Skip to content

S
Startup Init Lite

OpenHarmony / Startup Init Lite
大约 1 年 前同步成功

通知 3
Star 37
Fork 0
S
Startup Init Lite

体验新版 GitCode,发现更多精彩内容 >>

提交 7211e789 编写于 作者: G GengYinzong
浏览文件
操作

对uid=0做限制 

Signed-off-by: NGengYinzong <gengyinzong@huawei.com>
Change-Id: I8166b04b57f674df323c8874ac1db444253db392
上级 4a063de6
隐藏空白更改
内联 并排
Showing with 677 addition and 0 deletion
services/modules/seccomp/BUILD.gn
浏览文件 @ 7211e789
......@@ -107,6 +107,7 @@ ohos_prebuilt_seccomp("updater_filter") {
filtername = "updater"
process_type = "system"
uid_is_root = true
part_name = INIT_PART
subsystem_name = "startup"
......
services/modules/seccomp/scripts/generate_code_from_policy.py
浏览文件 @ 7211e789
......@@ -101,6 +101,15 @@ def is_function_name_exist(arch, function_name, func_name_nr_table):
raise ValidateError('{} not exsit in {} function_name_nr_table Table'.format(function_name, arch))
def is_function_name_repeats(func_name, allow_list_with_args):
for line in allow_list_with_args:
pos = line.find(':')
function_name = line[:pos]
if func_name == function_name:
return True
return False
def function_name_to_nr(function_name_list, func_name_nr_table):
return set(func_name_nr_table[function_name] for function_name \
in function_name_list if function_name in func_name_nr_table)
......@@ -292,6 +301,9 @@ class SeccompPolicyParam:
priority_function_name_list_with_args
self.final_allow_list_with_args |= self.allow_list_with_args
self.final_priority_with_args |= self.priority_with_args
for line in self.final_allow_list.copy():
if is_function_name_repeats(line, self.final_allow_list_with_args):
self.final_allow_list.remove(line)
self.clear_list()
......
services/modules/seccomp/scripts/seccomp_policy_fixer.gni
浏览文件 @ 7211e789
......@@ -86,6 +86,17 @@ template("ohos_prebuilt_seccomp") {
sources += get_target_outputs(":${_syscall_to_nr_arm_name}")
sources += get_target_outputs(":${_syscall_to_nr_arm64_name}")
uid_is_root = false
if (defined(invoker.uid_is_root)) {
uid_is_root = invoker.uid_is_root
} else {
uid_is_root = false
}
if (invoker.process_type == "system" && invoker.filtername != "appspawn" &&
invoker.filtername != "nwebspawn" && uid_is_root == false) {
sources += [ "//base/startup/init/services/modules/seccomp/seccomp_policy/system_uid_filter.seccomp.policy" ]
}
deps = [
":${_syscall_to_nr_arm64_name}",
":${_syscall_to_nr_arm_name}",
......
services/modules/seccomp/seccomp_policy/system_uid_filter.seccomp.policy 0 → 100644
浏览文件 @ 7211e789
# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# For now, it supports architechture of ['arm', 'arm64'].
@returnValue
TRAP
@allowListWithArgs
setuid: if arg0 != 0; return ALLOW; else return TRAP;all
setreuid: if arg0 != 0 && arg1 != 0; return ALLOW; else return TRAP;all
setfsuid: if arg0 != 0; return ALLOW; else return TRAP;all
setresuid: if arg0 != 0 && arg1 != 0 && arg2 != 0; return ALLOW; else return TRAP;all
setuid32: if arg0 != 0; return ALLOW; else return TRAP;arm
setreuid32: if arg0 != 0 && arg1 != 0; return ALLOW; else return TRAP;arm
setfsuid32: if arg0 != 0; return ALLOW; else return TRAP;arm
setresuid32: if arg0 != 0 && arg1 != 0 && arg2 != 0; return ALLOW; else return TRAP;arm
\ No newline at end of file
test/unittest/seccomp/seccomp_unittest.cpp
浏览文件 @ 7211e789
......@@ -215,6 +215,166 @@ public:
return false;
}
static bool CheckSetuid64ForUidFilter1()
{
int uid = syscall(__NR_setuid, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetuid64ForUidFilter2()
{
int uid = syscall(__NR_setuid, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid64ForUidFilter1()
{
int uid = syscall(__NR_setreuid, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid64ForUidFilter2()
{
int uid = syscall(__NR_setreuid, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid64ForUidFilter3()
{
int uid = syscall(__NR_setreuid, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid64ForUidFilter4()
{
int uid = syscall(__NR_setreuid, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetfsuid64ForUidFilter1()
{
int uid = syscall(__NR_setfsuid, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetfsuid64ForUidFilter2()
{
int uid = syscall(__NR_setfsuid, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter1()
{
int uid = syscall(__NR_setresuid, 0, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter2()
{
int uid = syscall(__NR_setresuid, 2, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter3()
{
int uid = syscall(__NR_setresuid, 0, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter4()
{
int uid = syscall(__NR_setresuid, 0, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter5()
{
int uid = syscall(__NR_setresuid, 0, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter6()
{
int uid = syscall(__NR_setresuid, 2, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter7()
{
int uid = syscall(__NR_setresuid, 2, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid64ForUidFilter8()
{
int uid = syscall(__NR_setresuid, 2, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
void TestSystemSycall()
{
// system blocklist
......@@ -224,6 +384,55 @@ public:
// system allowlist
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetpid, true);
EXPECT_EQ(ret, 0);
// system_uid_filter_test
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid64ForUidFilter2, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter2, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter3, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid64ForUidFilter4, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid64ForUidFilter2, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter2, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter3, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter4, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter5, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter6, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter7, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid64ForUidFilter8, true);
