path: root/cooker

Commit log (commit message, author, age, files, lines):
* Add fsetxattr(), fremovexattr(), open_by_handle_at(), and "virtiofsd demo"
  Stefano Brivio, 2024-05-15, 8 files, -10/+269

    Mostly assorted fixes, a new FDGET operation (get a copy of the target
    file descriptor via pidfd_getfd()) and a new "FD" flag that means we
    have to do that on direct tag reference.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes
  Stefano Brivio, 2023-12-21, 9 files, -16/+434

    A bit rough at the moment, but it does the trick.

    Bonus: setsockopt() (with magic values only, not used in any demo yet).

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: set base_offset for struct
  Alice Frosi, 2023-09-08, 1 file, -0/+2
* cooker: Don't mix up JSON objects when checking temporary storage needs
  Stefano Brivio, 2023-09-05, 1 file, -1/+1

    ...including the check on whether the given object is a top-level
    (corresponding to a full argument) metadata tag.

    Fixes: d3917582873d ("cooker: simplify tag and add caller metadata")
    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker/calls: Add support for bind()
  Stefano Brivio, 2023-09-04, 1 file, -0/+1

    ...no examples yet, but it's trivial as the prototype is exactly the
    same as connect().

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: fix tag check with the new format
  Alice Frosi, 2023-09-04, 1 file, -7/+31
* cooker: fix priority name for sched_setscheduler
  Alice Frosi, 2023-09-01, 2 files, -6/+9
* cooker: fix wrong check
  Alice Frosi, 2023-09-01, 1 file, -5/+8
* cooker, seitan: add sched_setscheduler
  Alice Frosi, 2023-09-01, 5 files, -6/+71

    sched_setscheduler requires setting the pid of the process whose
    priority we want to change; this adds a new metadata for getting the
    target pid at runtime. Add a couple of syscalls for the scheduler in
    the string parsing.

    Signed-off-by: Alice Frosi <afrosi@redhat.com>
* cooker: print syscall name instead of number
  Alice Frosi, 2023-09-01, 2 files, -3/+3
* cooker: remove debug print
  Alice Frosi, 2023-08-30, 1 file, -3/+1
* cooker: simplify tag and add caller metadata
  Alice Frosi, 2023-08-30, 3 files, -59/+80

    Group the metadata information:
    - simplify the json by removing the 'tag' and only using 'get' and
      'set' keys
    - get uid and gid at runtime for the target ('caller'). This can be
      useful when the UID and GID of the target are only known at runtime
      and they need to be used for setting the permissions of files
    - updated example demo/mknod.hjson

    Signed-off-by: Alice Frosi <afrosi@redhat.com>
* cooker: add chown and lchown
  Alice Frosi, 2023-08-25, 2 files, -1/+31
* cooker: generate OCI seccomp profile
  Alice Frosi, 2023-08-24, 7 files, -21/+559

    Generate the OCI seccomp profile instead of directly the BPF filter.
    The seccomp profile will consequently be used by the container runtime
    as input in order to generate the BPF filter.

    Example with mknod:

    $ seitan-cooker -g /tmp/gluten -p /tmp/scmp_prof.json -s seccomp.json -i demo/mknod.hjson
    $ seitan -s /tmp/seitan.sock -i /tmp/gluten
    $ podman run --cap-drop ALL --security-opt=seccomp=/tmp/scmp_prof.json \
        --annotation run.oci.seccomp.receiver=/tmp/seitan.sock \
        -ti fedora \
        sh -c 'mknod /dev/lol c 1 7 && ls /dev/lol'
    /dev/lol

    Signed-off-by: Alice Frosi <afrosi@redhat.com>
* cooker: add flags with getopts
  Alice Frosi, 2023-08-24, 2 files, -6/+88
* test: fix filter-build test and bugs
  Alice Frosi, 2023-07-03, 4 files, -50/+31

    The tests for checking the filter build recompile and are successful.

    Changes:
    - spotted a couple of bugs for adding the arguments in the filter
    - re-added function `filter_flush_args` to flush_args; this is needed
      to distinguish when the arguments belong to the same block or are
      different entries to the same syscall
    - build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we
      don't need to awkwardly negate the operations (still TODO for AND_EQ)
* cooker, seitan: Add support for GID/UID in context
  Stefano Brivio, 2023-06-28, 1 file, -4/+15

    Similarly to namespace specifications, the special value "caller", as
    well as login/group names and numeric UID/GIDs are supported. Example
    of usage in demo/mknod.hjson.

