seccomp-tools 0.1.0

@@ -0,0 +1,41 @@
1
+ require 'seccomp-tools/cli/base'
2
+ require 'seccomp-tools/disasm'
3
+ require 'seccomp-tools/util'
4
+
5
+ module SeccompTools
6
+ module CLI
7
+ # Handle 'dump' command.
8
+ class Disasm < Base
9
+ # Summary of this command.
10
+ SUMMARY = 'Disassembly seccomp bpf.'.freeze
11
+ # Usage of this command.
12
+ USAGE = ('disasm - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools disasm BPF_FILE [options]').freeze
13
+
14
+ # Define option parser.
15
+ # @return [OptionParser]
16
+ def parser
17
+ @parser ||= OptionParser.new do |opt|
18
+ opt.banner = usage
19
+ opt.on('-o', '--output FILE', 'Output result into FILE instead of stdout.') do |o|
20
+ option[:ofile] = o
21
+ end
22
+
23
+ supported = Util.supported_archs
24
+ opt.on('-a', '--arch ARCH', supported, 'Specify architecture.',
25
+ "Supported architectures are <#{supported.join('|')}>.") do |a|
26
+ option[:arch] = a
27
+ end
28
+ end
29
+ end
30
+
31
+ # Handle options.
32
+ # @return [void]
33
+ def handle
34
+ return unless super
35
+ option[:ifile] = argv.shift
36
+ return CLI.show(parser.help) if option[:ifile].nil?
37
+ output(SeccompTools::Disasm.disasm(IO.binread(option[:ifile]), arch: option[:arch]))
38
+ end
39
+ end
40
+ end
41
+ end
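Review bot: The class comment on `class Disasm < Base` reads `# Handle 'dump' command.`, a copy-paste from the Dump command; it should be `# Handle 'disasm' command.` so the two CLI classes are not documented identically. Separately, `handle` reads the filter with `IO.binread(option[:ifile])` and no existence check, so a mistyped path surfaces as an uncaught `Errno::ENOENT` backtrace instead of a CLI message; a guard such as `return CLI.show("No such file: #{option[:ifile]}") unless File.file?(option[:ifile])` placed before the read keeps it consistent with the help-on-missing-argument line just above, assuming `CLI.show` simply prints its argument (it is only used with help text here). Whether `Disasm.disasm` copes with `arch: nil` when `-a` is omitted cannot be seen from this hunk.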
@@ -0,0 +1,66 @@
1
+ require 'seccomp-tools/cli/base'
2
+ require 'seccomp-tools/disasm'
3
+ require 'seccomp-tools/dumper'
4
+
5
+ module SeccompTools
6
+ module CLI
7
+ # Handle 'dump' command.
8
+ class Dump < Base
9
+ # Summary of this command.
10
+ SUMMARY = 'Automatically dump seccomp bpf from execution file.'.freeze
11
+ # Usage of this command.
12
+ USAGE = ('dump - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools dump [exec] [options]').freeze
13
+
14
+ def initialize(*)
15
+ super
16
+ option[:format] = :disasm
17
+ option[:limit] = 1
18
+ end
19
+
20
+ # Define option parser.
21
+ # @return [OptionParser]
22
+ def parser
23
+ @parser ||= OptionParser.new do |opt|
24
+ opt.banner = usage
25
+ opt.on('-c', '--sh-exec <command>', 'Executes the given command (via sh).',
26
+ 'Use this option if want to pass arguments or do pipe things to the execution file.') do |command|
27
+ option[:command] = command
28
+ end
29
+
30
+ opt.on('-f', '--format FORMAT', %i[disasm raw inspect],
31
+ 'Output format. FORMAT can only be one of <disasm|raw|inspect>.',
32
+ 'Default: disasm') do |f|
33
+ option[:format] = f
34
+ end
35
+
36
+ opt.on('-l', '--limit LIMIT', 'Limit the number of calling "prctl(PR_SET_SECCOMP)".',
37
+ 'The target process will be killed whenever its calling times reaches LIMIT.',
38
+ 'Default: 1', Integer) do |l|
39
+ option[:limit] = l
40
+ end
41
+
42
+ opt.on('-o', '--output FILE', 'Output result into FILE instead of stdout.',
43
+ 'If multiple seccomp syscalls have been invoked (see --limit),',
44
+ 'results will be written to FILE, FILE_1, FILE_2.. etc.',
45
+ 'For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...') do |o|
46
+ option[:ofile] = o
47
+ end
48
+ end
49
+ end
50
+
51
+ # Handle options.
52
+ # @return [void]
53
+ def handle
54
+ return unless super
55
+ option[:command] = argv.shift unless argv.empty?
56
+ SeccompTools::Dumper.dump('/bin/sh', '-c', option[:command], limit: option[:limit]) do |bpf, arch|
57
+ case option[:format]
58
+ when :inspect then output('"' + bpf.bytes.map { |b| format('\\x%02X', b) }.join + "\"\n")
59
+ when :raw then output(bpf)
60
+ when :disasm then output(SeccompTools::Disasm.disasm(bpf, arch: arch))
61
+ end
62
+ end
63
+ end
64
+ end
65
+ end
66
+ end
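Review bot: `handle` can hand a nil command to the dumper: when neither `-c` nor a positional argument is given, `option[:command]` is never set and `SeccompTools::Dumper.dump('/bin/sh', '-c', nil, limit: ...)` runs with nil as the shell script, which presumably fails inside the exec path rather than with a usage message. Mirror the disasm command and bail out early with `return CLI.show(parser.help) if option[:command].nil?` right after the `argv.shift` line. A one-line comment above the `Dumper.dump` call is also warranted, e.g. `# The target is executed via /bin/sh -c with the caller's privileges; dump untrusted samples inside a throwaway sandbox.`, since the usage text's `[exec]` is a shell string rather than an argv; the dumper itself is outside this hunk.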
@@ -0,0 +1,112 @@
1
+ module SeccompTools
2
+ # Define constant values.
3
+ module Const
4
+ # For BPF / seccomp.
5
+ module BPF
6
+ # sizeof(struct seccomp_data)
7
+ SIZEOF_SECCOMP_DATA = 64
8
+
9
+ # option set seccomp
10
+ PR_SET_SECCOMP = 22
11
+
12
+ # filter mode
13
+ SECCOMP_MODE_FILTER = 2
14
+
15
+ # bpf command classes
16
+ COMMAND = {
17
+ ld: 0x0,
18
+ ldx: 0x1,
19
+ st: 0x2,
20
+ stx: 0x3,
21
+ alu: 0x4,
22
+ jmp: 0x5,
23
+ ret: 0x6,
24
+ misc: 0x7
25
+ }.freeze
26
+
27
+ # types in jmp command
28
+ JMP = {
29
+ ja: 0x00,
30
+ jeq: 0x10,
31
+ jgt: 0x20,
32
+ jge: 0x30,
33
+ jset: 0x40
34
+ }.freeze
35
+
36
+ # register
37
+ SRC = {
38
+ k: 0x0,
39
+ x: 0x8,
40
+ a: 0x10
41
+ }.freeze
42
+
43
+ # seccomp action values
44
+ ACTION = {
45
+ KILL: 0x00000000,
46
+ TRAP: 0x00030000,
47
+ ERRNO: 0x00050000,
48
+ TRACE: 0x7ff00000,
49
+ ALLOW: 0x7fff0000
50
+ }.freeze
51
+
52
+ # mode used in ld / ldx
53
+ MODE = {
54
+ imm: 0x00,
55
+ abs: 0x20,
56
+ ind: 0x40,
57
+ mem: 0x60,
58
+ len: 0x80,
59
+ msh: 0xa0
60
+ }.freeze
61
+
62
+ # operation for alu
63
+ OP = {
64
+ add: 0x00,
65
+ sub: 0x10,
66
+ mul: 0x20,
67
+ div: 0x30,
68
+ or: 0x40,
69
+ and: 0x50,
70
+ lsh: 0x60,
71
+ rsh: 0x70,
72
+ neg: 0x80,
73
+ # mod: 0x90, # not support
74
+ xor: 0xa0
75
+ }.freeze
76
+
77
+ # operation for misc
78
+ MISCOP = {
79
+ tax: 0x00,
80
+ txa: 0x80
81
+ }.freeze
82
+ end
83
+
84
+ # Define syscall numbers for all architectures.
85
+ # Since the list is too long, split it to files in consts/*.rb and load them in this module.
86
+ module Syscall
87
+ module_function
88
+
89
+ # To dynamically fetch constants from files.
90
+ def const_missing(cons)
91
+ load_const(cons) || super
92
+ end
93
+
94
+ # Load from file and define const value.
95
+ def load_const(cons)
96
+ arch = cons.to_s.downcase
97
+ filename = File.join(__dir__, 'consts', "#{arch}.rb")
98
+ return unless File.exist?(filename)
99
+ const_set(cons, instance_eval(IO.read(filename)))
100
+ end
101
+ end
102
+
103
+ # Constants from https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h.
104
+ module Audit
105
+ # AUDIT_ARCH_*
106
+ ARCH = {
107
+ 'ARCH_X86_64' => 0xc000003e,
108
+ 'ARCH_I386' => 0x40000003
109
+ }.freeze
110
+ end
111
+ end
112
+ end
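Review bot: `Syscall.load_const` evaluates `consts/<name>.rb` with `instance_eval(IO.read(filename))`, so those files are executable Ruby rather than data; this is acceptable only because `cons` is always a Ruby constant name (no path separators or `..` possible) and the directory is anchored to `__dir__`, but nothing in the code says so. Add a comment above `def load_const(cons)` such as `# consts/*.rb are evaluated as Ruby code: they must remain part of the gem and never be user-supplied.`. Also, `ACTION` lists only KILL/TRAP/ERRNO/TRACE/ALLOW and stores the whole 32-bit value although the low 16 bits of a seccomp return are data (errno value or trace message), and newer kernels define further actions (e.g. `SECCOMP_RET_KILL_PROCESS` 0x80000000, `SECCOMP_RET_LOG` 0x7ffc0000); how the disassembler renders a value absent from this table is not visible here, but it should fall back to raw hex rather than raise.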
@@ -0,0 +1,335 @@
1
+ {
2
+ read: 0,
3
+ write: 1,
4
+ open: 2,
5
+ close: 3,
6
+ stat: 4,
7
+ fstat: 5,
8
+ lstat: 6,
9
+ poll: 7,
10
+ lseek: 8,
11
+ mmap: 9,
12
+ mprotect: 10,
13
+ munmap: 11,
14
+ brk: 12,
15
+ rt_sigaction: 13,
16
+ rt_sigprocmask: 14,
17
+ rt_sigreturn: 15,
18
+ ioctl: 16,
19
+ pread: 17,
20
+ pwrite: 18,
21
+ readv: 19,
22
+ writev: 20,
23
+ access: 21,
24
+ pipe: 22,
25
+ select: 23,
26
+ sched_yield: 24,
27
+ mremap: 25,
28
+ msync: 26,
29
+ mincore: 27,
30
+ madvise: 28,
31
+ shmget: 29,
32
+ shmat: 30,
33
+ shmctl: 31,
34
+ dup: 32,
35
+ dup2: 33,
36
+ pause: 34,
37
+ nanosleep: 35,
38
+ getitimer: 36,
39
+ alarm: 37,
40
+ setitimer: 38,
41
+ getpid: 39,
42
+ sendfile: 40,
43
+ socket: 41,
44
+ connect: 42,
45
+ accept: 43,
46
+ sendto: 44,
47
+ recvfrom: 45,
48
+ sendmsg: 46,
49
+ recvmsg: 47,
50
+ shutdown: 48,
51
+ bind: 49,
52
+ listen: 50,
53
+ getsockname: 51,
54
+ getpeername: 52,
55
+ socketpair: 53,
56
+ setsockopt: 54,
57
+ getsockopt: 55,
58
+ clone: 56,
59
+ fork: 57,
60
+ vfork: 58,
61
+ execve: 59,
62
+ exit: 60,
63
+ wait4: 61,
64
+ kill: 62,
65
+ uname: 63,
66
+ semget: 64,
67
+ semop: 65,
68
+ semctl: 66,
69
+ shmdt: 67,
70
+ msgget: 68,
71
+ msgsnd: 69,
72
+ msgrcv: 70,
73
+ msgctl: 71,
74
+ fcntl: 72,
75
+ flock: 73,
76
+ fsync: 74,
77
+ fdatasync: 75,
78
+ truncate: 76,
79
+ ftruncate: 77,
80
+ getdents: 78,
81
+ getcwd: 79,
82
+ chdir: 80,
83
+ fchdir: 81,
84
+ rename: 82,
85
+ mkdir: 83,
86
+ rmdir: 84,
87
+ creat: 85,
88
+ link: 86,
89
+ unlink: 87,
90
+ symlink: 88,
91
+ readlink: 89,
92
+ chmod: 90,
93
+ fchmod: 91,
94
+ chown: 92,
95
+ fchown: 93,
96
+ lchown: 94,
97
+ umask: 95,
98
+ gettimeofday: 96,
99
+ getrlimit: 97,
100
+ getrusage: 98,
101
+ sysinfo: 99,
102
+ times: 100,
103
+ ptrace: 101,
104
+ getuid: 102,
105
+ syslog: 103,
106
+ getgid: 104,
107
+ setuid: 105,
108
+ setgid: 106,
109
+ geteuid: 107,
110
+ getegid: 108,
111
+ setpgid: 109,
112
+ getppid: 110,
113
+ getpgrp: 111,
114
+ setsid: 112,
115
+ setreuid: 113,
116
+ setregid: 114,
117
+ getgroups: 115,
118
+ setgroups: 116,
119
+ setresuid: 117,
120
+ getresuid: 118,
121
+ setresgid: 119,
122
+ getresgid: 120,
123
+ getpgid: 121,
124
+ setfsuid: 122,
125
+ setfsgid: 123,
126
+ getsid: 124,
127
+ capget: 125,
128
+ capset: 126,
129
+ rt_sigpending: 127,
130
+ rt_sigtimedwait: 128,
131
+ rt_sigqueueinfo: 129,
132
+ rt_sigsuspend: 130,
133
+ sigaltstack: 131,
134
+ utime: 132,
135
+ mknod: 133,
136
+ uselib: 134,
137
+ personality: 135,
138
+ ustat: 136,
139
+ statfs: 137,
140
+ fstatfs: 138,
141
+ sysfs: 139,
142
+ getpriority: 140,
143
+ setpriority: 141,
144
+ sched_setparam: 142,
145
+ sched_getparam: 143,
146
+ sched_setscheduler: 144,
147
+ sched_getscheduler: 145,
148
+ sched_get_priority_max: 146,
149
+ sched_get_priority_min: 147,
150
+ sched_rr_get_interval: 148,
151
+ mlock: 149,
152
+ munlock: 150,
153
+ mlockall: 151,
154
+ munlockall: 152,
155
+ vhangup: 153,
156
+ modify_ldt: 154,
157
+ pivot_root: 155,
158
+ _sysctl: 156,
159
+ prctl: 157,
160
+ arch_prctl: 158,
161
+ adjtimex: 159,
162
+ setrlimit: 160,
163
+ chroot: 161,
164
+ sync: 162,
165
+ acct: 163,
166
+ settimeofday: 164,
167
+ mount: 165,
168
+ umount2: 166,
169
+ swapon: 167,
170
+ swapoff: 168,
171
+ reboot: 169,
172
+ sethostname: 170,
173
+ setdomainname: 171,
174
+ iopl: 172,
175
+ ioperm: 173,
176
+ create_module: 174,
177
+ init_module: 175,
178
+ delete_module: 176,
179
+ get_kernel_syms: 177,
180
+ query_module: 178,
181
+ quotactl: 179,
182
+ nfsservctl: 180,
183
+ getpmsg: 181,
184
+ putpmsg: 182,
185
+ afs_syscall: 183,
186
+ tuxcall: 184,
187
+ security: 185,
188
+ gettid: 186,
189
+ readahead: 187,
190
+ setxattr: 188,
191
+ lsetxattr: 189,
192
+ fsetxattr: 190,
193
+ getxattr: 191,
194
+ lgetxattr: 192,
195
+ fgetxattr: 193,
196
+ listxattr: 194,
197
+ llistxattr: 195,
198
+ flistxattr: 196,
199
+ removexattr: 197,
200
+ lremovexattr: 198,
201
+ fremovexattr: 199,
202
+ tkill: 200,
203
+ time: 201,
204
+ futex: 202,
205
+ sched_setaffinity: 203,
206
+ sched_getaffinity: 204,
207
+ set_thread_area: 205,
208
+ io_setup: 206,
209
+ io_destroy: 207,
210
+ io_getevents: 208,
211
+ io_submit: 209,
212
+ io_cancel: 210,
213
+ get_thread_area: 211,
214
+ lookup_dcookie: 212,
215
+ epoll_create: 213,
216
+ epoll_ctl_old: 214,
217
+ epoll_wait_old: 215,
218
+ remap_file_pages: 216,
219
+ getdents64: 217,
220
+ set_tid_address: 218,
221
+ restart_syscall: 219,
222
+ semtimedop: 220,
223
+ fadvise64: 221,
224
+ timer_create: 222,
225
+ timer_settime: 223,
226
+ timer_gettime: 224,
227
+ timer_getoverrun: 225,
228
+ timer_delete: 226,
229
+ clock_settime: 227,
230
+ clock_gettime: 228,
231
+ clock_getres: 229,
232
+ clock_nanosleep: 230,
233
+ exit_group: 231,
234
+ epoll_wait: 232,
235
+ epoll_ctl: 233,
236
+ tgkill: 234,
237
+ utimes: 235,
238
+ vserver: 236,
239
+ mbind: 237,
240
+ set_mempolicy: 238,
241
+ get_mempolicy: 239,
242
+ mq_open: 240,
243
+ mq_unlink: 241,
244
+ mq_timedsend: 242,
245
+ mq_timedreceive: 243,
246
+ mq_notify: 244,
247
+ mq_getsetattr: 245,
248
+ kexec_load: 246,
249
+ waitid: 247,
250
+ add_key: 248,
251
+ request_key: 249,
252
+ keyctl: 250,
253
+ ioprio_set: 251,
254
+ ioprio_get: 252,
255
+ inotify_init: 253,
256
+ inotify_add_watch: 254,
257
+ inotify_rm_watch: 255,
258
+ migrate_pages: 256,
259
+ openat: 257,
260
+ mkdirat: 258,
261
+ mknodat: 259,
262
+ fchownat: 260,
263
+ futimesat: 261,
264
+ newfstatat: 262,
265
+ unlinkat: 263,
266
+ renameat: 264,
267
+ linkat: 265,
268
+ symlinkat: 266,
269
+ readlinkat: 267,
270
+ fchmodat: 268,
271
+ faccessat: 269,
272
+ pselect6: 270,
273
+ ppoll: 271,
274
+ unshare: 272,
275
+ set_robust_list: 273,
276
+ get_robust_list: 274,
277
+ splice: 275,
278
+ tee: 276,
279
+ sync_file_range: 277,
280
+ vmsplice: 278,
281
+ move_pages: 279,
282
+ utimensat: 280,
283
+ epoll_pwait: 281,
284
+ signalfd: 282,
285
+ timerfd: 283,
286
+ eventfd: 284,
287
+ fallocate: 285,
288
+ timerfd_settime: 286,
289
+ timerfd_gettime: 287,
290
+ accept4: 288,
291
+ signalfd4: 289,
292
+ eventfd2: 290,
293
+ epoll_create1: 291,
294
+ dup3: 292,
295
+ pipe2: 293,
296
+ inotify_init1: 294,
297
+ preadv: 295,
298
+ pwritev: 296,
299
+ rt_tgsigqueueinfo: 297,
300
+ perf_event_open: 298,
301
+ recvmmsg: 299,
302
+ fanotify_init: 300,
303
+ fanotify_mark: 301,
304
+ prlimit64: 302,
305
+ name_to_handle_at: 303,
306
+ open_by_handle_at: 304,
307
+ clock_adjtime: 305,
308
+ syncfs: 306,
309
+ sendmmsg: 307,
310
+ setns: 308,
311
+ getcpu: 309,
312
+ process_vm_readv: 310,
313
+ process_vm_writev: 311,
314
+ kcmp: 312,
315
+ finit_module: 313,
316
+ sched_setattr: 314,
317
+ sched_getattr: 315,
318
+ renameat2: 316,
319
+ seccomp: 317,
320
+ getrandom: 318,
321
+ memfd_create: 319,
322
+ kexec_file_load: 320,
323
+ bpf: 321,
324
+ execveat: 322,
325
+ userfaultfd: 323,
326
+ membarrier: 324,
327
+ mlock2: 325,
328
+ copy_file_range: 326,
329
+ preadv2: 327,
330
+ pwritev2: 328,
331
+ pkey_mprotect: 329,
332
+ pkey_alloc: 330,
333
+ pkey_free: 331,
334
+ statx: 332
335
+ }
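Review bot: Three entries use names that differ from the kernel's x86_64 syscall table: numbers 17 and 18 are `pread64`/`pwrite64` (listed here as `pread`/`pwrite`) and 283 is `timerfd_create` (listed as `timerfd`). If the disassembler prints these names, its output will not round-trip through tools that resolve names the kernel way (libseccomp, strace), and a reader grepping a dumped policy for `pread64` will miss the rule; renaming the three keys fixes it, assuming nothing else in the gem depends on the short spellings. The numbering itself matches the kernel table where spot-checked (0-15, 156-166, 217, 221, 262, 283, 317-332).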