seccomp-tools 1.1.0 → 1.5.0

data/lib/seccomp-tools/consts/sys_nr/aarch64.rb

@@ -0,0 +1,284 @@
+# frozen_string_literal: true
+
+{
+  io_setup: 0,
+  io_destroy: 1,
+  io_submit: 2,
+  io_cancel: 3,
+  io_getevents: 4,
+  setxattr: 5,
+  lsetxattr: 6,
+  fsetxattr: 7,
+  getxattr: 8,
+  lgetxattr: 9,
+  fgetxattr: 10,
+  listxattr: 11,
+  llistxattr: 12,
+  flistxattr: 13,
+  removexattr: 14,
+  lremovexattr: 15,
+  fremovexattr: 16,
+  getcwd: 17,
+  lookup_dcookie: 18,
+  eventfd2: 19,
+  epoll_create1: 20,
+  epoll_ctl: 21,
+  epoll_pwait: 22,
+  dup: 23,
+  dup3: 24,
+  fcntl: 25,
+  inotify_init1: 26,
+  inotify_add_watch: 27,
+  inotify_rm_watch: 28,
+  ioctl: 29,
+  ioprio_set: 30,
+  ioprio_get: 31,
+  flock: 32,
+  mknodat: 33,
+  mkdirat: 34,
+  unlinkat: 35,
+  symlinkat: 36,
+  linkat: 37,
+  renameat: 38,
+  umount2: 39,
+  mount: 40,
+  pivot_root: 41,
+  nfsservctl: 42,
+  statfs: 43,
+  fstatfs: 44,
+  truncate: 45,
+  ftruncate: 46,
+  fallocate: 47,
+  faccessat: 48,
+  chdir: 49,
+  fchdir: 50,
+  chroot: 51,
+  fchmod: 52,
+  fchmodat: 53,
+  fchownat: 54,
+  fchown: 55,
+  openat: 56,
+  close: 57,
+  vhangup: 58,
+  pipe2: 59,
+  quotactl: 60,
+  getdents: 61,
+  getdents64: 61,
+  lseek: 62,
+  read: 63,
+  write: 64,
+  readv: 65,
+  writev: 66,
+  pread: 67,
+  pread64: 67,
+  pwrite: 68,
+  pwrite64: 68,
+  preadv: 69,
+  pwritev: 70,
+  sendfile: 71,
+  pselect6: 72,
+  ppoll: 73,
+  signalfd4: 74,
+  vmsplice: 75,
+  splice: 76,
+  tee: 77,
+  readlinkat: 78,
+  newfstatat: 79,
+  fstat: 80,
+  newfstat: 80,
+  sync: 81,
+  fsync: 82,
+  fdatasync: 83,
+  sync_file_range: 84,
+  timerfd_create: 85,
+  timerfd_settime: 86,
+  timerfd_gettime: 87,
+  utimensat: 88,
+  acct: 89,
+  capget: 90,
+  capset: 91,
+  personality: 92,
+  exit: 93,
+  exit_group: 94,
+  waitid: 95,
+  set_tid_address: 96,
+  unshare: 97,
+  futex: 98,
+  set_robust_list: 99,
+  get_robust_list: 100,
+  nanosleep: 101,
+  getitimer: 102,
+  setitimer: 103,
+  kexec_load: 104,
+  init_module: 105,
+  delete_module: 106,
+  timer_create: 107,
+  timer_gettime: 108,
+  timer_getoverrun: 109,
+  timer_settime: 110,
+  timer_delete: 111,
+  clock_settime: 112,
+  clock_gettime: 113,
+  clock_getres: 114,
+  clock_nanosleep: 115,
+  syslog: 116,
+  ptrace: 117,
+  sched_setparam: 118,
+  sched_setscheduler: 119,
+  sched_getscheduler: 120,
+  sched_getparam: 121,
+  sched_setaffinity: 122,
+  sched_getaffinity: 123,
+  sched_yield: 124,
+  sched_get_priority_max: 125,
+  sched_get_priority_min: 126,
+  sched_rr_get_interval: 127,
+  restart_syscall: 128,
+  kill: 129,
+  tkill: 130,
+  tgkill: 131,
+  sigaltstack: 132,
+  rt_sigsuspend: 133,
+  rt_sigaction: 134,
+  rt_sigprocmask: 135,
+  rt_sigpending: 136,
+  rt_sigtimedwait: 137,
+  rt_sigqueueinfo: 138,
+  rt_sigreturn: 139,
+  setpriority: 140,
+  getpriority: 141,
+  reboot: 142,
+  setregid: 143,
+  setgid: 144,
+  setreuid: 145,
+  setuid: 146,
+  setresuid: 147,
+  getresuid: 148,
+  setresgid: 149,
+  getresgid: 150,
+  setfsuid: 151,
+  setfsgid: 152,
+  times: 153,
+  setpgid: 154,
+  getpgid: 155,
+  getsid: 156,
+  setsid: 157,
+  getgroups: 158,
+  setgroups: 159,
+  uname: 160,
+  sethostname: 161,
+  setdomainname: 162,
+  getrlimit: 163,
+  setrlimit: 164,
+  getrusage: 165,
+  umask: 166,
+  prctl: 167,
+  getcpu: 168,
+  gettimeofday: 169,
+  settimeofday: 170,
+  adjtimex: 171,
+  getpid: 172,
+  getppid: 173,
+  getuid: 174,
+  geteuid: 175,
+  getgid: 176,
+  getegid: 177,
+  gettid: 178,
+  sysinfo: 179,
+  mq_open: 180,
+  mq_unlink: 181,
+  mq_timedsend: 182,
+  mq_timedreceive: 183,
+  mq_notify: 184,
+  mq_getsetattr: 185,
+  msgget: 186,
+  msgctl: 187,
+  msgrcv: 188,
+  msgsnd: 189,
+  semget: 190,
+  semctl: 191,
+  semtimedop: 192,
+  semop: 193,
+  shmget: 194,
+  shmctl: 195,
+  shmat: 196,
+  shmdt: 197,
+  socket: 198,
+  socketpair: 199,
+  bind: 200,
+  listen: 201,
+  accept: 202,
+  connect: 203,
+  getsockname: 204,
+  getpeername: 205,
+  sendto: 206,
+  recvfrom: 207,
+  setsockopt: 208,
+  getsockopt: 209,
+  shutdown: 210,
+  sendmsg: 211,
+  recvmsg: 212,
+  readahead: 213,
+  brk: 214,
+  munmap: 215,
+  mremap: 216,
+  add_key: 217,
+  request_key: 218,
+  keyctl: 219,
+  clone: 220,
+  execve: 221,
+  mmap: 222,
+  fadvise64: 223,
+  swapon: 224,
+  swapoff: 225,
+  mprotect: 226,
+  msync: 227,
+  mlock: 228,
+  munlock: 229,
+  mlockall: 230,
+  munlockall: 231,
+  mincore: 232,
+  madvise: 233,
+  remap_file_pages: 234,
+  mbind: 235,
+  get_mempolicy: 236,
+  set_mempolicy: 237,
+  migrate_pages: 238,
+  move_pages: 239,
+  rt_tgsigqueueinfo: 240,
+  perf_event_open: 241,
+  accept4: 242,
+  recvmmsg: 243,
+  wait4: 260,
+  prlimit64: 261,
+  fanotify_init: 262,
+  fanotify_mark: 263,
+  name_to_handle_at: 264,
+  open_by_handle_at: 265,
+  clock_adjtime: 266,
+  syncfs: 267,
+  setns: 268,
+  sendmmsg: 269,
+  process_vm_readv: 270,
+  process_vm_writev: 271,
+  kcmp: 272,
+  finit_module: 273,
+  sched_setattr: 274,
+  sched_getattr: 275,
+  renameat2: 276,
+  seccomp: 277,
+  getrandom: 278,
+  memfd_create: 279,
+  bpf: 280,
+  execveat: 281,
+  userfaultfd: 282,
+  membarrier: 283,
+  mlock2: 284,
+  copy_file_range: 285,
+  preadv2: 286,
+  pwritev2: 287,
+  pkey_mprotect: 288,
+  pkey_alloc: 289,
+  pkey_free: 290,
+  statx: 291
+}

