seccomp-tools 1.4.0 → 1.6.0

data/lib/seccomp-tools/cli/disasm.rb

@@ -10,7 +10,13 @@ module SeccompTools
       # Summary of this command.
       SUMMARY = 'Disassemble seccomp bpf.'
       # Usage of this command.
-      USAGE = ('disasm - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools disasm BPF_FILE [options]').freeze
+      USAGE = "disasm - #{SUMMARY}\n\nUsage: seccomp-tools disasm BPF_FILE [options]"
+
+      def initialize(*)
+        super
+        option[:bpf] = true
+        option[:arg_infer] = true
+      end
 
       # Define option parser.
       # @return [OptionParser]
@@ -20,8 +26,23 @@ module SeccompTools
           opt.on('-o', '--output FILE', 'Output result into FILE instead of stdout.') do |o|
             option[:ofile] = o
           end
-
           option_arch(opt)
+          opt.on('--[no-]bpf', 'Display BPF bytes (code, jt, etc.).',
+                 'Default: true') do |f|
+                   option[:bpf] = f
+                 end
+          opt.on('--[no-]arg-infer', 'Display syscall arguments with parameter names when possible.',
+                 'Default: true') do |f|
+                   option[:arg_infer] = f
+                 end
+          opt.on('--asm-able', 'Output with this flag is a valid input of "seccomp-tools asm".',
+                 'By default, "seccomp-tools disasm" is in a human-readable format that easy for analysis.',
+                 'Passing this flag can have the output be simplified to a valid input for "seccomp-tools asm".',
+                 'This flag implies "--no-bpf --no-arg-infer".',
+                 'Default: false') do |_f|
+                   option[:bpf] = false
+                   option[:arg_infer] = false
+                 end
         end
       end
 
@@ -33,7 +54,10 @@ module SeccompTools
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
 
-        output { SeccompTools::Disasm.disasm(input, arch: option[:arch]) }
+        output do
+          SeccompTools::Disasm.disasm(input, arch: option[:arch], display_bpf: option[:bpf],
+                                             arg_infer: option[:arg_infer])
+        end
       end
     end
   end

data/lib/seccomp-tools/cli/dump.rb

@@ -14,7 +14,8 @@ module SeccompTools
       # Summary of this command.
       SUMMARY = 'Automatically dump seccomp bpf from execution file(s).'
       # Usage of this command.
-      USAGE = ('dump - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools dump [exec] [options]').freeze
+      USAGE = "dump - #{SUMMARY}\nNOTE : This function is only available on Linux." \
+              "\n\nUsage: seccomp-tools dump [exec] [options]"
 
       def initialize(*)
         super
@@ -64,11 +65,12 @@ module SeccompTools
       # Handle options.
       # @return [void]
       def handle
+        return Logger.error('Dump is only available on Linux.') unless Dumper::SUPPORTED
         return unless super
 
         block = lambda do |bpf, arch|
           case option[:format]
-          when :inspect then output { '"' + bpf.bytes.map { |b| format('\\x%02X', b) }.join + "\"\n" }
+          when :inspect then output { "\"#{bpf.bytes.map { |b| format('\\x%02X', b) }.join}\"\n" }
           when :raw then output { bpf }
           when :disasm then output { SeccompTools::Disasm.disasm(bpf, arch: arch) }
           end

data/lib/seccomp-tools/cli/emu.rb

@@ -15,10 +15,7 @@ module SeccompTools
       # Summary of this command.
       SUMMARY = 'Emulate seccomp rules.'
       # Usage of this command.
-      USAGE = ('emu - ' +
-               SUMMARY +
-               "\n\n" \
-               'Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]').freeze
+      USAGE = "emu - #{SUMMARY}\n\nUsage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]"
 
       def initialize(*)
         super

data/lib/seccomp-tools/const.rb

@@ -59,6 +59,8 @@ module SeccompTools
         KILL: 0x00000000, # alias of KILL_THREAD
         TRAP: 0x00030000,
         ERRNO: 0x00050000,
+        USER_NOTIF: 0x7fc00000,
+        LOG: 0x7ffc0000,
         TRACE: 0x7ff00000,
         ALLOW: 0x7fff0000
       }.freeze
@@ -118,19 +120,51 @@ module SeccompTools
         filename = File.join(__dir__, 'consts', 'sys_nr', "#{arch}.rb")
         return unless File.exist?(filename)
 
