Add a syscall filter generation script.
Many people have found this script useful to bootstrap their seccomp
filter policies. Add it to the repo instead of keeping it elsewhere.
Bug: None
Change-Id: I1ec0c25eb52aac1542f710a5acdb7d2616d075d6
diff --git a/tools/generate_seccomp_policy.py b/tools/generate_seccomp_policy.py
new file mode 100755
index 0000000..0b51e71
--- /dev/null
+++ b/tools/generate_seccomp_policy.py
@@ -0,0 +1,169 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script will take any number of trace files generated by strace(1)
+# and output a system call filtering policy suitable for use with Minijail.
+
+from collections import namedtuple
+import sys
+
+NOTICE = """# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+
+ALLOW = "%s: 1"
+
+SOCKETCALLS = ["accept", "bind", "connect", "getpeername", "getsockname",
+ "getsockopt", "listen", "recv", "recvfrom", "recvmsg", "send",
+ "sendmsg", "sendto", "setsockopt", "shutdown", "socket",
+ "socketpair"]
+
+# /* Protocol families. */
+# #define PF_UNSPEC 0 /* Unspecified. */
+# #define PF_LOCAL 1 /* Local to host (pipes and file-domain). */
+# #define PF_UNIX PF_LOCAL /* POSIX name for PF_LOCAL. */
+# #define PF_FILE PF_LOCAL /* Another non-standard name for PF_LOCAL. */
+# #define PF_INET 2 /* IP protocol family. */
+# #define PF_AX25 3 /* Amateur Radio AX.25. */
+# #define PF_IPX 4 /* Novell Internet Protocol. */
+# #define PF_APPLETALK 5 /* Appletalk DDP. */
+# #define PF_NETROM 6 /* Amateur radio NetROM. */
+# #define PF_BRIDGE 7 /* Multiprotocol bridge. */
+# #define PF_ATMPVC 8 /* ATM PVCs. */
+# #define PF_X25 9 /* Reserved for X.25 project. */
+# #define PF_INET6 10 /* IP version 6. */
+# #define PF_ROSE 11 /* Amateur Radio X.25 PLP. */
+# #define PF_DECnet 12 /* Reserved for DECnet project. */
+# #define PF_NETBEUI 13 /* Reserved for 802.2LLC project. */
+# #define PF_SECURITY 14 /* Security callback pseudo AF. */
+# #define PF_KEY 15 /* PF_KEY key management API. */
+# #define PF_NETLINK 16
+
+ArgInspectionEntry = namedtuple("ArgInspectionEntry", "arg_index value_set")
+
+
+def usage(argv):
+ print "%s <trace file> [trace files...]" % argv[0]
+
+
+def main(traces):
+ syscalls = {}
+
+ uses_socketcall = False
+
+ basic_set = ["restart_syscall", "exit", "exit_group",
+ "rt_sigreturn"]
+ frequent_set = []
+
+ syscall_sets = {}
+ syscall_set_list = [["sigreturn", "rt_sigreturn"],
+ ["sigaction", "rt_sigaction"],
+ ["sigprocmask", "rt_sigprocmask"],
+ ["open", "openat"],
+ ["mmap", "mremap"],
+ ["mmap2", "mremap"]]
+
+ arg_inspection = {
+ "socket": ArgInspectionEntry(0, set([])), # int domain
+ "ioctl": ArgInspectionEntry(1, set([])), # int request
+ "prctl": ArgInspectionEntry(0, set([])) # int option
+ }
+
+ for syscall_list in syscall_set_list:
+ for syscall in syscall_list:
+ other_syscalls = syscall_list[:]
+ other_syscalls.remove(syscall)
+ syscall_sets[syscall] = other_syscalls
+
+ for trace_filename in traces:
+ if "i386" in trace_filename or ("x86" in trace_filename and
+ "64" not in trace_filename):
+ uses_socketcall = True
+
+ trace_file = open(trace_filename)
+ for line in trace_file:
+ if "---" in line or '(' not in line:
+ continue
+
+ syscall, args = line.strip().split('(', 1)
+ if uses_socketcall and syscall in SOCKETCALLS:
+ syscall = "socketcall"
+
+ if syscall in syscalls:
+ syscalls[syscall] += 1
+ else:
+ syscalls[syscall] = 1
+
+ args = [arg.strip() for arg in args.split(')', 1)[0].split(',')]
+
+ if syscall in arg_inspection:
+ arg_value = args[arg_inspection[syscall].arg_index]
+ arg_inspection[syscall].value_set.add(arg_value)
+
+ sorted_syscalls = list(zip(*sorted(syscalls.iteritems(),
+ key=lambda pair: pair[1],
+ reverse=True))[0])
+
+ print NOTICE
+
+ # Add frequent syscalls first.
+ for frequent_syscall in frequent_set:
+ sorted_syscalls.remove(frequent_syscall)
+
+ all_syscalls = frequent_set + sorted_syscalls
+
+ # Add the basic set once the frequency drops below 2.
+ below_ten_index = -1
+ for sorted_syscall in sorted_syscalls:
+ if syscalls[sorted_syscall] < 2:
+ below_ten_index = all_syscalls.index(sorted_syscall)
+ break
+
+ first_half = all_syscalls[:below_ten_index]
+ for basic_syscall in basic_set:
+ if basic_syscall not in all_syscalls:
+ first_half.append(basic_syscall)
+
+ all_syscalls = first_half + all_syscalls[below_ten_index:]
+
+ for syscall in all_syscalls:
+ if syscall in arg_inspection:
+ arg_index = arg_inspection[syscall].arg_index
+ arg_values = arg_inspection[syscall].value_set
+ arg_filter = " || ".join(["arg%d == %s" % (arg_index, arg_value)
+ for arg_value in arg_values])
+ print syscall + ": " + arg_filter
+ else:
+ print ALLOW % syscall
+
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ usage(sys.argv)
+ sys.exit(1)
+
+ main(sys.argv[1:])
