1/* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16#include <gtest/gtest.h> 17 18#include <cstdlib> 19#include <unistd.h> 20#include <sys/wait.h> 21#include <csignal> 22#include <cerrno> 23#include <cstring> 24#include <sys/prctl.h> 25#include <sys/types.h> 26#include <sys/stat.h> 27#include <fcntl.h> 28#include <sys/syscall.h> 29#include <asm/unistd.h> 30#include <syscall.h> 31#include <climits> 32#include <sched.h> 33 34#include "seccomp_policy.h" 35 36using SyscallFunc = bool (*)(void); 37constexpr int SLEEP_TIME_100MS = 100000; // 100ms 38constexpr int SLEEP_TIME_1S = 1; 39 40using namespace testing::ext; 41using namespace std; 42 43namespace init_ut { 44class SeccompUnitTest : public testing::Test { 45public: 46 SeccompUnitTest() {}; 47 virtual ~SeccompUnitTest() {}; 48 static void SetUpTestCase() {}; 49 static void TearDownTestCase() {}; 50 51 void SetUp() 52 { 53 /* 54 * Wait for 1 second to prevent the generated crash file 55 * from being overwritten because the crash interval is too short 56 * and the crash file's name is constructed by time stamp. 57 */ 58 sleep(SLEEP_TIME_1S); 59 }; 60 61 void TearDown() {}; 62 void TestBody(void) {}; 63 64 static pid_t StartChild(SeccompFilterType type, const char *filterName, SyscallFunc func) 65 { 66 pid_t pid = fork(); 67 if (pid == 0) { 68 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { 69 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; 70 exit(EXIT_FAILURE); 71 } 72 73 if (!SetSeccompPolicyWithName(type, filterName)) { 74 std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; 75 exit(EXIT_FAILURE); 76 } 77 78 if (!func()) { 79 std::cout << "func excute fail" << std::endl; 80 exit(EXIT_FAILURE); 81 } 82 83 std::cout << "func excute success" << std::endl; 84 85 exit(EXIT_SUCCESS); 86 } 87 return pid; 88 } 89 90 static int CheckStatus(int status, bool isAllow) 91 { 92 if (WEXITSTATUS(status) == EXIT_FAILURE) { 93 return -1; 94 } 95 96 if (WIFSIGNALED(status)) { 97 if (WTERMSIG(status) == SIGSYS) { 98 std::cout << "child process exit with SIGSYS" << std::endl; 99 return isAllow ? -1 : 0; 100 } 101 } else { 102 std::cout << "child process finished normally" << std::endl; 103 return isAllow ? 0 : -1; 104 } 105 106 return -1; 107 } 108 109 static int CheckSyscall(SeccompFilterType type, const char *filterName, SyscallFunc func, bool isAllow) 110 { 111 sigset_t set; 112 int status; 113 pid_t pid; 114 int flag = 0; 115 struct timespec waitTime = {5, 0}; 116 117 sigemptyset(&set); 118 sigaddset(&set, SIGCHLD); 119 sigprocmask(SIG_BLOCK, &set, nullptr); 120 sigaddset(&set, SIGSYS); 121 if (signal(SIGCHLD, SIG_DFL) == nullptr) { 122 std::cout << "signal failed:" << strerror(errno) << std::endl; 123 } 124 if (signal(SIGSYS, SIG_DFL) == nullptr) { 125 std::cout << "signal failed:" << strerror(errno) << std::endl; 126 } 127 128 /* Sleeping for avoiding influencing child proccess wait for other threads 129 * which were created by other unittests to release global rwlock. The global 130 * rwlock will be used by function dlopen in child process */ 131 usleep(SLEEP_TIME_100MS); 132 133 pid = StartChild(type, filterName, func); 134 if (pid == -1) { 135 std::cout << "fork failed:" << strerror(errno) << std::endl; 136 return -1; 137 } 138 if (sigtimedwait(&set, nullptr, &waitTime) == -1) { /* Wait for 5 seconds */ 139 if (errno == EAGAIN) { 140 flag = 1; 141 } else { 142 std::cout << "sigtimedwait failed:" << strerror(errno) << std::endl; 143 } 144 145 if (kill(pid, SIGKILL) == -1) { 146 std::cout << "kill failed::" << strerror(errno) << std::endl; 147 } 148 } 149 150 if (waitpid(pid, &status, 0) != pid) { 151 