1 /* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #include <gtest/gtest.h> 17 18 #include <cstdlib> 19 #include <unistd.h> 20 #include <sys/wait.h> 21 #include <csignal> 22 #include <cerrno> 23 #include <cstring> 24 #include <sys/prctl.h> 25 #include <sys/types.h> 26 #include <sys/stat.h> 27 #include <fcntl.h> 28 #include <sys/syscall.h> 29 #include <asm/unistd.h> 30 #include <syscall.h> 31 #include <climits> 32 #include <sched.h> 33 34 #include "seccomp_policy.h" 35 36 using SyscallFunc = bool (*)(void); 37 constexpr int SLEEP_TIME_100MS = 100000; // 100ms 38 constexpr int SLEEP_TIME_1S = 1; 39 40 using namespace testing::ext; 41 using namespace std; 42 43 namespace init_ut { 44 class SeccompUnitTest : public testing::Test { 45 public: SeccompUnitTest()46 SeccompUnitTest() {}; ~SeccompUnitTest()47 virtual ~SeccompUnitTest() {}; SetUpTestCase()48 static void SetUpTestCase() {}; TearDownTestCase()49 static void TearDownTestCase() {}; 50 SetUp()51 void SetUp() 52 { 53 /* 54 * Wait for 1 second to prevent the generated crash file 55 * from being overwritten because the crash interval is too short 56 * and the crash file's name is constructed by time stamp. 57 */ 58 sleep(SLEEP_TIME_1S); 59 }; 60 TearDown()61 void TearDown() {}; TestBody(void)62 void TestBody(void) {}; 63 StartChild(SeccompFilterType type,const char * filterName,SyscallFunc func)64 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func) 65 { 66 pid_t pid = fork(); 67 if (pid == 0) { 68 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { 69 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; 70 exit(EXIT_FAILURE); 71 } 72 73 if (IsEnableSeccomp()) { 74 std::cout << "Seccomp is enabled" << std::endl; 75 } 76 77 if (!SetSeccompPolicyWithName(type, filterName)) { 78 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; 79 exit(EXIT_FAILURE); 80 } 81 82 if (!func()) { 83 std::cout << "func excute fail" << std::endl; 84 exit(EXIT_FAILURE); 85 } 86 87 std::cout << "func excute success" << std::endl; 88 89 exit(EXIT_SUCCESS); 90 } 91 return pid; 92 } 93 CheckStatus(int status,bool isAllow)94 static int CheckStatus(int status, bool isAllow) 95 { 96 if (WEXITSTATUS(status) == EXIT_FAILURE) { 97 return -1; 98 } 99 100 if (WIFSIGNALED(status)) { 101 if (WTERMSIG(status) == SIGSYS) { 102 std::cout << "child process exit with SIGSYS" << std::endl; 103 return isAllow ? -1 : 0; 104 } 105 } else { 106 std::cout << "child process finished normally" << std::endl; 107 return isAllow ? 0 : -1; 108 } 109 110 return -1; 111 } 112 CheckSyscall(SeccompFilterType type,const char * filterName,SyscallFunc func,bool isAllow)113 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow) 114 { 115 sigset_t set; 116 int status; 117 pid_t pid; 118 int flag = 0; 119 struct timespec waitTime = {5, 0}; 120 121 sigemptyset(&set); 122 sigaddset(&set, SIGCHLD); 123 sigprocmask(SIG_BLOCK, &set, nullptr); 124 sigaddset(&set, SIGSYS); 125 if (signal(SIGCHLD, SIG_DFL) == nullptr) { 126 std::cout << "signal failed:" << strerror(errno) << std::endl; 127 } 128 if (signal(SIGSYS, SIG_DFL) == nullptr) { 129 std::cout << "signal failed:" << strerror(errno) << std::endl; 130 } 131 132 /* Sleeping for avoiding influencing child proccess wait for other threads 133 * which were created by other unittests to release global rwlock. The global 134 * rwlock will be used by function dlopen in child process */ 135 usleep(SLEEP_TIME_100MS); 136 137 pid = StartChild(type, filterName, func); 138 if (pid == -1) { 139 std::cout << "fork failed:" << strerror(errno) << std::endl; 140 return -1; 141 } 142 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */ 143 if (errno == EAGAIN) { 144 flag = 1; 145 } else { 146 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl; 147 } 148 149 if (kill(pid, SIGKILL) == -1) { 150 std::cout << "kill failed::" << strerror(errno) << std::endl; 151 } 152 } 153 154 if (waitpid(pid, &status, 0) != pid) { 155 std::cout << "waitpid failed:" << strerror(errno) << std::endl; 156 return -1; 157 } 158 159 if (flag != 0) { 160 std::cout << "Child process time out" << std::endl; 161 } 162 163 return CheckStatus(status, isAllow); 164 } 165 CheckUnshare()166 static bool CheckUnshare() 167 { 168 int ret = unshare(CLONE_NEWPID); 169 if (ret) { 170 return false; 171 } 172 return true; 173 } 174 CheckSetns()175 