seccomp-tools 1.5.0 → 1.6.1

data/lib/seccomp-tools/asm/sasm.y

@@ -0,0 +1,175 @@
+class SeccompTools::Asm::SeccompAsmParser
+  options no_result_var
+rule
+  prog: normalized_statement terminator { [val[0]] }
+      | prog normalized_statement terminator { val[0] << val[1] }
+  normalized_statement: symbols newlines statement { Statement.new(*val[2], val[0]) }
+                      | statement { Statement.new(*val[0], []) }
+  symbols: symbol { val }
+         | symbols newlines symbol { val[0] << val[2] }
+  symbol: SYMBOL {
+            t = val[0]
+            raise_error("'next' is a reserved label") if t == 'next'
+            last_token
+          }
+  statement: arithmetic { [:alu, val[0]] }
+           | assignment { [:assign, val[0]] }
+           | conditional { [:if, val[0]] }
+           | goto_expr { [:if, [nil, val[0], val[0]]] }
+           | return_stat { [:ret, val[0]] }
+  arithmetic: A alu_op_eq newlines x_constexpr { [val[1], val[3]] }
+  assignment: a ASSIGN a_rval { [val[0], val[2]] }
+            | x ASSIGN x_rval { [val[0], val[2]] }
+            | memory ASSIGN ax { [val[0], val[2]] }
+  # X = ?
+  x_rval: constexpr
+        | memory
+        | a
+  # A = ?
+  a_rval: x_constexpr
+        | argument { Scalar::Data.new(val[0]) }
+        | memory
+        | LEN { Scalar::Len.instance }
+        # A = -A is a special case, it's in an assignment form but belongs to ALU BPF
+        | ALU_OP A {
+          raise_error('do you mean A = -A?', -1) if val[0] != '-'
+          :neg
+        }
+  conditional: IF comparison newlines goto_expr newlines else_block {
+                 op, rval, parity = val[1]
+                 jt, jf = val[3], val[5]
+                 jt, jf = jf, jt if parity.odd?
+                 [[op, rval], jt, jf]
+               }
+             | A compare x_constexpr goto_symbol goto_symbol { [[val[1], val[2]], val[3], val[4]] }
+  else_block: ELSE newlines goto_expr { val[2] }
+            | { :next }
+  comparison: LPAREN newlines comparison_ newlines RPAREN { val[2] }
+  comparison_: a newlines compare newlines x_constexpr { [val[2], val[4], 0] }
+             | BANG LPAREN comparison_ RPAREN { val[2][2] += 1; val[2] }
+  compare: COMPARE
+         | AND
+  goto_expr: GOTO goto_symbol { val[1] }
+  goto_symbol: GOTO_SYMBOL { last_token }
+  return_stat: RETURN ret_val { val[1] }
+  ret_val: a
+         | ACTION { Scalar::ConstVal.new(Const::BPF::ACTION[val[0].to_sym]) }
+         | ACTION LPAREN constexpr RPAREN {
+             Scalar::ConstVal.new(Const::BPF::ACTION[val[0].to_sym] |
+               (val[2].to_i & Const::BPF::SECCOMP_RET_DATA))
+           }
+         | constexpr
+  memory: MEM LBRACK constexpr RBRACK {
+            idx = val[2].to_i
+            raise_error(format("index of mem[] must between 0 and 15, got %d", idx), -1) unless idx.between?(0, 15)
+            Scalar::Mem.new(idx)
+          }
+  x_constexpr: x
+             | constexpr
+  argument: argument_long
+          | argument_long alu_op INT {
+              if val[1] != '>>' || val[2].to_i != 32
+                off = val[1] == '>>' ? 0 : -1
+                raise_error("operator after an argument can only be '>> 32'", off)
+              end
+              val[0] + 4
+            }
+          | SYS_NUMBER { 0 }
+          | ARCH { 4 }
+          | DATA LBRACK constexpr RBRACK {
+              idx = val[2].to_i
+              if idx % 4 != 0 || idx >= 64
+                raise_error(format('index of data[] must be a multiple of 4 and less than 64, got %d', idx), -1)
+              end
+              idx
+            }
+  # 8-byte long arguments
+  argument_long: args LBRACK constexpr RBRACK {
+                   idx = val[2].to_i
+                   s = val[0]
+                   raise_error(format('index of %s[] must between 0 and 5, got %d', s, idx), -1) unless idx.between?(0, 5)
+                   16 + idx * 8 + (s.downcase.end_with?('h') ? 4 : 0)
+                 }
+               | INSTRUCTION_POINTER { 8 }
+  args: ARGS
+      | ARGS_H
+  alu_op_eq: alu_op ASSIGN { val[0] + val[1] }
+  alu_op: ALU_OP
+        | AND
+  constexpr: number { Scalar::ConstVal.new(val[0] & 0xffffffff) }
+           | LPAREN constexpr RPAREN { val[1] }
+  ax: a
+     | x
+  a: A { Scalar::A.instance }
+  x: X { Scalar::X.instance }
+  number: INT { val[0].to_i }
+        | HEX_INT { val[0].to_i(16) }
+        | ARCH_VAL { Const::Audit::ARCH[val[0]] }
+        | SYSCALL {
+            s = val[0]
+            return @scanner.syscalls[s.to_sym] unless s.include?('.')
+
+            arch, sys = s.split('.')
+            Const::Syscall.const_get(arch.upcase)[sys.to_sym].tap do |v|
+              raise_error("syscall '#{sys}' doesn't exist on #{arch}") if v.nil?
+            end
+          }
+  terminator: newlines
+            | false
+  newlines: newlines NEWLINE
+          |
+  ASSIGN: '='
+  LPAREN: '('
+  RPAREN: ')'
+  LBRACK: '['
+  RBRACK: ']'
+  AND: '&'
+  BANG: '!'
+end
+
+---- header
+require 'seccomp-tools/asm/scalar'
+require 'seccomp-tools/asm/scanner'
+require 'seccomp-tools/asm/statement'
+
+---- inner
+  def initialize(scanner)
+    @scanner = scanner
+    super()
+  end
+
+  # @return [Array<Statement>]
+  def parse
+    @tokens = @scanner.scan.dup
+    return [] if @tokens.empty?
+
+    @cur_idx = 0
+    do_parse
+  end
+
+  def next_token
+    token = @tokens[@cur_idx]
+    return [false, '$'] if token.nil?
+
+    @cur_idx += 1
+    [token.sym, token.str]
+  end
+
+  def on_error(t, val, vstack)
+    raise_error("unexpected string #{last_token.str.inspect}")
+  end
+
+  # @param [String] msg
+  # @param [Integer] offset
+  # @private
+  def raise_error(msg, offset = 0)
+    raise SeccompTools::ParseError, @scanner.format_error(last_token(offset), msg)
+  end
+
+  # @param [Integer] off
+  #   0 for the last parsed token, -n for the n-th previous parsed token, n for the future n-th token.
+  def last_token(off = 0)
+    @tokens[@cur_idx - 1 + off]
+  end
+
+---- footer

