1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
|
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Copyright (C) 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will take any number of trace files generated by strace(1)
# and output a system call filtering policy suitable for use with Minijail.
"""Tool to generate a minijail seccomp filter from strace or audit output."""
from __future__ import print_function
import argparse
import collections
import os
import re
import sys
# auparse may not be installed and is currently optional.
try:
import auparse
except ImportError:
auparse = None
NOTICE = """# Copyright (C) 2018 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
ALLOW = '1'
# This ignores any leading PID tag and trailing <unfinished ...>, and extracts
# the syscall name and the argument list.
LINE_RE = re.compile(r'^\s*(?:\[[^]]*\]|\d+)?\s*([a-zA-Z0-9_]+)\(([^)<]*)')
SOCKETCALLS = {
'accept', 'bind', 'connect', 'getpeername', 'getsockname', 'getsockopt',
'listen', 'recv', 'recvfrom', 'recvmsg', 'send', 'sendmsg', 'sendto',
'setsockopt', 'shutdown', 'socket', 'socketpair',
}
# List of private ARM syscalls. These can be found in any ARM specific unistd.h
# such as Linux's arch/arm/include/uapi/asm/unistd.h.
PRIVATE_ARM_SYSCALLS = {
983041: 'ARM_breakpoint',
983042: 'ARM_cacheflush',
983043: 'ARM_usr26',
983044: 'ARM_usr32',
983045: 'ARM_set_tls',
}
ArgInspectionEntry = collections.namedtuple('ArgInspectionEntry',
('arg_index', 'value_set'))
# pylint: disable=too-few-public-methods
class BucketInputFiles(argparse.Action):
"""Buckets input files using simple content based heuristics.
Attributes:
audit_logs: Mutually exclusive list of audit log filenames.
traces: Mutually exclusive list of strace log filenames.
"""
def __call__(self, parser, namespace, values, option_string=None):
audit_logs = []
traces = []
strace_line_re = re.compile(r'[a-z]+[0-9]*\(.+\) += ')
audit_line_re = re.compile(r'type=(SYSCALL|SECCOMP)')
for filename in values:
if not os.path.exists(filename):
parser.error(f'Input file {filename} not found.')
with open(filename, mode='r', encoding='utf8') as input_file:
for line in input_file.readlines():
if strace_line_re.search(line):
traces.append(filename)
break
if audit_line_re.search(line):
audit_logs.append(filename)
break
else:
# Treat it as an strace log to retain legacy behaviour and
# also just in case the strace regex is imperfect.
traces.append(filename)
setattr(namespace, 'audit_logs', audit_logs)
setattr(namespace, 'traces', traces)
# pylint: enable=too-few-public-methods
def parse_args(argv):
"""Returns the parsed CLI arguments for this tool."""
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('--verbose', action='store_true',
help='output informational messages to stderr')
parser.add_argument('--frequency', type=argparse.FileType('w'),
help='frequency file')
parser.add_argument('--policy', type=argparse.FileType('w'),
default=sys.stdout, help='policy file')
parser.add_argument('input-logs', action=BucketInputFiles,
help='strace and/or audit logs', nargs='+')
parser.add_argument('--audit-comm', type=str, metavar='PROCESS_NAME',
help='relevant process name from the audit.log files')
opts = parser.parse_args(argv)
if opts.audit_logs and not auparse:
parser.error('Python bindings for the audit subsystem were not found.\n'
'Please install the python3-audit (sometimes python-audit)'
' package for your distro to process audit logs: '
f'{opts.audit_logs}')
if opts.audit_logs and not opts.audit_comm:
parser.error(f'--audit-comm is required when using audit logs as input:'
f' {opts.audit_logs}')
if not opts.audit_logs and opts.audit_comm:
parser.error('--audit-comm was specified yet none of the input files '
'matched our hueristic for an audit log')
return opts
def get_seccomp_bpf_filter(syscall, entry):
"""Returns a minijail seccomp-bpf filter expression for the syscall."""
arg_index = entry.arg_index
arg_values = entry.value_set
atoms = []
if syscall in ('mmap', 'mmap2', 'mprotect') and arg_index == 2:
# See if there is at least one instance of any of these syscalls trying
# to map memory with both PROT_EXEC and PROT_WRITE. If there isn't, we
# can craft a concise expression to forbid this.
write_and_exec = set(('PROT_EXEC', 'PROT_WRITE'))
for arg_value in arg_values:
if write_and_exec.issubset(set(p.strip() for p in
arg_value.split('|'))):
break
else:
atoms.extend(['arg2 in ~PROT_EXEC', 'arg2 in ~PROT_WRITE'])
arg_values = set()
atoms.extend(f'arg{arg_index} == {arg_value}' for arg_value in arg_values)
return ' || '.join(atoms)
def parse_trace_file(trace_filename, syscalls, arg_inspection):
"""Parses one file produced by strace."""
uses_socketcall = ('i386' in trace_filename or
('x86' in trace_filename and
'64' not in trace_filename))
with open(trace_filename, encoding='utf8') as trace_file:
for line in trace_file:
matches = LINE_RE.match(line)
if not matches:
continue
syscall, args = matches.groups()
if uses_socketcall and syscall in SOCKETCALLS:
syscall = 'socketcall'
# strace omits the 'ARM_' prefix on all private ARM syscalls. Add
# it manually here as a workaround. These syscalls are exclusive
# to ARM so we don't need to predicate this on a trace_filename
# based heuristic for the arch.
if f'ARM_{syscall}' in PRIVATE_ARM_SYSCALLS.values():
syscall = f'ARM_{syscall}'
syscalls[syscall] += 1
args = [arg.strip() for arg in args.split(',')]
if syscall in arg_inspection:
arg_value = args[arg_inspection[syscall].arg_index]
arg_inspection[syscall].value_set.add(arg_value)
def parse_audit_log(audit_log, audit_comm, syscalls, arg_inspection):
"""Parses one audit.log file generated by the Linux audit subsystem."""
unknown_syscall_re = re.compile(r'unknown-syscall\((?P<syscall_num>\d+)\)')
au = auparse.AuParser(auparse.AUSOURCE_FILE, audit_log)
# Quick validity check for whether this parses as a valid audit log. The
# first event should have at least one record.
if not au.first_record():
raise ValueError(f'Unable to parse audit log file {audit_log.name}')
# Iterate through events where _any_ contained record matches
# ((type == SECCOMP || type == SYSCALL) && comm == audit_comm).
au.search_add_item('type', '=', 'SECCOMP', auparse.AUSEARCH_RULE_CLEAR)
au.search_add_item('type', '=', 'SYSCALL', auparse.AUSEARCH_RULE_OR)
au.search_add_item('comm', '=', f'"{audit_comm}"',
auparse.AUSEARCH_RULE_AND)
# auparse_find_field(3) will ignore preceding fields in the record and
# at the same time happily cross record boundaries when looking for the
# field. This helper method always seeks the cursor back to the first
# field in the record and stops searching before crossing over to the
# next record; making the search far less error prone.
# Also implicitly seeks the internal 'cursor' to the matching field
# for any subsequent calls like auparse_interpret_field.
def _find_field_in_current_record(name):
au.first_field()
while True:
if au.get_field_name() == name:
return au.get_field_str()
if not au.next_field():
return None
while au.search_next_event():
# The event may have multiple records. Loop through all.
au.first_record()
for _ in range(au.get_num_records()):
event_type = _find_field_in_current_record('type')
comm = _find_field_in_current_record('comm')
# Some of the records in this event may not be relevant
# despite the event-specific search filter. Skip those.
if (event_type not in ('SECCOMP', 'SYSCALL') or
comm != f'"{audit_comm}"'):
au.next_record()
continue
if not _find_field_in_current_record('syscall'):
raise ValueError(f'Could not find field "syscall" in event of '
f'type {event_type}')
# Intepret the syscall field that's under our 'cursor' following the
# find. Interpreting fields yields human friendly names instead
# of integers. E.g '16' -> 'ioctl'.
syscall = au.interpret_field()
