seccomp-tools 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5c6965417440352f339d587caf0ee612604d7d0e
-  data.tar.gz: 294d2c627f26b1bf03581675d35412d13296f27b
+SHA256:
+  metadata.gz: 5d0a3997904616df1a40c2a8131ec70fb83511477e155de8e6d0de9c3a445cf9
+  data.tar.gz: eb7970f0de4a89ac13e41626950dbee92ca141b5bc4342e804a799076a61ac53
 SHA512:
-  metadata.gz: cfc63e0881c0cb4c7852051a4a0b98f93935523674582a75d5fb4f904cbd81673cb86d0be9f31cb76ce2515fa29a42f53a8e81321f3063d0bddce3257cac9b95
-  data.tar.gz: '090dd0f577b52bc5494121420d8600b12018f857bcccd05be15849fd774de4e02abfdc1c36610d8908910f79cfe4153b2f0dd613d015e5aaa86e2f984844ab1f'
+  metadata.gz: 5ce8984f8b3ada51158a181de2ab5e12d291ff12cf3515467763c77ab58870416c4927fce3e362c3775d3749e8a5939d54971681ec85da96adfb38210a51ca90
+  data.tar.gz: 2611058a57579fb1806f9bcc6ca05d203f36fa34f5d6aa0434b71b0dbc815f14b513b9907d60a4cbc59a8e648c8880e39e5339a1d85113a98cd147728223e65e

data/README.md

@@ -1,4 +1,5 @@
 [![Build Status](https://travis-ci.org/david942j/seccomp-tools.svg?branch=master)](https://travis-ci.org/david942j/seccomp-tools)
+[![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=david942j/seccomp-tools)](https://dependabot.com)
 [![Code Climate](https://codeclimate.com/github/david942j/seccomp-tools/badges/gpa.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
 [![Issue Count](https://codeclimate.com/github/david942j/seccomp-tools/badges/issue_count.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
 [![Test Coverage](https://codeclimate.com/github/david942j/seccomp-tools/badges/coverage.svg)](https://codeclimate.com/github/david942j/seccomp-tools/coverage)
@@ -12,15 +13,14 @@ This project is targeted to (but not limited to) analyze seccomp sandbox in CTF
 Some features might be CTF-specific, but still useful for analyzing seccomp in real-case.
 
 ## Features
-* Dump - Automatically dump seccomp-bpf from execution file(s).
-* Disasm - Convert bpf to human readable format.
+* Dump - Automatically dumps seccomp-bpf from execution file(s).
+* Disasm - Converts bpf to human readable format.
   - Simple decompile.
-  - Show syscall names.
+  - Display syscall names and arguments when possible.
   - Colorful!
 * Asm - Write seccomp rules is so easy!
-* Emu - Emulate seccomp rules.
-* (TODO) Solve constraints for executing syscalls (e.g. `execve/open/read/write`).
-* Support multi-architectures.
+* Emu - Emulates seccomp rules.
+* Supports multi-architectures.
 
 ## Installation
 
@@ -29,6 +29,12 @@ Available on RubyGems.org!
 $ gem install seccomp-tools
 ```
 
+If you failed when compiling, try:
+```
+sudo apt install gcc ruby-dev
+```
+and install seccomp-tools again.
+
 ## Command Line Interface
 
 ### seccomp-tools
@@ -67,13 +73,13 @@ $ seccomp-tools dump --help
 
 ### dump
 
-Dump the seccomp bpf from an execution file.
+Dumps the seccomp bpf from an execution file.
 This work is done by the `ptrace` syscall.
 
 NOTICE: beware of the execution file will be executed.
 ```bash
 $ file spec/binary/twctf-2016-diary
-# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped
+# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped
 
 $ seccomp-tools dump spec/binary/twctf-2016-diary
 #  line  CODE  JT   JF      K
@@ -115,7 +121,7 @@ $ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd
 