std::cout << "waitpid failed:" << strerror(errno) << std::endl; 152 return -1; 153 } 154 155 if (flag != 0) { 156 std::cout << "Child process time out" << std::endl; 157 } 158 159 return CheckStatus(status, isAllow); 160 } 161 162 static bool CheckUnshare() 163 { 164 int ret = unshare(CLONE_NEWPID); 165 if (ret) { 166 return false; 167 } 168 return true; 169 } 170 171 static bool CheckSetns() 172 { 173 int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC); 174 if (fd < 0) { 175 return false; 176 } 177 178 if (setns(fd, CLONE_NEWNS) != 0) { 179 close(fd); 180 return false; 181 } 182 183 close(fd); 184 return true; 185 } 186 187 static int ChildFunc(void *arg) 188 { 189 exit(0); 190 } 191 192 static bool CheckCloneNs(int flag) 193 { 194 const int stackSize = 65536; 195 196 char *stack = static_cast<char *>(malloc(stackSize)); 197 if (stack == nullptr) { 198 return false; 199 } 200 char *stackTop = stack + stackSize; 201 pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr); 202 if (pid == -1) { 203 free(stack); 204 return false; 205 } 206 return true; 207 } 208 209 static bool CheckClonePidNs(void) 210 { 211 return CheckCloneNs(CLONE_NEWPID); 212 } 213 214 static bool CheckCloneMntNs(void) 215 { 216 return CheckCloneNs(CLONE_NEWNS); 217 } 218 219 static bool CheckCloneNetNs(void) 220 { 221 return CheckCloneNs(CLONE_NEWNET); 222 } 223 224 static bool CheckCloneCgroupNs(void) 225 { 226 return CheckCloneNs(CLONE_NEWCGROUP); 227 } 228 229 static bool CheckCloneUtsNs(void) 230 { 231 return CheckCloneNs(CLONE_NEWUTS); 232 } 233 234 static bool CheckCloneIpcNs(void) 235 { 236 return CheckCloneNs(CLONE_NEWIPC); 237 } 238 239 static bool CheckCloneUserNs(void) 240 { 241 return CheckCloneNs(CLONE_NEWUSER); 242 } 243 244#if defined __aarch64__ 245 static bool CheckMqOpen() 246 { 247 int ret = (int)syscall(__NR_mq_open, nullptr, 0); 248 if (ret < 0) { 249 return false; 250 } 251 252 return true; 253 } 254 255 static bool CheckGetpid() 256 { 257 pid_t pid = 1; 258 pid = syscall(__NR_getpid); 259 if (pid > 1) { 260 return true; 261 } 262 return false; 263 } 264 265 static bool CheckGetuid() 266 { 267 uid_t uid = 0; 268 uid = syscall(__NR_getuid); 269 if (uid >= 0) { 270 return true; 271 } 272 273 return false; 274 } 275 276 static bool CheckSetresuidArgsInRange() 277 { 278 int ret = syscall(__NR_setresuid, 20000, 20000, 20000); 279 if (ret == 0) { 280 return true; 281 } 282 283 return false; 284 } 285 286 static bool CheckSetresuidArgsOutOfRange() 287 { 288 int ret = syscall(__NR_setresuid, 800, 800, 800); 289 if (ret == 0) { 290 return true; 291 } 292 293 return false; 294 } 295 296 static bool CheckSetuid() 297 { 298 int uid = syscall(__NR_setuid, 1); 299 if (uid == 0) { 300 return true; 301 } 302 303 return false; 304 } 305 306 static bool CheckSetuid64ForUidFilter1() 307 { 308 int ret = syscall(__NR_setuid, 0); 309 if (ret == 0) { 310 return true; 311 } 312 313 return false; 314 } 315 316 static bool CheckSetuid64ForUidFilter2() 317 { 318 int ret = syscall(__NR_setuid, 2); 319 if (ret == 0) { 320 return true; 321 } 322 323 return false; 324 } 325 326 static bool CheckSetreuid64ForUidFilter1() 327 { 328 int ret = syscall(__NR_setreuid, 0, 2); 329 if (ret == 0) { 330 return true; 331 } 332 333 return false; 334 } 335 336 static bool CheckSetreuid64ForUidFilter2() 337 { 338 int ret = syscall(__NR_setreuid, 2, 0); 339 if (ret == 0) { 340 return true; 341 } 342 343 return false; 344 } 345 346 static bool CheckSetreuid64ForUidFilter3() 347 { 348 int ret = syscall(__NR_setreuid, 0, 0); 349 if (ret == 0) { 350 return true; 351 } 352 353 return false; 354 } 355 356 static bool