generate_seccomp_policy.py - Android社区 - https://www.androidos.net.cn/

#!/usr/bin/python
#
# Copyright (C) 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will take any number of trace files generated by strace(1)
# and output a system call filtering policy suitable for use with Minijail.

from collections import namedtuple
import sys

NOTICE = """# Copyright (C) 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""

ALLOW = "%s: 1"

SOCKETCALLS = ["accept", "bind", "connect", "getpeername", "getsockname",
               "getsockopt", "listen", "recv", "recvfrom", "recvmsg", "send",
               "sendmsg", "sendto", "setsockopt", "shutdown", "socket",
               "socketpair"]

# /* Protocol families.  */
# #define PF_UNSPEC     0       /* Unspecified.  */
# #define PF_LOCAL      1       /* Local to host (pipes and file-domain).  */
# #define PF_UNIX       PF_LOCAL /* POSIX name for PF_LOCAL.  */
# #define PF_FILE       PF_LOCAL /* Another non-standard name for PF_LOCAL.  */
# #define PF_INET       2       /* IP protocol family.  */
# #define PF_AX25       3       /* Amateur Radio AX.25.  */
# #define PF_IPX        4       /* Novell Internet Protocol.  */
# #define PF_APPLETALK  5       /* Appletalk DDP.  */
# #define PF_NETROM     6       /* Amateur radio NetROM.  */
# #define PF_BRIDGE     7       /* Multiprotocol bridge.  */
# #define PF_ATMPVC     8       /* ATM PVCs.  */
# #define PF_X25        9       /* Reserved for X.25 project.  */
# #define PF_INET6     10      /* IP version 6.  */
# #define PF_ROSE      11      /* Amateur Radio X.25 PLP.  */
# #define PF_DECnet    12      /* Reserved for DECnet project.  */
# #define PF_NETBEUI   13      /* Reserved for 802.2LLC project.  */
# #define PF_SECURITY  14      /* Security callback pseudo AF.  */
# #define PF_KEY       15      /* PF_KEY key management API.  */
# #define PF_NETLINK   16

ArgInspectionEntry = namedtuple("ArgInspectionEntry", "arg_index value_set")

def usage(argv):
    print "%s <trace file> [trace files...]" % argv[0]

def main(traces):
    syscalls = {}

uses_socketcall = False

basic_set = ["restart_syscall", "exit", "exit_group",
                 "rt_sigreturn"]
    frequent_set = []

syscall_sets = {}
    syscall_set_list = [["sigreturn", "rt_sigreturn"],
                        ["sigaction", "rt_sigaction"],
                        ["sigprocmask", "rt_sigprocmask"],
                        ["open", "openat"],
                        ["mmap", "mremap"],
                        ["mmap2", "mremap"]]

arg_inspection = {
        "socket": ArgInspectionEntry(0, set([])),   # int domain
        "ioctl": ArgInspectionEntry(1, set([])),    # int request
        "prctl": ArgInspectionEntry(0, set([]))     # int option
    }

for syscall_list in syscall_set_list:
        for syscall in syscall_list:
            other_syscalls = syscall_list[:]
            other_syscalls.remove(syscall)
            syscall_sets[syscall] = other_syscalls

for trace_filename in traces:
        if "i386" in trace_filename or ("x86" in trace_filename and
                                        "64" not in trace_filename):
            uses_socketcall = True

trace_file = open(trace_filename)
        for line in trace_file:
            if "---" in line or '(' not in line:
                continue

syscall, args = line.strip().split('(', 1)
            if uses_socketcall and syscall in SOCKETCALLS:
                syscall = "socketcall"

if syscall in syscalls:
                syscalls[syscall] += 1
            else:
                syscalls[syscall] = 1

args = [arg.strip() for arg in args.split(')', 1)[0].split(',')]

if syscall in arg_inspection:
                arg_value = args[arg_inspection[syscall].arg_index]
                arg_inspection[syscall].value_set.add(arg_value)

sorted_syscalls = list(zip(*sorted(syscalls.iteritems(),
                                       key=lambda pair: pair[1],
                                       reverse=True))[0])

print NOTICE

# Add frequent syscalls first.
    for frequent_syscall in frequent_set:
        sorted_syscalls.remove(frequent_syscall)

all_syscalls = frequent_set + sorted_syscalls

# Add the basic set once the frequency drops below 2.
    below_ten_index = -1
    for sorted_syscall in sorted_syscalls:
        if syscalls[sorted_syscall] < 2:
            below_ten_index = all_syscalls.index(sorted_syscall)
            break

first_half = all_syscalls[:below_ten_index]
    for basic_syscall in basic_set:
        if basic_syscall not in all_syscalls:
            first_half.append(basic_syscall)

all_syscalls = first_half + all_syscalls[below_ten_index:]

for syscall in all_syscalls:
        if syscall in arg_inspection:
            arg_index = arg_inspection[syscall].arg_index
            arg_values = arg_inspection[syscall].value_set
            arg_filter = " || ".join(["arg%d == %s" % (arg_index, arg_value)
                                      for arg_value in arg_values])
            print syscall + ": " + arg_filter
        else:
            print ALLOW % syscall

if __name__ == "__main__":
    if len(sys.argv) < 2:
        usage(sys.argv)
        sys.exit(1)

main(sys.argv[1:])

