seccomp-tools 0.1.0

data/lib/seccomp-tools/dumper.rb

@@ -0,0 +1,128 @@
+require 'seccomp-tools/ptrace'
+require 'seccomp-tools/syscall'
+
+module SeccompTools
+  # Dump seccomp-bpf using ptrace of binary.
+  # Currently only support x86_64.
+  module Dumper
+    module_function
+
+    # Main bpf dump function.
+    # Yield seccomp bpf whenever find a +prctl(SET_SECCOMP)+ call.
+    #
+    # @param [Array<String>] args
+    #   The arguments for target execution file.
+    # @param [Integer] limit
+    #   By default, +dump+ will only dump the first +SET_SECCOMP+ call.
+    #   Set +limit+ to the number of calling +prctl(SET_SECCOMP)+ then the child process will be killed when number of
+    #   calling +prctl+ reaches +limit+.
+    #
+    #   Negative number for unlimited.
+    # @yieldparam [String] bpf
+    #   Seccomp bpf in raw bytes.
+    # @yieldparam [Symbol] arch
+    #   Architecture of the target process.
+    # @return [Array<Object>, Array<String>]
+    #   Return the block returned. If block is not given, array of raw bytes will be returned.
+    # @example
+    #   dump('ls', '-l', '-a')
+    #   #=> []
+    #   dump('spec/binary/twctf-2016-diary') { |c| c[0, 10] }
+    #   #=> [" \x00\x00\x00\x00\x00\x00\x00\x15\x00"]
+    # @todo
+    #   Detect execution file architecture to know which syscall number should be traced.
+    # @todo
+    #   +timeout+ option.
+    def dump(*args, limit: 1, &block)
+      pid = fork { handle_child(*args) }
+      Handler.new(pid).handle(limit, &block)
+    end
+
+    # Do the tracer things.
+    class Handler
+      def initialize(pid)
+        Process.waitpid(pid)
+        opt = Ptrace::O_TRACESYSGOOD | Ptrace::O_TRACECLONE | Ptrace::O_TRACEFORK | Ptrace::O_TRACEVFORK
+        Ptrace.setoptions(pid, 0, opt)
+        Ptrace.syscall(pid, 0, 0)
+      end
+
+      # Tracer.
+      #
+      # @param [Integer] limit
+      #   Child will be killed when number of calling +prctl(SET_SECCOMP)+ reaches +limit+.
+      # @yieldparam [String] bpf
+      #   Seccomp bpf in raw bytes.
+      # @return [Array<Object>, Array<String>]
+      #   Return the block returned. If block is not given, array of raw bytes will be returned.
+      def handle(limit, &block)
+        collect = []
+        syscalls = {} # record last syscall
+        loop while wait_syscall do |child|
+          if syscalls[child].nil? # invoke syscall
+            syscalls[child] = syscall(child)
+            next true
+          end
+          # syscall finished
+          sys = syscalls[child]
+          syscalls[child] = nil
+          if sys.set_seccomp? && syscall(child).ret.zero? # consider successful call only
+            bpf = sys.dump_bpf
+            collect << (block.nil? ? bpf : yield(bpf, sys.arch))
+            limit -= 1
+          end
+          !limit.zero?
+        end
+        syscalls.keys.each { |cpid| Process.kill('KILL', cpid) if alive?(cpid) }
+        collect
+      end
+
+      private
+
+      # @yieldparam [Integer] pid
+      # @return [Boolean]
+      #   +true+ for continue,
+      #   +false+ for break.
+      def wait_syscall
+        child, status = Process.wait2
+        cont = true
+        # TODO: Test if clone / vfork works
+        if [Ptrace::EVENT_CLONE, Ptrace::EVENT_FORK, Ptrace::EVENT_VFORK].include?(status >> 16)
+          # New child launched!
+          # newpid = SeccompTools::Ptrace.geteventmsg(child)
+        elsif status.stopped? && status.stopsig & 0x80 != 0
+          cont = yield(child)
+        end
+        Ptrace.syscall(child, 0, 0) unless status.exited?
+        return cont
+      rescue Errno::ECHILD
+        return false
+      end
+
+      # @return [SeccompTools::Syscall]
+      def syscall(pid)
+        SeccompTools::Syscall.new(pid)
+      end
+
+      def alive?(pid)
+        Process.getpgid(pid)
+        true
+      rescue Errno::ESRCH
+        false
+      end
+    end
+
+    class << self
+      private
+
+      def handle_child(*args)
+        Ptrace.traceme_and_stop
+        exec(*args)
+      rescue # exec fail
+        # TODO: use logger
+        $stderr.puts("Failed to execute #{args.join(' ')}")
+        exit(1)
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/alu.rb

