seccomp-tools 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5d0a3997904616df1a40c2a8131ec70fb83511477e155de8e6d0de9c3a445cf9
-  data.tar.gz: eb7970f0de4a89ac13e41626950dbee92ca141b5bc4342e804a799076a61ac53
+  metadata.gz: 2726a64dc089ec7c492cedad9a98d500c656dce84ca593a505d95a42cd07906c
+  data.tar.gz: c8d3eec04aa38ead5bac1727bb4a1a29199283e648b902edb38df2a7fc4e539f
 SHA512:
-  metadata.gz: 5ce8984f8b3ada51158a181de2ab5e12d291ff12cf3515467763c77ab58870416c4927fce3e362c3775d3749e8a5939d54971681ec85da96adfb38210a51ca90
-  data.tar.gz: 2611058a57579fb1806f9bcc6ca05d203f36fa34f5d6aa0434b71b0dbc815f14b513b9907d60a4cbc59a8e648c8880e39e5339a1d85113a98cd147728223e65e
+  metadata.gz: 2639ed20158afda2cc96dfeb16899f417d50180da548b4a45a0024c12119d0b9908649979fb9ab00287d41478f507eb6740ffda855aa238cd82755d774ca82de
+  data.tar.gz: 6e6df86398ee4bde9ff9c54647dc5af95eb03e40001cf6117077afeecf20ecaed12f6e3f53b47bda1e2908094632c12e9d7faee3ee72c2422d7665016e583eff

data/README.md

@@ -68,6 +68,8 @@ $ seccomp-tools dump --help
 #                                      If multiple seccomp syscalls have been invoked (see --limit),
 #                                      results will be written to FILE, FILE_1, FILE_2.. etc.
 #                                      For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...
+#     -p, --pid PID                    Dump installed seccomp filters of the existing process.
+#                                      You must have CAP_SYS_ADMIN (e.g. be root) in order to use this option.
 
 ```
 
@@ -79,7 +81,7 @@ This work is done by the `ptrace` syscall.
 NOTICE: beware of the execution file will be executed.
 ```bash
 $ file spec/binary/twctf-2016-diary
-# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped
+# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped
 
 $ seccomp-tools dump spec/binary/twctf-2016-diary
 #  line  CODE  JT   JF      K
@@ -168,6 +170,7 @@ $ seccomp-tools asm
 #                                      Default: inspect
 #     -a, --arch ARCH                  Specify architecture.
 #                                      Supported architectures are <amd64|i386>.
+#                                      Default: amd64
 
 # Input file for asm
 $ cat spec/data/libseccomp.asm
@@ -265,6 +268,7 @@ $ seccomp-tools emu --help
 # Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]
 #     -a, --arch ARCH                  Specify architecture.
 #                                      Supported architectures are <amd64|i386>.
+#                                      Default: amd64
 #     -q, --[no-]quiet                 Run quietly, only show emulation result.
 
 $ seccomp-tools emu spec/data/libseccomp.bpf write 0x3

data/ext/ptrace/extconf.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'mkmf'
 
 extension_name = 'seccomp-tools/ptrace'

data/ext/ptrace/ptrace.c

@@ -1,5 +1,8 @@
+#include <errno.h>
+#include <linux/filter.h>
 #include <sys/ptrace.h>
 #include <sys/signal.h>
+#include <sys/wait.h>
 
 #include "ruby.h"
 
@@ -50,6 +53,40 @@ ptrace_traceme_and_stop(VALUE mod) {
   return Qnil;
 }
 
+static VALUE
+ptrace_attach_and_wait(VALUE _mod, VALUE pid) {
+  long val = ptrace(PTRACE_ATTACH, NUM2LONG(pid), 0, 0);
+  if(val < 0)
+    rb_sys_fail("ptrace attach failed");
+  waitpid(NUM2LONG(pid), NULL, 0);
+  return Qnil;
+}
+
+static VALUE
+ptrace_seccomp_get_filter(VALUE _mod, VALUE pid, VALUE index) {
+  long count = ptrace(PTRACE_SECCOMP_GET_FILTER, NUM2LONG(pid), NUM2LONG(index), NULL);
+  struct sock_filter *filter;
+  VALUE result;
+  if(count < 0)
+    rb_sys_fail("ptrace seccomp_get_filter failed");
+  filter = ALLOC_N(struct sock_filter, count);
+  if(ptrace(PTRACE_SECCOMP_GET_FILTER, NUM2LONG(pid), NUM2LONG(index), filter) != count) {
+    xfree(filter);
+    rb_sys_fail("ptrace seccomp_get_filter failed");
+  }
+  result = rb_str_new((const char *)filter, sizeof(struct sock_filter) * count);
+  xfree(filter);
+  return result;
+}
+
+static VALUE
+ptrace_detach(VALUE _mod, VALUE pid) {
+  long val = ptrace(PTRACE_DETACH, NUM2LONG(pid), 0, 0);
+  if(val < 0)
+    rb_sys_fail(0);
+  return Qnil;
+}
+
 
 void Init_ptrace(void) {
   VALUE mSeccompTools = rb_define_module("SeccompTools");
@@ -79,5 +116,11 @@ void Init_ptrace(void) {
   rb_define_module_function(mPtrace, "traceme", ptrace_traceme, 0);
   /* stop itself before parent attaching */
   rb_define_module_function(mPtrace, "traceme_and_stop", ptrace_traceme_and_stop, 0);
+  /* attach to an existing process */
+  rb_define_module_function(mPtrace, "attach_and_wait", ptrace_attach_and_wait, 1);
+  /* retrieve seccomp filter */
+  rb_define_module_function(mPtrace, "seccomp_get_filter", ptrace_seccomp_get_filter, 2);
+  /* detach from an existing process */
+  rb_define_module_function(mPtrace, "detach", ptrace_detach, 1);
 }
 

data/lib/seccomp-tools/asm/asm.rb

@@ -28,7 +28,7 @@ module SeccompTools
     #   EOS
     #   #=> <raw binary bytes>
     def asm(str, arch: nil)
-      arch = Util.system_arch if arch.nil? # TODO: show warning
+      arch = Util.system_arch if arch.nil?
       compiler = Compiler.new(arch)
       str.lines.each { |l| compiler.process(l) }
       compiler.compile!.map(&:asm).join

data/lib/seccomp-tools/asm/compiler.rb

@@ -39,6 +39,7 @@ module SeccompTools
                 when /\?/ then cmp
                 when /^#{Tokenizer::LABEL_REGEXP}:/ then define_label
                 when /^return/ then ret
+                when /^A\s*=\s*-A/ then alu_neg
                 when /^(A|X)\s*=[^=]/ then assign
                 when /^mem\[\d+\]\s*=\s*(A|X)/ then store
                 when /^A\s*.{1,2}=/ then alu
@@ -127,6 +128,8 @@ module SeccompTools
       end
 
       def compile_alu(op, val)
+        return emit(:alu, :neg) if op == :neg
+
         val = evaluate(val)
         src = val == :x ? :x : :k
         val = 0 if val == :x
@@ -146,7 +149,7 @@ module SeccompTools
         emit(:jmp, :ja, k: targ)
       end
 
-      # Compiles comparsion.
+      # Compiles comparison.
       def compile_cmp(op, val, jt, jf)
         jt = label_offset(jt)
         jf = label_offset(jf)
@@ -267,7 +270,6 @@ module SeccompTools
       end
 
       # A op= sys_num_x
-      # TODO: support A = -A
       def alu
         token.fetch!('A')
         op = token.fetch!(:alu_op)
@@ -276,6 +278,11 @@ module SeccompTools
         [:alu, op, src]
       end
 
+      # A = -A
+      def alu_neg
+        %i[alu neg]
+      end
+
       def remove_comment(line)
         line = line.to_s.dup
         line.slice!(/#.*\Z/m)

data/lib/seccomp-tools/asm/tokenizer.rb

@@ -5,8 +5,9 @@ require 'seccomp-tools/instruction/alu'
 
 module SeccompTools
   module Asm
-    # Fetch tokens from string.
-    # This class is for internel usage, used by {Compiler}.
+    # Fetch tokens from a string.
+    #
+    # Internal used by {Compiler}.
     # @private
     class Tokenizer
       # a valid label

data/lib/seccomp-tools/bpf.rb

@@ -80,7 +80,7 @@ module SeccompTools
     # @param [Context] context
     #   Current context.
     # @yieldparam [Integer] pc
-    #   Program conter after this instruction.
+    #   Program counter after this instruction.
     # @yieldparam [Context] ctx
     #   Context after this instruction.
     # @return [void]

data/lib/seccomp-tools/cli/asm.rb

@@ -51,11 +51,11 @@ module SeccompTools
           when :raw then res
           when :c_array, :carray then "unsigned char bpf[] = {#{res.bytes.join(',')}};\n"
           when :c_source then SeccompTools::Util.template('asm.c').sub('<TO_BE_REPLACED>', res.bytes.join(','))
-          when :assembly then SeccompTools::Util.template("asm.#{option[:arch]}.asm")
-                                                .sub(
-                                                  '<TO_BE_REPLACED>',
-                                                  res.bytes.map { |b| format('\\\%03o', b) }.join
-                                                )
+          when :assembly
+            SeccompTools::Util.template("asm.#{option[:arch]}.asm").sub(
+              '<TO_BE_REPLACED>',
+              res.bytes.map { |b| format('\\\%03o', b) }.join
+            )
           end
         end
       end

data/lib/seccomp-tools/cli/base.rb

@@ -82,7 +82,7 @@ module SeccompTools
         File.join(File.dirname(file), base + suffix) + ext
       end
 
