seccomp-tools 1.1.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 52d71ec73ddfa5dab7d22d982b27b2d4c3610080
-  data.tar.gz: '08439390a2e4a08d8619eba08b7b66a2814372b1'
+SHA256:
+  metadata.gz: fa755fd2e7ed97279b094dfa28bd668aef4ee638005f0b38405066502fc8a30d
+  data.tar.gz: 56b0d51796d97a89f67262c36716833d078ce19ea6b58fbb83c2f8bee88b8685
 SHA512:
-  metadata.gz: c69c741edae030e7a775dcad768fa983c627cda1d849947c079d45148453a018cbba249abd18faced059b4c4cdc793e746d707e178b2e845804e7bb9a4c70437
-  data.tar.gz: fc8cc5926cba54d561822b3a75b57c8721b1113ef16117f455c8a91f651dbad16ced7f6e09209d2adcd7a8183f4a1f8d327aa490652fe5f8ee7a3be187fe361a
+  metadata.gz: 027f57a717cb63fadeefd4a60213115a27ed51bb1eb3e6b58251690ed7c1d42335086ff4448b480296b77d395ba2e8718fa662e227394abfddaf80b19b769b74
+  data.tar.gz: f6aca254b4a43d6c60d5df7e6694b976de1e56fbb6d6585bd46fd17c0849820d76c81f25bbc872dc785576e05eeaaab5d0276a3f065b730988973c5073ace761

data/README.md

@@ -1,4 +1,5 @@
-[![Build Status](https://travis-ci.org/david942j/seccomp-tools.svg?branch=master)](https://travis-ci.org/david942j/seccomp-tools)
+[![Build Status](https://github.com/david942j/seccomp-tools/workflows/build/badge.svg)](https://github.com/david942j/seccomp-tools/actions)
+[![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=david942j/seccomp-tools)](https://dependabot.com)
 [![Code Climate](https://codeclimate.com/github/david942j/seccomp-tools/badges/gpa.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
 [![Issue Count](https://codeclimate.com/github/david942j/seccomp-tools/badges/issue_count.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
 [![Test Coverage](https://codeclimate.com/github/david942j/seccomp-tools/badges/coverage.svg)](https://codeclimate.com/github/david942j/seccomp-tools/coverage)
@@ -6,20 +7,20 @@
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
 
 # Seccomp Tools
-Provides powerful tools for seccomp analysis.
+Provide powerful tools for seccomp analysis.
 
 This project is targeted to (but not limited to) analyze seccomp sandbox in CTF pwn challenges.
-Some features might be CTF-specific, but still useful for analysis of seccomp in real-case.
+Some features might be CTF-specific, but still useful for analyzing seccomp in real-case.
 
 ## Features
-* Dump - Automatically dump seccomp-bpf from binary.
-* Disasm - Convert bpf to human readable format.
+* Dump - Automatically dumps seccomp-bpf from execution file(s).
+* Disasm - Converts bpf to human readable format.
   - Simple decompile.
-  - Show syscall names.
+  - Display syscall names and arguments when possible.
+  - Colorful!
 * Asm - Write seccomp rules is so easy!
-* Emu - Emulate seccomp rules.
-* (TODO) Solve constraints for executing syscalls (e.g. `execve/open/read/write`).
-* Support multi-architectures.
+* Emu - Emulates seccomp rules.
+* Supports multi-architectures.
 