    Light on checks and with some TODOs left behind at the moment.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* common: move cmp_type_str in util
  Alice Frosi, 2023-06-28, 1 file, -4/+0
* cooker/match: Fix mask calculation for GNU_DEV_MINOR
  Stefano Brivio, 2023-06-27, 1 file, -2/+2

    Starting from Linux 2.6 series, we have 20 bits of minor (not 32) and
    the gap between low and high bits is 12 bits, meaning the high ones
    are shifted by 20 (not 12).

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: fix initialization and variable type
  Alice Frosi, 2023-06-14, 2 files, -7/+5
* cooker: Fix up debugging messages for "return"
  Stefano Brivio, 2023-06-14, 3 files, -22/+42

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker/parse: Error out on 'continue' with value/error tag
  Stefano Brivio, 2023-06-14, 1 file, -4/+4

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker/calls: Actually add io.{c,h}
  Stefano Brivio, 2023-06-14, 2 files, -0/+135

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker/filter: Stop the sock_filter cast madness
  Stefano Brivio, 2023-06-14, 2 files, -92/+65

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Support for read(), OP_STORE, field-based filters
  Stefano Brivio, 2023-06-14, 9 files, -229/+337

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* filter: increment counter only if call has args
  Alice Frosi, 2023-06-12, 1 file, -0/+2
* cooker: Pass arguments to filter
  Stefano Brivio, 2023-06-09, 6 files, -11/+74

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan,cooker: add wd to change work directory and mknod
  Alice Frosi, 2023-06-09, 3 files, -33/+34

    ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf

    Start seitan with the socket option:
    ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten

    Start the container:
    sudo rm -f /dev/lol
    sudo chown $USER:$USER /tmp/seitan.sock
    podman run -ti --runtime /usr/bin/crun \
        --security-opt label=disable \
        -v $(pwd)/test:/test \
        --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
        --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
        sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
* cooker: Full support for flags and masks, assorted fixes
  Stefano Brivio, 2023-06-08, 9 files, -46/+176

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* mknod/mknodat values, initial support for MASK flag, OP_BITWISE
  Stefano Brivio, 2023-06-07, 6 files, -60/+154

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan, cooker: refactor op_return
  Alice Frosi, 2023-06-07, 3 files, -29/+45

    Refactor OP_RETURN:
    - merged OP_BLOCK and OP_CONT into OP_RETURN
    - add desc field for op_return
    - updated the demo files
* seitan,cooker: op_resolvefd
  Alice Frosi, 2023-06-07, 4 files, -2/+56

    ops:
    - update resolvefd with the description
    - add debug prints

    cooker:
    - add emit_resolvefd when match has type FDPATH
* cooker: Draft quality: mknod/mknodat, sets of values with "in"
  Stefano Brivio, 2023-06-06, 9 files, -23/+208

    While at it:
    - directly assign 'fd' in eater from install_filter()
    - turn op_cmp into a description-style thing

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: use unsigned short for family with connect
  Alice Frosi, 2023-06-05, 6 files, -3/+9
* cooker: missing size set for op_load
  Alice Frosi, 2023-06-05, 1 file, -0/+1
* cooker: add emit_end
  Alice Frosi, 2023-06-05, 3 files, -1/+18
* cooker: Generic attributes and ATTR_SIZE
  Stefano Brivio, 2023-06-04, 8 files, -31/+89

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Change to GPLv2, add LICENSES, missing headers
  Stefano Brivio, 2023-06-04, 27 files, -182/+183

    As discussed with Alice -- 'reuse lint' passes now.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: json_object_get_boolean() can return true for missing key
  Stefano Brivio, 2023-06-02, 1 file, -2/+2

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: OP_FD
  Stefano Brivio, 2023-06-02, 5 files, -9/+76

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: fix some bugs for op call
  Alice Frosi, 2023-06-02, 2 files, -6/+9

    cooker:
    - added missing OP_CALL type
    - local copy of the offset for the type STRUCT
    - fix return offset
    - added type LONG in emit_data

    seitan:
    - check context if NULL
    - fix ptr dereference
    - added a couple of debug prints
    - added error message in seitan for eval
* cooker, seitan: OP_CALL arguments and context
  Stefano Brivio, 2023-06-02, 6 files, -68/+189

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: OP_CALL and OP_COPY stuff
  Stefano Brivio, 2023-06-01, 17 files, -347/+1011

    ...mostly.

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* filter: fix filter build and adjust tests
  Alice Frosi, 2023-05-22, 1 file, -18/+27

    Changes:
    - fix initialization of size
    - added a few comments
    - finished fixing the test_filter_build tests
* filter: adjust filter build
  Alice Frosi, 2023-05-19, 2 files, -9/+15

    Add filter_flush_args() to flush the arguments once all the syscall
    arguments have been added.

    Fixed test compilation after refactoring.
* cooker, seitan: simple working example
  Alice Frosi, 2023-05-17, 4 files, -4/+55

    parser:
    - add OP_BLOCK and OP_RETURN to the parser

    seitan:
    - fix op_cmp in seitan, it was jmp when comparison was true

    Working example:

    demo.json:
    [
      {
        "match": [
          /* qemu-pr-helper and similar */
          {
            "connect": {
              "addr": {
                "family": "unix",
                "path": "/tmp/test.sock"
              }
            }
          }
        ],
        "return": 0
      }
    ]

    Create gluten and the bpf filter:
    $ seitan-cooker demo.hjson demo.gluten demo.bpf

    Launch the seitan eater with the target program:
    $ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect

    Start seitan with gluten:
    $ seitan -i demo.gluten -p $(pgrep seitan-eater)

    Seitan mocks the connect syscall and `connect` returns successfully:
    $ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
    Test syscall: connect
    connect(4, {sa_family=AF_UNIX, sun_path="/tmp/test.sock"}, 108) = 0
* Minor fixes for the filter and the eater
  Alice Frosi, 2023-05-17, 2 files, -3/+8

    Add:
    - ignore_args field for the filter.
    - use MAX_FILTER to define the filter size in the eater
* filter: refactoring filter
  Alice Frosi, 2023-05-17, 2 files, -298/+291

    Attempt to simplify the filter build:
    - storing all the bpf_args in a common array and saving the index of
      each entry in filter_input
    - added new flag to filter_add_arg to append an argument to an entry
    - split large loop in filter_build in multiple functions
    - adjust and refactor tests/units/test_filter

    The tests in test_filter_build.c still need to be fixed
* filter: increment count
  Alice Frosi, 2023-05-16, 1 file, -1/+2
* cooker, seitan: Now with 100% more gluten
  Stefano Brivio, 2023-05-16, 22 files, -509/+1291

    Pseudorandom changes and progress around cooker and seitan:

    - cooker:
      - rename matching functions, split match.c
      - fix up SELECT semantics
      - add some form of handling for all syscalls in the example (some
        stubs)
      - OP_CMP for all basic and compound types except for flags
      - link jumps to next block and next match
      - completed implementation of tags
      - gluten write
      - filter clean-ups, write filters (probably not working)
    - seitan:
      - load gluten and source instructions and data from there

    $ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
    Parsing block 0
    Parsing match 0: connect
    Found description for connect
    0: OP_NR: if syscall number is not 0, jump to next block
    Parsing match argument fd
    setting tag reference 'fd'
    tag 'fd' now refers to seccomp data at 0
    Parsing match argument addr
    allocating 128 at offset 0
    1: OP_LOAD: #0 < args[1] (size: 128)
    C#0: (INT) 1
    2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
    C#4: (STRING:24) /var/run/pr-helper.sock
    3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
    Linking match...
    Linking block...
    linked jump of instruction #0 to #4
    linked jump of instruction #2 to #4
    linked jump of instruction #3 to #4
    Parsing block 1
    Parsing match 0: ioctl
    Found description for ioctl
    4: OP_NR: if syscall number is not 112, jump to next block
    Parsing match argument path
    Parsing match argument request
    C#28: (INT) 1074025674
    5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
    Parsing match argument ifr
    allocating 40 at offset 128
    6: OP_LOAD: #128 < args[2] (size: 40)
    C#32: (STRING:5) tap0
    7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
    C#37: (INT) 1
    8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
    Linking match...
    Linking block...
    linked jump of instruction #4 to #9
    linked jump of instruction #5 to #9
    linked jump of instruction #7 to #9
    linked jump of instruction #8 to #9
    Parsing block 2
    Parsing match 0: unshare
    Found description for unshare
    9: OP_NR: if syscall number is not 164, jump to next block
    Parsing match argument flags
    Linking match...
    Linking block...
    linked jump of instruction #9 to #10
    Parsing block 3
    Parsing match 0: unshare
    Found description for unshare
    10: OP_NR: if syscall number is not 164, jump to next block
    Parsing match argument flags
    Linking match...
    Linking block...
    linked jump of instruction #10 to #11
    Parsing block 4
    Parsing match 0: mknod
    Found description for mknod
    11: OP_NR: if syscall number is not 164, jump to next block
    Parsing match argument path
    allocating 1 at offset 168
    12: OP_LOAD: #168 < args[0] (size: 1)
    setting tag reference 'path'
    tag 'path' now refers to temporary data at 168
    Parsing match argument mode
    Parsing match argument major
    Parsing match argument minor
    setting tag reference 'minor'
    tag 'minor' now refers to seccomp data at 2
    Linking match...
    Linking block...
    linked jump of instruction #11 to #13

    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>