Merge branch 'sniffglue'
Peter Michael Green
3 years ago
| 0 | rust-sniffglue (0.11.1-6) UNRELEASED-FIXME-AUTOGENERATED-DEBCARGO; urgency=medium | |
| 1 | ||
| 2 | * Team upload. | |
| 3 | * Package sniffglue 0.11.1 from crates.io using debcargo 2.4.0 | |
| 4 | * Drop dev-dependency on boxxy and remove examples/boxxy.rs | |
| 5 | to allow the rest of the tests to run. | |
| 6 | * Fix a couple of compile errors in benches/bench.rs | |
| 7 | ||
| 8 | [ kpcyrd ] | |
| 9 | * Add missing syscalls to seccomp filter (Closes: #985858) | |
| 10 | ||
| 11 | -- Peter Michael Green <plugwash@debian.org> Thu, 25 Mar 2021 19:15:48 +0000 | |
| 12 | ||
| 0 | 13 | rust-sniffglue (0.11.1-5) unstable; urgency=medium |
| 1 | 14 | |
| 2 | 15 | * Team upload. |
| 8 | 8 | |
| 9 | 9 | Files: debian/* |
| 10 | 10 | Copyright: |
| 11 | 2018-2020 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
| 12 | 2018-2020 kpcyrd <git@rxv.cc> | |
| 11 | 2018-2021 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
| 12 | 2018-2021 kpcyrd <git@rxv.cc> | |
| 13 | 13 | License: GPL-3.0 |
| 14 | 14 | |
| 15 | 15 | License: GPL-3.0 |
| 20 | 20 | |
| 21 | 21 | Files: debian/* |
| 22 | 22 | Copyright: |
| 23 | 2018-2020 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
| 24 | 2018-2020 kpcyrd <git@rxv.cc> | |
| 23 | 2018-2021 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net> | |
| 24 | 2018-2021 kpcyrd <git@rxv.cc> | |
| 25 | 25 | License: GPL-3.0 |
| 26 | 26 | |
| 27 | 27 | License: GPL-3.0 |
| 0 | Index: sniffglue/benches/bench.rs | |
| 1 | =================================================================== | |
| 2 | --- sniffglue.orig/benches/bench.rs | |
| 3 | +++ sniffglue/benches/bench.rs | |
| 4 | @@ -43,7 +43,8 @@ mod tests { | |
| 5 | use structs::tcp::TCP::Text; | |
| 6 | ||
| 7 | use pktparse::ethernet::{MacAddress, EtherType, EthernetFrame}; | |
| 8 | - use pktparse::ipv4::{IPv4Header, IPv4Protocol}; | |
| 9 | + use pktparse::ipv4::IPv4Header; | |
| 10 | + use pktparse::ip::IPProtocol; | |
| 11 | use pktparse::tcp::TcpHeader; | |
| 12 | ||
| 13 | let mut pkt = Vec::new(); | |
| 14 | @@ -72,7 +73,7 @@ mod tests { | |
| 15 | flags: 2, | |
| 16 | fragment_offset: 0, | |
| 17 | ttl: 55, | |
| 18 | - protocol: IPv4Protocol::TCP, | |
| 19 | + protocol: IPProtocol::TCP, | |
| 20 | chksum: 64371, | |
| 21 | source_addr: "93.184.216.34".parse().unwrap(), | |
| 22 | dest_addr: "192.168.44.55".parse().unwrap(), | |
| 23 | @@ -98,14 +99,14 @@ mod tests { | |
| 24 | Text(String::from_utf8(HTML.to_vec()).unwrap()) | |
| 25 | )))); | |
| 26 | ||
| 27 | - let x = centrifuge::parse(&pkt); | |
| 28 | + let x = centrifuge::parse_eth(&pkt); | |
| 29 | assert_eq!(expected, x); | |
| 30 | } | |
| 31 | ||
| 32 | #[bench] | |
| 33 | fn bench_empty(b: &mut Bencher) { | |
| 34 | b.iter(|| { | |
| 35 | - centrifuge::parse(&[]).ok(); | |
| 36 | + centrifuge::parse_eth(&[]).ok(); | |
| 37 | }); | |
| 38 | } | |
| 39 | ||
| 40 | @@ -123,7 +124,7 @@ mod tests { | |
| 41 | pkt.extend(HTML.iter()); | |
| 42 | ||
| 43 | b.iter(|| { | |
| 44 | - centrifuge::parse(&pkt).ok(); | |
| 45 | + centrifuge::parse_eth(&pkt).ok(); | |
| 46 | }); | |
| 47 | } | |
| 48 | } |
| 0 | Index: sniffglue/Cargo.toml | |
| 1 | =================================================================== | |
| 2 | --- sniffglue.orig/Cargo.toml | |
| 3 | +++ sniffglue/Cargo.toml | |
| 4 | @@ -102,8 +102,6 @@ version = "0.5" | |
| 5 | ||
| 6 | [dependencies.users] | |
| 7 | version = "0.10" | |
| 8 | -[dev-dependencies.boxxy] | |
| 9 | -version = "0.11" | |
| 10 | [target."cfg(target_os=\"linux\")".dependencies.syscallz] | |
| 11 | version = "0.15.0" | |
| 12 | [badges.travis-ci] | |
| 13 | Index: sniffglue/examples/boxxy.rs | |
| 14 | =================================================================== | |
| 15 | --- sniffglue.orig/examples/boxxy.rs | |
| 16 | +++ /dev/null | |
| 17 | @@ -1,30 +0,0 @@ | |
| 18 | -#[macro_use] extern crate boxxy; | |
| 19 | -extern crate sniffglue; | |
| 20 | -extern crate env_logger; | |
| 21 | - | |
| 22 | -fn stage1(sh: &mut boxxy::Shell, _args: Vec<String>) -> Result<(), boxxy::Error> { | |
| 23 | - shprintln!(sh, "[*] starting stage1"); | |
| 24 | - sniffglue::sandbox::activate_stage1().unwrap(); | |
| 25 | - shprintln!(sh, "[+] activated!"); | |
| 26 | - Ok(()) | |
| 27 | -} | |
| 28 | - | |
| 29 | -fn stage2(sh: &mut boxxy::Shell, _args: Vec<String>) -> Result<(), boxxy::Error> { | |
| 30 | - shprintln!(sh, "[*] starting stage2"); | |
| 31 | - sniffglue::sandbox::activate_stage2().unwrap(); | |
| 32 | - shprintln!(sh, "[+] activated!"); | |
| 33 | - Ok(()) | |
| 34 | -} | |
| 35 | - | |
| 36 | -fn main() { | |
| 37 | - env_logger::init(); | |
| 38 | - | |
| 39 | - println!("stage1 activate sandbox stage1/2"); | |
| 40 | - println!("stage2 activate sandbox stage2/2"); | |
| 41 | - | |
| 42 | - let toolbox = boxxy::Toolbox::new().with(vec![ | |
| 43 | - ("stage1", stage1), | |
| 44 | - ("stage2", stage2), | |
| 45 | - ]); | |
| 46 | - boxxy::Shell::new(toolbox).run() | |
| 47 | -} |
| 0 | diff --git a/src/sandbox/seccomp.rs b/src/sandbox/seccomp.rs | |
| 1 | index bfa2e49..0cb5837 100644 | |
| 2 | --- a/src/sandbox/seccomp.rs | |
| 3 | +++ b/src/sandbox/seccomp.rs | |
| 4 | @@ -43,6 +44,8 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> { | |
| 5 | #[cfg(target_arch = "arm")] | |
| 6 | ctx.allow_syscall(Syscall::send)?; | |
| 7 | ctx.allow_syscall(Syscall::sendto)?; | |
| 8 | + #[cfg(target_arch = "arm")] | |
| 9 | + ctx.allow_syscall(Syscall::recv)?; | |
| 10 | ctx.allow_syscall(Syscall::recvfrom)?; | |
| 11 | ctx.allow_syscall(Syscall::sendmsg)?; | |
| 12 | ctx.allow_syscall(Syscall::recvmsg)?; | |
| 13 | @@ -99,7 +102,7 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> { | |
| 14 | ctx.allow_syscall(Syscall::exit_group)?; | |
| 15 | ctx.allow_syscall(Syscall::set_robust_list)?; | |
| 16 | ctx.allow_syscall(Syscall::openat)?; | |
| 17 | - #[cfg(target_arch = "aarch64")] | |
| 18 | + #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] | |
| 19 | ctx.allow_syscall(Syscall::newfstatat)?; | |
| 20 | ctx.allow_syscall(Syscall::seccomp)?; // needed for stage2 | |
| 21 | ctx.allow_syscall(Syscall::getrandom)?; | |
| 22 | @@ -117,6 +120,7 @@ pub fn activate_stage1() -> Result<(), syscallz::Error> { | |
| 23 | #[cfg(not(target_arch = "aarch64"))] | |
| 24 | ctx.allow_syscall(Syscall::access)?; // needed for debian /etc/ld.so.nohwcap | |
| 25 | ctx.allow_syscall(Syscall::faccessat)?; // needed for debian /etc/ld.so.nohwcap | |
| 26 | + ctx.allow_syscall(Syscall::eventfd2)?; | |
| 27 | ||
| 28 | ctx.load()?; | |
| 29 | ||
| 30 | @@ -153,13 +157,15 @@ pub fn activate_stage2() -> Result<(), syscallz::Error> { | |
| 31 | // ctx.allow_syscall(Syscall::socket)?; | |
| 32 | // ctx.allow_syscall(Syscall::connect)?; | |
| 33 | // ctx.allow_syscall(Syscall::sendto)?; | |
| 34 | + #[cfg(target_arch = "arm")] | |
| 35 | + ctx.allow_syscall(Syscall::recv)?; | |
| 36 | // ctx.allow_syscall(Syscall::recvfrom)?; | |
| 37 | // ctx.allow_syscall(Syscall::sendmsg)?; | |
| 38 | // ctx.allow_syscall(Syscall::recvmsg)?; | |
| 39 | // ctx.allow_syscall(Syscall::bind)?; | |
| 40 | - // ctx.allow_syscall(Syscall::getsockname)?; | |
| 41 | + ctx.allow_syscall(Syscall::getsockname)?; | |
| 42 | ctx.allow_syscall(Syscall::setsockopt)?; | |
| 43 | - // ctx.allow_syscall(Syscall::getsockopt)?; | |
| 44 | + ctx.allow_syscall(Syscall::getsockopt)?; | |
| 45 | ctx.allow_syscall(Syscall::clone)?; | |
| 46 | // ctx.allow_syscall(Syscall::uname)?; | |
| 47 | // ctx.allow_syscall(Syscall::fcntl)?; |