-
Notifications
You must be signed in to change notification settings - Fork 160
/
fake_id0.c
1286 lines (1113 loc) · 35.8 KB
/
fake_id0.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/* -*- c-set-style: "K&R"; c-basic-offset: 8 -*-
*
* This file is part of PRoot.
*
* Copyright (C) 2015 STMicroelectronics
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301 USA.
*/
#include <assert.h> /* assert(3), */
#include <stdint.h> /* intptr_t, */
#include <errno.h> /* E*, */
#include <sys/stat.h> /* chmod(2), stat(2) */
#include <sys/types.h> /* uid_t, gid_t, get*id(2), */
#include <unistd.h> /* get*id(2), */
#include <sys/ptrace.h> /* linux.git:c0a3a20b */
#include <linux/audit.h> /* AUDIT_ARCH_*, */
#include <string.h> /* memcpy(3), */
#include <stdlib.h> /* strtol(3), */
#include <linux/auxvec.h>/* AT_, */
#include <sys/socket.h> /* cmsghdr, */
#include <linux/net.h> /* SYS_SENDMSG, */
#include "extension/extension.h"
#include "syscall/syscall.h"
#include "syscall/sysnum.h"
#include "syscall/seccomp.h"
#include "syscall/chain.h"
#include "execve/execve.h"
#include "tracee/tracee.h"
#include "tracee/abi.h"
#include "tracee/mem.h"
#include "execve/auxv.h"
#include "path/binding.h"
#include "path/f2fs-bug.h"
#include "arch.h"
#include "extension/fake_id0/chown.h"
#include "extension/fake_id0/chroot.h"
#include "extension/fake_id0/getsockopt.h"
#include "extension/fake_id0/sendmsg.h"
#include "extension/fake_id0/socket.h"
#include "extension/fake_id0/stat.h"
#ifdef USERLAND
#include "extension/fake_id0/open.h"
#include "extension/fake_id0/unlink.h"
#include "extension/fake_id0/rename.h"
#include "extension/fake_id0/chmod.h"
#include "extension/fake_id0/utimensat.h"
#include "extension/fake_id0/access.h"
#include "extension/fake_id0/exec.h"
#include "extension/fake_id0/link.h"
#include "extension/fake_id0/symlink.h"
#include "extension/fake_id0/mk.h"
#include "extension/fake_id0/stat.h"
#include "extension/fake_id0/helper_functions.h"
#endif
/**
* Copy config->@field to the tracee's memory location pointed to by @sysarg.
*/
#define POKE_MEM_ID(sysarg, field) do { \
poke_uint16(tracee, peek_reg(tracee, ORIGINAL, sysarg), config->field); \
if (errno != 0) \
return -errno; \
} while (0)
/**
* Emulate setuid(2) and setgid(2).
*/
#define SETXID(id, version) do { \
id ## _t id = peek_reg(tracee, version, SYSARG_1); \
bool allowed; \
\
/* "EPERM: The user is not privileged (does not have the \
* CAP_SETUID capability) and uid does not match the real UID \
* or saved set-user-ID of the calling process." -- man \
* setuid */ \
allowed = (config->euid == 0 /* TODO: || HAS_CAP(SETUID) */ \
|| id == config->r ## id \
|| id == config->e ## id \
|| id == config->s ## id); \
if (!allowed) \
return -EPERM; \
\
/* "If the effective UID of the caller is root, the real UID \
* and saved set-user-ID are also set." -- man setuid */ \
if (config->euid == 0) { \
config->r ## id = id; \
config->s ## id = id; \
} \
\
/* "whenever the effective user ID is changed, fsuid will also \
* be changed to the new value of the effective user ID." -- \
* man setfsuid */ \
config->e ## id = id; \
config->fs ## id = id; \
\
poke_reg(tracee, SYSARG_RESULT, 0); \
return 0; \
} while (0)
/**
* Check whether @id is set or not.
*/
#define UNSET_ID(id) (id == (uid_t) -1)
/**
* Check whether @id is change or not.
*/
#define UNCHANGED_ID(id) (UNSET_ID(id) || id == config->id)
/**
* Emulate setreuid(2) and setregid(2).
