seccomp-tools 1.5.0 → 1.6.1

data/lib/seccomp-tools/const.rb

@@ -120,14 +120,15 @@ module SeccompTools
         filename = File.join(__dir__, 'consts', 'sys_nr', "#{arch}.rb")
         return unless File.exist?(filename)
 
-        const_set(cons, instance_eval(IO.read(filename)))
+        const_set(cons, instance_eval(File.read(filename)))
       end
 
+      # Helper for loading syscall prototypes from generated sys_arg.rb.
       def load_args
-        hash = instance_eval(IO.read(File.join(__dir__, 'consts', 'sys_arg.rb')))
+        hash = instance_eval(File.read(File.join(__dir__, 'consts', 'sys_arg.rb')))
         Hash.new do |_h, k|
           next hash[k] if hash[k]
-          next hash[k.to_s[4..-1].to_sym] if k.to_s.start_with?('x32_')
+          next hash[k.to_s[4..].to_sym] if k.to_s.start_with?('x32_')
 
           nil
         end
@@ -139,11 +140,31 @@ module SeccompTools
 
     # Constants from https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h.
     module Audit
+      # Maps arch name to {ARCH}'s key.
+      ARCH_NAME = {
+        amd64: 'ARCH_X86_64',
+        i386: 'ARCH_I386',
+        aarch64: 'ARCH_AARCH64',
+        s390x: 'ARCH_S390X'
+      }.freeze
+
       # AUDIT_ARCH_*
       ARCH = {
         'ARCH_X86_64' => 0xc000003e,
         'ARCH_I386' => 0x40000003,
-        'ARCH_AARCH64' => 0xc00000b7
+        'ARCH_AARCH64' => 0xc00000b7,
+        'ARCH_S390X' => 0x80000016
+      }.freeze
+    end
+
+    # Endianess constants.
+    module Endian
+      # Defining default endianess of architectures.
+      ENDIAN = {
+        i386: '<',
+        amd64: '<',
+        aarch64: '<',
+        s390x: '>'
       }.freeze
     end
   end

data/lib/seccomp-tools/consts/sys_nr/amd64.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+# Denote a x32 syscall.
 X32_MODE_BIT = 0x40000000
 {
   read: 0,

