caidong
/
ut_SG560D
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
SG560D_rl
Qualcomm_source_code_link
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
ut_SG560D/UM.9.14/external/minijail/tools
History
quectel 55794fdde8 QCM6490:Alyssa:upload QCM6490 android12 base code. 
Change-Id: If3e3c4e01b19443714d880ae669aaa8b39edfff7
 		4 years ago
..
testdata QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
Android.bp QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
README.md QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
arch.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
bpf.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
compile_seccomp_policy.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
compiler.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
compiler_unittest.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
generate_constants_json.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
generate_seccomp_policy.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
parser.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago
parser_unittest.py QCM6490:Alyssa:upload QCM6490 android12 base code. 4 years ago

README.md

Minijail tools

generate_seccomp_policy.py

This script lets you build a Minijail seccomp-bpf filter from strace output. This is very useful if the process that is traced has a fairly tight working domain, and it can be traced in a few scenarios that will exercise all of the needed syscalls. In particular, you should always make sure that failure cases are also exercised to account for calls to abort(2).

If libminijail or minijail0 are used with preloading (the default with dynamically-linked executables), the first few system calls after the first call to execve(2) might not be needed, since the seccomp-bpf filter is installed after that point in a sandboxed process.

Sample usage

strace -f -e raw=all -o strace.txt -- <program>
./tools/generate_seccomp_policy.py strace.txt > <program>.policy

compile_seccomp_policy.py

An external seccomp-bpf compiler that is documented here. This uses a slightly different syntax and generates highly-optimized BPF binaries that can be provided to minijail0's --seccomp-bpf-binary or libminijail's minijail_set_secomp_filters(). This requires the existence of an architecture-specific constants.json file that contains the mapping of syscall names to numbers, the values of any compile-time constants that could be used to simplify the parameter declaration for filters (like O_RDONLY and any other constant defined in typical headers in /usr/include).

Policy files can also include references to frequency files, which enable profile-guided optimization of the generated BPF code.

The generated BPF code can be analyzed using libseccomp's tools/scmp_bpf_disasm.

Sample usage

make minijail0 constants.json

# Create the .policy file using the syntax described in the documentation.
cat > test/seccomp.policy <<EOF
read: allow
write: allow
rt_sigreturn: allow
exit: allow
EOF

# Compile the .policy file into a .bpf filter
./tools/compile_seccomp_policy.py test/seccomp.policy test/seccomp.bpf

# Load the filter to sandbox your program.
./minijail0 --seccomp-bpf-binary=test/seccomp.bpf -- <program>

generate_constants_json.py

This script generates the constants.json file from LLVM IR assembly files. This makes it easier to generate architecture-specific constants.json files at build-time.