seccomp-tools 1.2.0 → 1.3.0

data/lib/seccomp-tools/instruction/ld.rb

@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
+require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/base'
+require 'seccomp-tools/util'
 
 module SeccompTools
   module Instruction
@@ -10,6 +14,7 @@ module SeccompTools
         _, _reg, type = symbolize
         return ret + type[:val].to_s if type[:rel] == :immi
         return ret + "mem[#{type[:val]}]" if type[:rel] == :mem
+
         ret + seccomp_data_str
       end
 
@@ -30,22 +35,17 @@ module SeccompTools
       #   Current context.
       # @return [Array<(Integer, Context)>]
       def branch(context)
-        nctx = context.dup
-        type = load_val
-        nctx[reg] = case type[:rel]
-                    when :immi then nil
-                    when :mem then context[type[:val]]
-                    when :data then type[:val]
-                    end
-        [[line + 1, nctx]]
+        ctx = context.dup
+        ctx.load(reg, **load_val)
+        [[line + 1, ctx]]
       end
 
       private
 
       def mode
         @mode ||= MODE.invert[code & 0xe0]
-        # Seccomp doesn't support this mode
-        invalid if @mode.nil? || @mode == :ind
+        # Seccomp doesn't support these modes
+        invalid if @mode.nil? || @mode == :ind || @mode == :msh
         @mode
       end
 
@@ -53,6 +53,7 @@ module SeccompTools
         return { rel: :immi, val: k } if mode == :imm
         return { rel: :immi, val: SIZEOF_SECCOMP_DATA } if mode == :len
         return { rel: :mem, val: k } if mode == :mem
+
         { rel: :data, val: k }
       end
 
@@ -71,9 +72,24 @@ module SeccompTools
         else
           idx = Array.new(12) { |i| i * 4 + 16 }.index(k)
           return 'INVALID' if idx.nil?
-          idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+
+          args_name(idx)
         end
       end
+
+      def args_name(idx)
+        sys_nrs = contexts.map { |ctx| ctx.known_data[0] }.uniq
+        default = idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+        return default if sys_nrs.size != 1 || sys_nrs.first.nil?
+
+        sys = Const::Syscall.const_get(arch.upcase.to_sym).invert[sys_nrs.first]
+        args = Const::SYS_ARG[sys]
+        return default if args.nil? || args[idx / 2].nil? # function prototype doesn't have that argument
+
+        comment = "# #{sys}(#{args.join(', ')})"
+        arg_name = Util.colorize(args[idx / 2], t: :args)
+        (idx.even? ? arg_name : "#{arg_name} >> 32") + ' ' + Util.colorize(comment, t: :gray)
+      end
     end
   end
 end

data/lib/seccomp-tools/instruction/ldx.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/ld'
 
 module SeccompTools

data/lib/seccomp-tools/instruction/misc.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/base'
 
 module SeccompTools

data/lib/seccomp-tools/instruction/ret.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/base'
 
 module SeccompTools
@@ -27,6 +29,7 @@ module SeccompTools
       def ret_str
         _, type = symbolize
         return 'A' if type == :a
+
         str = ACTION.invert[type & SECCOMP_RET_ACTION_FULL].to_s
         str << "(#{type & SECCOMP_RET_DATA})" if str == 'ERRNO'
         str

data/lib/seccomp-tools/instruction/st.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/ld'
 
 module SeccompTools
@@ -18,7 +20,7 @@ module SeccompTools
       # @return [Array<(Integer, Context)>]
       def branch(context)
         ctx = context.dup
-        ctx[k] = ctx[reg]
+        ctx.store(k, reg)
         [[line + 1, ctx]]
       end
     end

data/lib/seccomp-tools/instruction/stx.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/instruction/st'
 
 module SeccompTools

data/lib/seccomp-tools/syscall.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/const'
 require 'seccomp-tools/ptrace'
 
@@ -7,7 +9,7 @@ module SeccompTools
     # Syscall arguments offset of +struct user+ in different arch.
     ABI = {
       amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157, SYS_seccomp: 317 },
-      i386: { number: 120, args: [40, 88, 96, 104, 112, 32], ret: 80, SYS_prctl: 172 }
+      i386: { number: 120, args: [40, 88, 96, 104, 112, 32], ret: 80, SYS_prctl: 172, SYS_seccomp: 354 }
     }.freeze
 
     # @return [Integer] Process id.
@@ -27,6 +29,7 @@ module SeccompTools
     def initialize(pid)
       @pid = pid
       raise ArgumentError, "Only supports #{ABI.keys.join(', ')}" if ABI[arch].nil?
+
       @abi = ABI[arch]
       @number = peek(abi[:number])
       @args = abi[:args].map { |off| peek(off) }
@@ -40,6 +43,7 @@ module SeccompTools
     def set_seccomp?
       # TODO: handle SECCOMP_MODE_SET_STRICT / SECCOMP_MODE_STRICT
       return true if number == abi[:SYS_seccomp] && args[0] == Const::BPF::SECCOMP_SET_MODE_FILTER
+
       number == abi[:SYS_prctl] && args[0] == Const::BPF::PR_SET_SECCOMP && args[1] == Const::BPF::SECCOMP_MODE_FILTER
     end
 

data/lib/seccomp-tools/templates/asm.amd64.asm

@@ -0,0 +1,26 @@
+install_seccomp:
+  push   rbp
+  mov    rbp, rsp
+  push   38
+  pop    rdi
+  push   0x1
+  pop    rsi
+  xor    eax, eax
+  mov    al, 0x9d
+  syscall
+  push   22
+  pop    rdi
+  lea    rdx, [rip + _filter]
+  push   rdx /* .filter */
+  push   _filter_end - _filter >> 3 /* .len */
+  mov    rdx, rsp
+  push   0x2
+  pop    rsi
+  xor    eax, eax
+  mov    al, 0x9d
+  syscall
+  leave
+  ret
+_filter:
+.ascii "<TO_BE_REPLACED>"
+_filter_end:

data/lib/seccomp-tools/templates/asm.c

@@ -0,0 +1,17 @@
+#include <linux/seccomp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+
+static void install_seccomp() {
+  static unsigned char filter[] = {<TO_BE_REPLACED>};
+  struct prog {
+    unsigned short len;
+    unsigned char *filter;
+  } rule = {
+    .len = sizeof(filter) >> 3,
+    .filter = filter
+  };
+  if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); exit(2); }
+  if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &rule) < 0) { perror("prctl(PR_SET_SECCOMP)"); exit(2); }
+}

data/lib/seccomp-tools/templates/asm.i386.asm

@@ -0,0 +1,33 @@
+install_seccomp:
+  push   ebx
+  push   ebp
+  mov    ebp, esp
+  push   38
+  pop    ebx
+  push   0x1
+  pop    ecx
+  xor    eax, eax
+  mov    al, 0xac
+  int    0x80
+  push   22
+  pop    ebx
+  jmp    __get_eip__
+__back__:
+  pop    edx
+  push   edx /* .filter */
+  mov    edx, _filter_end - _filter >> 3 /* .len */
+  push   edx
+  mov    edx, esp
+  push   0x2
+  pop    ecx
+  xor    eax, eax
+  mov    al, 0xac
+  int    0x80
+  leave
+  pop    ebx
+  ret
+__get_eip__:
+  call __back__
+_filter:
+.ascii "<TO_BE_REPLACED>"
+_filter_end:

data/lib/seccomp-tools/util.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module SeccompTools
   # Define utility methods.
   module Util
@@ -7,7 +9,7 @@ module SeccompTools
     # @return [Array<Symbol>]
     #   Architectures.
     def supported_archs
-      @supported_archs ||= Dir.glob(File.join(__dir__, 'consts', '*.rb'))
+      @supported_archs ||= Dir.glob(File.join(__dir__, 'consts', 'sys_nr', '*.rb'))
                               .map { |f| File.basename(f, '.rb').to_sym }
                               .sort
     end
@@ -45,6 +47,7 @@ module SeccompTools
       esc_m: "\e[0m",
       syscall: "\e[38;5;120m", # light green
       arch: "\e[38;5;230m", # light yellow
+      args: "\e[38;5;230m", # light yellow, same as arch
       gray: "\e[2m"
     }.freeze
     # Wrapper color codes.
@@ -57,9 +60,21 @@ module SeccompTools
     def colorize(s, t: nil)
       s = s.to_s
       return s unless colorize_enabled?
+
       cc = COLOR_CODE
       color = cc[t]
       "#{color}#{s.sub(cc[:esc_m], cc[:esc_m] + color)}#{cc[:esc_m]}"
     end
+
+    # Get content of filename under directory templates/.
+    #
+    # @param [String] filename
+    #   The filename.
+    #
+    # @return [String]
+    #   Content of the file.
+    def template(filename)
+      IO.binread(File.join(__dir__, 'templates', filename))
+    end
   end
 end

data/lib/seccomp-tools/version.rb

@@ -1,4 +1,6 @@
+# frozen_string_literal: true
+
 module SeccompTools
   # Gem version.
-  VERSION = '1.2.0'.freeze
+  VERSION = '1.3.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: seccomp-tools
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-05 00:00:00.000000000 Z
+date: 2019-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.54'
+        version: '0.59'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.54'
+        version: '0.59'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -135,8 +135,9 @@ files:
 - lib/seccomp-tools/cli/dump.rb
 - lib/seccomp-tools/cli/emu.rb
 - lib/seccomp-tools/const.rb
-- lib/seccomp-tools/consts/amd64.rb
-- lib/seccomp-tools/consts/i386.rb
+- lib/seccomp-tools/consts/sys_arg.rb
+- lib/seccomp-tools/consts/sys_nr/amd64.rb
+- lib/seccomp-tools/consts/sys_nr/i386.rb
 - lib/seccomp-tools/disasm/context.rb
 - lib/seccomp-tools/disasm/disasm.rb
 - lib/seccomp-tools/dumper.rb
@@ -152,12 +153,19 @@ files:
 - lib/seccomp-tools/instruction/st.rb
 - lib/seccomp-tools/instruction/stx.rb
 - lib/seccomp-tools/syscall.rb
+- lib/seccomp-tools/templates/asm.amd64.asm
+- lib/seccomp-tools/templates/asm.c
+- lib/seccomp-tools/templates/asm.i386.asm
 - lib/seccomp-tools/util.rb
 - lib/seccomp-tools/version.rb
-homepage: https://github.com/david942j/seccomp-tools
+homepage: 
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/david942j/seccomp-tools/issues
+  documentation_uri: https://www.rubydoc.info/github/david942j/seccomp-tools/master
+  homepage_uri: https://github.com/david942j/seccomp-tools
+  source_code_uri: https://github.com/david942j/seccomp-tools
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -166,15 +174,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.1.0
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: seccomp-tools