Add seccomp support library
Policy library which exports an autogenerated policy from SYSCALLS.TXT
blocking any other calls.
Test: Generate policy, install onto Sailfish, check boots, Chrome runs,
calls are blocked.
Bug: 32313202
Change-Id: Ib590704e50122f077eeae26561eb9b0a70386551
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
new file mode 100755
index 0000000..b82bb12
--- /dev/null
+++ b/libc/tools/genseccomp.py
@@ -0,0 +1,171 @@
+#!/usr/bin/env python
+import os
+from subprocess import Popen, PIPE
+import textwrap
+from gensyscalls import SysCallsTxtParser
+
+
+syscall_file = "SYSCALLS.TXT"
+
+
+class SyscallRange(object):
+ def __init__(self, name, value):
+ self.names = [name]
+ self.begin = value
+ self.end = self.begin + 1
+
+ def add(self, name, value):
+ if value != self.end:
+ raise ValueError
+ self.end += 1
+ self.names.append(name)
+
+
+def generate_bpf_jge(value, ge_target, less_target):
+ return "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, {0}, {1}, {2})".format(value, ge_target, less_target)
+
+
+# Converts the sorted ranges of allowed syscalls to a binary tree bpf
+# For a single range, output a simple jump to {fail} or {allow}. We can't set
+# the jump ranges yet, since we don't know the size of the filter, so use a
+# placeholder
+# For multiple ranges, split into two, convert the two halves and output a jump
+# to the correct half
+def convert_to_bpf(ranges):
+ if len(ranges) == 1:
+ # We will replace {fail} and {allow} with appropriate range jumps later
+ return [generate_bpf_jge(ranges[0].end, "{fail}", "{allow}") +
+ ", //" + "|".join(ranges[0].names)]
+ else:
+ half = (len(ranges) + 1) / 2
+ first = convert_to_bpf(ranges[:half])
+ second = convert_to_bpf(ranges[half:])
+ return [generate_bpf_jge(ranges[half].begin, len(first), 0) + ","] + first + second
+
+
+def construct_bpf(architecture, header_dir, output_path):
+ parser = SysCallsTxtParser()
+ parser.parse_file(syscall_file)
+ syscalls = parser.syscalls
+
+ # Select only elements matching required architecture
+ syscalls = [x for x in syscalls if architecture in x and x[architecture]]
+
+ # We only want the name
+ names = [x["name"] for x in syscalls]
+
+ # Run preprocessor over the __NR_syscall symbols, including unistd.h,
+ # to get the actual numbers
+ prefix = "__SECCOMP_" # prefix to ensure no name collisions
+ cpp = Popen(["../../prebuilts/clang/host/linux-x86/clang-stable/bin/clang",
+ "-E", "-nostdinc", "-I" + header_dir, "-Ikernel/uapi/", "-"],
+ stdin=PIPE, stdout=PIPE)
+ cpp.stdin.write("#include <asm/unistd.h>\n")
+ for name in names:
+ # In SYSCALLS.TXT, there are two arm-specific syscalls whose names start
+ # with __ARM__NR_. These we must simply write out as is.
+ if not name.startswith("__ARM_NR_"):
+ cpp.stdin.write(prefix + name + ", __NR_" + name + "\n")
+ else:
+ cpp.stdin.write(prefix + name + ", " + name + "\n")
+ content = cpp.communicate()[0].split("\n")
+
+ # The input is now the preprocessed source file. This will contain a lot
+ # of junk from the preprocessor, but our lines will be in the format:
+ #
+ # __SECCOMP_${NAME}, (0 + value)
+
+ syscalls = []
+ for line in content:
+ if not line.startswith(prefix):
+ continue
+
+ # We might pick up extra whitespace during preprocessing, so best to strip.
+ name, value = [w.strip() for w in line.split(",")]
+ name = name[len(prefix):]
+
+ # Note that some of the numbers were expressed as base + offset, so we
+ # need to eval, not just int
+ value = eval(value)
+ syscalls.append((name, value))
+
+ # Sort the values so we convert to ranges and binary chop
+ syscalls = sorted(syscalls, lambda x, y: cmp(x[1], y[1]))
+
+ # Turn into a list of ranges. Keep the names for the comments
+ ranges = []
+ for name, value in syscalls:
+ if not ranges:
+ ranges.append(SyscallRange(name, value))
+ continue
+
+ last_range = ranges[-1]
+ if last_range.end == value:
+ last_range.add(name, value)
+ else:
+ ranges.append(SyscallRange(name, value))
+
+ bpf = convert_to_bpf(ranges)
+
+ # Now we know the size of the tree, we can substitute the {fail} and {allow}
+ # placeholders
+ for i, statement in enumerate(bpf):
+ # Replace placeholder with
+ # "distance to jump to fail, distance to jump to allow"
+ # We will add a kill statement and an allow statement after the tree
+ # With bpfs jmp 0 means the next statement, so the distance to the end is
+ # len(bpf) - i - 1, which is where we will put the kill statement, and
+ # then the statement after that is the allow statement
+ if "{fail}" in statement and "{allow}" in statement:
+ bpf[i] = statement.format(fail=str(len(bpf) - i - 1),
+ allow=str(len(bpf) - i))
+
+ # Add check that we aren't off the bottom of the syscalls
+ bpf.insert(0,
+ "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, " + str(ranges[0].begin) +
+ ", 0, " + str(len(bpf)) + "),")
+
+ # Add the error and allow calls at the end
+ bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),")
+ bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),")
+
+ # And output policy
+ header = textwrap.dedent("""\
+ // Autogenerated file - edit at your peril!!
+
+ #include <linux/filter.h>
+ #include <errno.h>
+
+ #include "seccomp_policy.h"
+ const struct sock_filter {architecture}_filter[] = {{
+ """).format(architecture=architecture)
+
+ footer = textwrap.dedent("""\
+
+ }};
+
+ const size_t {architecture}_filter_size = sizeof({architecture}_filter) / sizeof(struct sock_filter);
+ """).format(architecture=architecture)
+ output = header + "\n".join(bpf) + footer
+
+ existing = ""
+ if os.path.isfile(output_path):
+ existing = open(output_path).read()
+ if output == existing:
+ print "File " + output_path + " not changed."
+ else:
+ with open(output_path, "w") as output_file:
+ output_file.write(output)
+
+ print "Generated file " + output_path
+
+
+def main():
+ # Set working directory for predictable results
+ os.chdir(os.path.join(os.environ["ANDROID_BUILD_TOP"], "bionic/libc"))
+ construct_bpf("arm", "kernel/uapi/asm-arm", "seccomp/arm_policy.c")
+ construct_bpf("arm64", "kernel/uapi/asm-arm64", "seccomp/arm64_policy.c")
+
+
+if __name__ == "__main__":
+ main()