data/lib/seccomp-tools/consts/sys_nr/s390x.rb

@@ -0,0 +1,365 @@
+# frozen_string_literal: true
+
+{
+  exit: 1,
+  fork: 2,
+  read: 3,
+  write: 4,
+  open: 5,
+  close: 6,
+  restart_syscall: 7,
+  creat: 8,
+  link: 9,
+  unlink: 10,
+  execve: 11,
+  chdir: 12,
+  mknod: 14,
+  chmod: 15,
+  lseek: 19,
+  getpid: 20,
+  mount: 21,
+  umount: 22,
+  ptrace: 26,
+  alarm: 27,
+  pause: 29,
+  utime: 30,
+  access: 33,
+  nice: 34,
+  sync: 36,
+  kill: 37,
+  rename: 38,
+  mkdir: 39,
+  rmdir: 40,
+  dup: 41,
+  pipe: 42,
+  times: 43,
+  brk: 45,
+  signal: 48,
+  acct: 51,
+  umount2: 52,
+  ioctl: 54,
+  fcntl: 55,
+  setpgid: 57,
+  umask: 60,
+  chroot: 61,
+  ustat: 62,
+  dup2: 63,
+  getppid: 64,
+  getpgrp: 65,
+  setsid: 66,
+  sigaction: 67,
+  sigsuspend: 72,
+  sigpending: 73,
+  sethostname: 74,
+  setrlimit: 75,
+  getrusage: 77,
+  gettimeofday: 78,
+  settimeofday: 79,
+  symlink: 83,
+  readlink: 85,
+  uselib: 86,
+  swapon: 87,
+  reboot: 88,
+  readdir: 89,
+  mmap: 90,
+  munmap: 91,
+  truncate: 92,
+  ftruncate: 93,
+  fchmod: 94,
+  getpriority: 96,
+  setpriority: 97,
+  statfs: 99,
+  fstatfs: 100,
+  socketcall: 102,
+  syslog: 103,
+  setitimer: 104,
+  getitimer: 105,
+  stat: 106,
+  lstat: 107,
+  fstat: 108,
+  lookup_dcookie: 110,
+  vhangup: 111,
+  idle: 112,
+  wait4: 114,
+  swapoff: 115,
+  sysinfo: 116,
+  ipc: 117,
+  fsync: 118,
+  sigreturn: 119,
+  clone: 120,
+  setdomainname: 121,
+  uname: 122,
+  adjtimex: 124,
+  mprotect: 125,
+  sigprocmask: 126,
+  create_module: 127,
+  init_module: 128,
+  delete_module: 129,
+  get_kernel_syms: 130,
+  quotactl: 131,
+  getpgid: 132,
+  fchdir: 133,
+  bdflush: 134,
+  sysfs: 135,
+  personality: 136,
+  afs_syscall: 137,
+  getdents: 141,
+  select: 142,
+  flock: 143,
+  msync: 144,
+  readv: 145,
+  writev: 146,
+  getsid: 147,
+  fdatasync: 148,
+  _sysctl: 149,
+  mlock: 150,
+  munlock: 151,
+  mlockall: 152,
+  munlockall: 153,
+  sched_setparam: 154,
+  sched_getparam: 155,
+  sched_setscheduler: 156,
+  sched_getscheduler: 157,
+  sched_yield: 158,
+  sched_get_priority_max: 159,
+  sched_get_priority_min: 160,
+  sched_rr_get_interval: 161,
+  nanosleep: 162,
+  mremap: 163,
+  query_module: 167,
+  poll: 168,
+  nfsservctl: 169,
+  prctl: 172,
+  rt_sigreturn: 173,
+  rt_sigaction: 174,
+  rt_sigprocmask: 175,
+  rt_sigpending: 176,
+  rt_sigtimedwait: 177,
+  rt_sigqueueinfo: 178,
+  rt_sigsuspend: 179,
+  pread64: 180,
+  pwrite64: 181,
+  getcwd: 183,
+  capget: 184,
+  capset: 185,
+  sigaltstack: 186,
+  sendfile: 187,
+  getpmsg: 188,
+  putpmsg: 189,
+  vfork: 190,
+  getrlimit: 191,
+  lchown: 198,
+  getuid: 199,
+  getgid: 200,
+  geteuid: 201,
+  getegid: 202,
+  setreuid: 203,
+  setregid: 204,
+  getgroups: 205,
+  setgroups: 206,
+  fchown: 207,
+  setresuid: 208,
+  getresuid: 209,
+  setresgid: 210,
+  getresgid: 211,
+  chown: 212,
+  setuid: 213,
+  setgid: 214,
+  setfsuid: 215,
+  setfsgid: 216,
+  pivot_root: 217,
+  mincore: 218,
+  madvise: 219,
+  getdents64: 220,
+  readahead: 222,
+  setxattr: 224,
+  lsetxattr: 225,
+  fsetxattr: 226,
+  getxattr: 227,
+  lgetxattr: 228,
+  fgetxattr: 229,
+  listxattr: 230,
+  llistxattr: 231,
+  flistxattr: 232,
+  removexattr: 233,
+  lremovexattr: 234,
+  fremovexattr: 235,
+  gettid: 236,
+  tkill: 237,
+  futex: 238,
+  sched_setaffinity: 239,
+  sched_getaffinity: 240,
+  tgkill: 241,
+  io_setup: 243,
