seccomp-tools 1.1.0 → 1.5.0

data/lib/seccomp-tools/asm/compiler.rb

@@ -1,15 +1,24 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/asm/tokenizer'
 require 'seccomp-tools/bpf'
 require 'seccomp-tools/const'
 
 module SeccompTools
   module Asm
+    # @private
+    #
     # Compile seccomp rules.
     class Compiler
+      # Instantiate a {Compiler} object.
+      #
+      # @param [Symbol] arch
+      #   Architecture.
       def initialize(arch)
         @arch = arch
         @insts = []
         @labels = {}
+        @insts_linenum = {}
         @input = []
       end
 
@@ -24,13 +33,17 @@ module SeccompTools
         line = remove_comment(line)
         @token = Tokenizer.new(line)
         return if line.empty?
+
         begin
           res = case line
                 when /\?/ then cmp
                 when /^#{Tokenizer::LABEL_REGEXP}:/ then define_label
                 when /^return/ then ret
+                when /^A\s*=\s*-A/ then alu_neg
                 when /^(A|X)\s*=[^=]/ then assign
-                when /^A\s*.=/ then alu
+                when /^mem\[\d+\]\s*=\s*(A|X)/ then store
+                when /^A\s*.{1,2}=/ then alu
+                when /^(goto|jmp|jump)/ then jmp_abs
                 end
         rescue ArgumentError => e
           invalid(@input.size - 1, e.message)
@@ -40,11 +53,16 @@ module SeccompTools
           @labels[res.last] = @insts.size
         else
           @insts << res
+          @insts_linenum[@insts.size - 1] = @input.size - 1
         end
-        res
       end
 
+      # Compiles the processed instructions.
+      #
       # @return [Array<SeccompTools::BPF>]
+      #   Returns the compiled {BPF} array.
+      # @raise [ArgumentError]
+      #   Raises the error found during compilation.
       def compile!
         @insts.map.with_index do |inst, idx|
           @line = idx
@@ -53,17 +71,22 @@ module SeccompTools
           when :alu then compile_alu(inst[1], inst[2])
           when :ret then compile_ret(inst[1])
           when :cmp then compile_cmp(inst[1], inst[2], inst[3], inst[4])
+          when :jmp_abs then compile_jmp_abs(inst[1])
           end
         end
       rescue ArgumentError => e
-        invalid(@line, e.message)
+        invalid(@insts_linenum[@line], e.message)
       end
 
       private
 
+      # Emits a raw BPF object.
+      #
+      # @return [BPF]
+      #   Returns the emitted {BPF} object.
       def emit(*args, k: 0, jt: 0, jf: 0)
         code = 0
-        # bad idea, while keys are not duplicated so this is ok.
+        # bad idea, but keys are not duplicated so this is ok.
         args.each do |a|
           code |= Const::BPF::COMMAND.fetch(a, 0)
           code |= Const::BPF::JMP.fetch(a, 0)
@@ -76,27 +99,37 @@ module SeccompTools
       end
 
       # A = X / X = A
-      # <A|X> = mem[i]
+      # mem[i] = <A|X>
       # <A|X> = 123|sys_const
-      # A = args[i]|sys_number|arch
+      # A = len
+      # <A|X> = mem[i]
+      # A = args_h[i]|args[i]|sys_number|arch
       # A = data[4 * i]
       def compile_assign(dst, src)
         # misc txa / tax
-        return emit(:misc, :txa) if dst == :a && src == :x
-        return emit(:misc, :tax) if dst == :x && src == :a
+        return compile_assign_misc(dst, src) if (dst == :a && src == :x) || (dst == :x && src == :a)
+        # case of st / stx
+        return emit(src == :x ? :stx : :st, k: dst.last) if dst.is_a?(Array) && dst.first == :mem
+
         src = evaluate(src)
-        # TODO: handle store case.
         ld = dst == :x ? :ldx : :ld
         # <A|X> = <immi>
         return emit(ld, :imm, k: src) if src.is_a?(Integer)
-        # now src must be in form [:mem/:data, num]
-        return emit(ld, :mem, k: src.last) if src.first == :mem
+        # now src must be in form [:len/:mem/:data, num]
+        return emit(ld, src.first, k: src.last) if src.first == :mem || src.first == :len
         # check if num is multiple of 4
-        raise ArgumentError, 'Index of data[] must be multiplication of 4' if src.last % 4 != 0
+        raise ArgumentError, 'Index of data[] must be a multiple of 4' if src.last % 4 != 0
+
         emit(ld, :abs, k: src.last)
       end
 
