1 /* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #include <gtest/gtest.h> 17 18 #include <cstdlib> 19 #include <unistd.h> 20 #include <sys/wait.h> 21 #include <csignal> 22 #include <cerrno> 23 #include <cstring> 24 #include <sys/prctl.h> 25 #include <sys/types.h> 26 #include <sys/stat.h> 27 #include <fcntl.h> 28 #include <sys/syscall.h> 29 #include <asm/unistd.h> 30 #include <syscall.h> 31 #include <climits> 32 #include <sched.h> 33 34 #include "seccomp_policy.h" 35 36 using SyscallFunc = bool (*)(void); 37 constexpr int SLEEP_TIME_100MS = 100000; // 100ms 38 constexpr int SLEEP_TIME_1S = 1; 39 40 using namespace testing::ext; 41 using namespace std; 42 43 namespace init_ut { 44 class SeccompUnitTest : public testing::Test { 45 public: SeccompUnitTest()46 SeccompUnitTest() {}; ~SeccompUnitTest()47 virtual ~SeccompUnitTest() {}; SetUpTestCase()48 static void SetUpTestCase() {}; TearDownTestCase()49 static void TearDownTestCase() {}; 50 SetUp()51 void SetUp() 52 { 53 /* 54 * Wait for 1 second to prevent the generated crash file 55 * from being overwritten because the crash interval is too short 56 * and the crash file's name is constructed by time stamp. 57 */ 58 sleep(SLEEP_TIME_1S); 59 }; 60 TearDown()61 void TearDown() {}; TestBody(void)62 void TestBody(void) {}; 63 StartChild(SeccompFilterType type,const char * filterName,SyscallFunc func)64 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func) 65 { 66 pid_t pid = fork(); 67 if (pid == 0) { 68 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { 69 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; 70 exit(EXIT_FAILURE); 71 } 72 73 if (!SetSeccompPolicyWithName(type, filterName)) { 74 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; 75 exit(EXIT_FAILURE); 76 } 77 78 if (!func()) { 79 std::cout << "func excute fail" << std::endl; 80 exit(EXIT_FAILURE); 81 } 82 83 std::cout << "func excute success" << std::endl; 84 85 exit(EXIT_SUCCESS); 86 } 87 return pid; 88 } 89 CheckStatus(int status,bool isAllow)90 static int CheckStatus(int status, bool isAllow) 91 { 92 if (WEXITSTATUS(status) == EXIT_FAILURE) { 93 return -1; 94 } 95 96 if (WIFSIGNALED(status)) { 97 if (WTERMSIG(status) == SIGSYS) { 98 std::cout << "child process exit with SIGSYS" << std::endl; 99 return isAllow ? -1 : 0; 100 } 101 } else { 102 std::cout << "child process finished normally" << std::endl; 103 return isAllow ? 0 : -1; 104 } 105 106 return -1; 107 } 108 CheckSyscall(SeccompFilterType type,const char * filterName,SyscallFunc func,bool isAllow)109 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow) 110 { 111 sigset_t set; 112 int status; 113 pid_t pid; 114 int flag = 0; 115 struct timespec waitTime = {5, 0}; 116 117 sigemptyset(&set); 118 sigaddset(&set, SIGCHLD); 119 sigprocmask(SIG_BLOCK, &set, nullptr); 120 sigaddset(&set, SIGSYS); 121 if (signal(SIGCHLD, SIG_DFL) == nullptr) { 122 std::cout << "signal failed:" << strerror(errno) << std::endl; 123 } 124 if (signal(SIGSYS, SIG_DFL) == nullptr) { 125 std::cout << "signal failed:" << strerror(errno) << std::endl; 126 } 127 128 /* Sleeping for avoiding influencing child proccess wait for other threads 129 * which were created by other unittests to release global rwlock. The global 130 * rwlock will be used by function dlopen in child process */ 131 usleep(SLEEP_TIME_100MS); 132 133 pid = StartChild(type, filterName, func); 134 if (pid == -1) { 135 std::cout << "fork failed:" << strerror(errno) << std::endl; 136 return -1; 137 } 138 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */ 139 if (errno == EAGAIN) { 140 flag = 1; 141 } else { 142 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl; 143 } 144 145 if (kill(pid, SIGKILL) == -1) { 146 std::cout << "kill failed::" << strerror(errno) << std::endl; 147 } 148 } 149 150 if (waitpid(pid, &status, 0) != pid) { 151 std::cout << "waitpid failed:" << strerror(errno) << std::endl; 152 return -1; 153 } 154 155 if (flag != 0) { 156 std::cout << "Child process time out" << std::endl; 157 } 158 159 return CheckStatus(status, isAllow); 160 } 161 CheckUnshare()162 static bool CheckUnshare() 163 { 164 int