data/lib/seccomp-tools/consts/{amd64.rb → sys_nr/amd64.rb}

@@ -1,3 +1,6 @@
+# frozen_string_literal: true
+
+X32_MODE_BIT = 0x40000000
 {
   read: 0,
   write: 1,
@@ -17,7 +20,9 @@
   rt_sigreturn: 15,
   ioctl: 16,
   pread: 17,
+  pread64: 17,
   pwrite: 18,
+  pwrite64: 18,
   readv: 19,
   writev: 20,
   access: 21,
@@ -332,4 +337,4 @@
   pkey_alloc: 330,
   pkey_free: 331,
   statx: 332
-}
+}.tap { |h| h.keys.each { |k| h["x32_#{k}".to_sym] = h[k] | X32_MODE_BIT } } # rubocop:disable Style/HashEachMethods

data/lib/seccomp-tools/consts/{i386.rb → sys_nr/i386.rb}

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 {
+  restart_syscall: 0,
   exit: 1,
   fork: 2,
   read: 3,
@@ -178,8 +181,8 @@
   rt_sigtimedwait: 177,
   rt_sigqueueinfo: 178,
   rt_sigsuspend: 179,
-  pread: 180,
-  pwrite: 181,
+  pread64: 180,
+  pwrite64: 181,
   chown: 182,
   getcwd: 183,
   capget: 184,
@@ -256,14 +259,14 @@
   remap_file_pages: 257,
   set_tid_address: 258,
   timer_create: 259,
-  timer_settime: (259 + 1),
-  timer_gettime: (259 + 2),
-  timer_getoverrun: (259 + 3),
-  timer_delete: (259 + 4),
-  clock_settime: (259 + 5),
-  clock_gettime: (259 + 6),
-  clock_getres: (259 + 7),
-  clock_nanosleep: (259 + 8),
+  timer_settime: 260,
+  timer_gettime: 261,
+  timer_getoverrun: 262,
+  timer_delete: 263,
+  clock_settime: 264,
+  clock_gettime: 265,
+  clock_getres: 266,
+  clock_nanosleep: 267,
   statfs64: 268,
   fstatfs64: 269,
   tgkill: 270,
@@ -274,11 +277,11 @@
   get_mempolicy: 275,
   set_mempolicy: 276,
   mq_open: 277,
-  mq_unlink: (277 + 1),
-  mq_timedsend: (277 + 2),
-  mq_timedreceive: (277 + 3),
-  mq_notify: (277 + 4),
-  mq_getsetattr: (277 + 5),
+  mq_unlink: 278,
+  mq_timedsend: 279,
+  mq_timedreceive: 280,
+  mq_notify: 281,
+  mq_getsetattr: 282,
   sys_kexec_load: 283,
   waitid: 284,
   add_key: 286,

data/lib/seccomp-tools/disasm/context.rb

@@ -1,79 +1,170 @@
+# frozen_string_literal: true
+
 module SeccompTools
   module Disasm
+    # @private
+    #
     # Context for disassembler to analyze.
     #
-    # This context only care if +reg/mem+ can be one of +data[*]+.
+    # This class maintains:
+    # * if +reg/mem+ can be one of +data[*]+
+    # * if +data[0]+ (i.e. sys_number) is a known value
     class Context
-      # @return [Hash{Integer, Symbol => Integer?}] Records reg and mem values.
+      # @private
+      #
+      # Records the type and value.
+      class Value
+        attr_reader :val # @return [Integer]
+
+        # @param [:imm, :data, :mem] rel
+        # @param [Integer?] val
+        def initialize(rel: :imm, val: nil)
+          @rel = rel
+          @val = val
+        end
+
+        # @return [Boolean]
+        def data?
+          @rel == :data
+        end
+
+        # @return [Boolean]
+        def imm?
+          @rel == :imm && @val.is_a?(Integer)
+        end
+
+        # Defines hash function.
+        # @return [Integer]
+        def hash
+          @rel.hash ^ @val.hash
+        end
+
+        # Defines +eql?+.
+        #
+        # @param [Context::Value] other
+        # @return [Boolean]
+        def eql?(other)
+          @val == other.val && @rel == other.instance_variable_get(:@rel)
+        end
+      end
+
+      # @return [{Integer, Symbol => Context::Value}] Records reg and mem values.
       attr_reader :values
+      # @return [Array<Integer?>] Records the known value of data.
+      attr_reader :known_data
 