*/
#define SETREXID(id, version) do { \
id ## _t r ## id = peek_reg(tracee, version, SYSARG_1); \
id ## _t e ## id = peek_reg(tracee, version, SYSARG_2); \
bool allowed; \
\
/* "Unprivileged processes may only set the effective user ID \
* to the real user ID, the effective user ID, or the saved \
* set-user-ID. \
* \
* Unprivileged users may only set the real user ID to the \
* real user ID or the effective user ID." \
*
* "EPERM: The calling process is not privileged (does not \
* have the CAP_SETUID) and a change other than: \
* 1. swapping the effective user ID with the real user ID, \
* or; \
* 2. setting one to the value of the other, or ; \
* 3. setting the effective user ID to the value of the saved \
* set-user-ID \
* was specified." -- man setreuid \
* \
* Is it possible to "ruid <- euid" and "euid <- suid" at the \
* same time? */ \
allowed = (config->euid == 0 /* TODO: || HAS_CAP(SETUID) */ \
|| (UNCHANGED_ID(e ## id) && UNCHANGED_ID(r ## id)) \
|| (r ## id == config->e ## id && (e ## id == config->r ## id || UNCHANGED_ID(e ## id))) \
|| (e ## id == config->r ## id && (r ## id == config->e ## id || UNCHANGED_ID(r ## id))) \
|| (e ## id == config->s ## id && UNCHANGED_ID(r ## id))); \
if (!allowed) \
return -EPERM; \
\
/* "Supplying a value of -1 for either the real or effective \
* user ID forces the system to leave that ID unchanged. \
* [...] If the real user ID is set or the effective user ID \
* is set to a value not equal to the previous real user ID, \
* the saved set-user-ID will be set to the new effective user \
* ID." -- man setreuid */ \
if (!UNSET_ID(e ## id)) { \
if (e ## id != config->r ## id) \
config->s ## id = e ## id; \
\
config->e ## id = e ## id; \
config->fs ## id = e ## id; \
} \
\
/* Since it changes the current ruid value, this has to be \
* done after euid handling. */ \
if (!UNSET_ID(r ## id)) { \
if (!UNSET_ID(e ## id)) \
config->s ## id = e ## id; \
config->r ## id = r ## id; \
} \
\
poke_reg(tracee, SYSARG_RESULT, 0); \
return 0; \
} while (0)
/**
* Check if @var is equal to any config->r{@type}id's.
*/
#define EQUALS_ANY_ID(var, type) (var == config->r ## type ## id \
|| var == config->e ## type ## id \
|| var == config->s ## type ## id)
/**
* Emulate setresuid(2) and setresgid(2).
*/
#define SETRESXID(type,version) do { \
type ## id_t r ## type ## id = peek_reg(tracee, version, SYSARG_1); \
type ## id_t e ## type ## id = peek_reg(tracee, version, SYSARG_2); \
type ## id_t s ## type ## id = peek_reg(tracee, version, SYSARG_3); \
bool allowed; \
\
/* "Unprivileged user processes may change the real UID, \
* effective UID, and saved set-user-ID, each to one of: the \
* current real UID, the current effective UID or the current \
* saved set-user-ID. \
* \
* Privileged processes (on Linux, those having the CAP_SETUID \
* capability) may set the real UID, effective UID, and saved \
* set-user-ID to arbitrary values." -- man setresuid */ \
allowed = (config->euid == 0 /* || HAS_CAP(SETUID) */ \
|| ((UNSET_ID(r ## type ## id) || EQUALS_ANY_ID(r ## type ## id, type)) \
&& (UNSET_ID(e ## type ## id) || EQUALS_ANY_ID(e ## type ## id, type)) \
&& (UNSET_ID(s ## type ## id) || EQUALS_ANY_ID(s ## type ## id, type)))); \
if (!allowed) \
return -EPERM; \
\
/* "If one of the arguments equals -1, the corresponding value \
* is not changed." -- man setresuid */ \
if (!UNSET_ID(r ## type ## id)) \
config->r ## type ## id = r ## type ## id; \
\
if (!UNSET_ID(e ## type ## id)) { \
/* "the file system UID is always set to the same \
* value as the (possibly new) effective UID." -- man \
* setresuid */ \
config->e ## type ## id = e ## type ## id; \
config->fs ## type ## id = e ## type ## id; \
} \
\
if (!UNSET_ID(s ## type ## id)) \
config->s ## type ## id = s ## type ## id; \
\
poke_reg(tracee, SYSARG_RESULT, 0); \
return 0; \
} while (0)
/**
* Emulate setfsuid(2) and setfsgid(2).
