| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want to add and delete rules with iptables(8), and manipulate set
elements with nft(8).
These are the first users we encounter sending multiple netlink
messages in one sendmsg().
To support matching on those, we need to iterate over several
messages, looking for a matching one, or a mismatching one (depending
on quantifiers and match type), but we don't want to implement program
loops because of security design reasons.
We can't implement a generalised instruction that vectorises existing
ones, either, because we need to support universal and existential
quantifiers in fields that are repeated multiple times, once per each
netlink message, with bitwise operations and non-exact matching types.
Add vectorisation support to OP_CMP and OP_BITWISE instead, with a
generic description for a vector (only sequences of netlink messages
with length in nlmsghdr are supported at the moment) so that,
depending on the quantifiers, we'll repeat those operations as many
times as needed. This way, we don't risk any O(n^2) explosion, and we
are bound by O(m * n) instead, with m compare/bitwise operations for
a given expression, and n number of netlink messages.
Add demos for nft and iptables using the new concepts.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the starting index, otherwise we miss the first call in sets
(say, mknod in filesystem calls).
And if we don't find a matching name for the system call, actually
return it, instead of trying to fetch it from the current (invalid)
call.
Fixes: bdbec30a8498 ("seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
| |
Mostly assorted fixes, a new FDGET operation (get a copy of the
target file descriptor via pidfd_getfd()) and a new "FD" flag that
means we have to do that on direct tag reference.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
| |
A bit rough at the moment, but it does the trick. Bonus: setsockopt()
(with magic values only, not used in any demo yet).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
...including the check on whether the given object is a top-level
(corresponding to a full argument) metadata tag.
Fixes: d3917582873d ("cooker: simplify tag and add caller metadata")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
| |
...no examples yet, but it's trivial as the prototype is exactly the
same as connect().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The sched_setscheduler requires to set the pid of the process we want to
change the priority, this adds a new metadata for getting the target pid
at runtime.
Add a couple of syscalls for the scheduler in the string parsing.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
|
|
|
|
|
| |
Fixes:
- return an error message in do_clone instead of exit
- check if the type of context is out-of-bound
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Group the metadata information:
- simplify the json by removing the 'tag' and only using 'get' and 'set'
keys
- get uid and gid at runtime for the target ('caller'). This can be useful when
the the UID and GID of the target are only known at runtime and they
need to be used for setting the permissions of files
- updated example demo/mknod.hjson
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Allow setting a different uid and gid for the socket, otherwise seitan
uses its own uid and gid.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
|
|
|
| |
The error-check tests recompile and pass.
|
| |
|
|
|
|
|
|
|
| |
Otherwise we'll get EINVAL (as expected) -- reproducibly, at least,
when we handle more than one call.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
The filter tests recompile and pass.
|
|
|
|
| |
Remove all the *.gluten and *.bpf files and added the files to gitignore
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tests for checking the filter build recompile and are successfull.
Changes:
- spotted a couple of bugs for adding the arguments in the filter
- readded function `filter_flush_args` to flush_args; this is needed
to distinguish when the arguments belong to the same block or are different
entries to the same syscall
- build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we
don't need to awkwardly negate the operations (still TODO for AND_EQ)
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
| |
Use system mode as suggested by the documentation.
Added a note for directory permissions
|
|
|
|
|
|
|
|
|
|
| |
Similarly to namespace specifications, the special value "caller", as
well as login/group names and numeric UID/GIDs are supported.
Example of usage in demo/mknod.hjson. Light on checks and with some
TODOs left behind at the moment.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Starting from Linux 2.6 series, we have 20 bits of minor (not 32)
and the gap between low and high bits is 12 bits, meaning the high
ones are shifted by 20 (not 12).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
| |
Add echo abcd for connect demo.
Pull and make before running the demo.
|
| |
|
|\ |
|
| | |
|