       # Instantiate a {Context} object.
-      # @param [Integer?] a
-      #   Value to be set to +A+ register.
-      # @param [Integer?] x
-      #   Value to be set to +X+ register.
-      # @param [Hash{Integer => Integer?}] mem
-      #   Value to be set to +mem+.
-      def initialize(a: nil, x: nil, mem: {})
-        @values = mem
-        16.times { |i| @values[i] ||= nil } # make @values always has all keys
-        @values[:a] = a
-        @values[:x] = x
+      # @param [{Integer, Symbol => Context::Value?}] values
+      #   Value to be set to +reg/mem+.
+      # @param [Array<Integer?>] known_data
+      #   Records which index of data is known.
+      #   It's used for tracking if the syscall number is known, which can be used to display argument names of the
+      #   syscall.
+      def initialize(values: {}, known_data: [])
+        @values = values
+        16.times { |i| @values[i] ||= Value.new(rel: :mem, val: i) } # make @values always has all keys
+        @values[:a] ||= Value.new
+        @values[:x] ||= Value.new
+        @known_data = known_data
       end
 
-      # Implement a deep dup.
+      # Is used for the ld/ldx instructions.
+      #
+      # @param [#downcase, :a, :x] reg
+      #   Register to be set
+      # @return [void]
+      def load(reg, rel: nil, val: nil)
+        reg = reg.downcase.to_sym
+        values[reg] = if rel == :mem
+                        values[val]
+                      else
+                        Value.new(rel: rel, val: val)
+                      end
+      end
+
+      # Is used for the st/stx instructions.
+      #
+      # @param [Integer] idx
+      #   Index of +mem+ array.
+      # @param [#downcase, :a, :x] reg
+      #   Register.
+      #
+      # @return [void]
+      def store(idx, reg)
+        raise RangeError, "Expect 0 <= idx < 16, got #{idx}." unless idx.between?(0, 15)
+
+        values[idx] = values[reg.downcase.to_sym]
+      end
+
+      # Hints context that current value of register A equals to +val+.
+      #
+      # @param [Integer, :x] val
+      #   An immediate value or the symbol x.
+      # @return [self]
+      #   Returns the object itself.
+      def eql!(val)
+        tap do
+          # only cares if A is fetched from data
+          next unless a.data?
+          next known_data[a.val] = val if val.is_a?(Integer)
+          # A == X, we can handle these cases:
+          # * X is an immi
+          # * X is a known data
+          next unless x.data? || x.imm?
+          next known_data[a.val] = x.val if x.imm?
+
+          known_data[a.val] = known_data[x.val]
+        end
+      end
+
+      # Implements a deep dup.
       # @return [Context]
       def dup
-        Context.new(a: a, x: x, mem: values.dup)
+        Context.new(values: values.dup, known_data: known_data.dup)
       end
 
       # Register A.
-      # @return [Integer?]
+      # @return [Context::Value]
       def a
         values[:a]
       end
 
       # Register X.
-      # @return [Integer?]
+      # @return [Context::Value]
       def x
         values[:x]
       end
 
       # For conveniently get instance variable.
       # @param [String, Symbol, Integer] key
-      # @return [Integer?]
+      # @return [Context::Value]
       def [](key)
         return values[key] if key.is_a?(Integer) # mem
+
         values[key.downcase.to_sym]
       end
 
-      # For conveniently set instance variable.
-      # @param [#downcase, Integer] key
-      #   Can be +'A', 'a', :a, 'X', 'x', :x+ or an integer.
-      # @param [Integer?] val
+      # For conveniently set an instance variable.
+      # @param [#downcase, :a, :x] reg
+      #   Can be +'A', 'a', :a, 'X', 'x', :x+.
+      # @param [Value] val
       #   Value to set.
       # @return [void]
-      def []=(key, val)
-        if key.is_a?(Integer)
-          raise RangeError, "Expect 0 <= key < 16, got #{key}." unless key.between?(0, 15)
-          raise RangeError, "Expect 0 <= val < 64, got #{val}." unless val.nil? || val.between?(0, 63)
-          values[key] = val
-        else
-          values[key.downcase.to_sym] = val
-        end
+      def []=(reg, val)
+        values[reg.downcase.to_sym] = val
       end
 
-      # For +Set+ to compare two {Context} object.
+      # For +Set+ to compare two {Context} objects.
       # @param [Context] other
       # @return [Boolean]
       def eql?(other)
-        values.eql?(other.values)
+        values.eql?(other.values) && known_data.eql?(other.known_data)
       end
 
-      # For +Set+ to get hash key.
+      # For +Set+ to get the hash value.
       # @return [Integer]
       def hash
-        values.hash
+        values.hash ^ known_data.hash
       end
     end
   end