+  io_destroy: 244,
+  io_getevents: 245,
+  io_submit: 246,
+  io_cancel: 247,
+  exit_group: 248,
+  epoll_create: 249,
+  epoll_ctl: 250,
+  epoll_wait: 251,
+  set_tid_address: 252,
+  fadvise64: 253,
+  timer_create: 254,
+  timer_settime: 255,
+  timer_gettime: 256,
+  timer_getoverrun: 257,
+  timer_delete: 258,
+  clock_settime: 259,
+  clock_gettime: 260,
+  clock_getres: 261,
+  clock_nanosleep: 262,
+  statfs64: 265,
+  fstatfs64: 266,
+  remap_file_pages: 267,
+  mbind: 268,
+  get_mempolicy: 269,
+  set_mempolicy: 270,
+  mq_open: 271,
+  mq_unlink: 272,
+  mq_timedsend: 273,
+  mq_timedreceive: 274,
+  mq_notify: 275,
+  mq_getsetattr: 276,
+  kexec_load: 277,
+  add_key: 278,
+  request_key: 279,
+  keyctl: 280,
+  waitid: 281,
+  ioprio_set: 282,
+  ioprio_get: 283,
+  inotify_init: 284,
+  inotify_add_watch: 285,
+  inotify_rm_watch: 286,
+  migrate_pages: 287,
+  openat: 288,
+  mkdirat: 289,
+  mknodat: 290,
+  fchownat: 291,
+  futimesat: 292,
+  newfstatat: 293,
+  unlinkat: 294,
+  renameat: 295,
+  linkat: 296,
+  symlinkat: 297,
+  readlinkat: 298,
+  fchmodat: 299,
+  faccessat: 300,
+  pselect6: 301,
+  ppoll: 302,
+  unshare: 303,
+  set_robust_list: 304,
+  get_robust_list: 305,
+  splice: 306,
+  sync_file_range: 307,
+  tee: 308,
+  vmsplice: 309,
+  move_pages: 310,
+  getcpu: 311,
+  epoll_pwait: 312,
+  utimes: 313,
+  fallocate: 314,
+  utimensat: 315,
+  signalfd: 316,
+  timerfd: 317,
+  eventfd: 318,
+  timerfd_create: 319,
+  timerfd_settime: 320,
+  timerfd_gettime: 321,
+  signalfd4: 322,
+  eventfd2: 323,
+  inotify_init1: 324,
+  pipe2: 325,
+  dup3: 326,
+  epoll_create1: 327,
+  preadv: 328,
+  pwritev: 329,
+  rt_tgsigqueueinfo: 330,
+  perf_event_open: 331,
+  fanotify_init: 332,
+  fanotify_mark: 333,
+  prlimit64: 334,
+  name_to_handle_at: 335,
+  open_by_handle_at: 336,
+  clock_adjtime: 337,
+  syncfs: 338,
+  setns: 339,
+  process_vm_readv: 340,
+  process_vm_writev: 341,
+  s390_runtime_instr: 342,
+  kcmp: 343,
+  finit_module: 344,
+  sched_setattr: 345,
+  sched_getattr: 346,
+  renameat2: 347,
+  seccomp: 348,
+  getrandom: 349,
+  memfd_create: 350,
+  bpf: 351,
+  s390_pci_mmio_write: 352,
+  s390_pci_mmio_read: 353,
+  execveat: 354,
+  userfaultfd: 355,
+  membarrier: 356,
+  recvmmsg: 357,
+  sendmmsg: 358,
+  socket: 359,
+  socketpair: 360,
+  bind: 361,
+  connect: 362,
+  listen: 363,
+  accept4: 364,
+  getsockopt: 365,
+  setsockopt: 366,
+  getsockname: 367,
+  getpeername: 368,
+  sendto: 369,
+  sendmsg: 370,
+  recvfrom: 371,
+  recvmsg: 372,
+  shutdown: 373,
+  mlock2: 374,
+  copy_file_range: 375,
+  preadv2: 376,
+  pwritev2: 377,
+  s390_guarded_storage: 378,
+  statx: 379,
+  s390_sthyi: 380,
+  kexec_file_load: 381,
+  io_pgetevents: 382,
+  rseq: 383,
+  pkey_mprotect: 384,
+  pkey_alloc: 385,
+  pkey_free: 386,
+  semtimedop: 392,
+  semget: 393,
+  semctl: 394,
+  shmget: 395,
+  shmctl: 396,
+  shmat: 397,
+  shmdt: 398,
+  msgget: 399,
+  msgsnd: 400,
+  msgrcv: 401,
+  msgctl: 402,
+  pidfd_send_signal: 424,
+  io_uring_setup: 425,
+  io_uring_enter: 426,
+  io_uring_register: 427,
+  open_tree: 428,
+  move_mount: 429,
+  fsopen: 430,
+  fsconfig: 431,
+  fsmount: 432,
+  fspick: 433,
+  pidfd_open: 434,
+  clone3: 435,
+  close_range: 436,
+  openat2: 437,
+  pidfd_getfd: 438,
+  faccessat2: 439,
+  process_madvise: 440,
+  epoll_pwait2: 441,
+  mount_setattr: 442
+}