-      # For decestors easy to define usage message.
+      # For descendants to define usage message easily.
       # @return [String]
       #   Usage information.
       def usage
@@ -92,7 +92,8 @@ module SeccompTools
       def option_arch(opt)
         supported = Util.supported_archs
         opt.on('-a', '--arch ARCH', supported, 'Specify architecture.',
-               "Supported architectures are <#{supported.join('|')}>.") do |a|
+               "Supported architectures are <#{supported.join('|')}>.",
+               "Default: #{Util.system_arch}") do |a|
           option[:arch] = a
         end
       end

data/lib/seccomp-tools/cli/dump.rb

@@ -1,8 +1,11 @@
 # frozen_string_literal: true
 
+require 'shellwords'
+
 require 'seccomp-tools/cli/base'
 require 'seccomp-tools/disasm/disasm'
 require 'seccomp-tools/dumper'
+require 'seccomp-tools/logger'
 
 module SeccompTools
   module CLI
@@ -17,6 +20,7 @@ module SeccompTools
         super
         option[:format] = :disasm
         option[:limit] = 1
+        option[:pid] = nil
       end
 
       # Define option parser.
@@ -48,6 +52,12 @@ module SeccompTools
                  'For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...') do |o|
                    option[:ofile] = o
                  end
+
+          opt.on('-p', '--pid PID', 'Dump installed seccomp filters of the existing process.',
+                 'You must have CAP_SYS_ADMIN (e.g. be root) in order to use this option.',
+                 Integer) do |p|
+            option[:pid] = p
+          end
         end
       end
 
@@ -56,14 +66,29 @@ module SeccompTools
       def handle
         return unless super
 
-        option[:command] = argv.shift unless argv.empty?
-        SeccompTools::Dumper.dump('/bin/sh', '-c', option[:command], limit: option[:limit]) do |bpf, arch|
+        block = lambda do |bpf, arch|
           case option[:format]
           when :inspect then output { '"' + bpf.bytes.map { |b| format('\\x%02X', b) }.join + "\"\n" }
           when :raw then output { bpf }
           when :disasm then output { SeccompTools::Disasm.disasm(bpf, arch: arch) }
           end
         end
+        if option[:pid].nil?
+          option[:command] = argv.shift unless argv.empty?
+          SeccompTools::Dumper.dump('/bin/sh', '-c', option[:command], limit: option[:limit], &block)
+        else
+          begin
+            SeccompTools::Dumper.dump_by_pid(option[:pid], option[:limit], &block)
+          rescue Errno::EPERM, Errno::EACCES => e
+            Logger.error(<<~EOS)
+            #{e}
+            PTRACE_SECCOMP_GET_FILTER requires CAP_SYS_ADMIN
+            Try:
+                sudo env "PATH=$PATH" #{(%w[seccomp-tools] + ARGV).shelljoin}
+            EOS
+            exit(1)
+          end
+        end
       end
     end
   end

data/lib/seccomp-tools/dumper.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'seccomp-tools/logger'
 require 'seccomp-tools/ptrace'
 require 'seccomp-tools/syscall'
 
@@ -79,6 +80,7 @@ module SeccompTools
           !limit.zero?
         end
         syscalls.each_key { |cpid| Process.kill('KILL', cpid) if alive?(cpid) }
+        Process.waitall
         collect
       end
 
@@ -124,10 +126,61 @@ module SeccompTools
         Ptrace.traceme_and_stop
         exec(*args)
       rescue # rubocop:disable Style/RescueStandardError # exec fail
-        # TODO: use logger
-        warn("Failed to execute #{args.join(' ')}")
+        Logger.error("Failed to execute #{args.join(' ')}")
         exit(1)
       end
     end
+
+    # Dump installed seccomp-bpf of an existing process using PTRACE_SECCOMP_GET_FILTER.
+    #
+    # Dump the installed seccomp-bpf from a running process. This is achieved by the ptrace command
+    # PTRACE_SECCOMP_GET_FILTER, which needs CAP_SYS_ADMIN capability.
+    #
+    # @param [Integer] pid
+    #   Target process identifier.
+    # @param [Integer] limit
+    #   Number of filters to dump. Negative number for unlimited.
+    # @yieldparam [String] bpf
+    #   Seccomp bpf in raw bytes.
+    # @yieldparam [Symbol] arch
+    #   Architecture of the target process (always nil right now).
+    # @return [Array<Object>, Array<String>]
+    #   Return the block returned. If block is not given, array of raw bytes will be returned.
+    # @raise [Errno::ESRCH]
+    #   Raises when the target process does not exist.
+    # @raise [Errno::EPERM]
+    #   Raises the error if not allowed to attach.
+    # @raise [Errno::EACCES]
+    #   Raises the error if not allowed to dump (e.g. no CAP_SYS_ADMIN).
+    # @example
+    #   pid1 = Process.spawn('sleep inf')
+    #   dump_by_pid(pid1, 1)
+    #   # empty because there is no seccomp installed
+    #   #=> []
+    # @example
+    #   pid2 = Process.spawn('spec/binary/twctf-2016-diary')
+    #   # give it some time to install the filter
+    #   sleep(1)
+    #   dump_by_pid(pid2, 1) { |c| c[0, 10] }
+    #   #=> [" \x00\x00\x00\x00\x00\x00\x00\x15\x00"]
+    def dump_by_pid(pid, limit, &block)
+      collect = []
+      Ptrace.attach_and_wait(pid)
+      begin
+        i = 0
+        while limit.negative? || i < limit
+          begin
+            bpf = Ptrace.seccomp_get_filter(pid, i)
+          rescue Errno::ENOENT, Errno::EINVAL
+            break
+          end
+          collect << (block.nil? ? bpf : yield(bpf, nil))
+          i += 1
+        end
+      ensure
+        Ptrace.detach(pid)
+      end
+      collect
+    end
   end
 end

data/lib/seccomp-tools/emulator.rb

@@ -42,7 +42,7 @@ module SeccompTools
         when :ld then ld(args[0], args[1]) # ld/ldx
         when :st then st(args[0], args[1]) # st/stx
         when :jmp then jmp(args[0]) # directly jmp
-        when :cmp then cmp(*args[0, 4]) # jmp with comparsion
+        when :cmp then cmp(*args[0, 4]) # jmp with comparison
         when :alu then alu(args[0], args[1]) # alu
         when :misc then misc(args[0]) # misc: txa/tax
         end

data/lib/seccomp-tools/logger.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+require 'seccomp-tools/util'
+
+module SeccompTools
+  # A logger for internal use.
+  #
+  # @private
+  module Logger
+    module_function
+
+    # Returns a +::Logger+ object for internal logging.
+    #
+    # @return [::Logger]
+    def logger
+      ::Logger.new($stdout).tap do |log|
+        log.formatter = proc do |severity, _datetime, _progname, msg|
+          prep = ' ' * (severity.size + 3)
+          message = msg.lines.map.with_index do |str, i|
+            next str if i.zero?
+
+            str.strip.empty? ? str : prep + str
+          end
+          color = severity.downcase.to_sym
+          msg = +"[#{SeccompTools::Util.colorize(severity, t: color)}] #{message.join}"
+          msg << "\n" unless msg.end_with?("\n")
+          msg
+        end
+      end
+    end
+
+    %i[error].each do |sym|
+      define_method(sym) do |msg|
+        logger.__send__(sym, msg)
+      end
+    end
+  end
+end

data/lib/seccomp-tools/util.rb

@@ -42,13 +42,16 @@ module SeccompTools
       !@disable_color && $stdout.tty?
     end
 
+    # color code of light yellow
+    LIGHT_YELLOW = "\e[38;5;230m"
     # Color codes for pretty print.
     COLOR_CODE = {
       esc_m: "\e[0m",
       syscall: "\e[38;5;120m", # light green
-      arch: "\e[38;5;230m", # light yellow
-      args: "\e[38;5;230m", # light yellow, same as arch
-      gray: "\e[2m"
+      arch: LIGHT_YELLOW,
+      args: LIGHT_YELLOW,
+      gray: "\e[2m",
+      error: "\e[38;5;196m" # heavy red
     }.freeze
     # Wrapper color codes.
     # @param [String] s

data/lib/seccomp-tools/version.rb

@@ -2,5 +2,5 @@
 
 module SeccompTools
   # Gem version.
-  VERSION = '1.3.0'
+  VERSION = '1.4.0'
 end

metadata

@@ -1,43 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: seccomp-tools
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-23 00:00:00.000000000 Z
+date: 2020-02-16 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.10'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.10'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rake-compiler
   requirement: !ruby/object:Gem::Requirement
@@ -58,42 +44,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.7'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.7'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.59'
+        version: '0.79'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.59'
+        version: '0.79'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.17.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.17.0
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -152,6 +138,7 @@ files:
 - lib/seccomp-tools/instruction/ret.rb
 - lib/seccomp-tools/instruction/st.rb
 - lib/seccomp-tools/instruction/stx.rb
+- lib/seccomp-tools/logger.rb
 - lib/seccomp-tools/syscall.rb
 - lib/seccomp-tools/templates/asm.amd64.asm
 - lib/seccomp-tools/templates/asm.c
@@ -174,14 +161,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: seccomp-tools