├── .gitignore
├── AUTHORS
├── LICENSE
├── README.md
├── setns-common
    ├── Cargo.lock
    ├── Cargo.toml
    └── src
    │   └── lib.rs
└── setns-so
    ├── .cargo
        ├── .gitignore
        └── config.bak
    ├── .gitignore
    ├── Cargo.lock
    ├── Cargo.toml
    ├── build.rs
    ├── build.sh
    ├── frida
        ├── .gitignore
        └── x86_64-unknown-linux-gnu
        │   └── .gitignore
    ├── patch.py
    └── src
        ├── lib.rs
        └── main.rs


/.gitignore:
--------------------------------------------------------------------------------
1 | .idea/
2 | 


--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
 1 | Creators:
 2 | ---------
 3 | - Jeff Dileo
 4 | 
 5 | 
 6 | Maintainers:
 7 | ------------
 8 | - Jeff Dileo
 9 | 
10 | 
11 | Contributors:
12 | -------------
13 | 
14 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) NCC Group, 2021
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without
 5 | modification, are permitted provided that the following conditions are met:
 6 | 
 7 | 1. Redistributions of source code must retain the above copyright notice, this
 8 |    list of conditions and the following disclaimer.
 9 | 2. Redistributions in binary form must reproduce the above copyright notice,
10 |    this list of conditions and the following disclaimer in the documentation
11 |    and/or other materials provided with the distribution.
12 | 
13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
14 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
16 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
17 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
18 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
19 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
20 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
22 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Insject
  2 | 
  3 | `insject` is a tool for poking at containers. It enables you to run an
  4 | arbitrary command in a container or any mix of Linux namespaces. It supports
  5 | three main use-cases:
  6 | 
  7 | * LD_PRELOAD-mode using `libsetns.so` (`LD_PRELOAD=./libsetns.so SETNS_ARGS="..."`)
  8 | * Running a host command in a container (`insject ... -- <cmd>...`)
  9 | * Forcing a running process into a container (`insject ... -! <pid>`)
 10 | 
 11 | When using the first two modes, the `-s <symbol>` option is used to place a
 12 | function hook that triggers the containerization of the process. This can help
 13 | with simple commands that need to load resources from the host filesystem by
 14 | having them containerize on calling a specific function after initializing.
 15 | 
 16 | For processes with more complicated initialization routines, such as scripting
 17 | languages, the third use-case may be preferable, enabling one to ensure full
 18 | initialization before entering a container.
 19 | 
 20 | ***Note:*** insject and libsetns.so share the same limitations as `setns(2)` in
 21 | that they may fail when a process contains multiple threads.
 22 | 
 23 | ***WARNING:*** Be careful when accessing or executing files in containers as
 24 | they may be able to abuse the access of the joined process to escape.
 25 | 
 26 | ## Installation
 27 | 
 28 | ```
 29 | $ wget https://github.com/frida/frida/releases/download/14.2.17/frida-gum-devkit-14.2.17-linux-x86_64.tar.xz
 30 | $ tar -xvJf frida-gum-devkit-14.2.17-linux-x86_64.tar.xz
 31 | $ mv frida-gum.h setns-so/frida/
 32 | $ mv libfrida-gum.a setns-so/frida/x86_64-unknown-linux-gnu/
 33 | $ pip3 install --user lief
 34 | $ cd setns-so
 35 | $ cargo build --lib --release
 36 | $ cargo build --bin insject --release
 37 | $ python3 patch.py target/release/insject
 38 | ```
 39 | 
 40 | ## Examples
 41 | 
 42 | ```
 43 | ## Terminal 1
 44 | $ docker run --rm -it -v $(PWD):/FOO:ro alpine /bin/sh
 45 | / # ls /
 46 | bin    dev    etc    FOO   home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
 47 | ```
 48 | 
 49 | ```
 50 | ## Terminal 2
 51 | $ sudo bash
 52 | # echo $$
 53 | 164001
 54 | #
 55 | ```
 56 | 
 57 | ```
 58 | ## Terminal 3
 59 | $ docker ps -q
 60 | acd1d4d97027
 61 | $ docker inspect acd1d4d97027 | jq .[0].State.Pid
 62 | 68575
 63 | $ sudo LD_PRELOAD=./target/release/libsetns.so SETNS_ARGS="-I 68575 --user 0:85:0,1,2,3,4" ls /
 64 | setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
 65 | bin    dev    etc    FOO   home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
 66 | ```
 67 | 
 68 | ```
 69 | ## Terminal 2
 70 | # setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
 71 | # ls /
 72 | bin    dev    etc    FOO   home   lib    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
 73 | # ifconfig
 74 | eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
 75 |           inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
 76 |           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 77 |           RX packets:525 errors:0 dropped:0 overruns:0 frame:0
 78 |           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 79 |           collisions:0 txqueuelen:0
 80 |           RX bytes:49454 (48.2 KiB)  TX bytes:0 (0.0 B)
 81 | 
 82 | lo        Link encap:Local Loopback
 83 |           inet addr:127.0.0.1  Mask:255.0.0.0
 84 |           UP LOOPBACK RUNNING  MTU:65536  Metric:1
 85 |           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 86 |           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 87 |           collisions:0 txqueuelen:1000
 88 |           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
 89 | ```
 90 | 
 91 | ```
 92 | ## Terminal 3
 93 | $ sudo ./target/release/insject -I 68575 --user 0:85:0,1,2,3,4 -- ls /
 94 | setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
 95 | bin  dev  etc  FOO  home  lib	media  mnt  opt  proc  root  run  sbin	srv  sys  tmp  usr  var
 96 | $ sudo ./target/release/insject -I 68575 --user 0:85:0,1,2,3,4 -- id
 97 | setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
 98 | uid=0 gid=85 groups=85,0,1,2,3,4
 99 | $ sudo ./target/release/insject -I 68575 --user 0:85:0,1,2,3,4 -- sh -c id
100 | setns -> mnt: 0, net: 0, time: 0, ipc: N/A, uts: 0, pid: 0, cgroup: 0, userns: 0, apparmor: docker-default, user: 0/0/0
101 | uid=0(root) gid=85(usb) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
102 | ```
103 | 
104 | ## Usage
105 | 
106 | ```
107 | $ insject --help
108 | insject 1.0
109 | Jeff Dileo <jeff.dileo@nccgroup.com>
110 | A tool to simplify container testing that runs an arbitrary
111 | command in the Linux namespaces of other processes.
112 | 
113 | WARNING: Be careful when accessing or executing files in containers as they may
114 |          be able to abuse the access of the joined process to escape.
115 | 
116 | Note: The -! instrumentation mode has several differences from the LD_PRELOAD modes:
117 |         * Forking is not supported
118 |         * -S,--strict is not supported
119 |         * errno values are not returned
120 | 
121 | USAGE:
122 |     insject [FLAGS] [OPTIONS] [setns-opts]... [-- <cmd>...]
123 | 
124 | ARGS:
125 |     <setns-opts>...    setns.so options. For detailed information, use --help-setns
126 |     <cmd>...
127 | 
128 | FLAGS:
129 |     -h, --help          Prints help information
130 |         --help-setns    Prints help information for setns.so
131 |     -V, --version       Prints version information
132 | 
133 | OPTIONS:
134 |     -! <pid>        PID to instrument
135 | $ insject --help-setns
136 | libsetns.so 1.0
137 | Jeff Dileo <jeff.dileo@nccgroup.com>
138 | An inject-/LD_PRELOAD-able shim to simplify container testing by joining an external program
139 | run with it into the Linux namespaces of other processes.
140 | 
141 | WARNING: Be careful when accessing or executing files in containers as they may
142 |          be able to abuse the access of the joined process to escape.
143 | 
144 | USAGE:
145 |     libsetns.so [FLAGS] [OPTIONS] [target-pid]
146 | 
147 | ARGS:
148 |     <target-pid>    PID to source namespaces from by default
149 | 
150 | FLAGS:
151 |         --help            Prints help information
152 |     -A, --no-apparmor     Skip setting AppArmor profile
153 |     -C, --no-cgroup       Skip setting cgroup namespace
154 |     -F, --no-fork         Skip fork after entering PID namespace, if entering PID namespace
155 |     -I, --no-ipc          Skip setting IPC namespace
156 |     -M, --no-mnt          Skip setting mount namespace
157 |     -N, --no-net          Skip setting network namespace
158 |     -P, --no-pid          Skip setting PID namespace
159 |     -T, --no-time         Skip setting time namespace
160 |     -U, --no-userns       Skip setting user namespace
161 |     -H, --no-uts          Skip setting UTS (hostname) namespace
162 |     -S, --strict          Exit if any namespace attach fails
163 |     -1, --userns-first    Set user namespace before other namespaces
164 |     -V, --version         Prints version information
165 | 
166 | OPTIONS:
167 |     -@, --raw-address <address>         Raw memory address to hook instead of a symbol
168 |                                         Note: This is not an offset
169 |     -c, --cgroup <cgroup>               Path to cgroup namespace to set
170 |     -i, --ipc <ipc>                     Path to IPC namespace to set
171 |     -m, --mnt <mnt>                     Path to mount namespace to set
172 |     -n, --net <net>                     Path to network namespace to set
173 |     -p, --pid <pid>                     Path to PID namespace to set
174 |     -a, --apparmor-profile <profile>    Alternate AppArmor profile to set
175 |     -s, --symbol <symbol>               Symbol to hook entry of instead of main
176 |     -t, --time <time>                   Path to time namespace to set
177 |         --user <user>                   <uid>[:<gid>[:<group,ids>]]) [default: 0:0:0]
178 |     -u, --userns <userns>               Path to user namespace to set
179 |     -h, --uts <uts>                     Path to UTS (hostname) namespace to set
180 | ```
181 | 
182 | # License
183 | 
184 | insject is licensed under the 2-clause BSD license.
185 | 


