个人中心
gpt4 book ai didi

c - 如何使用 SECCOMP_RET_DATA 和 PTRACE_GETEVENTMSG 获取系统调用的返回码

转载 作者:行者123 更新时间:2023-12-01 22:50:50 25 4
gpt4 key购买 nike

尝试使用 ptrace + seccomp 获取系统调用的返回值时我有点困惑。

man 4 bpf说:

 FILTER MACHINE
A filter program is an array of instructions, with  all branches forwardly 
directed, terminated by a return instruction

man 2 ptrace 说:

 PTRACE_O_TRACESECCOMP  
While this triggers a PTRACE_EVENT stop, it is
similar to a syscall-enter-stop, in that the tracee has not yet
entered the syscall that seccomp triggered on. The seccomp event
message data (from the SECCOMP_RET_DATA portion of the seccomp filter
rule) can be retrieved with PTRACE_GETEVENTMSG.

 PTRACE_GETEVENTMSG 
For PTRACE_EVENT_SECCOMP, this is the seccomp(2)
filter's SECCOMP_RET_DATA associated with the triggered rule.

man 2 seccomp 说:

 SECCOMP_RET_TRACE
The tracer will be notified of a 
PTRACE_EVENT_SECCOMP  and  the  SECCOMP_RET_DATA
portion of the filter's return value will be available to 
the tracer via PTRACE_GETEVENTMSG
 [...]
The seccomp check will not be run again after the tracer is notified.

事实证明,BPF 程序无法在 BPF_RET 语句之后执行进一步的操作。因此,当tracee在SECCOMP_RET_TRACE上被中断时,它处于syscall-enter-stop状态并且系统调用尚未进行,因此,返回代码肯定无处可取。我希望在后续调用 PTRACE_SYSCALL 后,tracee 将处于 syscall-exit-stop 状态,并且跟踪器将能够使用 获取系统调用的结果PTRACE_GETEVENTMSG。但它在我的示例中不起作用。

#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    pid_t pid;
    int status;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s <prog> <arg1> ... <argN>\n", argv[0]);
        return 1;
    }

    if ((pid = fork()) == 0) {
        ptrace(PTRACE_TRACEME, 0, 0, 0);

        struct sock_filter filter[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 1, 2),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | SECCOMP_RET_DATA),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = {
            .filter = filter,
            .len = (unsigned short) (sizeof(filter)/sizeof(filter[0])),
        };

        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
            return 2;
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
            return 3;

        kill(getpid(), SIGSTOP);
        return execvp(argv[1], argv + 1);
    } else {
        waitpid(pid, &status, 0);
        ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESECCOMP);
        ptrace(PTRACE_CONT, pid, 0, 0);

        int status = 0;
        unsigned long ret_data = 0;
        while(1) {
            while (1) {
                waitpid(pid, &status, 0);
                fprintf(stderr, "status = %08x\n", status);

                if (status >> 8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8)))
                    break;

                if (WIFEXITED(status))
                    return 0;
                ptrace(PTRACE_CONT, pid, 0, 0);
            }
            // restart stopped tracee
            ptrace(PTRACE_SYSCALL, pid, 0, 0);
            // wait for SIGTRAP, when tracee will be in the syscall-exit-stop state
            waitpid(pid, &status, 0);

            ptrace(PTRACE_GETEVENTMSG, pid, 0, &ret_data);
            fprintf(stderr, "retdat = %lu\n", ret_data);

            ptrace(PTRACE_CONT, pid, 0, 0);
        }
        return 0;
    }
}

我能够获取系统调用的返回代码来检查寄存器

    // ptrace(PTRACE_GETEVENTMSG, pid, 0, &ret_data);
    struct user_regs_struct regs;
    ptrace(PTRACE_GETREGS, pid, 0, &regs);
    fprintf(stderr, "retdat = %lu\n", regs.rax);

但我想知道如何按照文档中指定的方式进行操作。

最佳答案

How to get the return code of the syscall using SECCOMP_RET_DATA and PTRACE_GETEVENTMSG?

简单的答案是你不能。 seccomp 事件甚至在进入系统调用之前就被发送。您在那里看不到任何结果,因为还没有任何系统调用。要获得一个,您必须在收到 seccomp 事件后使用 PTRACE_SYSCALL 旋转该进程两次:

bool WaitForSyscallExit(const pid_t pid)
{
  bool entered = false;
  int  status  = 0;

  while (true)
  {
    ptrace(PTRACE_SYSCALL, pid, 0, 0);
    waitpid(pid, &status, 0);

    if (WSTOPSIG(status) == SIGTRAP)
    {
      if (entered)
      {
        // If we had already entered before, then current SIGTRAP signal means exiting
        break;
      }
      entered = true;
    }
    else if (WIFEXITED(status) || WIFSIGNALED(status) || WCOREDUMP(status))
    {
      std::cerr << "The child has unexpectedly exited." << std::endl;

      return false;
    }
  }

  return true;
}

由于使用了PTRACE_SYSCALL,进程会被停止两次(第一次是进入系统调用后,下一次和最后一次是退出系统调用后)。只有在系统调用实际完成后(即第二个进程停止后)才能获取结果。是的,您只能通过手动读取寄存器来完成此操作,因为 seccomp 结构只能在该事件的 seccomp 跟踪处理程序中使用。甚至结构本身也不包含与系统调用结果相关的任何内容,并且手册页也没有提到获取结果值。

关于c - 如何使用 SECCOMP_RET_DATA 和 PTRACE_GETEVENTMSG 获取系统调用的返回码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55006186/

25 4 0
文章推荐: android-studio - Android Studio 3.2 Canary 14 Github 集成
文章推荐: scope - COBOL 的范围是什么
文章推荐: Java 内存缓存,每个客户端都有子缓存
文章推荐: c++ - 为什么 NULL 不能作为 std::thread 执行函数的 void* 参数的参数?
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com