larger application this would be indeed my choice. > > But for a small application like mine I don't think it is worth it. > > libseccomp for example does provide a way to get the native audit arch: > > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on > > various compiler defines to detect the ABI compiled for. > > > > I'd like the kernel to provide this out-of-the box, so I don't have to have the > > same ifdefs in my application(s) and keep them up to date. > > > > I found that the kernel internally already has a definition for my usecase: > > SECCOMP_ARCH_NATIVE. > > It is just not exported to userspace. > > I'm not sure that keeping the ifdefs up to date is going to be that > hard, and honestly that is the right place to do it IMHO. The kernel > can support any number of ABIs, but in the narrow use case you are > describing in this thread you only care about the ABI of your own > application; it doesn't sound like you really care about the kernel's > ABI, but rather your application's ABI. Ok, fair enough. My goal was to keep the amount of support code in my application small. Out of 250 lines of code 100 are actual business logic, 50 are the current seccomp code and the ifdefs would be another 50 (looking at those in libseccomp). Having a #define provided by the kernel headers, which already cares about my application ABI when providing the syscall numbers, would have sidestepped all clutter and maintenance issues neatly. I'll add my own logic then. To get back to my other question: Is there any chance a single given process can have multiple different ABIs active at the same time? Without using special syscalls to switch between them. Because if that is not possible I can skip the checks for the arch completely because the filter is constructed at compile time for the specific ABI targetted and all funky syscalls are forbidden anyways. > > > I'm sorry, but I don't quite understand what you are looking for in > > > the header files ... ? It might help if you could provide a concrete > > > example of what you would like to see in the header files? > > > > I want to do something like the follwing inside my program to assemble a > > seccomp filter that will be loaded before the error-prone parts of the > > application will begin. > > > > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), > > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) > > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), > > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), > > > > In line 4 I can already have the kernel headers provide me the correct syscall > > number for the ABI my application is compiled for. > > > > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of > > having a kernel header provide the correct value. PS: I know that this seems to be a lot of discussion for fairly little gain in this specific case, but I'd like to use seccomp filters in the future more and am trying to find the most unobtrusive way to add them to applications for each given usecase. (For any larger applications that will certainly include libseccomp, but that feels overkill for very specific, zero-runtime-dependency utilities) Thanks again! Thomas ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-29 10:40 ` Thomas Weißschuh 0 siblings, 0 replies; 16+ messages in thread From: Thomas Weißschuh @ 2021-06-29 10:40 UTC (permalink / raw) To: Paul Moore; +Cc: bpf, linux-audit On Mo, 2021-06-28T18:43-0400, Paul Moore wrote: > On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > Hi again! > > !!! :) Indeed, hi! > > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > ... > > > > Remember that seccomp filters are inherited across forks, so if your > > > application loads an ABI specific filter and then fork()/exec()'s an > > > application with a different ABI you could be in trouble. We saw this > > > some years ago when people started running containers with ABIs other > > > than the native system; if the container orchestrator didn't load a > > > filter that knew about these non-native ABIs Bad Things happened. > > > > My application will not be able to spawn any new processes. > > It is limited to write() and exit(). > > Also this is a low-level system application so it should always be compiled for > > the native ABI. > > So this should not be an issue. > > > > > I'm sure you are already aware of libseccomp, but if not you may want > > > to consider it for your application. Not only does it provide a safe > > > and easy way to handle multiple ABIs in a single filter, it handles > > > other seccomp problem areas like build/runtime system differences in > > > the syscall tables/defines as well as the oddball nature of > > > direct-call and multiplexed socket related syscalls, i.e. socketcall() > > > vs socket(), etc. > > > > For a larger application this would be indeed my choice. > > But for a small application like mine I don't think it is worth it. > > libseccomp for example does provide a way to get the native audit arch: > > `uint32_t seccomp_arch_native(void);`. It is implemented by ifdef-ing on > > various compiler defines to detect the ABI compiled for. > > > > I'd like the kernel to provide this out-of-the box, so I don't have to have the > > same ifdefs in my application(s) and keep them up to date. > > > > I found that the kernel internally already has a definition for my usecase: > > SECCOMP_ARCH_NATIVE. > > It is just not exported to userspace. > > I'm not sure that keeping the ifdefs up to date is going to be that > hard, and honestly that is the right place to do it IMHO. The kernel > can support any number of ABIs, but in the narrow use case you are > describing in this thread you only care about the ABI of your own > application; it doesn't sound like you really care about the kernel's > ABI, but rather your application's ABI. Ok, fair enough. My goal was to keep the amount of support code in my application small. Out of 250 lines of code 100 are actual business logic, 50 are the current seccomp code and the ifdefs would be another 50 (looking at those in libseccomp). Having a #define provided by the kernel headers, which already cares about my application ABI when providing the syscall numbers, would have sidestepped all clutter and maintenance issues neatly. I'll add my own logic then. To get back to my other question: Is there any chance a single given process can have multiple different ABIs active at the same time? Without using special syscalls to switch between them. Because if that is not possible I can skip the checks for the arch completely because the filter is constructed at compile time for the specific ABI targetted and all funky syscalls are forbidden anyways. > > > I'm sorry, but I don't quite understand what you are looking for in > > > the header files ... ? It might help if you could provide a concrete > > > example of what you would