EXPECT_EQ(ret, 0);
}
void TestSetUidGidFilter()
......@@ -296,6 +505,326 @@ public:
return false;
}
static bool CheckSetuid32ForUidFilter1()
{
int uid = syscall(__NR_setuid32, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetuid32ForUidFilter2()
{
int uid = syscall(__NR_setuid32, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetuid16ForUidFilter1()
{
int uid = syscall(__NR_setuid, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetuid16ForUidFilter2()
{
int uid = syscall(__NR_setuid, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid32ForUidFilter1()
{
int uid = syscall(__NR_setreuid32, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid32ForUidFilter2()
{
int uid = syscall(__NR_setreuid32, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid32ForUidFilter3()
{
int uid = syscall(__NR_setreuid32, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid32ForUidFilter4()
{
int uid = syscall(__NR_setreuid32, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid16ForUidFilter1()
{
int uid = syscall(__NR_setreuid, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid16ForUidFilter2()
{
int uid = syscall(__NR_setreuid, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid16ForUidFilter3()
{
int uid = syscall(__NR_setreuid, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetreuid16ForUidFilter4()
{
int uid = syscall(__NR_setreuid, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetfsuid32ForUidFilter1()
{
int uid = syscall(__NR_setfsuid32, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetfsuid32ForUidFilter2()
{
int uid = syscall(__NR_setfsuid32, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetfsuid16ForUidFilter1()
{
int uid = syscall(__NR_setfsuid, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetfsuid16ForUidFilter2()
{
int uid = syscall(__NR_setfsuid, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter1()
{
int uid = syscall(__NR_setresuid32, 0, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter2()
{
int uid = syscall(__NR_setresuid32, 2, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter3()
{
int uid = syscall(__NR_setresuid32, 0, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter4()
{
int uid = syscall(__NR_setresuid32, 0, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter5()
{
int uid = syscall(__NR_setresuid32, 0, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter6()
{
int uid = syscall(__NR_setresuid32, 2, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter7()
{
int uid = syscall(__NR_setresuid32, 2, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ForUidFilter8()
{
int uid = syscall(__NR_setresuid32, 2, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter1()
{
int uid = syscall(__NR_setresuid, 0, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter2()
{
int uid = syscall(__NR_setresuid, 2, 0, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter3()
{
int uid = syscall(__NR_setresuid, 0, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter4()
{
int uid = syscall(__NR_setresuid, 0, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter5()
{
int uid = syscall(__NR_setresuid, 0, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter6()
{
int uid = syscall(__NR_setresuid, 2, 0, 2);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter7()
{
int uid = syscall(__NR_setresuid, 2, 2, 0);
if (uid == 0) {
return true;
}
return false;
}
static bool CheckSetresuid16ForUidFilter8()
{
int uid = syscall(__NR_setresuid, 2, 2, 2);
if (uid == 0) {
return true;
}
return false;
}
void TestSystemSycall()
{
// system blocklist
......@@ -305,6 +834,103 @@ public:
// system allowlist
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckGetuid32, true);
EXPECT_EQ(ret, 0);
// system_uid_filter_test
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid32ForUidFilter2, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetuid16ForUidFilter2, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter2, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter3, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid32ForUidFilter4, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter2, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter3, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetreuid16ForUidFilter4, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid32ForUidFilter2, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetfsuid16ForUidFilter2, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter2, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter3, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter4, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter5, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter6, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter7, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid32ForUidFilter8, true);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter1, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter2, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter3, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter4, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter5, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter6, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter7, false);
EXPECT_EQ(ret, 0);
ret = CheckSyscall(SYSTEM_SA, SYSTEM_NAME, CheckSetresuid16ForUidFilter8, true);
EXPECT_EQ(ret, 0);
}
void TestSetUidGidFilter()
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册