android13/external/minijail/tools/README.md

129 lines
4.9 KiB
Markdown
Raw Normal View History

2024-06-22 08:45:49 -04:00
# Minijail tools
## generate_seccomp_policy.py
This script lets you build a Minijail seccomp-bpf filter from strace output.
This is very useful if the process that is traced has a fairly tight working
domain, and it can be traced in a few scenarios that will exercise all of the
needed syscalls. In particular, you should always make sure that failure cases
are also exercised to account for calls to `abort(2)`.
If `libminijail` or `minijail0` are used with preloading (the default with
dynamically-linked executables), the first few system calls after the first call
to `execve(2)` might not be needed, since the seccomp-bpf filter is installed
after that point in a sandboxed process.
### Sample usage
```shell
strace -f -e raw=all -o strace.txt -- <program>
./tools/generate_seccomp_policy.py strace.txt > <program>.policy
```
### Using linux audit logs to generate policy
*** note
**NOTE**: Certain syscalls made by `minijail0` may be misattributed to the
sandboxed binary and may result in a policy that is overly-permissive.
Please pay some extra attention when manually reviewing the allowable args for
these syscalls: `ioctl`, `socket`, `prctl`, `mmap`, `mprotect`, and `mmap2`.
***
Linux kernel v4.14+ support `SECCOMP_RET_LOG`. This allows minijail to log
syscalls via the [audit subsystem][1] (Redhat has a nice overview [here][2])
instead of blocking them. One caveat of this approach is that `SECCOMP_RET_LOG`
does not log syscall arguments for finer grained filtering.
The audit subsystem itself has a mechanism to log all syscalls. Though a
`SYSCALL` event is more voluminous than a corresponding `SECCOMP` event.
We employ here a combination of both techniques. We rely on `SECCOMP` for all
except the syscalls for which we want finer grained filtering.
Note that this requires python3 bindings for `auparse` which are generally
available in distro packages named `python3-audit` or `python-audit`.
#### Per-boot setup of audit rules on DUT
Set up `audit` rules and an empty seccomp policy for later use. This can be
done in the `pre-start` section of your upstart conf.
`$UID` is the uid for your process. Using root will lead to logspam.
As mentioned above, these extra audit rules enable `SYSCALL` auditing which
in turn lets the tool inspect arguments for a pre-selected subset of syscalls.
The list of syscalls here matches the list of keys in `arg_inspection`.
```shell
for arch in b32 b64; do
auditctl -a exit,always -F uid=$UID -F arch=$arch -S ioctl -S socket \
-S prctl -S mmap -S mprotect \
$([ "$arch" = "b32" ] && echo "-S mmap2") -c
done
touch /tmp/empty.policy
```
#### Run your program under minijail with an empty policy
Again, this can be done via your upstart conf. Just be sure to stimulate all
corner cases, error conditions, etc for comprehensive coverage.
```shell
minijail0 -u $UID -g $GID -L -S /tmp/empty.policy -- <program>
```
#### Generate policy using the audit.log
```shell
./tools/generate_seccomp_policy.py --audit-comm $PROGRAM_NAME audit.log \
> $PROGRAM_NAME.policy
```
Note that the tool can also consume multiple audit logs and/or strace traces to
produce one unified policy.
## compile_seccomp_policy.py
An external seccomp-bpf compiler that is documented [here][3]. This uses a
slightly different syntax and generates highly-optimized BPF binaries that can
be provided to `minijail0`'s `--seccomp-bpf-binary` or `libminijail`'s
`minijail_set_secomp_filters()`. This requires the existence of an
architecture-specific `constants.json` file that contains the mapping of syscall
names to numbers, the values of any compile-time constants that could be used to
simplify the parameter declaration for filters (like `O_RDONLY` and any other
constant defined in typical headers in `/usr/include`).
Policy files can also include references to frequency files, which enable
profile-guided optimization of the generated BPF code.
The generated BPF code can be analyzed using
[libseccomp](https://github.com/seccomp/libseccomp)'s `tools/scmp_bpf_disasm`.
### Sample usage
```shell
make minijail0 constants.json
# Create the .policy file using the syntax described in the documentation.
cat > test/seccomp.policy <<EOF
read: allow
write: allow
rt_sigreturn: allow
exit: allow
EOF
# Compile the .policy file into a .bpf filter
./tools/compile_seccomp_policy.py test/seccomp.policy test/seccomp.bpf
# Load the filter to sandbox your program.
./minijail0 --seccomp-bpf-binary=test/seccomp.bpf -- <program>
```
## generate_constants_json.py
This script generates the `constants.json` file from LLVM IR assembly files.
This makes it easier to generate architecture-specific `constants.json` files at
build-time.
[1]: https://people.redhat.com/sgrubb/audit/
[2]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
[3]: https://docs.google.com/document/d/e/2PACX-1vQOeYLWmJJrRWvglnMo5cynkUe0gZ9wVsndLLePkJg6dfUXSOUWoveBBeY3u5nQMlEU4dt_vRgj0ifR/pub