RubyGems - seccomp-tools - Versions diffs - 1.4.0 → 1.6.0 - Mend

seccomp-tools 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

checksums.yaml +4 -4
data/README.md +105 -17
data/ext/ptrace/ptrace.c +56 -4
data/lib/seccomp-tools/asm/asm.rb +8 -6
data/lib/seccomp-tools/asm/compiler.rb +130 -224
data/lib/seccomp-tools/asm/sasm.tab.rb +780 -0
data/lib/seccomp-tools/asm/sasm.y +175 -0
data/lib/seccomp-tools/asm/scalar.rb +129 -0
data/lib/seccomp-tools/asm/scanner.rb +163 -0
data/lib/seccomp-tools/asm/statement.rb +32 -0
data/lib/seccomp-tools/asm/token.rb +29 -0
data/lib/seccomp-tools/bpf.rb +31 -7
data/lib/seccomp-tools/cli/asm.rb +3 -3
data/lib/seccomp-tools/cli/base.rb +4 -4
data/lib/seccomp-tools/cli/disasm.rb +27 -3
data/lib/seccomp-tools/cli/dump.rb +4 -2
data/lib/seccomp-tools/cli/emu.rb +1 -4
data/lib/seccomp-tools/const.rb +37 -3
data/lib/seccomp-tools/consts/sys_nr/aarch64.rb +284 -0
data/lib/seccomp-tools/consts/sys_nr/amd64.rb +5 -1
data/lib/seccomp-tools/consts/sys_nr/i386.rb +14 -14
data/lib/seccomp-tools/consts/sys_nr/s390x.rb +365 -0
data/lib/seccomp-tools/disasm/context.rb +2 -2
data/lib/seccomp-tools/disasm/disasm.rb +16 -9
data/lib/seccomp-tools/dumper.rb +12 -3
data/lib/seccomp-tools/emulator.rb +5 -9
data/lib/seccomp-tools/error.rb +31 -0
data/lib/seccomp-tools/instruction/alu.rb +1 -1
data/lib/seccomp-tools/instruction/base.rb +1 -1
data/lib/seccomp-tools/instruction/jmp.rb +28 -10
data/lib/seccomp-tools/instruction/ld.rb +5 -3
data/lib/seccomp-tools/syscall.rb +23 -13
data/lib/seccomp-tools/templates/asm.s390x.asm +26 -0
data/lib/seccomp-tools/util.rb +3 -1
data/lib/seccomp-tools/version.rb +1 -1
metadata +38 -9
data/lib/seccomp-tools/asm/tokenizer.rb +0 -169

