| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| |
As discussed with Alice -- 'reuse lint' passes now.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| |
Only tangentially related:
- make seitan C99 again, so that I can build cooker without warnings
- make Makefiles make use of the usual conventions about assigning
directory paths in variables, drop numbers.h as requirement for
cooker and make it convenient to run stand-alone Makefiles
- fix up nr_syscalls.sh to be POSIX, otherwise it will give syntax
errors on my system
- define a single, common way to refer to offsets in gluten, and
functions to use those offsets in a safe way. Immediates are gone:
cooker will write any bit of "data" to the read-only section
- call const what has to be const
- define on-disk layout for gluten
- add OP_NR (to check syscall numbers), rename OP_COPY_ARGS to
OP_LOAD (it loads _selected_ stuff from arguments)
As for cooker itself:
- drop ARG_ and arg_ prefixes from struct names, and similar
- add/rework functions to build OP_NR, OP_LOAD, OP_CMP, and to
write constant data to gluten
- add parsing for "compound" arguments, but that's not completely
hooked into evaluation for numeric arguments yet
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
| |
The logging mode creates a BPF filter where all the syscalls trigger a
notification to the seccomp notifier.
| |
Create initial pytest suite for testing seitan and seitan-eater setup.
The test suite includes:
- 'test_simple' verifies the basic functionalities and the
synchronization between seitan and the eater
- 'test_restart_seitan' verifies when seitan needs to restart
Seitan and eater are deployed in a container to control the environment
where they run.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Preserve the seccomp notifier fd after the exec. In this way, if seitan
needs to restart, it is able to retrieve the fd from /proc/<pid>/fd of the
target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Move find_fd_seccomp_notifier to common.c to be reused
in other places.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The action file needs to be set from the seitan command line.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The test-filter verifies that the create_bfp_program builds the filter
correctly.
The test suite includes the tests for checking a filter with:
* a single instruction
* a single instruction with arguments
* 2 instructions
* multiple instructions
* multiple instructions with arguments
* multiple instructions with multiple instances of the same instruction
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The bpf_dbg binary prints the instructions included in the BPF filter.
This is particularly useful for debugging and verifying the generated
filter. E.g:
./bpf_dbg test.bpf
Read 7 entries
l0: ld [4]
l1: jeq #0xc000003e, l2, l5
l2: ld [0]
l3: jeq #0x2a, l4, l5
l4: ja 5
l5: ret #0x7fff0000
l6: ret #0x7fc00000
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The build binary creates the bpf filter based on the syscalls defined in
struct bpf_call. E.g:
./build test.bpf
First, a table with the filtered syscalls is built in ascending order of
syscall number and including the amount of syscalls of that type.
After, the BPF filter with a binary search tree is constructed with:
1. the nodes for the tree search
2. the leaves with all the syscall numbers
3. every syscall arguments if present
Then, the BPF instructions are written in the input file.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The flags aren't necessary anymore as the filter is built at runtime.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Refactor filter.sh script by:
* renaming the filter.sh to nr_syscalls.sh
* removing the BPF filter generation
* simplifying the syscall number and header generation
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>