seccomp-tools 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: afb07d55f6cf7b437b6829709c0897af34ae112e
-  data.tar.gz: 72b290bd53662794f8b588d59912733096d7d79d
+  metadata.gz: bd34a83058ba2aee13d7ddc08a6547fc70eac825
+  data.tar.gz: 0e07f97dfc60b2a21a26a584eadaae86055c3578
 SHA512:
-  metadata.gz: 0d38df515ef8dc6474b3b407be4c3e0959cd2e28227e863c3826d8b437154c65ca7e5b385d1db4ba6ae1010f1058c25b089d2918bbe6b6b805a9bbdbe438ad07
-  data.tar.gz: 54730dafe8e3a77743f0d2eaa8cb947767d00b9aa3b5f2cd4a8d77386eb65decc664f74d84998d7630c7216a985cf8d8e7ca7345a63eae99aa3d9ae449d495db
+  metadata.gz: 1415f2f48d7a626f3390f0a6705871da51448c92a086c6321bd201e7d5666be1f1691b561d0fbbf91265419905b44052fa1a89d7f59140ff922cba15c737549e
+  data.tar.gz: c5496c8708fb0f88e8dca0b967bcedd5221bc66ccdc0fd2f93f45d3b76ed8e8446677f5694b1c34d2ce2b4bfa18a12fb56e433187c8ece9d2dc7f9f719e21c5b

data/README.md

@@ -16,14 +16,16 @@ Some features might be CTF-specific, but still useful for analysis of seccomp in
 * Disasm - Convert bpf to human readable format.
   - Simple decompile.
   - Show syscall names.
-  - (TODO) Simplify disassemble result.
+* Emu - Emulate seccomp rules.
 * (TODO) Solve constraints for executing syscalls (e.g. `execve/open/read/write`).
 * Support multi-architectures.
 
 ## Installation
 
-Will be available on RubyGems.org!
-(TODO)
+Available on RubyGems.org!
+```
+$ gem install seccomp-tools
+```
 
 ## Command Line Interface
 
@@ -36,7 +38,8 @@ $ seccomp-tools --help
 # List of commands:
 #
 # 	dump	Automatically dump seccomp bpf from execution file.
-# 	disasm	Disassembly seccomp bpf.
+# 	disasm	Disassemble seccomp bpf.
+# 	emu	Emulate seccomp rules.
 #
 # See 'seccomp-tools --help <command>' to read about a specific subcommand.
 
@@ -139,11 +142,46 @@ $ seccomp-tools disasm spec/data/twctf-2016-diary.bpf
 
 ```
 
+### Emu
+
+Emulate seccomp given `sys_nr`, `arg0`, `arg1`, etc.
+```bash
+$ seccomp-tools emu --help
+# emu - Emulate seccomp rules.
+#
+# Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]
+#     -a, --arch ARCH                  Specify architecture.
+#                                      Supported architectures are <amd64|i386>.
+#     -q, --[no-]quiet                 Run quietly, only show emulation result.
+
+$ seccomp-tools emu spec/data/libseccomp.bpf 0x3
+#  line  CODE  JT   JF      K
+# =================================
+#  0000: 0x20 0x00 0x00 0x00000004  A = arch
+#  0001: 0x15 0x00 0x08 0xc000003e  if (A != ARCH_X86_64) goto 0010
+#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number
+#  0003: 0x35 0x06 0x00 0x40000000  if (A >= 0x40000000) goto 0010
+#  0004: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0009
+#  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009
+#  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009
+#  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
+#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO
+#  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
+#  0010: 0x06 0x00 0x00 0x00000000  return KILL
+#
+# return ALLOW at line 0009
+
+```
+
 ## Screenshots
 
 ### Dump
 ![dump](https://github.com/david942j/seccomp-tools/blob/master/examples/dump-diary.png?raw=true)
 
+### Emu
+![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-libseccomp.png?raw=true)
+
+![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-amigo.png?raw=true)
 
 ## I Need You
 Any suggestion or feature request is welcome!

data/lib/seccomp-tools/bpf.rb

@@ -4,10 +4,22 @@ require 'seccomp-tools/instruction/instruction'
 module SeccompTools
   # Define the +struct sock_filter+, while more powerful.
   class BPF
-    attr_reader :line, :code, :jt, :jf, :k, :arch
-    # @return [Array<SeccompTools::Context>]
+    # @return [Integer] Line number.
+    attr_reader :line
+    # @return [Integer] BPF code.
+    attr_reader :code
+    # @return [Integer] BPF JT.
+    attr_reader :jt
+    # @return [Integer] BPF JF.
+    attr_reader :jf
+    # @return [Integer] BPF K.
+    attr_reader :k
+    # @return [Symbol] Architecture.
+    attr_reader :arch
+    # @return [Set<Context>] Possible contexts before this instruction.
     attr_accessor :contexts
 
+    # Instantiate a {BPF} object.
