platform_external_minijail/parse_seccomp_policy.cc, branch master Unnamed repository; edit this file 'description' to name the repository. Add support for SECCOMP_RET_LOG. 2019-06-24T14:02:41+00:00 Jorge Lucangeli Obes jorgelo@google.com 2019-06-12T18:45:06+00:00 32201f8a02ad582aa08b8a71ff2938dc7bc038d1 Detect at runtime whether SECCOMP_RET_LOG is available and use that for logging. Bug: chromium:934859 Test: New unit tests. Test: On 4.14 device, minijail0 -S -L test/seccomp.policy -- /bin/true. Test: audit.log shows failing syscall, binary exits successfully. Test: On <4.14 device, behaves as before. Change-Id: Ic9da1b5dae2b4b1df50e9d3e6f18c816e93bff87 
Detect at runtime whether SECCOMP_RET_LOG is available and use that for
logging.

Bug: chromium:934859
Test: New unit tests.
Test: On 4.14 device, minijail0 -S -L test/seccomp.policy -- /bin/true.
Test: audit.log shows failing syscall, binary exits successfully.
Test: On <4.14 device, behaves as before.

Change-Id: Ic9da1b5dae2b4b1df50e9d3e6f18c816e93bff87
parse_seccomp_policy: Allow to read from stdin 2018-07-24T22:14:10+00:00 Luis Hector Chavez lhchavez@google.com 2018-07-22T05:45:38+00:00 dacb705c88bed50541b2d76f607389e817081792 When the filename is "-", parse_seccomp_policy will read the policy from stdin instead of a file. Bug: None Test: echo 'read: 1' | ./parse_seccomp_policy --dump - | \ ./libseccomp/tools/scmp_bpf_disasm Change-Id: I150d5536e2672a843661be3605e652d250eede7a 
When the filename is "-", parse_seccomp_policy will read the policy from
stdin instead of a file.

Bug: None
Test: echo 'read: 1' | ./parse_seccomp_policy --dump - | \
      ./libseccomp/tools/scmp_bpf_disasm

Change-Id: I150d5536e2672a843661be3605e652d250eede7a
parse_seccomp_policy: Add a --dump flag 2018-07-13T15:32:25+00:00 Luis Hector Chavez lhchavez@google.com 2018-07-13T13:28:10+00:00 cb4ae3272d8836e1ae7db64cbdd544aece20d978 This change adds a --dump flag to parse_seccomp_policy, to allow people to inspect the policy with libseccomp's scmp_bpf_disasm. It also moves the dump_bpf_prog / dump_bpf_filter functions to parse_seccomp_policy.cc since they were only used in that one file, and formats the file in C++. Bug: None Test: make tests Test: make parse_seccomp_policy Test: ./parse_seccomp_policy --dump test/seccomp.policy | \ ./libseccomp/tools/scmp_bpf_disasm Change-Id: I96d54cae68b5b102f8962e39ff00b35407f45758 
This change adds a --dump flag to parse_seccomp_policy, to allow people
to inspect the policy with libseccomp's scmp_bpf_disasm. It also moves
the dump_bpf_prog / dump_bpf_filter functions to parse_seccomp_policy.cc
since they were only used in that one file, and formats the file in C++.

Bug: None
Test: make tests
Test: make parse_seccomp_policy
Test: ./parse_seccomp_policy --dump test/seccomp.policy | \
      ./libseccomp/tools/scmp_bpf_disasm

Change-Id: I96d54cae68b5b102f8962e39ff00b35407f45758
Add the 'e' flag to all fopen(3) calls 2018-07-13T04:10:33+00:00 Luis Hector Chavez lhchavez@google.com 2018-07-13T04:10:33+00:00 a30a206d163bba1fb2fc0e5097a8dddfd78bee68 This change adds the 'e' flag to all fopen(3) calls so they get O_CLOEXEC. Bug: None Test: make tests Change-Id: I27eb4e99be4823bca4ed81e95abaa683f4b877d0 
This change adds the 'e' flag to all fopen(3) calls so they get
O_CLOEXEC.