data/lib/seccomp-tools/asm/scalar.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+module SeccompTools
+  module Asm
+    # Collection of scalars.
+    #
+    # Internally used by sasm.y.
+    # @private
+    module Scalar
+      # To be used to denote a register (A / X), an argument (data[]), or a memory data (mem[]).
+      class Base
+        attr_reader :val
+
+        def a?
+          false
+        end
+
+        def x?
+          false
+        end
+
+        def len?
+          false
+        end
+
+        def data?
+          false
+        end
+
+        def mem?
+          false
+        end
+
+        def const?
+          false
+        end
+      end
+
+      # Register A.
+      class A < Base
+        include Singleton
+
+        def a?
+          true
+        end
+      end
+
+      # Register X.
+      class X < Base
+        include Singleton
+
+        def x?
+          true
+        end
+      end
+
+      # Len.
+      class Len < Base
+        include Singleton
+
+        def len?
+          true
+        end
+      end
+
+      # A constant value.
+      class ConstVal < Base
+        # @param [Integer] val
+        def initialize(val)
+          @val = val
+          super()
+        end
+
+        # @param [ConstVal, Integer] other
+        def ==(other)
+          to_i == other.to_i
+        end
+
+        def const?
+          true
+        end
+
+        alias to_i val
+      end
+
+      # data[]
+      class Data < Base
+        # Instantiates a {Data} object.
+        #
+        # @param [Integer] index
+        def initialize(index)
+          @val = index
+          super()
+        end
+
+        # @param [Data] other
+        def ==(other)
+          other.is_a?(Data) && val == other.val
+        end
+
+        def data?
+          true
+        end
+      end
+
+      # mem[]
+      class Mem < Base
+        # Instantiates a {Mem} object.
+        #
+        # @param [Integer] index
+        def initialize(index)
+          @val = index
+          super()
+        end
+
+        # @param [Data] other
+        def ==(other)
+          other.is_a?(Mem) && val == other.val
+        end
+
+        def mem?
+          true
+        end
+      end
+    end
+  end
+end

