| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cooker:
- added missing OP_CALL type
- local copy of the offset for the type STRUCT
- fix return offset
- added type LONG in emit_data
seitan:
- check context if NULL
- fix ptr dereference
- added a couple of debug print
- added error message in seitan for eval
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
| |
...mostly.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Changes:
- fix initialization of size
- addedfew comments
- finish to fix the test_filter_build tests
|
|
|
|
|
|
|
| |
Add filter_flush_args() to flush the arguments when finish to add the
syscall arguments.
Fixed test compilation after refactoring.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
parser:
- add OP_BLOCK and OP_RETURN to the parser
seitan:
- fix op_cmp in seitan, it was jmp when comparison was true
Working example:
demo.json:
[
{
"match": [ /* qemu-pr-helper and similar */
{ "connect": { "addr": { "family": "unix", "path": "/tmp/test.sock" } } }
],
"return": 0
}
]
Create gluten and the bpf filter:
$ seitan-cooker demo.hjson demo.gluten demo.bpf
Launch the seitan eater with the target program:
$ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
Start seitan with gluten:
$ seitan -i demo.gluten -p $(pgrep seitan-eater)
Seitan mocks the connect syscall and `connect` returns successfully:
$ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
Test syscall: connect
connect(4, {sa_family=AF_UNIX, sun_path="/tmp/test.sock"}, 108) = 0
|
|
|
|
|
|
| |
Add:
- ignore_args field for the filter.
- use MAX_FILTER to define the filter size in the eater
|
|
|
|
|
|
|
| |
Add:
- missing implementation for op_nr
- op_copy to copy data
- tests for op_nr and op_data
|
|
|
|
|
|
|
|
|
|
|
| |
Attempt to simplify the filter build:
- storing all the bpf_args in a common array and saving the index of
each entry in filter_input
- added new flag to filter_add_arg for append an argument to an entry
- split large loop in filter_build in multiple functions
- adjust and refactor tests/units/test_filter
The tests in test_filter_build.c still need to be fixed
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pseudorandom changes and progress around cooker and seitan:
- cooker:
- rename matching functions, split match.c
- fix up SELECT semantics
- add some form of handling for all syscalls in the example
(some stubs)
- OP_CMP for all basic and compound types except for flags
- link jumps to next block and next match
- completed implementation of tags
- gluten write
- filter clean-ups, write filters (probably not working)
- seitan:
- load gluten and source instructions and data from there
$ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
Parsing block 0
Parsing match 0: connect
Found description for connect
0: OP_NR: if syscall number is not 0, jump to next block
Parsing match argument fd
setting tag reference 'fd'
tag 'fd' now refers to seccomp data at 0
Parsing match argument addr
allocating 128 at offset 0
1: OP_LOAD: #0 < args[1] (size: 128)
C#0: (INT) 1
2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
C#4: (STRING:24) /var/run/pr-helper.sock
3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
Linking match...
Linking block...
linked jump of instruction #0 to #4
linked jump of instruction #2 to #4
linked jump of instruction #3 to #4
Parsing block 1
Parsing match 0: ioctl
Found description for ioctl
4: OP_NR: if syscall number is not 112, jump to next block
Parsing match argument path
Parsing match argument request
C#28: (INT) 1074025674
5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
Parsing match argument ifr
allocating 40 at offset 128
6: OP_LOAD: #128 < args[2] (size: 40)
C#32: (STRING:5) tap0
7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
C#37: (INT) 1
8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
Linking match...
Linking block...
linked jump of instruction #4 to #9
linked jump of instruction #5 to #9
linked jump of instruction #7 to #9
linked jump of instruction #8 to #9
Parsing block 2
Parsing match 0: unshare
Found description for unshare
9: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument flags
Linking match...
Linking block...
linked jump of instruction #9 to #10
Parsing block 3
Parsing match 0: unshare
Found description for unshare
10: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument flags
Linking match...
Linking block...
linked jump of instruction #10 to #11
Parsing block 4
Parsing match 0: mknod
Found description for mknod
11: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument path
allocating 1 at offset 168
12: OP_LOAD: #168 < args[0] (size: 1)
setting tag reference 'path'
tag 'path' now refers to temporary data at 168
Parsing match argument mode
Parsing match argument major
Parsing match argument minor
setting tag reference 'minor'
tag 'minor' now refers to seccomp data at 2
Linking match...
Linking block...
linked jump of instruction #11 to #13
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Refactoring error messages:
- standardize error messages and functions
- return on error instead of exit
- test error when target doesn't exist
- include ability to capture stderr and stdout in the tests
|
|
|
|
| |
Add check if offset type is SECCOMP_DATA and the seccomp request is set.
|
|
|
|
| |
Adding the offset limits checks and unit tests.
|
|
|
|
|
|
|
|
| |
Refactor includes:
- use static inline instead of macro
- return -1 if there is an error and don't exit
- eval return 0 or -1
- adjust code and tests
|
|
|
|
|
|
| |
Add bounds checking:
- if offset is larger then the maximum per offset type
- if memcpy is reading/writing inside gluten
|
|
|
|
| |
Adjust the tests after the refactoring and to use struct gluten_offset
|
|
|
|
|
|
|
|
|
|
|
| |
Refactoring:
- rename do_operations to eval and reduce the number of arguments
- create macro HANDLE_OP
- rename all functions with op_*(operation name)
- exposed the op_* functions in the operations.h
Fixes:
- use pread for op_load
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Only tangentially related:
- make seitan C99 again, so that I can build cooker without warnings
- make Makefiles make use of the usual conventions about assigning
directory paths in variables, drop numbers.h as requirement for
cooker and make it convenient to run stand-alone Makefiles
- fix up nr_syscalls.sh to be POSIX, otherwise it will give syntax
errors on my system
- define a single, common way to refer to offsets in gluten, and
functions to use those offsets in a safe way. Immediates are gone:
cooker will write any bit of "data" to the read-only section
- call const what has to be const
- define on-disk layout for gluten
- add OP_NR (to check syscall numbers), rename OP_COPY_ARGS to
OP_LOAD (it loads _selected_ stuff from arguments)
As for cooker itself:
- drop ARG_ and arg_ prefixes from struct names, and similar
- add/rework functions to build OP_NR, OP_LOAD, OP_CMP, and to
write constant data to gluten
- add parsing for "compound" arguments, but that's not completely
hooked into evaluation for numeric arguments yet
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
The logging will be handled different using op_log
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Pid and id are reduandant fields as the information are already included
in the seccomp request
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|