+      def compile_assign_misc(dst, _src)
+        emit(:misc, dst == :a ? :txa : :tax)
+      end
+
       def compile_alu(op, val)
+        return emit(:alu, :neg) if op == :neg
+
         val = evaluate(val)
         src = val == :x ? :x : :k
         val = 0 if val == :x
@@ -104,9 +137,19 @@ module SeccompTools
       end
 
       def compile_ret(val)
-        emit(:ret, k: val)
+        if val == :a
+          src = :a
+          val = 0
+        end
+        emit(:ret, src, k: val)
       end
 
+      def compile_jmp_abs(target)
+        targ = label_offset(target)
+        emit(:jmp, :ja, k: targ)
+      end
+
+      # Compiles comparison.
       def compile_cmp(op, val, jt, jf)
         jt = label_offset(jt)
         jf = label_offset(jf)
@@ -120,26 +163,48 @@ module SeccompTools
         return label if label.is_a?(Integer)
         return 0 if label == 'next'
         raise ArgumentError, "Undefined label #{label.inspect}" if @labels[label].nil?
+        raise ArgumentError, "Does not support backward jumping to #{label.inspect}" if @labels[label] < @line
+
         @labels[label] - @line - 1
       end
 
       def evaluate(val)
-        return val if val.is_a?(Integer) || val == :x
+        return val if val.is_a?(Integer) || val == :x || val == :a
+
         # keywords
         val = case val
               when 'sys_number' then [:data, 0]
               when 'arch' then [:data, 4]
+              when 'len' then [:len, 0]
               else val
               end
-        return Const::Syscall.const_get(@arch.upcase.to_sym)[val.to_sym] if val.is_a?(String)
-        # remains are [:mem/:data/:args, <num>]
+        return eval_constants(val) if val.is_a?(String)
+
+        # remains are [:mem/:data/:args/:args_h, <num>]
         # first convert args to data
         val = [:data, val.last * 8 + 16] if val.first == :args
+        val = [:data, val.last * 8 + 20] if val.first == :args_h
         val
       end
 
+      def eval_constants(str)
+        Const::Syscall.const_get(@arch.upcase.to_sym)[str.to_sym] ||
+          Const::Audit::ARCH[str] ||
+          raise(ArgumentError, "Invalid constant: #{str.inspect}")
+      end
+
       attr_reader :token
 
+      # <goto|jmp|jump> <label|Integer>
+      def jmp_abs
+        token.fetch('goto') ||
+          token.fetch('jmp') ||
+          token.fetch('jump') ||
+          raise(ArgumentError, "Invalid jump alias: #{token.cur.inspect}")
+        target = token.fetch!(:goto)
+        [:jmp_abs, target]
+      end
+
       # A <comparison> <sys_str|X|Integer> ? <label|Integer> : <label|Integer>
       def cmp
         token.fetch!('A')
@@ -179,6 +244,7 @@ module SeccompTools
       #   A = mem[i]
       #   A = args[i]
       #   A = sys_number|arch
+      #   A = len
       def assign
         dst = token.fetch!(:ax)
         token.fetch!('=')
@@ -186,10 +252,17 @@ module SeccompTools
               token.fetch(:sys_num_x) ||
               token.fetch(:ary) ||
               token.fetch('sys_number') ||
-              token.fetch('arch')
+              token.fetch('arch') ||
+              token.fetch('len') ||
+              raise(ArgumentError, "Invalid source: #{token.cur.inspect}")
         [:assign, dst, src]
       end
 
+      # returns same format as assign
+      def store
+        [:assign, token.fetch!(:ary), token.fetch!('=') && token.fetch!(:ax)]
+      end
+
       def define_label
         name = token.fetch!(:goto)
         token.fetch(':')
@@ -205,6 +278,11 @@ module SeccompTools
         [:alu, op, src]
       end
 
+      # A = -A
+      def alu_neg
+        %i[alu neg]
+      end
+
       def remove_comment(line)
         line = line.to_s.dup
         line.slice!(/#.*\Z/m)
@@ -213,7 +291,7 @@ module SeccompTools
 
       def invalid(line, extra_msg = nil)
         message = "Invalid instruction at line #{line + 1}: #{@input[line].inspect}"
-        message += "\n" + 'Error: ' + extra_msg if extra_msg
+        message += "\nError: #{extra_msg}" if extra_msg
         raise ArgumentError, message
       end
     end

data/lib/seccomp-tools/asm/tokenizer.rb

@@ -1,13 +1,17 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/alu'
 
 module SeccompTools
   module Asm
-    # Fetch tokens from string.
-    # This class is for internel usage, used by {Compiler}.
+    # Fetch tokens from a string.
+    #
+    # Internal used by {Compiler}.
+    # @private
     class Tokenizer
       # a valid label
-      LABEL_REGEXP = /[a-z_][a-z0-9_]+/
+      LABEL_REGEXP = /[A-Za-z_]\w*/.freeze
       attr_accessor :cur
 
