| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
| |
The sched_setscheduler requires to set the pid of the process we want to
change the priority, this adds a new metadata for getting the target pid
at runtime.
Add a couple of syscalls for the scheduler in the string parsing.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Group the metadata information:
- simplify the json by removing the 'tag' and only using 'get' and 'set'
keys
- get uid and gid at runtime for the target ('caller'). This can be useful when
the the UID and GID of the target are only known at runtime and they
need to be used for setting the permissions of files
- updated example demo/mknod.hjson
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Generate the OCI seccomp profile instead of directly the BPF filter. The
seccomp profile will be used consquently by the container runtime as
input in order to generate the BPF filter.
Example with mknod:
$ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
$ seitan -s /tmp/seitan.sock -i /tmp/gluten
$ podman run --cap-drop ALL
--security-opt=seccomp=/tmp/scmp_prof.json \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
-ti fedora \
sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
/dev/lol
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tests for checking the filter build recompile and are successfull.
Changes:
- spotted a couple of bugs for adding the arguments in the filter
- readded function `filter_flush_args` to flush_args; this is needed
to distinguish when the arguments belong to the same block or are different
entries to the same syscall
- build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we
don't need to awkwardly negate the operations (still TODO for AND_EQ)
|
|
|
|
|
|
|
|
|
|
| |
Similarly to namespace specifications, the special value "caller", as
well as login/group names and numeric UID/GIDs are supported.
Example of usage in demo/mknod.hjson. Light on checks and with some
TODOs left behind at the moment.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Starting from Linux 2.6 series, we have 20 bits of minor (not 32)
and the gap between low and high bits is 12 bits, meaning the high
ones are shifted by 20 (not 12).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf
Start seitan with the socket option:
./seitan -s /tmp/seitan.sock -i demo/mknod.gluten
Start the container:
sudo rm -f /dev/lol
sudo chown $USER:$USER /tmp/seitan.sock
podman run -ti --runtime /usr/bin/crun \
--security-opt label=disable \
-v $(pwd)/test:/test \
--annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
| |
Refactor OP_RETURN:
- merged OP_BLOCK and OP_CONT into OP_RETURN
- add desc field for op_return
- updated the demo files
|
|
|
|
|
|
|
|
|
| |
ops:
- update resolvefd with the description
- add debug prints
cooker:
- add emit_resolvefd when match has type FDPATH
|
|
|
|
|
|
|
|
| |
While at it:
- directly assign 'fd' in eater from install_filter()
- turn op_cmp into a description-style thing
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
| |
As discussed with Alice -- 'reuse lint' passes now.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cooker:
- added missing OP_CALL type
- local copy of the offset for the type STRUCT
- fix return offset
- added type LONG in emit_data
seitan:
- check context if NULL
- fix ptr dereference
- added a couple of debug print
- added error message in seitan for eval
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
| |
...mostly.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
| |
Changes:
- fix initialization of size
- addedfew comments
- finish to fix the test_filter_build tests
|
|
|
|
|
|
|
| |
Add filter_flush_args() to flush the arguments when finish to add the
syscall arguments.
Fixed test compilation after refactoring.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
parser:
- add OP_BLOCK and OP_RETURN to the parser
seitan:
- fix op_cmp in seitan, it was jmp when comparison was true
Working example:
demo.json:
[
{
"match": [ /* qemu-pr-helper and similar */
{ "connect": { "addr": { "family": "unix", "path": "/tmp/test.sock" } } }
],
"return": 0
}
]
Create gluten and the bpf filter:
$ seitan-cooker demo.hjson demo.gluten demo.bpf
Launch the seitan eater with the target program:
$ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
Start seitan with gluten:
$ seitan -i demo.gluten -p $(pgrep seitan-eater)
Seitan mocks the connect syscall and `connect` returns successfully:
$ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
Test syscall: connect
connect(4, {sa_family=AF_UNIX, sun_path="/tmp/test.sock"}, 108) = 0
|
|
|
|
|
|
| |
Add:
- ignore_args field for the filter.
- use MAX_FILTER to define the filter size in the eater
|
|
|
|
|
|
|
|
|
|
|
| |
Attempt to simplify the filter build:
- storing all the bpf_args in a common array and saving the index of
each entry in filter_input
- added new flag to filter_add_arg for append an argument to an entry
- split large loop in filter_build in multiple functions
- adjust and refactor tests/units/test_filter
The tests in test_filter_build.c still need to be fixed
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pseudorandom changes and progress around cooker and seitan:
- cooker:
- rename matching functions, split match.c
- fix up SELECT semantics
- add some form of handling for all syscalls in the example
(some stubs)
- OP_CMP for all basic and compound types except for flags
- link jumps to next block and next match
- completed implementation of tags
- gluten write
- filter clean-ups, write filters (probably not working)
- seitan:
- load gluten and source instructions and data from there
$ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
Parsing block 0
Parsing match 0: connect
Found description for connect
0: OP_NR: if syscall number is not 0, jump to next block
Parsing match argument fd
setting tag reference 'fd'
tag 'fd' now refers to seccomp data at 0
Parsing match argument addr
allocating 128 at offset 0
1: OP_LOAD: #0 < args[1] (size: 128)
C#0: (INT) 1
2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
C#4: (STRING:24) /var/run/pr-helper.sock
3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
Linking match...
Linking block...
linked jump of instruction #0 to #4
linked jump of instruction #2 to #4
linked jump of instruction #3 to #4
Parsing block 1
Parsing match 0: ioctl
Found description for ioctl
4: OP_NR: if syscall number is not 112, jump to next block
Parsing match argument path
Parsing match argument request
C#28: (INT) 1074025674
5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
Parsing match argument ifr
allocating 40 at offset 128
6: OP_LOAD: #128 < args[2] (size: 40)
C#32: (STRING:5) tap0
7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
C#37: (INT) 1
8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
Linking match...
Linking block...
linked jump of instruction #4 to #9
linked jump of instruction #5 to #9
linked jump of instruction #7 to #9
linked jump of instruction #8 to #9
Parsing block 2
Parsing match 0: unshare
Found description for unshare
9: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument flags
Linking match...
Linking block...
linked jump of instruction #9 to #10
Parsing block 3
Parsing match 0: unshare
Found description for unshare
10: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument flags
Linking match...
Linking block...
linked jump of instruction #10 to #11
Parsing block 4
Parsing match 0: mknod
Found description for mknod
11: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument path
allocating 1 at offset 168
12: OP_LOAD: #168 < args[0] (size: 1)
setting tag reference 'path'
tag 'path' now refers to temporary data at 168
Parsing match argument mode
Parsing match argument major
Parsing match argument minor
setting tag reference 'minor'
tag 'minor' now refers to seccomp data at 2
Linking match...
Linking block...
linked jump of instruction #11 to #13
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Only tangentially related:
- make seitan C99 again, so that I can build cooker without warnings
- make Makefiles make use of the usual conventions about assigning
directory paths in variables, drop numbers.h as requirement for
cooker and make it convenient to run stand-alone Makefiles
- fix up nr_syscalls.sh to be POSIX, otherwise it will give syntax
errors on my system
- define a single, common way to refer to offsets in gluten, and
functions to use those offsets in a safe way. Immediates are gone:
cooker will write any bit of "data" to the read-only section
- call const what has to be const
- define on-disk layout for gluten
- add OP_NR (to check syscall numbers), rename OP_COPY_ARGS to
OP_LOAD (it loads _selected_ stuff from arguments)
As for cooker itself:
- drop ARG_ and arg_ prefixes from struct names, and similar
- add/rework functions to build OP_NR, OP_LOAD, OP_CMP, and to
write constant data to gluten
- add parsing for "compound" arguments, but that's not completely
hooked into evaluation for numeric arguments yet
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
| |
|
|
|
|
| |
The logging will be handled different using op_log
|
| |
|
| |
|
| |
|
| |
|