 ### disasm
 
-Disassemble the seccomp from raw bpf.
+Disassembles the seccomp from raw bpf.
 ```bash
 $ xxd spec/data/twctf-2016-diary.bpf | head -n 3
 # 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
@@ -148,17 +154,17 @@ $ seccomp-tools disasm spec/data/twctf-2016-diary.bpf
 
 ### asm
 
-Assemble the seccomp rules into raw bytes.
-Very useful when want to write custom seccomp rules.
+Assembles the seccomp rules into raw bytes.
+It's very useful when one wants to write custom seccomp rules.
 
-Supports labels for jumping and use syscall names directly. See example below.
+Supports labels for jumping and uses syscall names directly. See examples below.
 ```bash
 $ seccomp-tools asm
 # asm - Seccomp bpf assembler.
 #
 # Usage: seccomp-tools asm IN_FILE [options]
 #     -o, --output FILE                Output result into FILE instead of stdout.
-#     -f, --format FORMAT              Output format. FORMAT can only be one of <inspect|raw|carray>.
+#     -f, --format FORMAT              Output format. FORMAT can only be one of <inspect|raw|c_array|c_source|assembly>.
 #                                      Default: inspect
 #     -a, --arch ARCH                  Specify architecture.
 #                                      Supported architectures are <amd64|i386>.
@@ -183,8 +189,52 @@ $ cat spec/data/libseccomp.asm
 $ seccomp-tools asm spec/data/libseccomp.asm
 # " \x00\x00\x00\x04\x00\x00\x00\x15\x00\x00\b>\x00\x00\xC0 \x00\x00\x00\x00\x00\x00\x005\x00\x06\x00\x00\x00\x00@\x15\x00\x04\x00\x01\x00\x00\x00\x15\x00\x03\x00\x03\x00\x00\x00\x15\x00\x02\x00 \x00\x00\x00\x15\x00\x01\x00<\x00\x00\x00\x06\x00\x00\x00\x05\x00\x05\x00\x06\x00\x00\x00\x00\x00\xFF\x7F\x06\x00\x00\x00\x00\x00\x00\x00"
 
-$ seccomp-tools asm spec/data/libseccomp.asm -f carray
-# unsigned char bpf[] = {32,0,0,0,4,0,0,0,21,0,0,8,62,0,0,192,32,0,0,0,0,0,0,0,53,0,6,0,0,0,0,64,21,0,4,0,1,0,0,0,21,0,3,0,3,0,0,0,21,0,2,0,32,0,0,0,21,0,1,0,60,0,0,0,6,0,0,0,5,0,5,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0};
+$ seccomp-tools asm spec/data/libseccomp.asm -f c_source
+# #include <linux/seccomp.h>
+# #include <stdio.h>
+# #include <stdlib.h>
+# #include <sys/prctl.h>
+#
+# static void install_seccomp() {
+#   static unsigned char filter[] = {32,0,0,0,4,0,0,0,21,0,0,8,62,0,0,192,32,0,0,0,0,0,0,0,53,0,6,0,0,0,0,64,21,0,4,0,1,0,0,0,21,0,3,0,3,0,0,0,21,0,2,0,32,0,0,0,21,0,1,0,60,0,0,0,6,0,0,0,5,0,5,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0};
+#   struct prog {
+#     unsigned short len;
+#     unsigned char *filter;
+#   } rule = {
+#     .len = sizeof(filter) >> 3,
+#     .filter = filter
+#   };
+#   if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); exit(2); }
+#   if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &rule) < 0) { perror("prctl(PR_SET_SECCOMP)"); exit(2); }
+# }
+
+$ seccomp-tools asm spec/data/libseccomp.asm -f assembly
+# install_seccomp:
+#   push   rbp
+#   mov    rbp, rsp
+#   push   38
+#   pop    rdi
+#   push   0x1
+#   pop    rsi
+#   xor    eax, eax
+#   mov    al, 0x9d
+#   syscall
+#   push   22
+#   pop    rdi
+#   lea    rdx, [rip + _filter]
+#   push   rdx /* .filter */
+#   push   _filter_end - _filter >> 3 /* .len */
+#   mov    rdx, rsp
+#   push   0x2
+#   pop    rsi
+#   xor    eax, eax
+#   mov    al, 0x9d
+#   syscall
+#   leave
+#   ret
+# _filter:
+# .ascii "\040\000\000\000\004\000\000\000\025\000\000\010\076\000\000\300\040\000\000\000\000\000\000\000\065\000\006\000\000\000\000\100\025\000\004\000\001\000\000\000\025\000\003\000\003\000\000\000\025\000\002\000\040\000\000\000\025\000\001\000\074\000\000\000\006\000\000\000\005\000\005\000\006\000\000\000\000\000\377\177\006\000\000\000\000\000\000\000"
+# _filter_end:
 
 
 # let's asm then disasm!
@@ -207,7 +257,7 @@ $ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
 
 ### Emu
 
-Emulate seccomp given `sys_nr`, `arg0`, `arg1`, etc.
+Emulates seccomp given `sys_nr`, `arg0`, `arg1`, etc.
 ```bash
 $ seccomp-tools emu --help
 # emu - Emulate seccomp rules.
@@ -217,7 +267,7 @@ $ seccomp-tools emu --help
 #                                      Supported architectures are <amd64|i386>.
 #     -q, --[no-]quiet                 Run quietly, only show emulation result.
 
-$ seccomp-tools emu spec/data/libseccomp.bpf 0x3
+$ seccomp-tools emu spec/data/libseccomp.bpf write 0x3
 #  line  CODE  JT   JF      K
 # =================================
 #  0000: 0x20 0x00 0x00 0x00000004  A = arch
@@ -246,6 +296,23 @@ $ seccomp-tools emu spec/data/libseccomp.bpf 0x3
 
 ![emu](https://github.com/david942j/seccomp-tools/blob/master/examples/emu-amigo.png?raw=true)
 
+## Development
+
+I recommend to use [rbenv](https://github.com/rbenv/rbenv) for your Ruby environment.
+
+### Setup
+
+- Install bundler
+  - `$ gem install bundler`
+- Clone the source
+  - `$ git clone https://github.com/david942j/seccomp-tools && cd seccomp-tools`
+- Install dependencies
+  - `$ bundle install`
+
+### Run tests
+
+`$ bundle exec rake`
+
 ## I Need You
 
 Any suggestion or feature request is welcome!

data/bin/seccomp-tools

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'seccomp-tools/cli/cli'
 

data/ext/ptrace/ptrace.c

@@ -53,6 +53,7 @@ ptrace_traceme_and_stop(VALUE mod) {
 
 void Init_ptrace(void) {
   VALUE mSeccompTools = rb_define_module("SeccompTools");
+  /* The module to wrap ptrace syscall */
   VALUE mPtrace = rb_define_module_under(mSeccompTools, "Ptrace");
 
   /* consts */
@@ -64,13 +65,19 @@ void Init_ptrace(void) {
   rb_define_const(mPtrace, "O_TRACESYSGOOD", UINT2NUM(PTRACE_O_TRACESYSGOOD));
   rb_define_const(mPtrace, "O_TRACEVFORK", UINT2NUM(PTRACE_O_TRACEVFORK));
 
-  /* ptrace wrapper */
+  /* geteventmsg */
   rb_define_module_function(mPtrace, "geteventmsg", ptrace_geteventmsg, 1);
+  /* get data */
   rb_define_module_function(mPtrace, "peekdata", ptrace_peekdata, 3);
+  /* get registers */
   rb_define_module_function(mPtrace, "peekuser", ptrace_peekuser, 3);
+  /* set ptrace options */
   rb_define_module_function(mPtrace, "setoptions", ptrace_setoptions, 3);
+  /* wait for syscall */
   rb_define_module_function(mPtrace, "syscall", ptrace_syscall, 3);
+  /* wait for its parent to attach */
   rb_define_module_function(mPtrace, "traceme", ptrace_traceme, 0);
+  /* stop itself before parent attaching */
   rb_define_module_function(mPtrace, "traceme_and_stop", ptrace_traceme_and_stop, 0);
 }
 

data/lib/seccomp-tools.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # @author david942j
 
 # Main module.

data/lib/seccomp-tools/asm/asm.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/asm/compiler'
 require 'seccomp-tools/util'
 
@@ -8,10 +10,11 @@ module SeccompTools
 
     # Assembler of seccomp bpf.
     # @param [String] str
+    # @param [:amd64, :i386] arch
     # @return [String]
     #   Raw bpf bytes.
     # @example
-    #   asm(<<EOS)
+    #   SeccompTools::Asm.asm(<<-EOS)
     #     # lines start with '#' are comments
     #     A = sys_number                # here's a comment, too
     #     A >= 0x40000000 ? dead : next # 'next' is a keyword, denote the next instruction

data/lib/seccomp-tools/asm/compiler.rb

@@ -1,15 +1,24 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/asm/tokenizer'
 require 'seccomp-tools/bpf'
 require 'seccomp-tools/const'
 
 module SeccompTools
   module Asm
+    # @private
+    #
     # Compile seccomp rules.
     class Compiler
+      # Instantiate a {Compiler} object.
+      #
+      # @param [Symbol] arch
+      #   Architecture.
       def initialize(arch)
         @arch = arch
         @insts = []
         @labels = {}
+        @insts_linenum = {}
         @input = []
       end
 
@@ -24,6 +33,7 @@ module SeccompTools
         line = remove_comment(line)
         @token = Tokenizer.new(line)
         return if line.empty?
+
         begin
           res = case line
                 when /\?/ then cmp
@@ -32,6 +42,7 @@ module SeccompTools
                 when /^(A|X)\s*=[^=]/ then assign
                 when /^mem\[\d+\]\s*=\s*(A|X)/ then store
                 when /^A\s*.{1,2}=/ then alu
+                when /^(goto|jmp|jump)/ then jmp_abs
                 end
         rescue ArgumentError => e
           invalid(@input.size - 1, e.message)
@@ -41,10 +52,16 @@ module SeccompTools
           @labels[res.last] = @insts.size
         else
           @insts << res
+          @insts_linenum[@insts.size - 1] = @input.size - 1
         end
       end
 
+      # Compiles the processed instructions.
+      #
       # @return [Array<SeccompTools::BPF>]
+      #   Returns the compiled {BPF} array.
+      # @raise [ArgumentError]
+      #   Raises the error found during compilation.
       def compile!
         @insts.map.with_index do |inst, idx|
           @line = idx
@@ -53,17 +70,22 @@ module SeccompTools
           when :alu then compile_alu(inst[1], inst[2])
           when :ret then compile_ret(inst[1])
           when :cmp then compile_cmp(inst[1], inst[2], inst[3], inst[4])
+          when :jmp_abs then compile_jmp_abs(inst[1])
           end
         end
       rescue ArgumentError => e
-        invalid(@line, e.message)
+        invalid(@insts_linenum[@line], e.message)
       end
 
       private
 
+      # Emits a raw BPF object.
+      #
+      # @return [BPF]
+      #   Returns the emitted {BPF} object.
       def emit(*args, k: 0, jt: 0, jf: 0)
         code = 0
-        # bad idea, while keys are not duplicated so this is ok.
+        # bad idea, but keys are not duplicated so this is ok.
         args.each do |a|
           code |= Const::BPF::COMMAND.fetch(a, 0)
           code |= Const::BPF::JMP.fetch(a, 0)
@@ -76,24 +98,27 @@ module SeccompTools
       end
 
       # A = X / X = A
-      # <A|X> = mem[i]
+      # mem[i] = <A|X>
       # <A|X> = 123|sys_const
-      # A = args[i]|sys_number|arch
+      # A = len
+      # <A|X> = mem[i]
+      # A = args_h[i]|args[i]|sys_number|arch
       # A = data[4 * i]
-      # mem[i] = <A|X>
       def compile_assign(dst, src)
         # misc txa / tax
         return compile_assign_misc(dst, src) if (dst == :a && src == :x) || (dst == :x && src == :a)
