From 05cbb2d0f55287d2d09fee3a8f19984c3f220c28 Mon Sep 17 00:00:00 2001 From: xiacong Date: Mon, 5 Sep 2022 16:06:31 +0800 Subject: [PATCH] =?UTF-8?q?=20=E4=BC=98=E5=8C=96=E8=BF=9B=E7=A8=8B?= =?UTF-8?q?=E5=86=85=E5=AD=98=E6=98=A0=E5=B0=84=E7=A9=BA=E9=97=B4=EF=BC=8C?= =?UTF-8?q?=E5=8D=B3=E8=AE=BE=E7=BD=AEseccomp=E7=AD=96=E7=95=A5=E5=90=8E?= =?UTF-8?q?=EF=BC=8C=E8=A7=A3=E9=99=A4=E7=AD=96=E7=95=A5so=E5=BA=93?= =?UTF-8?q?=E5=9C=A8=E8=BF=9B=E7=A8=8B=E7=A9=BA=E9=97=B4=E7=9A=84=E6=98=A0?= =?UTF-8?q?=E5=B0=84=20=E6=8F=92=E4=BB=B6=E5=8A=A8=E6=80=81=E5=BA=93?= =?UTF-8?q?=E5=88=A0=E9=99=A4=EF=BC=8C=E5=8F=AA=E4=BD=BF=E7=94=A8=E6=8F=92?= =?UTF-8?q?=E4=BB=B6=E9=9D=99=E6=80=81=E5=BA=93?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: xiacong Change-Id: Ifffc4db213d7c818303766169c2f9e16121b7b6a Signed-off-by: xiacong --- interfaces/innerkits/seccomp/BUILD.gn | 11 +- .../seccomp/include/seccomp_policy.h | 12 +- services/modules/BUILD.gn | 2 +- services/modules/seccomp/BUILD.gn | 58 +++------- services/modules/seccomp/seccomp_filters.h | 47 -------- services/modules/seccomp/seccomp_policy.c | 107 +++++++----------- .../seccomp_policy/app_arm.seccomp.policy | 3 - .../seccomp_policy/app_arm64.seccomp.policy | 3 - .../renderer_arm.seccomp.policy | 1 - .../renderer_arm64.seccomp.policy | 1 - .../seccomp_policy/spawn_arm.seccomp.policy | 3 - .../seccomp_policy/spawn_arm64.seccomp.policy | 3 - .../seccomp_policy/system_arm.seccomp.policy | 3 - .../system_arm64.seccomp.policy | 3 - .../modules/seccomp/seccomp_policy_static.c | 24 +++- test/unittest/seccomp/seccomp_unittest.cpp | 34 +++--- 16 files changed, 104 insertions(+), 211 deletions(-) delete mode 100644 services/modules/seccomp/seccomp_filters.h diff --git a/interfaces/innerkits/seccomp/BUILD.gn b/interfaces/innerkits/seccomp/BUILD.gn index 80e11e78..37fabe58 100755 --- a/interfaces/innerkits/seccomp/BUILD.gn +++ b/interfaces/innerkits/seccomp/BUILD.gn 
@@ -26,16 +26,14 @@ if (defined(build_seccomp) && build_seccomp) { include_dirs = [ "//base/startup/init/interfaces/innerkits/include", - "//base/startup/init/services/modules/seccomp", "//base/startup/init/services/modules", "//base/startup/init/services/log", + "//third_party/bounds_checking_function/include", ] deps = [ "//base/startup/init/interfaces/innerkits:libbegetutil", - "//base/startup/init/services/modules/seccomp:app_filter", - "//base/startup/init/services/modules/seccomp:appspawn_filter", - "//base/startup/init/services/modules/seccomp:nwebspawn_filter", + "//third_party/bounds_checking_function:libsec_shared", ] license_file = "//base/startup/init/LICENSE" @@ -43,10 +41,7 @@ if (defined(build_seccomp) && build_seccomp) { part_name = "init" install_enable = true - install_images = [ - "system", - "updater", - ] + install_images = [ "system" ] } } else { group("seccomp") { diff --git a/interfaces/innerkits/seccomp/include/seccomp_policy.h b/interfaces/innerkits/seccomp/include/seccomp_policy.h index 3f23cfc0..5b9f7062 100644 --- a/interfaces/innerkits/seccomp/include/seccomp_policy.h +++ b/interfaces/innerkits/seccomp/include/seccomp_policy.h @@ -25,14 +25,12 @@ extern "C" { #endif #endif -typedef enum { - SYSTEM, - APPSPAWN, - APP, - NWEBSPAWN, -} PolicyType; +#define SYSTEM_NAME "system" +#define APPSPAWN_NAME "appspawn" +#define NWEBSPAWN_NAME "nwebspawn" +#define APP_NAME "app" -bool SetSeccompPolicy(PolicyType policy); +bool SetSeccompPolicyWithName(const char *filterName); #ifdef __cplusplus #if __cplusplus diff --git a/services/modules/BUILD.gn b/services/modules/BUILD.gn index 5023a02e..3b5a098a 100755 --- a/services/modules/BUILD.gn +++ b/services/modules/BUILD.gn @@ -36,7 +36,7 @@ group("modulesgroup") { "reboot:rebootmodule", ] if (build_seccomp) { - deps += [ "seccomp:seccomp_module" ] + deps += [ "seccomp:seccomp_filter" ] } if (build_selinux) { deps += [ "selinux:selinuxadp" ] 
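Review bot: The new declaration `bool SetSeccompPolicyWithName(const char *filterName);` replaces a closed enum with an open string, but the header does not say which names are valid or what a `false` return means. Add a comment above it, e.g. `/* Install the seccomp filter selected by filterName (one of SYSTEM_NAME, APPSPAWN_NAME, NWEBSPAWN_NAME, APP_NAME); returns false if the filter cannot be loaded or installed. */`, so callers of the innerkits interface do not pass arbitrary strings.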
diff --git a/services/modules/seccomp/BUILD.gn b/services/modules/seccomp/BUILD.gn index ae480585..3813a009 100755 --- a/services/modules/seccomp/BUILD.gn +++ b/services/modules/seccomp/BUILD.gn @@ -77,16 +77,11 @@ ohos_prebuilt_seccomp("system_filter") { } filtername = "g_systemSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" install_enable = true - install_images = [ - "system", - "ramdisk", - "updater", - ] + install_images = [ "system" ] } ohos_prebuilt_seccomp("appspawn_filter") { @@ -102,7 +97,6 @@ ohos_prebuilt_seccomp("appspawn_filter") { } filtername = "g_appspawnSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" @@ -118,7 +112,6 @@ ohos_prebuilt_seccomp("nwebspawn_filter") { } filtername = "g_nwebspawnSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" @@ -139,7 +132,6 @@ ohos_prebuilt_seccomp("app_filter") { } filtername = "g_appSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" 
@@ -147,46 +139,30 @@ ohos_prebuilt_seccomp("app_filter") { install_images = [ "system" ] } -ohos_shared_library("seccomp_module") { - sources = [ "seccomp_policy.c" ] - +config("libseccomp_static_config") { include_dirs = [ "//base/startup/init/services/modules", - "//base/startup/init/interfaces/innerkits/include", "//base/startup/init/interfaces/innerkits/seccomp/include", - "//base/startup/init/services/modules/seccomp", + "//third_party/bounds_checking_function/include", ] +} - deps = [ - ":system_filter", - "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine", +ohos_source_set("libseccomp_static") { + sources = [ + "seccomp_policy.c", + "seccomp_policy_static.c", ] - - cflags = [ "-DSECCOMP_PLUGIN" ] - - part_name = "init" - if (target_cpu == "arm64") { - module_install_dir = "lib64/init" - } else { - module_install_dir = "lib/init" - } - install_images = [ - "system", - "ramdisk", - "updater", + public_configs = [ + ":libseccomp_static_config", + "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config", ] } -config("libseccomp_static_config") { - include_dirs = [ - "//base/startup/init/services/modules", - "//base/startup/init/services/modules/seccomp", - "//base/startup/init/interfaces/innerkits/seccomp/include", +group("seccomp_filter") { + deps = [ + ":app_filter", + ":appspawn_filter", + ":nwebspawn_filter", + ":system_filter", ] } - -ohos_source_set("libseccomp_static") { - sources = [ "seccomp_policy_static.c" ] - public_configs = [ ":libseccomp_static_config" ] - public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ] -} diff --git a/services/modules/seccomp/seccomp_filters.h b/services/modules/seccomp/seccomp_filters.h deleted file mode 100644 index 7791afb3..00000000 --- a/services/modules/seccomp/seccomp_filters.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright (c) 2022 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef SECCOMP_FILTERS_H -#define SECCOMP_FILTERS_H - -#include -#include - -#ifdef __cplusplus -#if __cplusplus -extern "C" { -#endif -#endif - -extern const struct sock_filter g_appspawnSeccompFilter[]; -extern const size_t g_appspawnSeccompFilterSize; - -extern const struct sock_filter g_systemSeccompFilter[]; -extern const size_t g_systemSeccompFilterSize; - -extern const struct sock_filter g_nwebspawnSeccompFilter[]; -extern const size_t g_nwebspawnSeccompFilterSize; - -extern const struct sock_filter g_appSeccompFilter[]; -extern const size_t g_appSeccompFilterSize; - -#ifdef __cplusplus -#if __cplusplus -} -#endif -#endif - -#endif // SECCOMP_FILTERS_H - diff --git a/services/modules/seccomp/seccomp_policy.c b/services/modules/seccomp/seccomp_policy.c index 41a36001..09359cc9 100644 --- a/services/modules/seccomp/seccomp_policy.c +++ b/services/modules/seccomp/seccomp_policy.c @@ -14,12 +14,10 @@ */ #include "seccomp_policy.h" -#include "seccomp_filters.h" #include "plugin_adapter.h" -#ifdef SECCOMP_PLUGIN -#include "init_module_engine.h" -#endif +#include "securec.h" +#include #include #include #include 
@@ -33,6 +31,14 @@
 #define SECCOMP_SET_MODE_FILTER (1)
 #endif
+#ifdef __aarch64__
+#define FILTER_LIB_PATH_FORMAT "/system/lib64/lib%s_filter.z.so"
+#else
+#define FILTER_LIB_PATH_FORMAT "/system/lib/lib%s_filter.z.so"
+#endif
+#define FILTER_NAME_FORMAT "g_%sSeccompFilter"
+#define FILTER_SIZE_STRING "Size"
+
 static bool IsSupportFilterFlag(unsigned int filterFlag)
 {
 errno = 0;
@@ -69,78 +75,41 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
 return true;
 }
-#ifndef SECCOMP_PLUGIN
-bool SetSeccompPolicy(PolicyType policy)
+bool SetSeccompPolicyWithName(const char *filterName)
 {
- bool ret = false;
- switch (policy) {
- case APPSPAWN:
- ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
- break;
- case NWEBSPAWN:
- ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
- break;
- case APP:
- ret = InstallSeccompPolicy(g_appSeccompFilter, g_appSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
- break;
- default:
- ret = false;
- }
+ char filterLibPath[512] = {0};
+ char filterVaribleName[512] = {0};
+ struct sock_filter *filterPtr = NULL;
+ size_t *filterSize = NULL;
- return ret;
-}
-#else
-static bool SetSystemSeccompPolicy(void)
-{
- return InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
-}
+ int rc = snprintf_s(filterLibPath, sizeof(filterLibPath), \
+ strlen(filterName) + strlen(FILTER_LIB_PATH_FORMAT) - strlen("%s"), \
+ FILTER_LIB_PATH_FORMAT, filterName);
+ PLUGIN_CHECK(rc != -1, return false, "snprintf_s filterLibPath failed");
-static int DoSetSeccompPolicyStart(void)
-{
- bool ret = false;
- ret = SetSystemSeccompPolicy();
- PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed");
+ rc = snprintf_s(filterVaribleName, sizeof(filterVaribleName), \
+ strlen(filterName) + strlen(FILTER_NAME_FORMAT) - strlen("%s"), \
+ FILTER_NAME_FORMAT, filterName);
+ PLUGIN_CHECK(rc != -1, return false, "snprintf_s faiVribleName failed");
- return 0;
-}
+ void *handler = dlopen(filterLibPath, RTLD_LAZY);
+ PLUGIN_CHECK(handler != NULL, return false, "dlopen %s failed", filterLibPath);
-static int DoSetSeccompPolicyCmd(int id, const char *name, int argc, const char **argv)
-{
- PLUGIN_LOGI("DoBootchartCmd argc %d %s", argc, name);
- PLUGIN_CHECK(argc >= 1, 
return -1, "Invalid parameter");
- if (strcmp(argv[0], "start") == 0) {
- return DoSetSeccompPolicyStart();
- }
- return 0;
-}
+ filterPtr = (struct sock_filter *)dlsym(handler, filterVaribleName);
+ PLUGIN_CHECK(filterPtr != NULL, dlclose(handler);
+ return false, "dlsym %s failed", filterVaribleName);
-static int32_t g_executorId = -1;
-static int SetSeccompPolicyInit(void)
-{
- if (g_executorId == -1) {
- g_executorId = AddCmdExecutor("SetSeccompPolicy", DoSetSeccompPolicyCmd);
- PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
- }
- return 0;
-}
+ rc = strcat_s(filterVaribleName, strlen(filterVaribleName) + strlen(FILTER_SIZE_STRING) + 1, FILTER_SIZE_STRING);
+ PLUGIN_CHECK(rc == 0, dlclose(handler);
+ return false, "strcat_s filterVaribleName failed");
-static void SetSeccompPolicyExit(void)
-{
- PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
- if (g_executorId != -1) {
- RemoveCmdExecutor("SetSeccompPolicy", g_executorId);
- }
-}
+ filterSize = (size_t *)dlsym(handler, filterVaribleName);
+ PLUGIN_CHECK(filterSize != NULL, dlclose(handler);
+ return false, "dlsym %s failed", filterVaribleName);
-MODULE_CONSTRUCTOR(void)
-{
- PLUGIN_LOGI("DoSetSeccompPolicyStart now ...");
- SetSeccompPolicyInit();
-}
+ bool ret = InstallSeccompPolicy(filterPtr, *filterSize, SECCOMP_FILTER_FLAG_LOG);
-MODULE_DESTRUCTOR(void)
-{
- PLUGIN_LOGI("DoSetSeccompPolicyStop now ...");
- SetSeccompPolicyExit();
+ dlclose(handler);
+
+ return ret;
 }
-#endif
diff --git a/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy
index 92110403..cc913331 100644
--- a/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy
+++ b/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy
@@ -17,9 +17,6 @@ arm
 @returnValue
 KILL_PROCESS
-@headFiles
-"seccomp_filters.h"
-
 @priority
 ioctl
 futex
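Review bot: `SetSeccompPolicyWithName` passes `filterName` to `strlen` and then builds both the `dlopen` path and the two `dlsym` symbol names from it without rejecting NULL or checking that the name is a plain identifier, yet the function is now exported through the innerkits header, so callers other than the static module can reach it. Add a guard before the first `snprintf_s`, e.g. `PLUGIN_CHECK(filterName != NULL && strchr(filterName, '/') == NULL, return false, "invalid filterName");`, or compare against the four `*_NAME` constants if no other filter library is meant to be loadable. The `strcat_s` destMax should be the real capacity, `sizeof(filterVaribleName)`, not a length derived from the string being appended, which defeats the bounds check; the two `snprintf_s` count arguments are likewise computed from `strlen(filterName)`, so an over-long name is only caught by securec's own limit, if at all. The identifier `filterVaribleName` and the log text `faiVribleName` should read `filterVariableName`, and `rc < 0` is a safer test than `rc != -1` since securec can report other negative codes.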
diff --git a/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy index c9d0a947..b52ec8f5 100644 --- a/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy @@ -17,9 +17,6 @@ arm64 @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @priority ioctl futex diff --git a/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy index ea9816d6..f5a39680 100644 --- a/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy @@ -18,7 +18,6 @@ arm KILL_PROCESS @headFiles -"seccomp_filters.h" "time.h" "sys/ioctl.h" "linux/futex.h" diff --git a/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy index bfadb0a6..a7192b37 100644 --- a/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy @@ -18,7 +18,6 @@ arm64 KILL_PROCESS @headFiles -"seccomp_filters.h" "time.h" "sys/ioctl.h" "linux/futex.h" diff --git a/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy index 12cb720e..0b882f60 100644 --- a/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy @@ -20,9 +20,6 @@ KILL_PROCESS @mode ONLY_CHECK_ARGS -@headFiles -"seccomp_filters.h" - @allowListWithArgs setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; 
diff --git a/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy index 21bcad77..acf97888 100644 --- a/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy @@ -19,9 +19,6 @@ KILL_PROCESS @mode ONLY_CHECK_ARGS -@headFiles -"seccomp_filters.h" - @allowListWithArgs setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; diff --git a/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy index edf295fe..3b70f6d0 100644 --- a/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy @@ -17,9 +17,6 @@ arm @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @allowList restart_syscall exit diff --git a/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy index 4ac4c1ec..65a04d0e 100644 --- a/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy @@ -17,9 +17,6 @@ arm64 @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @allowList io_setup io_destroy diff --git a/services/modules/seccomp/seccomp_policy_static.c b/services/modules/seccomp/seccomp_policy_static.c index 61fabd36..fba03f61 100644 --- a/services/modules/seccomp/seccomp_policy_static.c +++ b/services/modules/seccomp/seccomp_policy_static.c 
@@ -15,10 +15,32 @@ #include #include "init_module_engine.h" #include "plugin_adapter.h" +#include "seccomp_policy.h" + +static int SetSystemSeccompPolicy(int id, const char *name, int argc, const char **argv) +{ + PLUGIN_LOGI("SetSystemSeccompPolicy argc %d %s", argc, name); + PLUGIN_CHECK(argc >= 1, return -1, "Invalid parameter"); + + bool ret = SetSeccompPolicyWithName(SYSTEM_NAME); + PLUGIN_CHECK(ret == true, return -1, "SetSystemSeccompPolicy failed"); + + return 0; +} + +static int32_t g_executorId = -1; +static int SetSeccompPolicyInit(void) +{ + if (g_executorId == -1) { + g_executorId = AddCmdExecutor("SetSeccompPolicy", SetSystemSeccompPolicy); + PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId); + } + return 0; +} static int SeccompHook(const HOOK_INFO *info, void *cookie) { - InitModuleMgrInstall("seccomp_module"); + SetSeccompPolicyInit(); PLUGIN_LOGI("seccomp enabled."); return 0; } diff --git a/test/unittest/seccomp/seccomp_unittest.cpp b/test/unittest/seccomp/seccomp_unittest.cpp index fdcf97f4..20c2fd66 100644 --- a/test/unittest/seccomp/seccomp_unittest.cpp +++ b/test/unittest/seccomp/seccomp_unittest.cpp @@ -53,7 +53,7 @@ public: { } - static pid_t StartChild(PolicyType type, SyscallFunc func) + static pid_t StartChild(const char *filterName, SyscallFunc func) { pid_t pid = fork(); if (pid == 0) { @@ -61,8 +61,8 @@ public: std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; exit(EXIT_FAILURE); } - if (type != SYSTEM && !SetSeccompPolicy(type)) { - std::cout << "SetSeccompPolicy set fail type is " << type << std::endl; + if (!SetSeccompPolicyWithName(filterName)) { + std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; exit(EXIT_FAILURE); } @@ -78,7 +78,7 @@ public: return pid; } - static int CheckSyscall(PolicyType type, SyscallFunc func, bool isAllow) + static int CheckSyscall(const char *filterName, SyscallFunc func, bool isAllow) { sigset_t set; int status; 
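Review bot: `SetSystemSeccompPolicy` insists on `argc >= 1` but never reads `argv`, so the command installs the system filter for any argument, whereas the removed `DoSetSeccompPolicyCmd` only acted on `"start"`. Either restore that dispatch after the argc check, `if (strcmp(argv[0], "start") != 0) { return 0; }` (the stripped `#include` on the first context line presumably covers string.h), or drop the argument requirement and state in a comment that the command ignores its arguments. `id` and `argv` are otherwise unused, which `-Wunused-parameter` will flag; a `(void)id;` would mark that as intentional.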
@@ -93,7 +93,7 @@ public: std::cout << "signal failed:" << strerror(errno) << std::endl; } - pid = StartChild(type, func); + pid = StartChild(filterName, func); if (pid == -1) { std::cout << "fork failed:" << strerror(errno) << std::endl; return -1; @@ -200,33 +200,33 @@ public: void TestSystemSycall() { // system blocklist - int ret = CheckSyscall(SYSTEM, CheckGetMempolicy, false); + int ret = CheckSyscall(SYSTEM_NAME, CheckGetMempolicy, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(SYSTEM, CheckGetpid, true); + ret = CheckSyscall(SYSTEM_NAME, CheckGetpid, true); EXPECT_EQ(ret, 0); } void TestSetUidGidFilter() { // system blocklist - int ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsOutOfRange, false); + int ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true); + ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuidArgsInRange, true); EXPECT_EQ(ret, 0); } void TestAppSycall() { // app blocklist - int ret = CheckSyscall(APP, CheckSetuid, false); + int ret = CheckSyscall(APP_NAME, CheckSetuid, false); EXPECT_EQ(ret, 0); // app allowlist - ret = CheckSyscall(APP, CheckGetpid, true); + ret = CheckSyscall(APP_NAME, CheckGetpid, true); EXPECT_EQ(ret, 0); } #elif defined __arm__ 
@@ -281,33 +281,33 @@ public: void TestSystemSycall() { // system blocklist - int ret = CheckSyscall(SYSTEM, CheckGetuid, false); + int ret = CheckSyscall(SYSTEM_NAME, CheckGetuid, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(SYSTEM, CheckGetuid32, true); + ret = CheckSyscall(SYSTEM_NAME, CheckGetuid32, true); EXPECT_EQ(ret, 0); } void TestSetUidGidFilter() { // system blocklist - int ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsOutOfRange, false); + int ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true); + ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); EXPECT_EQ(ret, 0); } void TestAppSycall() { // app blocklist - int ret = CheckSyscall(APP, CheckSetuid32, false); + int ret = CheckSyscall(APP_NAME, CheckSetuid32, false); EXPECT_EQ(ret, 0); // app allowlist - ret = CheckSyscall(APP, CheckGetuid32, true); + ret = CheckSyscall(APP_NAME, CheckGetuid32, true); EXPECT_EQ(ret, 0); } #endif -- GitLab