Skip to content

Syscall rewriter: interface changes, no_std support, and hardening #738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wdcui wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Syscall rewriter: interface changes, no_std support, and hardening #738

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3719609
Syscall rewriter: interface changes, no_std support, and bug fixes
wdcui Apr 2, 2026
bcb8f98
Syscall rewriter: harden ELF rewrite edge cases
wdcui Apr 4, 2026
eeca867
Fix syscall rewriter formatting
wdcui Apr 4, 2026
5081c53
address review comments
wdcui Apr 7, 2026
98ea175
fixed a bug introduced in the last commit
wdcui Apr 7, 2026
9fc38e2
Remove fork-to-vfork patching from syscall rewriter
wdcui Apr 8, 2026
0446a21
Refactor syscall rewriter API: return skipped addrs, improve error va…
wdcui Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 16 additions & 2 deletions litebox_packager/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -570,7 +570,15 @@ fn rewrite_elf(data: &[u8], path: &Path, verbose: bool) -> anyhow::Result<Vec<u8
}

match litebox_syscall_rewriter::hook_syscalls_in_elf(data, None) {
Ok(rewritten) => {
Ok((rewritten, skipped_addrs)) => {
if !skipped_addrs.is_empty() {
eprintln!(
" warning: {} has {} unpatchable syscall instruction(s) at {:?}",
path.display(),
skipped_addrs.len(),
skipped_addrs,
);
}
if verbose {
eprintln!(" {} (rewritten)", path.display());
}
Expand All @@ -592,7 +600,7 @@ fn rewrite_elf(data: &[u8], path: &Path, verbose: bool) -> anyhow::Result<Vec<u8
}
Ok(data.to_vec())
}
Err(litebox_syscall_rewriter::Error::UnsupportedObjectFile) => {
Err(litebox_syscall_rewriter::Error::UnsupportedObjectFile(_)) => {
if verbose {
eprintln!(
" warning: {} is not a supported ELF, including as-is",
Expand All @@ -610,6 +618,12 @@ fn rewrite_elf(data: &[u8], path: &Path, verbose: bool) -> anyhow::Result<Vec<u8
}
Ok(data.to_vec())
}
Err(litebox_syscall_rewriter::Error::UnsupportedExecutable(_)) => {
anyhow::bail!(
"{} is a Bun-packaged executable and cannot be safely packaged without syscall rewriting",
path.display()
)
}
Err(e) => Err(e).with_context(|| format!("failed to rewrite {}", path.display())),
}
}
Expand Down
16 changes: 12 additions & 4 deletions litebox_runner_linux_userland/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.

use anyhow::{Result, anyhow};
use anyhow::{Context as _, Result, anyhow};
use clap::Parser;
use litebox::fs::{FileSystem as _, Mode};
use litebox_platform_multiplex::Platform;
Expand Down Expand Up @@ -188,9 +188,17 @@ pub fn run(cli_args: CliArgs) -> Result<()> {
.collect();
let file = mmapped_file(&prog)?;
let data = if cli_args.rewrite_syscalls {
litebox_syscall_rewriter::hook_syscalls_in_elf(file.data, None)
.unwrap()
.into()
let (rewritten, skipped_addrs) =
litebox_syscall_rewriter::hook_syscalls_in_elf(file.data, None)
.with_context(|| format!("failed to rewrite {}", prog.display()))?;
if !skipped_addrs.is_empty() {
eprintln!(
"warning: program has {} unpatchable syscall instruction(s) at {:?}",
skipped_addrs.len(),
skipped_addrs,
);
}
rewritten.into()
} else {
let data = file.data.into();
cow_eligible_regions.push(file);
Expand Down
34 changes: 29 additions & 5 deletions litebox_runner_optee_on_linux_userland/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.

use anyhow::Result;
use anyhow::{Context as _, Result};
use clap::Parser;
use litebox_common_optee::{TeeUuid, UteeEntryFunc, UteeParamOwned};
use litebox_platform_multiplex::Platform;
Expand Down Expand Up @@ -65,19 +65,43 @@ pub enum InterceptionBackend {
pub fn run(cli_args: CliArgs) -> Result<()> {
let ldelf_data: Vec<u8> = {
let ldelf = PathBuf::from(&cli_args.ldelf);
let data = std::fs::read(ldelf).unwrap();
let data =
std::fs::read(&ldelf).with_context(|| format!("failed to read {}", cli_args.ldelf))?;
if cli_args.rewrite_syscalls {
litebox_syscall_rewriter::hook_syscalls_in_elf(&data, None).unwrap()
let (rewritten, skipped_addrs) =
litebox_syscall_rewriter::hook_syscalls_in_elf(&data, None)
.with_context(|| format!("failed to rewrite {}", cli_args.ldelf))?;
if !skipped_addrs.is_empty() {
eprintln!(
"warning: {} has {} unpatchable syscall instruction(s) at {:?}",
cli_args.ldelf,
skipped_addrs.len(),
skipped_addrs,
);
}
rewritten
} else {
data
}
};

let prog_data: Vec<u8> = {
let prog = PathBuf::from(&cli_args.program);
let data = std::fs::read(prog).unwrap();
let data =
std::fs::read(&prog).with_context(|| format!("failed to read {}", cli_args.program))?;
if cli_args.rewrite_syscalls {
litebox_syscall_rewriter::hook_syscalls_in_elf(&data, None).unwrap()
let (rewritten, skipped_addrs) =
litebox_syscall_rewriter::hook_syscalls_in_elf(&data, None)
.with_context(|| format!("failed to rewrite {}", cli_args.program))?;
if !skipped_addrs.is_empty() {
eprintln!(
"warning: {} has {} unpatchable syscall instruction(s) at {:?}",
cli_args.program,
skipped_addrs.len(),
skipped_addrs,
);
}
rewritten
} else {
data
}
Expand Down
23 changes: 17 additions & 6 deletions litebox_syscall_rewriter/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,25 @@ name = "litebox_syscall_rewriter"
version = "0.1.0"
edition = "2024"

[features]
default = ["std", "anyhow", "clap"]
std = []
anyhow = ["dep:anyhow"]
clap = ["dep:clap"]

[dependencies]
anyhow = "1.0"
clap = { version = "4.5.32", features = ["derive"] }
iced-x86 = "1.21"
memmap2 = "0.9"
object = { version = "0.36.7", default-features = false, features = ["elf", "read", "std"] }
iced-x86 = { version = "1.21", default-features = false, features = ["no_std", "decoder", "encoder", "instr_info"] }
object = { version = "0.36.7", default-features = false, features = ["elf", "read_core"] }
thiserror = { version = "2.0.6", default-features = false }
zerocopy = { version = "0.8", features = ["derive"] }
zerocopy = { version = "0.8", default-features = false, features = ["derive"] }

# Binary-only dependencies
anyhow = { version = "1.0", optional = true }
clap = { version = "4.5.32", features = ["derive"], optional = true }

[[bin]]
name = "litebox_syscall_rewriter"
required-features = ["std", "anyhow", "clap"]

[lints]
workspace = true
Expand Down
Loading
Loading