# TODO(crbug/1172449): Add these syscalls to upstream
# audit-userspace and remove this workaround.
# This is redundant but safe for non-ARM architectures due to the
# disjoint set of private syscall numbers.
match = unknown_syscall_re.match(syscall)
if match:
syscall_num = int(match.group('syscall_num'))
syscall = PRIVATE_ARM_SYSCALLS.get(syscall_num, syscall)
if ((syscall in arg_inspection and event_type == 'SECCOMP') or
(syscall not in arg_inspection and event_type == 'SYSCALL')):
# Skip SECCOMP records for syscalls that require argument
# inspection. Similarly, skip SYSCALL records for syscalls
# that do not require argument inspection. Technically such
# records wouldn't exist per our setup instructions but audit
# sometimes lets a few records slip through.
au.next_record()
continue
elif event_type == 'SYSCALL':
arg_field_name = f'a{arg_inspection[syscall].arg_index}'
if not _find_field_in_current_record(arg_field_name):
raise ValueError(f'Could not find field "{arg_field_name}"'
f'in event of type {event_type}')
# Intepret the arg field that's under our 'cursor' following the
# find. This may yield a more human friendly name.
# E.g '5401' -> 'TCGETS'.
arg_inspection[syscall].value_set.add(au.interpret_field())
syscalls[syscall] += 1
au.next_record()
def main(argv=None):
"""Main entrypoint."""
if argv is None:
argv = sys.argv[1:]
opts = parse_args(argv)
syscalls = collections.defaultdict(int)
arg_inspection = {
'socket': ArgInspectionEntry(0, set([])), # int domain
'ioctl': ArgInspectionEntry(1, set([])), # int request
'prctl': ArgInspectionEntry(0, set([])), # int option
'mmap': ArgInspectionEntry(2, set([])), # int prot
'mmap2': ArgInspectionEntry(2, set([])), # int prot
'mprotect': ArgInspectionEntry(2, set([])), # int prot
}
if opts.verbose:
# Print an informational message to stderr in case the filetype detection
# heuristics are wonky.
print('Generating a seccomp policy using these input files:',
file=sys.stderr)
print(f'Strace logs: {opts.traces}', file=sys.stderr)
print(f'Audit logs: {opts.audit_logs}', file=sys.stderr)
for trace_filename in opts.traces:
parse_trace_file(trace_filename, syscalls, arg_inspection)
for audit_log in opts.audit_logs:
parse_audit_log(audit_log, opts.audit_comm, syscalls, arg_inspection)
# Add the basic set if they are not yet present.
basic_set = [
'restart_syscall', 'exit', 'exit_group', 'rt_sigreturn',
]
for basic_syscall in basic_set:
if basic_syscall not in syscalls:
syscalls[basic_syscall] = 1
# If a frequency file isn't used then sort the syscalls based on frequency
# to make the common case fast (by checking frequent calls earlier).
# Otherwise, sort alphabetically to make it easier for humans to see which
# calls are in use (and if necessary manually add a new syscall to the
# list).
if opts.frequency is None:
sorted_syscalls = list(
x[0] for x in sorted(syscalls.items(), key=lambda pair: pair[1],
reverse=True)
)
else:
sorted_syscalls = list(
x[0] for x in sorted(syscalls.items(), key=lambda pair: pair[0])
)
print(NOTICE, file=opts.policy)
if opts.frequency is not None:
print(NOTICE, file=opts.frequency)
for syscall in sorted_syscalls:
if syscall in arg_inspection:
arg_filter = get_seccomp_bpf_filter(syscall,
arg_inspection[syscall])
else:
arg_filter = ALLOW
print(f'{syscall}: {arg_filter}', file=opts.policy)
if opts.frequency is not None:
print(f'{syscall}: {syscalls[syscall]}', file=opts.frequency)
if __name__ == '__main__':
sys.exit(main(sys.argv[1:]))
|