     # @param [String] raw
     #   One +struct sock_filter+ in bytes, should exactly 8 bytes.
     # @param [Symbol] arch
@@ -22,6 +34,7 @@ module SeccompTools
       @k = io.read(4).unpack('L').first
       @arch = arch
       @line = line
+      @contexts = Set.new
     end
 
     # Pretty display the disassemble result.
@@ -31,12 +44,16 @@ module SeccompTools
              line, code, jt, jf, k, decompile)
     end
 
+    # Command according to +code+.
     # @return [Symbol]
+    #   See {Const::BPF::COMMAND} for list of commands.
     def command
       Const::BPF::COMMAND.invert[code & 7]
     end
 
+    # Decompile.
     # @return [String]
+    #   Decompile string.
     def decompile
       inst.decompile
     end
@@ -49,12 +66,11 @@ module SeccompTools
     #   Context after this instruction.
     # @return [void]
     def branch(context, &block)
-      # TODO: consider alu
       inst.branch(context).each(&block)
     end
 
-    private
-
+    # Corresponding instruction object.
+    # @return [SeccompTools::Instruction::Base]
     def inst
       @inst ||= case command
                 when :alu  then SeccompTools::Instruction::ALU

data/lib/seccomp-tools/cli/base.rb

@@ -1,10 +1,19 @@
 require 'optparse'
 
+require 'seccomp-tools/util'
+
 module SeccompTools
   module CLI
     # Base class for handlers.
     class Base
-      attr_reader :option, :argv
+      # @return [Hash{Symbol => Object}] Options.
+      attr_reader :option
+      # @return [Array<String>] Arguments array.
+      attr_reader :argv
+
+      # Instantiate a {Base} object.
+      # @param [Array<String>] argv
+      #   Arguments array.
       def initialize(argv)
         @option = {}
         @argv = argv
@@ -22,15 +31,19 @@ module SeccompTools
       end
 
       # Write data to stdout or file(s).
-      # @param [String] data
-      #   Data.
+      # @yieldreturn [String]
+      #   The data to be written.
       # @return [void]
-      def output(data)
+      def output
         # if file name not present, just output to stdout.
-        return $stdout.write(data) if option[:ofile].nil?
+        return $stdout.write(yield) if option[:ofile].nil?
         # times of calling output
         @serial ||= 0
-        IO.binwrite(file_of(option[:ofile], @serial), data)
+        # Write to file, we should disable colorize
+        enabled = Util.colorize_enabled?
+        Util.disable_color! if enabled
+        IO.binwrite(file_of(option[:ofile], @serial), yield)
+        Util.enable_color! if enabled
         @serial += 1
       end
 
@@ -62,6 +75,14 @@ module SeccompTools
       def usage
         self.class.const_get(:USAGE)
       end
+
+      def option_arch(opt)
+        supported = Util.supported_archs
+        opt.on('-a', '--arch ARCH', supported, 'Specify architecture.',
+               "Supported architectures are <#{supported.join('|')}>.") do |a|
+          option[:arch] = a
+        end
+      end
     end
   end
 end

data/lib/seccomp-tools/cli/cli.rb

@@ -1,5 +1,6 @@
 require 'seccomp-tools/cli/disasm'
 require 'seccomp-tools/cli/dump'
+require 'seccomp-tools/cli/emu'
 require 'seccomp-tools/version'
 
 module SeccompTools
@@ -8,7 +9,8 @@ module SeccompTools
     # Handled commands
     COMMANDS = {
       'dump' => SeccompTools::CLI::Dump,
-      'disasm' => SeccompTools::CLI::Disasm
+      'disasm' => SeccompTools::CLI::Disasm,
+      'emu' => SeccompTools::CLI::Emu
     }.freeze
 
     # Main usage message.

data/lib/seccomp-tools/cli/disasm.rb

@@ -1,13 +1,12 @@
 require 'seccomp-tools/cli/base'
-require 'seccomp-tools/disasm'
-require 'seccomp-tools/util'
+require 'seccomp-tools/disasm/disasm'
 
 module SeccompTools
   module CLI
     # Handle 'dump' command.
     class Disasm < Base
       # Summary of this command.
-      SUMMARY = 'Disassembly seccomp bpf.'.freeze
+      SUMMARY = 'Disassemble seccomp bpf.'.freeze
       # Usage of this command.
       USAGE = ('disasm - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools disasm BPF_FILE [options]').freeze
 
@@ -20,11 +19,7 @@ module SeccompTools
             option[:ofile] = o
           end
 
-          supported = Util.supported_archs
-          opt.on('-a', '--arch ARCH', supported, 'Specify architecture.',
-                 "Supported architectures are <#{supported.join('|')}>.") do |a|
-            option[:arch] = a
-          end
+          option_arch(opt)
         end
       end
 
@@ -34,7 +29,7 @@ module SeccompTools
         return unless super
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
-        output(SeccompTools::Disasm.disasm(IO.binread(option[:ifile]), arch: option[:arch]))
+        output { SeccompTools::Disasm.disasm(IO.binread(option[:ifile]), arch: option[:arch]) }
       end
     end
   end

data/lib/seccomp-tools/cli/dump.rb

@@ -1,5 +1,5 @@
 require 'seccomp-tools/cli/base'
-require 'seccomp-tools/disasm'
+require 'seccomp-tools/disasm/disasm'
 require 'seccomp-tools/dumper'
 
 module SeccompTools
@@ -55,9 +55,9 @@ module SeccompTools
         option[:command] = argv.shift unless argv.empty?
         SeccompTools::Dumper.dump('/bin/sh', '-c', option[:command], limit: option[:limit]) do |bpf, arch|
           case option[:format]
-          when :inspect then output('"' + bpf.bytes.map { |b| format('\\x%02X', b) }.join + "\"\n")
-          when :raw then output(bpf)
-          when :disasm then output(SeccompTools::Disasm.disasm(bpf, arch: arch))
+          when :inspect then output { '"' + bpf.bytes.map { |b| format('\\x%02X', b) }.join + "\"\n" }
+          when :raw then output { bpf }
+          when :disasm then output { SeccompTools::Disasm.disasm(bpf, arch: arch) }
           end
         end
       end

data/lib/seccomp-tools/cli/emu.rb

@@ -0,0 +1,79 @@
+require 'set'
+
+require 'seccomp-tools/cli/base'
+require 'seccomp-tools/disasm/disasm'
+require 'seccomp-tools/emulator'
+require 'seccomp-tools/util'
+
+module SeccompTools
+  module CLI
+    # Handle 'emu' command.
+    class Emu < Base
+      # Summary of this command.
+      SUMMARY = 'Emulate seccomp rules.'.freeze
+      # Usage of this command.
+      USAGE = ('emu - ' +
+               SUMMARY +
+               "\n\n" \
+               'Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]').freeze
+
+      def initialize(*)
+        super
+        option[:verbose] = 1
+      end
+
+      # Define option parser.
+      # @return [OptionParser]
+      def parser
+        @parser ||= OptionParser.new do |opt|
+          opt.banner = usage
+
+          option_arch(opt)
+
+          opt.on('-q', '--[no-]quiet', 'Run quietly, only show emulation result.') do |v|
+            option[:verbose] = 0 if v
+          end
+        end
+      end
+
+      # Handle options.
+      # @return [void]
+      def handle
+        return unless super
+        option[:ifile] = argv.shift
+        return CLI.show(parser.help) if option[:ifile].nil?
+        raw = IO.binread(option[:ifile])
+        insts = SeccompTools::Disasm.to_bpf(raw, option[:arch]).map(&:inst)
+        disasm = SeccompTools::Disasm.disasm(raw, arch: option[:arch])
+        sys, *args = argv
+        sys = Integer(sys) if sys
+        args.map! { |v| Integer(v) }
+        trace = Set.new
+        res = SeccompTools::Emulator.new(insts, sys_nr: sys, args: args, arch: option[:arch]).run do |ctx|
+          trace << ctx[:pc]
+        end
+
+        if option[:verbose] >= 1
+          disasm = disasm.lines
+          output { disasm.shift }
+          output { disasm.shift }
+          disasm.each_with_index do |line, idx|
+            output do
+              next line if trace.member?(idx)
+              Util.colorize(line, t: :gray)
+            end
+            # Too much remain, omit them.
+            rem = disasm.size - idx - 1
+            break output { Util.colorize("... (omitting #{rem} lines)\n", t: :gray) } if rem > 3 && idx > res[:pc] + 4
+          end
+          output { "\n" }
+        end
+        output do
+          ret_type = Const::BPF::ACTION.invert[res[:ret] & 0x7fff0000]
+          errno = ret_type == :ERRNO ? "(#{res[:ret] & 0xffff})" : ''
+          format("return %s%s at line %04d\n", ret_type, errno, res[:pc])
+        end
+      end
+    end
+  end
+end

data/lib/seccomp-tools/const.rb

@@ -87,11 +87,18 @@ module SeccompTools
       module_function
 
       # To dynamically fetch constants from files.
+      # @param [Symbol] cons
+      #   Name of const.
+      # @return [Object]
+      #   Value of that +cons+.
       def const_missing(cons)
         load_const(cons) || super
       end
 
       # Load from file and define const value.
+      # @param [Symbol] cons
+      #   Name of const.
+      # @return [Object]
       def load_const(cons)
         arch = cons.to_s.downcase
         filename = File.join(__dir__, 'consts', "#{arch}.rb")

data/lib/seccomp-tools/disasm/context.rb

@@ -0,0 +1,80 @@
+module SeccompTools
+  module Disasm
+    # Context for disassembler to analyze.
+    #
+    # This context only care if +reg/mem+ can be one of +data[*]+.
+    class Context
+      # @return [Hash{Integer, Symbol => Integer?}] Records reg and mem values.
+      attr_reader :values
+
+      # Instantiate a {Context} object.
+      # @param [Integer?] a
+      #   Value to be set to +A+ register.
+      # @param [Integer?] x
+      #   Value to be set to +X+ register.
+      # @param [Hash{Integer => Integer?}] mem
+      #   Value to be set to +mem+.
+      def initialize(a: nil, x: nil, mem: {})
+        @values = mem
+        16.times { |i| @values[i] ||= nil } # make @values always has all keys
+        @values[:a] = a
+        @values[:x] = x
+      end
+
+      # Implement a deep dup.
+      # @return [Context]
+      def dup
+        Context.new(a: a, x: x, mem: values.dup)
+      end
+
+      # Register A.
+      # @return [Integer?]
+      def a
+        values[:a]
+      end
+
+      # Register X.
+      # @return [Integer?]
+      def x
+        values[:x]
+      end
+
+      # For conveniently get instance variable.
+      # @param [String, Symbol, Integer] key
+      # @return [Integer?]
+      def [](key)
+        return values[key] if key.is_a?(Integer) # mem
+        values[key.downcase.to_sym]
+      end
+
+      # For conveniently set instance variable.
+      # @param [#downcase, Integer] key
+      #   Can be +'A', 'a', :a, 'X', 'x', :x+ or an integer.
+      # @param [Integer?] val
+      #   Value to set.
+      # @return [void]
+      def []=(key, val)
+        if key.is_a?(Integer)
+          raise RangeError, "Expect 0 <= key < 16, got #{key}." unless key.between?(0, 15)
+          raise RangeError, "Expect 0 <= val < 64, got #{val}." unless val.nil? || val.between?(0, 63)
+          values[key] = val
+        else
+          values[key.downcase.to_sym] = val
+        end
+      end
+
+      # For +Set+ to compare two {Context} object.
+      # @param [Context] other
+      # @return [Boolean]
+      def eql?(other)
+        values.eql?(other.values)
+      end
+
+      # For +Set+ to get hash key.
+      # @return [Integer]
+      def hash
+        values.hash
+      end
+    end
+  end
+end

data/lib/seccomp-tools/disasm/disasm.rb

@@ -0,0 +1,46 @@
+require 'set'
+
+require 'seccomp-tools/bpf'
+require 'seccomp-tools/disasm/context'
+require 'seccomp-tools/util'
+
+module SeccompTools
+  # Disassembler of seccomp bpf.
+  module Disasm
+    module_function
+
+    # Disassemble bpf codes.
+    # @param [String] raw
+    #   The raw bpf bytes.
+    # @param [Symbol] arch
+    #   Architecture.
+    def disasm(raw, arch: nil)
+      codes = to_bpf(raw, arch)
+      contexts = Array.new(codes.size) { Set.new }
+      contexts[0].add(Context.new)
+      # all we care is if A is exactly one of data[*]
+      dis = codes.zip(contexts).map do |code, ctxs|
+        ctxs.each do |ctx|
+          code.branch(ctx) do |pc, c|
+            contexts[pc].add(c) unless pc >= contexts.size
+          end
+        end
+        code.contexts = ctxs
+        code.disasm
+      end.join("\n")
+      <<EOS + dis + "\n"
+ line  CODE  JT   JF      K
+=================================
+EOS
+    end
+
+    # Convert raw bpf string to array of {BPF}.
+    # @param [String] raw
+    # @param [Symbol] arch
+    # @return [Array<BPF>]
+    def to_bpf(raw, arch)
+      arch ||= Util.system_arch
+      raw.scan(/.{8}/m).map.with_index { |b, i| BPF.new(b, arch, i) }
+    end
+  end
+end

data/lib/seccomp-tools/dumper.rb

@@ -30,8 +30,6 @@ module SeccompTools
     #   dump('spec/binary/twctf-2016-diary') { |c| c[0, 10] }
     #   #=> [" \x00\x00\x00\x00\x00\x00\x00\x15\x00"]
     # @todo
-    #   Detect execution file architecture to know which syscall number should be traced.
-    # @todo
     #   +timeout+ option.
     def dump(*args, limit: 1, &block)
       pid = fork { handle_child(*args) }
@@ -40,6 +38,9 @@ module SeccompTools
 
     # Do the tracer things.
     class Handler
+      # Instantiate a {Handler} object.
+      # @param [Integer] pid
+      #   The process id after fork.
       def initialize(pid)
         Process.waitpid(pid)
         opt = Ptrace::O_TRACESYSGOOD | Ptrace::O_TRACECLONE | Ptrace::O_TRACEFORK | Ptrace::O_TRACEVFORK

data/lib/seccomp-tools/emulator.rb

@@ -0,0 +1,155 @@
+require 'seccomp-tools/const'
+
+module SeccompTools
+  # For emulation seccomp.
