提交 1090e04e 编写于 作者: X xiacong

<feat>

增强DFX能力,进程被seccomp机制拦截而崩溃时,留下上下文信息
在release版本的root版本增加系统参数,用于控制seccomp机制的开关,release的user版本不支持seccomp开关能力
Signed-off-by: Nxiacong <xiacong4@huawei.com>
Change-Id: I57efe5d4b25f60ca6cd07373aa147a1f4f2af234
Signed-off-by: Nxiacong <xiacong4@huawei.com>
上级 dc9404e2
...@@ -18,6 +18,12 @@ config("seccomp_public_config") { ...@@ -18,6 +18,12 @@ config("seccomp_public_config") {
} }
if (defined(build_seccomp) && build_seccomp) { if (defined(build_seccomp) && build_seccomp) {
if (build_variant == "root") {
seccomp_enable_debug = true
} else {
seccomp_enable_debug = false
}
ohos_shared_library("seccomp") { ohos_shared_library("seccomp") {
sources = sources =
[ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ] [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
...@@ -31,6 +37,15 @@ if (defined(build_seccomp) && build_seccomp) { ...@@ -31,6 +37,15 @@ if (defined(build_seccomp) && build_seccomp) {
"//third_party/bounds_checking_function/include", "//third_party/bounds_checking_function/include",
] ]
if (seccomp_enable_debug) {
include_dirs += [
"../../../services/include",
"../../../services/include/param",
]
defines = [ "WITH_SECCOMP_DEBUG" ]
}
deps = [ deps = [
"//base/startup/init/interfaces/innerkits:libbegetutil", "//base/startup/init/interfaces/innerkits:libbegetutil",
"//third_party/bounds_checking_function:libsec_shared", "//third_party/bounds_checking_function:libsec_shared",
......
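Review bot: The `build_variant == "root"` block that sets `seccomp_enable_debug` is written out twice, here and in the seccomp module's build file further down the commit, so the two targets can drift apart and disagree on whether `WITH_SECCOMP_DEBUG` is defined. Since that define decides whether the seccomp off-switch is compiled in, I would set the variable once in a shared `.gni` imported by both files, with a comment such as `# root builds only: compiles in the persist.init.debug.seccomp.enable switch`. The added `include_dirs` entries also use `../../../` relative paths where the neighbouring entries use `//base/startup/init/...` source-absolute paths; the absolute form would match the rest of the file.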
...@@ -73,7 +73,7 @@ static int SetAllAmbientCapability(void) ...@@ -73,7 +73,7 @@ static int SetAllAmbientCapability(void)
static void SetSystemSeccompPolicy(const Service *service) static void SetSystemSeccompPolicy(const Service *service)
{ {
#ifdef WITH_SECCOMP #ifdef WITH_SECCOMP
if (strncmp(APPSPAWN_NAME, service->name, strlen(APPSPAWN_NAME)) \ if (strncmp(APPSPAWN_NAME, service->name, strlen(APPSPAWN_NAME))
&& strncmp(NWEBSPAWN_NAME, service->name, strlen(NWEBSPAWN_NAME)) && strncmp(NWEBSPAWN_NAME, service->name, strlen(NWEBSPAWN_NAME))
&& !strncmp(SA_MAIN_PATH, service->pathArgs.argv[0], strlen(SA_MAIN_PATH))) { && !strncmp(SA_MAIN_PATH, service->pathArgs.argv[0], strlen(SA_MAIN_PATH))) {
PluginExecCmdByName("SetSeccompPolicy", "start"); PluginExecCmdByName("SetSeccompPolicy", "start");
......
...@@ -11,7 +11,6 @@ ...@@ -11,7 +11,6 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import("//base/startup/init/begetd.gni")
import( import(
"//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni") "//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni")
import("//build/config/clang/clang.gni") import("//build/config/clang/clang.gni")
...@@ -20,6 +19,12 @@ import("//build/ohos/kernel/kernel.gni") ...@@ -20,6 +19,12 @@ import("//build/ohos/kernel/kernel.gni")
INIT_PART = "init" INIT_PART = "init"
if (build_variant == "root") {
seccomp_enable_debug = true
} else {
seccomp_enable_debug = false
}
action("syscall_to_nr_arm") { action("syscall_to_nr_arm") {
script = "${clang_base_path}/bin/clang" script = "${clang_base_path}/bin/clang"
output_dir = target_gen_dir + "/libsyscall_to_nr_arm" output_dir = target_gen_dir + "/libsyscall_to_nr_arm"
...@@ -145,6 +150,15 @@ config("libseccomp_static_config") { ...@@ -145,6 +150,15 @@ config("libseccomp_static_config") {
"//base/startup/init/interfaces/innerkits/seccomp/include", "//base/startup/init/interfaces/innerkits/seccomp/include",
"//third_party/bounds_checking_function/include", "//third_party/bounds_checking_function/include",
] ]
if (seccomp_enable_debug) {
include_dirs += [
"../../../services/include",
"../../../services/include/param",
]
defines = [ "WITH_SECCOMP_DEBUG" ]
}
} }
ohos_source_set("libseccomp_static") { ohos_source_set("libseccomp_static") {
......
...@@ -44,6 +44,7 @@ operation = ['<', '<=', '!=', '==', '>', '>=', '&'] ...@@ -44,6 +44,7 @@ operation = ['<', '<=', '!=', '==', '>', '>=', '&']
ret_str_to_bpf = { ret_str_to_bpf = {
'KILL_PROCESS': 'SECCOMP_RET_KILL_PROCESS', 'KILL_PROCESS': 'SECCOMP_RET_KILL_PROCESS',
'KILL_THREAD': 'SECCOMP_RET_KILL_THREAD', 'KILL_THREAD': 'SECCOMP_RET_KILL_THREAD',
'TRAP': 'SECCOMP_RET_TRAP',
'LOG' : 'SECCOMP_RET_LOG', 'LOG' : 'SECCOMP_RET_LOG',
'ALLOW': 'SECCOMP_RET_ALLOW' 'ALLOW': 'SECCOMP_RET_ALLOW'
} }
...@@ -691,13 +692,13 @@ class GenBpfPolicy: ...@@ -691,13 +692,13 @@ class GenBpfPolicy:
bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_AARCH64', 3, 0)) bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_AARCH64', 3, 0))
bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_ARM', 0, 1)) bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_ARM', 0, 1))
bpf_policy.append(BPF_JA.format(skip_step)) bpf_policy.append(BPF_JA.format(skip_step))
bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_KILL_PROCESS')) bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_TRAP'))
elif 'arm' in arches: elif 'arm' in arches:
bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_ARM', 1, 0)) bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_ARM', 1, 0))
bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_KILL_PROCESS')) bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_TRAP'))
elif 'arm64' in arches: elif 'arm64' in arches:
bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_AARCH64', 1, 0)) bpf_policy.append(BPF_JEQ.format('AUDIT_ARCH_AARCH64', 1, 0))
bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_KILL_PROCESS')) bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_TRAP'))
else: else:
self.bpf_policy = [] self.bpf_policy = []
......
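Review bot: The architecture-mismatch fallthrough in this hunk now returns `SECCOMP_RET_TRAP` in every build, not only in the root variant that the description ties the debug switch to. `SECCOMP_RET_TRAP` still blocks the syscall but delivers SIGSYS instead of killing, so a process with its own SIGSYS handler keeps running after a violation, whereas `SECCOMP_RET_KILL_PROCESS` could not be caught. The page does not show where the handler that records the crash context is installed or that it always terminates the process; I would confirm that and add a comment on these three lines such as `# TRAP (not KILL_PROCESS) so the crash handler can dump context on SIGSYS; the handler must abort`. The same default change appears in every policy file's `@returnValue` and `else return TRAP` lines later in the commit. The enclosing method of `GenBpfPolicy` starts above the hunk.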
...@@ -17,6 +17,11 @@ ...@@ -17,6 +17,11 @@
#include "plugin_adapter.h" #include "plugin_adapter.h"
#include "securec.h" #include "securec.h"
#ifdef WITH_SECCOMP_DEBUG
#include "init_utils.h"
#include "sys_param.h"
#endif
#include <dlfcn.h> #include <dlfcn.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#include <unistd.h> #include <unistd.h>
...@@ -169,12 +174,34 @@ static int GetSeccompPolicy(const char *filterName, int **handler, ...@@ -169,12 +174,34 @@ static int GetSeccompPolicy(const char *filterName, int **handler,
return ret; return ret;
} }
#ifdef WITH_SECCOMP_DEBUG
static bool IsEnableSeccomp(void)
{
char value[MAX_BUFFER_LEN] = {0};
unsigned int len = MAX_BUFFER_LEN;
bool isEnableSeccompFlag = true;
if (SystemReadParam("persist.init.debug.seccomp.enable", value, &len) == 0) {
if (strncmp(value, "0", len) == 0) {
isEnableSeccompFlag = false;
}
}
return isEnableSeccompFlag;
}
#endif
bool SetSeccompPolicyWithName(const char *filterName) bool SetSeccompPolicyWithName(const char *filterName)
{ {
if (filterName == NULL) { if (filterName == NULL) {
return false; return false;
} }
#ifdef WITH_SECCOMP_DEBUG
if (!IsEnableSeccomp()) {
return true;
}
#endif
void *handler = NULL; void *handler = NULL;
char *filterLibRealPath = NULL; char *filterLibRealPath = NULL;
struct sock_fprog prog; struct sock_fprog prog;
......
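Review bot: In `IsEnableSeccomp`, `strncmp(value, "0", len) == 0` is also true when `len` is 0, so if `SystemReadParam` can succeed with an empty value (assuming it writes the value length back to `len`), the filter is skipped. Comparing the whole string, `if (strcmp(value, "0") == 0)`, avoids that, since `value` is zero-initialised. `SetSeccompPolicyWithName` then returns `true` without installing a filter and without a log line, so neither the caller nor anyone reading logs can tell a sandboxed process from an unsandboxed one; a log statement at that early return would make the disabled state visible. Because the parameter is `persist.`-prefixed, one write keeps seccomp off across reboots, so who may set it deserves a comment here or a check in the parameter permission configuration, which is not shown on this page. `SetSeccompPolicyWithName` continues past the end of the hunk.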
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
arm arm
@returnValue @returnValue
KILL_PROCESS TRAP
@priority @priority
ioctl ioctl
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
arm64 arm64
@returnValue @returnValue
KILL_PROCESS TRAP
@priority @priority
ioctl ioctl
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
arm arm
@returnValue @returnValue
KILL_PROCESS TRAP
@headFiles @headFiles
"time.h" "time.h"
...@@ -175,9 +175,9 @@ ptrace ...@@ -175,9 +175,9 @@ ptrace
membarrier membarrier
@allowListWithArgs @allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS; getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return TRAP;
clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return TRAP;
clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return TRAP;
clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return TRAP;
socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS; socketpair:if arg0 == AF_UNIX; return ALLOW; else return TRAP;
getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS; getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return TRAP;
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
arm64 arm64
@returnValue @returnValue
KILL_PROCESS TRAP
@headFiles @headFiles
"time.h" "time.h"
...@@ -144,9 +144,9 @@ ptrace ...@@ -144,9 +144,9 @@ ptrace
membarrier membarrier
@allowListWithArgs @allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS; getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return TRAP;
clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return TRAP;
clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return TRAP;
clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return TRAP;
socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS; socketpair:if arg0 == AF_UNIX; return ALLOW; else return TRAP;
getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS; getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return TRAP;
...@@ -15,11 +15,11 @@ ...@@ -15,11 +15,11 @@
arm arm
@returnValue @returnValue
KILL_PROCESS TRAP
@mode @mode
ONLY_CHECK_ARGS ONLY_CHECK_ARGS
@allowListWithArgs @allowListWithArgs
setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;
setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;
...@@ -14,11 +14,11 @@ ...@@ -14,11 +14,11 @@
arm64 arm64
@returnValue @returnValue
KILL_PROCESS TRAP
@mode @mode
ONLY_CHECK_ARGS ONLY_CHECK_ARGS
@allowListWithArgs @allowListWithArgs
setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;
setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return TRAP;
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
arm arm
@returnValue @returnValue
KILL_PROCESS TRAP
@allowList @allowList
restart_syscall restart_syscall
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
arm64 arm64
@returnValue @returnValue
KILL_PROCESS TRAP
@allowList @allowList
io_setup io_setup
......
...@@ -15,8 +15,6 @@ ...@@ -15,8 +15,6 @@
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <gtest/gtest.h>
#include <cstdlib> #include <cstdlib>
#include <unistd.h> #include <unistd.h>
#include <sys/wait.h> #include <sys/wait.h>
...@@ -35,7 +33,8 @@ ...@@ -35,7 +33,8 @@
#include "seccomp_policy.h" #include "seccomp_policy.h"
using SyscallFunc = bool (*)(void); using SyscallFunc = bool (*)(void);
constexpr int SLEEP_TIME = 100000; // 100ms constexpr int SLEEP_TIME_100MS = 100000; // 100ms
constexpr int SLEEP_TIME_1S = 1;
using namespace testing::ext; using namespace testing::ext;
using namespace std; using namespace std;
...@@ -47,9 +46,20 @@ public: ...@@ -47,9 +46,20 @@ public:
virtual ~SeccompUnitTest() {}; virtual ~SeccompUnitTest() {};
static void SetUpTestCase() {}; static void SetUpTestCase() {};
static void TearDownTestCase() {}; static void TearDownTestCase() {};
void SetUp() {};
void SetUp()
{
/*
* Wait for 1 second to prevent the generated crash file
* from being overwritten because the crash interval is too short
* and the crash file's name is constructed by time stamp.
*/
sleep(SLEEP_TIME_1S);
};
void TearDown() {}; void TearDown() {};
void TestBody(void) {}; void TestBody(void) {};
static void Handler(int s) static void Handler(int s)
{ {
} }
...@@ -62,6 +72,7 @@ public: ...@@ -62,6 +72,7 @@ public:
std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
if (!SetSeccompPolicyWithName(filterName)) { if (!SetSeccompPolicyWithName(filterName)) {
std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
...@@ -97,7 +108,7 @@ public: ...@@ -97,7 +108,7 @@ public:
/* Sleeping for avoiding influencing child proccess wait for other threads /* Sleeping for avoiding influencing child proccess wait for other threads
* which were created by other unittests to release global rwlock. The global * which were created by other unittests to release global rwlock. The global
* rwlock will be used by function dlopen in child process */ * rwlock will be used by function dlopen in child process */
usleep(SLEEP_TIME); usleep(SLEEP_TIME_100MS);
pid = StartChild(filterName, func); pid = StartChild(filterName, func);
if (pid == -1) { if (pid == -1) {
...@@ -333,7 +344,7 @@ HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1) ...@@ -333,7 +344,7 @@ HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1)
/** /**
* @tc.name: TestSetUidGidFilter * @tc.name: TestSetUidGidFilter
* @tc.desc: Verify the system seccomp policy. * @tc.desc: Verify the uid gid seccomp policy.
* @tc.type: FUNC * @tc.type: FUNC
* @tc.require: issueI5IUWJ * @tc.require: issueI5IUWJ
*/ */
...@@ -344,8 +355,8 @@ HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1) ...@@ -344,8 +355,8 @@ HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1)
} }
/** /**
* @tc.name: TestSystemSycall * @tc.name: TestAppSycall
* @tc.desc: Verify the system seccomp policy. * @tc.desc: Verify the app seccomp policy.
* @tc.type: FUNC * @tc.type: FUNC
* @tc.require: issueI5MUXD * @tc.require: issueI5MUXD
*/ */
......