 ## Installation
 
@@ -28,6 +29,12 @@ Available on RubyGems.org!
 $ gem install seccomp-tools
 ```
 
+If you failed when compiling, try:
+```
+sudo apt install gcc ruby-dev
+```
+and install seccomp-tools again.
+
 ## Command Line Interface
 
 ### seccomp-tools
@@ -38,19 +45,21 @@ $ seccomp-tools --help
 #
 # List of commands:
 #
-# 	dump	Automatically dump seccomp bpf from execution file.
-# 	disasm	Disassemble seccomp bpf.
 # 	asm	Seccomp bpf assembler.
+# 	disasm	Disassemble seccomp bpf.
+# 	dump	Automatically dump seccomp bpf from execution file(s).
 # 	emu	Emulate seccomp rules.
 #
-# See 'seccomp-tools --help <command>' to read about a specific subcommand.
+# See 'seccomp-tools <command> --help' to read about a specific subcommand.
 
-$ seccomp-tools --help dump
-# dump - Automatically dump seccomp bpf from execution file.
+$ seccomp-tools dump --help
+# dump - Automatically dump seccomp bpf from execution file(s).
+# NOTE : This function is only available on Linux.
 #
 # Usage: seccomp-tools dump [exec] [options]
 #     -c, --sh-exec <command>          Executes the given command (via sh).
 #                                      Use this option if want to pass arguments or do pipe things to the execution file.
+#                                      e.g. use `-c "./bin > /dev/null"` to dump seccomp without being mixed with stdout.
 #     -f, --format FORMAT              Output format. FORMAT can only be one of <disasm|raw|inspect>.
 #                                      Default: disasm
 #     -l, --limit LIMIT                Limit the number of calling "prctl(PR_SET_SECCOMP)".
@@ -60,12 +69,14 @@ $ seccomp-tools --help dump
 #                                      If multiple seccomp syscalls have been invoked (see --limit),
 #                                      results will be written to FILE, FILE_1, FILE_2.. etc.
 #                                      For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...
+#     -p, --pid PID                    Dump installed seccomp filters of the existing process.
+#                                      You must have CAP_SYS_ADMIN (e.g. be root) in order to use this option.
 
 ```
 
 ### dump
 
-Dump the seccomp bpf from an execution file.
+Dumps the seccomp bpf from an execution file.
 This work is done by the `ptrace` syscall.
 
 NOTICE: beware of the execution file will be executed.
@@ -113,7 +124,7 @@ $ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd
 
 ### disasm
 
-Disassemble the seccomp from raw bpf.
+Disassembles the seccomp from raw bpf.
 ```bash
 $ xxd spec/data/twctf-2016-diary.bpf | head -n 3
 # 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
@@ -146,26 +157,27 @@ $ seccomp-tools disasm spec/data/twctf-2016-diary.bpf
 
 ### asm
 
-Assemble the seccomp rules into raw bytes.
-Very useful when want to write custom seccomp rules.
+Assembles the seccomp rules into raw bytes.
+It's very useful when one wants to write custom seccomp rules.
 
-Supports labels for jumping and use syscall names directly. See example below.
+Supports labels for jumping and uses syscall names directly. See examples below.
 ```bash
 $ seccomp-tools asm
 # asm - Seccomp bpf assembler.
 #
 # Usage: seccomp-tools asm IN_FILE [options]
 #     -o, --output FILE                Output result into FILE instead of stdout.
-#     -f, --format FORMAT              Output format. FORMAT can only be one of <inspect|raw|carray>.
+#     -f, --format FORMAT              Output format. FORMAT can only be one of <inspect|raw|c_array|c_source|assembly>.
 #                                      Default: inspect
 #     -a, --arch ARCH                  Specify architecture.
-#                                      Supported architectures are <amd64|i386>.
+#                                      Supported architectures are <aarch64|amd64|i386>.
+#                                      Default: amd64
 
 # Input file for asm
 $ cat spec/data/libseccomp.asm
 # # check if arch is X86_64
 # A = arch
-# A == 0xc000003e ? next : dead
+# A == ARCH_X86_64 ? next : dead
 # A = sys_number
 # A >= 0x40000000 ? dead : next
 # A == write ? ok : next
@@ -181,8 +193,52 @@ $ cat spec/data/libseccomp.asm
 $ seccomp-tools asm spec/data/libseccomp.asm
 # " \x00\x00\x00\x04\x00\x00\x00\x15\x00\x00\b>\x00\x00\xC0 \x00\x00\x00\x00\x00\x00\x005\x00\x06\x00\x00\x00\x00@\x15\x00\x04\x00\x01\x00\x00\x00\x15\x00\x03\x00\x03\x00\x00\x00\x15\x00\x02\x00 \x00\x00\x00\x15\x00\x01\x00<\x00\x00\x00\x06\x00\x00\x00\x05\x00\x05\x00\x06\x00\x00\x00\x00\x00\xFF\x7F\x06\x00\x00\x00\x00\x00\x00\x00"
 
