seccomp-tools 1.1.0 → 1.5.0

data/lib/seccomp-tools/disasm/disasm.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'set'
 
 require 'seccomp-tools/bpf'
@@ -28,10 +30,11 @@ module SeccompTools
         code.contexts = ctxs
         code.disasm
       end.join("\n")
-      <<EOS + dis + "\n"
+      <<-EOS
  line  CODE  JT   JF      K
 =================================
-EOS
+#{dis}
+      EOS
     end
 
     # Convert raw bpf string to array of {BPF}.

data/lib/seccomp-tools/dumper.rb

@@ -1,10 +1,19 @@
-require 'seccomp-tools/ptrace'
+# frozen_string_literal: true
+
+require 'os'
+
+require 'seccomp-tools/logger'
+require 'seccomp-tools/ptrace' if OS.linux?
 require 'seccomp-tools/syscall'
 
 module SeccompTools
   # Dump seccomp-bpf using ptrace of binary.
-  # Currently only support x86_64.
+  # Currently only support x86_64 and aarch64.
   module Dumper
+    # Whether the dumper is supported.
+    # Dumper works based on ptrace, so we need the platform be Linux.
+    SUPPORTED = OS.linux?
+
     module_function
 
     # Main bpf dump function.
@@ -32,6 +41,8 @@ module SeccompTools
     # @todo
     #   +timeout+ option.
     def dump(*args, limit: 1, &block)
+      return [] unless SUPPORTED
+
       pid = fork { handle_child(*args) }
       Handler.new(pid).handle(limit, &block)
     end
@@ -54,6 +65,8 @@ module SeccompTools
       #   Child will be killed when number of calling +prctl(SET_SECCOMP)+ reaches +limit+.
       # @yieldparam [String] bpf
       #   Seccomp bpf in raw bytes.
+      # @yieldparam [Symbol] arch
+      #   Architecture, either :i386 or :amd64.
       # @return [Array<Object>, Array<String>]
       #   Return the block returned. If block is not given, array of raw bytes will be returned.
       def handle(limit, &block)
@@ -74,7 +87,8 @@ module SeccompTools
           end
           !limit.zero?
         end
-        syscalls.keys.each { |cpid| Process.kill('KILL', cpid) if alive?(cpid) }
+        syscalls.each_key { |cpid| Process.kill('KILL', cpid) if alive?(cpid) }
+        Process.waitall
         collect
       end
 
@@ -95,9 +109,9 @@ module SeccompTools
           cont = yield(child)
         end
         Ptrace.syscall(child, 0, 0) unless status.exited?
-        return cont
+        cont
       rescue Errno::ECHILD
-        return false
+        false
       end
 
       # @return [SeccompTools::Syscall]
@@ -119,11 +133,64 @@ module SeccompTools
       def handle_child(*args)
         Ptrace.traceme_and_stop
         exec(*args)
-      rescue # exec fail
-        # TODO: use logger
-        $stderr.puts("Failed to execute #{args.join(' ')}")
+      rescue # rubocop:disable Style/RescueStandardError # exec fail
+        Logger.error("Failed to execute #{args.join(' ')}")
         exit(1)
       end
     end
+
+    # Dump installed seccomp-bpf of an existing process using PTRACE_SECCOMP_GET_FILTER.
+    #
+    # Dump the installed seccomp-bpf from a running process. This is achieved by the ptrace command
+    # PTRACE_SECCOMP_GET_FILTER, which needs CAP_SYS_ADMIN capability.
+    #
+    # @param [Integer] pid
+    #   Target process identifier.
+    # @param [Integer] limit
+    #   Number of filters to dump. Negative number for unlimited.
+    # @yieldparam [String] bpf
+    #   Seccomp bpf in raw bytes.
+    # @yieldparam [Symbol] arch
+    #   Architecture of the target process (always nil right now).
+    # @return [Array<Object>, Array<String>]
+    #   Return the block returned. If block is not given, array of raw bytes will be returned.
+    # @raise [Errno::ESRCH]
+    #   Raises when the target process does not exist.
+    # @raise [Errno::EPERM]
+    #   Raises the error if not allowed to attach.
+    # @raise [Errno::EACCES]
+    #   Raises the error if not allowed to dump (e.g. no CAP_SYS_ADMIN).
+    # @example
+    #   pid1 = Process.spawn('sleep inf')
+    #   dump_by_pid(pid1, 1)
+    #   # empty because there is no seccomp installed
+    #   #=> []
+    # @example
+    #   pid2 = Process.spawn('spec/binary/twctf-2016-diary')
+    #   # give it some time to install the filter
+    #   sleep(1)
+    #   dump_by_pid(pid2, 1) { |c| c[0, 10] }
+    #   #=> [" \x00\x00\x00\x00\x00\x00\x00\x15\x00"]
+    def dump_by_pid(pid, limit, &block)
+      return [] unless SUPPORTED
+
+      collect = []
+      Ptrace.attach_and_wait(pid)
+      begin
+        i = 0
+        while limit.negative? || i < limit
+          begin
+            bpf = Ptrace.seccomp_get_filter(pid, i)
+          rescue Errno::ENOENT, Errno::EINVAL
+            break
+          end
+          collect << (block.nil? ? bpf : yield(bpf, nil))
+          i += 1
+        end
+      ensure
+        Ptrace.detach(pid)
+      end
+      collect
+    end
   end
 end

