seccomp-tools 1.4.0 → 1.6.0

data/lib/seccomp-tools/syscall.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
+require 'os'
+
 require 'seccomp-tools/const'
-require 'seccomp-tools/ptrace'
+require 'seccomp-tools/ptrace' if OS.linux?
 
 module SeccompTools
   # Record syscall number, arguments, return value.
@@ -9,12 +11,16 @@ module SeccompTools
     # Syscall arguments offset of +struct user+ in different arch.
     ABI = {
       amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157, SYS_seccomp: 317 },
-      i386: { number: 120, args: [40, 88, 96, 104, 112, 32], ret: 80, SYS_prctl: 172, SYS_seccomp: 354 }
+      i386: { number: 44, args: [0, 4, 8, 12, 16, 20], ret: 24, SYS_prctl: 172, SYS_seccomp: 354 },
+      aarch64: { number: 64, args: [0, 8, 16, 24, 32, 40, 48], ret: 0, SYS_prctl: 167, SYS_seccomp: 277 },
+      # Most software invokes syscalls through "svc 0", in which case the syscall number is in r1.
+      # However, it's also possible to use "svc NR": this case is not handled here.
+      s390x: { number: 24, args: [32, 40, 48, 56, 64, 72], ret: 32, SYS_prctl: 172, SYS_seccomp: 348 }
     }.freeze
 
     # @return [Integer] Process id.
     attr_reader :pid
-    # @return [Hash{Symbol => Integer, Array<Integer>}] See {ABI}.
+    # @return [{Symbol => Integer, Array<Integer>}] See {ABI}.
     attr_reader :abi
     # @return [Integer] Syscall number.
     attr_reader :number
@@ -60,25 +66,29 @@ module SeccompTools
     #   Architecture of this syscall.
     def arch
       @arch ||= File.open("/proc/#{pid}/exe", 'rb') do |f|
-        f.pos = 4
-        case f.read(1).ord
-        when 1 then :i386
-        when 2 then :amd64
-        end
+        f.pos = 18
+        {
+          "\x03\x00" => :i386,
+          "\x3e\x00" => :amd64,
+          "\xb7\x00" => :aarch64,
+          "\x00\x16" => :s390x
+        }[f.read(2)]
       end
     end
 
     private
 
     def bits
-      case arch
-      when :i386 then 32
-      when :amd64 then 64
-      end
+      {
+        i386: 32,
+        amd64: 64,
+        aarch64: 64,
+        s390x: 64
+      }[arch]
     end
 
     def peek(offset)
-      Ptrace.peekuser(pid, offset, 0)
+      Ptrace.peekuser(pid, offset, 0, bits)
     end
   end
 end

data/lib/seccomp-tools/templates/asm.s390x.asm

@@ -0,0 +1,26 @@
+  .globl install_seccomp
+install_seccomp:
+  lghi   %r1, 172   /* __NR_prctl */
+  lghi   %r2, 38    /* PR_SET_NO_NEW_PRIVS */
+  lghi   %r3, 1
+  xgr    %r4, %r4
+  xgr    %r5, %r5
+  xgr    %r6, %r6
+  svc    0
+
+  lghi   %r1, 172   /* __NR_prctl */
+  lghi   %r2, 22    /* PR_SET_SECCOMP */
+  lghi   %r3, 2     /* SECCOMP_MODE_FILTER */
+  aghi   %r15, -16  /* sizeof(struct sock_fprog) */
+  mvhhi  0(%r15), (_filter_end - _filter) >> 3  /* .len */
+  larl   %r4, _filter
+  stg    %r4, 8(%r15)                           /* .filter */
+  lgr    %r4, %r15
+  svc    0
+  aghi   %r15, 16
+
+  br     %r14
+
+_filter:
+.ascii "<TO_BE_REPLACED>"
+_filter_end:

data/lib/seccomp-tools/util.rb

@@ -20,6 +20,8 @@ module SeccompTools
       case RbConfig::CONFIG['host_cpu']
       when /x86_64/ then :amd64
       when /i386/ then :i386
+      when /aarch64/ then :aarch64
+      when /s390x/ then :s390x
       else :unknown
       end
     end
@@ -77,7 +79,7 @@ module SeccompTools
     # @return [String]
     #   Content of the file.
     def template(filename)
-      IO.binread(File.join(__dir__, 'templates', filename))
+      File.binread(File.join(__dir__, 'templates', filename))
     end
   end
 end

