aboutgitcodelistschat:MatrixIRC
diff options
context:
space:
mode:
authorAlice Frosi <afrosi@redhat.com>2023-03-23 17:06:00 +0100
committerAlice Frosi <afrosi@redhat.com>2023-03-23 17:16:12 +0100
commit06b0f6d323c396ca1df000af96fdd07cc69b06e0 (patch)
treef3f900d0cd928d6ec2e6d1ce019d87e119998c0c
parent018da5282e74504c0bf232facd7cb35b392d389f (diff)
downloadseitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.gz
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.bz2
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.lz
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.xz
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.tar.zst
seitan-06b0f6d323c396ca1df000af96fdd07cc69b06e0.zip
filter: add logging mode
The logging mode creates a BPF filter where all the syscalls trigger a notification to the seccomp notifier.
-rw-r--r--Makefile4
-rw-r--r--build.c3
-rw-r--r--filter.c21
-rw-r--r--filter.h2
-rw-r--r--seitan.c69
5 files changed, 64 insertions, 35 deletions
diff --git a/Makefile b/Makefile
index 79155e0..4b59853 100644
--- a/Makefile
+++ b/Makefile
@@ -25,8 +25,8 @@ bpf_dbg: disasm.c disasm.h bpf_dbg.c
seitan-eater: eater.c common.h common.c
$(CC) $(CFLAGS) -o seitan-eater eater.c common.c
-seitan: seitan.c transform.h common.h common.c
- $(CC) $(CFLAGS) -o seitan seitan.c common.c
+seitan: seitan.c transform.h common.h common.c operations.c
+ $(CC) $(CFLAGS) -o seitan seitan.c common.c operations.c
numbers.h:
./nr_syscalls.sh
diff --git a/build.c b/build.c
index f99dc97..93ce97b 100644
--- a/build.c
+++ b/build.c
@@ -23,7 +23,8 @@ int main(int argc, char **argv)
perror("missing input file");
exit(EXIT_FAILURE);
}
- ret = convert_bpf(argv[1], calls, sizeof(calls) / sizeof(calls[0]));
+ ret = convert_bpf(argv[1], calls, sizeof(calls) / sizeof(calls[0]),
+ true);
if (ret < 0) {
perror("converting bpf program");
exit(EXIT_FAILURE);
diff --git a/filter.c b/filter.c
index f8b782d..dbda7ca 100644
--- a/filter.c
+++ b/filter.c
@@ -174,6 +174,20 @@ static unsigned int get_total_args(const struct syscall_entry table[],
return n;
}
+unsigned int create_bpf_program_log(struct sock_filter filter[])
+{
+ filter[0] = (struct sock_filter)BPF_STMT(
+ BPF_LD | BPF_W | BPF_ABS,
+ (offsetof(struct seccomp_data, arch)));
+ filter[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
+ SEITAN_AUDIT_ARCH, 0, 1);
+ filter[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
+ SECCOMP_RET_USER_NOTIF);
+ filter[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
+ SECCOMP_RET_ALLOW);
+ return 4;
+}
+
unsigned int create_bfp_program(struct syscall_entry table[],
struct sock_filter filter[],
unsigned int n_syscall)
@@ -258,7 +272,7 @@ static int compare_names(const void *a, const void *b)
((struct syscall_numbers *)b)->name);
}
-int convert_bpf(char *file, struct bpf_call *entries, int n)
+int convert_bpf(char *file, struct bpf_call *entries, int n, bool log)
{
int nt, fd, fsize;
struct syscall_entry table[N_SYSCALL];
@@ -270,7 +284,10 @@ int convert_bpf(char *file, struct bpf_call *entries, int n)
qsort(entries, n, sizeof(struct bpf_call), compare_bpf_call_names);
nt = construct_table(entries, n, table);
- fsize = create_bfp_program(table, filter, nt);
+ if (log)
+ fsize = create_bpf_program_log(filter);
+ else
+ fsize = create_bfp_program(table, filter, nt);
fd = open(file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
S_IRUSR | S_IWUSR);
diff --git a/filter.h b/filter.h
index 134a16b..ee5ab12 100644
--- a/filter.h
+++ b/filter.h
@@ -34,6 +34,6 @@ unsigned int right_child(unsigned int parent_index);
unsigned int create_bfp_program(struct syscall_entry table[],
struct sock_filter filter[],
unsigned int n_syscall);
-int convert_bpf(char *file, struct bpf_call *entries, int n);
