#if defined(__linux__) && !defined(__ANDROID__)
#include <execinfo.h>
#include <fcntl.h>
#include <stdint.h>
#include "seccomp.h"
#include "debug.h"
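/*
 * Notification callback handed to seccomp_filter_run(): logs one intercepted
 * syscall (id, pid, number, name, all six raw arguments) together with the
 * captured call stack, then answers with SECCOMP_USER_NOTIF_FLAG_CONTINUE so
 * the kernel executes the syscall natively. This callback never denies or
 * emulates anything; it is purely a tracer.
 *
 * req    - notification as filled in by SECCOMP_IOCTL_NOTIF_RECV
 * resp   - response the caller sends back with SECCOMP_IOCTL_NOTIF_SEND
 * frames - return addresses for the syscall site; each is resolved through
 *          Gum (module!symbol) with backtrace_symbols() text as fallback
 *
 * Because the answer is CONTINUE, the kernel re-reads every pointer argument
 * when it actually performs the syscall. Anything printed here is therefore
 * informational only and may differ from what the target really used.
 */
static void seccomp_callback_filter(struct seccomp_notif * req,
                                    struct seccomp_notif_resp *resp,
                                    GumReturnAddressArray * frames) {
  GumDebugSymbolDetails details = {0};

  if (req->data.nr == SYS_OPENAT) {
    /*
     * args[1] is the pathname pointer in the *target's* address space.
     * Dereferencing it directly is only meaningful while this supervisor
     * shares the mapping (e.g. one that existed before the fork that created
     * this process); a pointer into memory the target mapped later, or a bad
     * pointer, faults the supervisor instead of the target.
     * NOTE(review): the robust approach is pread() on /proc/<req->pid>/mem,
     * after confirming req->id with SECCOMP_IOCTL_NOTIF_ID_VALID. Confirm
     * what seccomp_child_run() sets up before relying on this shortcut.
     * Going through uintptr_t reproduces the former per-width casts: identity
     * on 64-bit, truncation to the low 32 bits (the old __u32 cast) on 32-bit.
     */
    const char *path = (const char *)(uintptr_t)req->data.args[1];
    seccomp_print("SYS_OPENAT: (%s)\n", path != NULL ? path : "(null)");
  }

  seccomp_print(
      "\nID (%#llx) for PID %d - %d (%s) [0x%llx 0x%llx 0x%llx 0x%llx 0x%llx "
      "0x%llx ]\n",
      req->id, req->pid, req->data.nr, seccomp_syscall_lookup(req->data.nr),
      req->data.args[0], req->data.args[1], req->data.args[2],
      req->data.args[3], req->data.args[4], req->data.args[5]);

  seccomp_print("FRAMES: (%u)\n", frames->len);

  /* backtrace_symbols() returns a single malloc'd block; one free() covers it. */
  char **syms = backtrace_symbols(frames->items, frames->len);
  if (syms == NULL) { FATAL("Failed to get symbols"); }

  for (guint i = 0; i < frames->len; i++) {
    /* %u: the index is unsigned (guint); the old %d mismatched the type. */
    if (gum_symbol_details_from_address(frames->items[i], &details)) {
      seccomp_print("\t%3u. %s!%s\n", i, details.module_name,
                    details.symbol_name);
    } else {
      seccomp_print("\t%3u. %s\n", i, syms[i]);
    }
  }
  free(syms);

  /* With CONTINUE the kernel ignores error/val; id must echo the request. */
  resp->error = 0;
  resp->val = 0;
  resp->id = req->id;
  resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
}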
/*
 * Entry point of the supervising child (run via seccomp_child_run()).
 *
 * ctx points at the parent's socketpair; element 0 is the end this process
 * reads from. The notification fd arrives over that socket, the socket is
 * then closed, the parent is signalled through signal_parent, the child's own
 * seccomp filter is installed and control passes to seccomp_filter_run() with
 * seccomp_callback_filter as the per-notification handler.
 */
static void seccomp_callback_child(int signal_parent, void *ctx) {
  int *pair = (int *)ctx;
  int recv_end = pair[0];

  int notif_fd = seccomp_socket_recv(recv_end);
  if (close(recv_end) < 0) { FATAL("child - close"); }

  seccomp_event_signal(signal_parent);
  seccomp_filter_child_install();
  seccomp_filter_run(notif_fd, seccomp_callback_filter);
}
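/*
 * Parent-side setup of the seccomp supervisor.
 *
 * Creates a socketpair, starts the supervising child (seccomp_callback_child)
 * and pins the child's event descriptor at SECCOMP_PARENT_EVENT_FD. It then
 * installs the user-notification filter on this process, ships the resulting
 * notification fd to the child over the socket, drops its own copies of the
 * socket ends and the fd, and finally waits on SECCOMP_PARENT_EVENT_FD for
 * the child's seccomp_event_signal().
 *
 * SECCOMP_PARENT_EVENT_FD is a fixed slot assumed to be free; dup2() silently
 * closes whatever currently occupies it.
 */
void seccomp_callback_parent(void) {
  /* sock[0] goes to the child (see seccomp_callback_child); sock[1] is ours. */
  int sock[2] = {-1, -1};
  pid_t child = -1;
  int child_fd = -1;

  seccomp_socket_create(sock);
  seccomp_child_run(seccomp_callback_child, sock, &child, &child_fd);

  /*
   * dup2(fd, fd) is a no-op, so if child_fd already occupies the target slot
   * the close() below would destroy the only descriptor. Only move it when the
   * numbers differ.
   */
  if (child_fd != SECCOMP_PARENT_EVENT_FD) {
    if (dup2(child_fd, SECCOMP_PARENT_EVENT_FD) < 0) { FATAL("dup2"); }
    if (close(child_fd) < 0) { FATAL("seccomp_on_fork - close (1)"); }
  }

  /* The child's end of the socketpair is not needed in this process. */
  if (close(sock[0]) < 0) { FATAL("grandparent - close (2)"); }

  /* Install the filter on ourselves and hand the notification fd over. */
  int fd = seccomp_filter_install(child);
  seccomp_socket_send(sock[1], fd);

  if (close(sock[1]) < 0) { FATAL("grandparent - close (3)"); }
  if (close(fd) < 0) { FATAL("grandparent - close (4)"); }

  seccomp_child_wait(SECCOMP_PARENT_EVENT_FD);
}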
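/*
 * Open the seccomp log file and pin it at SECCOMP_OUTPUT_FILE_FD.
 *
 * seccomp_filename is resolved against the current directory, created if
 * missing and truncated otherwise (mode 0660: owner and group read/write).
 * Every failure is fatal. The original descriptor is moved, not kept, so the
 * only handle to the file afterwards is SECCOMP_OUTPUT_FILE_FD.
 */
void seccomp_callback_initialize(void) {
  /* g_get_current_dir() returns a newly allocated string that we own. */
  char *cwd = g_get_current_dir();
  char *path = g_canonicalize_filename(seccomp_filename, cwd);
  g_free(cwd);

  OKF("Seccomp - path [%s]", path);

  int fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
                S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
  /* Check open() itself; previously -1 only surfaced as a misleading dup2 error. */
  if (fd < 0) { FATAL("Failed to open seccomp output file"); }
  g_free(path);

  /*
   * dup2(fd, fd) is a no-op, so closing fd afterwards would lose the file
   * when it already sits in the target slot; skip the move in that case.
   */
  if (fd != SECCOMP_OUTPUT_FILE_FD) {
    if (dup2(fd, SECCOMP_OUTPUT_FILE_FD) < 0) {
      FATAL("Failed to duplicate seccomp output file");
    }
    if (close(fd) < 0) { FATAL("Failed to close seccomp output file fd"); }
  }
}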
#endif