*/
#define SETFSXID(type) do { \
uid_t fs ## type ## id = peek_reg(tracee, ORIGINAL, SYSARG_1); \
uid_t old_fs ## type ## id = config->fs ## type ## id; \
bool allowed; \
\
/* "setfsuid() will succeed only if the caller is the \
* superuser or if fsuid matches either the real user ID, \
* effective user ID, saved set-user-ID, or the current value \
* of fsuid." -- man setfsuid */ \
allowed = (config->euid == 0 /* TODO: || HAS_CAP(SETUID) */ \
|| fs ## type ## id == config->fs ## type ## id \
|| EQUALS_ANY_ID(fs ## type ## id, type)); \
if (allowed) \
config->fs ## type ## id = fs ## type ## id; \
\
/* "On success, the previous value of fsuid is returned. On \
* error, the current value of fsuid is returned." -- man \
* setfsuid */ \
poke_reg(tracee, SYSARG_RESULT, old_fs ## type ## id); \
return 0; \
} while (0)
typedef struct {
char *path;
mode_t mode;
} ModifiedNode;
/* List of syscalls handled by this extensions. */
static FilteredSysnum filtered_sysnums[] = {
#ifdef USERLAND
{ PR_access, FILTER_SYSEXIT },
{ PR_creat, FILTER_SYSEXIT },
{ PR_faccessat, FILTER_SYSEXIT },
{ PR_faccessat2, FILTER_SYSEXIT },
{ PR_link, FILTER_SYSEXIT },
{ PR_linkat, FILTER_SYSEXIT },
{ PR_mkdir, FILTER_SYSEXIT },
{ PR_mkdirat, FILTER_SYSEXIT },
{ PR_symlink, FILTER_SYSEXIT },
{ PR_symlinkat, FILTER_SYSEXIT },
{ PR_umask, FILTER_SYSEXIT },
{ PR_unlink, FILTER_SYSEXIT },
{ PR_unlinkat, FILTER_SYSEXIT },
{ PR_utimensat, FILTER_SYSEXIT },
#endif
{ PR_capset, FILTER_SYSEXIT },
{ PR_chmod, FILTER_SYSEXIT },
{ PR_chown, FILTER_SYSEXIT },
{ PR_chown32, FILTER_SYSEXIT },
{ PR_chroot, FILTER_SYSEXIT },
{ PR_execve, FILTER_SYSEXIT },
{ PR_fchmod, FILTER_SYSEXIT },
{ PR_fchmodat, FILTER_SYSEXIT },
{ PR_fchown, FILTER_SYSEXIT },
{ PR_fchown32, FILTER_SYSEXIT },
{ PR_fchownat, FILTER_SYSEXIT },
{ PR_fstat, FILTER_SYSEXIT },
{ PR_fstat64, FILTER_SYSEXIT },
{ PR_fstatat64, FILTER_SYSEXIT },
{ PR_getegid, FILTER_SYSEXIT },
{ PR_getegid32, FILTER_SYSEXIT },
{ PR_geteuid, FILTER_SYSEXIT },
{ PR_geteuid32, FILTER_SYSEXIT },
{ PR_getgid, FILTER_SYSEXIT },
{ PR_getgid32, FILTER_SYSEXIT },
{ PR_getgroups, FILTER_SYSEXIT },
{ PR_getgroups32, FILTER_SYSEXIT },
{ PR_getresgid, FILTER_SYSEXIT },
{ PR_getresgid32, FILTER_SYSEXIT },
{ PR_getresuid, FILTER_SYSEXIT },
{ PR_getresuid32, FILTER_SYSEXIT },
{ PR_getuid, FILTER_SYSEXIT },
{ PR_getuid32, FILTER_SYSEXIT },
{ PR_getsockopt, FILTER_SYSEXIT },
{ PR_lchown, FILTER_SYSEXIT },
{ PR_lchown32, FILTER_SYSEXIT },
{ PR_lstat, FILTER_SYSEXIT },
{ PR_lstat64, FILTER_SYSEXIT },
{ PR_mknod, FILTER_SYSEXIT },
{ PR_mknodat, FILTER_SYSEXIT },
{ PR_newfstatat, FILTER_SYSEXIT },
{ PR_oldlstat, FILTER_SYSEXIT },
{ PR_oldstat, FILTER_SYSEXIT },
{ PR_sendmsg, 0 },
{ PR_setfsgid, FILTER_SYSEXIT },
{ PR_setfsgid32, FILTER_SYSEXIT },
{ PR_setfsuid, FILTER_SYSEXIT },
{ PR_setfsuid32, FILTER_SYSEXIT },
{ PR_setgid, FILTER_SYSEXIT },
{ PR_setgid32, FILTER_SYSEXIT },
{ PR_setgroups, FILTER_SYSEXIT },
{ PR_setgroups32, FILTER_SYSEXIT },
{ PR_setregid, FILTER_SYSEXIT },
{ PR_setregid32, FILTER_SYSEXIT },
{ PR_setreuid, FILTER_SYSEXIT },
