Paul Chaignon's GSoC status report - #11 of 12
Paul Chaignon
paul.chaignon at gmail.com
Mon Aug 12 16:20:47 UTC 2019
Hi all,
Accomplishments:
- Addressed most comments from Eugene on my RFC v2 patchset. I still need
to adapt print_bpf_fprog() to be able to use it in filter_seccomp.c.
- The subsequent patchset, which introduces two new seccomp-filter
generation strategies (reverse linear and binary match), is almost
finished and available at [1].
I spent more time than expected on this because of what I thought was a
bug. My initial BPF program was rejected by the kernel without any
information other than EINVAL (if you think eBPF debugging is hard, try
cBPF...). It turns out seccomp-bpf doesn't run cBPF but a subset of the
bytecode, with only some whitelisted instructions. The modulo
instruction isn't part of the whitelist. Luckily, we only need nr % 32
and can replace it with nr & 0x1F.
From a first look, the binary match strategy generates the longest BPF
programs for most traced syscall sets. Exceptions I found are:
-echdir,%memory,%ipc,%pure,%signal,%network (introduced as a test for
the under-review patchset)
-e%file (thanks to a few optimizations)
As an example, the bytecodes generated for strace -e%file is shown
below, with the linear and the binary match strategies. Several
optimizations are still possible; I'll rerun evaluations after that.
- I've added a test to the RFC v2 patchset to check seccomp-filter is
enabled by counting the number of syscalls performed in a fixed time
slot. I however don't know yet how to differentiate between expected
and unexpected failures to enable seccomp-filter. I might have to
remove the test if I don't find a way.
Priorities:
- Finish addressing reviews on RFC v2 patchset and send v3.
- Optimize seccomp-filter binary match generation and run new evaluations
to compare with other strategies.
Paul
1 - https://github.com/pchaigno/strace/tree/seccomp-strategies
---
strace -dnf -e%file ls >/dev/null
With binary match program (172 instructions):
STMT(BPF_LDWABS, data->arch)
JUMP(BPF_JEQ, 0, 59, 3221225534)
STMT(BPF_LDWABS, data->nr)
JUMP(BPF_JGE, 2, 0, 1073741824)
STMT(BPF_LDWABS, data->arch)
JUMP(BPF_JA, 55)
STMT(BPF_AND, 0xbfffffff)
STMT(BPF_AND, 0x1f)
STMT(BPF_TAX)
STMT(BPF_LDWIMM, 0x1)
STMT(BPF_LSH, X)
STMT(BPF_TAX)
STMT(BPF_LDWABS, data->nr)
STMT(BPF_AND, 0xbfffffff)
STMT(BPF_RSH, 5)
JUMP(BPF_JEQ, 0, 2, 0)
STMT(BPF_TXA)
JUMP(BPF_JSET, 42, 41, 0x200054)
JUMP(BPF_JEQ, 0, 2, 1)
STMT(BPF_TXA)
JUMP(BPF_JSET, 39, 38, 0x8000000)
JUMP(BPF_JEQ, 0, 2, 2)
STMT(BPF_TXA)
JUMP(BPF_JSET, 36, 35, 0x57fd9000)
JUMP(BPF_JEQ, 34, 0, 3)
JUMP(BPF_JEQ, 0, 2, 4)
STMT(BPF_TXA)
JUMP(BPF_JSET, 32, 31, 0x8000270)
JUMP(BPF_JEQ, 0, 2, 5)
STMT(BPF_TXA)
JUMP(BPF_JSET, 29, 28, 0xb00801ea)
JUMP(BPF_JEQ, 0, 2, 6)
STMT(BPF_TXA)
JUMP(BPF_JSET, 26, 25, 0x6d)
JUMP(BPF_JEQ, 0, 2, 7)
STMT(BPF_TXA)
JUMP(BPF_JSET, 23, 22, 0x40000800)
JUMP(BPF_JEQ, 0, 2, 8)
STMT(BPF_TXA)
JUMP(BPF_JSET, 20, 19, 0x1003ffe)
JUMP(BPF_JEQ, 0, 2, 9)
STMT(BPF_TXA)
JUMP(BPF_JSET, 17, 16, 0x1000a000)
JUMP(BPF_JEQ, 0, 2, 10)
STMT(BPF_TXA)
JUMP(BPF_JSET, 14, 13, 0x1004)
JUMP(BPF_JEQ, 12, 0, 11)
JUMP(BPF_JEQ, 11, 0, 12)
JUMP(BPF_JEQ, 0, 2, 13)
STMT(BPF_TXA)
JUMP(BPF_JSET, 9, 8, 0x2b000)
JUMP(BPF_JEQ, 7, 0, 14)
JUMP(BPF_JEQ, 6, 0, 15)
JUMP(BPF_JEQ, 0, 2, 16)
STMT(BPF_TXA)
JUMP(BPF_JSET, 4, 3, 0x100)
JUMP(BPF_JEQ, 0, 2, 17)
STMT(BPF_TXA)
JUMP(BPF_JSET, 1, 0, 0x2)
STMT(BPF_RET, SECCOMP_RET_ALLOW)
STMT(BPF_RET, SECCOMP_RET_TRACE)
JUMP(BPF_JEQ, 0, 62, 1073741827)
STMT(BPF_LDWABS, data->nr)
STMT(BPF_AND, 0x1f)
STMT(BPF_TAX)
STMT(BPF_LDWIMM, 0x1)
STMT(BPF_LSH, X)
STMT(BPF_TAX)
STMT(BPF_LDWABS, data->nr)
STMT(BPF_RSH, 5)
JUMP(BPF_JEQ, 0, 2, 0)
STMT(BPF_TXA)
JUMP(BPF_JSET, 50, 49, 0x4065df20)
JUMP(BPF_JEQ, 0, 2, 1)
STMT(BPF_TXA)
JUMP(BPF_JSET, 47, 46, 0x201801c2)
JUMP(BPF_JEQ, 0, 2, 2)
STMT(BPF_TXA)
JUMP(BPF_JSET, 44, 43, 0x10f80000)
JUMP(BPF_JEQ, 0, 2, 3)
STMT(BPF_TXA)
JUMP(BPF_JSET, 41, 40, 0x280c48)
JUMP(BPF_JEQ, 0, 2, 4)
STMT(BPF_TXA)
JUMP(BPF_JSET, 38, 37, 0x8)
JUMP(BPF_JEQ, 0, 2, 5)
STMT(BPF_TXA)
JUMP(BPF_JSET, 35, 34, 0xc00000)
JUMP(BPF_JEQ, 0, 2, 6)
STMT(BPF_TXA)
JUMP(BPF_JSET, 32, 31, 0x210005a)
JUMP(BPF_JEQ, 0, 2, 7)
STMT(BPF_TXA)
JUMP(BPF_JSET, 29, 28, 0x1b6c)
JUMP(BPF_JEQ, 0, 2, 8)
STMT(BPF_TXA)
JUMP(BPF_JSET, 26, 25, 0x9000)
JUMP(BPF_JEQ, 0, 2, 9)
STMT(BPF_TXA)
JUMP(BPF_JSET, 23, 22, 0xfff90)
JUMP(BPF_JEQ, 0, 2, 10)
STMT(BPF_TXA)
JUMP(BPF_JSET, 20, 19, 0x280001)
JUMP(BPF_JEQ, 0, 2, 11)
STMT(BPF_TXA)
JUMP(BPF_JSET, 17, 16, 0x80000042)
JUMP(BPF_JEQ, 0, 2, 12)
STMT(BPF_TXA)
JUMP(BPF_JSET, 14, 13, 0x10000000)
JUMP(BPF_JEQ, 0, 2, 13)
STMT(BPF_TXA)
JUMP(BPF_JSET, 11, 10, 0x2b000)
JUMP(BPF_JEQ, 9, 0, 14)
JUMP(BPF_JEQ, 0, 2, 15)
STMT(BPF_TXA)
JUMP(BPF_JSET, 7, 6, 0xffe00000)
JUMP(BPF_JEQ, 0, 2, 16)
STMT(BPF_TXA)
JUMP(BPF_JSET, 4, 3, 0xc0f03dff)
JUMP(BPF_JEQ, 0, 2, 17)
STMT(BPF_TXA)
JUMP(BPF_JSET, 1, 0, 0x3)
STMT(BPF_RET, SECCOMP_RET_ALLOW)
STMT(BPF_RET, SECCOMP_RET_TRACE)
JUMP(BPF_JEQ, 0, 46, 3221225534)
STMT(BPF_LDWABS, data->nr)
STMT(BPF_AND, 0x1f)
STMT(BPF_TAX)
STMT(BPF_LDWIMM, 0x1)
STMT(BPF_LSH, X)
STMT(BPF_TAX)
STMT(BPF_LDWABS, data->nr)
STMT(BPF_RSH, 5)
JUMP(BPF_JEQ, 0, 2, 0)
STMT(BPF_TXA)
JUMP(BPF_JSET, 34, 33, 0x200054)
JUMP(BPF_JEQ, 0, 2, 1)
STMT(BPF_TXA)
JUMP(BPF_JSET, 31, 30, 0x8000000)
JUMP(BPF_JEQ, 0, 2, 2)
STMT(BPF_TXA)
JUMP(BPF_JSET, 28, 27, 0x57fd9000)
JUMP(BPF_JEQ, 26, 0, 3)
JUMP(BPF_JEQ, 0, 2, 4)
STMT(BPF_TXA)
JUMP(BPF_JSET, 24, 23, 0x8000270)
JUMP(BPF_JEQ, 0, 2, 5)
STMT(BPF_TXA)
JUMP(BPF_JSET, 21, 20, 0xb00801ea)
JUMP(BPF_JEQ, 0, 2, 6)
STMT(BPF_TXA)
JUMP(BPF_JSET, 18, 17, 0x6d)
JUMP(BPF_JEQ, 0, 2, 7)
STMT(BPF_TXA)
JUMP(BPF_JSET, 15, 14, 0x40000800)
JUMP(BPF_JEQ, 0, 2, 8)
STMT(BPF_TXA)
JUMP(BPF_JSET, 12, 11, 0x1003ffe)
JUMP(BPF_JEQ, 0, 2, 9)
STMT(BPF_TXA)
JUMP(BPF_JSET, 9, 8, 0x1000a000)
JUMP(BPF_JEQ, 0, 2, 10)
STMT(BPF_TXA)
JUMP(BPF_JSET, 6, 5, 0x1004)
JUMP(BPF_JEQ, 4, 0, 11)
JUMP(BPF_JEQ, 3, 0, 12)
JUMP(BPF_JEQ, 0, 2, 13)
STMT(BPF_TXA)
JUMP(BPF_JSET, 1, 0, 0x2b000)
STMT(BPF_RET, SECCOMP_RET_ALLOW)
STMT(BPF_RET, SECCOMP_RET_TRACE)
STMT(BPF_RET, SECCOMP_RET_TRACE)
With linear program (173 instructions):
STMT(BPF_LDWABS, data->arch)
JUMP(BPF_JEQ, 0, 52, 3221225534)
STMT(BPF_LDWABS, data->nr)
JUMP(BPF_JGE, 2, 0, 1073741824)
STMT(BPF_LDWABS, data->arch)
JUMP(BPF_JA, 48)
JUMP(BPF_JEQ, 46, 0, 1073741826)
JUMP(BPF_JEQ, 45, 0, 1073741828)
JUMP(BPF_JEQ, 44, 0, 1073741830)
JUMP(BPF_JEQ, 43, 0, 1073741845)
JUMP(BPF_JEQ, 42, 0, 1073741883)
JUMP(BPF_JEQ, 41, 0, 1073741900)
JUMP(BPF_JGE, 0, 1, 1073741903)
JUMP(BPF_JGE, 0, 39, 1073741905)
JUMP(BPF_JGE, 0, 1, 1073741906)
JUMP(BPF_JGE, 0, 37, 1073741915)
JUMP(BPF_JEQ, 36, 0, 1073741916)
JUMP(BPF_JEQ, 35, 0, 1073741918)
JUMP(BPF_JGE, 0, 1, 1073741956)
JUMP(BPF_JGE, 0, 33, 1073741959)
JUMP(BPF_JEQ, 32, 0, 1073741961)
JUMP(BPF_JEQ, 31, 0, 1073741979)
JUMP(BPF_JEQ, 30, 0, 1073741985)
JUMP(BPF_JEQ, 29, 0, 1073741987)
JUMP(BPF_JGE, 0, 1, 1073741989)
JUMP(BPF_JGE, 0, 27, 1073741993)
JUMP(BPF_JEQ, 26, 0, 1073742003)
JUMP(BPF_JGE, 0, 1, 1073742012)
JUMP(BPF_JGE, 0, 24, 1073742014)
JUMP(BPF_JGE, 0, 1, 1073742015)
JUMP(BPF_JGE, 0, 22, 1073742017)
JUMP(BPF_JGE, 0, 1, 1073742018)
JUMP(BPF_JGE, 0, 20, 1073742020)
JUMP(BPF_JGE, 0, 1, 1073742021)
JUMP(BPF_JGE, 0, 18, 1073742023)
JUMP(BPF_JEQ, 17, 0, 1073742059)
JUMP(BPF_JEQ, 16, 0, 1073742078)
JUMP(BPF_JGE, 0, 1, 1073742081)
JUMP(BPF_JGE, 0, 14, 1073742094)
JUMP(BPF_JEQ, 13, 0, 1073742104)
JUMP(BPF_JEQ, 12, 0, 1073742125)
JUMP(BPF_JEQ, 11, 0, 1073742127)
JUMP(BPF_JEQ, 10, 0, 1073742140)
JUMP(BPF_JEQ, 9, 0, 1073742146)
JUMP(BPF_JEQ, 8, 0, 1073742156)
JUMP(BPF_JGE, 0, 1, 1073742252)
JUMP(BPF_JGE, 0, 6, 1073742254)
JUMP(BPF_JEQ, 5, 0, 1073742255)
JUMP(BPF_JEQ, 4, 0, 1073742257)
JUMP(BPF_JEQ, 3, 0, 1073742344)
JUMP(BPF_JEQ, 2, 0, 1073742369)
JUMP(BPF_JGE, 1, 0, 1073742372)
STMT(BPF_RET, SECCOMP_RET_ALLOW)
STMT(BPF_RET, SECCOMP_RET_TRACE)
JUMP(BPF_JEQ, 0, 69, 1073741827)
STMT(BPF_LDWABS, data->nr)
JUMP(BPF_JEQ, 66, 0, 5)
JUMP(BPF_JGE, 0, 1, 8)
JUMP(BPF_JGE, 0, 64, 13)
JUMP(BPF_JGE, 0, 1, 14)
JUMP(BPF_JGE, 0, 62, 17)
JUMP(BPF_JEQ, 61, 0, 18)
JUMP(BPF_JGE, 0, 1, 21)
JUMP(BPF_JGE, 0, 59, 23)
JUMP(BPF_JEQ, 58, 0, 30)
JUMP(BPF_JEQ, 57, 0, 33)
JUMP(BPF_JGE, 0, 1, 38)
JUMP(BPF_JGE, 0, 55, 41)
JUMP(BPF_JGE, 0, 1, 51)
JUMP(BPF_JGE, 0, 53, 53)
JUMP(BPF_JEQ, 52, 0, 61)
JUMP(BPF_JGE, 0, 1, 83)
JUMP(BPF_JGE, 0, 50, 88)
JUMP(BPF_JEQ, 49, 0, 92)
JUMP(BPF_JEQ, 48, 0, 99)
JUMP(BPF_JEQ, 47, 0, 102)
JUMP(BPF_JGE, 0, 1, 106)
JUMP(BPF_JGE, 0, 45, 108)
JUMP(BPF_JEQ, 44, 0, 115)
JUMP(BPF_JEQ, 43, 0, 117)
JUMP(BPF_JEQ, 42, 0, 131)
JUMP(BPF_JGE, 0, 1, 182)
JUMP(BPF_JGE, 0, 40, 184)
JUMP(BPF_JEQ, 39, 0, 193)
JUMP(BPF_JGE, 0, 1, 195)
JUMP(BPF_JGE, 0, 37, 197)
JUMP(BPF_JEQ, 36, 0, 198)
JUMP(BPF_JEQ, 35, 0, 212)
JUMP(BPF_JEQ, 34, 0, 217)
JUMP(BPF_JGE, 0, 1, 226)
JUMP(BPF_JGE, 0, 32, 228)
JUMP(BPF_JGE, 0, 1, 229)
JUMP(BPF_JGE, 0, 30, 231)
JUMP(BPF_JGE, 0, 1, 232)
JUMP(BPF_JGE, 0, 28, 234)
JUMP(BPF_JGE, 0, 1, 235)
JUMP(BPF_JGE, 0, 26, 237)
JUMP(BPF_JEQ, 25, 0, 268)
JUMP(BPF_JEQ, 24, 0, 271)
JUMP(BPF_JEQ, 23, 0, 292)
JUMP(BPF_JGE, 0, 1, 295)
JUMP(BPF_JGE, 0, 21, 308)
JUMP(BPF_JEQ, 20, 0, 320)
JUMP(BPF_JEQ, 19, 0, 339)
JUMP(BPF_JEQ, 18, 0, 341)
JUMP(BPF_JEQ, 17, 0, 353)
JUMP(BPF_JEQ, 16, 0, 358)
JUMP(BPF_JEQ, 15, 0, 383)
JUMP(BPF_JEQ, 14, 0, 412)
JUMP(BPF_JGE, 0, 1, 428)
JUMP(BPF_JGE, 0, 12, 430)
JUMP(BPF_JEQ, 11, 0, 431)
JUMP(BPF_JEQ, 10, 0, 433)
JUMP(BPF_JGE, 0, 1, 501)
JUMP(BPF_JGE, 0, 8, 521)
JUMP(BPF_JGE, 0, 1, 522)
JUMP(BPF_JGE, 0, 6, 526)
JUMP(BPF_JGE, 0, 1, 532)
JUMP(BPF_JGE, 0, 4, 536)
JUMP(BPF_JGE, 0, 1, 542)
JUMP(BPF_JGE, 0, 2, 546)
JUMP(BPF_JGE, 1, 0, 546)
STMT(BPF_RET, SECCOMP_RET_ALLOW)
STMT(BPF_RET, SECCOMP_RET_TRACE)
JUMP(BPF_JEQ, 0, 47, 3221225534)
STMT(BPF_LDWABS, data->nr)
JUMP(BPF_JEQ, 44, 0, 2)
JUMP(BPF_JEQ, 43, 0, 4)
JUMP(BPF_JEQ, 42, 0, 6)
JUMP(BPF_JEQ, 41, 0, 21)
JUMP(BPF_JEQ, 40, 0, 59)
JUMP(BPF_JEQ, 39, 0, 76)
JUMP(BPF_JGE, 0, 1, 79)
JUMP(BPF_JGE, 0, 37, 81)
JUMP(BPF_JGE, 0, 1, 82)
JUMP(BPF_JGE, 0, 35, 91)
JUMP(BPF_JEQ, 34, 0, 92)
JUMP(BPF_JEQ, 33, 0, 94)
JUMP(BPF_JGE, 0, 1, 132)
JUMP(BPF_JGE, 0, 31, 135)
JUMP(BPF_JEQ, 30, 0, 137)
JUMP(BPF_JEQ, 29, 0, 155)
JUMP(BPF_JEQ, 28, 0, 161)
JUMP(BPF_JEQ, 27, 0, 163)
JUMP(BPF_JGE, 0, 1, 165)
JUMP(BPF_JGE, 0, 25, 169)
JUMP(BPF_JEQ, 24, 0, 179)
JUMP(BPF_JGE, 0, 1, 188)
JUMP(BPF_JGE, 0, 22, 190)
JUMP(BPF_JGE, 0, 1, 191)
JUMP(BPF_JGE, 0, 20, 193)
JUMP(BPF_JGE, 0, 1, 194)
JUMP(BPF_JGE, 0, 18, 196)
JUMP(BPF_JGE, 0, 1, 197)
JUMP(BPF_JGE, 0, 16, 199)
JUMP(BPF_JEQ, 15, 0, 235)
JUMP(BPF_JEQ, 14, 0, 254)
JUMP(BPF_JGE, 0, 1, 257)
JUMP(BPF_JGE, 0, 12, 270)
JUMP(BPF_JEQ, 11, 0, 280)
JUMP(BPF_JEQ, 10, 0, 301)
JUMP(BPF_JEQ, 9, 0, 303)
JUMP(BPF_JEQ, 8, 0, 316)
JUMP(BPF_JEQ, 7, 0, 322)
JUMP(BPF_JEQ, 6, 0, 332)
JUMP(BPF_JGE, 0, 1, 428)
JUMP(BPF_JGE, 0, 4, 430)
JUMP(BPF_JEQ, 3, 0, 431)
JUMP(BPF_JEQ, 2, 0, 433)
JUMP(BPF_JGE, 1, 0, 434)
STMT(BPF_RET, SECCOMP_RET_ALLOW)
STMT(BPF_RET, SECCOMP_RET_TRACE)
STMT(BPF_RET, SECCOMP_RET_TRACE)
More information about the Strace-devel
mailing list