1 files changed, 116 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
new file mode 100644
index 000000000..7dc983b12
--- /dev/null
+++ b/src/fseccomp/seccomp_print.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static struct sock_filter *filter = NULL;
+static int filter_cnt = 0;
+static void load_seccomp(const char *fname) {
+        assert(fname);
+        // check file
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                fprintf(stderr, "Error fseccomp: cannot read protocol filter file\n");
+                exit(1);
+        }
+        int size = s.st_size;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+        filter_cnt = entries;
+//printf("size %d, entries %d\n", s.st_size, entries);
+        filter = malloc(sizeof(struct sock_filter) * entries);
+        if (!filter)
+                errExit("malloc");
+                
+        // read filter
+        memset(filter, 0, sizeof(struct sock_filter) * entries);
+        int src = open(fname, O_RDONLY);
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(src, (unsigned char *) filter + rd, size - rd);
+                if (rv == -1) {
+                        fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname);
+                        exit(1);
+                }
+                rd += rv;
+        }
+        close(src);
+}
+// debug filter
+void filter_print(const char *fname) {
+        assert(fname);
+        load_seccomp(fname);
+        
+        // start filter
+        struct sock_filter start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+        // print sizes
+        printf("SECCOMP Filter:\n");
+        // test the start of the filter
+        if (memcmp(&start[0], filter, sizeof(start)) == 0) {
+                printf("  VALIDATE_ARCHITECTURE\n");
+                printf("  EXAMINE_SYSCAL\n");
+        }
+        else {
+                printf("Invalid seccomp filter %s\n", fname);
+                return;
+        }
+        
+        // loop trough blacklists
+        int i = 4;
+        while (i < filter_cnt) {
+                // minimal parsing!
+                unsigned char *ptr = (unsigned char *) &filter[i];
+                int *nr = (int *) (ptr + 4);
+                if (*ptr        == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
+                        printf("  WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
+                        printf("  BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
+                        int err = *(ptr + 13) << 8 | *(ptr + 12);
+                        printf("  ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
+                        i += 2;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
+                        printf("  KILL_PROCESS\n");
+                        i++;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
+                        printf("  RETURN_ALLOW\n");
+                        i++;
+                }
+                else {
+                        printf("  UNKNOWN ENTRY!!!\n");
+                        i++;
+                }
+        }
+}

diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c new file mode 100644 index 000000000..7dc983b12 --- /dev/null +++ b/src/fseccomp/seccomp_print.c
@@ -0,0 +1,116 @@
	1	/*
	2	* Copyright (C) 2014-2016 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "fseccomp.h"
	21	#include "../include/seccomp.h"
	22	#include <sys/syscall.h>
	23
	24	static struct sock_filter *filter = NULL;
	25	static int filter_cnt = 0;
	26
	27	static void load_seccomp(const char *fname) {
	28	assert(fname);
	29
	30	// check file
	31	struct stat s;
	32	if (stat(fname, &s) == -1) {
	33	fprintf(stderr, "Error fseccomp: cannot read protocol filter file\n");
	34	exit(1);
	35	}
	36	int size = s.st_size;
	37	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
	38	filter_cnt = entries;
	39	//printf("size %d, entries %d\n", s.st_size, entries);
	40
	41	filter = malloc(sizeof(struct sock_filter) * entries);
	42	if (!filter)
	43	errExit("malloc");
	44
	45	// read filter
	46	memset(filter, 0, sizeof(struct sock_filter) * entries);
	47	int src = open(fname, O_RDONLY);
	48	int rd = 0;
	49	while (rd < size) {
	50	int rv = read(src, (unsigned char *) filter + rd, size - rd);
	51	if (rv == -1) {
	52	fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname);
	53	exit(1);
	54	}
	55	rd += rv;
	56	}
	57	close(src);
	58	}
	59
	60	// debug filter
	61	void filter_print(const char *fname) {
	62	assert(fname);
	63	load_seccomp(fname);
	64
	65	// start filter
	66	struct sock_filter start[] = {
	67	VALIDATE_ARCHITECTURE,
	68	EXAMINE_SYSCALL
	69	};
	70
	71	// print sizes
	72	printf("SECCOMP Filter:\n");
	73
	74	// test the start of the filter
	75	if (memcmp(&start[0], filter, sizeof(start)) == 0) {
	76	printf(" VALIDATE_ARCHITECTURE\n");
	77	printf(" EXAMINE_SYSCAL\n");
	78	}
	79	else {
	80	printf("Invalid seccomp filter %s\n", fname);
	81	return;
	82	}
	83
	84	// loop trough blacklists
	85	int i = 4;
	86	while (i < filter_cnt) {
	87	// minimal parsing!
	88	unsigned char ptr = (unsigned char ) &filter[i];
	89	int nr = (int ) (ptr + 4);
	90	if (ptr == 0x15 && (ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
	91	printf(" WHITELIST %d %s\n", nr, syscall_find_nr(nr));
	92	i += 2;
	93	}
	94	else if (ptr == 0x15 && (ptr +14) == 0 && *(ptr + 15) == 0) {
	95	printf(" BLACKLIST %d %s\n", nr, syscall_find_nr(nr));
	96	i += 2;
	97	}
	98	else if (ptr == 0x15 && (ptr +14) == 0x5 && *(ptr + 15) == 0) {
	99	int err = (ptr + 13) << 8 \| (ptr + 12);
	100	printf(" ERRNO %d %s %d %s\n", nr, syscall_find_nr(nr), err, errno_find_nr(err));
	101	i += 2;
	102	}
	103	else if (ptr == 0x06 && (ptr +6) == 0 && *(ptr + 7) == 0 ) {
	104	printf(" KILL_PROCESS\n");
	105	i++;
	106	}
	107	else if (ptr == 0x06 && (ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
	108	printf(" RETURN_ALLOW\n");
	109	i++;
	110	}
	111	else {
	112	printf(" UNKNOWN ENTRY!!!\n");
	113	i++;
	114	}
	115	}
	116	}