cooker, seitan: Now with 100% more gluten

Pseudorandom changes and progress around cooker and seitan: - cooker: - rename matching functions, split match.c - fix up SELECT semantics - add some form of handling for all syscalls in the example (some stubs) - OP_CMP for all basic and compound types except for flags - link jumps to next block and next match - completed implementation of tags - gluten write - filter clean-ups, write filters (probably not working) - seitan: - load gluten and source instructions and data from there $ ./seitan-cooker cooker/example.hjson example.gluten example.bpf Parsing block 0 Parsing match 0: connect Found description for connect 0: OP_NR: if syscall number is not 0, jump to next block Parsing match argument fd setting tag reference 'fd' tag 'fd' now refers to seccomp data at 0 Parsing match argument addr allocating 128 at offset 0 1: OP_LOAD: #0 < args[1] (size: 128) C#0: (INT) 1 2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block C#4: (STRING:24) /var/run/pr-helper.sock 3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block Linking match... Linking block... linked jump of instruction #0 to #4 linked jump of instruction #2 to #4 linked jump of instruction #3 to #4 Parsing block 1 Parsing match 0: ioctl Found description for ioctl 4: OP_NR: if syscall number is not 112, jump to next block Parsing match argument path Parsing match argument request C#28: (INT) 1074025674 5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block Parsing match argument ifr allocating 40 at offset 128 6: OP_LOAD: #128 < args[2] (size: 40) C#32: (STRING:5) tap0 7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block C#37: (INT) 1 8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block Linking match... Linking block... linked jump of instruction #4 to #9 linked jump of instruction #5 to #9 linked jump of instruction #7 to #9 linked jump of instruction #8 to #9 Parsing block 2 Parsing match 0: unshare Found description for unshare 9: OP_NR: if syscall number is not 164, jump to next block Parsing match argument flags Linking match... Linking block... linked jump of instruction #9 to #10 Parsing block 3 Parsing match 0: unshare Found description for unshare 10: OP_NR: if syscall number is not 164, jump to next block Parsing match argument flags Linking match... Linking block... linked jump of instruction #10 to #11 Parsing block 4 Parsing match 0: mknod Found description for mknod 11: OP_NR: if syscall number is not 164, jump to next block Parsing match argument path allocating 1 at offset 168 12: OP_LOAD: #168 < args[0] (size: 1) setting tag reference 'path' tag 'path' now refers to temporary data at 168 Parsing match argument mode Parsing match argument major Parsing match argument minor setting tag reference 'minor' tag 'minor' now refers to seccomp data at 2 Linking match... Linking block... linked jump of instruction #11 to #13 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
author: Stefano Brivio <sbrivio@redhat.com> 2023-05-16 03:19:01 +0200
committer: Stefano Brivio <sbrivio@redhat.com> 2023-05-16 07:20:25 +0200
commit: 7ab2bda2e69d4a862572be4b5e389a6aa864470d (patch)
tree: fa9653204a4ab9581b76499c95d76d16d467301d /cooker/calls
parent: 049bd1ca828da835f2903b88adcf9ce0bdacd6e4 (diff)
download: seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar
seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.gz
seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.bz2
seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.lz
seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.xz
seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.zst
seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.zip
7 files changed, 324 insertions, 5 deletions
diff --git a/cooker/calls/fs.c b/cooker/calls/fs.c
new file mode 100644
index 0000000..d800f38
--- /dev/null
+++ b/cooker/calls/fs.c
@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+/* seitan - Syscall Expressive Interpreter, Transformer and Notifier
+ *
+ * cooker/calls/fs.c - Description of known filesystem-related system calls
+ *
+ * Copyright 2023 Red Hat GmbH
+ * Author: Stefano Brivio <sbrivio@redhat.com>
+ */
+
+/*
+stat ?
+fstat ?
+lstat ?
+
+lseek ?
+
+fcntl ?
+flock ~
+fsync
+fdatasync
+truncate
+ftruncate
+
+getdents
+getcwd
+chdir
+fchdir
+mkdir
+rmdir
+
+rename
+
+creat
+
+link
+unlink
+symlink
+readlink
+
+chmod
+fchmod
+chown
+fchown
+fchownat
+lchown
+umask
+
+mknod
+mknodat
+
+mount
+umount2
+swapon
+swapoff
+*/
+
+#include <asm-generic/unistd.h>
+#include <sys/syscall.h>
+
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <linux/limits.h>
+
+#include "../cooker.h"
+#include "../calls.h"
+
+static struct arg mknod_args[] = {
+	{
+		0,	"path",		STRING,		1 /* TODO: PATH_MAX */,
+		{ 0 }
+	},
+	{
+		1,	"mode",		INTFLAGS,	0,
+		{ 0 /* TODO */ },
+	},
+	{
+		2,	"major",	UNDEF /* TODO */, 0,
+		{ 0 },
+	},
+	{
+		2,	"minor",	UNDEF /* TODO */, 0,
+		{ 0 },
+	},
+	{ 0 },
+};
+
+struct call syscalls_fs[] = {
+	{ __NR_mknod, "mknod", mknod_args },
+	{ 0 },
+};
diff --git a/cooker/calls/fs.h b/cooker/calls/fs.h
new file mode 100644
index 0000000..2e3c06b
--- /dev/null
+++ b/cooker/calls/fs.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: GPL-3.0-or-later
+ * Copyright 2023 Red Hat GmbH
+ * Author: Stefano Brivio <sbrivio@redhat.com>
+ */
+
+#ifndef CALLS_FS_H
+#define CALLS_FS_H
+
+extern struct call syscalls_fs[];
+
+#endif /* CALLS_FS_H */
diff --git a/cooker/calls/ioctl.c b/cooker/calls/ioctl.c
new file mode 100644
index 0000000..576e02e
--- /dev/null
+++ b/cooker/calls/ioctl.c
@@ -0,0 +1,135 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+/* seitan - Syscall Expressive Interpreter, Transformer and Notifier
+ *
+ * cooker/calls/ioctl.c - Description of known ioctl(2) requests
+ *
+ * Copyright 2023 Red Hat GmbH
+ * Authors: Alice Frosi <afrosi@redhat.com>
+ *	    Stefano Brivio <sbrivio@redhat.com>
+ */
+
+/*
+fd = ioctl_ns(fd, request)
+n  = ioctl_tty(fd, cmd, argp)
+e  = ioctl_iflags(fd, cmd, attr)
+*/
+
+#include <asm-generic/unistd.h>
+#include <sys/syscall.h>
+
+#include <sys/ioctl.h>
+#include <termios.h>
+#include <linux/fs.h>
+#include <linux/nsfs.h>
+
+#include <net/if.h>
+#include <linux/if.h>
+#include <linux/if_tun.h>
+
+#include "../cooker.h"
+#include "../calls.h"
+
+static struct num request[] = {
+	{ "FS_IOC_GETFLAGS", FS_IOC_GETFLAGS },		/* ioctl_iflags */
+	{ "FS_IOC_SETFLAGS", FS_IOC_SETFLAGS },
+
+	{ "NS_GET_USERNS", NS_GET_USERNS },		/* ioctl_ns*/
+	{ "NS_GET_PARENT", NS_GET_PARENT },
+
+	{ "TCGETS", TCGETS },				/* ioctl_tty */
+	{ "TCSETS", TCSETS },
+	{ "TCSETSW", TCSETSW },
+	{ "TCSETSF", TCSETSF },
+
+	{ "TUNSETIFF", TUNSETIFF },			/* no man page? */
+
+	{ 0 },
+};
+
+static struct num attr[] = {
+	{ "FS_APPEND_FL", FS_APPEND_FL },
+	{ "FS_COMPR_FL", FS_COMPR_FL },
+	{ "FS_DIRSYNC_FL", FS_DIRSYNC_FL },
+	{ "FS_IMMUTABLE_FL", FS_IMMUTABLE_FL },
+	{ "FS_JOURNAL_DATA_FL", FS_JOURNAL_DATA_FL },
+	{ "FS_NOATIME_FL", FS_NOATIME_FL },
+	{ "FS_NOCOW_FL", FS_NOCOW_FL },
+	{ "FS_NODUMP_FL", FS_NODUMP_FL },
+	{ "FS_NOTAIL_FL", FS_NOTAIL_FL },
+	{ "FS_PROJINHERIT_FL", FS_PROJINHERIT_FL },
+	{ "FS_SECRM_FL", FS_SECRM_FL },
+	{ "FS_SYNC_FL", FS_SYNC_FL },
+	{ "FS_TOPDIR_FL", FS_TOPDIR_FL },
+	{ "FS_UNRM_FL", FS_UNRM_FL },
+};
+
+static struct num tun_ifr_flags[] = {
+	{ "IFF_TUN",	IFF_TUN },
+	{ 0 },
+};
+
+static struct field tun_ifr[] = {	/* netdevice(7) */
+	{
+		"name",		STRING,
+		offsetof(struct ifreq, ifr_name),
+		IFNAMSIZ,	{ 0 },
+	},
+	{
+		"flags",	INT,	/* One allowed at a time? */
+		offsetof(struct ifreq, ifr_flags),
+		0,		{ .d_num = tun_ifr_flags },
+	},
+};
+
+static struct select_num ioctl_request_arg[] = {
+	{
+		FS_IOC_GETFLAGS,
+		{ 2, "argp",	INTFLAGS, sizeof(int), { .d_num = attr } }
+	},
+	{
+		FS_IOC_SETFLAGS,
+		{ 2, "argp",	INTFLAGS, sizeof(int), { .d_num = attr } }
+	},
+	{
+		TUNSETIFF,
+		{
+			2, "ifr",	STRUCT, sizeof(struct ifreq),
+			{ .d_struct = tun_ifr }
+		}
+	},
+	{ 0 },
+};
+
+static struct field ioctl_request = {
+	"request", INT, 0, 0, { .d_num = request },
+};
+
+static struct select ioctl_request_select = {