@@ -0,0 +1,42 @@
+require 'seccomp-tools/instruction/base'
+
+module SeccompTools
+  module Instruction
+    # Instruction alu.
+    class ALU < Base
+      # Decompile instruction.
+      def decompile
+        return 'A = -A' if op == :neg
+        "A #{op_sym}= #{src}"
+      end
+
+      private
+
+      def op
+        o = OP.invert[code & 0xf0]
+        invalid('unknown op') if o.nil?
+        o
+      end
+
+      def op_sym
+        case op
+        when :add then :+
+        when :sub then :-
+        when :mul then :*
+        when :div then :/
+        when :or  then :|
+        when :and then :&
+        when :lsh then :<<
+        when :rsh then :>>
+        # when :neg then :- # should not invoke this method
+        # when :mod then :% # unsupported
+        when :xor then :^
+        end
+      end
+
+      def src
+        SRC.invert[code & 0x8] == :k ? k : 'X'
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/base.rb

@@ -0,0 +1,30 @@
+require 'seccomp-tools/const'
+
+module SeccompTools
+  # For instructions' class.
+  module Instruction
+    # Base class for different instruction.
+    class Base
+      include SeccompTools::Const::BPF
+
+      # @param [SeccompTools::BPF] bpf
+      #   An instruction.
+      def initialize(bpf)
+        @bpf = bpf
+      end
+
+      # @raise [ArgumentError]
+      def invalid(msg = 'unknown')
+        raise ArgumentError, "Line #{line} is invalid: #{msg}"
+      end
+
+      private
+
+      %i(code jt jf k arch line contexts).each do |sym|
+        define_method(sym) do
+          @bpf.send(sym)
+        end
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/instruction.rb

@@ -0,0 +1,8 @@
+require 'seccomp-tools/instruction/alu'
+require 'seccomp-tools/instruction/jmp'
+require 'seccomp-tools/instruction/ld'
+require 'seccomp-tools/instruction/ldx'
+require 'seccomp-tools/instruction/misc'
+require 'seccomp-tools/instruction/ret'
+require 'seccomp-tools/instruction/st'
+require 'seccomp-tools/instruction/stx'

data/lib/seccomp-tools/instruction/jmp.rb

@@ -0,0 +1,76 @@
+require 'seccomp-tools/const'
+require 'seccomp-tools/instruction/base'
+
+module SeccompTools
+  module Instruction
+    # Instruction jmp.
+    class JMP < Base
+      # Decompile instruction.
+      def decompile
+        return goto(k) if jop == :none
+        # if jt == 0 && jf == 0 => no-op # should not happen
+        # jt == 0 => if(!) goto jf
+        # jf == 0 => if() goto jt;
+        # otherwise => if () goto jt; else goto jf;
+        return '/* no-op */' if jt.zero? && jf.zero?
+        return goto(jt) if jt == jf
+        return if_str + goto(jt) + ' else ' + goto(jf) unless jt.zero? || jf.zero?
+        return if_str + goto(jt) if jf.zero?
+        if_str(true) + goto(jf)
+      end
+
+      # @return [Array<(Integer, Context)>]
+      def branch(context)
+        return [[at(k), context]] if jop == :none
+        return [[at(jt), context]] if jt == jf
+        [[at(jt), context], [at(jf), context]]
+      end
+
+      private
+
+      def jop
+        case Const::BPF::JMP.invert[code & 0x70]
+        when :ja then :none
+        when :jgt then :>
+        when :jge then :>=
+        when :jeq then :==
+        when :jset then :&
+        else invalid('unknown jmp type')
+        end
+      end
+
+      def src_str
+        return 'X' if SRC.invert[code & 8] == :x
+        # if A in all contexts are same
+        a = contexts.map(&:a).uniq
+        return k.to_s if a.size != 1
+        a = a[0]
+        return k.to_s unless a.instance_of?(Array) && a.first == :data
+        case a.last
+        when 0 then Util.colorize((Const::Syscall.const_get(arch.upcase.to_sym).invert[k] || k).to_s, t: :syscall)
+        when 4 then Util.colorize(Const::Audit::ARCH.invert[k] || k.to_s(16), t: :arch)
+        else '0x' + k.to_s(16)
+        end
+      end
+
+      def goto(off)
+        format('goto %04d', at(off))
+      end
+
+      def at(off)
+        line + off + 1
+      end
+
+      def if_str(neg = false)
+        return "if (A #{jop} #{src_str}) " unless neg
+        return "if (!(A & #{src_str})) " if jop == :&
+        op = case jop
+             when :>= then :<
+             when :> then :<=
+             when :== then :!=
+             end
+        "if (A #{op} #{src_str}) "
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/ld.rb

