1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <gtest/gtest.h>
17
18 #include <cstdlib>
19 #include <unistd.h>
20 #include <sys/wait.h>
21 #include <csignal>
22 #include <cerrno>
23 #include <cstring>
24 #include <sys/prctl.h>
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <fcntl.h>
28 #include <sys/syscall.h>
29 #include <asm/unistd.h>
30 #include <syscall.h>
31 #include <climits>
32 #include <sched.h>
33
34 #include "seccomp_policy.h"
35
36 using SyscallFunc = bool (*)(void);
37 constexpr int SLEEP_TIME_100MS = 100000; // 100ms
38 constexpr int SLEEP_TIME_1S = 1;
39
40 using namespace testing::ext;
41 using namespace std;
42
43 namespace init_ut {
44 class SeccompUnitTest : public testing::Test {
45 public:
SeccompUnitTest()46 SeccompUnitTest() {};
~SeccompUnitTest()47 virtual ~SeccompUnitTest() {};
SetUpTestCase()48 static void SetUpTestCase() {};
TearDownTestCase()49 static void TearDownTestCase() {};
50
SetUp()51 void SetUp()
52 {
53 /*
54 * Wait for 1 second to prevent the generated crash file
55 * from being overwritten because the crash interval is too short
56 * and the crash file's name is constructed by time stamp.
57 */
58 sleep(SLEEP_TIME_1S);
59 };
60
TearDown()61 void TearDown() {};
TestBody(void)62 void TestBody(void) {};
63
StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func)64 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func)
65 {
66 pid_t pid = fork();
67 if (pid == 0) {
68 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
69 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl;
70 exit(EXIT_FAILURE);
71 }
72
73 if (!SetSeccompPolicyWithName(type, filterName)) {
74 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl;
75 exit(EXIT_FAILURE);
76 }
77
78 if (!func()) {
79 std::cout << "func excute fail" << std::endl;
80 exit(EXIT_FAILURE);
81 }
82
83 std::cout << "func excute success" << std::endl;
84
85 exit(EXIT_SUCCESS);
86 }
87 return pid;
88 }
89
CheckStatus(int status, bool isAllow)90 static int CheckStatus(int status, bool isAllow)
91 {
92 if (WEXITSTATUS(status) == EXIT_FAILURE) {
93 return -1;
94 }
95
96 if (WIFSIGNALED(status)) {
97 if (WTERMSIG(status) == SIGSYS) {
98 std::cout << "child process exit with SIGSYS" << std::endl;
99 return isAllow ? -1 : 0;
100 }
101 } else {
102 std::cout << "child process finished normally" << std::endl;
103 return isAllow ? 0 : -1;
104 }
105
106 return -1;
107 }
108
CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow)109 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow)
110 {
111 sigset_t set;
112 int status;
113 pid_t pid;
114 int flag = 0;
115 struct timespec waitTime = {5, 0};
116
117 sigemptyset(&set);
118 sigaddset(&set, SIGCHLD);
119 sigprocmask(SIG_BLOCK, &set, nullptr);
120 sigaddset(&set, SIGSYS);
121 if (signal(SIGCHLD, SIG_DFL) == nullptr) {
122 std::cout << "signal failed:" << strerror(errno) << std::endl;
123 }
124 if (signal(SIGSYS, SIG_DFL) == nullptr) {
125 std::cout << "signal failed:" << strerror(errno) << std::endl;
126 }
127
128 /* Sleeping for avoiding influencing child proccess wait for other threads
129 * which were created by other unittests to release global rwlock. The global
130 * rwlock will be used by function dlopen in child process */
131 usleep(SLEEP_TIME_100MS);
132
133 pid = StartChild(type, filterName, func);
134 if (pid == -1) {
135 std::cout << "fork failed:" << strerror(errno) << std::endl;
136 return -1;
137 }
138 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */
139 if (errno == EAGAIN) {
140 flag = 1;
141 } else {