普通文本 | 170行 | 6.17 KB

#!/usr/bin/python
#
# Copyright (C) 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will take any number of trace files generated by strace(1)
# and output a system call filtering policy suitable for use with Minijail.

from collections import namedtuple
import sys

NOTICE = """# Copyright (C) 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""

ALLOW = "%s: 1"

SOCKETCALLS = ["accept", "bind", "connect", "getpeername", "getsockname",
               "getsockopt", "listen", "recv", "recvfrom", "recvmsg", "send",
               "sendmsg", "sendto", "setsockopt", "shutdown", "socket",
               "socketpair"]

# /* Protocol families.  */
# #define PF_UNSPEC     0       /* Unspecified.  */
# #define PF_LOCAL      1       /* Local to host (pipes and file-domain).  */
# #define PF_UNIX       PF_LOCAL /* POSIX name for PF_LOCAL.  */
# #define PF_FILE       PF_LOCAL /* Another non-standard name for PF_LOCAL.  */
# #define PF_INET       2       /* IP protocol family.  */
# #define PF_AX25       3       /* Amateur Radio AX.25.  */
# #define PF_IPX        4       /* Novell Internet Protocol.  */
# #define PF_APPLETALK  5       /* Appletalk DDP.  */
# #define PF_NETROM     6       /* Amateur radio NetROM.  */
# #define PF_BRIDGE     7       /* Multiprotocol bridge.  */
# #define PF_ATMPVC     8       /* ATM PVCs.  */
# #define PF_X25        9       /* Reserved for X.25 project.  */
# #define PF_INET6     10      /* IP version 6.  */
# #define PF_ROSE      11      /* Amateur Radio X.25 PLP.  */
# #define PF_DECnet    12      /* Reserved for DECnet project.  */
# #define PF_NETBEUI   13      /* Reserved for 802.2LLC project.  */
# #define PF_SECURITY  14      /* Security callback pseudo AF.  */
# #define PF_KEY       15      /* PF_KEY key management API.  */
# #define PF_NETLINK   16

ArgInspectionEntry = namedtuple("ArgInspectionEntry", "arg_index value_set")


def usage(argv):
    print "%s <trace file> [trace files...]" % argv[0]


def main(traces):
    syscalls = {}

    uses_socketcall = False

    basic_set = ["restart_syscall", "exit", "exit_group",
                 "rt_sigreturn"]
    frequent_set = []

    syscall_sets = {}
    syscall_set_list = [["sigreturn", "rt_sigreturn"],
                        ["sigaction", "rt_sigaction"],
                        ["sigprocmask", "rt_sigprocmask"],
                        ["open", "openat"],
                        ["mmap", "mremap"],
                        ["mmap2", "mremap"]]

    arg_inspection = {
        "socket": ArgInspectionEntry(0, set([])),   # int domain
        "ioctl": ArgInspectionEntry(1, set([])),    # int request
        "prctl": ArgInspectionEntry(0, set([]))     # int option
    }

    for syscall_list in syscall_set_list:
        for syscall in syscall_list:
            other_syscalls = syscall_list[:]
            other_syscalls.remove(syscall)
            syscall_sets[syscall] = other_syscalls

    for trace_filename in traces:
        if "i386" in trace_filename or ("x86" in trace_filename and
                                        "64" not in trace_filename):
            uses_socketcall = True

        trace_file = open(trace_filename)
        for line in trace_file:
            if "---" in line or '(' not in line:
                continue

            syscall, args = line.strip().split('(', 1)
            if uses_socketcall and syscall in SOCKETCALLS:
                syscall = "socketcall"

            if syscall in syscalls:
                syscalls[syscall] += 1
            else:
                syscalls[syscall] = 1

            args = [arg.strip() for arg in args.split(')', 1)[0].split(',')]

            if syscall in arg_inspection:
                arg_value = args[arg_inspection[syscall].arg_index]
                arg_inspection[syscall].value_set.add(arg_value)

    sorted_syscalls = list(zip(*sorted(syscalls.iteritems(),
                                       key=lambda pair: pair[1],
                                       reverse=True))[0])

    print NOTICE

    # Add frequent syscalls first.
    for frequent_syscall in frequent_set:
        sorted_syscalls.remove(frequent_syscall)

    all_syscalls = frequent_set + sorted_syscalls

    # Add the basic set once the frequency drops below 2.
    below_ten_index = -1
    for sorted_syscall in sorted_syscalls:
        if syscalls[sorted_syscall] < 2:
            below_ten_index = all_syscalls.index(sorted_syscall)
            break

    first_half = all_syscalls[:below_ten_index]
    for basic_syscall in basic_set:
        if basic_syscall not in all_syscalls:
            first_half.append(basic_syscall)

    all_syscalls = first_half + all_syscalls[below_ten_index:]

    for syscall in all_syscalls:
        if syscall in arg_inspection:
            arg_index = arg_inspection[syscall].arg_index
            arg_values = arg_inspection[syscall].value_set
            arg_filter = " || ".join(["arg%d == %s" % (arg_index, arg_value)
                                      for arg_value in arg_values])
            print syscall + ": " + arg_filter
        else:
            print ALLOW % syscall


if __name__ == "__main__":
    if len(sys.argv) < 2:
        usage(sys.argv)
        sys.exit(1)

    main(sys.argv[1:])

登录后可以享受更多权益