libseccomp: Releases =============================================================================== https://github.com/seccomp/libseccomp * Version 2.5.4 - April 21, 2022 - Update the syscall table for Linux v5.17 - Fix minor issues with binary tree testing and with empty binary trees - Minor documentation improvements including retiring the mailing list * Version 2.5.3 - November 5, 2021 - Update the syscall table for Linux v5.15 - Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2 - Document that seccomp_rule_add() may return -EACCES - Fix issues with test 11-basic-basic_errors on old kernels (API level < 5) * Version 2.5.2 - August 31, 2021 - Update the syscall table for Linux v5.14-rc7 - Add a function, get_notify_fd(), to the Python bindings to get the nofication file descriptor - Consolidate multiplexed syscall handling for all architectures into one location - Add multiplexed syscall support to PPC - Add multiplexed syscall support to MIPS - The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within the kernel. Modify the libseccomp file descriptor notification logic to support the kernel's previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID * Version 2.5.1 - November 20, 2020 - Fix a bug where seccomp_load() could only be called once - Change the notification fd handling to only request a notification fd if the filter has a _NOTIFY action - Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage - Clarify the maintainers' GPG keys * Version 2.5.0 - July 20, 2020 - Add support for the seccomp user notifications, see the seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3) manpages for more information - Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information - Add support for the 64-bit RISC-V architecture - Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables - Properly document the libseccomp API return values and include them in the stable API promise - Improvements to the s390 and s390x multiplexed syscall handling - Multiple fixes and improvements to the libseccomp manpages - Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format - Update the syscall tables to Linux v5.8.0-rc5 - Python bindings and build now default to Python 3.x - Improvements to the tests have boosted code coverage to over 93% - Enable Travis CI testing on the aarch64 and ppc64le architectures - Add code inspection via lgtm.com * Version 2.4.3 - March 4, 2020 - Add list of authorized release signatures to README.md - Fix multiplexing issue with s390/s390x shm* syscalls - Remove the static flag from libseccomp tools compilation - Add define for __SNR_ppoll - Update our Travis CI configuration to use Ubuntu 18.04 - Disable live python tests in Travis CI - Use default python, rather than nightly python, in TravisCI - Fix potential memory leak identified by clang in the scmp_bpf_sim tool * Version 2.4.2 - November 7, 2019 - Update the syscall table for Linux v5.4-rc4 - Stop defining __NR_x values for syscalls that don't exist. Libseccomp now uses __SNR_x internally - Update the Cython language level to "3str" - Add support for io-uring related system calls - Clarify the maintainer documentation and release process - Fix python module name issue introduced in the v2.4.0 release. The module is now named "seccomp" as it was previously - Deliver the SECURITY.md file in releases * Version 2.4.1 - April 17, 2019 - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks * Version 2.4.0 - March 14, 2019 - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates * Version 2.3.3 - January 10, 2018 - Updated the syscall table for Linux v4.15-rc7 * Version 2.3.2 - February 27, 2017 - Achieved full compliance with the CII Best Practices program - Added Travis CI builds to the GitHub repository - Added code coverage reporting with the "--enable-code-coverage" configure flag and added Coveralls to the GitHub repository - Updated the syscall tables to match Linux v4.10-rc6+ - Support for building with Python v3.x - Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true - Several small documentation fixes * Version 2.3.1 - April 20, 2016 - Fixed a problem with 32-bit x86 socket syscalls on some systems - Fixed problems with ipc syscalls on 32-bit x86 - Fixed problems with socket and ipc syscalls on s390 and s390x * Version 2.3.0 - February 29, 2016 - Added support for the s390 and s390x architectures - Added support for the ppc, ppc64, and ppc64le architectures - Update the internal syscall tables to match the Linux 4.5-rcX releases - Filter generation for both multiplexed and direct socket syscalls on x86 - Support for the musl libc implementation - Additions to the API to enable runtime version checking of the library - Enable the use of seccomp() instead of prctl() on supported systems - Added additional tests to the regression test suite * Version 2.2.3 - July 8, 2015 - Fix a problem with 'make check' on 32-bit ARM systems * Version 2.2.2 - July 6, 2015 - Fix a problem with the masked equality operator - Fix a problem on x86_64/x32 involving invalid architectures - Fix a problem with the ARM specific syscalls - Fix a build problem when the source and build directories differ * Version 2.2.1 - May 13, 2015 - Fix a problem with syscall argument filtering on 64-bit systems - Fix some problems with the 32-bit ARM syscall table - Fix build problems on very old systems - Update the README file with the GitHub and Google Groups information * Version 2.2.0 - February 12, 2015 - Migrated the build system to autotools - Added support for the aarch64 architecture - Added support for the mips, mips64, and mips64n32 architectures for both big and little endian systems - Added support for using the new seccomp() syscall and the thread sync functionality - Added Python bindings - Updated the internal syscall tables to Linux v3.19 - Added documentation to help contributors wishing to submit patches - Migrated to GitHub for git hosting and Google Groups for the mailing list - Numerous minor bug fixes * Version 2.1.1 - October 31, 2013 - Build system improvements - Automated test improvements, including a "check" target for use by packagers to verify the build - Numerous bug fixes related to the filter's internal rule database which affect those creating rules with syscall arguments - Introduced tools to verify the style/formatting of the code, including a "check-syntax" target for use by developers - Non-public symbols are now hidden in the library * Version 2.1.0 - June 11, 2013 - Add support for the x32 and ARM architectures - Improvements to the regression tests, including support for live tests - More verbose PFC output, including translation of syscall numbers to names - Several assorted bugfixes affecting the seccomp BPF generation - The syscall number/name resolver tool is now available to install * Version 2.0.0 - January 28, 2013 - Fixes for the x86 multiplexed syscalls - Additions to the API to better support non-native architectures - Additions to the API to support multiple architectures in one filter - Additions to the API to resolve syscall name/number mappings - Assorted minor bug fixes - Improved build messages regardless of build verbosity - More automated tests added as well as a number of improvements to the test harness * Version 1.0.1 - November 12, 2012 - The header file is now easier to use with C++ compilers - Minor documentation fixes - Minor memory leak fixes - Corrected x86 filter generation on x86_64 systems - Corrected problems with small filters and filters with arguments * Version 1.0.0 - July 31, 2012 - Change the API to be context-aware; eliminates all internal state but breaks compatibility with the previous 0.1.0 release - Added support for multiple build jobs ("make -j8") and verbose builds using the "V=1" build variable ("make V=1") - Minor tweaks to the regression test script output * Version 0.1.0 - June 8, 2012 - Initial release