142 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl;
143 }
144
145 if (kill(pid, SIGKILL) == -1) {
146 std::cout << "kill failed::" << strerror(errno) << std::endl;
147 }
148 }
149
150 if (waitpid(pid, &status, 0) != pid) {
151 std::cout << "waitpid failed:" << strerror(errno) << std::endl;
152 return -1;
153 }
154
155 if (flag != 0) {
156 std::cout << "Child process time out" << std::endl;
157 }
158
159 return CheckStatus(status, isAllow);
160 }
161
CheckUnshare()162 static bool CheckUnshare()
163 {
164 int ret = unshare(CLONE_NEWPID);
165 if (ret) {
166 return false;
167 }
168 return true;
169 }
170
CheckSetns()171 static bool CheckSetns()
172 {
173 int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC);
174 if (fd < 0) {
175 return false;
176 }
177
178 if (setns(fd, CLONE_NEWNS) != 0) {
179 close(fd);
180 return false;
181 }
182
183 close(fd);
184 return true;
185 }
186
ChildFunc(void *arg)187 static int ChildFunc(void *arg)
188 {
189 exit(0);
190 }
191
CheckCloneNs(int flag)192 static bool CheckCloneNs(int flag)
193 {
194 const int stackSize = 65536;
195
196 char *stack = static_cast<char *>(malloc(stackSize));
197 if (stack == nullptr) {
198 return false;
199 }
200 char *stackTop = stack + stackSize;
201 pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr);
202 if (pid == -1) {
203 free(stack);
204 return false;
205 }
206 return true;
207 }
208
CheckClonePidNs(void)209 static bool CheckClonePidNs(void)
210 {
211 return CheckCloneNs(CLONE_NEWPID);
212 }
213
CheckCloneMntNs(void)214 static bool CheckCloneMntNs(void)
215 {
216 return CheckCloneNs(CLONE_NEWNS);
217 }
218
CheckCloneNetNs(void)219 static bool CheckCloneNetNs(void)
220 {
221 return CheckCloneNs(CLONE_NEWNET);
222 }
223
CheckCloneCgroupNs(void)224 static bool CheckCloneCgroupNs(void)
225 {
226 return CheckCloneNs(CLONE_NEWCGROUP);
227 }
228
CheckCloneUtsNs(void)229 static bool CheckCloneUtsNs(void)
230 {
231 return CheckCloneNs(CLONE_NEWUTS);
232 }
233
CheckCloneIpcNs(void)234 static bool CheckCloneIpcNs(void)
235 {
236 return CheckCloneNs(CLONE_NEWIPC);
237 }
238
CheckCloneUserNs(void)239 static bool CheckCloneUserNs(void)
240 {
241 return CheckCloneNs(CLONE_NEWUSER);
242 }
243
244 #if defined __aarch64__
CheckMqOpen()245 static bool CheckMqOpen()
246 {
247 int ret = (int)syscall(__NR_mq_open, nullptr, 0);
248 if (ret < 0) {
249 return false;
250 }
251
252 return true;
253 }
254
CheckGetpid()255 static bool CheckGetpid()
256 {
257 pid_t pid = 1;
258 pid = syscall(__NR_getpid);
259 if (pid > 1) {
260 return true;
261 }
262 return false;
263 }
264
CheckGetuid()265 static bool CheckGetuid()
266 {
267 uid_t uid = 0;
268 uid = syscall(__NR_getuid);
269 if (uid >= 0) {
270 return true;
271 }
272
273 return false;
274 }
275
CheckSetresuidArgsInRange()276 static bool CheckSetresuidArgsInRange()
277 {
278 int ret = syscall(__NR_setresuid, 20000, 20000, 20000);
279 if (ret == 0) {
280 return true;
281 }
282
283 return false;
284 }
285
CheckSetresuidArgsOutOfRange()286 static bool CheckSetresuidArgsOutOfRange()
287 {
288 int ret = syscall(__NR_setresuid, 800, 800, 800);
289 if (ret == 0) {
290 return true;
291 }
292
293 return false;
294 }
295
CheckSetuid()296 static bool CheckSetuid()
297 {
298 int uid = syscall(__NR_setuid, 1);
299 if (uid == 0) {
300 return true;
301 }
302
303 return false;
304 }
305
CheckSetuid64ForUidFilter1()306 static bool CheckSetuid64ForUidFilter1()
307 {
308 int ret = syscall(__NR_setuid, 0);
309 if (ret == 0) {
310 return true;
311 }
312
313 return false;
314 }
315