@@ -0,0 +1,69 @@
+require 'seccomp-tools/instruction/base'
+
+module SeccompTools
+  module Instruction
+    # Instruction ld.
+    class LD < Base
+      # Decompile instruction.
+      def decompile
+        ret = reg + ' = '
+        type = load_val
+        return ret + type[:val].to_s if type[:rel] == :immi
+        return ret + "mem[#{type[:val]}]" if type[:rel] == :mem
+        ret + seccomp_data_str
+      end
+
+      # Accumulator register.
+      # @return ['A']
+      def reg
+        'A'
+      end
+
+      # @return [Array<(Integer, Context)>]
+      def branch(context)
+        nctx = context.dup
+        type = load_val
+        nctx[reg] = case type[:rel]
+                    when :immi then type[:val]
+                    when :mem then context.mem[type[:val]]
+                    when :data then [:data, type[:val]]
+                    end
+        [[line + 1, nctx]]
+      end
+
+      private
+
+      def mode
+        @mode ||= MODE.invert[code & 0xe0]
+        # Seccomp doesn't support this mode
+        invalid if @mode.nil? || @mode == :ind
+        @mode
+      end
+
+      def load_val
+        return { rel: :immi, val: k } if mode == :imm
+        return { rel: :immi, val: SIZEOF_SECCOMP_DATA } if mode == :len
+        return { rel: :mem, val: k } if mode == :mem
+        { rel: :data, val: k }
+      end
+
+      # struct seccomp_data {
+      #   int nr;
+      #   __u32 arch;
+      #   __u64 instruction_pointer;
+      #   __u64 args[6];
+      # };
+      def seccomp_data_str
+        case k
+        when 0 then 'sys_number'
+        when 4 then 'arch'
+        when 8 then 'instruction_pointer'
+        else
+          idx = Array.new(12) { |i| i * 4 + 16 }.index(k)
+          return 'INVALID' if idx.nil?
+          idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+        end
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/ldx.rb

@@ -0,0 +1,14 @@
+require 'seccomp-tools/instruction/ld'
+
+module SeccompTools
+  module Instruction
+    # Instruction ldx.
+    class LDX < LD
+      # Index register.
+      # @return ['X']
+      def reg
+        'X'
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/misc.rb

@@ -0,0 +1,24 @@
+require 'seccomp-tools/instruction/base'
+
+module SeccompTools
+  module Instruction
+    # Instruction misc.
+    class MISC < Base
+      # Decompile instruction.
+      def decompile
+        case op
+        when :txa then 'A = X'
+        when :tax then 'X = A'
+        end
+      end
+
+      private
+
+      def op
+        o = MISCOP.invert[code & 0xf8]
+        invalid('MISC operation only supports txa/tax') if o.nil?
+        o
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/ret.rb

@@ -0,0 +1,19 @@
+require 'seccomp-tools/instruction/base'
+
+module SeccompTools
+  module Instruction
+    # Instruction ret.
+    class RET < Base
+      # Decompile instruction.
+      def decompile
+        return 'return A' if code & 0x18 == SRC[:a]
+        "return #{ACTION.invert[k & 0x7fff0000]}"
+      end
+
+      # @return [[]]
+      def branch(*)
+        []
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/st.rb

@@ -0,0 +1,20 @@
+require 'seccomp-tools/instruction/ld'
+
+module SeccompTools
+  module Instruction
+    # Instruction st.
+    class ST < LD
+      # Decompile instruction.
+      def decompile
+        "mem[#{k}] = #{reg}"
+      end
+
+      # @return [Array<(Integer, Context)>]
+      def branch(context)
+        ctx = context.dup
+        ctx.mem[k] = ctx[reg]
+        [[line + 1, ctx]]
+      end
+    end
+  end
+end

data/lib/seccomp-tools/instruction/stx.rb

@@ -0,0 +1,14 @@
+require 'seccomp-tools/instruction/st'
+
+module SeccompTools
+  module Instruction
+    # Instruction stx.
+    class STX < ST
+      # Index register.
+      # @return ['X']
+      def reg
+        'X'
+      end
+    end
+  end
+end