DR_EXPORT
void dr_init(client_id_t id)
{
client_id = id;
dr_fprintf(STDERR, "thank you for testing the client interface\n");
drmgr_init();
cls_idx = drmgr_register_cls_field(event_thread_context_init,
event_thread_context_exit);
ASSERT(cls_idx != -1);
dr_register_nudge_event(event_nudge, id);
dr_register_filter_syscall_event(event_filter_syscall);
drmgr_register_pre_syscall_event(event_pre_syscall);
drmgr_register_post_syscall_event(event_post_syscall);
dr_register_exit_event(event_exit);
#ifdef WINDOWS
sysnum_CreateProcess = get_sysnum("NtCreateProcess");
ASSERT(sysnum_CreateProcess != -1);
/* not asserting on these since added later */
sysnum_CreateProcessEx = get_sysnum("NtCreateProcessEx");
sysnum_CreateUserProcess = get_sysnum("NtCreateUserProcess");
sysnum_ResumeThread = get_sysnum("NtResumeThread");
ASSERT(sysnum_ResumeThread != -1);
#endif
}
void translate_brk_exit(Tracee *tracee)
{
word_t result;
word_t sysnum;
int tracee_errno;
assert(heap_offset > 0);
sysnum = get_sysnum(tracee, MODIFIED);
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
tracee_errno = (int) result;
switch (sysnum) {
case PR_void:
poke_reg(tracee, SYSARG_RESULT, tracee->heap->base + tracee->heap->size);
break;
case PR_mmap:
case PR_mmap2:
/* On error, mmap(2) returns -errno (the last 4k is
* reserved for this), whereas brk(2) returns the
* previous value. */
if (tracee_errno < 0 && tracee_errno > -4096) {
poke_reg(tracee, SYSARG_RESULT, 0);
break;
}
tracee->heap->base = result + heap_offset;
tracee->heap->size = 0;
poke_reg(tracee, SYSARG_RESULT, tracee->heap->base + tracee->heap->size);
break;
case PR_mremap:
/* On error, mremap(2) returns -errno (the last 4k is
* reserved this), whereas brk(2) returns the previous
* value. */
if ( (tracee_errno < 0 && tracee_errno > -4096)
|| (tracee->heap->base != result + heap_offset)) {
poke_reg(tracee, SYSARG_RESULT, tracee->heap->base + tracee->heap->size);
break;
}
tracee->heap->size = peek_reg(tracee, MODIFIED, SYSARG_3) - heap_offset;
poke_reg(tracee, SYSARG_RESULT, tracee->heap->base + tracee->heap->size);
break;
default:
assert(0);
}
DEBUG_BRK("brk() = 0x%lx\n", peek_reg(tracee, CURRENT, SYSARG_RESULT));
}
/**
* Print the value of the current @tracee's registers according
* to the @verbose_level. Note: @message is mixed to the output.
*/
void print_current_regs(Tracee *tracee, int verbose_level, const char *message)
{
if (tracee->verbose < verbose_level)
return;
note(tracee, INFO, INTERNAL,
"pid %d: %s: %s(0x%lx, 0x%lx, 0x%lx, 0x%lx, 0x%lx, 0x%lx) = 0x%lx [0x%lx, %d]",
tracee->pid, message,
stringify_sysnum(get_sysnum(tracee, CURRENT)),
peek_reg(tracee, CURRENT, SYSARG_1), peek_reg(tracee, CURRENT, SYSARG_2),
peek_reg(tracee, CURRENT, SYSARG_3), peek_reg(tracee, CURRENT, SYSARG_4),
peek_reg(tracee, CURRENT, SYSARG_5), peek_reg(tracee, CURRENT, SYSARG_6),
peek_reg(tracee, CURRENT, SYSARG_RESULT),
peek_reg(tracee, CURRENT, STACK_POINTER),
get_abi(tracee));
}
static int handle_syschained_exit(Tracee *tracee, Config *config)
{
int sysnum;
sysnum = get_sysnum(tracee, CURRENT);
switch(sysnum) {
#define SYSARG_ADDR(n) (args_addr + ((n) - 1) * sizeof_word(tracee))
#define PEEK_WORD(addr, forced_errno) \
peek_word(tracee, addr); \
if (errno != 0) { \
status = forced_errno ?: -errno; \
break; \
}
#define POKE_WORD(addr, value) \
poke_word(tracee, addr, value); \
if (errno != 0) { \
status = -errno; \
break; \
}
case PR_socketcall: {
word_t args_addr;
word_t call;
call = peek_reg(tracee, CURRENT, SYSARG_1);
args_addr = peek_reg(tracee, CURRENT, SYSARG_2);
switch(call) {
case SYS_GETSOCKNAME:{
word_t sockfd, sock_addr;
int result, status;
sockfd = PEEK_WORD(SYSARG_ADDR(1), 0);
sock_addr = PEEK_WORD(SYSARG_ADDR(2), 0);
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
status = add_changed_port_as_entry(tracee, config, sockfd, sock_addr, result);
return status;
}
default:
return 0;
}
return 0;
}
#undef SYSARG_ADDR
#undef PEEK_WORD
#undef POKE_WORD
case PR_getsockname:{
word_t sockfd, sock_addr;
int result;
sockfd = peek_reg(tracee, CURRENT, SYSARG_1);
sock_addr = peek_reg(tracee, CURRENT, SYSARG_2);
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
return add_changed_port_as_entry(tracee, config, sockfd, sock_addr, result);
}
default:
return 0;
}
}
static int handle_sysenter_end(Tracee *tracee, Config *config)
{
int status;
int sysnum;
sysnum = get_sysnum(tracee, CURRENT);
switch(sysnum) {
#define SYSARG_ADDR(n) (args_addr + ((n) - 1) * sizeof_word(tracee))
#define PEEK_WORD(addr, forced_errno) \
peek_word(tracee, addr); \
if (errno != 0) { \
status = forced_errno ?: -errno; \
break; \
}
#define POKE_WORD(addr, value) \
poke_word(tracee, addr, value); \
if (errno != 0) { \
status = -errno; \
break; \
}
case PR_socketcall: {
word_t sockfd;
word_t args_addr;
word_t sock_addr_saved;
word_t sock_addr;
word_t size;
word_t call;
int is_bind_syscall = sysnum == PR_bind;
call = peek_reg(tracee, CURRENT, SYSARG_1);
is_bind_syscall = call == SYS_BIND;
args_addr = peek_reg(tracee, CURRENT, SYSARG_2);
switch(call) {
case SYS_BIND:
case SYS_CONNECT: {
/* Remember: PEEK_WORD puts -errno in status and breaks if an
* error occured. */
sockfd = PEEK_WORD(SYSARG_ADDR(1), 0);
sock_addr = PEEK_WORD(SYSARG_ADDR(2), 0);
size = PEEK_WORD(SYSARG_ADDR(3), 0);
sock_addr_saved = sock_addr;
status = translate_port(tracee, config, sockfd, &sock_addr, size, is_bind_syscall);
if (status < 0)
break;
/* These parameters are used/restored at the exit stage. */
poke_reg(tracee, SYSARG_5, sock_addr_saved);
poke_reg(tracee, SYSARG_6, size);
/* Remember: POKE_WORD puts -errno in status and breaks if an
* error occured. */
POKE_WORD(SYSARG_ADDR(2), sock_addr);
POKE_WORD(SYSARG_ADDR(3), sizeof(struct sockaddr_un));
return 0;
}
case SYS_LISTEN: {
word_t sockfd;
if(!config->netcoop_mode || !config->need_to_check_new_port)
return 0;
/* we retrieve this one from the listen() system call */
sockfd = PEEK_WORD(SYSARG_ADDR(1), 0);
status = prepare_getsockname_chained_syscall(tracee, config, sockfd, true);
return status;
}
default:
return 0;
}
break;
}
#undef SYSARG_ADDR
#undef PEEK_WORD
#undef POKE_WORD
case PR_connect:
case PR_bind: {
int size;
int is_bind_syscall;
word_t sockfd, sock_addr;
/*
* Get the reg address of the socket, and the size of the structure.
