RFE: Add support for maximum supported kernel version

include/Makefile.am

@@ -16,4 +16,4 @@
 # along with this library; if not, see <http://www.gnu.org/licenses>.
 #
 
-include_HEADERS = seccomp.h seccomp-syscalls.h
+include_HEADERS = seccomp.h seccomp-syscalls.h seccomp-kvers.h

include/seccomp-kvers.h

@@ -0,0 +1,111 @@
+/**
+ * Seccomp Library
+ *
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _SECCOMP_H
+#error "do not include seccomp-kvers.h directly, use seccomp.h instead"
+#endif
+
+/**
+ * Kernel versions
+ */
+enum scmp_kver {
+	__SCMP_KV_NULL = 0,
+	SCMP_KV_UNDEF = 1,
+	SCMP_KV_3_0 = 2,
+	SCMP_KV_3_1 = 3,
+	SCMP_KV_3_2 = 4,
+	SCMP_KV_3_3 = 5,
+	SCMP_KV_3_4 = 6,
+	SCMP_KV_3_5 = 7,
+	SCMP_KV_3_6 = 8,
+	SCMP_KV_3_7 = 9,
+	SCMP_KV_3_8 = 10,
+	SCMP_KV_3_9 = 11,
+	SCMP_KV_3_10 = 12,
+	SCMP_KV_3_11 = 13,
+	SCMP_KV_3_12 = 14,
+	SCMP_KV_3_13 = 15,
+	SCMP_KV_3_14 = 16,
+	SCMP_KV_3_15 = 17,
+	SCMP_KV_3_16 = 18,
+	SCMP_KV_3_17 = 19,
+	SCMP_KV_3_18 = 20,
+	SCMP_KV_3_19 = 21,
+	SCMP_KV_4_0 = 22,
+	SCMP_KV_4_1 = 23,
+	SCMP_KV_4_2 = 24,
+	SCMP_KV_4_3 = 25,
+	SCMP_KV_4_4 = 26,
+	SCMP_KV_4_5 = 27,
+	SCMP_KV_4_6 = 28,
+	SCMP_KV_4_7 = 29,
+	SCMP_KV_4_8 = 30,
+	SCMP_KV_4_9 = 31,
+	SCMP_KV_4_10 = 32,
+	SCMP_KV_4_11 = 33,
+	SCMP_KV_4_12 = 34,
+	SCMP_KV_4_13 = 35,
+	SCMP_KV_4_14 = 36,
+	SCMP_KV_4_15 = 37,
+	SCMP_KV_4_16 = 38,
+	SCMP_KV_4_17 = 39,
+	SCMP_KV_4_18 = 40,
+	SCMP_KV_4_19 = 41,
+	SCMP_KV_4_20 = 42,
+	SCMP_KV_5_0 = 43,
+	SCMP_KV_5_1 = 44,
+	SCMP_KV_5_2 = 45,
+	SCMP_KV_5_3 = 46,
+	SCMP_KV_5_4 = 47,
+	SCMP_KV_5_5 = 48,
+	SCMP_KV_5_6 = 49,
+	SCMP_KV_5_7 = 50,
+	SCMP_KV_5_8 = 51,
+	SCMP_KV_5_9 = 52,
+	SCMP_KV_5_10 = 53,
+	SCMP_KV_5_11 = 54,
+	SCMP_KV_5_12 = 55,
+	SCMP_KV_5_13 = 56,
+	SCMP_KV_5_14 = 57,
+	SCMP_KV_5_15 = 58,
+	SCMP_KV_5_16 = 59,
+	SCMP_KV_5_17 = 60,
+	SCMP_KV_5_18 = 61,
+	SCMP_KV_5_19 = 62,
+	SCMP_KV_6_0 = 63,
+	SCMP_KV_6_1 = 64,
+	SCMP_KV_6_2 = 65,
+	SCMP_KV_6_3 = 66,
+	SCMP_KV_6_4 = 67,
+	SCMP_KV_6_5 = 68,
+	SCMP_KV_6_6 = 69,
+	SCMP_KV_6_7 = 70,
+	SCMP_KV_6_8 = 71,
+	SCMP_KV_6_9 = 72,
+	SCMP_KV_6_10 = 73,
+	SCMP_KV_6_11 = 74,
+	SCMP_KV_6_12 = 75,
+	SCMP_KV_6_13 = 76,
+	SCMP_KV_6_14 = 77,
+	SCMP_KV_6_15 = 78,
+	SCMP_KV_6_16 = 79,
+	__SCMP_KV_MAX,
+};

include/seccomp-syscalls.h

@@ -283,6 +283,7 @@
 #define __PNR_getpagesize			-10249
 #define __PNR_riscv_hwprobe			-10250
 #define __PNR_uretprobe				-10251
+#define __PNR_open_tree_attr			-10252
 
 /*
  * libseccomp syscall definitions
@@ -1356,6 +1357,12 @@
 #define __SNR_open_tree			__PNR_open_tree
 #endif
 
+#ifdef __NR_open_tree_attr
+#define __SNR_open_tree_attr		__NR_open_tree_attr
+#else
+#define __SNR_open_tree_attr		__PNR_open_tree_attr
+#endif
+
 #define __SNR_openat			__NR_openat
 
 #define __SNR_openat2			__NR_openat2

include/seccomp.h.in

@@ -898,6 +898,7 @@ int seccomp_precompute(const scmp_filter_ctx ctx);
 #define __NR_SCMP_UNDEF		-2
 