data/lib/seccomp-tools/asm/scanner.rb

@@ -0,0 +1,163 @@
+# frozen_string_literal: true
+
+require 'seccomp-tools/asm/token'
+require 'seccomp-tools/const'
+require 'seccomp-tools/error'
+require 'seccomp-tools/syscall'
+
+module SeccompTools
+  module Asm
+    # Converts text to array of tokens.
+    #
+    # Maintains columns and rows to have informative error messages.
+    #
+    # Internally used by {SeccompAsmParser}.
+    class Scanner
+      attr_reader :syscalls
+
+      # Keywords with special meanings in our assembly. Keywords are all case-insensitive.
+      KEYWORDS = %w[a x if else return mem args args_h data len sys_number arch instruction_pointer].freeze
+      # Regexp for matching keywords.
+      KEYWORD_MATCHER = /\A\b(#{KEYWORDS.join('|')})\b/i.freeze
+      # Action strings can be used in a return statement. Actions must be in upper case.
+      # See {SeccompTools::Const::BPF::ACTION}.
+      ACTIONS = Const::BPF::ACTION.keys.map(&:to_s)
+      # Regexp for matching actions.
+      ACTION_MATCHER = /\A\b(#{ACTIONS.join('|')})\b/.freeze
+      # Special constants for checking the current architecture. See {SeccompTools::Const::Audit::ARCH}. These constants
+      # are case-insensitive.
+      AUDIT_ARCHES = Const::Audit::ARCH.keys
+      # Regexp for matching arch values.
+      AUDIT_ARCH_MATCHER = /\A\b(#{AUDIT_ARCHES.join('|')})\b/i.freeze
+      # Comparisons.
+      COMPARE = %w[== != >= <= > <].freeze
+      # Regexp for matching comparisons.
+      COMPARE_MATCHER = /\A(#{COMPARE.join('|')})/.freeze
+      # All valid arithmetic operators.
+      ALU_OP = %w[+ - * / | ^ << >>].freeze
+      # Regexp for matching ALU operators.
+      ALU_OP_MATCHER = /\A(#{ALU_OP.map { |o| ::Regexp.escape(o) }.join('|')})/.freeze
+      # Supported architectures
+      ARCHES = SeccompTools::Syscall::ABI.keys.map(&:to_s)
+
+      # @param [String] str
+      # @param [Symbol] arch
+      # @param [String?] filename
+      # @example
+      #   Scanner.new('return ALLOW', :amd64)
+      def initialize(str, arch, filename: nil)
+        @filename = filename || '<inline>'
+        @str = str
+        @syscalls =
+          begin; Const::Syscall.const_get(arch.to_s.upcase); rescue NameError; []; end
+        @syscall_all = ARCHES.each_with_object({}) do |ar, memo|
+          memo.merge!(Const::Syscall.const_get(ar.to_s.upcase))
+        end.keys
+      end
+
+      # Scans the whole string and raises errors when there are unrecognized tokens.
+      # @return [self]
+      # @raise [UnrecognizedTokenError]
+      def validate!
+        errors = validate
+        return self if errors.empty?
+
+        raise UnrecognizedTokenError, errors.map { |e| format_error(e, "unknown token #{e.str.inspect}") }.join("\n")
+      end
+
+      # Same as {#validate!} but returns the array of errors instead of raising an exception.
+      #
+      # @return [Array<Token>]
+      def validate
+        scan.select { |t| t.sym == :unknown }
+      end
+
+      # @return [Array<Token>]
+      def scan
+        return @tokens if defined?(@tokens)
+
+        @tokens = []
+        row = 0
+        col = 0
+        str = @str
+        add_token = ->(sym, s, c = col) { @tokens.push(Token.new(sym, s, row, c)) }
+        # define a helper because it's commonly used - add a token with matched string, bump col with string size
