RubyGems - seccomp-tools - Versions diffs - 1.1.0 → 1.5.0 - Mend

seccomp-tools 1.1.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml +5 -5
data/README.md +112 -30
data/bin/seccomp-tools +1 -0
data/ext/ptrace/extconf.rb +2 -0
data/ext/ptrace/ptrace.c +107 -5
data/lib/seccomp-tools.rb +5 -0
data/lib/seccomp-tools/asm/asm.rb +5 -2
data/lib/seccomp-tools/asm/compiler.rb +96 -18
data/lib/seccomp-tools/asm/tokenizer.rb +25 -8
data/lib/seccomp-tools/bpf.rb +7 -4
data/lib/seccomp-tools/cli/asm.rb +16 -6
data/lib/seccomp-tools/cli/base.rb +10 -4
data/lib/seccomp-tools/cli/cli.rb +9 -6
data/lib/seccomp-tools/cli/disasm.rb +6 -2
data/lib/seccomp-tools/cli/dump.rb +37 -6
data/lib/seccomp-tools/cli/emu.rb +41 -22
data/lib/seccomp-tools/const.rb +47 -16
data/lib/seccomp-tools/consts/sys_arg.rb +432 -0
data/lib/seccomp-tools/consts/sys_nr/aarch64.rb +284 -0
data/lib/seccomp-tools/consts/{amd64.rb → sys_nr/amd64.rb} +6 -1
data/lib/seccomp-tools/consts/{i386.rb → sys_nr/i386.rb} +18 -15
data/lib/seccomp-tools/disasm/context.rb +125 -34
data/lib/seccomp-tools/disasm/disasm.rb +5 -2
data/lib/seccomp-tools/dumper.rb +75 -8
data/lib/seccomp-tools/emulator.rb +19 -8
data/lib/seccomp-tools/instruction/alu.rb +7 -2
data/lib/seccomp-tools/instruction/base.rb +5 -3
data/lib/seccomp-tools/instruction/instruction.rb +2 -0
data/lib/seccomp-tools/instruction/jmp.rb +28 -14
data/lib/seccomp-tools/instruction/ld.rb +28 -12
data/lib/seccomp-tools/instruction/ldx.rb +2 -0
data/lib/seccomp-tools/instruction/misc.rb +2 -0
data/lib/seccomp-tools/instruction/ret.rb +14 -2
data/lib/seccomp-tools/instruction/st.rb +4 -2
data/lib/seccomp-tools/instruction/stx.rb +2 -0
data/lib/seccomp-tools/logger.rb +40 -0
data/lib/seccomp-tools/syscall.rb +24 -13
data/lib/seccomp-tools/templates/asm.amd64.asm +26 -0
data/lib/seccomp-tools/templates/asm.c +17 -0
data/lib/seccomp-tools/templates/asm.i386.asm +33 -0
data/lib/seccomp-tools/util.rb +24 -3
data/lib/seccomp-tools/version.rb +3 -1
metadata +51 -44

data/lib/seccomp-tools/instruction/ldx.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'seccomp-tools/instruction/ld'
 module SeccompTools

data/lib/seccomp-tools/instruction/misc.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'seccomp-tools/instruction/base'
 module SeccompTools

data/lib/seccomp-tools/instruction/ret.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'seccomp-tools/instruction/base'
 module SeccompTools
@@ -6,8 +8,7 @@ module SeccompTools
     class RET < Base
       # Decompile instruction.
       def decompile
-        _, type = symbolize
-        "return #{type == :a ? 'A' : ACTION.invert[type & 0x7fff0000]}"
+        "return #{ret_str}"
       end
       # See {Instruction::Base#symbolize}.
@@ -22,6 +23,17 @@ module SeccompTools
       def branch(*)
         []
       end
+      private
+      def ret_str
+        _, type = symbolize
+        return 'A' if type == :a
+        str = ACTION.invert[type & SECCOMP_RET_ACTION_FULL].to_s
+        str << "(#{type & SECCOMP_RET_DATA})" if str == 'ERRNO'
+        str
+      end
     end
   end
 end

