diff options
-rw-r--r-- | common/gluten.h | 1 | ||||
-rw-r--r-- | cooker/emit.c | 2 | ||||
-rw-r--r-- | cooker/filter.c | 76 | ||||
-rw-r--r-- | cooker/filter.h | 2 | ||||
-rw-r--r-- | cooker/match.c | 1 | ||||
-rw-r--r-- | tests/unit/Makefile | 23 | ||||
-rw-r--r-- | tests/unit/test_filter_build.c | 121 | ||||
-rw-r--r-- | tests/unit/testutil.h | 4 | ||||
-rw-r--r-- | tests/unit/util.c | 19 |
9 files changed, 125 insertions, 124 deletions
diff --git a/common/gluten.h b/common/gluten.h index f3ef47d..83cfbc3 100644 --- a/common/gluten.h +++ b/common/gluten.h @@ -34,7 +34,6 @@ extern struct seccomp_data anonymous_seccomp_data; #define OP_EMPTY { .block = { -1 } } #define NO_FIELD block -#define NS_NUM sizeof(enum ns_type) #define GET_BIT(x, i) (((x) & (1UL << (i))) != 0) enum gluten_offset_type { diff --git a/cooker/emit.c b/cooker/emit.c index ee52b17..28afd29 100644 --- a/cooker/emit.c +++ b/cooker/emit.c @@ -559,8 +559,6 @@ void emit_bpf_arg(int index, enum type type, union value v, union value mask, */ if (mask.v_num) bpf.cmp = (cmp == CMP_EQ) ? AND_NE : AND_EQ; - else - bpf.cmp = (cmp == CMP_EQ) ? NE : EQ; bpf.arg = index; diff --git a/cooker/filter.c b/cooker/filter.c index c7e0ee4..4a06111 100644 --- a/cooker/filter.c +++ b/cooker/filter.c @@ -13,7 +13,7 @@ #include <string.h> #include <unistd.h> -#include <util.h> +#include "util.h" #include "filter.h" @@ -37,30 +37,13 @@ struct bpf_entry { struct filter_call_input { bool notify; bool ignore_args; + unsigned int count; struct bpf_entry entry[MAX_ENTRIES_PER_SYSCALL]; } filter_input[N_SYSCALL] = { 0 }; static long current_nr; /** - * entry_has_check() - Input stage: does the syscall entry need argument checks? - * @entry: syscall entry with field checks - * - * Return: true if at least one argument comparison is requested - */ -static bool entry_has_check(const struct bpf_entry *entry) -{ - unsigned i; - - for (i = 0; i < MAX_FIELDS_PER_SYSCALL; i++) { - if (entry->field[i].cmp != NO_CHECK) - return true; - } - - return false; -} - -/** * call_entry_count() - Input stage: count of entries for the same syscall * @nr: syscall number * @@ -69,19 +52,8 @@ static bool entry_has_check(const struct bpf_entry *entry) static unsigned int call_entry_count(long nr) { struct filter_call_input *call = filter_input + nr; - unsigned i, count = 0; - - if (!call->notify || call->ignore_args) - return 0; - - for (i = 0; i < MAX_ENTRIES_PER_SYSCALL; i++) { - if (entry_has_check(&call->entry[i])) - count++; - else - break; - } - return count; + return call->count; } /** @@ -170,6 +142,17 @@ void filter_needs_deref(void) call->ignore_args = true; } +void filter_flush_args(long nr) +{ + struct filter_call_input *call = filter_input + nr; + struct bpf_entry *entry = &call->entry[(call->count)]; + + if (entry_check_count(entry) > 0) + call->count++; + if (call->count > MAX_FIELDS_PER_SYSCALL) + call->ignore_args = true; +} + /* Calculate how many instruction for the syscall */ static unsigned int get_n_args_syscall_instr(long nr) { @@ -469,6 +452,9 @@ static unsigned int insert_args(struct sock_filter filter[], long nr) unsigned int size = 0; unsigned int i, j; + /* No entries, hence no arguments for the @nr syscall */ + if (count <= 0) + return 0; for (i = 0; i < count; i++) { n_checks = 0; entry = &call->entry[i]; @@ -478,10 +464,14 @@ static unsigned int insert_args(struct sock_filter filter[], long nr) * jump to the next group if the check is false. */ next_offset = entry_check_count(entry); - for (j = 0; j < entry_check_count(entry); j++) { + for (j = 0; j <= entry_check_count(entry); j++) { struct bpf_field *field = &entry->field[j]; - + /* If the current argument isn't the last argument (offset = 1), + * add an additional jump as there is seccomp notify instruction + * before the allow one. + */ offset = next_offset - n_checks; + offset += (offset > 1) ? 