seccomp groups (next round)

rusty-snake commented 4 years ago

I was playing with the seccomp filter of my tor-browser setup (https://github.com/rusty-snake/firejailed-tor-browser) and noticed a few things.

All syscall from @mount are in @default.

https://github.com/netblue30/firejail/blob/7180f26466a2186ed7b0ccddc7133591feb97518/etc/templates/syscalls.txt#L45

https://github.com/netblue30/firejail/blob/7180f26466a2186ed7b0ccddc7133591feb97518/etc/templates/syscalls.txt#L36

@aio is in @default, except io_pgetevents.

https://github.com/netblue30/firejail/blob/7180f26466a2186ed7b0ccddc7133591feb97518/etc/templates/syscalls.txt#L30

Line one: @aio syscalls in @default. Line two: @aio.

io_cancel,io_destroy,io_getevents,              io_setup,io_submit
io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit

@sysem-service should not be used. Why? Let my explain. @sysem-service is a group for seccomp.keep and not for seccomp.drop, therefore it is a whitelisting group (as in systemd). @default is a blacklisting only group for seccomp.drop. It includes @obsolete. @sysem-service includes @default and therefore also @obsolete, since @sysem-service has so much syscalls that it hardly never will be used for seccomp.drop. It will be used for seccomp.keep, but it includes @obsolete which should never be whitelisted except a program needs all the syscalls from there.

https://github.com/netblue30/firejail/blob/7180f26466a2186ed7b0ccddc7133591feb97518/etc/templates/syscalls.txt#L62-L88

topimiettinen commented 4 years ago

I think whitelists are good idea, especially now that exceptions can be made easily. But I agree that including @default in @system-service should be fixed. Maybe a new group could be added which would be designed for whitelisting unprivileged applications.

The documentation should perhaps also clarify which groups are mostly useful for blacklists and which for whitelists.

rusty-snake commented 4 years ago

@topimiettinen What do you think on generated the groups systemd-analyze syscall-filter with a script? Keep the groups from systemd, rename @default to @common and add your own @default* groups.

topimiettinen commented 4 years ago

@rusty-snake Nice idea, that way we'd be more easily in sync with systemd. That's not a goal stated anywhere, but why differ if there's no need to be different? It would help the users which could be already familiar with either software.

rusty-snake commented 4 years ago

Can we omit the #ifdef SYS_XXXX or would it do bad things?

rusty-snake commented 4 years ago

current code in syscalls.c

```C static const SyscallGroupList sysgroups[] = { { .name = "@aio", .list = #ifdef SYS_io_cancel "io_cancel," #endif #ifdef SYS_io_destroy "io_destroy," #endif #ifdef SYS_io_getevents "io_getevents," #endif #ifdef SYS_io_pgetevents "io_pgetevents," #endif #ifdef SYS_io_setup "io_setup," #endif #ifdef SYS_io_submit "io_submit" #endif }, { .name = "@basic-io", .list = #ifdef SYS__llseek "_llseek," #endif #ifdef SYS_close "close," #endif #ifdef SYS_dup "dup," #endif #ifdef SYS_dup2 "dup2," #endif #ifdef SYS_dup3 "dup3," #endif #ifdef SYS_lseek "lseek," #endif #ifdef SYS_pread64 "pread64," #endif #ifdef SYS_preadv "preadv," #endif #ifdef SYS_preadv2 "preadv2," #endif #ifdef SYS_pwrite64 "pwrite64," #endif #ifdef SYS_pwritev "pwritev," #endif #ifdef SYS_pwritev2 "pwritev2," #endif #ifdef SYS_read "read," #endif #ifdef SYS_readv "readv," #endif #ifdef SYS_write "write," #endif #ifdef SYS_writev "writev" #endif }, { .name = "@chown", .list = #ifdef SYS_chown "chown," #endif #ifdef SYS_chown32 "chown32," #endif #ifdef SYS_fchown "fchown," #endif #ifdef SYS_fchown32 "fchown32," #endif #ifdef SYS_fchownat "fchownat," #endif #ifdef SYS_lchown "lchown," #endif #ifdef SYS_lchown32 "lchown32" #endif }, { .name = "@clock", .list = #ifdef SYS_adjtimex "adjtimex," #endif #ifdef SYS_clock_adjtime "clock_adjtime," #endif #ifdef SYS_clock_settime "clock_settime," #endif #ifdef SYS_settimeofday "settimeofday," #endif #ifdef SYS_stime "stime" #endif }, { .name = "@cpu-emulation", .list = #ifdef SYS_modify_ldt "modify_ldt," #endif #ifdef SYS_subpage_prot "subpage_prot," #endif #ifdef SYS_switch_endian "switch_endian," #endif #ifdef SYS_vm86 "vm86," #endif #ifdef SYS_vm86old "vm86old" #endif #if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old) "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed #endif }, { .name = "@debug", .list = #ifdef SYS_lookup_dcookie "lookup_dcookie," #endif #ifdef SYS_perf_event_open "perf_event_open," #endif #ifdef SYS_process_vm_writev "process_vm_writev," #endif #ifdef SYS_rtas "rtas," #endif #ifdef SYS_s390_runtime_instr "s390_runtime_instr," #endif #ifdef SYS_sys_debug_setcontext "sys_debug_setcontext," #endif }, { .name = "@default", .list = "@clock," "@cpu-emulation," "@debug," "@module," "@mount," "@obsolete," "@raw-io," "@reboot," "@swap," #ifdef SYS_open_by_handle_at "open_by_handle_at," #endif #ifdef SYS_name_to_handle_at "name_to_handle_at," #endif #ifdef SYS_ioprio_set "ioprio_set," #endif #ifdef SYS_ni_syscall "ni_syscall," #endif #ifdef SYS_syslog "syslog," #endif #ifdef SYS_fanotify_init "fanotify_init," #endif #ifdef SYS_kcmp "kcmp," #endif #ifdef SYS_add_key "add_key," #endif #ifdef SYS_request_key "request_key," #endif #ifdef SYS_mbind "mbind," #endif #ifdef SYS_migrate_pages "migrate_pages," #endif #ifdef SYS_move_pages "move_pages," #endif #ifdef SYS_keyctl "keyctl," #endif #ifdef SYS_io_setup "io_setup," #endif #ifdef SYS_io_destroy "io_destroy," #endif #ifdef SYS_io_getevents "io_getevents," #endif #ifdef SYS_io_submit "io_submit," #endif #ifdef SYS_io_cancel "io_cancel," #endif #ifdef SYS_remap_file_pages "remap_file_pages," #endif #ifdef SYS_set_mempolicy "set_mempolicy" #endif #ifdef SYS_vmsplice "vmsplice," #endif #ifdef SYS_userfaultfd "userfaultfd," #endif #ifdef SYS_acct "acct," #endif #ifdef SYS_bpf "bpf," #endif #ifdef SYS_nfsservctl "nfsservctl," #endif #ifdef SYS_setdomainname "setdomainname," #endif #ifdef SYS_sethostname "sethostname," #endif #ifdef SYS_vhangup "vhangup" #endif //#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem // "mincore" //#endif }, { .name = "@default-nodebuggers", .list = "@default," #ifdef SYS_ptrace "ptrace," #endif #ifdef SYS_personality "personality," #endif #ifdef SYS_process_vm_readv "process_vm_readv" #endif }, { .name = "@default-keep", .list = "execve," "prctl" }, { .name = "@file-system", .list = #ifdef SYS_access "access," #endif #ifdef SYS_chdir "chdir," #endif #ifdef SYS_chmod "chmod," #endif #ifdef SYS_close "close," #endif #ifdef SYS_creat "creat," #endif #ifdef SYS_faccessat "faccessat," #endif #ifdef SYS_fallocate "fallocate," #endif #ifdef SYS_fchdir "fchdir," #endif #ifdef SYS_fchmod "fchmod," #endif #ifdef SYS_fchmodat "fchmodat," #endif #ifdef SYS_fcntl "fcntl," #endif #ifdef SYS_fcntl64 "fcntl64," #endif #ifdef SYS_fgetxattr "fgetxattr," #endif #ifdef SYS_flistxattr "flistxattr," #endif #ifdef SYS_fremovexattr "fremovexattr," #endif #ifdef SYS_fsetxattr "fsetxattr," #endif #ifdef SYS_fstat "fstat," #endif #ifdef SYS_fstat64 "fstat64," #endif #ifdef SYS_fstatat64 "fstatat64," #endif #ifdef SYS_fstatfs "fstatfs," #endif #ifdef SYS_fstatfs64 "fstatfs64," #endif #ifdef SYS_ftruncate "ftruncate," #endif #ifdef SYS_ftruncate64 "ftruncate64," #endif #ifdef SYS_futimesat "futimesat," #endif #ifdef SYS_getcwd "getcwd," #endif #ifdef SYS_getdents "getdents," #endif #ifdef SYS_getdents64 "getdents64," #endif #ifdef SYS_getxattr "getxattr," #endif #ifdef SYS_inotify_add_watch "inotify_add_watch," #endif #ifdef SYS_inotify_init "inotify_init," #endif #ifdef SYS_inotify_init1 "inotify_init1," #endif #ifdef SYS_inotify_rm_watch "inotify_rm_watch," #endif #ifdef SYS_lgetxattr "lgetxattr," #endif #ifdef SYS_link "link," #endif #ifdef SYS_linkat "linkat," #endif #ifdef SYS_listxattr "listxattr," #endif #ifdef SYS_llistxattr "llistxattr," #endif #ifdef SYS_lremovexattr "lremovexattr," #endif #ifdef SYS_lsetxattr "lsetxattr," #endif #ifdef SYS_lstat "lstat," #endif #ifdef SYS_lstat64 "lstat64," #endif #ifdef SYS_mkdir "mkdir," #endif #ifdef SYS_mkdirat "mkdirat," #endif #ifdef SYS_mknod "mknod," #endif #ifdef SYS_mknodat "mknodat," #endif #ifdef SYS_mmap "mmap," #endif #ifdef SYS_mmap2 "mmap2," #endif #ifdef SYS_munmap "munmap," #endif #ifdef SYS_newfstatat "newfstatat," #endif #ifdef SYS_oldfstat "oldfstat," #endif #ifdef SYS_oldlstat "oldlstat," #endif #ifdef SYS_oldstat "oldstat," #endif #ifdef SYS_open "open," #endif #ifdef SYS_openat "openat," #endif #ifdef SYS_readlink "readlink," #endif #ifdef SYS_readlinkat "readlinkat," #endif #ifdef SYS_removexattr "removexattr," #endif #ifdef SYS_rename "rename," #endif #ifdef SYS_renameat "renameat," #endif #ifdef SYS_renameat2 "renameat2," #endif #ifdef SYS_rmdir "rmdir," #endif #ifdef SYS_setxattr "setxattr," #endif #ifdef SYS_stat "stat," #endif #ifdef SYS_stat64 "stat64," #endif #ifdef SYS_statfs "statfs," #endif #ifdef SYS_statfs64 "statfs64," #endif #ifdef SYS_statx "statx," #endif #ifdef SYS_symlink "symlink," #endif #ifdef SYS_symlinkat "symlinkat," #endif #ifdef SYS_truncate "truncate," #endif #ifdef SYS_truncate64 "truncate64," #endif #ifdef SYS_unlink "unlink," #endif #ifdef SYS_unlinkat "unlinkat," #endif #ifdef SYS_utime "utime," #endif #ifdef SYS_utimensat "utimensat," #endif #ifdef SYS_utimes "utimes" #endif }, { .name = "@io-event", .list = #ifdef SYS__newselect "_newselect," #endif #ifdef SYS_epoll_create "epoll_create," #endif #ifdef SYS_epoll_create1 "epoll_create1," #endif #ifdef SYS_epoll_ctl "epoll_ctl," #endif #ifdef SYS_epoll_ctl_old "epoll_ctl_old," #endif #ifdef SYS_epoll_pwait "epoll_pwait," #endif #ifdef SYS_epoll_wait "epoll_wait," #endif #ifdef SYS_epoll_wait_old "epoll_wait_old," #endif #ifdef SYS_eventfd "eventfd," #endif #ifdef SYS_eventfd2 "eventfd2," #endif #ifdef SYS_poll "poll," #endif #ifdef SYS_ppoll "ppoll," #endif #ifdef SYS_pselect6 "pselect6," #endif #ifdef SYS_select "select" #endif }, { .name = "@ipc", .list = #ifdef SYS_ipc "ipc," #endif #ifdef SYS_memfd_create "memfd_create," #endif #ifdef SYS_mq_getsetattr "mq_getsetattr," #endif #ifdef SYS_mq_notify "mq_notify," #endif #ifdef SYS_mq_open "mq_open," #endif #ifdef SYS_mq_timedreceive "mq_timedreceive," #endif #ifdef SYS_mq_timedsend "mq_timedsend," #endif #ifdef SYS_mq_unlink "mq_unlink," #endif #ifdef SYS_msgctl "msgctl," #endif #ifdef SYS_msgget "msgget," #endif #ifdef SYS_msgrcv "msgrcv," #endif #ifdef SYS_msgsnd "msgsnd," #endif #ifdef SYS_pipe "pipe," #endif #ifdef SYS_pipe2 "pipe2," #endif #ifdef SYS_process_vm_readv "process_vm_readv," #endif #ifdef SYS_process_vm_writev "process_vm_writev," #endif #ifdef SYS_semctl "semctl," #endif #ifdef SYS_semget "semget," #endif #ifdef SYS_semop "semop," #endif #ifdef SYS_semtimedop "semtimedop," #endif #ifdef SYS_shmat "shmat," #endif #ifdef SYS_shmctl "shmctl," #endif #ifdef SYS_shmdt "shmdt," #endif #ifdef SYS_shmget "shmget" #endif }, { .name = "@keyring", .list = #ifdef SYS_add_key "add_key," #endif #ifdef SYS_keyctl "keyctl," #endif #ifdef SYS_request_key "request_key" #endif }, { .name = "@memlock", .list = #ifdef SYS_mlock "mlock," #endif #ifdef SYS_mlock2 "mlock2," #endif #ifdef SYS_mlockall "mlockall," #endif #ifdef SYS_munlock "munlock," #endif #ifdef SYS_munlockall "munlockall" #endif }, { .name = "@module", .list = #ifdef SYS_delete_module "delete_module," #endif #ifdef SYS_finit_module "finit_module," #endif #ifdef SYS_init_module "init_module" #endif }, { .name = "@mount", .list = #ifdef SYS_chroot "chroot," #endif #ifdef SYS_mount "mount," #endif #ifdef SYS_pivot_root "pivot_root," #endif #ifdef SYS_umount "umount," #endif #ifdef SYS_umount2 "umount2" #endif }, { .name = "@network-io", .list = #ifdef SYS_accept "accept," #endif #ifdef SYS_accept4 "accept4," #endif #ifdef SYS_bind "bind," #endif #ifdef SYS_connect "connect," #endif #ifdef SYS_getpeername "getpeername," #endif #ifdef SYS_getsockname "getsockname," #endif #ifdef SYS_getsockopt "getsockopt," #endif #ifdef SYS_listen "listen," #endif #ifdef SYS_recv "recv," #endif #ifdef SYS_recvfrom "recvfrom," #endif #ifdef SYS_recvmmsg "recvmmsg," #endif #ifdef SYS_recvmsg "recvmsg," #endif #ifdef SYS_send "send," #endif #ifdef SYS_sendmmsg "sendmmsg," #endif #ifdef SYS_sendmsg "sendmsg," #endif #ifdef SYS_sendto "sendto," #endif #ifdef SYS_setsockopt "setsockopt," #endif #ifdef SYS_shutdown "shutdown," #endif #ifdef SYS_socket "socket," #endif #ifdef SYS_socketcall "socketcall," #endif #ifdef SYS_socketpair "socketpair" #endif }, { .name = "@obsolete", .list = #ifdef SYS__sysctl "_sysctl," #endif #ifdef SYS_afs_syscall "afs_syscall," #endif #ifdef SYS_bdflush "bdflush," #endif #ifdef SYS_break "break," #endif #ifdef SYS_create_module "create_module," #endif #ifdef SYS_ftime "ftime," #endif #ifdef SYS_get_kernel_syms "get_kernel_syms," #endif #ifdef SYS_getpmsg "getpmsg," #endif #ifdef SYS_gtty "gtty," #endif #ifdef SYS_idle "idle," #endif #ifdef SYS_lock "lock," #endif #ifdef SYS_mpx "mpx," #endif #ifdef SYS_prof "prof," #endif #ifdef SYS_profil "profil," #endif #ifdef SYS_putpmsg "putpmsg," #endif #ifdef SYS_query_module "query_module," #endif #ifdef SYS_security "security," #endif #ifdef SYS_sgetmask "sgetmask," #endif #ifdef SYS_ssetmask "ssetmask," #endif #ifdef SYS_stty "stty," #endif #ifdef SYS_sysfs "sysfs," #endif #ifdef SYS_tuxcall "tuxcall," #endif #ifdef SYS_ulimit "ulimit," #endif #ifdef SYS_uselib "uselib," #endif #ifdef SYS_ustat "ustat," #endif #ifdef SYS_vserver "vserver" #endif #if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver) "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed #endif }, { .name = "@privileged", .list = "@chown," "@clock," "@module," "@raw-io," "@reboot," "@swap," #ifdef SYS__sysctl "_sysctl," #endif #ifdef SYS_acct "acct," #endif #ifdef SYS_bpf "bpf," #endif #ifdef SYS_capset "capset," #endif #ifdef SYS_chroot "chroot," #endif #ifdef SYS_fanotify_init "fanotify_init," #endif #ifdef SYS_mount "mount," #endif #ifdef SYS_nfsservctl "nfsservctl," #endif #ifdef SYS_open_by_handle_at "open_by_handle_at," #endif #ifdef SYS_pivot_root "pivot_root," #endif #ifdef SYS_quotactl "quotactl," #endif #ifdef SYS_setdomainname "setdomainname," #endif #ifdef SYS_setfsuid "setfsuid," #endif #ifdef SYS_setfsuid32 "setfsuid32," #endif #ifdef SYS_setgroups "setgroups," #endif #ifdef SYS_setgroups32 "setgroups32," #endif #ifdef SYS_sethostname "sethostname," #endif #ifdef SYS_setresuid "setresuid," #endif #ifdef SYS_setresuid32 "setresuid32," #endif #ifdef SYS_setreuid "setreuid," #endif #ifdef SYS_setreuid32 "setreuid32," #endif #ifdef SYS_setuid "setuid," #endif #ifdef SYS_setuid32 "setuid32," #endif #ifdef SYS_umount2 "umount2," #endif #ifdef SYS_vhangup "vhangup" #endif }, { .name = "@process", .list = #ifdef SYS_arch_prctl "arch_prctl," #endif #ifdef SYS_capget "capget," #endif #ifdef SYS_clone "clone," #endif #ifdef SYS_execveat "execveat," #endif #ifdef SYS_fork "fork," #endif #ifdef SYS_getrusage "getrusage," #endif #ifdef SYS_kill "kill," #endif #ifdef SYS_pidfd_send_signal "pidfd_send_signal," #endif #ifdef SYS_prctl "prctl," #endif #ifdef SYS_rt_sigqueueinfo "rt_sigqueueinfo," #endif #ifdef SYS_rt_tgsigqueueinfo "rt_tgsigqueueinfo," #endif #ifdef SYS_setns "setns," #endif #ifdef SYS_swapcontext "swapcontext," #endif #ifdef SYS_tgkill "tgkill," #endif #ifdef SYS_times "times," #endif #ifdef SYS_tkill "tkill," #endif #ifdef SYS_unshare "unshare," #endif #ifdef SYS_vfork "vfork," #endif #ifdef SYS_wait4 "wait4," #endif #ifdef SYS_waitid "waitid," #endif #ifdef SYS_waitpid "waitpid" #endif }, { .name = "@raw-io", .list = #ifdef SYS_ioperm "ioperm," #endif #ifdef SYS_iopl "iopl," #endif #ifdef SYS_pciconfig_iobase "pciconfig_iobase," #endif #ifdef SYS_pciconfig_read "pciconfig_read," #endif #ifdef SYS_pciconfig_write "pciconfig_write," #endif #ifdef SYS_s390_mmio_read "s390_mmio_read," #endif #ifdef SYS_s390_mmio_write "s390_mmio_write" #endif #if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write) "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed #endif }, { .name = "@reboot", .list = #ifdef SYS_kexec_load "kexec_load," #endif #ifdef SYS_kexec_file_load "kexec_file_load," #endif #ifdef SYS_reboot "reboot," #endif }, { .name = "@resources", .list = #ifdef SYS_ioprio_set "ioprio_set," #endif #ifdef SYS_mbind "mbind," #endif #ifdef SYS_migrate_pages "migrate_pages," #endif #ifdef SYS_move_pages "move_pages," #endif #ifdef SYS_nice "nice," #endif #ifdef SYS_sched_setaffinity "sched_setaffinity," #endif #ifdef SYS_sched_setattr "sched_setattr," #endif #ifdef SYS_sched_setparam "sched_setparam," #endif #ifdef SYS_sched_setscheduler "sched_setscheduler," #endif #ifdef SYS_set_mempolicy "set_mempolicy" #endif }, { .name = "@setuid", .list = #ifdef SYS_setgid "setgid," #endif #ifdef SYS_setgid32 "setgid32," #endif #ifdef SYS_setgroups "setgroups," #endif #ifdef SYS_setgroups32 "setgroups32," #endif #ifdef SYS_setregid "setregid," #endif #ifdef SYS_setregid32 "setregid32," #endif #ifdef SYS_setresgid "setresgid," #endif #ifdef SYS_setresgid32 "setresgid32," #endif #ifdef SYS_setresuid "setresuid," #endif #ifdef SYS_setresuid32 "setresuid32," #endif #ifdef SYS_setreuid "setreuid," #endif #ifdef SYS_setreuid32 "setreuid32," #endif #ifdef SYS_setuid "setuid," #endif #ifdef SYS_setuid32 "setuid32" #endif }, { .name = "@signal", .list = #ifdef SYS_rt_sigaction "rt_sigaction," #endif #ifdef SYS_rt_sigpending "rt_sigpending," #endif #ifdef SYS_rt_sigprocmask "rt_sigprocmask," #endif #ifdef SYS_rt_sigsuspend "rt_sigsuspend," #endif #ifdef SYS_rt_sigtimedwait "rt_sigtimedwait," #endif #ifdef SYS_sigaction "sigaction," #endif #ifdef SYS_sigaltstack "sigaltstack," #endif #ifdef SYS_signal "signal," #endif #ifdef SYS_signalfd "signalfd," #endif #ifdef SYS_signalfd4 "signalfd4," #endif #ifdef SYS_sigpending "sigpending," #endif #ifdef SYS_sigprocmask "sigprocmask," #endif #ifdef SYS_sigsuspend "sigsuspend" #endif }, { .name = "@swap", .list = #ifdef SYS_swapon "swapon," #endif #ifdef SYS_swapoff "swapoff" #endif }, { .name = "@sync", .list = #ifdef SYS_fdatasync "fdatasync," #endif #ifdef SYS_fsync "fsync," #endif #ifdef SYS_msync "msync," #endif #ifdef SYS_sync "sync," #endif #ifdef SYS_sync_file_range "sync_file_range," #endif #ifdef SYS_sync_file_range2 "sync_file_range2," #endif #ifdef SYS_syncfs "syncfs" #endif }, { .name = "@system-service", .list = "@aio," "@basic-io," "@chown," "@default," "@file-system," "@io-event," "@ipc," "@keyring," "@memlock," "@network-io," "@process," "@resources," "@setuid," "@signal," "@sync," "@timer," #ifdef SYS_brk "brk," #endif #ifdef SYS_capget "capget," #endif #ifdef SYS_capset "capset," #endif #ifdef SYS_copy_file_range "copy_file_range," #endif #ifdef SYS_fadvise64 "fadvise64," #endif #ifdef SYS_fadvise64_64 "fadvise64_64," #endif #ifdef SYS_flock "flock," #endif #ifdef SYS_get_mempolicy "get_mempolicy," #endif #ifdef SYS_getcpu "getcpu," #endif #ifdef SYS_getpriority "getpriority," #endif #ifdef SYS_getrandom "getrandom," #endif #ifdef SYS_ioctl "ioctl," #endif #ifdef SYS_ioprio_get "ioprio_get," #endif #ifdef SYS_kcmp "kcmp," #endif #ifdef SYS_madvise "madvise," #endif #ifdef SYS_mprotect "mprotect," #endif #ifdef SYS_mremap "mremap," #endif #ifdef SYS_name_to_handle_at "name_to_handle_at," #endif #ifdef SYS_oldolduname "oldolduname," #endif #ifdef SYS_olduname "olduname," #endif #ifdef SYS_personality "personality," #endif #ifdef SYS_readahead "readahead," #endif #ifdef SYS_readdir "readdir," #endif #ifdef SYS_remap_file_pages "remap_file_pages," #endif #ifdef SYS_sched_get_priority_max "sched_get_priority_max," #endif #ifdef SYS_sched_get_priority_min "sched_get_priority_min," #endif #ifdef SYS_sched_getaffinity "sched_getaffinity," #endif #ifdef SYS_sched_getattr "sched_getattr," #endif #ifdef SYS_sched_getparam "sched_getparam," #endif #ifdef SYS_sched_getscheduler "sched_getscheduler," #endif #ifdef SYS_sched_rr_get_interval "sched_rr_get_interval," #endif #ifdef SYS_sched_yield "sched_yield," #endif #ifdef SYS_sendfile "sendfile," #endif #ifdef SYS_sendfile64 "sendfile64," #endif #ifdef SYS_setfsgid "setfsgid," #endif #ifdef SYS_setfsgid32 "setfsgid32," #endif #ifdef SYS_setfsuid "setfsuid," #endif #ifdef SYS_setfsuid32 "setfsuid32," #endif #ifdef SYS_setpgid "setpgid," #endif #ifdef SYS_setsid "setsid," #endif #ifdef SYS_splice "splice," #endif #ifdef SYS_sysinfo "sysinfo," #endif #ifdef SYS_tee "tee," #endif #ifdef SYS_umask "umask," #endif #ifdef SYS_uname "uname," #endif #ifdef SYS_userfaultfd "userfaultfd," #endif #ifdef SYS_vmsplice "vmsplice" #endif }, { .name = "@timer", .list = #ifdef SYS_alarm "alarm," #endif #ifdef SYS_getitimer "getitimer," #endif #ifdef SYS_setitimer "setitimer," #endif #ifdef SYS_timer_create "timer_create," #endif #ifdef SYS_timer_delete "timer_delete," #endif #ifdef SYS_timer_getoverrun "timer_getoverrun," #endif #ifdef SYS_timer_gettime "timer_gettime," #endif #ifdef SYS_timer_settime "timer_settime," #endif #ifdef SYS_timerfd_create "timerfd_create," #endif #ifdef SYS_timerfd_gettime "timerfd_gettime," #endif #ifdef SYS_timerfd_settime "timerfd_settime," #endif #ifdef SYS_times "times" #endif } }; ```

code generated by my script

```C static const SyscallGroupList sysgroups[] = { { .name = "@aio", .list = #ifdef SYS_io_cancel "io_cancel," #endif #ifdef SYS_io_destroy "io_destroy," #endif #ifdef SYS_io_getevents "io_getevents," #endif #ifdef SYS_io_pgetevents "io_pgetevents," #endif #ifdef SYS_io_pgetevents_time64 "io_pgetevents_time64," #endif #ifdef SYS_io_setup "io_setup," #endif #ifdef SYS_io_submit "io_submit," #endif #ifdef SYS_io_uring_enter "io_uring_enter," #endif #ifdef SYS_io_uring_register "io_uring_register," #endif #ifdef SYS_io_uring_setup "io_uring_setup," #endif }, { .name = "@basic-io", .list = #ifdef SYS__llseek "_llseek," #endif #ifdef SYS_close "close," #endif #ifdef SYS_dup "dup," #endif #ifdef SYS_dup2 "dup2," #endif #ifdef SYS_dup3 "dup3," #endif #ifdef SYS_lseek "lseek," #endif #ifdef SYS_pread64 "pread64," #endif #ifdef SYS_preadv "preadv," #endif #ifdef SYS_preadv2 "preadv2," #endif #ifdef SYS_pwrite64 "pwrite64," #endif #ifdef SYS_pwritev "pwritev," #endif #ifdef SYS_pwritev2 "pwritev2," #endif #ifdef SYS_read "read," #endif #ifdef SYS_readv "readv," #endif #ifdef SYS_write "write," #endif #ifdef SYS_writev "writev," #endif }, { .name = "@chown", .list = #ifdef SYS_chown "chown," #endif #ifdef SYS_chown32 "chown32," #endif #ifdef SYS_fchown "fchown," #endif #ifdef SYS_fchown32 "fchown32," #endif #ifdef SYS_fchownat "fchownat," #endif #ifdef SYS_lchown "lchown," #endif #ifdef SYS_lchown32 "lchown32," #endif }, { .name = "@clock", .list = #ifdef SYS_adjtimex "adjtimex," #endif #ifdef SYS_clock_adjtime "clock_adjtime," #endif #ifdef SYS_clock_adjtime64 "clock_adjtime64," #endif #ifdef SYS_clock_settime "clock_settime," #endif #ifdef SYS_clock_settime64 "clock_settime64," #endif #ifdef SYS_settimeofday "settimeofday," #endif #ifdef SYS_stime "stime," #endif }, { .name = "@common", .list = #ifdef SYS_clock_getres "clock_getres," #endif #ifdef SYS_clock_getres_time64 "clock_getres_time64," #endif #ifdef SYS_clock_gettime "clock_gettime," #endif #ifdef SYS_clock_gettime64 "clock_gettime64," #endif #ifdef SYS_clock_nanosleep "clock_nanosleep," #endif #ifdef SYS_clock_nanosleep_time64 "clock_nanosleep_time64," #endif #ifdef SYS_execve "execve," #endif #ifdef SYS_exit "exit," #endif #ifdef SYS_exit_group "exit_group," #endif #ifdef SYS_futex "futex," #endif #ifdef SYS_futex_time64 "futex_time64," #endif #ifdef SYS_get_robust_list "get_robust_list," #endif #ifdef SYS_get_thread_area "get_thread_area," #endif #ifdef SYS_getegid "getegid," #endif #ifdef SYS_getegid32 "getegid32," #endif #ifdef SYS_geteuid "geteuid," #endif #ifdef SYS_geteuid32 "geteuid32," #endif #ifdef SYS_getgid "getgid," #endif #ifdef SYS_getgid32 "getgid32," #endif #ifdef SYS_getgroups "getgroups," #endif #ifdef SYS_getgroups32 "getgroups32," #endif #ifdef SYS_getpgid "getpgid," #endif #ifdef SYS_getpgrp "getpgrp," #endif #ifdef SYS_getpid "getpid," #endif #ifdef SYS_getppid "getppid," #endif #ifdef SYS_getresgid "getresgid," #endif #ifdef SYS_getresgid32 "getresgid32," #endif #ifdef SYS_getresuid "getresuid," #endif #ifdef SYS_getresuid32 "getresuid32," #endif #ifdef SYS_getrlimit "getrlimit," #endif #ifdef SYS_getsid "getsid," #endif #ifdef SYS_gettid "gettid," #endif #ifdef SYS_gettimeofday "gettimeofday," #endif #ifdef SYS_getuid "getuid," #endif #ifdef SYS_getuid32 "getuid32," #endif #ifdef SYS_membarrier "membarrier," #endif #ifdef SYS_nanosleep "nanosleep," #endif #ifdef SYS_pause "pause," #endif #ifdef SYS_prlimit64 "prlimit64," #endif #ifdef SYS_restart_syscall "restart_syscall," #endif #ifdef SYS_rseq "rseq," #endif #ifdef SYS_rt_sigreturn "rt_sigreturn," #endif #ifdef SYS_sched_yield "sched_yield," #endif #ifdef SYS_set_robust_list "set_robust_list," #endif #ifdef SYS_set_thread_area "set_thread_area," #endif #ifdef SYS_set_tid_address "set_tid_address," #endif #ifdef SYS_set_tls "set_tls," #endif #ifdef SYS_sigreturn "sigreturn," #endif #ifdef SYS_time "time," #endif #ifdef SYS_ugetrlimit "ugetrlimit," #endif }, { .name = "@cpu-emulation", .list = #ifdef SYS_modify_ldt "modify_ldt," #endif #ifdef SYS_subpage_prot "subpage_prot," #endif #ifdef SYS_switch_endian "switch_endian," #endif #ifdef SYS_vm86 "vm86," #endif #ifdef SYS_vm86old "vm86old," #endif }, { .name = "@debug", .list = #ifdef SYS_lookup_dcookie "lookup_dcookie," #endif #ifdef SYS_perf_event_open "perf_event_open," #endif #ifdef SYS_pidfd_getfd "pidfd_getfd," #endif #ifdef SYS_ptrace "ptrace," #endif #ifdef SYS_rtas "rtas," #endif #ifdef SYS_sys_debug_setcontext "sys_debug_setcontext," #endif }, { .name = "@default", .list = "@clock," "@cpu-emulation," "@debug," "@module," "@mount," "@obsolete," "@raw-io," "@reboot," "@swap," #ifdef SYS_add_key "add_key," #endif #ifdef SYS_bpf "bpf," #endif #ifdef SYS_fanotify_init "fanotify_init," #endif #ifdef SYS_io_cancel "io_cancel," #endif #ifdef SYS_io_destroyio_getevents "io_destroyio_getevents," #endif #ifdef SYS_io_setup "io_setup," #endif #ifdef SYS_io_submit "io_submit," #endif #ifdef SYS_ioprio_set "ioprio_set," #endif #ifdef SYS_kcmp "kcmp," #endif #ifdef SYS_keyctl "keyctl," #endif #ifdef SYS_mbind "mbind," #endif #ifdef SYS_migrate_pagesmove_pages "migrate_pagesmove_pages," #endif #ifdef SYS_name_to_handle_at "name_to_handle_at," #endif #ifdef SYS_nfsservctl "nfsservctl," #endif #ifdef SYS_ni_syscall "ni_syscall," #endif #ifdef SYS_open_by_handle_at "open_by_handle_at," #endif #ifdef SYS_remap_file_pages "remap_file_pages," #endif #ifdef SYS_request_key "request_key," #endif #ifdef SYS_set_mempolicy "set_mempolicy," #endif #ifdef SYS_setdomainname "setdomainname," #endif #ifdef SYS_sethostname "sethostname," #endif #ifdef SYS_syslog "syslog," #endif #ifdef SYS_userfaultfdacct "userfaultfdacct," #endif #ifdef SYS_vhangup "vhangup," #endif #ifdef SYS_vmsplice "vmsplice," #endif }, { .name = "@default-keep", .list = #ifdef SYS_execve "execve," #endif #ifdef SYS_prctl "prctl," #endif }, { .name = "@default-nodebuggers", .list = "@default," #ifdef SYS_personality "personality," #endif #ifdef SYS_process_vm_readv "process_vm_readv," #endif #ifdef SYS_ptrace "ptrace," #endif }, { .name = "@file-system", .list = #ifdef SYS_access "access," #endif #ifdef SYS_chdir "chdir," #endif #ifdef SYS_chmod "chmod," #endif #ifdef SYS_close "close," #endif #ifdef SYS_creat "creat," #endif #ifdef SYS_faccessat "faccessat," #endif #ifdef SYS_fallocate "fallocate," #endif #ifdef SYS_fchdir "fchdir," #endif #ifdef SYS_fchmod "fchmod," #endif #ifdef SYS_fchmodat "fchmodat," #endif #ifdef SYS_fcntl "fcntl," #endif #ifdef SYS_fcntl64 "fcntl64," #endif #ifdef SYS_fgetxattr "fgetxattr," #endif #ifdef SYS_flistxattr "flistxattr," #endif #ifdef SYS_fremovexattr "fremovexattr," #endif #ifdef SYS_fsetxattr "fsetxattr," #endif #ifdef SYS_fstat "fstat," #endif #ifdef SYS_fstat64 "fstat64," #endif #ifdef SYS_fstatat64 "fstatat64," #endif #ifdef SYS_fstatfs "fstatfs," #endif #ifdef SYS_fstatfs64 "fstatfs64," #endif #ifdef SYS_ftruncate "ftruncate," #endif #ifdef SYS_ftruncate64 "ftruncate64," #endif #ifdef SYS_futimesat "futimesat," #endif #ifdef SYS_getcwd "getcwd," #endif #ifdef SYS_getdents "getdents," #endif #ifdef SYS_getdents64 "getdents64," #endif #ifdef SYS_getxattr "getxattr," #endif #ifdef SYS_inotify_add_watch "inotify_add_watch," #endif #ifdef SYS_inotify_init "inotify_init," #endif #ifdef SYS_inotify_init1 "inotify_init1," #endif #ifdef SYS_inotify_rm_watch "inotify_rm_watch," #endif #ifdef SYS_lgetxattr "lgetxattr," #endif #ifdef SYS_link "link," #endif #ifdef SYS_linkat "linkat," #endif #ifdef SYS_listxattr "listxattr," #endif #ifdef SYS_llistxattr "llistxattr," #endif #ifdef SYS_lremovexattr "lremovexattr," #endif #ifdef SYS_lsetxattr "lsetxattr," #endif #ifdef SYS_lstat "lstat," #endif #ifdef SYS_lstat64 "lstat64," #endif #ifdef SYS_mkdir "mkdir," #endif #ifdef SYS_mkdirat "mkdirat," #endif #ifdef SYS_mknod "mknod," #endif #ifdef SYS_mknodat "mknodat," #endif #ifdef SYS_mmap "mmap," #endif #ifdef SYS_mmap2 "mmap2," #endif #ifdef SYS_munmap "munmap," #endif #ifdef SYS_newfstatat "newfstatat," #endif #ifdef SYS_oldfstat "oldfstat," #endif #ifdef SYS_oldlstat "oldlstat," #endif #ifdef SYS_oldstat "oldstat," #endif #ifdef SYS_open "open," #endif #ifdef SYS_openat "openat," #endif #ifdef SYS_openat2 "openat2," #endif #ifdef SYS_readlink "readlink," #endif #ifdef SYS_readlinkat "readlinkat," #endif #ifdef SYS_removexattr "removexattr," #endif #ifdef SYS_rename "rename," #endif #ifdef SYS_renameat "renameat," #endif #ifdef SYS_renameat2 "renameat2," #endif #ifdef SYS_rmdir "rmdir," #endif #ifdef SYS_setxattr "setxattr," #endif #ifdef SYS_stat "stat," #endif #ifdef SYS_stat64 "stat64," #endif #ifdef SYS_statfs "statfs," #endif #ifdef SYS_statfs64 "statfs64," #endif #ifdef SYS_statx "statx," #endif #ifdef SYS_symlink "symlink," #endif #ifdef SYS_symlinkat "symlinkat," #endif #ifdef SYS_truncate "truncate," #endif #ifdef SYS_truncate64 "truncate64," #endif #ifdef SYS_unlink "unlink," #endif #ifdef SYS_unlinkat "unlinkat," #endif #ifdef SYS_utime "utime," #endif #ifdef SYS_utimensat "utimensat," #endif #ifdef SYS_utimensat_time64 "utimensat_time64," #endif #ifdef SYS_utimes "utimes," #endif }, { .name = "@io-event", .list = #ifdef SYS__newselect "_newselect," #endif #ifdef SYS_epoll_create "epoll_create," #endif #ifdef SYS_epoll_create1 "epoll_create1," #endif #ifdef SYS_epoll_ctl "epoll_ctl," #endif #ifdef SYS_epoll_ctl_old "epoll_ctl_old," #endif #ifdef SYS_epoll_pwait "epoll_pwait," #endif #ifdef SYS_epoll_wait "epoll_wait," #endif #ifdef SYS_epoll_wait_old "epoll_wait_old," #endif #ifdef SYS_eventfd "eventfd," #endif #ifdef SYS_eventfd2 "eventfd2," #endif #ifdef SYS_poll "poll," #endif #ifdef SYS_ppoll "ppoll," #endif #ifdef SYS_ppoll_time64 "ppoll_time64," #endif #ifdef SYS_pselect6 "pselect6," #endif #ifdef SYS_pselect6_time64 "pselect6_time64," #endif #ifdef SYS_select "select," #endif }, { .name = "@ipc", .list = #ifdef SYS_ipc "ipc," #endif #ifdef SYS_memfd_create "memfd_create," #endif #ifdef SYS_mq_getsetattr "mq_getsetattr," #endif #ifdef SYS_mq_notify "mq_notify," #endif #ifdef SYS_mq_open "mq_open," #endif #ifdef SYS_mq_timedreceive "mq_timedreceive," #endif #ifdef SYS_mq_timedreceive_time64 "mq_timedreceive_time64," #endif #ifdef SYS_mq_timedsend "mq_timedsend," #endif #ifdef SYS_mq_timedsend_time64 "mq_timedsend_time64," #endif #ifdef SYS_mq_unlink "mq_unlink," #endif #ifdef SYS_msgctl "msgctl," #endif #ifdef SYS_msgget "msgget," #endif #ifdef SYS_msgrcv "msgrcv," #endif #ifdef SYS_msgsnd "msgsnd," #endif #ifdef SYS_pipe "pipe," #endif #ifdef SYS_pipe2 "pipe2," #endif #ifdef SYS_process_vm_readv "process_vm_readv," #endif #ifdef SYS_process_vm_writev "process_vm_writev," #endif #ifdef SYS_semctl "semctl," #endif #ifdef SYS_semget "semget," #endif #ifdef SYS_semop "semop," #endif #ifdef SYS_semtimedop "semtimedop," #endif #ifdef SYS_semtimedop_time64 "semtimedop_time64," #endif #ifdef SYS_shmat "shmat," #endif #ifdef SYS_shmctl "shmctl," #endif #ifdef SYS_shmdt "shmdt," #endif #ifdef SYS_shmget "shmget," #endif }, { .name = "@keyring", .list = #ifdef SYS_add_key "add_key," #endif #ifdef SYS_keyctl "keyctl," #endif #ifdef SYS_request_key "request_key," #endif }, { .name = "@memlock", .list = #ifdef SYS_mlock "mlock," #endif #ifdef SYS_mlock2 "mlock2," #endif #ifdef SYS_mlockall "mlockall," #endif #ifdef SYS_munlock "munlock," #endif #ifdef SYS_munlockall "munlockall," #endif }, { .name = "@module", .list = #ifdef SYS_delete_module "delete_module," #endif #ifdef SYS_finit_module "finit_module," #endif #ifdef SYS_init_module "init_module," #endif }, { .name = "@mount", .list = #ifdef SYS_chroot "chroot," #endif #ifdef SYS_fsconfig "fsconfig," #endif #ifdef SYS_fsmount "fsmount," #endif #ifdef SYS_fsopen "fsopen," #endif #ifdef SYS_fspick "fspick," #endif #ifdef SYS_mount "mount," #endif #ifdef SYS_move_mount "move_mount," #endif #ifdef SYS_open_tree "open_tree," #endif #ifdef SYS_pivot_root "pivot_root," #endif #ifdef SYS_umount "umount," #endif #ifdef SYS_umount2 "umount2," #endif }, { .name = "@network-io", .list = #ifdef SYS_accept "accept," #endif #ifdef SYS_accept4 "accept4," #endif #ifdef SYS_bind "bind," #endif #ifdef SYS_connect "connect," #endif #ifdef SYS_getpeername "getpeername," #endif #ifdef SYS_getsockname "getsockname," #endif #ifdef SYS_getsockopt "getsockopt," #endif #ifdef SYS_listen "listen," #endif #ifdef SYS_recv "recv," #endif #ifdef SYS_recvfrom "recvfrom," #endif #ifdef SYS_recvmmsg "recvmmsg," #endif #ifdef SYS_recvmmsg_time64 "recvmmsg_time64," #endif #ifdef SYS_recvmsg "recvmsg," #endif #ifdef SYS_send "send," #endif #ifdef SYS_sendmmsg "sendmmsg," #endif #ifdef SYS_sendmsg "sendmsg," #endif #ifdef SYS_sendto "sendto," #endif #ifdef SYS_setsockopt "setsockopt," #endif #ifdef SYS_shutdown "shutdown," #endif #ifdef SYS_socket "socket," #endif #ifdef SYS_socketcall "socketcall," #endif #ifdef SYS_socketpair "socketpair," #endif }, { .name = "@obsolete", .list = #ifdef SYS__sysctl "_sysctl," #endif #ifdef SYS_afs_syscall "afs_syscall," #endif #ifdef SYS_bdflush "bdflush," #endif #ifdef SYS_break "break," #endif #ifdef SYS_create_module "create_module," #endif #ifdef SYS_ftime "ftime," #endif #ifdef SYS_get_kernel_syms "get_kernel_syms," #endif #ifdef SYS_getpmsg "getpmsg," #endif #ifdef SYS_gtty "gtty," #endif #ifdef SYS_idle "idle," #endif #ifdef SYS_lock "lock," #endif #ifdef SYS_mpx "mpx," #endif #ifdef SYS_prof "prof," #endif #ifdef SYS_profil "profil," #endif #ifdef SYS_putpmsg "putpmsg," #endif #ifdef SYS_query_module "query_module," #endif #ifdef SYS_security "security," #endif #ifdef SYS_sgetmask "sgetmask," #endif #ifdef SYS_ssetmask "ssetmask," #endif #ifdef SYS_stty "stty," #endif #ifdef SYS_sysfs "sysfs," #endif #ifdef SYS_tuxcall "tuxcall," #endif #ifdef SYS_ulimit "ulimit," #endif #ifdef SYS_uselib "uselib," #endif #ifdef SYS_ustat "ustat," #endif #ifdef SYS_vserver "vserver," #endif }, { .name = "@pkey", .list = #ifdef SYS_pkey_alloc "pkey_alloc," #endif #ifdef SYS_pkey_free "pkey_free," #endif #ifdef SYS_pkey_mprotect "pkey_mprotect," #endif }, { .name = "@privileged", .list = "@chown," "@clock," "@module," "@raw-io," "@reboot," "@swap," #ifdef SYS__sysctl "_sysctl," #endif #ifdef SYS_acct "acct," #endif #ifdef SYS_bpf "bpf," #endif #ifdef SYS_capset "capset," #endif #ifdef SYS_chroot "chroot," #endif #ifdef SYS_fanotify_init "fanotify_init," #endif #ifdef SYS_fanotify_mark "fanotify_mark," #endif #ifdef SYS_nfsservctl "nfsservctl," #endif #ifdef SYS_open_by_handle_at "open_by_handle_at," #endif #ifdef SYS_pivot_root "pivot_root," #endif #ifdef SYS_quotactl "quotactl," #endif #ifdef SYS_setdomainname "setdomainname," #endif #ifdef SYS_setfsuid "setfsuid," #endif #ifdef SYS_setfsuid32 "setfsuid32," #endif #ifdef SYS_setgroups "setgroups," #endif #ifdef SYS_setgroups32 "setgroups32," #endif #ifdef SYS_sethostname "sethostname," #endif #ifdef SYS_setresuid "setresuid," #endif #ifdef SYS_setresuid32 "setresuid32," #endif #ifdef SYS_setreuid "setreuid," #endif #ifdef SYS_setreuid32 "setreuid32," #endif #ifdef SYS_setuid "setuid," #endif #ifdef SYS_setuid32 "setuid32," #endif #ifdef SYS_vhangup "vhangup," #endif }, { .name = "@process", .list = #ifdef SYS_arch_prctl "arch_prctl," #endif #ifdef SYS_capget "capget," #endif #ifdef SYS_clone "clone," #endif #ifdef SYS_clone3 "clone3," #endif #ifdef SYS_execveat "execveat," #endif #ifdef SYS_fork "fork," #endif #ifdef SYS_getrusage "getrusage," #endif #ifdef SYS_kill "kill," #endif #ifdef SYS_pidfd_open "pidfd_open," #endif #ifdef SYS_pidfd_send_signal "pidfd_send_signal," #endif #ifdef SYS_prctl "prctl," #endif #ifdef SYS_rt_sigqueueinfo "rt_sigqueueinfo," #endif #ifdef SYS_rt_tgsigqueueinfo "rt_tgsigqueueinfo," #endif #ifdef SYS_setns "setns," #endif #ifdef SYS_swapcontext "swapcontext," #endif #ifdef SYS_tgkill "tgkill," #endif #ifdef SYS_times "times," #endif #ifdef SYS_tkill "tkill," #endif #ifdef SYS_unshare "unshare," #endif #ifdef SYS_vfork "vfork," #endif #ifdef SYS_wait4 "wait4," #endif #ifdef SYS_waitid "waitid," #endif #ifdef SYS_waitpid "waitpid," #endif }, { .name = "@raw-io", .list = #ifdef SYS_ioperm "ioperm," #endif #ifdef SYS_iopl "iopl," #endif #ifdef SYS_pciconfig_iobase "pciconfig_iobase," #endif #ifdef SYS_pciconfig_read "pciconfig_read," #endif #ifdef SYS_pciconfig_write "pciconfig_write," #endif }, { .name = "@reboot", .list = #ifdef SYS_kexec_file_load "kexec_file_load," #endif #ifdef SYS_kexec_load "kexec_load," #endif #ifdef SYS_reboot "reboot," #endif }, { .name = "@resources", .list = #ifdef SYS_ioprio_set "ioprio_set," #endif #ifdef SYS_mbind "mbind," #endif #ifdef SYS_migrate_pages "migrate_pages," #endif #ifdef SYS_move_pages "move_pages," #endif #ifdef SYS_nice "nice," #endif #ifdef SYS_sched_setaffinity "sched_setaffinity," #endif #ifdef SYS_sched_setattr "sched_setattr," #endif #ifdef SYS_sched_setparam "sched_setparam," #endif #ifdef SYS_sched_setscheduler "sched_setscheduler," #endif #ifdef SYS_set_mempolicy "set_mempolicy," #endif #ifdef SYS_setpriority "setpriority," #endif #ifdef SYS_setrlimit "setrlimit," #endif }, { .name = "@setuid", .list = #ifdef SYS_setgid "setgid," #endif #ifdef SYS_setgid32 "setgid32," #endif #ifdef SYS_setgroups "setgroups," #endif #ifdef SYS_setgroups32 "setgroups32," #endif #ifdef SYS_setregid "setregid," #endif #ifdef SYS_setregid32 "setregid32," #endif #ifdef SYS_setresgid "setresgid," #endif #ifdef SYS_setresgid32 "setresgid32," #endif #ifdef SYS_setresuid "setresuid," #endif #ifdef SYS_setresuid32 "setresuid32," #endif #ifdef SYS_setreuid "setreuid," #endif #ifdef SYS_setreuid32 "setreuid32," #endif #ifdef SYS_setuid "setuid," #endif #ifdef SYS_setuid32 "setuid32," #endif }, { .name = "@signal", .list = #ifdef SYS_rt_sigaction "rt_sigaction," #endif #ifdef SYS_rt_sigpending "rt_sigpending," #endif #ifdef SYS_rt_sigprocmask "rt_sigprocmask," #endif #ifdef SYS_rt_sigsuspend "rt_sigsuspend," #endif #ifdef SYS_rt_sigtimedwait "rt_sigtimedwait," #endif #ifdef SYS_rt_sigtimedwait_time64 "rt_sigtimedwait_time64," #endif #ifdef SYS_sigaction "sigaction," #endif #ifdef SYS_sigaltstack "sigaltstack," #endif #ifdef SYS_signal "signal," #endif #ifdef SYS_signalfd "signalfd," #endif #ifdef SYS_signalfd4 "signalfd4," #endif #ifdef SYS_sigpending "sigpending," #endif #ifdef SYS_sigprocmask "sigprocmask," #endif #ifdef SYS_sigsuspend "sigsuspend," #endif }, { .name = "@swap", .list = #ifdef SYS_swapoff "swapoff," #endif #ifdef SYS_swapon "swapon," #endif }, { .name = "@sync", .list = #ifdef SYS_fdatasync "fdatasync," #endif #ifdef SYS_fsync "fsync," #endif #ifdef SYS_msync "msync," #endif #ifdef SYS_sync "sync," #endif #ifdef SYS_sync_file_range "sync_file_range," #endif #ifdef SYS_sync_file_range2 "sync_file_range2," #endif #ifdef SYS_syncfs "syncfs," #endif }, { .name = "@system-service", .list = "@aio," "@basic-io," "@chown," "@common," "@file-system," "@io-event," "@ipc," "@keyring," "@memlock," "@network-io," "@process," "@resources," "@setuid," "@signal," "@sync," "@timer," #ifdef SYS_brk "brk," #endif #ifdef SYS_capget "capget," #endif #ifdef SYS_capset "capset," #endif #ifdef SYS_copy_file_range "copy_file_range," #endif #ifdef SYS_fadvise64 "fadvise64," #endif #ifdef SYS_fadvise64_64 "fadvise64_64," #endif #ifdef SYS_flock "flock," #endif #ifdef SYS_get_mempolicy "get_mempolicy," #endif #ifdef SYS_getcpu "getcpu," #endif #ifdef SYS_getpriority "getpriority," #endif #ifdef SYS_getrandom "getrandom," #endif #ifdef SYS_ioctl "ioctl," #endif #ifdef SYS_ioprio_get "ioprio_get," #endif #ifdef SYS_kcmp "kcmp," #endif #ifdef SYS_madvise "madvise," #endif #ifdef SYS_mprotect "mprotect," #endif #ifdef SYS_mremap "mremap," #endif #ifdef SYS_name_to_handle_at "name_to_handle_at," #endif #ifdef SYS_oldolduname "oldolduname," #endif #ifdef SYS_olduname "olduname," #endif #ifdef SYS_personality "personality," #endif #ifdef SYS_readahead "readahead," #endif #ifdef SYS_readdir "readdir," #endif #ifdef SYS_remap_file_pages "remap_file_pages," #endif #ifdef SYS_sched_get_priority_max "sched_get_priority_max," #endif #ifdef SYS_sched_get_priority_min "sched_get_priority_min," #endif #ifdef SYS_sched_getaffinity "sched_getaffinity," #endif #ifdef SYS_sched_getattr "sched_getattr," #endif #ifdef SYS_sched_getparam "sched_getparam," #endif #ifdef SYS_sched_getscheduler "sched_getscheduler," #endif #ifdef SYS_sched_rr_get_interval "sched_rr_get_interval," #endif #ifdef SYS_sched_rr_get_interval_time64 "sched_rr_get_interval_time64," #endif #ifdef SYS_sched_yield "sched_yield," #endif #ifdef SYS_sendfile "sendfile," #endif #ifdef SYS_sendfile64 "sendfile64," #endif #ifdef SYS_setfsgid "setfsgid," #endif #ifdef SYS_setfsgid32 "setfsgid32," #endif #ifdef SYS_setfsuid "setfsuid," #endif #ifdef SYS_setfsuid32 "setfsuid32," #endif #ifdef SYS_setpgid "setpgid," #endif #ifdef SYS_setsid "setsid," #endif #ifdef SYS_splice "splice," #endif #ifdef SYS_sysinfo "sysinfo," #endif #ifdef SYS_tee "tee," #endif #ifdef SYS_umask "umask," #endif #ifdef SYS_uname "uname," #endif #ifdef SYS_userfaultfd "userfaultfd," #endif #ifdef SYS_vmsplice "vmsplice," #endif }, { .name = "@timer", .list = #ifdef SYS_alarm "alarm," #endif #ifdef SYS_getitimer "getitimer," #endif #ifdef SYS_setitimer "setitimer," #endif #ifdef SYS_timer_create "timer_create," #endif #ifdef SYS_timer_delete "timer_delete," #endif #ifdef SYS_timer_getoverrun "timer_getoverrun," #endif #ifdef SYS_timer_gettime "timer_gettime," #endif #ifdef SYS_timer_gettime64 "timer_gettime64," #endif #ifdef SYS_timer_settime "timer_settime," #endif #ifdef SYS_timer_settime64 "timer_settime64," #endif #ifdef SYS_timerfd_create "timerfd_create," #endif #ifdef SYS_timerfd_gettime "timerfd_gettime," #endif #ifdef SYS_timerfd_gettime64 "timerfd_gettime64," #endif #ifdef SYS_timerfd_settime "timerfd_settime," #endif #ifdef SYS_timerfd_settime64 "timerfd_settime64," #endif #ifdef SYS_times "times," #endif }, }; ```

diff

```diff @@ -12,11 +12,23 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_io_pgetevents "io_pgetevents," #endif +#ifdef SYS_io_pgetevents_time64 + "io_pgetevents_time64," +#endif #ifdef SYS_io_setup "io_setup," #endif #ifdef SYS_io_submit - "io_submit" + "io_submit," +#endif +#ifdef SYS_io_uring_enter + "io_uring_enter," +#endif +#ifdef SYS_io_uring_register + "io_uring_register," +#endif +#ifdef SYS_io_uring_setup + "io_uring_setup," #endif }, { .name = "@basic-io", .list = @@ -66,7 +78,7 @@ static const SyscallGroupList sysgroups[ "write," #endif #ifdef SYS_writev - "writev" + "writev," #endif }, { .name = "@chown", .list = @@ -89,7 +101,7 @@ static const SyscallGroupList sysgroups[ "lchown," #endif #ifdef SYS_lchown32 - "lchown32" + "lchown32," #endif }, { .name = "@clock", .list = @@ -99,14 +111,172 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_clock_adjtime "clock_adjtime," #endif +#ifdef SYS_clock_adjtime64 + "clock_adjtime64," +#endif #ifdef SYS_clock_settime "clock_settime," #endif +#ifdef SYS_clock_settime64 + "clock_settime64," +#endif #ifdef SYS_settimeofday "settimeofday," #endif #ifdef SYS_stime - "stime" + "stime," +#endif + }, + { .name = "@common", .list = +#ifdef SYS_clock_getres + "clock_getres," +#endif +#ifdef SYS_clock_getres_time64 + "clock_getres_time64," +#endif +#ifdef SYS_clock_gettime + "clock_gettime," +#endif +#ifdef SYS_clock_gettime64 + "clock_gettime64," +#endif +#ifdef SYS_clock_nanosleep + "clock_nanosleep," +#endif +#ifdef SYS_clock_nanosleep_time64 + "clock_nanosleep_time64," +#endif +#ifdef SYS_execve + "execve," +#endif +#ifdef SYS_exit + "exit," +#endif +#ifdef SYS_exit_group + "exit_group," +#endif +#ifdef SYS_futex + "futex," +#endif +#ifdef SYS_futex_time64 + "futex_time64," +#endif +#ifdef SYS_get_robust_list + "get_robust_list," +#endif +#ifdef SYS_get_thread_area + "get_thread_area," +#endif +#ifdef SYS_getegid + "getegid," +#endif +#ifdef SYS_getegid32 + "getegid32," +#endif +#ifdef SYS_geteuid + "geteuid," +#endif +#ifdef SYS_geteuid32 + "geteuid32," +#endif +#ifdef SYS_getgid + "getgid," +#endif +#ifdef SYS_getgid32 + "getgid32," +#endif +#ifdef SYS_getgroups + "getgroups," +#endif +#ifdef SYS_getgroups32 + "getgroups32," +#endif +#ifdef SYS_getpgid + "getpgid," +#endif +#ifdef SYS_getpgrp + "getpgrp," +#endif +#ifdef SYS_getpid + "getpid," +#endif +#ifdef SYS_getppid + "getppid," +#endif +#ifdef SYS_getresgid + "getresgid," +#endif +#ifdef SYS_getresgid32 + "getresgid32," +#endif +#ifdef SYS_getresuid + "getresuid," +#endif +#ifdef SYS_getresuid32 + "getresuid32," +#endif +#ifdef SYS_getrlimit + "getrlimit," +#endif +#ifdef SYS_getsid + "getsid," +#endif +#ifdef SYS_gettid + "gettid," +#endif +#ifdef SYS_gettimeofday + "gettimeofday," +#endif +#ifdef SYS_getuid + "getuid," +#endif +#ifdef SYS_getuid32 + "getuid32," +#endif +#ifdef SYS_membarrier + "membarrier," +#endif +#ifdef SYS_nanosleep + "nanosleep," +#endif +#ifdef SYS_pause + "pause," +#endif +#ifdef SYS_prlimit64 + "prlimit64," +#endif +#ifdef SYS_restart_syscall + "restart_syscall," +#endif +#ifdef SYS_rseq + "rseq," +#endif +#ifdef SYS_rt_sigreturn + "rt_sigreturn," +#endif +#ifdef SYS_sched_yield + "sched_yield," +#endif +#ifdef SYS_set_robust_list + "set_robust_list," +#endif +#ifdef SYS_set_thread_area + "set_thread_area," +#endif +#ifdef SYS_set_tid_address + "set_tid_address," +#endif +#ifdef SYS_set_tls + "set_tls," +#endif +#ifdef SYS_sigreturn + "sigreturn," +#endif +#ifdef SYS_time + "time," +#endif +#ifdef SYS_ugetrlimit + "ugetrlimit," #endif }, { .name = "@cpu-emulation", .list = @@ -123,10 +293,7 @@ static const SyscallGroupList sysgroups[ "vm86," #endif #ifdef SYS_vm86old - "vm86old" -#endif -#if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old) - "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed + "vm86old," #endif }, { .name = "@debug", .list = @@ -136,15 +303,15 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_perf_event_open "perf_event_open," #endif -#ifdef SYS_process_vm_writev - "process_vm_writev," +#ifdef SYS_pidfd_getfd + "pidfd_getfd," +#endif +#ifdef SYS_ptrace + "ptrace," #endif #ifdef SYS_rtas "rtas," #endif -#ifdef SYS_s390_runtime_instr - "s390_runtime_instr," -#endif #ifdef SYS_sys_debug_setcontext "sys_debug_setcontext," #endif @@ -159,80 +326,62 @@ static const SyscallGroupList sysgroups[ "@raw-io," "@reboot," "@swap," -#ifdef SYS_open_by_handle_at - "open_by_handle_at," -#endif -#ifdef SYS_name_to_handle_at - "name_to_handle_at," -#endif -#ifdef SYS_ioprio_set - "ioprio_set," -#endif -#ifdef SYS_ni_syscall - "ni_syscall," +#ifdef SYS_add_key + "add_key," #endif -#ifdef SYS_syslog - "syslog," +#ifdef SYS_bpf + "bpf," #endif #ifdef SYS_fanotify_init "fanotify_init," #endif -#ifdef SYS_kcmp - "kcmp," +#ifdef SYS_io_cancel + "io_cancel," #endif -#ifdef SYS_add_key - "add_key," +#ifdef SYS_io_destroyio_getevents + "io_destroyio_getevents," #endif -#ifdef SYS_request_key - "request_key," +#ifdef SYS_io_setup + "io_setup," #endif -#ifdef SYS_mbind - "mbind," +#ifdef SYS_io_submit + "io_submit," #endif -#ifdef SYS_migrate_pages - "migrate_pages," +#ifdef SYS_ioprio_set + "ioprio_set," #endif -#ifdef SYS_move_pages - "move_pages," +#ifdef SYS_kcmp + "kcmp," #endif #ifdef SYS_keyctl "keyctl," #endif -#ifdef SYS_io_setup - "io_setup," +#ifdef SYS_mbind + "mbind," #endif -#ifdef SYS_io_destroy - "io_destroy," +#ifdef SYS_migrate_pagesmove_pages + "migrate_pagesmove_pages," #endif -#ifdef SYS_io_getevents - "io_getevents," +#ifdef SYS_name_to_handle_at + "name_to_handle_at," #endif -#ifdef SYS_io_submit - "io_submit," +#ifdef SYS_nfsservctl + "nfsservctl," #endif -#ifdef SYS_io_cancel - "io_cancel," +#ifdef SYS_ni_syscall + "ni_syscall," +#endif +#ifdef SYS_open_by_handle_at + "open_by_handle_at," #endif #ifdef SYS_remap_file_pages "remap_file_pages," #endif -#ifdef SYS_set_mempolicy - "set_mempolicy" -#endif -#ifdef SYS_vmsplice - "vmsplice," -#endif -#ifdef SYS_userfaultfd - "userfaultfd," -#endif -#ifdef SYS_acct - "acct," -#endif -#ifdef SYS_bpf - "bpf," +#ifdef SYS_request_key + "request_key," #endif -#ifdef SYS_nfsservctl - "nfsservctl," +#ifdef SYS_set_mempolicy + "set_mempolicy," #endif #ifdef SYS_setdomainname "setdomainname," @@ -240,28 +389,38 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_sethostname "sethostname," #endif +#ifdef SYS_syslog + "syslog," +#endif +#ifdef SYS_userfaultfdacct + "userfaultfdacct," +#endif #ifdef SYS_vhangup - "vhangup" + "vhangup," +#endif +#ifdef SYS_vmsplice + "vmsplice," +#endif + }, + { .name = "@default-keep", .list = +#ifdef SYS_execve + "execve," +#endif +#ifdef SYS_prctl + "prctl," #endif -//#ifdef SYS_mincore // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem -// "mincore" -//#endif }, { .name = "@default-nodebuggers", .list = "@default," -#ifdef SYS_ptrace - "ptrace," -#endif #ifdef SYS_personality "personality," #endif #ifdef SYS_process_vm_readv - "process_vm_readv" + "process_vm_readv," +#endif +#ifdef SYS_ptrace + "ptrace," #endif - }, - { .name = "@default-keep", .list = - "execve," - "prctl" }, { .name = "@file-system", .list = #ifdef SYS_access @@ -426,6 +585,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_openat "openat," #endif +#ifdef SYS_openat2 + "openat2," +#endif #ifdef SYS_readlink "readlink," #endif @@ -489,8 +651,11 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_utimensat "utimensat," #endif +#ifdef SYS_utimensat_time64 + "utimensat_time64," +#endif #ifdef SYS_utimes - "utimes" + "utimes," #endif }, { .name = "@io-event", .list = @@ -530,11 +695,17 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_ppoll "ppoll," #endif +#ifdef SYS_ppoll_time64 + "ppoll_time64," +#endif #ifdef SYS_pselect6 "pselect6," #endif +#ifdef SYS_pselect6_time64 + "pselect6_time64," +#endif #ifdef SYS_select - "select" + "select," #endif }, { .name = "@ipc", .list = @@ -556,9 +727,15 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_mq_timedreceive "mq_timedreceive," #endif +#ifdef SYS_mq_timedreceive_time64 + "mq_timedreceive_time64," +#endif #ifdef SYS_mq_timedsend "mq_timedsend," #endif +#ifdef SYS_mq_timedsend_time64 + "mq_timedsend_time64," +#endif #ifdef SYS_mq_unlink "mq_unlink," #endif @@ -598,6 +775,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_semtimedop "semtimedop," #endif +#ifdef SYS_semtimedop_time64 + "semtimedop_time64," +#endif #ifdef SYS_shmat "shmat," #endif @@ -608,7 +788,7 @@ static const SyscallGroupList sysgroups[ "shmdt," #endif #ifdef SYS_shmget - "shmget" + "shmget," #endif }, { .name = "@keyring", .list = @@ -619,7 +799,7 @@ static const SyscallGroupList sysgroups[ "keyctl," #endif #ifdef SYS_request_key - "request_key" + "request_key," #endif }, { .name = "@memlock", .list = @@ -636,7 +816,7 @@ static const SyscallGroupList sysgroups[ "munlock," #endif #ifdef SYS_munlockall - "munlockall" + "munlockall," #endif }, { .name = "@module", .list = @@ -647,16 +827,34 @@ static const SyscallGroupList sysgroups[ "finit_module," #endif #ifdef SYS_init_module - "init_module" + "init_module," #endif }, { .name = "@mount", .list = #ifdef SYS_chroot "chroot," #endif +#ifdef SYS_fsconfig + "fsconfig," +#endif +#ifdef SYS_fsmount + "fsmount," +#endif +#ifdef SYS_fsopen + "fsopen," +#endif +#ifdef SYS_fspick + "fspick," +#endif #ifdef SYS_mount "mount," #endif +#ifdef SYS_move_mount + "move_mount," +#endif +#ifdef SYS_open_tree + "open_tree," +#endif #ifdef SYS_pivot_root "pivot_root," #endif @@ -664,7 +862,7 @@ static const SyscallGroupList sysgroups[ "umount," #endif #ifdef SYS_umount2 - "umount2" + "umount2," #endif }, { .name = "@network-io", .list = @@ -701,6 +899,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_recvmmsg "recvmmsg," #endif +#ifdef SYS_recvmmsg_time64 + "recvmmsg_time64," +#endif #ifdef SYS_recvmsg "recvmsg," #endif @@ -729,7 +930,7 @@ static const SyscallGroupList sysgroups[ "socketcall," #endif #ifdef SYS_socketpair - "socketpair" + "socketpair," #endif }, { .name = "@obsolete", .list = @@ -809,10 +1010,18 @@ static const SyscallGroupList sysgroups[ "ustat," #endif #ifdef SYS_vserver - "vserver" + "vserver," +#endif + }, + { .name = "@pkey", .list = +#ifdef SYS_pkey_alloc + "pkey_alloc," +#endif +#ifdef SYS_pkey_free + "pkey_free," #endif -#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver) - "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed +#ifdef SYS_pkey_mprotect + "pkey_mprotect," #endif }, { .name = "@privileged", .list = @@ -840,8 +1049,8 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_fanotify_init "fanotify_init," #endif -#ifdef SYS_mount - "mount," +#ifdef SYS_fanotify_mark + "fanotify_mark," #endif #ifdef SYS_nfsservctl "nfsservctl," @@ -891,11 +1100,8 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_setuid32 "setuid32," #endif -#ifdef SYS_umount2 - "umount2," -#endif #ifdef SYS_vhangup - "vhangup" + "vhangup," #endif }, { .name = "@process", .list = @@ -908,6 +1114,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_clone "clone," #endif +#ifdef SYS_clone3 + "clone3," +#endif #ifdef SYS_execveat "execveat," #endif @@ -920,6 +1129,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_kill "kill," #endif +#ifdef SYS_pidfd_open + "pidfd_open," +#endif #ifdef SYS_pidfd_send_signal "pidfd_send_signal," #endif @@ -960,7 +1172,7 @@ static const SyscallGroupList sysgroups[ "waitid," #endif #ifdef SYS_waitpid - "waitpid" + "waitpid," #endif }, { .name = "@raw-io", .list = @@ -979,23 +1191,14 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_pciconfig_write "pciconfig_write," #endif -#ifdef SYS_s390_mmio_read - "s390_mmio_read," -#endif -#ifdef SYS_s390_mmio_write - "s390_mmio_write" -#endif -#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write) - "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed -#endif }, { .name = "@reboot", .list = -#ifdef SYS_kexec_load - "kexec_load," -#endif #ifdef SYS_kexec_file_load "kexec_file_load," #endif +#ifdef SYS_kexec_load + "kexec_load," +#endif #ifdef SYS_reboot "reboot," #endif @@ -1029,7 +1232,13 @@ static const SyscallGroupList sysgroups[ "sched_setscheduler," #endif #ifdef SYS_set_mempolicy - "set_mempolicy" + "set_mempolicy," +#endif +#ifdef SYS_setpriority + "setpriority," +#endif +#ifdef SYS_setrlimit + "setrlimit," #endif }, { .name = "@setuid", .list = @@ -1073,7 +1282,7 @@ static const SyscallGroupList sysgroups[ "setuid," #endif #ifdef SYS_setuid32 - "setuid32" + "setuid32," #endif }, { .name = "@signal", .list = @@ -1092,6 +1301,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_rt_sigtimedwait "rt_sigtimedwait," #endif +#ifdef SYS_rt_sigtimedwait_time64 + "rt_sigtimedwait_time64," +#endif #ifdef SYS_sigaction "sigaction," #endif @@ -1114,16 +1326,16 @@ static const SyscallGroupList sysgroups[ "sigprocmask," #endif #ifdef SYS_sigsuspend - "sigsuspend" + "sigsuspend," #endif }, { .name = "@swap", .list = +#ifdef SYS_swapoff + "swapoff," +#endif #ifdef SYS_swapon "swapon," #endif -#ifdef SYS_swapoff - "swapoff" -#endif }, { .name = "@sync", .list = #ifdef SYS_fdatasync @@ -1145,14 +1357,14 @@ static const SyscallGroupList sysgroups[ "sync_file_range2," #endif #ifdef SYS_syncfs - "syncfs" + "syncfs," #endif }, { .name = "@system-service", .list = "@aio," "@basic-io," "@chown," - "@default," + "@common," "@file-system," "@io-event," "@ipc," @@ -1258,6 +1470,9 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_sched_rr_get_interval "sched_rr_get_interval," #endif +#ifdef SYS_sched_rr_get_interval_time64 + "sched_rr_get_interval_time64," +#endif #ifdef SYS_sched_yield "sched_yield," #endif @@ -1304,7 +1519,7 @@ static const SyscallGroupList sysgroups[ "userfaultfd," #endif #ifdef SYS_vmsplice - "vmsplice" + "vmsplice," #endif }, { .name = "@timer", .list = @@ -1329,20 +1544,32 @@ static const SyscallGroupList sysgroups[ #ifdef SYS_timer_gettime "timer_gettime," #endif +#ifdef SYS_timer_gettime64 + "timer_gettime64," +#endif #ifdef SYS_timer_settime "timer_settime," #endif +#ifdef SYS_timer_settime64 + "timer_settime64," +#endif #ifdef SYS_timerfd_create "timerfd_create," #endif #ifdef SYS_timerfd_gettime "timerfd_gettime," #endif +#ifdef SYS_timerfd_gettime64 + "timerfd_gettime64," +#endif #ifdef SYS_timerfd_settime "timerfd_settime," #endif +#ifdef SYS_timerfd_settime64 + "timerfd_settime64," +#endif #ifdef SYS_times - "times" + "times," #endif - } + }, }; ```

TODOs:

__dummy_syscall__
add src/lib/syscalls_list.c (or whatever)
change src/lib/syscalls.c to #include syscalls_list.c

topimiettinen commented 4 years ago

Looks great!

__dummy_syscall__ is needed because empty system call lists are not allowed, so alternatively that restriction could be relaxed. It would allow dropping some ugly #ifdeffery.

rusty-snake commented 4 years ago

There is one thing I do not understand. Why do we need the __dummy_syscall__? It is a invalid syscall, but the other syscall in these groups are also invalid on these platforms.

topimiettinen commented 4 years ago

Without __dummy_syscall__, system call groups could become empty if none of the system calls are defined (because they don't exist for an architecture). Empty system call lists are not allowed.

Actually I like your suggestion of dropping the #ifdef SYS_XXXX. We know all Linux system call names and their numbers and it doesn't matter if the libc doesn't define SYS_XXXX for some of them, so we could just always use our own definitions and simply ignore non-existent system calls for an architecture later. Then the system call group lists would always be the same and non-empty, so __dummy_syscall__ could be removed. A downside would be that x86 groups would be "polluted" with arm groups etc.

One problem with copying systemd system call groups mechanically is that systemd uses libseccomp, which doesn't use exactly the same names for all system calls as kernel. It probably doesn't matter much.

rusty-snake commented 2 years ago

Ping @smitsohu as you're working on syscall definitions.

smitsohu commented 2 years ago

@rusty-snake Can you open a pull request (or commit right away) ?

netblue30 / firejail

seccomp groups (next round) #3106