1 files changed, 122 insertions, 0 deletions
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
new file mode 100644
index 000000000..e22c682dc
--- /dev/null
+++ b/src/fseccomp/seccomp_print.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fseccomp.h"
+#include "../include/seccomp.h"
+#include <sys/syscall.h>
+static struct sock_filter *filter = NULL;
+static int filter_cnt = 0;
+static void load_seccomp(const char *fname) {
+        assert(fname);
+        
+        // open filter file
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                goto errexit;
+        // calculate the number of entries
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1)
+                goto errexit;
+        if (lseek(fd, 0 , SEEK_SET) == -1)
+                goto errexit;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+        filter_cnt = entries;
+        
+        // read filter
+        filter = malloc(size);
+        if (filter == NULL)
+                goto errexit;
+        memset(filter, 0, size);
+        int rd = 0;
+        while (rd < size) {
+                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
+                if (rv == -1)
+                        goto errexit;
+                rd += rv;
+        }
+        
+        // close file
+        close(fd);
+        return;
+errexit:
+        fprintf(stderr, "Error fseccomp: cannot read %s\n", fname);
+        exit(1);
+}
+// debug filter
+void filter_print(const char *fname) {
+        assert(fname);
+        load_seccomp(fname);
+        
+        // start filter
+        struct sock_filter start[] = {
+                VALIDATE_ARCHITECTURE,
+                EXAMINE_SYSCALL
+        };
+        // print sizes
+        printf("SECCOMP Filter:\n");
+        // test the start of the filter
+        if (memcmp(&start[0], filter, sizeof(start)) == 0) {
+                printf("  VALIDATE_ARCHITECTURE\n");
+                printf("  EXAMINE_SYSCAL\n");
+        }
+        else {
+                printf("Invalid seccomp filter %s\n", fname);
+                return;
+        }
+        
+        // loop trough blacklists
+        int i = 4;
+        while (i < filter_cnt) {
+                // minimal parsing!
+                unsigned char *ptr = (unsigned char *) &filter[i];
+                int *nr = (int *) (ptr + 4);
+                if (*ptr        == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
+                        printf("  WHITELIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) {
+                        printf("  BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr));
+                        i += 2;
+                }
+                else if (*ptr   == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) {
+                        int err = *(ptr + 13) << 8 | *(ptr + 12);
+                        printf("  ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err));
+                        i += 2;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) {
+                        printf("  KILL_PROCESS\n");
+                        i++;
+                }
+                else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
+                        printf("  RETURN_ALLOW\n");
+                        i++;
+                }
+                else {
+                        printf("  UNKNOWN ENTRY!!!\n");
+                        i++;
+                }
+        }
+}

diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c new file mode 100644 index 000000000..e22c682dc --- /dev/null +++ b/src/fseccomp/seccomp_print.c
@@ -0,0 +1,122 @@
	1	/*
	2	* Copyright (C) 2014-2016 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "fseccomp.h"
	21	#include "../include/seccomp.h"
	22	#include <sys/syscall.h>
	23
	24	static struct sock_filter *filter = NULL;
	25	static int filter_cnt = 0;
	26
	27	static void load_seccomp(const char *fname) {
	28	assert(fname);
	29
	30	// open filter file
	31	int fd = open(fname, O_RDONLY);
	32	if (fd == -1)
	33	goto errexit;
	34
	35	// calculate the number of entries
	36	int size = lseek(fd, 0, SEEK_END);
	37	if (size == -1)
	38	goto errexit;
	39	if (lseek(fd, 0 , SEEK_SET) == -1)
	40	goto errexit;
	41	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
	42	filter_cnt = entries;
	43
	44	// read filter
	45	filter = malloc(size);
	46	if (filter == NULL)
	47	goto errexit;
	48	memset(filter, 0, size);
	49	int rd = 0;
	50	while (rd < size) {
	51	int rv = read(fd, (unsigned char *) filter + rd, size - rd);
	52	if (rv == -1)
	53	goto errexit;
	54	rd += rv;
	55	}
	56
	57	// close file
	58	close(fd);
	59	return;
	60
	61	errexit:
	62	fprintf(stderr, "Error fseccomp: cannot read %s\n", fname);
	63	exit(1);
	64	}
	65
	66	// debug filter
	67	void filter_print(const char *fname) {
	68	assert(fname);
	69	load_seccomp(fname);
	70
	71	// start filter
	72	struct sock_filter start[] = {
	73	VALIDATE_ARCHITECTURE,
	74	EXAMINE_SYSCALL
	75	};
	76
	77	// print sizes
	78	printf("SECCOMP Filter:\n");
	79
	80	// test the start of the filter
	81	if (memcmp(&start[0], filter, sizeof(start)) == 0) {
	82	printf(" VALIDATE_ARCHITECTURE\n");
	83	printf(" EXAMINE_SYSCAL\n");
	84	}
	85	else {
	86	printf("Invalid seccomp filter %s\n", fname);
	87	return;
	88	}
	89
	90	// loop trough blacklists
	91	int i = 4;
	92	while (i < filter_cnt) {
	93	// minimal parsing!
	94	unsigned char ptr = (unsigned char ) &filter[i];
	95	int nr = (int ) (ptr + 4);
	96	if (ptr == 0x15 && (ptr +14) == 0xff && *(ptr + 15) == 0x7f ) {
	97	printf(" WHITELIST %d %s\n", nr, syscall_find_nr(nr));
	98	i += 2;
	99	}
	100	else if (ptr == 0x15 && (ptr +14) == 0 && *(ptr + 15) == 0) {
	101	printf(" BLACKLIST %d %s\n", nr, syscall_find_nr(nr));
	102	i += 2;
	103	}
	104	else if (ptr == 0x15 && (ptr +14) == 0x5 && *(ptr + 15) == 0) {
	105	int err = (ptr + 13) << 8 \| (ptr + 12);
	106	printf(" ERRNO %d %s %d %s\n", nr, syscall_find_nr(nr), err, errno_find_nr(err));
	107	i += 2;
	108	}
	109	else if (ptr == 0x06 && (ptr +6) == 0 && *(ptr + 7) == 0 ) {
	110	printf(" KILL_PROCESS\n");
	111	i++;
	112	}
	113	else if (ptr == 0x06 && (ptr +6) == 0xff && *(ptr + 7) == 0x7f ) {
	114	printf(" RETURN_ALLOW\n");
	115	i++;
	116	}
	117	else {
	118	printf(" UNKNOWN ENTRY!!!\n");
	119	i++;
	120	}
	121	}
	122	}