         # case of st / stx
         return emit(src == :x ? :stx : :st, k: dst.last) if dst.is_a?(Array) && dst.first == :mem
+
         src = evaluate(src)
         ld = dst == :x ? :ldx : :ld
         # <A|X> = <immi>
         return emit(ld, :imm, k: src) if src.is_a?(Integer)
-        # now src must be in form [:mem/:data, num]
-        return emit(ld, :mem, k: src.last) if src.first == :mem
+        # now src must be in form [:len/:mem/:data, num]
+        return emit(ld, src.first, k: src.last) if src.first == :mem || src.first == :len
         # check if num is multiple of 4
-        raise ArgumentError, 'Index of data[] must be multiplication of 4' if src.last % 4 != 0
+        raise ArgumentError, 'Index of data[] must be a multiple of 4' if src.last % 4 != 0
+
         emit(ld, :abs, k: src.last)
       end
 
@@ -116,6 +141,12 @@ module SeccompTools
         emit(:ret, src, k: val)
       end
 
+      def compile_jmp_abs(target)
+        targ = label_offset(target)
+        emit(:jmp, :ja, k: targ)
+      end
+
+      # Compiles comparsion.
       def compile_cmp(op, val, jt, jf)
         jt = label_offset(jt)
         jf = label_offset(jf)
@@ -129,30 +160,48 @@ module SeccompTools
         return label if label.is_a?(Integer)
         return 0 if label == 'next'
         raise ArgumentError, "Undefined label #{label.inspect}" if @labels[label].nil?
+        raise ArgumentError, "Does not support backward jumping to #{label.inspect}" if @labels[label] < @line
+
         @labels[label] - @line - 1
       end
 
       def evaluate(val)
         return val if val.is_a?(Integer) || val == :x || val == :a
+
         # keywords
         val = case val
               when 'sys_number' then [:data, 0]
               when 'arch' then [:data, 4]
+              when 'len' then [:len, 0]
               else val
               end
         return eval_constants(val) if val.is_a?(String)
-        # remains are [:mem/:data/:args, <num>]
+
+        # remains are [:mem/:data/:args/:args_h, <num>]
         # first convert args to data
         val = [:data, val.last * 8 + 16] if val.first == :args
+        val = [:data, val.last * 8 + 20] if val.first == :args_h
         val
       end
 
       def eval_constants(str)
-        Const::Syscall.const_get(@arch.upcase.to_sym)[str.to_sym] || Const::Audit::ARCH[str]
+        Const::Syscall.const_get(@arch.upcase.to_sym)[str.to_sym] ||
+          Const::Audit::ARCH[str] ||
+          raise(ArgumentError, "Invalid constant: #{str.inspect}")
       end
 
       attr_reader :token
 
+      # <goto|jmp|jump> <label|Integer>
+      def jmp_abs
+        token.fetch('goto') ||
+          token.fetch('jmp') ||
+          token.fetch('jump') ||
+          raise(ArgumentError, 'Invalid jump alias: ' + token.cur.inspect)
+        target = token.fetch!(:goto)
+        [:jmp_abs, target]
+      end
+
       # A <comparison> <sys_str|X|Integer> ? <label|Integer> : <label|Integer>
       def cmp
         token.fetch!('A')
@@ -192,6 +241,7 @@ module SeccompTools
       #   A = mem[i]
       #   A = args[i]
       #   A = sys_number|arch
+      #   A = len
       def assign
         dst = token.fetch!(:ax)
         token.fetch!('=')
@@ -200,6 +250,7 @@ module SeccompTools
               token.fetch(:ary) ||
               token.fetch('sys_number') ||
               token.fetch('arch') ||
+              token.fetch('len') ||
               raise(ArgumentError, 'Invalid source: ' + token.cur.inspect)
         [:assign, dst, src]
       end

data/lib/seccomp-tools/asm/tokenizer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'seccomp-tools/const'
 require 'seccomp-tools/instruction/alu'
 
@@ -5,9 +7,10 @@ module SeccompTools
   module Asm
     # Fetch tokens from string.
     # This class is for internel usage, used by {Compiler}.
+    # @private
     class Tokenizer
       # a valid label
-      LABEL_REGEXP = /[a-z_][a-z0-9_]+/
+      LABEL_REGEXP = /[A-Za-z_]\w*/.freeze
       attr_accessor :cur
 
       # @param [String] str
@@ -64,6 +67,8 @@ Invalid return type: #{cur.inspect}.
 
       def fetch_str(str)
         return nil unless cur.start_with?(str)
+        return nil if str =~ /\A[A-Za-z0-9_]+\Z/ && cur[str.size] =~ /[A-Za-z0-9_]/
+
         @last_match_size = str.size
         str
       end
@@ -71,11 +76,13 @@ Invalid return type: #{cur.inspect}.
       def fetch_ax
         return :a if fetch_str('A')
         return :x if fetch_str('X')
+
         nil
       end
 
       def fetch_sys_num_arch_x
         return :x if fetch_str('X')
+
         fetch_number || fetch_syscall || fetch_arch
       end
 
@@ -83,6 +90,7 @@ Invalid return type: #{cur.inspect}.
       def fetch_number
         res = fetch_regexp(/^0x[0-9a-f]+/) || fetch_regexp(/^[0-9]+/)
         return nil if res.nil?
+
         Integer(res)
       end
 
@@ -99,6 +107,7 @@ Invalid return type: #{cur.inspect}.
       def fetch_regexp(regexp)
         idx = cur =~ regexp
         return nil if idx.nil? || idx != 0
+
         match = cur.match(regexp)[0]
         @last_match_size = match.size
         match
@@ -114,6 +123,7 @@ Invalid return type: #{cur.inspect}.
         regexp = /(#{Const::BPF::ACTION.keys.join('|')})(\([0-9]{1,5}\))?/
         action = fetch_regexp(regexp)
         return fetch_str('A') && :a if action.nil?
+
         # check if action contains '('the next bytes are (<num>)
         ret_val = 0
         if action.include?('(')
@@ -124,10 +134,11 @@ Invalid return type: #{cur.inspect}.
       end
 
       def fetch_ary
-        support_name = %w[data mem args]
+        support_name = %w[data mem args args_h]
         regexp = /(#{support_name.join('|')})\[[0-9]{1,2}\]/
         match = fetch_regexp(regexp)
         return nil if match.nil?
+
         res, val = match.split('[')
         val = val.to_i
         [res.to_sym, val]
@@ -137,6 +148,7 @@ Invalid return type: #{cur.inspect}.
         ops = %w[+ - * / | & ^ << >>]
         op = fetch_strs(ops)
         return nil if op.nil?
+
         Instruction::ALU::OP_SYM.invert[op.to_sym]
       end
 
@@ -148,7 +160,7 @@ Invalid return type: #{cur.inspect}.
 
       def raise_expected(msg)
         raise ArgumentError, <<-EOS
-Expected #{msg}, while #{cur.split[0].inspect} occured.
+Expected #{msg} but found #{cur.split[0].inspect}.
         EOS
       end
     end