seccomp-tools 1.1.0 → 1.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +7 -6
- data/lib/seccomp-tools.rb +3 -0
- data/lib/seccomp-tools/asm/compiler.rb +19 -5
- data/lib/seccomp-tools/asm/tokenizer.rb +1 -1
- data/lib/seccomp-tools/cli/cli.rb +3 -3
- data/lib/seccomp-tools/cli/dump.rb +2 -1
- data/lib/seccomp-tools/instruction/ret.rb +11 -2
- data/lib/seccomp-tools/instruction/st.rb +1 -1
- data/lib/seccomp-tools/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e486ade31fe2b1da262f3636060b4d0b3947fb29
|
|
4
|
+
data.tar.gz: c65f8074f25cb4b3806726a04d2c2377d44b3ec4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4fbb16ae849bcfc0d17eb8bbcb36f4e7906adb3da00f8bcc31712b69a299e3d3a4f659227e1668f8809433f5c4805170fd79e4934c174a4c455438bca6973361
|
|
7
|
+
data.tar.gz: a3aba5b768d38fe50f4533a60f7f9cc9d592429803a17728101f721d1aaaf767fcec270ffe59d08bd36763e542e48af48774a707d30dcba71d3920fc6a05123c
|
data/README.md
CHANGED
|
@@ -38,19 +38,20 @@ $ seccomp-tools --help
|
|
|
38
38
|
#
|
|
39
39
|
# List of commands:
|
|
40
40
|
#
|
|
41
|
-
# dump Automatically dump seccomp bpf from execution file.
|
|
42
|
-
# disasm Disassemble seccomp bpf.
|
|
43
41
|
# asm Seccomp bpf assembler.
|
|
42
|
+
# disasm Disassemble seccomp bpf.
|
|
43
|
+
# dump Automatically dump seccomp bpf from execution file.
|
|
44
44
|
# emu Emulate seccomp rules.
|
|
45
45
|
#
|
|
46
|
-
# See 'seccomp-tools
|
|
46
|
+
# See 'seccomp-tools <command> --help' to read about a specific subcommand.
|
|
47
47
|
|
|
48
|
-
$ seccomp-tools --help
|
|
48
|
+
$ seccomp-tools dump --help
|
|
49
49
|
# dump - Automatically dump seccomp bpf from execution file.
|
|
50
50
|
#
|
|
51
51
|
# Usage: seccomp-tools dump [exec] [options]
|
|
52
52
|
# -c, --sh-exec <command> Executes the given command (via sh).
|
|
53
53
|
# Use this option if want to pass arguments or do pipe things to the execution file.
|
|
54
|
+
# e.g. use `-c "./bin > /dev/null"` to dump seccomp without being mixed with stdout.
|
|
54
55
|
# -f, --format FORMAT Output format. FORMAT can only be one of <disasm|raw|inspect>.
|
|
55
56
|
# Default: disasm
|
|
56
57
|
# -l, --limit LIMIT Limit the number of calling "prctl(PR_SET_SECCOMP)".
|
|
@@ -197,7 +198,7 @@ $ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
|
|
|
197
198
|
# 0005: 0x15 0x03 0x00 0x00000003 if (A == close) goto 0009
|
|
198
199
|
# 0006: 0x15 0x02 0x00 0x00000020 if (A == dup) goto 0009
|
|
199
200
|
# 0007: 0x15 0x01 0x00 0x0000003c if (A == exit) goto 0009
|
|
200
|
-
# 0008: 0x06 0x00 0x00 0x00050005 return ERRNO
|
|
201
|
+
# 0008: 0x06 0x00 0x00 0x00050005 return ERRNO(5)
|
|
201
202
|
# 0009: 0x06 0x00 0x00 0x7fff0000 return ALLOW
|
|
202
203
|
# 0010: 0x06 0x00 0x00 0x00000000 return KILL
|
|
203
204
|
|
|
@@ -226,7 +227,7 @@ $ seccomp-tools emu spec/data/libseccomp.bpf 0x3
|
|
|
226
227
|
# 0005: 0x15 0x03 0x00 0x00000003 if (A == close) goto 0009
|
|
227
228
|
# 0006: 0x15 0x02 0x00 0x00000020 if (A == dup) goto 0009
|
|
228
229
|