-        const_set(cons, instance_eval(IO.read(filename)))
+        const_set(cons, instance_eval(File.read(filename)))
+      end
+
+      # Helper for loading syscall prototypes from generated sys_arg.rb.
+      def load_args
+        hash = instance_eval(File.read(File.join(__dir__, 'consts', 'sys_arg.rb')))
+        Hash.new do |_h, k|
+          next hash[k] if hash[k]
+          next hash[k.to_s[4..].to_sym] if k.to_s.start_with?('x32_')
+
+          nil
+        end
       end
     end
 
     # The argument names of all syscalls.
-    SYS_ARG = instance_eval(IO.read(File.join(__dir__, 'consts', 'sys_arg.rb'))).freeze
+    SYS_ARG = Syscall.load_args.freeze
 
     # Constants from https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h.
     module Audit
+      # Maps arch name to {ARCH}'s key.
+      ARCH_NAME = {
+        amd64: 'ARCH_X86_64',
+        i386: 'ARCH_I386',
+        aarch64: 'ARCH_AARCH64',
+        s390x: 'ARCH_S390X'
+      }.freeze
+
       # AUDIT_ARCH_*
       ARCH = {
         'ARCH_X86_64' => 0xc000003e,
-        'ARCH_I386' => 0x40000003
+        'ARCH_I386' => 0x40000003,
+        'ARCH_AARCH64' => 0xc00000b7,
+        'ARCH_S390X' => 0x80000016
+      }.freeze
+    end
+
+    # Endianess constants.
+    module Endian
+      # Defining default endianess of architectures.
+      ENDIAN = {
+        i386: '<',
+        amd64: '<',
+        aarch64: '<',
+        s390x: '>'
       }.freeze
     end
   end