data/lib/seccomp-tools/consts/sys_nr/s390x.rb ADDED Viewed

@@ -0,0 +1,365 @@
+# frozen_string_literal: true
+{
+  exit: 1,
+  fork: 2,
+  read: 3,
+  write: 4,
+  open: 5,
+  close: 6,
+  restart_syscall: 7,
+  creat: 8,
+  link: 9,
+  unlink: 10,
+  execve: 11,
+  chdir: 12,
+  mknod: 14,
+  chmod: 15,
+  lseek: 19,
+  getpid: 20,
+  mount: 21,
+  umount: 22,
+  ptrace: 26,
+  alarm: 27,
+  pause: 29,
+  utime: 30,
+  access: 33,
+  nice: 34,
+  sync: 36,
+  kill: 37,
+  rename: 38,
+  mkdir: 39,
+  rmdir: 40,
+  dup: 41,
+  pipe: 42,
+  times: 43,
+  brk: 45,
+  signal: 48,
+  acct: 51,
+  umount2: 52,
+  ioctl: 54,
+  fcntl: 55,
+  setpgid: 57,
+  umask: 60,
+  chroot: 61,
+  ustat: 62,
+  dup2: 63,
+  getppid: 64,
+  getpgrp: 65,
+  setsid: 66,
+  sigaction: 67,
+  sigsuspend: 72,
+  sigpending: 73,
+  sethostname: 74,
+  setrlimit: 75,
+  getrusage: 77,
+  gettimeofday: 78,
+  settimeofday: 79,
+  symlink: 83,
+  readlink: 85,
+  uselib: 86,
+  swapon: 87,
+  reboot: 88,
+  readdir: 89,
+  mmap: 90,
+  munmap: 91,
+  truncate: 92,
+  ftruncate: 93,
+  fchmod: 94,
+  getpriority: 96,
+  setpriority: 97,
+  statfs: 99,
+  fstatfs: 100,
+  socketcall: 102,
+  syslog: 103,
+  setitimer: 104,
+  getitimer: 105,
+  stat: 106,
+  lstat: 107,
+  fstat: 108,
+  lookup_dcookie: 110,
+  vhangup: 111,
+  idle: 112,
+  wait4: 114,
+  swapoff: 115,
+  sysinfo: 116,
+  ipc: 117,
+  fsync: 118,
+  sigreturn: 119,
+  clone: 120,
+  setdomainname: 121,
+  uname: 122,
+  adjtimex: 124,
+  mprotect: 125,
+  sigprocmask: 126,
+  create_module: 127,
+  init_module: 128,
+  delete_module: 129,
+  get_kernel_syms: 130,
+  quotactl: 131,
+  getpgid: 132,
+  fchdir: 133,
+  bdflush: 134,
+  sysfs: 135,
+  personality: 136,
+  afs_syscall: 137,
+  getdents: 141,
+  select: 142,
+  flock: 143,
+  msync: 144,
+  readv: 145,
+  writev: 146,
+  getsid: 147,
+  fdatasync: 148,
+  _sysctl: 149,
+  mlock: 150,
+  munlock: 151,
+  mlockall: 152,
+  munlockall: 153,
+  sched_setparam: 154,
+  sched_getparam: 155,
+  sched_setscheduler: 156,
+  sched_getscheduler: 157,
+  sched_yield: 158,
+  sched_get_priority_max: 159,
+  sched_get_priority_min: 160,
+  sched_rr_get_interval: 161,
+  nanosleep: 162,
+  mremap: 163,
+  query_module: 167,
+  poll: 168,
+  nfsservctl: 169,
+  prctl: 172,
+  rt_sigreturn: 173,
+  rt_sigaction: 174,
+  rt_sigprocmask: 175,
+  rt_sigpending: 176,
+  rt_sigtimedwait: 177,
+  rt_sigqueueinfo: 178,
+  rt_sigsuspend: 179,
+  pread64: 180,
+  pwrite64: 181,
+  getcwd: 183,
+  capget: 184,
+  capset: 185,
+  sigaltstack: 186,
+  sendfile: 187,
+  getpmsg: 188,
+  putpmsg: 189,
+  vfork: 190,
+  getrlimit: 191,
+  lchown: 198,
+  getuid: 199,
+  getgid: 200,
+  geteuid: 201,
+  getegid: 202,
+  setreuid: 203,
+  setregid: 204,
+  getgroups: 205,
+  setgroups: 206,
+  fchown: 207,
+  setresuid: 208,
+  getresuid: 209,
+  setresgid: 210,
+  getresgid: 211,
+  chown: 212,
+  setuid: 213,
+  setgid: 214,
+  setfsuid: 215,
+  setfsgid: 216,
+  pivot_root: 217,
+  mincore: 218,
+  madvise: 219,
+  getdents64: 220,
+  readahead: 222,
+  setxattr: 224,
+  lsetxattr: 225,
+  fsetxattr: 226,
+  getxattr: 227,
+  lgetxattr: 228,
+  fgetxattr: 229,
+  listxattr: 230,
+  llistxattr: 231,
+  flistxattr: 232,
+  removexattr: 233,
+  lremovexattr: 234,
+  fremovexattr: 235,
+  gettid: 236,
+  tkill: 237,
+  futex: 238,
+  sched_setaffinity: 239,
+  sched_getaffinity: 240,
+  tgkill: 241,