ret = unshare(CLONE_NEWPID); 165 if (ret) { 166 return false; 167 } 168 return true; 169 } 170 CheckSetns()171 static bool CheckSetns() 172 { 173 int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC); 174 if (fd < 0) { 175 return false; 176 } 177 178 if (setns(fd, CLONE_NEWNS) != 0) { 179 close(fd); 180 return false; 181 } 182 183 close(fd); 184 return true; 185 } 186 ChildFunc(void * arg)187 static int ChildFunc(void *arg) 188 { 189 exit(0); 190 } 191 CheckCloneNs(int flag)192 static bool CheckCloneNs(int flag) 193 { 194 const int stackSize = 65536; 195 196 char *stack = static_cast<char *>(malloc(stackSize)); 197 if (stack == nullptr) { 198 return false; 199 } 200 char *stackTop = stack + stackSize; 201 pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr); 202 if (pid == -1) { 203 free(stack); 204 return false; 205 } 206 return true; 207 } 208 CheckClonePidNs(void)209 static bool CheckClonePidNs(void) 210 { 211 return CheckCloneNs(CLONE_NEWPID); 212 } 213 CheckCloneMntNs(void)214 static bool CheckCloneMntNs(void) 215 { 216 return CheckCloneNs(CLONE_NEWNS); 217 } 218 CheckCloneNetNs(void)219 static bool CheckCloneNetNs(void) 220 { 221 return CheckCloneNs(CLONE_NEWNET); 222 } 223 CheckCloneCgroupNs(void)224 static bool CheckCloneCgroupNs(void) 225 { 226 return CheckCloneNs(CLONE_NEWCGROUP); 227 } 228 CheckCloneUtsNs(void)229 static bool CheckCloneUtsNs(void) 230 { 231 return CheckCloneNs(CLONE_NEWUTS); 232 } 233 CheckCloneIpcNs(void)234 static bool CheckCloneIpcNs(void) 235 { 236 return CheckCloneNs(CLONE_NEWIPC); 237 } 238 CheckCloneUserNs(void)239 static bool CheckCloneUserNs(void) 240 { 241 return CheckCloneNs(CLONE_NEWUSER); 242 } 243 CheckIoctlFlag1()244 static bool CheckIoctlFlag1() 245 { 246 (void)syscall(__NR_ioctl, 0, 0x4000); 247 return true; 248 } 249 CheckIoctlFlag2()250 static bool CheckIoctlFlag2() 251 { 252 (void)syscall(__NR_ioctl, 0, 0x5003); 253 return true; 254 } 255 CheckIoctlFlag3()256 static bool CheckIoctlFlag3() 257 { 258 (void)syscall(__NR_ioctl, 0, 0x5006); 259 return true; 260 } 261 CheckIoctlFlag4()262 static bool CheckIoctlFlag4() 263 { 264 (void)syscall(__NR_ioctl, 0, 0x5007); 265 return true; 266 } 267 CheckIoctlFlag5()268 static bool CheckIoctlFlag5() 269 { 270 (void)syscall(__NR_ioctl, 0, 0x5090); 271 return true; 272 } 273 CheckIoctlFlag6()274 static bool CheckIoctlFlag6() 275 { 276 (void)syscall(__NR_ioctl, 0, 0x5100); 277 return true; 278 } 279 CheckIoctlFlag7()280 static bool CheckIoctlFlag7() 281 { 282 (void)syscall(__NR_ioctl, 0, 0x5104); 283 return true; 284 } 285 CheckIoctlFlag8()286 static bool CheckIoctlFlag8() 287 { 288 (void)syscall(__NR_ioctl, 0, 0x5105); 289 return true; 290 } 291 CheckIoctlFlag9()292 static bool CheckIoctlFlag9() 293 { 294 (void)syscall(__NR_ioctl, 0, 0x5107); 295 return true; 296 } 297 CheckIoctlFlag10()298 static bool CheckIoctlFlag10() 299 { 300 (void)syscall(__NR_ioctl, 0, 0x510a); 301 return true; 302 } 303 CheckIoctlFlag11()304 static bool CheckIoctlFlag11() 305 { 306 (void)syscall(__NR_ioctl, 0, 0x5110); 307 return true; 308 } 309 CheckIoctlFlag12()310 static bool CheckIoctlFlag12() 311 { 312 (void)syscall(__NR_ioctl, 0, 0x5300); 313 return true; 314 } 315 CheckIoctlFlag13()316 static bool CheckIoctlFlag13() 317 { 318 (void)syscall(__NR_ioctl, 0, 0x5310); 319 return true; 320 } 321 CheckIoctlFlag14()322 static bool CheckIoctlFlag14() 323 { 324 (void)syscall(__NR_ioctl, 0, 0x5400); 325 return true; 326 } 327 CheckIoctlFlag15()328 static bool CheckIoctlFlag15() 329 { 330 (void)syscall(__NR_ioctl, 0, 0x5480); 331 return true; 332 } 333 CheckIoctlFlag16()334 static bool CheckIoctlFlag16() 335 { 336 (void)syscall(__NR_ioctl, 0, 0x5482); 337 return true; 338 } 339 CheckIoctlFlag17()340 static bool CheckIoctlFlag17() 341 { 342 (void)syscall(__NR_ioctl, 0, 0x5500); 343 return true; 344 } 345 TestAppAtomicSyscallForIoctl()346 void TestAppAtomicSyscallForIoctl() 347 { 348 int ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag1, true); 349 EXPECT_EQ(ret, 0); 350 351 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag2, false); 352 EXPECT_EQ(ret, 0); 353 354 