1 /* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #include <gtest/gtest.h> 17 18 #include <cstdlib> 19 #include <unistd.h> 20 #include <sys/wait.h> 21 #include <csignal> 22 #include <cerrno> 23 #include <cstring> 24 #include <sys/prctl.h> 25 #include <sys/types.h> 26 #include <sys/stat.h> 27 #include <fcntl.h> 28 #include <sys/syscall.h> 29 #include <asm/unistd.h> 30 #include <syscall.h> 31 #include <climits> 32 33 #include "seccomp_policy.h" 34 35 using SyscallFunc = bool (*)(void); 36 constexpr int SLEEP_TIME_100MS = 100000; // 100ms 37 constexpr int SLEEP_TIME_1S = 1; 38 39 using namespace testing::ext; 40 using namespace std; 41 42 namespace init_ut { 43 class SeccompUnitTest : public testing::Test { 44 public: SeccompUnitTest()45 SeccompUnitTest() {}; ~SeccompUnitTest()46 virtual ~SeccompUnitTest() {}; SetUpTestCase()47 static void SetUpTestCase() {}; TearDownTestCase()48 static void TearDownTestCase() {}; 49 SetUp()50 void SetUp() 51 { 52 /* 53 * Wait for 1 second to prevent the generated crash file 54 * from being overwritten because the crash interval is too short 55 * and the crash file's name is constructed by time stamp. 56 */ 57 sleep(SLEEP_TIME_1S); 58 }; 59 TearDown()60 void TearDown() {}; TestBody(void)61 void TestBody(void) {}; 62 Handler(int s)63 static void Handler(int s) 64 { 65 } 66 StartChild(SeccompFilterType type,const char * filterName,SyscallFunc func)67 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func) 68 { 69 pid_t pid = fork(); 70 if (pid == 0) { 71 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { 72 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; 73 exit(EXIT_FAILURE); 74 } 75 76 if (!SetSeccompPolicyWithName(type, filterName)) { 77 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; 78 exit(EXIT_FAILURE); 79 } 80 81 if (!func()) { 82 std::cout << "func excute fail" << std::endl; 83 exit(EXIT_FAILURE); 84 } 85 86 std::cout << "func excute success" << std::endl; 87 88 exit(EXIT_SUCCESS); 89 } 90 return pid; 91 } 92 CheckSyscall(SeccompFilterType type,const char * filterName,SyscallFunc func,bool isAllow)93 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow) 94 { 95 sigset_t set; 96 int status; 97 pid_t pid; 98 int flag = 0; 99 struct timespec waitTime = {5, 0}; 100 101 sigemptyset(&set); 102 sigaddset(&set, SIGCHLD); 103 sigaddset(&set, SIGSYS); 104 sigprocmask(SIG_BLOCK, &set, nullptr); 105 if (signal(SIGCHLD, Handler) == nullptr) { 106 std::cout << "signal failed:" << strerror(errno) << std::endl; 107 } 108 109 /* Sleeping for avoiding influencing child proccess wait for other threads 110 * which were created by other unittests to release global rwlock. The global 111 * rwlock will be used by function dlopen in child process */ 112 usleep(SLEEP_TIME_100MS); 113 114 pid = StartChild(type, filterName, func); 115 if (pid == -1) { 116 std::cout << "fork failed:" << strerror(errno) << std::endl; 117 return -1; 118 } 119 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */ 120 if (errno == EAGAIN) { 121 flag = 1; 122 } else { 123 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl; 124 } 125 126 if (kill(pid, SIGKILL) == -1) { 127 std::cout << "kill failed::" << strerror(errno) << std::endl; 128 } 129 } 130 131 if (waitpid(pid, &status, 0) != pid) { 132 std::cout << "waitpid failed:" << strerror(errno) << std::endl; 133 return -1; 134 } 135 136 if (flag != 0) { 137 std::cout << "Child process time out" << std::endl; 138 } 139 140 if (WEXITSTATUS(status) == EXIT_FAILURE) { 141 return -1; 142 } 143 144 if (WIFSIGNALED(status)) { 145 if (WTERMSIG(status) == SIGSYS) { 146 std::cout << "child process exit with SIGSYS" << std::endl; 147 return isAllow ? -1 : 0; 148 } 149 } else { 150 std::cout << "child process finished normally" << std::endl; 151 return isAllow ? 0 : -1; 152 } 153 return -1; 154 } 155 156 #if defined __aarch64__ CheckGetMempolicy()157 static bool CheckGetMempolicy() 158 { 159 int ret = syscall(__NR_get_mempolicy, nullptr, nullptr, 0, nullptr, 0); 160 if (ret < 0) { 161 return false; 162 } 163 164 return true; 165 } 166 CheckGetpid()167 static bool CheckGetpid() 168 { 169 pid_t pid = 1; 170 pid = syscall(__NR_getpid); 171 if (pid > 1) { 172 return true; 173 } 174 return false; 175 } 176 CheckGetuid()177 static bool CheckGetuid() 178 { 179 uid_t uid = 0; 180 uid = syscall(__NR_getuid); 181 if (uid >= 0) { 182 return true; 183 } 184 185 return false; 186 } 187 CheckSetresuidArgsInRange()188 static bool CheckSetresuidArgsInRange() 189 { 190 int ret = syscall(__NR_setresuid, 20000, 20000, 20000); 191 if (ret == 0) { 192 return true; 193 } 194 195 return false; 196 } 197 CheckSetresuidArgsOutOfRange()198 static bool CheckSetresuidArgsOutOfRange() 199 { 200 int ret = syscall(__NR_setresuid, 800, 800, 800); 201 if (ret == 0) { 202 return true; 203 } 204 205 return false; 206 } 207 CheckSetuid()208 static bool CheckSetuid() 209 { 210 int uid = syscall(__NR_setuid, 1); 211 if (uid == 0) { 212 return true; 213 } 214 215 return false; 216 } 217 CheckSetuid64ForUidFilter1()218 static bool CheckSetuid64ForUidFilter1() 219 { 220 int ret = syscall(__NR_setuid, 0); 221 if (ret == 0) { 222 return true; 223 } 224 225 return false; 226 } 227 CheckSetuid64ForUidFilter2()228 static bool CheckSetuid64ForUidFilter2() 229 { 230 int ret = syscall(__NR_setuid, 2); 231 if (ret == 0) { 232 return true; 233 } 234 235 return false; 236 } 237 CheckSetreuid64ForUidFilter1()238 static bool CheckSetreuid64ForUidFilter1() 239 { 240 int ret = syscall(__NR_setreuid, 0, 2); 241 if (ret == 0) { 242 return true; 243 } 244 245 return false; 246 } 247 CheckSetreuid64ForUidFilter2()248 static bool CheckSetreuid64ForUidFilter2() 249 { 250 int ret = syscall(__NR_setreuid, 2, 0); 251 if (ret == 0) { 252 return true; 253 } 254 255 return false; 256 } 257 CheckSetreuid64ForUidFilter3()258 static bool CheckSetreuid64ForUidFilter3() 259 { 260 int ret = syscall(__NR_setreuid, 0, 0); 261 if (ret == 0) { 262 return true; 263 } 264 265 return false; 266 } 267 CheckSetreuid64ForUidFilter4()268 static bool CheckSetreuid64ForUidFilter4() 269 { 270 int ret = syscall(__NR_setreuid, 2, 2); 271 if (ret == 0) { 272 return true; 273 } 274 275 return false; 276 } 277 CheckSetfsuid64ForUidFilter1()278 static bool CheckSetfsuid64ForUidFilter1() 279 { 280 int ret = syscall(__NR_setfsuid, 0); 281 if (ret == 0) { 282 return true; 283 } 284 285 return false; 286 } 287 CheckSetfsuid64ForUidFilter2()288 static bool CheckSetfsuid64ForUidFilter2() 289 { 290 int ret = syscall(__NR_setfsuid, 2); 291 if (ret == 0) { 292 return true; 293 } 294 295 return false; 296 } 297 CheckSetresuid64ForUidFilter1()298 static bool CheckSetresuid64ForUidFilter1() 299 { 300 int ret = syscall(__NR_setresuid, 0, 0, 0); 301 if (ret == 0) { 302 return true; 303 } 304 305 return false; 306 } 307 CheckSetresuid64ForUidFilter2()308 static bool CheckSetresuid64ForUidFilter2() 309 { 310 int ret = syscall(__NR_setresuid, 2, 0, 0); 311 if (ret == 0) { 312 return true; 313 } 314 315 return false; 316 } 317 CheckSetresuid64ForUidFilter3()318 static bool CheckSetresuid64ForUidFilter3() 319 { 320 int ret = syscall(__NR_setresuid, 0, 2, 0); 321 if (ret == 0) { 322 return true; 323 } 324 325 return false; 326 } 327 CheckSetresuid64ForUidFilter4()328 static bool CheckSetresuid64ForUidFilter4() 329 { 330 int ret = syscall(__NR_setresuid, 0, 0, 2); 331 if (ret == 0) { 332 return true; 333 } 334 335 return false; 336 } 337 CheckSetresuid64ForUidFilter5()338 static bool CheckSetresuid64ForUidFilter5() 339 { 340 int ret = syscall(__NR_setresuid, 0, 2, 2); 341 if (ret == 0) { 342 return true; 343 } 344 345 return false; 346 } 347 CheckSetresuid64ForUidFilter6()348 static bool CheckSetresuid64ForUidFilter6() 349 { 350 int ret = syscall(__NR_setresuid, 2, 0, 2); 351 if (ret == 0) { 352 return true; 353 } 354 355 return false; 356 } 357 CheckSetresuid64ForUidFilter7()358 static bool CheckSetresuid64ForUidFilter7() 359 { 360 int ret = syscall(__NR_setresuid, 2, 2, 0); 361 if (ret == 0) { 362 return true; 363 } 364 365 return false; 366 } 367 CheckSetresuid64ForUidFilter8()368 static bool CheckSetresuid64ForUidFilter8() 369 { 370 int ret = syscall(__NR_setresuid, 2, 2, 2); 371 if (ret == 0) { 372 return true; 373 } 374 375 return false; 376 } 377 TestSystemSycall()378 void TestSystemSycall() 379 { 380 // system blocklist 381 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetMempolicy, false); 382 EXPECT_EQ(ret, 0); 383 384 // system allowlist 385 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true); 386 EXPECT_EQ(ret, 0); 387 } 388 TestSystemSyscallForUidFilter()389 void TestSystemSyscallForUidFilter() 390 { 391 // system_uid_filter_64bit_test 392 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false); 393 EXPECT_EQ(ret, 0); 394 395 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true); 396 EXPECT_EQ(ret, 0); 397 398 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false); 399 EXPECT_EQ(ret, 0); 400 401 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false); 402 EXPECT_EQ(ret, 0); 403 404 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false); 405 EXPECT_EQ(ret, 0); 406 407 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true); 408 EXPECT_EQ(ret, 0); 409 410 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false); 411 EXPECT_EQ(ret, 0); 412 413 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true); 414 EXPECT_EQ(ret, 0); 415 416 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false); 417 EXPECT_EQ(ret, 0); 418 419 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false); 420 EXPECT_EQ(ret, 0); 421 422 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false); 423 EXPECT_EQ(ret, 0); 424 425 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false); 426 EXPECT_EQ(ret, 0); 427 428 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false); 429 EXPECT_EQ(ret, 0); 430 431 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false); 432 EXPECT_EQ(ret, 0); 433 434 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false); 435 EXPECT_EQ(ret, 0); 436 437 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true); 438 EXPECT_EQ(ret, 0); 439 } 440 TestSetUidGidFilter()441 void TestSetUidGidFilter() 442 { 443 // system blocklist 444 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); 445 EXPECT_EQ(ret, 0); 446 447 // system allowlist 448 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true); 449 EXPECT_EQ(ret, 0); 450 } 451 TestAppSycall()452 void TestAppSycall() 453 { 454 // app blocklist 455 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false); 456 EXPECT_EQ(ret, 0); 457 458 // app allowlist 459 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true); 460 EXPECT_EQ(ret, 0); 461 } 462 #elif defined __arm__ CheckGetuid32()463 static bool CheckGetuid32() 464 { 465 uid_t uid = syscall(__NR_getuid32); 466 if (uid >= 0) { 467 return true; 468 } 469 return false; 470 } 471 CheckGetuid()472 static bool CheckGetuid() 473 { 474 uid_t uid = syscall(__NR_getuid); 475 if (uid >= 0) { 476 return true; 477 } 478 return false; 479 } 480 CheckSetuid32()481 static bool CheckSetuid32() 482 { 483 int ret = syscall(__NR_setuid32, 1); 484 if (ret == 0) { 485 return true; 486 } 487 488 return false; 489 } 490 CheckSetresuid32ArgsInRange()491 static bool CheckSetresuid32ArgsInRange() 492 { 493 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); 494 if (ret == 0) { 495 return true; 496 } 497 498 return false; 499 } 500 CheckSetresuid32ArgsOutOfRange()501 static bool CheckSetresuid32ArgsOutOfRange() 502 { 503 int ret = syscall(__NR_setresuid32, 800, 800, 800); 504 if (ret == 0) { 505 return true; 506 } 507 508 return false; 509 } 510 CheckSetuid32ForUidFilter1()511 static bool CheckSetuid32ForUidFilter1() 512 { 513 int ret = syscall(__NR_setuid32, 0); 514 if (ret == 0) { 515 return true; 516 } 517 518 return false; 519 } 520 CheckSetuid32ForUidFilter2()521 static bool CheckSetuid32ForUidFilter2() 522 { 523 int ret = syscall(__NR_setuid32, 2); 524 if (ret == 0) { 525 return true; 526 } 527 528 return false; 529 } 530 CheckSetuid16ForUidFilter1()531 static bool CheckSetuid16ForUidFilter1() 532 { 533 int ret = syscall(__NR_setuid, 0); 534 if (ret == 0) { 535 return true; 536 } 537 538 return false; 539 } 540 CheckSetuid16ForUidFilter2()541 static bool CheckSetuid16ForUidFilter2() 542 { 543 int ret = syscall(__NR_setuid, 2); 544 if (ret == 0) { 545 return true; 546 } 547 548 return false; 549 } 550 CheckSetreuid32ForUidFilter1()551 static bool CheckSetreuid32ForUidFilter1() 552 { 553 int ret = syscall(__NR_setreuid32, 0, 2); 554 if (ret == 0) { 555 return true; 556 } 557 558 return false; 559 } 560 CheckSetreuid32ForUidFilter2()561 static bool CheckSetreuid32ForUidFilter2() 562 { 563 int ret = syscall(__NR_setreuid32, 2, 0); 564 if (ret == 0) { 565 return true; 566 } 567 568 return false; 569 } 570 CheckSetreuid32ForUidFilter3()571 static bool CheckSetreuid32ForUidFilter3() 572 { 573 int ret = syscall(__NR_setreuid32, 0, 0); 574 if (ret == 0) { 575 return true; 576 } 577 578 return false; 579 } 580 CheckSetreuid32ForUidFilter4()581 static bool CheckSetreuid32ForUidFilter4() 582 { 583 int ret = syscall(__NR_setreuid32, 2, 2); 584 if (ret == 0) { 585 return true; 586 } 587 588 return false; 589 } 590 CheckSetreuid16ForUidFilter1()591 static bool CheckSetreuid16ForUidFilter1() 592 { 593 int ret = syscall(__NR_setreuid, 0, 2); 594 if (ret == 0) { 595 return true; 596 } 597 598 return false; 599 } 600 CheckSetreuid16ForUidFilter2()601 static bool CheckSetreuid16ForUidFilter2() 602 { 603 int ret = syscall(__NR_setreuid, 2, 0); 604 if (ret == 0) { 605 return true; 606 } 607 608 return false; 609 } 610 CheckSetreuid16ForUidFilter3()611 static bool CheckSetreuid16ForUidFilter3() 612 { 613 int ret = syscall(__NR_setreuid, 0, 0); 614 if (ret == 0) { 615 return true; 616 } 617 618 return false; 619 } 620 CheckSetreuid16ForUidFilter4()621 static bool CheckSetreuid16ForUidFilter4() 622 { 623 int ret = syscall(__NR_setreuid, 2, 2); 624 if (ret == 0) { 625 return true; 626 } 627 628 return false; 629 } 630 CheckSetfsuid32ForUidFilter1()631 static bool CheckSetfsuid32ForUidFilter1() 632 { 633 int ret = syscall(__NR_setfsuid32, 0); 634 if (ret == 0) { 635 return true; 636 } 637 638 return false; 639 } 640 CheckSetfsuid32ForUidFilter2()641 static bool CheckSetfsuid32ForUidFilter2() 642 { 643 int ret = syscall(__NR_setfsuid32, 2); 644 if (ret == 0) { 645 return true; 646 } 647 648 return false; 649 } 650 CheckSetfsuid16ForUidFilter1()651 static bool CheckSetfsuid16ForUidFilter1() 652 { 653 int ret = syscall(__NR_setfsuid, 0); 654 if (ret == 0) { 655 return true; 656 } 657 658 return false; 659 } 660 CheckSetfsuid16ForUidFilter2()661 static bool CheckSetfsuid16ForUidFilter2() 662 { 663 int ret = syscall(__NR_setfsuid, 2); 664 if (ret == 0) { 665 return true; 666 } 667 668 return false; 669 } 670 CheckSetresuid32ForUidFilter1()671 static bool CheckSetresuid32ForUidFilter1() 672 { 673 int ret = syscall(__NR_setresuid32, 0, 0, 0); 674 if (ret == 0) { 675 return true; 676 } 677 678 return false; 679 } 680 CheckSetresuid32ForUidFilter2()681 static bool CheckSetresuid32ForUidFilter2() 682 { 683 int ret = syscall(__NR_setresuid32, 2, 0, 0); 684 if (ret == 0) { 685 return true; 686 } 687 688 return false; 689 } 690 CheckSetresuid32ForUidFilter3()691 static bool CheckSetresuid32ForUidFilter3() 692 { 693 int ret = syscall(__NR_setresuid32, 0, 2, 0); 694 if (ret == 0) { 695 return true; 696 } 697 698 return false; 699 } 700 CheckSetresuid32ForUidFilter4()701 static bool CheckSetresuid32ForUidFilter4() 702 { 703 int ret = syscall(__NR_setresuid32, 0, 0, 2); 704 if (ret == 0) { 705 return true; 706 } 707 708 return false; 709 } 710 CheckSetresuid32ForUidFilter5()711 static bool CheckSetresuid32ForUidFilter5() 712 { 713 int ret = syscall(__NR_setresuid32, 0, 2, 2); 714 if (ret == 0) { 715 return true; 716 } 717 718 return false; 719 } 720 CheckSetresuid32ForUidFilter6()721 static bool CheckSetresuid32ForUidFilter6() 722 { 723 int ret = syscall(__NR_setresuid32, 2, 0, 2); 724 if (ret == 0) { 725 return true; 726 } 727 728 return false; 729 } 730 CheckSetresuid32ForUidFilter7()731 static bool CheckSetresuid32ForUidFilter7() 732 { 733 int ret = syscall(__NR_setresuid32, 2, 2, 0); 734 if (ret == 0) { 735 return true; 736 } 737 738 return false; 739 } 740 CheckSetresuid32ForUidFilter8()741 static bool CheckSetresuid32ForUidFilter8() 742 { 743 int ret = syscall(__NR_setresuid32, 2, 2, 2); 744 if (ret == 0) { 745 return true; 746 } 747 748 return false; 749 } 750 CheckSetresuid16ForUidFilter1()751 static bool CheckSetresuid16ForUidFilter1() 752 { 753 int ret = syscall(__NR_setresuid, 0, 0, 0); 754 if (ret == 0) { 755 return true; 756 } 757 758 return false; 759 } 760 CheckSetresuid16ForUidFilter2()761 static bool CheckSetresuid16ForUidFilter2() 762 { 763 int ret = syscall(__NR_setresuid, 2, 0, 0); 764 if (ret == 0) { 765 return true; 766 } 767 768 return false; 769 } 770 CheckSetresuid16ForUidFilter3()771 static bool CheckSetresuid16ForUidFilter3() 772 { 773 int ret = syscall(__NR_setresuid, 0, 2, 0); 774 if (ret == 0) { 775 return true; 776 } 777 778 return false; 779 } 780 CheckSetresuid16ForUidFilter4()781 static bool CheckSetresuid16ForUidFilter4() 782 { 783 int ret = syscall(__NR_setresuid, 0, 0, 2); 784 if (ret == 0) { 785 return true; 786 } 787 788 return false; 789 } 790 CheckSetresuid16ForUidFilter5()791 static bool CheckSetresuid16ForUidFilter5() 792 { 793 int ret = syscall(__NR_setresuid, 0, 2, 2); 794 if (ret == 0) { 795 return true; 796 } 797 798 return false; 799 } 800 CheckSetresuid16ForUidFilter6()801 static bool CheckSetresuid16ForUidFilter6() 802 { 803 int ret = syscall(__NR_setresuid, 2, 0, 2); 804 if (ret == 0) { 805 return true; 806 } 807 808 return false; 809 } 810 CheckSetresuid16ForUidFilter7()811 static bool CheckSetresuid16ForUidFilter7() 812 { 813 int ret = syscall(__NR_setresuid, 2, 2, 0); 814 if (ret == 0) { 815 return true; 816 } 817 818 return false; 819 } 820 CheckSetresuid16ForUidFilter8()821 static bool CheckSetresuid16ForUidFilter8() 822 { 823 int ret = syscall(__NR_setresuid, 2, 2, 2); 824 if (ret == 0) { 825 return true; 826 } 827 828 return false; 829 } 830 TestSystemSycall()831 void TestSystemSycall() 832 { 833 // system blocklist 834 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false); 835 EXPECT_EQ(ret, 0); 836 837 // system allowlist 838 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true); 839 EXPECT_EQ(ret, 0); 840 } 841 TestSystemSyscallForUidFilter32Bit()842 void TestSystemSyscallForUidFilter32Bit() 843 { 844 // system_uid_filter_32bit_test 845 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false); 846 EXPECT_EQ(ret, 0); 847 848 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true); 849 EXPECT_EQ(ret, 0); 850 851 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false); 852 EXPECT_EQ(ret, 0); 853 854 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false); 855 EXPECT_EQ(ret, 0); 856 857 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false); 858 EXPECT_EQ(ret, 0); 859 860 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true); 861 EXPECT_EQ(ret, 0); 862 863 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false); 864 EXPECT_EQ(ret, 0); 865 866 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true); 867 EXPECT_EQ(ret, 0); 868 869 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false); 870 EXPECT_EQ(ret, 0); 871 872 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false); 873 EXPECT_EQ(ret, 0); 874 875 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false); 876 EXPECT_EQ(ret, 0); 877 878 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false); 879 EXPECT_EQ(ret, 0); 880 881 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false); 882 EXPECT_EQ(ret, 0); 883 884 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false); 885 EXPECT_EQ(ret, 0); 886 887 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false); 888 EXPECT_EQ(ret, 0); 889 890 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true); 891 EXPECT_EQ(ret, 0); 892 } 893 TestSystemSyscallForUidFilter16Bit()894 void TestSystemSyscallForUidFilter16Bit() 895 { 896 // system_uid_filter_16bit_test 897 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false); 898 EXPECT_EQ(ret, 0); 899 900 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true); 901 EXPECT_EQ(ret, 0); 902 903 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false); 904 EXPECT_EQ(ret, 0); 905 906 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false); 907 EXPECT_EQ(ret, 0); 908 909 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false); 910 EXPECT_EQ(ret, 0); 911 912 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true); 913 EXPECT_EQ(ret, 0); 914 915 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false); 916 EXPECT_EQ(ret, 0); 917 918 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true); 919 EXPECT_EQ(ret, 0); 920 921 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false); 922 EXPECT_EQ(ret, 0); 923 924 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false); 925 EXPECT_EQ(ret, 0); 926 927 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false); 928 EXPECT_EQ(ret, 0); 929 930 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false); 931 EXPECT_EQ(ret, 0); 932 933 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false); 934 EXPECT_EQ(ret, 0); 935 936 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false); 937 EXPECT_EQ(ret, 0); 938 939 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false); 940 EXPECT_EQ(ret, 0); 941 942 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true); 943 EXPECT_EQ(ret, 0); 944 } 945 TestSystemSyscallForUidFilter()946 void TestSystemSyscallForUidFilter() 947 { 948 TestSystemSyscallForUidFilter32Bit(); 949 TestSystemSyscallForUidFilter16Bit(); 950 } 951 TestSetUidGidFilter()952 void TestSetUidGidFilter() 953 { 954 // system blocklist 955 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); 956 EXPECT_EQ(ret, 0); 957 958 // system allowlist 959 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); 960 EXPECT_EQ(ret, 0); 961 } 962 TestAppSycall()963 void TestAppSycall() 964 { 965 // app blocklist 966 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false); 967 EXPECT_EQ(ret, 0); 968 969 // app allowlist 970 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true); 971 EXPECT_EQ(ret, 0); 972 } 973 #endif 974 }; 975 976 /** 977 * @tc.name: TestSystemSycall 978 * @tc.desc: Verify the system seccomp policy. 979 * @tc.type: FUNC 980 * @tc.require: issueI5IUWJ 981 */ 982 HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1) 983 { 984 SeccompUnitTest test; 985 test.TestSystemSycall(); 986 } 987 988 /** 989 * @tc.name: TestSetUidGidFilter 990 * @tc.desc: Verify the uid gid seccomp policy. 991 * @tc.type: FUNC 992 * @tc.require: issueI5IUWJ 993 */ 994 HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1) 995 { 996 SeccompUnitTest test; 997 test.TestSetUidGidFilter(); 998 } 999 1000 /** 1001 * @tc.name: TestAppSycall 1002 * @tc.desc: Verify the app seccomp policy. 1003 * @tc.type: FUNC 1004 * @tc.require: issueI5MUXD 1005 */ 1006 HWTEST_F(SeccompUnitTest, TestAppSycall, TestSize.Level1) 1007 { 1008 SeccompUnitTest test; 1009 test.TestAppSycall(); 1010 } 1011 1012 /** 1013 * @tc.name: TestSystemSyscallForUidFilter 1014 * @tc.desc: Verify the system seccomp policy. 1015 * @tc.type: FUNC 1016 * @tc.require: issueI7QET2 1017 */ 1018 HWTEST_F(SeccompUnitTest, TestSystemSyscallForUidFilter, TestSize.Level1) 1019 { 1020 SeccompUnitTest test; 1021 test.TestSystemSyscallForUidFilter(); 1022 } 1023 } 1024