+  class Emulator
+    # Instantiate a {Emulator} object.
+    #
+    # All parameters except +instructions+ are optional, while a warning will be shown if unset data being accessed.
+    # @param [Array<Instruction::Base>] instructions
+    # @param [Integer] sys_nr
+    #   Syscall number.
+    # @param [Array<Integer>] args
+    #   Syscall arguments
+    # @param [Integer] instruction_pointer
+    #   Program counter address when this syscall invoked.
+    # @param [Symbol] arch
+    #   If not given, use system architecture as default.
+    #
+    #   See {SeccompTools::Util.supported_archs} for list of supported architectures.
+    def initialize(instructions, sys_nr: nil, args: [], instruction_pointer: nil, arch: nil)
+      @instructions = instructions
+      @sys_nr = sys_nr
+      @args = args
+      @ip = instruction_pointer
+      @arch = audit(arch || Util.system_arch)
+    end
+
+    # Run emulation!
+    # @return [Hash{Symbol, Integer => Integer}]
+    def run
+      @values = { pc: 0 }
+      loop do
+        break if @values[:ret] # break when returned
+        yield(@values) if block_given?
+        inst = @instructions[pc]
+        op, *args = inst.symbolize
+        case op
+        when :ret then ret(args.first) # ret
+        when :ld then ld(args[0], args[1]) # ld/ldx
+        when :st then st(args[0], args[1]) # st/stx
+        when :jmp then jmp(args[0]) # directly jmp
+        when :cmp then cmp(*args[0, 4]) # jmp with comparsion
+        when :alu then alu(args[0], args[1]) # alu
+        when :misc then misc(args[0]) # misc: txa/tax
+        end
+        set(:pc, get(:pc) + 1) if %i[ld st alu misc].include?(op)
+      end
+      @values
+    end
+
+    private
+
+    def pc
+      @values[:pc]
+    end
+
+    def audit(arch)
+      type = case arch
+             when :amd64 then 'ARCH_X86_64'
+             when :i386 then 'ARCH_I386'
+             end
+      Const::Audit::ARCH[type]
+    end
+
+    def ret(num)
+      set(:ret, num == :a ? get(:a) : num)
+    end
+
+    # @param [:a, :x] dst
+    # @param [{rel: <:mem, :immi, :data>, val: Integer}] src
+    def ld(dst, src)
+      val = case src[:rel]
+            when :immi then src[:val]
+            when :mem then get(:mem, src[:val])
+            when :data then get(:data, src[:val])
+            end
+      set(dst, val)
+    end
+
+    def st(reg, index)
+      raise IndexError, "Expect 0 <= index < 16, got: #{index}" unless index.between?(0, 15)
+      set(:mem, index, get(reg))
+    end
+
+    def jmp(k)
+      set(:pc, get(:pc) + k + 1)
+    end
+
+    def cmp(op, src, jt, jf)
+      src = get(:x) if src == :x
+      a = get(:a)
+      val = a.send(op, src)
+      val = (val != 0) if val.is_a?(Integer) # handle & operator
+      j = val ? jt : jf
+      set(:pc, get(:pc) + j + 1)
+    end
+
+    def alu(op, src)
+      if op == :neg
+        set(:a, 2**32 - get(:a))
+      else
+        src = get(:x) if src == :x
+        set(:a, get(:a).send(op, src))
+      end
+    end
+
+    def misc(op)
+      case op
+      when :txa then set(:a, get(:x))
+      when :tax then set(:x, get(:a))
+      end
+    end
+
+    def set(*arg, val)
+      if arg.size == 1
+        arg = arg.first
+        raise ArgumentError, "Invalid #{arg}" unless %i[a x pc ret].include?(arg)
+        @values[arg] = val & 0xffffffff
+      else
+        raise ArgumentError, arg.to_s unless arg.first == :mem
+        raise IndexError, "Invalid index: #{arg[1]}" unless arg[1].between?(0, 15)
+        @values[arg[1]] = val & 0xffffffff
+      end
+    end
+
+    def get(*arg)
+      if arg.size == 1
+        arg = arg.first
+        raise ArgumentError, "Invalid #{arg}" unless %i[a x pc ret].include?(arg)
+        undefined(arg.upcase) if @values[arg].nil?