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag3, true); 355 EXPECT_EQ(ret, 0); 356 357 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag4, false); 358 EXPECT_EQ(ret, 0); 359 360 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag5, true); 361 EXPECT_EQ(ret, 0); 362 363 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag6, false); 364 EXPECT_EQ(ret, 0); 365 366 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag7, true); 367 EXPECT_EQ(ret, 0); 368 369 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag8, false); 370 EXPECT_EQ(ret, 0); 371 372 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag9, true); 373 EXPECT_EQ(ret, 0); 374 375 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag10, false); 376 EXPECT_EQ(ret, 0); 377 378 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag11, true); 379 EXPECT_EQ(ret, 0); 380 381 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag12, false); 382 EXPECT_EQ(ret, 0); 383 384 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag13, true); 385 EXPECT_EQ(ret, 0); 386 387 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag14, false); 388 EXPECT_EQ(ret, 0); 389 390 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag15, true); 391 EXPECT_EQ(ret, 0); 392 393 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag16, false); 394 EXPECT_EQ(ret, 0); 395 396 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag17, true); 397 EXPECT_EQ(ret, 0); 398 } 399 400 #if defined __aarch64__ CheckMqOpen()401 static bool CheckMqOpen() 402 { 403 int ret = (int)syscall(__NR_mq_open, nullptr, 0); 404 if (ret < 0) { 405 return false; 406 } 407 408 return true; 409 } 410 CheckGetpid()411 static bool CheckGetpid() 412 { 413 pid_t pid = 1; 414 pid = syscall(__NR_getpid); 415 if (pid > 1) { 416 return true; 417 } 418 return false; 419 } 420 CheckGetuid()421 static bool CheckGetuid() 422 { 423 uid_t uid = 0; 424 uid = syscall(__NR_getuid); 425 if (uid >= 0) { 426 return true; 427 } 428 429 return false; 430 } 431 CheckSetresuidArgsInRange()432 static bool CheckSetresuidArgsInRange() 433 { 434 int ret = syscall(__NR_setresuid, 20000, 20000, 20000); 435 if (ret == 0) { 436 return true; 437 } 438 439 return false; 440 } 441 CheckSetresuidArgsOutOfRange()442 static bool CheckSetresuidArgsOutOfRange() 443 { 444 int ret = syscall(__NR_setresuid, 800, 800, 800); 445 if (ret == 0) { 446 return true; 447 } 448 449 return false; 450 } 451 CheckSetuid()452 static bool CheckSetuid() 453 { 454 int uid = syscall(__NR_setuid, 1); 455 if (uid == 0) { 456 return true; 457 } 458 459 return false; 460 } 461 CheckSetuid64ForUidFilter1()462 static bool CheckSetuid64ForUidFilter1() 463 { 464 int ret = syscall(__NR_setuid, 0); 465 if (ret == 0) { 466 return true; 467 } 468 469 return false; 470 } 471 CheckSetuid64ForUidFilter2()472 static bool CheckSetuid64ForUidFilter2() 473 { 474 int ret = syscall(__NR_setuid, 2); 475 if (ret == 0) { 476 return true; 477 } 478 479 return false; 480 } 481 CheckSetreuid64ForUidFilter1()482 static bool CheckSetreuid64ForUidFilter1() 483 { 484 int ret = syscall(__NR_setreuid, 0, 2); 485 if (ret == 0) { 486 return true; 487 } 488 489 return false; 490 } 491 CheckSetreuid64ForUidFilter2()492 static bool CheckSetreuid64ForUidFilter2() 493 { 494 int ret = syscall(__NR_setreuid, 2, 0); 495 if (ret == 0) { 496 return true; 497 } 498 499 return false; 500 } 501 CheckSetreuid64ForUidFilter3()502 static bool CheckSetreuid64ForUidFilter3() 503 { 504 int ret = syscall(__NR_setreuid, 0, 0); 505 if (ret == 0) { 506 return true; 507 } 508 509 return false; 510 } 511 CheckSetreuid64ForUidFilter4()512 static bool CheckSetreuid64ForUidFilter4() 513 { 514 int ret = syscall(__NR_setreuid, 2, 2); 515 if (ret == 0) { 516 return true; 517 } 518 519 return false; 520 } 521 CheckSetfsuid64ForUidFilter1()522 static bool CheckSetfsuid64ForUidFilter1() 523 { 524 int ret = syscall(__NR_setfsuid, 0); 525 if (ret == 0) { 526 return true; 527 } 528 529 return false; 530 } 531 CheckSetfsuid64ForUidFilter2()532 static bool CheckSetfsuid64ForUidFilter2() 533 { 534 int ret = syscall(__NR_setfsuid, 2); 535 if (ret == 0) { 536 