seccomp-tools 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e486ade31fe2b1da262f3636060b4d0b3947fb29
-  data.tar.gz: c65f8074f25cb4b3806726a04d2c2377d44b3ec4
+  metadata.gz: 5c6965417440352f339d587caf0ee612604d7d0e
+  data.tar.gz: 294d2c627f26b1bf03581675d35412d13296f27b
 SHA512:
-  metadata.gz: 4fbb16ae849bcfc0d17eb8bbcb36f4e7906adb3da00f8bcc31712b69a299e3d3a4f659227e1668f8809433f5c4805170fd79e4934c174a4c455438bca6973361
-  data.tar.gz: a3aba5b768d38fe50f4533a60f7f9cc9d592429803a17728101f721d1aaaf767fcec270ffe59d08bd36763e542e48af48774a707d30dcba71d3920fc6a05123c
+  metadata.gz: cfc63e0881c0cb4c7852051a4a0b98f93935523674582a75d5fb4f904cbd81673cb86d0be9f31cb76ce2515fa29a42f53a8e81321f3063d0bddce3257cac9b95
+  data.tar.gz: '090dd0f577b52bc5494121420d8600b12018f857bcccd05be15849fd774de4e02abfdc1c36610d8908910f79cfe4153b2f0dd613d015e5aaa86e2f984844ab1f'

data/README.md

@@ -6,16 +6,17 @@
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
 
 # Seccomp Tools
-Provides powerful tools for seccomp analysis.
+Provide powerful tools for seccomp analysis.
 
 This project is targeted to (but not limited to) analyze seccomp sandbox in CTF pwn challenges.
-Some features might be CTF-specific, but still useful for analysis of seccomp in real-case.
+Some features might be CTF-specific, but still useful for analyzing seccomp in real-case.
 
 ## Features
-* Dump - Automatically dump seccomp-bpf from binary.
+* Dump - Automatically dump seccomp-bpf from execution file(s).
 * Disasm - Convert bpf to human readable format.
   - Simple decompile.
   - Show syscall names.
+  - Colorful!
 * Asm - Write seccomp rules is so easy!
 * Emu - Emulate seccomp rules.
 * (TODO) Solve constraints for executing syscalls (e.g. `execve/open/read/write`).
@@ -40,13 +41,13 @@ $ seccomp-tools --help
 #
 # 	asm	Seccomp bpf assembler.
 # 	disasm	Disassemble seccomp bpf.
-# 	dump	Automatically dump seccomp bpf from execution file.
+# 	dump	Automatically dump seccomp bpf from execution file(s).
 # 	emu	Emulate seccomp rules.
 #
 # See 'seccomp-tools <command> --help' to read about a specific subcommand.
 
 $ seccomp-tools dump --help
-# dump - Automatically dump seccomp bpf from execution file.
+# dump - Automatically dump seccomp bpf from execution file(s).
 #
 # Usage: seccomp-tools dump [exec] [options]
 #     -c, --sh-exec <command>          Executes the given command (via sh).
@@ -166,7 +167,7 @@ $ seccomp-tools asm
 $ cat spec/data/libseccomp.asm
 # # check if arch is X86_64
 # A = arch
-# A == 0xc000003e ? next : dead
+# A == ARCH_X86_64 ? next : dead
 # A = sys_number
 # A >= 0x40000000 ? dead : next
 # A == write ? ok : next
@@ -246,6 +247,7 @@ $ seccomp-tools emu spec/data/libseccomp.bpf 0x3
 ![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-amigo.png?raw=true)
 
 ## I Need You
+
 Any suggestion or feature request is welcome!
 Feel free to file an issue or send a pull request.
-And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:
+And, if you like this work, I'll be happy to be [starred](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:

data/lib/seccomp-tools/asm/compiler.rb

@@ -42,7 +42,6 @@ module SeccompTools
         else
           @insts << res
         end
-        res
       end
 