CheckSetreuid64ForUidFilter4() 357 { 358 int ret = syscall(__NR_setreuid, 2, 2); 359 if (ret == 0) { 360 return true; 361 } 362 363 return false; 364 } 365 366 static bool CheckSetfsuid64ForUidFilter1() 367 { 368 int ret = syscall(__NR_setfsuid, 0); 369 if (ret == 0) { 370 return true; 371 } 372 373 return false; 374 } 375 376 static bool CheckSetfsuid64ForUidFilter2() 377 { 378 int ret = syscall(__NR_setfsuid, 2); 379 if (ret == 0) { 380 return true; 381 } 382 383 return false; 384 } 385 386 static bool CheckSetresuid64ForUidFilter1() 387 { 388 int ret = syscall(__NR_setresuid, 0, 0, 0); 389 if (ret == 0) { 390 return true; 391 } 392 393 return false; 394 } 395 396 static bool CheckSetresuid64ForUidFilter2() 397 { 398 int ret = syscall(__NR_setresuid, 2, 0, 0); 399 if (ret == 0) { 400 return true; 401 } 402 403 return false; 404 } 405 406 static bool CheckSetresuid64ForUidFilter3() 407 { 408 int ret = syscall(__NR_setresuid, 0, 2, 0); 409 if (ret == 0) { 410 return true; 411 } 412 413 return false; 414 } 415 416 static bool CheckSetresuid64ForUidFilter4() 417 { 418 int ret = syscall(__NR_setresuid, 0, 0, 2); 419 if (ret == 0) { 420 return true; 421 } 422 423 return false; 424 } 425 426 static bool CheckSetresuid64ForUidFilter5() 427 { 428 int ret = syscall(__NR_setresuid, 0, 2, 2); 429 if (ret == 0) { 430 return true; 431 } 432 433 return false; 434 } 435 436 static bool CheckSetresuid64ForUidFilter6() 437 { 438 int ret = syscall(__NR_setresuid, 2, 0, 2); 439 if (ret == 0) { 440 return true; 441 } 442 443 return false; 444 } 445 446 static bool CheckSetresuid64ForUidFilter7() 447 { 448 int ret = syscall(__NR_setresuid, 2, 2, 0); 449 if (ret == 0) { 450 return true; 451 } 452 453 return false; 454 } 455 456 static bool CheckSetresuid64ForUidFilter8() 457 { 458 int ret = syscall(__NR_setresuid, 2, 2, 2); 459 if (ret == 0) { 460 return true; 461 } 462 463 return false; 464 } 465 466 void TestSystemSycall() 467 { 468 // system blocklist 469 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckMqOpen, false); 470 EXPECT_EQ(ret, 0); 471 472 // system allowlist 473 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true); 474 EXPECT_EQ(ret, 0); 475 } 476 477 void TestSystemSyscallForUidFilter() 478 { 479 // system_uid_filter_64bit_test 480 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false); 481 EXPECT_EQ(ret, 0); 482 483 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true); 484 EXPECT_EQ(ret, 0); 485 486 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false); 487 EXPECT_EQ(ret, 0); 488 489 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false); 490 EXPECT_EQ(ret, 0); 491 492 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false); 493 EXPECT_EQ(ret, 0); 494 495 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true); 496 EXPECT_EQ(ret, 0); 497 498 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false); 499 EXPECT_EQ(ret, 0); 500 501 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true); 502 EXPECT_EQ(ret, 0); 503 504 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false); 505 EXPECT_EQ(ret, 0); 506 507 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false); 508 EXPECT_EQ(ret, 0); 509 510 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false); 511 EXPECT_EQ(ret, 0); 512 513 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false); 514 EXPECT_EQ(ret, 0); 515 516 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false); 517 EXPECT_EQ(ret, 0); 518 519 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false); 520 EXPECT_EQ(ret, 0); 521 522 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false); 523 EXPECT_EQ(ret, 