CheckSetuid64ForUidFilter2()316 static bool CheckSetuid64ForUidFilter2()
317 {
318 int ret = syscall(__NR_setuid, 2);
319 if (ret == 0) {
320 return true;
321 }
322
323 return false;
324 }
325
CheckSetreuid64ForUidFilter1()326 static bool CheckSetreuid64ForUidFilter1()
327 {
328 int ret = syscall(__NR_setreuid, 0, 2);
329 if (ret == 0) {
330 return true;
331 }
332
333 return false;
334 }
335
CheckSetreuid64ForUidFilter2()336 static bool CheckSetreuid64ForUidFilter2()
337 {
338 int ret = syscall(__NR_setreuid, 2, 0);
339 if (ret == 0) {
340 return true;
341 }
342
343 return false;
344 }
345
CheckSetreuid64ForUidFilter3()346 static bool CheckSetreuid64ForUidFilter3()
347 {
348 int ret = syscall(__NR_setreuid, 0, 0);
349 if (ret == 0) {
350 return true;
351 }
352
353 return false;
354 }
355
CheckSetreuid64ForUidFilter4()356 static bool CheckSetreuid64ForUidFilter4()
357 {
358 int ret = syscall(__NR_setreuid, 2, 2);
359 if (ret == 0) {
360 return true;
361 }
362
363 return false;
364 }
365
CheckSetfsuid64ForUidFilter1()366 static bool CheckSetfsuid64ForUidFilter1()
367 {
368 int ret = syscall(__NR_setfsuid, 0);
369 if (ret == 0) {
370 return true;
371 }
372
373 return false;
374 }
375
CheckSetfsuid64ForUidFilter2()376 static bool CheckSetfsuid64ForUidFilter2()
377 {
378 int ret = syscall(__NR_setfsuid, 2);
379 if (ret == 0) {
380 return true;
381 }
382
383 return false;
384 }
385
CheckSetresuid64ForUidFilter1()386 static bool CheckSetresuid64ForUidFilter1()
387 {
388 int ret = syscall(__NR_setresuid, 0, 0, 0);
389 if (ret == 0) {
390 return true;
391 }
392
393 return false;
394 }
395
CheckSetresuid64ForUidFilter2()396 static bool CheckSetresuid64ForUidFilter2()
397 {
398 int ret = syscall(__NR_setresuid, 2, 0, 0);
399 if (ret == 0) {
400 return true;
401 }
402
403 return false;
404 }
405
CheckSetresuid64ForUidFilter3()406 static bool CheckSetresuid64ForUidFilter3()
407 {
408 int ret = syscall(__NR_setresuid, 0, 2, 0);
409 if (ret == 0) {
410 return true;
411 }
412
413 return false;
414 }
415
CheckSetresuid64ForUidFilter4()416 static bool CheckSetresuid64ForUidFilter4()
417 {
418 int ret = syscall(__NR_setresuid, 0, 0, 2);
419 if (ret == 0) {
420 return true;
421 }
422
423 return false;
424 }
425
CheckSetresuid64ForUidFilter5()426 static bool CheckSetresuid64ForUidFilter5()
427 {
428 int ret = syscall(__NR_setresuid, 0, 2, 2);
429 if (ret == 0) {
430 return true;
431 }
432
433 return false;
434 }
435
CheckSetresuid64ForUidFilter6()436 static bool CheckSetresuid64ForUidFilter6()
437 {
438 int ret = syscall(__NR_setresuid, 2, 0, 2);
439 if (ret == 0) {
440 return true;
441 }
442
443 return false;
444 }
445
CheckSetresuid64ForUidFilter7()446 static bool CheckSetresuid64ForUidFilter7()
447 {
448 int ret = syscall(__NR_setresuid, 2, 2, 0);
449 if (ret == 0) {
450 return true;
451 }
452
453 return false;
454 }
455
CheckSetresuid64ForUidFilter8()456 static bool CheckSetresuid64ForUidFilter8()
457 {
458 int ret = syscall(__NR_setresuid, 2, 2, 2);
459 if (ret == 0) {
460 return true;
461 }
462
463 return false;
464 }
465
TestSystemSycall()466 void TestSystemSycall()
467 {
468 // system blocklist
469 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckMqOpen, false);
470 EXPECT_EQ(ret, 0);
471
472 // system allowlist
473 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true);
474 EXPECT_EQ(ret, 0);
475 }
476
TestSystemSyscallForUidFilter()477 void TestSystemSyscallForUidFilter()
478 {
479 // system_uid_filter_64bit_test
480 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false);
481 EXPECT_EQ(ret, 0);
482
483 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true);
484 EXPECT_EQ(ret, 0);
485
486 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false);
487 EXPECT_EQ(ret, 0);
488
489 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false);
490 EXPECT_EQ(ret, 0);
491
492 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false);
493 EXPECT_EQ(ret, 0);
494
495 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true);
496 EXPECT_EQ(ret, 0);
497
498 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false);
499 EXPECT_EQ(ret, 0);
500
501 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true);
502 EXPECT_EQ(ret, 0);
503
504 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false);
505 EXPECT_EQ(ret, 0);
506
507 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false);
508 EXPECT_EQ(ret, 0);
509
510 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false);
511 EXPECT_EQ(ret, 0);
512
513 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false);
514 EXPECT_EQ(ret, 0);
515
516 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false);
517 EXPECT_EQ(ret, 0);
518
519 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false);
520 EXPECT_EQ(ret, 0);
521
522 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false);
523 EXPECT_EQ(ret, 0);
524
525 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true);
526 EXPECT_EQ(ret, 0);
527 }
528
TestSetUidGidFilter()529 void TestSetUidGidFilter()
530 {
531 // system blocklist
532 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false);
533 EXPECT_EQ(ret, 0);
534
535 // system allowlist
536 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true);
537 EXPECT_EQ(ret, 0);
538 }
539
TestAppSycall()540 void TestAppSycall()
541 {
542 // app blocklist
543 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false);
544 EXPECT_EQ(ret, 0);
545
546 // app allowlist
547 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true);
548 EXPECT_EQ(ret, 0);
549 }
550 #ifdef SECCOMP_PRIVILEGE
TestSeccompPrivilegeSyscall()551 void TestSeccompPrivilegeSyscall()
552 {
553 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid64ForUidFilter1, true);
554 EXPECT_EQ(ret, 0);
555 }
556 #endif
557
558 #elif defined __arm__
CheckGetuid32()559 static bool CheckGetuid32()
560 {
561 uid_t uid = syscall(__NR_getuid32);
562 if (uid >= 0) {
563 return true;
564 }
565 return false;
566 }
567
CheckGetuid()568 static bool CheckGetuid()
569 {
570 uid_t uid = syscall(__NR_getuid);
571 if (uid >= 0) {
572 return true;
573 }
574 return false;
575 }
576
CheckSetuid32()577 static bool CheckSetuid32()
578 {
579 int ret = syscall(__NR_setuid32, 1);
580 if (ret == 0) {
581 return true;
582 }
583
584 return false;
585 }
586
CheckSetresuid32ArgsInRange()587 static bool CheckSetresuid32ArgsInRange()
588 {
589 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000);
590 if (ret == 0) {
591 return true;
592 }
593
594 return false;
595 }
596
CheckSetresuid32ArgsOutOfRange()597 static bool CheckSetresuid32ArgsOutOfRange()
598 {
599 int ret = syscall(__NR_setresuid32, 800, 800, 800);
600 if (ret == 0) {
601 return true;
602 }
603
604 return false;
605 }
606
CheckSetuid32ForUidFilter1()607 static bool CheckSetuid32ForUidFilter1()
608 {
609 int ret = syscall(__NR_setuid32, 0);
610 if (ret == 0) {
611 return true;
612 }
613
614 return false;
615 }
616
CheckSetuid32ForUidFilter2()617 static bool CheckSetuid32ForUidFilter2()
618 {
619 int ret = syscall(__NR_setuid32, 2);
620 if (ret == 0) {
621 return true;
622 }
623
624 return false;