       # @return [Array<SeccompTools::BPF>]
@@ -84,11 +83,10 @@ module SeccompTools
       # mem[i] = <A|X>
       def compile_assign(dst, src)
         # misc txa / tax
-        return emit(:misc, :txa) if dst == :a && src == :x
-        return emit(:misc, :tax) if dst == :x && src == :a
-        src = evaluate(src)
+        return compile_assign_misc(dst, src) if (dst == :a && src == :x) || (dst == :x && src == :a)
         # case of st / stx
-        return emit(src == :x ? :stx : :st, k: dst.last) if dst[0] == :mem
+        return emit(src == :x ? :stx : :st, k: dst.last) if dst.is_a?(Array) && dst.first == :mem
+        src = evaluate(src)
         ld = dst == :x ? :ldx : :ld
         # <A|X> = <immi>
         return emit(ld, :imm, k: src) if src.is_a?(Integer)
@@ -99,6 +97,10 @@ module SeccompTools
         emit(ld, :abs, k: src.last)
       end
 
+      def compile_assign_misc(dst, _src)
+        emit(:misc, dst == :a ? :txa : :tax)
+      end
+
       def compile_alu(op, val)
         val = evaluate(val)
         src = val == :x ? :x : :k
@@ -138,13 +140,17 @@ module SeccompTools
               when 'arch' then [:data, 4]
               else val
               end
-        return Const::Syscall.const_get(@arch.upcase.to_sym)[val.to_sym] if val.is_a?(String)
+        return eval_constants(val) if val.is_a?(String)
         # remains are [:mem/:data/:args, <num>]
         # first convert args to data
         val = [:data, val.last * 8 + 16] if val.first == :args
         val
       end
 
+      def eval_constants(str)
+        Const::Syscall.const_get(@arch.upcase.to_sym)[str.to_sym] || Const::Audit::ARCH[str]
+      end
+
       attr_reader :token
 
       # A <comparison> <sys_str|X|Integer> ? <label|Integer> : <label|Integer>

data/lib/seccomp-tools/asm/tokenizer.rb

@@ -40,7 +40,7 @@ module SeccompTools
         res = case type
               when String then fetch_str(type) || raise_expected("token #{type.inspect}")
               when :comparison then fetch_strs(COMPARISON).to_sym || raise_expected('a comparison operator')
-              when :sys_num_x then fetch_sys_num_x || raise_expected("a syscall number or 'X'")
+              when :sys_num_x then fetch_sys_num_arch_x || raise_expected("a syscall number or 'X'")
               when :goto then fetch_number || fetch_label || raise_expected('a number or label name')
               when :ret then fetch_return || raise(ArgumentError, <<-EOS)
 Invalid return type: #{cur.inspect}.
@@ -74,9 +74,9 @@ Invalid return type: #{cur.inspect}.
         nil
       end
 
-      def fetch_sys_num_x
+      def fetch_sys_num_arch_x
         return :x if fetch_str('X')
-        fetch_number || fetch_syscall
+        fetch_number || fetch_syscall || fetch_arch
       end
 
       # Currently only supports 10-based decimal numbers.
@@ -92,6 +92,10 @@ Invalid return type: #{cur.inspect}.
         fetch_strs(sys.keys.map(&:to_s).sort_by(&:size).reverse)
       end
 
+      def fetch_arch
+        fetch_strs(Const::Audit::ARCH.keys)
+      end
+
       def fetch_regexp(regexp)
         idx = cur =~ regexp
         return nil if idx.nil? || idx != 0
@@ -121,7 +125,7 @@ Invalid return type: #{cur.inspect}.
 
       def fetch_ary
         support_name = %w[data mem args]
-        regexp = /(#{support_name.join('|')})\[[0-9]{1,9}\]/
+        regexp = /(#{support_name.join('|')})\[[0-9]{1,2}\]/
         match = fetch_regexp(regexp)
         return nil if match.nil?
         res, val = match.split('[')

data/lib/seccomp-tools/bpf.rb

@@ -1,4 +1,5 @@
 require 'set'
+require 'stringio'
 
 require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/instruction'
@@ -30,7 +31,7 @@ module SeccompTools
     #   Line number of this filter.
     def initialize(raw, arch, line)
       if raw.is_a?(String)
-        io = StringIO.new(raw)
+        io = ::StringIO.new(raw)
         @code = io.read(2).unpack('S').first
         @jt = io.read(1).ord
         @jf = io.read(1).ord

data/lib/seccomp-tools/cli/base.rb

@@ -23,7 +23,7 @@ module SeccompTools
 
       # Handle show help message.
       # @return [Boolean]
-      #   For decestors to check if needs to conitnue.
+      #   For decestors to check if need to continue.
       def handle
         return CLI.show(parser.help) if argv.empty? || %w[-h --help].any? { |h| argv.include?(h) }
         parser.parse!(argv)

data/lib/seccomp-tools/cli/dump.rb

@@ -7,7 +7,7 @@ module SeccompTools
     # Handle 'dump' command.
     class Dump < Base
       # Summary of this command.
-      SUMMARY = 'Automatically dump seccomp bpf from execution file.'.freeze
+      SUMMARY = 'Automatically dump seccomp bpf from execution file(s).'.freeze
       # Usage of this command.
       USAGE = ('dump - ' + SUMMARY + "\n\n" + 'Usage: seccomp-tools dump [exec] [options]').freeze
 

data/lib/seccomp-tools/cli/emu.rb

@@ -44,7 +44,6 @@ module SeccompTools
         return CLI.show(parser.help) if option[:ifile].nil?
         raw = input
         insts = SeccompTools::Disasm.to_bpf(raw, option[:arch]).map(&:inst)
-        disasm = SeccompTools::Disasm.disasm(raw, arch: option[:arch])
         sys, *args = argv
         sys = Integer(sys) if sys
         args.map! { |v| Integer(v) }
@@ -54,26 +53,36 @@ module SeccompTools
         end
 
         if option[:verbose] >= 1
-          disasm = disasm.lines
-          output { disasm.shift }
-          output { disasm.shift }
-          disasm.each_with_index do |line, idx|
-            output do
-              next line if trace.member?(idx)
-              Util.colorize(line, t: :gray)
-            end
-            # Too much remain, omit them.
-            rem = disasm.size - idx - 1
-            break output { Util.colorize("... (omitting #{rem} lines)\n", t: :gray) } if rem > 3 && idx > res[:pc] + 4
-          end
-          output { "\n" }
+          disasm = SeccompTools::Disasm.disasm(raw, arch: option[:arch]).lines
+          output_emulate_path(disasm, trace, res)
         end
         output do
-          ret_type = Const::BPF::ACTION.invert[res[:ret] & 0x7fff0000]
-          errno = ret_type == :ERRNO ? "(#{res[:ret] & 0xffff})" : ''
+          ret_type = Const::BPF::ACTION.invert[res[:ret] & Const::BPF::SECCOMP_RET_ACTION_FULL]
+          errno = ret_type == :ERRNO ? "(#{res[:ret] & Const::BPF::SECCOMP_RET_DATA})" : ''
           format("return %s%s at line %04d\n", ret_type, errno, res[:pc])
         end
       end
+
+      private
+
+      # output the path during emulation
+      # @param [Array<String>] disasm
+      # @param [Set] trace
+      # @param [{Symbol => Object}] result
+      def output_emulate_path(disasm, trace, result)
+        output { disasm.shift }
+        output { disasm.shift }
+        disasm.each_with_index do |line, idx|
+          output do
+            next line if trace.member?(idx)
+            Util.colorize(line, t: :gray)
+          end
+          # Too much remain, omit them.
+          rem = disasm.size - idx - 1
+          break output { Util.colorize("... (omitting #{rem} lines)\n", t: :gray) } if rem > 3 && idx > result[:pc] + 4
+        end
+        output { "\n" }
+      end
     end
   end
 end

data/lib/seccomp-tools/const.rb

@@ -12,6 +12,16 @@ module SeccompTools
       # filter mode
       SECCOMP_MODE_FILTER = 2
 
+      # For syscall +seccomp+
+      SECCOMP_SET_MODE_FILTER = 1
+
+      # Masks for the return value sections.
+
+      # mask of return action
+      SECCOMP_RET_ACTION_FULL = 0xffff0000
+      # mask of return data
+      SECCOMP_RET_DATA = 0x0000ffff
+
       # bpf command classes
       COMMAND = {
         ld:   0x0,
@@ -42,11 +52,13 @@ module SeccompTools
 
       # seccomp action values
       ACTION = {
-        KILL:  0x00000000,
-        TRAP:  0x00030000,
-        ERRNO: 0x00050000,
-        TRACE: 0x7ff00000,
-        ALLOW: 0x7fff0000
+        KILL_PROCESS: 0x80000000,
+        KILL_THREAD:  0x00000000,
+        KILL:         0x00000000, # alias of KILL_THREAD
+        TRAP:         0x00030000,
+        ERRNO:        0x00050000,
+        TRACE:        0x7ff00000,
+        ALLOW:        0x7fff0000
       }.freeze
 
       # mode used in ld / ldx

data/lib/seccomp-tools/dumper.rb

@@ -74,7 +74,7 @@ module SeccompTools
           end
           !limit.zero?
         end
-        syscalls.keys.each { |cpid| Process.kill('KILL', cpid) if alive?(cpid) }
+        syscalls.each_key { |cpid| Process.kill('KILL', cpid) if alive?(cpid) }
         collect
       end
 
@@ -95,9 +95,9 @@ module SeccompTools
           cont = yield(child)
         end
         Ptrace.syscall(child, 0, 0) unless status.exited?
-        return cont
+        cont
       rescue Errno::ECHILD
-        return false
+        false
       end
 
       # @return [SeccompTools::Syscall]
@@ -119,9 +119,9 @@ module SeccompTools
       def handle_child(*args)
         Ptrace.traceme_and_stop
         exec(*args)
-      rescue # exec fail
+      rescue # rubocop:disable Style/RescueStandardError # exec fail
         # TODO: use logger
-        $stderr.puts("Failed to execute #{args.join(' ')}")
+        warn("Failed to execute #{args.join(' ')}")
         exit(1)
       end
     end

data/lib/seccomp-tools/emulator.rb

@@ -1,7 +1,7 @@
 require 'seccomp-tools/const'
 
 module SeccompTools
-  # For emulation seccomp.
+  # For emulating seccomp.
   class Emulator
     # Instantiate a {Emulator} object.
     #
@@ -89,7 +89,7 @@ module SeccompTools
     def cmp(op, src, jt, jf)
       src = get(:x) if src == :x
       a = get(:a)
-      val = a.send(op, src)
+      val = a.__send__(op, src)
       val = (val != 0) if val.is_a?(Integer) # handle & operator
       j = val ? jt : jf
       set(:pc, get(:pc) + j + 1)
@@ -100,7 +100,7 @@ module SeccompTools
         set(:a, 2**32 - get(:a))
       else
         src = get(:x) if src == :x
-        set(:a, get(:a).send(op, src))
+        set(:a, get(:a).__send__(op, src))
       end
     end
 

data/lib/seccomp-tools/instruction/base.rb

@@ -47,7 +47,7 @@ module SeccompTools
 
       %i(code jt jf k arch line contexts).each do |sym|
         define_method(sym) do
-          @bpf.send(sym)
+          @bpf.__send__(sym)
         end
       end
     end

