| #!/usr/bin/python |
| # |
| # Copyright (C) 2016 The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # This script will take any number of trace files generated by strace(1) |
| # and output a system call filtering policy suitable for use with Minijail. |
| |
| from collections import namedtuple |
| import sys |
| |
| NOTICE = """# Copyright (C) 2016 The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| """ |
| |
| ALLOW = "%s: 1" |
| |
| SOCKETCALLS = ["accept", "bind", "connect", "getpeername", "getsockname", |
| "getsockopt", "listen", "recv", "recvfrom", "recvmsg", "send", |
| "sendmsg", "sendto", "setsockopt", "shutdown", "socket", |
| "socketpair"] |
| |
| # /* Protocol families. */ |
| # #define PF_UNSPEC 0 /* Unspecified. */ |
| # #define PF_LOCAL 1 /* Local to host (pipes and file-domain). */ |
| # #define PF_UNIX PF_LOCAL /* POSIX name for PF_LOCAL. */ |
| # #define PF_FILE PF_LOCAL /* Another non-standard name for PF_LOCAL. */ |
| # #define PF_INET 2 /* IP protocol family. */ |
| # #define PF_AX25 3 /* Amateur Radio AX.25. */ |
| # #define PF_IPX 4 /* Novell Internet Protocol. */ |
| # #define PF_APPLETALK 5 /* Appletalk DDP. */ |
| # #define PF_NETROM 6 /* Amateur radio NetROM. */ |
| # #define PF_BRIDGE 7 /* Multiprotocol bridge. */ |
| # #define PF_ATMPVC 8 /* ATM PVCs. */ |
| # #define PF_X25 9 /* Reserved for X.25 project. */ |
| # #define PF_INET6 10 /* IP version 6. */ |
| # #define PF_ROSE 11 /* Amateur Radio X.25 PLP. */ |
| # #define PF_DECnet 12 /* Reserved for DECnet project. */ |
| # #define PF_NETBEUI 13 /* Reserved for 802.2LLC project. */ |
| # #define PF_SECURITY 14 /* Security callback pseudo AF. */ |
| # #define PF_KEY 15 /* PF_KEY key management API. */ |
| # #define PF_NETLINK 16 |
| |
| ArgInspectionEntry = namedtuple("ArgInspectionEntry", "arg_index value_set") |
| |
| |
| def usage(argv): |
| print "%s <trace file> [trace files...]" % argv[0] |
| |
| |
| def main(traces): |
| syscalls = {} |
| |
| uses_socketcall = False |
| |
| basic_set = ["restart_syscall", "exit", "exit_group", |
| "rt_sigreturn"] |
| frequent_set = [] |
| |
| syscall_sets = {} |
| syscall_set_list = [["sigreturn", "rt_sigreturn"], |
| ["sigaction", "rt_sigaction"], |
| ["sigprocmask", "rt_sigprocmask"], |
| ["open", "openat"], |
| ["mmap", "mremap"], |
| ["mmap2", "mremap"]] |
| |
| arg_inspection = { |
| "socket": ArgInspectionEntry(0, set([])), # int domain |
| "ioctl": ArgInspectionEntry(1, set([])), # int request |
| "prctl": ArgInspectionEntry(0, set([])) # int option |
| } |
| |
| for syscall_list in syscall_set_list: |
| for syscall in syscall_list: |
| other_syscalls = syscall_list[:] |
| other_syscalls.remove(syscall) |
| syscall_sets[syscall] = other_syscalls |
| |
| for trace_filename in traces: |
| if "i386" in trace_filename or ("x86" in trace_filename and |
| "64" not in trace_filename): |
| uses_socketcall = True |
| |
| trace_file = open(trace_filename) |
| for line in trace_file: |
| if "---" in line or '(' not in line: |
| continue |
| |
| syscall, args = line.strip().split('(', 1) |
| if uses_socketcall and syscall in SOCKETCALLS: |
| syscall = "socketcall" |
| |
| if syscall in syscalls: |
| syscalls[syscall] += 1 |
| else: |
| syscalls[syscall] = 1 |
| |
| args = [arg.strip() for arg in args.split(')', 1)[0].split(',')] |
| |
| if syscall in arg_inspection: |
| arg_value = args[arg_inspection[syscall].arg_index] |
| arg_inspection[syscall].value_set.add(arg_value) |
| |
| sorted_syscalls = list(zip(*sorted(syscalls.iteritems(), |
| key=lambda pair: pair[1], |
| reverse=True))[0]) |
| |
| print NOTICE |
| |
| # Add frequent syscalls first. |
| for frequent_syscall in frequent_set: |
| sorted_syscalls.remove(frequent_syscall) |
| |
| all_syscalls = frequent_set + sorted_syscalls |
| |
| # Add the basic set once the frequency drops below 2. |
| below_ten_index = -1 |
| for sorted_syscall in sorted_syscalls: |
| if syscalls[sorted_syscall] < 2: |
| below_ten_index = all_syscalls.index(sorted_syscall) |
| break |
| |
| first_half = all_syscalls[:below_ten_index] |
| for basic_syscall in basic_set: |
| if basic_syscall not in all_syscalls: |
| first_half.append(basic_syscall) |
| |
| all_syscalls = first_half + all_syscalls[below_ten_index:] |
| |
| for syscall in all_syscalls: |
| if syscall in arg_inspection: |
| arg_index = arg_inspection[syscall].arg_index |
| arg_values = arg_inspection[syscall].value_set |
| arg_filter = " || ".join(["arg%d == %s" % (arg_index, arg_value) |
| for arg_value in arg_values]) |
| print syscall + ": " + arg_filter |
| else: |
| print ALLOW % syscall |
| |
| |
| if __name__ == "__main__": |
| if len(sys.argv) < 2: |
| usage(sys.argv) |
| sys.exit(1) |
| |
| main(sys.argv[1:]) |