+	&ioctl_request, { .d_num = ioctl_request_arg }
+};
+
+static struct arg ioctl_args[] = {
+	{
+		0,	"path",		FDPATH,		0,
+		{ 0 }
+	},
+	{
+		0,	"fd",		INT,		0,
+		{ 0 }
+	},
+	{
+		1,	"request",	SELECT,		0,
+		{ .d_select = &ioctl_request_select }
+	},
+	{
+		2,	"arg",		SELECTED,	-1,
+		{ 0 }
+	},
+	{ 0 },
+};
+
+struct call syscalls_ioctl[] = {
+	{ __NR_ioctl, "ioctl", ioctl_args },
+	{ 0 },
+};
diff --git a/cooker/calls/ioctl.h b/cooker/calls/ioctl.h
new file mode 100644
index 0000000..a06a9bc
--- /dev/null
+++ b/cooker/calls/ioctl.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: GPL-3.0-or-later
+ * Copyright 2023 Red Hat GmbH
+ * Author: Stefano Brivio <sbrivio@redhat.com>
+ */
+
+#ifndef CALLS_IOCTL_H
+#define CALLS_IOCTL_H
+
+extern struct call syscalls_ioctl[];
+
+#endif /* CALLS_IOCTL_H */
diff --git a/cooker/calls/net.c b/cooker/calls/net.c
index 370a3a1..df97aab 100644
--- a/cooker/calls/net.c
+++ b/cooker/calls/net.c
@@ -135,7 +135,7 @@ static struct field connect_addr_nl[] = {
 	},
 	{
 		"groups",	U32,
-		offsetof(struct sockaddr_in6, sin6_addr),
+		offsetof(struct sockaddr_nl, nl_groups),
 		0,		{ 0 }
 	},
 	{ 0 },
@@ -148,10 +148,22 @@ static struct field connect_family = {
 };
 
 static struct select_num connect_addr_select_family[] = {
-	{ AF_UNIX,	STRUCT,	{ .d_struct = connect_addr_unix } },
-	{ AF_INET,	STRUCT,	{ .d_struct = connect_addr_ipv4 } },
-	{ AF_INET6,	STRUCT,	{ .d_struct = connect_addr_ipv6 } },
-	{ AF_NETLINK,	STRUCT,	{ .d_struct = connect_addr_nl } },
+	{
+		AF_UNIX,
+		{ 1, NULL, STRUCT, 0, { .d_struct = connect_addr_unix } }
+	},
+	{
+		AF_INET,
+		{ 1, NULL, STRUCT, 0, { .d_struct = connect_addr_ipv4 } }
+	},
+	{
+		AF_INET6,
+		{ 1, NULL, STRUCT, 0, { .d_struct = connect_addr_ipv6 } }
+	},
+	{
+		AF_NETLINK,
+		{ 1, NULL, STRUCT, 0, { .d_struct = connect_addr_nl } }
+	},
 	{ 0 },
 };
 
diff --git a/cooker/calls/process.c b/cooker/calls/process.c
new file mode 100644
index 0000000..7c0f36e
--- /dev/null
+++ b/cooker/calls/process.c
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+/* seitan - Syscall Expressive Interpreter, Transformer and Notifier
+ *
+ * cooker/calls/process.c - Description of known process-related system calls
+ *
+ * Copyright 2023 Red Hat GmbH
+ * Author: Stefano Brivio <sbrivio@redhat.com>
+ */
+
+/*
+clone
+fork
+vfork
+execve
+exit
+wait3
+wait4
+waitid
+kill
+exit_group
+unshare
+kcmp
+clone3
+*/
+
+#include <asm-generic/unistd.h>
+#include <sys/syscall.h>
+
+#include <unistd.h>
+#include <sched.h>
+#include <linux/kcmp.h>
+#include <sys/wait.h>
+
+#include "../cooker.h"
+#include "../calls.h"
+
+static struct arg unshare_args[] = {
+	{
+		0,	"flags",	INTFLAGS,	0,
+		{ 0 /* TODO */ }
+	},
+};
+
+struct call syscalls_process[] = {
+	{ __NR_unshare, "unshare", unshare_args },
+	{ 0 },
+};
diff --git a/cooker/calls/process.h b/cooker/calls/process.h
new file mode 100644
index 0000000..5e214ef
--- /dev/null
+++ b/cooker/calls/process.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: GPL-3.0-or-later
+ * Copyright 2023 Red Hat GmbH
+ * Author: Stefano Brivio <sbrivio@redhat.com>
+ */
+
+#ifndef CALLS_PROCESS_H
+#define CALLS_PROCESS_H
+
+extern struct call syscalls_process[];
+
+#endif /* CALLS_PROCESS_H */
author	Stefano Brivio <sbrivio@redhat.com>	2023-05-16 03:19:01 +0200
committer	Stefano Brivio <sbrivio@redhat.com>	2023-05-16 07:20:25 +0200
commit	7ab2bda2e69d4a862572be4b5e389a6aa864470d (patch)
tree	fa9653204a4ab9581b76499c95d76d16d467301d /cooker/calls
parent	049bd1ca828da835f2903b88adcf9ce0bdacd6e4 (diff)
download	seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.gz seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.bz2 seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.lz seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.xz seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.tar.zst seitan-7ab2bda2e69d4a862572be4b5e389a6aa864470d.zip