-$ seccomp-tools asm spec/data/libseccomp.asm -f carray
-# unsigned char bpf[] = {32,0,0,0,4,0,0,0,21,0,0,8,62,0,0,192,32,0,0,0,0,0,0,0,53,0,6,0,0,0,0,64,21,0,4,0,1,0,0,0,21,0,3,0,3,0,0,0,21,0,2,0,32,0,0,0,21,0,1,0,60,0,0,0,6,0,0,0,5,0,5,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0};
+$ seccomp-tools asm spec/data/libseccomp.asm -f c_source
+# #include <linux/seccomp.h>
+# #include <stdio.h>
+# #include <stdlib.h>
+# #include <sys/prctl.h>
+#
+# static void install_seccomp() {
+#   static unsigned char filter[] = {32,0,0,0,4,0,0,0,21,0,0,8,62,0,0,192,32,0,0,0,0,0,0,0,53,0,6,0,0,0,0,64,21,0,4,0,1,0,0,0,21,0,3,0,3,0,0,0,21,0,2,0,32,0,0,0,21,0,1,0,60,0,0,0,6,0,0,0,5,0,5,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0};
+#   struct prog {
+#     unsigned short len;
+#     unsigned char *filter;
+#   } rule = {
+#     .len = sizeof(filter) >> 3,
+#     .filter = filter
+#   };
+#   if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); exit(2); }
+#   if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &rule) < 0) { perror("prctl(PR_SET_SECCOMP)"); exit(2); }
+# }
+
+$ seccomp-tools asm spec/data/libseccomp.asm -f assembly
+# install_seccomp:
+#   push   rbp
+#   mov    rbp, rsp
+#   push   38
+#   pop    rdi
+#   push   0x1
+#   pop    rsi
+#   xor    eax, eax
+#   mov    al, 0x9d
+#   syscall
+#   push   22
+#   pop    rdi
+#   lea    rdx, [rip + _filter]
+#   push   rdx /* .filter */
+#   push   _filter_end - _filter >> 3 /* .len */
+#   mov    rdx, rsp
+#   push   0x2
+#   pop    rsi
+#   xor    eax, eax
+#   mov    al, 0x9d
+#   syscall
+#   leave
+#   ret
+# _filter:
+# .ascii "\040\000\000\000\004\000\000\000\025\000\000\010\076\000\000\300\040\000\000\000\000\000\000\000\065\000\006\000\000\000\000\100\025\000\004\000\001\000\000\000\025\000\003\000\003\000\000\000\025\000\002\000\040\000\000\000\025\000\001\000\074\000\000\000\006\000\000\000\005\000\005\000\006\000\000\000\000\000\377\177\006\000\000\000\000\000\000\000"
+# _filter_end:
 
 
 # let's asm then disasm!
@@ -197,7 +253,7 @@ $ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
 #  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009
 #  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009
 #  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
-#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO
+#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO(5)
 #  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 #  0010: 0x06 0x00 0x00 0x00000000  return KILL
 