{ PR_setreuid32, FILTER_SYSEXIT },
{ PR_setresgid, FILTER_SYSEXIT },
{ PR_setresgid32, FILTER_SYSEXIT },
{ PR_setresuid, FILTER_SYSEXIT },
{ PR_setresuid32, FILTER_SYSEXIT },
{ PR_setuid, FILTER_SYSEXIT },
{ PR_setuid32, FILTER_SYSEXIT },
{ PR_setxattr, FILTER_SYSEXIT },
{ PR_setdomainname, FILTER_SYSEXIT },
{ PR_sethostname, FILTER_SYSEXIT },
{ PR_socket, FILTER_SYSEXIT },
{ PR_lsetxattr, FILTER_SYSEXIT },
{ PR_fsetxattr, FILTER_SYSEXIT },
{ PR_stat, FILTER_SYSEXIT },
{ PR_stat64, FILTER_SYSEXIT },
{ PR_statfs, FILTER_SYSEXIT },
{ PR_statfs64, FILTER_SYSEXIT },
FILTERED_SYSNUM_END,
};
/**
* Restore the @node->mode for the given @node->path.
*
* Note: this is a Talloc destructor.
*/
static int restore_mode(ModifiedNode *node)
{
(void) chmod(node->path, node->mode);
return 0;
}
/**
* Force permissions of @path to "rwx" during the path translation of
* current @tracee's syscall, in order to simulate CAP_DAC_OVERRIDE.
* The original permissions are restored through talloc destructors.
* See canonicalize() for the meaning of @is_final.
*/
static void override_permissions(const Tracee *tracee, const char *path, bool is_final)
{
ModifiedNode *node;
struct stat perms;
mode_t new_mode;
int status;
/* Get the meta-data */
if (should_skip_file_access_due_to_f2fs_bug(tracee, path))
return;
status = stat(path, &perms);
if (status < 0)
return;
/* Copy the current permissions */
new_mode = perms.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO);
/* Add read and write permissions to everything. */
new_mode |= (S_IRUSR | S_IWUSR);
/* Always add 'x' bit to directories */
if (S_ISDIR(perms.st_mode))
new_mode |= S_IXUSR;
/* Patch the permissions only if needed. */
if (new_mode == (perms.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)))
return;
node = talloc_zero(tracee->ctx, ModifiedNode);
if (node == NULL)
return;
if (!is_final) {
/* Restore the previous mode of any non final components. */
node->mode = perms.st_mode;
}
else {
switch (get_sysnum(tracee, ORIGINAL)) {
/* For chmod syscalls: restore the new mode of the final component. */
case PR_chmod:
node->mode = peek_reg(tracee, ORIGINAL, SYSARG_2);
break;
case PR_fchmodat:
node->mode = peek_reg(tracee, ORIGINAL, SYSARG_3);
break;
/* For stat syscalls: don't touch the mode of the final component. */
case PR_fstatat64:
case PR_lstat:
case PR_lstat64:
case PR_newfstatat:
case PR_oldlstat:
case PR_oldstat:
case PR_stat:
case PR_stat64:
case PR_statfs:
case PR_statfs64:
return;
/* Otherwise: restore the previous mode of the final component. */
default:
node->mode = perms.st_mode;
break;
}
}
node->path = talloc_strdup(node, path);
if (node->path == NULL) {
/* Keep only consistent nodes. */
TALLOC_FREE(node);
return;
}
/* The mode restoration works because Talloc destructors are
* called in reverse order. */
talloc_set_destructor(node, restore_mode);
(void) chmod(path, new_mode);
return;
}
/**
* Adjust some ELF auxiliary vectors. This function assumes the
* "argv, envp, auxv" stuff is pointed to by @tracee's stack pointer,
* as expected right after a successful call to execve(2).