like to see in the header files? > > > > I want to do something like the follwing inside my program to assemble a > > seccomp filter that will be loaded before the error-prone parts of the > > application will begin. > > > > 1: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_arch), > > 2: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH_NATIVE, 0, $KILL) > > 3: BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr), > > 4: BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, $ALLOW, $KILL), > > > > In line 4 I can already have the kernel headers provide me the correct syscall > > number for the ABI my application is compiled for. > > > > For line 2 however I need to define AUDIT_ARCH_CURRENT on my own instead of > > having a kernel header provide the correct value. PS: I know that this seems to be a lot of discussion for fairly little gain in this specific case, but I'd like to use seccomp filters in the future more and am trying to find the most unobtrusive way to add them to applications for each given usecase. (For any larger applications that will certainly include libseccomp, but that feels overkill for very specific, zero-runtime-dependency utilities) Thanks again! Thomas -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters 2021-06-29 10:40 ` Thomas Weißschuh @ 2021-06-29 23:41 ` Paul Moore -1 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-29 23:41 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: linux-audit, bpf On Tue, Jun 29, 2021 at 6:40 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > On Mo, 2021-06-28T18:43-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > > Hi again! > > > > !!! :) > > Indeed, hi! 'sup. > > > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: ... > To get back to my other question: > > Is there any chance a single given process can have multiple different ABIs > active at the same time? > Without using special syscalls to switch between them. > > Because if that is not possible I can skip the checks for the arch completely > because the filter is constructed at compile time for the specific ABI > targetted and all funky syscalls are forbidden anyways. Is it common for a single executing process/executable to use multiple ABIs? No, I don't think so, although maybe someone can provide an example where this happens normally. However, don't ignore what might be possible from a malicious userspace. :) > PS: I know that this seems to be a lot of discussion for fairly little gain in > this specific case, but I'd like to use seccomp filters in the future more and > am trying to find the most unobtrusive way to add them to applications for each > given usecase. > (For any larger applications that will certainly include libseccomp, but that > feels overkill for very specific, zero-runtime-dependency utilities) One thing to keep in mind is the maintainability of these tools you are creating. For example, several years ago there was no such thing as direct socket syscalls on 32-bit x86, but now they exist alongside the legacy socketcall() syscall. Do your custom seccomp filters handle that properly, for all combinations of kernel and libc? What about your older tools that were written back when socketcall() was the only option? There is also the issue of x86_64 and x32, but that may be of little interest to you, and I hear that x32 may be deprecated in the future (woo hoo!). Regardless, there are lots of interesting corner cases with seccomp so I would urge you to do your homework before using custom filters in critical tools. Good luck! -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters @ 2021-06-29 23:41 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2021-06-29 23:41 UTC (permalink / raw) To: Thomas Weißschuh; +Cc: bpf, linux-audit On Tue, Jun 29, 2021 at 6:40 AM Thomas Weißschuh <linux@weissschuh.net> wrote: > > On Mo, 2021-06-28T18:43-0400, Paul Moore wrote: > > On Mon, Jun 28, 2021 at 1:58 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > > Hi again! > > > > !!! :) > > Indeed, hi! 'sup. > > > On Mo, 2021-06-28T13:34-0400, Paul Moore wrote: > > > > On Mon, Jun 28, 2021 at 1:13 PM Thomas Weißschuh <linux@weissschuh.net> wrote: > > > > > On Mo, 2021-06-28T12:59-0400, Paul Moore wrote: > > > > > > On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote: ... > To get back to my other question: > > Is there any chance a single given process can have multiple different ABIs > active at the same time? > Without using special syscalls to switch between them. > > Because if that is not possible I can skip the checks for the arch completely > because the filter is constructed at compile time for the specific ABI > targetted and all funky syscalls are forbidden anyways. Is it common for a single executing process/executable to use multiple ABIs? No, I don't think so, although maybe someone can provide an example where this happens normally. However, don't ignore what might be possible from a malicious userspace. :) > PS: I know that this seems to be a lot of discussion for fairly little gain in > this specific case, but I'd like to use seccomp filters in the future more and > am trying to find the most unobtrusive way to add them to applications for each > given usecase. > (For any larger applications that will certainly include libseccomp, but that > feels overkill for very specific, zero-runtime-dependency utilities) One thing to keep in mind is the maintainability of these tools you are creating. For example, several years ago there was no such thing as direct socket syscalls on 32-bit x86, but now they exist alongside the legacy socketcall() syscall. Do your custom seccomp filters handle that properly, for all combinations of kernel and libc? What about your older tools that were written back when socketcall() was the only option? There is also the issue of x86_64 and x32, but that may be of little interest to you, and I hear that x32 may be deprecated in the future (woo hoo!). Regardless, there are lots of interesting corner cases with seccomp so I would urge you to do your homework before using custom filters in critical tools. Good luck! -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2021-06-29 23:42 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-06-28 7:31 AUDIT_ARCH_ and __NR_syscall constants for seccomp filters Thomas Weißschuh 2021-06-28 7:31 ` Thomas Weißschuh 2021-06-28 16:59 ` Paul Moore 2021-06-28 16:59 ` Paul Moore 2021-06-28 17:13 ` Thomas Weißschuh 2021-06-28 17:13 ` Thomas Weißschuh 2021-06-28 17:34 ` Paul Moore 2021-06-28 17:34 ` Paul Moore 2021-06-28 17:58 ` Thomas Weißschuh 2021-06-28 17:58 ` Thomas Weißschuh 2021-06-28 22:43 ` Paul Moore 2021-06-28 22:43 ` Paul Moore 2021-06-29 10:40 ` Thomas Weißschuh 2021-06-29 10:40 ` Thomas Weißschuh 2021-06-29 23:41 ` Paul Moore 2021-06-29 23:41 ` Paul Moore
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.