@@ -205,17 +261,18 @@ $ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
 
 ### Emu
 
-Emulate seccomp given `sys_nr`, `arg0`, `arg1`, etc.
+Emulates seccomp given `sys_nr`, `arg0`, `arg1`, etc.
 ```bash
 $ seccomp-tools emu --help
 # emu - Emulate seccomp rules.
 #
 # Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]
 #     -a, --arch ARCH                  Specify architecture.
-#                                      Supported architectures are <amd64|i386>.
+#                                      Supported architectures are <aarch64|amd64|i386>.
+#                                      Default: amd64
 #     -q, --[no-]quiet                 Run quietly, only show emulation result.
 
-$ seccomp-tools emu spec/data/libseccomp.bpf 0x3
+$ seccomp-tools emu spec/data/libseccomp.bpf write 0x3
 #  line  CODE  JT   JF      K
 # =================================
 #  0000: 0x20 0x00 0x00 0x00000004  A = arch
@@ -226,7 +283,7 @@ $ seccomp-tools emu spec/data/libseccomp.bpf 0x3
 #  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009
 #  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009
 #  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
-#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO
+#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO(5)
 #  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 #  0010: 0x06 0x00 0x00 0x00000000  return KILL
 #
@@ -244,7 +301,32 @@ $ seccomp-tools emu spec/data/libseccomp.bpf 0x3
 
 ![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-amigo.png?raw=true)
 
+## Architecture Supported
+
+- [x] x86_64
+- [x] x32
+- [x] x86
+- [x] arm64 (Thanks to @saagarjha!)
+
+## Development
+
+I recommend to use [rbenv](https://github.com/rbenv/rbenv) for your Ruby environment.
+
+### Setup
+
+- Install bundler
+  - `$ gem install bundler`
+- Clone the source
+  - `$ git clone https://github.com/david942j/seccomp-tools && cd seccomp-tools`
+- Install dependencies
+  - `$ bundle install`
+
+### Run tests
+
+`$ bundle exec rake`
+
 ## I Need You
+
 Any suggestion or feature request is welcome!
 Feel free to file an issue or send a pull request.
-And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:
+And, if you like this work, I'll be happy to be [starred](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:

data/bin/seccomp-tools

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'seccomp-tools/cli/cli'
 

data/ext/ptrace/extconf.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'mkmf'
 
 extension_name = 'seccomp-tools/ptrace'

data/ext/ptrace/ptrace.c

@@ -1,5 +1,16 @@
+// ptrace is only available on Linux, therefore let this file be an empty
+// object when installing on other platforms.
+#if __linux__
+
+#include <assert.h>
+#include <errno.h>
+#include <linux/elf.h>
+#include <linux/filter.h>
+#include <stdint.h>
 #include <sys/ptrace.h>
 #include <sys/signal.h>
+#include <sys/uio.h>
+#include <sys/wait.h>
 
 #include "ruby.h"
 
@@ -16,10 +27,53 @@ ptrace_peekdata(VALUE _mod, VALUE pid, VALUE addr, VALUE _data) {
   return LONG2NUM(val);  
 }
 
+// aarch64 doesn't support PTRACE_PEEKUSER, but it does support
+// PTRACE_GETREGSET which is fairly similar. Since i386 and x86_64 support it
+// too, just use that unconditionally to present the same API for the registers
+// we care about.
 static VALUE
-ptrace_peekuser(VALUE _mod, VALUE pid, VALUE off, VALUE _data) {
-  long val = ptrace(PTRACE_PEEKUSER, NUM2LONG(pid), NUM2LONG(off), NULL);
-  return LONG2NUM(val);  
+ptrace_peekuser(VALUE _mod, VALUE pid, VALUE off, VALUE _data, VALUE bits) {
+  size_t offset = NUM2LONG(off);
+  // Unless your registers fill an entire page, an offset greater than this is
+  // probably wrong.
+  if (offset >= 4096) {
+    return LONG2NUM(-1);
+  }
+  size_t width = NUM2LONG(bits);
+  if (width != 32 && width != 64) {
+    return LONG2NUM(-1);
+  }
+  width /= 8;
+  union {
+    uint32_t val32;
+    uint64_t val64;
+  } val;
+  // Dynamically allocate a buffer to store registers-well, at least enough
+  // registers to reach the offset we want. Normally we'd want to use
+  // user_pt_regs or similar, but it's difficult to find it available in the
+  // the same header across different versions of Linux or libcs, or even with
+  // the same *name*, so this is the compromise.
+  size_t size = offset + width;
+  char *regs = malloc(size);
+  if (!regs) {
+    return LONG2NUM(-1);
+  }
+  struct iovec vec = { regs, size };