data/lib/seccomp-tools/emulator.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/const'
 
 module SeccompTools
-  # For emulation seccomp.
+  # For emulating seccomp.
   class Emulator
     # Instantiate a {Emulator} object.
     #
@@ -31,6 +33,7 @@ module SeccompTools
       @values = { pc: 0, a: 0, x: 0 }
       loop do
         break if @values[:ret] # break when returned
+
         yield(@values) if block_given?
         inst = @instructions[pc]
         op, *args = inst.symbolize
@@ -39,7 +42,7 @@ module SeccompTools
         when :ld then ld(args[0], args[1]) # ld/ldx
         when :st then st(args[0], args[1]) # st/stx
         when :jmp then jmp(args[0]) # directly jmp
-        when :cmp then cmp(*args[0, 4]) # jmp with comparsion
+        when :cmp then cmp(*args[0, 4]) # jmp with comparison
         when :alu then alu(args[0], args[1]) # alu
         when :misc then misc(args[0]) # misc: txa/tax
         end
@@ -55,10 +58,11 @@ module SeccompTools
     end
 
     def audit(arch)
-      type = case arch
-             when :amd64 then 'ARCH_X86_64'
-             when :i386 then 'ARCH_I386'
-             end
+      type = {
+        amd64: 'ARCH_X86_64',
+        i386: 'ARCH_I386',
+        aarch64: 'ARCH_AARCH64'
+      }[arch]
       Const::Audit::ARCH[type]
     end
 
@@ -79,6 +83,7 @@ module SeccompTools
 
     def st(reg, index)
       raise IndexError, "Expect 0 <= index < 16, got: #{index}" unless index.between?(0, 15)
+
       set(:mem, index, get(reg))
     end
 
@@ -86,10 +91,11 @@ module SeccompTools
       set(:pc, get(:pc) + k + 1)
     end
 
+    # Emulates cmp instruction.
     def cmp(op, src, jt, jf)
       src = get(:x) if src == :x
       a = get(:a)
-      val = a.send(op, src)
+      val = a.__send__(op, src)
       val = (val != 0) if val.is_a?(Integer) # handle & operator
       j = val ? jt : jf
       set(:pc, get(:pc) + j + 1)
@@ -100,7 +106,7 @@ module SeccompTools
         set(:a, 2**32 - get(:a))
       else
         src = get(:x) if src == :x
-        set(:a, get(:a).send(op, src))
+        set(:a, get(:a).__send__(op, src))
       end
     end
 
@@ -115,10 +121,12 @@ module SeccompTools
       if arg.size == 1
         arg = arg.first
         raise ArgumentError, "Invalid #{arg}" unless %i[a x pc ret].include?(arg)
+
         @values[arg] = val & 0xffffffff
       else
         raise ArgumentError, arg.to_s unless arg.first == :mem
         raise IndexError, "Invalid index: #{arg[1]}" unless arg[1].between?(0, 15)
+
         @values[arg[1]] = val & 0xffffffff
       end
     end
@@ -127,15 +135,18 @@ module SeccompTools
       if arg.size == 1
         arg = arg.first
         raise ArgumentError, "Invalid #{arg}" unless %i[a x pc ret].include?(arg)
+
         undefined(arg.upcase) if @values[arg].nil?
         return @values[arg]
       end
       return @values[arg[1]] if arg.first == :mem
+
       data_of(arg[1])
     end
 