data/lib/seccomp-tools/disasm/context.rb

@@ -58,7 +58,7 @@ module SeccompTools
       #   Value to be set to +reg/mem+.
       # @param [Array<Integer?>] known_data
       #   Records which index of data is known.
-      #   It's used for tracking if the syscall number is known, which can be used to display argument names of the
+      #   It's used for tracking when the syscall number is known, which can be used to display argument names of the
       #   syscall.
       def initialize(values: {}, known_data: [])
         @values = values
@@ -104,7 +104,7 @@ module SeccompTools
       #   Returns the object itself.
       def eql!(val)
         tap do
-          # only cares if A is fetched from data
+          # only cares when A is fetched from data
           next unless a.data?
           next known_data[a.val] = val if val.is_a?(Integer)
           # A == X, we can handle these cases:

data/lib/seccomp-tools/disasm/disasm.rb

@@ -7,20 +7,22 @@ require 'seccomp-tools/disasm/context'
 require 'seccomp-tools/util'
 
 module SeccompTools
-  # Disassembler of seccomp bpf.
+  # Disassembler of seccomp BPF.
   module Disasm
     module_function
 
-    # Disassemble bpf codes.
+    # Disassemble BPF codes.
     # @param [String] raw
-    #   The raw bpf bytes.
+    #   The raw BPF bytes.
     # @param [Symbol] arch
     #   Architecture.
-    def disasm(raw, arch: nil)
+    # @param [Boolean] display_bpf
+    # @param [Boolean] arg_infer
+    def disasm(raw, arch: nil, display_bpf: true, arg_infer: true)
       codes = to_bpf(raw, arch)
       contexts = Array.new(codes.size) { Set.new }
       contexts[0].add(Context.new)
-      # all we care is if A is exactly one of data[*]
+      # all we care is whether A is data[*]
       dis = codes.zip(contexts).map do |code, ctxs|
         ctxs.each do |ctx|
           code.branch(ctx) do |pc, c|
@@ -28,16 +30,20 @@ module SeccompTools
           end
         end
         code.contexts = ctxs
-        code.disasm
+        code.disasm(code: display_bpf, arg_infer: arg_infer)
       end.join("\n")
-      <<-EOS
+      if display_bpf
+        <<-EOS
  line  CODE  JT   JF      K
 =================================
 #{dis}
-      EOS
+        EOS
+      else
+        "#{dis}\n"
+      end
     end
 
-    # Convert raw bpf string to array of {BPF}.
+    # Convert raw BPF string to array of {BPF}.
     # @param [String] raw
     # @param [Symbol] arch
     # @return [Array<BPF>]

data/lib/seccomp-tools/dumper.rb

@@ -8,7 +8,6 @@ require 'seccomp-tools/syscall'
 
 module SeccompTools
   # Dump seccomp-bpf using ptrace of binary.
-  # Currently only support x86_64 and aarch64.
   module Dumper
     # Whether the dumper is supported.
     # Dumper works based on ptrace, so we need the platform be Linux.
@@ -66,7 +65,7 @@ module SeccompTools
       # @yieldparam [String] bpf
       #   Seccomp bpf in raw bytes.
       # @yieldparam [Symbol] arch
-      #   Architecture, either :i386 or :amd64.
+      #   Architecture. See {SeccompTools::Syscall::ABI} for supported architectures.
       # @return [Array<Object>, Array<String>]
       #   Return the block returned. If block is not given, array of raw bytes will be returned.
       def handle(limit, &block)

