From bce74bdfad0b0d0216fe456efad374353fedf1af Mon Sep 17 00:00:00 2001 From: Richard Patel Date: Mon, 29 Jan 2024 18:57:53 +0000 Subject: [PATCH] Use SYS_syscall instead of __NR_syscall The SYS_{...} variant is more portable. __NR_{...} does not work on musl libc. --- contrib/codegen/generate_filters.py | 6 +++--- src/app/fdctl/monitor/generated/monitor_seccomp.h | 12 ++++++------ src/app/fdctl/run/generated/main_seccomp.h | 10 +++++----- src/app/fdctl/run/generated/pidns_seccomp.h | 10 +++++----- src/app/fdctl/run/tiles/generated/dedup_seccomp.h | 4 ++-- src/app/fdctl/run/tiles/generated/metric_seccomp.h | 12 ++++++------ src/app/fdctl/run/tiles/generated/net_seccomp.h | 8 ++++---- src/app/fdctl/run/tiles/generated/netmux_seccomp.h | 4 ++-- src/app/fdctl/run/tiles/generated/pack_seccomp.h | 4 ++-- src/app/fdctl/run/tiles/generated/quic_seccomp.h | 10 +++++----- src/app/fdctl/run/tiles/generated/shred_seccomp.h | 8 ++++---- src/app/fdctl/run/tiles/generated/sign_seccomp.h | 4 ++-- src/app/fdctl/run/tiles/generated/verify_seccomp.h | 4 ++-- src/util/sandbox/generated/test_sandbox_seccomp.h | 6 +++--- src/util/shmem/fd_numa_linux.c | 4 ++-- 15 files changed, 53 insertions(+), 53 deletions(-) diff --git a/contrib/codegen/generate_filters.py b/contrib/codegen/generate_filters.py index 46e2f070b0..832ece5114 100755 --- a/contrib/codegen/generate_filters.py +++ b/contrib/codegen/generate_filters.py @@ -101,10 +101,10 @@ def codegen(policy_lines, filt): if len(lineparts) == 1: syscall = lineparts[0] - filt.append(ReloCondJump("BPF_JMP | BPF_JEQ | BPF_K, %s" % ('__NR_'+syscall), 'RET_ALLOW', 0, pre_comment="simply allow %s" % syscall)) + filt.append(ReloCondJump("BPF_JMP | BPF_JEQ | BPF_K, %s" % ('SYS_'+syscall), 'RET_ALLOW', 0, pre_comment="simply allow %s" % syscall)) elif len(lineparts) == 2: syscall = lineparts[0] - filt.append(ReloCondJump("BPF_JMP | BPF_JEQ | BPF_K, %s" % ('__NR_'+syscall), f'check_{syscall}', 0, pre_comment=f"allow {syscall} based on expression")) + filt.append(ReloCondJump("BPF_JMP | BPF_JEQ | BPF_K, %s" % ('SYS_'+syscall), f'check_{syscall}', 0, pre_comment=f"allow {syscall} based on expression")) syscall_to_expression[lineparts[0]] = lineparts[1] else: print("malformed line @ %s" % (line_number+1), file=sys.stderr) @@ -146,7 +146,7 @@ def expression(name, expr, filt): elif type(expr) == edn_format.Symbol: # Treat the symbol as the desired effect - filt.append(ReloCondJump("BPF_JMP | BPF_JEQ | BPF_K, %s" % ('__NR_'+name), str(expr), 0)) + filt.append(ReloCondJump("BPF_JMP | BPF_JEQ | BPF_K, %s" % ('SYS_'+name), str(expr), 0)) # eval_ walks through the expression tree and lays instructions down diff --git a/src/app/fdctl/monitor/generated/monitor_seccomp.h b/src/app/fdctl/monitor/generated/monitor_seccomp.h index 9653f32477..a60301fcaf 100644 --- a/src/app/fdctl/monitor/generated/monitor_seccomp.h +++ b/src/app/fdctl/monitor/generated/monitor_seccomp.h @@ -32,17 +32,17 @@ static void populate_sock_filter_policy_monitor( ulong out_cnt, struct sock_filt /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 6, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 6, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 11, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 11, 0 ), /* simply allow nanosleep */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_nanosleep, /* RET_ALLOW */ 15, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_nanosleep, /* RET_ALLOW */ 15, 0 ), /* simply allow sched_yield */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_yield, /* RET_ALLOW */ 14, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_sched_yield, /* RET_ALLOW */ 14, 0 ), /* simply allow exit_group */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, /* RET_ALLOW */ 13, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, /* RET_ALLOW */ 13, 0 ), /* allow read based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_read, /* check_read */ 9, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_read, /* check_read */ 9, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 10 }, // check_write: diff --git a/src/app/fdctl/run/generated/main_seccomp.h b/src/app/fdctl/run/generated/main_seccomp.h index 39b3633af4..8ecd5ad315 100644 --- a/src/app/fdctl/run/generated/main_seccomp.h +++ b/src/app/fdctl/run/generated/main_seccomp.h @@ -32,15 +32,15 @@ static void populate_sock_filter_policy_main( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 5, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 8, 0 ), /* allow wait4 based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_wait4, /* check_wait4 */ 9, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_wait4, /* check_wait4 */ 9, 0 ), /* allow kill based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_kill, /* check_kill */ 14, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_kill, /* check_kill */ 14, 0 ), /* simply allow exit_group */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, /* RET_ALLOW */ 16, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, /* RET_ALLOW */ 16, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 14 }, // check_write: diff --git