+  io_setup: 243,
+  io_destroy: 244,
+  io_getevents: 245,
+  io_submit: 246,
+  io_cancel: 247,
+  exit_group: 248,
+  epoll_create: 249,
+  epoll_ctl: 250,
+  epoll_wait: 251,
+  set_tid_address: 252,
+  fadvise64: 253,
+  timer_create: 254,
+  timer_settime: 255,
+  timer_gettime: 256,
+  timer_getoverrun: 257,
+  timer_delete: 258,
+  clock_settime: 259,
+  clock_gettime: 260,
+  clock_getres: 261,
+  clock_nanosleep: 262,
+  statfs64: 265,
+  fstatfs64: 266,
+  remap_file_pages: 267,
+  mbind: 268,
+  get_mempolicy: 269,
+  set_mempolicy: 270,
+  mq_open: 271,
+  mq_unlink: 272,
+  mq_timedsend: 273,
+  mq_timedreceive: 274,
+  mq_notify: 275,
+  mq_getsetattr: 276,
+  kexec_load: 277,
+  add_key: 278,
+  request_key: 279,
+  keyctl: 280,
+  waitid: 281,
+  ioprio_set: 282,
+  ioprio_get: 283,
+  inotify_init: 284,
+  inotify_add_watch: 285,
+  inotify_rm_watch: 286,
+  migrate_pages: 287,
+  openat: 288,
+  mkdirat: 289,
+  mknodat: 290,
+  fchownat: 291,
+  futimesat: 292,
+  newfstatat: 293,
+  unlinkat: 294,
+  renameat: 295,
+  linkat: 296,
+  symlinkat: 297,
+  readlinkat: 298,
+  fchmodat: 299,
+  faccessat: 300,
+  pselect6: 301,
+  ppoll: 302,
+  unshare: 303,
+  set_robust_list: 304,
+  get_robust_list: 305,
+  splice: 306,
+  sync_file_range: 307,
+  tee: 308,
+  vmsplice: 309,
+  move_pages: 310,
+  getcpu: 311,
+  epoll_pwait: 312,
+  utimes: 313,
+  fallocate: 314,
+  utimensat: 315,
+  signalfd: 316,
+  timerfd: 317,
+  eventfd: 318,
+  timerfd_create: 319,
+  timerfd_settime: 320,
+  timerfd_gettime: 321,
+  signalfd4: 322,
+  eventfd2: 323,
+  inotify_init1: 324,
+  pipe2: 325,
+  dup3: 326,
+  epoll_create1: 327,
+  preadv: 328,
+  pwritev: 329,
+  rt_tgsigqueueinfo: 330,
+  perf_event_open: 331,
+  fanotify_init: 332,
+  fanotify_mark: 333,
+  prlimit64: 334,
+  name_to_handle_at: 335,
+  open_by_handle_at: 336,
+  clock_adjtime: 337,
+  syncfs: 338,
+  setns: 339,
+  process_vm_readv: 340,
+  process_vm_writev: 341,
+  s390_runtime_instr: 342,
+  kcmp: 343,
+  finit_module: 344,
+  sched_setattr: 345,
+  sched_getattr: 346,
+  renameat2: 347,
+  seccomp: 348,
+  getrandom: 349,
+  memfd_create: 350,
+  bpf: 351,
+  s390_pci_mmio_write: 352,
+  s390_pci_mmio_read: 353,
+  execveat: 354,
+  userfaultfd: 355,
+  membarrier: 356,
+  recvmmsg: 357,
+  sendmmsg: 358,
+  socket: 359,
+  socketpair: 360,
+  bind: 361,
+  connect: 362,
+  listen: 363,
+  accept4: 364,
+  getsockopt: 365,
+  setsockopt: 366,
+  getsockname: 367,
+  getpeername: 368,
+  sendto: 369,
+  sendmsg: 370,
+  recvfrom: 371,
+  recvmsg: 372,
+  shutdown: 373,
+  mlock2: 374,
+  copy_file_range: 375,
+  preadv2: 376,
+  pwritev2: 377,
+  s390_guarded_storage: 378,
+  statx: 379,
+  s390_sthyi: 380,
+  kexec_file_load: 381,
+  io_pgetevents: 382,
+  rseq: 383,
+  pkey_mprotect: 384,
+  pkey_alloc: 385,
+  pkey_free: 386,
+  semtimedop: 392,
+  semget: 393,
+  semctl: 394,
+  shmget: 395,
+  shmctl: 396,
+  shmat: 397,
+  shmdt: 398,
+  msgget: 399,
+  msgsnd: 400,
+  msgrcv: 401,
+  msgctl: 402,
+  pidfd_send_signal: 424,
+  io_uring_setup: 425,
+  io_uring_enter: 426,
+  io_uring_register: 427,
+  open_tree: 428,
+  move_mount: 429,
+  fsopen: 430,
+  fsconfig: 431,
+  fsmount: 432,
+  fspick: 433,
+  pidfd_open: 434,
+  clone3: 435,
+  close_range: 436,
+  openat2: 437,
+  pidfd_getfd: 438,
+  faccessat2: 439,
+  process_madvise: 440,
+  epoll_pwait2: 441,
+  mount_setattr: 442
+}