--------------------------------------------------------------------------------
/setns-common/Cargo.lock:
--------------------------------------------------------------------------------
  1 | # This file is automatically @generated by Cargo.
  2 | # It is not intended for manual editing.
  3 | [[package]]
  4 | name = "atty"
  5 | version = "0.2.14"
  6 | source = "registry+https://github.com/rust-lang/crates.io-index"
  7 | checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
  8 | dependencies = [
  9 |  "hermit-abi",
 10 |  "libc",
 11 |  "winapi",
 12 | ]
 13 | 
 14 | [[package]]
 15 | name = "autocfg"
 16 | version = "1.0.1"
 17 | source = "registry+https://github.com/rust-lang/crates.io-index"
 18 | checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 19 | 
 20 | [[package]]
 21 | name = "bitflags"
 22 | version = "1.3.2"
 23 | source = "registry+https://github.com/rust-lang/crates.io-index"
 24 | checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 25 | 
 26 | [[package]]
 27 | name = "clap"
 28 | version = "3.0.0"
 29 | source = "registry+https://github.com/rust-lang/crates.io-index"
 30 | checksum = "d17bf219fcd37199b9a29e00ba65dfb8cd5b2688b7297ec14ff829c40ac50ca9"
 31 | dependencies = [
 32 |  "atty",
 33 |  "bitflags",
 34 |  "indexmap",
 35 |  "os_str_bytes",
 36 |  "strsim",
 37 |  "termcolor",
 38 |  "textwrap",
 39 | ]
 40 | 
 41 | [[package]]
 42 | name = "commands"
 43 | version = "0.0.5"
 44 | source = "registry+https://github.com/rust-lang/crates.io-index"
 45 | checksum = "688226b9769bbf11a9d82a94fb4adda15793a6023d33a8ca7695dbafec6f4123"
 46 | 
 47 | [[package]]
 48 | name = "hashbrown"
 49 | version = "0.11.2"
 50 | source = "registry+https://github.com/rust-lang/crates.io-index"
 51 | checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e"
 52 | 
 53 | [[package]]
 54 | name = "hermit-abi"
 55 | version = "0.1.19"
 56 | source = "registry+https://github.com/rust-lang/crates.io-index"
 57 | checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
 58 | dependencies = [
 59 |  "libc",
 60 | ]
 61 | 
 62 | [[package]]
 63 | name = "indexmap"
 64 | version = "1.7.0"
 65 | source = "registry+https://github.com/rust-lang/crates.io-index"
 66 | checksum = "bc633605454125dec4b66843673f01c7df2b89479b32e0ed634e43a91cff62a5"
 67 | dependencies = [
 68 |  "autocfg",
 69 |  "hashbrown",
 70 | ]
 71 | 
 72 | [[package]]
 73 | name = "itoa"
 74 | version = "1.0.1"
 75 | source = "registry+https://github.com/rust-lang/crates.io-index"
 76 | checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
 77 | 
 78 | [[package]]
 79 | name = "libc"
 80 | version = "0.2.112"
 81 | source = "registry+https://github.com/rust-lang/crates.io-index"
 82 | checksum = "1b03d17f364a3a042d5e5d46b053bbbf82c92c9430c592dd4c064dc6ee997125"
 83 | 
 84 | [[package]]
 85 | name = "memchr"
 86 | version = "2.4.1"
 87 | source = "registry+https://github.com/rust-lang/crates.io-index"
 88 | checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
 89 | 
 90 | [[package]]
 91 | name = "os_str_bytes"
 92 | version = "6.0.0"
 93 | source = "registry+https://github.com/rust-lang/crates.io-index"
 94 | checksum = "8e22443d1643a904602595ba1cd8f7d896afe56d26712531c5ff73a15b2fbf64"
 95 | dependencies = [
 96 |  "memchr",
 97 | ]
 98 | 
 99 | [[package]]
100 | name = "proc-macro2"
101 | version = "1.0.36"
102 | source = "registry+https://github.com/rust-lang/crates.io-index"
103 | checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029"
104 | dependencies = [
105 |  "unicode-xid",
106 | ]
107 | 
108 | [[package]]
109 | name = "quote"
110 | version = "1.0.14"
111 | source = "registry+https://github.com/rust-lang/crates.io-index"
112 | checksum = "47aa80447ce4daf1717500037052af176af5d38cc3e571d9ec1c7353fc10c87d"
113 | dependencies = [
114 |  "proc-macro2",
115 | ]
116 | 
117 | [[package]]
118 | name = "ryu"
119 | version = "1.0.9"
120 | source = "registry+https://github.com/rust-lang/crates.io-index"
121 | checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
122 | 
123 | [[package]]
124 | name = "serde"
125 | version = "1.0.132"
126 | source = "registry+https://github.com/rust-lang/crates.io-index"
127 | checksum = "8b9875c23cf305cd1fd7eb77234cbb705f21ea6a72c637a5c6db5fe4b8e7f008"
128 | dependencies = [
129 |  "serde_derive",
130 | ]
131 | 
132 | [[package]]
133 | name = "serde_derive"
134 | version = "1.0.132"
135 | source = "registry+https://github.com/rust-lang/crates.io-index"
136 | checksum = "ecc0db5cb2556c0e558887d9bbdcf6ac4471e83ff66cf696e5419024d1606276"
137 | dependencies = [
138 |  "proc-macro2",
139 |  "quote",
140 |  "syn",
141 | ]
142 | 
143 | [[package]]
144 | name = "serde_json"
145 | version = "1.0.73"
146 | source = "registry+https://github.com/rust-lang/crates.io-index"
147 | checksum = "bcbd0344bc6533bc7ec56df11d42fb70f1b912351c0825ccb7211b59d8af7cf5"
148 | dependencies = [
149 |  "itoa",
150 |  "ryu",
151 |  "serde",
152 | ]
153 | 
154 | [[package]]
155 | name = "setns-common"
156 | version = "0.1.0"
157 | dependencies = [
158 |  "clap",
159 |  "commands",
160 |  "serde",
161 |  "serde_json",
162 | ]
163 | 
164 | [[package]]
165 | name = "strsim"
166 | version = "0.10.0"
167 | source = "registry+https://github.com/rust-lang/crates.io-index"
168 | checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
169 | 
170 | [[package]]
171 | name = "syn"
172 | version = "1.0.84"
173 | source = "registry+https://github.com/rust-lang/crates.io-index"
174 | checksum = "ecb2e6da8ee5eb9a61068762a32fa9619cc591ceb055b3687f4cd4051ec2e06b"
175 | dependencies = [
176 |  "proc-macro2",
177 |  "quote",
178 |  "unicode-xid",
179 | ]
180 | 
181 | [[package]]
182 | name = "termcolor"
183 | version = "1.1.2"
184 | source = "registry+https://github.com/rust-lang/crates.io-index"
185 | checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4"
186 | dependencies = [
187 |  "winapi-util",
188 | ]
189 | 
190 | [[package]]
191 | name = "textwrap"
192 | version = "0.14.2"
193 | source = "registry+https://github.com/rust-lang/crates.io-index"
194 | checksum = "0066c8d12af8b5acd21e00547c3797fde4e8677254a7ee429176ccebbe93dd80"
195 | 
196 | [[package]]
197 | name = "unicode-xid"
198 | version = "0.2.2"
199 | source = "registry+https://github.com/rust-lang/crates.io-index"
200 | checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
201 | 
202 | [[package]]
203 | name = "winapi"
204 | version = "0.3.9"
205 | source = "registry+https://github.com/rust-lang/crates.io-index"
206 | checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
207 | dependencies = [
208 |  "winapi-i686-pc-windows-gnu",
209 |  "winapi-x86_64-pc-windows-gnu",
210 | ]
211 | 
212 | [[package]]
213 | name = "winapi-i686-pc-windows-gnu"
214 | version = "0.4.0"
215 | source = "registry+https://github.com/rust-lang/crates.io-index"
216 | checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
217 | 
218 | [[package]]
219 | name = "winapi-util"
220 | version = "0.1.5"
221 | source = "registry+https://github.com/rust-lang/crates.io-index"
222 | checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
223 | dependencies = [
224 |  "winapi",
225 | ]
226 | 
227 | [[package]]
228 | name = "winapi-x86_64-pc-windows-gnu"
229 | version = "0.4.0"
230 | source = "registry+https://github.com/rust-lang/crates.io-index"
231 | checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
232 | 


--------------------------------------------------------------------------------
/setns-common/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "setns-common"
 3 | version = "1.0.0"
 4 | authors = ["jeff.dileo@nccgroup.com"]
 5 | edition = "2018"
 6 | 
 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 8 | 
 9 | [dependencies]
10 | clap = "3.0.0-beta.2"
11 | commands = "0.0.5"
12 | serde = { version = "1.0", features = ["derive"] }
13 | serde_json = "1.0"
14 | 


--------------------------------------------------------------------------------
/setns-common/src/lib.rs:
--------------------------------------------------------------------------------
  1 | /*
  2 | Copyright (c) NCC Group, 2021
  3 | All rights reserved.
  4 | 
  5 | Redistribution and use in source and binary forms, with or without
  6 | modification, are permitted provided that the following conditions are met:
  7 | 
  8 | 1. Redistributions of source code must retain the above copyright notice, this
  9 |    list of conditions and the following disclaimer.
 10 | 2. Redistributions in binary form must reproduce the above copyright notice,
 11 |    this list of conditions and the following disclaimer in the documentation
 12 |    and/or other materials provided with the distribution.
 13 | 
 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 15 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
 18 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 21 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 24 |  */
 25 | 
 26 | extern crate clap;
 27 | //use clap::AppSettings;
 28 | //pub use clap::Clap;
 29 | //pub use clap::AppSettings;
 30 | use clap::{Clap,AppSettings};
 31 | 
 32 | extern crate commands;
 33 | use commands::tokenizer::{tokenize,TokenType};
 34 | 
 35 | extern crate serde;
 36 | use serde::{Deserialize, Serialize};
 37 | 
 38 | extern crate serde_json;
 39 | 
 40 | #[derive(Clap,Clone,Debug,Deserialize,Serialize)]
 41 | #[clap(name = "libsetns.so", version = "1.0",
 42 |        author = "Jeff Dileo <jeff.dileo@nccgroup.com>",
 43 |        about = "An inject-/LD_PRELOAD-able shim to simplify container testing \
 44 |                 by joining an external program\nrun with it into the Linux \
 45 |                 namespaces of other processes.\n
 46 | WARNING: Be careful when accessing or executing files in \
 47 |          containers as they may
 48 |          be able to abuse the access \
 49 |          of the joined process to escape.",
 50 |        setting = AppSettings::ColoredHelp
 51 | )]
 52 | pub struct Opts {
 53 |   #[clap(short = 's', long = "symbol", name = "symbol",
 54 |          about = "Symbol to hook entry of instead of main")]
 55 |   pub sym_name: Option<String>,
 56 |   #[clap(short = '@', long = "raw-address", name = "address",
 57 |          about = "Raw memory address to hook instead of a symbol\nNote: This is not an offset")]
 58 |   pub raw_address: Option<usize>,
 59 |   #[clap(about = "PID to source namespaces from by default",
 60 |          validator = |val| { val.parse::<usize>().map_err(|_| format!("must be a non-negative number, got: {}", val)) } )]
 61 |   pub target_pid: Option<usize>,
 62 |   #[clap(short = '1', long, about = "Set user namespace before other namespaces")]
 63 |   pub userns_first: bool,
 64 | 
 65 |   #[clap(short, long, about = "Path to mount namespace to set")]
 66 |   pub mnt: Option<String>,
 67 |   #[clap(short, long, about = "Path to network namespace to set")]
 68 |   pub net: Option<String>,
 69 |   #[clap(short, long, about = "Path to time namespace to set")]
 70 |   pub time: Option<String>,
 71 |   #[clap(short, long, about = "Path to IPC namespace to set")]
 72 |   pub ipc: Option<String>,
 73 |   #[clap(short = 'h', long, about = "Path to UTS (hostname) namespace to set")]
 74 |   pub uts: Option<String>,
 75 |   #[clap(short, long, about = "Path to PID namespace to set")]
 76 |   pub pid: Option<String>,
 77 |   #[clap(short, long, about = "Path to cgroup namespace to set")]
 78 |   pub cgroup: Option<String>,
 79 |   #[clap(short, long, about = "Path to user namespace to set")]
 80 |   pub userns: Option<String>,
 81 | 
 82 |   #[clap(long, about = "<uid>[:<gid>[:<group,ids>]])",
 83 |          default_value = "0:0:0",
 84 |          validator = |val: &str| {
 85 |            let vals: std::vec::Vec<String> = val.split(':').into_iter().map(|s| s.to_string()).collect();
 86 |            if vals.len() > 3 {
 87 |              return Err("invalid number of parts".to_string());
 88 |            }
 89 |            for (i,v) in vals.iter().enumerate() {
 90 |              if i < 2 {
 91 |                match v.parse::<u32>() {
 92 |                  Ok(_) => {},
 93 |                  Err(err) => { return Err(format!("invalid uid/gid: {}", v)) }
 94 |                }
 95 |              } else {
 96 |                let groups: std::vec::Vec<String> = v.split(',').into_iter().map(|s| s.to_string()).collect();
 97 |                for g in groups.iter() {
 98 |                  match g.parse::<u32>() {
 99 |                    Ok(_) => {},
100 |                    Err(err) => { return Err(format!("invalid group: {}", v)) }
101 |                  }
102 |                }
103 |              }
104 |            }
105 |            Ok(val.to_string())
106 |          }
107 |   )]
108 |   pub user: String,
109 | 
110 |   #[clap(short, long, name = "profile", about = "Alternate AppArmor profile to set")]
111 |   pub apparmor_profile: Option<String>,
112 | 
113 |   #[clap(short = 'F', long, about = "Skip fork after entering PID namespace, if entering PID namespace")]
114 |   pub no_fork: bool,
115 | 
116 |   #[clap(short = 'M', long, about = "Skip setting mount namespace")]
117 |   pub no_mnt: bool,
118 |   #[clap(short = 'N', long, about = "Skip setting network namespace")]
119 |   pub no_net: bool,
120 |   #[clap(short = 'T', long, about = "Skip setting time namespace")]
121 |   pub no_time: bool,
122 |   #[clap(short = 'I', long, about = "Skip setting IPC namespace")]
123 |   pub no_ipc: bool,
124 |   #[clap(short = 'H', long, about = "Skip setting UTS (hostname) namespace")]
125 |   pub no_uts: bool,
126 |   #[clap(short = 'P', long, about = "Skip setting PID namespace")]
127 |   pub no_pid: bool,
128 |   #[clap(short = 'C', long, about = "Skip setting cgroup namespace")]
129 |   pub no_cgroup: bool,
130 |   #[clap(short = 'U', long, about = "Skip setting user namespace")]
131 |   pub no_userns: bool,
132 | 
133 |   #[clap(short = 'A', long, about = "Skip setting AppArmor profile")]
134 |   pub no_apparmor: bool,
135 | 
136 |   #[clap(short = 'S', long, about = "Exit if any namespace attach fails")]
137 |   pub strict: bool,
138 | }
139 | 
140 | pub fn print_help(ret: i32) {
141 |   match <Opts as clap::IntoApp>::into_app().print_help() {
142 |     Ok(_) => {
143 |       std::process::exit(ret);
144 |     },
145 |     Err(err) => {
146 |       println!("{}", err);
147 |       std::process::exit(1);
148 |     }
149 |   }
150 | }
151 | 
152 | pub fn parse_opts(args: &String) -> Opts {
153 |   //let args = "setns ".to_owned() + args;
154 |   let tokens = tokenize(&args);
155 |   match tokens {
156 |     Ok(tokens) => {
157 |       for (_, token) in tokens.clone().iter().enumerate() {
158 |         if token.text == "--help" {
159 |           print_help(0);
160 |         }
161 |       }
162 |       let tokens: std::vec::Vec<String> = tokens.into_iter().filter_map(|t| {
163 |         match t.token_type {
164 |           TokenType::Word => Some(t.text.to_string()),
165 |           _ => None
166 |         }
167 |       }).collect();
168 |       parse_opts_parts(&tokens)
169 |     },
170 |     Err(err) => {
171 |       println!("{}", err);
172 |       std::process::exit(1)
173 |     }
174 |   }
175 | }
176 | 
177 | pub fn parse_opts_parts(args: &std::vec::Vec<String>) -> Opts {
178 |   let mut args = args.clone();
179 |   args.insert(0, "setns".to_string());
180 | 
181 |   let opts = match Opts::try_parse_from(args.into_iter()) {
182 |     Ok(opts) => {
183 |       opts
184 |     },
185 |     Err(err) => {
186 |       println!("{}", err);
187 |       std::process::exit(1)
188 |     }
189 |   };
190 | 
191 |   if opts.target_pid.is_none() &&
192 |      opts.mnt.is_none() &&
193 |      opts.net.is_none() &&
194 |      opts.time.is_none() &&
195 |      opts.ipc.is_none() &&
196 |      opts.uts.is_none() &&
197 |      opts.pid.is_none() &&
198 |      opts.cgroup.is_none() &&
199 |      opts.userns.is_none() {
200 | 
201 |     println!("Error: Must have at least one of <target-pid> or namespace option set.");
202 |     print_help(1);
203 |   }
204 | 
205 |   // if opts.fork && opts.no_pid {
206 |   //   println!("Error: -f,--fork not supported with -P, --no-pid");
207 |   //   print_help(1);
208 |   // }
209 | 
210 |   opts
211 | }
212 | 
213 | pub fn to_json(opts: &Opts) -> Option<String> {
214 |   let j = serde_json::to_string(opts);
215 |   match j {
216 |     Ok(s) => Some(s),
217 |     Err(err) => {
218 |       println!("failed to JSON encode opts, err: {}, opts: {:?}", err, opts);
219 |       None
220 |     }
221 |   }
222 | }
223 | 
224 | pub fn from_json(s: &str) -> Option<Opts> {
225 |   let o = serde_json::from_str(s);
226 |   match o {
227 |     Ok(opts) => Some(opts),
228 |     Err(err) => {
229 |       println!("failed to deserialize as Opts, error: {}, s: {}", err, s);
230 |       None
231 |     }
232 |   }
233 | }
234 | 