a/src/app/fdctl/run/generated/pidns_seccomp.h b/src/app/fdctl/run/generated/pidns_seccomp.h index db89b751ff..9164d847e5 100644 --- a/src/app/fdctl/run/generated/pidns_seccomp.h +++ b/src/app/fdctl/run/generated/pidns_seccomp.h @@ -32,15 +32,15 @@ static void populate_sock_filter_policy_pidns( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 5, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 8, 0 ), /* allow poll based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_poll, /* check_poll */ 9, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_poll, /* check_poll */ 9, 0 ), /* allow wait4 based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_wait4, /* check_wait4 */ 10, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_wait4, /* check_wait4 */ 10, 0 ), /* simply allow exit_group */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, /* RET_ALLOW */ 16, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, /* RET_ALLOW */ 16, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 14 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/dedup_seccomp.h b/src/app/fdctl/run/tiles/generated/dedup_seccomp.h index 3c3d6d0b07..9522651dcf 100644 --- a/src/app/fdctl/run/tiles/generated/dedup_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/dedup_seccomp.h @@ -32,9 +32,9 @@ static void populate_sock_filter_policy_dedup( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 2, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 2, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 5, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 6 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/metric_seccomp.h b/src/app/fdctl/run/tiles/generated/metric_seccomp.h index bb2c5649d4..287b68d2fb 100644 --- a/src/app/fdctl/run/tiles/generated/metric_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/metric_seccomp.h @@ -32,17 +32,17 @@ static void populate_sock_filter_policy_metric( ulong out_cnt, struct sock_filte /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 6, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 6, 0 ), /* allow accept based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_accept, /* check_accept */ 7, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_accept, /* check_accept */ 7, 0 ), /* simply allow read */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_read, /* RET_ALLOW */ 13, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_read, /* RET_ALLOW */ 13, 0 ), /* simply allow write */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* RET_ALLOW */ 12, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* RET_ALLOW */ 12, 0 ), /* simply allow close */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_close, /* RET_ALLOW */ 11, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_close, /* RET_ALLOW */ 11, 0 ), /* simply allow poll */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_poll, /* RET_ALLOW */ 10, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_poll, /* RET_ALLOW */ 10, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 8 }, // check_fsync: diff --git a/src/app/fdctl/run/tiles/generated/net_seccomp.h b/src/app/fdctl/run/tiles/generated/net_seccomp.h index 85dce65dcb..722937974f 100644 --- a/src/app/fdctl/run/tiles/generated/net_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/net_seccomp.h @@ -32,13 +32,13 @@ static void populate_sock_filter_policy_net( ulong out_cnt, struct sock_filter * /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 4, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 4, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 7, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 7, 0 ), /* allow sendto based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, /* check_sendto */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_sendto, /* check_sendto */ 8, 0 ), /* allow recvmsg based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_recvmsg, /* check_recvmsg */ 21, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_recvmsg, /* check_recvmsg */ 21, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 30 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/netmux_seccomp.h b/src/app/fdctl/run/tiles/generated/netmux_seccomp.h index b5f16d497e..e10ced9b9a 100644 --- a/src/app/fdctl/run/tiles/generated/netmux_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/netmux_seccomp.h @@ -32,9 +32,9 @@ static void populate_sock_filter_policy_netmux( ulong out_cnt, struct sock_filte /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 2, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 2, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 5, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 6 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/pack_seccomp.h b/src/app/fdctl/run/tiles/generated/pack_seccomp.h index 03b5e9872f..dafdd6224e 100644 --- a/src/app/fdctl/run/tiles/generated/pack_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/pack_seccomp.h @@ -32,9 +32,9 @@ static void populate_sock_filter_policy_pack( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 2, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 2, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 5, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 6 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/quic_seccomp.h b/src/app/fdctl/run/tiles/generated/quic_seccomp.h index 58aa14a6e6..ac25337e9a 100644 --- a/src/app/fdctl/run/tiles/generated/quic_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/quic_seccomp.h @@ -32,15 +32,15 @@ static void populate_sock_filter_policy_quic( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 5, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 8, 0 ), /* simply allow getrandom */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_getrandom, /* RET_ALLOW */ 26, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_getrandom, /* RET_ALLOW */ 26, 0 ), /* allow sendto based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, /* check_sendto */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_sendto, /* check_sendto */ 8, 0 ), /* allow recvfrom based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_recvfrom, /* check_recvfrom */ 15, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_recvfrom, /* check_recvfrom */ 15, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 22 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/shred_seccomp.h b/src/app/fdctl/run/tiles/generated/shred_seccomp.h index 4c25ab8d6e..9105bcb039 100644 --- a/src/app/fdctl/run/tiles/generated/shred_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/shred_seccomp.h @@ -32,13 +32,13 @@ static void populate_sock_filter_policy_shred( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 4, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 4, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 7, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 7, 0 ), /* allow sendto based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, /* check_sendto */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_sendto, /* check_sendto */ 8, 0 ), /* allow recvfrom based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_recvfrom, /* check_recvfrom */ 15, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_recvfrom, /* check_recvfrom */ 15, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 22 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/sign_seccomp.h b/src/app/fdctl/run/tiles/generated/sign_seccomp.h index 2be8263034..5ea8906d2e 100644 --- a/src/app/fdctl/run/tiles/generated/sign_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/sign_seccomp.h @@ -32,9 +32,9 @@ static void populate_sock_filter_policy_sign( ulong out_cnt, struct sock_filter /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 2, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 2, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 5, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 6 }, // check_write: diff --git a/src/app/fdctl/run/tiles/generated/verify_seccomp.h b/src/app/fdctl/run/tiles/generated/verify_seccomp.h index bf87c4d36f..5f957c593a 100644 --- a/src/app/fdctl/run/tiles/generated/verify_seccomp.h +++ b/src/app/fdctl/run/tiles/generated/verify_seccomp.h @@ -32,9 +32,9 @@ static void populate_sock_filter_policy_verify( ulong out_cnt, struct sock_filte /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 2, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 2, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 5, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 5, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 6 }, // check_write: diff --git a/src/util/sandbox/generated/test_sandbox_seccomp.h b/src/util/sandbox/generated/test_sandbox_seccomp.h index 4bc4f88c5b..0904b90483 100644 --- a/src/util/sandbox/generated/test_sandbox_seccomp.h +++ b/src/util/sandbox/generated/test_sandbox_seccomp.h @@ -32,11 +32,11 @@ static void populate_sock_filter_policy_test_sandbox( ulong out_cnt, struct sock /* loading syscall number in accumulator */ BPF_STMT( BPF_LD | BPF_W | BPF_ABS, ( offsetof( struct seccomp_data, nr ) ) ), /* allow write based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_write, /* check_write */ 3, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_write, /* check_write */ 3, 0 ), /* allow fsync based on expression */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_fsync, /* check_fsync */ 6, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_fsync, /* check_fsync */ 6, 0 ), /* simply allow exit_group */ - BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, /* RET_ALLOW */ 8, 0 ), + BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, /* RET_ALLOW */ 8, 0 ), /* none of the syscalls matched */ { BPF_JMP | BPF_JA, 0, 0, /* RET_KILL_PROCESS */ 6 }, // check_write: diff --git a/src/util/shmem/fd_numa_linux.c b/src/util/shmem/fd_numa_linux.c index 246e752128..5d76f63f23 100644 --- a/src/util/shmem/fd_numa_linux.c +++ b/src/util/shmem/fd_numa_linux.c @@ -161,13 +161,13 @@ fd_numa_node_idx( ulong cpu_idx ) { int fd_numa_mlock( void const * addr, ulong len ) { - return (int)syscall( __NR_mlock, addr, len ); + return (int)syscall( SYS_mlock, addr, len ); } int fd_numa_munlock( void const * addr, ulong len ) { - return (int)syscall( __NR_mlock, addr, len ); + return (int)syscall( SYS_mlock, addr, len ); } long