data/lib/seccomp-tools/disasm/context.rb CHANGED Viewed

@@ -58,7 +58,7 @@ module SeccompTools
       #   Value to be set to +reg/mem+.
       # @param [Array<Integer?>] known_data
       #   Records which index of data is known.
-      #   It's used for tracking if the syscall number is known, which can be used to display argument names of the
+      #   It's used for tracking when the syscall number is known, which can be used to display argument names of the
       #   syscall.
       def initialize(values: {}, known_data: [])
         @values = values
@@ -104,7 +104,7 @@ module SeccompTools
       #   Returns the object itself.
       def eql!(val)
         tap do
-          # only cares if A is fetched from data
+          # only cares when A is fetched from data
           next unless a.data?
           next known_data[a.val] = val if val.is_a?(Integer)
           # A == X, we can handle these cases:

data/lib/seccomp-tools/disasm/disasm.rb CHANGED Viewed

@@ -7,20 +7,22 @@ require 'seccomp-tools/disasm/context'
 require 'seccomp-tools/util'
 module SeccompTools
-  # Disassembler of seccomp bpf.
+  # Disassembler of seccomp BPF.
   module Disasm
     module_function
-    # Disassemble bpf codes.
+    # Disassemble BPF codes.
     # @param [String] raw
-    #   The raw bpf bytes.
+    #   The raw BPF bytes.
     # @param [Symbol] arch
     #   Architecture.
-    def disasm(raw, arch: nil)
+    # @param [Boolean] display_bpf
+    # @param [Boolean] arg_infer
+    def disasm(raw, arch: nil, display_bpf: true, arg_infer: true)
       codes = to_bpf(raw, arch)
       contexts = Array.new(codes.size) { Set.new }
       contexts[0].add(Context.new)
-      # all we care is if A is exactly one of data[*]
+      # all we care is whether A is data[*]
       dis = codes.zip(contexts).map do |code, ctxs|
         ctxs.each do |ctx|
           code.branch(ctx) do |pc, c|
@@ -28,15 +30,20 @@ module SeccompTools
           end
         end
         code.contexts = ctxs
-        code.disasm
+        code.disasm(code: display_bpf, arg_infer: arg_infer)
       end.join("\n")
-      <<-EOS + dis + "\n"
+      if display_bpf
+        <<-EOS
  line  CODE  JT   JF      K
 =================================
-      EOS
+#{dis}
+        EOS
+      else
+        "#{dis}\n"
+      end
     end
-    # Convert raw bpf string to array of {BPF}.
+    # Convert raw BPF string to array of {BPF}.
     # @param [String] raw
     # @param [Symbol] arch
     # @return [Array<BPF>]

data/lib/seccomp-tools/dumper.rb CHANGED Viewed

@@ -1,13 +1,18 @@
 # frozen_string_literal: true
+require 'os'
 require 'seccomp-tools/logger'
-require 'seccomp-tools/ptrace'
+require 'seccomp-tools/ptrace' if OS.linux?
 require 'seccomp-tools/syscall'
 module SeccompTools
   # Dump seccomp-bpf using ptrace of binary.
-  # Currently only support x86_64.
   module Dumper
+    # Whether the dumper is supported.
+    # Dumper works based on ptrace, so we need the platform be Linux.
+    SUPPORTED = OS.linux?
     module_function
     # Main bpf dump function.
@@ -35,6 +40,8 @@ module SeccompTools
     # @todo
     #   +timeout+ option.
     def dump(*args, limit: 1, &block)
+      return [] unless SUPPORTED
       pid = fork { handle_child(*args) }
       Handler.new(pid).handle(limit, &block)
     end
@@ -58,7 +65,7 @@ module SeccompTools
       # @yieldparam [String] bpf
       #   Seccomp bpf in raw bytes.
       # @yieldparam [Symbol] arch
-      #   Architecture, either :i386 or :amd64.
+      #   Architecture. See {SeccompTools::Syscall::ABI} for supported architectures.
       # @return [Array<Object>, Array<String>]
       #   Return the block returned. If block is not given, array of raw bytes will be returned.
       def handle(limit, &block)
@@ -164,6 +171,8 @@ module SeccompTools
     #   dump_by_pid(pid2, 1) { |c| c[0, 10] }
     #   #=> [" \x00\x00\x00\x00\x00\x00\x00\x15\x00"]
     def dump_by_pid(pid, limit, &block)
+      return [] unless SUPPORTED
       collect = []
       Ptrace.attach_and_wait(pid)
       begin

data/lib/seccomp-tools/emulator.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module SeccompTools
   class Emulator
     # Instantiate a {Emulator} object.
     #
-    # All parameters except +instructions+ are optional, while a warning will be shown if unset data being accessed.
+    # All parameters except +instructions+ are optional. A warning is shown when uninitialized data is accessed.
     # @param [Array<Instruction::Base>] instructions
     # @param [Integer] sys_nr
     #   Syscall number.
@@ -15,8 +15,8 @@ module SeccompTools
     #   Syscall arguments
     # @param [Integer] instruction_pointer
     #   Program counter address when this syscall invoked.
-    # @param [Symbol] arch
-    #   If not given, use system architecture as default.
+    # @param [Symbol?] arch
+    #   System architecture is used when this parameter is not provided.
     #
     #   See {SeccompTools::Util.supported_archs} for list of supported architectures.
     def initialize(instructions, sys_nr: nil, args: [], instruction_pointer: nil, arch: nil)
@@ -28,7 +28,7 @@ module SeccompTools
     end
     # Run emulation!
-    # @return [Hash{Symbol, Integer => Integer}]
+    # @return [{Symbol, Integer => Integer}]
     def run
       @values = { pc: 0, a: 0, x: 0 }
       loop do
@@ -58,11 +58,7 @@ module SeccompTools
     end
     def audit(arch)
-      type = case arch
-             when :amd64 then 'ARCH_X86_64'
-             when :i386 then 'ARCH_I386'
-             end
-      Const::Audit::ARCH[type]
+      Const::Audit::ARCH[Const::Audit::ARCH_NAME[arch]]
     end
     def ret(num)

data/lib/seccomp-tools/error.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module SeccompTools
+  # Base error class.
+  class Error < StandardError
+  end
+  # Raised when unrecognized token(s) are found on compiling seccomp assembly.
+  class UnrecognizedTokenError < Error
+  end
+  # Raised when a referred label is defined no where on compiling seccomp assembly.
+  class UndefinedLabelError < Error
+  end
+  # Raised on RACC parsing error when compiling seccomp assembly.
+  class ParseError < Error
+  end
+  # Raised when a jump expression goes backward on compiling seccomp assembly.
+  class BackwardJumpError < Error
+  end
+  # Raised when a label is defined more than once on compiling seccomp assembly.
+  class DuplicateLabelError < Error
+  end
+  # Raised when a jump is longer than supported distance.
+  class LongJumpError < Error
+  end
+end

data/lib/seccomp-tools/instruction/alu.rb CHANGED Viewed

@@ -62,7 +62,7 @@ module SeccompTools
         case op
         when :lsh, :rsh then src.to_s
-        else '0x' + src.to_s(16)
+        else "0x#{src.to_s(16)}"
         end
       end