*/
static int adjust_elf_auxv(Tracee *tracee, Config *config)
{
ElfAuxVector *vectors;
ElfAuxVector *vector;
word_t vectors_address;
vectors_address = get_elf_aux_vectors_address(tracee);
if (vectors_address == 0)
return 0;
vectors = fetch_elf_aux_vectors(tracee, vectors_address);
if (vectors == NULL)
return 0;
for (vector = vectors; vector->type != AT_NULL; vector++) {
switch (vector->type) {
case AT_UID:
vector->value = config->ruid;
break;
case AT_EUID:
vector->value = config->euid;
break;
case AT_GID:
vector->value = config->rgid;
break;
case AT_EGID:
vector->value = config->egid;
break;
default:
break;
}
}
push_elf_aux_vectors(tracee, vectors, vectors_address);
return 0;
}
static int handle_perm_err_exit_end(Tracee *tracee, Config *config) {
word_t result;
/* Override only permission errors. */
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
#ifdef USERLAND
/** If the call has been set to PR_void, it "succeeded" in
* altering a meta file correctly.
*/
if(get_sysnum(tracee, CURRENT) == PR_getuid && (int) result != 0)
poke_reg(tracee, SYSARG_RESULT, 0);
if(get_sysnum(tracee, CURRENT) == PR_void && (int) result != 0)
poke_reg(tracee, SYSARG_RESULT, 0);
#endif
if ((int) result != -EPERM && (int) result != -EACCES)
return 0;
/* Force success if the tracee was supposed to have
* the capability. */
if (config->euid == 0) /* TODO: || HAS_CAP(...) */
poke_reg(tracee, SYSARG_RESULT, 0);
return 0;
}
static int handle_getresuid_exit_end(Tracee *tracee, Config *config) {
POKE_MEM_ID(SYSARG_1, ruid);
POKE_MEM_ID(SYSARG_2, euid);
POKE_MEM_ID(SYSARG_3, suid);
return 0;
}
static int handle_getresgid_exit_end(Tracee *tracee, Config *config) {
POKE_MEM_ID(SYSARG_1, rgid);
POKE_MEM_ID(SYSARG_2, egid);
POKE_MEM_ID(SYSARG_3, sgid);
return 0;
}
/**
* Adjust current @tracee's syscall parameters according to @config.
* This function always returns 0.
*/
static int handle_sysenter_end(Tracee *tracee, Config *config)
{
word_t sysnum;
Reg uid_sysarg = SYSARG_2;
Reg gid_sysarg = SYSARG_3;
sysnum = get_sysnum(tracee, ORIGINAL);
switch (sysnum) {
#ifdef USERLAND
/* handle_open(tracee, fd_sysarg, path_sysarg, flags_sysarg, mode_sysarg, config) */
/* int openat(int dirfd, const char *pathname, int flags, mode_t mode) */
case PR_openat:
return handle_open_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, SYSARG_4, config);
/* int open(const char *pathname, int flags, mode_t mode) */
case PR_open:
return handle_open_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, SYSARG_2, SYSARG_3, config);
/* int creat(const char *pathname, mode_t mode) */
case PR_creat:
return handle_open_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, IGNORE_SYSARG, SYSARG_2, config);
/* handle_mk(tracee, fd_sysarg, path_sysarg, mode_sysarg, config) */
/* int mkdirat(int dirfd, const char *pathname, mode_t mode) */
case PR_mkdirat:
return handle_mk_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, config);
/* int mkdir(const char *pathname, mode_t mode) */
case PR_mkdir:
return handle_mk_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, SYSARG_2, config);
/* handle_mk(tracee, fd_sysarg, path_sysarg, mode_sysarg, config) */
/* int mknodat(int dirfd, const char *pathname, mode_t mode, dev_t dev); */
case PR_mknodat:
return handle_mk_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, config);
/* int mknod(const char *pathname, mode_t mode, dev_t dev); */
case PR_mknod:
return handle_mk_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, SYSARG_2, config);
/* handle_unlink(tracee, fd_sysarg, path_sysarg, config) */
/* int unlinkat(int dirfd, const char *pathname, int flags) */
case PR_unlinkat:
return handle_unlink_enter_end(tracee, SYSARG_1, SYSARG_2, config);
/* int rmdir(const char *pathname */
case PR_rmdir:
/* int unlink(const char *pathname) */
case PR_unlink:
return handle_unlink_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, config);
/* handle_rename(tracee, oldfd_sysarg, oldpath_sysarg, newfd_sysarg, newpath_sysarg, config) */
/* int renameat(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) */
case PR_renameat:
return handle_rename_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, SYSARG_4, config);
/* int rename(const char *oldpath, const char *newpath) */
case PR_rename:
return handle_rename_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, IGNORE_SYSARG, SYSARG_2, config);
/* handle_chmod(tracee, path_sysarg, mode_sysarg, fd_sysarg, dirfd_sysarg, config) */
/* int chmod(const char *pathname, mode_t mode) */
case PR_chmod:
return handle_chmod_enter_end(tracee, SYSARG_1, SYSARG_2, IGNORE_SYSARG, IGNORE_SYSARG, config);
/* int fchmod(int fd, mode_t mode) */
case PR_fchmod:
return handle_chmod_enter_end(tracee, IGNORE_SYSARG, SYSARG_2,
SYSARG_1, IGNORE_SYSARG, config);
/* int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags (unused)) */
case PR_fchmodat:
return handle_chmod_enter_end(tracee, SYSARG_2, SYSARG_3,
IGNORE_SYSARG, SYSARG_1, config);
/* handle_chown(tracee, path_sysarg, owner_sysarg, group_sysarg, fd_sysarg, dirfd_sysarg, config) */
/* int chown(const char *pathname, uid_t owner, gid_t group) */
case PR_chown:
case PR_chown32:
return handle_chown_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3,
IGNORE_SYSARG, IGNORE_SYSARG, config);
/* int fchown(int fd, uid_t owner, gid_t group) */
case PR_fchown:
case PR_fchown32:
return handle_chown_enter_end(tracee, IGNORE_SYSARG, SYSARG_2, SYSARG_3,
SYSARG_1, IGNORE_SYSARG, config);
/* int lchown(const char *pathname, uid_t owner, gid_t group) */
case PR_lchown:
case PR_lchown32:
return handle_chown_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3,
IGNORE_SYSARG, IGNORE_SYSARG, config);
/* int fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group, int flags (unused)) */
case PR_fchownat:
return handle_chown_enter_end(tracee, SYSARG_2, SYSARG_3, SYSARG_4,
IGNORE_SYSARG, SYSARG_1, config);
/* handle_utimensat(tracee, dirfd_sysarg, path_sysarg, times_sysarg, config) */
/* int utimensat(int dirfd, const char *pathname, const struct timespec times[2], int flags) */
case PR_utimensat:
return handle_utimensat_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, config);
/* handle_access(tracee path_sysarg, mode_sysarg, dirfd_sysarg, config) */
/* int access(const char *pathname, int mode) */
case PR_access:
return handle_access_enter_end(tracee, SYSARG_1, SYSARG_2, IGNORE_SYSARG, config);
/* int faccessat(int dirfd, const char *pathname, int mode, int flags) */
case PR_faccessat:
case PR_faccessat2:
return handle_access_enter_end(tracee, SYSARG_2, SYSARG_3, SYSARG_1, config);
/* handle_exec(tracee, filename_sysarg, config) */
case PR_execve:
return handle_exec_enter_end(tracee, SYSARG_1, config);
/* handle_link(tracee, olddirfd_sysarg, oldpath_sysarg, newdirfd_sysarg, newpath_sysarg, config) */
/* int link(const char *oldpath, const char *newpath) */
case PR_link:
return handle_link_enter_end(tracee, IGNORE_SYSARG, SYSARG_1, IGNORE_SYSARG, SYSARG_2, config);
/* int linkat(int olddirfd, const char *oldpath, int newdirfd, const char *newpath, int flags) */
case PR_linkat:
return handle_link_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, SYSARG_4, config);
/* handle_symlink(tracee, oldpath_sysarg, newdirfd_sysarg, newpath_sysarg, config) */
/* int symlink(const char *target, const char *linkpath); */