1 : 0; switch (field->cmp) { case NO_CHECK: continue; @@ -512,12 +502,10 @@ static unsigned int insert_args(struct sock_filter filter[], long nr) } n_checks++; } - /* If there were no arguments for this entry, then we don't need - * to add the notification */ if (n_checks > 0) - filter[size++] = STMT(BPF_RET | BPF_K, - SECCOMP_RET_ALLOW); + filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF); } + filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); return size; } @@ -571,7 +559,7 @@ unsigned int filter_build(struct sock_filter filter[], unsigned n) for (i = 0; i < n; i++) { nr = get_syscall(i); if (call_entry_count(nr) > 0) { - offset = next_offset - 1; + offset = next_offset; } else { /* If the syscall doesn't have any arguments, then notify */ offset = notify - size - 1; @@ -584,21 +572,15 @@ unsigned int filter_build(struct sock_filter filter[], unsigned n) } /* Seccomp accept and notify instruction */ filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); - if (!call_entry_count(nr)) - filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF); - + filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF); /* * Insert args. It sequentially checks all the arguments for a syscall * entry. If a check on the argument isn't equal then it jumps to * check the following entry of the syscall and its arguments. */ - for (i = 0; i < n; i++) { - size += insert_args(&filter[size], nr); - if (call_entry_count(nr)) - filter[size++] = STMT(BPF_RET | BPF_K, - SECCOMP_RET_USER_NOTIF); - } + for (i = 0; i < n; i++) + size += insert_args(&filter[size], get_syscall(i)); debug(" BPF: filter with %i call%s has %i instructions", n, n != 1 ? "s" : "", size); diff --git a/cooker/filter.h b/cooker/filter.h index 8efdc47..c152b2e 100644 --- a/cooker/filter.h +++ b/cooker/filter.h @@ -70,5 +70,5 @@ void filter_notify(long nr); void filter_needs_deref(void); void filter_add_check(struct bpf_field *field); void filter_write(const char *path); - +void filter_flush_args(long nr); #endif diff --git a/cooker/match.c b/cooker/match.c index c1f5fa8..c83f9fe 100644 --- a/cooker/match.c +++ b/cooker/match.c @@ -381,6 +381,7 @@ void handle_matches(struct gluten_ctx *g, JSON_Value *value) filter_notify(call->number); parse_match(g, args, call->args); + filter_flush_args(call->number); break; } diff --git a/tests/unit/Makefile b/tests/unit/Makefile index 1a7f70a..76f815e 100644 --- a/tests/unit/Makefile +++ b/tests/unit/Makefile @@ -4,29 +4,30 @@ MAIN_DIR := ../../ COMMON_DIR := ../../common -OP_DIR := ../../ COOKER_DIR := ../../cooker DBG_DIR := ../../debug -SRCS_FILTER_BUILD := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c -HEADERS_FILTER_BUILD := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h +SRCS_FILTER_BUILD := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c \ + $(COMMON_DIR)/util.c +HEADERS_FILTER_BUILD := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h \ + $(COMMON_DIR)/util.h SRCS_FILTER := $(COOKER_DIR)/filter.c $(COMMON_DIR)/common.c util.c \ $(DBG_DIR)/disasm.c -HEADERS_FILTER := $(COOKER_DIR)/filter.h $(COMMON_DIR)/common.h \ +HEADERS_FILTER := $(COOKER_DIR)/filter.h $(COMMON_DIR)/common.h $(COMMON_DIR)/util.h \ $(DBG_DIR)/disasm.h testutil.h -HEADERS_OP_CALL := testutil.h $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h \ +HEADERS_OP_CALL := testutil.h $(COMMON_DIR)/gluten.h $(MAIN_DIR)/operations.h \ $(COMMON_DIR)/common.h $(COMMON_DIR)/util.h -SRCS_OP_CALL := $(COMMON_DIR)/common.c $(OP_DIR)/operations.c util.c $(COMMON_DIR)/util.c +SRCS_OP_CALL := $(COMMON_DIR)/common.c $(MAIN_DIR)/operations.c util.c $(COMMON_DIR)/util.c -HEADERS_OP := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h \ +HEADERS_OP := $(COMMON_DIR)/gluten.h $(MAIN_DIR)/operations.h \ $(COMMON_DIR)/common.h testutil.h $(COMMON_DIR)/util.h -SRCS_OP := $(COMMON_DIR)/common.c $(OP_DIR)/operations.c util.c $(COMMON_DIR)/util.c +SRCS_OP := $(COMMON_DIR)/common.c $(MAIN_DIR)/operations.c util.c $(COMMON_DIR)/util.c -HEADERS_ERROR := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h \ +HEADERS_ERROR := $(COMMON_DIR)/gluten.h $(MAIN_DIR)/operations.h \ $(COMMON_DIR)/common.h testutil.h $(COMMON_DIR)/util.h -SRCS_ERROR := $(COMMON_DIR)/common.c $(OP_DIR)/operations.c util.c $(COMMON_DIR)/util.c +SRCS_ERROR := $(COMMON_DIR)/common.c $(MAIN_DIR)/operations.c util.c $(COMMON_DIR)/util.c TARGET := $(shell $(CC) -dumpmachine) TARGET_ARCH := $(shell echo $(TARGET) | cut -f1 -d- | tr [A-Z] [a-z]) @@ -38,7 +39,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/') CFLAGS += -Wall -Wextra -pedantic -CFLAGS += -I$(MAIN_DIR) -I$(OP_DIR) -I$(DBG_DIR) +CFLAGS += -I$(MAIN_DIR) -I$(DBG_DIR) -I$(COMMON_DIR) -I$(COOKER_DIR) CFLAGS += -lcheck CFLAGS += -DSEITAN_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH) diff --git a/tests/unit/test_filter_build.c b/tests/unit/test_filter_build.c index f6d9ba5..52c1a82 100644 --- a/tests/unit/test_filter_build.c +++ b/tests/unit/test_filter_build.c @@ -35,7 +35,7 @@ static bool filter_eq(struct sock_filter *f1, struct sock_filter *f2, START_TEST(test_single_instr) { - struct sock_filter filter[10]; + struct sock_filter result[10]; unsigned int size; long nr = 42; struct sock_filter expected[] = { @@ -53,11 +53,13 @@ START_TEST(test_single_instr) }; filter_notify(nr); + filter_flush_args(nr); filter_write(tfilter); - size = read_filter(filter, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); - ck_assert(filter_eq(expected, filter, ARRAY_SIZE(expected))); + size = read_filter(result, tfilter); + + bpf_disasm_all(result, size); + ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -65,12 +67,12 @@ START_TEST(test_single_instr_two_args) { unsigned int size; long nr = 42; - struct bpf_arg a1 = { .cmp = EQ, - .value = { .v32 = 0x123 }, - .type = BPF_U32 }; - struct bpf_arg a2 = { .cmp = EQ, - .value = { .v32 = 0x321 }, - .type = BPF_U32 }; + struct bpf_field a1 = { + .arg = 1, .cmp = EQ, .value = { .v32 = 0x123 }, .type = BPF_U32 + }; + struct bpf_field a2 = { + .arg = 2, .cmp = EQ, .value = { .v32 = 0x321 }, .type = BPF_U32 + }; struct sock_filter result[20]; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, @@ -85,7 +87,7 @@ START_TEST(test_single_instr_two_args) /* l5 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* l6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l7 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l8 */ EQ(0x123, 0, 2), + /* l8 */ EQ(0x123, 0, 3), /* l9 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l10 */ EQ(0x321, 0, 1), /* l11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), @@ -93,14 +95,14 @@ START_TEST(test_single_instr_two_args) }; filter_notify(nr); - filter_add_arg(1, a1); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_add_check(&a2); + filter_flush_args(nr); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -127,18 +129,21 @@ START_TEST(test_two_instr) }; struct sock_filter result[30]; filter_notify(42); + filter_flush_args(42); filter_notify(49); + filter_flush_args(49); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST START_TEST(test_multiple_instr_no_args) { + unsigned long nrs[] = { 42, 43, 44, 45, 46 }; unsigned int size; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, @@ -170,16 +175,14 @@ START_TEST(test_multiple_instr_no_args) }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; - filter_notify(42); - filter_notify(43); - filter_notify(44); - filter_notify(45); - filter_notify(46); - + for(unsigned int i = 0; i < ARRAY_SIZE(nrs); i++) { + filter_notify(nrs[i]); + filter_flush_args(nrs[i]); + } filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -187,12 +190,12 @@ END_TEST START_TEST(test_multiple_instr_with_args) { unsigned int size; - struct bpf_arg a1 = { .cmp = EQ, - .value = { .v32 = 0x123 }, - .type = BPF_U32 }; - struct bpf_arg a2 = { .cmp = EQ, - .value = { .v32 = 0x321 }, - .type = BPF_U32 }; + struct bpf_field a1 = { + .arg = 1, .cmp = EQ, .value = { .v32 = 0x123 }, .type = BPF_U32 + }; + struct bpf_field a2 = { + .arg = 2, .cmp = EQ, .value = { .v32 = 0x321 }, .type = BPF_U32 + }; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), @@ -222,14 +225,14 @@ START_TEST(test_multiple_instr_with_args) /* l17 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* ------- args ---------- */ /* l18 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l19 */ EQ(0x123, 0, 2), + /* l19 */ EQ(0x123, 0, 3), /* l20 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l21 */ EQ(0x321, 0, 1), /* l22 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* ----- end call42 ------ */ /* l24 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l25 */ EQ(0x123, 0, 2), + /* l25 */ EQ(0x123, 0, 3), /* l26 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l27 */ EQ(0x321, 0, 1), /* l28 