+        bump_vars = lambda {
+          col += ::Regexp.last_match(0).size
+          str = ::Regexp.last_match.post_match
+        }
+        add_token_def = lambda do |sym|
+          add_token.call(sym, ::Regexp.last_match(0))
+          bump_vars.call
+        end
+        syscalls = @syscalls.keys.map { |s| ::Regexp.escape(s) }.join('|')
+        syscall_matcher = ::Regexp.compile("\\A\\b(#{syscalls})\\b")
+        syscall_all_matcher = ::Regexp.compile("\\A(#{ARCHES.join('|')})\\.(#{@syscall_all.join('|')})\\b")
+        until str.empty?
+          case str
+          when /\A\n+/
+            # Don't push newline as the first token
+            add_token.call(:NEWLINE, ::Regexp.last_match(0)) unless @tokens.empty?
+            row += ::Regexp.last_match(0).size
+            col = 0
+            str = ::Regexp.last_match.post_match
+          when /\A\s+/, /\A#.*/ then bump_vars.call
+          when /\A(\w+):/
+            add_token.call(:SYMBOL, ::Regexp.last_match(1))
+            bump_vars.call
+          when /\A(goto|jmp|jump)\s+(\w+)\b/i
+            add_token.call(:GOTO, ::Regexp.last_match(1), col + ::Regexp.last_match.begin(1))
+            add_token.call(:GOTO_SYMBOL, ::Regexp.last_match(2), col + ::Regexp.last_match.begin(2))
+            bump_vars.call
+          when KEYWORD_MATCHER then add_token_def.call(::Regexp.last_match(0).upcase.to_sym)
+          when ACTION_MATCHER then add_token_def.call(:ACTION)
+          when AUDIT_ARCH_MATCHER then add_token_def.call(:ARCH_VAL)
+          when syscall_matcher, syscall_all_matcher then add_token_def.call(:SYSCALL)
+          when /\A-?0x[0-9a-f]+\b/ then add_token_def.call(:HEX_INT)
+          when /\A-?[0-9]+\b/ then add_token_def.call(:INT)
+          when ALU_OP_MATCHER then add_token_def.call(:ALU_OP)
+          when COMPARE_MATCHER then add_token_def.call(:COMPARE)
+          # '&' is in both compare and ALU op category, handle it here
+          when /\A(\(|\)|=|\[|\]|&|!)/ then add_token_def.call(::Regexp.last_match(0))
+          when /\A\?\s*(?<jt>\w+)\s*:\s*(?<jf>\w+)/
+            %i[jt jf].each do |s|
+              add_token.call(:GOTO_SYMBOL, ::Regexp.last_match(s), col + ::Regexp.last_match.begin(s))
+            end
+            bump_vars.call
+          when /\A([^\s]+)(\s?)/
+            # unrecognized token - match until \s
+            last = ::Regexp.last_match(1)
+            add_token.call(:unknown, last)
+            col += last.size
+            str = ::Regexp.last_match(2) + ::Regexp.last_match.post_match
+          end
+        end
+        @tokens
+      end
+
+      # Let tab on terminal be 4 spaces wide.
+      TAB_WIDTH = 4
+
+      # @param [Token] tok
+      # @param [String] msg
+      # @return [String]
+      def format_error(tok, msg)
+        @lines = @str.lines unless defined?(@lines)
+        line = @lines[tok.line]
+        line = line[0..-2] if line.end_with?("\n")
+        line = line.gsub("\t", ' ' * TAB_WIDTH)
+        <<-EOS
+#{@filename}:#{tok.line + 1}:#{tok.col + 1} #{msg}
+#{line}
+#{' ' * calculate_spaces(@lines[tok.line][0...tok.col]) + '^' * tok.str.size}
+        EOS
+      end
+
+      private
+
+      def calculate_spaces(str)
+        str.size + str.count("\t") * (TAB_WIDTH - 1)
+      end
+    end
+  end
+end

