Paul Moore
2014-08-27 14:41:27 UTC
From: Marcin Juszkiewicz <***@redhat.com>
This patch adds support for the AArch64 (64-bit ARM) architecture.
Signed-off-by: Marcin Juszkiewicz <***@redhat.com>
(Additional fixes/corrections/etc.)
Signed-off-by: Paul Moore <***@redhat.com>
---
include/seccomp.h.in | 184 +++++++++++++
src/Makefile.am | 1
src/arch-aarch64-syscalls.c | 495 ++++++++++++++++++++++++++++++++++
src/arch-aarch64.c | 34 ++
src/arch-aarch64.h | 42 +++
src/arch-arm-syscalls.c | 1
src/arch-mips-syscalls.c | 1
src/arch-mips64-syscalls.c | 1
src/arch-mips64n32-syscalls.c | 1
src/arch-syscall-check.c | 14 +
src/arch-syscall-dump.c | 4
src/arch-syscall-validate | 48 +++
src/arch-x32-syscalls.c | 1
src/arch-x86-syscalls.c | 1
src/arch-x86_64-syscalls.c | 1
src/arch.c | 20 +
src/gen_pfc.c | 2
src/python/libseccomp.pxd | 1
src/python/seccomp.pyx | 4
tests/04-sim-multilevel_chains.c | 33 +-
tests/04-sim-multilevel_chains.py | 32 +-
tests/04-sim-multilevel_chains.tests | 46 ++-
tests/06-sim-actions.c | 10 -
tests/06-sim-actions.tests | 16 +
tests/16-sim-arch_basic.c | 3
tests/16-sim-arch_basic.py | 1
tests/20-live-basic_die.c | 6
tests/20-live-basic_die.py | 4
tests/21-live-basic_allow.c | 15 +
tests/21-live-basic_allow.py | 23 +-
tests/23-sim-arch_all_le_basic.c | 3
tests/23-sim-arch_all_le_basic.py | 1
tests/24-live-arg_allow.c | 12 -
tests/24-live-arg_allow.py | 10 -
tests/regression | 4
tools/scmp_arch_detect.c | 3
tools/scmp_bpf_disasm.c | 2
tools/scmp_bpf_sim.c | 2
tools/util.c | 2
tools/util.h | 6
40 files changed, 978 insertions(+), 112 deletions(-)
create mode 100644 src/arch-aarch64-syscalls.c
create mode 100644 src/arch-aarch64.c
create mode 100644 src/arch-aarch64.h
diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index 99a0bc5..658107e 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -118,9 +118,14 @@ struct scmp_arg_cmp {
#define SCMP_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)
/**
- * The ARM architecture token
+ * The ARM architecture tokens
*/
#define SCMP_ARCH_ARM AUDIT_ARCH_ARM
+#ifndef AUDIT_ARCH_AARCH64
+/* AArch64 support for audit was merged in 3.17-rc1 */
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+#define SCMP_ARCH_AARCH64 AUDIT_ARCH_AARCH64
/**
* The MIPS architecture tokens
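Review bot: The added fallback `#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)` still depends on `EM_AARCH64`, so on the older kernel headers this `#ifndef AUDIT_ARCH_AARCH64` block is meant to cover, the build fails anyway if the installed `linux/elf-em.h` predates that constant as well. Guarding it the same way, `#ifndef EM_AARCH64` / `#define EM_AARCH64 183` / `#endif` just before the AUDIT_ARCH_AARCH64 fallback, keeps the public header self-contained (183 is the e_machine value registered for AArch64 in the ELF ABI). The comment `/* AArch64 support for audit was merged in 3.17-rc1 */` could then also note that the EM_ fallback exists for the same reason.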
@@ -1232,7 +1237,7 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
#define __PNR_getrandom -10109
#ifndef __NR_getrandom
#define __NR_getrandom __PNR_getrandom
-#endif /* __NR_time */
+#endif /* __NR_getrandom */
#define __PNR_memfd_create -10110
#ifndef __NR_memfd_create
@@ -1244,6 +1249,181 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
#define __NR_kexec_file_load __PNR_kexec_file_load
#endif /* __NR_kexec_file_load */
+#define __PNR_sysfs -10145
+#ifndef __NR_sysfs
+#define __NR_sysfs __PNR_sysfs
+#endif /* __NR_sysfs */
+
+#define __PNR_oldwait4 -10146
+#ifndef __NR_oldwait4
+#define __NR_oldwait4 __PNR_oldwait4
+#endif /* __NR_sysfs */
+
+#define __PNR_access -10147
+#ifndef __NR_access
+#define __NR_access __PNR_access
+#endif /* __NR_access */
+
+#define __PNR_alarm -10148
+#ifndef __NR_alarm
+#define __NR_alarm __PNR_alarm
+#endif /* __NR_alarm */
+
+#define __PNR_chmod -10149
+#ifndef __NR_chmod
+#define __NR_chmod __PNR_chmod
+#endif /* __NR_chmod */
+
+#define __PNR_chown -10150
+#ifndef __NR_chown
+#define __NR_chown __PNR_chown
+#endif /* __NR_chown */
+
+#define __PNR_creat -10151
+#ifndef __NR_creat
+#define __NR_creat __PNR_creat
+#endif /* __NR_creat */
+
+#define __PNR_dup2 -10152
+#ifndef __NR_dup2
+#define __NR_dup2 __PNR_dup2
+#endif /* __NR_dup2 */
+
+#define __PNR_epoll_create -10153
+#ifndef __NR_epoll_create
+#define __NR_epoll_create __PNR_epoll_create
+#endif /* __NR_epoll_create */
+
+#define __PNR_epoll_wait -10154
+#ifndef __NR_epoll_wait
+#define __NR_epoll_wait __PNR_epoll_wait
+#endif /* __NR_epoll_wait */
+
+#define __PNR_eventfd -10155
+#ifndef __NR_eventfd
+#define __NR_eventfd __PNR_eventfd
+#endif /* __NR_eventfd */
+
+#define __PNR_fork -10156
+#ifndef __NR_fork
+#define __NR_fork __PNR_fork
+#endif /* __NR_fork */
+
+#define __PNR_futimesat -10157
+#ifndef __NR_futimesat
+#define __NR_futimesat __PNR_futimesat
+#endif /* __NR_futimesat */
+
+#define __PNR_getdents -10158
+#ifndef __NR_getdents
+#define __NR_getdents __PNR_getdents
+#endif /* __NR_getdents */
+
+#define __PNR_getpgrp -10159
+#ifndef __NR_getpgrp
+#define __NR_getpgrp __PNR_getpgrp
+#endif /* __NR_getpgrp */
+
+#define __PNR_inotify_init -10160
+#ifndef __NR_inotify_init
+#define __NR_inotify_init __PNR_inotify_init
+#endif /* __NR_inotify_init */
+
+#define __PNR_lchown -10161
+#ifndef __NR_lchown
+#define __NR_lchown __PNR_lchown
+#endif /* __NR_lchown */
+
+#define __PNR_link -10162
+#ifndef __NR_link
+#define __NR_link __PNR_link
+#endif /* __NR_link */
+
+#define __PNR_lstat -10163
+#ifndef __NR_lstat
+#define __NR_lstat __PNR_lstat
+#endif /* __NR_lstat */
+
+#define __PNR_mkdir -10164
+#ifndef __NR_mkdir
+#define __NR_mkdir __PNR_mkdir
+#endif /* __NR_mkdir */
+
+#define __PNR_mknod -10165
+#ifndef __NR_mknod
+#define __NR_mknod __PNR_mknod
+#endif /* __NR_mknod */
+
+#define __PNR_open -10166
+#ifndef __NR_open
+#define __NR_open __PNR_open
+#endif /* __NR_open */
+
+#define __PNR_pause -10167
+#ifndef __NR_pause
+#define __NR_pause __PNR_pause
+#endif /* __NR_pause */
+
+#define __PNR_pipe -10168
+#ifndef __NR_pipe
+#define __NR_pipe __PNR_pipe
+#endif /* __NR_pipe */
+
+#define __PNR_poll -10169
+#ifndef __NR_poll
+#define __NR_poll __PNR_poll
+#endif /* __NR_poll */
+
+#define __PNR_readlink -10170
+#ifndef __NR_readlink
+#define __NR_readlink __PNR_readlink
+#endif /* __NR_readlink */
+
+#define __PNR_rename -10171
+#ifndef __NR_rename
+#define __NR_rename __PNR_rename
+#endif /* __NR_rename */
+
+#define __PNR_rmdir -10172
+#ifndef __NR_rmdir
+#define __NR_rmdir __PNR_rmdir
+#endif /* __NR_rmdir */
+
+#define __PNR_signalfd -10173
+#ifndef __NR_signalfd
+#define __NR_signalfd __PNR_signalfd
+#endif /* __NR_signalfd */
+
+#define __PNR_stat -10174
+#ifndef __NR_stat
+#define __NR_stat __PNR_stat
+#endif /* __NR_stat */
+
+#define __PNR_symlink -10175
+#ifndef __NR_symlink
+#define __NR_symlink __PNR_symlink
+#endif /* __NR_symlink */
+
+#define __PNR_unlink -10176
+#ifndef __NR_unlink
+#define __NR_unlink __PNR_unlink
+#endif /* __NR_unlink */
+
+#define __PNR_ustat -10177
+#ifndef __NR_ustat
+#define __NR_ustat __PNR_ustat
+#endif /* __NR_ustat */
+
+#define __PNR_utime -10178
+#ifndef __NR_utime
+#define __NR_utime __PNR_utime
+#endif /* __NR_utime */
+
+#define __PNR_utimes -10179
+#ifndef __NR_utimes
+#define __NR_utimes __PNR_utimes
+#endif /* __NR_utimes */
+
#ifdef __cplusplus
}
#endif
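Review bot: The closing comment on the `__NR_oldwait4` block reads `#endif /* __NR_sysfs */`, a copy-paste leftover from the block above it; it should be `#endif /* __NR_oldwait4 */`. It is harmless to the preprocessor, but the same kind of stale `#endif` comment is exactly what this patch corrects for `__NR_getrandom` a few lines earlier, so it is worth fixing before it is copied again for the next pseudo syscall.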
diff --git a/src/Makefile.am b/src/Makefile.am
index 2d1db37..f3cce7b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -27,6 +27,7 @@ SOURCES_ARCH = \
arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \
arch-x32.h arch-x32.c arch-x32-syscalls.c \
arch-arm.h arch-arm.c arch-arm-syscalls.c \
+ arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c \
arch-mips.h arch-mips.c arch-mips-syscalls.c \
arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \
arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c
diff --git a/src/arch-aarch64-syscalls.c b/src/arch-aarch64-syscalls.c
new file mode 100644
index 0000000..650c50c
--- /dev/null
+++ b/src/arch-aarch64-syscalls.c
@@ -0,0 +1,495 @@
+/**
+ * Enhanced Seccomp AArch64 Syscall Table
+ *
+ * Copyright (c) 2014 Red Hat <***@redhat.com>
+ * Author: Marcin Juszkiewicz <***@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <string.h>
+
+#include <seccomp.h>
+
+#include "arch.h"
+#include "arch-aarch64.h"
+
+/* NOTE: based on Linux 3.17-rc1+ */
+const struct arch_syscall_def aarch64_syscall_table[] = { \
+ { "_llseek", __PNR__llseek },
+ { "_newselect", __PNR__newselect },
+ { "_sysctl", __PNR__sysctl },
+ { "accept", 202 },
+ { "accept4", 242 },
+ { "access", __PNR_access },
+ { "acct", 89 },
+ { "add_key", 217 },
+ { "adjtimex", 171 },
+ { "afs_syscall", __PNR_afs_syscall },
+ { "alarm", __PNR_alarm },
+ { "arm_fadvise64_64", __PNR_arm_fadvise64_64 },
+ { "arm_sync_file_range", __PNR_arm_sync_file_range },
+ { "arch_prctl", __PNR_arch_prctl },
+ { "bdflush", __PNR_bdflush },
+ { "bind", 200 },
+ { "break", __PNR_break },
+ { "brk", 214 },
+ { "cachectl", __PNR_cachectl },
+ { "cacheflush", __PNR_cacheflush },
+ { "capget", 90 },
+ { "capset", 91 },
+ { "chdir", 49 },
+ { "chmod", __PNR_chmod },
+ { "chown", __PNR_chown },
+ { "chown32", __PNR_chown32 },
+ { "chroot", 51 },
+ { "clock_adjtime", 266 },
+ { "clock_getres", 114 },
+ { "clock_gettime", 113 },
+ { "clock_nanosleep", 115 },
+ { "clock_settime", 112 },
+ { "clone", 220 },
+ { "close", 57 },
+ { "connect", 203 },
+ { "creat", __PNR_creat },
+ { "create_module", __PNR_create_module },
+ { "delete_module", 106 },
+ { "dup", 23 },
+ { "dup2", __PNR_dup2 },
+ { "dup3", 24 },
+ { "epoll_create", __PNR_epoll_create },
+ { "epoll_create1", 20 },
+ { "epoll_ctl", 21 },
+ { "epoll_ctl_old", __PNR_epoll_ctl_old },
+ { "epoll_pwait", 22 },
+ { "epoll_wait", __PNR_epoll_wait },
+ { "epoll_wait_old", __PNR_epoll_wait_old },
+ { "eventfd", __PNR_eventfd },
+ { "eventfd2", 19 },
+ { "execve", 221 },
+ { "exit", 93 },
+ { "exit_group", 94 },
+ { "faccessat", 48 },
+ { "fadvise64", 223 },
+ { "fadvise64_64", __PNR_fadvise64_64 },
+ { "fallocate", 47 },
+ { "fanotify_init", 262 },
+ { "fanotify_mark", 263 },
+ { "fchdir", 50 },
+ { "fchmod", 52 },
+ { "fchmodat", 53 },
+ { "fchown", 55 },
+ { "fchown32", __PNR_fchown32 },
+ { "fchownat", 54 },
+ { "fcntl", 25 },
+ { "fcntl64", __PNR_fcntl64 },
+ { "fdatasync", 83 },
+ { "fgetxattr", 10 },
+ { "finit_module", 273 },
+ { "flistxattr", 13 },
+ { "flock", 32 },
+ { "fork", __PNR_fork },
+ { "fremovexattr", 16 },
+ { "fsetxattr", 7 },
+ { "fstat", 80 },
+ { "fstat64", __PNR_fstat64 },
+ { "fstatat64", __PNR_fstatat64 },
+ { "fstatfs", 44 },
+ { "fstatfs64", __PNR_fstatfs64 },
+ { "fsync", 82 },
+ { "ftime", __PNR_ftime },
+ { "ftruncate", 46 },
+ { "ftruncate64", __PNR_ftruncate64 },
+ { "futex", 98 },
+ { "futimesat", __PNR_futimesat },
+ { "get_kernel_syms", __PNR_get_kernel_syms },
+ { "get_mempolicy", 236 },
+ { "get_robust_list", 100 },
+ { "get_thread_area", __PNR_get_thread_area },
+ { "getcpu", 168 },
+ { "getcwd", 17 },
+ { "getdents", __PNR_getdents },
+ { "getdents64", 61 },
+ { "getegid", 177 },
+ { "getegid32", __PNR_getegid32 },
+ { "geteuid", 175 },
+ { "geteuid32", __PNR_geteuid32 },
+ { "getgid", 176 },
+ { "getgid32", __PNR_getgid32 },
+ { "getgroups", 158 },
+ { "getgroups32", __PNR_getgroups32 },
+ { "getitimer", 102 },
+ { "getpeername", 205 },
+ { "getpgid", 155 },
+ { "getpgrp", __PNR_getpgrp },
+ { "getpid", 172 },
+ { "getpmsg", __PNR_getpmsg },
+ { "getppid", 173 },
+ { "getpriority", 141 },
+ { "getrandom", 278 },
+ { "getresgid", 150 },
+ { "getresgid32", __PNR_getresgid32 },
+ { "getresuid", 148 },
+ { "getresuid32", __PNR_getresuid32 },
+ { "getrlimit", 163 },
+ { "getrusage", 165 },
+ { "getsid", 156 },
+ { "getsockname", 204 },
+ { "getsockopt", 209 },
+ { "gettid", 178 },
+ { "gettimeofday", 169 },
+ { "getuid", 174 },
+ { "getuid32", __PNR_getuid32 },
+ { "getxattr", 8 },
+ { "gtty", __PNR_gtty },
+ { "idle", __PNR_idle },
+ { "init_module", 105 },
+ { "inotify_add_watch", 27 },
+ { "inotify_init", __PNR_inotify_init },
+ { "inotify_init1", 26 },
+ { "inotify_rm_watch", 28 },
+ { "io_cancel", 3 },
+ { "io_destroy", 1 },
+ { "io_getevents", 4 },
+ { "io_setup", 0 },
+ { "io_submit", 2 },
+ { "ioctl", 29 },
+ { "ioperm", __PNR_ioperm },
+ { "iopl", __PNR_iopl },
+ { "ioprio_get", 31 },
+ { "ioprio_set", 30 },
+ { "ipc", __PNR_ipc },
+ { "kcmp", 272 },
+ { "kexec_file_load", __PNR_kexec_file_load },
+ { "kexec_load", 104 },
+ { "keyctl", 219 },
+ { "kill", 129 },
+ { "lchown", __PNR_lchown },
+ { "lchown32", __PNR_lchown32 },
+ { "lgetxattr", 9 },
+ { "link", __PNR_link },
+ { "linkat", 37 },
+ { "listen", 201 },
+ { "listxattr", 11 },
+ { "llistxattr", 12 },
+ { "lock", __PNR_lock },
+ { "lookup_dcookie", 18 },
+ { "lremovexattr", 15 },
+ { "lseek", 62 },
+ { "lsetxattr", 6 },
+ { "lstat", __PNR_lstat },
+ { "lstat64", __PNR_lstat64 },
+ { "madvise", 233 },
+ { "mbind", 235 },
+ { "memfd_create", __PNR_memfd_create },
+ { "migrate_pages", 238 },
+ { "mincore", 232 },
+ { "mkdir", __PNR_mkdir },
+ { "mkdirat", 34 },
+ { "mknod", __PNR_mknod },
+ { "mknodat", 33 },
+ { "mlock", 228 },
+ { "mlockall", 230 },
+ { "mmap", 222 },
+ { "mmap2", __PNR_mmap2 },
+ { "modify_ldt", __PNR_modify_ldt },
+ { "mount", 40 },
+ { "move_pages", 239 },
+ { "mprotect", 226 },
+ { "mpx", __PNR_mpx },
+ { "mq_getsetattr", 185 },
+ { "mq_notify", 184 },
+ { "mq_open", 180 },
+ { "mq_timedreceive", 183 },
+ { "mq_timedsend", 182 },
+ { "mq_unlink", 181 },
+ { "mremap", 216 },
+ { "msgctl", 187 },
+ { "msgget", 186 },
+ { "msgrcv", 188 },
+ { "msgsnd", 189 },
+ { "msync", 227 },
+ { "munlock", 229 },
+ { "munlockall", 231 },
+ { "munmap", 215 },
+ { "name_to_handle_at", 264 },
+ { "nanosleep", 101 },
+ { "newfstatat", 79 },
+ { "nfsservctl", 42 },
+ { "nice", __PNR_nice },
+ { "oldfstat", __PNR_oldfstat },
+ { "oldlstat", __PNR_oldlstat },
+ { "oldolduname", __PNR_oldolduname },
+ { "oldstat", __PNR_oldstat },
+ { "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
+ { "open", __PNR_open },
+ { "open_by_handle_at", 265 },
+ { "openat", 56 },
+ { "pause", __PNR_pause },
+ { "pciconfig_iobase", __PNR_pciconfig_iobase },
+ { "pciconfig_read", __PNR_pciconfig_read },
+ { "pciconfig_write", __PNR_pciconfig_write },
+ { "perf_event_open", 241 },
+ { "personality", 92 },
+ { "pipe", __PNR_pipe },
+ { "pipe2", 59 },
+ { "pivot_root", 41 },
+ { "poll", __PNR_poll },
+ { "ppoll", 73 },
+ { "prctl", 167 },
+ { "pread64", 67 },
+ { "preadv", 69 },
+ { "prlimit64", 261 },
+ { "process_vm_readv", 270 },
+ { "process_vm_writev", 271 },
+ { "prof", __PNR_prof },
+ { "profil", __PNR_profil },
+ { "pselect6", 72 },
+ { "ptrace", 117 },
+ { "putpmsg", __PNR_putpmsg },
+ { "pwrite64", 68 },
+ { "pwritev", 70 },
+ { "query_module", __PNR_query_module },
+ { "quotactl", 60 },
+ { "read", 63 },
+ { "readahead", 213 },
+ { "readdir", __PNR_readdir },
+ { "readlink", __PNR_readlink },
+ { "readlinkat", 78 },
+ { "readv", 65 },
+ { "reboot", 142 },
+ { "recv", __PNR_recv },
+ { "recvfrom", 207 },
+ { "recvmmsg", 243 },
+ { "recvmsg", 212 },
+ { "remap_file_pages", 234 },
+ { "removexattr", 14 },
+ { "rename", __PNR_rename },
+ { "renameat", 38 },
+ { "renameat2", 276 },
+ { "request_key", 218 },
+ { "restart_syscall", 128 },
+ { "rmdir", __PNR_rmdir },
+ { "rt_sigaction", 134 },
+ { "rt_sigpending", 136 },
+ { "rt_sigprocmask", 135 },
+ { "rt_sigqueueinfo", 138 },
+ { "rt_sigreturn", 139 },
+ { "rt_sigsuspend", 133 },
+ { "rt_sigtimedwait", 137 },
+ { "rt_tgsigqueueinfo", 240 },
+ { "sched_get_priority_max", 125 },
+ { "sched_get_priority_min", 126 },
+ { "sched_getaffinity", 123 },
+ { "sched_getattr", 275 },
+ { "sched_getparam", 121 },
+ { "sched_getscheduler", 120 },
+ { "sched_rr_get_interval", 127 },
+ { "sched_setaffinity", 122 },
+ { "sched_setattr", 274 },
+ { "sched_setparam", 118 },
+ { "sched_setscheduler", 119 },
+ { "sched_yield", 124 },
+ { "seccomp", 277 },
+ { "security", __PNR_security },
+ { "select", __PNR_select },
+ { "semctl", 191 },
+ { "semget", 190 },
+ { "semop", 193 },
+ { "semtimedop", 192 },
+ { "send", __PNR_send },
+ { "sendfile", 71 },
+ { "sendfile64", __PNR_sendfile64 },
+ { "sendmmsg", 269 },
+ { "sendmsg", 211 },
+ { "sendto", 206 },
+ { "set_mempolicy", 237 },
+ { "set_robust_list", 99 },
+ { "set_thread_area", __PNR_set_thread_area },
+ { "set_tid_address", 96 },
+ { "setdomainname", 162 },
+ { "setfsgid", 152 },
+ { "setfsgid32", __PNR_setfsgid32 },
+ { "setfsuid", 151 },
+ { "setfsuid32", __PNR_setfsuid32 },
+ { "setgid", 144 },
+ { "setgid32", __PNR_setgid32 },
+ { "setgroups", 159 },
+ { "setgroups32", __PNR_setgroups32 },
+ { "sethostname", 161 },
+ { "setitimer", 103 },
+ { "setns", 268 },
+ { "setpgid", 154 },
+ { "setpriority", 140 },
+ { "setregid", 143 },
+ { "setregid32", __PNR_setregid32 },
+ { "setresgid", 149 },
+ { "setresgid32", __PNR_setresgid32 },
+ { "setresuid", 147 },
+ { "setresuid32", __PNR_setresuid32 },
+ { "setreuid", 145 },
+ { "setreuid32", __PNR_setreuid32 },
+ { "setrlimit", 164 },
+ { "setsid", 157 },
+ { "setsockopt", 208 },
+ { "settimeofday", 170 },
+ { "setuid", 146 },
+ { "setuid32", __PNR_setuid32 },
+ { "setxattr", 5 },
+ { "sgetmask", __PNR_sgetmask },
+ { "shmat", 196 },
+ { "shmctl", 195 },
+ { "shmdt", 197 },
+ { "shmget", 194 },
+ { "shutdown", 210 },
+ { "sigaction", __PNR_sigaction },
+ { "sigaltstack", 132 },
+ { "signal", __PNR_signal },
+ { "signalfd", __PNR_signalfd },
+ { "signalfd4", 74 },
+ { "sigpending", __PNR_sigpending },
+ { "sigprocmask", __PNR_sigprocmask },
+ { "sigreturn", __PNR_sigreturn },
+ { "sigsuspend", __PNR_sigsuspend },
+ { "socket", 198 },
+ { "socketcall", __PNR_socketcall },
+ { "socketpair", 199 },
+ { "splice", 76 },
+ { "ssetmask", __PNR_ssetmask },
+ { "stat", __PNR_stat },
+ { "stat64", __PNR_stat64 },
+ { "statfs", 43 },
+ { "statfs64", __PNR_statfs64 },
+ { "stime", __PNR_stime },
+ { "stty", __PNR_stty },
+ { "swapoff", 225 },
+ { "swapon", 224 },
+ { "symlink", __PNR_symlink },
+ { "symlinkat", 36 },
+ { "sync", 81 },
+ { "sync_file_range", 84 },
+ { "sync_file_range2", __PNR_sync_file_range2 },
+ { "syncfs", 267 },
+ { "syscall", __PNR_syscall },
+ { "sysfs", __PNR_sysfs },
+ { "sysinfo", 179 },
+ { "syslog", 116 },
+ { "sysmips", __PNR_sysmips },
+ { "tee", 77 },
+ { "tgkill", 131 },
+ { "time", __PNR_time },
+ { "timer_create", 107 },
+ { "timer_delete", 111 },
+ { "timer_getoverrun", 109 },
+ { "timer_gettime", 108 },
+ { "timer_settime", 110 },
+ { "timerfd", __PNR_timerfd },
+ { "timerfd_create", 85 },
+ { "timerfd_gettime", 87 },
+ { "timerfd_settime", 86 },
+ { "times", 153 },
+ { "tkill", 130 },
+ { "truncate", 45 },
+ { "truncate64", __PNR_truncate64 },
+ { "tuxcall", __PNR_tuxcall },
+ { "ugetrlimit", __PNR_ugetrlimit },
+ { "ulimit", __PNR_ulimit },
+ { "umask", 166 },
+ { "umount", __PNR_umount },
+ { "umount2", 39 },
+ { "uname", 160 },
+ { "unlink", __PNR_unlink },
+ { "unlinkat", 35 },
+ { "unshare", 97 },
+ { "uselib", __PNR_uselib },
+ { "ustat", __PNR_ustat },
+ { "utime", __PNR_utime },
+ { "utimensat", 88 },
+ { "utimes", __PNR_utimes },
+ { "vfork", __PNR_vfork },
+ { "vhangup", 58 },
+ { "vm86", __PNR_vm86 },
+ { "vm86old", __PNR_vm86old },
+ { "vmsplice", 75 },
+ { "vserver", __PNR_vserver },
+ { "wait4", 260 },
+ { "waitid", 95 },
+ { "waitpid", __PNR_waitpid },
+ { "write", 64 },
+ { "writev", 66 },
+ { NULL, __NR_SCMP_ERROR },
+};
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int aarch64_syscall_resolve_name(const char *name)
+{
+ unsigned int iter;
+ const struct arch_syscall_def *table = aarch64_syscall_table;
+
+ /* XXX - plenty of room for future improvement here */
+ for (iter = 0; table[iter].name != NULL; iter++) {
+ if (strcmp(name, table[iter].name) == 0)
+ return table[iter].num;
+ }
+
+ return __NR_SCMP_ERROR;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *aarch64_syscall_resolve_num(int num)
+{
+ unsigned int iter;
+ const struct arch_syscall_def *table = aarch64_syscall_table;
+
+ /* XXX - plenty of room for future improvement here */
+ for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) {
+ if (num == table[iter].num)
+ return table[iter].name;
+ }
+
+ return NULL;
+}
+
+
+/**
+ * Iterate through the syscall table and return the syscall name
+ * @param spot the offset into the syscall table
+ *
+ * Return the syscall name at position @spot or NULL on failure. This function
+ * should only ever be used internally by libseccomp.
+ *
+ */
+const char *aarch64_syscall_iterate_name(unsigned int spot)
+{
+ /* XXX - no safety checks here */
+ return aarch64_syscall_table[spot].name;
+}
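Review bot: `aarch64_syscall_iterate_name()` returns `aarch64_syscall_table[spot].name` without any bound check, so a `spot` past the terminating `{ NULL, __NR_SCMP_ERROR }` entry is an out-of-bounds read; the callers visible in this patch (arch-syscall-check.c, arch-syscall-dump.c) stop at the first NULL, so this is defensive rather than a live bug, but the array has a fixed size and the check is cheap: `if (spot >= sizeof(aarch64_syscall_table) / sizeof(aarch64_syscall_table[0])) return NULL;`. The `/* XXX - no safety checks here */` comment and the stray `\` line continuation after `aarch64_syscall_table[] = {` appear to be carried over from the other arch tables (the `\` is visible on the arm/mips/x86 table definitions elsewhere in this patch), so they are a pre-existing pattern; the `\` does nothing and could be dropped here since this is a new file. Note also that `aarch64_syscall_resolve_name()` passes `name` straight to `strcmp()`, which is undefined for NULL — fine if `arch_syscall_resolve_name()` in arch.c guarantees a non-NULL name, which this patch does not show.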
diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c
new file mode 100644
index 0000000..a4fbffb
--- /dev/null
+++ b/src/arch-aarch64.c
@@ -0,0 +1,34 @@
+/**
+ * Enhanced Seccomp AArch64 Syscall Table
+ *
+ * Copyright (c) 2014 Red Hat <***@redhat.com>
+ * Author: Marcin Juszkiewicz <***@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <linux/audit.h>
+
+#include "arch.h"
+#include "arch-aarch64.h"
+
+const struct arch_def arch_def_aarch64 = {
+ .token = SCMP_ARCH_AARCH64,
+ .token_bpf = AUDIT_ARCH_AARCH64,
+ .size = ARCH_SIZE_64,
+ .endian = ARCH_ENDIAN_LITTLE,
+};
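Review bot: The file header comment in arch-aarch64.c (and likewise in arch-aarch64.h, the next file section) says `Enhanced Seccomp AArch64 Syscall Table`, which is the title of arch-aarch64-syscalls.c; this file holds only the architecture definition, so something like `Enhanced Seccomp AArch64 Specific Functions`, mirroring what the sibling arch-*.c files presumably use, would describe it correctly. Separately, `<stdlib.h>` and `<errno.h>` are included but nothing in this file uses them — the only content is the `arch_def_aarch64` initializer, which needs `arch.h` for `struct arch_def` and the `SCMP_ARCH_*`/`ARCH_*` constants and `<linux/audit.h>` for `AUDIT_ARCH_AARCH64`; dropping the unused includes keeps the new file minimal.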
diff --git a/src/arch-aarch64.h b/src/arch-aarch64.h
new file mode 100644
index 0000000..9d80311
--- /dev/null
+++ b/src/arch-aarch64.h
@@ -0,0 +1,42 @@
+/**
+ * Enhanced Seccomp AArch64 Syscall Table
+ *
+ * Copyright (c) 2014 Red Hat <***@redhat.com>
+ * Author: Marcin Juszkiewicz <***@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _ARCH_AARCH64_H
+#define _ARCH_AARCH64_H
+
+#include <inttypes.h>
+
+#include "arch.h"
+#include "system.h"
+
+#define aarch64_arg_count_max 6
+
+extern const struct arch_def arch_def_aarch64;
+
+#define aarch64_arg_offset(x) (offsetof(struct seccomp_data, args[x]))
+#define aarch64_arg_offset_lo(x) (aarch64_arg_offset(x))
+#define aarch64_arg_offset_hi(x) (aarch64_arg_offset(x) + 4)
+
+int aarch64_syscall_resolve_name(const char *name);
+const char *aarch64_syscall_resolve_num(int num);
+
+const char *aarch64_syscall_iterate_name(unsigned int spot);
+#endif
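Review bot: `aarch64_arg_offset(x)` expands to `offsetof(struct seccomp_data, args[x])`, but this header includes `<inttypes.h>` rather than `<stddef.h>`, which is where `offsetof` is declared; it presumably compiles because `arch.h` or `system.h` pulls `<stddef.h>` in transitively, but a header should include what it uses, so add `#include <stddef.h>` next to `<inttypes.h>`. Two smaller points of style: the closing `#endif` has no `/* _ARCH_AARCH64_H */` trailer, and `_ARCH_AARCH64_H` is a reserved-identifier spelling (leading underscore plus uppercase), though that likely matches the guards used by the other arch headers in the project.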
diff --git a/src/arch-arm-syscalls.c b/src/arch-arm-syscalls.c
index 80ca92f..79af9f0 100644
--- a/src/arch-arm-syscalls.c
+++ b/src/arch-arm-syscalls.c
@@ -245,6 +245,7 @@ const struct arch_syscall_def arm_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 5) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 371) },
{ "openat", (__NR_SYSCALL_BASE + 322) },
diff --git a/src/arch-mips-syscalls.c b/src/arch-mips-syscalls.c
index 0ae3f06..3a5cec4 100644
--- a/src/arch-mips-syscalls.c
+++ b/src/arch-mips-syscalls.c
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 5) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 340) },
{ "openat", (__NR_SYSCALL_BASE + 288) },
diff --git a/src/arch-mips64-syscalls.c b/src/arch-mips64-syscalls.c
index c4eaa97..9300f75 100644
--- a/src/arch-mips64-syscalls.c
+++ b/src/arch-mips64-syscalls.c
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips64_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 2) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 299) },
{ "openat", (__NR_SYSCALL_BASE + 247) },
diff --git a/src/arch-mips64n32-syscalls.c b/src/arch-mips64n32-syscalls.c
index 3aa5269..47ce97a 100644
--- a/src/arch-mips64n32-syscalls.c
+++ b/src/arch-mips64n32-syscalls.c
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips64n32_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 2) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 304) },
{ "openat", (__NR_SYSCALL_BASE + 251) },
diff --git a/src/arch-syscall-check.c b/src/arch-syscall-check.c
index 7a14a8b..e60050e 100644
--- a/src/arch-syscall-check.c
+++ b/src/arch-syscall-check.c
@@ -28,6 +28,7 @@
#include "arch-x86.h"
#include "arch-x86_64.h"
#include "arch-arm.h"
+#include "arch-aarch64.h"
#include "arch-mips.h"
#include "arch-mips64.h"
#include "arch-mips64n32.h"
@@ -60,6 +61,7 @@ int main(int argc, char *argv[])
int i_x86 = 0;
int i_x86_64 = 0;
int i_arm = 0;
+ int i_aarch64 = 0;
int i_mips = 0;
int i_mips64 = 0;
int i_mips64n32 = 0;
@@ -77,6 +79,8 @@ int main(int argc, char *argv[])
x86_64_syscall_iterate_name(i_x86_64));
syscall_check(str_miss, sys_name, "arm",
arm_syscall_iterate_name(i_arm));
+ syscall_check(str_miss, sys_name, "aarch64",
+ aarch64_syscall_iterate_name(i_aarch64));
syscall_check(str_miss, sys_name, "mips",
mips_syscall_iterate_name(i_mips));
syscall_check(str_miss, sys_name, "mips64",
@@ -105,7 +109,10 @@ int main(int argc, char *argv[])
i_mips64 = -1;
if (!mips64n32_syscall_iterate_name(++i_mips64n32))
i_mips64n32 = -1;
- } while (i_x86_64 >= 0 && i_arm >= 0 &&
+ if (!aarch64_syscall_iterate_name(++i_aarch64))
+ i_aarch64 = -1;
+ } while (i_x86_64 >= 0 &&
+ i_arm >= 0 && i_aarch64 >= 0 &&
i_mips >= 0 && i_mips64 >= 0 && i_mips64n32 >= 0);
/* check for any leftovers */
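Review bot: The new `if (!aarch64_syscall_iterate_name(++i_aarch64))` advance is placed after the mips64n32 one, whereas the matching `syscall_check(... "aarch64", ...)` call and the `i_aarch64` declaration were inserted directly after their arm counterparts; the three blocks in `main()` would be easier to keep in sync when the next architecture is added if aarch64 sat after arm in all of them. The split of the `while` condition onto two lines (`i_x86_64 >= 0 &&` / `i_arm >= 0 && i_aarch64 >= 0 &&`) is fine, but note it still never tests `i_x86`, which is presumably intentional since x86 drives the outer loop; `main()` begins and ends outside this hunk.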
@@ -124,6 +131,11 @@ int main(int argc, char *argv[])
arm_syscall_iterate_name(i_arm));
return 1;
}
+ if (i_aarch64 >= 0) {
+ printf("%s: ERROR, aarch64 has additional syscalls\n",
+ aarch64_syscall_iterate_name(i_aarch64));
+ return 1;
+ }
if (i_mips >= 0) {
printf("%s: ERROR, mips has additional syscalls\n",
mips_syscall_iterate_name(i_mips));
diff --git a/src/arch-syscall-dump.c b/src/arch-syscall-dump.c
index 9b5e181..4a4d22e 100644
--- a/src/arch-syscall-dump.c
+++ b/src/arch-syscall-dump.c
@@ -37,6 +37,7 @@
#include "arch-mips.h"
#include "arch-mips64.h"
#include "arch-mips64n32.h"
+#include "arch-aarch64.h"
/**
* Print the usage information to stderr and exit
@@ -111,6 +112,9 @@ int main(int argc, char *argv[])
case SCMP_ARCH_MIPSEL64N32:
sys_name = mips64n32_syscall_iterate_name(iter);
break;
+ case SCMP_ARCH_AARCH64:
+ sys_name = aarch64_syscall_iterate_name(iter);
+ break;
default:
/* invalid arch */
exit_usage(argv[0]);
diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate
index 7c7cd7f..2cbf696 100755
--- a/src/arch-syscall-validate
+++ b/src/arch-syscall-validate
@@ -166,6 +166,44 @@ function dump_lib_arm() {
}
#
+# Dump the aarch64 system syscall table
+#
+# Arguments:
+# 1 path to the kernel source
+#
+# Dump the architecture's syscall table to stdout.
+#
+function dump_sys_aarch64() {
+ gcc -E -dM -I$1/include/uapi -D__BITS_PER_LONG=64 $1/include/uapi/asm-generic/unistd.h | \
+ grep "^#define __NR_" | sort | \
+ sed -e '/__NR_syscalls/d' | \
+ sed -e '/__NR_arch_specific_syscall/d' | \
+ sed -e 's/#define[ \t]\+__NR_\([^ \t]\+\)[ \t]\+\(.*\)/\1\t\2/' | \
+ sed -e 's/__NR3264_statfs/43/' | \
+ sed -e 's/__NR3264_ftruncate/46/' | \
+ sed -e 's/__NR3264_truncate/45/' | \
+ sed -e 's/__NR3264_lseek/62/' | \
+ sed -e 's/__NR3264_sendfile/71/' | \
+ sed -e 's/__NR3264_fstatat/79/' | \
+ sed -e 's/__NR3264_fstatfs/44/' | \
+ sed -e 's/__NR3264_fcntl/25/' | \
+ sed -e 's/__NR3264_fadvise64/223/' | \
+ sed -e 's/__NR3264_mmap/222/' | \
+ sed -e 's/__NR3264_fstat/80/' | \
+ sed -e 's/__NR3264_lstat/1039/' | \
+ sed -e 's/__NR3264_stat/1038/'
+}
+
+#
+# Dump the aarch64 library syscall table
+#
+# Dump the library's syscall table to stdout.
+#
+function dump_lib_aarch64() {
+ $LIB_SYS_DUMP -a aarch64 | sed -e '/[^\t]\+\t-[0-9]\+/d'
+}
+
+#
# Dump the mips system syscall table
#
# Arguments:
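Review bot: In `dump_sys_aarch64()` the kernel source path `$1` is expanded unquoted in both the `-I$1/include/uapi` option and the `$1/include/uapi/asm-generic/unistd.h` argument, so a path containing whitespace or glob characters is split or expanded before gcc sees it; `gcc -E -dM -I"$1/include/uapi" -D__BITS_PER_LONG=64 "$1/include/uapi/asm-generic/unistd.h" | \` avoids that. The sibling `dump_sys_*` functions outside this hunk may share the pattern, in which case fixing only the new one is still an improvement. The long chain of `sed -e 's/__NR3264_.../N/'` rewrites also hard-codes the resolved numbers (for example `__NR3264_fstatat` to 79), which will need manual updating if asm-generic renumbers; a comment above the chain noting that `-dM` prints macro bodies unexpanded, so the `__NR3264_*` aliases must be resolved by hand, would explain why it is written this way.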
@@ -287,6 +325,9 @@ function dump_sys() {
arm)
dump_sys_arm "$2"
;;
+ aarch64)
+ dump_sys_aarch64 "$2"
+ ;;
mips)
dump_sys_mips "$2"
;;
@@ -324,6 +365,9 @@ function dump_lib() {
arm)
dump_lib_arm "$2"
;;
+ aarch64)
+ dump_lib_aarch64 "$2"
+ ;;
mips)
dump_lib_mips "$2"
;;
@@ -368,7 +412,9 @@ done
shift $(($OPTIND - 1))
# defaults
-[[ $arches == "" ]] && arches="x86 x86_64 x32 arm mips mips64 mips64n32"
+if [[ $arches == "" ]]; then
+ arches="x86 x86_64 x32 arm aarch64 mips mips64 mips64n32"
+fi
# sanity checks
kernel_dir="$1"
diff --git a/src/arch-x32-syscalls.c b/src/arch-x32-syscalls.c
index 3d4d5ec..9e6b7c8 100644
--- a/src/arch-x32-syscalls.c
+++ b/src/arch-x32-syscalls.c
@@ -232,6 +232,7 @@ const struct arch_syscall_def x32_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (X32_SYSCALL_BIT + 2) },
{ "open_by_handle_at", (X32_SYSCALL_BIT + 304) },
{ "openat", (X32_SYSCALL_BIT + 257) },
diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c
index b8bcd48..8005d28 100644
--- a/src/arch-x86-syscalls.c
+++ b/src/arch-x86-syscalls.c
@@ -234,6 +234,7 @@ const struct arch_syscall_def x86_syscall_table[] = { \
{ "oldolduname", 59 },
{ "oldstat", 18 },
{ "olduname", 109 },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", 5 },
{ "open_by_handle_at", 342 },
{ "openat", 295 },
diff --git a/src/arch-x86_64-syscalls.c b/src/arch-x86_64-syscalls.c
index aa901e3..1f4d67c 100644
--- a/src/arch-x86_64-syscalls.c
+++ b/src/arch-x86_64-syscalls.c
@@ -234,6 +234,7 @@ const struct arch_syscall_def x86_64_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", 2 },
{ "open_by_handle_at", 304 },
{ "openat", 257 },
diff --git a/src/arch.c b/src/arch.c
index 3b2903d..12acfbf 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -34,6 +34,7 @@
#include "arch-x86_64.h"
#include "arch-x32.h"
#include "arch-arm.h"
+#include "arch-aarch64.h"
#include "arch-mips.h"
#include "arch-mips64.h"
#include "arch-mips64n32.h"
@@ -49,6 +50,8 @@ const struct arch_def *arch_def_native = &arch_def_x86_64;
#endif /* __ILP32__ */
#elif __arm__
const struct arch_def *arch_def_native = &arch_def_arm;
+#elif __aarch64__
+const struct arch_def *arch_def_native = &arch_def_aarch64;
#elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32
#if __MIPSEB__
const struct arch_def *arch_def_native = &arch_def_mips;
@@ -91,6 +94,7 @@ int arch_valid(uint32_t arch)
case SCMP_ARCH_MIPSEL64:
case SCMP_ARCH_MIPS64N32:
case SCMP_ARCH_MIPSEL64N32:
+ case SCMP_ARCH_AARCH64:
return 0;
}
@@ -115,6 +119,8 @@ const struct arch_def *arch_def_lookup(uint32_t token)
return &arch_def_x32;
case SCMP_ARCH_ARM:
return &arch_def_arm;
+ case SCMP_ARCH_AARCH64:
+ return &arch_def_aarch64;
case SCMP_ARCH_MIPS:
return &arch_def_mips;
case SCMP_ARCH_MIPSEL:
@@ -149,6 +155,8 @@ const struct arch_def *arch_def_lookup_name(const char *arch_name)
return &arch_def_x32;
else if (strcmp(arch_name, "arm") == 0)
return &arch_def_arm;
+ else if (strcmp(arch_name, "aarch64") == 0)
+ return &arch_def_aarch64;
else if (strcmp(arch_name, "mips") == 0)
return &arch_def_mips;
else if (strcmp(arch_name, "mipsel") == 0)
@@ -184,6 +192,8 @@ int arch_arg_count_max(const struct arch_def *arch)
return x32_arg_count_max;
case SCMP_ARCH_ARM:
return arm_arg_count_max;
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_count_max;
case SCMP_ARCH_MIPS:
case SCMP_ARCH_MIPSEL:
return mips_arg_count_max;
@@ -213,6 +223,8 @@ int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
switch (arch->token) {
case SCMP_ARCH_X86_64:
return x86_64_arg_offset_lo(arg);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_offset_lo(arg);
case SCMP_ARCH_MIPS64:
return mips64_arg_offset_lo(arg);
case SCMP_ARCH_MIPSEL64:
@@ -237,6 +249,8 @@ int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg)
switch (arch->token) {
case SCMP_ARCH_X86_64:
return x86_64_arg_offset_hi(arg);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_offset_hi(arg);
case SCMP_ARCH_MIPS64:
return mips64_arg_offset_hi(arg);
case SCMP_ARCH_MIPSEL64:
@@ -267,6 +281,8 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg)
return x32_arg_offset(arg);
case SCMP_ARCH_ARM:
return arm_arg_offset(arg);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_offset(arg);
case SCMP_ARCH_MIPS:
return mips_arg_offset(arg);
case SCMP_ARCH_MIPSEL:
@@ -305,6 +321,8 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name)
return x32_syscall_resolve_name(name);
case SCMP_ARCH_ARM:
return arm_syscall_resolve_name(name);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_syscall_resolve_name(name);
case SCMP_ARCH_MIPS:
case SCMP_ARCH_MIPSEL:
return mips_syscall_resolve_name(name);
@@ -340,6 +358,8 @@ const char *arch_syscall_resolve_num(const struct arch_def *arch, int num)
return x32_syscall_resolve_num(num);
case SCMP_ARCH_ARM:
return arm_syscall_resolve_num(num);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_syscall_resolve_num(num);
case SCMP_ARCH_MIPS:
case SCMP_ARCH_MIPSEL:
return mips_syscall_resolve_num(num);
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 8fb66f1..3484dab 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -57,6 +57,8 @@ static const char *_pfc_arch(const struct arch_def *arch)
return "x32";
case SCMP_ARCH_ARM:
return "arm";
+ case SCMP_ARCH_AARCH64:
+ return "aarch64";
case SCMP_ARCH_MIPS:
return "mips";
case SCMP_ARCH_MIPSEL:
diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
index 24cbe68..2b50f3f 100644
--- a/src/python/libseccomp.pxd
+++ b/src/python/libseccomp.pxd
@@ -31,6 +31,7 @@ cdef extern from "seccomp.h":
SCMP_ARCH_X86_64
SCMP_ARCH_X32
SCMP_ARCH_ARM
+ SCMP_ARCH_AARCH64
SCMP_ARCH_MIPS
SCMP_ARCH_MIPS64
SCMP_ARCH_MIPS64N32
diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index 3721c50..d2f7c90 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -140,6 +140,7 @@ cdef class Arch:
X86_64 - 64-bit x86
X32 - 64-bit x86 using the x32 ABI
ARM - ARM
+ AARCH64 - 64-bit ARM
MIPS - MIPS O32 ABI
MIPS64 - MIPS 64-bit ABI
MIPS64N32 - MIPS N32 ABI
@@ -155,6 +156,7 @@ cdef class Arch:
X86_64 = libseccomp.SCMP_ARCH_X86_64
X32 = libseccomp.SCMP_ARCH_X32
ARM = libseccomp.SCMP_ARCH_ARM
+ AARCH64 = libseccomp.SCMP_ARCH_AARCH64
MIPS = libseccomp.SCMP_ARCH_MIPS
MIPS64 = libseccomp.SCMP_ARCH_MIPS64
MIPS64N32 = libseccomp.SCMP_ARCH_MIPS64N32
@@ -182,6 +184,8 @@ cdef class Arch:
self._token = libseccomp.SCMP_ARCH_X32
elif arch == libseccomp.SCMP_ARCH_ARM:
self._token = libseccomp.SCMP_ARCH_ARM
+ elif arch == libseccomp.SCMP_ARCH_AARCH64:
+ self._token = libseccomp.SCMP_ARCH_AARCH64
elif arch == libseccomp.SCMP_ARCH_MIPS:
self._token = libseccomp.SCMP_ARCH_MIPS
elif arch == libseccomp.SCMP_ARCH_MIPS64:
diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c
index 83bbfd5..20577ef 100644
--- a/tests/04-sim-multilevel_chains.c
+++ b/tests/04-sim-multilevel_chains.c
@@ -41,40 +41,39 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
- SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO),
- SCMP_A1(SCMP_CMP_NE, 0x0),
- SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
- SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO),
- SCMP_A1(SCMP_CMP_NE, 0x0),
- SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
- SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
- SCMP_A1(SCMP_CMP_NE, 0x0),
- SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
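Review bot: Switching every rule from `seccomp_rule_add_exact()` to `seccomp_rule_add()` changes what the test pins down, and nothing in the hunk records why: the non-exact form lets the library adjust or drop a rule for an architecture that cannot honor it as written, whereas the `_exact` form would have reported the mismatch through `rc`. That appears to be the point — the new aarch64 table resolves `open` to a pseudo number — but a one-line comment above the first call would spare the next reader the archaeology, e.g. `/* non-exact: aarch64 has no open(2), let the library adapt the rule */`. The same silent switch is made in 06-sim-actions.c, 20-live-basic_die.c, 21-live-basic_allow.c, 24-live-arg_allow.c and their .py counterparts; one comment at each first call is enough. main()'s body starts and ends outside the hunk.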
diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py
index e40deee..73a6921 100755
--- a/tests/04-sim-multilevel_chains.py
+++ b/tests/04-sim-multilevel_chains.py
@@ -30,22 +30,22 @@ from seccomp import *
def test(args):
f = SyscallFilter(KILL)
- f.add_rule_exactly(ALLOW, "open");
- f.add_rule_exactly(ALLOW, "close");
- f.add_rule_exactly(ALLOW, "read",
- Arg(0, EQ, sys.stdin.fileno()),
- Arg(1, NE, 0),
- Arg(2, LT, sys.maxsize));
- f.add_rule_exactly(ALLOW, "write",
- Arg(0, EQ, sys.stdout.fileno()),
- Arg(1, NE, 0),
- Arg(2, LT, sys.maxsize));
- f.add_rule_exactly(ALLOW, "write",
- Arg(0, EQ, sys.stderr.fileno()),
- Arg(1, NE, 0),
- Arg(2, LT, sys.maxsize));
- f.add_rule_exactly(ALLOW, "close");
- f.add_rule_exactly(ALLOW, "rt_sigreturn");
+ f.add_rule(ALLOW, "open");
+ f.add_rule(ALLOW, "close");
+ f.add_rule(ALLOW, "read",
+ Arg(0, EQ, sys.stdin.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule(ALLOW, "write",
+ Arg(0, EQ, sys.stdout.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule(ALLOW, "write",
+ Arg(0, EQ, sys.stderr.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule(ALLOW, "close");
+ f.add_rule(ALLOW, "rt_sigreturn");
return f
args = util.get_opt()
diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests
index cefbc4f..6613f9a 100644
--- a/tests/04-sim-multilevel_chains.tests
+++ b/tests/04-sim-multilevel_chains.tests
@@ -7,29 +7,29 @@
test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-04-sim-multilevel_chains all open 0x856B008 4 N N N N ALLOW
-04-sim-multilevel_chains all close 4 N N N N N ALLOW
-04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL
-04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
-04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL
-04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL
-04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL
-04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
-04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
-04-sim-multilevel_chains x86 0-2 N N N N N N KILL
-04-sim-multilevel_chains x86 7-172 N N N N N N KILL
-04-sim-multilevel_chains x86 174-350 N N N N N N KILL
-04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
-04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+04-sim-multilevel_chains all,-aarch64 open 0x856B008 4 N N N N ALLOW
+04-sim-multilevel_chains all close 4 N N N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
+04-sim-multilevel_chains x86 0-2 N N N N N N KILL
+04-sim-multilevel_chains x86 7-172 N N N N N N KILL
+04-sim-multilevel_chains x86 174-350 N N N N N N KILL
+04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
+04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL
test type: bpf-sim-fuzz
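Review bot: The only aarch64-specific change here is excluding the new arch from the `open` row (`all,-aarch64`), so the 64-bit ARM filter is never exercised by the explicit KILL sweeps at the bottom of the table, which list `x86` and `x86_64` ranges only. If the simulator accepts an `aarch64` row, a matching sweep over the aarch64 syscall-number range would give the new table the same negative coverage the other two arches get; if the exclusion is instead meant to document that aarch64 has no `open` syscall, a trailing comment on the row saying so would stop it from looking like an oversight. The same `all,-aarch64` exclusion is made in 06-sim-actions.tests.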
diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c
index 4dbe19f..0490783 100644
--- a/tests/06-sim-actions.c
+++ b/tests/06-sim-actions.c
@@ -40,21 +40,19 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
if (rc != 0)
goto out;
diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
index f09f0a0..d0c2e44 100644
--- a/tests/06-sim-actions.tests
+++ b/tests/06-sim-actions.tests
@@ -7,14 +7,14 @@
test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-06-sim-actions all read 4 0x856B008 80 N N N ALLOW
-06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
-06-sim-actions all close 4 N N N N N TRAP
-06-sim-actions all open 0x856B008 4 N N N N TRACE(1234)
-06-sim-actions x86 0-2 N N N N N N KILL
-06-sim-actions x86 7-350 N N N N N N KILL
-06-sim-actions x86_64 4-350 N N N N N N KILL
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+06-sim-actions all read 4 0x856B008 80 N N N ALLOW
+06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
+06-sim-actions all close 4 N N N N N TRAP
+06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234)
+06-sim-actions x86 0-2 N N N N N N KILL
+06-sim-actions x86 7-350 N N N N N N KILL
+06-sim-actions x86_64 4-350 N N N N N N KILL
test type: bpf-sim-fuzz
diff --git a/tests/16-sim-arch_basic.c b/tests/16-sim-arch_basic.c
index efc8696..9771913 100644
--- a/tests/16-sim-arch_basic.c
+++ b/tests/16-sim-arch_basic.c
@@ -56,6 +56,9 @@ int main(int argc, char *argv[])
rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
if (rc != 0)
goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+ if (rc != 0)
+ goto out;
rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
if (rc != 0)
goto out;
diff --git a/tests/16-sim-arch_basic.py b/tests/16-sim-arch_basic.py
index ddd3f65..57a5ac3 100755
--- a/tests/16-sim-arch_basic.py
+++ b/tests/16-sim-arch_basic.py
@@ -35,6 +35,7 @@ def test(args):
f.add_arch(Arch("x86_64"))
f.add_arch(Arch("x32"))
f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
f.add_arch(Arch("mipsel"))
f.add_arch(Arch("mipsel64"))
f.add_arch(Arch("mipsel64n32"))
diff --git a/tests/20-live-basic_die.c b/tests/20-live-basic_die.c
index 5e6a99b..926875f 100644
--- a/tests/20-live-basic_die.c
+++ b/tests/20-live-basic_die.c
@@ -47,12 +47,10 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
if (rc != 0)
goto out;
diff --git a/tests/20-live-basic_die.py b/tests/20-live-basic_die.py
index 2b07776..c9f437f 100755
--- a/tests/20-live-basic_die.py
+++ b/tests/20-live-basic_die.py
@@ -33,8 +33,8 @@ def test():
if action == TRAP:
util.install_trap()
f = SyscallFilter(action)
- f.add_rule_exactly(ALLOW, "rt_sigreturn")
- f.add_rule_exactly(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "exit_group")
f.load()
try:
util.write_file("/dev/null")
diff --git a/tests/21-live-basic_allow.c b/tests/21-live-basic_allow.c
index 690f98e..4960e1b 100644
--- a/tests/21-live-basic_allow.c
+++ b/tests/21-live-basic_allow.c
@@ -45,21 +45,22 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
if (rc != 0)
goto out;
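Review bot: An `openat` allow rule is inserted between `open` and `write` with no explanation, and the commit message does not mention it either; presumably it is required because the aarch64 C library implements file opening via `openat(2)` rather than `open(2)` (the new seccomp.h.in block gives `open` a `__PNR_open` pseudo number), but that has to be inferred. A short comment on the new line, e.g. `/* aarch64 libc opens files via openat(2), not open(2) */`, would make the live-test requirement explicit. The same addition is made without comment in 21-live-basic_allow.py. main()'s body starts and ends outside the hunk.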
diff --git a/tests/21-live-basic_allow.py b/tests/21-live-basic_allow.py
index 1332f2e..97dd61a 100755
--- a/tests/21-live-basic_allow.py
+++ b/tests/21-live-basic_allow.py
@@ -35,17 +35,18 @@ def test():
util.install_trap()
f = SyscallFilter(TRAP)
# NOTE: additional syscalls required for python
- f.add_rule_exactly(ALLOW, "stat")
- f.add_rule_exactly(ALLOW, "fstat")
- f.add_rule_exactly(ALLOW, "open")
- f.add_rule_exactly(ALLOW, "mmap")
- f.add_rule_exactly(ALLOW, "munmap")
- f.add_rule_exactly(ALLOW, "read")
- f.add_rule_exactly(ALLOW, "write")
- f.add_rule_exactly(ALLOW, "close")
- f.add_rule_exactly(ALLOW, "rt_sigaction")
- f.add_rule_exactly(ALLOW, "rt_sigreturn")
- f.add_rule_exactly(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "fstat")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ALLOW, "write")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "exit_group")
f.load()
try:
util.write_file("/dev/null")
diff --git a/tests/23-sim-arch_all_le_basic.c b/tests/23-sim-arch_all_le_basic.c
index 9e820e1..eeb8556 100644
--- a/tests/23-sim-arch_all_le_basic.c
+++ b/tests/23-sim-arch_all_le_basic.c
@@ -56,6 +56,9 @@ int main(int argc, char *argv[])
rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("arm"));
if (rc != 0)
goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("aarch64"));
+ if (rc != 0)
+ goto out;
rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel"));
if (rc != 0)
goto out;
diff --git a/tests/23-sim-arch_all_le_basic.py b/tests/23-sim-arch_all_le_basic.py
index eba5152..36ab139 100755
--- a/tests/23-sim-arch_all_le_basic.py
+++ b/tests/23-sim-arch_all_le_basic.py
@@ -35,6 +35,7 @@ def test(args):
f.add_arch(Arch("x86_64"))
f.add_arch(Arch("x32"))
f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
f.add_arch(Arch("mipsel"))
f.add_arch(Arch("mipsel64"))
f.add_arch(Arch("mipsel64n32"))
diff --git a/tests/24-live-arg_allow.c b/tests/24-live-arg_allow.c
index 2ee8377..a13caa8 100644
--- a/tests/24-live-arg_allow.c
+++ b/tests/24-live-arg_allow.c
@@ -58,19 +58,17 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
- SCMP_A0(SCMP_CMP_EQ, fd));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, fd));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
if (rc != 0)
goto out;
diff --git a/tests/24-live-arg_allow.py b/tests/24-live-arg_allow.py
index 32c63ec..7df970a 100755
--- a/tests/24-live-arg_allow.py
+++ b/tests/24-live-arg_allow.py
@@ -39,11 +39,11 @@ def test():
f = SyscallFilter(TRAP)
# NOTE: additional syscalls required for python
- f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, fd))
- f.add_rule_exactly(ALLOW, "close")
- f.add_rule_exactly(ALLOW, "rt_sigaction")
- f.add_rule_exactly(ALLOW, "rt_sigreturn")
- f.add_rule_exactly(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "write", Arg(0, EQ, fd))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "exit_group")
f.load()
try:
diff --git a/tests/regression b/tests/regression
index e7465d3..1d68ebc 100755
--- a/tests/regression
+++ b/tests/regression
@@ -21,7 +21,7 @@
# along with this library; if not, see <http://www.gnu.org/licenses>.
#
-GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm mipsel mipsel64 mipsel64n32"
+GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm aarch64 mipsel mipsel64 mipsel64n32"
GLBL_ARCH_BE_SUPPORT="mips mips64 mips64n32"
GLBL_SYS_ARCH="../tools/scmp_arch_detect"
@@ -669,7 +669,7 @@ function run_test_live() {
# setup the arch specific return values
case "$arch" in
- x86|x86_64|x32|arm)
+ x86|x86_64|x32|arm|aarch64)
rc_kill=159
rc_allow=160
rc_trap=161
diff --git a/tools/scmp_arch_detect.c b/tools/scmp_arch_detect.c
index d7f91b3..5a87252 100644
--- a/tools/scmp_arch_detect.c
+++ b/tools/scmp_arch_detect.c
@@ -78,6 +78,9 @@ int main(int argc, char *argv[])
case SCMP_ARCH_ARM:
printf("arm\n");
break;
+ case SCMP_ARCH_AARCH64:
+ printf("aarch64\n");
+ break;
case SCMP_ARCH_MIPS:
printf("mips\n");
break;
diff --git a/tools/scmp_bpf_disasm.c b/tools/scmp_bpf_disasm.c
index 98021dc..349b8a8 100644
--- a/tools/scmp_bpf_disasm.c
+++ b/tools/scmp_bpf_disasm.c
@@ -320,6 +320,8 @@ int main(int argc, char *argv[])
arch = AUDIT_ARCH_X86_64;
else if (strcmp(optarg, "arm") == 0)
arch = AUDIT_ARCH_ARM;
+ else if (strcmp(optarg, "aarch64") == 0)
+ arch = AUDIT_ARCH_AARCH64;
else if (strcmp(optarg, "mips") == 0)
arch = AUDIT_ARCH_MIPS;
else if (strcmp(optarg, "mipsel") == 0)
diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c
index c9333f3..bb3a2e7 100644
--- a/tools/scmp_bpf_sim.c
+++ b/tools/scmp_bpf_sim.c
@@ -235,6 +235,8 @@ int main(int argc, char *argv[])
arch = AUDIT_ARCH_X86_64;
else if (strcmp(optarg, "arm") == 0)
arch = AUDIT_ARCH_ARM;
+ else if (strcmp(optarg, "aarch64") == 0)
+ arch = AUDIT_ARCH_AARCH64;
else if (strcmp(optarg, "mips") == 0)
arch = AUDIT_ARCH_MIPS;
else if (strcmp(optarg, "mipsel") == 0)
diff --git a/tools/util.c b/tools/util.c
index 4927faa..9b58bbb 100644
--- a/tools/util.c
+++ b/tools/util.c
@@ -42,6 +42,8 @@
#endif /* __ILP32__ */
#elif __arm__
#define ARCH_NATIVE AUDIT_ARCH_ARM
+#elif __aarch64__
+#define ARCH_NATIVE AUDIT_ARCH_AARCH64
#elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32
#if __MIPSEB__
#define ARCH_NATIVE AUDIT_ARCH_MIPS
diff --git a/tools/util.h b/tools/util.h
index 6564472..13ef59f 100644
--- a/tools/util.h
+++ b/tools/util.h
@@ -23,6 +23,7 @@
#define _UTIL_H
#include <inttypes.h>
+#include <linux/audit.h>
#ifndef __AUDIT_ARCH_CONVENTION_MIPS64_N32
#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
@@ -40,6 +41,11 @@
__AUDIT_ARCH_CONVENTION_MIPS64_N32)
#endif
+#ifndef AUDIT_ARCH_AARCH64
+/* AArch64 support for audit was merged in 3.17-rc1 */
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+
extern uint32_t arch;
void exit_usage(const char *program);
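Review bot: The fallback `#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)` covers kernel headers that predate the 3.17 audit support, but it still relies on `EM_AARCH64` being supplied by the same header set, and a tree old enough to lack the audit constant may lack the ELF machine constant as well, which turns the fallback into a compile error rather than a definition. If the intent is to build against older headers, guard that too, e.g. `#ifndef EM_AARCH64` / `#define EM_AARCH64 183` / `#endif` ahead of the fallback (183 is the ELF e_machine value for AArch64). The identical fallback is duplicated in include/seccomp.h.in; both are `#ifndef`-guarded so they coexist, but it would be worth a comment in util.h pointing at the other copy so the two do not drift apart.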
This patch adds support for AArch64 (64-bit ARM) architecture.
Signed-off-by: Marcin Juszkiewicz <***@redhat.com>
(Additional fixes/corrections/etc.)
Signed-off-by: Paul Moore <***@redhat.com>
---
include/seccomp.h.in | 184 +++++++++++++
src/Makefile.am | 1
src/arch-aarch64-syscalls.c | 495 ++++++++++++++++++++++++++++++++++
src/arch-aarch64.c | 34 ++
src/arch-aarch64.h | 42 +++
src/arch-arm-syscalls.c | 1
src/arch-mips-syscalls.c | 1
src/arch-mips64-syscalls.c | 1
src/arch-mips64n32-syscalls.c | 1
src/arch-syscall-check.c | 14 +
src/arch-syscall-dump.c | 4
src/arch-syscall-validate | 48 +++
src/arch-x32-syscalls.c | 1
src/arch-x86-syscalls.c | 1
src/arch-x86_64-syscalls.c | 1
src/arch.c | 20 +
src/gen_pfc.c | 2
src/python/libseccomp.pxd | 1
src/python/seccomp.pyx | 4
tests/04-sim-multilevel_chains.c | 33 +-
tests/04-sim-multilevel_chains.py | 32 +-
tests/04-sim-multilevel_chains.tests | 46 ++-
tests/06-sim-actions.c | 10 -
tests/06-sim-actions.tests | 16 +
tests/16-sim-arch_basic.c | 3
tests/16-sim-arch_basic.py | 1
tests/20-live-basic_die.c | 6
tests/20-live-basic_die.py | 4
tests/21-live-basic_allow.c | 15 +
tests/21-live-basic_allow.py | 23 +-
tests/23-sim-arch_all_le_basic.c | 3
tests/23-sim-arch_all_le_basic.py | 1
tests/24-live-arg_allow.c | 12 -
tests/24-live-arg_allow.py | 10 -
tests/regression | 4
tools/scmp_arch_detect.c | 3
tools/scmp_bpf_disasm.c | 2
tools/scmp_bpf_sim.c | 2
tools/util.c | 2
tools/util.h | 6
40 files changed, 978 insertions(+), 112 deletions(-)
create mode 100644 src/arch-aarch64-syscalls.c
create mode 100644 src/arch-aarch64.c
create mode 100644 src/arch-aarch64.h
diff --git a/include/seccomp.h.in b/include/seccomp.h.in
index 99a0bc5..658107e 100644
--- a/include/seccomp.h.in
+++ b/include/seccomp.h.in
@@ -118,9 +118,14 @@ struct scmp_arg_cmp {
#define SCMP_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)
/**
- * The ARM architecture token
+ * The ARM architecture tokens
*/
#define SCMP_ARCH_ARM AUDIT_ARCH_ARM
+#ifndef AUDIT_ARCH_AARCH64
+/* AArch64 support for audit was merged in 3.17-rc1 */
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+#define SCMP_ARCH_AARCH64 AUDIT_ARCH_AARCH64
/**
* The MIPS architecture tokens
@@ -1232,7 +1237,7 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
#define __PNR_getrandom -10109
#ifndef __NR_getrandom
#define __NR_getrandom __PNR_getrandom
-#endif /* __NR_time */
+#endif /* __NR_getrandom */
#define __PNR_memfd_create -10110
#ifndef __NR_memfd_create
@@ -1244,6 +1249,181 @@ int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
#define __NR_kexec_file_load __PNR_kexec_file_load
#endif /* __NR_kexec_file_load */
+#define __PNR_sysfs -10145
+#ifndef __NR_sysfs
+#define __NR_sysfs __PNR_sysfs
+#endif /* __NR_sysfs */
+
+#define __PNR_oldwait4 -10146
+#ifndef __NR_oldwait4
+#define __NR_oldwait4 __PNR_oldwait4
+#endif /* __NR_sysfs */
+
+#define __PNR_access -10147
+#ifndef __NR_access
+#define __NR_access __PNR_access
+#endif /* __NR_access */
+
+#define __PNR_alarm -10148
+#ifndef __NR_alarm
+#define __NR_alarm __PNR_alarm
+#endif /* __NR_alarm */
+
+#define __PNR_chmod -10149
+#ifndef __NR_chmod
+#define __NR_chmod __PNR_chmod
+#endif /* __NR_chmod */
+
+#define __PNR_chown -10150
+#ifndef __NR_chown
+#define __NR_chown __PNR_chown
+#endif /* __NR_chown */
+
+#define __PNR_creat -10151
+#ifndef __NR_creat
+#define __NR_creat __PNR_creat
+#endif /* __NR_creat */
+
+#define __PNR_dup2 -10152
+#ifndef __NR_dup2
+#define __NR_dup2 __PNR_dup2
+#endif /* __NR_dup2 */
+
+#define __PNR_epoll_create -10153
+#ifndef __NR_epoll_create
+#define __NR_epoll_create __PNR_epoll_create
+#endif /* __NR_epoll_create */
+
+#define __PNR_epoll_wait -10154
+#ifndef __NR_epoll_wait
+#define __NR_epoll_wait __PNR_epoll_wait
+#endif /* __NR_epoll_wait */
+
+#define __PNR_eventfd -10155
+#ifndef __NR_eventfd
+#define __NR_eventfd __PNR_eventfd
+#endif /* __NR_eventfd */
+
+#define __PNR_fork -10156
+#ifndef __NR_fork
+#define __NR_fork __PNR_fork
+#endif /* __NR_fork */
+
+#define __PNR_futimesat -10157
+#ifndef __NR_futimesat
+#define __NR_futimesat __PNR_futimesat
+#endif /* __NR_futimesat */
+
+#define __PNR_getdents -10158
+#ifndef __NR_getdents
+#define __NR_getdents __PNR_getdents
+#endif /* __NR_getdents */
+
+#define __PNR_getpgrp -10159
+#ifndef __NR_getpgrp
+#define __NR_getpgrp __PNR_getpgrp
+#endif /* __NR_getpgrp */
+
+#define __PNR_inotify_init -10160
+#ifndef __NR_inotify_init
+#define __NR_inotify_init __PNR_inotify_init
+#endif /* __NR_inotify_init */
+
+#define __PNR_lchown -10161
+#ifndef __NR_lchown
+#define __NR_lchown __PNR_lchown
+#endif /* __NR_lchown */
+
+#define __PNR_link -10162
+#ifndef __NR_link
+#define __NR_link __PNR_link
+#endif /* __NR_link */
+
+#define __PNR_lstat -10163
+#ifndef __NR_lstat
+#define __NR_lstat __PNR_lstat
+#endif /* __NR_lstat */
+
+#define __PNR_mkdir -10164
+#ifndef __NR_mkdir
+#define __NR_mkdir __PNR_mkdir
+#endif /* __NR_mkdir */
+
+#define __PNR_mknod -10165
+#ifndef __NR_mknod
+#define __NR_mknod __PNR_mknod
+#endif /* __NR_mknod */
+
+#define __PNR_open -10166
+#ifndef __NR_open
+#define __NR_open __PNR_open
+#endif /* __NR_open */
+
+#define __PNR_pause -10167
+#ifndef __NR_pause
+#define __NR_pause __PNR_pause
+#endif /* __NR_pause */
+
+#define __PNR_pipe -10168
+#ifndef __NR_pipe
+#define __NR_pipe __PNR_pipe
+#endif /* __NR_pipe */
+
+#define __PNR_poll -10169
+#ifndef __NR_poll
+#define __NR_poll __PNR_poll
+#endif /* __NR_poll */
+
+#define __PNR_readlink -10170
+#ifndef __NR_readlink
+#define __NR_readlink __PNR_readlink
+#endif /* __NR_readlink */
+
+#define __PNR_rename -10171
+#ifndef __NR_rename
+#define __NR_rename __PNR_rename
+#endif /* __NR_rename */
+
+#define __PNR_rmdir -10172
+#ifndef __NR_rmdir
+#define __NR_rmdir __PNR_rmdir
+#endif /* __NR_rmdir */
+
+#define __PNR_signalfd -10173
+#ifndef __NR_signalfd
+#define __NR_signalfd __PNR_signalfd
+#endif /* __NR_signalfd */
+
+#define __PNR_stat -10174
+#ifndef __NR_stat
+#define __NR_stat __PNR_stat
+#endif /* __NR_stat */
+
+#define __PNR_symlink -10175
+#ifndef __NR_symlink
+#define __NR_symlink __PNR_symlink
+#endif /* __NR_symlink */
+
+#define __PNR_unlink -10176
+#ifndef __NR_unlink
+#define __NR_unlink __PNR_unlink
+#endif /* __NR_unlink */
+
+#define __PNR_ustat -10177
+#ifndef __NR_ustat
+#define __NR_ustat __PNR_ustat
+#endif /* __NR_ustat */
+
+#define __PNR_utime -10178
+#ifndef __NR_utime
+#define __NR_utime __PNR_utime
+#endif /* __NR_utime */
+
+#define __PNR_utimes -10179
+#ifndef __NR_utimes
+#define __NR_utimes __PNR_utimes
+#endif /* __NR_utimes */
+
#ifdef __cplusplus
}
#endif
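Review bot: The guard closing the `oldwait4` block is annotated `#endif /* __NR_sysfs */` — a copy-paste slip that should read `#endif /* __NR_oldwait4 */`, and it is the same kind of mislabelled `#endif` the previous hunk fixes for `__NR_getrandom`. The rest of the new `__PNR_*` block is consistent, but note that it now gives `open`, `stat`, `lstat`, `poll` and other common calls pseudo numbers, so on a native aarch64 build `SCMP_SYS(open)` expands to a negative value; callers using the exact-add API will presumably see that reported as an error, which is worth a sentence in the header comment for this block.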
diff --git a/src/Makefile.am b/src/Makefile.am
index 2d1db37..f3cce7b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -27,6 +27,7 @@ SOURCES_ARCH = \
arch-x86_64.h arch-x86_64.c arch-x86_64-syscalls.c \
arch-x32.h arch-x32.c arch-x32-syscalls.c \
arch-arm.h arch-arm.c arch-arm-syscalls.c \
+ arch-aarch64.h arch-aarch64.c arch-aarch64-syscalls.c \
arch-mips.h arch-mips.c arch-mips-syscalls.c \
arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \
arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c
diff --git a/src/arch-aarch64-syscalls.c b/src/arch-aarch64-syscalls.c
new file mode 100644
index 0000000..650c50c
--- /dev/null
+++ b/src/arch-aarch64-syscalls.c
@@ -0,0 +1,495 @@
+/**
+ * Enhanced Seccomp AArch64 Syscall Table
+ *
+ * Copyright (c) 2014 Red Hat <***@redhat.com>
+ * Author: Marcin Juszkiewicz <***@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <string.h>
+
+#include <seccomp.h>
+
+#include "arch.h"
+#include "arch-aarch64.h"
+
+/* NOTE: based on Linux 3.17-rc1+ */
+const struct arch_syscall_def aarch64_syscall_table[] = { \
+ { "_llseek", __PNR__llseek },
+ { "_newselect", __PNR__newselect },
+ { "_sysctl", __PNR__sysctl },
+ { "accept", 202 },
+ { "accept4", 242 },
+ { "access", __PNR_access },
+ { "acct", 89 },
+ { "add_key", 217 },
+ { "adjtimex", 171 },
+ { "afs_syscall", __PNR_afs_syscall },
+ { "alarm", __PNR_alarm },
+ { "arm_fadvise64_64", __PNR_arm_fadvise64_64 },
+ { "arm_sync_file_range", __PNR_arm_sync_file_range },
+ { "arch_prctl", __PNR_arch_prctl },
+ { "bdflush", __PNR_bdflush },
+ { "bind", 200 },
+ { "break", __PNR_break },
+ { "brk", 214 },
+ { "cachectl", __PNR_cachectl },
+ { "cacheflush", __PNR_cacheflush },
+ { "capget", 90 },
+ { "capset", 91 },
+ { "chdir", 49 },
+ { "chmod", __PNR_chmod },
+ { "chown", __PNR_chown },
+ { "chown32", __PNR_chown32 },
+ { "chroot", 51 },
+ { "clock_adjtime", 266 },
+ { "clock_getres", 114 },
+ { "clock_gettime", 113 },
+ { "clock_nanosleep", 115 },
+ { "clock_settime", 112 },
+ { "clone", 220 },
+ { "close", 57 },
+ { "connect", 203 },
+ { "creat", __PNR_creat },
+ { "create_module", __PNR_create_module },
+ { "delete_module", 106 },
+ { "dup", 23 },
+ { "dup2", __PNR_dup2 },
+ { "dup3", 24 },
+ { "epoll_create", __PNR_epoll_create },
+ { "epoll_create1", 20 },
+ { "epoll_ctl", 21 },
+ { "epoll_ctl_old", __PNR_epoll_ctl_old },
+ { "epoll_pwait", 22 },
+ { "epoll_wait", __PNR_epoll_wait },
+ { "epoll_wait_old", __PNR_epoll_wait_old },
+ { "eventfd", __PNR_eventfd },
+ { "eventfd2", 19 },
+ { "execve", 221 },
+ { "exit", 93 },
+ { "exit_group", 94 },
+ { "faccessat", 48 },
+ { "fadvise64", 223 },
+ { "fadvise64_64", __PNR_fadvise64_64 },
+ { "fallocate", 47 },
+ { "fanotify_init", 262 },
+ { "fanotify_mark", 263 },
+ { "fchdir", 50 },
+ { "fchmod", 52 },
+ { "fchmodat", 53 },
+ { "fchown", 55 },
+ { "fchown32", __PNR_fchown32 },
+ { "fchownat", 54 },
+ { "fcntl", 25 },
+ { "fcntl64", __PNR_fcntl64 },
+ { "fdatasync", 83 },
+ { "fgetxattr", 10 },
+ { "finit_module", 273 },
+ { "flistxattr", 13 },
+ { "flock", 32 },
+ { "fork", __PNR_fork },
+ { "fremovexattr", 16 },
+ { "fsetxattr", 7 },
+ { "fstat", 80 },
+ { "fstat64", __PNR_fstat64 },
+ { "fstatat64", __PNR_fstatat64 },
+ { "fstatfs", 44 },
+ { "fstatfs64", __PNR_fstatfs64 },
+ { "fsync", 82 },
+ { "ftime", __PNR_ftime },
+ { "ftruncate", 46 },
+ { "ftruncate64", __PNR_ftruncate64 },
+ { "futex", 98 },
+ { "futimesat", __PNR_futimesat },
+ { "get_kernel_syms", __PNR_get_kernel_syms },
+ { "get_mempolicy", 236 },
+ { "get_robust_list", 100 },
+ { "get_thread_area", __PNR_get_thread_area },
+ { "getcpu", 168 },
+ { "getcwd", 17 },
+ { "getdents", __PNR_getdents },
+ { "getdents64", 61 },
+ { "getegid", 177 },
+ { "getegid32", __PNR_getegid32 },
+ { "geteuid", 175 },
+ { "geteuid32", __PNR_geteuid32 },
+ { "getgid", 176 },
+ { "getgid32", __PNR_getgid32 },
+ { "getgroups", 158 },
+ { "getgroups32", __PNR_getgroups32 },
+ { "getitimer", 102 },
+ { "getpeername", 205 },
+ { "getpgid", 155 },
+ { "getpgrp", __PNR_getpgrp },
+ { "getpid", 172 },
+ { "getpmsg", __PNR_getpmsg },
+ { "getppid", 173 },
+ { "getpriority", 141 },
+ { "getrandom", 278 },
+ { "getresgid", 150 },
+ { "getresgid32", __PNR_getresgid32 },
+ { "getresuid", 148 },
+ { "getresuid32", __PNR_getresuid32 },
+ { "getrlimit", 163 },
+ { "getrusage", 165 },
+ { "getsid", 156 },
+ { "getsockname", 204 },
+ { "getsockopt", 209 },
+ { "gettid", 178 },
+ { "gettimeofday", 169 },
+ { "getuid", 174 },
+ { "getuid32", __PNR_getuid32 },
+ { "getxattr", 8 },
+ { "gtty", __PNR_gtty },
+ { "idle", __PNR_idle },
+ { "init_module", 105 },
+ { "inotify_add_watch", 27 },
+ { "inotify_init", __PNR_inotify_init },
+ { "inotify_init1", 26 },
+ { "inotify_rm_watch", 28 },
+ { "io_cancel", 3 },
+ { "io_destroy", 1 },
+ { "io_getevents", 4 },
+ { "io_setup", 0 },
+ { "io_submit", 2 },
+ { "ioctl", 29 },
+ { "ioperm", __PNR_ioperm },
+ { "iopl", __PNR_iopl },
+ { "ioprio_get", 31 },
+ { "ioprio_set", 30 },
+ { "ipc", __PNR_ipc },
+ { "kcmp", 272 },
+ { "kexec_file_load", __PNR_kexec_file_load },
+ { "kexec_load", 104 },
+ { "keyctl", 219 },
+ { "kill", 129 },
+ { "lchown", __PNR_lchown },
+ { "lchown32", __PNR_lchown32 },
+ { "lgetxattr", 9 },
+ { "link", __PNR_link },
+ { "linkat", 37 },
+ { "listen", 201 },
+ { "listxattr", 11 },
+ { "llistxattr", 12 },
+ { "lock", __PNR_lock },
+ { "lookup_dcookie", 18 },
+ { "lremovexattr", 15 },
+ { "lseek", 62 },
+ { "lsetxattr", 6 },
+ { "lstat", __PNR_lstat },
+ { "lstat64", __PNR_lstat64 },
+ { "madvise", 233 },
+ { "mbind", 235 },
+ { "memfd_create", __PNR_memfd_create },
+ { "migrate_pages", 238 },
+ { "mincore", 232 },
+ { "mkdir", __PNR_mkdir },
+ { "mkdirat", 34 },
+ { "mknod", __PNR_mknod },
+ { "mknodat", 33 },
+ { "mlock", 228 },
+ { "mlockall", 230 },
+ { "mmap", 222 },
+ { "mmap2", __PNR_mmap2 },
+ { "modify_ldt", __PNR_modify_ldt },
+ { "mount", 40 },
+ { "move_pages", 239 },
+ { "mprotect", 226 },
+ { "mpx", __PNR_mpx },
+ { "mq_getsetattr", 185 },
+ { "mq_notify", 184 },
+ { "mq_open", 180 },
+ { "mq_timedreceive", 183 },
+ { "mq_timedsend", 182 },
+ { "mq_unlink", 181 },
+ { "mremap", 216 },
+ { "msgctl", 187 },
+ { "msgget", 186 },
+ { "msgrcv", 188 },
+ { "msgsnd", 189 },
+ { "msync", 227 },
+ { "munlock", 229 },
+ { "munlockall", 231 },
+ { "munmap", 215 },
+ { "name_to_handle_at", 264 },
+ { "nanosleep", 101 },
+ { "newfstatat", 79 },
+ { "nfsservctl", 42 },
+ { "nice", __PNR_nice },
+ { "oldfstat", __PNR_oldfstat },
+ { "oldlstat", __PNR_oldlstat },
+ { "oldolduname", __PNR_oldolduname },
+ { "oldstat", __PNR_oldstat },
+ { "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
+ { "open", __PNR_open },
+ { "open_by_handle_at", 265 },
+ { "openat", 56 },
+ { "pause", __PNR_pause },
+ { "pciconfig_iobase", __PNR_pciconfig_iobase },
+ { "pciconfig_read", __PNR_pciconfig_read },
+ { "pciconfig_write", __PNR_pciconfig_write },
+ { "perf_event_open", 241 },
+ { "personality", 92 },
+ { "pipe", __PNR_pipe },
+ { "pipe2", 59 },
+ { "pivot_root", 41 },
+ { "poll", __PNR_poll },
+ { "ppoll", 73 },
+ { "prctl", 167 },
+ { "pread64", 67 },
+ { "preadv", 69 },
+ { "prlimit64", 261 },
+ { "process_vm_readv", 270 },
+ { "process_vm_writev", 271 },
+ { "prof", __PNR_prof },
+ { "profil", __PNR_profil },
+ { "pselect6", 72 },
+ { "ptrace", 117 },
+ { "putpmsg", __PNR_putpmsg },
+ { "pwrite64", 68 },
+ { "pwritev", 70 },
+ { "query_module", __PNR_query_module },
+ { "quotactl", 60 },
+ { "read", 63 },
+ { "readahead", 213 },
+ { "readdir", __PNR_readdir },
+ { "readlink", __PNR_readlink },
+ { "readlinkat", 78 },
+ { "readv", 65 },
+ { "reboot", 142 },
+ { "recv", __PNR_recv },
+ { "recvfrom", 207 },
+ { "recvmmsg", 243 },
+ { "recvmsg", 212 },
+ { "remap_file_pages", 234 },
+ { "removexattr", 14 },
+ { "rename", __PNR_rename },
+ { "renameat", 38 },
+ { "renameat2", 276 },
+ { "request_key", 218 },
+ { "restart_syscall", 128 },
+ { "rmdir", __PNR_rmdir },
+ { "rt_sigaction", 134 },
+ { "rt_sigpending", 136 },
+ { "rt_sigprocmask", 135 },
+ { "rt_sigqueueinfo", 138 },
+ { "rt_sigreturn", 139 },
+ { "rt_sigsuspend", 133 },
+ { "rt_sigtimedwait", 137 },
+ { "rt_tgsigqueueinfo", 240 },
+ { "sched_get_priority_max", 125 },
+ { "sched_get_priority_min", 126 },
+ { "sched_getaffinity", 123 },
+ { "sched_getattr", 275 },
+ { "sched_getparam", 121 },
+ { "sched_getscheduler", 120 },
+ { "sched_rr_get_interval", 127 },
+ { "sched_setaffinity", 122 },
+ { "sched_setattr", 274 },
+ { "sched_setparam", 118 },
+ { "sched_setscheduler", 119 },
+ { "sched_yield", 124 },
+ { "seccomp", 277 },
+ { "security", __PNR_security },
+ { "select", __PNR_select },
+ { "semctl", 191 },
+ { "semget", 190 },
+ { "semop", 193 },
+ { "semtimedop", 192 },
+ { "send", __PNR_send },
+ { "sendfile", 71 },
+ { "sendfile64", __PNR_sendfile64 },
+ { "sendmmsg", 269 },
+ { "sendmsg", 211 },
+ { "sendto", 206 },
+ { "set_mempolicy", 237 },
+ { "set_robust_list", 99 },
+ { "set_thread_area", __PNR_set_thread_area },
+ { "set_tid_address", 96 },
+ { "setdomainname", 162 },
+ { "setfsgid", 152 },
+ { "setfsgid32", __PNR_setfsgid32 },
+ { "setfsuid", 151 },
+ { "setfsuid32", __PNR_setfsuid32 },
+ { "setgid", 144 },
+ { "setgid32", __PNR_setgid32 },
+ { "setgroups", 159 },
+ { "setgroups32", __PNR_setgroups32 },
+ { "sethostname", 161 },
+ { "setitimer", 103 },
+ { "setns", 268 },
+ { "setpgid", 154 },
+ { "setpriority", 140 },
+ { "setregid", 143 },
+ { "setregid32", __PNR_setregid32 },
+ { "setresgid", 149 },
+ { "setresgid32", __PNR_setresgid32 },
+ { "setresuid", 147 },
+ { "setresuid32", __PNR_setresuid32 },
+ { "setreuid", 145 },
+ { "setreuid32", __PNR_setreuid32 },
+ { "setrlimit", 164 },
+ { "setsid", 157 },
+ { "setsockopt", 208 },
+ { "settimeofday", 170 },
+ { "setuid", 146 },
+ { "setuid32", __PNR_setuid32 },
+ { "setxattr", 5 },
+ { "sgetmask", __PNR_sgetmask },
+ { "shmat", 196 },
+ { "shmctl", 195 },
+ { "shmdt", 197 },
+ { "shmget", 194 },
+ { "shutdown", 210 },
+ { "sigaction", __PNR_sigaction },
+ { "sigaltstack", 132 },
+ { "signal", __PNR_signal },
+ { "signalfd", __PNR_signalfd },
+ { "signalfd4", 74 },
+ { "sigpending", __PNR_sigpending },
+ { "sigprocmask", __PNR_sigprocmask },
+ { "sigreturn", __PNR_sigreturn },
+ { "sigsuspend", __PNR_sigsuspend },
+ { "socket", 198 },
+ { "socketcall", __PNR_socketcall },
+ { "socketpair", 199 },
+ { "splice", 76 },
+ { "ssetmask", __PNR_ssetmask },
+ { "stat", __PNR_stat },
+ { "stat64", __PNR_stat64 },
+ { "statfs", 43 },
+ { "statfs64", __PNR_statfs64 },
+ { "stime", __PNR_stime },
+ { "stty", __PNR_stty },
+ { "swapoff", 225 },
+ { "swapon", 224 },
+ { "symlink", __PNR_symlink },
+ { "symlinkat", 36 },
+ { "sync", 81 },
+ { "sync_file_range", 84 },
+ { "sync_file_range2", __PNR_sync_file_range2 },
+ { "syncfs", 267 },
+ { "syscall", __PNR_syscall },
+ { "sysfs", __PNR_sysfs },
+ { "sysinfo", 179 },
+ { "syslog", 116 },
+ { "sysmips", __PNR_sysmips },
+ { "tee", 77 },
+ { "tgkill", 131 },
+ { "time", __PNR_time },
+ { "timer_create", 107 },
+ { "timer_delete", 111 },
+ { "timer_getoverrun", 109 },
+ { "timer_gettime", 108 },
+ { "timer_settime", 110 },
+ { "timerfd", __PNR_timerfd },
+ { "timerfd_create", 85 },
+ { "timerfd_gettime", 87 },
+ { "timerfd_settime", 86 },
+ { "times", 153 },
+ { "tkill", 130 },
+ { "truncate", 45 },
+ { "truncate64", __PNR_truncate64 },
+ { "tuxcall", __PNR_tuxcall },
+ { "ugetrlimit", __PNR_ugetrlimit },
+ { "ulimit", __PNR_ulimit },
+ { "umask", 166 },
+ { "umount", __PNR_umount },
+ { "umount2", 39 },
+ { "uname", 160 },
+ { "unlink", __PNR_unlink },
+ { "unlinkat", 35 },
+ { "unshare", 97 },
+ { "uselib", __PNR_uselib },
+ { "ustat", __PNR_ustat },
+ { "utime", __PNR_utime },
+ { "utimensat", 88 },
+ { "utimes", __PNR_utimes },
+ { "vfork", __PNR_vfork },
+ { "vhangup", 58 },
+ { "vm86", __PNR_vm86 },
+ { "vm86old", __PNR_vm86old },
+ { "vmsplice", 75 },
+ { "vserver", __PNR_vserver },
+ { "wait4", 260 },
+ { "waitid", 95 },
+ { "waitpid", __PNR_waitpid },
+ { "write", 64 },
+ { "writev", 66 },
+ { NULL, __NR_SCMP_ERROR },
+};
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number using the syscall table.
+ * Returns the syscall number on success, including negative pseudo syscall
+ * numbers; returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int aarch64_syscall_resolve_name(const char *name)
+{
+ unsigned int iter;
+ const struct arch_syscall_def *table = aarch64_syscall_table;
+
+ /* XXX - plenty of room for future improvement here */
+ for (iter = 0; table[iter].name != NULL; iter++) {
+ if (strcmp(name, table[iter].name) == 0)
+ return table[iter].num;
+ }
+
+ return __NR_SCMP_ERROR;
+}
+
+/**
+ * Resolve a syscall number to a name
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name using the syscall table.
+ * Returns a pointer to the syscall name string on success, including pseudo
+ * syscall names; returns NULL on failure.
+ *
+ */
+const char *aarch64_syscall_resolve_num(int num)
+{
+ unsigned int iter;
+ const struct arch_syscall_def *table = aarch64_syscall_table;
+
+ /* XXX - plenty of room for future improvement here */
+ for (iter = 0; table[iter].num != __NR_SCMP_ERROR; iter++) {
+ if (num == table[iter].num)
+ return table[iter].name;
+ }
+
+ return NULL;
+}
+
+
+/**
+ * Iterate through the syscall table and return the syscall name
+ * @param spot the offset into the syscall table
+ *
+ * Return the syscall name at position @spot or NULL on failure. This function
+ * should only ever be used internally by libseccomp.
+ *
+ */
+const char *aarch64_syscall_iterate_name(unsigned int spot)
+{
+ /* XXX - no safety checks here */
+ return aarch64_syscall_table[spot].name;
+}
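Review bot: `aarch64_syscall_iterate_name` indexes `aarch64_syscall_table[spot]` with no upper bound, so a caller that steps past the NULL sentinel reads beyond the array; the `XXX - no safety checks` comment records this, but a one-line guard closes it: `if (spot >= sizeof(aarch64_syscall_table) / sizeof(aarch64_syscall_table[0])) return NULL;`. The sibling arch files appear to share the pattern, so this is inherited rather than introduced, but a new file is the place to stop copying it. Since a wrong number in this table silently changes which syscall a filter matches, the values should be checked against the stated `Linux 3.17-rc1+` header through the new `dump_sys_aarch64` path in `arch-syscall-validate` before merge. The trailing `\` on `aarch64_syscall_table[] = { \` is a no-op line continuation and can be dropped.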
diff --git a/src/arch-aarch64.c b/src/arch-aarch64.c
new file mode 100644
index 0000000..a4fbffb
--- /dev/null
+++ b/src/arch-aarch64.c
@@ -0,0 +1,34 @@
+/**
+ * Enhanced Seccomp AArch64 Syscall Table
+ *
+ * Copyright (c) 2014 Red Hat <***@redhat.com>
+ * Author: Marcin Juszkiewicz <***@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <linux/audit.h>
+
+#include "arch.h"
+#include "arch-aarch64.h"
+
+const struct arch_def arch_def_aarch64 = {
+ .token = SCMP_ARCH_AARCH64,
+ .token_bpf = AUDIT_ARCH_AARCH64,
+ .size = ARCH_SIZE_64,
+ .endian = ARCH_ENDIAN_LITTLE,
+};
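Review bot: `<stdlib.h>` and `<errno.h>` are included but nothing in this file uses them; the only names referenced are `SCMP_ARCH_AARCH64`, `AUDIT_ARCH_AARCH64` and the `arch_def` fields, so both includes can go. `AUDIT_ARCH_AARCH64` is taken from `<linux/audit.h>`; if the project does not provide a fallback definition for kernel headers that predate it, this initializer is where a build against older headers will fail, which is worth either a comment or a guarded fallback next to the include.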
diff --git a/src/arch-aarch64.h b/src/arch-aarch64.h
new file mode 100644
index 0000000..9d80311
--- /dev/null
+++ b/src/arch-aarch64.h
@@ -0,0 +1,42 @@
+/**
+ * Enhanced Seccomp AArch64 Syscall Table
+ *
+ * Copyright (c) 2014 Red Hat <***@redhat.com>
+ * Author: Marcin Juszkiewicz <***@redhat.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _ARCH_AARCH64_H
+#define _ARCH_AARCH64_H
+
+#include <inttypes.h>
+
+#include "arch.h"
+#include "system.h"
+
+#define aarch64_arg_count_max 6
+
+extern const struct arch_def arch_def_aarch64;
+
+#define aarch64_arg_offset(x) (offsetof(struct seccomp_data, args[x]))
+#define aarch64_arg_offset_lo(x) (aarch64_arg_offset(x))
+#define aarch64_arg_offset_hi(x) (aarch64_arg_offset(x) + 4)
+
+int aarch64_syscall_resolve_name(const char *name);
+const char *aarch64_syscall_resolve_num(int num);
+
+const char *aarch64_syscall_iterate_name(unsigned int spot);
+#endif
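Review bot: `aarch64_arg_offset` expands to `offsetof(...)`, but the header includes only `<inttypes.h>`, `arch.h` and `system.h`, so it relies on one of the two project headers pulling in `<stddef.h>`; adding `#include <stddef.h>` here makes the header self-contained. `_ARCH_AARCH64_H` is a reserved identifier (leading underscore followed by an uppercase letter); this presumably mirrors the other arch headers, so change it only together with them. The closing `#endif` would read better as `#endif /* _ARCH_AARCH64_H */`, matching the `#endif /* __NR_... */` style the public header uses.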
diff --git a/src/arch-arm-syscalls.c b/src/arch-arm-syscalls.c
index 80ca92f..79af9f0 100644
--- a/src/arch-arm-syscalls.c
+++ b/src/arch-arm-syscalls.c
@@ -245,6 +245,7 @@ const struct arch_syscall_def arm_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 5) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 371) },
{ "openat", (__NR_SYSCALL_BASE + 322) },
diff --git a/src/arch-mips-syscalls.c b/src/arch-mips-syscalls.c
index 0ae3f06..3a5cec4 100644
--- a/src/arch-mips-syscalls.c
+++ b/src/arch-mips-syscalls.c
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 5) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 340) },
{ "openat", (__NR_SYSCALL_BASE + 288) },
diff --git a/src/arch-mips64-syscalls.c b/src/arch-mips64-syscalls.c
index c4eaa97..9300f75 100644
--- a/src/arch-mips64-syscalls.c
+++ b/src/arch-mips64-syscalls.c
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips64_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 2) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 299) },
{ "openat", (__NR_SYSCALL_BASE + 247) },
diff --git a/src/arch-mips64n32-syscalls.c b/src/arch-mips64n32-syscalls.c
index 3aa5269..47ce97a 100644
--- a/src/arch-mips64n32-syscalls.c
+++ b/src/arch-mips64n32-syscalls.c
@@ -238,6 +238,7 @@ const struct arch_syscall_def mips64n32_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (__NR_SYSCALL_BASE + 2) },
{ "open_by_handle_at", (__NR_SYSCALL_BASE + 304) },
{ "openat", (__NR_SYSCALL_BASE + 251) },
diff --git a/src/arch-syscall-check.c b/src/arch-syscall-check.c
index 7a14a8b..e60050e 100644
--- a/src/arch-syscall-check.c
+++ b/src/arch-syscall-check.c
@@ -28,6 +28,7 @@
#include "arch-x86.h"
#include "arch-x86_64.h"
#include "arch-arm.h"
+#include "arch-aarch64.h"
#include "arch-mips.h"
#include "arch-mips64.h"
#include "arch-mips64n32.h"
@@ -60,6 +61,7 @@ int main(int argc, char *argv[])
int i_x86 = 0;
int i_x86_64 = 0;
int i_arm = 0;
+ int i_aarch64 = 0;
int i_mips = 0;
int i_mips64 = 0;
int i_mips64n32 = 0;
@@ -77,6 +79,8 @@ int main(int argc, char *argv[])
x86_64_syscall_iterate_name(i_x86_64));
syscall_check(str_miss, sys_name, "arm",
arm_syscall_iterate_name(i_arm));
+ syscall_check(str_miss, sys_name, "aarch64",
+ aarch64_syscall_iterate_name(i_aarch64));
syscall_check(str_miss, sys_name, "mips",
mips_syscall_iterate_name(i_mips));
syscall_check(str_miss, sys_name, "mips64",
@@ -105,7 +109,10 @@ int main(int argc, char *argv[])
i_mips64 = -1;
if (!mips64n32_syscall_iterate_name(++i_mips64n32))
i_mips64n32 = -1;
- } while (i_x86_64 >= 0 && i_arm >= 0 &&
+ if (!aarch64_syscall_iterate_name(++i_aarch64))
+ i_aarch64 = -1;
+ } while (i_x86_64 >= 0 &&
+ i_arm >= 0 && i_aarch64 >= 0 &&
i_mips >= 0 && i_mips64 >= 0 && i_mips64n32 >= 0);
/* check for any leftovers */
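Review bot: The new aarch64 advance is placed after the mips64n32 one, while every other aarch64 addition in this file (the counter declaration, the `syscall_check` call, the leftover check) sits directly after its arm counterpart; moving the two lines `if (!aarch64_syscall_iterate_name(++i_aarch64))` / `i_aarch64 = -1;` up next to the arm advance keeps the four blocks in the same order and makes the next arch addition a mechanical edit. The `arch_valid` hunk in `src/arch.c` has the same slip, adding `case SCMP_ARCH_AARCH64:` after the MIPS cases rather than after `SCMP_ARCH_ARM`, and `src/arch-syscall-dump.c` adds its include after the MIPS headers while `arch.c` and this file place it after `arch-arm.h`. `main` starts and ends outside this hunk.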
@@ -124,6 +131,11 @@ int main(int argc, char *argv[])
arm_syscall_iterate_name(i_arm));
return 1;
}
+ if (i_aarch64 >= 0) {
+ printf("%s: ERROR, aarch64 has additional syscalls\n",
+ aarch64_syscall_iterate_name(i_aarch64));
+ return 1;
+ }
if (i_mips >= 0) {
printf("%s: ERROR, mips has additional syscalls\n",
mips_syscall_iterate_name(i_mips));
diff --git a/src/arch-syscall-dump.c b/src/arch-syscall-dump.c
index 9b5e181..4a4d22e 100644
--- a/src/arch-syscall-dump.c
+++ b/src/arch-syscall-dump.c
@@ -37,6 +37,7 @@
#include "arch-mips.h"
#include "arch-mips64.h"
#include "arch-mips64n32.h"
+#include "arch-aarch64.h"
/**
* Print the usage information to stderr and exit
@@ -111,6 +112,9 @@ int main(int argc, char *argv[])
case SCMP_ARCH_MIPSEL64N32:
sys_name = mips64n32_syscall_iterate_name(iter);
break;
+ case SCMP_ARCH_AARCH64:
+ sys_name = aarch64_syscall_iterate_name(iter);
+ break;
default:
/* invalid arch */
exit_usage(argv[0]);
diff --git a/src/arch-syscall-validate b/src/arch-syscall-validate
index 7c7cd7f..2cbf696 100755
--- a/src/arch-syscall-validate
+++ b/src/arch-syscall-validate
@@ -166,6 +166,44 @@ function dump_lib_arm() {
}
#
+# Dump the aarch64 system syscall table
+#
+# Arguments:
+# 1 path to the kernel source
+#
+# Dump the architecture's syscall table to stdout.
+#
+function dump_sys_aarch64() {
+ gcc -E -dM -I$1/include/uapi -D__BITS_PER_LONG=64 $1/include/uapi/asm-generic/unistd.h | \
+ grep "^#define __NR_" | sort | \
+ sed -e '/__NR_syscalls/d' | \
+ sed -e '/__NR_arch_specific_syscall/d' | \
+ sed -e 's/#define[ \t]\+__NR_\([^ \t]\+\)[ \t]\+\(.*\)/\1\t\2/' | \
+ sed -e 's/__NR3264_statfs/43/' | \
+ sed -e 's/__NR3264_ftruncate/46/' | \
+ sed -e 's/__NR3264_truncate/45/' | \
+ sed -e 's/__NR3264_lseek/62/' | \
+ sed -e 's/__NR3264_sendfile/71/' | \
+ sed -e 's/__NR3264_fstatat/79/' | \
+ sed -e 's/__NR3264_fstatfs/44/' | \
+ sed -e 's/__NR3264_fcntl/25/' | \
+ sed -e 's/__NR3264_fadvise64/223/' | \
+ sed -e 's/__NR3264_mmap/222/' | \
+ sed -e 's/__NR3264_fstat/80/' | \
+ sed -e 's/__NR3264_lstat/1039/' | \
+ sed -e 's/__NR3264_stat/1038/'
+}
+
+#
+# Dump the aarch64 library syscall table
+#
+# Dump the library's syscall table to stdout.
+#
+function dump_lib_aarch64() {
+ $LIB_SYS_DUMP -a aarch64 | sed -e '/[^\t]\+\t-[0-9]\+/d'
+}
+
+#
# Dump the mips system syscall table
#
# Arguments:
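Review bot: `$1` is expanded unquoted twice in `dump_sys_aarch64`, so a kernel directory containing whitespace breaks the `gcc -E` invocation; `gcc -E -dM -I"$1/include/uapi" -D__BITS_PER_LONG=64 "$1/include/uapi/asm-generic/unistd.h" | \` fixes it (the sibling dump functions are outside this hunk, so I cannot tell whether they share the issue). The thirteen single-expression `sed` invocations can be one `sed` with multiple `-e` expressions, which also keeps the `__NR3264_*` substitutions in one place. Those substitutions hard-code numbers (43, 46, 45, 62, 71, 79, 44, 25, 223, 222, 80, 1039, 1038) that `-dM` presumably already emits as `#define __NR3264_<name> <num>` lines in the same output, so deriving them from the dump instead of duplicating them here would keep the validator honest if the header values ever move.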
@@ -287,6 +325,9 @@ function dump_sys() {
arm)
dump_sys_arm "$2"
;;
+ aarch64)
+ dump_sys_aarch64 "$2"
+ ;;
mips)
dump_sys_mips "$2"
;;
@@ -324,6 +365,9 @@ function dump_lib() {
arm)
dump_lib_arm "$2"
;;
+ aarch64)
+ dump_lib_aarch64 "$2"
+ ;;
mips)
dump_lib_mips "$2"
;;
@@ -368,7 +412,9 @@ done
shift $(($OPTIND - 1))
# defaults
-[[ $arches == "" ]] && arches="x86 x86_64 x32 arm mips mips64 mips64n32"
+if [[ $arches == "" ]]; then
+ arches="x86 x86_64 x32 arm aarch64 mips mips64 mips64n32"
+fi
# sanity checks
kernel_dir="$1"
diff --git a/src/arch-x32-syscalls.c b/src/arch-x32-syscalls.c
index 3d4d5ec..9e6b7c8 100644
--- a/src/arch-x32-syscalls.c
+++ b/src/arch-x32-syscalls.c
@@ -232,6 +232,7 @@ const struct arch_syscall_def x32_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", (X32_SYSCALL_BIT + 2) },
{ "open_by_handle_at", (X32_SYSCALL_BIT + 304) },
{ "openat", (X32_SYSCALL_BIT + 257) },
diff --git a/src/arch-x86-syscalls.c b/src/arch-x86-syscalls.c
index b8bcd48..8005d28 100644
--- a/src/arch-x86-syscalls.c
+++ b/src/arch-x86-syscalls.c
@@ -234,6 +234,7 @@ const struct arch_syscall_def x86_syscall_table[] = { \
{ "oldolduname", 59 },
{ "oldstat", 18 },
{ "olduname", 109 },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", 5 },
{ "open_by_handle_at", 342 },
{ "openat", 295 },
diff --git a/src/arch-x86_64-syscalls.c b/src/arch-x86_64-syscalls.c
index aa901e3..1f4d67c 100644
--- a/src/arch-x86_64-syscalls.c
+++ b/src/arch-x86_64-syscalls.c
@@ -234,6 +234,7 @@ const struct arch_syscall_def x86_64_syscall_table[] = { \
{ "oldolduname", __PNR_oldolduname },
{ "oldstat", __PNR_oldstat },
{ "olduname", __PNR_olduname },
+ { "oldwait4", __PNR_oldwait4 },
{ "open", 2 },
{ "open_by_handle_at", 304 },
{ "openat", 257 },
diff --git a/src/arch.c b/src/arch.c
index 3b2903d..12acfbf 100644
--- a/src/arch.c
+++ b/src/arch.c
@@ -34,6 +34,7 @@
#include "arch-x86_64.h"
#include "arch-x32.h"
#include "arch-arm.h"
+#include "arch-aarch64.h"
#include "arch-mips.h"
#include "arch-mips64.h"
#include "arch-mips64n32.h"
@@ -49,6 +50,8 @@ const struct arch_def *arch_def_native = &arch_def_x86_64;
#endif /* __ILP32__ */
#elif __arm__
const struct arch_def *arch_def_native = &arch_def_arm;
+#elif __aarch64__
+const struct arch_def *arch_def_native = &arch_def_aarch64;
#elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32
#if __MIPSEB__
const struct arch_def *arch_def_native = &arch_def_mips;
@@ -91,6 +94,7 @@ int arch_valid(uint32_t arch)
case SCMP_ARCH_MIPSEL64:
case SCMP_ARCH_MIPS64N32:
case SCMP_ARCH_MIPSEL64N32:
+ case SCMP_ARCH_AARCH64:
return 0;
}
@@ -115,6 +119,8 @@ const struct arch_def *arch_def_lookup(uint32_t token)
return &arch_def_x32;
case SCMP_ARCH_ARM:
return &arch_def_arm;
+ case SCMP_ARCH_AARCH64:
+ return &arch_def_aarch64;
case SCMP_ARCH_MIPS:
return &arch_def_mips;
case SCMP_ARCH_MIPSEL:
@@ -149,6 +155,8 @@ const struct arch_def *arch_def_lookup_name(const char *arch_name)
return &arch_def_x32;
else if (strcmp(arch_name, "arm") == 0)
return &arch_def_arm;
+ else if (strcmp(arch_name, "aarch64") == 0)
+ return &arch_def_aarch64;
else if (strcmp(arch_name, "mips") == 0)
return &arch_def_mips;
else if (strcmp(arch_name, "mipsel") == 0)
@@ -184,6 +192,8 @@ int arch_arg_count_max(const struct arch_def *arch)
return x32_arg_count_max;
case SCMP_ARCH_ARM:
return arm_arg_count_max;
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_count_max;
case SCMP_ARCH_MIPS:
case SCMP_ARCH_MIPSEL:
return mips_arg_count_max;
@@ -213,6 +223,8 @@ int arch_arg_offset_lo(const struct arch_def *arch, unsigned int arg)
switch (arch->token) {
case SCMP_ARCH_X86_64:
return x86_64_arg_offset_lo(arg);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_offset_lo(arg);
case SCMP_ARCH_MIPS64:
return mips64_arg_offset_lo(arg);
case SCMP_ARCH_MIPSEL64:
@@ -237,6 +249,8 @@ int arch_arg_offset_hi(const struct arch_def *arch, unsigned int arg)
switch (arch->token) {
case SCMP_ARCH_X86_64:
return x86_64_arg_offset_hi(arg);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_offset_hi(arg);
case SCMP_ARCH_MIPS64:
return mips64_arg_offset_hi(arg);
case SCMP_ARCH_MIPSEL64:
@@ -267,6 +281,8 @@ int arch_arg_offset(const struct arch_def *arch, unsigned int arg)
return x32_arg_offset(arg);
case SCMP_ARCH_ARM:
return arm_arg_offset(arg);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_arg_offset(arg);
case SCMP_ARCH_MIPS:
return mips_arg_offset(arg);
case SCMP_ARCH_MIPSEL:
@@ -305,6 +321,8 @@ int arch_syscall_resolve_name(const struct arch_def *arch, const char *name)
return x32_syscall_resolve_name(name);
case SCMP_ARCH_ARM:
return arm_syscall_resolve_name(name);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_syscall_resolve_name(name);
case SCMP_ARCH_MIPS:
case SCMP_ARCH_MIPSEL:
return mips_syscall_resolve_name(name);
@@ -340,6 +358,8 @@ const char *arch_syscall_resolve_num(const struct arch_def *arch, int num)
return x32_syscall_resolve_num(num);
case SCMP_ARCH_ARM:
return arm_syscall_resolve_num(num);
+ case SCMP_ARCH_AARCH64:
+ return aarch64_syscall_resolve_num(num);
case SCMP_ARCH_MIPS:
case SCMP_ARCH_MIPSEL:
return mips_syscall_resolve_num(num);
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 8fb66f1..3484dab 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -57,6 +57,8 @@ static const char *_pfc_arch(const struct arch_def *arch)
return "x32";
case SCMP_ARCH_ARM:
return "arm";
+ case SCMP_ARCH_AARCH64:
+ return "aarch64";
case SCMP_ARCH_MIPS:
return "mips";
case SCMP_ARCH_MIPSEL:
diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
index 24cbe68..2b50f3f 100644
--- a/src/python/libseccomp.pxd
+++ b/src/python/libseccomp.pxd
@@ -31,6 +31,7 @@ cdef extern from "seccomp.h":
SCMP_ARCH_X86_64
SCMP_ARCH_X32
SCMP_ARCH_ARM
+ SCMP_ARCH_AARCH64
SCMP_ARCH_MIPS
SCMP_ARCH_MIPS64
SCMP_ARCH_MIPS64N32
diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index 3721c50..d2f7c90 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -140,6 +140,7 @@ cdef class Arch:
X86_64 - 64-bit x86
X32 - 64-bit x86 using the x32 ABI
ARM - ARM
+ AARCH64 - 64-bit ARM
MIPS - MIPS O32 ABI
MIPS64 - MIPS 64-bit ABI
MIPS64N32 - MIPS N32 ABI
@@ -155,6 +156,7 @@ cdef class Arch:
X86_64 = libseccomp.SCMP_ARCH_X86_64
X32 = libseccomp.SCMP_ARCH_X32
ARM = libseccomp.SCMP_ARCH_ARM
+ AARCH64 = libseccomp.SCMP_ARCH_AARCH64
MIPS = libseccomp.SCMP_ARCH_MIPS
MIPS64 = libseccomp.SCMP_ARCH_MIPS64
MIPS64N32 = libseccomp.SCMP_ARCH_MIPS64N32
@@ -182,6 +184,8 @@ cdef class Arch:
self._token = libseccomp.SCMP_ARCH_X32
elif arch == libseccomp.SCMP_ARCH_ARM:
self._token = libseccomp.SCMP_ARCH_ARM
+ elif arch == libseccomp.SCMP_ARCH_AARCH64:
+ self._token = libseccomp.SCMP_ARCH_AARCH64
elif arch == libseccomp.SCMP_ARCH_MIPS:
self._token = libseccomp.SCMP_ARCH_MIPS
elif arch == libseccomp.SCMP_ARCH_MIPS64:
diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c
index 83bbfd5..20577ef 100644
--- a/tests/04-sim-multilevel_chains.c
+++ b/tests/04-sim-multilevel_chains.c
@@ -41,40 +41,39 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
- SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO),
- SCMP_A1(SCMP_CMP_NE, 0x0),
- SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
- SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO),
- SCMP_A1(SCMP_CMP_NE, 0x0),
- SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
- SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
- SCMP_A1(SCMP_CMP_NE, 0x0),
- SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
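Review bot: The switch from `seccomp_rule_add_exact()` to `seccomp_rule_add()` changes what this test asserts, since as I read it the non-exact variant allows the library to adjust or skip a rule per architecture, and nothing in the hunk says why; presumably it is because `open` has no native number on aarch64 (the new table maps it to `__PNR_open`) and `_exact` would reject it. A one-line comment above the first call, such as `/* not _exact: open is a pseudo syscall on aarch64, see 04-sim-multilevel_chains.tests */`, would record that for the next reader. The same applies to the matching `add_rule_exactly` to `add_rule` change in `tests/04-sim-multilevel_chains.py`. `main` starts and ends outside this hunk.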
diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py
index e40deee..73a6921 100755
--- a/tests/04-sim-multilevel_chains.py
+++ b/tests/04-sim-multilevel_chains.py
@@ -30,22 +30,22 @@ from seccomp import *
def test(args):
f = SyscallFilter(KILL)
- f.add_rule_exactly(ALLOW, "open");
- f.add_rule_exactly(ALLOW, "close");
- f.add_rule_exactly(ALLOW, "read",
- Arg(0, EQ, sys.stdin.fileno()),
- Arg(1, NE, 0),
- Arg(2, LT, sys.maxsize));
- f.add_rule_exactly(ALLOW, "write",
- Arg(0, EQ, sys.stdout.fileno()),
- Arg(1, NE, 0),
- Arg(2, LT, sys.maxsize));
- f.add_rule_exactly(ALLOW, "write",
- Arg(0, EQ, sys.stderr.fileno()),
- Arg(1, NE, 0),
- Arg(2, LT, sys.maxsize));
- f.add_rule_exactly(ALLOW, "close");
- f.add_rule_exactly(ALLOW, "rt_sigreturn");
+ f.add_rule(ALLOW, "open");
+ f.add_rule(ALLOW, "close");
+ f.add_rule(ALLOW, "read",
+ Arg(0, EQ, sys.stdin.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule(ALLOW, "write",
+ Arg(0, EQ, sys.stdout.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule(ALLOW, "write",
+ Arg(0, EQ, sys.stderr.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule(ALLOW, "close");
+ f.add_rule(ALLOW, "rt_sigreturn");
return f
args = util.get_opt()
diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests
index cefbc4f..6613f9a 100644
--- a/tests/04-sim-multilevel_chains.tests
+++ b/tests/04-sim-multilevel_chains.tests
@@ -7,29 +7,29 @@
test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-04-sim-multilevel_chains all open 0x856B008 4 N N N N ALLOW
-04-sim-multilevel_chains all close 4 N N N N N ALLOW
-04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL
-04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
-04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL
-04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
-04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL
-04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL
-04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
-04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL
-04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
-04-sim-multilevel_chains x86 0-2 N N N N N N KILL
-04-sim-multilevel_chains x86 7-172 N N N N N N KILL
-04-sim-multilevel_chains x86 174-350 N N N N N N KILL
-04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
-04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+04-sim-multilevel_chains all,-aarch64 open 0x856B008 4 N N N N ALLOW
+04-sim-multilevel_chains all close 4 N N N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
+04-sim-multilevel_chains x86 0-2 N N N N N N KILL
+04-sim-multilevel_chains x86 7-172 N N N N N N KILL
+04-sim-multilevel_chains x86 174-350 N N N N N N KILL
+04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
+04-sim-multilevel_chains x86_64 16-350 N N N N N N KILL
test type: bpf-sim-fuzz
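Review bot: The only substantive change in this table is the `all,-aarch64` qualifier on the open row, yet every row is re-emitted, so the real change is buried in a whitespace-only rewrite; the same applies to tests/06-sim-actions.tests. The trailing KILL rows that sweep unrelated syscall-number ranges exist only for x86 and x86_64, so the newly supported aarch64 architecture gets no negative coverage beyond the per-syscall rows. A comment next to the open row, `# open is presumably not a native aarch64 syscall, hence the exclusion`, would explain the qualifier, and an aarch64 range row in the style of the x86_64 ones would close the coverage gap.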
diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c
index 4dbe19f..0490783 100644
--- a/tests/06-sim-actions.c
+++ b/tests/06-sim-actions.c
@@ -40,21 +40,19 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(open), 0);
if (rc != 0)
goto out;
diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
index f09f0a0..d0c2e44 100644
--- a/tests/06-sim-actions.tests
+++ b/tests/06-sim-actions.tests
@@ -7,14 +7,14 @@
test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-06-sim-actions all read 4 0x856B008 80 N N N ALLOW
-06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
-06-sim-actions all close 4 N N N N N TRAP
-06-sim-actions all open 0x856B008 4 N N N N TRACE(1234)
-06-sim-actions x86 0-2 N N N N N N KILL
-06-sim-actions x86 7-350 N N N N N N KILL
-06-sim-actions x86_64 4-350 N N N N N N KILL
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+06-sim-actions all read 4 0x856B008 80 N N N ALLOW
+06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
+06-sim-actions all close 4 N N N N N TRAP
+06-sim-actions all,-aarch64 open 0x856B008 4 N N N N TRACE(1234)
+06-sim-actions x86 0-2 N N N N N N KILL
+06-sim-actions x86 7-350 N N N N N N KILL
+06-sim-actions x86_64 4-350 N N N N N N KILL
test type: bpf-sim-fuzz
diff --git a/tests/16-sim-arch_basic.c b/tests/16-sim-arch_basic.c
index efc8696..9771913 100644
--- a/tests/16-sim-arch_basic.c
+++ b/tests/16-sim-arch_basic.c
@@ -56,6 +56,9 @@ int main(int argc, char *argv[])
rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
if (rc != 0)
goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+ if (rc != 0)
+ goto out;
rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
if (rc != 0)
goto out;
diff --git a/tests/16-sim-arch_basic.py b/tests/16-sim-arch_basic.py
index ddd3f65..57a5ac3 100755
--- a/tests/16-sim-arch_basic.py
+++ b/tests/16-sim-arch_basic.py
@@ -35,6 +35,7 @@ def test(args):
f.add_arch(Arch("x86_64"))
f.add_arch(Arch("x32"))
f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
f.add_arch(Arch("mipsel"))
f.add_arch(Arch("mipsel64"))
f.add_arch(Arch("mipsel64n32"))
diff --git a/tests/20-live-basic_die.c b/tests/20-live-basic_die.c
index 5e6a99b..926875f 100644
--- a/tests/20-live-basic_die.c
+++ b/tests/20-live-basic_die.c
@@ -47,12 +47,10 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
if (rc != 0)
goto out;
diff --git a/tests/20-live-basic_die.py b/tests/20-live-basic_die.py
index 2b07776..c9f437f 100755
--- a/tests/20-live-basic_die.py
+++ b/tests/20-live-basic_die.py
@@ -33,8 +33,8 @@ def test():
if action == TRAP:
util.install_trap()
f = SyscallFilter(action)
- f.add_rule_exactly(ALLOW, "rt_sigreturn")
- f.add_rule_exactly(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "exit_group")
f.load()
try:
util.write_file("/dev/null")
diff --git a/tests/21-live-basic_allow.c b/tests/21-live-basic_allow.c
index 690f98e..4960e1b 100644
--- a/tests/21-live-basic_allow.c
+++ b/tests/21-live-basic_allow.c
@@ -45,21 +45,22 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
if (rc != 0)
goto out;
diff --git a/tests/21-live-basic_allow.py b/tests/21-live-basic_allow.py
index 1332f2e..97dd61a 100755
--- a/tests/21-live-basic_allow.py
+++ b/tests/21-live-basic_allow.py
@@ -35,17 +35,18 @@ def test():
util.install_trap()
f = SyscallFilter(TRAP)
# NOTE: additional syscalls required for python
- f.add_rule_exactly(ALLOW, "stat")
- f.add_rule_exactly(ALLOW, "fstat")
- f.add_rule_exactly(ALLOW, "open")
- f.add_rule_exactly(ALLOW, "mmap")
- f.add_rule_exactly(ALLOW, "munmap")
- f.add_rule_exactly(ALLOW, "read")
- f.add_rule_exactly(ALLOW, "write")
- f.add_rule_exactly(ALLOW, "close")
- f.add_rule_exactly(ALLOW, "rt_sigaction")
- f.add_rule_exactly(ALLOW, "rt_sigreturn")
- f.add_rule_exactly(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "fstat")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ALLOW, "write")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "exit_group")
f.load()
try:
util.write_file("/dev/null")
diff --git a/tests/23-sim-arch_all_le_basic.c b/tests/23-sim-arch_all_le_basic.c
index 9e820e1..eeb8556 100644
--- a/tests/23-sim-arch_all_le_basic.c
+++ b/tests/23-sim-arch_all_le_basic.c
@@ -56,6 +56,9 @@ int main(int argc, char *argv[])
rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("arm"));
if (rc != 0)
goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("aarch64"));
+ if (rc != 0)
+ goto out;
rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel"));
if (rc != 0)
goto out;
diff --git a/tests/23-sim-arch_all_le_basic.py b/tests/23-sim-arch_all_le_basic.py
index eba5152..36ab139 100755
--- a/tests/23-sim-arch_all_le_basic.py
+++ b/tests/23-sim-arch_all_le_basic.py
@@ -35,6 +35,7 @@ def test(args):
f.add_arch(Arch("x86_64"))
f.add_arch(Arch("x32"))
f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
f.add_arch(Arch("mipsel"))
f.add_arch(Arch("mipsel64"))
f.add_arch(Arch("mipsel64n32"))
diff --git a/tests/24-live-arg_allow.c b/tests/24-live-arg_allow.c
index 2ee8377..a13caa8 100644
--- a/tests/24-live-arg_allow.c
+++ b/tests/24-live-arg_allow.c
@@ -58,19 +58,17 @@ int main(int argc, char *argv[])
if (ctx == NULL)
return ENOMEM;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
- SCMP_A0(SCMP_CMP_EQ, fd));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, fd));
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
if (rc != 0)
goto out;
- rc = seccomp_rule_add_exact(ctx,
- SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
if (rc != 0)
goto out;
diff --git a/tests/24-live-arg_allow.py b/tests/24-live-arg_allow.py
index 32c63ec..7df970a 100755
--- a/tests/24-live-arg_allow.py
+++ b/tests/24-live-arg_allow.py
@@ -39,11 +39,11 @@ def test():
f = SyscallFilter(TRAP)
# NOTE: additional syscalls required for python
- f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, fd))
- f.add_rule_exactly(ALLOW, "close")
- f.add_rule_exactly(ALLOW, "rt_sigaction")
- f.add_rule_exactly(ALLOW, "rt_sigreturn")
- f.add_rule_exactly(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "write", Arg(0, EQ, fd))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "exit_group")
f.load()
try:
diff --git a/tests/regression b/tests/regression
index e7465d3..1d68ebc 100755
--- a/tests/regression
+++ b/tests/regression
@@ -21,7 +21,7 @@
# along with this library; if not, see <http://www.gnu.org/licenses>.
#
-GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm mipsel mipsel64 mipsel64n32"
+GLBL_ARCH_LE_SUPPORT="x86 x86_64 x32 arm aarch64 mipsel mipsel64 mipsel64n32"
GLBL_ARCH_BE_SUPPORT="mips mips64 mips64n32"
GLBL_SYS_ARCH="../tools/scmp_arch_detect"
@@ -669,7 +669,7 @@ function run_test_live() {
# setup the arch specific return values
case "$arch" in
- x86|x86_64|x32|arm)
+ x86|x86_64|x32|arm|aarch64)
rc_kill=159
rc_allow=160
rc_trap=161
diff --git a/tools/scmp_arch_detect.c b/tools/scmp_arch_detect.c
index d7f91b3..5a87252 100644
--- a/tools/scmp_arch_detect.c
+++ b/tools/scmp_arch_detect.c
@@ -78,6 +78,9 @@ int main(int argc, char *argv[])
case SCMP_ARCH_ARM:
printf("arm\n");
break;
+ case SCMP_ARCH_AARCH64:
+ printf("aarch64\n");
+ break;
case SCMP_ARCH_MIPS:
printf("mips\n");
break;
diff --git a/tools/scmp_bpf_disasm.c b/tools/scmp_bpf_disasm.c
index 98021dc..349b8a8 100644
--- a/tools/scmp_bpf_disasm.c
+++ b/tools/scmp_bpf_disasm.c
@@ -320,6 +320,8 @@ int main(int argc, char *argv[])
arch = AUDIT_ARCH_X86_64;
else if (strcmp(optarg, "arm") == 0)
arch = AUDIT_ARCH_ARM;
+ else if (strcmp(optarg, "aarch64") == 0)
+ arch = AUDIT_ARCH_AARCH64;
else if (strcmp(optarg, "mips") == 0)
arch = AUDIT_ARCH_MIPS;
else if (strcmp(optarg, "mipsel") == 0)
diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c
index c9333f3..bb3a2e7 100644
--- a/tools/scmp_bpf_sim.c
+++ b/tools/scmp_bpf_sim.c
@@ -235,6 +235,8 @@ int main(int argc, char *argv[])
arch = AUDIT_ARCH_X86_64;
else if (strcmp(optarg, "arm") == 0)
arch = AUDIT_ARCH_ARM;
+ else if (strcmp(optarg, "aarch64") == 0)
+ arch = AUDIT_ARCH_AARCH64;
else if (strcmp(optarg, "mips") == 0)
arch = AUDIT_ARCH_MIPS;
else if (strcmp(optarg, "mipsel") == 0)
diff --git a/tools/util.c b/tools/util.c
index 4927faa..9b58bbb 100644
--- a/tools/util.c
+++ b/tools/util.c
@@ -42,6 +42,8 @@
#endif /* __ILP32__ */
#elif __arm__
#define ARCH_NATIVE AUDIT_ARCH_ARM
+#elif __aarch64__
+#define ARCH_NATIVE AUDIT_ARCH_AARCH64
#elif __mips__ && _MIPS_SIM == _MIPS_SIM_ABI32
#if __MIPSEB__
#define ARCH_NATIVE AUDIT_ARCH_MIPS
diff --git a/tools/util.h b/tools/util.h
index 6564472..13ef59f 100644
--- a/tools/util.h
+++ b/tools/util.h
@@ -23,6 +23,7 @@
#define _UTIL_H
#include <inttypes.h>
+#include <linux/audit.h>
#ifndef __AUDIT_ARCH_CONVENTION_MIPS64_N32
#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
@@ -40,6 +41,11 @@
__AUDIT_ARCH_CONVENTION_MIPS64_N32)
#endif
+#ifndef AUDIT_ARCH_AARCH64
+/* AArch64 support for audit was merged in 3.17-rc1 */
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+
extern uint32_t arch;
void exit_usage(const char *program);
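Review bot: The fallback `#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)` still depends on `EM_AARCH64`, which reaches this header only through the newly added `<linux/audit.h>` include and its elf-em.h dependency; on kernel headers old enough to lack AUDIT_ARCH_AARCH64 it may be missing as well, in which case the macro expands to an undeclared identifier at every use in tools/scmp_bpf_sim.c and tools/scmp_bpf_disasm.c. The MIPS64_N32 fallback just above sidesteps the same problem with a literal. Guarding it the same way, `#ifndef EM_AARCH64` / `#define EM_AARCH64 183` / `#endif` before this block, keeps the tools building on older headers.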