| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |/
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
Splited common functions in web/common.sh and created new script for
mknod demo. The demo uses the mount namespace of the caller.
Additionally, this removes extra commented lines in demo/mknod.hjson.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf
Start seitan with the socket option:
./seitan -s /tmp/seitan.sock -i demo/mknod.gluten
Start the container:
sudo rm -f /dev/lol
sudo chown $USER:$USER /tmp/seitan.sock
podman run -ti --runtime /usr/bin/crun \
--security-opt label=disable \
-v $(pwd)/test:/test \
--annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
| |
Refactor OP_RETURN:
- merged OP_BLOCK and OP_CONT into OP_RETURN
- add desc field for op_return
- updated the demo files
|
| |
|
|
|
|
|
|
|
| |
ops:
- update resolvefd with the description
- add debug prints
cooker:
- add emit_resolvefd when match has type FDPATH
|
| | |
|
| |
|
|
|
|
| |
...and terminate on EPOLLHUP.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
|
| |
While at it:
- directly assign 'fd' in eater from install_filter()
- turn op_cmp into a description-style thing
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
If DIR already exists, just remove our entries.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Clean-up the entire DIR.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Added:
- fix offset for jumping to the next block (use absolute jump and not
relative.
- fix op_cmp, jump if the comparison is true.
- added a couple of debug print
|
| |
|
|
|
| |
Add matches for injecting error and faking the connect syscall.
Fix seitan-run clean-up: delete only *.bpf and *.gluten files
|
| | |
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
As discussed with Alice -- 'reuse lint' passes now.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
cooker:
- added missing OP_CALL type
- local copy of the offset for the type STRUCT
- fix return offset
- added type LONG in emit_data
seitan:
- check context if NULL
- fix ptr dereference
- added a couple of debug print
- added error message in seitan for eval
|
| |
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
...mostly.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| | |
|
| |
|
|
|
|
|
| |
Changes:
- fix initialization of size
- addedfew comments
- finish to fix the test_filter_build tests
|
| |
|
|
|
|
|
| |
Add filter_flush_args() to flush the arguments when finish to add the
syscall arguments.
Fixed test compilation after refactoring.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
parser:
- add OP_BLOCK and OP_RETURN to the parser
seitan:
- fix op_cmp in seitan, it was jmp when comparison was true
Working example:
demo.json:
[
{
"match": [ /* qemu-pr-helper and similar */
{ "connect": { "addr": { "family": "unix", "path": "/tmp/test.sock" } } }
],
"return": 0
}
]
Create gluten and the bpf filter:
$ seitan-cooker demo.hjson demo.gluten demo.bpf
Launch the seitan eater with the target program:
$ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
Start seitan with gluten:
$ seitan -i demo.gluten -p $(pgrep seitan-eater)
Seitan mocks the connect syscall and `connect` returns successfully:
$ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
Test syscall: connect
connect(4, {sa_family=AF_UNIX, sun_path="/tmp/test.sock"}, 108) = 0
|
| |
|
|
|
|
| |
Add:
- ignore_args field for the filter.
- use MAX_FILTER to define the filter size in the eater
|
