<feat>

app进程沙盒支持seccomp-BPF

<body>
增加app进程的系统调用名单配置文件
增加app的进程使能分支
在配置文件中的带参数限制白名单项，增加返回结果，并在解析脚本编写相应的解析代码
Signed-off-by: Nxiacong <xiacong4@huawei.com>
Change-Id: Ifc17b661750d7070e17bc2a469c285ecb44d871a
Signed-off-by: Nxiacong <xiacong4@huawei.com>

interfaces/innerkits/seccomp/BUILD.gn

@@ -33,9 +33,9 @@ if (defined(build_seccomp) && build_seccomp) {
 
     deps = [
       "//base/startup/init/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/services/modules/seccomp:app_filter",
       "//base/startup/init/services/modules/seccomp:appspawn_filter",
       "//base/startup/init/services/modules/seccomp:nwebspawn_filter",
-      "//base/startup/init/services/modules/seccomp:system_filter",
     ]
 
     license_file = "//base/startup/init/LICENSE"

services/modules/seccomp/BUILD.gn

@@ -107,11 +107,7 @@ ohos_prebuilt_seccomp("appspawn_filter") {
   subsystem_name = "startup"
 
   install_enable = true
-  install_images = [
-    "system",
-    "ramdisk",
-    "updater",
-  ]
+  install_images = [ "system" ]
 }
 
 ohos_prebuilt_seccomp("nwebspawn_filter") {
@@ -127,11 +123,28 @@ ohos_prebuilt_seccomp("nwebspawn_filter") {
   subsystem_name = "startup"
 
   install_enable = true
-  install_images = [
-    "system",
-    "ramdisk",
-    "updater",
-  ]
+  install_images = [ "system" ]
+}
+
+ohos_prebuilt_seccomp("app_filter") {
+  sources = []
+  if (target_cpu == "arm") {
+    sources += [ "seccomp_policy/app_arm.seccomp.policy" ]
+  } else if (target_cpu == "arm64") {
+    sources += [
+      # 64-bit machine also need check use 32-bit syscall
+      "seccomp_policy/app_arm.seccomp.policy",
+      "seccomp_policy/app_arm64.seccomp.policy",
+    ]
+  }
+
+  filtername = "g_appSeccompFilter"
+  include_dirs = [ "." ]
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  install_enable = true
+  install_images = [ "system" ]
 }
 
 ohos_shared_library("seccomp_module") {
@@ -145,16 +158,12 @@ ohos_shared_library("seccomp_module") {
   ]
 
   deps = [
-    ":appspawn_filter",
-    ":nwebspawn_filter",
     ":system_filter",
-    "//base/startup/init/interfaces/innerkits:libbegetutil",
+    "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine",
   ]
 
   cflags = [ "-DSECCOMP_PLUGIN" ]
 
-  external_deps = [ "init:libinit_module_engine" ]
-
   part_name = "init"
   if (target_cpu == "arm64") {
     module_install_dir = "lib64/init"

services/modules/seccomp/scripts/generate_code_from_policy.py

@@ -40,7 +40,8 @@ operation = ['<', '<=', '!=', '==', '>', '>=', '&']
 ret_str_to_bpf = {
     'KILL_PROCESS': 'SECCOMP_RET_KILL_PROCESS',
     'KILL_THREAD': 'SECCOMP_RET_KILL_THREAD',
-    'LOG' : 'SECCOMP_RET_LOG'
+    'LOG' : 'SECCOMP_RET_LOG',
+    'ALLOW': 'SECCOMP_RET_ALLOW'
 }
 
 mode_str = {
@@ -201,6 +202,7 @@ class GenBpfPolicy:
         self.function_name_nr_table = {}
         self.gen_mode = 0
         self.flag = True
+        self.return_value = ''
         self.operate_func_table = {
             '<' : self.gen_bpf_lt,
             '<=': self.gen_bpf_le,
@@ -232,6 +234,13 @@ class GenBpfPolicy:
     def set_gen_mode(self, mode):
         self.gen_mode = mode_str.get(mode)
 
