path: root/seitan.c
Commit message (author, date, files changed, lines removed/added)
* seitan: configure uid and gid for the socket (Alice Frosi, 2023-08-24, 1 file, -4/+22)
  Allow setting a different uid and gid for the socket, otherwise seitan uses its own uid and gid.
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: Zero out the request structure before SECCOMP_IOCTL_NOTIF_RECV (Stefano Brivio, 2023-07-05, 1 file, -0/+1)
  Otherwise we'll get EINVAL (as expected) -- reproducibly, at least, when we handle more than one call.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker: Support for read(), OP_STORE, field-based filters (Stefano Brivio, 2023-06-14, 1 file, -1/+0)
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan,cooker: add wd to change work directory and mknod (Alice Frosi, 2023-06-09, 1 file, -1/+1)
  ./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf
  Start seitan with the socket option:
  ./seitan -s /tmp/seitan.sock -i demo/mknod.gluten
  Start the container:
  sudo rm -f /dev/lol
  sudo chown $USER:$USER /tmp/seitan.sock
  podman run -ti --runtime /usr/bin/crun \
    --security-opt label=disable \
    -v $(pwd)/test:/test \
    --annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
    --annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
    sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
* seitan, main: Più umano più vero (more human more true) (Stefano Brivio, 2023-06-07, 1 file, -20/+25)
  ...and terminate on EPOLLHUP.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* treewide: Change to GPLv2, add LICENSES, missing headers (Stefano Brivio, 2023-06-04, 1 file, -1/+1)
  As discussed with Alice -- 'reuse lint' passes now.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: Minor header cleanup (Stefano Brivio, 2023-06-02, 1 file, -2/+3)
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* cooker, seitan: fix some bugs for op call (Alice Frosi, 2023-06-02, 1 file, -1/+2)
  cooker:
  - added missing OP_CALL type
  - local copy of the offset for the type STRUCT
  - fix return offset
  - added type LONG in emit_data
  seitan:
  - check context if NULL
  - fix ptr dereference
  - added a couple of debug print
  - added error message in seitan for eval
* cooker, seitan: Now with 100% more gluten (Stefano Brivio, 2023-05-16, 1 file, -3/+4)
  Pseudorandom changes and progress around cooker and seitan:
  - cooker:
    - rename matching functions, split match.c
    - fix up SELECT semantics
    - add some form of handling for all syscalls in the example (some stubs)
    - OP_CMP for all basic and compound types except for flags
    - link jumps to next block and next match
    - completed implementation of tags
    - gluten write
    - filter clean-ups, write filters (probably not working)
  - seitan:
    - load gluten and source instructions and data from there

  $ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
  Parsing block 0
  Parsing match 0: connect
  Found description for connect
  0: OP_NR: if syscall number is not 0, jump to next block
  Parsing match argument fd
  setting tag reference 'fd'
  tag 'fd' now refers to seccomp data at 0
  Parsing match argument addr
  allocating 128 at offset 0
  1: OP_LOAD: #0 < args[1] (size: 128)
  C#0: (INT) 1
  2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
  C#4: (STRING:24) /var/run/pr-helper.sock
  3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
  Linking match...
  Linking block...
  linked jump of instruction #0 to #4
  linked jump of instruction #2 to #4
  linked jump of instruction #3 to #4
  Parsing block 1
  Parsing match 0: ioctl
  Found description for ioctl
  4: OP_NR: if syscall number is not 112, jump to next block
  Parsing match argument path
  Parsing match argument request
  C#28: (INT) 1074025674
  5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
  Parsing match argument ifr
  allocating 40 at offset 128
  6: OP_LOAD: #128 < args[2] (size: 40)
  C#32: (STRING:5) tap0
  7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
  C#37: (INT) 1
  8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
  Linking match...
  Linking block...
  linked jump of instruction #4 to #9
  linked jump of instruction #5 to #9
  linked jump of instruction #7 to #9
  linked jump of instruction #8 to #9
  Parsing block 2
  Parsing match 0: unshare
  Found description for unshare
  9: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument flags
  Linking match...
  Linking block...
  linked jump of instruction #9 to #10
  Parsing block 3
  Parsing match 0: unshare
  Found description for unshare
  10: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument flags
  Linking match...
  Linking block...
  linked jump of instruction #10 to #11
  Parsing block 4
  Parsing match 0: mknod
  Found description for mknod
  11: OP_NR: if syscall number is not 164, jump to next block
  Parsing match argument path
  allocating 1 at offset 168
  12: OP_LOAD: #168 < args[0] (size: 1)
  setting tag reference 'path'
  tag 'path' now refers to temporary data at 168
  Parsing match argument mode
  Parsing match argument major
  Parsing match argument minor
  setting tag reference 'minor'
  tag 'minor' now refers to seccomp data at 2
  Linking match...
  Linking block...
  linked jump of instruction #11 to #13

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: refactor operations (Alice Frosi, 2023-05-08, 1 file, -13/+2)
  Refactoring:
  - rename do_operations to eval and reduce the number of arguments
  - create macro HANDLE_OP
  - rename all functions with op_*(operation name)
  - exposed the op_* functions in the operations.h
  Fixes:
  - use pread for op_load
* seitan: use functions from util.h (Alice Frosi, 2023-04-25, 1 file, -6/+7)
* seitan: remove unused options (Alice Frosi, 2023-04-25, 1 file, -108/+3)
* Replace argp with getopt (Alice Frosi, 2023-04-20, 1 file, -52/+53)
* seitan: use die function to terminate on error (Alice Frosi, 2023-03-28, 1 file, -18/+10)
* seitan: remove unused variables and functions (Alice Frosi, 2023-03-24, 1 file, -64/+1)
  This was a leftover of the previous version.
* Replace errExit with die (Alice Frosi, 2023-03-24, 1 file, -16/+12)
* Re-arrange repository structure (Alice Frosi, 2023-03-24, 1 file, -0/+435)
* Re-organize project and add license header (Alice Frosi, 2023-03-24, 1 file, -435/+0)
* filter: add logging mode (Alice Frosi, 2023-03-23, 1 file, -29/+40)
  The logging mode creates a BPF filter where all the syscalls trigger a notification to the seccomp notifier.
* seitan: receiving seccomp notifier with socket (Alice Frosi, 2023-03-23, 1 file, -22/+126)
  OCI spec and container runtimes expect to send the seccomp notifier fd through a unix socket. This mode is complementary to retrieving the file descriptor using the pid of the target process.
  Add option to log the syscalls.
* fix formatting (Alice Frosi, 2023-02-22, 1 file, -27/+33)
* seitan: separate function in common (Alice Frosi, 2023-02-15, 1 file, -50/+5)
  Move find_fd_seccomp_notifier to common.c to be reused in other places.
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: find fd of seccomp notifier from proc (Alice Frosi, 2023-01-19, 1 file, -1/+55)
  Instead of assuming that the fd of the notifier is always 3, find the correct fd from procfs.
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* Use signals instead of connect for synchronization (Alice Frosi, 2023-01-17, 1 file, -0/+16)
  The connect syscall was used to synchronize seitan and the eater for the seccomp installation filter and notifier initialization. However, we assume that the fd 0 is always free, and this might not always be the case. Try to implement an alternative and more robust solution.
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: replace ioctl with epoll (Alice Frosi, 2023-01-17, 1 file, -14/+41)
  Repeatedly listen for seccomp notification events using epoll.
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: add flags for pid and input file (Alice Frosi, 2023-01-17, 1 file, -3/+51)
  Avoid hardcoded values and set the option from command line:
  Example:
  ./seitan -i action -p 1234
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* Rename loader to eater (Alice Frosi, 2023-01-16, 1 file, -2/+2)
  Signed-off-by: Alice Frosi <afrosi@redhat.com>
* seitan: Read the rest of the netlink message on event mismatch (Stefano Brivio, 2022-11-03, 1 file, -4/+3)
  ...the PROC_EVENT_EXEC we're looking for might be hiding there. Also, avoid a possible endless loop on NLMSG_NOOP.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* seitan: Initial import (Stefano Brivio, 2022-10-25, 1 file, -0/+215)
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>