       # @param [String] str
@@ -40,7 +44,7 @@ module SeccompTools
         res = case type
               when String then fetch_str(type) || raise_expected("token #{type.inspect}")
               when :comparison then fetch_strs(COMPARISON).to_sym || raise_expected('a comparison operator')
-              when :sys_num_x then fetch_sys_num_x || raise_expected("a syscall number or 'X'")
+              when :sys_num_x then fetch_sys_num_arch_x || raise_expected("a syscall number or 'X'")
               when :goto then fetch_number || fetch_label || raise_expected('a number or label name')
               when :ret then fetch_return || raise(ArgumentError, <<-EOS)
 Invalid return type: #{cur.inspect}.
@@ -64,6 +68,8 @@ Invalid return type: #{cur.inspect}.
 
       def fetch_str(str)
         return nil unless cur.start_with?(str)
+        return nil if str =~ /\A[A-Za-z0-9_]+\Z/ && cur[str.size] =~ /[A-Za-z0-9_]/
+
         @last_match_size = str.size
         str
       end
@@ -71,18 +77,21 @@ Invalid return type: #{cur.inspect}.
       def fetch_ax
         return :a if fetch_str('A')
         return :x if fetch_str('X')
+
         nil
       end
 
-      def fetch_sys_num_x
+      def fetch_sys_num_arch_x
         return :x if fetch_str('X')
-        fetch_number || fetch_syscall
+
+        fetch_number || fetch_syscall || fetch_arch
       end
 
       # Currently only supports 10-based decimal numbers.
       def fetch_number
         res = fetch_regexp(/^0x[0-9a-f]+/) || fetch_regexp(/^[0-9]+/)
         return nil if res.nil?
+
         Integer(res)
       end
 
@@ -92,9 +101,14 @@ Invalid return type: #{cur.inspect}.
         fetch_strs(sys.keys.map(&:to_s).sort_by(&:size).reverse)
       end
 
+      def fetch_arch
+        fetch_strs(Const::Audit::ARCH.keys)
+      end
+
       def fetch_regexp(regexp)
         idx = cur =~ regexp
         return nil if idx.nil? || idx != 0
+
         match = cur.match(regexp)[0]
         @last_match_size = match.size
         match
@@ -110,6 +124,7 @@ Invalid return type: #{cur.inspect}.
         regexp = /(#{Const::BPF::ACTION.keys.join('|')})(\([0-9]{1,5}\))?/
         action = fetch_regexp(regexp)
         return fetch_str('A') && :a if action.nil?
+
         # check if action contains '('the next bytes are (<num>)
         ret_val = 0
         if action.include?('(')
@@ -120,10 +135,11 @@ Invalid return type: #{cur.inspect}.
       end
 
       def fetch_ary
-        support_name = %w[data mem args]
+        support_name = %w[data mem args args_h]
         regexp = /(#{support_name.join('|')})\[[0-9]{1,2}\]/
         match = fetch_regexp(regexp)
         return nil if match.nil?
+
         res, val = match.split('[')
         val = val.to_i
         [res.to_sym, val]
@@ -133,6 +149,7 @@ Invalid return type: #{cur.inspect}.
         ops = %w[+ - * / | & ^ << >>]
         op = fetch_strs(ops)
         return nil if op.nil?
+
         Instruction::ALU::OP_SYM.invert[op.to_sym]
       end
 
@@ -144,7 +161,7 @@ Invalid return type: #{cur.inspect}.
 
       def raise_expected(msg)
         raise ArgumentError, <<-EOS
-Expected #{msg}, while #{cur.split[0].inspect} occured.
+Expected #{msg} but found #{cur.split[0].inspect}.
         EOS
       end
     end

data/lib/seccomp-tools/bpf.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require 'set'
+require 'stringio'
 
 require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/instruction'
@@ -30,11 +33,11 @@ module SeccompTools
     #   Line number of this filter.
     def initialize(raw, arch, line)
       if raw.is_a?(String)
-        io = StringIO.new(raw)
-        @code = io.read(2).unpack('S').first
+        io = ::StringIO.new(raw)
+        @code = io.read(2).unpack1('S')
         @jt = io.read(1).ord
         @jf = io.read(1).ord
-        @k = io.read(4).unpack('L').first
+        @k = io.read(4).unpack1('L')
       else
         @code = raw[:code]
         @jt = raw[:jt]
@@ -77,7 +80,7 @@ module SeccompTools
     # @param [Context] context
     #   Current context.
     # @yieldparam [Integer] pc
-    #   Program conter after this instruction.
+    #   Program counter after this instruction.
     # @yieldparam [Context] ctx
     #   Context after this instruction.
     # @return [void]

data/lib/seccomp-tools/cli/asm.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/cli/base'
 require 'seccomp-tools/asm/asm'
 