+    def set_return_value(self, return_value):
+        if return_value not in ret_str_to_bpf:
+            self.set_gen_mode(False)
+            return
+
+        self.return_value = return_value
+
     @staticmethod
     def gen_bpf_eq32(const_str, jt, jf):
         bpf_policy = []
@@ -306,9 +315,9 @@ class GenBpfPolicy:
         low = number & 0xffffffff
 
         if digit_flag and hight == 0:
-            bpf_policy.append(BPF_JGE.format('((unsigned long)'+const_str+') >> 32', jt + 2, 0))
+            bpf_policy.append(BPF_JGT.format('((unsigned long)'+const_str+') >> 32', jt + 2, 0))
         else:
-            bpf_policy.append(BPF_JGE.format('((unsigned long)'+const_str+') >> 32', jt + 3, 0))
+            bpf_policy.append(BPF_JGT.format('((unsigned long)'+const_str+') >> 32', jt + 3, 0))
             bpf_policy.append(BPF_JEQ.format('((unsigned long)'+const_str+') >> 32', 0, jf + 2))
         bpf_policy.append(BPF_LOAD_MEM.format(0))
         bpf_policy.append(BPF_JGE.format(const_str+' & 0xffffffff', jt, jf))
@@ -526,38 +535,52 @@ class GenBpfPolicy:
         bpf_policy = []
         for atom in reversed(atoms):
             bpf_policy = self.compile_atom(atom, len(bpf_policy)) + bpf_policy
-        bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_ALLOW'))
         return bpf_policy
 
     def parse_sub_group(self, group):
         bpf_policy = []
-        and_cond_groups = group.split('||')
+        group_info = group.split(';')
+        operation_part = group_info[0]
+        return_part = group_info[1]
+        if not return_part.startswith('return'):
+            self.set_gen_flag(False)
+            return bpf_policy
+        self.set_return_value(return_part[len('return'):])
+        and_cond_groups = operation_part.split('||')
         for and_condition_group in and_cond_groups:
             bpf_policy += self.parse_args_with_condition(and_condition_group)
         return bpf_policy
 
+    def parse_else_part(self, else_part):
+        return_value = else_part.split(';')[0][else_part.find('return') + len('return'):]
+        self.set_return_value(return_value)
+
     def parse_args(self, function_name, line, skip):
         bpf_policy = []
-
-        group = line.split('elif')
+        group_info  = line.split('else')
+        else_part = group_info[-1]
+        group = group_info[0].split('elif')
         for sub_group in group:
             bpf_policy += self.parse_sub_group(sub_group)
+            bpf_policy.append(BPF_RET_VALUE.format(ret_str_to_bpf.get(self.return_value)))
+        self.parse_else_part(else_part)
+        bpf_policy.append(BPF_RET_VALUE.format(ret_str_to_bpf.get(self.return_value)))
         syscall_nr = self.function_name_nr_table.get(function_name)
         #load syscall nr
         bpf_policy = self.gen_bpf_valid_syscall_nr(syscall_nr, len(bpf_policy) - skip)  + bpf_policy
         return bpf_policy
 
-    def gen_bpf_policy_with_args(self, allow_list_with_args, mode):
+    def gen_bpf_policy_with_args(self, allow_list_with_args, mode, return_value):
         self.set_gen_mode(mode)
         skip = 0
         for line in allow_list_with_args:
             if self.gen_mode == 1 and line == list(allow_list_with_args)[-1]:
-                skip = 1
+                skip = 2
             line = line.replace(' ', '')
             pos = line.find(':')
             function_name = line[:pos]
 
-            left_line = line[pos+1:]
+            left_line = line[pos + 1:]
             if not left_line.startswith('if'):
                 continue
 
@@ -674,7 +697,7 @@ class SeccompPolicyParser:
         self.bpf_generator.gen_bpf_policy(syscall_nr_priority)
         self.bpf_generator.gen_bpf_policy(syscall_nr_allow_list)
         self.bpf_generator.gen_bpf_policy_with_args(self.cur_policy_param.final_allow_list_with_args, \
-            self.cur_policy_param.mode)
+            self.cur_policy_param.mode, self.cur_policy_param.return_value)
 
         self.bpf_generator.add_return_value(self.cur_policy_param.return_value)
 

services/modules/seccomp/seccomp_filters.h

@@ -34,6 +34,9 @@ extern const size_t g_systemSeccompFilterSize;
 extern const struct sock_filter g_nwebspawnSeccompFilter[];
 extern const size_t g_nwebspawnSeccompFilterSize;
 
+extern const struct sock_filter g_appSeccompFilter[];
+extern const size_t g_appSeccompFilterSize;
+
 #ifdef __cplusplus
 #if __cplusplus
 }

services/modules/seccomp/seccomp_policy.c

@@ -69,31 +69,36 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
     return true;
 }
 
+#ifndef SECCOMP_PLUGIN
 bool SetSeccompPolicy(PolicyType policy)
 {
     bool ret = false;
     switch (policy) {
-        case SYSTEM:
-            ret = InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
-            break;
         case APPSPAWN:
             ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
             break;
         case NWEBSPAWN:
             ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
             break;
+        case APP:
+            ret = InstallSeccompPolicy(g_appSeccompFilter, g_appSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
+            break;
         default:
             ret = false;
     }
 
     return ret;
 }
+#else
+static bool SetSystemSeccompPolicy(void)
+{
+    return InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
+}
 
-#ifdef SECCOMP_PLUGIN
 static int DoSetSeccompPolicyStart(void)
 {
     bool ret = false;
-    ret = SetSeccompPolicy(SYSTEM);
+    ret = SetSystemSeccompPolicy();
     PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed");
 
     return 0;

services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm
+
+@returnValue
+KILL_PROCESS
+
+@headFiles
+"seccomp_filters.h"
+
+@priority
+ioctl
+futex
+
+@allowList
+restart_syscall
+exit
+fork
+read
+write
+open
+close
+creat
+unlink
+execve
+chdir
+chmod
+lseek
+getpid
+getuid
+ptrace
+access
+sync
+kill
+rename
+mkdir
+dup
+pipe
+times
+brk
+ioctl
+fcntl
+setpgid
+umask
+dup2
+getppid
+setsid
+sigaction
+setrlimit
+getrusage
+gettimeofday
+readlink
+munmap
+truncate
+fchmod
+getpriority
+setpriority
+setitimer
+getitimer
+stat
+wait4
+sysinfo
+fsync
+sigreturn
+clone
+uname
+mprotect
+quotactl
+getpgid
+fchdir
+personality
+_llseek
+getdents
+_newselect
+flock
+msync
+readv
+writev
+getsid
+fdatasync
+mlock
+munlock
+mlockall
+munlockall
+sched_setparam
+sched_getparam
+sched_setscheduler
+sched_getscheduler
+sched_yield
+sched_get_priority_max
+sched_get_priority_min
+sched_rr_get_interval
+nanosleep
+mremap
+poll
+prctl
+rt_sigreturn
+rt_sigaction
+rt_sigprocmask
+rt_sigpending
+rt_sigtimedwait
+rt_sigqueueinfo
+rt_sigsuspend
+pread64
+pwrite64
+getcwd
+capget
+capset
+sigaltstack
+sendfile
+vfork
+ugetrlimit
+mmap2
+truncate64
+ftruncate64
+stat64
+lstat64
+fstat64
+getuid32
+getgid32
+geteuid32
+getegid32
+getgroups32
+setgroups32
+fchown32
+setresuid32
+getresuid32
+setresgid32
+getresgid32
+getdents64
+mincore
+madvise
+fcntl64
+gettid
+readahead
+setxattr
+lsetxattr
+fsetxattr
+getxattr
+lgetxattr
+fgetxattr
+listxattr
+llistxattr
+flistxattr
+removexattr
+lremovexattr
+fremovexattr
+tkill
+sendfile64
+futex
+sched_setaffinity
+sched_getaffinity
+io_setup
+io_destroy
+io_getevents
+io_submit
+io_cancel
+exit_group
+epoll_create
+epoll_ctl
+epoll_wait
+remap_file_pages
+set_tid_address
+timer_create
+timer_settime
+timer_gettime
+timer_getoverrun
+timer_delete
+clock_gettime
+clock_getres
+clock_nanosleep
+statfs64
+fstatfs64
+tgkill
+fadvise64_64
+waitid
+socket
+bind
+connect
+listen
+accept
+getsockname
+getpeername
+socketpair
+sendto
+recvfrom
+shutdown
+setsockopt
+getsockopt
+sendmsg
+recvmsg
+inotify_init
+inotify_add_watch
+inotify_rm_watch
+openat
+mkdirat
+mknodat
+fchownat
+fstatat64
+unlinkat
+renameat
+linkat
+symlinkat
+readlinkat
+fchmodat
+faccessat
+pselect6
+ppoll
+unshare
+splice
+sync_file_range2
+tee
+vmsplice
+getcpu
+epoll_pwait
+utimensat
+timerfd_create
+eventfd
+fallocate
+timerfd_settime
+timerfd_gettime
+signalfd4
+eventfd2
+epoll_create1
+dup3
+pipe2
+inotify_init1
+preadv
+pwritev
+rt_tgsigqueueinfo
+perf_event_open
+recvmmsg
+accept4
+prlimit64
+syncfs
+sendmmsg
+setns
+process_vm_readv
+process_vm_writev
+finit_module
+sched_setattr
+sched_getattr
+renameat2
+seccomp
+getrandom
+memfd_create
+bpf
+execveat
+userfaultfd
+membarrier
+mlock2
+copy_file_range
+preadv2
+pwritev2
+statx
+clock_gettime64
+clock_settime64
+clock_adjtime64
+clock_getres_time64
+clock_nanosleep_time64
+timer_gettime64
+timer_settime64
+timerfd_gettime64
+timerfd_settime64
+utimensat_time64
+pselect6_time64
+ppoll_time64
+recvmmsg_time64
+semtimedop_time64
+rt_sigtimedwait_time64
+futex_time64
+sched_rr_get_interval_time64
+pidfd_send_signal
+pidfd_open
+close_range
+pidfd_getfd
+process_madvise
+cacheflush
+set_tls
+
+@blockList
+mount
+acct
+umount2
+chroot
+sethostname
+settimeofday
+swapon
+reboot
+syslog
+swapoff
+setdomainname
+adjtimex
+init_module
+delete_module
+setfsuid
+setfsgid
+setreuid32
+setregid32
+setuid32
+setgid32
+clock_settime
+clock_adjtime
\ No newline at end of file

services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm64
+
+@returnValue
+KILL_PROCESS
+
+@headFiles
+"seccomp_filters.h"
+
+@priority
+ioctl
+futex
+
+@allowList
+io_setup
+io_destroy
+io_submit
+io_cancel
+io_getevents
+setxattr
+lsetxattr
+fsetxattr
+getxattr
+lgetxattr
+fgetxattr
+listxattr
+llistxattr
+flistxattr
+removexattr
+lremovexattr
+fremovexattr
+getcwd
+eventfd2
+epoll_create1
+epoll_ctl
+epoll_pwait
+dup
+dup3
+fcntl
+inotify_init1
+inotify_add_watch
+inotify_rm_watch
+ioctl
+ioprio_set
+ioprio_get
+flock
+mknodat
+mkdirat
+unlinkat
+symlinkat
+linkat
+renameat
+pivot_root
+statfs
+fstatfs
+truncate
+ftruncate
+fallocate
+faccessat
+chdir
+fchdir
+fchmod
+fchmodat
+fchownat
+fchown
+openat
+close
+pipe2
+quotactl
+getdents64
+lseek
+read
+write
+readv
+writev
+pread64
+pwrite64
+preadv
+pwritev
+sendfile
+pselect6
+ppoll
+signalfd4
+vmsplice
+splice
+tee
+readlinkat
+newfstatat
+fstat
+sync
+fsync
+fdatasync
+sync_file_range
+timerfd_create
+timerfd_settime
+timerfd_gettime
+utimensat
+capget
+capset
+personality
+exit
+exit_group
+waitid
+set_tid_address
+unshare
+futex
+nanosleep
+getitimer
+setitimer
+timer_create
+timer_gettime
+timer_getoverrun
+timer_settime
+timer_delete
+clock_gettime
+clock_getres
+clock_nanosleep
+ptrace
+sched_setparam
+sched_setscheduler
+sched_getscheduler
+sched_getparam
+sched_setaffinity
+sched_getaffinity
+sched_yield
+sched_get_priority_max
+sched_get_priority_min
+sched_rr_get_interval
+restart_syscall
+kill
+tkill
+tgkill
+sigaltstack
+rt_sigsuspend
+rt_sigaction
+rt_sigprocmask
+rt_sigpending
+rt_sigtimedwait
+rt_sigqueueinfo
+rt_sigreturn
+setpriority
+getpriority
+setresuid
+getresuid
+setresgid
+getresgid
+times
+setpgid
+getpgid
+getsid
+setsid
+getgroups
+setgroups
+uname
+getrlimit
+setrlimit
+getrusage
+umask
+prctl
+getcpu
+gettimeofday
+getpid
+getppid
+getuid
+geteuid
+getgid
+getegid
+gettid
+sysinfo
+socket
+socketpair
+bind
+listen
+accept
+connect
+getsockname
+getpeername
+sendto
+recvfrom
+setsockopt
+getsockopt
+shutdown
+sendmsg
+recvmsg
+readahead
+brk
+munmap
+mremap
+clone
+execve
+mmap
+fadvise64
+mprotect
+msync
+mlock
+munlock
+mlockall
+munlockall
+mincore
+madvise
+rt_tgsigqueueinfo
+perf_event_open
+accept4
+recvmmsg
+wait4
+prlimit64
+syncfs
+setns
+sendmmsg
+process_vm_readv
+process_vm_writev
+finit_module
+sched_setattr
+sched_getattr
+renameat2
+seccomp
+getrandom
+memfd_create
+bpf
+execveat
+userfaultfd
+membarrier
+mlock2
+copy_file_range
+preadv2
+pwritev2
+statx
+pidfd_send_signal
+pidfd_open
+close_range
+pidfd_getfd
+process_madvise
+
+@blockList
+umount2
+mount
+chroot
+acct
+init_module
+delete_module
+clock_settime
+syslog
+reboot
+setregid
+setgid
+setreuid
+setuid
+setfsuid
+setfsgid
+sethostname
+setdomainname
+settimeofday
+adjtimex
+swapon
+swapoff
+clock_adjtime
+
+
+

