libseccomp: Releases
===============================================================================
https://github.com/seccomp/libseccomp
* Version 2.6.0 - January 23, 2025
- Update the syscall table for Linux v6.13
- Add support for new arches: SuperH little and big endian, LoongArch, and
32-bit Motorola 68000
- Add multiplexed syscall support for more arches: MIPS, SuperH, and PPC
- Consolidate and simplify handling of multiplexed syscalls
- Add support for the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag
- Add support for transactions with the seccomp_transaction_start(),
seccomp_transaction_commit(), and seccomp_transaction_reject() APIs
- Add a seccomp_precompute() API to generate the seccomp BPF filter prior to
seccomp_load() or seccomp_export_bpf_mem()
- Add support for binary tree filters without syscalls
- Add support for the kernel’s implementation change of
SECCOMP_IOCTL_NOTIF_ID_VALID
- Add Python binding support for retrieving the notification file descriptor
- Improved tooling to help track syscall table updates in the Linux kernel
- Handle EINVAL error from the kernel when the WAIT_KILLABLE_RECV flag is
erroneously provided to the kernel
- Fix a seccomp userspace notification issue where the file descriptor was
being requested more than once
- Fix a bug where the internal filter state could be corrupted when a filter
rule addition fails
- Fix potential memory leak in the internal management of filter snapshots
- Utilize Cython rather than distutils in the Python bindings, due to
distutils’ deprecation
- Many test and CI improvements and fixes
- Many documentation improvements and updates
* Version 2.5.6 - January 24, 2025
- Update the syscall table for Linux v6.13
- Fix a bug where the internal filter state could be corrupted when a filter
rule addition fails
- Fix potential memory leak in the internal management of filter snapshots
* Version 2.5.5 - December 1, 2023
- Update the syscall table for Linux v6.7-rc3
* Version 2.5.4 - April 21, 2022
- Update the syscall table for Linux v5.17
- Fix minor issues with binary tree testing and with empty binary trees
- Minor documentation improvements including retiring the mailing list
* Version 2.5.3 - November 5, 2021
- Update the syscall table for Linux v5.15
- Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2
- Document that seccomp_rule_add() may return -EACCES
- Fix issues with test 11-basic-basic_errors on old kernels (API level < 5)
* Version 2.5.2 - August 31, 2021
- Update the syscall table for Linux v5.14-rc7
- Add a function, get_notify_fd(), to the Python bindings to get the
notification file descriptor
- Consolidate multiplexed syscall handling for all architectures into one
location
- Add multiplexed syscall support to PPC
- Add multiplexed syscall support to MIPS
- The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within the kernel.
Modify the libseccomp file descriptor notification logic to support the
kernel's previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID
* Version 2.5.1 - November 20, 2020
- Fix a bug where seccomp_load() could only be called once
- Change the notification fd handling to only request a notification fd if
the filter has a _NOTIFY action
- Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage
- Clarify the maintainers' GPG keys
* Version 2.5.0 - July 20, 2020
- Add support for the seccomp user notifications, see the
seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3)
manpages for more information
- Add support for new filter optimization approaches, including a balanced tree
optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more
information
- Add support for the 64-bit RISC-V architecture
- Performance improvements when adding new rules to a filter thanks to the use
of internal shadow transactions and improved syscall lookup tables
- Properly document the libseccomp API return values and include them in the
stable API promise
- Improvements to the s390 and s390x multiplexed syscall handling
- Multiple fixes and improvements to the libseccomp manpages
- Moved from manually maintained syscall tables to an automatically generated
syscall table in CSV format
- Update the syscall tables to Linux v5.8.0-rc5
- Python bindings and build now default to Python 3.x
- Improvements to the tests have boosted code coverage to over 93%
- Enable Travis CI testing on the aarch64 and ppc64le architectures
- Add code inspection via lgtm.com
* Version 2.4.3 - March 4, 2020
- Add list of authorized release signatures to README.md
- Fix multiplexing issue with s390/s390x shm* syscalls
- Remove the static flag from libseccomp tools compilation
- Add define for __SNR_ppoll
- Update our Travis CI configuration to use Ubuntu 18.04
- Disable live python tests in Travis CI
- Use default python, rather than nightly python, in Travis CI
- Fix potential memory leak identified by clang in the scmp_bpf_sim tool
* Version 2.4.2 - November 7, 2019
- Update the syscall table for Linux v5.4-rc4
- Stop defining __NR_x values for syscalls that don't exist. Libseccomp