# 0007: 0x15 0x01 0x00 0x0000003c if (A == exit) goto 0009
|
|
229
|
-
# 0008: 0x06 0x00 0x00 0x00050005 return ERRNO
|
|
230
|
+
# 0008: 0x06 0x00 0x00 0x00050005 return ERRNO(5)
|
|
230
231
|
# 0009: 0x06 0x00 0x00 0x7fff0000 return ALLOW
|
|
231
232
|
# 0010: 0x06 0x00 0x00 0x00000000 return KILL
|
|
232
233
|
#
|
data/lib/seccomp-tools.rb
CHANGED
|
@@ -30,7 +30,8 @@ module SeccompTools
|
|
|
30
30
|
when /^#{Tokenizer::LABEL_REGEXP}:/ then define_label
|
|
31
31
|
when /^return/ then ret
|
|
32
32
|
when /^(A|X)\s*=[^=]/ then assign
|
|
33
|
-
when /^
|
|
33
|
+
when /^mem\[\d+\]\s*=\s*(A|X)/ then store
|
|
34
|
+
when /^A\s*.{1,2}=/ then alu
|
|
34
35
|
end
|
|
35
36
|
rescue ArgumentError => e
|
|
36
37
|
invalid(@input.size - 1, e.message)
|
|
@@ -80,12 +81,14 @@ module SeccompTools
|
|
|
80
81
|
# <A|X> = 123|sys_const
|
|
81
82
|
# A = args[i]|sys_number|arch
|
|
82
83
|
# A = data[4 * i]
|
|
84
|
+
# mem[i] = <A|X>
|
|
83
85
|
def compile_assign(dst, src)
|
|
84
86
|
# misc txa / tax
|
|
85
87
|
return emit(:misc, :txa) if dst == :a && src == :x
|
|
86
88
|
return emit(:misc, :tax) if dst == :x && src == :a
|
|
87
89
|
src = evaluate(src)
|
|
88
|
-
#
|
|
90
|
+
# case of st / stx
|
|
91
|
+
return emit(src == :x ? :stx : :st, k: dst.last) if dst[0] == :mem
|
|
89
92
|
ld = dst == :x ? :ldx : :ld
|
|
90
93
|
# <A|X> = <immi>
|
|
91
94
|
return emit(ld, :imm, k: src) if src.is_a?(Integer)
|
|
@@ -104,7 +107,11 @@ module SeccompTools
|
|
|
104
107
|
end
|
|
105
108
|
|
|
106
109
|
def compile_ret(val)
|
|
107
|
-
|
|
110
|
+
if val == :a
|
|
111
|
+
src = :a
|
|
112
|
+
val = 0
|
|
113
|
+
end
|
|
114
|
+
emit(:ret, src, k: val)
|
|
108
115
|
end
|
|
109
116
|
|
|
110
117
|
def compile_cmp(op, val, jt, jf)
|
|
@@ -124,7 +131,7 @@ module SeccompTools
|
|
|
124
131
|
end
|
|
125
132
|
|
|
126
133
|
def evaluate(val)
|
|
127
|
-
return val if val.is_a?(Integer) || val == :x
|
|
134
|
+
return val if val.is_a?(Integer) || val == :x || val == :a
|
|
128
135
|
# keywords
|
|
129
136
|
val = case val
|
|
130
137
|
when 'sys_number' then [:data, 0]
|
|
@@ -186,10 +193,16 @@ module SeccompTools
|
|
|
186
193
|
token.fetch(:sys_num_x) ||
|
|
187
194
|
token.fetch(:ary) ||
|
|
188
195
|
token.fetch('sys_number') ||
|
|
189
|
-
token.fetch('arch')
|
|
196
|
+
token.fetch('arch') ||
|
|
197
|
+
raise(ArgumentError, 'Invalid source: ' + token.cur.inspect)
|
|
190
198
|
[:assign, dst, src]
|
|
191
199
|
end
|
|
192
200
|
|
|
201
|
+
# returns same format as assign
|
|
202
|
+
def store
|
|
203
|
+
[:assign, token.fetch!(:ary), token.fetch!('=') && token.fetch!(:ax)]
|
|
204
|
+
end
|
|
205
|
+
|
|
193
206
|
def define_label
|
|
194
207
|
name = token.fetch!(:goto)
|
|
195
208
|
token.fetch(':')
|
|
@@ -197,6 +210,7 @@ module SeccompTools
|
|
|
197
210
|
end
|
|
198
211
|
|
|
199
212
|
# A op= sys_num_x
|
|
213
|
+
# TODO: support A = -A
|
|
200
214
|
def alu
|
|
201
215
|
token.fetch!('A')
|
|
202
216
|
op = token.fetch!(:alu_op)
|
|
@@ -121,7 +121,7 @@ Invalid return type: #{cur.inspect}.