return true; 537 } 538 539 return false; 540 } 541 CheckSetresuid64ForUidFilter1()542 static bool CheckSetresuid64ForUidFilter1() 543 { 544 int ret = syscall(__NR_setresuid, 0, 0, 0); 545 if (ret == 0) { 546 return true; 547 } 548 549 return false; 550 } 551 CheckSetresuid64ForUidFilter2()552 static bool CheckSetresuid64ForUidFilter2() 553 { 554 int ret = syscall(__NR_setresuid, 2, 0, 0); 555 if (ret == 0) { 556 return true; 557 } 558 559 return false; 560 } 561 CheckSetresuid64ForUidFilter3()562 static bool CheckSetresuid64ForUidFilter3() 563 { 564 int ret = syscall(__NR_setresuid, 0, 2, 0); 565 if (ret == 0) { 566 return true; 567 } 568 569 return false; 570 } 571 CheckSetresuid64ForUidFilter4()572 static bool CheckSetresuid64ForUidFilter4() 573 { 574 int ret = syscall(__NR_setresuid, 0, 0, 2); 575 if (ret == 0) { 576 return true; 577 } 578 579 return false; 580 } 581 CheckSetresuid64ForUidFilter5()582 static bool CheckSetresuid64ForUidFilter5() 583 { 584 int ret = syscall(__NR_setresuid, 0, 2, 2); 585 if (ret == 0) { 586 return true; 587 } 588 589 return false; 590 } 591 CheckSetresuid64ForUidFilter6()592 static bool CheckSetresuid64ForUidFilter6() 593 { 594 int ret = syscall(__NR_setresuid, 2, 0, 2); 595 if (ret == 0) { 596 return true; 597 } 598 599 return false; 600 } 601 CheckSetresuid64ForUidFilter7()602 static bool CheckSetresuid64ForUidFilter7() 603 { 604 int ret = syscall(__NR_setresuid, 2, 2, 0); 605 if (ret == 0) { 606 return true; 607 } 608 609 return false; 610 } 611 CheckSetresuid64ForUidFilter8()612 static bool CheckSetresuid64ForUidFilter8() 613 { 614 int ret = syscall(__NR_setresuid, 2, 2, 2); 615 if (ret == 0) { 616 return true; 617 } 618 619 return false; 620 } 621 TestSystemSycall()622 void TestSystemSycall() 623 { 624 // system blocklist 625 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckMqOpen, false); 626 EXPECT_EQ(ret, 0); 627 628 // system allowlist 629 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true); 630 EXPECT_EQ(ret, 0); 631 } 632 TestSystemSyscallForUidFilter()633 void TestSystemSyscallForUidFilter() 634 { 635 // system_uid_filter_64bit_test 636 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false); 637 EXPECT_EQ(ret, 0); 638 639 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true); 640 EXPECT_EQ(ret, 0); 641 642 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false); 643 EXPECT_EQ(ret, 0); 644 645 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false); 646 EXPECT_EQ(ret, 0); 647 648 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false); 649 EXPECT_EQ(ret, 0); 650 651 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true); 652 EXPECT_EQ(ret, 0); 653 654 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false); 655 EXPECT_EQ(ret, 0); 656 657 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true); 658 EXPECT_EQ(ret, 0); 659 660 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false); 661 EXPECT_EQ(ret, 0); 662 663 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false); 664 EXPECT_EQ(ret, 0); 665 666 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false); 667 EXPECT_EQ(ret, 0); 668 669 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false); 670 EXPECT_EQ(ret, 0); 671 672 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false); 673 EXPECT_EQ(ret, 0); 674 675 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false); 676 EXPECT_EQ(ret, 0); 677 678 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false); 679 EXPECT_EQ(ret, 0); 680 681 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true); 682 EXPECT_EQ(ret, 0); 683 } 684 TestSetUidGidFilter()685 void TestSetUidGidFilter() 686 { 687 // system blocklist 688 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); 689 EXPECT_EQ(ret, 0); 690 691 // system allowlist 692 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true); 693 EXPECT_EQ(ret, 0); 694 } 695 TestAppSycall()696 void TestAppSycall() 697 { 698 // app blocklist 699 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false); 700 EXPECT_EQ(ret, 0); 701 702 // app allowlist 703 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true); 