1 /* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #include <gtest/gtest.h> 17 18 #include <cstdlib> 19 #include <unistd.h> 20 #include <sys/wait.h> 21 #include <csignal> 22 #include <cerrno> 23 #include <cstring> 24 #include <sys/prctl.h> 25 #include <sys/types.h> 26 #include <sys/stat.h> 27 #include <fcntl.h> 28 #include <sys/syscall.h> 29 #include <asm/unistd.h> 30 #include <syscall.h> 31 #include <climits> 32 #include <sched.h> 33 34 #include "seccomp_policy.h" 35 36 using SyscallFunc = bool (*)(void); 37 constexpr int SLEEP_TIME_100MS = 100000; // 100ms 38 constexpr int SLEEP_TIME_1S = 1; 39 40 using namespace testing::ext; 41 using namespace std; 42 43 namespace init_ut { 44 class SeccompUnitTest : public testing::Test { 45 public: SeccompUnitTest()46 SeccompUnitTest() {}; ~SeccompUnitTest()47 virtual ~SeccompUnitTest() {}; SetUpTestCase()48 static void SetUpTestCase() {}; TearDownTestCase()49 static void TearDownTestCase() {}; 50 SetUp()51 void SetUp() 52 { 53 /* 54 * Wait for 1 second to prevent the generated crash file 55 * from being overwritten because the crash interval is too short 56 * and the crash file's name is constructed by time stamp. 57 */ 58 sleep(SLEEP_TIME_1S); 59 }; 60 TearDown()61 void TearDown() {}; TestBody(void)62 void TestBody(void) {}; 63 StartChild(SeccompFilterType type,const char * filterName,SyscallFunc func)64 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func) 65 { 66 pid_t pid = fork(); 67 if (pid == 0) { 68 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { 69 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; 70 exit(EXIT_FAILURE); 71 } 72 73 if (!SetSeccompPolicyWithName(type, filterName)) { 74 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; 75 exit(EXIT_FAILURE); 76 } 77 78 if (!func()) { 79 std::cout << "func excute fail" << std::endl; 80 exit(EXIT_FAILURE); 81 } 82 83 std::cout << "func excute success" << std::endl; 84 85 exit(EXIT_SUCCESS); 86 } 87 return pid; 88 } 89 CheckStatus(int status,bool isAllow)90 static int CheckStatus(int status, bool isAllow) 91 { 92 if (WEXITSTATUS(status) == EXIT_FAILURE) { 93 return -1; 94 } 95 96 if (WIFSIGNALED(status)) { 97 if (WTERMSIG(status) == SIGSYS) { 98 std::cout << "child process exit with SIGSYS" << std::endl; 99 return isAllow ? -1 : 0; 100 } 101 } else { 102 std::cout << "child process finished normally" << std::endl; 103 return isAllow ? 0 : -1; 104 } 105 106 return -1; 107 } 108 CheckSyscall(SeccompFilterType type,const char * filterName,SyscallFunc func,bool isAllow)109 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow) 110 { 111 sigset_t set; 112 int status; 113 pid_t pid; 114 int flag = 0; 115 struct timespec waitTime = {5, 0}; 116 117 sigemptyset(&set); 118 sigaddset(&set, SIGCHLD); 119 sigprocmask(SIG_BLOCK, &set, nullptr); 120 sigaddset(&set, SIGSYS); 121 if (signal(SIGCHLD, SIG_DFL) == nullptr) { 122 std::cout << "signal failed:" << strerror(errno) << std::endl; 123 } 124 if (signal(SIGSYS, SIG_DFL) == nullptr) { 125 std::cout << "signal failed:" << strerror(errno) << std::endl; 126 } 127 128 /* Sleeping for avoiding influencing child proccess wait for other threads 129 * which were created by other unittests to release global rwlock. The global 130 * rwlock will be used by function dlopen in child process */ 131 usleep(SLEEP_TIME_100MS); 132 133 pid = StartChild(type, filterName, func); 134 if (pid == -1) { 135 std::cout << "fork failed:" << strerror(errno) << std::endl; 136 return -1; 137 } 138 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */ 139 if (errno == EAGAIN) { 140 flag = 1; 141 } else { 142 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl; 143 } 144 145 if (kill(pid, SIGKILL) == -1) { 146 std::cout << "kill failed::" << strerror(errno) << std::endl; 147 } 148 } 149 150 if (waitpid(pid, &status, 0) != pid) { 151 std::cout << "waitpid failed:" << strerror(errno) << std::endl; 152 return -1; 153 } 154 155 if (flag != 0) { 156 std::cout << "Child process time out" << std::endl; 157 } 158 159 return CheckStatus(status, isAllow); 160 } 161 CheckUnshare()162 static bool CheckUnshare() 163 { 164 int ret = unshare(CLONE_NEWPID); 165 if (ret) { 166 return false; 167 } 168 return true; 169 } 170 CheckSetns()171 static bool CheckSetns() 172 { 173 int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC); 174 if (fd < 0) { 175 return false; 176 } 177 178 if (setns(fd, CLONE_NEWNS) != 0) { 179 close(fd); 180 return false; 181 } 182 183 close(fd); 184 return true; 185 } 186 ChildFunc(void * arg)187 static int ChildFunc(void *arg) 188 { 189 exit(0); 190 } 191 CheckCloneNs(int flag)192 static bool CheckCloneNs(int flag) 193 { 194 const int stackSize = 65536; 195 196 char *stack = static_cast<char *>(malloc(stackSize)); 197 if (stack == nullptr) { 198 return false; 199 } 200 char *stackTop = stack + stackSize; 201 pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr); 202 if (pid == -1) { 203 free(stack); 204 return false; 205 } 206 return true; 207 } 208 CheckClonePidNs(void)209 static bool CheckClonePidNs(void) 210 { 211 return CheckCloneNs(CLONE_NEWPID); 212 } 213 CheckCloneMntNs(void)214 static bool CheckCloneMntNs(void) 215 { 216 return CheckCloneNs(CLONE_NEWNS); 217 } 218 CheckCloneNetNs(void)219 static bool CheckCloneNetNs(void) 220 { 221 return CheckCloneNs(CLONE_NEWNET); 222 } 223 CheckCloneCgroupNs(void)224 static bool CheckCloneCgroupNs(void) 225 { 226 return CheckCloneNs(CLONE_NEWCGROUP); 227 } 228 CheckCloneUtsNs(void)229 static bool CheckCloneUtsNs(void) 230 { 231 return CheckCloneNs(CLONE_NEWUTS); 232 } 233 CheckCloneIpcNs(void)234 static bool CheckCloneIpcNs(void) 235 { 236 return CheckCloneNs(CLONE_NEWIPC); 237 } 238 CheckCloneUserNs(void)239 static bool CheckCloneUserNs(void) 240 { 241 return CheckCloneNs(CLONE_NEWUSER); 242 } 243 244 #if defined __aarch64__ CheckMqOpen()245 static bool CheckMqOpen() 246 { 247 int ret = (int)syscall(__NR_mq_open, nullptr, 0); 248 if (ret < 0) { 249 return false; 250 } 251 252 return true; 253 } 254 CheckGetpid()255 static bool CheckGetpid() 256 { 257 pid_t pid = 1; 258 pid = syscall(__NR_getpid); 259 if (pid > 1) { 260 return true; 261 } 262 return false; 263 } 264 CheckGetuid()265 static bool CheckGetuid() 266 { 267 uid_t uid = 0; 268 uid = syscall(__NR_getuid); 269 if (uid >= 0) { 270 return true; 271 } 272 273 return false; 274 } 275 CheckSetresuidArgsInRange()276 static bool CheckSetresuidArgsInRange() 277 { 278 int ret = syscall(__NR_setresuid, 20000, 20000, 20000); 279 if (ret == 0) { 280 return true; 281 } 282 283 return false; 284 } 285 CheckSetresuidArgsOutOfRange()286 static bool CheckSetresuidArgsOutOfRange() 287 { 288 int ret = syscall(__NR_setresuid, 800, 800, 800); 289 if (ret == 0) { 290 return true; 291 } 292 293 return false; 294 } 295 CheckSetuid()296 static bool CheckSetuid() 297 { 298 int uid = syscall(__NR_setuid, 1); 299 if (uid == 0) { 300 return true; 301 } 302 303 return false; 304 } 305 CheckSetuid64ForUidFilter1()306 static bool CheckSetuid64ForUidFilter1() 307 { 308 int ret = syscall(__NR_setuid, 0); 309 if (ret == 0) { 310 return true; 311 } 312 313 return false; 314 } 315 CheckSetuid64ForUidFilter2()316 static bool CheckSetuid64ForUidFilter2() 317 { 318 int ret = syscall(__NR_setuid, 2); 319 if (ret == 0) { 320 return true; 321 } 322 323 return false; 324 } 325 CheckSetreuid64ForUidFilter1()326 static bool CheckSetreuid64ForUidFilter1() 327 { 328 int ret = syscall(__NR_setreuid, 0, 2); 329 if (ret == 0) { 330 return true; 331 } 332 333 return false; 334 } 335 CheckSetreuid64ForUidFilter2()336 static bool CheckSetreuid64ForUidFilter2() 337 { 338 int ret = syscall(__NR_setreuid, 2, 0); 339 if (ret == 0) { 340 return true; 341 } 342 343 return false; 344 } 345 CheckSetreuid64ForUidFilter3()346 static bool CheckSetreuid64ForUidFilter3() 347 { 348 int ret = syscall(__NR_setreuid, 0, 0); 349 if (ret == 0) { 350 return true; 351 } 352 353 return false; 354 } 355 CheckSetreuid64ForUidFilter4()356 static bool CheckSetreuid64ForUidFilter4() 357 { 358 int ret = syscall(__NR_setreuid, 2, 2); 359 if (ret == 0) { 360 return true; 361 } 362 363 return false; 364 } 365 CheckSetfsuid64ForUidFilter1()366 static bool CheckSetfsuid64ForUidFilter1() 367 { 368 int ret = syscall(__NR_setfsuid, 0); 369 if (ret == 0) { 370 return true; 371 } 372 373 return false; 374 } 375 CheckSetfsuid64ForUidFilter2()376 static bool CheckSetfsuid64ForUidFilter2() 377 { 378 int ret = syscall(__NR_setfsuid, 2); 379 if (ret == 0) { 380 return true; 381 } 382 383 return false; 384 } 385 CheckSetresuid64ForUidFilter1()386 static bool CheckSetresuid64ForUidFilter1() 387 { 388 int ret = syscall(__NR_setresuid, 0, 0, 0); 389 if (ret == 0) { 390 return true; 391 } 392 393 return false; 394 } 395 CheckSetresuid64ForUidFilter2()396 static bool CheckSetresuid64ForUidFilter2() 397 { 398 int ret = syscall(__NR_setresuid, 2, 0, 0); 399 if (ret == 0) { 400 return true; 401 } 402 403 return false; 404 } 405 CheckSetresuid64ForUidFilter3()406 static bool CheckSetresuid64ForUidFilter3() 407 { 408 int ret = syscall(__NR_setresuid, 0, 2, 0); 409 if (ret == 0) { 410 return true; 411 } 412 413 return false; 414 } 415 CheckSetresuid64ForUidFilter4()416 static bool CheckSetresuid64ForUidFilter4() 417 { 418 int ret = syscall(__NR_setresuid, 0, 0, 2); 419 if (ret == 0) { 420 return true; 421 } 422 423 return false; 424 } 425 CheckSetresuid64ForUidFilter5()426 static bool CheckSetresuid64ForUidFilter5() 427 { 428 int ret = syscall(__NR_setresuid, 0, 2, 2); 429 if (ret == 0) { 430 return true; 431 } 432 433 return false; 434 } 435 CheckSetresuid64ForUidFilter6()436 static bool CheckSetresuid64ForUidFilter6() 437 { 438 int ret = syscall(__NR_setresuid, 2, 0, 2); 439 if (ret == 0) { 440 return true; 441 } 442 443 return false; 444 } 445 CheckSetresuid64ForUidFilter7()446 static bool CheckSetresuid64ForUidFilter7() 447 { 448 int ret = syscall(__NR_setresuid, 2, 2, 0); 449 if (ret == 0) { 450 return true; 451 } 452 453 return false; 454 } 455 CheckSetresuid64ForUidFilter8()456 static bool CheckSetresuid64ForUidFilter8() 457 { 458 int ret = syscall(__NR_setresuid, 2, 2, 2); 459 if (ret == 0) { 460 return true; 461 } 462 463 return false; 464 } 465 TestSystemSycall()466 void TestSystemSycall() 467 { 468 // system blocklist 469 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckMqOpen, false); 470 EXPECT_EQ(ret, 0); 471 472 // system allowlist 473 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true); 474 EXPECT_EQ(ret, 0); 475 } 476 TestSystemSyscallForUidFilter()477 void TestSystemSyscallForUidFilter() 478 { 479 // system_uid_filter_64bit_test 480 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false); 481 EXPECT_EQ(ret, 0); 482 483 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true); 484 EXPECT_EQ(ret, 0); 485 486 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false); 487 EXPECT_EQ(ret, 0); 488 489 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false); 490 EXPECT_EQ(ret, 0); 491 492 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false); 493 EXPECT_EQ(ret, 0); 494 495 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true); 496 EXPECT_EQ(ret, 0); 497 498 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false); 499 EXPECT_EQ(ret, 0); 500 501 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true); 502 EXPECT_EQ(ret, 0); 503 504 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false); 505 EXPECT_EQ(ret, 0); 506 507 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false); 508 EXPECT_EQ(ret, 0); 509 510 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false); 511 EXPECT_EQ(ret, 0); 512 513 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false); 514 EXPECT_EQ(ret, 0); 515 516 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false); 517 EXPECT_EQ(ret, 0); 518 519 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false); 520 EXPECT_EQ(ret, 0); 521 522 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false); 523 EXPECT_EQ(ret, 0); 524 525 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true); 526 EXPECT_EQ(ret, 0); 527 } 528 TestSetUidGidFilter()529 void TestSetUidGidFilter() 530 { 531 // system blocklist 532 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); 533 EXPECT_EQ(ret, 0); 534 535 // system allowlist 536 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true); 537 EXPECT_EQ(ret, 0); 538 } 539 TestAppSycall()540 void TestAppSycall() 541 { 542 // app blocklist 543 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false); 544 EXPECT_EQ(ret, 0); 545 546 // app allowlist 547 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true); 548 EXPECT_EQ(ret, 0); 549 } 550 #elif defined __arm__ CheckGetuid32()551 static bool CheckGetuid32() 552 { 553 uid_t uid = syscall(__NR_getuid32); 554 if (uid >= 0) { 555 return true; 556 } 557 return false; 558 } 559 CheckGetuid()560 static bool CheckGetuid() 561 { 562 uid_t uid = syscall(__NR_getuid); 563 if (uid >= 0) { 564 return true; 565 } 566 return false; 567 } 568 CheckSetuid32()569 static bool CheckSetuid32() 570 { 571 int ret = syscall(__NR_setuid32, 1); 572 if (ret == 0) { 573 return true; 574 } 575 576 return false; 577 } 578 CheckSetresuid32ArgsInRange()579 static bool CheckSetresuid32ArgsInRange() 580 { 581 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); 582 if (ret == 0) { 583 return true; 584 } 585 586 return false; 587 } 588 CheckSetresuid32ArgsOutOfRange()589 static bool CheckSetresuid32ArgsOutOfRange() 590 { 591 int ret = syscall(__NR_setresuid32, 800, 800, 800); 592 if (ret == 0) { 593 return true; 594 } 595 596 return false; 597 } 598 CheckSetuid32ForUidFilter1()599 static bool CheckSetuid32ForUidFilter1() 600 { 601 int ret = syscall(__NR_setuid32, 0); 602 if (ret == 0) { 603 return true; 604 } 605 606 return false; 607 } 608 CheckSetuid32ForUidFilter2()609 static bool CheckSetuid32ForUidFilter2() 610 { 611 int ret = syscall(__NR_setuid32, 2); 612 if (ret == 0) { 613 return true; 614 } 615 616 return false; 617 } 618 CheckSetuid16ForUidFilter1()619 static bool CheckSetuid16ForUidFilter1() 620 { 621 int ret = syscall(__NR_setuid, 0); 622 if (ret == 0) { 623 return true; 624 } 625 626 return false; 627 } 628 CheckSetuid16ForUidFilter2()629 static bool CheckSetuid16ForUidFilter2() 630 { 631 int ret = syscall(__NR_setuid, 2); 632 if (ret == 0) { 633 return true; 634 } 635 636 return false; 637 } 638 CheckSetreuid32ForUidFilter1()639 static bool CheckSetreuid32ForUidFilter1() 640 { 641 int ret = syscall(__NR_setreuid32, 0, 2); 642 if (ret == 0) { 643 return true; 644 } 645 646 return false; 647 } 648 CheckSetreuid32ForUidFilter2()649 static bool CheckSetreuid32ForUidFilter2() 650 { 651 int ret = syscall(__NR_setreuid32, 2, 0); 652 if (ret == 0) { 653 return true; 654 } 655 656 return false; 657 } 658 CheckSetreuid32ForUidFilter3()659 static bool CheckSetreuid32ForUidFilter3() 660 { 661 int ret = syscall(__NR_setreuid32, 0, 0); 662 if (ret == 0) { 663 return true; 664 } 665 666 return false; 667 } 668 CheckSetreuid32ForUidFilter4()669 static bool CheckSetreuid32ForUidFilter4() 670 { 671 int ret = syscall(__NR_setreuid32, 2, 2); 672 if (ret == 0) { 673 return true; 674 } 675 676 return false; 677 } 678 CheckSetreuid16ForUidFilter1()679 static bool CheckSetreuid16ForUidFilter1() 680 { 681 int ret = syscall(__NR_setreuid, 0, 2); 682 if (ret == 0) { 683 return true; 684 } 685 686 return false; 687 } 688 CheckSetreuid16ForUidFilter2()689 static bool CheckSetreuid16ForUidFilter2() 690 { 691 int ret = syscall(__NR_setreuid, 2, 0); 692 if (ret == 0) { 693 return true; 694 } 695 696 return false; 697 } 698 CheckSetreuid16ForUidFilter3()699 static bool CheckSetreuid16ForUidFilter3() 700 { 701 int ret = syscall(__NR_setreuid, 0, 0); 702 if (ret == 0) { 703 return true; 704 } 705 706 return false; 707 } 708 CheckSetreuid16ForUidFilter4()709 static bool CheckSetreuid16ForUidFilter4() 710 { 711 int ret = syscall(__NR_setreuid, 2, 2); 712 if (ret == 0) { 713 return true; 714 } 715 716 return false; 717 } 718 CheckSetfsuid32ForUidFilter1()719 static bool CheckSetfsuid32ForUidFilter1() 720 { 721 int ret = syscall(__NR_setfsuid32, 0); 722 if (ret == 0) { 723 return true; 724 } 725 726 return false; 727 } 728 CheckSetfsuid32ForUidFilter2()729 static bool CheckSetfsuid32ForUidFilter2() 730 { 731 int ret = syscall(__NR_setfsuid32, 2); 732 if (ret == 0) { 733 return true; 734 } 735 736 return false; 737 } 738 CheckSetfsuid16ForUidFilter1()739 static bool CheckSetfsuid16ForUidFilter1() 740 { 741 int ret = syscall(__NR_setfsuid, 0); 742 if (ret == 0) { 743 return true; 744 } 745 746 return false; 747 } 748 CheckSetfsuid16ForUidFilter2()749 static bool CheckSetfsuid16ForUidFilter2() 750 { 751 int ret = syscall(__NR_setfsuid, 2); 752 if (ret == 0) { 753 return true; 754 } 755 756 return false; 757 } 758 CheckSetresuid32ForUidFilter1()759 static bool CheckSetresuid32ForUidFilter1() 760 { 761 int ret = syscall(__NR_setresuid32, 0, 0, 0); 762 if (ret == 0) { 763 return true; 764 } 765 766 return false; 767 } 768 CheckSetresuid32ForUidFilter2()769 static bool CheckSetresuid32ForUidFilter2() 770 { 771 int ret = syscall(__NR_setresuid32, 2, 0, 0); 772 if (ret == 0) { 773 return true; 774 } 775 776 return false; 777 } 778 CheckSetresuid32ForUidFilter3()779 static bool CheckSetresuid32ForUidFilter3() 780 { 781 int ret = syscall(__NR_setresuid32, 0, 2, 0); 782 if (ret == 0) { 783 return true; 784 } 785 786 return false; 787 } 788 CheckSetresuid32ForUidFilter4()789 static bool CheckSetresuid32ForUidFilter4() 790 { 791 int ret = syscall(__NR_setresuid32, 0, 0, 2); 792 if (ret == 0) { 793 return true; 794 } 795 796 return false; 797 } 798 CheckSetresuid32ForUidFilter5()799 static bool CheckSetresuid32ForUidFilter5() 800 { 801 int ret = syscall(__NR_setresuid32, 0, 2, 2); 802 if (ret == 0) { 803 return true; 804 } 805 806 return false; 807 } 808 CheckSetresuid32ForUidFilter6()809 static bool CheckSetresuid32ForUidFilter6() 810 { 811 int ret = syscall(__NR_setresuid32, 2, 0, 2); 812 if (ret == 0) { 813 return true; 814 } 815 816 return false; 817 } 818 CheckSetresuid32ForUidFilter7()819 static bool CheckSetresuid32ForUidFilter7() 820 { 821 int ret = syscall(__NR_setresuid32, 2, 2, 0); 822 if (ret == 0) { 823 return true; 824 } 825 826 return false; 827 } 828 CheckSetresuid32ForUidFilter8()829 static bool CheckSetresuid32ForUidFilter8() 830 { 831 int ret = syscall(__NR_setresuid32, 2, 2, 2); 832 if (ret == 0) { 833 return true; 834 } 835 836 return false; 837 } 838 CheckSetresuid16ForUidFilter1()839 static bool CheckSetresuid16ForUidFilter1() 840 { 841 int ret = syscall(__NR_setresuid, 0, 0, 0); 842 if (ret == 0) { 843 return true; 844 } 845 846 return false; 847 } 848 CheckSetresuid16ForUidFilter2()849 static bool CheckSetresuid16ForUidFilter2() 850 { 851 int ret = syscall(__NR_setresuid, 2, 0, 0); 852 if (ret == 0) { 853 return true; 854 } 855 856 return false; 857 } 858 CheckSetresuid16ForUidFilter3()859 static bool CheckSetresuid16ForUidFilter3() 860 { 861 int ret = syscall(__NR_setresuid, 0, 2, 0); 862 if (ret == 0) { 863 return true; 864 } 865 866 return false; 867 } 868 CheckSetresuid16ForUidFilter4()869 static bool CheckSetresuid16ForUidFilter4() 870 { 871 int ret = syscall(__NR_setresuid, 0, 0, 2); 872 if (ret == 0) { 873 return true; 874 } 875 876 return false; 877 } 878 CheckSetresuid16ForUidFilter5()879 static bool CheckSetresuid16ForUidFilter5() 880 { 881 int ret = syscall(__NR_setresuid, 0, 2, 2); 882 if (ret == 0) { 883 return true; 884 } 885 886 return false; 887 } 888 CheckSetresuid16ForUidFilter6()889 static bool CheckSetresuid16ForUidFilter6() 890 { 891 int ret = syscall(__NR_setresuid, 2, 0, 2); 892 if (ret == 0) { 893 return true; 894 } 895 896 return false; 897 } 898 CheckSetresuid16ForUidFilter7()899 static bool CheckSetresuid16ForUidFilter7() 900 { 901 int ret = syscall(__NR_setresuid, 2, 2, 0); 902 if (ret == 0) { 903 return true; 904 } 905 906 return false; 907 } 908 CheckSetresuid16ForUidFilter8()909 static bool CheckSetresuid16ForUidFilter8() 910 { 911 int ret = syscall(__NR_setresuid, 2, 2, 2); 912 if (ret == 0) { 913 return true; 914 } 915 916 return false; 917 } 918 TestSystemSycall()919 void TestSystemSycall() 920 { 921 // system blocklist 922 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false); 923 EXPECT_EQ(ret, 0); 924 925 // system allowlist 926 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true); 927 EXPECT_EQ(ret, 0); 928 } 929 TestSystemSyscallForUidFilter32Bit()930 void TestSystemSyscallForUidFilter32Bit() 931 { 932 // system_uid_filter_32bit_test 933 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false); 934 EXPECT_EQ(ret, 0); 935 936 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true); 937 EXPECT_EQ(ret, 0); 938 939 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false); 940 EXPECT_EQ(ret, 0); 941 942 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false); 943 EXPECT_EQ(ret, 0); 944 945 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false); 946 EXPECT_EQ(ret, 0); 947 948 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true); 949 EXPECT_EQ(ret, 0); 950 951 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false); 952 EXPECT_EQ(ret, 0); 953 954 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true); 955 EXPECT_EQ(ret, 0); 956 957 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false); 958 EXPECT_EQ(ret, 0); 959 960 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false); 961 EXPECT_EQ(ret, 0); 962 963 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false); 964 EXPECT_EQ(ret, 0); 965 966 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false); 967 EXPECT_EQ(ret, 0); 968 969 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false); 970 EXPECT_EQ(ret, 0); 971 972 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false); 973 EXPECT_EQ(ret, 0); 974 975 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false); 976 EXPECT_EQ(ret, 0); 977 978 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true); 979 EXPECT_EQ(ret, 0); 980 } 981 TestSystemSyscallForUidFilter16Bit()982 void TestSystemSyscallForUidFilter16Bit() 983 { 984 // system_uid_filter_16bit_test 985 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false); 986 EXPECT_EQ(ret, 0); 987 988 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true); 989 EXPECT_EQ(ret, 0); 990 991 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false); 992 EXPECT_EQ(ret, 0); 993 994 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false); 995 EXPECT_EQ(ret, 0); 996 997 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false); 998 EXPECT_EQ(ret, 0); 999 1000 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true); 1001 EXPECT_EQ(ret, 0); 1002 1003 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false); 1004 EXPECT_EQ(ret, 0); 1005 1006 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true); 1007 EXPECT_EQ(ret, 0); 1008 1009 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false); 1010 EXPECT_EQ(ret, 0); 1011 1012 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false); 1013 EXPECT_EQ(ret, 0); 1014 1015 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false); 1016 EXPECT_EQ(ret, 0); 1017 1018 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false); 1019 EXPECT_EQ(ret, 0); 1020 1021 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false); 1022 EXPECT_EQ(ret, 0); 1023 1024 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false); 1025 EXPECT_EQ(ret, 0); 1026 1027 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false); 1028 EXPECT_EQ(ret, 0); 1029 1030 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true); 1031 EXPECT_EQ(ret, 0); 1032 } 1033 TestSystemSyscallForUidFilter()1034 void TestSystemSyscallForUidFilter() 1035 { 1036 TestSystemSyscallForUidFilter32Bit(); 1037 TestSystemSyscallForUidFilter16Bit(); 1038 } 1039 TestSetUidGidFilter()1040 void TestSetUidGidFilter() 1041 { 1042 // system blocklist 1043 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); 1044 EXPECT_EQ(ret, 0); 1045 1046 // system allowlist 1047 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); 1048 EXPECT_EQ(ret, 0); 1049 } 1050 TestAppSycall()1051 void TestAppSycall() 1052 { 1053 // app blocklist 1054 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false); 1055 EXPECT_EQ(ret, 0); 1056 1057 // app allowlist 1058 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true); 1059 EXPECT_EQ(ret, 0); 1060 } 1061 #endif TestAppSycallNs()1062 void TestAppSycallNs() 1063 { 1064 int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false); 1065 EXPECT_EQ(ret, 0); 1066 1067 ret = CheckSyscall(APP, APP_NAME, CheckSetns, false); 1068 EXPECT_EQ(ret, 0); 1069 1070 ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false); 1071 EXPECT_EQ(ret, 0); 1072 1073 ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false); 1074 EXPECT_EQ(ret, 0); 1075 1076 ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false); 1077 EXPECT_EQ(ret, 0); 1078 1079 ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false); 1080 EXPECT_EQ(ret, 0); 1081 1082 ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false); 1083 EXPECT_EQ(ret, 0); 1084 1085 ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false); 1086 EXPECT_EQ(ret, 0); 1087 1088 ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false); 1089 EXPECT_EQ(ret, 0); 1090 } 1091 }; 1092 1093 /** 1094 * @tc.name: TestSystemSycall 1095 * @tc.desc: Verify the system seccomp policy. 1096 * @tc.type: FUNC 1097 * @tc.require: issueI5IUWJ 1098 */ 1099 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSycall001, TestSize.Level1) 1100 { 1101 SeccompUnitTest test; 1102 test.TestSystemSycall(); 1103 } 1104 1105 /** 1106 * @tc.name: TestSetUidGidFilter 1107 * @tc.desc: Verify the uid gid seccomp policy. 1108 * @tc.type: FUNC 1109 * @tc.require: issueI5IUWJ 1110 */ 1111 HWTEST_F(SeccompUnitTest, Init_Seccomp_SetUidGidFilter001, TestSize.Level1) 1112 { 1113 SeccompUnitTest test; 1114 test.TestSetUidGidFilter(); 1115 } 1116 1117 /** 1118 * @tc.name: TestAppSycall 1119 * @tc.desc: Verify the app seccomp policy. 1120 * @tc.type: FUNC 1121 * @tc.require: issueI5MUXD 1122 */ 1123 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1) 1124 { 1125 SeccompUnitTest test; 1126 test.TestAppSycall(); 1127 } 1128 1129 /** 1130 * @tc.name: TestSystemSyscallForUidFilter 1131 * @tc.desc: Verify the system seccomp policy. 1132 * @tc.type: FUNC 1133 * @tc.require: issueI7QET2 1134 */ 1135 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSyscallForUidFilter001, TestSize.Level1) 1136 { 1137 SeccompUnitTest test; 1138 test.TestSystemSyscallForUidFilter(); 1139 } 1140 1141 /** 1142 * @tc.name: TestAppSycallNs 1143 * @tc.desc: Verify the app seccomp policy about namespace. 1144 * @tc.type: FUNC 1145 * @tc.require: issueI8LZTC 1146 */ 1147 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycallNs001, TestSize.Level1) 1148 { 1149 SeccompUnitTest test; 1150 test.TestAppSycallNs(); 1151 } 1152 } 1153