authorLuis Hector Chavez <lhchavez@google.com>2018-10-16 08:23:18 -0700
committerLuis Hector Chavez <lhchavez@google.com>2018-10-18 22:08:17 +0000
commit86a2875daeacf08b998c06a01bd824d02e061836 (patch)
treeb42b459fd7f966d47109b89e745af2c388e693d6 /tools/generate_seccomp_policy.py
parent342328d677499e2d6187ca0f0b97f45998585705 (diff)
tools: Add a small optimization for mmap/mmap2/mremap
This change adds an optimization to the memory-mapping syscalls. It uses two `in` (mask) operators instead of 3-4 exact-value clauses to ensure that memory is never mapped with both PROT_EXEC and PROT_WRITE. Bug: chromium:852235 Test: strace -f -s 512 -o ls.txt -- ls && \ tools/generate_seccomp_policy.py ls.txt Change-Id: I2a714b4e3f09820a8e60f60a6bd3f232ed0cbbaf
Diffstat (limited to 'tools/generate_seccomp_policy.py')
-rwxr-xr-xtools/generate_seccomp_policy.py22
1 files changed, 18 insertions, 4 deletions
diff --git a/tools/generate_seccomp_policy.py b/tools/generate_seccomp_policy.py
index 50b88df..0c20d80 100755
--- a/tools/generate_seccomp_policy.py
+++ b/tools/generate_seccomp_policy.py
@@ -66,12 +66,26 @@ def parse_args(argv):
return parser.parse_args(argv)
-def get_seccomp_bpf_filter(entry):
+def get_seccomp_bpf_filter(syscall, entry):
"""Return a minijail seccomp-bpf filter expression for the syscall."""
arg_index = entry.arg_index
arg_values = entry.value_set
- return ' || ' .join('arg%d == %s' % (arg_index, arg_value)
- for arg_value in arg_values)
+ atoms = []
+ if syscall in ('mmap', 'mmap2', 'mprotect') and arg_index == 2:
+ # See if there is at least one instance of any of these syscalls trying
+ # to map memory with both PROT_EXEC and PROT_WRITE. If there isn't, we
+ # can craft a concise expression to forbid this.
+ write_and_exec = set(('PROT_EXEC', 'PROT_WRITE'))
+ for arg_value in arg_values:
+ if write_and_exec.issubset(set(p.strip() for p in
+ arg_value.split('|'))):
+ break
+ else:
+ atoms.extend(['arg2 in 0xfffffffb', 'arg2 in 0xfffffffd'])
+ arg_values = set()
+ atoms.extend('arg%d == %s' % (arg_index, arg_value)
+ for arg_value in arg_values)
+ return ' || '.join(atoms)
def parse_trace_file(trace_filename, syscalls, arg_inspection):
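Review bot: When the optimized path is taken (the `else:` of the `for` over `arg_values`), the traced values are thrown away (`arg_values = set()`), so the emitted filter admits any prot value that is not both PROT_WRITE and PROT_EXEC — PROT_EXEC alone, or flag combinations never seen in the trace — which is strictly looser than the exact-value `arg2 == ...` filter it replaces, and the comment above only mentions concision. State the trade-off next to the mask pair: `# NOTE: looser than the exact-value filter it replaces: admits any prot` / `# combination without W+X, including ones not observed in the trace.` The W+X detection also relies on strace printing symbolic `PROT_*` names joined by `|`; a numeric prot value (e.g. `0x7`) would not be recognized, the masks would still be emitted, and that traced call would then be denied — fail-closed, but worth a comment or a numeric fallback (`int(v, 0) & 0x6 == 0x6`). The commit title says mremap while the tuple on the first added line matches mprotect; the code looks like the intended one, so the title appears to be what is off.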
@@ -136,7 +150,7 @@ def main(argv):
for syscall in sorted_syscalls:
if syscall in arg_inspection:
- arg_filter = get_seccomp_bpf_filter(arg_inspection[syscall])
+ arg_filter = get_seccomp_bpf_filter(syscall, arg_inspection[syscall])
else:
arg_filter = ALLOW
print('%s: %s' % (syscall, arg_filter))