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), @@ -238,21 +241,21 @@ START_TEST(test_multiple_instr_with_args) }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; filter_notify(42); - filter_add_arg(1, a1); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_add_check(&a2); + filter_flush_args(42); filter_notify(43); filter_notify(44); filter_notify(45); - filter_add_arg(1, a1); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_add_check(&a2); + filter_flush_args(45); filter_notify(46); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -260,12 +263,12 @@ END_TEST START_TEST(test_multiple_instance_same_instr) { unsigned int size; - struct bpf_arg a1 = { .cmp = EQ, - .value = { .v32 = 0x123 }, - .type = BPF_U32 }; - struct bpf_arg a2 = { .cmp = EQ, - .value = { .v32 = 0x321 }, - .type = BPF_U32 }; + struct bpf_field a1 = { + .arg = 1, .cmp = EQ, .value = { .v32 = 0x123 }, .type = BPF_U32 + }; + struct bpf_field a2 = { + .arg = 2, .cmp = EQ, .value = { .v32 = 0x321 }, .type = BPF_U32 + }; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), @@ -299,38 +302,40 @@ START_TEST(test_multiple_instance_same_instr) /* l20 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l21 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l22 */ EQ(0x321, 0, 1), - /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), - /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* ----- end call42 ------ */ /* l25 */ LOAD(offsetof(struct seccomp_data, args[1])), /* l26 */ EQ(0x123, 0, 1), - /* l27 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l28 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l29 */ EQ(0x321, 0, 1), - /* l30 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), - /* l31 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l31 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l30 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* ----- end call45 ------ */ }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; filter_notify(42); - filter_add_arg(1, a1); - filter_flush_args(); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_flush_args(42); + filter_notify(42); + filter_add_check(&a2); + filter_flush_args(42); filter_notify(43); filter_notify(44); filter_notify(45); - filter_add_arg(1, a1); - filter_flush_args(); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_flush_args(45); + filter_notify(45); + filter_add_check(&a2); + filter_flush_args(45); filter_notify(46); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h index a0fa0b8..caccd44 100644 --- a/tests/unit/testutil.h +++ b/tests/unit/testutil.h @@ -58,7 +58,7 @@ static inline void *test_gluten_write_ptr(struct gluten *g, ck_assert_ptr_nonnull(p); \ memcpy(&ref, p, sizeof(ref)); \ } while (0) - +#define NS_NUM CONTEXT_TYPE_MAX - 3 struct args_target { long ret; int err; @@ -67,7 +67,7 @@ struct args_target { int fd; int nr; bool filter_args[6]; - struct bpf_arg args[6]; + struct bpf_field bpf_fields[6]; void *targs[6]; void *tclone; bool ns[NS_NUM]; diff --git a/tests/unit/util.c b/tests/unit/util.c index 96d6663..26f13e0 100644 --- a/tests/unit/util.c +++ b/tests/unit/util.c @@ -13,6 +13,7 @@ #include <signal.h> #include <limits.h> #include <fcntl.h> +#include <stdarg.h> #include <errno.h> #include <sys/prctl.h> #include <sys/syscall.h> @@ -38,6 +39,19 @@ struct gluten gluten; char stderr_buff[BUFSIZ]; char stdout_buff[BUFSIZ]; +#define logfn(name) \ +void name(const char *format, ...) { \ + va_list args; \ + \ + va_start(args, format); \ + (void)vfprintf(stderr, format, args); \ + va_end(args); \ + if (format[strlen(format)] != '\n') \ + fprintf(stderr, "\n"); \ +} + +logfn(debug) + int install_single_syscall(long nr) { /* filter a single syscall for the tests */ @@ -209,7 +223,7 @@ void mock_syscall_target() void set_args_no_check(struct args_target *at) { for (unsigned int i = 0; i < 6; i++) - at->args[i].cmp = NO_CHECK; + at->bpf_fields[i].cmp = NO_CHECK; } static int set_ns_flags(bool ns[], int flags) @@ -217,8 +231,9 @@ static int set_ns_flags(bool ns[], int flags) unsigned int i; for (i = 0; i < NS_NUM; i++) { - if (!ns[i] || i == NS_NONE) + if (!ns[i]) continue; + switch (i) { case NS_CGROUP: flags |= CLONE_NEWCGROUP; |