+        return @values[arg]
+      end
+      return @values[arg[1]] if arg.first == :mem
+      data_of(arg[1])
+    end
+
+    def data_of(index)
+      raise IndexError, "Invalid index: #{index}" unless (index & 3).zero? && index.between?(0, 63)
+      index /= 4
+      case index
+      when 0 then @sys_nr || undefined('sys_number')
+      when 1 then @arch || undefined('arch')
+      when 2 then @ip & 0xffffffff || undefined('instruction_pointer')
+      when 3 then @ip >> 32 || undefined('instruction_pointer')
+      else
+        val = @args[(index - 4) / 2] || undefined("args[#{(index - 4) / 2}]")
+        (val >> (index.even? ? 0 : 32)) & 0xffffffff
+      end
+    end
+
+    def undefined(var)
+      raise format("Undefined Variable\n\t%04d: %s <- `%s` is undefined", pc, @instructions[pc].decompile, var)
+    end
+  end
+end

data/lib/seccomp-tools/instruction/alu.rb

@@ -7,7 +7,24 @@ module SeccompTools
       # Decompile instruction.
       def decompile
         return 'A = -A' if op == :neg
-        "A #{op_sym}= #{src}"
+        "A #{op_sym}= #{src_str}"
+      end
+
+      # See {Instruction::Base#symbolize}.
+      # @return [[:alu, Symbol, (:x, Integer, nil)]]
+      def symbolize
+        return [:alu, :neg, nil] if op == :neg
+        [:alu, op_sym, src]
+      end
+
+      # See {Base#branch}.
+      # @param [Context] context
+      #   Current context.
+      # @return [Array<(Integer, Context)>]
+      def branch(context)
+        ctx = context.dup
+        ctx[:a] = nil
+        [[line + 1, ctx]]
       end
 
       private
@@ -34,8 +51,12 @@ module SeccompTools
         end
       end
 
+      def src_str
+        src == :x ? 'X' : src.to_s
+      end
+
       def src
-        SRC.invert[code & 0x8] == :k ? k : 'X'
+        SRC.invert[code & 0x8] == :k ? k : :x
       end
     end
   end

data/lib/seccomp-tools/instruction/base.rb

@@ -7,17 +7,42 @@ module SeccompTools
     class Base
       include SeccompTools::Const::BPF
 
+      # Instantiate a {Base} object.
       # @param [SeccompTools::BPF] bpf
       #   An instruction.
       def initialize(bpf)
         @bpf = bpf
       end
 
+      # Helper to raise exception with message.
+      # @param [String] msg
+      #   Error message.
       # @raise [ArgumentError]
       def invalid(msg = 'unknown')
         raise ArgumentError, "Line #{line} is invalid: #{msg}"
       end
 
+      # Return the possible branches after executing this instruction.
+      # @param [Context] _context
+      #   Current context.
+      # @return [Array<(Integer, Context)>]
+      # @example
+      #   # For ALU, LD, LDX, ST, STX
+      #   inst.line #=> 10
+      #   inst.branch(ctx)
+      #   #=> [[11, ctx]]
+      def branch(_context); raise NotImplmentedError
+      end
+
+      # Return tokens stand for this instruction.
+      # @return [Array<Symbol, Integer>]
+      # @example
+      #   ret_a.symbolize #=> [:ret, :a]
+      #   ret_k.symbolize #=> [:ret, 0x7fff0000]
+      #   jeq.symbolize #=> [:cmp, :==, 0, 0, 1]
+      def symbolize; raise NotImplmentedError
+      end
+
       private
 
       %i(code jt jf k arch line contexts).each do |sym|

data/lib/seccomp-tools/instruction/jmp.rb

@@ -19,6 +19,16 @@ module SeccompTools
         if_str(true) + goto(jf)
       end
 
+      # See {Instruction::Base#symbolize}.
+      # @return [[:cmp, Symbol, (:x, Integer), Integer, Integer], [:jmp, Integer]]
+      def symbolize
+        return [:jmp, k] if jop == :none
+        [:cmp, jop, src, jt, jf]
+      end
+
+      # See {Base#branch}.
+      # @param [Context] context
+      #   Current context.
       # @return [Array<(Integer, Context)>]
       def branch(context)
         return [[at(k), context]] if jop == :none
@@ -40,19 +50,24 @@ module SeccompTools
       end
 
       def src_str
-        return 'X' if SRC.invert[code & 8] == :x
+        return 'X' if src == :x
         # if A in all contexts are same
         a = contexts.map(&:a).uniq
         return k.to_s if a.size != 1
         a = a[0]
-        return k.to_s unless a.instance_of?(Array) && a.first == :data
-        case a.last
-        when 0 then Util.colorize((Const::Syscall.const_get(arch.upcase.to_sym).invert[k] || k).to_s, t: :syscall)
-        when 4 then Util.colorize(Const::Audit::ARCH.invert[k] || k.to_s(16), t: :arch)
-        else '0x' + k.to_s(16)
+        return k.to_s if a.nil?
