| Commit message | Author | Age | Files | Lines |
./seitan-cooker demo/mknod.hjson demo/mknod.gluten demo/mknod.bpf
Start seitan with the socket option:
./seitan -s /tmp/seitan.sock -i demo/mknod.gluten
Start the container:
sudo rm -f /dev/lol
sudo chown $USER:$USER /tmp/seitan.sock
podman run -ti --runtime /usr/bin/crun \
--security-opt label=disable \
-v $(pwd)/test:/test \
--annotation run.oci.seccomp_bpf_data="$(base64 -w0 demo/mknod.bpf)" \
--annotation run.oci.seccomp.receiver=/tmp/seitan.sock fedora \
sh -c 'mknod /dev/lol c 1 7 && ls -l /dev/lol'
...and terminate on EPOLLHUP.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
As discussed with Alice -- 'reuse lint' passes now.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
cooker:
- added missing OP_CALL type
- local copy of the offset for the type STRUCT
- fix return offset
- added type LONG in emit_data
seitan:
- check context if NULL
- fix ptr dereference
- added a couple of debug prints
- added error message in seitan for eval
Pseudorandom changes and progress around cooker and seitan:
- cooker:
  - rename matching functions, split match.c
  - fix up SELECT semantics
  - add some form of handling for all syscalls in the example
    (some stubs)
  - OP_CMP for all basic and compound types except for flags
  - link jumps to next block and next match
  - completed implementation of tags
  - gluten write
  - filter clean-ups, write filters (probably not working)
- seitan:
  - load gluten and source instructions and data from there
$ ./seitan-cooker cooker/example.hjson example.gluten example.bpf
Parsing block 0
Parsing match 0: connect
Found description for connect
0: OP_NR: if syscall number is not 0, jump to next block
Parsing match argument fd
setting tag reference 'fd'
tag 'fd' now refers to seccomp data at 0
Parsing match argument addr
allocating 128 at offset 0
1: OP_LOAD: #0 < args[1] (size: 128)
C#0: (INT) 1
2: OP_CMP: if temporary data: #0 NE (size: 4) read-only data: #0, jump to next block
C#4: (STRING:24) /var/run/pr-helper.sock
3: OP_CMP: if temporary data: #0 NE (size: 24) read-only data: #4, jump to next block
Linking match...
Linking block...
linked jump of instruction #0 to #4
linked jump of instruction #2 to #4
linked jump of instruction #3 to #4
Parsing block 1
Parsing match 0: ioctl
Found description for ioctl
4: OP_NR: if syscall number is not 112, jump to next block
Parsing match argument path
Parsing match argument request
C#28: (INT) 1074025674
5: OP_CMP: if seccomp data: #1 NE (size: 4) read-only data: #28, jump to next block
Parsing match argument ifr
allocating 40 at offset 128
6: OP_LOAD: #128 < args[2] (size: 40)
C#32: (STRING:5) tap0
7: OP_CMP: if temporary data: #128 NE (size: 5) read-only data: #32, jump to next block
C#37: (INT) 1
8: OP_CMP: if temporary data: #128 NE (size: 4) read-only data: #37, jump to next block
Linking match...
Linking block...
linked jump of instruction #4 to #9
linked jump of instruction #5 to #9
linked jump of instruction #7 to #9
linked jump of instruction #8 to #9
Parsing block 2
Parsing match 0: unshare
Found description for unshare
9: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument flags
Linking match...
Linking block...
linked jump of instruction #9 to #10
Parsing block 3
Parsing match 0: unshare
Found description for unshare
10: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument flags
Linking match...
Linking block...
linked jump of instruction #10 to #11
Parsing block 4
Parsing match 0: mknod
Found description for mknod
11: OP_NR: if syscall number is not 164, jump to next block
Parsing match argument path
allocating 1 at offset 168
12: OP_LOAD: #168 < args[0] (size: 1)
setting tag reference 'path'
tag 'path' now refers to temporary data at 168
Parsing match argument mode
Parsing match argument major
Parsing match argument minor
setting tag reference 'minor'
tag 'minor' now refers to seccomp data at 2
Linking match...
Linking block...
linked jump of instruction #11 to #13
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Refactoring:
- rename do_operations to eval and reduce the number of arguments
- create macro HANDLE_OP
- rename all functions with op_*(operation name)
- exposed the op_* functions in the operations.h
Fixes:
- use pread for op_load
This was a leftover of the previous version
The logging mode creates a BPF filter where all the syscalls trigger a
notification to the seccomp notifier.
OCI spec and container runtimes expect to send the seccomp notifier fd
through a unix socket. This mode is complementary to retrieving the file
descriptor using the pid of the target process.
Add option to log the syscalls.
Move find_fd_seccomp_notifier to common.c to be reused
in other places.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Instead of assuming that the fd of the notifier is always 3, find the
correct fd from procfs.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The connect syscall was used to synchronize seitan and the eater for the
seccomp installation filter and notifier initialization. However, we
assume that the fd 0 is always free, and this might not always be the
case.
Try to implement an alternative and more robust solution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Repeatedly listen for seccomp notification events using epoll.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Avoid hardcoded values and set the option from command line:
Example:
./seitan -i action -p 1234
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
...the PROC_EVENT_EXEC we're looking for might be hiding there. Also,
avoid a possible endless loop on NLMSG_NOOP.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>