data/lib/seccomp-tools/instruction/st.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'seccomp-tools/instruction/ld'
 module SeccompTools
@@ -10,7 +12,7 @@ module SeccompTools
       end
       # See {Instruction::Base#symbolize}.
-      # @return [[:misc, (:a, :x), Integer]]
+      # @return [[:st, (:a, :x), Integer]]
       def symbolize
         [:st, reg.downcase.to_sym, k]
       end
@@ -18,7 +20,7 @@ module SeccompTools
       # @return [Array<(Integer, Context)>]
       def branch(context)
         ctx = context.dup
-        ctx[k] = ctx[reg]
+        ctx.store(k, reg)
         [[line + 1, ctx]]
       end
     end

data/lib/seccomp-tools/instruction/stx.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'seccomp-tools/instruction/st'
 module SeccompTools

data/lib/seccomp-tools/logger.rb ADDED Viewed

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+require 'logger'
+require 'seccomp-tools/util'
+module SeccompTools
+  # A logger for internal use.
+  #
+  # @private
+  module Logger
+    module_function
+    # Returns a +::Logger+ object for internal logging.
+    #
+    # @return [::Logger]
+    def logger
+      ::Logger.new($stdout).tap do |log|
+        log.formatter = proc do |severity, _datetime, _progname, msg|
+          prep = ' ' * (severity.size + 3)
+          message = msg.lines.map.with_index do |str, i|
+            next str if i.zero?
+            str.strip.empty? ? str : prep + str
+          end
+          color = severity.downcase.to_sym
+          msg = +"[#{SeccompTools::Util.colorize(severity, t: color)}] #{message.join}"
+          msg << "\n" unless msg.end_with?("\n")
+          msg
+        end
+      end
+    end
+    %i[error].each do |sym|
+      define_method(sym) do |msg|
+        logger.__send__(sym, msg)
+      end
+    end
+  end
+end

data/lib/seccomp-tools/syscall.rb CHANGED Viewed

@@ -1,13 +1,18 @@
+# frozen_string_literal: true
+require 'os'
 require 'seccomp-tools/const'
-require 'seccomp-tools/ptrace'
+require 'seccomp-tools/ptrace' if OS.linux?
 module SeccompTools
   # Record syscall number, arguments, return value.
   class Syscall
     # Syscall arguments offset of +struct user+ in different arch.
     ABI = {
-      amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157 },
-      i386: { number: 120, args: [40, 88, 96, 104, 112, 32], ret: 80, SYS_prctl: 172 }
+      amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157, SYS_seccomp: 317 },
+      i386: { number: 44, args: [0, 4, 8, 12, 16, 20], ret: 24, SYS_prctl: 172, SYS_seccomp: 354 },
+      aarch64: { number: 64, args: [0, 8, 16, 24, 32, 40, 48], ret: 0, SYS_prctl: 167, SYS_seccomp: 277 }
     }.freeze
     # @return [Integer] Process id.
@@ -27,17 +32,21 @@ module SeccompTools
     def initialize(pid)
       @pid = pid
       raise ArgumentError, "Only supports #{ABI.keys.join(', ')}" if ABI[arch].nil?
       @abi = ABI[arch]
       @number = peek(abi[:number])
       @args = abi[:args].map { |off| peek(off) }
       @ret = peek(abi[:ret])
     end
-    # Is this a +prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, addr)+ syscall?
+    # Is this a +seccomp(SECCOMP_MODE_FILTER, addr)+/+prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, addr)+ syscall?
+    #
     # @return [Boolean]
     #   +true+ for is a seccomp installation syscall.
     def set_seccomp?
-      # TODO: handle SECCOMP_MODE_STRICT
+      # TODO: handle SECCOMP_MODE_SET_STRICT / SECCOMP_MODE_STRICT
+      return true if number == abi[:SYS_seccomp] && args[0] == Const::BPF::SECCOMP_SET_MODE_FILTER
       number == abi[:SYS_prctl] && args[0] == Const::BPF::PR_SET_SECCOMP && args[1] == Const::BPF::SECCOMP_MODE_FILTER
     end
@@ -54,10 +63,11 @@ module SeccompTools
     #   Architecture of this syscall.
     def arch
       @arch ||= File.open("/proc/#{pid}/exe", 'rb') do |f|
-        f.pos = 4
+        f.pos = 18
         case f.read(1).ord
-        when 1 then :i386
-        when 2 then :amd64
+        when 3 then :i386
+        when 62 then :amd64
+        when 183 then :aarch64
         end
       end
     end
@@ -65,14 +75,15 @@ module SeccompTools
     private
     def bits
-      case arch
-      when :i386 then 32
-      when :amd64 then 64
-      end
+      {
+        i386: 32,
+        amd64: 64,
+        aarch64: 64
+      }[arch]
     end
     def peek(offset)
-      Ptrace.peekuser(pid, offset, 0)
+      Ptrace.peekuser(pid, offset, 0, bits)
     end
   end
 end