case PR_symlink:
return handle_symlink_enter_end(tracee, SYSARG_1, IGNORE_SYSARG, SYSARG_2, config);
/* int symlinkat(const char *target, int newdirfd, const char *linkpath); */
case PR_symlinkat:
return handle_symlink_enter_end(tracee, SYSARG_1, SYSARG_2, SYSARG_3, config);
/* int fstat(int fd, struct stat *buf); */
case PR_fstat:
case PR_fstat64:
return handle_stat_enter_end(tracee, SYSARG_1);
#endif
case PR_sendmsg:
case PR_socketcall:
return handle_sendmsg_enter_end(tracee, sysnum);
case PR_setuid:
case PR_setuid32:
case PR_setgid:
case PR_setgid32:
case PR_setreuid:
case PR_setreuid32:
case PR_setregid:
case PR_setregid32:
case PR_setresuid:
case PR_setresuid32:
case PR_setresgid:
case PR_setresgid32:
case PR_setfsuid:
case PR_setfsuid32:
case PR_setfsgid:
case PR_setfsgid32:
#ifdef USERLAND
case PR_umask:
#endif
/* These syscalls are fully emulated. */
set_sysnum(tracee, PR_void);
return 0;
#ifndef USERLAND
case PR_fchownat:
uid_sysarg = SYSARG_3;
gid_sysarg = SYSARG_4;
case PR_chown:
case PR_chown32:
case PR_lchown:
case PR_lchown32:
case PR_fchown:
case PR_fchown32:
return handle_chown_enter_end(tracee, config, uid_sysarg, gid_sysarg);
#endif
case PR_setgroups:
case PR_setgroups32:
case PR_getgroups:
case PR_getgroups32:
/* TODO */
#ifdef USERLAND
/* TODO: need to actually emulate these */
//On Android, the system is returning gids that our rootfs knows nothing about
//which is generating errors
set_sysnum(tracee, PR_void);
return 0;
#endif
default:
return 0;
}
/* Never reached */
assert(0);
return 0;
}
/**
* Adjust current @tracee's syscall result according to @config. This
* function returns -errno if an error occured, otherwise 0.
*/
static int handle_sysexit_end(Tracee *tracee, Config *config)
{
word_t sysnum;
#ifdef USERLAND
word_t result;
#endif
#ifndef USERLAND
Reg stat_sysarg = SYSARG_2;
#endif
sysnum = get_sysnum(tracee, ORIGINAL);
#ifdef USERLAND
if ((get_sysnum(tracee, CURRENT) == PR_fstat) || (get_sysnum(tracee, CURRENT) == PR_fstat64)) {
word_t address;
Reg sysarg;
uid_t uid;
gid_t gid;
/* Override only if it succeed. */
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
if (result != 0)
return 0;
/* Get the address of the 'stat' structure. */
sysarg = SYSARG_2;
address = peek_reg(tracee, ORIGINAL, sysarg);
/* Sanity checks. */
assert(__builtin_types_compatible_p(uid_t, uint32_t));
assert(__builtin_types_compatible_p(gid_t, uint32_t));
/* Get the uid & gid values from the 'stat' structure. */
uid = peek_uint32(tracee, address + offsetof_stat_uid(tracee));
if (errno != 0)
uid = 0; /* Not fatal. */
gid = peek_uint32(tracee, address + offsetof_stat_gid(tracee));
if (errno != 0)
gid = 0; /* Not fatal. */
/* Override only if the file is owned by the current user.
* * Errors are not fatal here. */
if (uid == getuid())
poke_uint32(tracee, address + offsetof_stat_uid(tracee), config->suid);
if (gid == getgid())
poke_uint32(tracee, address + offsetof_stat_gid(tracee), config->sgid);
return 0;
}
if (((sysnum == PR_fstat) || (sysnum == PR_fstat64)) && (get_sysnum(tracee, CURRENT) == PR_readlinkat)) {
int status;
char path[PATH_MAX];
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
poke_reg(tracee, SYSARG_RESULT, 0);
if ((int)result <= 0)
return result;
status = read_sysarg_path(tracee, path, SYSARG_3, MODIFIED);
if(status < 0)
return status;
path[result] = '\0';
if ((strcmp(path + strlen(path) - strlen(" (deleted)"), " (deleted)") == 0) || (strncmp(path, "pipe", 4) == 0)) {
register_chained_syscall(tracee, sysnum, peek_reg(tracee, ORIGINAL, SYSARG_1), peek_reg(tracee, ORIGINAL, SYSARG_2), 0, 0, 0, 0);
} else {
