1 /* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #include <gtest/gtest.h> 17 18 #include <cstdlib> 19 #include <unistd.h> 20 #include <sys/wait.h> 21 #include <csignal> 22 #include <cerrno> 23 #include <cstring> 24 #include <sys/prctl.h> 25 #include <sys/types.h> 26 #include <sys/stat.h> 27 #include <fcntl.h> 28 #include <sys/syscall.h> 29 #include <asm/unistd.h> 30 #include <syscall.h> 31 #include <climits> 32 #include <sched.h> 33 34 #include "seccomp_policy.h" 35 36 using SyscallFunc = bool (*)(void); 37 constexpr int SLEEP_TIME_100MS = 100000; // 100ms 38 constexpr int SLEEP_TIME_1S = 1; 39 40 using namespace testing::ext; 41 using namespace std; 42 43 namespace init_ut { 44 class SeccompUnitTest : public testing::Test { 45 public: SeccompUnitTest()46 SeccompUnitTest() {}; ~SeccompUnitTest()47 virtual ~SeccompUnitTest() {}; SetUpTestCase()48 static void SetUpTestCase() {}; TearDownTestCase()49 static void TearDownTestCase() {}; 50 SetUp()51 void SetUp() 52 { 53 /* 54 * Wait for 1 second to prevent the generated crash file 55 * from being overwritten because the crash interval is too short 56 * and the crash file's name is constructed by time stamp. 57 */ 58 sleep(SLEEP_TIME_1S); 59 }; 60 TearDown()61 void TearDown() {}; TestBody(void)62 void TestBody(void) {}; 63 StartChild(SeccompFilterType type,const char * filterName,SyscallFunc func)64 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func) 65 { 66 pid_t pid = fork(); 67 if (pid == 0) { 68 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { 69 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; 70 exit(EXIT_FAILURE); 71 } 72 73 if (!SetSeccompPolicyWithName(type, filterName)) { 74 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; 75 exit(EXIT_FAILURE); 76 } 77 78 if (!func()) { 79 std::cout << "func excute fail" << std::endl; 80 exit(EXIT_FAILURE); 81 } 82 83 std::cout << "func excute success" << std::endl; 84 85 exit(EXIT_SUCCESS); 86 } 87 return pid; 88 } 89 CheckStatus(int status,bool isAllow)90 static int CheckStatus(int status, bool isAllow) 91 { 92 if (WEXITSTATUS(status) == EXIT_FAILURE) { 93 return -1; 94 } 95 96 if (WIFSIGNALED(status)) { 97 if (WTERMSIG(status) == SIGSYS) { 98 std::cout << "child process exit with SIGSYS" << std::endl; 99 return isAllow ? -1 : 0; 100 } 101 } else { 102 std::cout << "child process finished normally" << std::endl; 103 return isAllow ? 0 : -1; 104 } 105 106 return -1; 107 } 108 CheckSyscall(SeccompFilterType type,const char * filterName,SyscallFunc func,bool isAllow)109 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow) 110 { 111 sigset_t set; 112 int status; 113 pid_t pid; 114 int flag = 0; 115 struct timespec waitTime = {5, 0}; 116 117 sigemptyset(&set); 118 sigaddset(&set, SIGCHLD); 119 sigprocmask(SIG_BLOCK, &set, nullptr); 120 sigaddset(&set, SIGSYS); 121 if (signal(SIGCHLD, SIG_DFL) == nullptr) { 122 std::cout << "signal failed:" << strerror(errno) << std::endl; 123 } 124 if (signal(SIGSYS, SIG_DFL) == nullptr) { 125 std::cout << "signal failed:" << strerror(errno) << std::endl; 126 } 127 128 /* Sleeping for avoiding influencing child proccess wait for other threads 129 * which were created by other unittests to release global rwlock. The global 130 * rwlock will be used by function dlopen in child process */ 131 usleep(SLEEP_TIME_100MS); 132 133 pid = StartChild(type, filterName, func); 134 if (pid == -1) { 135 std::cout << "fork failed:" << strerror(errno) << std::endl; 136 return -1; 137 } 138 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */ 139 if (errno == EAGAIN) { 140 flag = 1; 141 } else { 142 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl; 143 } 144 145 if (kill(pid, SIGKILL) == -1) { 146 std::cout << "kill failed::" << strerror(errno) << std::endl; 147 } 148 } 149 150 if (waitpid(pid, &status, 0) != pid) { 151 std::cout << "waitpid failed:" << strerror(errno) << std::endl; 152 return -1; 153 } 154 155 if (flag != 0) { 156 std::cout << "Child process time out" << std::endl; 157 } 158 159 return CheckStatus(status, isAllow); 160 } 161 CheckUnshare()162 static bool CheckUnshare() 163 { 164 int ret = unshare(CLONE_NEWPID); 165 if (ret) { 166 return false; 167 } 168 return true; 169 } 170 CheckSetns()171 static bool CheckSetns() 172 { 173 int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC); 174 if (fd < 0) { 175 return false; 176 } 177 178 if (setns(fd, CLONE_NEWNS) != 0) { 179 return false; 180 } 181 182 close(fd); 183 return true; 184 } 185 ChildFunc(void * arg)186 static int ChildFunc(void *arg) 187 { 188 exit(0); 189 } 190 CheckCloneNs(int flag)191 static bool CheckCloneNs(int flag) 192 { 193 const int stackSize = 65536; 194 195 char *stack = static_cast<char *>(malloc(stackSize)); 196 if (stack == nullptr) { 197 return false; 198 } 199 char *stackTop = stack + stackSize; 200 pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr); 201 if (pid == -1) { 202 return false; 203 } 204 return true; 205 } 206 CheckClonePidNs(void)207 static bool CheckClonePidNs(void) 208 { 209 return CheckCloneNs(CLONE_NEWPID); 210 } 211 CheckCloneMntNs(void)212 static bool CheckCloneMntNs(void) 213 { 214 return CheckCloneNs(CLONE_NEWNS); 215 } 216 CheckCloneNetNs(void)217 static bool CheckCloneNetNs(void) 218 { 219 return CheckCloneNs(CLONE_NEWNET); 220 } 221 CheckCloneCgroupNs(void)222 static bool CheckCloneCgroupNs(void) 223 { 224 return CheckCloneNs(CLONE_NEWCGROUP); 225 } 226 CheckCloneUtsNs(void)227 static bool CheckCloneUtsNs(void) 228 { 229 return CheckCloneNs(CLONE_NEWUTS); 230 } 231 CheckCloneIpcNs(void)232 static bool CheckCloneIpcNs(void) 233 { 234 return CheckCloneNs(CLONE_NEWIPC); 235 } 236 CheckCloneUserNs(void)237 static bool CheckCloneUserNs(void) 238 { 239 return CheckCloneNs(CLONE_NEWUSER); 240 } 241 242 #if defined __aarch64__ CheckMqOpen()243 static bool CheckMqOpen() 244 { 245 int ret = (int)syscall(__NR_mq_open, nullptr, 0); 246 if (ret < 0) { 247 return false; 248 } 249 250 return true; 251 } 252 CheckGetpid()253 static bool CheckGetpid() 254 { 255 pid_t pid = 1; 256 pid = syscall(__NR_getpid); 257 if (pid > 1) { 258 return true; 259 } 260 return false; 261 } 262 CheckGetuid()263 static bool CheckGetuid() 264 { 265 uid_t uid = 0; 266 uid = syscall(__NR_getuid); 267 if (uid >= 0) { 268 return true; 269 } 270 271 return false; 272 } 273 CheckSetresuidArgsInRange()274 static bool CheckSetresuidArgsInRange() 275 { 276 int ret = syscall(__NR_setresuid, 20000, 20000, 20000); 277 if (ret == 0) { 278 return true; 279 } 280 281 return false; 282 } 283 CheckSetresuidArgsOutOfRange()284 static bool CheckSetresuidArgsOutOfRange() 285 { 286 int ret = syscall(__NR_setresuid, 800, 800, 800); 287 if (ret == 0) { 288 return true; 289 } 290 291 return false; 292 } 293 CheckSetuid()294 static bool CheckSetuid() 295 { 296 int uid = syscall(__NR_setuid, 1); 297 if (uid == 0) { 298 return true; 299 } 300 301 return false; 302 } 303 CheckSetuid64ForUidFilter1()304 static bool CheckSetuid64ForUidFilter1() 305 { 306 int ret = syscall(__NR_setuid, 0); 307 if (ret == 0) { 308 return true; 309 } 310 311 return false; 312 } 313 CheckSetuid64ForUidFilter2()314 static bool CheckSetuid64ForUidFilter2() 315 { 316 int ret = syscall(__NR_setuid, 2); 317 if (ret == 0) { 318 return true; 319 } 320 321 return false; 322 } 323 CheckSetreuid64ForUidFilter1()324 static bool CheckSetreuid64ForUidFilter1() 325 { 326 int ret = syscall(__NR_setreuid, 0, 2); 327 if (ret == 0) { 328 return true; 329 } 330 331 return false; 332 } 333 CheckSetreuid64ForUidFilter2()334 static bool CheckSetreuid64ForUidFilter2() 335 { 336 int ret = syscall(__NR_setreuid, 2, 0); 337 if (ret == 0) { 338 return true; 339 } 340 341 return false; 342 } 343 CheckSetreuid64ForUidFilter3()344 static bool CheckSetreuid64ForUidFilter3() 345 { 346 int ret = syscall(__NR_setreuid, 0, 0); 347 if (ret == 0) { 348 return true; 349 } 350 351 return false; 352 } 353 CheckSetreuid64ForUidFilter4()354 static bool CheckSetreuid64ForUidFilter4() 355 { 356 int ret = syscall(__NR_setreuid, 2, 2); 357 if (ret == 0) { 358 return true; 359 } 360 361 return false; 362 } 363 CheckSetfsuid64ForUidFilter1()364 static bool CheckSetfsuid64ForUidFilter1() 365 { 366 int ret = syscall(__NR_setfsuid, 0); 367 if (ret == 0) { 368 return true; 369 } 370 371 return false; 372 } 373 CheckSetfsuid64ForUidFilter2()374 static bool CheckSetfsuid64ForUidFilter2() 375 { 376 int ret = syscall(__NR_setfsuid, 2); 377 if (ret == 0) { 378 return true; 379 } 380 381 return false; 382 } 383 CheckSetresuid64ForUidFilter1()384 static bool CheckSetresuid64ForUidFilter1() 385 { 386 int ret = syscall(__NR_setresuid, 0, 0, 0); 387 if (ret == 0) { 388 return true; 389 } 390 391 return false; 392 } 393 CheckSetresuid64ForUidFilter2()394 static bool CheckSetresuid64ForUidFilter2() 395 { 396 int ret = syscall(__NR_setresuid, 2, 0, 0); 397 if (ret == 0) { 398 return true; 399 } 400 401 return false; 402 } 403 CheckSetresuid64ForUidFilter3()404 static bool CheckSetresuid64ForUidFilter3() 405 { 406 int ret = syscall(__NR_setresuid, 0, 2, 0); 407 if (ret == 0) { 408 return true; 409 } 410 411 return false; 412 } 413 CheckSetresuid64ForUidFilter4()414 static bool CheckSetresuid64ForUidFilter4() 415 { 416 int ret = syscall(__NR_setresuid, 0, 0, 2); 417 if (ret == 0) { 418 return true; 419 } 420 421 return false; 422 } 423 CheckSetresuid64ForUidFilter5()424 static bool CheckSetresuid64ForUidFilter5() 425 { 426 int ret = syscall(__NR_setresuid, 0, 2, 2); 427 if (ret == 0) { 428 return true; 429 } 430 431 return false; 432 } 433 CheckSetresuid64ForUidFilter6()434 static bool CheckSetresuid64ForUidFilter6() 435 { 436 int ret = syscall(__NR_setresuid, 2, 0, 2); 437 if (ret == 0) { 438 return true; 439 } 440 441 return false; 442 } 443 CheckSetresuid64ForUidFilter7()444 static bool CheckSetresuid64ForUidFilter7() 445 { 446 int ret = syscall(__NR_setresuid, 2, 2, 0); 447 if (ret == 0) { 448 return true; 449 } 450 451 return false; 452 } 453 CheckSetresuid64ForUidFilter8()454 static bool CheckSetresuid64ForUidFilter8() 455 { 456 int ret = syscall(__NR_setresuid, 2, 2, 2); 457 if (ret == 0) { 458 return true; 459 } 460 461 return false; 462 } 463 TestSystemSycall()464 void TestSystemSycall() 465 { 466 // system blocklist 467 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckMqOpen, false); 468 EXPECT_EQ(ret, 0); 469 470 // system allowlist 471 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true); 472 EXPECT_EQ(ret, 0); 473 } 474 TestSystemSyscallForUidFilter()475 void TestSystemSyscallForUidFilter() 476 { 477 // system_uid_filter_64bit_test 478 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false); 479 EXPECT_EQ(ret, 0); 480 481 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true); 482 EXPECT_EQ(ret, 0); 483 484 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false); 485 EXPECT_EQ(ret, 0); 486 487 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false); 488 EXPECT_EQ(ret, 0); 489 490 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false); 491 EXPECT_EQ(ret, 0); 492 493 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true); 494 EXPECT_EQ(ret, 0); 495 496 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false); 497 EXPECT_EQ(ret, 0); 498 499 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true); 500 EXPECT_EQ(ret, 0); 501 502 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false); 503 EXPECT_EQ(ret, 0); 504 505 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false); 506 EXPECT_EQ(ret, 0); 507 508 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false); 509 EXPECT_EQ(ret, 0); 510 511 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false); 512 EXPECT_EQ(ret, 0); 513 514 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false); 515 EXPECT_EQ(ret, 0); 516 517 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false); 518 EXPECT_EQ(ret, 0); 519 520 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false); 521 EXPECT_EQ(ret, 0); 522 523 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true); 524 EXPECT_EQ(ret, 0); 525 } 526 TestSetUidGidFilter()527 void TestSetUidGidFilter() 528 { 529 // system blocklist 530 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); 531 EXPECT_EQ(ret, 0); 532 533 // system allowlist 534 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true); 535 EXPECT_EQ(ret, 0); 536 } 537 TestAppSycall()538 void TestAppSycall() 539 { 540 // app blocklist 541 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false); 542 EXPECT_EQ(ret, 0); 543 544 // app allowlist 545 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true); 546 EXPECT_EQ(ret, 0); 547 } 548 #elif defined __arm__ CheckGetuid32()549 static bool CheckGetuid32() 550 { 551 uid_t uid = syscall(__NR_getuid32); 552 if (uid >= 0) { 553 return true; 554 } 555 return false; 556 } 557 CheckGetuid()558 static bool CheckGetuid() 559 { 560 uid_t uid = syscall(__NR_getuid); 561 if (uid >= 0) { 562 return true; 563 } 564 return false; 565 } 566 CheckSetuid32()567 static bool CheckSetuid32() 568 { 569 int ret = syscall(__NR_setuid32, 1); 570 if (ret == 0) { 571 return true; 572 } 573 574 return false; 575 } 576 CheckSetresuid32ArgsInRange()577 static bool CheckSetresuid32ArgsInRange() 578 { 579 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); 580 if (ret == 0) { 581 return true; 582 } 583 584 return false; 585 } 586 CheckSetresuid32ArgsOutOfRange()587 static bool CheckSetresuid32ArgsOutOfRange() 588 { 589 int ret = syscall(__NR_setresuid32, 800, 800, 800); 590 if (ret == 0) { 591 return true; 592 } 593 594 return false; 595 } 596 CheckSetuid32ForUidFilter1()597 static bool CheckSetuid32ForUidFilter1() 598 { 599 int ret = syscall(__NR_setuid32, 0); 600 if (ret == 0) { 601 return true; 602 } 603 604 return false; 605 } 606 CheckSetuid32ForUidFilter2()607 static bool CheckSetuid32ForUidFilter2() 608 { 609 int ret = syscall(__NR_setuid32, 2); 610 if (ret == 0) { 611 return true; 612 } 613 614 return false; 615 } 616 CheckSetuid16ForUidFilter1()617 static bool CheckSetuid16ForUidFilter1() 618 { 619 int ret = syscall(__NR_setuid, 0); 620 if (ret == 0) { 621 return true; 622 } 623 624 return false; 625 } 626 CheckSetuid16ForUidFilter2()627 static bool CheckSetuid16ForUidFilter2() 628 { 629 int ret = syscall(__NR_setuid, 2); 630 if (ret == 0) { 631 return true; 632 } 633 634 return false; 635 } 636 CheckSetreuid32ForUidFilter1()637 static bool CheckSetreuid32ForUidFilter1() 638 { 639 int ret = syscall(__NR_setreuid32, 0, 2); 640 if (ret == 0) { 641 return true; 642 } 643 644 return false; 645 } 646 CheckSetreuid32ForUidFilter2()647 static bool CheckSetreuid32ForUidFilter2() 648 { 649 int ret = syscall(__NR_setreuid32, 2, 0); 650 if (ret == 0) { 651 return true; 652 } 653 654 return false; 655 } 656 CheckSetreuid32ForUidFilter3()657 static bool CheckSetreuid32ForUidFilter3() 658 { 659 int ret = syscall(__NR_setreuid32, 0, 0); 660 if (ret == 0) { 661 return true; 662 } 663 664 return false; 665 } 666 CheckSetreuid32ForUidFilter4()667 static bool CheckSetreuid32ForUidFilter4() 668 { 669 int ret = syscall(__NR_setreuid32, 2, 2); 670 if (ret == 0) { 671 return true; 672 } 673 674 return false; 675 } 676 CheckSetreuid16ForUidFilter1()677 static bool CheckSetreuid16ForUidFilter1() 678 { 679 int ret = syscall(__NR_setreuid, 0, 2); 680 if (ret == 0) { 681 return true; 682 } 683 684 return false; 685 } 686 CheckSetreuid16ForUidFilter2()687 static bool CheckSetreuid16ForUidFilter2() 688 { 689 int ret = syscall(__NR_setreuid, 2, 0); 690 if (ret == 0) { 691 return true; 692 } 693 694 return false; 695 } 696 CheckSetreuid16ForUidFilter3()697 static bool CheckSetreuid16ForUidFilter3() 698 { 699 int ret = syscall(__NR_setreuid, 0, 0); 700 if (ret == 0) { 701 return true; 702 } 703 704 return false; 705 } 706 CheckSetreuid16ForUidFilter4()707 static bool CheckSetreuid16ForUidFilter4() 708 { 709 int ret = syscall(__NR_setreuid, 2, 2); 710 if (ret == 0) { 711 return true; 712 } 713 714 return false; 715 } 716 CheckSetfsuid32ForUidFilter1()717 static bool CheckSetfsuid32ForUidFilter1() 718 { 719 int ret = syscall(__NR_setfsuid32, 0); 720 if (ret == 0) { 721 return true; 722 } 723 724 return false; 725 } 726 CheckSetfsuid32ForUidFilter2()727 static bool CheckSetfsuid32ForUidFilter2() 728 { 729 int ret = syscall(__NR_setfsuid32, 2); 730 if (ret == 0) { 731 return true; 732 } 733 734 return false; 735 } 736 CheckSetfsuid16ForUidFilter1()737 static bool CheckSetfsuid16ForUidFilter1() 738 { 739 int ret = syscall(__NR_setfsuid, 0); 740 if (ret == 0) { 741 return true; 742 } 743 744 return false; 745 } 746 CheckSetfsuid16ForUidFilter2()747 static bool CheckSetfsuid16ForUidFilter2() 748 { 749 int ret = syscall(__NR_setfsuid, 2); 750 if (ret == 0) { 751 return true; 752 } 753 754 return false; 755 } 756 CheckSetresuid32ForUidFilter1()757 static bool CheckSetresuid32ForUidFilter1() 758 { 759 int ret = syscall(__NR_setresuid32, 0, 0, 0); 760 if (ret == 0) { 761 return true; 762 } 763 764 return false; 765 } 766 CheckSetresuid32ForUidFilter2()767 static bool CheckSetresuid32ForUidFilter2() 768 { 769 int ret = syscall(__NR_setresuid32, 2, 0, 0); 770 if (ret == 0) { 771 return true; 772 } 773 774 return false; 775 } 776 CheckSetresuid32ForUidFilter3()777 static bool CheckSetresuid32ForUidFilter3() 778 { 779 int ret = syscall(__NR_setresuid32, 0, 2, 0); 780 if (ret == 0) { 781 return true; 782 } 783 784 return false; 785 } 786 CheckSetresuid32ForUidFilter4()787 static bool CheckSetresuid32ForUidFilter4() 788 { 789 int ret = syscall(__NR_setresuid32, 0, 0, 2); 790 if (ret == 0) { 791 return true; 792 } 793 794 return false; 795 } 796 CheckSetresuid32ForUidFilter5()797 static bool CheckSetresuid32ForUidFilter5() 798 { 799 int ret = syscall(__NR_setresuid32, 0, 2, 2); 800 if (ret == 0) { 801 return true; 802 } 803 804 return false; 805 } 806 CheckSetresuid32ForUidFilter6()807 static bool CheckSetresuid32ForUidFilter6() 808 { 809 int ret = syscall(__NR_setresuid32, 2, 0, 2); 810 if (ret == 0) { 811 return true; 812 } 813 814 return false; 815 } 816 CheckSetresuid32ForUidFilter7()817 static bool CheckSetresuid32ForUidFilter7() 818 { 819 int ret = syscall(__NR_setresuid32, 2, 2, 0); 820 if (ret == 0) { 821 return true; 822 } 823 824 return false; 825 } 826 CheckSetresuid32ForUidFilter8()827 static bool CheckSetresuid32ForUidFilter8() 828 { 829 int ret = syscall(__NR_setresuid32, 2, 2, 2); 830 if (ret == 0) { 831 return true; 832 } 833 834 return false; 835 } 836 CheckSetresuid16ForUidFilter1()837 static bool CheckSetresuid16ForUidFilter1() 838 { 839 int ret = syscall(__NR_setresuid, 0, 0, 0); 840 if (ret == 0) { 841 return true; 842 } 843 844 return false; 845 } 846 CheckSetresuid16ForUidFilter2()847 static bool CheckSetresuid16ForUidFilter2() 848 { 849 int ret = syscall(__NR_setresuid, 2, 0, 0); 850 if (ret == 0) { 851 return true; 852 } 853 854 return false; 855 } 856 CheckSetresuid16ForUidFilter3()857 static bool CheckSetresuid16ForUidFilter3() 858 { 859 int ret = syscall(__NR_setresuid, 0, 2, 0); 860 if (ret == 0) { 861 return true; 862 } 863 864 return false; 865 } 866 CheckSetresuid16ForUidFilter4()867 static bool CheckSetresuid16ForUidFilter4() 868 { 869 int ret = syscall(__NR_setresuid, 0, 0, 2); 870 if (ret == 0) { 871 return true; 872 } 873 874 return false; 875 } 876 CheckSetresuid16ForUidFilter5()877 static bool CheckSetresuid16ForUidFilter5() 878 { 879 int ret = syscall(__NR_setresuid, 0, 2, 2); 880 if (ret == 0) { 881 return true; 882 } 883 884 return false; 885 } 886 CheckSetresuid16ForUidFilter6()887 static bool CheckSetresuid16ForUidFilter6() 888 { 889 int ret = syscall(__NR_setresuid, 2, 0, 2); 890 if (ret == 0) { 891 return true; 892 } 893 894 return false; 895 } 896 CheckSetresuid16ForUidFilter7()897 static bool CheckSetresuid16ForUidFilter7() 898 { 899 int ret = syscall(__NR_setresuid, 2, 2, 0); 900 if (ret == 0) { 901 return true; 902 } 903 904 return false; 905 } 906 CheckSetresuid16ForUidFilter8()907 static bool CheckSetresuid16ForUidFilter8() 908 { 909 int ret = syscall(__NR_setresuid, 2, 2, 2); 910 if (ret == 0) { 911 return true; 912 } 913 914 return false; 915 } 916 TestSystemSycall()917 void TestSystemSycall() 918 { 919 // system blocklist 920 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false); 921 EXPECT_EQ(ret, 0); 922 923 // system allowlist 924 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true); 925 EXPECT_EQ(ret, 0); 926 } 927 TestSystemSyscallForUidFilter32Bit()928 void TestSystemSyscallForUidFilter32Bit() 929 { 930 // system_uid_filter_32bit_test 931 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false); 932 EXPECT_EQ(ret, 0); 933 934 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true); 935 EXPECT_EQ(ret, 0); 936 937 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false); 938 EXPECT_EQ(ret, 0); 939 940 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false); 941 EXPECT_EQ(ret, 0); 942 943 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false); 944 EXPECT_EQ(ret, 0); 945 946 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true); 947 EXPECT_EQ(ret, 0); 948 949 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false); 950 EXPECT_EQ(ret, 0); 951 952 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true); 953 EXPECT_EQ(ret, 0); 954 955 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false); 956 EXPECT_EQ(ret, 0); 957 958 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false); 959 EXPECT_EQ(ret, 0); 960 961 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false); 962 EXPECT_EQ(ret, 0); 963 964 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false); 965 EXPECT_EQ(ret, 0); 966 967 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false); 968 EXPECT_EQ(ret, 0); 969 970 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false); 971 EXPECT_EQ(ret, 0); 972 973 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false); 974 EXPECT_EQ(ret, 0); 975 976 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true); 977 EXPECT_EQ(ret, 0); 978 } 979 TestSystemSyscallForUidFilter16Bit()980 void TestSystemSyscallForUidFilter16Bit() 981 { 982 // system_uid_filter_16bit_test 983 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false); 984 EXPECT_EQ(ret, 0); 985 986 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true); 987 EXPECT_EQ(ret, 0); 988 989 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false); 990 EXPECT_EQ(ret, 0); 991 992 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false); 993 EXPECT_EQ(ret, 0); 994 995 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false); 996 EXPECT_EQ(ret, 0); 997 998 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true); 999 EXPECT_EQ(ret, 0); 1000 1001 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false); 1002 EXPECT_EQ(ret, 0); 1003 1004 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true); 1005 EXPECT_EQ(ret, 0); 1006 1007 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false); 1008 EXPECT_EQ(ret, 0); 1009 1010 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false); 1011 EXPECT_EQ(ret, 0); 1012 1013 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false); 1014 EXPECT_EQ(ret, 0); 1015 1016 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false); 1017 EXPECT_EQ(ret, 0); 1018 1019 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false); 1020 EXPECT_EQ(ret, 0); 1021 1022 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false); 1023 EXPECT_EQ(ret, 0); 1024 1025 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false); 1026 EXPECT_EQ(ret, 0); 1027 1028 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true); 1029 EXPECT_EQ(ret, 0); 1030 } 1031 TestSystemSyscallForUidFilter()1032 void TestSystemSyscallForUidFilter() 1033 { 1034 TestSystemSyscallForUidFilter32Bit(); 1035 TestSystemSyscallForUidFilter16Bit(); 1036 } 1037 TestSetUidGidFilter()1038 void TestSetUidGidFilter() 1039 { 1040 // system blocklist 1041 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); 1042 EXPECT_EQ(ret, 0); 1043 1044 // system allowlist 1045 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); 1046 EXPECT_EQ(ret, 0); 1047 } 1048 TestAppSycall()1049 void TestAppSycall() 1050 { 1051 // app blocklist 1052 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false); 1053 EXPECT_EQ(ret, 0); 1054 1055 // app allowlist 1056 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true); 1057 EXPECT_EQ(ret, 0); 1058 } 1059 #endif TestAppSycallNs()1060 void TestAppSycallNs() 1061 { 1062 int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false); 1063 EXPECT_EQ(ret, 0); 1064 1065 ret = CheckSyscall(APP, APP_NAME, CheckSetns, false); 1066 EXPECT_EQ(ret, 0); 1067 1068 ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false); 1069 EXPECT_EQ(ret, 0); 1070 1071 ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false); 1072 EXPECT_EQ(ret, 0); 1073 1074 ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false); 1075 EXPECT_EQ(ret, 0); 1076 1077 ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false); 1078 EXPECT_EQ(ret, 0); 1079 1080 ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false); 1081 EXPECT_EQ(ret, 0); 1082 1083 ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false); 1084 EXPECT_EQ(ret, 0); 1085 1086 ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false); 1087 EXPECT_EQ(ret, 0); 1088 } 1089 }; 1090 1091 /** 1092 * @tc.name: TestSystemSycall 1093 * @tc.desc: Verify the system seccomp policy. 1094 * @tc.type: FUNC 1095 * @tc.require: issueI5IUWJ 1096 */ 1097 HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1) 1098 { 1099 SeccompUnitTest test; 1100 test.TestSystemSycall(); 1101 } 1102 1103 /** 1104 * @tc.name: TestSetUidGidFilter 1105 * @tc.desc: Verify the uid gid seccomp policy. 1106 * @tc.type: FUNC 1107 * @tc.require: issueI5IUWJ 1108 */ 1109 HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1) 1110 { 1111 SeccompUnitTest test; 1112 test.TestSetUidGidFilter(); 1113 } 1114 1115 /** 1116 * @tc.name: TestAppSycall 1117 * @tc.desc: Verify the app seccomp policy. 1118 * @tc.type: FUNC 1119 * @tc.require: issueI5MUXD 1120 */ 1121 HWTEST_F(SeccompUnitTest, TestAppSycall, TestSize.Level1) 1122 { 1123 SeccompUnitTest test; 1124 test.TestAppSycall(); 1125 } 1126 1127 /** 1128 * @tc.name: TestSystemSyscallForUidFilter 1129 * @tc.desc: Verify the system seccomp policy. 1130 * @tc.type: FUNC 1131 * @tc.require: issueI7QET2 1132 */ 1133 HWTEST_F(SeccompUnitTest, TestSystemSyscallForUidFilter, TestSize.Level1) 1134 { 1135 SeccompUnitTest test; 1136 test.TestSystemSyscallForUidFilter(); 1137 } 1138 1139 /** 1140 * @tc.name: TestAppSycallNs 1141 * @tc.desc: Verify the app seccomp policy about namespace. 1142 * @tc.type: FUNC 1143 * @tc.require: issueI8LZTC 1144 */ 1145 HWTEST_F(SeccompUnitTest, TestAppSycallNs, TestSize.Level1) 1146 { 1147 SeccompUnitTest test; 1148 test.TestAppSycallNs(); 1149 } 1150 } 1151