tools/generate_seccomp_policy.py - platform/external/minijail - Git at Google

 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2016 The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # This script will take any number of trace files generated by strace(1)
 # and output a system call filtering policy suitable for use with Minijail.

 """Helper tool to generate a minijail seccomp filter from strace output."""

 from __future__ import print_function

 import argparse
 import collections
 import re
 import sys


 NOTICE = """# Copyright (C) 2018 The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 """

 ALLOW = '1'

 # This ignores any leading PID tag and trailing <unfinished ...>, and extracts
 # the syscall name and the argument list.
 LINE_RE = re.compile(r'^\s*(?:\[[^]]*\]|\d+)?\s*([a-zA-Z0-9_]+)\(([^)<]*)')

 SOCKETCALLS = {
     'accept', 'bind', 'connect', 'getpeername', 'getsockname', 'getsockopt',
     'listen', 'recv', 'recvfrom', 'recvmsg', 'send', 'sendmsg', 'sendto',
     'setsockopt', 'shutdown', 'socket', 'socketpair',
 }

 ArgInspectionEntry = collections.namedtuple('ArgInspectionEntry',
                                             ('arg_index', 'value_set'))


 def parse_args(argv):
     """Returns the parsed CLI arguments for this tool."""
     parser = argparse.ArgumentParser(description=__doc__)
     parser.add_argument('traces', nargs='+', help='The strace logs.')
     return parser.parse_args(argv)


 def get_seccomp_bpf_filter(syscall, entry):
     """Return a minijail seccomp-bpf filter expression for the syscall."""
     arg_index = entry.arg_index
     arg_values = entry.value_set
     atoms = []
     if syscall in ('mmap', 'mmap2', 'mprotect') and arg_index == 2:
         # See if there is at least one instance of any of these syscalls trying
         # to map memory with both PROT_EXEC and PROT_WRITE. If there isn't, we
         # can craft a concise expression to forbid this.
         write_and_exec = set(('PROT_EXEC', 'PROT_WRITE'))
         for arg_value in arg_values:
             if write_and_exec.issubset(set(p.strip() for p in
                                            arg_value.split('|'))):
                 break
         else:
             atoms.extend(['arg2 in ~PROT_EXEC', 'arg2 in ~PROT_WRITE'])
             arg_values = set()
     atoms.extend('arg%d == %s' % (arg_index, arg_value)
                  for arg_value in arg_values)
     return ' || '.join(atoms)


 def parse_trace_file(trace_filename, syscalls, arg_inspection):
     """Parses one file produced by strace."""
     uses_socketcall = ('i386' in trace_filename or
                        ('x86' in trace_filename and
                         '64' not in trace_filename))

     with open(trace_filename) as trace_file:
         for line in trace_file:
             matches = LINE_RE.match(line)
             if not matches:
                 continue

             syscall, args = matches.groups()
             if uses_socketcall and syscall in SOCKETCALLS:
                 syscall = 'socketcall'

             syscalls[syscall] += 1

             args = [arg.strip() for arg in args.split(',')]

             if syscall in arg_inspection:
                 arg_value = args[arg_inspection[syscall].arg_index]
                 arg_inspection[syscall].value_set.add(arg_value)


 def main(argv):
     """Main entrypoint."""
     opts = parse_args(argv)

     syscalls = collections.defaultdict(int)

     arg_inspection = {
         'socket': ArgInspectionEntry(0, set([])),   # int domain
         'ioctl': ArgInspectionEntry(1, set([])),    # int request
         'prctl': ArgInspectionEntry(0, set([])),    # int option
         'mmap': ArgInspectionEntry(2, set([])),     # int prot
         'mmap2': ArgInspectionEntry(2, set([])),    # int prot
         'mprotect': ArgInspectionEntry(2, set([])), # int prot
     }

     for trace_filename in opts.traces:
         parse_trace_file(trace_filename, syscalls, arg_inspection)

     # Add the basic set if they are not yet present.
     basic_set = [
         'restart_syscall', 'exit', 'exit_group', 'rt_sigreturn',
     ]
     for basic_syscall in basic_set:
         if basic_syscall not in syscalls:
             syscalls[basic_syscall] = 1

     # Sort the syscalls based on frequency.  This way the calls that are used
     # more often come first which in turn speeds up the filter slightly.
     sorted_syscalls = list(
         x[0] for x in sorted(syscalls.items(), key=lambda pair: pair[1],
                              reverse=True)
     )

     print(NOTICE)

     for syscall in sorted_syscalls:
         if syscall in arg_inspection:
             arg_filter = get_seccomp_bpf_filter(syscall, arg_inspection[syscall])
         else:
             arg_filter = ALLOW
         print('%s: %s' % (syscall, arg_filter))


 if __name__ == '__main__':
     sys.exit(main(sys.argv[1:]))
	#!/usr/bin/env python3
	# -- coding: utf-8 --
	#
	# Copyright (C) 2016 The Android Open Source Project
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#
	# This script will take any number of trace files generated by strace(1)
	# and output a system call filtering policy suitable for use with Minijail.

	"""Helper tool to generate a minijail seccomp filter from strace output."""

	from __future__ import print_function

	import argparse
	import collections
	import re
	import sys


	NOTICE = """# Copyright (C) 2018 The Android Open Source Project
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	"""

	ALLOW = '1'

	# This ignores any leading PID tag and trailing <unfinished ...>, and extracts
	# the syscall name and the argument list.
	LINE_RE = re.compile(r'^\s(?:\[[^]]\]\|\d+)?\s([a-zA-Z0-9_]+)\(([^)<])')

	SOCKETCALLS = {
	'accept', 'bind', 'connect', 'getpeername', 'getsockname', 'getsockopt',
	'listen', 'recv', 'recvfrom', 'recvmsg', 'send', 'sendmsg', 'sendto',
	'setsockopt', 'shutdown', 'socket', 'socketpair',
	}

	ArgInspectionEntry = collections.namedtuple('ArgInspectionEntry',
	('arg_index', 'value_set'))


	def parse_args(argv):
	"""Returns the parsed CLI arguments for this tool."""
	parser = argparse.ArgumentParser(description=__doc__)
	parser.add_argument('traces', nargs='+', help='The strace logs.')
	return parser.parse_args(argv)


	def get_seccomp_bpf_filter(syscall, entry):
	"""Return a minijail seccomp-bpf filter expression for the syscall."""
	arg_index = entry.arg_index
	arg_values = entry.value_set
	atoms = []
	if syscall in ('mmap', 'mmap2', 'mprotect') and arg_index == 2:
	# See if there is at least one instance of any of these syscalls trying
	# to map memory with both PROT_EXEC and PROT_WRITE. If there isn't, we
	# can craft a concise expression to forbid this.
	write_and_exec = set(('PROT_EXEC', 'PROT_WRITE'))
	for arg_value in arg_values:
	if write_and_exec.issubset(set(p.strip() for p in
	arg_value.split('\|'))):
	break
	else:
	atoms.extend(['arg2 in ~PROT_EXEC', 'arg2 in ~PROT_WRITE'])
	arg_values = set()
	atoms.extend('arg%d == %s' % (arg_index, arg_value)
	for arg_value in arg_values)
	return ' \|\| '.join(atoms)


	def parse_trace_file(trace_filename, syscalls, arg_inspection):
	"""Parses one file produced by strace."""
	uses_socketcall = ('i386' in trace_filename or
	('x86' in trace_filename and
	'64' not in trace_filename))

	with open(trace_filename) as trace_file:
	for line in trace_file:
	matches = LINE_RE.match(line)
	if not matches:
	continue

	syscall, args = matches.groups()
	if uses_socketcall and syscall in SOCKETCALLS:
	syscall = 'socketcall'

	syscalls[syscall] += 1

	args = [arg.strip() for arg in args.split(',')]

	if syscall in arg_inspection:
	arg_value = args[arg_inspection[syscall].arg_index]
	arg_inspection[syscall].value_set.add(arg_value)


	def main(argv):
	"""Main entrypoint."""
	opts = parse_args(argv)

	syscalls = collections.defaultdict(int)

	arg_inspection = {
	'socket': ArgInspectionEntry(0, set([])), # int domain
	'ioctl': ArgInspectionEntry(1, set([])), # int request
	'prctl': ArgInspectionEntry(0, set([])), # int option
	'mmap': ArgInspectionEntry(2, set([])), # int prot
	'mmap2': ArgInspectionEntry(2, set([])), # int prot
	'mprotect': ArgInspectionEntry(2, set([])), # int prot
	}

	for trace_filename in opts.traces:
	parse_trace_file(trace_filename, syscalls, arg_inspection)

	# Add the basic set if they are not yet present.
	basic_set = [
	'restart_syscall', 'exit', 'exit_group', 'rt_sigreturn',
	]
	for basic_syscall in basic_set:
	if basic_syscall not in syscalls:
	syscalls[basic_syscall] = 1

	# Sort the syscalls based on frequency. This way the calls that are used
	# more often come first which in turn speeds up the filter slightly.
	sorted_syscalls = list(
	x[0] for x in sorted(syscalls.items(), key=lambda pair: pair[1],
	reverse=True)
	)

	print(NOTICE)

	for syscall in sorted_syscalls:
	if syscall in arg_inspection:
	arg_filter = get_seccomp_bpf_filter(syscall, arg_inspection[syscall])
	else:
	arg_filter = ALLOW
	print('%s: %s' % (syscall, arg_filter))


	if __name__ == '__main__':
	sys.exit(main(sys.argv[1:]))