* Note that the sockaddr and addrlen are at the same position for all 4 of these syscalls.
*/
sockfd = peek_reg(tracee, CURRENT, SYSARG_1);
sock_addr = peek_reg(tracee, CURRENT, SYSARG_2);
size = (int) peek_reg(tracee, CURRENT, SYSARG_3);
is_bind_syscall = sysnum == PR_bind;
status = translate_port(tracee, config, sockfd, &sock_addr, size, is_bind_syscall);
if (status < 0) {
return status;
}
/* then we modify the syscall argument so that it uses the modified socket address */
poke_reg(tracee, SYSARG_2, sock_addr);
//poke_reg(tracee, SYSARG_3, size);
poke_reg(tracee, SYSARG_3, sizeof(struct sockaddr_un));
return 0;
}
case PR_listen: {
word_t sockfd;
if(!config->netcoop_mode || !config->need_to_check_new_port)
return 0;
/* we retrieve this one from the listen() system call */
sockfd = peek_reg(tracee, CURRENT, SYSARG_1);
status = prepare_getsockname_chained_syscall(tracee, config, sockfd, false);
return status;
}
default:
return 0;
}
return 0;
}
/**
* Replace current @tracee's syscall with an older and compatible one
* whenever it's required, i.e. when the syscall is supported by the
* kernel as specified by @config->virtual_release but it isn't
* supported by the actual kernel.
*/
static int handle_sysenter_end(Tracee *tracee, Config *config)
{
/* Note: syscalls like "openat" can be replaced by "open" since PRoot
* has canonicalized "fd + path" into "path". */
switch (get_sysnum(tracee, ORIGINAL)) {
case PR_accept4: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,28),
.new_sysarg_num = PR_accept,
.shifts = NONE
};
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_dup3: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_dup2,
.shifts = NONE
};
/* "If oldfd equals newfd, then dup3() fails with the
* error EINVAL" -- man dup3 */
if (peek_reg(tracee, CURRENT, SYSARG_1) == peek_reg(tracee, CURRENT, SYSARG_2))
return -EINVAL;
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_epoll_create1: {
bool modified;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_epoll_create,
.shifts = NONE
};
/* "the size argument is ignored, but must be greater
* than zero" -- man epoll_create */
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_1, 1);
return 0;
}
case PR_epoll_pwait: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,19),
.new_sysarg_num = PR_epoll_wait,
.shifts = NONE
};
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_eventfd2: {
bool modified;
word_t flags;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_eventfd,
.shifts = NONE
};
modified = modify_syscall(tracee, config, &modif);
if (modified) {
/* EFD_SEMAPHORE can't be emulated with eventfd. */
flags = peek_reg(tracee, CURRENT, SYSARG_2);
if ((flags & EFD_SEMAPHORE) != 0)
return -EINVAL;
}
return 0;
}
case PR_faccessat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_access,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_fchmodat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_chmod,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_fchownat: {
word_t flags;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 3,
.offset = -1 }
}
};
flags = peek_reg(tracee, CURRENT, SYSARG_5);
modif.new_sysarg_num = ((flags & AT_SYMLINK_NOFOLLOW) != 0
? PR_lchown
: PR_chown);
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_fcntl: {
word_t command;
if (!needs_kompat(config, KERNEL_VERSION(2,6,24)))
return 0;
command = peek_reg(tracee, ORIGINAL, SYSARG_2);
if (command == F_DUPFD_CLOEXEC)
poke_reg(tracee, SYSARG_2, F_DUPFD);
return 0;
}
case PR_newfstatat:
case PR_fstatat64: {
word_t flags;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
flags = peek_reg(tracee, CURRENT, SYSARG_4);
if ((flags & ~AT_SYMLINK_NOFOLLOW) != 0)
return -EINVAL; /* Exposed by LTP. */
#if defined(ARCH_X86_64)
if ((flags & AT_SYMLINK_NOFOLLOW) != 0)
modif.new_sysarg_num = (get_abi(tracee) != ABI_2 ? PR_lstat : PR_lstat64);
else
modif.new_sysarg_num = (get_abi(tracee) != ABI_2 ? PR_stat : PR_stat64);
#else
if ((flags & AT_SYMLINK_NOFOLLOW) != 0)
modif.new_sysarg_num = PR_lstat64;
else
modif.new_sysarg_num = PR_stat64;
#endif
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_futex: {
word_t operation;
static bool warned = false;
if (!needs_kompat(config, KERNEL_VERSION(2,6,22)) || config->actual_release == 0)
return 0;
operation = peek_reg(tracee, CURRENT, SYSARG_2);
if ((operation & FUTEX_PRIVATE_FLAG) == 0)
return 0;
if (!warned) {
warned = true;
note(tracee, WARNING, USER,
"kompat: this kernel doesn't support private futexes "
"and PRoot can't emulate them. Expect some troubles...");
}
poke_reg(tracee, SYSARG_2, operation & ~FUTEX_PRIVATE_FLAG);
return 0;
}
case PR_futimesat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_utimes,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_inotify_init1: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_inotify_init,
.shifts = NONE
};
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_linkat: {
word_t flags;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_link,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 1,
.offset = -1 },
[1] = {
.sysarg = SYSARG_4,
.nb_args = 1,
.offset = -2 }
}
};
flags = peek_reg(tracee, CURRENT, SYSARG_5);
if ((flags & ~AT_SYMLINK_FOLLOW) != 0)
return -EINVAL; /* Exposed by LTP. */
modify_syscall(tracee, config, &modif);
return 0;
}
case PR_mkdirat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_mkdir,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modify_syscall(tracee, config, &modif);
return 0;
}
/**
* Translate the output arguments of the current @tracee's syscall in
* the @tracee->pid process area. This function sets the result of
* this syscall to @tracee->status if an error occured previously
* during the translation, that is, if @tracee->status is less than 0.
