• source navigation  • diff markup  • identifier search  • freetext search  • 

Sources/procd/trace/trace.c

  1 /*
  2  * Copyright (C) 2015 John Crispin <blogic@openwrt.org>
  3  *
  4  * This program is free software; you can redistribute it and/or modify
  5  * it under the terms of the GNU Lesser General Public License version 2.1
  6  * as published by the Free Software Foundation
  7  *
  8  * This program is distributed in the hope that it will be useful,
  9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 11  * GNU General Public License for more details.
 12  */
 13 
 14 #define _GNU_SOURCE
 15 #include <fcntl.h>
 16 #include <stddef.h>
 17 #include <sys/ptrace.h>
 18 #include <sys/stat.h>
 19 #include <sys/types.h>
 20 #include <sys/user.h>
 21 #include <sys/wait.h>
 22 #include <unistd.h>
 23 #include <stdlib.h>
 24 #include <stdio.h>
 25 #include <errno.h>
 26 #include <string.h>
 27 #include <syslog.h>
 28 #include <limits.h>
 29 
 30 #ifndef PTRACE_EVENT_STOP
 31 /* PTRACE_EVENT_STOP is defined in linux/ptrace.h, but this header
 32  * collides with musl's sys/ptrace.h */
 33 #define PTRACE_EVENT_STOP 128
 34 #endif
 35 
 36 #ifndef PTRACE_EVENT_SECCOMP
 37 /* undefined with uClibc-ng */
 38 #define PTRACE_EVENT_SECCOMP 7
 39 #endif
 40 
 41 #include <libubox/ulog.h>
 42 #include <libubox/uloop.h>
 43 #include <libubox/blobmsg.h>
 44 #include <libubox/blobmsg_json.h>
 45 
 46 #include "../syscall-names.h"
 47 
 48 #define _offsetof(a, b) __builtin_offsetof(a,b)
 49 #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 50 
 51 #ifdef __amd64__
 52 #define reg_syscall_nr  _offsetof(struct user, regs.orig_rax)
 53 #elif defined(__i386__)
 54 #define reg_syscall_nr  _offsetof(struct user, regs.orig_eax)
 55 #elif defined(__mips)
 56 # ifndef EF_REG2
 57 # define EF_REG2        8
 58 # endif
 59 #define reg_syscall_nr  (EF_REG2 / 4)
 60 #elif defined(__arm__)
 61 #include <asm/ptrace.h>         /* for PTRACE_SET_SYSCALL */
 62 #define reg_syscall_nr  _offsetof(struct user, regs.uregs[7])
 63 # if defined(__ARM_EABI__)
 64 # define reg_retval_nr  _offsetof(struct user, regs.uregs[0])
 65 # endif
 66 #elif defined(__PPC__)
 67 #define reg_syscall_nr  _offsetof(struct user, regs.gpr[0])
 68 #define reg_retval_nr   _offsetof(struct user, regs.gpr[3])
 69 #else
 70 #error tracing is not supported on this architecture
 71 #endif
 72 
 73 enum mode {
 74         UTRACE,
 75         SECCOMP_TRACE,
 76 } mode = UTRACE;
 77 
 78 struct tracee {
 79         struct uloop_process proc;
 80         int in_syscall;
 81 };
 82 
 83 static struct tracee tracer;
 84 static int syscall_count[SYSCALL_COUNT];
 85 static int violation_count;
 86 static struct blob_buf b;
 87 static int debug;
 88 char *json = NULL;
 89 int ptrace_restart;
 90 
 91 static void set_syscall(const char *name, int val)
 92 {
 93         int i;
 94 
 95         for (i = 0; i < SYSCALL_COUNT; i++) {
 96                 int sc = syscall_index_to_number(i);
 97                 if (syscall_name(sc) && !strcmp(syscall_name(sc), name)) {
 98                         syscall_count[i] = val;
 99                         return;
100                 }
101         }
102 }
103 
104 struct syscall {
105         int syscall;
106         int count;
107 };
108 
109 static int cmp_count(const void *a, const void *b)
110 {
111         return ((struct syscall*)b)->count - ((struct syscall*)a)->count;
112 }
113 
114 static void print_syscalls(int policy, const char *json)
115 {
116         void *c;
117         int i;
118 
119         if (mode == UTRACE) {
120                 set_syscall("rt_sigaction", 1);
121                 set_syscall("sigreturn", 1);
122                 set_syscall("rt_sigreturn", 1);
123                 set_syscall("exit_group", 1);
124                 set_syscall("exit", 1);
125         }
126 
127         struct syscall sorted[SYSCALL_COUNT];
128 
129         for (i = 0; i < SYSCALL_COUNT; i++) {
130                 sorted[i].syscall = syscall_index_to_number(i);
131                 sorted[i].count = syscall_count[i];
132         }
133 
134         qsort(sorted, SYSCALL_COUNT, sizeof(sorted[0]), cmp_count);
135 
136         blob_buf_init(&b, 0);
137         c = blobmsg_open_array(&b, "whitelist");
138 
139         for (i = 0; i < SYSCALL_COUNT; i++) {
140                 int sc = sorted[i].syscall;
141                 if (!sorted[i].count)
142                         break;
143                 if (syscall_name(sc)) {
144                         if (debug)
145                                 printf("syscall %d (%s) was called %d times\n",
146                                        sc, syscall_name(sc), sorted[i].count);
147                         blobmsg_add_string(&b, NULL, syscall_name(sc));
148                 } else {
149                         ULOG_ERR("no name found for syscall(%d)\n", sc);
150                 }
151         }
152         blobmsg_close_array(&b, c);
153         blobmsg_add_u32(&b, "policy", policy);
154         if (json) {
155                 FILE *fp = fopen(json, "w");
156                 if (fp) {
157                         fprintf(fp, "%s", blobmsg_format_json_indent(b.head, true, 0));
158                         fclose(fp);
159                         ULOG_INFO("saving syscall trace to %s\n", json);
160                 } else {
161                         ULOG_ERR("failed to open %s\n", json);
162                 }
163         } else {
164                 printf("%s\n",
165                         blobmsg_format_json_indent(b.head, true, 0));
166         }
167 
168 }
169 
170 static void report_seccomp_vialation(pid_t pid, unsigned syscall)
171 {
172         char buf[200];
173         snprintf(buf, sizeof(buf), "/proc/%d/cmdline", pid);
174         int f = open(buf, O_RDONLY);
175         int r = read(f, buf, sizeof(buf) - 1);
176         if (r >= 0)
177                 buf[r] = 0;
178         else
179                 strcpy(buf, "unknown?");
180         close(f);
181 
182         if (violation_count < INT_MAX)
183                 violation_count++;
184         int i = syscall_index(syscall);
185         if (i >= 0) {
186                 syscall_count[i]++;
187                 ULOG_ERR("%s[%u] tried to call non-whitelisted syscall: %s (see %s)\n",
188                          buf, pid,  syscall_name(syscall), json);
189         } else {
190                 ULOG_ERR("%s[%u] tried to call non-whitelisted syscall: %d (see %s)\n",
191                          buf, pid,  syscall, json);
192         }
193 }
194 
195 static void tracer_cb(struct uloop_process *c, int ret)
196 {
197         struct tracee *tracee = container_of(c, struct tracee, proc);
198         int inject_signal = 0;
199 
200         /* We explicitely check for events in upper 16 bits, because
201          * musl (as opposed to glibc) does not report
202          * PTRACE_EVENT_STOP as WIFSTOPPED */
203         if (WIFSTOPPED(ret) || (ret >> 16)) {
204                 if (WSTOPSIG(ret) & 0x80) {
205                         if (!tracee->in_syscall) {
206                                 int syscall = ptrace(PTRACE_PEEKUSER, c->pid, reg_syscall_nr);
207                                 int i = syscall_index(syscall);
208                                 if (i >= 0) {
209                                         syscall_count[i]++;
210                                         if (debug)
211                                                 fprintf(stderr, "%s()\n", syscall_name(syscall));
212                                 } else if (debug) {
213                                         fprintf(stderr, "syscal(%d)\n", syscall);
214                                 }
215                         }
216                         tracee->in_syscall = !tracee->in_syscall;