data/lib/seccomp-tools/instruction/jmp.rb

@@ -9,14 +9,13 @@ module SeccompTools
       def decompile
         return goto(k) if jop == :none
         # if jt == 0 && jf == 0 => no-op # should not happen
-        # jt == 0 => if(!) goto jf
+        # jt == 0 => if(!) goto jf;
         # jf == 0 => if() goto jt;
         # otherwise => if () goto jt; else goto jf;
         return '/* no-op */' if jt.zero? && jf.zero?
         return goto(jt) if jt == jf
-        return if_str + goto(jt) + ' else ' + goto(jf) unless jt.zero? || jf.zero?
-        return if_str + goto(jt) if jf.zero?
-        if_str(true) + goto(jf)
+        return if_str(true) + goto(jf) if jt.zero?
+        if_str + goto(jt) + (jf.zero? ? '' : ' else ' + goto(jf))
       end
 
       # See {Instruction::Base#symbolize}.

data/lib/seccomp-tools/instruction/ret.rb

@@ -27,8 +27,8 @@ module SeccompTools
       def ret_str
         _, type = symbolize
         return 'A' if type == :a
-        str = ACTION.invert[type & 0x7fff0000].to_s
-        str += "(#{type & 0xffff})" if str == 'ERRNO'
+        str = ACTION.invert[type & SECCOMP_RET_ACTION_FULL].to_s
+        str << "(#{type & SECCOMP_RET_DATA})" if str == 'ERRNO'
         str
       end
     end

data/lib/seccomp-tools/syscall.rb

@@ -6,7 +6,7 @@ module SeccompTools
   class Syscall
     # Syscall arguments offset of +struct user+ in different arch.
     ABI = {
-      amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157 },
+      amd64: { number: 120, args: [112, 104, 96, 56, 72, 44], ret: 80, SYS_prctl: 157, SYS_seccomp: 317 },
       i386: { number: 120, args: [40, 88, 96, 104, 112, 32], ret: 80, SYS_prctl: 172 }
     }.freeze
 
@@ -33,11 +33,13 @@ module SeccompTools
       @ret = peek(abi[:ret])
     end
 
-    # Is this a +prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, addr)+ syscall?
+    # Is this a +seccomp(SECCOMP_MODE_FILTER, addr)+/+prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, addr)+ syscall?
+    #
     # @return [Boolean]
     #   +true+ for is a seccomp installation syscall.
     def set_seccomp?
-      # TODO: handle SECCOMP_MODE_STRICT
+      # TODO: handle SECCOMP_MODE_SET_STRICT / SECCOMP_MODE_STRICT
+      return true if number == abi[:SYS_seccomp] && args[0] == Const::BPF::SECCOMP_SET_MODE_FILTER
       number == abi[:SYS_prctl] && args[0] == Const::BPF::PR_SET_SECCOMP && args[1] == Const::BPF::SECCOMP_MODE_FILTER
     end
 

data/lib/seccomp-tools/util.rb

@@ -7,7 +7,9 @@ module SeccompTools
     # @return [Array<Symbol>]
     #   Architectures.
     def supported_archs
-      @archs ||= Dir.glob(File.join(__dir__, 'consts', '*.rb')).map { |f| File.basename(f, '.rb').to_sym }.sort
+      @supported_archs ||= Dir.glob(File.join(__dir__, 'consts', '*.rb'))
+                              .map { |f| File.basename(f, '.rb').to_sym }
+                              .sort
     end
 
     # Detect system architecture.

data/lib/seccomp-tools/version.rb

@@ -1,4 +1,4 @@
 module SeccompTools
   # Gem version.
-  VERSION = '1.1.1'.freeze
+  VERSION = '1.2.0'.freeze
 end

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: seccomp-tools
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-01 00:00:00.000000000 Z
+date: 2018-04-05 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -72,42 +58,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.49'
+        version: '0.54'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.49'
+        version: '0.54'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: 0.16.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.13.0
+        version: 0.16.0
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -188,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: seccomp-tools