code-intelligence.com/cifuzz@v0.40.0/third-party/minijail/tools/compile_seccomp_policy.py (about) 1 #!/usr/bin/env python3 2 # -*- coding: utf-8 -*- 3 # 4 # Copyright (C) 2018 The Android Open Source Project 5 # 6 # Licensed under the Apache License, Version 2.0 (the "License"); 7 # you may not use this file except in compliance with the License. 8 # You may obtain a copy of the License at 9 # 10 # http://www.apache.org/licenses/LICENSE-2.0 11 # 12 # Unless required by applicable law or agreed to in writing, software 13 # distributed under the License is distributed on an "AS IS" BASIS, 14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 # See the License for the specific language governing permissions and 16 # limitations under the License. 17 """Helper tool to compile a BPF program from a Minijail seccomp filter. 18 19 This script will take a Minijail seccomp policy file and compile it into a 20 BPF program suitable for use with Minijail in the current architecture. 21 """ 22 23 from __future__ import print_function 24 25 import argparse 26 import os 27 import sys 28 29 try: 30 import arch 31 import bpf 32 import compiler 33 import parser 34 except ImportError: 35 from minijail import arch 36 from minijail import bpf 37 from minijail import compiler 38 from minijail import parser 39 40 CONSTANTS_ERR_MSG = """Could not find 'constants.json' file. 41 See 'generate_constants_json.py -h'.""" 42 43 44 def parse_args(argv): 45 """Return the parsed CLI arguments for this tool.""" 46 arg_parser = argparse.ArgumentParser(description=__doc__) 47 arg_parser.add_argument('--optimization-strategy', 48 default=compiler.OptimizationStrategy.BST, 49 type=compiler.OptimizationStrategy, 50 choices=list(compiler.OptimizationStrategy)) 51 arg_parser.add_argument('--include-depth-limit', default=10) 52 arg_parser.add_argument('--arch-json', default='constants.json') 53 arg_parser.add_argument( 54 '--denylist', 55 action='store_true', 56 help='Compile as a denylist policy rather than the default allowlist.') 57 arg_parser.add_argument( 58 '--default-action', 59 type=str, 60 help=('Use the specified default action, overriding any @default ' 61 'action found in the .policy files. ' 62 'This allows the use of permissive actions (allow, log, trace, ' 63 'user-notify) since it is not valid to specify a permissive ' 64 'action in .policy files. This is useful for debugging.')) 65 arg_parser.add_argument( 66 '--use-kill-process', 67 action='store_true', 68 help=('Use SECCOMP_RET_KILL_PROCESS instead of ' 69 'SECCOMP_RET_KILL_THREAD (requires Linux v4.14+).')) 70 arg_parser.add_argument('policy', 71 help='The seccomp policy.', 72 type=argparse.FileType('r')) 73 arg_parser.add_argument('output', 74 help='The BPF program.', 75 type=argparse.FileType('wb')) 76 return arg_parser.parse_args(argv), arg_parser 77 78 79 def main(argv=None): 80 """Main entrypoint.""" 81 82 if argv is None: 83 argv = sys.argv[1:] 84 85 opts, arg_parser = parse_args(argv) 86 if not os.path.exists(opts.arch_json): 87 arg_parser.error(CONSTANTS_ERR_MSG) 88 89 parsed_arch = arch.Arch.load_from_json(opts.arch_json) 90 policy_compiler = compiler.PolicyCompiler(parsed_arch) 91 if opts.use_kill_process: 92 kill_action = bpf.KillProcess() 93 else: 94 kill_action = bpf.KillThread() 95 override_default_action = None 96 if opts.default_action: 97 parser_state = parser.ParserState('<memory>') 98 override_default_action = parser.PolicyParser( 99 parsed_arch, kill_action=bpf.KillProcess()).parse_action( 100 next(parser_state.tokenize([opts.default_action]))) 101 with opts.output as outf: 102 outf.write( 103 policy_compiler.compile_file( 104 opts.policy.name, 105 optimization_strategy=opts.optimization_strategy, 106 kill_action=kill_action, 107 include_depth_limit=opts.include_depth_limit, 108 override_default_action=override_default_action, 109 denylist=opts.denylist).opcodes) 110 return 0 111 112 113 if __name__ == '__main__': 114 sys.exit(main(sys.argv[1:]))