data/lib/seccomp-tools/consts/sys_nr/aarch64.rb

@@ -0,0 +1,284 @@
+# frozen_string_literal: true
+
+{
+  io_setup: 0,
+  io_destroy: 1,
+  io_submit: 2,
+  io_cancel: 3,
+  io_getevents: 4,
+  setxattr: 5,
+  lsetxattr: 6,
+  fsetxattr: 7,
+  getxattr: 8,
+  lgetxattr: 9,
+  fgetxattr: 10,
+  listxattr: 11,
+  llistxattr: 12,
+  flistxattr: 13,
+  removexattr: 14,
+  lremovexattr: 15,
+  fremovexattr: 16,
+  getcwd: 17,
+  lookup_dcookie: 18,
+  eventfd2: 19,
+  epoll_create1: 20,
+  epoll_ctl: 21,
+  epoll_pwait: 22,
+  dup: 23,
+  dup3: 24,
+  fcntl: 25,
+  inotify_init1: 26,
+  inotify_add_watch: 27,
+  inotify_rm_watch: 28,
+  ioctl: 29,
+  ioprio_set: 30,
+  ioprio_get: 31,
+  flock: 32,
+  mknodat: 33,
+  mkdirat: 34,
+  unlinkat: 35,
+  symlinkat: 36,
+  linkat: 37,
+  renameat: 38,
+  umount2: 39,
+  mount: 40,
+  pivot_root: 41,
+  nfsservctl: 42,
+  statfs: 43,
+  fstatfs: 44,
+  truncate: 45,
+  ftruncate: 46,
+  fallocate: 47,
+  faccessat: 48,
+  chdir: 49,
+  fchdir: 50,
+  chroot: 51,
+  fchmod: 52,
+  fchmodat: 53,
+  fchownat: 54,
+  fchown: 55,
+  openat: 56,
+  close: 57,
+  vhangup: 58,
+  pipe2: 59,
+  quotactl: 60,
+  getdents: 61,
+  getdents64: 61,
+  lseek: 62,
+  read: 63,
+  write: 64,
+  readv: 65,
+  writev: 66,
+  pread: 67,
+  pread64: 67,
+  pwrite: 68,
+  pwrite64: 68,
+  preadv: 69,
+  pwritev: 70,
+  sendfile: 71,
+  pselect6: 72,
+  ppoll: 73,
+  signalfd4: 74,
+  vmsplice: 75,
+  splice: 76,
+  tee: 77,
+  readlinkat: 78,
+  newfstatat: 79,
+  fstat: 80,
+  newfstat: 80,
+  sync: 81,
+  fsync: 82,
+  fdatasync: 83,
+  sync_file_range: 84,
+  timerfd_create: 85,
+  timerfd_settime: 86,
+  timerfd_gettime: 87,
+  utimensat: 88,
+  acct: 89,
+  capget: 90,
+  capset: 91,
+  personality: 92,
+  exit: 93,
+  exit_group: 94,
+  waitid: 95,
+  set_tid_address: 96,
+  unshare: 97,
+  futex: 98,
+  set_robust_list: 99,
+  get_robust_list: 100,
+  nanosleep: 101,
+  getitimer: 102,
+  setitimer: 103,
+  kexec_load: 104,
+  init_module: 105,
+  delete_module: 106,
+  timer_create: 107,
+  timer_gettime: 108,
+  timer_getoverrun: 109,
+  timer_settime: 110,
+  timer_delete: 111,
+  clock_settime: 112,
+  clock_gettime: 113,
+  clock_getres: 114,
+  clock_nanosleep: 115,
+  syslog: 116,
+  ptrace: 117,
+  sched_setparam: 118,
+  sched_setscheduler: 119,
+  sched_getscheduler: 120,
+  sched_getparam: 121,
+  sched_setaffinity: 122,
+  sched_getaffinity: 123,
+  sched_yield: 124,
+  sched_get_priority_max: 125,
+  sched_get_priority_min: 126,
+  sched_rr_get_interval: 127,
+  restart_syscall: 128,
+  kill: 129,
+  tkill: 130,
+  tgkill: 131,
+  sigaltstack: 132,
+  rt_sigsuspend: 133,
+  rt_sigaction: 134,
+  rt_sigprocmask: 135,
+  rt_sigpending: 136,
+  rt_sigtimedwait: 137,
+  rt_sigqueueinfo: 138,
+  rt_sigreturn: 139,
+  setpriority: 140,
+  getpriority: 141,
+  reboot: 142,
+  setregid: 143,
+  setgid: 144,
+  setreuid: 145,
+  setuid: 146,
+  setresuid: 147,
+  getresuid: 148,
+  setresgid: 149,
+  getresgid: 150,
+  setfsuid: 151,
+  setfsgid: 152,
+  times: 153,
+  setpgid: 154,
+  getpgid: 155,
+  getsid: 156,
+  setsid: 157,
+  getgroups: 158,
+  setgroups: 159,
+  uname: 160,
+  sethostname: 161,
+  setdomainname: 162,
+  getrlimit: 163,
+  setrlimit: 164,
+  getrusage: 165,
+  umask: 166,
+  prctl: 167,
+  getcpu: 168,
+  gettimeofday: 169,
+  settimeofday: 170,
+  adjtimex: 171,
+  getpid: 172,
+  getppid: 173,
+  getuid: 174,
+  geteuid: 175,
+  getgid: 176,
+  getegid: 177,
+  gettid: 178,
+  sysinfo: 179,
+  mq_open: 180,
+  mq_unlink: 181,
+  mq_timedsend: 182,
+  mq_timedreceive: 183,
+  mq_notify: 184,
+  mq_getsetattr: 185,
+  msgget: 186,
+  msgctl: 187,
+  msgrcv: 188,
+  msgsnd: 189,
+  semget: 190,
+  semctl: 191,
+  semtimedop: 192,
+  semop: 193,
+  shmget: 194,
+  shmctl: 195,
+  shmat: 196,
+  shmdt: 197,
+  socket: 198,
+  socketpair: 199,
+  bind: 200,
+  listen: 201,
+  accept: 202,
+  connect: 203,
+  getsockname: 204,
+  getpeername: 205,
+  sendto: 206,
+  recvfrom: 207,
+  setsockopt: 208,
+  getsockopt: 209,
+  shutdown: 210,
+  sendmsg: 211,
+  recvmsg: 212,
+  readahead: 213,
+  brk: 214,
+  munmap: 215,
+  mremap: 216,
+  add_key: 217,
+  request_key: 218,
+  keyctl: 219,
+  clone: 220,
+  execve: 221,
+  mmap: 222,
+  fadvise64: 223,
+  swapon: 224,
+  swapoff: 225,
+  mprotect: 226,
+  msync: 227,
+  mlock: 228,
+  munlock: 229,
+  mlockall: 230,
+  munlockall: 231,
+  mincore: 232,
+  madvise: 233,
+  remap_file_pages: 234,
+  mbind: 235,
+  get_mempolicy: 236,
+  set_mempolicy: 237,
+  migrate_pages: 238,
+  move_pages: 239,
+  rt_tgsigqueueinfo: 240,
+  perf_event_open: 241,
+  accept4: 242,
+  recvmmsg: 243,
+  wait4: 260,
+  prlimit64: 261,
+  fanotify_init: 262,
+  fanotify_mark: 263,
+  name_to_handle_at: 264,
+  open_by_handle_at: 265,
+  clock_adjtime: 266,
+  syncfs: 267,
+  setns: 268,
+  sendmmsg: 269,
+  process_vm_readv: 270,
+  process_vm_writev: 271,
+  kcmp: 272,
+  finit_module: 273,
+  sched_setattr: 274,
+  sched_getattr: 275,
+  renameat2: 276,
+  seccomp: 277,
+  getrandom: 278,
+  memfd_create: 279,
+  bpf: 280,
+  execveat: 281,
+  userfaultfd: 282,
+  membarrier: 283,
+  mlock2: 284,
+  copy_file_range: 285,
+  preadv2: 286,
+  pwritev2: 287,
+  pkey_mprotect: 288,
+  pkey_alloc: 289,
+  pkey_free: 290,
+  statx: 291
+}

data/lib/seccomp-tools/consts/sys_nr/amd64.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# Denote a x32 syscall.
+X32_MODE_BIT = 0x40000000
 {
   read: 0,
   write: 1,
@@ -18,7 +20,9 @@
   rt_sigprocmask: 14,
   rt_sigreturn: 15,
   ioctl: 16,
+  pread: 17,
   pread64: 17,
+  pwrite: 18,
   pwrite64: 18,
   readv: 19,
   writev: 20,
@@ -334,4 +338,4 @@
   pkey_alloc: 330,
   pkey_free: 331,
   statx: 332
-}
+}.tap { |h| h.keys.each { |k| h["x32_#{k}".to_sym] = h[k] | X32_MODE_BIT } } # rubocop:disable Style/HashEachMethods

data/lib/seccomp-tools/consts/sys_nr/i386.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 {
-  setup: 0,
+  restart_syscall: 0,
   exit: 1,
   fork: 2,
   read: 3,
@@ -259,14 +259,14 @@
   remap_file_pages: 257,
   set_tid_address: 258,
   timer_create: 259,
-  timer_settime: (259 + 1),
-  timer_gettime: (259 + 2),
-  timer_getoverrun: (259 + 3),
-  timer_delete: (259 + 4),
-  clock_settime: (259 + 5),
-  clock_gettime: (259 + 6),
-  clock_getres: (259 + 7),
-  clock_nanosleep: (259 + 8),
+  timer_settime: 260,
+  timer_gettime: 261,
+  timer_getoverrun: 262,
+  timer_delete: 263,
+  clock_settime: 264,
+  clock_gettime: 265,
+  clock_getres: 266,
+  clock_nanosleep: 267,
   statfs64: 268,
   fstatfs64: 269,
   tgkill: 270,
@@ -277,11 +277,11 @@
   get_mempolicy: 275,
   set_mempolicy: 276,
   mq_open: 277,
-  mq_unlink: (277 + 1),
-  mq_timedsend: (277 + 2),
-  mq_timedreceive: (277 + 3),
-  mq_notify: (277 + 4),
-  mq_getsetattr: (277 + 5),
+  mq_unlink: 278,
+  mq_timedsend: 279,
+  mq_timedreceive: 280,
+  mq_notify: 281,
+  mq_getsetattr: 282,
   sys_kexec_load: 283,
   waitid: 284,
   add_key: 286,