217                 } else if ((ret >> 8) == (SIGTRAP | (PTRACE_EVENT_FORK << 8)) ||
218                            (ret >> 8) == (SIGTRAP | (PTRACE_EVENT_VFORK << 8)) ||
219                            (ret >> 8) == (SIGTRAP | (PTRACE_EVENT_CLONE << 8))) {
220                         struct tracee *child = calloc(1, sizeof(struct tracee));
221 
222                         unsigned long msg;
223                         ptrace(PTRACE_GETEVENTMSG, c->pid, 0, &msg);
224                         child->proc.pid = msg;
225                         child->proc.cb = tracer_cb;
226                         ptrace(ptrace_restart, child->proc.pid, 0, 0);
227                         uloop_process_add(&child->proc);
228                         if (debug)
229                                 fprintf(stderr, "Tracing new child %d\n", child->proc.pid);
230                 } else if ((ret >> 16) == PTRACE_EVENT_STOP) {
231                         /* Nothing special to do here */
232                 } else if ((ret >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
233                         int syscall = ptrace(PTRACE_PEEKUSER, c->pid, reg_syscall_nr);
234 #if defined(__arm__)
235                         ptrace(PTRACE_SET_SYSCALL, c->pid, 0, -1);
236                         ptrace(PTRACE_POKEUSER, c->pid, reg_retval_nr, -ENOSYS);
237 #else
238                         ptrace(PTRACE_POKEUSER, c->pid, reg_syscall_nr, -1);
239 #endif
240                         report_seccomp_vialation(c->pid, syscall);
241                 } else {
242                         inject_signal = WSTOPSIG(ret);
243                         if (debug)
244                                 fprintf(stderr, "Injecting signal %d into pid %d\n",
245                                         inject_signal, tracee->proc.pid);
246                 }
247         } else if (WIFEXITED(ret) || (WIFSIGNALED(ret) && WTERMSIG(ret))) {
248                 if (tracee == &tracer) {
249                         uloop_end(); /* Main process exit */
250                 } else {
251                         if (debug)
252                                 fprintf(stderr, "Child %d exited\n", tracee->proc.pid);
253                         free(tracee);
254                 }
255                 return;
256         }
257 
258         ptrace(ptrace_restart, c->pid, 0, inject_signal);
259         uloop_process_add(c);
260 }
261 
262 static void sigterm_handler(int signum)
263 {
264         /* When we receive SIGTERM, we forward it to the tracee. After
265          * the tracee exits, trace_cb() will be called and make us
266          * exit too. */
267         kill(tracer.proc.pid, SIGTERM);
268 }
269 
270 
271 int main(int argc, char **argv, char **envp)
272 {
273         int status, ch, policy = EPERM;
274         pid_t child;
275 
276         /* When invoked via seccomp-trace symlink, work as seccomp
277          * violation logger rather than as syscall tracer */
278         if (strstr(argv[0], "seccomp-trace"))
279                 mode = SECCOMP_TRACE;
280 
281         while ((ch = getopt(argc, argv, "f:p:")) != -1) {
282                 switch (ch) {
283                 case 'f':
284                         json = optarg;
285                         break;
286                 case 'p':
287                         policy = atoi(optarg);
288                         break;
289                 }
290         }
291 
292         if (!json)
293                 json = getenv("SECCOMP_FILE");
294 
295         argc -= optind;
296         argv += optind;
297 
298         if (!argc)
299                 return -1;
300 
301         if (getenv("TRACE_DEBUG"))
302                 debug = 1;
303         unsetenv("TRACE_DEBUG");
304 
305         child = fork();
306 
307         if (child == 0) {
308                 char **_argv = calloc(argc + 1, sizeof(char *));
309                 char **_envp;
