add tool to dump seccomp filters

author: smitsohu <smitsohu@gmail.com> 2020-02-17 00:56:27 +0000
committer: GitHub <noreply@github.com> 2020-02-17 00:56:27 +0000
commit: 960b4daba6684f8087bcdaf881ae8a9d97ba46a5 (patch)
tree: 93b29c45cea9b19911b66a66045275fa20105b1f /src/tools
parent: apparmor: minor enhancements (diff)
download: firejail-960b4daba6684f8087bcdaf881ae8a9d97ba46a5.tar.gz
firejail-960b4daba6684f8087bcdaf881ae8a9d97ba46a5.tar.zst
firejail-960b4daba6684f8087bcdaf881ae8a9d97ba46a5.zip
1 files changed, 115 insertions, 0 deletions
diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c
new file mode 100644
index 000000000..133e65e8c
--- /dev/null
+++ b/src/tools/extract_seccomp.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2014-2020 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <linux/filter.h>
+#define MAXBUF 1024
+#define errExit(msg)  { char msgout[256]; \
+                        snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \
+                        perror(msgout); \
+                        exit(1); }
+// dump all seccomp filters of a process
+// for further analysis with fsec-print
+// requires kernel 4.4 or higher
+void dump_filter(const char *dname, unsigned cnt, const struct sock_filter *f, size_t nmemb) {
+        char fname[MAXBUF];
+        snprintf(fname, MAXBUF, "%s/%u", dname, cnt);
+        printf("Writing file %s\n", fname);
+        FILE *fp = fopen(fname, "w");
+        if (!fp) {
+                printf("Error: Cannot open %s for writing: %s\n", fname, strerror(errno));
+                exit(1);
+        }
+        if (fwrite(f, sizeof(struct sock_filter), nmemb, fp) != nmemb) {
+                printf("Error: Cannot write %s\n", fname);
+                exit(1);
+        }
+        fclose(fp);
+}
+int main(int argc, char **argv) {
+        if (argc != 2)
+                goto usage;
+        pid_t pid = (pid_t) strtol(argv[1], NULL, 10);
+        if (pid <= 0)
+                goto usage;
+        printf("** Attaching to process with pid %d **\n", pid);
+        long rv = ptrace(PTRACE_ATTACH, pid, 0, 0);
+        if (rv != 0) {
+                printf("Error: Cannot attach: %s\n", strerror(errno));
+                exit(1);
+        }
+        waitpid(pid, NULL, 0);
+        printf("Attached\n");
+        char dname[MAXBUF];
+        snprintf(dname, MAXBUF, "/tmp/seccomp-%d", pid);
+        printf("** Creating directory %s **\n", dname);
+        if (mkdir(dname, 0755) < 0) {
+                printf("Error: Cannot create directory: %s\n", strerror(errno));
+                exit(1);
+        }
+        printf("Created\n");
+        printf("** Extracting seccomp filters **\n");
+        unsigned cnt = 0;
+        while ((rv = ptrace(PTRACE_SECCOMP_GET_FILTER, pid, cnt, NULL)) > 0) {
+                struct sock_filter *f = malloc(rv * sizeof(struct sock_filter));
+                if (!f)
+                        errExit("malloc");
+                if (ptrace(PTRACE_SECCOMP_GET_FILTER, pid, cnt, f) < 0)
+                        errExit("ptrace");
+                dump_filter(dname, cnt, f, rv);
+                free(f);
+                cnt++;
+        }
+        if (cnt)
+                printf("Dumped %u filters\n", cnt);
+        else {
+                printf("No seccomp filter was found\n");
+                printf("** Cleanup **\n");
+                if (remove(dname) == 0)
+                        printf("Removed %s\n", dname);
+                else
+                        printf("Could not remove %s: %s\n", dname, strerror(errno));
+        }
+        printf("Bye ...\n");
+        return 0;
+usage:
+        printf("Usage: %s <PID>\n", argv[0]);
+        return 1;
+}
author	smitsohu <smitsohu@gmail.com>	2020-02-17 00:56:27 +0000
committer	GitHub <noreply@github.com>	2020-02-17 00:56:27 +0000
commit	960b4daba6684f8087bcdaf881ae8a9d97ba46a5 (patch)
tree	93b29c45cea9b19911b66a66045275fa20105b1f /src/tools
parent	apparmor: minor enhancements (diff)
download	firejail-960b4daba6684f8087bcdaf881ae8a9d97ba46a5.tar.gz firejail-960b4daba6684f8087bcdaf881ae8a9d97ba46a5.tar.zst firejail-960b4daba6684f8087bcdaf881ae8a9d97ba46a5.zip

diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c new file mode 100644 index 000000000..133e65e8c --- /dev/null +++ b/src/tools/extract_seccomp.c
@@ -0,0 +1,115 @@
	1	/*
	2	* Copyright (C) 2014-2020 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20
	21	#define _GNU_SOURCE
	22	#include <stdio.h>
	23	#include <stdlib.h>
	24	#include <unistd.h>
	25	#include <string.h>
	26	#include <errno.h>
	27	#include <sys/stat.h>
	28	#include <sys/types.h>
	29	#include <sys/ptrace.h>
	30	#include <sys/wait.h>
	31	#include <linux/filter.h>
	32
	33	#define MAXBUF 1024
	34	#define errExit(msg) { char msgout[256]; \
	35	snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \
	36	perror(msgout); \
	37	exit(1); }
	38
	39	// dump all seccomp filters of a process
	40	// for further analysis with fsec-print
	41	// requires kernel 4.4 or higher
	42
	43	void dump_filter(const char dname, unsigned cnt, const struct sock_filter f, size_t nmemb) {
	44	char fname[MAXBUF];
	45	snprintf(fname, MAXBUF, "%s/%u", dname, cnt);
	46	printf("Writing file %s\n", fname);
	47	FILE *fp = fopen(fname, "w");
	48	if (!fp) {
	49	printf("Error: Cannot open %s for writing: %s\n", fname, strerror(errno));
	50	exit(1);
	51	}
	52	if (fwrite(f, sizeof(struct sock_filter), nmemb, fp) != nmemb) {
	53	printf("Error: Cannot write %s\n", fname);
	54	exit(1);
	55	}
	56	fclose(fp);
	57	}
	58
	59	int main(int argc, char **argv) {
	60	if (argc != 2)
	61	goto usage;
	62	pid_t pid = (pid_t) strtol(argv[1], NULL, 10);
	63	if (pid <= 0)
	64	goto usage;
	65
	66	printf(" Attaching to process with pid %d \n", pid);
	67	long rv = ptrace(PTRACE_ATTACH, pid, 0, 0);
	68	if (rv != 0) {
	69	printf("Error: Cannot attach: %s\n", strerror(errno));
	70	exit(1);
	71	}
	72	waitpid(pid, NULL, 0);
	73	printf("Attached\n");
	74
	75	char dname[MAXBUF];
	76	snprintf(dname, MAXBUF, "/tmp/seccomp-%d", pid);
	77	printf(" Creating directory %s \n", dname);
	78	if (mkdir(dname, 0755) < 0) {
	79	printf("Error: Cannot create directory: %s\n", strerror(errno));
	80	exit(1);
	81	}
	82	printf("Created\n");
	83
	84	printf(" Extracting seccomp filters \n");
	85	unsigned cnt = 0;
	86	while ((rv = ptrace(PTRACE_SECCOMP_GET_FILTER, pid, cnt, NULL)) > 0) {
	87	struct sock_filter f = malloc(rv sizeof(struct sock_filter));
	88	if (!f)
	89	errExit("malloc");
	90	if (ptrace(PTRACE_SECCOMP_GET_FILTER, pid, cnt, f) < 0)
	91	errExit("ptrace");
	92
	93	dump_filter(dname, cnt, f, rv);
	94	free(f);
	95	cnt++;
	96	}
	97
	98	if (cnt)
	99	printf("Dumped %u filters\n", cnt);
	100	else {
	101	printf("No seccomp filter was found\n");
	102	printf(" Cleanup \n");
	103	if (remove(dname) == 0)
	104	printf("Removed %s\n", dname);
	105	else
	106	printf("Could not remove %s: %s\n", dname, strerror(errno));
	107	}
	108
	109	printf("Bye ...\n");
	110	return 0;
	111
	112	usage:
	113	printf("Usage: %s <PID>\n", argv[0]);
	114	return 1;
	115	}