seitan/common, branch master Syscall Expressive Interpreter, Transformer and Notifier call, emit, match: Add support for vectorised operations, nfnetlink 2024-08-13T17:00:35+00:00 Stefano Brivio sbrivio@redhat.com 2024-08-13T16:50:33+00:00 9bf3b1cc7a94357c250f77f16829c96cbae801fe We want to add and delete rules with iptables(8), and manipulate set elements with nft(8). These are the first users we encounter sending multiple netlink messages in one sendmsg(). To support matching on those, we need to iterate over several messages, looking for a matching one, or a mismatching one (depending on quantifiers and match type), but we don't want to implement program loops because of security design reasons. We can't implement a generalised instruction that vectorises existing ones, either, because we need to support universal and existential quantifiers in fields that are repeated multiple times, once per each netlink message, with bitwise operations and non-exact matching types. Add vectorisation support to OP_CMP and OP_BITWISE instead, with a generic description for a vector (only sequences of netlink messages with length in nlmsghdr are supported at the moment) so that, depending on the quantifiers, we'll repeat those operations as many times as needed. This way, we don't risk any O(n^2) explosion, and we are bound by O(m * n) instead, with m compare/bitwise operations for a given expression, and n number of netlink messages. Add demos for nft and iptables using the new concepts. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
We want to add and delete rules with iptables(8), and manipulate set
elements with nft(8).

These are the first users we encounter sending multiple netlink
messages in one sendmsg().

To support matching on those, we need to iterate over several
messages, looking for a matching one, or a mismatching one (depending
on quantifiers and match type), but we don't want to implement program
loops because of security design reasons.

We can't implement a generalised instruction that vectorises existing
ones, either, because we need to support universal and existential
quantifiers in fields that are repeated multiple times, once per each
netlink message, with bitwise operations and non-exact matching types.

Add vectorisation support to OP_CMP and OP_BITWISE instead, with a
generic description for a vector (only sequences of netlink messages
with length in nlmsghdr are supported at the moment) so that,
depending on the quantifiers, we'll repeat those operations as many
times as needed. This way, we don't risk any O(n^2) explosion, and we
are bound by O(m * n) instead, with m compare/bitwise operations for
a given expression, and n number of netlink messages.

Add demos for nft and iptables using the new concepts.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
util: Fix system call name resolution in syscall_name() debug function 2024-07-02T11:46:48+00:00 Stefano Brivio sbrivio@redhat.com 2024-07-02T11:46:48+00:00 d699dac08778c597eefac1067a325059925e87e6 Fix the starting index, otherwise we miss the first call in sets (say, mknod in filesystem calls). And if we don't find a matching name for the system call, actually return it, instead of trying to fetch it from the current (invalid) call. Fixes: bdbec30a8498 ("seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Fix the starting index, otherwise we miss the first call in sets
(say, mknod in filesystem calls).

And if we don't find a matching name for the system call, actually
return it, instead of trying to fetch it from the current (invalid)
call.

Fixes: bdbec30a8498 ("seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Add fsetxattr(), fremovexattr(), open_by_handle_at(), and "virtiofsd demo" 2024-05-15T06:49:56+00:00 Stefano Brivio sbrivio@redhat.com 2024-05-15T06:49:56+00:00 5a9302bab9c9bb3d1577f04678d074fb7af4115f Mostly assorted fixes, a new FDGET operation (get a copy of the target file descriptor via pidfd_getfd()) and a new "FD" flag that means we have to do that on direct tag reference. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Mostly assorted fixes, a new FDGET operation (get a copy of the
target file descriptor via pidfd_getfd()) and a new "FD" flag that
means we have to do that on direct tag reference.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes 2023-12-21T11:45:36+00:00 Stefano Brivio sbrivio@redhat.com 2023-12-21T11:06:05+00:00 bdbec30a849807fb5e6841a38cfe0d168e5962b9 A bit rough at the moment, but it does the trick. Bonus: setsockopt() (with magic values only, not used in any demo yet). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
A bit rough at the moment, but it does the trick. Bonus: setsockopt()
(with magic values only, not used in any demo yet).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
gluten: throw an error if the offset is seccomp but the request is empty 2023-09-08T12:44:30+00:00 Alice Frosi afrosi@redhat.com 2023-09-08T12:44:30+00:00 7837722a09c08957af93055062cecfd9c3ea8b14 






cooker, seitan: add sched_setscheduler
2023-09-01T08:37:04+00:00

Alice Frosi
afrosi@redhat.com

2023-09-01T08:16:36+00:00

59f7f7c241253293c25e001c9340f1deeb138311

The sched_setscheduler requires to set the pid of the process we want to
change the priority, this adds a new metadata for getting the target pid
at runtime.

Add a couple of syscalls for the scheduler in the string parsing.

Signed-off-by: Alice Frosi <afrosi@redhat.com>





The sched_setscheduler requires to set the pid of the process we want to
change the priority, this adds a new metadata for getting the target pid
at runtime.

Add a couple of syscalls for the scheduler in the string parsing.

Signed-off-by: Alice Frosi <afrosi@redhat.com>







seitan: small fixes
2023-08-31T13:41:41+00:00

Alice Frosi
afrosi@redhat.com

2023-08-31T13:41:41+00:00

75738f0ac9cde3b1aaebd6d700cb9329a419555e

Fixes:
  - return an error message in do_clone instead of exit
  - check if the type of context is out-of-bound





Fixes:
  - return an error message in do_clone instead of exit
  - check if the type of context is out-of-bound







cooker: simplify tag and add caller metadata
2023-08-30T08:48:59+00:00

Alice Frosi
afrosi@redhat.com

2023-08-29T09:50:00+00:00

d3917582873df723aa2a3ddbb6116950292e114c

Group the metadata information:
  - simplify the json by removing the 'tag' and only using 'get' and 'set'
    keys
  - get uid and gid at runtime for the target ('caller'). This can be useful when
    the the UID and GID of the target are only known at runtime and they
    need to be used for setting the permissions of files
  - updated example demo/mknod.hjson

Signed-off-by: Alice Frosi <afrosi@redhat.com>





Group the metadata information:
  - simplify the json by removing the 'tag' and only using 'get' and 'set'
    keys
  - get uid and gid at runtime for the target ('caller'). This can be useful when
    the the UID and GID of the target are only known at runtime and they
    need to be used for setting the permissions of files
  - updated example demo/mknod.hjson

Signed-off-by: Alice Frosi <afrosi@redhat.com>







common: print syscall name based on the number
2023-08-30T08:44:07+00:00

Alice Frosi
afrosi@redhat.com

2023-08-30T08:43:07+00:00

0e8806838763655f5f35822e19a20cb21e8d4747












cooker: generate OCI seccomp profile
2023-08-24T13:33:17+00:00

Alice Frosi
afrosi@redhat.com

2023-07-18T09:15:53+00:00

240eb94b44f9dc613a85911d4190df129372e9cc

Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.

Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
  --security-opt=seccomp=/tmp/scmp_prof.json  \
  --annotation run.oci.seccomp.receiver=/tmp/seitan.sock  \
  -ti fedora   \
  sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol

Signed-off-by: Alice Frosi <afrosi@redhat.com>





Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.

Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
  --security-opt=seccomp=/tmp/scmp_prof.json  \
  --annotation run.oci.seccomp.receiver=/tmp/seitan.sock  \
  -ti fedora   \
  sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol

Signed-off-by: Alice Frosi <afrosi@redhat.com>