write_data(tracee, peek_reg(tracee, MODIFIED, SYSARG_3), path, sizeof(path));
# if defined(__x86_64__)
register_chained_syscall(tracee, PR_newfstatat, AT_FDCWD, peek_reg(tracee, MODIFIED, SYSARG_3), peek_reg(tracee, ORIGINAL, SYSARG_2), 0, 0, 0);
# else
register_chained_syscall(tracee, PR_fstatat64, AT_FDCWD, peek_reg(tracee, MODIFIED, SYSARG_3), peek_reg(tracee, ORIGINAL, SYSARG_2), 0, 0, 0);
# endif
}
return 0;
}
#endif
switch (sysnum) {
case PR_setuid:
case PR_setuid32:
SETXID(uid, ORIGINAL);
case PR_setgid:
case PR_setgid32:
SETXID(gid, ORIGINAL);
case PR_setreuid:
case PR_setreuid32:
SETREXID(uid, ORIGINAL);
case PR_setregid:
case PR_setregid32:
SETREXID(gid, ORIGINAL);
case PR_setresuid:
case PR_setresuid32:
SETRESXID(u, ORIGINAL);
case PR_setresgid:
case PR_setresgid32:
SETRESXID(g, ORIGINAL);
case PR_setfsuid:
case PR_setfsuid32:
SETFSXID(u);
case PR_setfsgid:
case PR_setfsgid32:
SETFSXID(g);
case PR_getuid:
case PR_getuid32:
poke_reg(tracee, SYSARG_RESULT, config->ruid);
return 0;
case PR_getgid:
case PR_getgid32:
poke_reg(tracee, SYSARG_RESULT, config->rgid);
return 0;
case PR_geteuid:
case PR_geteuid32:
poke_reg(tracee, SYSARG_RESULT, config->euid);
return 0;
case PR_getegid:
case PR_getegid32:
poke_reg(tracee, SYSARG_RESULT, config->egid);
return 0;
case PR_getresuid:
case PR_getresuid32:
return handle_getresuid_exit_end(tracee, config);
case PR_getresgid:
case PR_getresgid32:
return handle_getresgid_exit_end(tracee, config);
#ifdef USERLAND
case PR_umask:
poke_reg(tracee, SYSARG_RESULT, config->umask);
config->umask = (mode_t) peek_reg(tracee, MODIFIED, SYSARG_1);
return 0;
case PR_setgroups:
case PR_setgroups32:
case PR_getgroups:
case PR_getgroups32:
/*TODO: need to really emulate*/
poke_reg(tracee, SYSARG_RESULT, 0);
return 0;
#endif
case PR_setdomainname:
case PR_sethostname:
#ifndef USERLAND
case PR_setgroups:
case PR_setgroups32:
#endif
case PR_mknod:
case PR_mknodat:
case PR_capset:
case PR_setxattr:
case PR_lsetxattr:
case PR_fsetxattr:
case PR_chmod:
case PR_chown:
case PR_fchmod:
case PR_fchown:
case PR_lchown:
case PR_chown32:
case PR_fchown32:
case PR_lchown32:
case PR_fchmodat:
case PR_fchownat:
return handle_perm_err_exit_end(tracee, config);
case PR_socket:
return handle_socket_exit_end(tracee, config);
#ifndef USERLAND
case PR_fstatat64:
case PR_newfstatat:
stat_sysarg = SYSARG_3;
case PR_stat64:
case PR_lstat64:
case PR_fstat64:
case PR_stat:
case PR_lstat:
case PR_fstat:
return handle_stat_exit_end(tracee, config, stat_sysarg);
#endif /* ifndef USERLAND */
#ifdef USERLAND
case PR_fstatat64:
case PR_newfstatat:
case PR_stat64:
case PR_lstat64:
case PR_fstat64:
case PR_stat:
case PR_lstat:
case PR_fstat:
return handle_stat_exit_end(tracee, config, sysnum);
#endif /* ifdef USERLAND */
case PR_chroot:
return handle_chroot_exit_end(tracee, config, false);
case PR_getsockopt:
return handle_getsockopt_exit_end(tracee);
#ifdef USERLAND
/** Check to see if a meta was created for a file that no longer exists.
* If so, delete it.
*/
case PR_open:
case PR_openat:
case PR_creat: {
int status;
Reg sysarg;
char path[PATH_MAX];
char meta_path[PATH_MAX];
if(sysnum == PR_open || sysnum == PR_creat)
sysarg = SYSARG_1;
else
sysarg = SYSARG_2;
status = read_sysarg_path(tracee, path, sysarg, MODIFIED);
if(status < 0)
return status;
if(status == 1)
return 0;
/* If the file exists, it doesn't matter if a metafile exists. */
if(path_exists(path) == 0)
return 0;
status = get_meta_path(path, meta_path);
if(status < 0)
return status;
/* If the metafile exists and the original file does not, delete it. */
if(path_exists(meta_path) == 0)
status = unlink(meta_path);
return 0;
}
#endif
default:
return 0;