def setUp(self):
self.arch = ARCH_64
self.kill_action = bpf.KillProcess()
self.parser = parser.PolicyParser(self.arch,
kill_action=self.kill_action,
denylist=True)
self.tempdir = tempfile.mkdtemp()
def main(argv=None):
"""Main entrypoint."""
if argv is None:
argv = sys.argv[1:]
opts = parse_args(argv)
parsed_arch = arch.Arch.load_from_json(opts.arch_json)
policy_compiler = compiler.PolicyCompiler(parsed_arch)
if opts.use_kill_process:
kill_action = bpf.KillProcess()
else:
kill_action = bpf.KillThread()
override_default_action = None
if opts.default_action:
parser_state = parser.ParserState('<memory>')
override_default_action = parser.PolicyParser(
parsed_arch, kill_action=bpf.KillProcess()).parse_action(
next(parser_state.tokenize([opts.default_action])))
with opts.output as outf:
outf.write(
policy_compiler.compile_file(
opts.policy.name,
optimization_strategy=opts.optimization_strategy,
kill_action=kill_action,
include_depth_limit=opts.include_depth_limit,
override_default_action=override_default_action).opcodes)
return 0
def _compile(self, line):
with tempfile.NamedTemporaryFile(mode='w') as policy_file:
policy_file.write(line)
policy_file.flush()
policy_parser = parser.PolicyParser(self.arch,
kill_action=bpf.KillProcess())
parsed_policy = policy_parser.parse_file(policy_file.name)
assert len(parsed_policy.filter_statements) == 1
return self.compiler.compile_filter_statement(
parsed_policy.filter_statements[0],
kill_action=bpf.KillProcess())
def compile_file(self,
policy_filename,
*,
optimization_strategy,
kill_action,
include_depth_limit=10,
override_default_action=None,
denylist=False,
ret_log=False):
"""Return a compiled BPF program from the provided policy file."""
policy_parser = parser.PolicyParser(
self._arch,
kill_action=kill_action,
include_depth_limit=include_depth_limit,
override_default_action=override_default_action,
denylist=denylist,
ret_log=ret_log)
parsed_policy = policy_parser.parse_file(policy_filename)
entries = [
self.compile_filter_statement(filter_statement,
kill_action=kill_action,
denylist=denylist)
for filter_statement in parsed_policy.filter_statements
]
visitor = bpf.FlatteningVisitor(arch=self._arch,
kill_action=kill_action)
if denylist:
accept_action = kill_action
reject_action = bpf.Allow()
else:
accept_action = bpf.Allow()
reject_action = parsed_policy.default_action
if entries:
if optimization_strategy == OptimizationStrategy.BST:
next_action = _compile_entries_bst(entries, accept_action,
reject_action)
else:
next_action = _compile_entries_linear(entries, accept_action,
reject_action)
next_action.accept(bpf.ArgFilterForwardingVisitor(visitor))
reject_action.accept(visitor)
accept_action.accept(visitor)
bpf.ValidateArch(next_action).accept(visitor)
else:
reject_action.accept(visitor)
bpf.ValidateArch(reject_action).accept(visitor)
return visitor.result
def setUp(self):
self.arch = ARCH_64
self.parser = parser.PolicyParser(self.arch,
kill_action=bpf.KillProcess())
def main(argv=None):
"""Main entrypoint."""
if argv is None:
argv = sys.argv[1:]
opts, arg_parser = parse_args(argv)
if not os.path.exists(opts.arch_json):
arg_parser.error(CONSTANTS_ERR_MSG)
parsed_arch = arch.Arch.load_from_json(opts.arch_json)
policy_compiler = compiler.PolicyCompiler(parsed_arch)
# Set ret_log to true if the MINIJAIL_DEFAULT_RET_LOG environment variable
# is present.
if 'MINIJAIL_DEFAULT_RET_LOG' in os.environ:
print("""
\n**********************
Warning: MINJAIL_DEFAULT_RET_LOG is on, policy will not have any effect
**********************\n
""")
opts.use_ret_log = True
if opts.use_ret_log:
kill_action = bpf.Log()
elif opts.denylist:
# Default action for a denylist policy is return EPERM
kill_action = bpf.ReturnErrno(parsed_arch.constants['EPERM'])
elif opts.use_kill_process:
kill_action = bpf.KillProcess()
else:
kill_action = bpf.KillThread()
override_default_action = None
if opts.default_action:
parser_state = parser.ParserState('<memory>')
override_default_action = parser.PolicyParser(
parsed_arch, kill_action=bpf.KillProcess()).parse_action(
next(parser_state.tokenize([opts.default_action])))
compiled_policy = policy_compiler.compile_file(
opts.policy.name,
optimization_strategy=opts.optimization_strategy,
kill_action=kill_action,
include_depth_limit=opts.include_depth_limit,
override_default_action=override_default_action,
denylist=opts.denylist,
ret_log=opts.use_ret_log)
# Outputs the bpf binary to a c header file instead of a binary file.
if opts.output_header_file:
output_file_base = opts.output
with open(output_file_base + '.h', 'w') as output_file:
program = ', '.join('%i' % x for x in compiled_policy.opcodes)
output_file.write(
HEADER_TEMPLATE % {
'upper_name': output_file_base.upper(),
'name': output_file_base,
'program': program,
})
else:
with open(opts.output, 'wb') as outf:
outf.write(compiled_policy.opcodes)
return 0
