diff --git a/interfaces/innerkits/seccomp/BUILD.gn b/interfaces/innerkits/seccomp/BUILD.gn index 80e11e7899a68d4d98ed4c9243894095d82bf30a..37fabe586a7c75eaee1f78d88dde81ad11b81243 100755 --- a/interfaces/innerkits/seccomp/BUILD.gn +++ b/interfaces/innerkits/seccomp/BUILD.gn @@ -26,16 +26,14 @@ if (defined(build_seccomp) && build_seccomp) { include_dirs = [ "//base/startup/init/interfaces/innerkits/include", - "//base/startup/init/services/modules/seccomp", "//base/startup/init/services/modules", "//base/startup/init/services/log", + "//third_party/bounds_checking_function/include", ] deps = [ "//base/startup/init/interfaces/innerkits:libbegetutil", - "//base/startup/init/services/modules/seccomp:app_filter", - "//base/startup/init/services/modules/seccomp:appspawn_filter", - "//base/startup/init/services/modules/seccomp:nwebspawn_filter", + "//third_party/bounds_checking_function:libsec_shared", ] license_file = "//base/startup/init/LICENSE" @@ -43,10 +41,7 @@ if (defined(build_seccomp) && build_seccomp) { part_name = "init" install_enable = true - install_images = [ - "system", - "updater", - ] + install_images = [ "system" ] } } else { group("seccomp") { diff --git a/interfaces/innerkits/seccomp/include/seccomp_policy.h b/interfaces/innerkits/seccomp/include/seccomp_policy.h index 3f23cfc0a337676f575c76e972e0b3daa6da51fd..5b9f70626a824af557872925104c3563277ad5c7 100644 --- a/interfaces/innerkits/seccomp/include/seccomp_policy.h +++ b/interfaces/innerkits/seccomp/include/seccomp_policy.h @@ -25,14 +25,12 @@ extern "C" { #endif #endif -typedef enum { - SYSTEM, - APPSPAWN, - APP, - NWEBSPAWN, -} PolicyType; +#define SYSTEM_NAME "system" +#define APPSPAWN_NAME "appspawn" +#define NWEBSPAWN_NAME "nwebspawn" +#define APP_NAME "app" -bool SetSeccompPolicy(PolicyType policy); +bool SetSeccompPolicyWithName(const char *filterName); #ifdef __cplusplus #if __cplusplus 
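Review bot: Narrowing `install_images` to `[ "system" ]` (here, and for `system_filter` in services/modules/seccomp/BUILD.gn, which also drops "ramdisk") leaves the updater and ramdisk images without these libraries, while the new loader in seccomp_policy.c resolves filters only from `/system/lib` or `/system/lib64` at run time. If init in those images still registers `SeccompHook` (not visible in this diff), `SetSeccompPolicyWithName(SYSTEM_NAME)` would fail at `dlopen` there and the system filter would not be applied. Please confirm which images enable seccomp, and either keep the filter installed for them or make the load failure fatal rather than a logged `-1`.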
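Review bot: `SetSeccompPolicyWithName` has no contract comment, and moving from the closed `PolicyType` enum to a free-form string means the header no longer tells callers which values are valid. I would add above the prototype: `/* filterName: one of the *_NAME macros above, non-NULL; returns false if the filter library cannot be loaded or the filter cannot be installed. */`. Removing `SetSeccompPolicy(PolicyType)` outright would also break any caller outside this diff; if such callers exist, a transitional wrapper would avoid that.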
diff --git a/services/modules/BUILD.gn b/services/modules/BUILD.gn index 5023a02edf4dde0654a9638b95ad16245a8369e2..3b5a098a00baa95c682daba532f036c027f1d3fa 100755 --- a/services/modules/BUILD.gn +++ b/services/modules/BUILD.gn @@ -36,7 +36,7 @@ group("modulesgroup") { "reboot:rebootmodule", ] if (build_seccomp) { - deps += [ "seccomp:seccomp_module" ] + deps += [ "seccomp:seccomp_filter" ] } if (build_selinux) { deps += [ "selinux:selinuxadp" ] diff --git a/services/modules/seccomp/BUILD.gn b/services/modules/seccomp/BUILD.gn index ae4805852fd22e754f526b606781acfb55afdb6e..3813a009b9ae11bba8c79be9b52b42df01e435e4 100755 --- a/services/modules/seccomp/BUILD.gn +++ b/services/modules/seccomp/BUILD.gn @@ -77,16 +77,11 @@ ohos_prebuilt_seccomp("system_filter") { } filtername = "g_systemSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" install_enable = true - install_images = [ - "system", - "ramdisk", - "updater", - ] + install_images = [ "system" ] } ohos_prebuilt_seccomp("appspawn_filter") { @@ -102,7 +97,6 @@ ohos_prebuilt_seccomp("appspawn_filter") { } filtername = "g_appspawnSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" @@ -118,7 +112,6 @@ ohos_prebuilt_seccomp("nwebspawn_filter") { } filtername = "g_nwebspawnSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" @@ -139,7 +132,6 @@ ohos_prebuilt_seccomp("app_filter") { } filtername = "g_appSeccompFilter" - include_dirs = [ "." ] part_name = INIT_PART subsystem_name = "startup" 
@@ -147,46 +139,30 @@ ohos_prebuilt_seccomp("app_filter") { install_images = [ "system" ] } -ohos_shared_library("seccomp_module") { - sources = [ "seccomp_policy.c" ] - +config("libseccomp_static_config") { include_dirs = [ "//base/startup/init/services/modules", - "//base/startup/init/interfaces/innerkits/include", "//base/startup/init/interfaces/innerkits/seccomp/include", - "//base/startup/init/services/modules/seccomp", + "//third_party/bounds_checking_function/include", ] +} - deps = [ - ":system_filter", - "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine", +ohos_source_set("libseccomp_static") { + sources = [ + "seccomp_policy.c", + "seccomp_policy_static.c", ] - - cflags = [ "-DSECCOMP_PLUGIN" ] - - part_name = "init" - if (target_cpu == "arm64") { - module_install_dir = "lib64/init" - } else { - module_install_dir = "lib/init" - } - install_images = [ - "system", - "ramdisk", - "updater", + public_configs = [ + ":libseccomp_static_config", + "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config", ] } -config("libseccomp_static_config") { - include_dirs = [ - "//base/startup/init/services/modules", - "//base/startup/init/services/modules/seccomp", - "//base/startup/init/interfaces/innerkits/seccomp/include", +group("seccomp_filter") { + deps = [ + ":app_filter", + ":appspawn_filter", + ":nwebspawn_filter", + ":system_filter", ] } - -ohos_source_set("libseccomp_static") { - sources = [ "seccomp_policy_static.c" ] - public_configs = [ ":libseccomp_static_config" ] - public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ] -} diff --git a/services/modules/seccomp/seccomp_filters.h b/services/modules/seccomp/seccomp_filters.h deleted file mode 100644 index 7791afb3ada56df0182d8569935cc7eed35bdbc4..0000000000000000000000000000000000000000 --- a/services/modules/seccomp/seccomp_filters.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright (c) 2022 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef SECCOMP_FILTERS_H -#define SECCOMP_FILTERS_H - -#include -#include - -#ifdef __cplusplus -#if __cplusplus -extern "C" { -#endif -#endif - -extern const struct sock_filter g_appspawnSeccompFilter[]; -extern const size_t g_appspawnSeccompFilterSize; - -extern const struct sock_filter g_systemSeccompFilter[]; -extern const size_t g_systemSeccompFilterSize; - -extern const struct sock_filter g_nwebspawnSeccompFilter[]; -extern const size_t g_nwebspawnSeccompFilterSize; - -extern const struct sock_filter g_appSeccompFilter[]; -extern const size_t g_appSeccompFilterSize; - -#ifdef __cplusplus -#if __cplusplus -} -#endif -#endif - -#endif // SECCOMP_FILTERS_H - diff --git a/services/modules/seccomp/seccomp_policy.c b/services/modules/seccomp/seccomp_policy.c index 41a3600145ad50916ad2202f503ec4966e0eeb93..09359cc94f85bc76116e7d27cd1c3f5661214fae 100644 --- a/services/modules/seccomp/seccomp_policy.c +++ b/services/modules/seccomp/seccomp_policy.c @@ -14,12 +14,10 @@ */ #include "seccomp_policy.h" -#include "seccomp_filters.h" #include "plugin_adapter.h" -#ifdef SECCOMP_PLUGIN -#include "init_module_engine.h" -#endif +#include "securec.h" +#include #include #include #include 
@@ -33,6 +31,14 @@ #define SECCOMP_SET_MODE_FILTER (1) #endif +#ifdef __aarch64__ +#define FILTER_LIB_PATH_FORMAT "/system/lib64/lib%s_filter.z.so" +#else +#define FILTER_LIB_PATH_FORMAT "/system/lib/lib%s_filter.z.so" +#endif +#define FILTER_NAME_FORMAT "g_%sSeccompFilter" +#define FILTER_SIZE_STRING "Size" + static bool IsSupportFilterFlag(unsigned int filterFlag) { errno = 0; 
@@ -69,78 +75,41 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter return true; } -#ifndef SECCOMP_PLUGIN -bool SetSeccompPolicy(PolicyType policy) +bool SetSeccompPolicyWithName(const char *filterName) { - bool ret = false; - switch (policy) { - case APPSPAWN: - ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); - break; - case NWEBSPAWN: - ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); - break; - case APP: - ret = InstallSeccompPolicy(g_appSeccompFilter, g_appSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); - break; - default: - ret = false; - } + char filterLibPath[512] = {0}; + char filterVaribleName[512] = {0}; + struct sock_filter *filterPtr = NULL; + size_t *filterSize = NULL; - return ret; -} -#else -static bool SetSystemSeccompPolicy(void) -{ - return InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); -} + int rc = snprintf_s(filterLibPath, sizeof(filterLibPath), \ + strlen(filterName) + strlen(FILTER_LIB_PATH_FORMAT) - strlen("%s"), \ + FILTER_LIB_PATH_FORMAT, filterName); + PLUGIN_CHECK(rc != -1, return false, "snprintf_s filterLibPath failed"); -static int DoSetSeccompPolicyStart(void) -{ - bool ret = false; - ret = SetSystemSeccompPolicy(); - PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed"); + rc = snprintf_s(filterVaribleName, sizeof(filterVaribleName), \ + strlen(filterName) + strlen(FILTER_NAME_FORMAT) - strlen("%s"), \ + FILTER_NAME_FORMAT, filterName); + PLUGIN_CHECK(rc != -1, return false, "snprintf_s faiVribleName failed"); - return 0; -} + void *handler = dlopen(filterLibPath, RTLD_LAZY); + PLUGIN_CHECK(handler != NULL, return false, "dlopen %s failed", filterLibPath); -static int DoSetSeccompPolicyCmd(int id, const char *name, int argc, const char **argv) -{ - PLUGIN_LOGI("DoBootchartCmd argc %d %s", argc, name); - PLUGIN_CHECK(argc >= 1, 
return -1, "Invalid parameter"); - if (strcmp(argv[0], "start") == 0) { - return DoSetSeccompPolicyStart(); - } - return 0; -} + filterPtr = (struct sock_filter *)dlsym(handler, filterVaribleName); + PLUGIN_CHECK(filterPtr != NULL, dlclose(handler); + return false, "dlsym %s failed", filterVaribleName); -static int32_t g_executorId = -1; -static int SetSeccompPolicyInit(void) -{ - if (g_executorId == -1) { - g_executorId = AddCmdExecutor("SetSeccompPolicy", DoSetSeccompPolicyCmd); - PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId); - } - return 0; -} + rc = strcat_s(filterVaribleName, strlen(filterVaribleName) + strlen(FILTER_SIZE_STRING) + 1, FILTER_SIZE_STRING); + PLUGIN_CHECK(rc == 0, dlclose(handler); + return false, "strcat_s filterVaribleName failed"); -static void SetSeccompPolicyExit(void) -{ - PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId); - if (g_executorId != -1) { - RemoveCmdExecutor("SetSeccompPolicy", g_executorId); - } -} + filterSize = (size_t *)dlsym(handler, filterVaribleName); + PLUGIN_CHECK(filterSize != NULL, dlclose(handler); + return false, "dlsym %s failed", filterVaribleName); -MODULE_CONSTRUCTOR(void) -{ - PLUGIN_LOGI("DoSetSeccompPolicyStart now ..."); - SetSeccompPolicyInit(); -} + bool ret = InstallSeccompPolicy(filterPtr, *filterSize, SECCOMP_FILTER_FLAG_LOG); -MODULE_DESTRUCTOR(void) -{ - PLUGIN_LOGI("DoSetSeccompPolicyStop now ..."); - SetSeccompPolicyExit(); + dlclose(handler); + + return ret; } -#endif diff --git a/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy index 92110403b2d467d0d1385c61179a606281b130eb..cc91333124d9a7ee92ee31c7e9ba70cbb93abf6c 100644 --- a/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy @@ -17,9 +17,6 @@ arm @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @priority ioctl futex 
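Review bot: `SetSeccompPolicyWithName` uses `filterName` unchecked: `strlen(filterName)` is undefined for NULL, and the string is formatted straight into the path handed to `dlopen`, so a name containing `/` or `.` is not confined to the intended `lib<name>_filter.z.so` files. The `strcat_s` call also passes `strlen(filterVaribleName) + strlen(FILTER_SIZE_STRING) + 1` as the destination size, which always fits by construction, so the bounds check can never trip for the 512-byte array; it should be `sizeof(filterVaribleName)`. I would validate the name before any formatting, as in the excerpt below. The second `snprintf_s` error message reads `snprintf_s faiVribleName failed`, which looks like a typo for the variable name.

```c
/* Accept only names made of letters, digits and '_' so the name cannot alter the library path. */
static bool IsFilterNameValid(const char *filterName)
{
    if (filterName == NULL || *filterName == '\0') {
        return false;
    }
    for (const char *p = filterName; *p != '\0'; p++) {
        bool ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
            (*p >= '0' && *p <= '9') || (*p == '_');
        if (!ok) {
            return false;
        }
    }
    return true;
}

bool SetSeccompPolicyWithName(const char *filterName)
{
    PLUGIN_CHECK(IsFilterNameValid(filterName), return false, "invalid seccomp filter name");
    /* … unchanged: buffers, both snprintf_s calls, dlopen, first dlsym … */

    rc = strcat_s(filterVaribleName, sizeof(filterVaribleName), FILTER_SIZE_STRING);
    /* … unchanged: rc check, second dlsym, InstallSeccompPolicy, dlclose … */
```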
diff --git a/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy index c9d0a94719076dfe54e651a60cd98d31c42b2a43..b52ec8f5dcd6f0c332fa9dd48271fc1868e46065 100644 --- a/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy @@ -17,9 +17,6 @@ arm64 @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @priority ioctl futex diff --git a/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy index ea9816d64ebea9e352552437d5873d791a9536e1..f5a3968036fa29386ddbe92b6fd42d1543d82035 100644 --- a/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy @@ -18,7 +18,6 @@ arm KILL_PROCESS @headFiles -"seccomp_filters.h" "time.h" "sys/ioctl.h" "linux/futex.h" diff --git a/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy index bfadb0a6799a854e02388a5de823b979435427ba..a7192b3762c3b2487113f9985732b6ebb0bf6664 100644 --- a/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy @@ -18,7 +18,6 @@ arm64 KILL_PROCESS @headFiles -"seccomp_filters.h" "time.h" "sys/ioctl.h" "linux/futex.h" diff --git a/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy index 12cb720eaf7372dcfd28a2926acd0f5467a93f02..0b882f6087229e5d26b59eba558ffafd828ae44b 100644 --- a/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy 
@@ -20,9 +20,6 @@ KILL_PROCESS @mode ONLY_CHECK_ARGS -@headFiles -"seccomp_filters.h" - @allowListWithArgs setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; diff --git a/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy index 21bcad77f5eca26c94aa6b5207504c9986ce4fdf..acf97888ca5b1603aec032bc2f18cfd8bb27c389 100644 --- a/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy @@ -19,9 +19,6 @@ KILL_PROCESS @mode ONLY_CHECK_ARGS -@headFiles -"seccomp_filters.h" - @allowListWithArgs setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; diff --git a/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy index edf295fe5f529e29344b50c5a113a678484083fb..3b70f6d00f631b41a1c94e2d9dc23766bcddfa0f 100644 --- a/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy @@ -17,9 +17,6 @@ arm @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @allowList restart_syscall exit diff --git a/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy index 4ac4c1ec2451e98dd003a5463308af766ab6bde7..65a04d0e5712ebfc2f3a20d7044a629759aacfbc 100644 --- a/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy 
@@ -17,9 +17,6 @@ arm64 @returnValue KILL_PROCESS -@headFiles -"seccomp_filters.h" - @allowList io_setup io_destroy diff --git a/services/modules/seccomp/seccomp_policy_static.c b/services/modules/seccomp/seccomp_policy_static.c index 61fabd36d4cdbc35beec231b9c27cc5ddd6bf7fb..fba03f614c5953cdb4607a66d3293acfdf365961 100644 --- a/services/modules/seccomp/seccomp_policy_static.c +++ b/services/modules/seccomp/seccomp_policy_static.c @@ -15,10 +15,32 @@ #include #include "init_module_engine.h" #include "plugin_adapter.h" +#include "seccomp_policy.h" + +static int SetSystemSeccompPolicy(int id, const char *name, int argc, const char **argv) +{ + PLUGIN_LOGI("SetSystemSeccompPolicy argc %d %s", argc, name); + PLUGIN_CHECK(argc >= 1, return -1, "Invalid parameter"); + + bool ret = SetSeccompPolicyWithName(SYSTEM_NAME); + PLUGIN_CHECK(ret == true, return -1, "SetSystemSeccompPolicy failed"); + + return 0; +} + +static int32_t g_executorId = -1; +static int SetSeccompPolicyInit(void) +{ + if (g_executorId == -1) { + g_executorId = AddCmdExecutor("SetSeccompPolicy", SetSystemSeccompPolicy); + PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId); + } + return 0; +} static int SeccompHook(const HOOK_INFO *info, void *cookie) { - InitModuleMgrInstall("seccomp_module"); + SetSeccompPolicyInit(); PLUGIN_LOGI("seccomp enabled."); return 0; } diff --git a/test/unittest/seccomp/seccomp_unittest.cpp b/test/unittest/seccomp/seccomp_unittest.cpp index fdcf97f47eb74a3419a9c192716a2c1e3273b217..20c2fd6645f55a137be2d2536bd73b3c3c965cbb 100644 --- a/test/unittest/seccomp/seccomp_unittest.cpp +++ b/test/unittest/seccomp/seccomp_unittest.cpp @@ -53,7 +53,7 @@ public: { } - static pid_t StartChild(PolicyType type, SyscallFunc func) + static pid_t StartChild(const char *filterName, SyscallFunc func) { pid_t pid = fork(); if (pid == 0) { 
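Review bot: `SetSystemSeccompPolicy` checks `argc >= 1` but never reads `argv`, whereas the removed `DoSetSeccompPolicyCmd` installed the filter only when `argv[0]` was "start"; any argument to the `SetSeccompPolicy` command now installs it. If that is intended, drop the `argc` check or say so in a comment; otherwise restore `strcmp(argv[0], "start") == 0` before calling `SetSeccompPolicyWithName(SYSTEM_NAME)`. The removed module also called `RemoveCmdExecutor` in its destructor and nothing in this hunk replaces that, so please confirm the executor is meant to live for the whole init process.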
@@ -61,8 +61,8 @@ public: std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; exit(EXIT_FAILURE); } - if (type != SYSTEM && !SetSeccompPolicy(type)) { - std::cout << "SetSeccompPolicy set fail type is " << type << std::endl; + if (!SetSeccompPolicyWithName(filterName)) { + std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl; exit(EXIT_FAILURE); } @@ -78,7 +78,7 @@ public: return pid; } - static int CheckSyscall(PolicyType type, SyscallFunc func, bool isAllow) + static int CheckSyscall(const char *filterName, SyscallFunc func, bool isAllow) { sigset_t set; int status; @@ -93,7 +93,7 @@ public: std::cout << "signal failed:" << strerror(errno) << std::endl; } - pid = StartChild(type, func); + pid = StartChild(filterName, func); if (pid == -1) { std::cout << "fork failed:" << strerror(errno) << std::endl; return -1; @@ -200,33 +200,33 @@ public: void TestSystemSycall() { // system blocklist - int ret = CheckSyscall(SYSTEM, CheckGetMempolicy, false); + int ret = CheckSyscall(SYSTEM_NAME, CheckGetMempolicy, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(SYSTEM, CheckGetpid, true); + ret = CheckSyscall(SYSTEM_NAME, CheckGetpid, true); EXPECT_EQ(ret, 0); } void TestSetUidGidFilter() { // system blocklist - int ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsOutOfRange, false); + int ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true); + ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuidArgsInRange, true); EXPECT_EQ(ret, 0); } void TestAppSycall() { // app blocklist - int ret = CheckSyscall(APP, CheckSetuid, false); + int ret = CheckSyscall(APP_NAME, CheckSetuid, false); EXPECT_EQ(ret, 0); // app allowlist - ret = CheckSyscall(APP, CheckGetpid, true); + ret = CheckSyscall(APP_NAME, CheckGetpid, true); EXPECT_EQ(ret, 0); } #elif defined __arm__ 
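Review bot: The tests only pass the known `*_NAME` values, so nothing covers the failure path of `SetSeccompPolicyWithName` now that the argument is an arbitrary string. I would add a case asserting that a name with no matching library is rejected, for example `EXPECT_FALSE(SetSeccompPolicyWithName("no_such_filter"));` (the name is a constructed sample). `StartChild` also no longer skips the install for the system policy, so every case here depends on the filter libraries being present under `/system/lib` or `/system/lib64` on the test device. The failure message misspells the parameter as `fiterName`.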
@@ -281,33 +281,33 @@ public: void TestSystemSycall() { // system blocklist - int ret = CheckSyscall(SYSTEM, CheckGetuid, false); + int ret = CheckSyscall(SYSTEM_NAME, CheckGetuid, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(SYSTEM, CheckGetuid32, true); + ret = CheckSyscall(SYSTEM_NAME, CheckGetuid32, true); EXPECT_EQ(ret, 0); } void TestSetUidGidFilter() { // system blocklist - int ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsOutOfRange, false); + int ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false); EXPECT_EQ(ret, 0); // system allowlist - ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true); + ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true); EXPECT_EQ(ret, 0); } void TestAppSycall() { // app blocklist - int ret = CheckSyscall(APP, CheckSetuid32, false); + int ret = CheckSyscall(APP_NAME, CheckSetuid32, false); EXPECT_EQ(ret, 0); // app allowlist - ret = CheckSyscall(APP, CheckGetuid32, true); + ret = CheckSyscall(APP_NAME, CheckGetuid32, true); EXPECT_EQ(ret, 0); } #endif