![Enhanced Seccomp Helper Library](https://github.com/seccomp/libseccomp-artwork/blob/master/logo/libseccomp-color_text.png)
===============================================================================
https://github.com/seccomp/libseccomp

[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/608/badge)](https://bestpractices.coreinfrastructure.org/projects/608)
[![Build Status](https://img.shields.io/travis/seccomp/libseccomp/master.svg)](https://travis-ci.org/seccomp/libseccomp)
[![Coverage Status](https://img.shields.io/coveralls/github/seccomp/libseccomp/master.svg)](https://coveralls.io/github/seccomp/libseccomp?branch=master)

The libseccomp library provides an easy to use, platform independent, interface
to the Linux Kernel's syscall filtering mechanism. The libseccomp API is
designed to abstract away the underlying BPF based syscall filter language and
present a more conventional function-call based filtering interface that should
be familiar to, and easily adopted by, application developers.

## Online Resources

The library source repository currently lives on GitHub at the following URL:

* https://github.com/seccomp/libseccomp

The Go language bindings repository currently lives on GitHub at the following
URL:

* https://github.com/seccomp/libseccomp-golang

The project mailing list is currently hosted on Google Groups at the URLs below.
Please note that a Google account is not required to subscribe to the mailing
list.

* https://groups.google.com/forum/#!forum/libseccomp
* https://groups.google.com/forum/#!forum/libseccomp/join

## Supported Architectures

The libseccomp library currently supports the architectures listed below:

* 32-bit x86 (x86)
* 64-bit x86 (x86_64)
* 64-bit x86 x32 ABI (x32)
* 32-bit ARM EABI (arm)
* 64-bit ARM (aarch64)
* 32-bit MIPS (mips)
* 32-bit MIPS little endian (mipsel)
* 64-bit MIPS (mips64)
* 64-bit MIPS little endian (mipsel64)
* 64-bit MIPS n32 ABI (mips64n32)
* 64-bit MIPS n32 ABI little endian (mipsel64n32)
* 32-bit PA-RISC (parisc)
* 64-bit PA-RISC (parisc64)
* 32-bit PowerPC (ppc)
* 64-bit PowerPC (ppc64)
* 64-bit PowerPC little endian (ppc64le)
* 32-bit s390 (s390)
* 64-bit s390x (s390x)

## Documentation

The "doc/" directory contains all of the currently available documentation,
mostly in the form of manpages. The top level directory also contains a README
file (this file) as well as the LICENSE, CREDITS, CONTRIBUTING, and
CHANGELOG files.

Those who are interested in contributing to the project are encouraged to
read the CONTRIBUTING file in the top level directory.

## Verifying Release Tarballs

Before use you should verify the downloaded release tarballs and checksums
using the detached signatures supplied as part of the release; the detached
signature files are the "*.asc" files. If you have GnuPG installed you can
verify detached signatures using the following command:

    # gpg --verify file.asc file

At present, only the following keys are authorized to sign official libseccomp
releases:

    Paul Moore <paul@paul-moore.com>
    7100 AADF AE6E 6E94 0D2E 0AD6 55E4 5A5A E8CA 7C8A

    Tom Hromatka <tom.hromatka@oracle.com>
    47A6 8FCE 37C7 D702 4FD6 5E11 356C E62C 2B52 4099

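A valid signature only proves that some key in your keyring signed the file, so the signer should also be compared with the authorized fingerprints listed above. The script below is an added example, not part of the libseccomp project; the function names are hypothetical, and it assumes the listed values are primary key fingerprints and that the signing key has already been imported.

```shell
#!/bin/sh
# Added example; not part of the libseccomp project.
# Authorized release-signing fingerprints from this README, spaces removed.
AUTHORIZED_FPRS="7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
47A68FCE37C7D7024FD65E11356CE62C2B524099"

# Reads "gpg --status-fd" output on stdin and succeeds only if a VALIDSIG
# line names an authorized key. When a subkey made the signature, the
# primary key fingerprint is the last VALIDSIG field, so that one is used
# (assumption: the README lists primary key fingerprints).
signer_is_authorized() {
    while read -r tag kind fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        [ "$kind" = "VALIDSIG" ] || continue
        primary=${rest##* }
        # Older gpg omits the primary fingerprint; fall back to the signer's.
        [ "${#primary}" -eq 40 ] || primary=$fpr
        primary=$(printf '%s' "$primary" | tr 'a-f' 'A-F')
        for ok in $AUTHORIZED_FPRS; do
            if [ "$primary" = "$ok" ]; then return 0; fi
        done
    done
    return 1
}

# verify_release SIGNATURE FILE (hypothetical helper name)
verify_release() {
    # gpg's exit status covers signature validity; the status lines on
    # stdout (--status-fd 1) tell us which key produced it.
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signer_is_authorized
}

# Usage: sh verify-release.sh libseccomp-X.Y.Z.tar.gz.asc libseccomp-X.Y.Z.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: valid signature from an authorized release key"
    else
        echo "FAILED: bad signature or unauthorized signer" >&2
        exit 1
    fi
fi
```
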
## Building and Installing the Library

If you are building the libseccomp library from an official release tarball,
you should follow the familiar three step process used by most autotools based
applications:

    # ./configure
    # make [V=0|1]
    # make install

However, if you are building the library from sources retrieved from the source
repository you may need to run the autogen.sh script before running configure.
In both cases, running "./configure -h" will display a list of build-time
configuration options.

## Testing the Library

There are a number of tests located in the "tests/" directory and a make target
which can be used to help automate their execution. If you want to run the
standard regression tests you can execute the following after building the
library:

    # make check

These tests can be safely run on any Linux system, even those where the kernel
does not support seccomp-bpf (seccomp mode 2). However, be warned that the
test run can take a while and produces a lot of output.

The generated seccomp-bpf filters can be tested on a live system using the
"live" tests; they can be executed using the following commands:

    # make check-build
    # (cd tests; ./regression -T live)

These tests will fail if the running Linux Kernel does not provide the
necessary support.

## Developer Tools

The "tools/" directory includes a number of tools which may be helpful in the
development of the library, or applications using the library. Not all of
these tools are installed by default.

## Bug and Vulnerability Reporting

Problems with the libseccomp library can be reported using the GitHub issue
tracking system or the mailing list. Those who wish to privately report
potential vulnerabilities should follow the directions in SECURITY.md.