Bug: None
Test: make tests
Change-Id: I27eb4e99be4823bca4ed81e95abaa683f4b877d0
relicense new source files under BSD 2018-01-23T18:10:19+00:00 Mike Frysinger vapier@google.com 2018-01-19T23:59:49+00:00 50e31fa7e92cd0cceefa89e65837c1ee04aaf2bb This project was started as a BSD licensed work, and it remained that way even after the AOSP move, so make sure new files correctly reflect that too. Otherwise we end up with half the files using BSD and the other half using Apache which is annoying. Bug: None Test: grepped for "apache" in all the files Change-Id: I7cc7c890b42a1ded7552e1852246eaf86ca8428c 
This project was started as a BSD licensed work, and it remained that
way even after the AOSP move, so make sure new files correctly reflect
that too.  Otherwise we end up with half the files using BSD and the
other half using Apache which is annoying.

Bug: None
Test: grepped for "apache" in all the files
Change-Id: I7cc7c890b42a1ded7552e1852246eaf86ca8428c
Allow redirecting logging to an FD 2017-09-14T13:16:06+00:00 Luis Hector Chavez lhchavez@google.com 2017-09-06T03:36:58+00:00 114a930ff5d9ad3e2f0bcf0320526e904e511634 This change allows redirection of logging facilities, from syslog to a file. Bug: None Test: make tests // see logging in stderr Change-Id: Ia45ccb87908f1d4a2f7964a01d11a74da6e9fdb7 
This change allows redirection of logging facilities, from syslog to a
file.

Bug: None
Test: make tests  // see logging in stderr
Change-Id: Ia45ccb87908f1d4a2f7964a01d11a74da6e9fdb7
Improve compiler logging 2017-09-14T13:16:06+00:00 Luis Hector Chavez lhchavez@google.com 2017-08-29T02:30:59+00:00 7624e716094e37a55662c1b836656c5025856ae2 This change adds line numbers to the logs emitted when compiling syscall filter policy files. Bug: None Test: See filenames+line numbers in syslog Change-Id: Id6fb7d097f60e317269b5abd03b5a6929db6cd40 
This change adds line numbers to the logs emitted when compiling syscall
filter policy files.

Bug: None
Test: See filenames+line numbers in syslog
Change-Id: Id6fb7d097f60e317269b5abd03b5a6929db6cd40
syscall_filter: Refactor 'compile_file' out of 'compile_filter'. 2017-03-20T17:41:24+00:00 Jorge Lucangeli Obes jorgelo@google.com 2017-03-15T21:02:58+00:00 45932a51abc18f3daddba7776fcfe7d3517da68c The new in-process crash dumping on Android could use functionality to include policy files in other policy files. The use case would be to add a short section of syscalls required for crash dumping to processes already using syscall filtering. The first step to do this is to extract the functionality that parses an individual file to a separate function, so that it can be called multiple times. Implementation of the include directive will be done in a follow-up CL. Bug: 36007996 Test: New unit tests, but no change in functionality. Change-Id: I4097513bf11c23af67b6741fceb5c7abe360396e 
The new in-process crash dumping on Android could use functionality to
include policy files in other policy files. The use case would be to
add a short section of syscalls required for crash dumping to processes
already using syscall filtering.

The first step to do this is to extract the functionality that parses
an individual file to a separate function, so that it can be called
multiple times.

Implementation of the include directive will be done in a follow-up CL.

Bug: 36007996
Test: New unit tests, but no change in functionality.

Change-Id: I4097513bf11c23af67b6741fceb5c7abe360396e
Fix BPF instruction count bug. 2016-09-30T18:25:44+00:00 Jorge Lucangeli Obes jorgelo@google.com 2016-09-30T00:25:27+00:00 f16d6d177fdbf41f6d4389436dbbe5d2b84cd519 We were accidentally capping the total number of BPF instructions at 256 when doing label fixup. Also add a simple binary to print a compiled policy. Bug: 31848734 Test: Policy attached to the bug works. Change-Id: I9df058e2f4888289db0219d65ca97851fac515d0 
We were accidentally capping the total number of BPF instructions at
256 when doing label fixup.

Also add a simple binary to print a compiled policy.

Bug: 31848734
Test: Policy attached to the bug works.

Change-Id: I9df058e2f4888289db0219d65ca97851fac515d0