704 EXPECT_EQ(ret, 0); 705 } 706 707 #ifdef SECCOMP_PRIVILEGE TestSeccompPrivilegeSyscall()708 void TestSeccompPrivilegeSyscall() 709 { 710 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid64ForUidFilter1, true); 711 EXPECT_EQ(ret, 0); 712 } 713 #endif 714 715 #ifdef CUSTOM_SANDBOX TestSeccompCustomSyscall()716 void TestSeccompCustomSyscall() 717 { 718 // app custom allowlist 719 ret = CheckSyscall(APP, APP_CUSTOM, CheckGetpid, true); 720 EXPECT_EQ(ret, 0); 721 722 // app custom blocklist 723 int ret = CheckSyscall(APP, APP_CUSTOM, CheckSetuid, false); 724 EXPECT_EQ(ret, 0); 725 } 726 #endif 727 728 #elif defined __arm__ CheckGetuid32()729 static bool CheckGetuid32() 730 { 731 uid_t uid = syscall(__NR_getuid32); 732 if (uid >= 0) { 733 return true; 734 } 735 return false; 736 } 737 CheckGetuid()738 static bool CheckGetuid() 739 { 740 uid_t uid = syscall(__NR_getuid); 741 if (uid >= 0) { 742 return true; 743 } 744 return false; 745 } 746 CheckSetuid32()747 static bool CheckSetuid32() 748 { 749 int ret = syscall(__NR_setuid32, 1); 750 if (ret == 0) { 751 return true; 752 } 753 754 return false; 755 } 756 CheckSetresuid32ArgsInRange()757 static bool CheckSetresuid32ArgsInRange() 758 { 759 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); 760 if (ret == 0) { 761 return true; 762 } 763 764 return false; 765 } 766 CheckSetresuid32ArgsOutOfRange()767 static bool CheckSetresuid32ArgsOutOfRange() 768 { 769 int ret = syscall(__NR_setresuid32, 800, 800, 800); 770 if (ret == 0) { 771 return true; 772 } 773 774 return false; 775 } 776 CheckSetuid32ForUidFilter1()777 static bool CheckSetuid32ForUidFilter1() 778 { 779 int ret = syscall(__NR_setuid32, 0); 780 if (ret == 0) { 781 return true; 782 } 783 784 return false; 785 } 786 CheckSetuid32ForUidFilter2()787 static bool CheckSetuid32ForUidFilter2() 788 { 789 int ret = syscall(__NR_setuid32, 2); 790 if (ret == 0) { 791 return true; 792 } 793 794 return false; 795 } 796 CheckSetuid16ForUidFilter1()797 static bool CheckSetuid16ForUidFilter1() 798 { 799 int ret = syscall(__NR_setuid, 0); 800 if (ret == 0) { 801 return true; 802 } 803 804 return false; 805 } 806 CheckSetuid16ForUidFilter2()807 static bool CheckSetuid16ForUidFilter2() 808 { 809 int ret = syscall(__NR_setuid, 2); 810 if (ret == 0) { 811 return true; 812 } 813 814 return false; 815 } 816 CheckSetreuid32ForUidFilter1()817 static bool CheckSetreuid32ForUidFilter1() 818 { 819 int ret = syscall(__NR_setreuid32, 0, 2); 820 if (ret == 0) { 821 return true; 822 } 823 824 return false; 825 } 826 CheckSetreuid32ForUidFilter2()827 static bool CheckSetreuid32ForUidFilter2() 828 { 829 int ret = syscall(__NR_setreuid32, 2, 0); 830 if (ret == 0) { 831 return true; 832 } 833 834 return false; 835 } 836 CheckSetreuid32ForUidFilter3()837 static bool CheckSetreuid32ForUidFilter3() 838 { 839 int ret = syscall(__NR_setreuid32, 0, 0); 840 if (ret == 0) { 841 return true; 842 } 843 844 return false; 845 } 846 CheckSetreuid32ForUidFilter4()847 static bool CheckSetreuid32ForUidFilter4() 848 { 849 int ret = syscall(__NR_setreuid32, 2, 2); 850 if (ret == 0) { 851 return true; 852 } 853 854 return false; 855 } 856 CheckSetreuid16ForUidFilter1()857 static bool CheckSetreuid16ForUidFilter1() 858 { 859 int ret = syscall(__NR_setreuid, 0, 2); 860 if (ret == 0) { 861 return true; 862 } 863 864 return false; 865 } 866 CheckSetreuid16ForUidFilter2()867 static bool CheckSetreuid16ForUidFilter2() 868 { 869 int ret = syscall(__NR_setreuid, 2, 0); 870 if (ret == 0) { 871 return true; 872 } 873 874 return false; 875 } 876 CheckSetreuid16ForUidFilter3()877 static bool CheckSetreuid16ForUidFilter3() 878 { 879 int ret = syscall(__NR_setreuid, 0, 0); 880 if (ret == 0) { 881 return true; 882 } 883 884 return false; 885 } 886 CheckSetreuid16ForUidFilter4()887 static bool CheckSetreuid16ForUidFilter4() 888 { 889 int ret = syscall(__NR_setreuid, 2, 2); 890 if (ret == 0) { 891 return true; 892 } 893 894 return false; 895 } 896 CheckSetfsuid32ForUidFilter1()897 static bool CheckSetfsuid32ForUidFilter1() 898 { 899 int ret = syscall(__NR_setfsuid32, 0); 900 if (ret == 0) { 901 return true; 902 } 903 904 return false; 905 } 906 CheckSetfsuid32ForUidFilter2()907 static bool CheckSetfsuid32ForUidFilter2() 908 { 909 int ret = syscall(__NR_setfsuid32, 2); 910 if (ret == 0) { 911 return true; 912 } 913 914 return false; 915 } 916 CheckSetfsuid16ForUidFilter1()917 static bool CheckSetfsuid16ForUidFilter1() 918 { 919 int ret = syscall(__NR_setfsuid, 0); 920 if (ret == 0) { 921 return true; 922 } 923 924 return false; 925 } 926 CheckSetfsuid16ForUidFilter2()927 static bool CheckSetfsuid16ForUidFilter2() 928 { 929 int ret = syscall(__NR_setfsuid, 2); 930 if (ret == 0) { 931 return true; 932 } 933 934 return false; 935 } 936 CheckSetresuid32ForUidFilter1()937 static bool CheckSetresuid32ForUidFilter1() 938 { 939 int ret = syscall(__NR_setresuid32, 0, 0, 0); 940 if (ret == 0) { 941 return true; 942 } 943 944 return false; 945 } 946 CheckSetresuid32ForUidFilter2()947 static bool CheckSetresuid32ForUidFilter2() 948 { 949 int ret = syscall(__NR_setresuid32, 2, 0, 0); 950 if (ret == 0) { 951 return true; 952 } 953 954 return false; 955 } 956 CheckSetresuid32ForUidFilter3()957 static bool CheckSetresuid32ForUidFilter3() 958 { 959 int ret = syscall(__NR_setresuid32, 0, 2, 0); 960 if (ret == 0) { 961 return true; 962 } 963 964 return false; 965 } 966 CheckSetresuid32ForUidFilter4()967 static bool CheckSetresuid32ForUidFilter4() 968 { 969 int ret = syscall(__NR_setresuid32, 0, 0, 2); 970 if (ret == 0) { 971 return true; 972 } 973 974 return false; 975 } 976 CheckSetresuid32ForUidFilter5()977 static bool CheckSetresuid32ForUidFilter5() 978 { 979 int ret = syscall(__NR_setresuid32, 0, 2, 2); 980 if (ret == 0) { 981 return true; 982 } 983 984 return false; 985 } 986 CheckSetresuid32ForUidFilter6()987 static bool CheckSetresuid32ForUidFilter6() 988 { 989 int ret = syscall(__NR_setresuid32, 2, 0, 2); 990 if (ret == 0) { 991 return true; 992 } 993 994 return false; 995 } 996 CheckSetresuid32ForUidFilter7()997 static bool CheckSetresuid32ForUidFilter7() 998 { 999 int ret = syscall(__NR_setresuid32, 2, 2, 0); 1000 if (ret == 0) { 1001 return true; 1002 } 1003 1004 return false; 1005 } 1006 CheckSetresuid32ForUidFilter8()1007 static bool CheckSetresuid32ForUidFilter8() 1008 { 1009 int ret = syscall(__NR_setresuid32, 2, 2, 2); 1010 if (ret == 0) { 1011 return true; 1012 } 1013 1014 return false; 1015 } 1016 CheckSetresuid16ForUidFilter1()1017 static bool CheckSetresuid16ForUidFilter1() 1018 { 1019 int ret = syscall(__NR_setresuid, 0, 0, 0); 1020 if (ret == 0) { 1021 return true; 1022 } 1023 1024 return false; 1025 } 1026 CheckSetresuid16ForUidFilter2()1027 static bool CheckSetresuid16ForUidFilter2() 1028 { 1029 int ret = syscall(__NR_setresuid, 2, 0, 0); 1030 if (ret == 0) { 1031 return true; 1032 } 1033 1034 return false; 1035 } 1036 CheckSetresuid16ForUidFilter3()1037 static bool CheckSetresuid16ForUidFilter3() 1038 { 1039 int ret = syscall(__NR_setresuid, 0, 2, 0); 1040 if (ret == 0) { 1041 return true; 1042 } 1043 1044 return false; 1045 } 1046 CheckSetresuid16ForUidFilter4()1047 static bool CheckSetresuid16ForUidFilter4() 1048 { 1049 int ret = syscall(__NR_setresuid, 0, 0, 2); 1050 if (ret == 0) { 1051 return true; 1052 } 1053 1054 return false; 1055 } 1056 CheckSetresuid16ForUidFilter5()1057 static bool CheckSetresuid16ForUidFilter5() 1058 { 1059 int ret = syscall(__NR_setresuid, 0, 2, 2); 1060 if (ret == 0) { 1061 return true; 1062 } 1063 1064 return false; 1065 } 1066 CheckSetresuid16ForUidFilter6()1067 static bool CheckSetresuid16ForUidFilter6() 1068 { 1069 int ret = syscall(__NR_setresuid, 2, 0, 2); 1070 if (ret == 0) { 1071 return true; 1072 } 1073 1074 return false; 1075 } 1076 CheckSetresuid16ForUidFilter7()1077 static bool CheckSetresuid16ForUidFilter7() 1078 { 1079 int ret = syscall(__NR_setresuid, 2, 2, 0); 1080 if (ret == 0) { 1081 return true; 1082 } 1083 1084 return false; 1085 } 1086 CheckSetresuid16ForUidFilter8()1087 static bool CheckSetresuid16ForUidFilter8() 1088 { 1089 int ret = syscall(__NR_setresuid, 2, 2, 2); 1090 if (ret == 0) { 1091 return true; 1092 } 1093 1094 return false; 1095 } 1096 TestSystemSycall()1097 void TestSystemSycall() 1098 { 1099 // system blocklist 1100 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false); 1101 EXPECT_EQ(ret, 0); 1102 1103 // system allowlist 1104 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true); 1105 EXPECT_EQ(ret, 0); 1106 } 1107 TestSystemSyscallForUidFilter32Bit()1108 void TestSystemSyscallForUidFilter32Bit() 1109 { 1110 // system_uid_filter_32bit_test 1111 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false); 1112 EXPECT_EQ(ret, 0); 1113 1114 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true); 1115 EXPECT_EQ(ret, 0); 1116 1117 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false); 1118 EXPECT_EQ(ret, 0); 1119 1120 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false); 1121 EXPECT_EQ(ret, 0); 1122 1123 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false); 1124 EXPECT_EQ(ret, 0); 1125 1126 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true); 1127 EXPECT_EQ(ret, 0); 1128 1129 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false); 1130 EXPECT_EQ(ret, 0); 1131 1132 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true); 1133 EXPECT_EQ(ret, 0); 1134 1135 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false); 1136 EXPECT_EQ(ret, 0); 1137 1138 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false); 1139 EXPECT_EQ(ret, 0); 1140 1141 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false); 1142 EXPECT_EQ(ret, 0); 1143 1144 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false); 1145 EXPECT_EQ(ret, 0); 1146 1147 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false); 1148 EXPECT_EQ(ret, 0); 1149 1150 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false); 1151 EXPECT_EQ(ret, 0); 1152 1153 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false); 1154 EXPECT_EQ(ret, 0); 1155 1156 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true); 1157 EXPECT_EQ(ret, 0); 1158 } 1159 TestSystemSyscallForUidFilter16Bit()1160 void TestSystemSyscallForUidFilter16Bit() 1161 { 1162 // system_uid_filter_16bit_test 1163 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false); 1164 EXPECT_EQ(ret, 0); 1165 1166 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true); 1167 EXPECT_EQ(ret, 0); 1168 1169 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false); 1170 EXPECT_EQ(ret, 0); 1171 1172 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false); 1173 EXPECT_EQ(ret, 0); 1174 1175 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false); 1176 EXPECT_EQ(ret, 0); 1177 1178 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true); 1179 EXPECT_EQ(ret, 0); 1180 1181 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false); 1182 EXPECT_EQ(ret, 0); 1183 1184 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true); 1185 EXPECT_EQ(ret, 0); 1186 1187 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false); 1188 EXPECT_EQ(ret, 0); 1189 1190 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false); 1191 EXPECT_EQ(ret, 0); 1192 1193 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false); 1194 EXPECT_EQ(ret, 0); 1195 1196 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false); 1197 EXPECT_EQ(ret, 0); 1198 1199 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false); 1200 EXPECT_EQ(ret, 0); 1201 1202 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false); 1203 EXPECT_EQ(ret, 0); 1204 1205 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false); 1206 EXPECT_EQ(ret, 0); 1207 1208 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true); 1209 EXPECT_EQ(ret, 0); 1210 } 1211 TestSystemSyscallForUidFilter()1212 void TestSystemSyscallForUidFilter() 1213 { 1214 TestSystemSyscallForUidFilter32Bit(); 1215 TestSystemSyscallForUidFilter16Bit(); 1216 } 1217 TestSetUidGidFilter()1218 void TestSetUidGidFilter() 1219 { 1220 // system blocklist 1221 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); 1222 EXPECT_EQ(ret, 0); 1223 1224 // system allowlist 1225 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); 1226 EXPECT_EQ(ret, 0); 1227 } 1228 TestAppSycall()1229 void TestAppSycall() 1230 { 1231 // app blocklist 1232 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false); 1233 EXPECT_EQ(ret, 0); 1234 1235 // app allowlist 1236 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true); 1237 EXPECT_EQ(ret, 0); 1238 } 1239 1240 #ifdef SECCOMP_PRIVILEGE TestSeccompPrivilegeSyscall()1241 void TestSeccompPrivilegeSyscall() 1242 { 1243 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid32ForUidFilter1, true); 1244 EXPECT_EQ(ret, 0); 1245 } 1246 #endif 1247 #endif TestAppSycallNs()1248 void TestAppSycallNs() 1249 { 1250 int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false); 1251 EXPECT_EQ(ret, 0); 1252 1253 ret = CheckSyscall(APP, APP_NAME, CheckSetns, false); 1254 EXPECT_EQ(ret, 0); 1255 1256 ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false); 1257 EXPECT_EQ(ret, 0); 1258 1259 ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false); 1260 EXPECT_EQ(ret, 0); 1261 1262 ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false); 1263 EXPECT_EQ(ret, 0); 1264 1265 ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false); 1266 EXPECT_EQ(ret, 0); 1267 1268 ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false); 1269 EXPECT_EQ(ret, 0); 1270 1271 ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false); 1272 EXPECT_EQ(ret, 0); 1273 1274 ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false); 1275 EXPECT_EQ(ret, 0); 1276 } 1277 }; 1278 1279 /** 1280 * @tc.name: TestSystemSycall 1281 * @tc.desc: Verify the system seccomp policy. 1282 * @tc.type: FUNC 1283 * @tc.require: issueI5IUWJ 1284 */ 1285 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSycall001, TestSize.Level1) 1286 { 1287 SeccompUnitTest test; 1288 test.TestSystemSycall(); 1289 } 1290 1291 /** 1292 * @tc.name: TestSetUidGidFilter 1293 * @tc.desc: Verify the uid gid seccomp policy. 1294 * @tc.type: FUNC 1295 * @tc.require: issueI5IUWJ 1296 */ 1297 HWTEST_F(SeccompUnitTest, Init_Seccomp_SetUidGidFilter001, TestSize.Level1) 1298 { 1299 SeccompUnitTest test; 1300 test.TestSetUidGidFilter(); 1301 } 1302 1303 /** 1304 * @tc.name: TestAppSycall 1305 * @tc.desc: Verify the app seccomp policy. 1306 * @tc.type: FUNC 1307 * @tc.require: issueI5MUXD 1308 */ 1309 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1) 1310 { 1311 SeccompUnitTest test; 1312 test.TestAppSycall(); 1313 } 1314 1315 /** 1316 * @tc.name: TestAppAtomicSycall 1317 * @tc.desc: Verify the atomic app seccomp policy. 1318 * @tc.type: FUNC 1319 * @tc.require: issueI5MUXD 1320 */ 1321 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall002, TestSize.Level1) 1322 { 1323 SeccompUnitTest test; 1324 test.TestAppAtomicSyscallForIoctl(); 1325 } 1326 1327 /** 1328 * @tc.name: TestSystemSyscallForUidFilter 1329 * @tc.desc: Verify the system seccomp policy. 1330 * @tc.type: FUNC 1331 * @tc.require: issueI7QET2 1332 */ 1333 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSyscallForUidFilter001, TestSize.Level1) 1334 { 1335 SeccompUnitTest test; 1336 test.TestSystemSyscallForUidFilter(); 1337 } 1338 1339 /** 1340 * @tc.name: TestAppSycallNs 1341 * @tc.desc: Verify the app seccomp policy about namespace. 1342 * @tc.type: FUNC 1343 * @tc.require: issueI8LZTC 1344 */ 1345 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycallNs001, TestSize.Level1) 1346 { 1347 SeccompUnitTest test; 1348 test.TestAppSycallNs(); 1349 } 1350 #ifdef SECCOMP_PRIVILEGE 1351 /** 1352 * @tc.name: TestSeccompPrivilegeSyscall 1353 * @tc.desc: Verify the privilege syscall of app and appspawn. 1354 * @tc.type: FUNC 1355 * @tc.require: issueIAVQ2P 1356 */ 1357 HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompPrivilegeSycall001, TestSize.Level1) 1358 { 1359 SeccompUnitTest test; 1360 test.TestSeccompPrivilegeSyscall(); 1361 } 1362 #endif 1363 1364 #ifdef CUSTOM_SANDBOX 1365 /** 1366 * @tc.name: TestSeccompCustomSyscall 1367 * @tc.desc: Verify the custom syscall of app and appspawn. 1368 * @tc.type: FUNC 1369 * @tc.require: issueIBP64F 1370 */ 1371 HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompCustomSycall001, TestSize.Level1) 1372 { 1373 SeccompUnitTest test; 1374 test.TestSeccompCustomSyscall(); 1375 } 1376 #endif 1377 } 1378