+  if (ptrace(PTRACE_GETREGSET, NUM2LONG(pid), NT_PRSTATUS, &vec) != -1 && vec.iov_len >= size) {
+    memcpy(&val, regs + offset, width);
+  } else {
+    free(regs);
+    return LONG2NUM(-1);
+  }
+  free(regs);
+  if (width == sizeof(val.val32)) {
+    return LONG2NUM(val.val32);
+  } else if (width == sizeof(val.val64)) {
+    return LONG2NUM(val.val64);
+  } else {
+    assert(!"Unreachable");
+    return LONG2NUM(-1);
+  }
 }
 
 static VALUE
@@ -50,9 +104,44 @@ ptrace_traceme_and_stop(VALUE mod) {
   return Qnil;
 }
 
+static VALUE
+ptrace_attach_and_wait(VALUE _mod, VALUE pid) {
+  long val = ptrace(PTRACE_ATTACH, NUM2LONG(pid), 0, 0);
+  if(val < 0)
+    rb_sys_fail("ptrace attach failed");
+  waitpid(NUM2LONG(pid), NULL, 0);
+  return Qnil;
+}
+
+static VALUE
+ptrace_seccomp_get_filter(VALUE _mod, VALUE pid, VALUE index) {
+  long count = ptrace(PTRACE_SECCOMP_GET_FILTER, NUM2LONG(pid), NUM2LONG(index), NULL);
+  struct sock_filter *filter;
+  VALUE result;
+  if(count < 0)
+    rb_sys_fail("ptrace seccomp_get_filter failed");
+  filter = ALLOC_N(struct sock_filter, count);
+  if(ptrace(PTRACE_SECCOMP_GET_FILTER, NUM2LONG(pid), NUM2LONG(index), filter) != count) {
+    xfree(filter);
+    rb_sys_fail("ptrace seccomp_get_filter failed");
+  }
+  result = rb_str_new((const char *)filter, sizeof(struct sock_filter) * count);
+  xfree(filter);
+  return result;
+}
+
+static VALUE
+ptrace_detach(VALUE _mod, VALUE pid) {
+  long val = ptrace(PTRACE_DETACH, NUM2LONG(pid), 0, 0);
+  if(val < 0)
+    rb_sys_fail(0);
+  return Qnil;
+}
+
 
 void Init_ptrace(void) {
   VALUE mSeccompTools = rb_define_module("SeccompTools");
+  /* The module to wrap ptrace syscall */
   VALUE mPtrace = rb_define_module_under(mSeccompTools, "Ptrace");
 
   /* consts */
@@ -64,13 +153,26 @@ void Init_ptrace(void) {
   rb_define_const(mPtrace, "O_TRACESYSGOOD", UINT2NUM(PTRACE_O_TRACESYSGOOD));
   rb_define_const(mPtrace, "O_TRACEVFORK", UINT2NUM(PTRACE_O_TRACEVFORK));
 
-  /* ptrace wrapper */
+  /* geteventmsg */
   rb_define_module_function(mPtrace, "geteventmsg", ptrace_geteventmsg, 1);
+  /* get data */
   rb_define_module_function(mPtrace, "peekdata", ptrace_peekdata, 3);
-  rb_define_module_function(mPtrace, "peekuser", ptrace_peekuser, 3);
+  /* get registers */
+  rb_define_module_function(mPtrace, "peekuser", ptrace_peekuser, 4);
+  /* set ptrace options */
   rb_define_module_function(mPtrace, "setoptions", ptrace_setoptions, 3);
+  /* wait for syscall */
   rb_define_module_function(mPtrace, "syscall", ptrace_syscall, 3);
+  /* wait for its parent to attach */
   rb_define_module_function(mPtrace, "traceme", ptrace_traceme, 0);
+  /* stop itself before parent attaching */
   rb_define_module_function(mPtrace, "traceme_and_stop", ptrace_traceme_and_stop, 0);
+  /* attach to an existing process */
+  rb_define_module_function(mPtrace, "attach_and_wait", ptrace_attach_and_wait, 1);
+  /* retrieve seccomp filter */
+  rb_define_module_function(mPtrace, "seccomp_get_filter", ptrace_seccomp_get_filter, 2);
+  /* detach from an existing process */
+  rb_define_module_function(mPtrace, "detach", ptrace_detach, 1);
 }
 
+#endif  /* __linux__ */

data/lib/seccomp-tools.rb

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
 # @author david942j
 
 # Main module.
 module SeccompTools
 end
 
+require 'seccomp-tools/asm/asm'
+require 'seccomp-tools/disasm/disasm'
 require 'seccomp-tools/dumper'
+require 'seccomp-tools/emulator'
 require 'seccomp-tools/version'

data/lib/seccomp-tools/asm/asm.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/asm/compiler'
 require 'seccomp-tools/util'
 
@@ -8,10 +10,11 @@ module SeccompTools
 
     # Assembler of seccomp bpf.
     # @param [String] str
+    # @param [:amd64, :i386] arch
     # @return [String]
     #   Raw bpf bytes.
     # @example
-    #   asm(<<EOS)
+    #   SeccompTools::Asm.asm(<<-EOS)
     #     # lines start with '#' are comments
     #     A = sys_number                # here's a comment, too
     #     A >= 0x40000000 ? dead : next # 'next' is a keyword, denote the next instruction
@@ -25,7 +28,7 @@ module SeccompTools
     #   EOS
     #   #=> <raw binary bytes>
     def asm(str, arch: nil)
-      arch = Util.system_arch if arch.nil? # TODO: show warning
+      arch = Util.system_arch if arch.nil?
       compiler = Compiler.new(arch)
       str.lines.each { |l| compiler.process(l) }
       compiler.compile!.map(&:asm).join