|
|
|
121
121
|
|
|
122
122
|
def fetch_ary
|
|
123
123
|
support_name = %w[data mem args]
|
|
124
|
-
regexp = /(#{support_name.join('|')})\[[0-9]{1,
|
|
124
|
+
regexp = /(#{support_name.join('|')})\[[0-9]{1,9}\]/
|
|
125
125
|
match = fetch_regexp(regexp)
|
|
126
126
|
return nil if match.nil?
|
|
127
127
|
res, val = match.split('[')
|
|
@@ -9,9 +9,9 @@ module SeccompTools
|
|
|
9
9
|
module CLI
|
|
10
10
|
# Handled commands
|
|
11
11
|
COMMANDS = {
|
|
12
|
-
'dump' => SeccompTools::CLI::Dump,
|
|
13
|
-
'disasm' => SeccompTools::CLI::Disasm,
|
|
14
12
|
'asm' => SeccompTools::CLI::Asm,
|
|
13
|
+
'disasm' => SeccompTools::CLI::Disasm,
|
|
14
|
+
'dump' => SeccompTools::CLI::Dump,
|
|
15
15
|
'emu' => SeccompTools::CLI::Emu
|
|
16
16
|
}.freeze
|
|
17
17
|
|
|
@@ -23,7 +23,7 @@ List of commands:
|
|
|
23
23
|
|
|
24
24
|
%COMMANDS
|
|
25
25
|
|
|
26
|
-
See 'seccomp-tools
|
|
26
|
+
See 'seccomp-tools <command> --help' to read about a specific subcommand.
|
|
27
27
|
EOS
|
|
28
28
|
|
|
29
29
|
module_function
|
|
@@ -23,7 +23,8 @@ module SeccompTools
|
|
|
23
23
|
@parser ||= OptionParser.new do |opt|
|
|
24
24
|
opt.banner = usage
|
|
25
25
|
opt.on('-c', '--sh-exec <command>', 'Executes the given command (via sh).',
|
|
26
|
-
'Use this option if want to pass arguments or do pipe things to the execution file.'
|
|
26
|
+
'Use this option if want to pass arguments or do pipe things to the execution file.',
|
|
27
|
+
'e.g. use `-c "./bin > /dev/null"` to dump seccomp without being mixed with stdout.') do |command|
|
|
27
28
|
option[:command] = command
|
|
28
29
|
end
|
|
29
30
|
|
|
@@ -6,8 +6,7 @@ module SeccompTools
|
|
|
6
6
|
class RET < Base
|
|
7
7
|
# Decompile instruction.
|
|
8
8
|
def decompile
|
|
9
|
-
|
|
10
|
-
"return #{type == :a ? 'A' : ACTION.invert[type & 0x7fff0000]}"
|
|
9
|
+
"return #{ret_str}"
|
|
11
10
|
end
|
|
12
11
|
|
|
13
12
|
# See {Instruction::Base#symbolize}.
|
|
@@ -22,6 +21,16 @@ module SeccompTools
|
|
|
22
21
|
def branch(*)
|
|
23
22
|
[]
|
|
24
23
|
end
|
|
24
|
+
|
|
25
|
+
private
|
|
26
|
+
|
|
27
|
+
def ret_str
|
|
28
|
+
_, type = symbolize
|
|
29
|
+
return 'A' if type == :a
|
|
30
|
+
str = ACTION.invert[type & 0x7fff0000].to_s
|
|
31
|
+
str += "(#{type & 0xffff})" if str == 'ERRNO'
|
|
32
|
+
str
|
|
33
|
+
end
|
|
25
34
|
end
|
|
26
35
|
end
|
|
27
36
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: seccomp-tools
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1.
|
|
4
|
+
version: 1.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- david942j
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-12-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: codeclimate-test-reporter
|
|
@@ -188,7 +188,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
188
188
|
version: '0'
|
|
189
189
|
requirements: []
|
|
190
190
|
rubyforge_project:
|
|
191
|
-
rubygems_version: 2.
|
|
191
|
+
rubygems_version: 2.6.13
|
|
192
192
|
signing_key:
|
|
193
193
|
specification_version: 4
|
|
194
194
|
summary: seccomp-tools
|