From f9c60d5a3aaecc11b1dbb933bca45c461b03ca83 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Dec 2017 12:28:08 -0500 Subject: replacing seccomp printing with a seccomp disassembler --- src/fseccomp/main.c | 3 - src/fseccomp/seccomp_print.c | 183 ------------------------------------------- 2 files changed, 186 deletions(-) delete mode 100644 src/fseccomp/seccomp_print.c (limited to 'src/fseccomp') diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index ae0ae64ef..030eaf90b 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -37,7 +37,6 @@ static void usage(void) { printf("\tfseccomp default drop file1 file2 list allow-debuggers\n"); printf("\tfseccomp keep file1 file2 list\n"); printf("\tfseccomp memory-deny-write-execute file\n"); - printf("\tfseccomp print file\n"); } int main(int argc, char **argv) { @@ -93,8 +92,6 @@ printf("\n"); seccomp_keep(argv[2], argv[3], argv[4]); else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0) memory_deny_write_execute(argv[2]); - else if (argc == 3 && strcmp(argv[1], "print") == 0) - filter_print(argv[2]); else { fprintf(stderr, "Error fseccomp: invalid arguments\n"); return 1; diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c deleted file mode 100644 index ffc65e7c3..000000000 --- a/src/fseccomp/seccomp_print.c +++ /dev/null @@ -1,183 +0,0 @@ -/* - * Copyright (C) 2014-2017 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "fseccomp.h" -#include "../include/seccomp.h" -#include - -static struct sock_filter *filter = NULL; -static int filter_cnt = 0; - -static void load_seccomp(const char *fname) { - assert(fname); - - // open filter file - int fd = open(fname, O_RDONLY); - if (fd == -1) - goto errexit; - - // calculate the number of entries - int size = lseek(fd, 0, SEEK_END); - if (size == -1) - goto errexit; - if (lseek(fd, 0 , SEEK_SET) == -1) - goto errexit; - unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); - filter_cnt = entries; - - // read filter - filter = malloc(size); - if (filter == NULL) - goto errexit; - memset(filter, 0, size); - int rd = 0; - while (rd < size) { - int rv = read(fd, (unsigned char *) filter + rd, size - rd); - if (rv == -1) - goto errexit; - rd += rv; - } - - // close file - close(fd); - return; - -errexit: - fprintf(stderr, "Error fseccomp: cannot read %s\n", fname); - exit(1); -} - -static int detect_filter_type(void) { - // the filter ishould already be load in filter variable - assert(filter); - - printf("SECCOMP Filter\n"); - - // testing for main seccomp filter, protocol, mdwe - platform architecture - const struct sock_filter start_main[] = { - VALIDATE_ARCHITECTURE, -#if defined(__x86_64__) - EXAMINE_SYSCALL, - HANDLE_X32 -#else - EXAMINE_SYSCALL -#endif - }; - - if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) { - printf(" VALIDATE_ARCHITECTURE\n"); - printf(" EXAMINE_SYSCALL\n"); -#if defined(__x86_64__) - printf(" HANDLE_X32\n"); -#endif - return sizeof(start_main) / sizeof(struct sock_filter); - } - - - // testing for secondary 64 bit filter - const struct sock_filter start_secondary_64[] = { - VALIDATE_ARCHITECTURE_64, - EXAMINE_SYSCALL, - }; - - if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) { - printf(" VALIDATE_ARCHITECTURE_64\n"); - printf(" EXAMINE_SYSCALL\n"); - return sizeof(start_secondary_64) / sizeof(struct sock_filter); - } - - // testing for secondary 32 bit filter - const struct sock_filter start_secondary_32[] = { - VALIDATE_ARCHITECTURE_32, - EXAMINE_SYSCALL, - }; - - if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) { - printf(" VALIDATE_ARCHITECTURE_32\n"); - printf(" EXAMINE_SYSCALL\n"); - return sizeof(start_secondary_32) / sizeof(struct sock_filter); - } - - const struct sock_filter start_secondary_block[] = { - VALIDATE_ARCHITECTURE_KILL, -#if defined(__x86_64__) - EXAMINE_SYSCALL, - HANDLE_X32_KILL, -#else - EXAMINE_SYSCALL -#endif - }; - - if (memcmp(&start_secondary_block[0], filter, sizeof(start_secondary_block)) == 0) { - printf(" VALIDATE_ARCHITECTURE_KILL\n"); - printf(" EXAMINE_SYSCALL\n"); -#if defined(__x86_64__) - printf(" HANDLE_X32_KILL\n"); -#endif - return sizeof(start_secondary_block) / sizeof(struct sock_filter); - } - - return 0; // filter unrecognized -} - -// debug filter -void filter_print(const char *fname) { - assert(fname); - load_seccomp(fname); - - int i = detect_filter_type(); - if (i == 0) { - printf("Invalid seccomp filter %s\n", fname); - return; - } - - // loop trough the rest of commands - while (i < filter_cnt) { - // minimal parsing! - struct sock_filter *s = (struct sock_filter *) &filter[i]; - if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) { - printf(" WHITELIST %d %s\n", s->k, syscall_find_nr(s->k)); - i += 2; - } - else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) { - printf(" BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k)); - i += 2; - } - else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) { - printf(" BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA)); - i += 2; - } - else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) { - printf(" RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA)); - i++; - } - else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) { - printf(" KILL_PROCESS\n"); - i++; - } - else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) { - printf(" RETURN_ALLOW\n"); - i++; - } - else { - printf(" UNKNOWN ENTRY %x!\n", s->code); - i++; - } - } -} -- cgit v1.2.3-54-g00ecf