@@ -6,9 +8,9 @@ module SeccompTools
     # Handle 'asm' command.
     class Asm < Base
       # Summary of this command.
-      SUMMARY = 'Seccomp bpf assembler.'.freeze
+      SUMMARY = 'Seccomp bpf assembler.'
       # Usage of this command.
-      USAGE = ('asm - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools asm IN_FILE [options]').freeze
+      USAGE = "asm - #{SUMMARY}\n\nUsage: seccomp-tools asm IN_FILE [options]"
 
       def initialize(*)
         super
@@ -24,8 +26,8 @@ module SeccompTools
             option[:ofile] = o
           end
 
-          opt.on('-f', '--format FORMAT', %i[inspect raw carray],
-                 'Output format. FORMAT can only be one of <inspect|raw|carray>.',
+          opt.on('-f', '--format FORMAT', %i[inspect raw c_array carray c_source assembly],
+                 'Output format. FORMAT can only be one of <inspect|raw|c_array|c_source|assembly>.',
                  'Default: inspect') do |f|
                    option[:format] = f
                  end
@@ -38,14 +40,22 @@ module SeccompTools
       # @return [void]
       def handle
         return unless super
+
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
+
         res = SeccompTools::Asm.asm(input, arch: option[:arch])
         output do
           case option[:format]
-          when :inspect then res.inspect + "\n"
+          when :inspect then "#{res.inspect}\n"
           when :raw then res
-          when :carray then "unsigned char bpf[] = {#{res.bytes.join(',')}};\n"
+          when :c_array, :carray then "unsigned char bpf[] = {#{res.bytes.join(',')}};\n"
+          when :c_source then SeccompTools::Util.template('asm.c').sub('<TO_BE_REPLACED>', res.bytes.join(','))
+          when :assembly
+            SeccompTools::Util.template("asm.#{option[:arch]}.asm").sub(
+              '<TO_BE_REPLACED>',
+              res.bytes.map { |b| format('\\\%03o', b) }.join
+            )
           end
         end
       end

data/lib/seccomp-tools/cli/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'optparse'
 
 require 'seccomp-tools/util'
@@ -23,10 +25,12 @@ module SeccompTools
 
       # Handle show help message.
       # @return [Boolean]
-      #   For decestors to check if needs to conitnue.
+      #   For decestors to check if need to continue.
       def handle
         return CLI.show(parser.help) if argv.empty? || %w[-h --help].any? { |h| argv.include?(h) }
+
         parser.parse!(argv)
+        option[:arch] ||= Util.system_arch
         true
       end
 
@@ -35,7 +39,7 @@ module SeccompTools
       # @return [String]
       #   String read from file.
       def input
-        option[:ifile] == '-' ? STDIN.read.force_encoding('ascii-8bit') : IO.binread(option[:ifile])
+        option[:ifile] == '-' ? $stdin.read.force_encoding('ascii-8bit') : IO.binread(option[:ifile])
       end
 
       # Write data to stdout or file(s).
@@ -45,6 +49,7 @@ module SeccompTools
       def output
         # if file name not present, just output to stdout.
         return $stdout.write(yield) if option[:ofile].nil?
+
         # times of calling output
         @serial ||= 0
         # Write to file, we should disable colorize
@@ -77,7 +82,7 @@ module SeccompTools
         File.join(File.dirname(file), base + suffix) + ext
       end
 
-      # For decestors easy to define usage message.
+      # For descendants to define usage message easily.
       # @return [String]
       #   Usage information.
       def usage
@@ -87,7 +92,8 @@ module SeccompTools
       def option_arch(opt)
         supported = Util.supported_archs
         opt.on('-a', '--arch ARCH', supported, 'Specify architecture.',
-               "Supported architectures are <#{supported.join('|')}>.") do |a|
+               "Supported architectures are <#{supported.join('|')}>.",
+               "Default: #{Util.system_arch}") do |a|
           option[:arch] = a
         end
       end