+int convert_bpf(char *file, struct bpf_call *entries, int n, bool log);
#endif
diff --git a/seitan.c b/seitan.c
index 6ced328..5d2df21 100644
--- a/seitan.c
+++ b/seitan.c
@@ -36,6 +36,8 @@
#include <linux/seccomp.h>
#include "common.h"
+#include "gluten.h"
+#include "operations.h"
#define EPOLL_EVENTS 8
#define errExit(msg) \
@@ -259,24 +261,25 @@ int handle(struct seccomp_notif *req, int notifyfd)
static int create_socket(const char *path)
{
struct sockaddr_un addr;
- const int optval = 1;
- int fd;
+ int ret, conn;
+ int fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (fd < 0)
+ errExit("error creating UNIX socket");
- if ((fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0)
- errExit("socket");
-
- if (strlen(path) >= sizeof(addr.sun_path))
- errExit("path is invalid");
strcpy(addr.sun_path, path);
addr.sun_family = AF_UNIX;
- if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+ ret = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
+ if (ret < 0)
errExit("bind");
- if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &optval, sizeof(optval)) <
- 0)
- errExit("setsockopt");
+ ret = listen(fd, 1);
+ if (ret < 0)
+ errExit("listen");
+ conn = accept(fd, NULL, NULL);
+ if (conn < 0)
+ errExit("accept");
- return fd;
+ return conn;
}
static int recvfd(int sockfd)
@@ -324,16 +327,16 @@ static int write_syscall(int fd, struct seccomp_notif *req)
char buf[1000];
/* TODO: Define format and print syscall with the right arguments */
- snprintf(buf, sizeof(buf), "nr_syscall=%d", req->data.nr);
- write(fd, buf, sizeof(buf));
+ snprintf(buf, sizeof(buf), "nr_syscall=%d\n", req->data.nr);
+ write(fd, buf, strlen(buf));
+ return 0;
}
int main(int argc, char **argv)
{
int s = nl_init(), ret, pidfd, notifier;
- char resp_b[BUFSIZ], req_b[BUFSIZ];
+ char req_b[BUFSIZ];
struct epoll_event ev, events[EPOLL_EVENTS];
- struct seccomp_notif_resp *resp = (struct seccomp_notif_resp *)resp_b;
struct seccomp_notif *req = (struct seccomp_notif *)req_b;
struct arguments arguments;
char path[PATH_MAX + 1];
@@ -352,8 +355,9 @@ int main(int argc, char **argv)
if (strcmp(arguments.output_file, "") > 0) {
output = true;
- if ((fdout = open(arguments.output_file, O_CREAT | O_WRONLY)) <
- 0)
+ unlink(arguments.output_file);
+ if ((fdout = open(arguments.output_file,
+ O_CREAT | O_RDWR | O_TRUNC)) < 0)
errExit("open");
}
@@ -369,6 +373,7 @@ int main(int argc, char **argv)
/* Unblock seitan-loader */
unblock_eater(pidfd);
} else if (strcmp(arguments.socket, "") > 0) {
+ unlink(arguments.socket);
if ((fd = create_socket(arguments.socket)) < 0)
exit(EXIT_FAILURE);
if ((notifier = recvfd(fd)) < 0)
@@ -398,27 +403,33 @@ int main(int argc, char **argv)
perror("epoll_wait");
exit(EXIT_FAILURE);
}
- /* TODO: Open syscall transformation table blob, actually handle
- * syscalls actions as parsed
- */
memset(req, 0, sizeof(*req));
+ if (ioctl(notifier, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
+ errExit("recieving seccomp notification");
for (i = 0; i < nevents; ++i) {
if (events[i].events & EPOLLHUP) {
/* The notifier fd was closed by the target */
running = false;
} else if (notifier == events[i].data.fd) {
- if (!handle(req, events[i].data.fd))
- continue;
-
- resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
- resp->id = req->id;
- resp->error = 0;
- resp->val = 0;
+ /*
+ * TODO: remove until we parse correctly the
+ * operations from the bytecode
+ */
+ struct op operations[] = {
+ { .type = OP_CONT },
+ };
+ if (do_operations(NULL, operations, req,
+ sizeof(operations) /
+ sizeof(operations[0]),
+ req->pid, notifier,
+ req->id) == -1)
+ errExit("failed executing operation");
- ioctl(notifier, SECCOMP_IOCTL_NOTIF_SEND, resp);
if (output)
write_syscall(fdout, req);
}
}
}
+ if (strcmp(arguments.socket, "") > 0)
+ unlink(arguments.socket);
}