static bool CheckSetns() 176 { 177 int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC); 178 if (fd < 0) { 179 return false; 180 } 181 182 if (setns(fd, CLONE_NEWNS) != 0) { 183 close(fd); 184 return false; 185 } 186 187 close(fd); 188 return true; 189 } 190 ChildFunc(void * arg)191 static int ChildFunc(void *arg) 192 { 193 exit(0); 194 } 195 CheckCloneNs(int flag)196 static bool CheckCloneNs(int flag) 197 { 198 const int stackSize = 65536; 199 200 char *stack = static_cast<char *>(malloc(stackSize)); 201 if (stack == nullptr) { 202 return false; 203 } 204 char *stackTop = stack + stackSize; 205 pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr); 206 if (pid == -1) { 207 free(stack); 208 return false; 209 } 210 return true; 211 } 212 CheckClonePidNs(void)213 static bool CheckClonePidNs(void) 214 { 215 return CheckCloneNs(CLONE_NEWPID); 216 } 217 CheckCloneMntNs(void)218 static bool CheckCloneMntNs(void) 219 { 220 return CheckCloneNs(CLONE_NEWNS); 221 } 222 CheckCloneNetNs(void)223 static bool CheckCloneNetNs(void) 224 { 225 return CheckCloneNs(CLONE_NEWNET); 226 } 227 CheckCloneCgroupNs(void)228 static bool CheckCloneCgroupNs(void) 229 { 230 return CheckCloneNs(CLONE_NEWCGROUP); 231 } 232 CheckCloneUtsNs(void)233 static bool CheckCloneUtsNs(void) 234 { 235 return CheckCloneNs(CLONE_NEWUTS); 236 } 237 CheckCloneIpcNs(void)238 static bool CheckCloneIpcNs(void) 239 { 240 return CheckCloneNs(CLONE_NEWIPC); 241 } 242 CheckCloneUserNs(void)243 static bool CheckCloneUserNs(void) 244 { 245 return CheckCloneNs(CLONE_NEWUSER); 246 } 247 CheckIoctlFlag1()248 static bool CheckIoctlFlag1() 249 { 250 (void)syscall(__NR_ioctl, 0, 0x4000); 251 return true; 252 } 253 CheckIoctlFlag2()254 static bool CheckIoctlFlag2() 255 { 256 (void)syscall(__NR_ioctl, 0, 0x5003); 257 return true; 258 } 259 CheckIoctlFlag3()260 static bool CheckIoctlFlag3() 261 { 262 (void)syscall(__NR_ioctl, 0, 0x5006); 263 return true; 264 } 265 CheckIoctlFlag4()266 static bool CheckIoctlFlag4() 267 { 268 (void)syscall(__NR_ioctl, 0, 0x5007); 269 return true; 270 } 271 CheckIoctlFlag5()272 static bool CheckIoctlFlag5() 273 { 274 (void)syscall(__NR_ioctl, 0, 0x5090); 275 return true; 276 } 277 CheckIoctlFlag6()278 static bool CheckIoctlFlag6() 279 { 280 (void)syscall(__NR_ioctl, 0, 0x5100); 281 return true; 282 } 283 CheckIoctlFlag7()284 static bool CheckIoctlFlag7() 285 { 286 (void)syscall(__NR_ioctl, 0, 0x5104); 287 return true; 288 } 289 CheckIoctlFlag8()290 static bool CheckIoctlFlag8() 291 { 292 (void)syscall(__NR_ioctl, 0, 0x5105); 293 return true; 294 } 295 CheckIoctlFlag9()296 static bool CheckIoctlFlag9() 297 { 298 (void)syscall(__NR_ioctl, 0, 0x5107); 299 return true; 300 } 301 CheckIoctlFlag10()302 static bool CheckIoctlFlag10() 303 { 304 (void)syscall(__NR_ioctl, 0, 0x510a); 305 return true; 306 } 307 CheckIoctlFlag11()308 static bool CheckIoctlFlag11() 309 { 310 (void)syscall(__NR_ioctl, 0, 0x5110); 311 return true; 312 } 313 CheckIoctlFlag12()314 static bool CheckIoctlFlag12() 315 { 316 (void)syscall(__NR_ioctl, 0, 0x5300); 317 return true; 318 } 319 CheckIoctlFlag13()320 static bool CheckIoctlFlag13() 321 { 322 (void)syscall(__NR_ioctl, 0, 0x5310); 323 return true; 324 } 325 CheckIoctlFlag14()326 static bool CheckIoctlFlag14() 327 { 328 (void)syscall(__NR_ioctl, 0, 0x5400); 329 return true; 330 } 331 CheckIoctlFlag15()332 static bool CheckIoctlFlag15() 333 { 334 (void)syscall(__NR_ioctl, 0, 0x5480); 335 return true; 336 } 337 CheckIoctlFlag16()338 static bool CheckIoctlFlag16() 339 { 340 (void)syscall(__NR_ioctl, 0, 0x5482); 341 return true; 342 } 343 CheckIoctlFlag17()344 static bool CheckIoctlFlag17() 345 { 346 (void)syscall(__NR_ioctl, 0, 0x5500); 347 return true; 348 } 349 TestAppAtomicSyscallForIoctl()350 void TestAppAtomicSyscallForIoctl() 351 { 352 int ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag1, true); 353 EXPECT_EQ(ret, 0); 354 355 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag2, false); 356 EXPECT_EQ(ret, 0); 357 358 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag3, true); 359 EXPECT_EQ(ret, 0); 360 361 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag4, false); 362 EXPECT_EQ(ret, 0); 363 364 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag5, true); 365 EXPECT_EQ(ret, 0); 366 367 