now uses __SNR_x internally
- Update the Cython language level to "3str"
- Add support for io-uring related system calls
- Clarify the maintainer documentation and release process
- Fix python module name issue introduced in the v2.4.0 release. The module
is now named "seccomp" as it was previously
- Deliver the SECURITY.md file in releases
* Version 2.4.1 - April 17, 2019
- Fix a BPF generation bug where the optimizer mistakenly identified duplicate
BPF code blocks
* Version 2.4.0 - March 14, 2019
- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument
comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via
seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer
conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates
* Version 2.3.3 - January 10, 2018
- Updated the syscall table for Linux v4.15-rc7
* Version 2.3.2 - February 27, 2017
- Achieved full compliance with the CII Best Practices program
- Added Travis CI builds to the GitHub repository
- Added code coverage reporting with the "--enable-code-coverage" configure
flag and added Coveralls to the GitHub repository
- Updated the syscall tables to match Linux v4.10-rc6+
- Support for building with Python v3.x
- Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is
set to true
- Several small documentation fixes
* Version 2.3.1 - April 20, 2016
- Fixed a problem with 32-bit x86 socket syscalls on some systems
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
* Version 2.3.0 - February 29, 2016
- Added support for the s390 and s390x architectures
- Added support for the ppc, ppc64, and ppc64le architectures
- Update the internal syscall tables to match the Linux 4.5-rcX releases
- Filter generation for both multiplexed and direct socket syscalls on x86
- Support for the musl libc implementation
- Additions to the API to enable runtime version checking of the library
- Enable the use of seccomp() instead of prctl() on supported systems
- Added additional tests to the regression test suite
* Version 2.2.3 - July 8, 2015
- Fix a problem with 'make check' on 32-bit ARM systems
* Version 2.2.2 - July 6, 2015
- Fix a problem with the masked equality operator
- Fix a problem on x86_64/x32 involving invalid architectures
- Fix a problem with the ARM specific syscalls
- Fix a build problem when the source and build directories differ
* Version 2.2.1 - May 13, 2015
- Fix a problem with syscall argument filtering on 64-bit systems
- Fix some problems with the 32-bit ARM syscall table
- Fix build problems on very old systems
- Update the README file with the GitHub and Google Groups information
* Version 2.2.0 - February 12, 2015
- Migrated the build system to autotools
- Added support for the aarch64 architecture
- Added support for the mips, mips64, and mips64n32 architectures for both big
and little endian systems
- Added support for using the new seccomp() syscall and the thread sync
functionality
- Added Python bindings
- Updated the internal syscall tables to Linux v3.19
- Added documentation to help contributors wishing to submit patches
- Migrated to GitHub for git hosting and Google Groups for the mailing list
- Numerous minor bug fixes
* Version 2.1.1 - October 31, 2013
- Build system improvements
- Automated test improvements, including a "check" target for use by
packagers to verify the build
- Numerous bug fixes related to the filter's internal rule database which
affect those creating rules with syscall arguments
- Introduced tools to verify the style/formatting of the code, including a
"check-syntax" target for use by developers
- Non-public symbols are now hidden in the library
* Version 2.1.0 - June 11, 2013
- Add support for the x32 and ARM architectures
- Improvements to the regression tests, including support for live tests
- More verbose PFC output, including translation of syscall numbers to names
- Several assorted bugfixes affecting the seccomp BPF generation
- The syscall number/name resolver tool is now available to install
* Version 2.0.0 - January 28, 2013
- Fixes for the x86 multiplexed syscalls
- Additions to the API to better support non-native architectures
- Additions to the API to support multiple architectures in one filter
- Additions to the API to resolve syscall name/number mappings
- Assorted minor bug fixes
- Improved build messages regardless of build verbosity
- More automated tests added as well as a number of improvements to the test
harness
* Version 1.0.1 - November 12, 2012
- The header file is now easier to use with C++ compilers
- Minor documentation fixes
- Minor memory leak fixes
- Corrected x86 filter generation on x86_64 systems
- Corrected problems with small filters and filters with arguments
* Version 1.0.0 - July 31, 2012
- Change the API to be context-aware; eliminates all internal state but breaks
compatibility with the previous 0.1.0 release
- Added support for multiple build jobs ("make -j8") and verbose builds using
the "V=1" build variable ("make V=1")
- Minor tweaks to the regression test script output
* Version 0.1.0 - June 8, 2012
- Initial release