310                 char *preload = NULL;
311                 const char *old_preload = getenv("LD_PRELOAD");
312                 int newenv = 0;
313                 int envc = 0;
314                 int ret;
315 
316                 memcpy(_argv, argv, argc * sizeof(char *));
317 
318                 while (envp[envc++])
319                         ;
320 
321                 _envp = calloc(envc + 2, sizeof(char *));
322                 switch (mode) {
323                 case UTRACE:
324                         preload = "/lib/libpreload-trace.so";
325                         newenv = 1;
326                         break;
327                 case SECCOMP_TRACE:
328                         preload = "/lib/libpreload-seccomp.so";
329                         newenv = 2;
330                         if (asprintf(&_envp[1], "SECCOMP_FILE=%s", json ? json : "") < 0)
331                                 ULOG_ERR("failed to allocate SECCOMP_FILE env: %m\n");
332 
333                         kill(getpid(), SIGSTOP);
334                         break;
335                 }
336                 if (asprintf(&_envp[0], "LD_PRELOAD=%s%s%s", preload,
337                              old_preload ? ":" : "",
338                               old_preload ? old_preload : "") < 0)
339                         ULOG_ERR("failed to allocate LD_PRELOAD env: %m\n");
340 
341                 memcpy(&_envp[newenv], envp, envc * sizeof(char *));
342 
343                 ret = execve(_argv[0], _argv, _envp);
344                 ULOG_ERR("failed to exec %s: %m\n", _argv[0]);
345 
346                 free(_argv);
347                 free(_envp);
348                 return ret;
349         }
350 
351         if (child < 0)
352                 return -1;
353 
354         waitpid(child, &status, WUNTRACED);
355         if (!WIFSTOPPED(status)) {
356                 ULOG_ERR("failed to start %s\n", *argv);
357                 return -1;
358         }
359 
360         /* Initialize uloop to catch all ptrace stops from now on. */
361         uloop_init();
362 
363         int ptrace_options = PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE;
364         switch (mode) {
365         case UTRACE:
366                 ptrace_options |= PTRACE_O_TRACESYSGOOD;
367                 ptrace_restart = PTRACE_SYSCALL;
368                 break;
369         case SECCOMP_TRACE:
370                 ptrace_options |= PTRACE_O_TRACESECCOMP;
371                 ptrace_restart = PTRACE_CONT;
372                 break;
373         }
374         if (ptrace(PTRACE_SEIZE, child, 0, ptrace_options) == -1) {
375                 ULOG_ERR("PTRACE_SEIZE: %m\n");
376                 return -1;
377         }
378         if (ptrace(ptrace_restart, child, 0, SIGCONT) == -1) {
379                 ULOG_ERR("ptrace_restart: %m\n");
380                 return -1;
381         }
382 
383         tracer.proc.pid = child;
384         tracer.proc.cb = tracer_cb;
385         uloop_process_add(&tracer.proc);
386         signal(SIGTERM, sigterm_handler); /* Override uloop's SIGTERM handler */
387         uloop_run();
388         uloop_done();
389 
390 
391         switch (mode) {
392         case UTRACE:
393                 if (!json)
394                         if (asprintf(&json, "/tmp/%s.%u.json", basename(*argv), child) < 0)
395                                 ULOG_ERR("failed to allocate output path: %m\n");
396                 break;
397         case SECCOMP_TRACE:
398                 if (!violation_count)
399                         return 0;
400                 if (asprintf(&json, "/tmp/%s.%u.violations.json", basename(*argv), child) < 0)
401                         ULOG_ERR("failed to allocate violations output path: %m\n");
402                 break;
403         }
404         print_syscalls(policy, json);
405         return 0;
406 }
407 

This page was automatically generated by LXR 0.3.1.  •  OpenWrt