data/lib/seccomp-tools/asm/statement.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module SeccompTools
+  module Asm
+    # A statement after parsing the assembly.
+    # Each statement will be converted to a BPF.
+    #
+    # Internally used by sasm.y.
+    # @private
+    class Statement
+      attr_reader :type, :data, :symbols
+
+      # Instantiates a {Statement} object.
+      #
+      # @param [:alu, :assign, :if, :ret] type
+      # @param [Integer, Array<Integer, String>] data
+      #   The data for describing this statement. Type of +data+ is variant according to the value of +type+.
+      # @param [Array<String>] symbols
+      #   Symbols that refer to this statement.
+      def initialize(type, data, symbols)
+        @type = type
+        @data = data
+        @symbols = symbols
+      end
+
+      # @param [Statement] other
+      def ==(other)
+        [type, data, symbols] == [other.type, other.data, other.symbols]
+      end
+    end
+  end
+end

data/lib/seccomp-tools/asm/token.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module SeccompTools
+  module Asm
+    # Records information of a token.
+    class Token
+      attr_reader :sym, :str, :line, :col
+
+      # Instantiates a {Token} object.
+      # @param [Symbol] sym
+      # @param [String] str
+      # @param [Integer] line
+      # @param [Integer] col
+      def initialize(sym, str, line, col)
+        @sym = sym
+        @str = str
+        @line = line
+        @col = col
+      end
+
+      # To compare with another {Token} object.
+      # @param [Token] other
+      # @return [Boolean]
+      def ==(other)
+        [other.sym, other.str, other.line, other.col] == [sym, str, line, col]
+      end
+    end
+  end
+end

data/lib/seccomp-tools/bpf.rb

@@ -26,7 +26,7 @@ module SeccompTools
 
     # Instantiate a {BPF} object.
     # @param [String] raw
-    #   One +struct sock_filter+ in bytes, should exactly 8 bytes.
+    #   One +struct sock_filter+ in bytes, should be 8 bytes long.
     # @param [Symbol] arch
     #   Architecture, for showing constant names in decompile.
     # @param [Integer] line
@@ -34,10 +34,11 @@ module SeccompTools
     def initialize(raw, arch, line)
       if raw.is_a?(String)
         io = ::StringIO.new(raw)
-        @code = io.read(2).unpack1('S')
+        endian = Const::Endian::ENDIAN[arch]
+        @code = io.read(2).unpack1("S#{endian}")
         @jt = io.read(1).ord
         @jf = io.read(1).ord
-        @k = io.read(4).unpack1('L')
+        @k = io.read(4).unpack1("L#{endian}")
       else
         @code = raw[:code]
         @jt = raw[:jt]
@@ -47,20 +48,43 @@ module SeccompTools
       @arch = arch
       @line = line
       @contexts = Set.new
+      @disasm_setting = {
+        code: true,
+        arg_infer: true
+      }
     end
 
     # Pretty display the disassemble result.
+    # @param [{Symbol => Boolean}] options
+    #   Set display settings.
     # @return [String]
-    def disasm
-      format(' %04d: 0x%02x 0x%02x 0x%02x 0x%08x  %s',
-             line, code, jt, jf, k, decompile)
+    def disasm(**options)
+      @disasm_setting.merge!(options)
+      if show_code?
+        format(' %04d: 0x%02x 0x%02x 0x%02x 0x%08x  %s',
+               line, code, jt, jf, k, decompile)
+      else
+        format('%04d: %s',
+               line, decompile)
+      end
+    end
+
+    # Whether needs to dump code, jt, jf, k.
+    def show_code?
+      @disasm_setting[:code]
+    end
+
+    # Whether needs to infer the syscall argument names.
+    def show_arg_infer?
+      @disasm_setting[:arg_infer]
     end
 