0); 524 525 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true); 526 EXPECT_EQ(ret, 0); 527 } 528 529 void TestSetUidGidFilter() 530 { 531 // system blocklist 532 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); 533 EXPECT_EQ(ret, 0); 534 535 // system allowlist 536 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuidArgsInRange, true); 537 EXPECT_EQ(ret, 0); 538 } 539 540 void TestAppSycall() 541 { 542 // app blocklist 543 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid, false); 544 EXPECT_EQ(ret, 0); 545 546 // app allowlist 547 ret = CheckSyscall(APP, APP_NAME, CheckGetpid, true); 548 EXPECT_EQ(ret, 0); 549 } 550#ifdef SECCOMP_PRIVILEGE 551 void TestSeccompPrivilegeSyscall() 552 { 553 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid64ForUidFilter1, true); 554 EXPECT_EQ(ret, 0); 555 } 556#endif 557 558#elif defined __arm__ 559 static bool CheckGetuid32() 560 { 561 uid_t uid = syscall(__NR_getuid32); 562 if (uid >= 0) { 563 return true; 564 } 565 return false; 566 } 567 568 static bool CheckGetuid() 569 { 570 uid_t uid = syscall(__NR_getuid); 571 if (uid >= 0) { 572 return true; 573 } 574 return false; 575 } 576 577 static bool CheckSetuid32() 578 { 579 int ret = syscall(__NR_setuid32, 1); 580 if (ret == 0) { 581 return true; 582 } 583 584 return false; 585 } 586 587 static bool CheckSetresuid32ArgsInRange() 588 { 589 int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); 590 if (ret == 0) { 591 return true; 592 } 593 594 return false; 595 } 596 597 static bool CheckSetresuid32ArgsOutOfRange() 598 { 599 int ret = syscall(__NR_setresuid32, 800, 800, 800); 600 if (ret == 0) { 601 return true; 602 } 603 604 return false; 605 } 606 607 static bool CheckSetuid32ForUidFilter1() 608 { 609 int ret = syscall(__NR_setuid32, 0); 610 if (ret == 0) { 611 return true; 612 } 613 614 return false; 615 } 616 617 static bool CheckSetuid32ForUidFilter2() 618 { 619 int ret = syscall(__NR_setuid32, 2); 620 if (ret == 0) { 621 return true; 622 } 623 624 return false; 625 } 626 627 static bool CheckSetuid16ForUidFilter1() 628 { 629 int ret = syscall(__NR_setuid, 0); 630 if (ret == 0) { 631 return true; 632 } 633 634 return false; 635 } 636 637 static bool CheckSetuid16ForUidFilter2() 638 { 639 int ret = syscall(__NR_setuid, 2); 640 if (ret == 0) { 641 return true; 642 } 643 644 return false; 645 } 646 647 static bool CheckSetreuid32ForUidFilter1() 648 { 649 int ret = syscall(__NR_setreuid32, 0, 2); 650 if (ret == 0) { 651 return true; 652 } 653 654 return false; 655 } 656 657 static bool CheckSetreuid32ForUidFilter2() 658 { 659 int ret = syscall(__NR_setreuid32, 2, 0); 660 if (ret == 0) { 661 return true; 662 } 663 664 return false; 665 } 666 667 static bool CheckSetreuid32ForUidFilter3() 668 { 669 int ret = syscall(__NR_setreuid32, 0, 0); 670 if (ret == 0) { 671 return true; 672 } 673 674 return false; 675 } 676 677 static bool CheckSetreuid32ForUidFilter4() 678 { 679 int ret = syscall(__NR_setreuid32, 2, 2); 680 if (ret == 0) { 681 return true; 682 } 683 684 return false; 685 } 686 687 static bool CheckSetreuid16ForUidFilter1() 688 { 689 int ret = syscall(__NR_setreuid, 0, 2); 690 if (ret == 0) { 691 return true; 692 } 693 694 return false; 695 } 696 697 static bool CheckSetreuid16ForUidFilter2() 698 { 699 int ret = syscall(__NR_setreuid, 2, 0); 700 if (ret == 0) { 701 return true; 702 } 703 704 return false; 705 } 706 707 static bool CheckSetreuid16ForUidFilter3() 708 { 709 int ret = syscall(__NR_setreuid, 0, 0); 710 if (ret == 0) { 711 return true; 712 } 713 714 return false; 715 } 716 717 static bool CheckSetreuid16ForUidFilter4() 718 { 719 int ret = syscall(__NR_setreuid, 2, 2); 720 if (ret == 0) { 721 return true; 722 } 723 724 return false; 725 } 726 727 static bool CheckSetfsuid32ForUidFilter1() 728 { 729 int ret = syscall(__NR_setfsuid32, 0); 730 if (ret == 0) { 731 return true; 732 } 733 734 return false; 735 } 736 737 static bool CheckSetfsuid32ForUidFilter2() 738 { 739 int ret = syscall(__NR_setfsuid32, 2); 740 if (ret == 0) { 741 return true; 742 } 743 744 return false; 745 } 746 747 static bool CheckSetfsuid16ForUidFilter1() 748 { 749 int ret = syscall(__NR_setfsuid, 0); 750 if (ret == 0) { 751 return true; 752 } 753 754 return false; 755 } 756 757 static bool CheckSetfsuid16ForUidFilter2() 758 { 759 int ret = syscall(__NR_setfsuid, 2); 760 if (ret == 0) { 761 return true; 762 } 763 764 return false; 765 } 766 767 static bool CheckSetresuid32ForUidFilter1() 768 { 769 int ret = syscall(__NR_setresuid32, 0, 0, 0); 770 if (ret == 0) { 771 return true; 772 } 773 774 return false; 775 } 776 777 static bool CheckSetresuid32ForUidFilter2() 778 { 779 int ret = syscall(__NR_setresuid32, 2, 0, 0); 780 if (ret == 0) { 781 return true; 782 } 783 784 return false; 785 } 786 787 static bool CheckSetresuid32ForUidFilter3() 788 { 789 int ret = syscall(__NR_setresuid32, 0, 2, 0); 790 if (ret == 0) { 791 return true; 792 } 793 794 return false; 795 } 796 797 static bool CheckSetresuid32ForUidFilter4() 798 { 799 int ret = syscall(__NR_setresuid32, 0, 0, 2); 800 if (ret == 0) { 801 return true; 802 } 803 804 return false; 805 } 806 807 static bool CheckSetresuid32ForUidFilter5() 808 { 809 int ret = syscall(__NR_setresuid32, 0, 2, 2); 810 if (ret == 0) { 811 return true; 812 } 813 814 return false; 815 } 816 817 static bool CheckSetresuid32ForUidFilter6() 818 { 819 int ret = syscall(__NR_setresuid32, 2, 0, 2); 820 if (ret == 0) { 821 return true; 822 } 823 824 return false; 825 } 826 827 static bool CheckSetresuid32ForUidFilter7() 828 { 829 int ret = syscall(__NR_setresuid32, 2, 2, 0); 830 if (ret == 0) { 831 return true; 832 } 833 834 return false; 835 } 836 837 static bool CheckSetresuid32ForUidFilter8() 838 { 839 int ret = syscall(__NR_setresuid32, 2, 2, 2); 840 if (ret == 0) { 841 return true; 842 } 843 844 return false; 845 } 846 847 static bool CheckSetresuid16ForUidFilter1() 848 { 849 int ret = syscall(__NR_setresuid, 0, 0, 0); 850 if (ret == 0) { 851 return true; 852 } 853 854 return false; 855 } 856 857 static bool CheckSetresuid16ForUidFilter2() 858 { 859 int ret = syscall(__NR_setresuid, 2, 0, 0); 860 if (ret == 0) { 861 return true; 862 } 863 864 return false; 865 } 866 867 static bool CheckSetresuid16ForUidFilter3() 868 { 869 int ret = syscall(__NR_setresuid, 0, 2, 0); 870 if (ret == 0) { 871 return true; 872 } 873 874 return false; 875 } 876 877 static bool CheckSetresuid16ForUidFilter4() 878 { 879 int ret = syscall(__NR_setresuid, 0, 0, 2); 880 if (ret == 0) { 881 return true; 882 } 883 884 return false; 885 } 886 887 static bool CheckSetresuid16ForUidFilter5() 888 { 889 int ret = syscall(__NR_setresuid, 0, 2, 2); 890 if (ret == 0) { 891 return true; 892 } 893 894 return false; 895 } 896 897 static bool CheckSetresuid16ForUidFilter6() 898 { 899 int ret = syscall(__NR_setresuid, 2, 0, 2); 900 if (ret == 0) { 901 return true; 902 } 903 904 return false; 905 } 906 907 static bool CheckSetresuid16ForUidFilter7() 908 { 909 int ret = syscall(__NR_setresuid, 2, 2, 0); 910 if (ret == 0) { 911 return true; 912 } 913 914 return false; 915 } 916 917 static bool CheckSetresuid16ForUidFilter8() 918 { 919 int ret = syscall(__NR_setresuid, 2, 2, 2); 920 if (ret == 0) { 921 return true; 922 } 923 924 return false; 925 } 926 927 void TestSystemSycall() 928 { 929 // system blocklist 930 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid, false); 931 EXPECT_EQ(ret, 0); 932 933 // system allowlist 934 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true); 935 EXPECT_EQ(ret, 0); 936 } 937 938 void TestSystemSyscallForUidFilter32Bit() 939 { 940 // system_uid_filter_32bit_test 941 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false); 942 EXPECT_EQ(ret, 0); 943 944 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true); 945 EXPECT_EQ(ret, 0); 946 947 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false); 948 EXPECT_EQ(ret, 0); 949 950 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false); 951 EXPECT_EQ(ret, 0); 952 953 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false); 954 EXPECT_EQ(ret, 0); 955 956 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true); 957 EXPECT_EQ(ret, 0); 958 959 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false); 960 EXPECT_EQ(ret, 0); 961 962 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true); 963 EXPECT_EQ(ret, 0); 964 965 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false); 966 EXPECT_EQ(ret, 0); 967 968 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false); 969 EXPECT_EQ(ret, 0); 970 971 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false); 972 EXPECT_EQ(ret, 0); 973 974 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false); 975 EXPECT_EQ(ret, 0); 976 977 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false); 978 EXPECT_EQ(ret, 0); 979 980 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false); 981 EXPECT_EQ(ret, 0); 982 983 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false); 984 EXPECT_EQ(ret, 0); 985 986 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true); 987 EXPECT_EQ(ret, 0); 988 } 989 990 void TestSystemSyscallForUidFilter16Bit() 991 { 992 // system_uid_filter_16bit_test 993 int ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false); 994 EXPECT_EQ(ret, 0); 995 996 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true); 997 EXPECT_EQ(ret, 0); 998 999 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false); 1000 EXPECT_EQ(ret, 0); 1001 1002 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false); 1003 EXPECT_EQ(ret, 0); 1004 1005 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false); 1006 EXPECT_EQ(ret, 0); 1007 1008 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true); 1009 EXPECT_EQ(ret, 0); 1010 1011 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false); 1012 EXPECT_EQ(ret, 0); 1013 1014 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true); 1015 EXPECT_EQ(ret, 0); 1016 1017 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false); 1018 EXPECT_EQ(ret, 0); 1019 1020 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false); 1021 EXPECT_EQ(ret, 0); 1022 1023 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false); 1024 EXPECT_EQ(ret, 0); 1025 1026 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false); 1027 EXPECT_EQ(ret, 0); 1028 1029 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false); 1030 EXPECT_EQ(ret, 0); 1031 1032 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false); 1033 EXPECT_EQ(ret, 0); 1034 1035 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false); 1036 EXPECT_EQ(ret, 0); 1037 1038 ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true); 1039 EXPECT_EQ(ret, 0); 1040 } 1041 1042 void TestSystemSyscallForUidFilter() 1043 { 1044 TestSystemSyscallForUidFilter32Bit(); 1045 TestSystemSyscallForUidFilter16Bit(); 1046 } 1047 1048 void TestSetUidGidFilter() 1049 { 1050 // system blocklist 1051 int ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); 1052 EXPECT_EQ(ret, 0); 1053 1054 // system allowlist 1055 ret = CheckSyscall(INDIVIDUAL, APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); 1056 EXPECT_EQ(ret, 0); 1057 } 1058 1059 void TestAppSycall() 1060 { 1061 // app blocklist 1062 int ret = CheckSyscall(APP, APP_NAME, CheckSetuid32, false); 1063 EXPECT_EQ(ret, 0); 1064 1065 // app allowlist 1066 ret = CheckSyscall(APP, APP_NAME, CheckGetuid32, true); 1067 EXPECT_EQ(ret, 0); 1068 } 1069 1070#ifdef SECCOMP_PRIVILEGE 1071 void TestSeccompPrivilegeSyscall() 1072 { 1073 int ret = CheckSyscall(APP, APP_PRIVILEGE, CheckSetuid32ForUidFilter1, true); 1074 EXPECT_EQ(ret, 0); 1075 } 1076#endif 1077#endif 1078 void TestAppSycallNs() 1079 { 1080 int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false); 1081 EXPECT_EQ(ret, 0); 1082 1083 ret = CheckSyscall(APP, APP_NAME, CheckSetns, false); 1084 EXPECT_EQ(ret, 0); 1085 1086 ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false); 1087 EXPECT_EQ(ret, 0); 1088 1089 ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false); 1090 EXPECT_EQ(ret, 0); 1091 1092 ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false); 1093 EXPECT_EQ(ret, 0); 1094 1095 ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false); 1096 EXPECT_EQ(ret, 0); 1097 1098 ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false); 1099 EXPECT_EQ(ret, 0); 1100 1101 ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false); 1102 EXPECT_EQ(ret, 0); 1103 1104 ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false); 1105 EXPECT_EQ(ret, 0); 1106 } 1107}; 1108 1109/** 1110 * @tc.name: TestSystemSycall 1111 * @tc.desc: Verify the system seccomp policy. 1112 * @tc.type: FUNC 1113 * @tc.require: issueI5IUWJ 1114 */ 1115HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSycall001, TestSize.Level1) 1116{ 1117 SeccompUnitTest test; 1118 test.TestSystemSycall(); 1119} 1120 1121/** 1122 * @tc.name: TestSetUidGidFilter 1123 * @tc.desc: Verify the uid gid seccomp policy. 1124 * @tc.type: FUNC 1125 * @tc.require: issueI5IUWJ 1126 */ 1127HWTEST_F(SeccompUnitTest, Init_Seccomp_SetUidGidFilter001, TestSize.Level1) 1128{ 1129 SeccompUnitTest test; 1130 test.TestSetUidGidFilter(); 1131} 1132 1133/** 1134 * @tc.name: TestAppSycall 1135 * @tc.desc: Verify the app seccomp policy. 1136 * @tc.type: FUNC 1137 * @tc.require: issueI5MUXD 1138 */ 1139HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1) 1140{ 1141 SeccompUnitTest test; 1142 test.TestAppSycall(); 1143} 1144 1145/** 1146 * @tc.name: TestSystemSyscallForUidFilter 1147 * @tc.desc: Verify the system seccomp policy. 1148 * @tc.type: FUNC 1149 * @tc.require: issueI7QET2 1150 */ 1151HWTEST_F(SeccompUnitTest, Init_Seccomp_SystemSyscallForUidFilter001, TestSize.Level1) 1152{ 1153 SeccompUnitTest test; 1154 test.TestSystemSyscallForUidFilter(); 1155} 1156 1157/** 1158 * @tc.name: TestAppSycallNs 1159 * @tc.desc: Verify the app seccomp policy about namespace. 1160 * @tc.type: FUNC 1161 * @tc.require: issueI8LZTC 1162 */ 1163HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycallNs001, TestSize.Level1) 1164{ 1165 SeccompUnitTest test; 1166 test.TestAppSycallNs(); 1167} 1168#ifdef SECCOMP_PRIVILEGE 1169/** 1170 * @tc.name: TestSeccompPrivilegeSyscall 1171 * @tc.desc: Verify the privilege syscall of app and appspawn. 1172 * @tc.type: FUNC 1173 * @tc.require: issueIAVQ2P 1174 */ 1175HWTEST_F(SeccompUnitTest, Init_Seccomp_SeccompPrivilegeSycall001, TestSize.Level1) 1176{ 1177 SeccompUnitTest test; 1178 test.TestSeccompPrivilegeSyscall(); 1179} 1180#endif 1181} 1182