 #include <seccomp-syscalls.h>
+#include <seccomp-kvers.h>
 
 #ifdef __cplusplus
 }

src/arch-build-kver-tables.py

@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+#
+# Seccomp Library program to build the kernel version tables
+#
+# Copyright (c) 2025 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+#######################################################
+#### WARNING - to generate proper headers for x32, you
+####           must install the glibc 32-bit headers
+####
+####           apt install libc6-dev-x32
+####
+#######################################################
+
+from subprocess import TimeoutExpired
+import subprocess
+import argparse
+import os
+
+kernel_versions = ['3.0', '3.1', '3.2', '3.3', '3.4', '3.5', '3.6', '3.7',
+                   '3.8', '3.9', '3.10', '3.11', '3.12', '3.13', '3.14',
+                   '3.15', '3.16', '3.17', '3.18', '3.19', '4.0', '4.1',
+                   '4.2', '4.3', '4.4', '4.5', '4.6', '4.7', '4.8', '4.9',
+                   '4.10', '4.11', '4.12', '4.13', '4.14', '4.15', '4.16',
+                   '4.17', '4.18', '4.19', '4.20', '5.0', '5.1', '5.2',
+                   '5.3', '5.4', '5.5', '5.6', '5.7', '5.8', '5.9', '5.10',
+                   '5.11', '5.12', '5.13', '5.14', '5.15', '5.16', '5.17',
+                   '5.18', '5.19', '6.0', '6.1', '6.2', '6.3', '6.4', '6.5',
+                   '6.6', '6.7', '6.8', '6.9', '6.10', '6.11', '6.12',
+                   '6.13', '6.14', '6.15', '6.16']
+
+def parse_args():
+    parser = argparse.ArgumentParser('Script to populate the syscalls.csv kernel versions',
+                                     formatter_class=argparse.RawTextHelpFormatter)
+    parser.add_argument('-d', '--datapath', required=True, type=str, default=None,
+                        help="Path to the local copy of @hrw's syscalls-table tool")
+    parser.add_argument('-k', '--kernelpath', required=True, type=str, default=None,
+                        help="Path to the kernel source directory")
+    parser.add_argument('-V', '--versions', required=False, type=str, default=None,
+                        help="Comma-separated list of kernel versions to build, e.g "
+                        "3.0,6.1,6.10.  If not specified all known kernel version "
+                        "tables are built")
+    parser.add_argument('-v', '--verbose', action='store_true',
+                        help='Show verbose warnings')
+
+    args = parser.parse_args()
+
+    if not args.versions:
+        args.versions = kernel_versions
+    else:
+        args.versions = args.versions.split(',')
+
+    return args
+
+def run(command, verbose=False, shell=False, timeout=None):
+    if shell:
+        if isinstance(command, str):
+            # nothing to do.  command is already formatted as a string
+            pass
+        elif isinstance(command, list):
+            command = ' '.join(command)
+        else:
+            raise ValueError('Unsupported command type')
+
+    subproc = subprocess.Popen(command, shell=shell,
+                               stdout=subprocess.PIPE,
+                               stderr=subprocess.PIPE)
+
+    if timeout:
+        try:
+            out, err = subproc.communicate(timeout=timeout)
+            ret = subproc.returncode
+
+            out = out.strip().decode('UTF-8')
+            err = err.strip().decode('UTF-8')
+        except TimeoutExpired as timeout:
+            if timeout.stdout:
+                out = timeout.stdout.strip().decode('UTF-8')
+            else:
+                out = ''
+            if timeout.stderr:
+                    err = timeout.stderr.strip().decode('UTF-8')
+            else:
+                err = ''
+
+            if len(err):
+                ret = -1
+            else:
+                ret = 0
+    else:
+        out, err = subproc.communicate()
+        ret = subproc.returncode
+
+        out = out.strip().decode('UTF-8')
+        err = err.strip().decode('UTF-8')
+
+    if verbose:
+        if not shell:
+            command = ' '.join(command)
+        print('run:\n\tcmd = {}\n\tret = {}\n\tstdout = {}\n\tstderr = {}\n'.format(
+              command, ret, out, err))
+
+    return ret, out, err
+
+def main(args):
+    for kver in args.versions:
+        print('Building version table for kernel {}'.format(kver))
+
+        checkout_cmd = 'cd {};git checkout v{}'.format(args.kernelpath, kver)
+        ret, out, err = run(checkout_cmd, shell=True)
+        if ret != 0:
+            raise KeyError('Failed to checkout v{}: {}'.format(kver, ret))
+
+        update_cmd = 'cd {};bash scripts/update-tables.sh {}'.format(
+                     args.datapath, args.kernelpath)
+        ret, out, err = run(update_cmd, shell=True)
+        if ret != 0:
+            raise RuntimeError('Failed to update tables: {}'.format(ret))
+
+        src_path = os.path.join(args.datapath, 'data/tables')
+        dest_path = os.path.join(os.getcwd(), 'tables-{}'.format(kver))
+        cp_cmd = 'cp -r {} {}'.format(src_path, dest_path)
+        ret, out, err = run(cp_cmd, shell=True)
+        if ret != 0:
+            raise RuntimeError('Table copy failed: {}'.format(ret))
+
+if __name__ == '__main__':
+    args = parse_args()
+    main(args)