def setUp(self):
    """Per-test fixture: a denylist-mode parser plus a scratch directory.

    The kill action is stored on ``self`` so tests can compare against the
    very instance the parser was built with.
    """
    # NOTE(review): mkdtemp() is not removed here; presumably a tearDown()
    # outside this listing deletes self.tempdir -- confirm, otherwise every
    # test leaks a directory.
    self.tempdir = tempfile.mkdtemp()
    self.kill_action = bpf.KillProcess()
    self.arch = ARCH_64
    self.parser = parser.PolicyParser(
        self.arch,
        kill_action=self.kill_action,
        denylist=True)
def main(argv=None):
    """Compile the policy named on the command line and write its opcodes.

    Args:
        argv: command-line arguments; ``sys.argv[1:]`` when None.

    Returns:
        0 once the compiled program has been written to ``opts.output``.
    """
    opts = parse_args(sys.argv[1:] if argv is None else argv)
    target_arch = arch.Arch.load_from_json(opts.arch_json)
    policy_compiler = compiler.PolicyCompiler(target_arch)

    # --use-kill-process selects bpf.KillProcess() as the violation action;
    # otherwise the default is bpf.KillThread().
    if opts.use_kill_process:
        violation_action = bpf.KillProcess()
    else:
        violation_action = bpf.KillThread()

    # An explicit --default-action is parsed from a one-token in-memory
    # stream and handed to the compiler as the override.  The parser used
    # here always gets KillProcess, independent of --use-kill-process.
    default_override = None
    if opts.default_action:
        tokens = parser.ParserState('<memory>').tokenize([opts.default_action])
        default_override = parser.PolicyParser(
            target_arch, kill_action=bpf.KillProcess()).parse_action(next(tokens))

    # opts.policy is presumably an already-open file object; only its name
    # is used, the compiler re-reads the policy by path.
    with opts.output as outf:
        program = policy_compiler.compile_file(
            opts.policy.name,
            optimization_strategy=opts.optimization_strategy,
            kill_action=violation_action,
            include_depth_limit=opts.include_depth_limit,
            override_default_action=default_override)
        outf.write(program.opcodes)
    return 0
def _compile(self, line):
    """Compile a one-statement policy given as a single line of text.

    The parser only works on file names, so ``line`` is spilled to a
    temporary file first.  Returns the compiled form of the policy's single
    filter statement; fails with AssertionError if the line does not parse
    to exactly one statement.
    """
    with tempfile.NamedTemporaryFile(mode='w') as tmp:
        tmp.write(line)
        # The parser opens the file by name, so the bytes must hit disk.
        tmp.flush()
        policy = parser.PolicyParser(
            self.arch, kill_action=bpf.KillProcess()).parse_file(tmp.name)
        statements = policy.filter_statements
        assert len(statements) == 1
        compiled = self.compiler.compile_filter_statement(
            statements[0], kill_action=bpf.KillProcess())
    return compiled
def compile_file(self,
                 policy_filename,
                 *,
                 optimization_strategy,
                 kill_action,
                 include_depth_limit=10,
                 override_default_action=None,
                 denylist=False,
                 ret_log=False):
    """Parse a policy file and flatten it into a BPF program.

    Two policy modes, chosen by ``denylist``:

    * allowlist (default): a syscall matching a filter statement is allowed,
      everything else gets the parsed policy's ``default_action``;
    * denylist: a matching syscall gets ``kill_action`` and everything else
      is allowed.  Note that in this mode ``parsed_policy.default_action``
      (and so, presumably, ``override_default_action``) is never consulted
      by this function -- the fall-through is unconditionally Allow.

    Args:
        policy_filename: path of the policy to compile.
        optimization_strategy: OptimizationStrategy.BST for a binary-search
            dispatch over the entries, anything else for a linear chain.
        kill_action: action emitted on a violation; also passed to the
            parser and to every per-statement compile.
        include_depth_limit: maximum nesting of ``@include`` handled by the
            parser.
        override_default_action: default action forced onto the parser.
        denylist: select denylist mode (see above).
        ret_log: forwarded to the parser unchanged.

    Returns:
        The flattening visitor's result (the compiled program).
    """
    policy = parser.PolicyParser(
        self._arch,
        kill_action=kill_action,
        include_depth_limit=include_depth_limit,
        override_default_action=override_default_action,
        denylist=denylist,
        ret_log=ret_log).parse_file(policy_filename)
    entries = [
        self.compile_filter_statement(
            statement, kill_action=kill_action, denylist=denylist)
        for statement in policy.filter_statements
    ]
    visitor = bpf.FlatteningVisitor(arch=self._arch, kill_action=kill_action)

    # "matched" is taken when a syscall hits an entry, "fallthrough" when
    # none matches; denylist mode simply swaps which side is permissive.
    if denylist:
        matched, fallthrough = kill_action, bpf.Allow()
    else:
        matched, fallthrough = bpf.Allow(), policy.default_action

    if not entries:
        # No statements: the whole program is just the fall-through action
        # behind the architecture check.
        fallthrough.accept(visitor)
        bpf.ValidateArch(fallthrough).accept(visitor)
        return visitor.result

    if optimization_strategy == OptimizationStrategy.BST:
        build_dispatch = _compile_entries_bst
    else:
        build_dispatch = _compile_entries_linear
    dispatch = build_dispatch(entries, matched, fallthrough)

    # Emission order matters to the flattening visitor: the dispatch tree
    # (with its argument filters forwarded), then the two terminal actions,
    # then the arch check that guards entry to the whole program.
    dispatch.accept(bpf.ArgFilterForwardingVisitor(visitor))
    fallthrough.accept(visitor)
    matched.accept(visitor)
    bpf.ValidateArch(dispatch).accept(visitor)
    return visitor.result
def setUp(self):
    """Per-test fixture: a 64-bit policy parser using a KillProcess action.

    The parser is built with its default denylist setting (no ``denylist``
    argument is passed).
    """
    target = ARCH_64
    self.arch = target
    self.parser = parser.PolicyParser(target, kill_action=bpf.KillProcess())
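def main(argv=None):
    """Compile a seccomp policy file into a BPF program (binary or C header).

    Args:
        argv: command-line arguments; ``sys.argv[1:]`` when None.

    Returns:
        0 on success.  A missing constants JSON exits through
        ``arg_parser.error``.
    """
    if argv is None:
        argv = sys.argv[1:]
    opts, arg_parser = parse_args(argv)
    if not os.path.exists(opts.arch_json):
        arg_parser.error(CONSTANTS_ERR_MSG)
    parsed_arch = arch.Arch.load_from_json(opts.arch_json)
    policy_compiler = compiler.PolicyCompiler(parsed_arch)

    # The mere presence of MINIJAIL_DEFAULT_RET_LOG (even empty) forces
    # ret_log mode: violations are logged instead of being denied, so the
    # resulting filter enforces nothing.  The warning goes to stderr so it
    # is neither mistaken for compiler output nor lost in a build log.
    # (Fix: the message used to misspell the variable as MINJAIL_...)
    if 'MINIJAIL_DEFAULT_RET_LOG' in os.environ:
        print(
            '\n**********************\n'
            'Warning: MINIJAIL_DEFAULT_RET_LOG is on, policy will not have any effect\n'
            '**********************\n',
            file=sys.stderr)
        opts.use_ret_log = True

    # Violation action precedence: ret_log > denylist > kill-process >
    # kill-thread (the default).
    if opts.use_ret_log:
        kill_action = bpf.Log()
    elif opts.denylist:
        # A denylist policy fails listed syscalls with EPERM instead of
        # killing the task.
        kill_action = bpf.ReturnErrno(parsed_arch.constants['EPERM'])
    elif opts.use_kill_process:
        kill_action = bpf.KillProcess()
    else:
        kill_action = bpf.KillThread()

    # --default-action is parsed from a one-token in-memory stream; the
    # parser used for it always gets KillProcess, independent of the
    # options above.
    override_default_action = None
    if opts.default_action:
        parser_state = parser.ParserState('<memory>')
        override_default_action = parser.PolicyParser(
            parsed_arch, kill_action=bpf.KillProcess()).parse_action(
                next(parser_state.tokenize([opts.default_action])))

    # opts.policy is presumably an already-open file object; only its name
    # is used here, the compiler re-reads the policy by path.
    compiled_policy = policy_compiler.compile_file(
        opts.policy.name,
        optimization_strategy=opts.optimization_strategy,
        kill_action=kill_action,
        include_depth_limit=opts.include_depth_limit,
        override_default_action=override_default_action,
        denylist=opts.denylist,
        ret_log=opts.use_ret_log)

    if opts.output_header_file:
        # Emit the program as a C header (opts.output + '.h') holding the
        # opcodes as a comma-separated integer list.
        # NOTE(review): opts.output is used verbatim as the identifier and
        # upper-cased guard stem; a path with '/', '.' or '-' would yield an
        # invalid C identifier if HEADER_TEMPLATE uses it that way -- verify
        # against HEADER_TEMPLATE (not in this listing).
        output_file_base = opts.output
        with open(output_file_base + '.h', 'w') as output_file:
            program = ', '.join('%i' % x for x in compiled_policy.opcodes)
            output_file.write(
                HEADER_TEMPLATE % {
                    'upper_name': output_file_base.upper(),
                    'name': output_file_base,
                    'program': program,
                })
    else:
        with open(opts.output, 'wb') as outf:
            outf.write(compiled_policy.opcodes)
    return 0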