data/lib/seccomp-tools/emulator.rb

@@ -7,7 +7,7 @@ module SeccompTools
   class Emulator
     # Instantiate a {Emulator} object.
     #
-    # All parameters except +instructions+ are optional, while a warning will be shown if unset data being accessed.
+    # All parameters except +instructions+ are optional. A warning is shown when uninitialized data is accessed.
     # @param [Array<Instruction::Base>] instructions
     # @param [Integer] sys_nr
     #   Syscall number.
@@ -15,8 +15,8 @@ module SeccompTools
     #   Syscall arguments
     # @param [Integer] instruction_pointer
     #   Program counter address when this syscall invoked.
-    # @param [Symbol] arch
-    #   If not given, use system architecture as default.
+    # @param [Symbol?] arch
+    #   System architecture is used when this parameter is not provided.
     #
     #   See {SeccompTools::Util.supported_archs} for list of supported architectures.
     def initialize(instructions, sys_nr: nil, args: [], instruction_pointer: nil, arch: nil)
@@ -28,7 +28,7 @@ module SeccompTools
     end
 
     # Run emulation!
-    # @return [Hash{Symbol, Integer => Integer}]
+    # @return [{Symbol, Integer => Integer}]
     def run
       @values = { pc: 0, a: 0, x: 0 }
       loop do
@@ -58,12 +58,7 @@ module SeccompTools
     end
 
     def audit(arch)
-      type = {
-        amd64: 'ARCH_X86_64',
-        i386: 'ARCH_I386',
-        aarch64: 'ARCH_AARCH64'
-      }[arch]
-      Const::Audit::ARCH[type]
+      Const::Audit::ARCH[Const::Audit::ARCH_NAME[arch]]
     end
 
     def ret(num)

data/lib/seccomp-tools/error.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module SeccompTools
+  # Base error class.
+  class Error < StandardError
+  end
+
+  # Raised when unrecognized token(s) are found on compiling seccomp assembly.
+  class UnrecognizedTokenError < Error
+  end
+
+  # Raised when a referred label is defined no where on compiling seccomp assembly.
+  class UndefinedLabelError < Error
+  end
+
+  # Raised on RACC parsing error when compiling seccomp assembly.
+  class ParseError < Error
+  end
+
+  # Raised when a jump expression goes backward on compiling seccomp assembly.
+  class BackwardJumpError < Error
+  end
+
+  # Raised when a label is defined more than once on compiling seccomp assembly.
+  class DuplicateLabelError < Error
+  end
+
+  # Raised when a jump is longer than supported distance.
+  class LongJumpError < Error
+  end
+end

data/lib/seccomp-tools/instruction/base.rb

@@ -47,7 +47,7 @@ module SeccompTools
 
       private
 
-      %i(code jt jf k arch line contexts).each do |sym|
+      %i(code jt jf k arch line contexts show_arg_infer?).each do |sym|
         define_method(sym) do
           @bpf.__send__(sym)
         end

data/lib/seccomp-tools/instruction/jmp.rb

@@ -74,7 +74,20 @@ module SeccompTools
       end
 
       def sysname_by_k
-        Const::Syscall.const_get(arch.upcase.to_sym).invert[k]
+        a = infer_arch || arch
+        name = Const::Syscall.const_get(a.upcase.to_sym).invert[k]
+        return name if name.nil?
+
+        a == arch ? name : "#{a}.#{name}"
+      end
+
+      # Infers the architecture from context.
+      # @return [Symbol?]
+      def infer_arch
+        arches = contexts.map { |ctx| ctx.known_data[4] }.uniq
+        return nil unless arches.size == 1 && !arches.first.nil?
+
+        Const::Audit::ARCH_NAME.invert[Const::Audit::ARCH.invert[arches.first]]
       end
 
