1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
4 * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
5 *
6 * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
7 * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
8 * the only system call that the thread is permitted to make are read(2),
9 * write(2),_exit(2)(but not exit_group(2)), and sigreturn(2). Other
10 * system calls result in the delivery of a SIGKILL signal. This operation
11 * is available only if the kernel is configured with CONFIG_SECCOMP enabled.
12 * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
13 * the system calls allowed are defined by a pointer to a Berkeley Packet
14 * Filter. Other system calls result int the delivery of a SIGSYS signal
15 * with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
16 * only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
17 * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
18 * is inherited by children created by fork(2).
19 */
20
21 #include <errno.h>
22 #include <signal.h>
23 #include <sys/prctl.h>
24 #include <sys/wait.h>
25 #include <sys/types.h>
26 #include <linux/filter.h>
27 #include <unistd.h>
28 #include <stdlib.h>
29 #include <stddef.h>
30 #include "tst_test.h"
31 #include "lapi/syscalls.h"
32 #include "lapi/prctl.h"
33 #include "config.h"
34 #include "lapi/seccomp.h"
35
36 #define FNAME "filename"
37
38 static const struct sock_filter strict_filter[] = {
39 BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
40
41 BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
42 BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit, 4, 0),
43 BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
44 BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
45 BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
46
47 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
48 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
49 };
50
51 static const struct sock_fprog strict = {
52 .len = (unsigned short)ARRAY_SIZE(strict_filter),
53 .filter = (struct sock_filter *)strict_filter
54 };
55
56 static void check_strict_mode(int);
57 static void check_filter_mode(int);
58
59 static struct tcase {
60 void (*func_check)();
61 int pass_flag;
62 int val;
63 int exp_signal;
64 char *message;
65 } tcases[] = {
66 {check_strict_mode, 1, 1, SIGKILL,
67 "SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call"},
68
69 {check_strict_mode, 0, 2, SIGKILL,
70 "SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)"},
71
72 {check_strict_mode, 1, 3, SIGKILL,
73 "SECCOMP_MODE_STRICT doesn't permit close(2)"},
74
75 {check_filter_mode, 1, 1, SIGSYS,
76 "SECCOMP_MODE_FILTER doestn't permit GET_SECCOMP call"},
77
78 {check_filter_mode, 0, 2, SIGSYS,
79 "SECCOMP_MODE_FILTER doesn't permit close(2)"},
80
81 {check_filter_mode, 2, 3, SIGSYS,
82 "SECCOMP_MODE_FILTER doesn't permit exit()"},
83
84 {check_filter_mode, 0, 4, SIGSYS,
85 "SECCOMP_MODE_FILTER doesn't permit exit()"}
86 };
87
check_filter_mode_inherit(void)88 static void check_filter_mode_inherit(void)
89 {
90 int childpid;
91 int childstatus;
92
93 childpid = SAFE_FORK();
94 if (childpid == 0) {
95 tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
96 exit(0);
97 }
98
99 wait4(childpid, &childstatus, 0, NULL);
100 if (WIFSIGNALED(childstatus) && WTERMSIG(childstatus) == SIGSYS)
101 tst_res(TPASS,
102 "SECCOMP_MODE_FILTER has been inherited by child");
103 else
104 tst_res(TFAIL,
105 "SECCOMP_MODE_FILTER isn't been inherited by child");
106 }
107
check_strict_mode(int val)108 static void check_strict_mode(int val)
109 {
110 int fd;
111 char buf[2];
112
113 fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
114
115 TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
116 if (TST_RET == -1) {
117 tst_res(TFAIL | TTERRNO,
118 "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT failed");
119 return;
120 }
121
122 switch (val) {
123 case 1:
124 tst_res(TPASS,
125 "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed");
126 prctl(PR_GET_SECCOMP);
127 tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
128 break;
129 case 2:
130 SAFE_WRITE(1, fd, "a", 1);
131 SAFE_READ(0, fd, buf, 1);
132 tst_res(TPASS,
133 "SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)");
134 break;
135 case 3:
136 close(fd);
137 tst_res(TFAIL,
138 "SECCOMP_MODE_STRICT permits close(2) unexpectdly");
139 break;
140 }
141
142 tst_syscall(__NR_exit, 0);
143 }
144
check_filter_mode(int val)145 static void check_filter_mode(int val)
146 {
147 int fd;
148
149 fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
150
151 TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
152 if (TST_RET == -1) {
153 if (TST_ERR == EINVAL)
154 tst_res(TCONF,
155 "kernel doesn't support SECCOMP_MODE_FILTER");
156 else
157 tst_res(TFAIL | TERRNO,
158 "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER failed");
159 return;
160 }
161
162 switch (val) {
163 case 1:
164 tst_res(TPASS,
165 "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER succeed");
166 prctl(PR_GET_SECCOMP);
167 tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
168 break;
169 case 2:
170 close(fd);
171 tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
172 break;
173 case 3:
174 exit(0);
175 break;
176 case 4:
177 check_filter_mode_inherit();
178 break;
179 }
180
181 tst_syscall(__NR_exit, 0);
182 }
183
verify_prctl(unsigned int n)184 static void verify_prctl(unsigned int n)
185 {
186 int pid;
187 int status;
188 struct tcase *tc = &tcases[n];
189
190 pid = SAFE_FORK();
191 if (pid == 0) {
192 tc->func_check(tc->val);
193 } else {
194 SAFE_WAITPID(pid, &status, 0);
195 if (WIFSIGNALED(status) && WTERMSIG(status) == tc->exp_signal) {
196 if (tc->pass_flag)
197 tst_res(TPASS, "%s", tc->message);
198 else
199 tst_res(TFAIL, "%s", tc->message);
200 return;
201 }
202
203 if (tc->pass_flag == 2)
204 tst_res(TFAIL,
205 "SECCOMP_MODE_FILTER permits exit() unexpectedly");
206 }
207 }
208
setup(void)209 static void setup(void)
210 {
211 TEST(prctl(PR_GET_SECCOMP));
212 if (TST_RET == 0) {
213 tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
214 return;
215 }
216
217 if (TST_ERR == EINVAL)
218 tst_brk(TCONF, "kernel doesn't support PR_GET/SET_SECCOMP");
219
220 tst_brk(TBROK | TTERRNO,
221 "current environment doesn't permit PR_GET/SET_SECCOMP");
222 }
223
224 static struct tst_test test = {
225 .setup = setup,
226 .test = verify_prctl,
227 .tcnt = ARRAY_SIZE(tcases),
228 .forks_child = 1,
229 .needs_tmpdir = 1,
230 .needs_root = 1,
231 };
232