+        hex = '0x' + k.to_s(16)
+        case a
+        when 0 then Util.colorize(Const::Syscall.const_get(arch.upcase.to_sym).invert[k] || hex, t: :syscall)
+        when 4 then Util.colorize(Const::Audit::ARCH.invert[k] || hex, t: :arch)
+        else hex
         end
       end
 
+      def src
+        SRC.invert[code & 8] == :x ? :x : k
+      end
+
       def goto(off)
         format('goto %04d', at(off))
       end

data/lib/seccomp-tools/instruction/ld.rb

@@ -7,26 +7,35 @@ module SeccompTools
       # Decompile instruction.
       def decompile
         ret = reg + ' = '
-        type = load_val
+        _, _reg, type = symbolize
         return ret + type[:val].to_s if type[:rel] == :immi
         return ret + "mem[#{type[:val]}]" if type[:rel] == :mem
         ret + seccomp_data_str
       end
 
+      # @return [void]
+      def symbolize
+        type = load_val
+        [:ld, reg.downcase.to_sym, type]
+      end
+
       # Accumulator register.
       # @return ['A']
       def reg
         'A'
       end
 
+      # See {Base#branch}.
+      # @param [Context] context
+      #   Current context.
       # @return [Array<(Integer, Context)>]
       def branch(context)
         nctx = context.dup
         type = load_val
         nctx[reg] = case type[:rel]
-                    when :immi then type[:val]
-                    when :mem then context.mem[type[:val]]
-                    when :data then [:data, type[:val]]
+                    when :immi then nil
+                    when :mem then context[type[:val]]
+                    when :data then type[:val]
                     end
         [[line + 1, nctx]]
       end
@@ -58,6 +67,7 @@ module SeccompTools
         when 0 then 'sys_number'
         when 4 then 'arch'
         when 8 then 'instruction_pointer'
+        when 12 then 'instruction_pointer >> 32'
         else
           idx = Array.new(12) { |i| i * 4 + 16 }.index(k)
           return 'INVALID' if idx.nil?

data/lib/seccomp-tools/instruction/misc.rb

@@ -12,6 +12,25 @@ module SeccompTools
         end
       end
 
+      # See {Instruction::Base#symbolize}.
+      # @return [[:misc, (:tax, :txa)]]
+      def symbolize
+        [:misc, op]
+      end
+
+      # See {Base#branch}.
+      # @param [Context] context
+      #   Current context.
+      # @return [Array<(Integer, Context)>]
+      def branch(context)
+        ctx = context.dup
+        case op
+        when :txa then ctx['A'] = ctx['X']
+        when :tax then ctx['X'] = ctx['A']
+        end
+        [[line + 1, ctx]]
+      end
+
       private
 
       def op

data/lib/seccomp-tools/instruction/ret.rb

@@ -6,11 +6,19 @@ module SeccompTools
     class RET < Base
       # Decompile instruction.
       def decompile
-        return 'return A' if code & 0x18 == SRC[:a]
-        "return #{ACTION.invert[k & 0x7fff0000]}"
+        _, type = symbolize
+        "return #{type == :a ? 'A' : ACTION.invert[type & 0x7fff0000]}"
       end
 
+      # See {Instruction::Base#symbolize}.
+      # @return [[:ret, (:a, Integer)]]
+      def symbolize
+        [:ret, code & 0x18 == SRC[:a] ? :a : k]
+      end
+
+      # See {Base#branch}.
       # @return [[]]
+      #   Always return an empty array.
       def branch(*)
         []
       end

data/lib/seccomp-tools/instruction/st.rb

@@ -9,10 +9,16 @@ module SeccompTools
         "mem[#{k}] = #{reg}"
       end
 
+      # See {Instruction::Base#symbolize}.
+      # @return [[:misc, (:a, :x), Integer]]
+      def symbolize
+        [:st, reg.downcase.to_sym, k]
+      end
+
       # @return [Array<(Integer, Context)>]
       def branch(context)
         ctx = context.dup
-        ctx.mem[k] = ctx[reg]
+        ctx[k] = ctx[reg]
         [[line + 1, ctx]]
       end
     end

data/lib/seccomp-tools/syscall.rb

@@ -10,7 +10,18 @@ module SeccompTools
       i386: { number: 120, args: [40, 88, 96, 104, 112, 32], ret: 80, SYS_prctl: 172 }
     }.freeze
 
-    attr_reader :pid, :abi, :number, :args, :ret
+    # @return [Integer] Process id.
+    attr_reader :pid
+    # @return [Hash{Symbol => Integer, Array<Integer>}] See {ABI}.
+    attr_reader :abi
+    # @return [Integer] Syscall number.
+    attr_reader :number
+    # @return [Integer] Syscall arguments.
+    attr_reader :args
+    # @return [Integer] Syscall return value.
+    attr_reader :ret
+
+    # Instantiate a {Syscall} object.
     # @param [String] pid
     #   Process-id.
     def initialize(pid)

data/lib/seccomp-tools/util.rb

@@ -20,6 +20,14 @@ module SeccompTools
       end
     end
 
+    # Enable colorize.
+    # @return [void]
+    def enable_color!
+      @disable_color = false
+    end
+
+    # Disable colorize.