     def data_of(index)
       raise IndexError, "Invalid index: #{index}" unless (index & 3).zero? && index.between?(0, 63)
+
       index /= 4
       case index
       when 0 then @sys_nr || undefined('sys_number')

data/lib/seccomp-tools/instruction/alu.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/base'
 
 module SeccompTools
@@ -21,6 +23,7 @@ module SeccompTools
       # Decompile instruction.
       def decompile
         return 'A = -A' if op == :neg
+
         "A #{op_sym}= #{src_str}"
       end
 
@@ -28,6 +31,7 @@ module SeccompTools
       # @return [[:alu, Symbol, (:x, Integer, nil)]]
       def symbolize
         return [:alu, :neg, nil] if op == :neg
+
         [:alu, op_sym, src]
       end
 
@@ -37,7 +41,7 @@ module SeccompTools
       # @return [Array<(Integer, Context)>]
       def branch(context)
         ctx = context.dup
-        ctx[:a] = nil
+        ctx[:a] = Disasm::Context::Value.new
         [[line + 1, ctx]]
       end
 
@@ -55,9 +59,10 @@ module SeccompTools
 
       def src_str
         return 'X' if src == :x
+
         case op
         when :lsh, :rsh then src.to_s
-        else '0x' + src.to_s(16)
+        else "0x#{src.to_s(16)}"
         end
       end
 

data/lib/seccomp-tools/instruction/base.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/const'
 
 module SeccompTools
   # For instructions' class.
   module Instruction
-    # Base class for different instruction.
+    # Base class of instructions.
     class Base
       include SeccompTools::Const::BPF
 
@@ -22,7 +24,7 @@ module SeccompTools
         raise ArgumentError, "Line #{line} is invalid: #{msg}"
       end
 
-      # Return the possible branches after executing this instruction.
+      # Returns the possible branches after executing this instruction.
       # @param [Context] _context
       #   Current context.
       # @return [Array<(Integer, Context)>]
@@ -47,7 +49,7 @@ module SeccompTools
 
       %i(code jt jf k arch line contexts).each do |sym|
         define_method(sym) do
-          @bpf.send(sym)
+          @bpf.__send__(sym)
         end
       end
     end

data/lib/seccomp-tools/instruction/instruction.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/alu'
 require 'seccomp-tools/instruction/jmp'
 require 'seccomp-tools/instruction/ld'

data/lib/seccomp-tools/instruction/jmp.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/base'
 
@@ -9,20 +11,21 @@ module SeccompTools
       def decompile
         return goto(k) if jop == :none
         # if jt == 0 && jf == 0 => no-op # should not happen
-        # jt == 0 => if(!) goto jf
+        # jt == 0 => if(!) goto jf;
         # jf == 0 => if() goto jt;
         # otherwise => if () goto jt; else goto jf;
         return '/* no-op */' if jt.zero? && jf.zero?
         return goto(jt) if jt == jf
-        return if_str + goto(jt) + ' else ' + goto(jf) unless jt.zero? || jf.zero?
-        return if_str + goto(jt) if jf.zero?
-        if_str(true) + goto(jf)
+        return if_str(neg: true) + goto(jf) if jt.zero?
+
+        if_str + goto(jt) + (jf.zero? ? '' : " else #{goto(jf)}")
       end
 
       # See {Instruction::Base#symbolize}.
       # @return [[:cmp, Symbol, (:x, Integer), Integer, Integer], [:jmp, Integer]]
       def symbolize
         return [:jmp, k] if jop == :none
+
         [:cmp, jop, src, jt, jf]
       end
 
@@ -33,6 +36,8 @@ module SeccompTools
       def branch(context)
         return [[at(k), context]] if jop == :none
         return [[at(jt), context]] if jt == jf
+        return [[at(jt), context.dup.eql!(src)], [at(jf), context]] if jop == :==
+
         [[at(jt), context], [at(jf), context]]
       end
 