*/
void translate_syscall_exit(Tracee *tracee)
{
word_t syscall_number;
word_t syscall_result;
int status;
status = notify_extensions(tracee, SYSCALL_EXIT_START, 0, 0);
if (status < 0) {
poke_reg(tracee, SYSARG_RESULT, (word_t) status);
goto end;
}
if (status > 0)
return;
/* Set the tracee's errno if an error occured previously during
* the translation. */
if (tracee->status < 0) {
poke_reg(tracee, SYSARG_RESULT, (word_t) tracee->status);
goto end;
}
/* Translate output arguments:
* - break: update the syscall result register with "status"
* - goto end: nothing else to do.
*/
syscall_number = get_sysnum(tracee, ORIGINAL);
syscall_result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
switch (syscall_number) {
case PR_brk:
translate_brk_exit(tracee);
goto end;
case PR_getcwd: {
char path[PATH_MAX];
size_t new_size;
size_t size;
word_t output;
size = (size_t) peek_reg(tracee, ORIGINAL, SYSARG_2);
if (size == 0) {
status = -EINVAL;
break;
}
/* Ensure cwd still exists. */
status = translate_path(tracee, path, AT_FDCWD, ".", false);
if (status < 0)
break;
new_size = strlen(tracee->fs->cwd) + 1;
if (size < new_size) {
status = -ERANGE;
break;
}
/* Overwrite the path. */
output = peek_reg(tracee, ORIGINAL, SYSARG_1);
status = write_data(tracee, output, tracee->fs->cwd, new_size);
if (status < 0)
break;
/* The value of "status" is used to update the returned value
* in translate_syscall_exit(). */
status = new_size;
break;
}
case PR_accept:
case PR_accept4:
/* Nothing special to do if no sockaddr was specified. */
if (peek_reg(tracee, ORIGINAL, SYSARG_2) == 0)
goto end;
/* Fall through. */
case PR_getsockname:
case PR_getpeername: {
word_t sock_addr;
word_t size_addr;
word_t max_size;
/* Error reported by the kernel. */
if ((int) syscall_result < 0)
goto end;
sock_addr = peek_reg(tracee, ORIGINAL, SYSARG_2);
size_addr = peek_reg(tracee, MODIFIED, SYSARG_3);
max_size = peek_reg(tracee, MODIFIED, SYSARG_6);
status = translate_socketcall_exit(tracee, sock_addr, size_addr, max_size);
if (status < 0)
break;
/* Don't overwrite the syscall result. */
goto end;
}
#define SYSARG_ADDR(n) (args_addr + ((n) - 1) * sizeof_word(tracee))
#define POKE_WORD(addr, value) \
poke_word(tracee, addr, value); \
if (errno != 0) { \
status = -errno; \
break; \
}
#define PEEK_WORD(addr) \
peek_word(tracee, addr); \
if (errno != 0) { \
status = -errno; \
break; \
}
case PR_socketcall: {
word_t args_addr;
word_t sock_addr;
word_t size_addr;
word_t max_size;
args_addr = peek_reg(tracee, ORIGINAL, SYSARG_2);
switch (peek_reg(tracee, ORIGINAL, SYSARG_1)) {
case SYS_ACCEPT:
case SYS_ACCEPT4:
/* Nothing special to do if no sockaddr was specified. */
sock_addr = PEEK_WORD(SYSARG_ADDR(2));
if (sock_addr == 0)
goto end;
/* Fall through. */
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
/* Handle these cases below. */
status = 1;
break;
case SYS_BIND:
case SYS_CONNECT:
/* Restore the initial parameters: this memory was
* overwritten at the enter stage. Remember: POKE_WORD
* puts -errno in status and breaks if an error
* occured. */
POKE_WORD(SYSARG_ADDR(2), peek_reg(tracee, MODIFIED, SYSARG_5));
POKE_WORD(SYSARG_ADDR(3), peek_reg(tracee, MODIFIED, SYSARG_6));
status = 0;
break;
default:
status = 0;
break;
}
/* Error reported by the kernel or there's nothing else to do. */
if ((int) syscall_result < 0 || status == 0)
goto end;
/* An error occured in SYS_BIND or SYS_CONNECT. */
if (status < 0)
break;
/* Remember: PEEK_WORD puts -errno in status and breaks if an
* error occured. */
sock_addr = PEEK_WORD(SYSARG_ADDR(2));
size_addr = PEEK_WORD(SYSARG_ADDR(3));
max_size = peek_reg(tracee, MODIFIED, SYSARG_6);
status = translate_socketcall_exit(tracee, sock_addr, size_addr, max_size);
if (status < 0)
break;
/* Don't overwrite the syscall result. */
goto end;
}
#undef SYSARG_ADDR
#undef PEEK_WORD
#undef POKE_WORD
case PR_fchdir:
case PR_chdir:
/* These syscalls are fully emulated, see enter.c for details
* (like errors). */
status = 0;
break;
case PR_rename:
case PR_renameat: {
char old_path[PATH_MAX];
char new_path[PATH_MAX];
ssize_t old_length;
ssize_t new_length;
Comparison comparison;
Reg old_reg;
Reg new_reg;
char *tmp;
/* Error reported by the kernel. */
if ((int) syscall_result < 0)
goto end;
if (syscall_number == PR_rename) {
old_reg = SYSARG_1;
new_reg = SYSARG_2;
}
else {
old_reg = SYSARG_2;
new_reg = SYSARG_4;
}
/* Get the old path, then convert it to the same
* "point-of-view" as tracee->fs->cwd (guest). */
status = read_path(tracee, old_path, peek_reg(tracee, MODIFIED, old_reg));
if (status < 0)
break;
status = detranslate_path(tracee, old_path, NULL);
if (status < 0)
break;
old_length = (status > 0 ? status - 1 : (ssize_t) strlen(old_path));
/* Nothing special to do if the moved path is not the
* current working directory. */
comparison = compare_paths(old_path, tracee->fs->cwd);
if (comparison != PATH1_IS_PREFIX && comparison != PATHS_ARE_EQUAL) {
status = 0;
break;
}
/* Get the new path, then convert it to the same
* "point-of-view" as tracee->fs->cwd (guest). */
status = read_path(tracee, new_path, peek_reg(tracee, MODIFIED, new_reg));
if (status < 0)
break;
status = detranslate_path(tracee, new_path, NULL);
if (status < 0)
break;
new_length = (status > 0 ? status - 1 : (ssize_t) strlen(new_path));
/* Sanity check. */
if (strlen(tracee->fs->cwd) >= PATH_MAX) {
status = 0;
break;
}
strcpy(old_path, tracee->fs->cwd);
/* Update the virtual current working directory. */
substitute_path_prefix(old_path, old_length, new_path, new_length);
tmp = talloc_strdup(tracee->fs, old_path);
if (tmp == NULL) {
status = -ENOMEM;
break;
}
TALLOC_FREE(tracee->fs->cwd);
tracee->fs->cwd = tmp;
status = 0;
break;
}
case PR_readlink:
case PR_readlinkat: {
char referee[PATH_MAX];
char referer[PATH_MAX];
size_t old_size;
size_t new_size;
size_t max_size;
word_t input;
word_t output;
/* Error reported by the kernel. */
if ((int) syscall_result < 0)
goto end;
old_size = syscall_result;
if (syscall_number == PR_readlink) {
output = peek_reg(tracee, ORIGINAL, SYSARG_2);
max_size = peek_reg(tracee, ORIGINAL, SYSARG_3);
input = peek_reg(tracee, MODIFIED, SYSARG_1);
}
else {
output = peek_reg(tracee, ORIGINAL, SYSARG_3);
max_size = peek_reg(tracee, ORIGINAL, SYSARG_4);
input = peek_reg(tracee, MODIFIED, SYSARG_2);
}
if (max_size > PATH_MAX)
max_size = PATH_MAX;
if (max_size == 0) {
status = -EINVAL;
break;
}
/* The kernel does NOT put the NULL terminating byte for
* readlink(2). */
status = read_data(tracee, referee, output, old_size);
if (status < 0)
break;
referee[old_size] = '\0';
/* Not optimal but safe (path is fully translated). */
status = read_path(tracee, referer, input);
if (status < 0)
break;
if (status >= PATH_MAX) {
status = -ENAMETOOLONG;
break;
}
status = detranslate_path(tracee, referee, referer);
if (status < 0)
break;
/* The original path doesn't require any transformation, i.e
* it is a symetric binding. */
if (status == 0)
goto end;
/* Overwrite the path. Note: the output buffer might be
* initialized with zeros but it was updated with the kernel
* result, and then with the detranslated result. This later
* might be shorter than the former, so it's safier to add a
* NULL terminating byte when possible. This problem was
* exposed by IDA Demo 6.3. */
if ((size_t) status < max_size) {
new_size = status - 1;
status = write_data(tracee, output, referee, status);
}
else {
new_size = max_size;
status = write_data(tracee, output, referee, max_size);
}
if (status < 0)
break;
/* The value of "status" is used to update the returned value
* in translate_syscall_exit(). */
status = new_size;
break;
}
#if defined(ARCH_X86_64)
case PR_uname: {
struct utsname utsname;
word_t address;
size_t size;
if (get_abi(tracee) != ABI_2)
goto end;
/* Error reported by the kernel. */
if ((int) syscall_result < 0)
goto end;
address = peek_reg(tracee, ORIGINAL, SYSARG_1);
status = read_data(tracee, &utsname, address, sizeof(utsname));
if (status < 0)
break;
/* Some 32-bit programs like package managers can be
* confused when the kernel reports "x86_64". */
size = sizeof(utsname.machine);
strncpy(utsname.machine, "i686", size);
utsname.machine[size - 1] = '\0';
status = write_data(tracee, address, &utsname, sizeof(utsname));
if (status < 0)
break;
status = 0;
break;
}
#endif
case PR_execve:
translate_execve_exit(tracee);
goto end;
case PR_ptrace:
status = translate_ptrace_exit(tracee);
break;
case PR_wait4:
case PR_waitpid:
if (tracee->as_ptracer.waits_in != WAITS_IN_PROOT)
goto end;
status = translate_wait_exit(tracee);
break;
case PR_setrlimit:
case PR_prlimit64:
/* Error reported by the kernel. */
if ((int) syscall_result < 0)
goto end;
status = translate_setrlimit_exit(tracee, syscall_number == PR_prlimit64);
if (status < 0)
break;
/* Don't overwrite the syscall result. */
goto end;
default:
goto end;
}
poke_reg(tracee, SYSARG_RESULT, (word_t) status);
end:
status = notify_extensions(tracee, SYSCALL_EXIT_END, status, 0);
if (status < 0)
poke_reg(tracee, SYSARG_RESULT, (word_t) status);
}
void
syscall_wingdi_init(void *drcontext, app_pc ntdll_base)
{
get_sysnum("NtGdiCreateDIBSection", &sysnum_GdiCreateDIBSection,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtUserGetDC", &sysnum_UserGetDC, false/*reqd*/);
get_sysnum("NtUserGetDCEx", &sysnum_UserGetDCEx, false/*reqd*/);
get_sysnum("NtUserGetWindowDC", &sysnum_UserGetWindowDC, false/*reqd*/);
get_sysnum("NtUserBeginPaint", &sysnum_UserBeginPaint, false/*reqd*/);
get_sysnum("NtUserEndPaint", &sysnum_UserEndPaint, false/*reqd*/);
get_sysnum("ReleaseDC", &sysnum_UserReleaseDC,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtGdiGetDCforBitmap", &sysnum_GdiGetDCforBitmap,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtGdiDdGetDC", &sysnum_GdiDdGetDC,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtGdiDeleteObjectApp", &sysnum_GdiDeleteObjectApp,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtGdiCreateMetafileDC", &sysnum_GdiCreateMetafileDC,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtGdiCreateCompatibleDC", &sysnum_GdiCreateCompatibleDC,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
get_sysnum("NtGdiOpenDCW", &sysnum_GdiOpenDCW,
get_windows_version() <= DR_WINDOWS_VERSION_2000);
if (options.check_gdi)
gdicheck_init();
}
/**
* Translate the input arguments of the current @tracee's syscall in the
* @tracee->pid process area. This function sets @tracee->status to
* -errno if an error occured from the tracee's point-of-view (EFAULT
* for instance), otherwise 0.
*/
int translate_syscall_enter(Tracee *tracee)
{
int flags;
int dirfd;
int olddirfd;
int newdirfd;
int status;
int status2;
char path[PATH_MAX];
char oldpath[PATH_MAX];
char newpath[PATH_MAX];
word_t syscall_number;
bool special = false;
status = notify_extensions(tracee, SYSCALL_ENTER_START, 0, 0);
if (status < 0)
goto end;
if (status > 0)
return 0;
/* Translate input arguments. */
syscall_number = get_sysnum(tracee, ORIGINAL);
switch (syscall_number) {
default:
/* Nothing to do. */
status = 0;
break;
case PR_execve:
status = translate_execve_enter(tracee);
break;
case PR_ptrace:
status = translate_ptrace_enter(tracee);
break;
case PR_wait4:
case PR_waitpid:
status = translate_wait_enter(tracee);
break;
case PR_brk:
translate_brk_enter(tracee);
status = 0;
break;
case PR_getcwd:
set_sysnum(tracee, PR_void);
status = 0;
break;
case PR_fchdir:
case PR_chdir: {
struct stat statl;
char *tmp;
/* The ending "." ensures an error will be reported if
* path does not exist or if it is not a directory. */
if (syscall_number == PR_chdir) {
status = get_sysarg_path(tracee, path, SYSARG_1);
if (status < 0)
break;
status = join_paths(2, oldpath, path, ".");
if (status < 0)
break;
dirfd = AT_FDCWD;
}
else {
strcpy(oldpath, ".");
dirfd = peek_reg(tracee, CURRENT, SYSARG_1);
}
status = translate_path(tracee, path, dirfd, oldpath, true);
if (status < 0)
break;
status = lstat(path, &statl);
if (status < 0)
break;
/* Check this directory is accessible. */
if ((statl.st_mode & S_IXUSR) == 0)
return -EACCES;
/* Sadly this method doesn't detranslate statefully,
* this means that there's an ambiguity when several
* bindings are from the same host path:
*
* $ proot -m /tmp:/a -m /tmp:/b fchdir_getcwd /a
* /b
*
* $ proot -m /tmp:/b -m /tmp:/a fchdir_getcwd /a
* /a
*
* A solution would be to follow each file descriptor
* just like it is done for cwd.
*/
status = detranslate_path(tracee, path, NULL);
if (status < 0)
break;
/* Remove the trailing "/" or "/.". */
chop_finality(path);
tmp = talloc_strdup(tracee->fs, path);
if (tmp == NULL) {
status = -ENOMEM;
break;
}
TALLOC_FREE(tracee->fs->cwd);
tracee->fs->cwd = tmp;
talloc_set_name_const(tracee->fs->cwd, "$cwd");
set_sysnum(tracee, PR_void);
status = 0;
break;
}
case PR_bind:
case PR_connect: {
word_t address;
word_t size;
address = peek_reg(tracee, CURRENT, SYSARG_2);
size = peek_reg(tracee, CURRENT, SYSARG_3);
status = translate_socketcall_enter(tracee, &address, size);
if (status <= 0)
break;
poke_reg(tracee, SYSARG_2, address);
poke_reg(tracee, SYSARG_3, sizeof(struct sockaddr_un));
status = 0;
break;
}
#define SYSARG_ADDR(n) (args_addr + ((n) - 1) * sizeof_word(tracee))
#define PEEK_WORD(addr, forced_errno) \
peek_word(tracee, addr); \
if (errno != 0) { \
status = forced_errno ?: -errno; \
break; \
}
#define POKE_WORD(addr, value) \
poke_word(tracee, addr, value); \
if (errno != 0) { \
status = -errno; \
break; \
}
case PR_accept:
case PR_accept4:
/* Nothing special to do if no sockaddr was specified. */
if (peek_reg(tracee, ORIGINAL, SYSARG_2) == 0) {
status = 0;
break;
}
special = true;
/* Fall through. */
case PR_getsockname:
case PR_getpeername:{
int size;
/* Remember: PEEK_WORD puts -errno in status and breaks if an
* error occured. */
size = (int) PEEK_WORD(peek_reg(tracee, ORIGINAL, SYSARG_3), special ? -EINVAL : 0);
/* The "size" argument is both used as an input parameter
* (max. size) and as an output parameter (actual size). The
* exit stage needs to know the max. size to not overwrite
* anything, that's why it is copied in the 6th argument
* (unused) before the kernel updates it. */
poke_reg(tracee, SYSARG_6, size);
status = 0;
break;
}
case PR_socketcall: {
word_t args_addr;
word_t sock_addr_saved;
word_t sock_addr;
word_t size_addr;
word_t size;
args_addr = peek_reg(tracee, CURRENT, SYSARG_2);
switch (peek_reg(tracee, CURRENT, SYSARG_1)) {
case SYS_BIND:
case SYS_CONNECT:
/* Handle these cases below. */
status = 1;
break;
case SYS_ACCEPT:
case SYS_ACCEPT4:
/* Nothing special to do if no sockaddr was specified. */
sock_addr = PEEK_WORD(SYSARG_ADDR(2), 0);
if (sock_addr == 0) {
status = 0;
break;
}
special = true;
/* Fall through. */
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
/* Remember: PEEK_WORD puts -errno in status and breaks
* if an error occured. */
size_addr = PEEK_WORD(SYSARG_ADDR(3), 0);
size = (int) PEEK_WORD(size_addr, special ? -EINVAL : 0);
/* See case PR_accept for explanation. */
poke_reg(tracee, SYSARG_6, size);
status = 0;
break;
default:
status = 0;
break;
}
/* An error occured or there's nothing else to do. */
if (status <= 0)
break;
/* Remember: PEEK_WORD puts -errno in status and breaks if an
* error occured. */
sock_addr = PEEK_WORD(SYSARG_ADDR(2), 0);
size = PEEK_WORD(SYSARG_ADDR(3), 0);
sock_addr_saved = sock_addr;
status = translate_socketcall_enter(tracee, &sock_addr, size);
if (status <= 0)
break;
/* These parameters are used/restored at the exit stage. */
poke_reg(tracee, SYSARG_5, sock_addr_saved);
poke_reg(tracee, SYSARG_6, size);
/* Remember: POKE_WORD puts -errno in status and breaks if an
* error occured. */
POKE_WORD(SYSARG_ADDR(2), sock_addr);
POKE_WORD(SYSARG_ADDR(3), sizeof(struct sockaddr_un));
status = 0;
break;
}
#undef SYSARG_ADDR
#undef PEEK_WORD
#undef POKE_WORD
case PR_access:
case PR_acct:
case PR_chmod:
case PR_chown:
case PR_chown32:
case PR_chroot:
case PR_getxattr:
case PR_listxattr:
case PR_mknod:
case PR_oldstat:
case PR_creat:
case PR_removexattr:
case PR_setxattr:
case PR_stat:
case PR_stat64:
case PR_statfs:
case PR_statfs64:
case PR_swapoff:
case PR_swapon:
case PR_truncate:
case PR_truncate64:
case PR_umount:
case PR_umount2:
case PR_uselib:
case PR_utime:
case PR_utimes:
status = translate_sysarg(tracee, SYSARG_1, REGULAR);
break;
case PR_open:
flags = peek_reg(tracee, CURRENT, SYSARG_2);
if ( ((flags & O_NOFOLLOW) != 0)
|| ((flags & O_EXCL) != 0 && (flags & O_CREAT) != 0))
status = translate_sysarg(tracee, SYSARG_1, SYMLINK);
else
status = translate_sysarg(tracee, SYSARG_1, REGULAR);
break;
case PR_fchownat:
case PR_fstatat64:
case PR_newfstatat:
case PR_utimensat:
case PR_name_to_handle_at:
dirfd = peek_reg(tracee, CURRENT, SYSARG_1);
status = get_sysarg_path(tracee, path, SYSARG_2);
if (status < 0)
break;
flags = ( syscall_number == PR_fchownat
|| syscall_number == PR_name_to_handle_at)
? peek_reg(tracee, CURRENT, SYSARG_5)
: peek_reg(tracee, CURRENT, SYSARG_4);
if ((flags & AT_SYMLINK_NOFOLLOW) != 0)
status = translate_path2(tracee, dirfd, path, SYSARG_2, SYMLINK);
else
status = translate_path2(tracee, dirfd, path, SYSARG_2, REGULAR);
break;
case PR_fchmodat:
case PR_faccessat:
case PR_futimesat:
case PR_mknodat:
dirfd = peek_reg(tracee, CURRENT, SYSARG_1);
status = get_sysarg_path(tracee, path, SYSARG_2);
if (status < 0)
break;
status = translate_path2(tracee, dirfd, path, SYSARG_2, REGULAR);
break;
case PR_inotify_add_watch:
flags = peek_reg(tracee, CURRENT, SYSARG_3);
if ((flags & IN_DONT_FOLLOW) != 0)
status = translate_sysarg(tracee, SYSARG_2, SYMLINK);
else
status = translate_sysarg(tracee, SYSARG_2, REGULAR);
break;
case PR_readlink:
case PR_lchown:
case PR_lchown32:
case PR_lgetxattr:
case PR_llistxattr:
case PR_lremovexattr:
case PR_lsetxattr:
case PR_lstat:
case PR_lstat64:
case PR_oldlstat:
case PR_unlink:
case PR_rmdir:
case PR_mkdir:
status = translate_sysarg(tracee, SYSARG_1, SYMLINK);
break;
case PR_pivot_root:
status = translate_sysarg(tracee, SYSARG_1, REGULAR);
if (status < 0)
break;
status = translate_sysarg(tracee, SYSARG_2, REGULAR);
break;
case PR_linkat:
olddirfd = peek_reg(tracee, CURRENT, SYSARG_1);
newdirfd = peek_reg(tracee, CURRENT, SYSARG_3);
flags = peek_reg(tracee, CURRENT, SYSARG_5);
status = get_sysarg_path(tracee, oldpath, SYSARG_2);
if (status < 0)
break;
status = get_sysarg_path(tracee, newpath, SYSARG_4);
if (status < 0)
break;
if ((flags & AT_SYMLINK_FOLLOW) != 0)
status = translate_path2(tracee, olddirfd, oldpath, SYSARG_2, REGULAR);
else
status = translate_path2(tracee, olddirfd, oldpath, SYSARG_2, SYMLINK);
if (status < 0)
break;
status = translate_path2(tracee, newdirfd, newpath, SYSARG_4, SYMLINK);
break;
case PR_mount:
status = get_sysarg_path(tracee, path, SYSARG_1);
if (status < 0)
break;
/* The following check covers only 90% of the cases. */
if (path[0] == '/' || path[0] == '.') {
status = translate_path2(tracee, AT_FDCWD, path, SYSARG_1, REGULAR);
if (status < 0)
break;
}
status = translate_sysarg(tracee, SYSARG_2, REGULAR);
break;
case PR_openat:
dirfd = peek_reg(tracee, CURRENT, SYSARG_1);
flags = peek_reg(tracee, CURRENT, SYSARG_3);
status = get_sysarg_path(tracee, path, SYSARG_2);
if (status < 0)
break;
if ( ((flags & O_NOFOLLOW) != 0)
|| ((flags & O_EXCL) != 0 && (flags & O_CREAT) != 0))
status = translate_path2(tracee, dirfd, path, SYSARG_2, SYMLINK);
else
status = translate_path2(tracee, dirfd, path, SYSARG_2, REGULAR);
break;
case PR_readlinkat:
case PR_unlinkat:
case PR_mkdirat:
dirfd = peek_reg(tracee, CURRENT, SYSARG_1);
status = get_sysarg_path(tracee, path, SYSARG_2);
if (status < 0)
break;
status = translate_path2(tracee, dirfd, path, SYSARG_2, SYMLINK);
break;
case PR_link:
case PR_rename:
status = translate_sysarg(tracee, SYSARG_1, SYMLINK);
if (status < 0)
break;
status = translate_sysarg(tracee, SYSARG_2, SYMLINK);
break;
case PR_renameat:
olddirfd = peek_reg(tracee, CURRENT, SYSARG_1);
newdirfd = peek_reg(tracee, CURRENT, SYSARG_3);
status = get_sysarg_path(tracee, oldpath, SYSARG_2);
if (status < 0)
break;
status = get_sysarg_path(tracee, newpath, SYSARG_4);
if (status < 0)
break;
status = translate_path2(tracee, olddirfd, oldpath, SYSARG_2, SYMLINK);
if (status < 0)
break;
status = translate_path2(tracee, newdirfd, newpath, SYSARG_4, SYMLINK);
break;
case PR_symlink:
status = translate_sysarg(tracee, SYSARG_2, SYMLINK);
break;
case PR_symlinkat:
newdirfd = peek_reg(tracee, CURRENT, SYSARG_2);
status = get_sysarg_path(tracee, newpath, SYSARG_3);
if (status < 0)
break;
status = translate_path2(tracee, newdirfd, newpath, SYSARG_3, SYMLINK);
break;
}
end:
status2 = notify_extensions(tracee, SYSCALL_ENTER_END, status, 0);
if (status2 < 0)
status = status2;
return status;
}
/**
* Make new @parent's child inherit from it. Depending on
* @clone_flags, some information are copied or shared. This function
* returns -errno if an error occured, otherwise 0.
*/
int new_child(Tracee *parent, word_t clone_flags)
{
unsigned long pid;
Tracee *child;
int status;
/* If the tracee calls clone(2) with the CLONE_VFORK flag,
* PTRACE_EVENT_VFORK will be delivered instead [...];
* otherwise if the tracee calls clone(2) with the exit signal
* set to SIGCHLD, PTRACE_EVENT_FORK will be delivered [...]
*
* -- ptrace(2) man-page
*
* That means we have to check if it's actually a clone(2) in
* order to get the right flags.
*/
status = fetch_regs(parent);
if (status >= 0 && get_sysnum(parent, CURRENT) == PR_clone)
clone_flags = peek_reg(parent, CURRENT, SYSARG_1);
/* Get the pid of the parent's new child. */
status = ptrace(PTRACE_GETEVENTMSG, parent->pid, NULL, &pid);
if (status < 0) {
notice(parent, WARNING, SYSTEM, "ptrace(GETEVENTMSG)");
return status;
}
child = get_tracee(parent, (pid_t) pid, true);
if (child == NULL) {
notice(parent, WARNING, SYSTEM, "running out of memory");
return -ENOMEM;
}
/* Sanity checks. */
assert(child != NULL
&& child->exe == NULL
&& child->cmdline == NULL
&& child->fs->cwd == NULL
&& child->fs->bindings.pending == NULL
&& child->fs->bindings.guest == NULL
&& child->fs->bindings.host == NULL
&& child->qemu == NULL
&& child->glue == NULL);
child->verbose = parent->verbose;
child->seccomp = parent->seccomp;
child->sysexit_pending = parent->sysexit_pending;
/* If CLONE_VM is set, the calling process and the child
* process run in the same memory space [...] any memory
* mapping or unmapping performed with mmap(2) or munmap(2) by
* the child or calling process also affects the other
* process.
*
* If CLONE_VM is not set, the child process runs in a
* separate copy of the memory space of the calling process at
* the time of clone(). Memory writes or file
* mappings/unmappings performed by one of the processes do
* not affect the other, as with fork(2).
*
* -- clone(2) man-page
*/
TALLOC_FREE(child->heap);
child->heap = ((clone_flags & CLONE_VM) != 0)
? talloc_reference(child, parent->heap)
: talloc_memdup(child, parent->heap, sizeof(Heap));
if (child->heap == NULL)
return -ENOMEM;
/* If CLONE_FS is set, the parent and the child process share
* the same file system information. This includes the root
* of the file system, the current working directory, and the
* umask. Any call to chroot(2), chdir(2), or umask(2)
* performed by the parent process or the child process also
* affects the other process.
*
* If CLONE_FS is not set, the child process works on a copy
* of the file system information of the parent process at the
* time of the clone() call. Calls to chroot(2), chdir(2),
* umask(2) performed later by one of the processes do not
* affect the other process.
*
* -- clone(2) man-page
*/
TALLOC_FREE(child->fs);
if ((clone_flags & CLONE_FS) != 0) {
/* File-system name-space is shared. */
child->fs = talloc_reference(child, parent->fs);
}
else {
/* File-system name-space is copied. */
child->fs = talloc_zero(child, FileSystemNameSpace);
if (child->fs == NULL)
return -ENOMEM;
child->fs->cwd = talloc_strdup(child->fs, parent->fs->cwd);
if (child->fs->cwd == NULL)
return -ENOMEM;
talloc_set_name_const(child->fs->cwd, "$cwd");
/* Bindings are shared across file-system name-spaces since a
* "mount --bind" made by a process affects all other processes
* under Linux. Actually they are copied when a sub
* reconfiguration occured (nested proot or chroot(2)). */
child->fs->bindings.guest = talloc_reference(child->fs, parent->fs->bindings.guest);
child->fs->bindings.host = talloc_reference(child->fs, parent->fs->bindings.host);
}
/* The path to the executable and the command-line are unshared only
* once the child process does a call to execve(2). */
child->exe = talloc_reference(child, parent->exe);
child->cmdline = talloc_reference(child, parent->cmdline);
child->qemu_pie_workaround = parent->qemu_pie_workaround;
child->qemu = talloc_reference(child, parent->qemu);
child->glue = talloc_reference(child, parent->glue);
child->host_ldso_paths = talloc_reference(child, parent->host_ldso_paths);
child->guest_ldso_paths = talloc_reference(child, parent->guest_ldso_paths);
inherit_extensions(child, parent, false);
/* Restart the child tracee if it was already alive but
* stopped until that moment. */
if (child->sigstop == SIGSTOP_PENDING) {
int status;
child->sigstop = SIGSTOP_ALLOWED;
status = ptrace(PTRACE_SYSCALL, child->pid, NULL, 0);
if (status < 0)
TALLOC_FREE(child);
}
return 0;
}
/**
* Force current @tracee's syscall to behave as if executed by "root".
* This function returns -errno if an error occured, otherwise 0.
*/
static int handle_sysexit_end(Tracee *tracee)
{
word_t sysnum;
sysnum = get_sysnum(tracee, ORIGINAL);
switch (sysnum) {
case PR_chroot: {
char path[PATH_MAX];
word_t result;
word_t input;
int status;
/* Override only permission errors. */
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
if ((int) result != -EPERM)
return 0;
input = peek_reg(tracee, MODIFIED, SYSARG_1);
status = read_path(tracee, path, input);
if (status < 0)
return status;
/* Only "new rootfs == current rootfs" is supported yet. */
status = compare_paths(get_root(tracee), path);
if (status != PATHS_ARE_EQUAL)
return 0;
/* Force success. */
poke_reg(tracee, SYSARG_RESULT, 0);
return 0;
}
case PR_setresuid:
case PR_setresgid:
case PR_setresuid32:
case PR_setresgid32:
case PR_mknod:
case PR_capset:
case PR_setxattr:
case PR_chmod:
case PR_chown:
case PR_fchmod:
case PR_fchown:
case PR_lchown:
case PR_chown32:
case PR_fchown32:
case PR_lchown32:
case PR_fchmodat:
case PR_fchownat: {
word_t result;
/* Override only permission errors. */
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
if ((int) result != -EPERM)
return 0;
/* Force success. */
poke_reg(tracee, SYSARG_RESULT, 0);
return 0;
}
case PR_getresuid:
case PR_getresuid32:
case PR_getresgid:
case PR_getresgid32:
poke_mem(tracee, peek_reg(tracee, ORIGINAL, SYSARG_1), 0);
if (errno != 0)
return -EFAULT;
poke_mem(tracee, peek_reg(tracee, ORIGINAL, SYSARG_2), 0);
if (errno != 0)
return -EFAULT;
poke_mem(tracee, peek_reg(tracee, ORIGINAL, SYSARG_3), 0);
if (errno != 0)
return -EFAULT;
/* Force success. */
poke_reg(tracee, SYSARG_RESULT, 0);
return 0;
case PR_fstatat64:
case PR_newfstatat:
case PR_stat64:
case PR_lstat64:
case PR_fstat64:
case PR_stat:
case PR_lstat:
case PR_fstat: {
word_t result;
word_t address;
word_t uid, gid;
Reg sysarg;
/* Override only if it succeed. */
result = peek_reg(tracee, CURRENT, SYSARG_RESULT);
if (result != 0)
return 0;
/* Get the address of the 'stat' structure. */
if (sysnum == PR_fstatat64 || sysnum == PR_newfstatat)
sysarg = SYSARG_3;
else
sysarg = SYSARG_2;
address = peek_reg(tracee, ORIGINAL, sysarg);
/* Get the uid & gid values from the 'stat' structure. */
uid = peek_mem(tracee, address + offsetof_stat_uid(tracee));
if (errno != 0)
uid = 0; /* Not fatal. */
gid = peek_mem(tracee, address + offsetof_stat_gid(tracee));
if (errno != 0)
gid = 0; /* Not fatal. */
/* These values are 32-bit width, even on 64-bit architecture. */
uid &= 0xFFFFFFFF;
gid &= 0xFFFFFFFF;
/* Override only if the file is owned by the current user.
* Errors are not fatal here. */
if (uid == getuid())
poke_mem(tracee, address + offsetof_stat_uid(tracee), 0);
if (gid == getgid())
poke_mem(tracee, address + offsetof_stat_gid(tracee), 0);
return 0;
}
case PR_getuid:
case PR_getgid:
case PR_getegid:
case PR_geteuid:
case PR_getuid32:
case PR_getgid32:
case PR_geteuid32:
case PR_getegid32:
case PR_setuid:
case PR_setgid:
case PR_setfsuid:
case PR_setfsgid:
case PR_setuid32:
case PR_setgid32:
case PR_setfsuid32:
case PR_setfsgid32:
/* Force success. */
poke_reg(tracee, SYSARG_RESULT, 0);
return 0;
default:
return 0;
}
}
/**
* Force permissions of @path to "rwx" during the path translation of
* current @tracee's syscall, in order to simulate CAP_DAC_OVERRIDE.
* The original permissions are restored through talloc destructors.
* See canonicalize() for the meaning of @is_final.
*/
static void handle_host_path(const Tracee *tracee, const char *path, bool is_final)
{
ModifiedNode *node;
struct stat perms;
mode_t new_mode;
int status;
/* Get the meta-data */
status = stat(path, &perms);
if (status < 0)
return;
/* Copy the current permissions */
new_mode = perms.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO);
/* Add read and write permissions to everything. */
new_mode |= (S_IRUSR | S_IWUSR);
/* Always add 'x' bit to directories */
if (S_ISDIR(perms.st_mode))
new_mode |= S_IXUSR;
/* Patch the permissions only if needed. */
if (new_mode == (perms.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)))
return;
node = talloc_zero(tracee->ctx, ModifiedNode);
if (node == NULL)
return;
if (!is_final) {
/* Restore the previous mode of any non final components. */
node->mode = perms.st_mode;
}
else {
switch (get_sysnum(tracee, ORIGINAL)) {
/* For chmod syscalls: restore the new mode of the final component. */
case PR_chmod:
node->mode = peek_reg(tracee, ORIGINAL, SYSARG_2);
break;
case PR_fchmodat:
node->mode = peek_reg(tracee, ORIGINAL, SYSARG_3);
break;
/* For stat syscalls: don't touch the mode of the final component. */
case PR_fstatat64:
case PR_lstat:
case PR_lstat64:
case PR_newfstatat:
case PR_oldlstat:
case PR_oldstat:
case PR_stat:
case PR_stat64:
case PR_statfs:
case PR_statfs64:
return;
/* Otherwise: restore the previous mode of the final component. */
default:
node->mode = perms.st_mode;
break;
}
}
node->path = talloc_strdup(node, path);
if (node->path == NULL) {
/* Keep only consistent nodes. */
TALLOC_FREE(node);
return;
}
/* The mode restoration works because Talloc destructors are
* called in reverse order. */
talloc_set_destructor(node, restore_mode);
(void) chmod(path, new_mode);
return;
}
/**
* Replace current @tracee's syscall with an older and compatible one
* whenever it's required, i.e. when the syscall is supported by the
* kernel as specified by @config->release but it isn't supported by
* the actual kernel.
*/
static void handle_sysenter_end(Tracee *tracee, Config *config)
{
bool modified;
/* Note: syscalls like "openat" can be replaced by "open" since PRoot
* has canonicalized "fd + path" into "path". */
switch (get_sysnum(tracee, ORIGINAL)) {
case PR_accept4: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,28),
.new_sysarg_num = PR_accept,
.shifts = {{0}}
};
modify_syscall(tracee, config, &modif);
return;
}
case PR_dup3: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_dup2,
.shifts = {{0}}
};
modify_syscall(tracee, config, &modif);
return;
}
case PR_epoll_create1: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_epoll_create,
.shifts = {{0}}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_1, 0); /* Force "size" to 0. */
return;
}
case PR_epoll_pwait: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,19),
.new_sysarg_num = PR_epoll_wait,
.shifts = {{0}}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_5, 0); /* Force "sigmask" to 0. */
return;
}
case PR_eventfd2: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_eventfd,
.shifts = {{0}}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_2, 0); /* Force "flags" to 0. */
return;
}
case PR_faccessat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_access,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_4, 0); /* Force "flags" to 0. */
return;
}
case PR_fchmodat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_chmod,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_4, 0); /* Force "flags" to 0. */
return;
}
case PR_fchownat: {
word_t flags;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 3,
.offset = -1 }
}
};
flags = peek_reg(tracee, CURRENT, SYSARG_5);
modif.new_sysarg_num = ((flags & AT_SYMLINK_NOFOLLOW) != 0
? PR_lchown
: PR_chown);
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_5, 0); /* Force "flags" to 0. */
return;
}
case PR_newfstatat:
case PR_fstatat64: {
word_t flags;
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
flags = peek_reg(tracee, CURRENT, SYSARG_4);
#if defined(ARCH_X86_64)
if ((flags & AT_SYMLINK_NOFOLLOW) != 0)
modif.new_sysarg_num = (get_abi(tracee) != ABI_2 ? PR_lstat : PR_lstat64);
else
modif.new_sysarg_num = (get_abi(tracee) != ABI_2 ? PR_stat : PR_stat64);
#else
if ((flags & AT_SYMLINK_NOFOLLOW) != 0)
modif.new_sysarg_num = PR_lstat64;
else
modif.new_sysarg_num = PR_stat64;
#endif
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_4, 0); /* Force "flags" to 0. */
return;
}
case PR_futimesat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_utimes,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modify_syscall(tracee, config, &modif);
return;
}
case PR_inotify_init1: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,27),
.new_sysarg_num = PR_inotify_init,
.shifts = {{0}}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_1, 0); /* Force "flags" to 0. */
return;
}
case PR_linkat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_link,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 1,
.offset = -1 },
[1] = {
.sysarg = SYSARG_4,
.nb_args = 1,
.offset = -2 }
}
};
modified = modify_syscall(tracee, config, &modif);
if (modified)
poke_reg(tracee, SYSARG_5, 0); /* Force "flags" to 0. */
return;
}
case PR_mkdirat: {
Modif modif = {
.expected_release = KERNEL_VERSION(2,6,16),
.new_sysarg_num = PR_mkdir,
.shifts = { [0] = {
.sysarg = SYSARG_2,
.nb_args = 2,
.offset = -1 }
}
};
modify_syscall(tracee, config, &modif);
return;
}