
Bug#996025: bullseye-pu: package libseccomp/2.5.1-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
libseccomp 2.5.1 only knows about syscalls up to Linux 5.8.
The proposed changes add the syscalls up to Linux 5.14.

[ Impact ]
Syscalls for Linux 5.9 and 5.10 can't be allowed.

Software built with support for newer kernels (often the case in containers)
expects newer syscalls to work or return ENOSYS.
If that syscall is not supported by libseccomp and a default filter action of
returning EPERM is used, such software will break.
Therefore you often need to be able to allow a syscall even when the running
kernel doesn't support it.

[ Tests ]
* autopkgtest passes on amd64
* Verified adding a filter for the close_range() syscall works (new in 5.9)
* Verified that systemd and Docker run

[ Risks ]
The changes only extend the syscall csv table and add new syscall defines.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream commits to support syscalls up to Linux 5.14.
diff -Nru libseccomp-2.5.1/debian/changelog libseccomp-2.5.1/debian/changelog
--- libseccomp-2.5.1/debian/changelog	2020-12-21 10:50:30.000000000 +0100
+++ libseccomp-2.5.1/debian/changelog	2021-10-10 13:35:59.000000000 +0200
@@ -1,3 +1,9 @@
+libseccomp (2.5.1-1+deb11u1) bullseye; urgency=medium
+
+  * Add support for syscalls up to Linux 5.14.
+
+ -- Felix Geyer <fgeyer@debian.org>  Sun, 10 Oct 2021 13:35:59 +0200
+
 libseccomp (2.5.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libseccomp-2.5.1/debian/patches/series libseccomp-2.5.1/debian/patches/series
--- libseccomp-2.5.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/series	2021-10-10 13:05:00.000000000 +0200
@@ -0,0 +1,3 @@
+syscalls_update_the_syscall_table_to_v5.12-rc7.patch
+syscalls_add_close_range_syscall.patch
+syscalls_update_to_Linux_v5.14-rc7.patch
diff -Nru libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch
--- libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch	1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/syscalls_add_close_range_syscall.patch	2021-10-10 13:05:00.000000000 +0200
@@ -0,0 +1,30 @@
+From ac849e7960547d418009a783da654d5917dbfe2d Mon Sep 17 00:00:00 2001
+From: Sascha Grunert <sgrunert@redhat.com>
+Date: Fri, 16 Jul 2021 12:13:36 +0200
+Subject: [PATCH] syscalls: add close_range() syscall
+
+The syscall has been added a while ago so we should support resolving
+it, too.
+
+Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
+Reviewed-by: Tom Hromatka <tom.hromatka@oracle.com>
+[PM: subject line tweak]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+(imported from commit 01e5750e7c84bb14e5a5410c924bed519209db06)
+---
+ include/seccomp-syscalls.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 7b69214c..1ca500be 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -476,6 +476,8 @@
+ 
+ #define __SNR_close			__NR_close
+ 
++#define __SNR_close_range		__NR_close_range
++
+ #ifdef __NR_connect
+ #define __SNR_connect			__NR_connect
+ #else
diff -Nru libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch
--- libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch	1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/syscalls_update_the_syscall_table_to_v5.12-rc7.patch	2021-10-10 13:05:00.000000000 +0200
@@ -0,0 +1,73 @@
+From c56a00fe173a7dd5a8326431ae28863ce432bbc1 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sat, 17 Apr 2021 16:30:48 -0400
+Subject: [PATCH] syscalls: update the syscall table to v5.12-rc7
+
+Due to additional ABIs in main we can't do a simple backport or copy
+of the syscall table so we are generating it directly in the
+release-2.5 branch.
+
+This patch also fixes the missing faccessat2() #defines in the
+seccomp-syscalls.h header file.
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ include/seccomp-syscalls.h | 2 ++
+ src/syscalls.csv           | 6 +++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 2a4ebd3d..7b69214c 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -564,6 +564,8 @@
+ 
+ #define __SNR_faccessat			__NR_faccessat
+ 
++#define __SNR_faccessat2		__NR_faccessat2
++
+ #ifdef __NR_fadvise64
+ #define __SNR_fadvise64			__NR_fadvise64
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index 11d087a6..4c828697 100644
+--- a/src/syscalls.csv
++++ b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.8.0-rc5 2020-07-14),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
++#syscall (v5.12.0-rc7 2021-04-17),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
+ accept,PNR,43,43,285,202,168,42,42,35,35,330,330,202,PNR,PNR
+ accept4,364,288,288,366,242,334,293,297,320,320,344,344,242,364,364
+ access,33,21,21,33,PNR,33,20,20,33,33,33,33,PNR,33,33
+@@ -38,6 +38,7 @@ clock_settime64,404,PNR,PNR,404,PNR,404,PNR,404,404,PNR,404,PNR,PNR,404,PNR
+ clone,120,56,56,120,220,120,55,55,120,120,120,120,220,120,120
+ clone3,435,435,435,435,435,435,435,435,435,435,435,435,435,435,435
+ close,6,3,3,6,57,6,3,3,6,6,6,6,57,6,6
++close_range,436,436,436,436,436,436,436,436,436,436,436,436,436,436,436
+ connect,362,42,42,283,203,170,41,41,31,31,328,328,203,362,362
+ copy_file_range,377,326,326,391,285,360,320,324,346,346,379,379,285,375,375
+ creat,8,85,85,8,PNR,8,83,83,8,8,8,8,PNR,8,8
+@@ -51,6 +52,7 @@ epoll_create1,329,291,291,357,20,326,285,289,311,311,315,315,20,327,327
+ epoll_ctl,255,233,233,251,21,249,208,208,225,225,237,237,21,250,250
+ epoll_ctl_old,PNR,214,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ epoll_pwait,319,281,281,346,22,313,272,276,297,297,303,303,22,312,312
++epoll_pwait2,441,441,441,441,441,441,441,441,441,441,441,441,441,441,441
+ epoll_wait,256,232,232,252,PNR,250,209,209,226,226,238,238,PNR,251,251
+ epoll_wait_old,PNR,215,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ eventfd,323,284,284,351,PNR,319,278,282,304,304,307,307,PNR,318,318
+@@ -199,6 +201,7 @@ mmap,90,9,9,PNR,222,90,9,9,90,90,90,90,222,90,90
+ mmap2,192,PNR,PNR,192,PNR,210,PNR,PNR,89,89,192,PNR,PNR,192,PNR
+ modify_ldt,123,154,154,PNR,PNR,123,PNR,PNR,PNR,PNR,123,123,PNR,PNR,PNR
+ mount,21,165,165,21,40,21,160,160,21,21,21,21,40,21,21
++mount_setattr,442,442,442,442,442,442,442,442,442,442,442,442,442,442,442
+ move_mount,429,429,429,429,429,429,429,429,429,429,429,429,429,429,429
+ move_pages,317,279,533,344,239,308,267,271,295,295,301,301,239,310,310
+ mprotect,125,10,10,125,226,125,10,10,125,125,125,125,226,125,125
+@@ -260,6 +263,7 @@ pread64,180,17,17,180,67,200,16,16,108,108,179,179,67,180,180
+ preadv,333,295,534,361,69,330,289,293,315,315,320,320,69,328,328
+ preadv2,378,327,546,392,286,361,321,325,347,347,380,380,286,376,376
+ prlimit64,340,302,302,369,261,338,297,302,321,321,325,325,261,334,334
++process_madvise,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440
+ process_vm_readv,347,310,539,376,270,345,304,309,330,330,351,351,270,340,340
+ process_vm_writev,348,311,540,377,271,346,305,310,331,331,352,352,271,341,341
+ prof,44,PNR,PNR,PNR,PNR,44,PNR,PNR,PNR,PNR,44,44,PNR,PNR,PNR
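Review bot: The csv rows added in this patch for epoll_pwait2, mount_setattr and process_madvise have no matching `__SNR_` entries in include/seccomp-syscalls.h — the header hunk and the diffstat (`include/seccomp-syscalls.h | 2 ++`) cover only faccessat2, and close_range gets its define in the separate close_range patch. Unless those defines are added somewhere this debdiff does not show, filters written with `SCMP_SYS(epoll_pwait2)`, `SCMP_SYS(mount_setattr)` or `SCMP_SYS(process_madvise)` would still not compile against the bullseye package, while name-based resolution through the table (`seccomp_syscall_resolve_name()`) is unaffected. The 5.14-rc7 patch has the same gap for landlock_add_rule, landlock_create_ruleset, landlock_restrict_self and quotactl_fd; only memfd_secret gets its `__SNR_`/`__PNR_` pair there. Since each of these rows carries a number on every listed ABI, the unconditional form used for faccessat2, e.g. `#define __SNR_epoll_pwait2 __NR_epoll_pwait2`, would follow the existing convention, with the caveat that it relies on the build's UAPI headers providing the `__NR_` name. If the defines are intentionally left out of the stable update, the [Risks] section should say that SCMP_SYS() coverage remains narrower than the syscall table.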
diff -Nru libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch
--- libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch	1970-01-01 01:00:00.000000000 +0100
+++ libseccomp-2.5.1/debian/patches/syscalls_update_to_Linux_v5.14-rc7.patch	2021-10-10 13:05:00.000000000 +0200
@@ -0,0 +1,72 @@
+From c3559610ffdcda23a7fbd38fea86f8ed81fb16b0 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 23 Aug 2021 11:21:39 -0400
+Subject: [PATCH] syscalls: update to Linux v5.14-rc7
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ include/seccomp-syscalls.h | 7 +++++++
+ src/syscalls.csv           | 7 ++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index 1ca500be..7075f3f6 100644
+--- a/include/seccomp-syscalls.h
++++ b/include/seccomp-syscalls.h
+@@ -275,6 +275,7 @@
+ #define __PNR_ppoll				-10241
+ #define __PNR_renameat				-10242
+ #define __PNR_riscv_flush_icache		-10243
++#define __PNR_memfd_secret			-10244
+ 
+ /*
+  * libseccomp syscall definitions
+@@ -1084,6 +1085,12 @@
+ #define __SNR_memfd_create		__PNR_memfd_create
+ #endif
+ 
++#ifdef __NR_memfd_secret
++#define __SNR_memfd_secret		__NR_memfd_secret
++#else
++#define __SNR_memfd_secret		__PNR_memfd_secret
++#endif
++
+ #ifdef __NR_migrate_pages
+ #define __SNR_migrate_pages		__NR_migrate_pages
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index 4c828697..af06a64d 100644
+--- a/src/syscalls.csv
++++ b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.12.0-rc7 2021-04-17),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
++#syscall (v5.14.0-rc7 2021-08-23),x86,x86_64,x32,arm,aarch64,mips,mips64,mips64n32,parisc,parisc64,ppc,ppc64,riscv64,s390,s390x
+ accept,PNR,43,43,285,202,168,42,42,35,35,330,330,202,PNR,PNR
+ accept4,364,288,288,366,242,334,293,297,320,320,344,344,242,364,364
+ access,33,21,21,33,PNR,33,20,20,33,33,33,33,PNR,33,33
+@@ -168,6 +168,9 @@ kexec_file_load,PNR,320,320,401,294,PNR,PNR,PNR,355,355,382,382,294,381,381
+ kexec_load,283,246,528,347,104,311,270,274,300,300,268,268,104,277,277
+ keyctl,288,250,250,311,219,282,241,245,266,266,271,271,219,280,280
+ kill,37,62,62,37,129,37,60,60,37,37,37,37,129,37,37
++landlock_add_rule,445,445,445,445,445,445,445,445,445,445,445,445,445,445,445
++landlock_create_ruleset,444,444,444,444,444,444,444,444,444,444,444,444,444,444,444
++landlock_restrict_self,446,446,446,446,446,446,446,446,446,446,446,446,446,446,446
+ lchown,16,94,94,16,PNR,16,92,92,16,16,16,16,PNR,16,198
+ lchown32,198,PNR,PNR,198,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,198,PNR
+ lgetxattr,230,192,192,230,9,228,184,184,242,242,213,213,9,228,228
+@@ -188,6 +191,7 @@ madvise,219,28,28,220,233,218,27,27,119,119,205,205,233,219,219
+ mbind,274,237,237,319,235,268,227,231,260,260,259,259,235,268,268
+ membarrier,375,324,324,389,283,358,318,322,343,343,365,365,283,356,356
+ memfd_create,356,319,319,385,279,354,314,318,340,340,360,360,279,350,350
++memfd_secret,447,447,447,PNR,447,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR,PNR
+ migrate_pages,294,256,256,400,238,287,246,250,272,272,258,258,238,287,287
+ mincore,218,27,27,219,232,217,26,26,72,72,206,206,232,218,218
+ mkdir,39,83,83,39,PNR,39,81,81,39,39,39,39,PNR,39,39
+@@ -277,6 +281,7 @@ pwritev,334,296,535,362,70,331,290,294,316,316,321,321,70,329,329
+ pwritev2,379,328,547,393,287,362,322,326,348,348,381,381,287,377,377
+ query_module,167,178,PNR,PNR,PNR,187,171,171,PNR,PNR,166,166,PNR,167,167
+ quotactl,131,179,179,131,60,131,172,172,131,131,131,131,60,131,131
++quotactl_fd,443,443,443,443,443,443,443,443,443,443,443,443,443,443,443
+ read,3,0,0,3,63,3,0,0,3,3,3,3,63,3,3
+ readahead,225,187,187,225,213,223,179,179,207,207,191,191,213,222,222
+ readdir,89,PNR,PNR,PNR,PNR,89,PNR,PNR,PNR,PNR,89,89,PNR,89,89