+    # @return [void]
     def disable_color!
       @disable_color = true
     end
@@ -34,13 +42,14 @@ module SeccompTools
     COLOR_CODE = {
       esc_m: "\e[0m",
       syscall: "\e[38;5;120m", # light green
-      arch: "\e[38;5;230m" # light yellow
+      arch: "\e[38;5;230m", # light yellow
+      gray: "\e[2m"
     }.freeze
     # Wrapper color codes.
     # @param [String] s
     #   Contents to wrapper.
-    # @param [Symbol?] sev
-    #   Specific which kind of color to use, valid symbols are defined in +#COLOR_CODE+.
+    # @param [Symbol?] t
+    #   Specific which kind of color to use, valid symbols are defined in {Util.COLOR_CODE}.
     # @return [String]
     #   Wrapper with color codes.
     def colorize(s, t: nil)
@@ -48,7 +57,7 @@ module SeccompTools
       return s unless colorize_enabled?
       cc = COLOR_CODE
       color = cc[t]
-      "#{color}#{s.sub(cc[:esc_m], color)}#{cc[:esc_m]}"
+      "#{color}#{s.sub(cc[:esc_m], cc[:esc_m] + color)}#{cc[:esc_m]}"
     end
   end
 end

data/lib/seccomp-tools/version.rb

@@ -1,4 +1,4 @@
 module SeccompTools
   # Gem version.
-  VERSION = '0.1.0'.freeze
+  VERSION = '1.0.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: seccomp-tools
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-08 00:00:00.000000000 Z
+date: 2017-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -108,7 +108,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
-description: ''
+description: |
+  Provide useful tools to analyze seccomp rules.
+  Visit https://github.com/david942j/seccomp-tools for more details.
 email:
 - david942j@gmail.com
 executables:
@@ -127,12 +129,14 @@ files:
 - lib/seccomp-tools/cli/cli.rb
 - lib/seccomp-tools/cli/disasm.rb
 - lib/seccomp-tools/cli/dump.rb
+- lib/seccomp-tools/cli/emu.rb
 - lib/seccomp-tools/const.rb
 - lib/seccomp-tools/consts/amd64.rb
 - lib/seccomp-tools/consts/i386.rb
-- lib/seccomp-tools/context.rb
-- lib/seccomp-tools/disasm.rb
+- lib/seccomp-tools/disasm/context.rb
+- lib/seccomp-tools/disasm/disasm.rb
 - lib/seccomp-tools/dumper.rb
+- lib/seccomp-tools/emulator.rb
 - lib/seccomp-tools/instruction/alu.rb
 - lib/seccomp-tools/instruction/base.rb
 - lib/seccomp-tools/instruction/instruction.rb

data/lib/seccomp-tools/context.rb

@@ -1,31 +0,0 @@
-module SeccompTools
-  # The context when emulating.
-  #
-  # @todo
-  #   No lambda value, not support ALU instructions.
-  class Context
-    attr_accessor :a, :x, :mem
-    def initialize(a: nil, x: nil, mem: {})
-      @a = a
-      @x = x
-      @mem = mem
-    end
-
-    # Implement a deep dup.
-    # @return [Context]
-    def dup
-      Context.new(a: a, x: x, mem: mem.dup)
-    end
-
-    # For conveniently get instance variable.
-    # @param [String, Symbol] key
-    def [](key)
-      instance_variable_get(('@' + key.downcase).to_sym)
-    end
-
-    # For conveniently set instance variable.
-    def []=(key, val)
-      instance_variable_set(('@' + key.downcase).to_sym, val)
-    end
-  end
-end

data/lib/seccomp-tools/disasm.rb

@@ -1,37 +0,0 @@
-require 'seccomp-tools/bpf'
-require 'seccomp-tools/context'
-require 'seccomp-tools/util'
-
-module SeccompTools
-  # Disassembler of seccomp bpf.
-  module Disasm
-    module_function
-
-    # Disassemble bpf codes.
-    # @param [String] bpf
-    #   The bpf codes.
-    # @param [Symbol] arch
-    #   Architecture.
-    # @todo
-    #   Detect system architecture as default.
-    def disasm(bpf, arch: nil)
-      arch ||= Util.system_arch
-      codes = bpf.scan(/.{8}/m).map.with_index { |b, i| BPF.new(b, arch, i) }
-      contexts = Array.new(codes.size) { [] }
-      contexts[0].push(Context.new)
-      dis = codes.zip(contexts).map do |code, ctxs|
-        ctxs.each do |ctx|
-          code.branch(ctx) do |pc, c|
-            contexts[pc].push(c) unless c.nil? || pc >= contexts.size
-          end
-        end
-        code.contexts = ctxs
-        code.disasm
-      end.join("\n")
-      <<EOS + dis + "\n"
- line  CODE  JT   JF      K
-=================================
-EOS
-    end
-  end
-end