@@ -51,19 +56,27 @@ module SeccompTools
 
       def src_str
         return 'X' if src == :x
+
         # if A in all contexts are same
         a = contexts.map(&:a).uniq
         return k.to_s if a.size != 1
+
         a = a[0]
-        return k.to_s if a.nil?
-        hex = '0x' + k.to_s(16)
-        case a
-        when 0 then Util.colorize(Const::Syscall.const_get(arch.upcase.to_sym).invert[k] || hex, t: :syscall)
+        return k.to_s unless a.data?
+
+        hex = "0x#{k.to_s(16)}"
+        case a.val
+          # interpret as syscalls only if it's an equality test
+        when 0 then Util.colorize(jop == :== ? sysname_by_k || hex : hex, t: :syscall)
         when 4 then Util.colorize(Const::Audit::ARCH.invert[k] || hex, t: :arch)
         else hex
         end
       end
 
+      def sysname_by_k
+        Const::Syscall.const_get(arch.upcase.to_sym).invert[k]
+      end
+
       def src
         SRC.invert[code & 8] == :x ? :x : k
       end
@@ -76,14 +89,15 @@ module SeccompTools
         line + off + 1
       end
 
-      def if_str(neg = false)
+      def if_str(neg: false)
         return "if (A #{jop} #{src_str}) " unless neg
         return "if (!(A & #{src_str})) " if jop == :&
-        op = case jop
-             when :>= then :<
-             when :> then :<=
-             when :== then :!=
-             end
+
+        op = {
+          :>= => :<,
+          :> => :<=,
+          :== => :!=
+        }[jop]
         "if (A #{op} #{src_str}) "
       end
     end

data/lib/seccomp-tools/instruction/ld.rb

@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
+require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/base'
+require 'seccomp-tools/util'
 
 module SeccompTools
   module Instruction
@@ -6,10 +10,11 @@ module SeccompTools
     class LD < Base
       # Decompile instruction.
       def decompile
-        ret = reg + ' = '
+        ret = "#{reg} = "
         _, _reg, type = symbolize
         return ret + type[:val].to_s if type[:rel] == :immi
         return ret + "mem[#{type[:val]}]" if type[:rel] == :mem
+
         ret + seccomp_data_str
       end
 
@@ -30,22 +35,17 @@ module SeccompTools
       #   Current context.
       # @return [Array<(Integer, Context)>]
       def branch(context)
-        nctx = context.dup
-        type = load_val
-        nctx[reg] = case type[:rel]
-                    when :immi then nil
-                    when :mem then context[type[:val]]
-                    when :data then type[:val]
-                    end
-        [[line + 1, nctx]]
+        ctx = context.dup
+        ctx.load(reg, **load_val)
+        [[line + 1, ctx]]
       end
 
       private
 
       def mode
         @mode ||= MODE.invert[code & 0xe0]
-        # Seccomp doesn't support this mode
-        invalid if @mode.nil? || @mode == :ind
+        # Seccomp doesn't support these modes
+        invalid if @mode.nil? || @mode == :ind || @mode == :msh
         @mode
       end
 
@@ -53,6 +53,7 @@ module SeccompTools
         return { rel: :immi, val: k } if mode == :imm
         return { rel: :immi, val: SIZEOF_SECCOMP_DATA } if mode == :len
         return { rel: :mem, val: k } if mode == :mem
+
         { rel: :data, val: k }
       end
 
@@ -71,9 +72,24 @@ module SeccompTools
         else
           idx = Array.new(12) { |i| i * 4 + 16 }.index(k)
           return 'INVALID' if idx.nil?
-          idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+
+          args_name(idx)
         end
       end
+
+      def args_name(idx)
+        sys_nrs = contexts.map { |ctx| ctx.known_data[0] }.uniq
+        default = idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+        return default if sys_nrs.size != 1 || sys_nrs.first.nil?
+
+        sys = Const::Syscall.const_get(arch.upcase.to_sym).invert[sys_nrs.first]
+        args = Const::SYS_ARG[sys]
+        return default if args.nil? || args[idx / 2].nil? # function prototype doesn't have that argument
+
+        comment = "# #{sys}(#{args.join(', ')})"
+        arg_name = Util.colorize(args[idx / 2], t: :args)
+        "#{idx.even? ? arg_name : "#{arg_name} >> 32"} #{Util.colorize(comment, t: :gray)}"
+      end
     end
   end
 end