data/lib/seccomp-tools/version.rb

@@ -2,5 +2,5 @@
 
 module SeccompTools
   # Gem version.
-  VERSION = '1.4.0'
+  VERSION = '1.6.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: seccomp-tools
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.6.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-16 00:00:00.000000000 Z
+date: 2023-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.79'
+        version: '1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.79'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.17.0
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.17.0
+        version: '0.21'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +94,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: os
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.1
 description: |
   Provide useful tools to analyze seccomp rules.
   Visit https://github.com/david942j/seccomp-tools for more details.
@@ -112,7 +132,12 @@ files:
 - lib/seccomp-tools.rb
 - lib/seccomp-tools/asm/asm.rb
 - lib/seccomp-tools/asm/compiler.rb
-- lib/seccomp-tools/asm/tokenizer.rb
+- lib/seccomp-tools/asm/sasm.tab.rb
+- lib/seccomp-tools/asm/sasm.y
+- lib/seccomp-tools/asm/scalar.rb
+- lib/seccomp-tools/asm/scanner.rb
+- lib/seccomp-tools/asm/statement.rb
+- lib/seccomp-tools/asm/token.rb
 - lib/seccomp-tools/bpf.rb
 - lib/seccomp-tools/cli/asm.rb
 - lib/seccomp-tools/cli/base.rb
@@ -122,12 +147,15 @@ files:
 - lib/seccomp-tools/cli/emu.rb
 - lib/seccomp-tools/const.rb
 - lib/seccomp-tools/consts/sys_arg.rb
+- lib/seccomp-tools/consts/sys_nr/aarch64.rb
 - lib/seccomp-tools/consts/sys_nr/amd64.rb
 - lib/seccomp-tools/consts/sys_nr/i386.rb
+- lib/seccomp-tools/consts/sys_nr/s390x.rb
 - lib/seccomp-tools/disasm/context.rb
 - lib/seccomp-tools/disasm/disasm.rb
 - lib/seccomp-tools/dumper.rb
 - lib/seccomp-tools/emulator.rb
+- lib/seccomp-tools/error.rb
 - lib/seccomp-tools/instruction/alu.rb
 - lib/seccomp-tools/instruction/base.rb
 - lib/seccomp-tools/instruction/instruction.rb
@@ -143,6 +171,7 @@ files:
 - lib/seccomp-tools/templates/asm.amd64.asm
 - lib/seccomp-tools/templates/asm.c
 - lib/seccomp-tools/templates/asm.i386.asm
+- lib/seccomp-tools/templates/asm.s390x.asm
 - lib/seccomp-tools/util.rb
 - lib/seccomp-tools/version.rb
 homepage: 
@@ -161,14 +190,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: seccomp-tools

data/lib/seccomp-tools/asm/tokenizer.rb

@@ -1,169 +0,0 @@
-# frozen_string_literal: true
-
-require 'seccomp-tools/const'
-require 'seccomp-tools/instruction/alu'
-
-module SeccompTools
-  module Asm
-    # Fetch tokens from a string.
-    #
-    # Internal used by {Compiler}.
-    # @private
-    class Tokenizer
-      # a valid label
-      LABEL_REGEXP = /[A-Za-z_]\w*/.freeze
-      attr_accessor :cur
-
-      # @param [String] str
-      # @example
-      #   Tokenizer.new('return ALLOW')
-      def initialize(str)
-        @str = str
-        @cur = @str.dup
-      end
-
-      # Fetch a token without raising errors.
-      def fetch(type)
-        fetch!(type)
-      rescue ArgumentError
-        nil
-      end
-
-      # Fetch a token. When expected token is not found,
-      # error with proper message would be raised.
-      #
-      # @param [String, Symbol] type
-      # @example
-      #   tokenizer = Tokenizer.new('return ALLOW')
-      #   tokenfizer.fetch!('return')
-      #   #=> "return"
-      #   tokenizer.fetch!(:ret)
-      #   #=> 2147418112
-      def fetch!(type)
-        @last_match_size = 0
-        res = case type
-              when String then fetch_str(type) || raise_expected("token #{type.inspect}")
-              when :comparison then fetch_strs(COMPARISON).to_sym || raise_expected('a comparison operator')
-              when :sys_num_x then fetch_sys_num_arch_x || raise_expected("a syscall number or 'X'")
-              when :goto then fetch_number || fetch_label || raise_expected('a number or label name')
-              when :ret then fetch_return || raise(ArgumentError, <<-EOS)
-Invalid return type: #{cur.inspect}.
-              EOS
-              when :ax then fetch_ax || raise_expected("'A' or 'X'")
-              when :ary then fetch_ary || raise_expected('data[<num>], mem[<num>], or args[<num>]')
-              when :alu_op then fetch_alu || raise_expected('an ALU operator')
-              else raise ArgumentError, "Unsupported type: #{type.inspect}"
-              end
-        slice!
-        res
-      end
-
-      private
-
-      COMPARISON = %w[== != <= >= < >].freeze
-
-      def fetch_strs(strs)
-        strs.find(&method(:fetch_str))
-      end
-
-      def fetch_str(str)
-        return nil unless cur.start_with?(str)
-        return nil if str =~ /\A[A-Za-z0-9_]+\Z/ && cur[str.size] =~ /[A-Za-z0-9_]/
-
-        @last_match_size = str.size
-        str
-      end
-
-      def fetch_ax
-        return :a if fetch_str('A')
-        return :x if fetch_str('X')
-
-        nil
-      end
-
-      def fetch_sys_num_arch_x
-        return :x if fetch_str('X')
-
-        fetch_number || fetch_syscall || fetch_arch
-      end
-
-      # Currently only supports 10-based decimal numbers.
-      def fetch_number
-        res = fetch_regexp(/^0x[0-9a-f]+/) || fetch_regexp(/^[0-9]+/)
-        return nil if res.nil?
-
-        Integer(res)
-      end
-
-      def fetch_syscall
-        sys = Const::Syscall::AMD64
-        sys = sys.merge(Const::Syscall::I386)
-        fetch_strs(sys.keys.map(&:to_s).sort_by(&:size).reverse)
-      end
-
-      def fetch_arch
-        fetch_strs(Const::Audit::ARCH.keys)
-      end
-
-      def fetch_regexp(regexp)
-        idx = cur =~ regexp
-        return nil if idx.nil? || idx != 0
-
-        match = cur.match(regexp)[0]
-        @last_match_size = match.size
-        match
-      end
-
-      def fetch_label
-        fetch_regexp(LABEL_REGEXP)
-      end
-
-      # Convert <type>(num) into return value according to {Const::ACTION}
-      # @return [Integer, :a]
-      def fetch_return
-        regexp = /(#{Const::BPF::ACTION.keys.join('|')})(\([0-9]{1,5}\))?/
-        action = fetch_regexp(regexp)
-        return fetch_str('A') && :a if action.nil?
-
-        # check if action contains '('the next bytes are (<num>)
-        ret_val = 0
-        if action.include?('(')
-          action, val = action.split('(')
-          ret_val = val.to_i
-        end
-        Const::BPF::ACTION[action.to_sym] | ret_val
-      end
-
-      def fetch_ary
-        support_name = %w[data mem args args_h]
-        regexp = /(#{support_name.join('|')})\[[0-9]{1,2}\]/
-        match = fetch_regexp(regexp)
-        return nil if match.nil?
-
-        res, val = match.split('[')
-        val = val.to_i
-        [res.to_sym, val]
-      end
-
-      def fetch_alu
-        ops = %w[+ - * / | & ^ << >>]
-        op = fetch_strs(ops)
-        return nil if op.nil?
-
-        Instruction::ALU::OP_SYM.invert[op.to_sym]
-      end
-
-      def slice!
-        ret = cur.slice!(0, @last_match_size)
-        cur.strip!
-        ret
-      end
-
-      def raise_expected(msg)
-        raise ArgumentError, <<-EOS
-Expected #{msg} but found #{cur.split[0].inspect}.
-        EOS
-      end
-    end
-  end
-end