• Home
Name Date Size #Lines LOC

..--

testdata/03-May-2024-284283

Android.bpD03-May-20242.4 KiB110103

README.mdD03-May-20242.4 KiB6749

arch.pyD03-May-20241.9 KiB5733

bpf.pyD03-May-202420.7 KiB694510

compile_seccomp_policy.pyD03-May-20243.5 KiB10273

compiler.pyD03-May-202414.3 KiB346222

compiler_unittest.pyD03-May-202420.7 KiB500395

generate_constants_json.pyD03-May-20244.4 KiB12378

generate_seccomp_policy.pyD03-May-20246.5 KiB181118

parser.pyD03-May-202430.6 KiB780620

parser_unittest.pyD03-May-202431.6 KiB870749

README.md

1# Minijail tools
2
3## generate_seccomp_policy.py
4
5This script lets you build a Minijail seccomp-bpf filter from strace output.
6This is very useful if the process that is traced has a fairly tight working
7domain, and it can be traced in a few scenarios that will exercise all of the
8needed syscalls. In particular, you should always make sure that failure cases
9are also exercised to account for calls to `abort(2)`.
10
11If `libminijail` or `minijail0` are used with preloading (the default with
12dynamically-linked executables), the first few system calls after the first call
13to `execve(2)` might not be needed, since the seccomp-bpf filter is installed
14after that point in a sandboxed process.
15
16### Sample usage
17
18```shell
19strace -f -e raw=all -o strace.txt -- <program>
20./tools/generate_seccomp_policy.py strace.txt > <program>.policy
21```
22
23## compile_seccomp_policy.py
24
25An external seccomp-bpf compiler that is documented [here][1]. This uses a
26slightly different syntax and generates highly-optimized BPF binaries that can
27be provided to `minijail0`'s `--seccomp-bpf-binary` or `libminijail`'s
28`minijail_set_secomp_filters()`. This requires the existence of an
29architecture-specific `constants.json` file that contains the mapping of syscall
30names to numbers, the values of any compile-time constants that could be used to
31simplify the parameter declaration for filters (like `O_RDONLY` and any other
32constant defined in typical headers in `/usr/include`).
33
34Policy files can also include references to frequency files, which enable
35profile-guided optimization of the generated BPF code.
36
37The generated BPF code can be analyzed using
38[libseccomp](https://github.com/seccomp/libseccomp)'s `tools/scmp_bpf_disasm`.
39
40### Sample usage
41
42```shell
43make minijail0 constants.json
44
45# Create the .policy file using the syntax described in the documentation.
46cat > test/seccomp.policy <<EOF
47read: allow
48write: allow
49rt_sigreturn: allow
50exit: allow
51EOF
52
53# Compile the .policy file into a .bpf filter
54./tools/compile_seccomp_policy.py test/seccomp.policy test/seccomp.bpf
55
56# Load the filter to sandbox your program.
57./minijail0 --seccomp-bpf-binary=test/seccomp.bpf -- <program>
58```
59
60## generate_constants_json.py
61
62This script generates the `constants.json` file from LLVM IR assembly files.
63This makes it easier to generate architecture-specific `constants.json` files at
64build-time.
65
66[1]: https://docs.google.com/document/d/e/2PACX-1vQOeYLWmJJrRWvglnMo5cynkUe0gZ9wVsndLLePkJg6dfUXSOUWoveBBeY3u5nQMlEU4dt_vRgj0ifR/pub
67