       def src

data/lib/seccomp-tools/instruction/ld.rb

@@ -78,8 +78,10 @@ module SeccompTools
       end
 
       def args_name(idx)
-        sys_nrs = contexts.map { |ctx| ctx.known_data[0] }.uniq
         default = idx.even? ? "args[#{idx / 2}]" : "args[#{idx / 2}] >> 32"
+        return default unless show_arg_infer?
+
+        sys_nrs = contexts.map { |ctx| ctx.known_data[0] }.uniq
         return default if sys_nrs.size != 1 || sys_nrs.first.nil?
 
         sys = Const::Syscall.const_get(arch.upcase.to_sym).invert[sys_nrs.first]

data/lib/seccomp-tools/syscall.rb

@@ -12,12 +12,15 @@ module SeccompTools
     ABI = {
       amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157, SYS_seccomp: 317 },
       i386: { number: 44, args: [0, 4, 8, 12, 16, 20], ret: 24, SYS_prctl: 172, SYS_seccomp: 354 },
-      aarch64: { number: 64, args: [0, 8, 16, 24, 32, 40, 48], ret: 0, SYS_prctl: 167, SYS_seccomp: 277 }
+      aarch64: { number: 64, args: [0, 8, 16, 24, 32, 40, 48], ret: 0, SYS_prctl: 167, SYS_seccomp: 277 },
+      # Most software invokes syscalls through "svc 0", in which case the syscall number is in r1.
+      # However, it's also possible to use "svc NR": this case is not handled here.
+      s390x: { number: 24, args: [32, 40, 48, 56, 64, 72], ret: 32, SYS_prctl: 172, SYS_seccomp: 348 }
     }.freeze
 
     # @return [Integer] Process id.
     attr_reader :pid
-    # @return [Hash{Symbol => Integer, Array<Integer>}] See {ABI}.
+    # @return [{Symbol => Integer, Array<Integer>}] See {ABI}.
     attr_reader :abi
     # @return [Integer] Syscall number.
     attr_reader :number
@@ -64,11 +67,12 @@ module SeccompTools
     def arch
       @arch ||= File.open("/proc/#{pid}/exe", 'rb') do |f|
         f.pos = 18
-        case f.read(1).ord
-        when 3 then :i386
-        when 62 then :amd64
-        when 183 then :aarch64
-        end
+        {
+          "\x03\x00" => :i386,
+          "\x3e\x00" => :amd64,
+          "\xb7\x00" => :aarch64,
+          "\x00\x16" => :s390x
+        }[f.read(2)]
       end
     end
 
@@ -78,7 +82,8 @@ module SeccompTools
       {
         i386: 32,
         amd64: 64,
-        aarch64: 64
+        aarch64: 64,
+        s390x: 64
       }[arch]
     end
 

data/lib/seccomp-tools/templates/asm.s390x.asm

@@ -0,0 +1,26 @@
+  .globl install_seccomp
+install_seccomp:
+  lghi   %r1, 172   /* __NR_prctl */
+  lghi   %r2, 38    /* PR_SET_NO_NEW_PRIVS */
+  lghi   %r3, 1
+  xgr    %r4, %r4
+  xgr    %r5, %r5
+  xgr    %r6, %r6
+  svc    0
+
+  lghi   %r1, 172   /* __NR_prctl */
+  lghi   %r2, 22    /* PR_SET_SECCOMP */
+  lghi   %r3, 2     /* SECCOMP_MODE_FILTER */
+  aghi   %r15, -16  /* sizeof(struct sock_fprog) */
+  mvhhi  0(%r15), (_filter_end - _filter) >> 3  /* .len */
+  larl   %r4, _filter
+  stg    %r4, 8(%r15)                           /* .filter */
+  lgr    %r4, %r15
+  svc    0
+  aghi   %r15, 16
+
+  br     %r14
+
+_filter:
+.ascii "<TO_BE_REPLACED>"
+_filter_end: