Age | Commit message | Author
strace omits the ARM_ prefix on these. Add a permanent workaround to
massage the syscall name in these cases.
These syscalls are also not supported by audit-userspace upstream
leading to 'unknown_syscall's in policy. Add a temporary workaround
to look these up in the same local table.
Test: Used strace and audit on a toy program that calls these syscalls.
Test: Manually verified generated policy in each case.
Bug: chromium:1172449
Bug: b:178654555
Change-Id: I419472dfc17290d88db6073f0cb190b1a6fcf1fc
auditctl will sometimes log certain SYSCALL records even if they don't
match our requested filters. Practically, this may cause some minijail0
syscalls to be attributed incorrectly to the sandboxed process. Avoid
doing that.
Test: Manually. mknodat was a common suspect with minimalistic-mountns
Bug: chromium:1138232
Change-Id: I972b9fe829ecb7f77aa8ae80866321779037a07a
Adds an option to generate seccomp policies by parsing audit logs.
Uses a combination of SECCOMP_RET_LOG and audit's own syscall
monitoring.
Tested on x86_64 and aarch64 DUTs with some toy programs and also
by modifying upstart conf for mtpd (arbitrarily chosen).
Test: Manually. See above.
Bug: chromium:1138232
Change-Id: I635384a0cde4cb11db4da908ea76ed215fc863ca
There are quite a few requirements to be able to use the seccomp
compiler successfully, the trickiest of which is the 'constants.json'
file which is required by the compiler and uses LLVM IR files as input.
Leave enough breadcrumbs so that occasional users can figure out what
they need to do.
Also fix some style nits.
Bug: crbug.com/1162326
Test: generate_constants_json.py -h, compile_seccomp_policy.py -h,
Test: generate_seccomp_policy.py -h
Change-Id: I00ea7d9af3cf854ea8b084048533194a4edabd42
The best I could come up with for allowing compile_seccomp_policy
to be an executable script installed via setup.py.
Originally I cooked up a trick where setup.py also had:
data_files=[('minijail', ['constants.json'])],
and compile_seccomp_policy.py used:
constants_file = 'constants.json'
if pkg_resources.resource_exists(__name__, constants_file):
constants_file = pkg_resources.resource_filename(__name__, constants_file)
so that a package can ship with a constants.json and automatically use
it. This works when installed as a 'dist-package' egg, but CrOS installs
as a 'site-package' where this trick doesn't work (constants.json ends up in
another location under /usr, not to mention being stored with a board) and it
complicates the dependency story for the Makefile so I punted.
For both 'dist-package' and 'site-package' the plain "import XXX" form doesn't work
for files located in the same directory (results in a ModuleNotFoundError error),
so I've added a "from minijail import XXX" fallback so new & original cases both
work okay.
Bug: None
Test: `make tests`. Ran 'python3 setup.py install --record files.txt'
and verified the stubs in /usr/local/bin could be used to launch the 3
scripts without import errors.
Change-Id: I61fe0b624960c89fd715c1c60213edc2b736ad1c
The current generate_seccomp_policy.py can only generate policy files that
are sorted by frequency. compile_seccomp_policy.py can accept a frequency file
(via a @frequency line in the policy file), but such a file isn't
created by generate_seccomp_policy.
This change adds a --frequency command-line option that can be used to
generate a frequency file. For consistency I also added a --policy
option that can be used to specify the destination file for the policy
(normally the file is just sent to standard output and piped to a file).
If --frequency is used then the policy file will be generated with syscall
rules in alphabetical order (vs. the frequency of the use). Alphabetic
order makes it easier to see what syscalls are used and facilitates
manual modification.
I was tempted to also output an additional header comment to the
generated policy file (for both modes) that warns the files were
generated by a script (and to either add new syscalls in use order or to
the frequency file, as relevant for the mode that was used to create the
script).
TBD is whether to automatically add a @frequency line to the policy
file. So far I haven't (the relative paths used to create the files
might have no relation to where the files are stored). I thought about
adding a command-line parameter to compile_seccomp_policy.py that permits the
frequency file to be specified (instead of or in addition to @frequency) but
I didn't see a clean & easy way to add this.
Bug: None
Test: make tests
Change-Id: I9e1a5128052a7ae529b2e149c2e7bd4a263907a8
This is useful to avoid having to type out the hex constant for negating
a constant (e.g. |~PROT_WRITE|). This also introduces parenthesized
expressions, so that people can write |~(FOO|BAR)|, which is the next
natural thing to expect once unary operators are introduced.
Bug: None
Test: make tests
Change-Id: I980059c6d482762390c4a1c9b4197df54596b5f0
This change adds an optimization to the memory-mapping syscalls. It uses
two IN operators instead of 3-4 clauses to ensure that the memory is not
mapped PROT_EXEC|PROT_WRITE.
Bug: chromium:852235
Test: strace -f -s 512 -o ls.txt -- ls && \
tools/generate_seccomp_policy.py ls.txt
Change-Id: I2a714b4e3f09820a8e60f60a6bd3f232ed0cbbaf
This change refactors the generate_seccomp_policy.py script and makes
it pylint3-compliant. There were some bells and whistles that were not
being used.
Bug: None
Test: strace -f -s512 -o ls.txt -- ls && \
tools/generate_seccomp_policy.py
Change-Id: Ifc855a6210309939f233b7fafc451fc85c69768f
Python2 is on the way out, so rewrite for python3.
Also clean up the style a bit while we're in here.
Bug: None
Test: used `strace ls /proc` log and diffed the filter before & after
Change-Id: Ib96a24c5fd70d6a938bcf15f96a303bd8a34fe9e
Modify the regexp to ignore trailing <unfinished ...>
Inspect arguments of mmap, mmap2, and mprotect.
Bug: None
Test: generate_seccomp_policy.py strace.log
Change-Id: I5612031b8c70b4d34f49a9d82f7b60ec0e3848d2
This change also allows lines of the form
1234 open(...)
where 1234 is the PID. This is produced by some versions of strace.
Bug: None
Test: ./generate_seccomp_policy.py strace.log
Change-Id: I31e344de2fd2c72bc9a6ee03b0b1db2ea641c6b9
This change improves the parsing of the trace files so that it supports
`strace -f`, which adds a leading [pid 12345] tag to each line.
Bug: None
Test: strace -f -e raw=all bash -c 'ls || true' 2>&1 | \
tools/generate_seccomp_policy.py /dev/stdin
Change-Id: I5a54ddff00948b55cbcb4f0be435585b3b4cb102
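The strace line shapes that the parsing commits above describe (the `[pid 12345]` tag, a bare leading PID, a trailing `<unfinished ...>`, and the mmap/mmap2/mprotect PROT_WRITE|PROT_EXEC check), exercised by an added example that is not the minijail script's own code; the regex, the frequency/alphabetical policy rendering and the trace lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed `strace -f` excerpt covering the line shapes the parsing commits
# mention: a "[pid N]" tag, a bare leading PID (strace -f -o), a trailing
# "<unfinished ...>", a "<... resumed>" continuation, and signal/exit markers.
SAMPLE_TRACE = """\
[pid 12345] execve("/bin/ls", ["ls"], 0x7ffd1234) = 0
[pid 12345] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 12345] openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid 12345] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00
12346 mprotect(0x7f00, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
[pid 12345] wait4(-1,  <unfinished ...>
[pid 12346] close(3) = 0
[pid 12345] <... wait4 resumed> NULL, 0, NULL) = 12346
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
+++ exited with 0 +++
"""

# One syscall per line: optional pid prefix, name, '(' args, then either a
# ') = result' tail or the '<unfinished ...>' marker strace emits on -f traces.
LINE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\('
    r'(?P<args>.*?)'
    r'(?:\)\s*=\s*.*|\s*<unfinished \.\.\.>)$')

def parse_trace(text):
    """Return (Counter of syscall names, list of (name, args) mapping W+X memory)."""
    counts = Counter()
    wx = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # '<... resumed>', signal and exit lines carry no new syscall
            continue
        name, args = m.group('name'), m.group('args')
        counts[name] += 1
        if name in ('mmap', 'mmap2', 'mprotect') and 'PROT_WRITE' in args and 'PROT_EXEC' in args:
            wx.append((name, args))
    return counts, wx

def policy_lines(counts, by_frequency=True):
    """Render 'syscall: 1' rules, most frequent first or alphabetically."""
    if by_frequency:
        order = sorted(counts, key=lambda n: (-counts[n], n))
    else:
        order = sorted(counts)
    return [f'{name}: 1' for name in order]
```

The W+X list is the set of mappings a policy author would want to constrain with an argument filter instead of a plain `: 1` allow rule.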
Many people have found this script useful to bootstrap their seccomp
filter policies. Add it to the repo instead of keeping it elsewhere.
Bug: None
Change-Id: I1ec0c25eb52aac1542f710a5acdb7d2616d075d6