1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
4 *
5 * Test code for seccomp bpf.
6 */
7
8 #define _GNU_SOURCE
9 #include <sys/types.h>
10
11 /*
12 * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
13 * we need to use the kernel's siginfo.h file and trick glibc
14 * into accepting it.
15 */
16 #if defined(__GLIBC_PREREQ)
17 #if !__GLIBC_PREREQ(2, 26)
18 # include <asm/siginfo.h>
19 # define __have_siginfo_t 1
20 # define __have_sigval_t 1
21 # define __have_sigevent_t 1
22 #endif
23 #endif
24
25 #include <errno.h>
26 #include <linux/filter.h>
27 #include <sys/prctl.h>
28 #include <sys/ptrace.h>
29 #include <sys/user.h>
30 #include <linux/prctl.h>
31 #include <linux/ptrace.h>
32 #include <linux/seccomp.h>
33 #include <pthread.h>
34 #include <semaphore.h>
35 #include <signal.h>
36 #include <stddef.h>
37 #include <stdbool.h>
38 #include <string.h>
39 #include <time.h>
40 #include <limits.h>
41 #include <linux/elf.h>
42 #include <sys/uio.h>
43 #include <sys/utsname.h>
44 #include <sys/fcntl.h>
45 #include <sys/mman.h>
46 #include <sys/times.h>
47 #include <sys/socket.h>
48 #include <sys/ioctl.h>
49 #include <linux/kcmp.h>
50
51 #include <unistd.h>
52 #include <sys/syscall.h>
53 #include <poll.h>
54
55 #include "../kselftest_harness.h"
56
57 #ifndef PR_SET_PTRACER
58 # define PR_SET_PTRACER 0x59616d61
59 #endif
60
61 #ifndef PR_SET_NO_NEW_PRIVS
62 #define PR_SET_NO_NEW_PRIVS 38
63 #define PR_GET_NO_NEW_PRIVS 39
64 #endif
65
66 #ifndef PR_SECCOMP_EXT
67 #define PR_SECCOMP_EXT 43
68 #endif
69
70 #ifndef SECCOMP_EXT_ACT
71 #define SECCOMP_EXT_ACT 1
72 #endif
73
74 #ifndef SECCOMP_EXT_ACT_TSYNC
75 #define SECCOMP_EXT_ACT_TSYNC 1
76 #endif
77
78 #ifndef SECCOMP_MODE_STRICT
79 #define SECCOMP_MODE_STRICT 1
80 #endif
81
82 #ifndef SECCOMP_MODE_FILTER
83 #define SECCOMP_MODE_FILTER 2
84 #endif
85
86 #ifndef SECCOMP_RET_ALLOW
87 struct seccomp_data {
88 int nr;
89 __u32 arch;
90 __u64 instruction_pointer;
91 __u64 args[6];
92 };
93 #endif
94
95 #ifndef SECCOMP_RET_KILL_PROCESS
96 #define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
97 #define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
98 #endif
99 #ifndef SECCOMP_RET_KILL
100 #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
101 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
102 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
103 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
104 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
105 #endif
106 #ifndef SECCOMP_RET_LOG
107 #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
108 #endif
109
110 #ifndef __NR_seccomp
111 # if defined(__i386__)
112 # define __NR_seccomp 354
113 # elif defined(__x86_64__)
114 # define __NR_seccomp 317
115 # elif defined(__arm__)
116 # define __NR_seccomp 383
117 # elif defined(__aarch64__)
118 # define __NR_seccomp 277
119 # elif defined(__riscv)
120 # define __NR_seccomp 277
121 # elif defined(__hppa__)
122 # define __NR_seccomp 338
123 # elif defined(__powerpc__)
124 # define __NR_seccomp 358
125 # elif defined(__s390__)
126 # define __NR_seccomp 348
127 # else
128 # warning "seccomp syscall number unknown for this architecture"
129 # define __NR_seccomp 0xffff
130 # endif
131 #endif
132
133 #ifndef SECCOMP_SET_MODE_STRICT
134 #define SECCOMP_SET_MODE_STRICT 0
135 #endif
136
137 #ifndef SECCOMP_SET_MODE_FILTER
138 #define SECCOMP_SET_MODE_FILTER 1
139 #endif
140
141 #ifndef SECCOMP_GET_ACTION_AVAIL
142 #define SECCOMP_GET_ACTION_AVAIL 2
143 #endif
144
145 #ifndef SECCOMP_GET_NOTIF_SIZES
146 #define SECCOMP_GET_NOTIF_SIZES 3
147 #endif
148
149 #ifndef SECCOMP_FILTER_FLAG_TSYNC
150 #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
151 #endif
152
153 #ifndef SECCOMP_FILTER_FLAG_LOG
154 #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
155 #endif
156
157 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
158 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
159 #endif
160
161 #ifndef PTRACE_SECCOMP_GET_METADATA
162 #define PTRACE_SECCOMP_GET_METADATA 0x420d
163
164 struct seccomp_metadata {
165 __u64 filter_off; /* Input: which filter */
166 __u64 flags; /* Output: filter's flags */
167 };
168 #endif
169
170 #ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
171 #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
172
173 #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
174
175 #define SECCOMP_IOC_MAGIC '!'
176 #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
177 #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
178 #define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
179 #define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
180
181 /* Flags for seccomp notification fd ioctl. */
182 #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
183 #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
184 struct seccomp_notif_resp)
185 #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
186
187 struct seccomp_notif {
188 __u64 id;
189 __u32 pid;
190 __u32 flags;
191 struct seccomp_data data;
192 };
193
194 struct seccomp_notif_resp {
195 __u64 id;
196 __s64 val;
197 __s32 error;
198 __u32 flags;
199 };
200
201 struct seccomp_notif_sizes {
202 __u16 seccomp_notif;
203 __u16 seccomp_notif_resp;
204 __u16 seccomp_data;
205 };
206 #endif
207
208 #ifndef PTRACE_EVENTMSG_SYSCALL_ENTRY
209 #define PTRACE_EVENTMSG_SYSCALL_ENTRY 1
210 #define PTRACE_EVENTMSG_SYSCALL_EXIT 2
211 #endif
212
213 #ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
214 #define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
215 #endif
216
217 #ifndef seccomp
seccomp(unsigned int op,unsigned int flags,void * args)218 int seccomp(unsigned int op, unsigned int flags, void *args)
219 {
220 errno = 0;
221 return syscall(__NR_seccomp, op, flags, args);
222 }
223 #endif
224
225 #if __BYTE_ORDER == __LITTLE_ENDIAN
226 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
227 #elif __BYTE_ORDER == __BIG_ENDIAN
228 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32))
229 #else
230 #error "wut? Unknown __BYTE_ORDER?!"
231 #endif
232
233 #define SIBLING_EXIT_UNKILLED 0xbadbeef
234 #define SIBLING_EXIT_FAILURE 0xbadface
235 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
236
TEST(mode_strict_support)237 TEST(mode_strict_support)
238 {
239 long ret;
240
241 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
242 ASSERT_EQ(0, ret) {
243 TH_LOG("Kernel does not support CONFIG_SECCOMP");
244 }
245 syscall(__NR_exit, 0);
246 }
247
TEST_SIGNAL(mode_strict_cannot_call_prctl,SIGKILL)248 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
249 {
250 long ret;
251
252 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
253 ASSERT_EQ(0, ret) {
254 TH_LOG("Kernel does not support CONFIG_SECCOMP");
255 }
256 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
257 NULL, NULL, NULL);
258 EXPECT_FALSE(true) {
259 TH_LOG("Unreachable!");
260 }
261 }
262
263 /* Note! This doesn't test no new privs behavior */
TEST(no_new_privs_support)264 TEST(no_new_privs_support)
265 {
266 long ret;
267
268 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
269 EXPECT_EQ(0, ret) {
270 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
271 }
272 }
273
274 /* Tests kernel support by checking for a copy_from_user() fault on NULL. */
TEST(mode_filter_support)275 TEST(mode_filter_support)
276 {
277 long ret;
278
279 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
280 ASSERT_EQ(0, ret) {
281 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
282 }
283 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
284 EXPECT_EQ(-1, ret);
285 EXPECT_EQ(EFAULT, errno) {
286 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
287 }
288 }
289
TEST(mode_filter_without_nnp)290 TEST(mode_filter_without_nnp)
291 {
292 struct sock_filter filter[] = {
293 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
294 };
295 struct sock_fprog prog = {
296 .len = (unsigned short)ARRAY_SIZE(filter),
297 .filter = filter,
298 };
299 long ret;
300
301 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
302 ASSERT_LE(0, ret) {
303 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
304 }
305 errno = 0;
306 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
307 /* Succeeds with CAP_SYS_ADMIN, fails without */
308 /* TODO(wad) check caps not euid */
309 if (geteuid()) {
310 EXPECT_EQ(-1, ret);
311 EXPECT_EQ(EACCES, errno);
312 } else {
313 EXPECT_EQ(0, ret);
314 }
315 }
316
317 #define MAX_INSNS_PER_PATH 32768
318
TEST(filter_size_limits)319 TEST(filter_size_limits)
320 {
321 int i;
322 int count = BPF_MAXINSNS + 1;
323 struct sock_filter allow[] = {
324 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
325 };
326 struct sock_filter *filter;
327 struct sock_fprog prog = { };
328 long ret;
329
330 filter = calloc(count, sizeof(*filter));
331 ASSERT_NE(NULL, filter);
332
333 for (i = 0; i < count; i++)
334 filter[i] = allow[0];
335
336 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
337 ASSERT_EQ(0, ret);
338
339 prog.filter = filter;
340 prog.len = count;
341
342 /* Too many filter instructions in a single filter. */
343 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
344 ASSERT_NE(0, ret) {
345 TH_LOG("Installing %d insn filter was allowed", prog.len);
346 }
347
348 /* One less is okay, though. */
349 prog.len -= 1;
350 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
351 ASSERT_EQ(0, ret) {
352 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
353 }
354 }
355
TEST(filter_chain_limits)356 TEST(filter_chain_limits)
357 {
358 int i;
359 int count = BPF_MAXINSNS;
360 struct sock_filter allow[] = {
361 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
362 };
363 struct sock_filter *filter;
364 struct sock_fprog prog = { };
365 long ret;
366
367 filter = calloc(count, sizeof(*filter));
368 ASSERT_NE(NULL, filter);
369
370 for (i = 0; i < count; i++)
371 filter[i] = allow[0];
372
373 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
374 ASSERT_EQ(0, ret);
375
376 prog.filter = filter;
377 prog.len = 1;
378
379 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
380 ASSERT_EQ(0, ret);
381
382 prog.len = count;
383
384 /* Too many total filter instructions. */
385 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
386 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
387 if (ret != 0)
388 break;
389 }
390 ASSERT_NE(0, ret) {
391 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
392 i, count, i * (count + 4));
393 }
394 }
395
TEST(mode_filter_cannot_move_to_strict)396 TEST(mode_filter_cannot_move_to_strict)
397 {
398 struct sock_filter filter[] = {
399 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
400 };
401 struct sock_fprog prog = {
402 .len = (unsigned short)ARRAY_SIZE(filter),
403 .filter = filter,
404 };
405 long ret;
406
407 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
408 ASSERT_EQ(0, ret);
409
410 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
411 ASSERT_EQ(0, ret);
412
413 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
414 EXPECT_EQ(-1, ret);
415 EXPECT_EQ(EINVAL, errno);
416 }
417
418
TEST(mode_filter_get_seccomp)419 TEST(mode_filter_get_seccomp)
420 {
421 struct sock_filter filter[] = {
422 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
423 };
424 struct sock_fprog prog = {
425 .len = (unsigned short)ARRAY_SIZE(filter),
426 .filter = filter,
427 };
428 long ret;
429
430 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
431 ASSERT_EQ(0, ret);
432
433 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
434 EXPECT_EQ(0, ret);
435
436 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
437 ASSERT_EQ(0, ret);
438
439 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
440 EXPECT_EQ(2, ret);
441 }
442
443
TEST(ALLOW_all)444 TEST(ALLOW_all)
445 {
446 struct sock_filter filter[] = {
447 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
448 };
449 struct sock_fprog prog = {
450 .len = (unsigned short)ARRAY_SIZE(filter),
451 .filter = filter,
452 };
453 long ret;
454
455 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
456 ASSERT_EQ(0, ret);
457
458 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
459 ASSERT_EQ(0, ret);
460 }
461
TEST(empty_prog)462 TEST(empty_prog)
463 {
464 struct sock_filter filter[] = {
465 };
466 struct sock_fprog prog = {
467 .len = (unsigned short)ARRAY_SIZE(filter),
468 .filter = filter,
469 };
470 long ret;
471
472 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
473 ASSERT_EQ(0, ret);
474
475 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
476 EXPECT_EQ(-1, ret);
477 EXPECT_EQ(EINVAL, errno);
478 }
479
480 /* b/147676645 */
481 #if 0
482 TEST(log_all)
483 {
484 struct sock_filter filter[] = {
485 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
486 };
487 struct sock_fprog prog = {
488 .len = (unsigned short)ARRAY_SIZE(filter),
489 .filter = filter,
490 };
491 long ret;
492 pid_t parent = getppid();
493
494 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
495 ASSERT_EQ(0, ret);
496
497 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
498 ASSERT_EQ(0, ret);
499
500 /* getppid() should succeed and be logged (no check for logging) */
501 EXPECT_EQ(parent, syscall(__NR_getppid));
502 }
503 #endif
504
TEST_SIGNAL(unknown_ret_is_kill_inside,SIGSYS)505 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
506 {
507 struct sock_filter filter[] = {
508 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
509 };
510 struct sock_fprog prog = {
511 .len = (unsigned short)ARRAY_SIZE(filter),
512 .filter = filter,
513 };
514 long ret;
515
516 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
517 ASSERT_EQ(0, ret);
518
519 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
520 ASSERT_EQ(0, ret);
521 EXPECT_EQ(0, syscall(__NR_getpid)) {
522 TH_LOG("getpid() shouldn't ever return");
523 }
524 }
525
526 /* return code >= 0x80000000 is unused. */
TEST_SIGNAL(unknown_ret_is_kill_above_allow,SIGSYS)527 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
528 {
529 struct sock_filter filter[] = {
530 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
531 };
532 struct sock_fprog prog = {
533 .len = (unsigned short)ARRAY_SIZE(filter),
534 .filter = filter,
535 };
536 long ret;
537
538 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
539 ASSERT_EQ(0, ret);
540
541 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
542 ASSERT_EQ(0, ret);
543 EXPECT_EQ(0, syscall(__NR_getpid)) {
544 TH_LOG("getpid() shouldn't ever return");
545 }
546 }
547
TEST_SIGNAL(KILL_all,SIGSYS)548 TEST_SIGNAL(KILL_all, SIGSYS)
549 {
550 struct sock_filter filter[] = {
551 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
552 };
553 struct sock_fprog prog = {
554 .len = (unsigned short)ARRAY_SIZE(filter),
555 .filter = filter,
556 };
557 long ret;
558
559 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
560 ASSERT_EQ(0, ret);
561
562 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
563 ASSERT_EQ(0, ret);
564 }
565
TEST_SIGNAL(KILL_one,SIGSYS)566 TEST_SIGNAL(KILL_one, SIGSYS)
567 {
568 struct sock_filter filter[] = {
569 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
570 offsetof(struct seccomp_data, nr)),
571 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
572 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
573 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
574 };
575 struct sock_fprog prog = {
576 .len = (unsigned short)ARRAY_SIZE(filter),
577 .filter = filter,
578 };
579 long ret;
580 pid_t parent = getppid();
581
582 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
583 ASSERT_EQ(0, ret);
584
585 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
586 ASSERT_EQ(0, ret);
587
588 EXPECT_EQ(parent, syscall(__NR_getppid));
589 /* getpid() should never return. */
590 EXPECT_EQ(0, syscall(__NR_getpid));
591 }
592
TEST_SIGNAL(KILL_one_arg_one,SIGSYS)593 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
594 {
595 void *fatal_address;
596 struct sock_filter filter[] = {
597 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
598 offsetof(struct seccomp_data, nr)),
599 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0),
600 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
601 /* Only both with lower 32-bit for now. */
602 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
603 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K,
604 (unsigned long)&fatal_address, 0, 1),
605 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
606 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
607 };
608 struct sock_fprog prog = {
609 .len = (unsigned short)ARRAY_SIZE(filter),
610 .filter = filter,
611 };
612 long ret;
613 pid_t parent = getppid();
614 struct tms timebuf;
615 clock_t clock = times(&timebuf);
616
617 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
618 ASSERT_EQ(0, ret);
619
620 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
621 ASSERT_EQ(0, ret);
622
623 EXPECT_EQ(parent, syscall(__NR_getppid));
624 EXPECT_LE(clock, syscall(__NR_times, &timebuf));
625 /* times() should never return. */
626 EXPECT_EQ(0, syscall(__NR_times, &fatal_address));
627 }
628
TEST_SIGNAL(KILL_one_arg_six,SIGSYS)629 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
630 {
631 #ifndef __NR_mmap2
632 int sysno = __NR_mmap;
633 #else
634 int sysno = __NR_mmap2;
635 #endif
636 struct sock_filter filter[] = {
637 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
638 offsetof(struct seccomp_data, nr)),
639 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0),
640 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
641 /* Only both with lower 32-bit for now. */
642 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
643 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
644 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
645 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
646 };
647 struct sock_fprog prog = {
648 .len = (unsigned short)ARRAY_SIZE(filter),
649 .filter = filter,
650 };
651 long ret;
652 pid_t parent = getppid();
653 int fd;
654 void *map1, *map2;
655 int page_size = sysconf(_SC_PAGESIZE);
656
657 ASSERT_LT(0, page_size);
658
659 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
660 ASSERT_EQ(0, ret);
661
662 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
663 ASSERT_EQ(0, ret);
664
665 fd = open("/dev/zero", O_RDONLY);
666 ASSERT_NE(-1, fd);
667
668 EXPECT_EQ(parent, syscall(__NR_getppid));
669 map1 = (void *)syscall(sysno,
670 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size);
671 EXPECT_NE(MAP_FAILED, map1);
672 /* mmap2() should never return. */
673 map2 = (void *)syscall(sysno,
674 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE);
675 EXPECT_EQ(MAP_FAILED, map2);
676
677 /* The test failed, so clean up the resources. */
678 munmap(map1, page_size);
679 munmap(map2, page_size);
680 close(fd);
681 }
682
683 /* This is a thread task to die via seccomp filter violation. */
kill_thread(void * data)684 void *kill_thread(void *data)
685 {
686 bool die = (bool)data;
687
688 if (die) {
689 prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
690 return (void *)SIBLING_EXIT_FAILURE;
691 }
692
693 return (void *)SIBLING_EXIT_UNKILLED;
694 }
695
696 /* Prepare a thread that will kill itself or both of us. */
kill_thread_or_group(struct __test_metadata * _metadata,bool kill_process)697 void kill_thread_or_group(struct __test_metadata *_metadata, bool kill_process)
698 {
699 pthread_t thread;
700 void *status;
701 /* Kill only when calling __NR_prctl. */
702 struct sock_filter filter_thread[] = {
703 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
704 offsetof(struct seccomp_data, nr)),
705 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
706 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD),
707 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
708 };
709 struct sock_fprog prog_thread = {
710 .len = (unsigned short)ARRAY_SIZE(filter_thread),
711 .filter = filter_thread,
712 };
713 struct sock_filter filter_process[] = {
714 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
715 offsetof(struct seccomp_data, nr)),
716 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
717 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_PROCESS),
718 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
719 };
720 struct sock_fprog prog_process = {
721 .len = (unsigned short)ARRAY_SIZE(filter_process),
722 .filter = filter_process,
723 };
724
725 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
726 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
727 }
728
729 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0,
730 kill_process ? &prog_process : &prog_thread));
731
732 /*
733 * Add the KILL_THREAD rule again to make sure that the KILL_PROCESS
734 * flag cannot be downgraded by a new filter.
735 */
736 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread));
737
738 /* Start a thread that will exit immediately. */
739 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)false));
740 ASSERT_EQ(0, pthread_join(thread, &status));
741 ASSERT_EQ(SIBLING_EXIT_UNKILLED, (unsigned long)status);
742
743 /* Start a thread that will die immediately. */
744 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)true));
745 ASSERT_EQ(0, pthread_join(thread, &status));
746 ASSERT_NE(SIBLING_EXIT_FAILURE, (unsigned long)status);
747
748 /*
749 * If we get here, only the spawned thread died. Let the parent know
750 * the whole process didn't die (i.e. this thread, the spawner,
751 * stayed running).
752 */
753 exit(42);
754 }
755
756 /* b/147676645 */
757 #if 0
758 TEST(KILL_thread)
759 {
760 int status;
761 pid_t child_pid;
762
763 child_pid = fork();
764 ASSERT_LE(0, child_pid);
765 if (child_pid == 0) {
766 kill_thread_or_group(_metadata, false);
767 _exit(38);
768 }
769
770 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
771
772 /* If only the thread was killed, we'll see exit 42. */
773 ASSERT_TRUE(WIFEXITED(status));
774 ASSERT_EQ(42, WEXITSTATUS(status));
775 }
776 #endif
777
TEST(KILL_process)778 TEST(KILL_process)
779 {
780 int status;
781 pid_t child_pid;
782
783 child_pid = fork();
784 ASSERT_LE(0, child_pid);
785 if (child_pid == 0) {
786 kill_thread_or_group(_metadata, true);
787 _exit(38);
788 }
789
790 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
791
792 /* If the entire process was killed, we'll see SIGSYS. */
793 ASSERT_TRUE(WIFSIGNALED(status));
794 ASSERT_EQ(SIGSYS, WTERMSIG(status));
795 }
796
797 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
TEST(arg_out_of_range)798 TEST(arg_out_of_range)
799 {
800 struct sock_filter filter[] = {
801 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
802 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
803 };
804 struct sock_fprog prog = {
805 .len = (unsigned short)ARRAY_SIZE(filter),
806 .filter = filter,
807 };
808 long ret;
809
810 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
811 ASSERT_EQ(0, ret);
812
813 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
814 EXPECT_EQ(-1, ret);
815 EXPECT_EQ(EINVAL, errno);
816 }
817
818 #define ERRNO_FILTER(name, errno) \
819 struct sock_filter _read_filter_##name[] = { \
820 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, \
821 offsetof(struct seccomp_data, nr)), \
822 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), \
823 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno), \
824 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \
825 }; \
826 struct sock_fprog prog_##name = { \
827 .len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \
828 .filter = _read_filter_##name, \
829 }
830
831 /* Make sure basic errno values are correctly passed through a filter. */
TEST(ERRNO_valid)832 TEST(ERRNO_valid)
833 {
834 ERRNO_FILTER(valid, E2BIG);
835 long ret;
836 pid_t parent = getppid();
837
838 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
839 ASSERT_EQ(0, ret);
840
841 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid);
842 ASSERT_EQ(0, ret);
843
844 EXPECT_EQ(parent, syscall(__NR_getppid));
845 EXPECT_EQ(-1, read(0, NULL, 0));
846 EXPECT_EQ(E2BIG, errno);
847 }
848
849 /* Make sure an errno of zero is correctly handled by the arch code. */
TEST(ERRNO_zero)850 TEST(ERRNO_zero)
851 {
852 ERRNO_FILTER(zero, 0);
853 long ret;
854 pid_t parent = getppid();
855
856 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
857 ASSERT_EQ(0, ret);
858
859 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero);
860 ASSERT_EQ(0, ret);
861
862 EXPECT_EQ(parent, syscall(__NR_getppid));
863 /* "errno" of 0 is ok. */
864 EXPECT_EQ(0, read(0, NULL, 0));
865 }
866
867 /*
868 * The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller.
869 * This tests that the errno value gets capped correctly, fixed by
870 * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
871 */
TEST(ERRNO_capped)872 TEST(ERRNO_capped)
873 {
874 ERRNO_FILTER(capped, 4096);
875 long ret;
876 pid_t parent = getppid();
877
878 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
879 ASSERT_EQ(0, ret);
880
881 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped);
882 ASSERT_EQ(0, ret);
883
884 EXPECT_EQ(parent, syscall(__NR_getppid));
885 EXPECT_EQ(-1, read(0, NULL, 0));
886 EXPECT_EQ(4095, errno);
887 }
888
889 /*
890 * Filters are processed in reverse order: last applied is executed first.
891 * Since only the SECCOMP_RET_ACTION mask is tested for return values, the
892 * SECCOMP_RET_DATA mask results will follow the most recently applied
893 * matching filter return (and not the lowest or highest value).
894 */
TEST(ERRNO_order)895 TEST(ERRNO_order)
896 {
897 ERRNO_FILTER(first, 11);
898 ERRNO_FILTER(second, 13);
899 ERRNO_FILTER(third, 12);
900 long ret;
901 pid_t parent = getppid();
902
903 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
904 ASSERT_EQ(0, ret);
905
906 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first);
907 ASSERT_EQ(0, ret);
908
909 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second);
910 ASSERT_EQ(0, ret);
911
912 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third);
913 ASSERT_EQ(0, ret);
914
915 EXPECT_EQ(parent, syscall(__NR_getppid));
916 EXPECT_EQ(-1, read(0, NULL, 0));
917 EXPECT_EQ(12, errno);
918 }
919
FIXTURE_DATA(TRAP)920 FIXTURE_DATA(TRAP) {
921 struct sock_fprog prog;
922 };
923
FIXTURE_SETUP(TRAP)924 FIXTURE_SETUP(TRAP)
925 {
926 struct sock_filter filter[] = {
927 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
928 offsetof(struct seccomp_data, nr)),
929 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
930 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
931 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
932 };
933
934 memset(&self->prog, 0, sizeof(self->prog));
935 self->prog.filter = malloc(sizeof(filter));
936 ASSERT_NE(NULL, self->prog.filter);
937 memcpy(self->prog.filter, filter, sizeof(filter));
938 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
939 }
940
FIXTURE_TEARDOWN(TRAP)941 FIXTURE_TEARDOWN(TRAP)
942 {
943 if (self->prog.filter)
944 free(self->prog.filter);
945 }
946
TEST_F_SIGNAL(TRAP,dfl,SIGSYS)947 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
948 {
949 long ret;
950
951 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
952 ASSERT_EQ(0, ret);
953
954 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
955 ASSERT_EQ(0, ret);
956 syscall(__NR_getpid);
957 }
958
959 /* Ensure that SIGSYS overrides SIG_IGN */
TEST_F_SIGNAL(TRAP,ign,SIGSYS)960 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
961 {
962 long ret;
963
964 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
965 ASSERT_EQ(0, ret);
966
967 signal(SIGSYS, SIG_IGN);
968
969 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
970 ASSERT_EQ(0, ret);
971 syscall(__NR_getpid);
972 }
973
974 static siginfo_t TRAP_info;
975 static volatile int TRAP_nr;
TRAP_action(int nr,siginfo_t * info,void * void_context)976 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
977 {
978 memcpy(&TRAP_info, info, sizeof(TRAP_info));
979 TRAP_nr = nr;
980 }
981
TEST_F(TRAP,handler)982 TEST_F(TRAP, handler)
983 {
984 int ret, test;
985 struct sigaction act;
986 sigset_t mask;
987
988 memset(&act, 0, sizeof(act));
989 sigemptyset(&mask);
990 sigaddset(&mask, SIGSYS);
991
992 act.sa_sigaction = &TRAP_action;
993 act.sa_flags = SA_SIGINFO;
994 ret = sigaction(SIGSYS, &act, NULL);
995 ASSERT_EQ(0, ret) {
996 TH_LOG("sigaction failed");
997 }
998 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
999 ASSERT_EQ(0, ret) {
1000 TH_LOG("sigprocmask failed");
1001 }
1002
1003 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1004 ASSERT_EQ(0, ret);
1005 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1006 ASSERT_EQ(0, ret);
1007 TRAP_nr = 0;
1008 memset(&TRAP_info, 0, sizeof(TRAP_info));
1009 /* Expect the registers to be rolled back. (nr = error) may vary
1010 * based on arch. */
1011 ret = syscall(__NR_getpid);
1012 /* Silence gcc warning about volatile. */
1013 test = TRAP_nr;
1014 EXPECT_EQ(SIGSYS, test);
1015 struct local_sigsys {
1016 void *_call_addr; /* calling user insn */
1017 int _syscall; /* triggering system call number */
1018 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
1019 } *sigsys = (struct local_sigsys *)
1020 #ifdef si_syscall
1021 &(TRAP_info.si_call_addr);
1022 #else
1023 &TRAP_info.si_pid;
1024 #endif
1025 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
1026 /* Make sure arch is non-zero. */
1027 EXPECT_NE(0, sigsys->_arch);
1028 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
1029 }
1030
FIXTURE_DATA(precedence)1031 FIXTURE_DATA(precedence) {
1032 struct sock_fprog allow;
1033 struct sock_fprog log;
1034 struct sock_fprog trace;
1035 struct sock_fprog error;
1036 struct sock_fprog trap;
1037 struct sock_fprog kill;
1038 };
1039
FIXTURE_SETUP(precedence)1040 FIXTURE_SETUP(precedence)
1041 {
1042 struct sock_filter allow_insns[] = {
1043 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1044 };
1045 struct sock_filter log_insns[] = {
1046 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1047 offsetof(struct seccomp_data, nr)),
1048 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1049 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1050 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
1051 };
1052 struct sock_filter trace_insns[] = {
1053 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1054 offsetof(struct seccomp_data, nr)),
1055 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1056 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1057 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
1058 };
1059 struct sock_filter error_insns[] = {
1060 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1061 offsetof(struct seccomp_data, nr)),
1062 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1063 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1064 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
1065 };
1066 struct sock_filter trap_insns[] = {
1067 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1068 offsetof(struct seccomp_data, nr)),
1069 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1070 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1071 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1072 };
1073 struct sock_filter kill_insns[] = {
1074 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1075 offsetof(struct seccomp_data, nr)),
1076 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1077 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1078 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1079 };
1080
1081 memset(self, 0, sizeof(*self));
1082 #define FILTER_ALLOC(_x) \
1083 self->_x.filter = malloc(sizeof(_x##_insns)); \
1084 ASSERT_NE(NULL, self->_x.filter); \
1085 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
1086 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
1087 FILTER_ALLOC(allow);
1088 FILTER_ALLOC(log);
1089 FILTER_ALLOC(trace);
1090 FILTER_ALLOC(error);
1091 FILTER_ALLOC(trap);
1092 FILTER_ALLOC(kill);
1093 }
1094
FIXTURE_TEARDOWN(precedence)1095 FIXTURE_TEARDOWN(precedence)
1096 {
1097 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
1098 FILTER_FREE(allow);
1099 FILTER_FREE(log);
1100 FILTER_FREE(trace);
1101 FILTER_FREE(error);
1102 FILTER_FREE(trap);
1103 FILTER_FREE(kill);
1104 }
1105
TEST_F(precedence,allow_ok)1106 TEST_F(precedence, allow_ok)
1107 {
1108 pid_t parent, res = 0;
1109 long ret;
1110
1111 parent = getppid();
1112 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1113 ASSERT_EQ(0, ret);
1114
1115 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1116 ASSERT_EQ(0, ret);
1117 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1118 ASSERT_EQ(0, ret);
1119 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1120 ASSERT_EQ(0, ret);
1121 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1122 ASSERT_EQ(0, ret);
1123 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1124 ASSERT_EQ(0, ret);
1125 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1126 ASSERT_EQ(0, ret);
1127 /* Should work just fine. */
1128 res = syscall(__NR_getppid);
1129 EXPECT_EQ(parent, res);
1130 }
1131
TEST_F_SIGNAL(precedence,kill_is_highest,SIGSYS)1132 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
1133 {
1134 pid_t parent, res = 0;
1135 long ret;
1136
1137 parent = getppid();
1138 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1139 ASSERT_EQ(0, ret);
1140
1141 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1142 ASSERT_EQ(0, ret);
1143 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1144 ASSERT_EQ(0, ret);
1145 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1146 ASSERT_EQ(0, ret);
1147 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1148 ASSERT_EQ(0, ret);
1149 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1150 ASSERT_EQ(0, ret);
1151 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1152 ASSERT_EQ(0, ret);
1153 /* Should work just fine. */
1154 res = syscall(__NR_getppid);
1155 EXPECT_EQ(parent, res);
1156 /* getpid() should never return. */
1157 res = syscall(__NR_getpid);
1158 EXPECT_EQ(0, res);
1159 }
1160
TEST_F_SIGNAL(precedence,kill_is_highest_in_any_order,SIGSYS)1161 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
1162 {
1163 pid_t parent;
1164 long ret;
1165
1166 parent = getppid();
1167 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1168 ASSERT_EQ(0, ret);
1169
1170 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1171 ASSERT_EQ(0, ret);
1172 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1173 ASSERT_EQ(0, ret);
1174 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1175 ASSERT_EQ(0, ret);
1176 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1177 ASSERT_EQ(0, ret);
1178 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1179 ASSERT_EQ(0, ret);
1180 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1181 ASSERT_EQ(0, ret);
1182 /* Should work just fine. */
1183 EXPECT_EQ(parent, syscall(__NR_getppid));
1184 /* getpid() should never return. */
1185 EXPECT_EQ(0, syscall(__NR_getpid));
1186 }
1187
TEST_F_SIGNAL(precedence,trap_is_second,SIGSYS)1188 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
1189 {
1190 pid_t parent;
1191 long ret;
1192
1193 parent = getppid();
1194 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1195 ASSERT_EQ(0, ret);
1196
1197 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1198 ASSERT_EQ(0, ret);
1199 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1200 ASSERT_EQ(0, ret);
1201 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1202 ASSERT_EQ(0, ret);
1203 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1204 ASSERT_EQ(0, ret);
1205 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1206 ASSERT_EQ(0, ret);
1207 /* Should work just fine. */
1208 EXPECT_EQ(parent, syscall(__NR_getppid));
1209 /* getpid() should never return. */
1210 EXPECT_EQ(0, syscall(__NR_getpid));
1211 }
1212
TEST_F_SIGNAL(precedence,trap_is_second_in_any_order,SIGSYS)1213 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
1214 {
1215 pid_t parent;
1216 long ret;
1217
1218 parent = getppid();
1219 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1220 ASSERT_EQ(0, ret);
1221
1222 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1223 ASSERT_EQ(0, ret);
1224 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1225 ASSERT_EQ(0, ret);
1226 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1227 ASSERT_EQ(0, ret);
1228 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1229 ASSERT_EQ(0, ret);
1230 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1231 ASSERT_EQ(0, ret);
1232 /* Should work just fine. */
1233 EXPECT_EQ(parent, syscall(__NR_getppid));
1234 /* getpid() should never return. */
1235 EXPECT_EQ(0, syscall(__NR_getpid));
1236 }
1237
TEST_F(precedence,errno_is_third)1238 TEST_F(precedence, errno_is_third)
1239 {
1240 pid_t parent;
1241 long ret;
1242
1243 parent = getppid();
1244 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1245 ASSERT_EQ(0, ret);
1246
1247 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1248 ASSERT_EQ(0, ret);
1249 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1250 ASSERT_EQ(0, ret);
1251 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1252 ASSERT_EQ(0, ret);
1253 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1254 ASSERT_EQ(0, ret);
1255 /* Should work just fine. */
1256 EXPECT_EQ(parent, syscall(__NR_getppid));
1257 EXPECT_EQ(0, syscall(__NR_getpid));
1258 }
1259
TEST_F(precedence,errno_is_third_in_any_order)1260 TEST_F(precedence, errno_is_third_in_any_order)
1261 {
1262 pid_t parent;
1263 long ret;
1264
1265 parent = getppid();
1266 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1267 ASSERT_EQ(0, ret);
1268
1269 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1270 ASSERT_EQ(0, ret);
1271 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1272 ASSERT_EQ(0, ret);
1273 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1274 ASSERT_EQ(0, ret);
1275 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1276 ASSERT_EQ(0, ret);
1277 /* Should work just fine. */
1278 EXPECT_EQ(parent, syscall(__NR_getppid));
1279 EXPECT_EQ(0, syscall(__NR_getpid));
1280 }
1281
TEST_F(precedence,trace_is_fourth)1282 TEST_F(precedence, trace_is_fourth)
1283 {
1284 pid_t parent;
1285 long ret;
1286
1287 parent = getppid();
1288 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1289 ASSERT_EQ(0, ret);
1290
1291 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1292 ASSERT_EQ(0, ret);
1293 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1294 ASSERT_EQ(0, ret);
1295 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1296 ASSERT_EQ(0, ret);
1297 /* Should work just fine. */
1298 EXPECT_EQ(parent, syscall(__NR_getppid));
1299 /* No ptracer */
1300 EXPECT_EQ(-1, syscall(__NR_getpid));
1301 }
1302
TEST_F(precedence,trace_is_fourth_in_any_order)1303 TEST_F(precedence, trace_is_fourth_in_any_order)
1304 {
1305 pid_t parent;
1306 long ret;
1307
1308 parent = getppid();
1309 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1310 ASSERT_EQ(0, ret);
1311
1312 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1313 ASSERT_EQ(0, ret);
1314 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1315 ASSERT_EQ(0, ret);
1316 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1317 ASSERT_EQ(0, ret);
1318 /* Should work just fine. */
1319 EXPECT_EQ(parent, syscall(__NR_getppid));
1320 /* No ptracer */
1321 EXPECT_EQ(-1, syscall(__NR_getpid));
1322 }
1323
1324 /* b/147676645 */
1325 #if 0
1326 TEST_F(precedence, log_is_fifth)
1327 {
1328 pid_t mypid, parent;
1329 long ret;
1330
1331 mypid = getpid();
1332 parent = getppid();
1333 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1334 ASSERT_EQ(0, ret);
1335
1336 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1337 ASSERT_EQ(0, ret);
1338 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1339 ASSERT_EQ(0, ret);
1340 /* Should work just fine. */
1341 EXPECT_EQ(parent, syscall(__NR_getppid));
1342 /* Should also work just fine */
1343 EXPECT_EQ(mypid, syscall(__NR_getpid));
1344 }
1345
1346 TEST_F(precedence, log_is_fifth_in_any_order)
1347 {
1348 pid_t mypid, parent;
1349 long ret;
1350
1351 mypid = getpid();
1352 parent = getppid();
1353 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1354 ASSERT_EQ(0, ret);
1355
1356 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1357 ASSERT_EQ(0, ret);
1358 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1359 ASSERT_EQ(0, ret);
1360 /* Should work just fine. */
1361 EXPECT_EQ(parent, syscall(__NR_getppid));
1362 /* Should also work just fine */
1363 EXPECT_EQ(mypid, syscall(__NR_getpid));
1364 }
1365 #endif
1366
1367 #ifndef PTRACE_O_TRACESECCOMP
1368 #define PTRACE_O_TRACESECCOMP 0x00000080
1369 #endif
1370
1371 /* Catch the Ubuntu 12.04 value error. */
1372 #if PTRACE_EVENT_SECCOMP != 7
1373 #undef PTRACE_EVENT_SECCOMP
1374 #endif
1375
1376 #ifndef PTRACE_EVENT_SECCOMP
1377 #define PTRACE_EVENT_SECCOMP 7
1378 #endif
1379
1380 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
1381 bool tracer_running;
tracer_stop(int sig)1382 void tracer_stop(int sig)
1383 {
1384 tracer_running = false;
1385 }
1386
1387 typedef void tracer_func_t(struct __test_metadata *_metadata,
1388 pid_t tracee, int status, void *args);
1389
start_tracer(struct __test_metadata * _metadata,int fd,pid_t tracee,tracer_func_t tracer_func,void * args,bool ptrace_syscall)1390 void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
1391 tracer_func_t tracer_func, void *args, bool ptrace_syscall)
1392 {
1393 int ret = -1;
1394 struct sigaction action = {
1395 .sa_handler = tracer_stop,
1396 };
1397
1398 /* Allow external shutdown. */
1399 tracer_running = true;
1400 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1401
1402 errno = 0;
1403 while (ret == -1 && errno != EINVAL)
1404 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1405 ASSERT_EQ(0, ret) {
1406 kill(tracee, SIGKILL);
1407 }
1408 /* Wait for attach stop */
1409 wait(NULL);
1410
1411 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ?
1412 PTRACE_O_TRACESYSGOOD :
1413 PTRACE_O_TRACESECCOMP);
1414 ASSERT_EQ(0, ret) {
1415 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1416 kill(tracee, SIGKILL);
1417 }
1418 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1419 tracee, NULL, 0);
1420 ASSERT_EQ(0, ret);
1421
1422 /* Unblock the tracee */
1423 ASSERT_EQ(1, write(fd, "A", 1));
1424 ASSERT_EQ(0, close(fd));
1425
1426 /* Run until we're shut down. Must assert to stop execution. */
1427 while (tracer_running) {
1428 int status;
1429
1430 if (wait(&status) != tracee)
1431 continue;
1432 if (WIFSIGNALED(status) || WIFEXITED(status))
1433 /* Child is dead. Time to go. */
1434 return;
1435
1436 /* Check if this is a seccomp event. */
1437 ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status));
1438
1439 tracer_func(_metadata, tracee, status, args);
1440
1441 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1442 tracee, NULL, 0);
1443 ASSERT_EQ(0, ret);
1444 }
1445 /* Directly report the status of our test harness results. */
1446 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1447 }
1448
1449 /* Common tracer setup/teardown functions. */
cont_handler(int num)1450 void cont_handler(int num)
1451 { }
setup_trace_fixture(struct __test_metadata * _metadata,tracer_func_t func,void * args,bool ptrace_syscall)1452 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1453 tracer_func_t func, void *args, bool ptrace_syscall)
1454 {
1455 char sync;
1456 int pipefd[2];
1457 pid_t tracer_pid;
1458 pid_t tracee = getpid();
1459
1460 /* Setup a pipe for clean synchronization. */
1461 ASSERT_EQ(0, pipe(pipefd));
1462
1463 /* Fork a child which we'll promote to tracer */
1464 tracer_pid = fork();
1465 ASSERT_LE(0, tracer_pid);
1466 signal(SIGALRM, cont_handler);
1467 if (tracer_pid == 0) {
1468 close(pipefd[0]);
1469 start_tracer(_metadata, pipefd[1], tracee, func, args,
1470 ptrace_syscall);
1471 syscall(__NR_exit, 0);
1472 }
1473 close(pipefd[1]);
1474 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1475 read(pipefd[0], &sync, 1);
1476 close(pipefd[0]);
1477
1478 return tracer_pid;
1479 }
teardown_trace_fixture(struct __test_metadata * _metadata,pid_t tracer)1480 void teardown_trace_fixture(struct __test_metadata *_metadata,
1481 pid_t tracer)
1482 {
1483 if (tracer) {
1484 int status;
1485 /*
1486 * Extract the exit code from the other process and
1487 * adopt it for ourselves in case its asserts failed.
1488 */
1489 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1490 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1491 if (WEXITSTATUS(status))
1492 _metadata->passed = 0;
1493 }
1494 }
1495
1496 /* "poke" tracer arguments and function. */
1497 struct tracer_args_poke_t {
1498 unsigned long poke_addr;
1499 };
1500
tracer_poke(struct __test_metadata * _metadata,pid_t tracee,int status,void * args)1501 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1502 void *args)
1503 {
1504 int ret;
1505 unsigned long msg;
1506 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1507
1508 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1509 EXPECT_EQ(0, ret);
1510 /* If this fails, don't try to recover. */
1511 ASSERT_EQ(0x1001, msg) {
1512 kill(tracee, SIGKILL);
1513 }
1514 /*
1515 * Poke in the message.
1516 * Registers are not touched to try to keep this relatively arch
1517 * agnostic.
1518 */
1519 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1520 EXPECT_EQ(0, ret);
1521 }
1522
FIXTURE_DATA(TRACE_poke)1523 FIXTURE_DATA(TRACE_poke) {
1524 struct sock_fprog prog;
1525 pid_t tracer;
1526 long poked;
1527 struct tracer_args_poke_t tracer_args;
1528 };
1529
FIXTURE_SETUP(TRACE_poke)1530 FIXTURE_SETUP(TRACE_poke)
1531 {
1532 struct sock_filter filter[] = {
1533 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1534 offsetof(struct seccomp_data, nr)),
1535 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1536 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1537 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1538 };
1539
1540 self->poked = 0;
1541 memset(&self->prog, 0, sizeof(self->prog));
1542 self->prog.filter = malloc(sizeof(filter));
1543 ASSERT_NE(NULL, self->prog.filter);
1544 memcpy(self->prog.filter, filter, sizeof(filter));
1545 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1546
1547 /* Set up tracer args. */
1548 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1549
1550 /* Launch tracer. */
1551 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1552 &self->tracer_args, false);
1553 }
1554
FIXTURE_TEARDOWN(TRACE_poke)1555 FIXTURE_TEARDOWN(TRACE_poke)
1556 {
1557 teardown_trace_fixture(_metadata, self->tracer);
1558 if (self->prog.filter)
1559 free(self->prog.filter);
1560 }
1561
TEST_F(TRACE_poke,read_has_side_effects)1562 TEST_F(TRACE_poke, read_has_side_effects)
1563 {
1564 ssize_t ret;
1565
1566 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1567 ASSERT_EQ(0, ret);
1568
1569 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1570 ASSERT_EQ(0, ret);
1571
1572 EXPECT_EQ(0, self->poked);
1573 ret = read(-1, NULL, 0);
1574 EXPECT_EQ(-1, ret);
1575 EXPECT_EQ(0x1001, self->poked);
1576 }
1577
TEST_F(TRACE_poke,getpid_runs_normally)1578 TEST_F(TRACE_poke, getpid_runs_normally)
1579 {
1580 long ret;
1581
1582 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1583 ASSERT_EQ(0, ret);
1584
1585 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1586 ASSERT_EQ(0, ret);
1587
1588 EXPECT_EQ(0, self->poked);
1589 EXPECT_NE(0, syscall(__NR_getpid));
1590 EXPECT_EQ(0, self->poked);
1591 }
1592
1593 #if defined(__x86_64__)
1594 # define ARCH_REGS struct user_regs_struct
1595 # define SYSCALL_NUM orig_rax
1596 # define SYSCALL_RET rax
1597 #elif defined(__i386__)
1598 # define ARCH_REGS struct user_regs_struct
1599 # define SYSCALL_NUM orig_eax
1600 # define SYSCALL_RET eax
1601 #elif defined(__arm__)
1602 # define ARCH_REGS struct pt_regs
1603 # define SYSCALL_NUM ARM_r7
1604 # define SYSCALL_RET ARM_r0
1605 #elif defined(__aarch64__)
1606 # define ARCH_REGS struct user_pt_regs
1607 # define SYSCALL_NUM regs[8]
1608 # define SYSCALL_RET regs[0]
1609 #elif defined(__riscv) && __riscv_xlen == 64
1610 # define ARCH_REGS struct user_regs_struct
1611 # define SYSCALL_NUM a7
1612 # define SYSCALL_RET a0
1613 #elif defined(__hppa__)
1614 # define ARCH_REGS struct user_regs_struct
1615 # define SYSCALL_NUM gr[20]
1616 # define SYSCALL_RET gr[28]
1617 #elif defined(__powerpc__)
1618 # define ARCH_REGS struct pt_regs
1619 # define SYSCALL_NUM gpr[0]
1620 # define SYSCALL_RET gpr[3]
1621 #elif defined(__s390__)
1622 # define ARCH_REGS s390_regs
1623 # define SYSCALL_NUM gprs[2]
1624 # define SYSCALL_RET gprs[2]
1625 #elif defined(__mips__)
1626 # define ARCH_REGS struct pt_regs
1627 # define SYSCALL_NUM regs[2]
1628 # define SYSCALL_SYSCALL_NUM regs[4]
1629 # define SYSCALL_RET regs[2]
1630 # define SYSCALL_NUM_RET_SHARE_REG
1631 #else
1632 # error "Do not know how to find your architecture's registers and syscalls"
1633 #endif
1634
1635 /* When the syscall return can't be changed, stub out the tests for it. */
1636 #ifdef SYSCALL_NUM_RET_SHARE_REG
1637 # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
1638 #else
1639 # define EXPECT_SYSCALL_RETURN(val, action) \
1640 do { \
1641 errno = 0; \
1642 if (val < 0) { \
1643 EXPECT_EQ(-1, action); \
1644 EXPECT_EQ(-(val), errno); \
1645 } else { \
1646 EXPECT_EQ(val, action); \
1647 } \
1648 } while (0)
1649 #endif
1650
1651 /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
1652 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1653 */
1654 #if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
1655 #define HAVE_GETREGS
1656 #endif
1657
1658 /* Architecture-specific syscall fetching routine. */
get_syscall(struct __test_metadata * _metadata,pid_t tracee)1659 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1660 {
1661 ARCH_REGS regs;
1662 #ifdef HAVE_GETREGS
1663 EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) {
1664 TH_LOG("PTRACE_GETREGS failed");
1665 return -1;
1666 }
1667 #else
1668 struct iovec iov;
1669
1670 iov.iov_base = ®s;
1671 iov.iov_len = sizeof(regs);
1672 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1673 TH_LOG("PTRACE_GETREGSET failed");
1674 return -1;
1675 }
1676 #endif
1677
1678 #if defined(__mips__)
1679 if (regs.SYSCALL_NUM == __NR_O32_Linux)
1680 return regs.SYSCALL_SYSCALL_NUM;
1681 #endif
1682 return regs.SYSCALL_NUM;
1683 }
1684
1685 /* Architecture-specific syscall changing routine. */
change_syscall(struct __test_metadata * _metadata,pid_t tracee,int syscall,int result)1686 void change_syscall(struct __test_metadata *_metadata,
1687 pid_t tracee, int syscall, int result)
1688 {
1689 int ret;
1690 ARCH_REGS regs;
1691 #ifdef HAVE_GETREGS
1692 ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s);
1693 #else
1694 struct iovec iov;
1695 iov.iov_base = ®s;
1696 iov.iov_len = sizeof(regs);
1697 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1698 #endif
1699 EXPECT_EQ(0, ret) {}
1700
1701 #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
1702 defined(__s390__) || defined(__hppa__) || defined(__riscv)
1703 {
1704 regs.SYSCALL_NUM = syscall;
1705 }
1706 #elif defined(__mips__)
1707 {
1708 if (regs.SYSCALL_NUM == __NR_O32_Linux)
1709 regs.SYSCALL_SYSCALL_NUM = syscall;
1710 else
1711 regs.SYSCALL_NUM = syscall;
1712 }
1713
1714 #elif defined(__arm__)
1715 # ifndef PTRACE_SET_SYSCALL
1716 # define PTRACE_SET_SYSCALL 23
1717 # endif
1718 {
1719 ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall);
1720 EXPECT_EQ(0, ret);
1721 }
1722
1723 #elif defined(__aarch64__)
1724 # ifndef NT_ARM_SYSTEM_CALL
1725 # define NT_ARM_SYSTEM_CALL 0x404
1726 # endif
1727 {
1728 iov.iov_base = &syscall;
1729 iov.iov_len = sizeof(syscall);
1730 ret = ptrace(PTRACE_SETREGSET, tracee, NT_ARM_SYSTEM_CALL,
1731 &iov);
1732 EXPECT_EQ(0, ret);
1733 }
1734
1735 #else
1736 ASSERT_EQ(1, 0) {
1737 TH_LOG("How is the syscall changed on this architecture?");
1738 }
1739 #endif
1740
1741 /* If syscall is skipped, change return value. */
1742 if (syscall == -1)
1743 #ifdef SYSCALL_NUM_RET_SHARE_REG
1744 TH_LOG("Can't modify syscall return on this architecture");
1745 #else
1746 regs.SYSCALL_RET = result;
1747 #endif
1748
1749 #ifdef HAVE_GETREGS
1750 ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s);
1751 #else
1752 iov.iov_base = ®s;
1753 iov.iov_len = sizeof(regs);
1754 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1755 #endif
1756 EXPECT_EQ(0, ret);
1757 }
1758
tracer_syscall(struct __test_metadata * _metadata,pid_t tracee,int status,void * args)1759 void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
1760 int status, void *args)
1761 {
1762 int ret;
1763 unsigned long msg;
1764
1765 /* Make sure we got the right message. */
1766 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1767 EXPECT_EQ(0, ret);
1768
1769 /* Validate and take action on expected syscalls. */
1770 switch (msg) {
1771 case 0x1002:
1772 /* change getpid to getppid. */
1773 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
1774 change_syscall(_metadata, tracee, __NR_getppid, 0);
1775 break;
1776 case 0x1003:
1777 /* skip gettid with valid return code. */
1778 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
1779 change_syscall(_metadata, tracee, -1, 45000);
1780 break;
1781 case 0x1004:
1782 /* skip openat with error. */
1783 EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
1784 change_syscall(_metadata, tracee, -1, -ESRCH);
1785 break;
1786 case 0x1005:
1787 /* do nothing (allow getppid) */
1788 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
1789 break;
1790 default:
1791 EXPECT_EQ(0, msg) {
1792 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1793 kill(tracee, SIGKILL);
1794 }
1795 }
1796
1797 }
1798
tracer_ptrace(struct __test_metadata * _metadata,pid_t tracee,int status,void * args)1799 void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
1800 int status, void *args)
1801 {
1802 int ret, nr;
1803 unsigned long msg;
1804 static bool entry;
1805
1806 /*
1807 * The traditional way to tell PTRACE_SYSCALL entry/exit
1808 * is by counting.
1809 */
1810 entry = !entry;
1811
1812 /* Make sure we got an appropriate message. */
1813 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1814 EXPECT_EQ(0, ret);
1815 EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
1816 : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
1817
1818 if (!entry)
1819 return;
1820
1821 nr = get_syscall(_metadata, tracee);
1822
1823 if (nr == __NR_getpid)
1824 change_syscall(_metadata, tracee, __NR_getppid, 0);
1825 if (nr == __NR_gettid)
1826 change_syscall(_metadata, tracee, -1, 45000);
1827 if (nr == __NR_openat)
1828 change_syscall(_metadata, tracee, -1, -ESRCH);
1829 }
1830
FIXTURE_DATA(TRACE_syscall)1831 FIXTURE_DATA(TRACE_syscall) {
1832 struct sock_fprog prog;
1833 pid_t tracer, mytid, mypid, parent;
1834 };
1835
FIXTURE_SETUP(TRACE_syscall)1836 FIXTURE_SETUP(TRACE_syscall)
1837 {
1838 struct sock_filter filter[] = {
1839 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1840 offsetof(struct seccomp_data, nr)),
1841 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1842 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1843 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1844 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1845 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
1846 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1847 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1848 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
1849 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1850 };
1851
1852 memset(&self->prog, 0, sizeof(self->prog));
1853 self->prog.filter = malloc(sizeof(filter));
1854 ASSERT_NE(NULL, self->prog.filter);
1855 memcpy(self->prog.filter, filter, sizeof(filter));
1856 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1857
1858 /* Prepare some testable syscall results. */
1859 self->mytid = syscall(__NR_gettid);
1860 ASSERT_GT(self->mytid, 0);
1861 ASSERT_NE(self->mytid, 1) {
1862 TH_LOG("Running this test as init is not supported. :)");
1863 }
1864
1865 self->mypid = getpid();
1866 ASSERT_GT(self->mypid, 0);
1867 ASSERT_EQ(self->mytid, self->mypid);
1868
1869 self->parent = getppid();
1870 ASSERT_GT(self->parent, 0);
1871 ASSERT_NE(self->parent, self->mypid);
1872
1873 /* Launch tracer. */
1874 self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL,
1875 false);
1876 }
1877
FIXTURE_TEARDOWN(TRACE_syscall)1878 FIXTURE_TEARDOWN(TRACE_syscall)
1879 {
1880 teardown_trace_fixture(_metadata, self->tracer);
1881 if (self->prog.filter)
1882 free(self->prog.filter);
1883 }
1884
1885 /* b/147676645 */
1886 #if 0
1887 TEST_F(TRACE_syscall, ptrace_syscall_redirected)
1888 {
1889 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1890 teardown_trace_fixture(_metadata, self->tracer);
1891 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1892 true);
1893
1894 /* Tracer will redirect getpid to getppid. */
1895 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1896 }
1897
1898 TEST_F(TRACE_syscall, ptrace_syscall_errno)
1899 {
1900 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1901 teardown_trace_fixture(_metadata, self->tracer);
1902 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1903 true);
1904
1905 /* Tracer should skip the open syscall, resulting in ESRCH. */
1906 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
1907 }
1908
1909 TEST_F(TRACE_syscall, ptrace_syscall_faked)
1910 {
1911 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1912 teardown_trace_fixture(_metadata, self->tracer);
1913 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1914 true);
1915
1916 /* Tracer should skip the gettid syscall, resulting fake pid. */
1917 EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
1918 }
1919 #endif
1920
TEST_F(TRACE_syscall,syscall_allowed)1921 TEST_F(TRACE_syscall, syscall_allowed)
1922 {
1923 long ret;
1924
1925 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1926 ASSERT_EQ(0, ret);
1927
1928 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1929 ASSERT_EQ(0, ret);
1930
1931 /* getppid works as expected (no changes). */
1932 EXPECT_EQ(self->parent, syscall(__NR_getppid));
1933 EXPECT_NE(self->mypid, syscall(__NR_getppid));
1934 }
1935
TEST_F(TRACE_syscall,syscall_redirected)1936 TEST_F(TRACE_syscall, syscall_redirected)
1937 {
1938 long ret;
1939
1940 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1941 ASSERT_EQ(0, ret);
1942
1943 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1944 ASSERT_EQ(0, ret);
1945
1946 /* getpid has been redirected to getppid as expected. */
1947 EXPECT_EQ(self->parent, syscall(__NR_getpid));
1948 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1949 }
1950
TEST_F(TRACE_syscall,syscall_errno)1951 TEST_F(TRACE_syscall, syscall_errno)
1952 {
1953 long ret;
1954
1955 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1956 ASSERT_EQ(0, ret);
1957
1958 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1959 ASSERT_EQ(0, ret);
1960
1961 /* openat has been skipped and an errno return. */
1962 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
1963 }
1964
TEST_F(TRACE_syscall,syscall_faked)1965 TEST_F(TRACE_syscall, syscall_faked)
1966 {
1967 long ret;
1968
1969 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1970 ASSERT_EQ(0, ret);
1971
1972 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1973 ASSERT_EQ(0, ret);
1974
1975 /* gettid has been skipped and an altered return value stored. */
1976 EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
1977 }
1978
1979 /*
1980 * TODO: b/33027081
1981 * These tests do not work on kernels prior to 4.8.
1982 */
1983 #ifndef __ANDROID__
TEST_F(TRACE_syscall,skip_after_RET_TRACE)1984 TEST_F(TRACE_syscall, skip_after_RET_TRACE)
1985 {
1986 struct sock_filter filter[] = {
1987 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1988 offsetof(struct seccomp_data, nr)),
1989 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1990 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
1991 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1992 };
1993 struct sock_fprog prog = {
1994 .len = (unsigned short)ARRAY_SIZE(filter),
1995 .filter = filter,
1996 };
1997 long ret;
1998
1999 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2000 ASSERT_EQ(0, ret);
2001
2002 /* Install fixture filter. */
2003 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
2004 ASSERT_EQ(0, ret);
2005
2006 /* Install "errno on getppid" filter. */
2007 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2008 ASSERT_EQ(0, ret);
2009
2010 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
2011 errno = 0;
2012 EXPECT_EQ(-1, syscall(__NR_getpid));
2013 EXPECT_EQ(EPERM, errno);
2014 }
2015
TEST_F_SIGNAL(TRACE_syscall,kill_after_RET_TRACE,SIGSYS)2016 TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS)
2017 {
2018 struct sock_filter filter[] = {
2019 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2020 offsetof(struct seccomp_data, nr)),
2021 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2022 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2023 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2024 };
2025 struct sock_fprog prog = {
2026 .len = (unsigned short)ARRAY_SIZE(filter),
2027 .filter = filter,
2028 };
2029 long ret;
2030
2031 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2032 ASSERT_EQ(0, ret);
2033
2034 /* Install fixture filter. */
2035 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
2036 ASSERT_EQ(0, ret);
2037
2038 /* Install "death on getppid" filter. */
2039 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2040 ASSERT_EQ(0, ret);
2041
2042 /* Tracer will redirect getpid to getppid, and we should die. */
2043 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2044 }
2045
TEST_F(TRACE_syscall,skip_after_ptrace)2046 TEST_F(TRACE_syscall, skip_after_ptrace)
2047 {
2048 struct sock_filter filter[] = {
2049 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2050 offsetof(struct seccomp_data, nr)),
2051 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2052 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
2053 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2054 };
2055 struct sock_fprog prog = {
2056 .len = (unsigned short)ARRAY_SIZE(filter),
2057 .filter = filter,
2058 };
2059 long ret;
2060
2061 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
2062 teardown_trace_fixture(_metadata, self->tracer);
2063 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
2064 true);
2065
2066 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2067 ASSERT_EQ(0, ret);
2068
2069 /* Install "errno on getppid" filter. */
2070 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2071 ASSERT_EQ(0, ret);
2072
2073 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
2074 EXPECT_EQ(-1, syscall(__NR_getpid));
2075 EXPECT_EQ(EPERM, errno);
2076 }
2077
TEST_F_SIGNAL(TRACE_syscall,kill_after_ptrace,SIGSYS)2078 TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS)
2079 {
2080 struct sock_filter filter[] = {
2081 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2082 offsetof(struct seccomp_data, nr)),
2083 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2084 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2085 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2086 };
2087 struct sock_fprog prog = {
2088 .len = (unsigned short)ARRAY_SIZE(filter),
2089 .filter = filter,
2090 };
2091 long ret;
2092
2093 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
2094 teardown_trace_fixture(_metadata, self->tracer);
2095 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
2096 true);
2097
2098 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2099 ASSERT_EQ(0, ret);
2100
2101 /* Install "death on getppid" filter. */
2102 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2103 ASSERT_EQ(0, ret);
2104
2105 /* Tracer will redirect getpid to getppid, and we should die. */
2106 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2107 }
2108 #endif
2109
TEST(seccomp_syscall)2110 TEST(seccomp_syscall)
2111 {
2112 struct sock_filter filter[] = {
2113 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2114 };
2115 struct sock_fprog prog = {
2116 .len = (unsigned short)ARRAY_SIZE(filter),
2117 .filter = filter,
2118 };
2119 long ret;
2120
2121 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2122 ASSERT_EQ(0, ret) {
2123 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2124 }
2125
2126 /* Reject insane operation. */
2127 ret = seccomp(-1, 0, &prog);
2128 ASSERT_NE(ENOSYS, errno) {
2129 TH_LOG("Kernel does not support seccomp syscall!");
2130 }
2131 EXPECT_EQ(EINVAL, errno) {
2132 TH_LOG("Did not reject crazy op value!");
2133 }
2134
2135 /* Reject strict with flags or pointer. */
2136 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
2137 EXPECT_EQ(EINVAL, errno) {
2138 TH_LOG("Did not reject mode strict with flags!");
2139 }
2140 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
2141 EXPECT_EQ(EINVAL, errno) {
2142 TH_LOG("Did not reject mode strict with uargs!");
2143 }
2144
2145 /* Reject insane args for filter. */
2146 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
2147 EXPECT_EQ(EINVAL, errno) {
2148 TH_LOG("Did not reject crazy filter flags!");
2149 }
2150 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
2151 EXPECT_EQ(EFAULT, errno) {
2152 TH_LOG("Did not reject NULL filter!");
2153 }
2154
2155 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2156 EXPECT_EQ(0, errno) {
2157 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
2158 strerror(errno));
2159 }
2160 }
2161
TEST(seccomp_syscall_mode_lock)2162 TEST(seccomp_syscall_mode_lock)
2163 {
2164 struct sock_filter filter[] = {
2165 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2166 };
2167 struct sock_fprog prog = {
2168 .len = (unsigned short)ARRAY_SIZE(filter),
2169 .filter = filter,
2170 };
2171 long ret;
2172
2173 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2174 ASSERT_EQ(0, ret) {
2175 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2176 }
2177
2178 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2179 ASSERT_NE(ENOSYS, errno) {
2180 TH_LOG("Kernel does not support seccomp syscall!");
2181 }
2182 EXPECT_EQ(0, ret) {
2183 TH_LOG("Could not install filter!");
2184 }
2185
2186 /* Make sure neither entry point will switch to strict. */
2187 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
2188 EXPECT_EQ(EINVAL, errno) {
2189 TH_LOG("Switched to mode strict!");
2190 }
2191
2192 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
2193 EXPECT_EQ(EINVAL, errno) {
2194 TH_LOG("Switched to mode strict!");
2195 }
2196 }
2197
2198 /* b/147676645 */
2199 #if 0
2200 /*
2201 * Test detection of known and unknown filter flags. Userspace needs to be able
2202 * to check if a filter flag is supported by the current kernel and a good way
2203 * of doing that is by attempting to enter filter mode, with the flag bit in
2204 * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
2205 * that the flag is valid and EINVAL indicates that the flag is invalid.
2206 */
2207 TEST(detect_seccomp_filter_flags)
2208 {
2209 unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
2210 SECCOMP_FILTER_FLAG_LOG,
2211 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
2212 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2213 unsigned int exclusive[] = {
2214 SECCOMP_FILTER_FLAG_TSYNC,
2215 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2216 unsigned int flag, all_flags, exclusive_mask;
2217 int i;
2218 long ret;
2219
2220 /* Test detection of individual known-good filter flags */
2221 for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
2222 int bits = 0;
2223
2224 flag = flags[i];
2225 /* Make sure the flag is a single bit! */
2226 while (flag) {
2227 if (flag & 0x1)
2228 bits ++;
2229 flag >>= 1;
2230 }
2231 ASSERT_EQ(1, bits);
2232 flag = flags[i];
2233
2234 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2235 ASSERT_NE(ENOSYS, errno) {
2236 TH_LOG("Kernel does not support seccomp syscall!");
2237 }
2238 EXPECT_EQ(-1, ret);
2239 EXPECT_EQ(EFAULT, errno) {
2240 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
2241 flag);
2242 }
2243
2244 all_flags |= flag;
2245 }
2246
2247 /*
2248 * Test detection of all known-good filter flags combined. But
2249 * for the exclusive flags we need to mask them out and try them
2250 * individually for the "all flags" testing.
2251 */
2252 exclusive_mask = 0;
2253 for (i = 0; i < ARRAY_SIZE(exclusive); i++)
2254 exclusive_mask |= exclusive[i];
2255 for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
2256 flag = all_flags & ~exclusive_mask;
2257 flag |= exclusive[i];
2258
2259 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2260 EXPECT_EQ(-1, ret);
2261 EXPECT_EQ(EFAULT, errno) {
2262 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
2263 flag);
2264 }
2265 }
2266
2267 /* Test detection of an unknown filter flags, without exclusives. */
2268 flag = -1;
2269 flag &= ~exclusive_mask;
2270 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2271 EXPECT_EQ(-1, ret);
2272 EXPECT_EQ(EINVAL, errno) {
2273 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
2274 flag);
2275 }
2276
2277 /*
2278 * Test detection of an unknown filter flag that may simply need to be
2279 * added to this test
2280 */
2281 flag = flags[ARRAY_SIZE(flags) - 1] << 1;
2282 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2283 EXPECT_EQ(-1, ret);
2284 EXPECT_EQ(EINVAL, errno) {
2285 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
2286 flag);
2287 }
2288 }
2289 #endif
2290
TEST(TSYNC_first)2291 TEST(TSYNC_first)
2292 {
2293 struct sock_filter filter[] = {
2294 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2295 };
2296 struct sock_fprog prog = {
2297 .len = (unsigned short)ARRAY_SIZE(filter),
2298 .filter = filter,
2299 };
2300 long ret;
2301
2302 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2303 ASSERT_EQ(0, ret) {
2304 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2305 }
2306
2307 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2308 &prog);
2309 ASSERT_NE(ENOSYS, errno) {
2310 TH_LOG("Kernel does not support seccomp syscall!");
2311 }
2312 EXPECT_EQ(0, ret) {
2313 TH_LOG("Could not install initial filter with TSYNC!");
2314 }
2315 }
2316
2317 #define TSYNC_SIBLINGS 2
2318 struct tsync_sibling {
2319 pthread_t tid;
2320 pid_t system_tid;
2321 sem_t *started;
2322 pthread_cond_t *cond;
2323 pthread_mutex_t *mutex;
2324 int diverge;
2325 int num_waits;
2326 struct sock_fprog *prog;
2327 struct __test_metadata *metadata;
2328 };
2329
2330 /*
2331 * To avoid joining joined threads (which is not allowed by Bionic),
2332 * make sure we both successfully join and clear the tid to skip a
2333 * later join attempt during fixture teardown. Any remaining threads
2334 * will be directly killed during teardown.
2335 */
2336 #define PTHREAD_JOIN(tid, status) \
2337 do { \
2338 int _rc = pthread_join(tid, status); \
2339 if (_rc) { \
2340 TH_LOG("pthread_join of tid %u failed: %d\n", \
2341 (unsigned int)tid, _rc); \
2342 } else { \
2343 tid = 0; \
2344 } \
2345 } while (0)
2346
FIXTURE_DATA(TSYNC)2347 FIXTURE_DATA(TSYNC) {
2348 struct sock_fprog root_prog, apply_prog;
2349 struct tsync_sibling sibling[TSYNC_SIBLINGS];
2350 sem_t started;
2351 pthread_cond_t cond;
2352 pthread_mutex_t mutex;
2353 int sibling_count;
2354 };
2355
FIXTURE_SETUP(TSYNC)2356 FIXTURE_SETUP(TSYNC)
2357 {
2358 struct sock_filter root_filter[] = {
2359 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2360 };
2361 struct sock_filter apply_filter[] = {
2362 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2363 offsetof(struct seccomp_data, nr)),
2364 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
2365 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2366 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2367 };
2368
2369 memset(&self->root_prog, 0, sizeof(self->root_prog));
2370 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
2371 memset(&self->sibling, 0, sizeof(self->sibling));
2372 self->root_prog.filter = malloc(sizeof(root_filter));
2373 ASSERT_NE(NULL, self->root_prog.filter);
2374 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
2375 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
2376
2377 self->apply_prog.filter = malloc(sizeof(apply_filter));
2378 ASSERT_NE(NULL, self->apply_prog.filter);
2379 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
2380 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
2381
2382 self->sibling_count = 0;
2383 pthread_mutex_init(&self->mutex, NULL);
2384 pthread_cond_init(&self->cond, NULL);
2385 sem_init(&self->started, 0, 0);
2386 self->sibling[0].tid = 0;
2387 self->sibling[0].cond = &self->cond;
2388 self->sibling[0].started = &self->started;
2389 self->sibling[0].mutex = &self->mutex;
2390 self->sibling[0].diverge = 0;
2391 self->sibling[0].num_waits = 1;
2392 self->sibling[0].prog = &self->root_prog;
2393 self->sibling[0].metadata = _metadata;
2394 self->sibling[1].tid = 0;
2395 self->sibling[1].cond = &self->cond;
2396 self->sibling[1].started = &self->started;
2397 self->sibling[1].mutex = &self->mutex;
2398 self->sibling[1].diverge = 0;
2399 self->sibling[1].prog = &self->root_prog;
2400 self->sibling[1].num_waits = 1;
2401 self->sibling[1].metadata = _metadata;
2402 }
2403
FIXTURE_TEARDOWN(TSYNC)2404 FIXTURE_TEARDOWN(TSYNC)
2405 {
2406 int sib = 0;
2407
2408 if (self->root_prog.filter)
2409 free(self->root_prog.filter);
2410 if (self->apply_prog.filter)
2411 free(self->apply_prog.filter);
2412
2413 for ( ; sib < self->sibling_count; ++sib) {
2414 struct tsync_sibling *s = &self->sibling[sib];
2415
2416 if (!s->tid)
2417 continue;
2418 /*
2419 * If a thread is still running, it may be stuck, so hit
2420 * it over the head really hard.
2421 */
2422 pthread_kill(s->tid, 9);
2423 }
2424 pthread_mutex_destroy(&self->mutex);
2425 pthread_cond_destroy(&self->cond);
2426 sem_destroy(&self->started);
2427 }
2428
tsync_sibling(void * data)2429 void *tsync_sibling(void *data)
2430 {
2431 long ret = 0;
2432 struct tsync_sibling *me = data;
2433
2434 me->system_tid = syscall(__NR_gettid);
2435
2436 pthread_mutex_lock(me->mutex);
2437 if (me->diverge) {
2438 /* Just re-apply the root prog to fork the tree */
2439 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
2440 me->prog, 0, 0);
2441 }
2442 sem_post(me->started);
2443 /* Return outside of started so parent notices failures. */
2444 if (ret) {
2445 pthread_mutex_unlock(me->mutex);
2446 return (void *)SIBLING_EXIT_FAILURE;
2447 }
2448 do {
2449 pthread_cond_wait(me->cond, me->mutex);
2450 me->num_waits = me->num_waits - 1;
2451 } while (me->num_waits);
2452 pthread_mutex_unlock(me->mutex);
2453
2454 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
2455 if (!ret)
2456 return (void *)SIBLING_EXIT_NEWPRIVS;
2457 read(0, NULL, 0);
2458 return (void *)SIBLING_EXIT_UNKILLED;
2459 }
2460
tsync_start_sibling(struct tsync_sibling * sibling)2461 void tsync_start_sibling(struct tsync_sibling *sibling)
2462 {
2463 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
2464 }
2465
TEST_F(TSYNC,siblings_fail_prctl)2466 TEST_F(TSYNC, siblings_fail_prctl)
2467 {
2468 long ret;
2469 void *status;
2470 struct sock_filter filter[] = {
2471 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2472 offsetof(struct seccomp_data, nr)),
2473 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
2474 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
2475 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2476 };
2477 struct sock_fprog prog = {
2478 .len = (unsigned short)ARRAY_SIZE(filter),
2479 .filter = filter,
2480 };
2481
2482 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2483 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2484 }
2485
2486 /* Check prctl failure detection by requesting sib 0 diverge. */
2487 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2488 ASSERT_NE(ENOSYS, errno) {
2489 TH_LOG("Kernel does not support seccomp syscall!");
2490 }
2491 ASSERT_EQ(0, ret) {
2492 TH_LOG("setting filter failed");
2493 }
2494
2495 self->sibling[0].diverge = 1;
2496 tsync_start_sibling(&self->sibling[0]);
2497 tsync_start_sibling(&self->sibling[1]);
2498
2499 while (self->sibling_count < TSYNC_SIBLINGS) {
2500 sem_wait(&self->started);
2501 self->sibling_count++;
2502 }
2503
2504 /* Signal the threads to clean up*/
2505 pthread_mutex_lock(&self->mutex);
2506 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2507 TH_LOG("cond broadcast non-zero");
2508 }
2509 pthread_mutex_unlock(&self->mutex);
2510
2511 /* Ensure diverging sibling failed to call prctl. */
2512 PTHREAD_JOIN(self->sibling[0].tid, &status);
2513 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
2514 PTHREAD_JOIN(self->sibling[1].tid, &status);
2515 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2516 }
2517
TEST_F(TSYNC,two_siblings_with_ancestor)2518 TEST_F(TSYNC, two_siblings_with_ancestor)
2519 {
2520 long ret;
2521 void *status;
2522
2523 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2524 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2525 }
2526
2527 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2528 ASSERT_NE(ENOSYS, errno) {
2529 TH_LOG("Kernel does not support seccomp syscall!");
2530 }
2531 ASSERT_EQ(0, ret) {
2532 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2533 }
2534 tsync_start_sibling(&self->sibling[0]);
2535 tsync_start_sibling(&self->sibling[1]);
2536
2537 while (self->sibling_count < TSYNC_SIBLINGS) {
2538 sem_wait(&self->started);
2539 self->sibling_count++;
2540 }
2541
2542 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2543 &self->apply_prog);
2544 ASSERT_EQ(0, ret) {
2545 TH_LOG("Could install filter on all threads!");
2546 }
2547 /* Tell the siblings to test the policy */
2548 pthread_mutex_lock(&self->mutex);
2549 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2550 TH_LOG("cond broadcast non-zero");
2551 }
2552 pthread_mutex_unlock(&self->mutex);
2553 /* Ensure they are both killed and don't exit cleanly. */
2554 PTHREAD_JOIN(self->sibling[0].tid, &status);
2555 EXPECT_EQ(0x0, (long)status);
2556 PTHREAD_JOIN(self->sibling[1].tid, &status);
2557 EXPECT_EQ(0x0, (long)status);
2558 }
2559
TEST_F(TSYNC,two_sibling_want_nnp)2560 TEST_F(TSYNC, two_sibling_want_nnp)
2561 {
2562 void *status;
2563
2564 /* start siblings before any prctl() operations */
2565 tsync_start_sibling(&self->sibling[0]);
2566 tsync_start_sibling(&self->sibling[1]);
2567 while (self->sibling_count < TSYNC_SIBLINGS) {
2568 sem_wait(&self->started);
2569 self->sibling_count++;
2570 }
2571
2572 /* Tell the siblings to test no policy */
2573 pthread_mutex_lock(&self->mutex);
2574 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2575 TH_LOG("cond broadcast non-zero");
2576 }
2577 pthread_mutex_unlock(&self->mutex);
2578
2579 /* Ensure they are both upset about lacking nnp. */
2580 PTHREAD_JOIN(self->sibling[0].tid, &status);
2581 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2582 PTHREAD_JOIN(self->sibling[1].tid, &status);
2583 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2584 }
2585
TEST_F(TSYNC,two_siblings_with_no_filter)2586 TEST_F(TSYNC, two_siblings_with_no_filter)
2587 {
2588 long ret;
2589 void *status;
2590
2591 /* start siblings before any prctl() operations */
2592 tsync_start_sibling(&self->sibling[0]);
2593 tsync_start_sibling(&self->sibling[1]);
2594 while (self->sibling_count < TSYNC_SIBLINGS) {
2595 sem_wait(&self->started);
2596 self->sibling_count++;
2597 }
2598
2599 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2600 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2601 }
2602
2603 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2604 &self->apply_prog);
2605 ASSERT_NE(ENOSYS, errno) {
2606 TH_LOG("Kernel does not support seccomp syscall!");
2607 }
2608 ASSERT_EQ(0, ret) {
2609 TH_LOG("Could install filter on all threads!");
2610 }
2611
2612 /* Tell the siblings to test the policy */
2613 pthread_mutex_lock(&self->mutex);
2614 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2615 TH_LOG("cond broadcast non-zero");
2616 }
2617 pthread_mutex_unlock(&self->mutex);
2618
2619 /* Ensure they are both killed and don't exit cleanly. */
2620 PTHREAD_JOIN(self->sibling[0].tid, &status);
2621 EXPECT_EQ(0x0, (long)status);
2622 PTHREAD_JOIN(self->sibling[1].tid, &status);
2623 EXPECT_EQ(0x0, (long)status);
2624 }
2625
TEST_F(TSYNC,two_siblings_with_one_divergence)2626 TEST_F(TSYNC, two_siblings_with_one_divergence)
2627 {
2628 long ret;
2629 void *status;
2630
2631 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2632 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2633 }
2634
2635 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2636 ASSERT_NE(ENOSYS, errno) {
2637 TH_LOG("Kernel does not support seccomp syscall!");
2638 }
2639 ASSERT_EQ(0, ret) {
2640 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2641 }
2642 self->sibling[0].diverge = 1;
2643 tsync_start_sibling(&self->sibling[0]);
2644 tsync_start_sibling(&self->sibling[1]);
2645
2646 while (self->sibling_count < TSYNC_SIBLINGS) {
2647 sem_wait(&self->started);
2648 self->sibling_count++;
2649 }
2650
2651 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2652 &self->apply_prog);
2653 ASSERT_EQ(self->sibling[0].system_tid, ret) {
2654 TH_LOG("Did not fail on diverged sibling.");
2655 }
2656
2657 /* Wake the threads */
2658 pthread_mutex_lock(&self->mutex);
2659 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2660 TH_LOG("cond broadcast non-zero");
2661 }
2662 pthread_mutex_unlock(&self->mutex);
2663
2664 /* Ensure they are both unkilled. */
2665 PTHREAD_JOIN(self->sibling[0].tid, &status);
2666 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2667 PTHREAD_JOIN(self->sibling[1].tid, &status);
2668 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2669 }
2670
TEST_F(TSYNC,two_siblings_not_under_filter)2671 TEST_F(TSYNC, two_siblings_not_under_filter)
2672 {
2673 long ret, sib;
2674 void *status;
2675 struct timespec delay = { .tv_nsec = 100000000 };
2676
2677 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2678 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2679 }
2680
2681 /*
2682 * Sibling 0 will have its own seccomp policy
2683 * and Sibling 1 will not be under seccomp at
2684 * all. Sibling 1 will enter seccomp and 0
2685 * will cause failure.
2686 */
2687 self->sibling[0].diverge = 1;
2688 tsync_start_sibling(&self->sibling[0]);
2689 tsync_start_sibling(&self->sibling[1]);
2690
2691 while (self->sibling_count < TSYNC_SIBLINGS) {
2692 sem_wait(&self->started);
2693 self->sibling_count++;
2694 }
2695
2696 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2697 ASSERT_NE(ENOSYS, errno) {
2698 TH_LOG("Kernel does not support seccomp syscall!");
2699 }
2700 ASSERT_EQ(0, ret) {
2701 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2702 }
2703
2704 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2705 &self->apply_prog);
2706 ASSERT_EQ(ret, self->sibling[0].system_tid) {
2707 TH_LOG("Did not fail on diverged sibling.");
2708 }
2709 sib = 1;
2710 if (ret == self->sibling[0].system_tid)
2711 sib = 0;
2712
2713 pthread_mutex_lock(&self->mutex);
2714
2715 /* Increment the other siblings num_waits so we can clean up
2716 * the one we just saw.
2717 */
2718 self->sibling[!sib].num_waits += 1;
2719
2720 /* Signal the thread to clean up*/
2721 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2722 TH_LOG("cond broadcast non-zero");
2723 }
2724 pthread_mutex_unlock(&self->mutex);
2725 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2726 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2727 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2728 while (!kill(self->sibling[sib].system_tid, 0))
2729 nanosleep(&delay, NULL);
2730 /* Switch to the remaining sibling */
2731 sib = !sib;
2732
2733 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2734 &self->apply_prog);
2735 ASSERT_EQ(0, ret) {
2736 TH_LOG("Expected the remaining sibling to sync");
2737 };
2738
2739 pthread_mutex_lock(&self->mutex);
2740
2741 /* If remaining sibling didn't have a chance to wake up during
2742 * the first broadcast, manually reduce the num_waits now.
2743 */
2744 if (self->sibling[sib].num_waits > 1)
2745 self->sibling[sib].num_waits = 1;
2746 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2747 TH_LOG("cond broadcast non-zero");
2748 }
2749 pthread_mutex_unlock(&self->mutex);
2750 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2751 EXPECT_EQ(0, (long)status);
2752 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2753 while (!kill(self->sibling[sib].system_tid, 0))
2754 nanosleep(&delay, NULL);
2755
2756 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2757 &self->apply_prog);
2758 ASSERT_EQ(0, ret); /* just us chickens */
2759 }
2760
2761 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
TEST(syscall_restart)2762 TEST(syscall_restart)
2763 {
2764 long ret;
2765 unsigned long msg;
2766 pid_t child_pid;
2767 int pipefd[2];
2768 int status;
2769 siginfo_t info = { };
2770 struct sock_filter filter[] = {
2771 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2772 offsetof(struct seccomp_data, nr)),
2773
2774 #ifdef __NR_sigreturn
2775 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 6, 0),
2776 #endif
2777 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 5, 0),
2778 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 4, 0),
2779 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 3, 0),
2780 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 4, 0),
2781 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
2782
2783 /* Allow __NR_write for easy logging. */
2784 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
2785 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2786 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2787 /* The nanosleep jump target. */
2788 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100),
2789 /* The restart_syscall jump target. */
2790 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200),
2791 };
2792 struct sock_fprog prog = {
2793 .len = (unsigned short)ARRAY_SIZE(filter),
2794 .filter = filter,
2795 };
2796 #if defined(__arm__)
2797 struct utsname utsbuf;
2798 int arm_version;
2799 #endif
2800
2801 ASSERT_EQ(0, pipe(pipefd));
2802
2803 child_pid = fork();
2804 ASSERT_LE(0, child_pid);
2805 if (child_pid == 0) {
2806 /* Child uses EXPECT not ASSERT to deliver status correctly. */
2807 char buf = ' ';
2808 struct timespec timeout = { };
2809
2810 /* Attach parent as tracer and stop. */
2811 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
2812 EXPECT_EQ(0, raise(SIGSTOP));
2813
2814 EXPECT_EQ(0, close(pipefd[1]));
2815
2816 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2817 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2818 }
2819
2820 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2821 EXPECT_EQ(0, ret) {
2822 TH_LOG("Failed to install filter!");
2823 }
2824
2825 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2826 TH_LOG("Failed to read() sync from parent");
2827 }
2828 EXPECT_EQ('.', buf) {
2829 TH_LOG("Failed to get sync data from read()");
2830 }
2831
2832 /* Start nanosleep to be interrupted. */
2833 timeout.tv_sec = 1;
2834 errno = 0;
2835 EXPECT_EQ(0, nanosleep(&timeout, NULL)) {
2836 TH_LOG("Call to nanosleep() failed (errno %d)", errno);
2837 }
2838
2839 /* Read final sync from parent. */
2840 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2841 TH_LOG("Failed final read() from parent");
2842 }
2843 EXPECT_EQ('!', buf) {
2844 TH_LOG("Failed to get final data from read()");
2845 }
2846
2847 /* Directly report the status of our test harness results. */
2848 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
2849 : EXIT_FAILURE);
2850 }
2851 EXPECT_EQ(0, close(pipefd[0]));
2852
2853 /* Attach to child, setup options, and release. */
2854 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2855 ASSERT_EQ(true, WIFSTOPPED(status));
2856 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
2857 PTRACE_O_TRACESECCOMP));
2858 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2859 ASSERT_EQ(1, write(pipefd[1], ".", 1));
2860
2861 /* Wait for nanosleep() to start. */
2862 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2863 ASSERT_EQ(true, WIFSTOPPED(status));
2864 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2865 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2866 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2867 ASSERT_EQ(0x100, msg);
2868 EXPECT_EQ(__NR_nanosleep, get_syscall(_metadata, child_pid));
2869
2870 /* Might as well check siginfo for sanity while we're here. */
2871 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2872 ASSERT_EQ(SIGTRAP, info.si_signo);
2873 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
2874 EXPECT_EQ(0, info.si_errno);
2875 EXPECT_EQ(getuid(), info.si_uid);
2876 /* Verify signal delivery came from child (seccomp-triggered). */
2877 EXPECT_EQ(child_pid, info.si_pid);
2878
2879 /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */
2880 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
2881 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2882 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2883 ASSERT_EQ(true, WIFSTOPPED(status));
2884 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
2885 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2886 /*
2887 * There is no siginfo on SIGSTOP any more, so we can't verify
2888 * signal delivery came from parent now (getpid() == info.si_pid).
2889 * https://lkml.kernel.org/r/CAGXu5jJaZAOzP1qFz66tYrtbuywqb+UN2SOA1VLHpCCOiYvYeg@mail.gmail.com
2890 * At least verify the SIGSTOP via PTRACE_GETSIGINFO.
2891 */
2892 EXPECT_EQ(SIGSTOP, info.si_signo);
2893
2894 /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */
2895 ASSERT_EQ(0, kill(child_pid, SIGCONT));
2896 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2897 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2898 ASSERT_EQ(true, WIFSTOPPED(status));
2899 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
2900 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2901
2902 /* Wait for restart_syscall() to start. */
2903 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2904 ASSERT_EQ(true, WIFSTOPPED(status));
2905 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2906 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2907 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2908
2909 ASSERT_EQ(0x200, msg);
2910 ret = get_syscall(_metadata, child_pid);
2911 #if defined(__arm__)
2912 /*
2913 * - native ARM registers do NOT expose true syscall.
2914 * - compat ARM registers on ARM64 DO expose true syscall.
2915 */
2916 ASSERT_EQ(0, uname(&utsbuf));
2917 if (sscanf(utsbuf.machine, "armv%d", &arm_version) == 1 &&
2918 arm_version < 8) {
2919 EXPECT_EQ(__NR_nanosleep, ret);
2920 } else
2921 #endif
2922 {
2923 EXPECT_EQ(__NR_restart_syscall, ret);
2924 }
2925
2926 /* Write again to end test. */
2927 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2928 ASSERT_EQ(1, write(pipefd[1], "!", 1));
2929 EXPECT_EQ(0, close(pipefd[1]));
2930
2931 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2932 if (WIFSIGNALED(status) || WEXITSTATUS(status))
2933 _metadata->passed = 0;
2934 }
2935
2936 /* b/147676645 */
2937 #if 0
2938 TEST_SIGNAL(filter_flag_log, SIGSYS)
2939 {
2940 struct sock_filter allow_filter[] = {
2941 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2942 };
2943 struct sock_filter kill_filter[] = {
2944 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2945 offsetof(struct seccomp_data, nr)),
2946 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
2947 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2948 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2949 };
2950 struct sock_fprog allow_prog = {
2951 .len = (unsigned short)ARRAY_SIZE(allow_filter),
2952 .filter = allow_filter,
2953 };
2954 struct sock_fprog kill_prog = {
2955 .len = (unsigned short)ARRAY_SIZE(kill_filter),
2956 .filter = kill_filter,
2957 };
2958 long ret;
2959 pid_t parent = getppid();
2960
2961 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2962 ASSERT_EQ(0, ret);
2963
2964 /* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */
2965 ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,
2966 &allow_prog);
2967 ASSERT_NE(ENOSYS, errno) {
2968 TH_LOG("Kernel does not support seccomp syscall!");
2969 }
2970 EXPECT_NE(0, ret) {
2971 TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!");
2972 }
2973 EXPECT_EQ(EINVAL, errno) {
2974 TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!");
2975 }
2976
2977 /* Verify that a simple, permissive filter can be added with no flags */
2978 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);
2979 EXPECT_EQ(0, ret);
2980
2981 /* See if the same filter can be added with the FILTER_FLAG_LOG flag */
2982 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
2983 &allow_prog);
2984 ASSERT_NE(EINVAL, errno) {
2985 TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!");
2986 }
2987 EXPECT_EQ(0, ret);
2988
2989 /* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */
2990 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
2991 &kill_prog);
2992 EXPECT_EQ(0, ret);
2993
2994 EXPECT_EQ(parent, syscall(__NR_getppid));
2995 /* getpid() should never return. */
2996 EXPECT_EQ(0, syscall(__NR_getpid));
2997 }
2998
2999 TEST(get_action_avail)
3000 {
3001 __u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP,
3002 SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE,
3003 SECCOMP_RET_LOG, SECCOMP_RET_ALLOW };
3004 __u32 unknown_action = 0x10000000U;
3005 int i;
3006 long ret;
3007
3008 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]);
3009 ASSERT_NE(ENOSYS, errno) {
3010 TH_LOG("Kernel does not support seccomp syscall!");
3011 }
3012 ASSERT_NE(EINVAL, errno) {
3013 TH_LOG("Kernel does not support SECCOMP_GET_ACTION_AVAIL operation!");
3014 }
3015 EXPECT_EQ(ret, 0);
3016
3017 for (i = 0; i < ARRAY_SIZE(actions); i++) {
3018 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]);
3019 EXPECT_EQ(ret, 0) {
3020 TH_LOG("Expected action (0x%X) not available!",
3021 actions[i]);
3022 }
3023 }
3024
3025 /* Check that an unknown action is handled properly (EOPNOTSUPP) */
3026 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action);
3027 EXPECT_EQ(ret, -1);
3028 EXPECT_EQ(errno, EOPNOTSUPP);
3029 }
3030
3031 TEST(get_metadata)
3032 {
3033 pid_t pid;
3034 int pipefd[2];
3035 char buf;
3036 struct seccomp_metadata md;
3037 long ret;
3038
3039 /* Only real root can get metadata. */
3040 if (geteuid()) {
3041 XFAIL(return, "get_metadata requires real root");
3042 return;
3043 }
3044
3045 ASSERT_EQ(0, pipe(pipefd));
3046
3047 pid = fork();
3048 ASSERT_GE(pid, 0);
3049 if (pid == 0) {
3050 struct sock_filter filter[] = {
3051 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3052 };
3053 struct sock_fprog prog = {
3054 .len = (unsigned short)ARRAY_SIZE(filter),
3055 .filter = filter,
3056 };
3057
3058 /* one with log, one without */
3059 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
3060 SECCOMP_FILTER_FLAG_LOG, &prog));
3061 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
3062
3063 EXPECT_EQ(0, close(pipefd[0]));
3064 ASSERT_EQ(1, write(pipefd[1], "1", 1));
3065 ASSERT_EQ(0, close(pipefd[1]));
3066
3067 while (1)
3068 sleep(100);
3069 }
3070
3071 ASSERT_EQ(0, close(pipefd[1]));
3072 ASSERT_EQ(1, read(pipefd[0], &buf, 1));
3073
3074 ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
3075 ASSERT_EQ(pid, waitpid(pid, NULL, 0));
3076
3077 /* Past here must not use ASSERT or child process is never killed. */
3078
3079 md.filter_off = 0;
3080 errno = 0;
3081 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3082 EXPECT_EQ(sizeof(md), ret) {
3083 if (errno == EINVAL)
3084 XFAIL(goto skip, "Kernel does not support PTRACE_SECCOMP_GET_METADATA (missing CONFIG_CHECKPOINT_RESTORE?)");
3085 }
3086
3087 EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
3088 EXPECT_EQ(md.filter_off, 0);
3089
3090 md.filter_off = 1;
3091 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3092 EXPECT_EQ(sizeof(md), ret);
3093 EXPECT_EQ(md.flags, 0);
3094 EXPECT_EQ(md.filter_off, 1);
3095
3096 skip:
3097 ASSERT_EQ(0, kill(pid, SIGKILL));
3098 }
3099 #endif
3100
3101 /* b/147676645 */
3102 #if 0
3103 static int user_trap_syscall(int nr, unsigned int flags)
3104 {
3105 struct sock_filter filter[] = {
3106 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
3107 offsetof(struct seccomp_data, nr)),
3108 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),
3109 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_USER_NOTIF),
3110 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
3111 };
3112
3113 struct sock_fprog prog = {
3114 .len = (unsigned short)ARRAY_SIZE(filter),
3115 .filter = filter,
3116 };
3117
3118 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
3119 }
3120
3121 #define USER_NOTIF_MAGIC INT_MAX
3122 TEST(user_notification_basic)
3123 {
3124 pid_t pid;
3125 long ret;
3126 int status, listener;
3127 struct seccomp_notif req = {};
3128 struct seccomp_notif_resp resp = {};
3129 struct pollfd pollfd;
3130
3131 struct sock_filter filter[] = {
3132 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3133 };
3134 struct sock_fprog prog = {
3135 .len = (unsigned short)ARRAY_SIZE(filter),
3136 .filter = filter,
3137 };
3138
3139 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3140 ASSERT_EQ(0, ret) {
3141 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3142 }
3143
3144 pid = fork();
3145 ASSERT_GE(pid, 0);
3146
3147 /* Check that we get -ENOSYS with no listener attached */
3148 if (pid == 0) {
3149 if (user_trap_syscall(__NR_getppid, 0) < 0)
3150 exit(1);
3151 ret = syscall(__NR_getppid);
3152 exit(ret >= 0 || errno != ENOSYS);
3153 }
3154
3155 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3156 EXPECT_EQ(true, WIFEXITED(status));
3157 EXPECT_EQ(0, WEXITSTATUS(status));
3158
3159 /* Add some no-op filters for grins. */
3160 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3161 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3162 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3163 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3164
3165 /* Check that the basic notification machinery works */
3166 listener = user_trap_syscall(__NR_getppid,
3167 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3168 ASSERT_GE(listener, 0);
3169
3170 /* Installing a second listener in the chain should EBUSY */
3171 EXPECT_EQ(user_trap_syscall(__NR_getppid,
3172 SECCOMP_FILTER_FLAG_NEW_LISTENER),
3173 -1);
3174 EXPECT_EQ(errno, EBUSY);
3175
3176 pid = fork();
3177 ASSERT_GE(pid, 0);
3178
3179 if (pid == 0) {
3180 ret = syscall(__NR_getppid);
3181 exit(ret != USER_NOTIF_MAGIC);
3182 }
3183
3184 pollfd.fd = listener;
3185 pollfd.events = POLLIN | POLLOUT;
3186
3187 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3188 EXPECT_EQ(pollfd.revents, POLLIN);
3189
3190 /* Test that we can't pass garbage to the kernel. */
3191 memset(&req, 0, sizeof(req));
3192 req.pid = -1;
3193 errno = 0;
3194 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);
3195 EXPECT_EQ(-1, ret);
3196 EXPECT_EQ(EINVAL, errno);
3197
3198 if (ret) {
3199 req.pid = 0;
3200 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3201 }
3202
3203 pollfd.fd = listener;
3204 pollfd.events = POLLIN | POLLOUT;
3205
3206 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3207 EXPECT_EQ(pollfd.revents, POLLOUT);
3208
3209 EXPECT_EQ(req.data.nr, __NR_getppid);
3210
3211 resp.id = req.id;
3212 resp.error = 0;
3213 resp.val = USER_NOTIF_MAGIC;
3214
3215 /* check that we make sure flags == 0 */
3216 resp.flags = 1;
3217 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3218 EXPECT_EQ(errno, EINVAL);
3219
3220 resp.flags = 0;
3221 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3222
3223 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3224 EXPECT_EQ(true, WIFEXITED(status));
3225 EXPECT_EQ(0, WEXITSTATUS(status));
3226 }
3227
3228 TEST(user_notification_kill_in_middle)
3229 {
3230 pid_t pid;
3231 long ret;
3232 int listener;
3233 struct seccomp_notif req = {};
3234 struct seccomp_notif_resp resp = {};
3235
3236 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3237 ASSERT_EQ(0, ret) {
3238 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3239 }
3240
3241 listener = user_trap_syscall(__NR_getppid,
3242 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3243 ASSERT_GE(listener, 0);
3244
3245 /*
3246 * Check that nothing bad happens when we kill the task in the middle
3247 * of a syscall.
3248 */
3249 pid = fork();
3250 ASSERT_GE(pid, 0);
3251
3252 if (pid == 0) {
3253 ret = syscall(__NR_getppid);
3254 exit(ret != USER_NOTIF_MAGIC);
3255 }
3256
3257 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3258 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), 0);
3259
3260 EXPECT_EQ(kill(pid, SIGKILL), 0);
3261 EXPECT_EQ(waitpid(pid, NULL, 0), pid);
3262
3263 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), -1);
3264
3265 resp.id = req.id;
3266 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
3267 EXPECT_EQ(ret, -1);
3268 EXPECT_EQ(errno, ENOENT);
3269 }
3270
3271 static int handled = -1;
3272
3273 static void signal_handler(int signal)
3274 {
3275 if (write(handled, "c", 1) != 1)
3276 perror("write from signal");
3277 }
3278
3279 TEST(user_notification_signal)
3280 {
3281 pid_t pid;
3282 long ret;
3283 int status, listener, sk_pair[2];
3284 struct seccomp_notif req = {};
3285 struct seccomp_notif_resp resp = {};
3286 char c;
3287
3288 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3289 ASSERT_EQ(0, ret) {
3290 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3291 }
3292
3293 ASSERT_EQ(socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair), 0);
3294
3295 listener = user_trap_syscall(__NR_gettid,
3296 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3297 ASSERT_GE(listener, 0);
3298
3299 pid = fork();
3300 ASSERT_GE(pid, 0);
3301
3302 if (pid == 0) {
3303 close(sk_pair[0]);
3304 handled = sk_pair[1];
3305 if (signal(SIGUSR1, signal_handler) == SIG_ERR) {
3306 perror("signal");
3307 exit(1);
3308 }
3309 /*
3310 * ERESTARTSYS behavior is a bit hard to test, because we need
3311 * to rely on a signal that has not yet been handled. Let's at
3312 * least check that the error code gets propagated through, and
3313 * hope that it doesn't break when there is actually a signal :)
3314 */
3315 ret = syscall(__NR_gettid);
3316 exit(!(ret == -1 && errno == 512));
3317 }
3318
3319 close(sk_pair[1]);
3320
3321 memset(&req, 0, sizeof(req));
3322 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3323
3324 EXPECT_EQ(kill(pid, SIGUSR1), 0);
3325
3326 /*
3327 * Make sure the signal really is delivered, which means we're not
3328 * stuck in the user notification code any more and the notification
3329 * should be dead.
3330 */
3331 EXPECT_EQ(read(sk_pair[0], &c, 1), 1);
3332
3333 resp.id = req.id;
3334 resp.error = -EPERM;
3335 resp.val = 0;
3336
3337 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3338 EXPECT_EQ(errno, ENOENT);
3339
3340 memset(&req, 0, sizeof(req));
3341 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3342
3343 resp.id = req.id;
3344 resp.error = -512; /* -ERESTARTSYS */
3345 resp.val = 0;
3346
3347 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3348
3349 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3350 EXPECT_EQ(true, WIFEXITED(status));
3351 EXPECT_EQ(0, WEXITSTATUS(status));
3352 }
3353
3354 TEST(user_notification_closed_listener)
3355 {
3356 pid_t pid;
3357 long ret;
3358 int status, listener;
3359
3360 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3361 ASSERT_EQ(0, ret) {
3362 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3363 }
3364
3365 listener = user_trap_syscall(__NR_getppid,
3366 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3367 ASSERT_GE(listener, 0);
3368
3369 /*
3370 * Check that we get an ENOSYS when the listener is closed.
3371 */
3372 pid = fork();
3373 ASSERT_GE(pid, 0);
3374 if (pid == 0) {
3375 close(listener);
3376 ret = syscall(__NR_getppid);
3377 exit(ret != -1 && errno != ENOSYS);
3378 }
3379
3380 close(listener);
3381
3382 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3383 EXPECT_EQ(true, WIFEXITED(status));
3384 EXPECT_EQ(0, WEXITSTATUS(status));
3385 }
3386
3387 /*
3388 * Check that a pid in a child namespace still shows up as valid in ours.
3389 */
3390 TEST(user_notification_child_pid_ns)
3391 {
3392 pid_t pid;
3393 int status, listener;
3394 struct seccomp_notif req = {};
3395 struct seccomp_notif_resp resp = {};
3396
3397 ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
3398
3399 listener = user_trap_syscall(__NR_getppid,
3400 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3401 ASSERT_GE(listener, 0);
3402
3403 pid = fork();
3404 ASSERT_GE(pid, 0);
3405
3406 if (pid == 0)
3407 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3408
3409 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3410 EXPECT_EQ(req.pid, pid);
3411
3412 resp.id = req.id;
3413 resp.error = 0;
3414 resp.val = USER_NOTIF_MAGIC;
3415
3416 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3417
3418 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3419 EXPECT_EQ(true, WIFEXITED(status));
3420 EXPECT_EQ(0, WEXITSTATUS(status));
3421 close(listener);
3422 }
3423
3424 /*
3425 * Check that a pid in a sibling (i.e. unrelated) namespace shows up as 0, i.e.
3426 * invalid.
3427 */
3428 TEST(user_notification_sibling_pid_ns)
3429 {
3430 pid_t pid, pid2;
3431 int status, listener;
3432 struct seccomp_notif req = {};
3433 struct seccomp_notif_resp resp = {};
3434
3435 ASSERT_EQ(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), 0) {
3436 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3437 }
3438
3439 listener = user_trap_syscall(__NR_getppid,
3440 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3441 ASSERT_GE(listener, 0);
3442
3443 pid = fork();
3444 ASSERT_GE(pid, 0);
3445
3446 if (pid == 0) {
3447 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3448
3449 pid2 = fork();
3450 ASSERT_GE(pid2, 0);
3451
3452 if (pid2 == 0)
3453 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3454
3455 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3456 EXPECT_EQ(true, WIFEXITED(status));
3457 EXPECT_EQ(0, WEXITSTATUS(status));
3458 exit(WEXITSTATUS(status));
3459 }
3460
3461 /* Create the sibling ns, and sibling in it. */
3462 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3463 ASSERT_EQ(errno, 0);
3464
3465 pid2 = fork();
3466 ASSERT_GE(pid2, 0);
3467
3468 if (pid2 == 0) {
3469 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3470 /*
3471 * The pid should be 0, i.e. the task is in some namespace that
3472 * we can't "see".
3473 */
3474 EXPECT_EQ(req.pid, 0);
3475
3476 resp.id = req.id;
3477 resp.error = 0;
3478 resp.val = USER_NOTIF_MAGIC;
3479
3480 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3481 exit(0);
3482 }
3483
3484 close(listener);
3485
3486 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3487 EXPECT_EQ(true, WIFEXITED(status));
3488 EXPECT_EQ(0, WEXITSTATUS(status));
3489
3490 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3491 EXPECT_EQ(true, WIFEXITED(status));
3492 EXPECT_EQ(0, WEXITSTATUS(status));
3493 }
3494
3495 TEST(user_notification_fault_recv)
3496 {
3497 pid_t pid;
3498 int status, listener;
3499 struct seccomp_notif req = {};
3500 struct seccomp_notif_resp resp = {};
3501
3502 ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
3503
3504 listener = user_trap_syscall(__NR_getppid,
3505 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3506 ASSERT_GE(listener, 0);
3507
3508 pid = fork();
3509 ASSERT_GE(pid, 0);
3510
3511 if (pid == 0)
3512 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3513
3514 /* Do a bad recv() */
3515 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
3516 EXPECT_EQ(errno, EFAULT);
3517
3518 /* We should still be able to receive this notification, though. */
3519 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3520 EXPECT_EQ(req.pid, pid);
3521
3522 resp.id = req.id;
3523 resp.error = 0;
3524 resp.val = USER_NOTIF_MAGIC;
3525
3526 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3527
3528 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3529 EXPECT_EQ(true, WIFEXITED(status));
3530 EXPECT_EQ(0, WEXITSTATUS(status));
3531 }
3532
3533 TEST(seccomp_get_notif_sizes)
3534 {
3535 struct seccomp_notif_sizes sizes;
3536
3537 ASSERT_EQ(seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes), 0);
3538 EXPECT_EQ(sizes.seccomp_notif, sizeof(struct seccomp_notif));
3539 EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
3540 }
3541
3542 static int filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
3543 {
3544 #ifdef __NR_kcmp
3545 return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
3546 #else
3547 errno = ENOSYS;
3548 return -1;
3549 #endif
3550 }
3551
3552 TEST(user_notification_continue)
3553 {
3554 pid_t pid;
3555 long ret;
3556 int status, listener;
3557 struct seccomp_notif req = {};
3558 struct seccomp_notif_resp resp = {};
3559 struct pollfd pollfd;
3560
3561 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3562 ASSERT_EQ(0, ret) {
3563 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3564 }
3565
3566 listener = user_trap_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3567 ASSERT_GE(listener, 0);
3568
3569 pid = fork();
3570 ASSERT_GE(pid, 0);
3571
3572 if (pid == 0) {
3573 int dup_fd, pipe_fds[2];
3574 pid_t self;
3575
3576 ret = pipe(pipe_fds);
3577 if (ret < 0)
3578 exit(1);
3579
3580 dup_fd = dup(pipe_fds[0]);
3581 if (dup_fd < 0)
3582 exit(1);
3583
3584 self = getpid();
3585
3586 ret = filecmp(self, self, pipe_fds[0], dup_fd);
3587 if (ret)
3588 exit(2);
3589
3590 exit(0);
3591 }
3592
3593 pollfd.fd = listener;
3594 pollfd.events = POLLIN | POLLOUT;
3595
3596 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3597 EXPECT_EQ(pollfd.revents, POLLIN);
3598
3599 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3600
3601 pollfd.fd = listener;
3602 pollfd.events = POLLIN | POLLOUT;
3603
3604 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3605 EXPECT_EQ(pollfd.revents, POLLOUT);
3606
3607 EXPECT_EQ(req.data.nr, __NR_dup);
3608
3609 resp.id = req.id;
3610 resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
3611
3612 /*
3613 * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
3614 * args be set to 0.
3615 */
3616 resp.error = 0;
3617 resp.val = USER_NOTIF_MAGIC;
3618 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3619 EXPECT_EQ(errno, EINVAL);
3620
3621 resp.error = USER_NOTIF_MAGIC;
3622 resp.val = 0;
3623 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3624 EXPECT_EQ(errno, EINVAL);
3625
3626 resp.error = 0;
3627 resp.val = 0;
3628 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
3629 if (errno == EINVAL)
3630 XFAIL(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
3631 }
3632
3633 skip:
3634 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3635 EXPECT_EQ(true, WIFEXITED(status));
3636 EXPECT_EQ(0, WEXITSTATUS(status)) {
3637 if (WEXITSTATUS(status) == 2) {
3638 XFAIL(return, "Kernel does not support kcmp() syscall");
3639 return;
3640 }
3641 }
3642 }
3643 #endif
3644
3645 /*
3646 * TODO:
3647 * - add microbenchmarks
3648 * - expand NNP testing
3649 * - better arch-specific TRACE and TRAP handlers.
3650 * - endianness checking when appropriate
3651 * - 64-bit arg prodding
3652 * - arch value testing (x86 modes especially)
3653 * - verify that FILTER_FLAG_LOG filters generate log messages
3654 * - verify that RET_LOG generates log messages
3655 * - ...
3656 */
3657
3658 TEST_HARNESS_MAIN
3659