     # Convert to raw bytes.
     # @return [String]
     #   Raw bpf bytes.
     def asm
-      [code].pack('S*') + [jt, jf].pack('C*') + [k].pack('L')
+      endian = Const::Endian::ENDIAN[arch]
+      [code, jt, jf, k].pack("S#{endian}CCL#{endian}")
     end
 
     # Command according to +code+.

data/lib/seccomp-tools/cli/asm.rb

@@ -44,7 +44,7 @@ module SeccompTools
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
 
-        res = SeccompTools::Asm.asm(input, arch: option[:arch])
+        res = SeccompTools::Asm.asm(input, filename: option[:ifile], arch: option[:arch])
         output do
           case option[:format]
           when :inspect then "#{res.inspect}\n"

data/lib/seccomp-tools/cli/base.rb

@@ -8,7 +8,7 @@ module SeccompTools
   module CLI
     # Base class for handlers.
     class Base
-      # @return [Hash{Symbol => Object}] Options.
+      # @return [{Symbol => Object}] Options.
       attr_reader :option
       # @return [Array<String>] Arguments array.
       attr_reader :argv
@@ -25,7 +25,7 @@ module SeccompTools
 
       # Handle show help message.
       # @return [Boolean]
-      #   For decestors to check if need to continue.
+      #   For decestors to check whether need to continue.
       def handle
         return CLI.show(parser.help) if argv.empty? || %w[-h --help].any? { |h| argv.include?(h) }
 
@@ -39,7 +39,7 @@ module SeccompTools
       # @return [String]
       #   String read from file.
       def input
-        option[:ifile] == '-' ? $stdin.read.force_encoding('ascii-8bit') : IO.binread(option[:ifile])
+        option[:ifile] == '-' ? $stdin.read.force_encoding('ascii-8bit') : File.binread(option[:ifile])
       end
 
       # Write data to stdout or file(s).
@@ -55,7 +55,7 @@ module SeccompTools
         # Write to file, we should disable colorize
         enabled = Util.colorize_enabled?
         Util.disable_color! if enabled
-        IO.binwrite(file_of(option[:ofile], @serial), yield)
+        File.binwrite(file_of(option[:ofile], @serial), yield)
         Util.enable_color! if enabled
         @serial += 1
       end

data/lib/seccomp-tools/cli/disasm.rb

@@ -12,6 +12,12 @@ module SeccompTools
       # Usage of this command.
       USAGE = "disasm - #{SUMMARY}\n\nUsage: seccomp-tools disasm BPF_FILE [options]"
 
+      def initialize(*)
+        super
+        option[:bpf] = true
+        option[:arg_infer] = true
+      end
+
       # Define option parser.
       # @return [OptionParser]
       def parser
@@ -20,8 +26,23 @@ module SeccompTools
           opt.on('-o', '--output FILE', 'Output result into FILE instead of stdout.') do |o|
             option[:ofile] = o
           end
-
           option_arch(opt)
+          opt.on('--[no-]bpf', 'Display BPF bytes (code, jt, etc.).',
+                 'Default: true') do |f|
+                   option[:bpf] = f
+                 end
+          opt.on('--[no-]arg-infer', 'Display syscall arguments with parameter names when possible.',
+                 'Default: true') do |f|
+                   option[:arg_infer] = f
+                 end
+          opt.on('--asm-able', 'Output with this flag is a valid input of "seccomp-tools asm".',
+                 'By default, "seccomp-tools disasm" is in a human-readable format that easy for analysis.',
+                 'Passing this flag can have the output be simplified to a valid input for "seccomp-tools asm".',
+                 'This flag implies "--no-bpf --no-arg-infer".',
+                 'Default: false') do |_f|
+                   option[:bpf] = false
+                   option[:arg_infer] = false
+                 end
         end
       end
 
@@ -33,7 +54,10 @@ module SeccompTools
         option[:ifile] = argv.shift
         return CLI.show(parser.help) if option[:ifile].nil?
 
-        output { SeccompTools::Disasm.disasm(input, arch: option[:arch]) }
+        output do
+          SeccompTools::Disasm.disasm(input, arch: option[:arch], display_bpf: option[:bpf],
+                                             arg_infer: option[:arg_infer])
+        end
       end
     end
   end