!1008 添加webview渲染进程seccomp-BPF白名单策略

Merge pull request !1008 from JerryH/webview

interfaces/innerkits/seccomp/BUILD.gn

@@ -27,6 +27,7 @@ ohos_shared_library("seccomp") {
   deps = [
     "//base/startup/init/interfaces/innerkits:libbegetutil",
     "//base/startup/init/services/modules/seccomp:appspawn_filter",
+    "//base/startup/init/services/modules/seccomp:nwebspawn_filter",
     "//base/startup/init/services/modules/seccomp:system_filter",
   ]
 

interfaces/innerkits/seccomp/include/seccomp_policy.h

@@ -28,7 +28,8 @@ extern "C" {
 typedef enum {
     SYSTEM,
     APPSPAWN,
-    APP
+    APP,
+    NWEBSPAWN,
 } PolicyType;
 
 bool SetSeccompPolicy(PolicyType policy);

services/modules/seccomp/BUILD.gn

@@ -112,6 +112,26 @@ ohos_prebuilt_seccomp("appspawn_filter") {
   ]
 }
 
+ohos_prebuilt_seccomp("nwebspawn_filter") {
+  if (target_cpu == "arm") {
+    sources = [ "seccomp_policy/renderer_arm.seccomp.policy" ]
+  } else if (target_cpu == "arm64") {
+    sources = [ "seccomp_policy/renderer_arm64.seccomp.policy" ]
+  }
+
+  filtername = "g_nwebspawnSeccompFilter"
+  include_dirs = [ "." ]
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  install_enable = true
+  install_images = [
+    "system",
+    "ramdisk",
+    "updater",
+  ]
+}
+
 ohos_static_library("seccomp_static") {
   sources = [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
 
@@ -123,6 +143,7 @@ ohos_static_library("seccomp_static") {
 
   deps = [
     ":appspawn_filter",
+    ":nwebspawn_filter",
     ":system_filter",
   ]
 

services/modules/seccomp/scripts/generate_code_from_policy.py

@@ -232,13 +232,13 @@ class GenBpfPolicy:
         self.gen_mode = mode_str.get(mode)
 
     @staticmethod
-    def gen_bpf_eq32(self, const_str, jt, jf):
+    def gen_bpf_eq32(const_str, jt, jf):
         bpf_policy = []
         bpf_policy.append(BPF_JEQ.format(const_str + ' & 0xffffffff', jt, jf))
         return bpf_policy
 
     @staticmethod
-    def gen_bpf_eq64(self, const_str, jt, jf):
+    def gen_bpf_eq64(const_str, jt, jf):
         bpf_policy = []
         bpf_policy.append(BPF_JEQ.format('((unsigned long)' + const_str + ') >> 32', 0, jf + 2))
         bpf_policy.append(BPF_LOAD_MEM.format(0))
@@ -803,4 +803,4 @@ def main():
 
 
 if __name__ == '__main__':
-    sys.exit(main())
\ No newline at end of file
+    sys.exit(main())

services/modules/seccomp/seccomp_filters.h

@@ -31,6 +31,9 @@ extern const size_t g_appspawnSeccompFilterSize;
 extern const struct sock_filter g_systemSeccompFilter[];
 extern const size_t g_systemSeccompFilterSize;
 
+extern const struct sock_filter g_nwebspawnSeccompFilter[];
+extern const size_t g_nwebspawnSeccompFilterSize;
+
 #ifdef __cplusplus
 #if __cplusplus
 }

services/modules/seccomp/seccomp_policy.c

@@ -76,6 +76,9 @@ bool SetSeccompPolicy(PolicyType policy)
         case APPSPAWN:
             ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
             break;
+        case NWEBSPAWN:
+            ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
+            break;
         default:
             ret = false;
     }

