aboutgitcodelistschat:MatrixIRC
path: root/operations.h
Commit message (Collapse)AuthorAgeFilesLines
* Add fsetxattr(), fremovexattr(), open_by_handle_at(), and "virtiofsd demo"Stefano Brivio2024-05-151-0/+2
| | | | | | | | Mostly assorted fixes, a new FDGET operation (get a copy of the target file descriptor via pidfd_getfd()) and a new "FD" flag that means we have to do that on direct tag reference. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: Add support for GID/UID in contextStefano Brivio2023-06-281-0/+2
| | | | | | | | | | Similarly to namespace specifications, the special value "caller", as well as login/group names and numeric UID/GIDs are supported. Example of usage in demo/mknod.hjson. Light on checks and with some TODOs left behind at the moment. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan,cooker: add wd to change work directory and mknodAlice Frosi2023-06-091-0/+1
| | | | | | | | | | | | | | | | | ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf Start seitan with the socket option: ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten Start the container: sudo rm -f /dev/lol sudo chown $USER:$USER /tmp/seitan.sock podman run -ti --runtime /usr/bin/crun \ --security-opt label=disable \ -v $(pwd)/test:/test \ --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \ --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \ sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
* mknod/mknodat values, initial support for MASK flag, OP_BITWISEStefano Brivio2023-06-071-0/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan, cooker: refactor op_returnAlice Frosi2023-06-071-4/+0
| | | | | | | Refactor OP_RETURN: - merged OP_BLOCK and OP_CONT into OP_RETURN - add desc field for op_return - updated the demo files
* seitan,cooker: op_resolvefdAlice Frosi2023-06-071-1/+1
| | | | | | | | | ops: - update resolvefd with the description - add debug prints cooker: - add emit_resolvefd when match has type FDPATH
* seitan: operationsAlice Frosi2023-06-051-2/+3
| | | | | | | | Added: - fix offset for jumping to the next block (use absolute jump and not relative. - fix op_cmp, jump if the comparison is true. - added a couple of debug print
* treewide: Change to GPLv2, add LICENSES, missing headersStefano Brivio2023-06-041-1/+1
| | | | | | As discussed with Alice -- 'reuse lint' passes now. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* gluten: What's const is constStefano Brivio2023-06-021-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: whoopsStefano Brivio2023-06-021-4/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: OP_CALL arguments and contextStefano Brivio2023-06-021-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: fix compilation and adjust changesAlice Frosi2023-05-191-0/+1
|
* ops: fix op_call and testsAlice Frosi2023-05-191-2/+1
|
* cooker, seitan: simple working exampleAlice Frosi2023-05-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | parser: - add OP_BLOCK and OP_RETURN to the parser seitan: - fix op_cmp in seitan, it was jmp when comparison was true Working example: demo.json: [ { "match": [ /* qemu-pr-helper and similar */ { "connect": { "addr": { "family": "unix", "path": "/tmp/test.sock" } } } ], "return": 0 } ] Create gluten and the bpf filter: $ seitan-cooker demo.hjson demo.gluten demo.bpf Launch the seitan eater with the target program: $ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect Start seitan with gluten: $ seitan -i demo.gluten -p $(pgrep seitan-eater) Seitan mocks the connect syscall and `connect` returns successfully: $ seitan-eater -i demo.bpf -- strace -e connect tests-utils/test-syscalls connect Test syscall: connect connect(4, {sa_family=AF_UNIX, sun_path="/tmp/test.sock"}, 108) = 0
* ops: add op_nr and op_copyAlice Frosi2023-05-171-0/+2
| | | | | | | Add: - missing implementation for op_nr - op_copy to copy data - tests for op_nr and op_data
* cooker, seitan: Now with 100% more glutenStefano Brivio2023-05-161-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pseudorandom changes and progress around cooker and seitan: - cooker: - rename matching functions, split match.c - fix up SELECT semantics - add some form of handling for all syscalls in the example (some stubs) - OP_CMP for all basic and compound types except for flags - link jumps to next block and next match - completed implementation of tags - gluten write - filter clean-ups, write filters (probably not working) - seitan: - load gluten and source instructions and data from there $ ./seitan-cooker cooker/example.hjson example.gluten example.bpf Parsing block 0 Parsing match 0: connect Found description for connect 0: OP_NR: if syscall number is not 0, jump to next block Parsing match argument fd setting tag reference 'fd' tag 'fd' now refers to seccomp data at 0 Parsing match argument addr allocating 128 at offset 0 1: OP_LOAD: #0 < args[1] (size: 128) C#0: (INT) 1 2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block C#4: (STRING:24) /var/run/pr-helper.sock 3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block Linking match... Linking block... linked jump of instruction #0 to #4 linked jump of instruction #2 to #4 linked jump of instruction #3 to #4 Parsing block 1 Parsing match 0: ioctl Found description for ioctl 4: OP_NR: if syscall number is not 112, jump to next block Parsing match argument path Parsing match argument request C#28: (INT) 1074025674 5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block Parsing match argument ifr allocating 40 at offset 128 6: OP_LOAD: #128 < args[2] (size: 40) C#32: (STRING:5) tap0 7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block C#37: (INT) 1 8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block Linking match... Linking block... linked jump of instruction #4 to #9 linked jump of instruction #5 to #9 linked jump of instruction #7 to #9 linked jump of instruction #8 to #9 Parsing block 2 Parsing match 0: unshare Found description for unshare 9: OP_NR: if syscall number is not 164, jump to next block Parsing match argument flags Linking match... Linking block... linked jump of instruction #9 to #10 Parsing block 3 Parsing match 0: unshare Found description for unshare 10: OP_NR: if syscall number is not 164, jump to next block Parsing match argument flags Linking match... Linking block... linked jump of instruction #10 to #11 Parsing block 4 Parsing match 0: mknod Found description for mknod 11: OP_NR: if syscall number is not 164, jump to next block Parsing match argument path allocating 1 at offset 168 12: OP_LOAD: #168 < args[0] (size: 1) setting tag reference 'path' tag 'path' now refers to temporary data at 168 Parsing match argument mode Parsing match argument major Parsing match argument minor setting tag reference 'minor' tag 'minor' now refers to seccomp data at 2 Linking match... Linking block... linked jump of instruction #11 to #13 Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* Adjust op_call with gluten_offsetAlice Frosi2023-05-111-2/+7
|
* Refactoring of gluten_read/writeAlice Frosi2023-05-101-2/+2
| | | | | | | | Refactor includes: - use static inline instead of macro - return -1 if there is an error and don't exit - eval return 0 or -1 - adjust code and tests
* seitan: refactor operationsAlice Frosi2023-05-081-3/+35
| | | | | | | | | | | Refactoring: - rename do_operations to eval and reduce the number of arguments - create macro HANDLE_OP - rename all functions with op_*(operation name) - exposed the op_* functions in the operations.h Fixes: - use pread for op_load
* cooker updates spilling all over the placeStefano Brivio2023-05-021-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Only tangentially related: - make seitan C99 again, so that I can build cooker without warnings - make Makefiles make use of the usual conventions about assigning directory paths in variables, drop numbers.h as requirement for cooker and make it convenient to run stand-alone Makefiles - fix up nr_syscalls.sh to be POSIX, otherwise it will give syntax errors on my system - define a single, common way to refer to offsets in gluten, and functions to use those offsets in a safe way. Immediates are gone: cooker will write any bit of "data" to the read-only section - call const what has to be const - define on-disk layout for gluten - add OP_NR (to check syscall numbers), rename OP_COPY_ARGS to OP_LOAD (it loads _selected_ stuff from arguments) As for cooker itself: - drop ARG_ and arg_ prefixes from struct names, and similar - add/rework functions to build OP_NR, OP_LOAD, OP_CMP, and to write constant data to gluten - add parsing for "compound" arguments, but that's not completely hooked into evaluation for numeric arguments yet Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* operation: remove pid and idAlice Frosi2023-04-211-2/+1
| | | | | Pid and id are reduandant fields as the information are already included in the seccomp request
* Re-arrange repository structureAlice Frosi2023-03-241-0/+26
|
* Re-organize project and add license headerAlice Frosi2023-03-241-21/+0
|
* operations: add op_copyAlice Frosi2023-02-231-2/+4
|
* Rename actions to operationsAlice Frosi2023-02-221-0/+19
Replace all the action related names to operations to make them more generic.