Class: SeccompTools::BPF

Inherits:

Object

• Object
• SeccompTools::BPF

Defined in:

lib/seccomp-tools/bpf.rb

Overview

Define the struct sock_filter, while more powerful.

Instance Attribute Summary

• #arch ⇒ Symbol readonly

  Architecture.

• #code ⇒ Integer readonly

  BPF code.

• #contexts ⇒ Set<Context>

  Possible contexts before this instruction.

• #jf ⇒ Integer readonly

  BPF JF.

• #jt ⇒ Integer readonly

  BPF JT.

• #k ⇒ Integer readonly

  BPF K.

• #line ⇒ Integer readonly

  Line number.

Instance Method Summary

• #asm ⇒ String

  Convert to raw bytes.

• #branch(context) {|pc, ctx| ... } ⇒ void
• #command ⇒ Symbol

  Command according to code.

• #decompile ⇒ String

  Decompile.

• #disasm(**options) ⇒ String

  Pretty display the disassemble result.

• #initialize(raw, arch, line) ⇒ BPF constructor

  Instantiate a BPF object.

• #inst ⇒ SeccompTools::Instruction::Base

  Corresponding instruction object.

• #show_arg_infer? ⇒ Boolean

  Whether needs to infer the syscall argument names.

• #show_code? ⇒ Boolean

  Whether needs to dump code, jt, jf, k.

Constructor Details

#initialize(raw, arch, line) ⇒ BPF

Instantiate a SeccompTools::BPF object.

Parameters:

• raw (String) —

  One struct sock_filter in bytes, should be 8 bytes long.

• arch (Symbol) —

  Architecture, for showing constant names in decompile.

• line (Integer) —

  Line number of this filter.

# File 'lib/seccomp-tools/bpf.rb', line 34

def initialize(raw, arch, line)
  if raw.is_a?(String)
    io = ::StringIO.new(raw)
    endian = Const::Endian::ENDIAN[arch]
    @code = io.read(2).unpack1("S#{endian}")
    @jt = io.read(1).ord
    @jf = io.read(1).ord
    @k = io.read(4).unpack1("L#{endian}")
  else
    @code = raw[:code]
    @jt = raw[:jt]
    @jf = raw[:jf]
    @k = raw[:k]
  end
  @arch = arch
  @line = line
  @contexts = Set.new
  @disasm_setting = {
    code: true,
    arg_infer: true
  }
end

Instance Attribute Details

#arch ⇒ Symbol (readonly)

Returns Architecture.

Returns:

• (Symbol) —

  Architecture.

# File 'lib/seccomp-tools/bpf.rb', line 23

def arch
  @arch
end

#code ⇒ Integer (readonly)

Returns BPF code.

Returns:

• (Integer) —

  BPF code.

# File 'lib/seccomp-tools/bpf.rb', line 15

def code
  @code
end

#contexts ⇒ Set<Context>

Returns Possible contexts before this instruction.

Returns:

• (Set<Context>) —

  Possible contexts before this instruction.

# File 'lib/seccomp-tools/bpf.rb', line 25

def contexts
  @contexts
end

#jf ⇒ Integer (readonly)

Returns BPF JF.

Returns:

• (Integer) —

  BPF JF.

# File 'lib/seccomp-tools/bpf.rb', line 19

def jf
  @jf
end

#jt ⇒ Integer (readonly)

Returns BPF JT.

Returns:

• (Integer) —

  BPF JT.

# File 'lib/seccomp-tools/bpf.rb', line 17

def jt
  @jt
end

#k ⇒ Integer (readonly)

Returns BPF K.

Returns:

• (Integer) —

  BPF K.

# File 'lib/seccomp-tools/bpf.rb', line 21

def k
  @k
end

#line ⇒ Integer (readonly)

Returns Line number.

Returns:

• (Integer) —

  Line number.

# File 'lib/seccomp-tools/bpf.rb', line 13

def line
  @line
end

Instance Method Details

#asm ⇒ String

Convert to raw bytes.

Returns:

• (String) —

  Raw bpf bytes.

# File 'lib/seccomp-tools/bpf.rb', line 85

def asm
  endian = Const::Endian::ENDIAN[arch]
  [code, jt, jf, k].pack("S#{endian}CCL#{endian}")
end

#branch(context) {|pc, ctx| ... } ⇒ void

This method returns an undefined value.

Parameters:

• context (Context) —

  Current context.

Yield Parameters:

• pc (Integer) —

  Program counter after this instruction.

• ctx (Context) —

  Context after this instruction.

# File 'lib/seccomp-tools/bpf.rb', line 111

def branch(context, &block)
  inst.branch(context).each(&block)
end

#command ⇒ Symbol

Command according to code.

Returns:

• (Symbol) —

  See Const::BPF::COMMAND for list of commands.

# File 'lib/seccomp-tools/bpf.rb', line 93

def command
  Const::BPF::COMMAND.invert[code & 7]
end

#decompile ⇒ String

Decompile.

Returns:

• (String) —

  Decompile string.

# File 'lib/seccomp-tools/bpf.rb', line 100

def decompile
  inst.decompile
end

#disasm(**options) ⇒ String

Pretty display the disassemble result.

Parameters:

• options ({Symbol => Boolean}) —

  Set display settings.

Returns:

• (String)

# File 'lib/seccomp-tools/bpf.rb', line 61

def disasm(**options)
  @disasm_setting.merge!(options)
  if show_code?
    format(' %04d: 0x%02x 0x%02x 0x%02x 0x%08x  %s',
           line, code, jt, jf, k, decompile)
  else
    format('%04d: %s',
           line, decompile)
  end
end

#inst ⇒ SeccompTools::Instruction::Base

Corresponding instruction object.

Returns:

• (SeccompTools::Instruction::Base)

# File 'lib/seccomp-tools/bpf.rb', line 117

def inst
  @inst ||= case command
            when :alu  then SeccompTools::Instruction::ALU
            when :jmp  then SeccompTools::Instruction::JMP
            when :ld   then SeccompTools::Instruction::LD
            when :ldx  then SeccompTools::Instruction::LDX
            when :misc then SeccompTools::Instruction::MISC
            when :ret  then SeccompTools::Instruction::RET
            when :st   then SeccompTools::Instruction::ST
            when :stx  then SeccompTools::Instruction::STX
            end.new(self)
end

#show_arg_infer? ⇒ Boolean

Whether needs to infer the syscall argument names.

Returns:

• (Boolean)

# File 'lib/seccomp-tools/bpf.rb', line 78

def show_arg_infer?
  @disasm_setting[:arg_infer]
end

#show_code? ⇒ Boolean

Whether needs to dump code, jt, jf, k.

Returns:

• (Boolean)

# File 'lib/seccomp-tools/bpf.rb', line 73

def show_code?
  @disasm_setting[:code]
end