services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm
+
+@returnValue
+KILL_PROCESS
+
+@headFiles
+"seccomp_filters.h"
+"time.h"
+"sys/ioctl.h"
+"linux/futex.h"
+"sys/resource.h"
+"sys/prctl.h"
+"sys/mman.h"
+"sched.h"
+"fcntl.h"
+"sys/random.h"
+"sys/types.h"
+"sys/socket.h"
+
+@priority
+futex
+
+@allowList
+fdatasync
+fsync
+ftruncate
+ftruncate64
+setrlimit
+ugetrlimit
+mremap
+pwrite64
+sched_get_priority_max
+sched_get_priority_min
+getpriority
+setpriority
+sysinfo
+times
+uname
+get_robust_list
+set_robust_list
+sched_getaffinity
+sigaltstack
+futex_time64
+brk
+mlock
+munlock
+munmap
+mmap2
+sched_yield
+pause
+nanosleep
+epoll_create
+epoll_wait
+epoll_pwait
+epoll_create1
+epoll_ctl
+eventfd
+eventfd2
+fstat
+fstat64
+lseek
+_llseek
+poll
+ppoll
+pselect6
+read
+readv
+pread64
+recvfrom
+recvmsg
+_newselect
+send
+sendmsg
+sendto
+write
+writev
+pipe
+pipe2
+gettimeofday
+exit
+exit_group
+wait4
+waitid
+rt_sigaction
+rt_sigprocmask
+rt_sigreturn
+rt_sigtimedwait
+capget
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getpid
+getppid
+getresgid
+getresgid32
+getsid
+gettid
+getuid
+getuid32
+getresuid
+getresuid32
+restart_syscall
+close
+dup
+dup2
+dup3
+shutdown
+mincore
+memfd_create
+faccessat
+access
+prctl
+fcntl
+fcntl64
+clone
+setsockopt
+
+setgroups
+setgroups32
+setresgid
+setresgid32
+setresuid
+setresuid32
+capset
+openat
+open
+socket
+connect
+readlinkat
+readlink
+unlink
+unlinkat
+ioctl
+mprotect
+mkdirat
+set_tid_address
+getdents64
+madvise
+getrandom
+clock_gettime64
+statx
+prlimit64
+cacheflush
+set_tls
+
+@allowListWithArgs
+getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD
+clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
+clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
+clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
+socketpair:if arg0 == AF_UNIX
+getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF

services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm64
+
+@returnValue
+KILL_PROCESS
+
+@headFiles
+"seccomp_filters.h"
+"time.h"
+"sys/ioctl.h"
+"linux/futex.h"
+"sys/resource.h"
+"sys/prctl.h"
+"sys/mman.h"
+"sched.h"
+"fcntl.h"
+"sys/random.h"
+"sys/types.h"
+"sys/socket.h"
+
+@priority
+futex
+
+@allowList
+fdatasync
+fsync
+ftruncate
+getrlimit
+setrlimit
+mremap
+pwrite64
+sched_get_priority_max
+sched_get_priority_min
+getpriority
+setpriority
+sysinfo
+times
+uname
+get_robust_list
+set_robust_list
+sched_getaffinity
+sigaltstack
+brk
+mlock
+munlock
+munmap
+mmap
+sched_yield
+nanosleep
+epoll_pwait
+epoll_create1
+epoll_ctl
+lseek
+eventfd2
+fstat
+ppoll
+pselect6
+read
+readv
+pread64
+recvfrom
+recvmsg
+sendmsg
+sendto
+write
+writev
+pipe2
+gettimeofday
+exit
+exit_group
+wait4
+waitid
+rt_sigaction
+rt_sigprocmask
+rt_sigreturn
+rt_sigtimedwait
+capget
+getegid
+geteuid
+getgid
+getgroups
+getpid
+getppid
+getresgid
+getsid
+gettid
+getuid
+getresuid
+restart_syscall
+close
+dup
+dup3
+shutdown
+mincore
+memfd_create
+faccessat
+prctl
+fcntl
+clone
+setsockopt
+
+setgroups
+setresgid
+setresuid
+capset
+openat
+socket
+connect
+readlinkat
+newfstatat
+unlinkat
+ioctl
+mprotect
+mkdirat
+set_tid_address
+getdents64
+madvise
+getrandom
+statx
+prlimit64
+
+@allowListWithArgs
+getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD
+clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
+clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
+clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
+socketpair:if arg0 == AF_UNIX
+getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF