seccomp-tools 1.4.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2726a64dc089ec7c492cedad9a98d500c656dce84ca593a505d95a42cd07906c
-  data.tar.gz: c8d3eec04aa38ead5bac1727bb4a1a29199283e648b902edb38df2a7fc4e539f
+  metadata.gz: 898cc2a23df6443f39054c4b9027a576fb929729f74fc804ae82ae3b11c6772e
+  data.tar.gz: 0e07d2d1914ac7185135425d0e34f0dcb1b6100e977176d8bd9ce23f95a3f287
 SHA512:
-  metadata.gz: 2639ed20158afda2cc96dfeb16899f417d50180da548b4a45a0024c12119d0b9908649979fb9ab00287d41478f507eb6740ffda855aa238cd82755d774ca82de
-  data.tar.gz: 6e6df86398ee4bde9ff9c54647dc5af95eb03e40001cf6117077afeecf20ecaed12f6e3f53b47bda1e2908094632c12e9d7faee3ee72c2422d7665016e583eff
+  metadata.gz: ec604fca33e16dd6ca77e923e34629338245828abdf3c97e9974d205a2306aa9ae0f3bc074b90e056790a8de86ed6484ab17ce190524b30394f2fda2b5dd9432
+  data.tar.gz: 399e5e77fa99de23f3ad5013c442fc29a800a261d04150ab0bd467744a9302601ca7c60e5570e4e65f423cf4c93e4eb4428ae3f33b97d6a64c223af13b342e47

data/README.md

@@ -1,26 +1,26 @@
-[![Build Status](https://travis-ci.org/david942j/seccomp-tools.svg?branch=master)](https://travis-ci.org/david942j/seccomp-tools)
-[![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=david942j/seccomp-tools)](https://dependabot.com)
+[![Build Status](https://github.com/david942j/seccomp-tools/workflows/build/badge.svg)](https://github.com/david942j/seccomp-tools/actions)
 [![Code Climate](https://codeclimate.com/github/david942j/seccomp-tools/badges/gpa.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
 [![Issue Count](https://codeclimate.com/github/david942j/seccomp-tools/badges/issue_count.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
 [![Test Coverage](https://codeclimate.com/github/david942j/seccomp-tools/badges/coverage.svg)](https://codeclimate.com/github/david942j/seccomp-tools/coverage)
 [![Inline docs](https://inch-ci.org/github/david942j/seccomp-tools.svg?branch=master)](https://inch-ci.org/github/david942j/seccomp-tools)
+[![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](https://www.rubydoc.info/github/david942j/seccomp-tools/)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
 
 # Seccomp Tools
 Provide powerful tools for seccomp analysis.
 
-This project is targeted to (but not limited to) analyze seccomp sandbox in CTF pwn challenges.
-Some features might be CTF-specific, but still useful for analyzing seccomp in real-case.
+This project targets to (but is not limited to) analyze seccomp sandbox in CTF pwn challenges.
+Some features might be CTF-specific, but also useful for analyzing seccomp of real cases.
 
 ## Features
-* Dump - Automatically dumps seccomp-bpf from execution file(s).
-* Disasm - Converts bpf to human readable format.
-  - Simple decompile.
-  - Display syscall names and arguments when possible.
+* Dump - Automatically dumps seccomp BPF from execution file(s).
+* Disasm - Converts seccomp BPF to a human readable format.
+  - With simple decompilation.
+  - With syscall names and arguments whenever possible.
   - Colorful!
-* Asm - Write seccomp rules is so easy!
+* Asm - Makes writing seccomp rules similar to writing codes.
 * Emu - Emulates seccomp rules.
-* Supports multi-architectures.
+* Supports multi-architecture.
 
 ## Installation
 
@@ -54,6 +54,7 @@ $ seccomp-tools --help
 
 $ seccomp-tools dump --help
 # dump - Automatically dump seccomp bpf from execution file(s).
+# NOTE : This function is only available on Linux.
 #
 # Usage: seccomp-tools dump [exec] [options]
 #     -c, --sh-exec <command>          Executes the given command (via sh).
@@ -75,8 +76,8 @@ $ seccomp-tools dump --help
 
 ### dump
 
-Dumps the seccomp bpf from an execution file.
-This work is done by the `ptrace` syscall.
+Dumps the seccomp BPF from an execution file.
+This work is done by utilizing the `ptrace` syscall.
 
 NOTICE: beware of the execution file will be executed.
 ```bash
@@ -123,7 +124,7 @@ $ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd
 
 ### disasm
 
-Disassembles the seccomp from raw bpf.
+Disassembles the seccomp from raw BPF.
 ```bash
 $ xxd spec/data/twctf-2016-diary.bpf | head -n 3
 # 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
@@ -169,7 +170,7 @@ $ seccomp-tools asm
 #     -f, --format FORMAT              Output format. FORMAT can only be one of <inspect|raw|c_array|c_source|assembly>.
 #                                      Default: inspect
 #     -a, --arch ARCH                  Specify architecture.
-#                                      Supported architectures are <amd64|i386>.
+#                                      Supported architectures are <aarch64|amd64|i386|s390x>.
 #                                      Default: amd64
 
 # Input file for asm
@@ -258,6 +259,83 @@ $ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
 
 ```
 
+Since v1.6.0 [not released yet], `asm` has switched to using a yacc-based syntax parser, hence supports more flexible and intuitive syntax!
+
+```bash
+$ cat spec/data/example.asm
+# # An example of supported assembly syntax
+# if (A == X)
+#   goto next # 'next' is a reserved label, means the next statement ("A = args[0]" in this example)
+# else
+#   goto err_label # custom defined label
+# A = args[0]
+# if (
+#   A # put a comment here is also valid
+#     == 0x123
+#   ) goto disallow
+# if (! (A & 0x1337)) # support bang in if-conditions
+#   goto 0 # equivalent to 'goto next'
+# else goto 2 # goto $ + 2, 'mem[0] = A' in this example
+# A = sys_number
+# A = instruction_pointer >> 32
+# mem[0] = A
+# A = data[4] # equivalent to 'A = arch'
+# err_label: return ERRNO(1337)
+# disallow:
+# return KILL
+
+$ seccomp-tools asm spec/data/example.asm -f raw | seccomp-tools disasm -
+#  line  CODE  JT   JF      K
+# =================================
+#  0000: 0x1d 0x00 0x07 0x00000000  if (A != X) goto 0008
+#  0001: 0x20 0x00 0x00 0x00000010  A = args[0]
+#  0002: 0x15 0x06 0x00 0x00000123  if (A == 0x123) goto 0009
+#  0003: 0x45 0x02 0x00 0x00001337  if (A & 0x1337) goto 0006
+#  0004: 0x20 0x00 0x00 0x00000000  A = sys_number
+#  0005: 0x20 0x00 0x00 0x0000000c  A = instruction_pointer >> 32
+#  0006: 0x02 0x00 0x00 0x00000000  mem[0] = A
+#  0007: 0x20 0x00 0x00 0x00000004  A = arch
+#  0008: 0x06 0x00 0x00 0x00050539  return ERRNO(1337)
+#  0009: 0x06 0x00 0x00 0x00000000  return KILL
+
+```
+
+The output of `seccomp-tools disasm <file> --asm-able` is a valid input of `asm`:
+```bash
+$ seccomp-tools disasm spec/data/x32.bpf --asm-able
+# 0000: A = arch
+# 0001: if (A != ARCH_X86_64) goto 0011
+# 0002: A = sys_number
+# 0003: if (A < 0x40000000) goto 0011
+# 0004: if (A == x32_read) goto 0011
+# 0005: if (A == x32_write) goto 0011
+# 0006: if (A == x32_iopl) goto 0011
+# 0007: if (A != x32_mmap) goto 0011
+# 0008: A = args[0]
+# 0009: if (A == 0x0) goto 0011
+# 0010: return ERRNO(5)
+# 0011: return ALLOW
+
+
+# disasm then asm then disasm!
+$ seccomp-tools disasm spec/data/x32.bpf --asm-able | seccomp-tools asm - -f raw | seccomp-tools disasm -
+#  line  CODE  JT   JF      K
+# =================================
+#  0000: 0x20 0x00 0x00 0x00000004  A = arch
+#  0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
+#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number
+#  0003: 0x35 0x00 0x07 0x40000000  if (A < 0x40000000) goto 0011
+#  0004: 0x15 0x06 0x00 0x40000000  if (A == x32_read) goto 0011
+#  0005: 0x15 0x05 0x00 0x40000001  if (A == x32_write) goto 0011
+#  0006: 0x15 0x04 0x00 0x400000ac  if (A == x32_iopl) goto 0011
+#  0007: 0x15 0x00 0x03 0x40000009  if (A != x32_mmap) goto 0011
+#  0008: 0x20 0x00 0x00 0x00000010  A = addr # x32_mmap(addr, len, prot, flags, fd, pgoff)
+#  0009: 0x15 0x01 0x00 0x00000000  if (A == 0x0) goto 0011
+#  0010: 0x06 0x00 0x00 0x00050005  return ERRNO(5)
+#  0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW
+
+```
+
 ### Emu
 
 Emulates seccomp given `sys_nr`, `arg0`, `arg1`, etc.
@@ -267,7 +345,7 @@ $ seccomp-tools emu --help
 #
 # Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]
 #     -a, --arch ARCH                  Specify architecture.
-#                                      Supported architectures are <amd64|i386>.
+#                                      Supported architectures are <aarch64|amd64|i386|s390x>.
 #                                      Default: amd64
 #     -q, --[no-]quiet                 Run quietly, only show emulation result.
 
@@ -300,6 +378,16 @@ $ seccomp-tools emu spec/data/libseccomp.bpf write 0x3
 
 ![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-amigo.png?raw=true)
 
+## Supported Architectures
+
+- [x] x86_64
+- [x] x32
+- [x] x86
+- [x] arm64 (@saagarjha)
+- [x] s390x (@iii-i)
+
+Pull Requests of adding more architectures support are welcome!
+
 ## Development
 
 I recommend to use [rbenv](https://github.com/rbenv/rbenv) for your Ruby environment.
@@ -319,6 +407,6 @@ I recommend to use [rbenv](https://github.com/rbenv/rbenv) for your Ruby environ
 
 ## I Need You
 
-Any suggestion or feature request is welcome!
-Feel free to file an issue or send a pull request.
+Any suggestions or feature requests are welcome!
+Feel free to file issues or send pull requests.
 And, if you like this work, I'll be happy to be [starred](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:

data/ext/ptrace/ptrace.c

@@ -1,7 +1,15 @@
+// ptrace is only available on Linux, therefore let this file be an empty
+// object when installing on other platforms.
+#if __linux__
+
+#include <assert.h>
 #include <errno.h>
+#include <linux/elf.h>
 #include <linux/filter.h>
+#include <stdint.h>
 #include <sys/ptrace.h>
 #include <sys/signal.h>
+#include <sys/uio.h>
 #include <sys/wait.h>
 
 #include "ruby.h"
@@ -19,10 +27,53 @@ ptrace_peekdata(VALUE _mod, VALUE pid, VALUE addr, VALUE _data) {
   return LONG2NUM(val);  
 }
 
+// aarch64 doesn't support PTRACE_PEEKUSER, but it does support
+// PTRACE_GETREGSET which is fairly similar. Since i386 and x86_64 support it
+// too, just use that unconditionally to present the same API for the registers
+// we care about.
 static VALUE
-ptrace_peekuser(VALUE _mod, VALUE pid, VALUE off, VALUE _data) {
-  long val = ptrace(PTRACE_PEEKUSER, NUM2LONG(pid), NUM2LONG(off), NULL);
-  return LONG2NUM(val);  
+ptrace_peekuser(VALUE _mod, VALUE pid, VALUE off, VALUE _data, VALUE bits) {
+  size_t offset = NUM2LONG(off);
+  // Unless your registers fill an entire page, an offset greater than this is
+  // probably wrong.
+  if (offset >= 4096) {
+    return LONG2NUM(-1);
+  }
+  size_t width = NUM2LONG(bits);
+  if (width != 32 && width != 64) {
+    return LONG2NUM(-1);
+  }
+  width /= 8;
+  union {
+    uint32_t val32;
+    uint64_t val64;
+  } val;
+  // Dynamically allocate a buffer to store registers-well, at least enough
+  // registers to reach the offset we want. Normally we'd want to use
+  // user_pt_regs or similar, but it's difficult to find it available in the
+  // the same header across different versions of Linux or libcs, or even with
+  // the same *name*, so this is the compromise.
+  size_t size = offset + width;
+  char *regs = malloc(size);
+  if (!regs) {
+    return LONG2NUM(-1);
+  }
+  struct iovec vec = { regs, size };
+  if (ptrace(PTRACE_GETREGSET, NUM2LONG(pid), NT_PRSTATUS, &vec) != -1 && vec.iov_len >= size) {
+    memcpy(&val, regs + offset, width);
+  } else {
+    free(regs);
+    return LONG2NUM(-1);
+  }
+  free(regs);
+  if (width == sizeof(val.val32)) {
+    return LONG2NUM(val.val32);
+  } else if (width == sizeof(val.val64)) {
+    return LONG2NUM(val.val64);
+  } else {
+    assert(!"Unreachable");
+    return LONG2NUM(-1);
+  }
 }
 
 static VALUE
@@ -107,7 +158,7 @@ void Init_ptrace(void) {
   /* get data */
   rb_define_module_function(mPtrace, "peekdata", ptrace_peekdata, 3);
   /* get registers */
-  rb_define_module_function(mPtrace, "peekuser", ptrace_peekuser, 3);
+  rb_define_module_function(mPtrace, "peekuser", ptrace_peekuser, 4);
   /* set ptrace options */
   rb_define_module_function(mPtrace, "setoptions", ptrace_setoptions, 3);
   /* wait for syscall */
@@ -124,3 +175,4 @@ void Init_ptrace(void) {
   rb_define_module_function(mPtrace, "detach", ptrace_detach, 1);
 }
 
+#endif  /* __linux__ */

data/lib/seccomp-tools/asm/asm.rb

@@ -10,16 +10,18 @@ module SeccompTools
 
     # Assembler of seccomp bpf.
     # @param [String] str
-    # @param [:amd64, :i386] arch
+    # @param [String] filename
+    #   Only used for error messages.
+    # @param [Symbol?] arch
     # @return [String]
-    #   Raw bpf bytes.
+    #   Raw BPF bytes.
     # @example
     #   SeccompTools::Asm.asm(<<-EOS)
     #     # lines start with '#' are comments
     #     A = sys_number                # here's a comment, too
     #     A >= 0x40000000 ? dead : next # 'next' is a keyword, denote the next instruction
     #     A == read ? ok : next         # custom defined label 'dead' and 'ok'
-    #     A == 1 ? ok : next            # SYS_write = 1 in amd64
+    #     A == 1 ? ok : next            # SYS_write = 1 on amd64
     #     return ERRNO(1)
     #     dead:
     #     return KILL
@@ -27,10 +29,10 @@ module SeccompTools
     #     return ALLOW
     #   EOS
     #   #=> <raw binary bytes>
-    def asm(str, arch: nil)
+    def asm(str, filename: '-', arch: nil)
+      filename = nil if filename == '-'
       arch = Util.system_arch if arch.nil?
-      compiler = Compiler.new(arch)
-      str.lines.each { |l| compiler.process(l) }
+      compiler = Compiler.new(str, filename, arch)
       compiler.compile!.map(&:asm).join
     end
   end