625 }
626
CheckSetuid16ForUidFilter1()627 static bool CheckSetuid16ForUidFilter1()
628 {
629 int ret = syscall(__NR_setuid, 0);
630 if (ret == 0) {
631 return true;
632 }
633
634 return false;
635 }
636
CheckSetuid16ForUidFilter2()637 static bool CheckSetuid16ForUidFilter2()
638 {
639 int ret = syscall(__NR_setuid, 2);
640 if (ret == 0) {
641 return true;
642 }
643
644 return false;
645 }
646
CheckSetreuid32ForUidFilter1()647 static bool CheckSetreuid32ForUidFilter1()
648 {
649 int ret = syscall(__NR_setreuid32, 0, 2);
650 if (ret == 0) {
651 return true;
652 }
653
654 return false;
655 }
656
CheckSetreuid32ForUidFilter2()657 static bool CheckSetreuid32ForUidFilter2()
658 {
659 int ret = syscall(__NR_setreuid32, 2, 0);
660 if (ret == 0) {
661 return true;
662 }
663
664 return false;
665 }
666
CheckSetreuid32ForUidFilter3()667 static bool CheckSetreuid32ForUidFilter3()
668 {
669 int ret = syscall(__NR_setreuid32, 0, 0);
670 if (ret == 0) {
671 return true;
672 }
673
674 return false;
675 }
676
CheckSetreuid32ForUidFilter4()677 static bool CheckSetreuid32ForUidFilter4()
678 {
679 int ret = syscall(__NR_setreuid32, 2, 2);
680 if (ret == 0) {
681 return true;
682 }
683
684 return false;
685 }
686
CheckSetreuid16ForUidFilter1()687 static bool CheckSetreuid16ForUidFilter1()
688 {
689 int ret = syscall(__NR_setreuid, 0, 2);
690 if (ret == 0) {
691 return true;
692 }
693
694 return false;
695 }
696
CheckSetreuid16ForUidFilter2()697 static bool CheckSetreuid16ForUidFilter2()
698 {
699 int ret = syscall(__NR_setreuid, 2, 0);
700 if (ret == 0) {
701 return true;
702 }
703
704 return false;
705 }
706
CheckSetreuid16ForUidFilter3()707 static bool CheckSetreuid16ForUidFilter3()
708 {
709 int ret = syscall(__NR_setreuid, 0, 0);
710 if (ret == 0) {
711 return true;
712 }
713
714 return false;
715 }
716
CheckSetreuid16ForUidFilter4()717 static bool CheckSetreuid16ForUidFilter4()
718 {
719 int ret = syscall(__NR_setreuid, 2, 2);
720 if (ret == 0) {
721 return true;
722 }
723
724 return false;
725 }
726
CheckSetfsuid32ForUidFilter1()727 static bool CheckSetfsuid32ForUidFilter1()
728 {
729 int ret = syscall(__NR_setfsuid32, 0);
730 if (ret == 0) {
731 return true;
732 }
733
734 return false;
735 }
736
CheckSetfsuid32ForUidFilter2()737 static bool CheckSetfsuid32ForUidFilter2()
738 {
739 int ret = syscall(__NR_setfsuid32, 2);
740 if (ret == 0) {
741 return true;
742 }
743
744 return false;
745 }
746
CheckSetfsuid16ForUidFilter1()747 static bool CheckSetfsuid16ForUidFilter1()
748 {
749 int ret = syscall(__NR_setfsuid, 0);
750 if (ret == 0) {
751 return true;
752 }
753
754 return false;
755 }
756
CheckSetfsuid16ForUidFilter2()757 static bool CheckSetfsuid16ForUidFilter2()
758 {
759 int ret = syscall(__NR_setfsuid, 2);
760 if (ret == 0) {
761 return true;
762 }
763
764 return false;
765 }
766
CheckSetresuid32ForUidFilter1()767 static bool CheckSetresuid32ForUidFilter1()
768 {
769 int ret = syscall(__NR_setresuid32, 0, 0, 0);
770 if (ret == 0) {
771 return true;
772 }
773
774 return false;
775 }
776
CheckSetresuid32ForUidFilter2()777 static bool CheckSetresuid32ForUidFilter2()
778 {
779 int ret = syscall(__NR_setresuid32, 2, 0, 0);
780 if (ret == 0) {
781 return true;
782 }
783
784 return false;
785 }
786
CheckSetresuid32ForUidFilter3()787 static bool CheckSetresuid32ForUidFilter3()
788 {
789 int ret = syscall(__NR_setresuid32, 0, 2, 0);
790 if (ret == 0) {
791 return true;
792 }
793
794 return false;
795 }
796
CheckSetresuid32ForUidFilter4()797 static bool CheckSetresuid32ForUidFilter4()
798 {
799 int ret = syscall(__NR_setresuid32, 0, 0, 2);
800 if (ret == 0) {
801 return true;
802 }
803
804 return false;
805 }
806
CheckSetresuid32ForUidFilter5()807 static bool CheckSetresuid32ForUidFilter5()
808 {
809 int ret = syscall(__NR_setresuid32, 0, 2, 2);
810 if (ret == 0) {
811 return true;
812 }
813
814 return false;
815 }
816
CheckSetresuid32ForUidFilter6()817 static bool CheckSetresuid32ForUidFilter6()
818 {
819 int ret = syscall(__NR_setresuid32, 2, 0, 2);
820 if (ret == 0) {
821 return true;
822 }
823
824 return false;
825 }
826
CheckSetresuid32ForUidFilter7()827 static bool CheckSetresuid32ForUidFilter7()
828 {
829 int ret = syscall(__NR_setresuid32, 2, 2, 0);
830 if (ret == 0) {
831 return true;
832 }
833
834 return false;
835 }
836
CheckSetresuid32ForUidFilter8()837 static bool CheckSetresuid32ForUidFilter8()
838 {
839 int ret = syscall(__NR_setresuid32, 2, 2, 2);
840 if (ret == 0) {
841 return true;
842 }
843
844 return false;
845 }
846
CheckSetresuid16ForUidFilter1()847 static bool CheckSetresuid16ForUidFilter1()
848 {
849 int ret = syscall(__NR_setresuid, 0, 0, 0);
850 if (ret == 0) {
851 return true;
852 }
853
854 return false;
855 }
856
CheckSetresuid16ForUidFilter2()857 static bool CheckSetresuid16ForUidFilter2()
858 {
859 int ret = syscall(__NR_setresuid, 2, 0, 0);
860 if (ret == 0) {
861 return true;
862 }
863
864 return false;
865 }
866
CheckSetresuid16ForUidFilter3()867 static bool CheckSetresuid16ForUidFilter3()
868 {
869 int ret = syscall(__NR_setresuid, 0, 2, 0);
870 if (ret == 0) {
871 return true;
872 }
873
874 return false;
875 }
876
CheckSetresuid16ForUidFilter4()877 static bool CheckSetresuid16ForUidFilter4()
878 {
879 int ret = syscall(__NR_setresuid, 0, 0, 2);
880 if (ret == 0) {
881 return true;
882 }
883
884 return false;
885 }
886
CheckSetresuid16ForUidFilter5()887 static bool CheckSetresuid16ForUidFilter5()
888 {
889 int ret = syscall(__NR_setresuid, 0, 2, 2);
890 if (ret == 0) {
891 return true;
892 }
893
894 return false;
895 }
896
CheckSetresuid16ForUidFilter6()897 static bool CheckSetresuid16ForUidFilter6()
898 {
899 int ret = syscall(__NR_setresuid, 2, 0, 2);
900 if (ret == 0) {
901 return true;
902 }
903
904 return false;
905 }
906
CheckSetresuid16ForUidFilter7()907 static bool CheckSetresuid16ForUidFilter7()
908 {
909 int ret = syscall(__NR_setresuid, 2, 2, 0);
910 if (ret == 0) {
911 return true;
912 }
913
914 return false;
915 }
916
CheckSetresuid16ForUidFilter8()917 static bool CheckSetresuid16ForUidFilter8()
918 {
919 int ret = syscall(__NR_setresuid, 2, 2, 2);
920 if (ret == 0) {
921 return true;
922 }
923
924 return false;
925 }
926
TestSystemSycall()927 void TestSystemSycall()
928 {
929 // system blocklist
930 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false);
931 EXPECT_EQ(ret, 0);
932
933 // system allowlist
934 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true);
935 EXPECT_EQ(ret, 0);
936 }
937
TestSystemSyscallForUidFilter32Bit()938 void TestSystemSyscallForUidFilter32Bit()
939 {
940 // system_uid_filter_32bit_test
941 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false);
942 EXPECT_EQ(ret, 0);
943
944 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true);
945 EXPECT_EQ(ret, 0);
946
947 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false);
948 EXPECT_EQ(ret, 0);
949
950 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false);
951 EXPECT_EQ(ret, 0);
952
953 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false);
954 EXPECT_EQ(ret, 0);
955
956 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true);
957 EXPECT_EQ(ret, 0);
958
959 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false);
960 EXPECT_EQ(ret, 0);
961
962 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true);
963 EXPECT_EQ(ret, 0);
964
965 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false);
966 EXPECT_EQ(ret, 0);
967
968 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false);
969 EXPECT_EQ(ret, 0);
970
971 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false);
972 EXPECT_EQ(ret, 0);
973
974 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false);
975 EXPECT_EQ(ret, 0);
976
977 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false);
978 EXPECT_EQ(ret, 0);
979
980 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false);
981 EXPECT_EQ(ret, 0);
982
983 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false);
984 EXPECT_EQ(ret, 0);
985
986 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true);
987 EXPECT_EQ(ret, 0);
988 }
989
TestSystemSyscallForUidFilter16Bit()990 void TestSystemSyscallForUidFilter16Bit()
991 {
992 // system_uid_filter_16bit_test
993 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false);
994 EXPECT_EQ(ret, 0);
995
996 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true);
997 EXPECT_EQ(ret, 0);
998
999 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false);
1000 EXPECT_EQ(ret, 0);
1001
1002 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false);
1003 EXPECT_EQ(ret, 0);
1004
1005 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false);
1006 EXPECT_EQ(ret, 0);
1007
1008 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true);
1009 EXPECT_EQ(ret, 0);
1010
1011 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false);
1012 EXPECT_EQ(ret, 0);
1013
1014 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true);
1015 EXPECT_EQ(ret, 0);
1016
1017 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false);
1018 EXPECT_EQ(ret, 0);
1019
1020 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false);
1021 EXPECT_EQ(ret, 0);
1022
1023 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false);
1024 EXPECT_EQ(ret, 0);
1025
1026 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false);
1027 EXPECT_EQ(ret, 0);
1028
1029 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false);
1030 EXPECT_EQ(ret, 0);
1031
1032 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false);
1033 EXPECT_EQ(ret, 0);
1034
1035 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false);
1036 EXPECT_EQ(ret, 0);
1037
1038 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true);
1039 EXPECT_EQ(ret, 0);
1040 }
1041
TestSystemSyscallForUidFilter()1042 void TestSystemSyscallForUidFilter()
1043 {
1044 TestSystemSyscallForUidFilter32Bit();
1045 TestSystemSyscallForUidFilter16Bit();
1046 }
1047
TestSetUidGidFilter()1048 void TestSetUidGidFilter()
1049 {
1050 // system blocklist
1051 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false);
1052 EXPECT_EQ(ret, 0);
1053
1054 // system allowlist
1055 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true);
1056 EXPECT_EQ(ret, 0);
1057 }
1058
TestAppSycall()1059 void TestAppSycall()
1060 {
1061 // app blocklist
1062 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false);
1063 EXPECT_EQ(ret, 0);
1064
1065 // app allowlist
1066 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true);
1067 EXPECT_EQ(ret, 0);
1068 }
1069
1070 #ifdef SECCOMP_PRIVILEGE
TestSeccompPrivilegeSyscall()1071 void TestSeccompPrivilegeSyscall()
1072 {
1073 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid32ForUidFilter1, true);
1074 EXPECT_EQ(ret, 0);
1075 }
1076 #endif
1077 #endif
TestAppSycallNs()1078 void TestAppSycallNs()
1079 {
1080 int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false);
1081 EXPECT_EQ(ret, 0);
1082
1083 ret = CheckSyscall(APP, APP_NAME, CheckSetns, false);
1084 EXPECT_EQ(ret, 0);
1085
1086 ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false);
1087 EXPECT_EQ(ret, 0);
1088
1089 ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false);
1090 EXPECT_EQ(ret, 0);
1091
1092 ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false);
1093 EXPECT_EQ(ret, 0);
1094
1095 ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false);
1096 EXPECT_EQ(ret, 0);
1097
1098 ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false);
1099 EXPECT_EQ(ret, 0);
1100
1101 ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false);
1102 EXPECT_EQ(ret, 0);
1103
1104 ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false);
1105 EXPECT_EQ(ret, 0);
1106 }
1107 };
1108
1109 /**
1110 * @tc.name: TestSystemSycall
1111 * @tc.desc: Verify the system seccomp policy.
1112 * @tc.type: FUNC
1113 * @tc.require: issueI5IUWJ
1114 */
HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSycall001, TestSize.Level1)1115 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSycall001, TestSize.Level1)
1116 {
1117 SeccompUnitTest test;
1118 test.TestSystemSycall();
1119 }
1120
1121 /**
1122 * @tc.name: TestSetUidGidFilter
1123 * @tc.desc: Verify the uid gid seccomp policy.
1124 * @tc.type: FUNC
1125 * @tc.require: issueI5IUWJ
1126 */
HWTEST_F(SeccompUnitTest, Init_Seccomp_SetUidGidFilter001, TestSize.Level1)1127 HWTEST_F(SeccompUnitTest, Init_Seccomp_SetUidGidFilter001, TestSize.Level1)
1128 {
1129 SeccompUnitTest test;
1130 test.TestSetUidGidFilter();
1131 }
1132
1133 /**
1134 * @tc.name: TestAppSycall
1135 * @tc.desc: Verify the app seccomp policy.
1136 * @tc.type: FUNC
1137 * @tc.require: issueI5MUXD
1138 */
HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1)1139 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1)
1140 {
1141 SeccompUnitTest test;
1142 test.TestAppSycall();
1143 }
1144
1145 /**
1146 * @tc.name: TestSystemSyscallForUidFilter
1147 * @tc.desc: Verify the system seccomp policy.
1148 * @tc.type: FUNC
1149 * @tc.require: issueI7QET2
1150 */
HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSyscallForUidFilter001, TestSize.Level1)1151 HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSyscallForUidFilter001, TestSize.Level1)
1152 {
1153 SeccompUnitTest test;
1154 test.TestSystemSyscallForUidFilter();
1155 }
1156
1157 /**
1158 * @tc.name: TestAppSycallNs
1159 * @tc.desc: Verify the app seccomp policy about namespace.
1160 * @tc.type: FUNC
1161 * @tc.require: issueI8LZTC
1162 */
HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycallNs001, TestSize.Level1)1163 HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycallNs001, TestSize.Level1)
1164 {
1165 SeccompUnitTest test;
1166 test.TestAppSycallNs();
1167 }
1168 #ifdef SECCOMP_PRIVILEGE
1169 /**
1170 * @tc.name: TestSeccompPrivilegeSyscall
1171 * @tc.desc: Verify the privilege syscall of app and appspawn.
1172 * @tc.type: FUNC
1173 * @tc.require: issueIAVQ2P
1174 */
HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompPrivilegeSycall001, TestSize.Level1)1175 HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompPrivilegeSycall001, TestSize.Level1)
1176 {
1177 SeccompUnitTest test;
1178 test.TestSeccompPrivilegeSyscall();
1179 }
1180 #endif
1181 }
1182