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag6, false); 368 EXPECT_EQ(ret, 0); 369 370 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag7, true); 371 EXPECT_EQ(ret, 0); 372 373 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag8, false); 374 EXPECT_EQ(ret, 0); 375 376 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag9, true); 377 EXPECT_EQ(ret, 0); 378 379 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag10, false); 380 EXPECT_EQ(ret, 0); 381 382 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag11, true); 383 EXPECT_EQ(ret, 0); 384 385 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag12, false); 386 EXPECT_EQ(ret, 0); 387 388 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag13, true); 389 EXPECT_EQ(ret, 0); 390 391 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag14, false); 392 EXPECT_EQ(ret, 0); 393 394 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag15, true); 395 EXPECT_EQ(ret, 0); 396 397 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag16, false); 398 EXPECT_EQ(ret, 0); 399 400 ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag17, true); 401 EXPECT_EQ(ret, 0); 402 } 403 CheckIoUringFlag1()404 static bool CheckIoUringFlag1() 405 { 406 (void)syscall(SYS_io_uring_setup, 0, nullptr); 407 return true; 408 } 409 CheckIoUringFlag2()410 static bool CheckIoUringFlag2() 411 { 412 (void)syscall(SYS_io_uring_enter, 0, nullptr, 0, 0, nullptr); 413 return true; 414 } 415 CheckIoUringFlag3()416 static bool CheckIoUringFlag3() 417 { 418 (void)syscall(SYS_io_uring_register, 0, "example", 0); 419 return true; 420 } 421 TestAppAllowIoUringSyscall()422 void TestAppAllowIoUringSyscall() 423 { 424 int ret = CheckSyscall(APP, APP_ALLOW_IOURING, CheckIoUringFlag1, true); 425 EXPECT_EQ(ret, 0); 426 427 ret = CheckSyscall(APP, APP_NAME, CheckIoUringFlag1, false); 428 EXPECT_EQ(ret, 0); 429 430 ret = CheckSyscall(APP, APP_ALLOW_IOURING, CheckIoUringFlag2, true); 431 EXPECT_EQ(ret, 0); 432 433 ret = CheckSyscall(APP, APP_NAME, CheckIoUringFlag2, false); 434 EXPECT_EQ(ret, 0); 435 436 ret = CheckSyscall(APP, APP_ALLOW_IOURING, CheckIoUringFlag3, true); 437 EXPECT_EQ(ret, 0); 438 439 ret = CheckSyscall(APP, APP_NAME, CheckIoUringFlag3, false); 440 EXPECT_EQ(ret, 0); 441 } 442 443 #if defined __aarch64__ CheckMqOpen()444 static bool CheckMqOpen() 445 { 446 int ret = (int)syscall(__NR_mq_open, nullptr, 0); 447 if (ret < 0) { 448 return false; 449 } 450 451 return true; 452 } 453 CheckGetpid()454 static bool CheckGetpid() 455 { 456 pid_t pid = 1; 457 pid = syscall(__NR_getpid); 458 if (pid > 1) { 459 return true; 460 } 461 return false; 462 } 463 CheckGetuid()464 static bool CheckGetuid() 465 { 466 uid_t uid = 0; 467 uid = syscall(__NR_getuid); 468 if (uid >= 0) { 469 return true; 470 } 471 472 return false; 473 } 474 CheckSetresuidArgsInRange()475 static bool CheckSetresuidArgsInRange() 476 { 477 int ret = syscall(__NR_setresuid, 20000, 20000, 20000); 478 if (ret == 0) { 479 return true; 480 } 481 482 return false; 483 } 484 CheckSetresuidArgsOutOfRange()485 static bool CheckSetresuidArgsOutOfRange() 486 { 487 int ret = syscall(__NR_setresuid, 800, 800, 800); 488 if (ret == 0) { 489 return true; 490 } 491 492 return false; 493 } 494 CheckSetuid()495 static bool CheckSetuid() 496 { 497 int uid = syscall(__NR_setuid, 1); 498 if (uid == 0) { 499 return true; 500 } 501 502 return false; 503 } 504 CheckSetuid64ForUidFilter1()505 static bool CheckSetuid64ForUidFilter1() 506 { 507 int ret = syscall(__NR_setuid, 0); 508 if (ret == 0) { 509 return true; 510 } 511 512 return false; 513 } 514 CheckSetuid64ForUidFilter2()515 static bool CheckSetuid64ForUidFilter2() 516 { 517 int ret = syscall(__NR_setuid, 2); 518 if (ret == 0) { 519 return true; 520 } 521 522 return false; 523 } 524 CheckSetreuid64ForUidFilter1()525 static bool CheckSetreuid64ForUidFilter1() 526 { 527 int ret = syscall(__NR_setreuid, 0, 2); 528 if (ret == 0) { 529 return true; 530 } 531 532 return false; 533 } 534 CheckSetreuid64ForUidFilter2()535 static bool CheckSetreuid64ForUidFilter2() 536 { 537 int ret = syscall(__NR_setreuid, 2, 0); 538 if (ret == 0) { 539 return true; 540 } 541 542 return false; 543 } 544 CheckSetreuid64ForUidFilter3()545 static bool CheckSetreuid64ForUidFilter3() 546 { 547 int ret = syscall(__NR_setreuid, 0, 0); 548 if (ret == 0) { 549 return true; 550 } 551 552 return false; 553 } 554 CheckSetreuid64ForUidFilter4()555 static bool CheckSetreuid64ForUidFilter4() 556 { 557 int ret = syscall(__NR_setreuid, 2, 2); 558 if (ret == 0) { 559 return true; 560 } 561 562 return false; 563 } 564 CheckSetfsuid64ForUidFilter1()565 static bool CheckSetfsuid64ForUidFilter1() 566 { 567 int ret = syscall(__NR_setfsuid, 0); 568 if (ret == 0) { 569 return true; 570 } 571 572 return false; 573 } 574 CheckSetfsuid64ForUidFilter2()575 static bool CheckSetfsuid64ForUidFilter2() 576 { 577 int ret = syscall(__NR_setfsuid, 2); 578 if (ret == 0) { 579 return true; 580 } 581 582 return false; 583 } 584 CheckSetresuid64ForUidFilter1()585 static bool CheckSetresuid64ForUidFilter1() 586 { 587 int ret = syscall(__NR_setresuid, 0, 0, 0); 588 if (ret == 0) { 589 return true; 590 } 591 592 return false; 593 } 594 CheckSetresuid64ForUidFilter2()595 static bool CheckSetresuid64ForUidFilter2() 596 { 597 int ret = syscall(__NR_setresuid, 2, 0, 0); 598 if (ret == 0) { 599 return true; 600 } 601 602 return false; 603 } 604 CheckSetresuid64ForUidFilter3()605 static bool CheckSetresuid64ForUidFilter3() 606 { 607 int ret = syscall(__NR_setresuid, 0, 2, 0); 608 if (ret == 0) { 609 return true; 610 } 611 612 return false; 613 } 614 CheckSetresuid64ForUidFilter4()615 static bool CheckSetresuid64ForUidFilter4() 616 { 617 int ret = syscall(__NR_setresuid, 0, 0, 2); 618 if (ret == 0) { 619 return true; 620 } 621 622 return false; 623 } 624 CheckSetresuid64ForUidFilter5()625 static bool CheckSetresuid64ForUidFilter5() 626 { 627 int ret = syscall(__NR_setresuid, 0, 2, 2); 628 if (ret == 0) { 629 return true; 630 } 631 632 return false; 633 } 634 CheckSetresuid64ForUidFilter6()635 static bool CheckSetresuid64ForUidFilter6() 636 { 637 int ret = syscall(__NR_setresuid, 2, 0, 2); 638 if (ret == 0) { 639 return true; 640 } 641 642 return false; 643 } 644 CheckSetresuid64ForUidFilter7()645 static bool CheckSetresuid64ForUidFilter7() 646 { 647 int ret = syscall(__NR_setresuid, 2, 2, 0); 648 if (ret == 0) { 649 return true; 650 } 651 652 return false; 653 } 654 CheckSetresuid64ForUidFilter8()655 static bool CheckSetresuid64ForUidFilter8() 656 { 657 int ret = syscall(__NR_setresuid, 2, 2, 2); 658 if (ret == 0) { 659 return true; 660 } 661 662 return false; 663 } 664 TestSystemSycall()665 void TestSystemSycall() 666 { 667 // system blocklist 668 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckMqOpen, false); 669 EXPECT_EQ(ret, 0); 670 671 // system allowlist 672 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true); 673 EXPECT_EQ(ret, 0); 674 } 675 TestSystemSyscallForUidFilter()676 void TestSystemSyscallForUidFilter() 677 { 678 // system_uid_filter_64bit_test 679 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false); 680 EXPECT_EQ(ret, 0); 681 682 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true); 683 EXPECT_EQ(ret, 0); 684 685 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false); 686 EXPECT_EQ(ret, 0); 687 688 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false); 689 EXPECT_EQ(ret, 0); 690 691 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false); 692 EXPECT_EQ(ret, 0); 693 694 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true); 695 EXPECT_EQ(ret, 0); 696 697 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false); 698 EXPECT_EQ(ret, 0); 699 700 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true); 701 EXPECT_EQ(ret, 0); 702 703 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false); 704 EXPECT_EQ(ret, 0); 705 706 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false); 707 EXPECT_EQ(ret, 0); 708 709 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false); 710 EXPECT_EQ(ret, 0); 711 712 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false); 713 EXPECT_EQ(ret, 0); 714 715 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false); 716 EXPECT_EQ(ret, 0); 717 718 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false); 719 EXPECT_EQ(ret, 0); 720 721 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false); 722 EXPECT_EQ(ret, 0); 723 724 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true); 725 EXPECT_EQ(ret, 0); 726 } 727 TestSetUidGidFilter()728 void TestSetUidGidFilter() 729 { 730 // system blocklist 731 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); 732 EXPECT_EQ(ret, 0); 733 734 // system allowlist 735 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true); 736 EXPECT_EQ(ret, 0); 737 } 738 TestAppSycall()739 void TestAppSycall() 740 { 741 // app blocklist 742 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false); 743 EXPECT_EQ(ret, 0); 744 745 // app allowlist 746 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true); 747 EXPECT_EQ(ret, 0); 748 } 749 750 #ifdef SECCOMP_PRIVILEGE TestSeccompPrivilegeSyscall()751 void TestSeccompPrivilegeSyscall() 752 { 753 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid64ForUidFilter1, true); 754 EXPECT_EQ(ret, 0); 755 } 756 #endif 757 758 #ifdef CUSTOM_SANDBOX TestSeccompCustomSyscall()759 void TestSeccompCustomSyscall() 760 { 761 // app custom allowlist 762 int ret = CheckSyscall(APP, APP_CUSTOM, CheckGetpid, true); 763 EXPECT_EQ(ret, 0); 764 765 // app custom blocklist 766 ret = CheckSyscall(APP, APP_CUSTOM, CheckSetuid, false); 767 EXPECT_EQ(ret, 0); 768 } 769 #endif 770 771 #elif defined __arm__ CheckGetuid32()772 static bool CheckGetuid32() 773 { 774 uid_t uid = syscall(__NR_getuid32); 775 if (uid >= 0) { 776 return true; 777 } 778 return false; 779 } 780 CheckGetuid()781 static bool CheckGetuid() 782 { 783 uid_t uid = syscall(__NR_getuid); 784 if (uid >= 0) { 785 return true; 786 } 787 return false; 788 } 789 CheckSetuid32()790 static bool CheckSetuid32() 791 { 792 int ret = syscall(__NR_setuid32, 1); 793 if (ret == 0) { 794 return true; 795 } 796 797 return false; 798 } 799 CheckSetresuid32ArgsInRange()800 static bool CheckSetresuid32ArgsInRange() 801 { 802 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); 803 if (ret == 0) { 804 return true; 805 } 806 807 return false; 808 } 809 CheckSetresuid32ArgsOutOfRange()810 static bool CheckSetresuid32ArgsOutOfRange() 811 { 812 int ret = syscall(__NR_setresuid32, 800, 800, 800); 813 if (ret == 0) { 814 return true; 815 } 816 817 return false; 818 } 819 CheckSetuid32ForUidFilter1()820 static bool CheckSetuid32ForUidFilter1() 821 { 822 int ret = syscall(__NR_setuid32, 0); 823 if (ret == 0) { 824 return true; 825 } 826 827 return false; 828 } 829 CheckSetuid32ForUidFilter2()830 static bool CheckSetuid32ForUidFilter2() 831 { 832 int ret = syscall(__NR_setuid32, 2); 833 if (ret == 0) { 834 return true; 835 } 836 837 return false; 838 } 839 CheckSetuid16ForUidFilter1()840 static bool CheckSetuid16ForUidFilter1() 841 { 842 int ret = syscall(__NR_setuid, 0); 843 if (ret == 0) { 844 return true; 845 } 846 847 return false; 848 } 849 CheckSetuid16ForUidFilter2()850 static bool CheckSetuid16ForUidFilter2() 851 { 852 int ret = syscall(__NR_setuid, 2); 853 if (ret == 0) { 854 return true; 855 } 856 857 return false; 858 } 859 CheckSetreuid32ForUidFilter1()860 static bool CheckSetreuid32ForUidFilter1() 861 { 862 int ret = syscall(__NR_setreuid32, 0, 2); 863 if (ret == 0) { 864 return true; 865 } 866 867 return false; 868 } 869 CheckSetreuid32ForUidFilter2()870 static bool CheckSetreuid32ForUidFilter2() 871 { 872 int ret = syscall(__NR_setreuid32, 2, 0); 873 if (ret == 0) { 874 return true; 875 } 876 877 return false; 878 } 879 CheckSetreuid32ForUidFilter3()880 static bool CheckSetreuid32ForUidFilter3() 881 { 882 int ret = syscall(__NR_setreuid32, 0, 0); 883 if (ret == 0) { 884 return true; 885 } 886 887 return false; 888 } 889 CheckSetreuid32ForUidFilter4()890 static bool CheckSetreuid32ForUidFilter4() 891 { 892 int ret = syscall(__NR_setreuid32, 2, 2); 893 if (ret == 0) { 894 return true; 895 } 896 897 return false; 898 } 899 CheckSetreuid16ForUidFilter1()900 static bool CheckSetreuid16ForUidFilter1() 901 { 902 int ret = syscall(__NR_setreuid, 0, 2); 903 if (ret == 0) { 904 return true; 905 } 906 907 return false; 908 } 909 CheckSetreuid16ForUidFilter2()910 static bool CheckSetreuid16ForUidFilter2() 911 { 912 int ret = syscall(__NR_setreuid, 2, 0); 913 if (ret == 0) { 914 return true; 915 } 916 917 return false; 918 } 919 CheckSetreuid16ForUidFilter3()920 static bool CheckSetreuid16ForUidFilter3() 921 { 922 int ret = syscall(__NR_setreuid, 0, 0); 923 if (ret == 0) { 924 return true; 925 } 926 927 return false; 928 } 929 CheckSetreuid16ForUidFilter4()930 static bool CheckSetreuid16ForUidFilter4() 931 { 932 int ret = syscall(__NR_setreuid, 2, 2); 933 if (ret == 0) { 934 return true; 935 } 936 937 return false; 938 } 939 CheckSetfsuid32ForUidFilter1()940 static bool CheckSetfsuid32ForUidFilter1() 941 { 942 int ret = syscall(__NR_setfsuid32, 0); 943 if (ret == 0) { 944 return true; 945 } 946 947 return false; 948 } 949 CheckSetfsuid32ForUidFilter2()950 static bool CheckSetfsuid32ForUidFilter2() 951 { 952 int ret = syscall(__NR_setfsuid32, 2); 953 if (ret == 0) { 954 return true; 955 } 956 957 return false; 958 } 959 CheckSetfsuid16ForUidFilter1()960 static bool CheckSetfsuid16ForUidFilter1() 961 { 962 int ret = syscall(__NR_setfsuid, 0); 963 if (ret == 0) { 964 return true; 965 } 966 967 return false; 968 } 969 CheckSetfsuid16ForUidFilter2()970 static bool CheckSetfsuid16ForUidFilter2() 971 { 972 int ret = syscall(__NR_setfsuid, 2); 973 if (ret == 0) { 974 return true; 975 } 976 977 return false; 978 } 979 CheckSetresuid32ForUidFilter1()980 static bool CheckSetresuid32ForUidFilter1() 981 { 982 int ret = syscall(__NR_setresuid32, 0, 0, 0); 983 if (ret == 0) { 984 return true; 985 } 986 987 return false; 988 } 989 CheckSetresuid32ForUidFilter2()990 static bool CheckSetresuid32ForUidFilter2() 991 { 992 int ret = syscall(__NR_setresuid32, 2, 0, 0); 993 if (ret == 0) { 994 return true; 995 } 996 997 return false; 998 } 999 CheckSetresuid32ForUidFilter3()1000 static bool CheckSetresuid32ForUidFilter3() 1001 { 1002 int ret = syscall(__NR_setresuid32, 0, 2, 0); 1003 if (ret == 0) { 1004 return true; 1005 } 1006 1007 return false; 1008 } 1009 CheckSetresuid32ForUidFilter4()1010 static bool CheckSetresuid32ForUidFilter4() 1011 { 1012 int ret = syscall(__NR_setresuid32, 0, 0, 2); 1013 if (ret == 0) { 1014 return true; 1015 } 1016 1017 return false; 1018 } 1019 CheckSetresuid32ForUidFilter5()1020 static bool CheckSetresuid32ForUidFilter5() 1021 { 1022 int ret = syscall(__NR_setresuid32, 0, 2, 2); 1023 if (ret == 0) { 1024 return true; 1025 } 1026 1027 return false; 1028 } 1029 CheckSetresuid32ForUidFilter6()1030 static bool CheckSetresuid32ForUidFilter6() 1031 { 1032 int ret = syscall(__NR_setresuid32, 2, 0, 2); 1033 if (ret == 0) { 1034 return true; 1035 } 1036 1037 return false; 1038 } 1039 CheckSetresuid32ForUidFilter7()1040 static bool CheckSetresuid32ForUidFilter7() 1041 { 1042 int ret = syscall(__NR_setresuid32, 2, 2, 0); 1043 if (ret == 0) { 1044 return true; 1045 } 1046 1047 return false; 1048 } 1049 CheckSetresuid32ForUidFilter8()1050 static bool CheckSetresuid32ForUidFilter8() 1051 { 1052 int ret = syscall(__NR_setresuid32, 2, 2, 2); 1053 if (ret == 0) { 1054 return true; 1055 } 1056 1057 return false; 1058 } 1059 CheckSetresuid16ForUidFilter1()1060 static bool CheckSetresuid16ForUidFilter1() 1061 { 1062 int ret = syscall(__NR_setresuid, 0, 0, 0); 1063 if (ret == 0) { 1064 return true; 1065 } 1066 1067 return false; 1068 } 1069 CheckSetresuid16ForUidFilter2()1070 static bool CheckSetresuid16ForUidFilter2() 1071 { 1072 int ret = syscall(__NR_setresuid, 2, 0, 0); 1073 if (ret == 0) { 1074 return true; 1075 } 1076 1077 return false; 1078 } 1079 CheckSetresuid16ForUidFilter3()1080 static bool CheckSetresuid16ForUidFilter3() 1081 { 1082 int ret = syscall(__NR_setresuid, 0, 2, 0); 1083 if (ret == 0) { 1084 return true; 1085 } 1086 1087 return false; 1088 } 1089 CheckSetresuid16ForUidFilter4()1090 static bool CheckSetresuid16ForUidFilter4() 1091 { 1092 int ret = syscall(__NR_setresuid, 0, 0, 2); 1093 if (ret == 0) { 1094 return true; 1095 } 1096 1097 return false; 1098 } 1099 CheckSetresuid16ForUidFilter5()1100 static bool CheckSetresuid16ForUidFilter5() 1101 { 1102 int ret = syscall(__NR_setresuid, 0, 2, 2); 1103 if (ret == 0) { 1104 return true; 1105 } 1106 1107 return false; 1108 } 1109 CheckSetresuid16ForUidFilter6()1110 static bool CheckSetresuid16ForUidFilter6() 1111 { 1112 int ret = syscall(__NR_setresuid, 2, 0, 2); 1113 if (ret == 0) { 1114 return true; 1115 } 1116 1117 return false; 1118 } 1119 CheckSetresuid16ForUidFilter7()1120 static bool CheckSetresuid16ForUidFilter7() 1121 { 1122 int ret = syscall(__NR_setresuid, 2, 2, 0); 1123 if (ret == 0) { 1124 return true; 1125 } 1126 1127 return false; 1128 } 1129 CheckSetresuid16ForUidFilter8()1130 static bool CheckSetresuid16ForUidFilter8() 1131 { 1132 int ret = syscall(__NR_setresuid, 2, 2, 2); 1133 if (ret == 0) { 1134 return true; 1135 } 1136 1137 return false; 1138 } 1139 TestSystemSycall()1140 void TestSystemSycall() 1141 { 1142 // system blocklist 1143 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false); 1144 EXPECT_EQ(ret, 0); 1145 1146 // system allowlist 1147 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true); 1148 EXPECT_EQ(ret, 0); 1149 } 1150 TestSystemSyscallForUidFilter32Bit()1151 void TestSystemSyscallForUidFilter32Bit() 1152 { 1153 // system_uid_filter_32bit_test 1154 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false); 1155 EXPECT_EQ(ret, 0); 1156 1157 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true); 1158 EXPECT_EQ(ret, 0); 1159 1160 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false); 1161 EXPECT_EQ(ret, 0); 1162 1163 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false); 1164 EXPECT_EQ(ret, 0); 1165 1166 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false); 1167 EXPECT_EQ(ret, 0); 1168 1169 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true); 1170 EXPECT_EQ(ret, 0); 1171 1172 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false); 1173 EXPECT_EQ(ret, 0); 1174 1175 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true); 1176 EXPECT_EQ(ret, 0); 1177 1178 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false); 1179 EXPECT_EQ(ret, 0); 1180 1181 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false); 1182 EXPECT_EQ(ret, 0); 1183 1184 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false); 1185 EXPECT_EQ(ret, 0); 1186 1187 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false); 1188 EXPECT_EQ(ret, 0); 1189 1190 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false); 1191 EXPECT_EQ(ret, 0); 1192 1193 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false); 1194 EXPECT_EQ(ret, 0); 1195 1196 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false); 1197 EXPECT_EQ(ret, 0); 1198 1199 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true); 1200 EXPECT_EQ(ret, 0); 1201 } 1202 TestSystemSyscallForUidFilter16Bit()1203 void TestSystemSyscallForUidFilter16Bit() 1204 { 1205 // system_uid_filter_16bit_test 1206 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false); 1207 EXPECT_EQ(ret, 0); 1208 1209 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true); 1210 EXPECT_EQ(ret, 0); 1211 1212 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false); 1213 EXPECT_EQ(ret, 0); 1214 1215 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false); 1216 EXPECT_EQ(ret, 0); 1217 1218 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false); 1219 EXPECT_EQ(ret, 0); 1220 1221 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true); 1222 EXPECT_EQ(ret, 0); 1223 1224 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false); 1225 EXPECT_EQ(ret, 0); 1226 1227 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true); 1228 EXPECT_EQ(ret, 0); 1229 1230 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false); 1231 EXPECT_EQ(ret, 0); 1232 1233 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false); 1234 EXPECT_EQ(ret, 0); 1235 1236 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false); 1237 EXPECT_EQ(ret, 0); 1238 1239 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false); 1240 EXPECT_EQ(ret, 0); 1241 1242 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false); 1243 EXPECT_EQ(ret, 0); 1244 1245 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false); 1246 EXPECT_EQ(ret, 0); 1247 1248 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false); 1249 EXPECT_EQ(ret, 0); 1250 1251 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true); 1252 EXPECT_EQ(ret, 0); 1253 } 1254 TestSystemSyscallForUidFilter()1255 void TestSystemSyscallForUidFilter() 1256 { 1257 TestSystemSyscallForUidFilter32Bit(); 1258 TestSystemSyscallForUidFilter16Bit(); 1259 } 1260 TestSetUidGidFilter()1261 void TestSetUidGidFilter() 1262 { 1263 // system blocklist 1264 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); 1265 EXPECT_EQ(ret, 0); 1266 1267 // system allowlist 1268 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); 1269 EXPECT_EQ(ret, 0); 1270 } 1271 TestAppSycall()1272 void TestAppSycall() 1273 { 1274 // app blocklist 1275 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false); 1276 EXPECT_EQ(ret, 0); 1277 1278 // app allowlist 1279 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true); 1280 EXPECT_EQ(ret, 0); 1281 } 1282 1283 #ifdef SECCOMP_PRIVILEGE TestSeccompPrivilegeSyscall()1284 void TestSeccompPrivilegeSyscall() 1285 { 1286 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid32ForUidFilter1, true); 1287 EXPECT_EQ(ret, 0); 1288 } 1289 #endif 1290 #endif TestAppSycallNs()1291 void TestAppSycallNs() 1292 { 1293 int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false); 1294 EXPECT_EQ(ret, 0); 1295 1296 ret = CheckSyscall(APP, APP_NAME, CheckSetns, false); 1297 EXPECT_EQ(ret, 0); 1298 1299 ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false); 1300 EXPECT_EQ(ret, 0); 1301 1302 ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false); 1303 EXPECT_EQ(ret, 0); 1304 1305 ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false); 1306 EXPECT_EQ(ret, 0); 1307 1308 ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false); 1309 EXPECT_EQ(ret, 0); 1310 1311 ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false); 1312 EXPECT_EQ(ret, 0); 1313 1314 ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false); 1315 EXPECT_EQ(ret, 0); 1316 1317 ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false); 1318 EXPECT_EQ(ret, 0); 1319 } 1320 }; 1321 1322 /** 1323 * @tc.name: TestSystemSycall 1324 * @tc.desc: Verify the system seccomp policy. 1325 * @tc.type: FUNC 1326 * @tc.require: issueI5IUWJ 1327 */ 1328 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSycall001, TestSize.Level1) 1329 { 1330 SeccompUnitTest test; 1331 test.TestSystemSycall(); 1332 } 1333 1334 /** 1335 * @tc.name: TestSetUidGidFilter 1336 * @tc.desc: Verify the uid gid seccomp policy. 1337 * @tc.type: FUNC 1338 * @tc.require: issueI5IUWJ 1339 */ 1340 HWTEST_F(SeccompUnitTest, Init_Seccomp_SetUidGidFilter001, TestSize.Level1) 1341 { 1342 SeccompUnitTest test; 1343 test.TestSetUidGidFilter(); 1344 } 1345 1346 /** 1347 * @tc.name: TestAppSycall 1348 * @tc.desc: Verify the app seccomp policy. 1349 * @tc.type: FUNC 1350 * @tc.require: issueI5MUXD 1351 */ 1352 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1) 1353 { 1354 SeccompUnitTest test; 1355 test.TestAppSycall(); 1356 } 1357 1358 /** 1359 * @tc.name: TestAppAtomicSycall 1360 * @tc.desc: Verify the atomic app seccomp policy. 1361 * @tc.type: FUNC 1362 * @tc.require: issueI5MUXD 1363 */ 1364 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall002, TestSize.Level1) 1365 { 1366 SeccompUnitTest test; 1367 test.TestAppAtomicSyscallForIoctl(); 1368 } 1369 1370 /** 1371 * @tc.name: TestAppIoUringSycall 1372 * @tc.desc: Verify the app seccomp policy with io uring. 1373 * @tc.type: FUNC 1374 * @tc.require: issueI5MUXD 1375 */ 1376 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall003, TestSize.Level1) 1377 { 1378 SeccompUnitTest test; 1379 test.TestAppAllowIoUringSyscall(); 1380 } 1381 1382 /** 1383 * @tc.name: TestSystemSyscallForUidFilter 1384 * @tc.desc: Verify the system seccomp policy. 1385 * @tc.type: FUNC 1386 * @tc.require: issueI7QET2 1387 */ 1388 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSyscallForUidFilter001, TestSize.Level1) 1389 { 1390 SeccompUnitTest test; 1391 test.TestSystemSyscallForUidFilter(); 1392 } 1393 1394 /** 1395 * @tc.name: TestAppSycallNs 1396 * @tc.desc: Verify the app seccomp policy about namespace. 1397 * @tc.type: FUNC 1398 * @tc.require: issueI8LZTC 1399 */ 1400 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycallNs001, TestSize.Level1) 1401 { 1402 SeccompUnitTest test; 1403 test.TestAppSycallNs(); 1404 } 1405 #ifdef SECCOMP_PRIVILEGE 1406 /** 1407 * @tc.name: TestSeccompPrivilegeSyscall 1408 * @tc.desc: Verify the privilege syscall of app and appspawn. 1409 * @tc.type: FUNC 1410 * @tc.require: issueIAVQ2P 1411 */ 1412 HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompPrivilegeSycall001, TestSize.Level1) 1413 { 1414 SeccompUnitTest test; 1415 test.TestSeccompPrivilegeSyscall(); 1416 } 1417 #endif 1418 1419 #ifdef CUSTOM_SANDBOX 1420 /** 1421 * @tc.name: TestSeccompCustomSyscall 1422 * @tc.desc: Verify the custom syscall of app and appspawn. 1423 * @tc.type: FUNC 1424 * @tc.require: issueIBP64F 1425 */ 1426 HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompCustomSycall001, TestSize.Level1) 1427 { 1428 SeccompUnitTest test; 1429 test.TestSeccompCustomSyscall(); 1430 } 1431 #endif 1432 } 1433