data/lib/seccomp-tools/templates/asm.amd64.asm ADDED Viewed

@@ -0,0 +1,26 @@
+install_seccomp:
+  push   rbp
+  mov    rbp, rsp
+  push   38
+  pop    rdi
+  push   0x1
+  pop    rsi
+  xor    eax, eax
+  mov    al, 0x9d
+  syscall
+  push   22
+  pop    rdi
+  lea    rdx, [rip + _filter]
+  push   rdx /* .filter */
+  push   _filter_end - _filter >> 3 /* .len */
+  mov    rdx, rsp
+  push   0x2
+  pop    rsi
+  xor    eax, eax
+  mov    al, 0x9d
+  syscall
+  leave
+  ret
+_filter:
+.ascii "<TO_BE_REPLACED>"
+_filter_end:

data/lib/seccomp-tools/templates/asm.c ADDED Viewed

@@ -0,0 +1,17 @@
+#include <linux/seccomp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+static void install_seccomp() {
+  static unsigned char filter[] = {<TO_BE_REPLACED>};
+  struct prog {
+    unsigned short len;
+    unsigned char *filter;
+  } rule = {
+    .len = sizeof(filter) >> 3,
+    .filter = filter
+  };
+  if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); exit(2); }
+  if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &rule) < 0) { perror("prctl(PR_SET_SECCOMP)"); exit(2); }
+}

data/lib/seccomp-tools/templates/asm.i386.asm ADDED Viewed

@@ -0,0 +1,33 @@
+install_seccomp:
+  push   ebx
+  push   ebp
+  mov    ebp, esp
+  push   38
+  pop    ebx
+  push   0x1
+  pop    ecx
+  xor    eax, eax
+  mov    al, 0xac
+  int    0x80
+  push   22
+  pop    ebx
+  jmp    __get_eip__
+__back__:
+  pop    edx
+  push   edx /* .filter */
+  mov    edx, _filter_end - _filter >> 3 /* .len */
+  push   edx
+  mov    edx, esp
+  push   0x2
+  pop    ecx
+  xor    eax, eax
+  mov    al, 0xac
+  int    0x80
+  leave
+  pop    ebx
+  ret
+__get_eip__:
+  call __back__
+_filter:
+.ascii "<TO_BE_REPLACED>"
+_filter_end:

data/lib/seccomp-tools/util.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module SeccompTools
   # Define utility methods.
   module Util
@@ -7,7 +9,9 @@ module SeccompTools
     # @return [Array<Symbol>]
     #   Architectures.
     def supported_archs
-      @archs ||= Dir.glob(File.join(__dir__, 'consts', '*.rb')).map { |f| File.basename(f, '.rb').to_sym }.sort
+      @supported_archs ||= Dir.glob(File.join(__dir__, 'consts', 'sys_nr', '*.rb'))
+                              .map { |f| File.basename(f, '.rb').to_sym }
+                              .sort
     end
     # Detect system architecture.
@@ -16,6 +20,7 @@ module SeccompTools
       case RbConfig::CONFIG['host_cpu']
       when /x86_64/ then :amd64
       when /i386/ then :i386
+      when /aarch64/ then :aarch64
       else :unknown
       end
     end
@@ -38,12 +43,16 @@ module SeccompTools
       !@disable_color && $stdout.tty?
     end
+    # color code of light yellow
+    LIGHT_YELLOW = "\e[38;5;230m"
     # Color codes for pretty print.
     COLOR_CODE = {
       esc_m: "\e[0m",
       syscall: "\e[38;5;120m", # light green
-      arch: "\e[38;5;230m", # light yellow
-      gray: "\e[2m"
+      arch: LIGHT_YELLOW,
+      args: LIGHT_YELLOW,
+      gray: "\e[2m",
+      error: "\e[38;5;196m" # heavy red
     }.freeze
     # Wrapper color codes.
     # @param [String] s
@@ -55,9 +64,21 @@ module SeccompTools
     def colorize(s, t: nil)
       s = s.to_s
       return s unless colorize_enabled?
       cc = COLOR_CODE
       color = cc[t]
       "#{color}#{s.sub(cc[:esc_m], cc[:esc_m] + color)}#{cc[:esc_m]}"
     end
+    # Get content of filename under directory templates/.
+    #
+    # @param [String] filename
+    #   The filename.
+    #
+    # @return [String]
+    #   Content of the file.
+    def template(filename)
+      IO.binread(File.join(__dir__, 'templates', filename))
+    end
   end
 end

data/lib/seccomp-tools/version.rb CHANGED Viewed

@@ -1,4 +1,6 @@
+# frozen_string_literal: true
 module SeccompTools
   # Gem version.
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.5.0'
 end

metadata CHANGED Viewed

@@ -1,127 +1,125 @@
 --- !ruby/object:Gem::Specification
 name: seccomp-tools
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.5.0
 platform: ruby
 authors:
 - david942j
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-29 00:00:00.000000000 Z
+date: 2021-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
-  name: rake-compiler
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
+        version: '0.17'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0.49'
+        version: '0.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.49'
+        version: '0.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.18'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: '0.9'
 - !ruby/object:Gem::Dependency
-  name: yard
+  name: os
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
+        version: '1.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.1
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '1.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.1
 description: |
   Provide useful tools to analyze seccomp rules.
   Visit https://github.com/david942j/seccomp-tools for more details.
@@ -149,8 +147,10 @@ files:
 - lib/seccomp-tools/cli/dump.rb
 - lib/seccomp-tools/cli/emu.rb
 - lib/seccomp-tools/const.rb
-- lib/seccomp-tools/consts/amd64.rb
-- lib/seccomp-tools/consts/i386.rb
+- lib/seccomp-tools/consts/sys_arg.rb
+- lib/seccomp-tools/consts/sys_nr/aarch64.rb
+- lib/seccomp-tools/consts/sys_nr/amd64.rb
+- lib/seccomp-tools/consts/sys_nr/i386.rb
 - lib/seccomp-tools/disasm/context.rb
 - lib/seccomp-tools/disasm/disasm.rb
 - lib/seccomp-tools/dumper.rb
@@ -165,13 +165,21 @@ files:
 - lib/seccomp-tools/instruction/ret.rb
 - lib/seccomp-tools/instruction/st.rb
 - lib/seccomp-tools/instruction/stx.rb
+- lib/seccomp-tools/logger.rb
 - lib/seccomp-tools/syscall.rb
+- lib/seccomp-tools/templates/asm.amd64.asm
+- lib/seccomp-tools/templates/asm.c
+- lib/seccomp-tools/templates/asm.i386.asm
 - lib/seccomp-tools/util.rb
 - lib/seccomp-tools/version.rb
-homepage: https://github.com/david942j/seccomp-tools
+homepage:
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/david942j/seccomp-tools/issues
+  documentation_uri: https://www.rubydoc.info/github/david942j/seccomp-tools/master
+  homepage_uri: https://github.com/david942j/seccomp-tools
+  source_code_uri: https://github.com/david942j/seccomp-tools
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -180,15 +188,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.1.0
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.2
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: seccomp-tools