path: root/operations.c
Commit message | Author | Age | Files | Lines
* seitan: Add netlink, sendto()/sendmsg(), iovec handling, demo with routes | Stefano Brivio | 2023-12-21 | 1 | -4/+69
  A bit rough at the moment, but it does the trick. Bonus: setsockopt() (with magic values only, not used in any demo yet).

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: try to improve print of the arguments to check | Alice Frosi | 2023-09-08 | 1 | -5/+53
* cooker, seitan: add sched_setscheduler | Alice Frosi | 2023-09-01 | 1 | -0/+3
  sched_setscheduler requires setting the pid of the process whose priority we want to change; this adds new metadata for getting the target pid at runtime.

  Add a couple of syscalls for the scheduler in the string parsing.

  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: small fixes | Alice Frosi | 2023-08-31 | 1 | -9/+10
  Fixes:
  - return an error message in do_clone instead of exit
  - check if the type of context is out-of-bound
* cooker: simplify tag and add caller metadata | Alice Frosi | 2023-08-30 | 1 | -3/+63
  Group the metadata information:
  - simplify the json by removing the 'tag' and only using 'get' and 'set' keys
  - get uid and gid at runtime for the target ('caller'). This can be useful when the UID and GID of the target are only known at runtime and they need to be used for setting the permissions of files
  - updated example demo/mknod.hjson

  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* common, ops: add error print and return if desc is empty | Alice Frosi | 2023-07-14 | 1 | -3/+5
* seitan: If setfd is not set, don't add SECCOMP_ADDFD_FLAG_SETFD | Stefano Brivio | 2023-07-05 | 1 | -1/+1
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: Add support for GID/UID in context | Stefano Brivio | 2023-06-28 | 1 | -6/+49
  Similarly to namespace specifications, the special value "caller", as well as login/group names and numeric UID/GIDs are supported.

  Example of usage in demo/mknod.hjson.

  Light on checks and with some TODOs left behind at the moment.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: Fix typo in prepare_arg_clone() | Stefano Brivio | 2023-06-14 | 1 | -1/+1
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Fix up debugging messages for "return" | Stefano Brivio | 2023-06-14 | 1 | -1/+4
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Support for read(), OP_STORE, field-based filters | Stefano Brivio | 2023-06-14 | 1 | -0/+40
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan,cooker: add wd to change work directory and mknod | Alice Frosi | 2023-06-09 | 1 | -24/+55
  ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf

  Start seitan with the socket option:

  ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten

  Start the container:

  sudo rm -f /dev/lol
  sudo chown $USER:$USER /tmp/seitan.sock
  podman run -ti --runtime /usr/bin/crun \
      --security-opt label=disable \
      -v $(pwd)/test:/test \
      --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
      --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
      sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
* cooker: Full support for flags and masks, assorted fixes | Stefano Brivio | 2023-06-08 | 1 | -5/+5
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* mknod/mknodat values, initial support for MASK flag, OP_BITWISE | Stefano Brivio | 2023-06-07 | 1 | -14/+21
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan, cooker: refactor op_return | Alice Frosi | 2023-06-07 | 1 | -44/+15
  Refactor OP_RETURN:
  - merged OP_BLOCK and OP_CONT into OP_RETURN
  - add desc field for op_return
  - updated the demo files
* seitan,cooker: op_resolvefd | Alice Frosi | 2023-06-07 | 1 | -9/+14
  ops:
  - update resolvefd with the description
  - add debug prints

  cooker:
  - add emit_resolvefd when match has type FDPATH
* cooker: Draft quality: mknod/mknodat, sets of values with "in" | Stefano Brivio | 2023-06-06 | 1 | -14/+62
  While at it:
  - directly assign 'fd' in eater from install_filter()
  - turn op_cmp into a description-style thing

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: add debug message for op_load/op_cmp | Alice Frosi | 2023-06-05 | 1 | -4/+9
* seitan: fix jmp in op_nr | Alice Frosi | 2023-06-05 | 1 | -6/+2
* seitan: use jmp.offset as absolute value | Alice Frosi | 2023-06-05 | 1 | -4/+2
* seitan: operations | Alice Frosi | 2023-06-05 | 1 | -21/+25
  Added:
  - fix offset for jumping to the next block (use absolute jump and not relative)
  - fix op_cmp, jump if the comparison is true
  - added a couple of debug prints
* treewide: Change to GPLv2, add LICENSES, missing headers | Stefano Brivio | 2023-06-04 | 1 | -0/+2
  As discussed with Alice -- 'reuse lint' passes now.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* gluten: What's const is const | Stefano Brivio | 2023-06-02 | 1 | -1/+1
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: whoops | Stefano Brivio | 2023-06-02 | 1 | -4/+3
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: OP_FD | Stefano Brivio | 2023-06-02 | 1 | -22/+19
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: fix some bugs for op call | Alice Frosi | 2023-06-02 | 1 | -14/+23
  cooker:
  - added missing OP_CALL type
  - local copy of the offset for the type STRUCT
  - fix return offset
  - added type LONG in emit_data

  seitan:
  - check context if NULL
  - fix ptr dereference
  - added a couple of debug prints
  - added error message in seitan for eval
* cooker, seitan: OP_CALL arguments and context | Stefano Brivio | 2023-06-02 | 1 | -75/+35
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* ops: adjust op_call | Alice Frosi | 2023-06-01 | 1 | -49/+88
* ops: fix op_cmp and test | Alice Frosi | 2023-05-19 | 1 | -2/+8
* ops: fix op_call and tests | Alice Frosi | 2023-05-19 | 1 | -15/+16
* cooker, seitan: simple working example | Alice Frosi | 2023-05-17 | 1 | -2/+2
  parser:
  - add OP_BLOCK and OP_RETURN to the parser

  seitan:
  - fix op_cmp in seitan, it was jmp when comparison was true

  Working example:

  demo.json:
  [
    {
      "match": [
        /* qemu-pr-helper and similar */
        {
          "connect": {
            "addr": {
              "family": "unix",
              "path": "/tmp/test.sock"
            }
          }
        }
      ],
      "return": 0
    }
  ]

  Create gluten and the bpf filter:
  $ seitan-cooker demo.hjson demo.gluten demo.bpf

  Launch the seitan eater with the target program:
  $ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect

  Start seitan with gluten:
  $ seitan -i demo.gluten -p $(pgrep seitan-eater)

  Seitan mocks the connect syscall and `connect` returns successfully:
  $ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect
  Test syscall: connect
  connect(4, {sa_family=AF_UNIX, sun_path="/tmp/test.sock"}, 108) = 0
* ops: add op_nr and op_copy | Alice Frosi | 2023-05-17 | 1 | -0/+29
  Add:
  - missing implementation for op_nr
  - op_copy to copy data
  - tests for op_nr and op_data
* cooker, seitan: Now with 100% more gluten | Stefano Brivio | 2023-05-16 | 1 | -3/+3
  Pseudorandom changes and progress around cooker and seitan:

  - cooker:
    - rename matching functions, split match.c
    - fix up SELECT semantics
    - add some form of handling for all syscalls in the example (some stubs)
    - OP_CMP for all basic and compound types except for flags
    - link jumps to next block and next match
    - completed implementation of tags
    - gluten write
    - filter clean-ups, write filters (probably not working)

  - seitan:
    - load gluten and source instructions and data from there

  $ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
  Parsing block 0
  Parsing match 0: connect
  Found description for connect
  0: OP_NR: if syscall number is not 0, jump to next block
  Parsing match argument fd
  setting tag reference 'fd'
  tag 'fd' now refers to seccomp data at 0
  Parsing match argument addr
  allocating 128 at offset 0
  1: OP_LOAD: #0 < args[1] (size: 128)
  C#0: (INT) 1
  2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
  C#4: (STRING:24) /var/run/pr-helper.sock
  3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
  Linking match...
  Linking block...
  linked jump of instruction #0 to #4
  linked jump of instruction #2 to #4
  linked jump of instruction #3 to #4
  Parsing block 1
  Parsing match 0: ioctl
  Found description for ioctl
  4: OP_NR: if syscall number is not 112, jump to next block
  Parsing match argument path
  Parsing match argument request
  C#28: (INT) 1074025674
  5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
  Parsing match argument ifr
  allocating 40 at offset 128
  6: OP_LOAD: #128 < args[2] (size: 40)
  C#32: (STRING:5) tap0
  7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
  C#37: (INT) 1
  8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
  Linking match...
  Linking block...
  linked jump of instruction #4 to #9
  linked jump of instruction #5 to #9
  linked jump of instruction #7 to #9
  linked jump of instruction #8 to #9
  Parsing block 2
  Parsing match 0: unshare
  Found description for unshare
  9: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument flags
  Linking match...
  Linking block...
  linked jump of instruction #9 to #10
  Parsing block 3
  Parsing match 0: unshare
  Found description for unshare
  10: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument flags
  Linking match...
  Linking block...
  linked jump of instruction #10 to #11
  Parsing block 4
  Parsing match 0: mknod
  Found description for mknod
  11: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument path
  allocating 1 at offset 168
  12: OP_LOAD: #168 < args[0] (size: 1)
  setting tag reference 'path'
  tag 'path' now refers to temporary data at 168
  Parsing match argument mode
  Parsing match argument major
  Parsing match argument minor
  setting tag reference 'minor'
  tag 'minor' now refers to seccomp data at 2
  Linking match...
  Linking block...
  linked jump of instruction #11 to #13

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* ops: copy call args from gluten | Alice Frosi | 2023-05-15 | 1 | -0/+5
* Adjust op_call with gluten_offset | Alice Frosi | 2023-05-11 | 1 | -24/+44
* Clean-up error message and test | Alice Frosi | 2023-05-11 | 1 | -57/+36
  Refactoring error messages:
  - standardize error messages and functions
  - return on error instead of exit
  - test error when target doesn't exist
  - include ability to capture stderr and stdout in the tests
* ops: check for SECCOMP_DATA | Alice Frosi | 2023-05-10 | 1 | -3/+3
  Add check if offset type is SECCOMP_DATA and the seccomp request is set.
* seitan: add check for limits to op_cmp | Alice Frosi | 2023-05-10 | 1 | -2/+9
  Adding the offset limits checks and unit tests.
* Refactoring of gluten_read/write | Alice Frosi | 2023-05-10 | 1 | -10/+18
  Refactor includes:
  - use static inline instead of macro
  - return -1 if there is an error and don't exit
  - eval return 0 or -1
  - adjust code and tests
* gluten: check limits | Alice Frosi | 2023-05-09 | 1 | -8/+8
  Add bounds checking:
  - if offset is larger than the maximum per offset type
  - if memcpy is reading/writing inside gluten
* seitan: refactor operations | Alice Frosi | 2023-05-08 | 1 | -147/+173
  Refactoring:
  - rename do_operations to eval and reduce the number of arguments
  - create macro HANDLE_OP
  - rename all functions with op_*(operation name)
  - exposed the op_* functions in the operations.h

  Fixes:
  - use pread for op_load
* cooker updates spilling all over the place | Stefano Brivio | 2023-05-02 | 1 | -77/+67
  Only tangentially related:

  - make seitan C99 again, so that I can build cooker without warnings
  - make Makefiles make use of the usual conventions about assigning directory paths in variables, drop numbers.h as requirement for cooker and make it convenient to run stand-alone Makefiles
  - fix up nr_syscalls.sh to be POSIX, otherwise it will give syntax errors on my system
  - define a single, common way to refer to offsets in gluten, and functions to use those offsets in a safe way. Immediates are gone: cooker will write any bit of "data" to the read-only section
  - call const what has to be const
  - define on-disk layout for gluten
  - add OP_NR (to check syscall numbers), rename OP_COPY_ARGS to OP_LOAD (it loads _selected_ stuff from arguments)

  As for cooker itself:

  - drop ARG_ and arg_ prefixes from struct names, and similar
  - add/rework functions to build OP_NR, OP_LOAD, OP_CMP, and to write constant data to gluten
  - add parsing for "compound" arguments, but that's not completely hooked into evaluation for numeric arguments yet

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Add op_cmp type | Alice Frosi | 2023-04-21 | 1 | -5/+15
* operations: fix bug in the reference injection | Alice Frosi | 2023-04-21 | 1 | -2/+2
* operation: remove pid and id | Alice Frosi | 2023-04-21 | 1 | -9/+12
  Pid and id are redundant fields, as the information is already included in the seccomp request.
* Re-arrange repository structure | Alice Frosi | 2023-03-24 | 1 | -0/+361
* Re-organize project and add license header | Alice Frosi | 2023-03-24 | 1 | -356/+0
* seitan: add op_resolvedfd | Alice Frosi | 2023-03-15 | 1 | -0/+27
  The op_resolvedfd verifies that the fd points to a path.

  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: add op_cmp | Alice Frosi | 2023-02-27 | 1 | -0/+6
  The operation op_cmp allows comparing 2 areas of memory and, if they don't match, jumping to an operation.
* seitan: add op_end | Alice Frosi | 2023-02-27 | 1 | -0/+3
  The op_end signals to terminate reading the operations. This is useful for the introduction of branches for the matches.