tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_bionic/libc/tools/genseccomp.py
Paul Lawrence 65b47c9fe0 Fix problem that we don't block syscalls below min value 
The check that we are not below the lowest permitted syscall was
off by one, so we always allowed them, rather than always denying
them

Test: Check arm64 boots, chrome and maps work
      mips and mips64 emulators boot
      Note that arm, x86 and x86_64 already allow syscall 0 so there
      will be no functional change there

Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
2017-03-22 09:48:17 -07:00

226 lines
7.4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python
import collections
import os
import textwrap
from gensyscalls import SysCallsTxtParser
from subprocess import Popen, PIPE
BPF_JGE = "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, {0}, {1}, {2})"
BPF_ALLOW = "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)"
class SyscallRange(object):
def __init__(self, name, value):
self.names = [name]
self.begin = value
self.end = self.begin + 1
def __str__(self):
return "(%s, %s, %s)" % (self.begin, self.end, self.names)
def add(self, name, value):
if value != self.end:
raise ValueError
self.end += 1
self.names.append(name)
def get_names(syscall_files, architecture):
syscalls = []
for syscall_file in syscall_files:
parser = SysCallsTxtParser()
parser.parse_open_file(syscall_file)
syscalls += parser.syscalls
# Select only elements matching required architecture
syscalls = [x for x in syscalls if architecture in x and x[architecture]]
# We only want the name
names = [x["name"] for x in syscalls]
# Check for duplicates
dups = [name for name, count in collections.Counter(names).items() if count > 1]
# x86 has duplicate socketcall entries, so hard code for this
if architecture == "x86":
dups.remove("socketcall")
if len(dups) > 0:
print "Duplicate entries found - aborting ", dups
exit(-1)
# Remove remaining duplicates
return list(set(names))
def convert_names_to_NRs(names, header_dir, extra_switches):
# Run preprocessor over the __NR_syscall symbols, including unistd.h,
# to get the actual numbers
prefix = "__SECCOMP_" # prefix to ensure no name collisions
cpp = Popen(["../../prebuilts/clang/host/linux-x86/clang-stable/bin/clang",
"-E", "-nostdinc", "-I" + header_dir, "-Ikernel/uapi/"]
+ extra_switches
+ ["-"],
stdin=PIPE, stdout=PIPE)
cpp.stdin.write("#include <asm/unistd.h>\n")
for name in names:
# In SYSCALLS.TXT, there are two arm-specific syscalls whose names start
# with __ARM__NR_. These we must simply write out as is.
if not name.startswith("__ARM_NR_"):
cpp.stdin.write(prefix + name + ", __NR_" + name + "\n")
else:
cpp.stdin.write(prefix + name + ", " + name + "\n")
content = cpp.communicate()[0].split("\n")
# The input is now the preprocessed source file. This will contain a lot
# of junk from the preprocessor, but our lines will be in the format:
#
# __SECCOMP_${NAME}, (0 + value)
syscalls = []
for line in content:
if not line.startswith(prefix):
continue
# We might pick up extra whitespace during preprocessing, so best to strip.
name, value = [w.strip() for w in line.split(",")]
name = name[len(prefix):]
# Note that some of the numbers were expressed as base + offset, so we
# need to eval, not just int
value = eval(value)
syscalls.append((name, value))
return syscalls
def convert_NRs_to_ranges(syscalls):
# Sort the values so we convert to ranges and binary chop
syscalls = sorted(syscalls, lambda x, y: cmp(x[1], y[1]))
# Turn into a list of ranges. Keep the names for the comments
ranges = []
for name, value in syscalls:
if not ranges:
ranges.append(SyscallRange(name, value))
continue
last_range = ranges[-1]
if last_range.end == value:
last_range.add(name, value)
else:
ranges.append(SyscallRange(name, value))
return ranges
# Converts the sorted ranges of allowed syscalls to a binary tree bpf
# For a single range, output a simple jump to {fail} or {allow}. We can't set
# the jump ranges yet, since we don't know the size of the filter, so use a
# placeholder
# For multiple ranges, split into two, convert the two halves and output a jump
# to the correct half
def convert_to_intermediate_bpf(ranges):
if len(ranges) == 1:
# We will replace {fail} and {allow} with appropriate range jumps later
return [BPF_JGE.format(ranges[0].end, "{fail}", "{allow}") +
", //" + "|".join(ranges[0].names)]
else:
half = (len(ranges) + 1) / 2
first = convert_to_intermediate_bpf(ranges[:half])
second = convert_to_intermediate_bpf(ranges[half:])
jump = [BPF_JGE.format(ranges[half].begin, len(first), 0) + ","]
return jump + first + second
def convert_ranges_to_bpf(ranges):
bpf = convert_to_intermediate_bpf(ranges)
# Now we know the size of the tree, we can substitute the {fail} and {allow}
# placeholders
for i, statement in enumerate(bpf):
# Replace placeholder with
# "distance to jump to fail, distance to jump to allow"
# We will add a kill statement and an allow statement after the tree
# With bpfs jmp 0 means the next statement, so the distance to the end is
# len(bpf) - i - 1, which is where we will put the kill statement, and
# then the statement after that is the allow statement
if "{fail}" in statement and "{allow}" in statement:
bpf[i] = statement.format(fail=str(len(bpf) - i),
allow=str(len(bpf) - i - 1))
# Add the allow calls at the end. If the syscall is not matched, we will
# continue. This allows the user to choose to match further syscalls, and
# also to choose the action when we want to block
bpf.append(BPF_ALLOW + ",")
# Add check that we aren't off the bottom of the syscalls
bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',')
return bpf
def convert_bpf_to_output(bpf, architecture):
header = textwrap.dedent("""\
// Autogenerated file - edit at your peril!!
#include <linux/filter.h>
#include <errno.h>
#include "seccomp_bpfs.h"
const sock_filter {architecture}_filter[] = {{
""").format(architecture=architecture)
footer = textwrap.dedent("""\
}};
const size_t {architecture}_filter_size = sizeof({architecture}_filter) / sizeof(struct sock_filter);
""").format(architecture=architecture)
return header + "\n".join(bpf) + footer
def construct_bpf(syscall_files, architecture, header_dir, extra_switches):
names = get_names(syscall_files, architecture)
syscalls = convert_names_to_NRs(names, header_dir, extra_switches)
ranges = convert_NRs_to_ranges(syscalls)
bpf = convert_ranges_to_bpf(ranges)
return convert_bpf_to_output(bpf, architecture)
ANDROID_SYSCALL_FILES = ["SYSCALLS.TXT", "SECCOMP_WHITELIST.TXT"]
POLICY_CONFIGS = [("arm", "kernel/uapi/asm-arm", []),
("arm64", "kernel/uapi/asm-arm64", []),
("x86", "kernel/uapi/asm-x86", ["-D__i386__"]),
("x86_64", "kernel/uapi/asm-x86", []),
("mips", "kernel/uapi/asm-mips", ["-D_MIPS_SIM=_MIPS_SIM_ABI32"]),
("mips64", "kernel/uapi/asm-mips", ["-D_MIPS_SIM=_MIPS_SIM_ABI64"])]
def set_dir():
# Set working directory for predictable results
os.chdir(os.path.join(os.environ["ANDROID_BUILD_TOP"], "bionic/libc"))
def main():
set_dir()
for arch, header_path, switches in POLICY_CONFIGS:
files = [open(filename) for filename in ANDROID_SYSCALL_FILES]
output = construct_bpf(files, arch, header_path, switches)
# And output policy
existing = ""
output_path = "seccomp/{}_policy.cpp".format(arch)
if os.path.isfile(output_path):
existing = open(output_path).read()
if output == existing:
print "File " + output_path + " not changed."
else:
with open(output_path, "w") as output_file:
output_file.write(output)
print "Generated file " + output_path
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink