Subject: Chen Jingpiao's GSoC status report - #5 of #13

Eugene Syromyatnikov evgsyr at gmail.com
Wed Jun 20 18:03:56 UTC 2018


On Tue, Jun 19, 2018 at 6:57 PM, Chen Jingpiao <chenjingpiao at gmail.com> wrote:
> Hello, strace community!
>
> Last week, I focused on bpf code construction. Added a function to dump bpf code
> for debugging, which will be removed when the project is complete. Now tracing
> syscall numbers in [lower, upper) only needs two bpf instructions. For example:
>
> $ ./strace -d -etrace=1,2,3,4,5 ls >/dev/null
> # offsetof(struct seccomp_data, arch) == 4
> # offsetof(struct seccomp_data, nr) == 0
> STMT(BPF_LD + BPF_W + BPF_ABS, 4)
>
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 11, 3221225534)
> STMT(BPF_LD + BPF_W + BPF_ABS, 0)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 1) # lower
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 7, 6) # upper
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 6, 0, 59)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 2, 1073741824)
> STMT(BPF_LD + BPF_W + BPF_ABS, 4)
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 3, 0, 3221225534)
> STMT(BPF_LD + BPF_W + BPF_ABS, 0)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 1, 0, 335)
> STMT(BPF_RET + BPF_K, 2147418112) # ALLOW
> STMT(BPF_RET + BPF_K, 2146435072) # TRACE
>
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 13, 1073741827)
> STMT(BPF_LD + BPF_W + BPF_ABS, 0)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 1) # lower
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 9, 6) # upper
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 8, 0, 11)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 222)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 6, 224)
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 5, 0, 251)
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 4, 0, 285)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 387)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 2, 446)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 1, 0, 446)
> STMT(BPF_RET + BPF_K, 2147418112) # ALLOW
> STMT(BPF_RET + BPF_K, 2146435072) # TRACE
>
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 9, 3221225534)
> STMT(BPF_LD + BPF_W + BPF_ABS, 0)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 1073741825) # lower
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 5, 1073741830) # upper
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 1073742159)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 3, 1073742336)
> JUMP(BPF_JMP + BPF_JEQ + BPF_K, 2, 0, 1073742344)
> JUMP(BPF_JMP + BPF_JGE + BPF_K, 1, 0, 1073742372)
> STMT(BPF_RET + BPF_K, 2147418112) # ALLOW
> STMT(BPF_RET + BPF_K, 2146435072) # TRACE
>
> STMT(BPF_RET + BPF_K, 2146435072) # TRACE

BTW, there's a classic BPF decoder present already in strace's code
(bpf_filter.c:print_bpf_fprog).

> Next week, I will fix the code and improve the check_seccomp_order function.
>
> --
> Chen Jingpiao
>



-- 
Eugene Syromyatnikov
mailto:evgsyr at gmail.com
xmpp:esyr at jabber.{ru|org}
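An added illustration (not strace's code and not part of the thread) of the two-JGE range check in the dump above: a minimal classic-BPF evaluator run over a filter that TRACEs x86_64 syscalls in [lower, upper) and ALLOWs everything else, fed one constructed seccomp_data. It assumes the Linux uapi headers and, unlike the real dump, checks a single arch and a single range with no per-syscall comparisons after them.

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Minimal classic-BPF evaluator for the forms used in the dump (LD|W|ABS,
 * JMP JEQ/JGE against K, RET K). Jump offsets count from the next insn. */
static uint32_t run_seccomp_filter(const struct sock_filter *prog, size_t len,
				   const struct seccomp_data *sd)
{
	uint32_t acc = 0;
	for (size_t pc = 0; pc < len; pc++) {
		const struct sock_filter *f = &prog[pc];
		switch (BPF_CLASS(f->code)) {
		case BPF_LD:	/* 32-bit word at byte offset k of seccomp_data */
			acc = *(const uint32_t *) ((const char *) sd + f->k);
			break;
		case BPF_JMP:	/* anything but JEQ/JGE is unsupported here */
			if (BPF_OP(f->code) != BPF_JEQ && BPF_OP(f->code) != BPF_JGE)
				return SECCOMP_RET_KILL;
			pc += (BPF_OP(f->code) == BPF_JEQ ? acc == f->k : acc >= f->k)
			      ? f->jt : f->jf;
			break;
		case BPF_RET:
			return f->k;
		default:
			return SECCOMP_RET_KILL;
		}
	}
	return SECCOMP_RET_KILL;	/* ran off the end: invalid program */
}

/* The range filter from the report: TRACE x86_64 syscalls with
 * lower <= nr < upper, ALLOW everything else. "nr < lower" skips the upper
 * check and lands on ALLOW; "nr < upper" falls through to TRACE. */
static uint32_t trace_range_action(uint32_t arch, uint32_t nr,
				   uint32_t lower, uint32_t upper)
{
	const struct sock_filter prog[] = {
		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 0, 3),
		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, lower, 0, 1),	/* lower */
		BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, upper, 0, 1),	/* upper */
		BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
		BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRACE),
	};
	const struct seccomp_data sd = { .nr = (int) nr, .arch = arch };	/* constructed input */
	return run_seccomp_filter(prog, sizeof(prog) / sizeof(prog[0]), &sd);
}
```

Note that the kernel's BPF_JUMP macro takes (code, k, jt, jf), whereas the dump above prints jt and jf before k.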