data/lib/seccomp-tools/instruction/base.rb CHANGED Viewed

@@ -47,7 +47,7 @@ module SeccompTools
       private
-      %i(code jt jf k arch line contexts).each do |sym|
+      %i(code jt jf k arch line contexts show_arg_infer?).each do |sym|
         define_method(sym) do
           @bpf.__send__(sym)
         end

data/lib/seccomp-tools/instruction/jmp.rb CHANGED Viewed

@@ -16,9 +16,9 @@ module SeccompTools
         # otherwise => if () goto jt; else goto jf;
         return '/* no-op */' if jt.zero? && jf.zero?
         return goto(jt) if jt == jf
-        return if_str(true) + goto(jf) if jt.zero?
+        return if_str(neg: true) + goto(jf) if jt.zero?
-        if_str + goto(jt) + (jf.zero? ? '' : ' else ' + goto(jf))
+        if_str + goto(jt) + (jf.zero? ? '' : " else #{goto(jf)}")
       end
       # See {Instruction::Base#symbolize}.
@@ -64,14 +64,32 @@ module SeccompTools
         a = a[0]
         return k.to_s unless a.data?
-        hex = '0x' + k.to_s(16)
+        hex = "0x#{k.to_s(16)}"
         case a.val
-        when 0 then Util.colorize(Const::Syscall.const_get(arch.upcase.to_sym).invert[k] || hex, t: :syscall)
+          # interpret as syscalls only if it's an equality test
+        when 0 then Util.colorize(jop == :== ? sysname_by_k || hex : hex, t: :syscall)
         when 4 then Util.colorize(Const::Audit::ARCH.invert[k] || hex, t: :arch)
         else hex
         end
       end
+      def sysname_by_k
+        a = infer_arch || arch
+        name = Const::Syscall.const_get(a.upcase.to_sym).invert[k]
+        return name if name.nil?
+        a == arch ? name : "#{a}.#{name}"
+      end
+      # Infers the architecture from context.
+      # @return [Symbol?]
+      def infer_arch
+        arches = contexts.map { |ctx| ctx.known_data[4] }.uniq
+        return nil unless arches.size == 1 && !arches.first.nil?
+        Const::Audit::ARCH_NAME.invert[Const::Audit::ARCH.invert[arches.first]]
+      end
       def src
         SRC.invert[code & 8] == :x ? :x : k
       end
@@ -84,15 +102,15 @@ module SeccompTools
         line + off + 1
       end
-      def if_str(neg = false)
+      def if_str(neg: false)
         return "if (A #{jop} #{src_str}) " unless neg
         return "if (!(A & #{src_str})) " if jop == :&
-        op = case jop
-             when :>= then :<
-             when :> then :<=
-             when :== then :!=
-             end
+        op = {
+          :>= => :<,
+          :> => :<=,
+          :== => :!=
+        }[jop]
         "if (A #{op} #{src_str}) "
       end
     end

data/lib/seccomp-tools/instruction/ld.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module SeccompTools
     class LD < Base
       # Decompile instruction.
       def decompile
-        ret = reg + ' = '
+        ret = "#{reg} = "
         _, _reg, type = symbolize
         return ret + type[:val].to_s if type[:rel] == :immi
         return ret + "mem[#{type[:val]}]" if type[:rel] == :mem
@@ -78,8 +78,10 @@ module SeccompTools
       end
       def args_name(idx)
-        sys_nrs = contexts.map { |ctx| ctx.known_data[0] }.uniq
         default = idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+        return default unless show_arg_infer?
+        sys_nrs = contexts.map { |ctx| ctx.known_data[0] }.uniq
         return default if sys_nrs.size != 1 || sys_nrs.first.nil?
         sys = Const::Syscall.const_get(arch.upcase.to_sym).invert[sys_nrs.first]
@@ -88,7 +90,7 @@ module SeccompTools
         comment = "# #{sys}(#{args.join(', ')})"
         arg_name = Util.colorize(args[idx / 2], t: :args)
-        (idx.even? ? arg_name : "#{arg_name} >> 32") + ' ' + Util.colorize(comment, t: :gray)
+        "#{idx.even? ? arg_name : "#{arg_name} >> 32"} #{Util.colorize(comment, t: :gray)}"
       end
     end
   end