#!/usr/bin/env python import collections import os import textwrap from gensyscalls import SysCallsTxtParser from subprocess import Popen, PIPE BPF_JGE = "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, {0}, {1}, {2})" BPF_ALLOW = "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)" class SyscallRange(object): def __init__(self, name, value): self.names = [name] self.begin = value self.end = self.begin + 1 def __str__(self): return "(%s, %s, %s)" % (self.begin, self.end, self.names) def add(self, name, value): if value != self.end: raise ValueError self.end += 1 self.names.append(name) def get_names(syscall_files, architecture): syscall_lists = [] for syscall_file in syscall_files: parser = SysCallsTxtParser() parser.parse_open_file(syscall_file) syscall_lists.append(parser.syscalls) bionic, whitelist, blacklist = syscall_lists[0], syscall_lists[1], syscall_lists[2] for x in blacklist: if not x in bionic: raise RuntimeError("Blacklist item not in bionic - aborting " + str(x)) if x in whitelist: raise RuntimeError("Blacklist item in whitelist - aborting " + str(x)) bionic_minus_blacklist = [x for x in bionic if x not in blacklist] syscalls = bionic_minus_blacklist + whitelist # Select only elements matching required architecture syscalls = [x for x in syscalls if architecture in x and x[architecture]] # We only want the name names = [x["name"] for x in syscalls] # Check for duplicates dups = [name for name, count in collections.Counter(names).items() if count > 1] # x86 has duplicate socketcall entries, so hard code for this if architecture == "x86": dups.remove("socketcall") if len(dups) > 0: raise RuntimeError("Duplicate entries found - aborting " + str(dups)) # Remove remaining duplicates return list(set(names)) def convert_names_to_NRs(names, header_dir, extra_switches): # Run preprocessor over the __NR_syscall symbols, including unistd.h, # to get the actual numbers prefix = "__SECCOMP_" # prefix to ensure no name collisions cpp = Popen(["../../prebuilts/clang/host/linux-x86/clang-stable/bin/clang", "-E", "-nostdinc", "-I" + header_dir, "-Ikernel/uapi/"] + extra_switches + ["-"], stdin=PIPE, stdout=PIPE) cpp.stdin.write("#include \n") for name in names: # In SYSCALLS.TXT, there are two arm-specific syscalls whose names start # with __ARM__NR_. These we must simply write out as is. if not name.startswith("__ARM_NR_"): cpp.stdin.write(prefix + name + ", __NR_" + name + "\n") else: cpp.stdin.write(prefix + name + ", " + name + "\n") content = cpp.communicate()[0].split("\n") # The input is now the preprocessed source file. This will contain a lot # of junk from the preprocessor, but our lines will be in the format: # # __SECCOMP_${NAME}, (0 + value) syscalls = [] for line in content: if not line.startswith(prefix): continue # We might pick up extra whitespace during preprocessing, so best to strip. name, value = [w.strip() for w in line.split(",")] name = name[len(prefix):] # Note that some of the numbers were expressed as base + offset, so we # need to eval, not just int value = eval(value) syscalls.append((name, value)) return syscalls def convert_NRs_to_ranges(syscalls): # Sort the values so we convert to ranges and binary chop syscalls = sorted(syscalls, lambda x, y: cmp(x[1], y[1])) # Turn into a list of ranges. Keep the names for the comments ranges = [] for name, value in syscalls: if not ranges: ranges.append(SyscallRange(name, value)) continue last_range = ranges[-1] if last_range.end == value: last_range.add(name, value) else: ranges.append(SyscallRange(name, value)) return ranges # Converts the sorted ranges of allowed syscalls to a binary tree bpf # For a single range, output a simple jump to {fail} or {allow}. We can't set # the jump ranges yet, since we don't know the size of the filter, so use a # placeholder # For multiple ranges, split into two, convert the two halves and output a jump # to the correct half def convert_to_intermediate_bpf(ranges): if len(ranges) == 1: # We will replace {fail} and {allow} with appropriate range jumps later return [BPF_JGE.format(ranges[0].end, "{fail}", "{allow}") + ", //" + "|".join(ranges[0].names)] else: half = (len(ranges) + 1) / 2 first = convert_to_intermediate_bpf(ranges[:half]) second = convert_to_intermediate_bpf(ranges[half:]) jump = [BPF_JGE.format(ranges[half].begin, len(first), 0) + ","] return jump + first + second def convert_ranges_to_bpf(ranges): bpf = convert_to_intermediate_bpf(ranges) # Now we know the size of the tree, we can substitute the {fail} and {allow} # placeholders for i, statement in enumerate(bpf): # Replace placeholder with # "distance to jump to fail, distance to jump to allow" # We will add a kill statement and an allow statement after the tree # With bpfs jmp 0 means the next statement, so the distance to the end is # len(bpf) - i - 1, which is where we will put the kill statement, and # then the statement after that is the allow statement if "{fail}" in statement and "{allow}" in statement: bpf[i] = statement.format(fail=str(len(bpf) - i), allow=str(len(bpf) - i - 1)) # Add the allow calls at the end. If the syscall is not matched, we will # continue. This allows the user to choose to match further syscalls, and # also to choose the action when we want to block bpf.append(BPF_ALLOW + ",") # Add check that we aren't off the bottom of the syscalls bpf.insert(0, BPF_JGE.format(ranges[0].begin, 0, str(len(bpf))) + ',') return bpf def convert_bpf_to_output(bpf, architecture): header = textwrap.dedent("""\ // Autogenerated file - edit at your peril!! #include #include #include "seccomp_bpfs.h" const sock_filter {architecture}_filter[] = {{ """).format(architecture=architecture) footer = textwrap.dedent("""\ }}; const size_t {architecture}_filter_size = sizeof({architecture}_filter) / sizeof(struct sock_filter); """).format(architecture=architecture) return header + "\n".join(bpf) + footer def construct_bpf(syscall_files, architecture, header_dir, extra_switches): names = get_names(syscall_files, architecture) syscalls = convert_names_to_NRs(names, header_dir, extra_switches) ranges = convert_NRs_to_ranges(syscalls) bpf = convert_ranges_to_bpf(ranges) return convert_bpf_to_output(bpf, architecture) ANDROID_SYSCALL_FILES = ["SYSCALLS.TXT", "SECCOMP_WHITELIST.TXT", "SECCOMP_BLACKLIST.TXT"] POLICY_CONFIGS = [("arm", "kernel/uapi/asm-arm", []), ("arm64", "kernel/uapi/asm-arm64", []), ("x86", "kernel/uapi/asm-x86", ["-D__i386__"]), ("x86_64", "kernel/uapi/asm-x86", []), ("mips", "kernel/uapi/asm-mips", ["-D_MIPS_SIM=_MIPS_SIM_ABI32"]), ("mips64", "kernel/uapi/asm-mips", ["-D_MIPS_SIM=_MIPS_SIM_ABI64"])] def set_dir(): # Set working directory for predictable results os.chdir(os.path.join(os.environ["ANDROID_BUILD_TOP"], "bionic/libc")) def main(): set_dir() for arch, header_path, switches in POLICY_CONFIGS: files = [open(filename) for filename in ANDROID_SYSCALL_FILES] output = construct_bpf(files, arch, header_path, switches) # And output policy existing = "" output_path = "seccomp/{}_policy.cpp".format(arch) if os.path.isfile(output_path): existing = open(output_path).read() if output == existing: print "File " + output_path + " not changed." else: with open(output_path, "w") as output_file: output_file.write(output) print "Generated file " + output_path if __name__ == "__main__": main()