--------------------------------------------------------------------------------
/setns-so/.cargo/.gitignore:
--------------------------------------------------------------------------------
1 | config
2 | 


--------------------------------------------------------------------------------
/setns-so/.cargo/config.bak:
--------------------------------------------------------------------------------
1 | [build]
2 | rustflags = ["-C", "relocation-model=pic",
3 |              "-C", "link-args=-Wl,-Bstatic -L /mnt/hgfs/psc/insject/setns-so/frida/x86_64-unknown-linux-gnu -lfrida-gum -L /mnt/hgfs/psc/insject/setns-so/target/release/build/setns-b1dfcc80dea94804/out -l frida-gum-wrapper"]
4 | 


--------------------------------------------------------------------------------
/setns-so/.gitignore:
--------------------------------------------------------------------------------
 1 | gen/
 2 | target/
 3 | libfrida-gum.a
 4 | frida-gum.h
 5 | frida-gum-wrapper.c
 6 | frida-gum-example.c
 7 | frida-gum-devkit-*
 8 | test
 9 | test.c
10 | 


--------------------------------------------------------------------------------
/setns-so/Cargo.lock:
--------------------------------------------------------------------------------
  1 | # This file is automatically @generated by Cargo.
  2 | # It is not intended for manual editing.
  3 | version = 3
  4 | 
  5 | [[package]]
  6 | name = "atty"
  7 | version = "0.2.14"
  8 | source = "registry+https://github.com/rust-lang/crates.io-index"
  9 | checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
 10 | dependencies = [
 11 |  "hermit-abi",
 12 |  "libc",
 13 |  "winapi",
 14 | ]
 15 | 
 16 | [[package]]
 17 | name = "autocfg"
 18 | version = "1.0.1"
 19 | source = "registry+https://github.com/rust-lang/crates.io-index"
 20 | checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 21 | 
 22 | [[package]]
 23 | name = "base64"
 24 | version = "0.6.0"
 25 | source = "registry+https://github.com/rust-lang/crates.io-index"
 26 | checksum = "96434f987501f0ed4eb336a411e0631ecd1afa11574fe148587adc4ff96143c9"
 27 | dependencies = [
 28 |  "byteorder",
 29 |  "safemem",
 30 | ]
 31 | 
 32 | [[package]]
 33 | name = "base64"
 34 | version = "0.13.0"
 35 | source = "registry+https://github.com/rust-lang/crates.io-index"
 36 | checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd"
 37 | 
 38 | [[package]]
 39 | name = "bitflags"
 40 | version = "1.2.1"
 41 | source = "registry+https://github.com/rust-lang/crates.io-index"
 42 | checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
 43 | 
 44 | [[package]]
 45 | name = "byteorder"
 46 | version = "1.4.3"
 47 | source = "registry+https://github.com/rust-lang/crates.io-index"
 48 | checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
 49 | 
 50 | [[package]]
 51 | name = "cc"
 52 | version = "1.0.67"
 53 | source = "registry+https://github.com/rust-lang/crates.io-index"
 54 | checksum = "e3c69b077ad434294d3ce9f1f6143a2a4b89a8a2d54ef813d85003a4fd1137fd"
 55 | 
 56 | [[package]]
 57 | name = "clap"
 58 | version = "3.0.0-beta.2"
 59 | source = "registry+https://github.com/rust-lang/crates.io-index"
 60 | checksum = "4bd1061998a501ee7d4b6d449020df3266ca3124b941ec56cf2005c3779ca142"
 61 | dependencies = [
 62 |  "atty",
 63 |  "bitflags",
 64 |  "clap_derive",
 65 |  "indexmap",
 66 |  "lazy_static",
 67 |  "os_str_bytes",
 68 |  "strsim",
 69 |  "termcolor",
 70 |  "textwrap",
 71 |  "unicode-width",
 72 |  "vec_map",
 73 | ]
 74 | 
 75 | [[package]]
 76 | name = "clap_derive"
 77 | version = "3.0.0-beta.2"
 78 | source = "registry+https://github.com/rust-lang/crates.io-index"
 79 | checksum = "370f715b81112975b1b69db93e0b56ea4cd4e5002ac43b2da8474106a54096a1"
 80 | dependencies = [
 81 |  "heck",
 82 |  "proc-macro-error",
 83 |  "proc-macro2",
 84 |  "quote",
 85 |  "syn",
 86 | ]
 87 | 
 88 | [[package]]
 89 | name = "commands"
 90 | version = "0.0.5"
 91 | source = "registry+https://github.com/rust-lang/crates.io-index"
 92 | checksum = "688226b9769bbf11a9d82a94fb4adda15793a6023d33a8ca7695dbafec6f4123"
 93 | 
 94 | [[package]]
 95 | name = "gumshoe"
 96 | version = "0.1.0"
 97 | source = "git+https://github.com/ChaosData/frida-gum-rs#926db91944826b338d821c0088b23e62266e3ed2"
 98 | dependencies = [
 99 |  "base64 0.6.0",
100 |  "libc",
101 | ]
102 | 
103 | [[package]]
104 | name = "hashbrown"
105 | version = "0.9.1"
106 | source = "registry+https://github.com/rust-lang/crates.io-index"
107 | checksum = "d7afe4a420e3fe79967a00898cc1f4db7c8a49a9333a29f8a4bd76a253d5cd04"
108 | 
109 | [[package]]
110 | name = "heck"
111 | version = "0.3.2"
112 | source = "registry+https://github.com/rust-lang/crates.io-index"
113 | checksum = "87cbf45460356b7deeb5e3415b5563308c0a9b057c85e12b06ad551f98d0a6ac"
114 | dependencies = [
115 |  "unicode-segmentation",
116 | ]
117 | 
118 | [[package]]
119 | name = "hermit-abi"
120 | version = "0.1.18"
121 | source = "registry+https://github.com/rust-lang/crates.io-index"
122 | checksum = "322f4de77956e22ed0e5032c359a0f1273f1f7f0d79bfa3b8ffbc730d7fbcc5c"
123 | dependencies = [
124 |  "libc",
125 | ]
126 | 
127 | [[package]]
128 | name = "indexmap"
129 | version = "1.6.2"
130 | source = "registry+https://github.com/rust-lang/crates.io-index"
131 | checksum = "824845a0bf897a9042383849b02c1bc219c2383772efcd5c6f9766fa4b81aef3"
132 | dependencies = [
133 |  "autocfg",
134 |  "hashbrown",
135 | ]
136 | 
137 | [[package]]
138 | name = "itoa"
139 | version = "0.4.7"
140 | source = "registry+https://github.com/rust-lang/crates.io-index"
141 | checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736"
142 | 
143 | [[package]]
144 | name = "lazy_static"
145 | version = "1.4.0"
146 | source = "registry+https://github.com/rust-lang/crates.io-index"
147 | checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
148 | 
149 | [[package]]
150 | name = "libc"
151 | version = "0.2.93"
152 | source = "registry+https://github.com/rust-lang/crates.io-index"
153 | checksum = "9385f66bf6105b241aa65a61cb923ef20efc665cb9f9bb50ac2f0c4b7f378d41"
154 | 
155 | [[package]]
156 | name = "os_str_bytes"
157 | version = "2.4.0"
158 | source = "registry+https://github.com/rust-lang/crates.io-index"
159 | checksum = "afb2e1c3ee07430c2cf76151675e583e0f19985fa6efae47d6848a3e2c824f85"
160 | 
161 | [[package]]
162 | name = "proc-macro-error"
163 | version = "1.0.4"
164 | source = "registry+https://github.com/rust-lang/crates.io-index"
165 | checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
166 | dependencies = [
167 |  "proc-macro-error-attr",
168 |  "proc-macro2",
169 |  "quote",
170 |  "syn",
171 |  "version_check",
172 | ]
173 | 
174 | [[package]]
175 | name = "proc-macro-error-attr"
176 | version = "1.0.4"
177 | source = "registry+https://github.com/rust-lang/crates.io-index"
178 | checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
179 | dependencies = [
180 |  "proc-macro2",
181 |  "quote",
182 |  "version_check",
183 | ]
184 | 
185 | [[package]]
186 | name = "proc-macro2"
187 | version = "1.0.26"
188 | source = "registry+https://github.com/rust-lang/crates.io-index"
189 | checksum = "a152013215dca273577e18d2bf00fa862b89b24169fb78c4c95aeb07992c9cec"
190 | dependencies = [
191 |  "unicode-xid",
192 | ]
193 | 
194 | [[package]]
195 | name = "quote"
196 | version = "1.0.9"
197 | source = "registry+https://github.com/rust-lang/crates.io-index"
198 | checksum = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7"
199 | dependencies = [
200 |  "proc-macro2",
201 | ]
202 | 
203 | [[package]]
204 | name = "ryu"
205 | version = "1.0.5"
206 | source = "registry+https://github.com/rust-lang/crates.io-index"
207 | checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
208 | 
209 | [[package]]
210 | name = "safemem"
211 | version = "0.2.0"
212 | source = "registry+https://github.com/rust-lang/crates.io-index"
213 | checksum = "e27a8b19b835f7aea908818e871f5cc3a5a186550c30773be987e155e8163d8f"
214 | 
215 | [[package]]
216 | name = "serde"
217 | version = "1.0.125"
218 | source = "registry+https://github.com/rust-lang/crates.io-index"
219 | checksum = "558dc50e1a5a5fa7112ca2ce4effcb321b0300c0d4ccf0776a9f60cd89031171"
220 | dependencies = [
221 |  "serde_derive",
222 | ]
223 | 
224 | [[package]]
225 | name = "serde_derive"
226 | version = "1.0.125"
227 | source = "registry+https://github.com/rust-lang/crates.io-index"
228 | checksum = "b093b7a2bb58203b5da3056c05b4ec1fed827dcfdb37347a8841695263b3d06d"
229 | dependencies = [
230 |  "proc-macro2",
231 |  "quote",
232 |  "syn",
233 | ]
234 | 
235 | [[package]]
236 | name = "serde_json"
237 | version = "1.0.64"
238 | source = "registry+https://github.com/rust-lang/crates.io-index"
239 | checksum = "799e97dc9fdae36a5c8b8f2cae9ce2ee9fdce2058c57a93e6099d919fd982f79"
240 | dependencies = [
241 |  "itoa",
242 |  "ryu",
243 |  "serde",
244 | ]
245 | 
246 | [[package]]
247 | name = "setns"
248 | version = "1.0.0"
249 | dependencies = [
250 |  "base64 0.13.0",
251 |  "cc",
252 |  "clap",
253 |  "gumshoe",
254 |  "libc",
255 |  "setns-common",
256 | ]
257 | 
258 | [[package]]
259 | name = "setns-common"
260 | version = "1.0.0"
261 | dependencies = [
262 |  "clap",
263 |  "commands",
264 |  "serde",
265 |  "serde_json",
266 | ]
267 | 
268 | [[package]]
269 | name = "strsim"
270 | version = "0.10.0"
271 | source = "registry+https://github.com/rust-lang/crates.io-index"
272 | checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
273 | 
274 | [[package]]
275 | name = "syn"
276 | version = "1.0.70"
277 | source = "registry+https://github.com/rust-lang/crates.io-index"
278 | checksum = "b9505f307c872bab8eb46f77ae357c8eba1fdacead58ee5a850116b1d7f82883"
279 | dependencies = [
280 |  "proc-macro2",
281 |  "quote",
282 |  "unicode-xid",
283 | ]
284 | 
285 | [[package]]
286 | name = "termcolor"
287 | version = "1.1.2"
288 | source = "registry+https://github.com/rust-lang/crates.io-index"
289 | checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4"
290 | dependencies = [
291 |  "winapi-util",
292 | ]
293 | 
294 | [[package]]
295 | name = "textwrap"
296 | version = "0.12.1"
297 | source = "registry+https://github.com/rust-lang/crates.io-index"
298 | checksum = "203008d98caf094106cfaba70acfed15e18ed3ddb7d94e49baec153a2b462789"
299 | dependencies = [
300 |  "unicode-width",
301 | ]
302 | 
303 | [[package]]
304 | name = "unicode-segmentation"
305 | version = "1.7.1"
306 | source = "registry+https://github.com/rust-lang/crates.io-index"
307 | checksum = "bb0d2e7be6ae3a5fa87eed5fb451aff96f2573d2694942e40543ae0bbe19c796"
308 | 
309 | [[package]]
310 | name = "unicode-width"
311 | version = "0.1.8"
312 | source = "registry+https://github.com/rust-lang/crates.io-index"
313 | checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
314 | 
315 | [[package]]
316 | name = "unicode-xid"
317 | version = "0.2.1"
318 | source = "registry+https://github.com/rust-lang/crates.io-index"
319 | checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
320 | 
321 | [[package]]
322 | name = "vec_map"
323 | version = "0.8.2"
324 | source = "registry+https://github.com/rust-lang/crates.io-index"
325 | checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
326 | 
327 | [[package]]
328 | name = "version_check"
329 | version = "0.9.3"
330 | source = "registry+https://github.com/rust-lang/crates.io-index"
331 | checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
332 | 
333 | [[package]]
334 | name = "winapi"
335 | version = "0.3.9"
336 | source = "registry+https://github.com/rust-lang/crates.io-index"
337 | checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
338 | dependencies = [
339 |  "winapi-i686-pc-windows-gnu",
340 |  "winapi-x86_64-pc-windows-gnu",
341 | ]
342 | 
343 | [[package]]
344 | name = "winapi-i686-pc-windows-gnu"
345 | version = "0.4.0"
346 | source = "registry+https://github.com/rust-lang/crates.io-index"
347 | checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
348 | 
349 | [[package]]
350 | name = "winapi-util"
351 | version = "0.1.5"
352 | source = "registry+https://github.com/rust-lang/crates.io-index"
353 | checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
354 | dependencies = [
355 |  "winapi",
356 | ]
357 | 
358 | [[package]]
359 | name = "winapi-x86_64-pc-windows-gnu"
360 | version = "0.4.0"
361 | source = "registry+https://github.com/rust-lang/crates.io-index"
362 | checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
363 | 


--------------------------------------------------------------------------------
/setns-so/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "setns"
 3 | version = "1.0.0"
 4 | authors = ["jeff.dileo@nccgroup.com"]
 5 | 
 6 | [lib]
 7 | name = "setns"
 8 | #crate-type = ["dylib"]
 9 | crate-type = ["cdylib"]
10 | #crate-type = ["staticlib"]
11 | 
12 | [[bin]]
13 | name = "insject"
14 | path = "src/main.rs"
15 | 
16 | [dependencies]
17 | #gumshoe = { path = "../../frida-gum-rs" }
18 | gumshoe = { git = "https://github.com/ChaosData/frida-gum-rs" }
19 | setns-common = { path = "../setns-common" }
20 | clap = "3.0.0-beta.2"
21 | libc = "0.2"
22 | 
23 | [build-dependencies]
24 | #gumshoe = { path = "../../frida-gum-rs" }
25 | gumshoe = { git = "https://github.com/ChaosData/frida-gum-rs" }
26 | cc = "1.0"
27 | base64 = "0.13"
28 | 


--------------------------------------------------------------------------------
/setns-so/build.rs:
--------------------------------------------------------------------------------
 1 | /*
 2 | Copyright (c) NCC Group, 2021
 3 | All rights reserved.
 4 | 
 5 | Redistribution and use in source and binary forms, with or without
 6 | modification, are permitted provided that the following conditions are met:
 7 | 
 8 | 1. Redistributions of source code must retain the above copyright notice, this
 9 |    list of conditions and the following disclaimer.
10 | 2. Redistributions in binary form must reproduce the above copyright notice,
11 |    this list of conditions and the following disclaimer in the documentation
12 |    and/or other materials provided with the distribution.
13 | 
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
15 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
18 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
21 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 |  */
25 | 
26 | #[macro_use]
27 | extern crate gumshoe;
28 | //extern crate base64;
29 | //extern crate cc;
30 | 
31 | /*
32 | use base64::decode;
33 | 
34 | use std::fs::File;
35 | use std::io::Write;
36 | 
37 | extern crate cc;
38 | 
39 | pub fn link() {
40 |   let b64 = gumshoe::codeb64();
41 |   let code = &decode(b64).unwrap();
42 | 
43 |   std::fs::create_dir_all("gen").unwrap();
44 |   let mut f = File::create("gen/frida-gum-wrapper.c").expect("Unable to create file");
45 |   f.write_all(code.as_slice()).expect("Unable to write data");
46 | 
47 |   println!("cargo:rustc-flags=-L frida/{}", std::env::var("TARGET").unwrap());
48 |   println!("cargo:rustc-flags=-l frida-gum");
49 |   println!("cargo:rustc-flags=-l dl");
50 |   println!("cargo:rustc-flags=-l resolv");
51 |   println!("cargo:rustc-flags=-l rt");
52 |   println!("cargo:rustc-flags=-l m");
53 |   println!("cargo:rustc-flags=-l pthread");
54 | 
55 |   cc::Build::new()
56 |     .include("frida")
57 |     .file("gen/frida-gum-wrapper.c")
58 |     .compile("frida-gum-wrapper");
59 | }
60 | */
61 | 
62 | link!{}
63 | 
64 | fn main() {
65 |   link(true);
66 | }
67 | 
68 | 
69 | 


--------------------------------------------------------------------------------
/setns-so/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | set -e
4 | set -o xtrace
5 | 
6 | cargo build --lib --release
7 | cargo build --bin insject --release
8 | python3 patch.py target/release/insject
9 | 


--------------------------------------------------------------------------------
/setns-so/frida/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/insject/0619ee9e61134d8283a8039c03b07ba62dd29dd1/setns-so/frida/.gitignore


--------------------------------------------------------------------------------
/setns-so/frida/x86_64-unknown-linux-gnu/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/insject/0619ee9e61134d8283a8039c03b07ba62dd29dd1/setns-so/frida/x86_64-unknown-linux-gnu/.gitignore


--------------------------------------------------------------------------------
/setns-so/patch.py:
--------------------------------------------------------------------------------
 1 | # https://lief.quarkslab.com/doc/latest/tutorials/08_elf_bin2lib.html#warning-for-glibc-2-29-users
 2 | 
 3 | import lief
 4 | import sys
 5 | import os
 6 | 
 7 | path = sys.argv[1]
 8 | os.rename(path, path + ".old")
 9 | 
10 | bin_ = lief.parse(path + ".old")
11 | bin_[lief.ELF.DYNAMIC_TAGS.FLAGS_1].remove(lief.ELF.DYNAMIC_FLAGS_1.PIE)
12 | bin_.write(path)
13 | 
14 | os.system("chmod +x " + path)
15 | 


--------------------------------------------------------------------------------
/setns-so/src/lib.rs:
--------------------------------------------------------------------------------
  1 | /*
  2 | Copyright (c) NCC Group, 2021
  3 | All rights reserved.
  4 | 
  5 | Redistribution and use in source and binary forms, with or without
  6 | modification, are permitted provided that the following conditions are met:
  7 | 
  8 | 1. Redistributions of source code must retain the above copyright notice, this
  9 |    list of conditions and the following disclaimer.
 10 | 2. Redistributions in binary form must reproduce the above copyright notice,
 11 |    this list of conditions and the following disclaimer in the documentation
 12 |    and/or other materials provided with the distribution.
 13 | 
 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 15 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
 18 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 21 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 24 |  */
 25 | 
 26 | extern crate gumshoe;
 27 | use gumshoe::*;
 28 | 
 29 | extern crate libc;
 30 | use libc::*;
 31 | 
 32 | extern crate setns_common;
 33 | use setns_common::*;
 34 | 
 35 | //static mut ARGS: Option<String> = None;
 36 | static mut OPTS: Option<Opts> = None;
 37 | 
 38 | static mut HOOK_SINGLETON: SetnsHook = SetnsHook{ raw_listener: std::ptr::null_mut() };
 39 | 
 40 | pub fn setup_frida_gum() {
 41 |   gumshoe::gum_init_embedded();
 42 | }
 43 | 
 44 | pub fn has_sym(name: &String) -> Option<GumAddress> {
 45 |   let path = std::fs::read_link("/proc/self/exe").unwrap();
 46 |   let path = path.to_str().unwrap();
 47 | 
 48 |   let mut addr = gumshoe::gum_module_find_symbol_by_name(path, name.as_str());
 49 |   if addr == 0 {
 50 |     addr = gumshoe::gum_module_find_export_by_name("", name.as_str());
 51 |   }
 52 |   if addr == 0 {
 53 |     None
 54 |   } else {
 55 |     Some(addr)
 56 |   }
 57 | }
 58 | 
 59 | pub fn try_hook_by_sym_name(name: &String) -> bool {
 60 |   let path = std::fs::read_link("/proc/self/exe").unwrap();
 61 |   let path = path.to_str().unwrap();
 62 | 
 63 |   let mut addr = gumshoe::gum_module_find_symbol_by_name(path, name.as_str());
 64 |   if addr == 0 {
 65 |     addr = gumshoe::gum_module_find_export_by_name("", name.as_str());
 66 |   }
 67 |   if addr == 0 {
 68 |     return false;
 69 |   }
 70 | 
 71 |   unsafe {
 72 |     match &mut OPTS {
 73 |       Some(opts) => {
 74 |         opts.raw_address = Some(addr);
 75 |       },
 76 |       None => { unreachable!(); }
 77 |     }
 78 |   }
 79 |   do_hook(addr);
 80 |   return true;
 81 | }
 82 | 
 83 | pub fn get_and_sanitize_env(vars: &[&str]) -> std::collections::BTreeMap<String,String> {
 84 |   let mut ret = std::collections::BTreeMap::new();
 85 |   let input: std::collections::BTreeSet<String> = vars.into_iter().map(|s| s.to_string()).collect();
 86 | 
 87 |   extern "C" {
 88 |     static mut environ: *mut *const c_char;
 89 |   }
 90 |   let mut orig_env = unsafe { *(std::ptr::addr_of_mut!(environ)) };
 91 |   let mut env = orig_env;
 92 | 
 93 |   let mut c = 0;
 94 |   let mut var_vals: std::vec::Vec<*const c_char> = vec!();
 95 | 
 96 |   if env.is_null() {
 97 |     return ret;
 98 |   }
 99 |   unsafe {
100 |     while !(*env).is_null() {
101 |       var_vals.push(*env);
102 |       c += 1;
103 |       match std::ffi::CStr::from_ptr(*env).to_str() {
104 |         Ok(str) => {
105 |           let v: std::vec::Vec<&str> = str.splitn(2, '=').collect();
106 |           if v.len() == 2 {
107 |             if input.contains(v[0]) {
108 |               ret.insert(v[0].to_string(), v[1].to_string());
109 |               let _ = var_vals.pop();
110 |             }
111 |           }
112 |         },
113 |         Err(_) => {}
114 |       }
115 |       env = env.add(1);
116 |     }
117 | 
118 |     for i in 0..c {
119 |       *orig_env = match var_vals.get(i) {
120 |         Some(val) => val.clone(),
121 |         None => 0 as *const c_char
122 |       };
123 |       orig_env = orig_env.add(1);
124 |     }
125 |   }
126 | 
127 |   ret
128 | }
129 | 
130 | pub fn real_get_and_unset_env(vars: &[&str]) -> std::collections::BTreeMap<String,String> {
131 |   let mut ret = std::collections::BTreeMap::new();
132 | 
133 |   let real_unsetenv = unsafe {
134 |     //RTLD_NEXT
135 |     dlsym(usize::MAX as *mut c_void, b"unsetenv\0".as_ptr() as *const c_char)
136 |   };
137 |   if real_unsetenv as usize == 0 {
138 |     println!("could not find real unsetenv?");
139 |     return ret;
140 |   }
141 | 
142 |   let real_unsetenv = |n: &str| {
143 |     let n = std::ffi::CString::new(n).unwrap();
144 |     unsafe {
145 |       core::intrinsics::transmute::<*mut c_void,
146 |         extern fn(var: *const c_char) -> c_int
147 |       >(real_unsetenv)(n.as_ptr());
148 |     }
149 |   };
150 | 
151 |   for v in vars {
152 |     match std::env::var(v) {
153 |       Ok(val) => {
154 |         ret.insert(v.to_string(), val);
155 |       },
156 |       Err(_) => {}
157 |     }
158 |   }
159 | 
160 |   for (n,_) in &ret {
161 |     real_unsetenv(n.as_str());
162 |   }
163 | 
164 |   ret
165 | }
166 | 
167 | //pub fn get_and_unset_env(vars: &[&str]) -> std::collections::HashMap<String,String> {
168 | pub fn get_and_unset_env(vars: &[&str]) -> std::collections::BTreeMap<String,String> {
169 |   //let mut ret = std::collections::HashMap::new();
170 |   let mut ret = std::collections::BTreeMap::new();
171 | 
172 |   let getenv = |n: &str| {
173 |     let n = std::ffi::CString::new(n).unwrap();
174 |     let v = unsafe { getenv(n.as_ptr()) };
175 |     if v.is_null() {
176 |       return None;
177 |     }
178 |     let v = unsafe { std::ffi::CStr::from_ptr(v) };
179 |     Some(v.to_str().unwrap().to_string())
180 |   };
181 | 
182 |   let unsetenv = |n: &str| {
183 |     let n = std::ffi::CString::new(n).unwrap();
184 |     unsafe { unsetenv(n.as_ptr()) }
185 |   };
186 | 
187 |   for v in vars {
188 |     match getenv(v) {
189 |       Some(val) => {
190 |         ret.insert(v.to_string(), val);
191 |       },
192 |       None => {}
193 |     }
194 |   }
195 | 
196 |   for (n,_) in &ret {
197 |     unsetenv(n.as_str());
198 |   }
199 | 
200 |   ret
201 | }
202 | 
203 | pub fn overrides_getenv() -> bool {
204 |   let real = unsafe {
205 |     //RTLD_NEXT
206 |     dlsym(usize::MAX as *mut c_void, b"getenv\0".as_ptr() as *const c_char) as usize
207 |   };
208 |   if real == 0 {
209 |     false
210 |   } else {
211 |     real != (getenv as *const () as usize)
212 |   }
213 | }
214 | 
215 | pub fn overrides_setenv() -> bool {
216 |   let real = unsafe {
217 |     //RTLD_NEXT
218 |     dlsym(usize::MAX as *mut c_void, b"setenv\0".as_ptr() as *const c_char) as usize
219 |   };
220 |   if real == 0 {
221 |     false
222 |   } else {
223 |     real != (setenv as *const () as usize)
224 |   }
225 | }
226 | 
227 | pub fn overrides_unsetenv() -> bool {
228 |   let real = unsafe {
229 |     //RTLD_NEXT
230 |     dlsym(usize::MAX as *mut c_void, b"unsetenv\0".as_ptr() as *const c_char) as usize
231 |   };
232 |   if real == 0 {
233 |     false
234 |   } else {
235 |     real != (unsetenv as *const () as usize)
236 |   }
237 | }
238 | 
239 | 
240 | #[used]
241 | #[link_section = ".ctors"]
242 | #[no_mangle]
243 | pub static CONSTRUCTOR: extern fn() = on_load;
244 | 
245 | #[no_mangle]
246 | pub extern "C" fn on_load() {
247 |   //note: if we have an LD_PRELOAD that means we were not loaded by some
248 |   //      vanilla dlopen. if the symbol name is defined and not main, then
249 |   //      we set up the frida infra to hook the symbol. we will _try_ to
250 |   //      do the same for main, but it might not be defined. so we have
251 |   //      an LD_PRELOAD hook for __libc_start_main that can catch main
252 |   //      for us. the key thing here is that our __libc_start_main needs
253 |   //      to be able to determine that we were LD_PRELOADed and if main
254 |   //      was already hooked by frida by symbol name.
255 | 
256 |   //note: some shells hook unsetenv, so we try to pull it out of libc.
257 |   //      a cleaner future approach may just be to shift the entries around
258 |   //      to remove ours.
259 |   //
260 |   //      the other problem is that glibc decided to make some foolish
261 |   //      modifications and recent versions block dlopen-ing PIE executables.
262 |   //      we can get around the initial check by patching the ELF headers with
263 |   //      lief, but once loaded, the symbols don't actually become available to
264 |   //      the main process, even through dlsym. as such, we can't just call
265 |   //      do_setns_external as originally planned unless using the .so.
266 |   //      for convenience purposes though, we are not going to do that.
267 |   //
268 |   //      after a lot of testing, most issues w/ get/set/unsetvar causing
269 |   //      crashes (libc.so.6`__mbrtowc + 132) are red herrings, or at least
270 |   //      things are so broken that they don't matter. something about rust's
271 |   //      internals, such as HashMap and HashSet, but apparently other stuff,
272 |   //      will seemingly clobber memory that bash/libc wants to use, resulting
273 |   //      in the same/similar crashes. this may be an artifact of forcing glibc
274 |   //      dlopen to accept PIE executables as shared libraries, given that the
275 |   //      crashes did not occur when using the actual .so as the dlopen target,
276 |   //      but that doesn't really matter. oddly enough, i got as far as
277 |   //      determining that using BTreeMap/BTreeSet instead stopped the crashes
278 |   //      from happening but that further code resulted in the same issues.
279 |   //
280 |   //      so instead, since we can't reliably inject the PIE executable itself,
281 |   //      insject will re-implement the setns.so logic in templated lldb "C",
282 |   //      much like the original setns toy script. honestly, torvalds should
283 |   //      put the glibc devs heads on pikes for constantly breaking userland
284 |   //      and blaming it on everyone else.
285 |   //      (ノಠ □ ಠ)ノ彡┻━┻
286 | 
287 |   //crashes
288 |   //let mut ret = std::collections::HashMap::new();
289 |   //ret.insert("hello".to_string(), "world".to_string());
290 | 
291 |   //does not crash
292 |   //let mut ret = vec!();
293 |   //ret.push(4);
294 |   //ret.push(5);
295 | 
296 |   //does not crash
297 |   //let mut ret = std::collections::BTreeMap::new();
298 |   //ret.insert("hello".to_string(), "world".to_string());
299 | 
300 |   //crashes
301 |   //let mut ret = std::collections::HashSet::new();
302 |   //ret.insert("hello".to_string());
303 |   //ret.insert("world".to_string());
304 | 
305 |   //does not crash
306 |   //let mut ret = std::collections::BTreeSet::new();
307 |   //ret.insert("hello".to_string());
308 |   //ret.insert("world".to_string());
309 | 
310 |   //println!("testing 1,2,3 {:?}", ret);
311 |   //return;
312 | 
313 |   let ld_preloaded = match std::env::var("LD_PRELOAD") {
314 |     Ok(_) => true,
315 |     Err(_) => false
316 |   };
317 | 
318 |   let vars = if !ld_preloaded {
319 |     //println!("overrides: getenv: {}, setenv: {}, unsetenv: {}",
320 |     //         overrides_getenv(), overrides_setenv(), overrides_unsetenv());
321 |     get_and_unset_env(&["LD_PRELOAD", "SETNS_ARGS", "SETNS_JSON"])
322 |   } else {
323 |     // use environ / real getenv/setenv
324 |     //real_get_and_unset_env(&["LD_PRELOAD", "SETNS_ARGS", "SETNS_JSON"])
325 |     get_and_sanitize_env(&["LD_PRELOAD", "SETNS_ARGS", "SETNS_JSON"])
326 |   };
327 |   //println!("vars: {:?}", vars);
328 | 
329 |   //println!("on_load: pid={}", unsafe{getpid()});
330 |   match vars.get("SETNS_JSON") {
331 |     Some(json_str) => {
332 |       match from_json(json_str.as_str()) {
333 |         Some(opts) => {
334 |           unsafe { OPTS = Some(opts) };
335 |         },
336 |         None => {
337 |           println!("from_json -> None");
338 |           std::process::exit(1);
339 |         }
340 |       }
341 |     },
342 |     None => {
343 |       match vars.get("SETNS_ARGS") {
344 |         Some(args_str) => {
345 |           let opts = parse_opts(&args_str);
346 |           unsafe { OPTS = Some(opts) };
347 |         },
348 |         None => { }
349 |       }
350 |     }
351 |   }
352 | 
353 |   if unsafe { OPTS.is_none() } {
354 |     if ld_preloaded {
355 |       println!("SETNS_ARGS env var is required");
356 |       std::process::exit(1);
357 |     } else {
358 |       // dlopen w/o SETNS_JSON/SETNS_ARGS env set
359 |       //println!("dlopen w/o SETNS_JSON/SETNS_ARGS env set");
360 |       return;
361 |     }
362 |   } else if !ld_preloaded {
363 |     // dlopen w/ SETNS_JSON/SETNS_ARGS env set
364 |     //println!("dlopen w/ SETNS_JSON/SETNS_ARGS env set, OPTS: {:?}", unsafe { &OPTS });
365 |     do_setns_external(0 as *const c_char);
366 |     return;
367 |   }
368 | 
369 |   let opts = unsafe { OPTS.as_ref().unwrap() };
370 |   setup_frida_gum();
371 | 
372 |   match &opts.raw_address {
373 |     Some(addr) => {
374 |       do_hook(*addr)
375 |     },
376 |     None => {
377 |       match &opts.sym_name {
378 |         Some(name) => {
379 |           if !try_hook_by_sym_name(name) && name != "main" {
380 |             println!("could not find symbol: {}", name);
381 |             std::process::exit(1);
382 |           }
383 |         },
384 |         None => {
385 |           // this is fine
386 |           if has_sym(&"main".to_string()).is_none() {
387 |             // early enough golang binary hook
388 |             try_hook_by_sym_name(&"runtime.schedule".to_string());
389 |           }
390 |         }
391 |       }
392 |     }
393 |   }
394 | }
395 | 
396 | #[no_mangle]
397 | pub extern "C" fn __libc_start_main(main: *const c_void, argc: c_int, argv: *mut *mut c_char,
398 |                                     init: *const c_void, fini: *const c_void,
399 |                                     rtld_fini: *const c_void, stack_end: *mut c_void) -> c_int {
400 |   match unsafe { &mut OPTS } {
401 |     Some(opts) => {
402 |       match opts.raw_address {
403 |         Some(_) => {},
404 |         None => {
405 |           opts.raw_address = Some(main as usize);
406 |           do_hook(main as usize);
407 |         }
408 |       }
409 |     },
410 |     None => {
411 |       //note: this will be the case when we're executing as the actual binary
412 |     }
413 |   }
414 | 
415 |   let real_libc_start_main = unsafe {
416 |     //RTLD_NEXT
417 |     dlsym(usize::MAX as *mut c_void, b"__libc_start_main\0".as_ptr() as *const c_char)
418 |   };
419 |   if real_libc_start_main as usize == 0 {
420 |     println!("could not find real __libc_start_main???");
421 |     std::process::exit(1);
422 |   }
423 |   unsafe {
424 |     core::intrinsics::transmute::<*mut c_void,
425 |       extern fn(main: *const c_void, argc: c_int, argv: *mut *mut c_char,
426 |                 init: *const c_void, fini: *const c_void,
427 |                 rtld_fini: *const c_void, stack_end: *mut c_void) -> c_int
428 |     >(real_libc_start_main)(main, argc, argv, init, fini, rtld_fini, stack_end)
429 |   }
430 | }
431 | 
432 | fn do_hook(addr: usize) {
433 |   let raw_listener = hook_by_addr(unsafe { &mut HOOK_SINGLETON }, addr);
434 |   unsafe {
435 |     HOOK_SINGLETON.raw_listener = raw_listener;
436 |   }
437 | }
438 | 
439 | struct SetnsHook {
440 |   raw_listener: *mut gumshoe::gum::ffi::ArchetypalListener
441 | }
442 | 
443 | impl ArchetypalListener for SetnsHook {
444 |   fn on_enter(&mut self, _ic: gum::GumInvocationContext) {
445 |     gumshoe::detach_hook(self.raw_listener);
446 |     match unsafe { &OPTS } {
447 |       Some(_) => {
448 |         do_setns_external(0 as *const c_char);
449 |       },
450 |       None => { unreachable!(); }
451 |     }
452 |   }
453 | 
454 |   fn on_leave(&mut self, _ic: gum::GumInvocationContext) {
455 |     gumshoe::detach_hook(self.raw_listener);
456 |   }
457 | }
458 | 
459 | fn open_for_fd(path: &String, flag: c_int) -> c_int {
460 |   let path = std::ffi::CString::new(path.clone()).unwrap();
461 |   unsafe { open(path.as_ptr(), flag) }
462 | }
463 | 
464 | fn ns_fd(nstype: &str, path: &Option<String>, no: bool, pid: &Option<usize>) -> Option<c_int> {
465 |   if no {
466 |     return None;
467 |   }
468 |   match path {
469 |     Some(path) => Some(open_for_fd(&path, 0)),
470 |     None => if !no {
471 |       match pid {
472 |         Some(pid) => {
473 |           Some(open_for_fd(&format!("/proc/{}/ns/{}", pid, nstype), 0))
474 |         },
475 |         None => panic!("Attempted to load {} ns from pid", nstype)
476 |       }
477 |     } else { None }
478 |   }
479 | }
480 | 
481 | fn setns_wrapper(ns_fd: Option<c_int>, nstype: c_int) -> String {
482 |   let ret = match ns_fd {
483 |     Some(ns_fd) if ns_fd >= 0 => {
484 |       let r = unsafe { setns(ns_fd, nstype) };
485 |       if r < 0 {
486 |         format!("err:{}", unsafe { *__errno_location() } )
487 |       } else {
488 |         format!("{}", r)
489 |       }
490 |     },
491 |     Some(ns_fd) if ns_fd < 0 => format!("fd:{}", ns_fd),
492 |     _  => "N/A".to_owned()
493 |   };
494 |   let _ = close_wrapper(ns_fd);
495 |   ret
496 | }
497 | 
498 | fn close_wrapper(ns_fd: Option<c_int>) -> c_int {
499 |   match ns_fd {
500 |     Some(ns_fd) if ns_fd >= 0 => unsafe { close(ns_fd) },
501 |     _  => { -1 }
502 |   }
503 | }
504 | 
505 | 
506 | #[no_mangle]
507 | pub extern "C" fn do_setns_external(args: *const c_char) {
508 |   let opts: Opts = if args.is_null() {
509 |     match unsafe { &OPTS } {
510 |       Some(opts) => (*opts).clone(),
511 |       None => panic!("args is null, but OPTS is None"),
512 |     }
513 |   } else {
514 |     let args = unsafe { std::ffi::CStr::from_ptr(args) };
515 |     let args = match args.to_str() {
516 |       Ok(args) => args.to_owned(),
517 |       Err(err) => {
518 |         println!("failed to decode args: {}", err);
519 |         std::process::exit(1);
520 |       }
521 |     };
522 |     if args.starts_with("{") {
523 |       from_json(&args).unwrap()
524 |     } else {
525 |       parse_opts(&args)
526 |     }
527 |   };
528 | 
529 |   {
530 |     let threads = match std::fs::read_dir("/proc/self/task") {
531 |       Ok(dir) => {
532 |         Some(dir.count())
533 |       },
534 |       Err(_) => None
535 |     };
536 | 
537 |     if threads.unwrap_or(1) > 1 {
538 |       if opts.strict {
539 |         println!("[insject] strict mode: multiple threads detected -> exiting");
540 |         unsafe { exit(1) };
541 |       } else {
542 |         println!("[insject] wanrning: multiple threads detected");
543 |       }
544 |     }
545 |   }
546 | 
547 |   let mnt_ns_fd = ns_fd("mnt", &opts.mnt, opts.no_mnt, &opts.target_pid);
548 |   let net_ns_fd = ns_fd("net", &opts.net, opts.no_net, &opts.target_pid);
549 |   let time_ns_fd = ns_fd("time", &opts.time, opts.no_time, &opts.target_pid);
550 |   let ipc_ns_fd = ns_fd("ipc", &opts.ipc, opts.no_ipc, &opts.target_pid);
551 |   let uts_ns_fd = ns_fd("uts", &opts.uts, opts.no_uts, &opts.target_pid);
552 |   let pid_ns_fd = ns_fd("pid", &opts.pid, opts.no_pid, &opts.target_pid);
553 |   let cgroup_ns_fd = ns_fd("cgroup", &opts.cgroup, opts.no_cgroup, &opts.target_pid);
554 | 
555 |   let mut same_userns = false;
556 |   {
557 |     let user_ns_path = match &opts.userns {
558 |       Some(path) => {
559 |         Some(path.clone())
560 |       },
561 |       None => {
562 |         match &opts.target_pid {
563 |           Some(pid) => {
564 |             Some(format!("/proc/{}/ns/user", pid))
565 |           },
566 |           None => None
567 |         }
568 |       }
569 |     };
570 |     match user_ns_path {
571 |       Some(path) => {
572 |         match std::fs::read_link(path) {
573 |           Ok(userns_real) => {
574 |             match std::fs::read_link("/proc/self/ns/user") {
575 |               Ok(self_userns_real) => {
576 |                 if userns_real == self_userns_real {
577 |                   same_userns = true;
578 |                 }
579 |               },
580 |               Err(_) => {}
581 |             };
582 |           },
583 |           Err(_) => {}
584 |         };
585 |       },
586 |       None => {}
587 |     };
588 |   }
589 |   let user_ns_fd = ns_fd("user", &opts.userns, same_userns || opts.no_userns, &opts.target_pid);
590 | 
591 | 
592 |   let apparmor_profile: String = match &opts.apparmor_profile {
593 |     Some(apparmor_profile) => (*apparmor_profile).clone(),
594 |     None => if opts.no_apparmor {
595 |       "unconfined".to_owned()
596 |     } else {
597 |       match &opts.target_pid {
598 |         Some(pid) => {
599 |           let profile = match std::fs::read_to_string(format!("/proc/{}/attr/current", pid)) {
600 |             Ok(profile) => profile,
601 |             Err(_) => "unconfined".to_string()
602 |           };
603 |           match profile.strip_suffix(" (enforce)\n") {
604 |             Some(profile) => profile.to_owned(),
605 |             None => profile
606 |           }
607 |         },
608 |         None => "unconfined".to_owned()
609 |       }
610 |     }
611 |   };
612 |   //println!("apparmor_profile: {}", apparmor_profile);
613 | 
614 |   let attr_current_fd = if apparmor_profile == "unconfined" {
615 |     None
616 |   } else {
617 |     Some(open_for_fd(&"/proc/self/attr/current".to_owned(), O_WRONLY))
618 |   };
619 | 
620 |   let mut user_ns_r = "N/A".to_owned();
621 |   if opts.userns_first {
622 |     user_ns_r = setns_wrapper(user_ns_fd, CLONE_NEWUSER);
623 |   }
624 | 
625 |   let net_ns_r = setns_wrapper(net_ns_fd, CLONE_NEWNET);
626 | 
627 |   //note: "CLONE_NEWTIME" is not really defined and the kernel defines it as 0,
628 |   //      which is a problem as 0 is the magic "accept any" setns flag value
629 |   let time_ns_r = setns_wrapper(time_ns_fd, 0);
630 | 
631 |   let ipc_ns_r = setns_wrapper(ipc_ns_fd, CLONE_NEWIPC);
632 |   let uts_ns_r = setns_wrapper(uts_ns_fd, CLONE_NEWUTS);
633 |   let cgroup_ns_r = setns_wrapper(cgroup_ns_fd, CLONE_NEWCGROUP);
634 | 
635 |   //note: at this moment in time in the thread doing setns for itself, we are
636 |   //      not doing anything else. therefore the biggest target is the PID
637 |   //      namespace, which only becomes an attack surface once we fork and have
638 |   //      the child be exposed to PID-related operations in the container.
639 |   let mnt_ns_r = setns_wrapper(mnt_ns_fd, CLONE_NEWNS);
640 | 
641 |   let pid_ns_r = setns_wrapper(pid_ns_fd, CLONE_NEWPID);
642 | 
643 |   if !opts.userns_first {
644 |     user_ns_r = setns_wrapper(user_ns_fd, CLONE_NEWUSER);
645 |   }
646 | 
647 |   let user_parts: std::vec::Vec<&str> = opts.user.split(':').collect();
648 |   let (uid, gid, groups) = match &*user_parts {
649 |     &[uid, gid, groups] => { (uid, gid, groups) },
650 |     &[uid, gid] => { (uid, gid, "0") },
651 |     &[uid] => { (uid, "0", "0") },
652 |     _ => unreachable!()
653 |   };
654 | 
655 |   let uid: u32 = uid.parse().unwrap();
656 |   let gid: u32 = gid.parse().unwrap();
657 |   let mut groups: std::vec::Vec<u32> = groups.split(',').into_iter().map(|g| g.parse::<u32>().unwrap()).collect();
658 |   groups.shrink_to_fit();
659 |   let groups_ptr = groups.as_ptr();
660 |   let groups_len = groups.len();
661 |   let user_r = unsafe {
662 |     let groups_r = setgroups(groups_len, groups_ptr);
663 |     let gid_r = setgid(gid);
664 |     let uid_r = setuid(uid);
665 |     format!("{}/{}/{}", uid_r, gid_r, groups_r)
666 |   };
667 | 
668 |   let aa_r = match attr_current_fd {
669 |     None => "N/A".to_owned(),
670 |     Some(fd) => {
671 |       let s = format!("changeprofile {}", apparmor_profile);
672 |       let data = std::ffi::CString::new(s.as_str()).unwrap();
673 |       let _ = unsafe {
674 |         write(fd, data.as_ptr() as *const c_void, s.len())
675 |       };
676 |       let _ = unsafe { close(fd) };
677 |       format!("{}", apparmor_profile)
678 |     }
679 |   };
680 | 
681 |   if !opts.no_fork && pid_ns_r == "0" {
682 |     let p = unsafe { fork() };
683 |     if p != 0 {
684 |       let mut status = 0;
685 |       let _ = unsafe { wait(&mut status as *mut i32) };
686 |       unsafe { exit(0) };
687 |     }
688 |   }
689 | 
690 |   if !opts.userns_first {
691 |     println!("[insject] -> mnt: {}, net: {}, time: {}, ipc: {}, uts: {}, pid: {}, cgroup: {}, userns: {}, apparmor: {}, user: {}",
692 |              mnt_ns_r, net_ns_r, time_ns_r, ipc_ns_r, uts_ns_r, pid_ns_r, cgroup_ns_r, user_ns_r, aa_r, user_r);
693 |   } else {
694 |     println!("[insject] -> userns: {}, mnt: {}, net: {}, time: {}, ipc: {}, uts: {}, pid: {}, cgroup: {}, apparmor: {}, user: {}",
695 |              user_ns_r, mnt_ns_r, net_ns_r, time_ns_r, ipc_ns_r, uts_ns_r, pid_ns_r, cgroup_ns_r, aa_r, user_r);
696 |   }
697 | 
698 |   if opts.strict {
699 |     if  (mnt_ns_r != "0" && mnt_ns_r != "N/A") ||
700 |         (net_ns_r != "0" && net_ns_r != "N/A") ||
701 |         (time_ns_r != "0" && time_ns_r != "N/A") ||
702 |         (ipc_ns_r != "0" && ipc_ns_r != "N/A") ||
703 |         (uts_ns_r != "0" && uts_ns_r != "N/A") ||
704 |         (pid_ns_r != "0" && pid_ns_r != "N/A") ||
705 |         (cgroup_ns_r != "0" && cgroup_ns_r != "N/A") ||
706 |         (user_ns_r != "0" && user_ns_r != "N/A") ||
707 |         user_r.find("-1").is_some() {
708 |       println!("[insject] strict mode: some operations failed -> exiting");
709 |       unsafe { exit(1) };
710 |     }
711 |   }
712 | 
713 |   unsafe {
714 |     (*__errno_location()) = 0;
715 |   }
716 | }
717 | 


--------------------------------------------------------------------------------
/setns-so/src/main.rs:
--------------------------------------------------------------------------------
  1 | /*
  2 | Copyright (c) NCC Group, 2021
  3 | All rights reserved.
  4 | 
  5 | Redistribution and use in source and binary forms, with or without
  6 | modification, are permitted provided that the following conditions are met:
  7 | 
  8 | 1. Redistributions of source code must retain the above copyright notice, this
  9 |    list of conditions and the following disclaimer.
 10 | 2. Redistributions in binary form must reproduce the above copyright notice,
 11 |    this list of conditions and the following disclaimer in the documentation
 12 |    and/or other materials provided with the distribution.
 13 | 
 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 15 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
 18 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 21 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 24 |  */
 25 | 
 26 | extern crate gumshoe;
 27 | extern crate libc;
 28 | extern crate setns_common;
 29 | 
 30 | mod lib;
 31 | pub use lib::*;
 32 | // use std::io::Write;
 33 | 
 34 | extern crate clap;
 35 | use clap::{Clap,AppSettings,ArgSettings};
 36 | 
 37 | use std::vec::Vec;
 38 | 
 39 | use libc::*;
 40 | 
 41 | #[derive(Clap,Clone,Debug)]
 42 | #[clap(name = "insject", version = "1.0",
 43 |        author = "Jeff Dileo <jeff.dileo@nccgroup.com>",
 44 |        about = "A tool to simplify container testing that runs an arbitrary\n\
 45 |                 command in the Linux namespaces of other processes.
 46 | 
 47 | WARNING: Be careful when accessing or executing files in containers as they may
 48 |          be able to abuse the access of the joined process to escape.
 49 | 
 50 | Note: The -! instrumentation mode has several differences from the LD_PRELOAD modes:
 51 |         * Forking is not supported
 52 |         * -S,--strict is not supported
 53 |         * errno values are not returned
 54 | ",
 55 |        setting(AppSettings::ColoredHelp),
 56 |        setting(AppSettings::AllowLeadingHyphen),
 57 |        setting(AppSettings::TrailingVarArg),
 58 | )]
 59 | pub struct InsjectOpts {
 60 |   #[clap(long = "help-setns", about = "Prints help information for setns.so")]
 61 |   setns_help: bool,
 62 | 
 63 |   #[clap(short = '!', name = "pid", about = "PID to instrument", conflicts_with = "cmd")]
 64 |   instrument_pid: Option<usize>,
 65 | 
 66 |   #[clap(
 67 |     about = "setns.so options. For detailed information, use --help-setns",
 68 |     setting(ArgSettings::AllowHyphenValues),
 69 |   )]
 70 |   setns_opts: Vec<String>,
 71 | 
 72 |   #[clap(multiple = true, last = true, required = false)]
 73 |   cmd: Vec<String>,
 74 | }
 75 | 
 76 | pub fn print_help(ret: i32) {
 77 |   match <InsjectOpts as clap::IntoApp>::into_app().print_help() {
 78 |     Ok(_) => {
 79 |       std::process::exit(ret);
 80 |     },
 81 |     Err(err) => {
 82 |       println!("{}", err);
 83 |       std::process::exit(1);
 84 |     }
 85 |   }
 86 | }
 87 | 
 88 | fn main() {
 89 |   let opts = InsjectOpts::parse();
 90 |   //let opts = Opts::parse();
 91 | 
 92 |   if opts.setns_help {
 93 |     setns_common::print_help(0);
 94 |   }
 95 | 
 96 |   if opts.setns_opts.len() == 0 {
 97 |     println!("Error: <setns-opts>... were not provided");
 98 |     print_help(1);
 99 |   }
100 | 
101 |   //println!("opts: {:?}", opts);
102 |   let setns_opts = setns_common::parse_opts_parts(&opts.setns_opts);
103 |   //println!("setns_opts: {:?}", setns_opts);
104 | 
105 |   if opts.cmd.len() > 0 {
106 |     run_cmd(&opts, &setns_opts);
107 |   } else {
108 |     attach_inject(&opts, &setns_opts);
109 |   }
110 | 
111 |   return;
112 | 
113 | /*
114 |   let pid = unsafe { fork() };
115 | 
116 |   if pid == 0 {
117 |     println!("child: about to PTRACE_TRACEME");
118 |     //let _ = unsafe { ptrace(PTRACE_TRACEME, 0, 0 as *const c_char, 0 as *const c_char) };
119 |     println!("child: about to SIGSTOP");
120 |     let _ = unsafe { raise(SIGSTOP) };
121 |     println!("child: continued");
122 | 
123 |     extern "C" {
124 |       static mut environ: *const *const c_char;
125 |     }
126 | 
127 |     let cmd = std::ffi::CString::new(opts.cmd[0].clone()).unwrap();
128 |     let cmd = cmd.as_ptr();
129 | 
130 |     let argv: Vec<std::ffi::CString> = opts.cmd.into_iter().map(|s| std::ffi::CString::new(s).unwrap()).collect();
131 |     let mut argv_p: Vec<*const c_char> = vec!();
132 | 
133 |     for a in argv.iter() {
134 |       argv_p.push(a.as_ptr());
135 |     }
136 |     argv_p.push(0 as *const c_char);
137 | 
138 |     let r = unsafe {
139 |       execve(cmd, argv_p.as_ptr(), environ)
140 |     };
141 | 
142 |     println!("execve: {}", r);
143 |     std::process::exit(42);
144 |   } else {
145 |     println!("parent: child pid: {}", pid);
146 |     let mut status: c_int = 0;
147 |     let status_r = &mut status as *mut c_int;
148 | 
149 |     unsafe {
150 |       waitpid(pid, status_r, WUNTRACED);
151 |     }
152 | 
153 |     //let _ = unsafe { getchar() };
154 |     println!("parent: waitpid->status: {}", status);
155 | 
156 |     let _ = unsafe { getchar() };
157 | 
158 |     //let ret = unsafe { ptrace (PTRACE_CONT, pid, 0 as *const c_char, 0 as *const c_char) };
159 |     //println!("parent: ret: {}", ret);
160 | 
161 |     let output = std::process::Command::new("lldb")
162 |                                        .arg("-x")
163 |                                        .arg("-p")
164 |                                        .arg(format!("{}", pid))
165 |                                        .arg("-b")
166 |                                        .arg("-o")
167 |                                        .arg("continue")
168 |                                        .output();
169 |     println!("output: {:?}", output);
170 | 
171 |     //let ret = unsafe { ptrace (PTRACE_DETACH, pid, 0 as *const c_char, 0 as *const c_char) };
172 |     //println!("parent: ret: {}", ret);
173 | 
174 |     let _ = unsafe { kill(pid, SIGCONT) };
175 | 
176 |     let _ = unsafe { wait(status_r) };
177 | 
178 |     let exit_code = unsafe { WEXITSTATUS(status) };
179 |     println!("exit_code: {}", exit_code);
180 | 
181 |     std::process::exit(exit_code);
182 | 
183 |     return;
184 | 
185 | 
186 |     let ret = unsafe { ptrace (PTRACE_CONT, pid, 0 as *const c_char, 0 as *const c_char) };
187 |     println!("parent: ret: {}", ret);
188 | 
189 |     let _ = unsafe { getchar() };
190 | 
191 |     let res = unsafe {
192 |       waitpid(pid, status_r, 0);
193 |     };
194 |     println!("parent: waitpid->status: {}", status);
195 | 
196 |     let _ = unsafe { getchar() };
197 |   }
198 | */
199 | }
200 | 
201 | fn run_cmd(opts: &InsjectOpts, setns_opts: &setns_common::Opts) {
202 |   let cmd = &opts.cmd;
203 | 
204 |   let json_str = setns_common::to_json(setns_opts).unwrap();
205 | 
206 |   let self_path = std::fs::read_link("/proc/self/exe").unwrap();
207 |   std::env::set_var("LD_PRELOAD", self_path.as_os_str());
208 | 
209 |   std::env::set_var("SETNS_JSON", json_str);
210 | 
211 |   let file = std::ffi::CString::new(cmd[0].clone()).unwrap();
212 |   let argv_cs: std::vec::Vec<std::ffi::CString> = cmd.into_iter().map(|s|
213 |     std::ffi::CString::new(s.clone()).unwrap()
214 |   ).collect();
215 | 
216 |   let mut argv: std::vec::Vec<*const c_char> = argv_cs.iter().map(|cs| cs.as_ptr()).collect();
217 |   argv.push(0 as *const c_char);
218 | 
219 |   unsafe {
220 |     execvp(file.as_ptr(), argv.as_ptr());
221 | 
222 |     let s = std::ffi::CString::new("execvp").unwrap();
223 |     perror(s.as_ptr());
224 |   }
225 |   std::process::exit(42);
226 | }
227 | 
228 | fn attach_inject(insject_opts: &InsjectOpts, opts: &setns_common::Opts) {
229 | 
230 |   // if opts.fork {
231 |   //   println!("Error: -f,--fork not supported with -! <pid>");
232 |   //   print_help(1);
233 |   // }
234 | 
235 |   if opts.strict {
236 |     println!("Error: -S,--strict not supported with -! <pid>");
237 |     print_help(1);
238 |   }
239 | 
240 |   let mnt = match &opts.mnt {
241 |     Some(path) => path.clone(),
242 |     None => format!("/proc/{}/ns/mnt", if opts.no_mnt { -1 } else {
243 |       match opts.target_pid {
244 |         Some(pid) => pid as i32,
245 |         None => -1
246 |       }
247 |     })
248 |   };
249 |   let net = match &opts.net {
250 |     Some(path) => path.clone(),
251 |     None => format!("/proc/{}/ns/net", if opts.no_net { -1 } else {
252 |       match opts.target_pid {
253 |         Some(pid) => pid as i32,
254 |         None => -1
255 |       }
256 |     })
257 |   };
258 |   let time = match &opts.time {
259 |     Some(path) => path.clone(),
260 |     None => format!("/proc/{}/ns/time", if opts.no_time { -1 } else {
261 |       match opts.target_pid {
262 |         Some(pid) => pid as i32,
263 |         None => -1
264 |       }
265 |     })
266 |   };
267 |   let ipc = match &opts.ipc {
268 |     Some(path) => path.clone(),
269 |     None => format!("/proc/{}/ns/ipc", if opts.no_ipc { -1 } else {
270 |       match opts.target_pid {
271 |         Some(pid) => pid as i32,
272 |         None => -1
273 |       }
274 |     })
275 |   };
276 |   let uts = match &opts.uts {
277 |     Some(path) => path.clone(),
278 |     None => format!("/proc/{}/ns/uts", if opts.no_uts { -1 } else {
279 |       match opts.target_pid {
280 |         Some(pid) => pid as i32,
281 |         None => -1
282 |       }
283 |     })
284 |   };
285 |   let pid = match &opts.pid {
286 |     Some(path) => path.clone(),
287 |     None => format!("/proc/{}/ns/pid", if opts.no_pid { -1 } else {
288 |       match opts.target_pid {
289 |         Some(pid) => pid as i32,
290 |         None => -1
291 |       }
292 |     })
293 |   };
294 |   let cgroup = match &opts.cgroup {
295 |     Some(path) => path.clone(),
296 |     None => format!("/proc/{}/ns/cgroup", if opts.no_cgroup { -1 } else {
297 |       match opts.target_pid {
298 |         Some(pid) => pid as i32,
299 |         None => -1
300 |       }
301 |     })
302 |   };
303 |   let user = match &opts.userns {
304 |     Some(path) => path.clone(),
305 |     None => format!("/proc/{}/ns/user", if opts.no_userns { -1 } else {
306 |       match opts.target_pid {
307 |         Some(pid) => pid as i32,
308 |         None => -1
309 |       }
310 |     })
311 |   };
312 | 
313 |   let user_parts: std::vec::Vec<&str> = opts.user.split(':').collect();
314 |   let (uid, gid, groups) = match &*user_parts {
315 |     &[uid, gid, groups] => { (uid, gid, groups) },
316 |     &[uid, gid] => { (uid, gid, "0") },
317 |     &[uid] => { (uid, "0", "0") },
318 |     _ => unreachable!()
319 |   };
320 |   let groups_len = {
321 |     let pieces: std::vec::Vec<&str> = groups.split(',').into_iter().collect();
322 |     pieces.len()
323 |   };
324 |   let apparmor_profile: String = match &opts.apparmor_profile {
325 |     Some(apparmor_profile) => (*apparmor_profile).clone(),
326 |     None => if opts.no_apparmor {
327 |       "unconfined".to_owned()
328 |     } else {
329 |       match &opts.target_pid {
330 |         Some(pid) => {
331 |           let profile = match std::fs::read_to_string(format!("/proc/{}/attr/current", pid)) {
332 |             Ok(profile) => profile,
333 |             Err(_) => "unconfined".to_string()
334 |           };
335 |           match profile.strip_suffix(" (enforce)\n") {
336 |             Some(profile) => profile.to_owned(),
337 |             None => profile
338 |           }
339 |         },
340 |         None => "unconfined".to_owned()
341 |       }
342 |     }
343 |   };
344 |   let changeprofile = format!("changeprofile {}", apparmor_profile);
345 |   let changeprofile_len = if apparmor_profile == "unconfined".to_owned() {
346 |     0
347 |   } else {
348 |     changeprofile.len()
349 |   };
350 | 
351 |   let code = format!("\
352 | int mnt = (int)open(\"{mnt}\",0);\
353 | int net = (int)open(\"{net}\",0);\
354 | int time = (int)open(\"{time}\",0);\
355 | int ipc = (int)open(\"{ipc}\",0);\
356 | int uts = (int)open(\"{uts}\",0);\
357 | int pid = (int)open(\"{pid}\",0);\
358 | int cgroup = (int)open(\"{cgroup}\",0);\
359 | int user = (int)open(\"{user}\",0);\
360 | \
361 | int attr_current = -1;\
362 | if ({changeprofile_len} > 0) attr_current = (int)open(\"/proc/self/attr/current\", 1);\
363 | \
364 | const char* mnt_r = \"N/A\";\
365 | const char* net_r = \"N/A\";\
366 | const char* time_r = \"N/A\";\
367 | const char* ipc_r = \"N/A\";\
368 | const char* uts_r = \"N/A\";\
369 | const char* pid_r = \"N/A\";\
370 | const char* cgroup_r = \"N/A\";\
371 | const char* userns_r = \"N/A\";\
372 | \
373 | const char* aa_r = \"N/A\";\
374 | \
375 | if ({user_first} == 1) {{ if (user != -1) userns_r = ((int)setns(user, 0) == 0) ? \"0\" : \"-1\"; }}\
376 | \
377 | if (mnt != -1) mnt_r = ((int)setns(mnt, 0) == 0) ? \"0\" : \"-1\";\
378 | if (net != -1) net_r = ((int)setns(net, 0) == 0) ? \"0\" : \"-1\";\
379 | if (time != -1) time_r = ((int)setns(time, 0) == 0) ? \"0\" : \"-1\";\
380 | if (ipc != -1) ipc_r = ((int)setns(ipc, 0) == 0) ? \"0\" : \"-1\";\
381 | if (uts != -1) uts_r = ((int)setns(uts, 0) == 0) ? \"0\" : \"-1\";\
382 | if (pid != -1) pid_r = ((int)setns(pid, 0) == 0) ? \"0\" : \"-1\";\
383 | if (cgroup != -1) cgroup_r = ((int)setns(cgroup, 0) == 0) ? \"0\" : \"-1\";\
384 | \
385 | if ({user_first} != 1) {{ if (user != -1) userns_r = ((int)setns(user, 0) == 0) ? \"0\" : \"-1\"; }}\
386 | \
387 | const unsigned int groups[{groups_len}] = {{ {groups} }};\
388 | const char* groups_r = ((int)setgroups({groups_len}, groups) == 0) ? \"0\" : \"-1\";\
389 | if (groups_r[0] == '-') (void)perror(\"setgroups\");\
390 | const char* gid_r = ((int)setgid({gid}) == 0) ? \"0\" : \"-1\";\
391 | const char* uid_r = ((int)setuid({uid}) == 0) ? \"0\" : \"-1\";\
392 | \
393 | const char* changeprofile = \"{changeprofile}\";\
394 | if (attr_current != -1) aa_r = ((int)write(attr_current, changeprofile, {changeprofile_len}) != -1) ? \"{apparmor_profile}\" : \"-1\";\
395 | if (attr_current != -1) (int)close(attr_current);\
396 | if (mnt != -1) (int)close(mnt);\
397 | if (net != -1) (int)close(net);\
398 | if (time != -1) (int)close(time);\
399 | if (ipc != -1) (int)close(ipc);\
400 | if (uts != -1) (int)close(uts);\
401 | if (pid != -1) (int)close(pid);\
402 | if (cgroup != -1) (int)close(cgroup);\
403 | if (user != -1) (int)close(user);\
404 | \
405 | (int)printf(\"setns -> mnt: %s, net: %s, time: %s, ipc: %s, uts: %s, pid: %s, cgroup: %s, userns: %s, apparmor: %s, user: %s/%s/%s\\n\", \
406 |   mnt_r, net_r, time_r, ipc_r, uts_r, pid_r, cgroup_r, userns_r, aa_r, uid_r, gid_r, groups_r);\
407 | (*(int*)__errno_location()) = 0;\
408 | ",
409 |   mnt=mnt, net=net, time=time, ipc=ipc, uts=uts, pid=pid, cgroup=cgroup, user=user,
410 |   user_first=opts.userns_first as u32, apparmor_profile=apparmor_profile, changeprofile=changeprofile, changeprofile_len=changeprofile_len,
411 |   uid=uid, gid=gid, groups=groups, groups_len=groups_len);
412 | 
413 |   //println!("{}", code);
414 |   let output = std::process::Command::new("lldb")
415 |                                      .arg("-x")
416 |                                      .arg("-p")
417 |                                      .arg(format!("{}", insject_opts.instrument_pid.unwrap()))
418 |                                      .arg("-b")
419 |                                      .arg("-o")
420 |                                      .arg(format!("call {}", code))
421 |                                      .output();
422 |   // println!("output: {:?}", output);
423 | 
424 |   // if opts.fork {
425 |   //   let code = "pro hand -n false -p false -s false SIGSTOP\ncall int p = (int)fork(); if (p != 0) {(int)printf(\"(parent)pid: %d, child pid: %d\", (int)getpid(), p); (int)puts(\"\");while (1) {(int)sleep(1);int cs;int r = (int)waitpid();if ( r == -1 ) {(int)puts(\"wat\");(void)exit(1);} else {(int)puts(\"wat2\");(void)exit(0);}}} else {(int)printf(\"(child)pid: %d\", (int)getpid());(int)puts(\"\");(int)system(\"touch /tmp/wat\");}\n";
426 |   //   let mut child = std::process::Command::new("lldb")
427 |   //       .arg("-x")
428 |   //       .arg("-p")
429 |   //       .arg(format!("{}", insject_opts.instrument_pid.unwrap()))
430 |   //       // .arg("-b")
431 |   //       //.arg("-o")
432 |   //       //.arg(format!("{}", code))
433 |   //       .stdin(std::process::Stdio::piped())
434 |   //       .stdout(std::process::Stdio::piped())
435 |   //       .spawn()
436 |   //       .expect("Failed to spawn child process");;
437 |   //   let mut stdin = child.stdin.take().expect("Failed to open stdin");
438 |   //   std::thread::spawn(move || {
439 |   //     stdin.write_all(format!("{}", code).as_bytes()).expect("Failed to write to stdin");
440 |   //   });
441 |   //   let output = child.wait_with_output().expect("Failed to read stdout");
442 |   //   println!("output2: {:?}", String::from_utf8_lossy(&output.stdout));
443 |   // }
444 |   let _ = output;
445 | }
446 | 


--------------------------------------------------------------------------------