services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy

@@ -164,9 +164,9 @@ set_tls
 sched_setscheduler
 
 @allowListWithArgs
-getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD
-clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
-clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
-clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
-socketpair:if arg0 == AF_UNIX
-getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF
+getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS;
+clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
+clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
+clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
+socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS;
+getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS;

services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy

@@ -134,9 +134,9 @@ prlimit64
 sched_setscheduler
 
 @allowListWithArgs
-getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD
-clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
-clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
-clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME
-socketpair:if arg0 == AF_UNIX
-getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF
+getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS;
+clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
+clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
+clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
+socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS;
+getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS;

services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy

@@ -24,5 +24,5 @@ ONLY_CHECK_ARGS
 "seccomp_filters.h"
 
 @allowListWithArgs
-setresuid32: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0
-setresgid32: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0
+setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
+setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;

services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy

@@ -23,5 +23,5 @@ ONLY_CHECK_ARGS
 "seccomp_filters.h"
 
 @allowListWithArgs
-setresuid: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0
-setresgid: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0
+setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
+setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;

test/unittest/seccomp/seccomp_unittest.cpp

@@ -61,7 +61,7 @@ public:
                 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl;
                 exit(EXIT_FAILURE);
             }
-            if (!SetSeccompPolicy(type)) {
+            if (type != SYSTEM && !SetSeccompPolicy(type)) {
                 std::cout << "SetSeccompPolicy set fail type is " << type << std::endl;
                 exit(EXIT_FAILURE);
             }
@@ -187,6 +187,16 @@ public:
         return false;
     }
 
+    static bool CheckSetuid()
+    {
+        int uid = syscall(__NR_setuid, 1);
+        if (uid == 0) {
+            return true;
+        }
+
+        return false;
+    }
+
     void TestSystemSycall()
     {
         // system blocklist
@@ -208,6 +218,17 @@ public:
         ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true);
         EXPECT_EQ(ret, 0);
     }
+
+    void TestAppSycall()
+    {
+        // app blocklist
+        int ret = CheckSyscall(APP, CheckSetuid, false);
+        EXPECT_EQ(ret, 0);
+
+        // app allowlist
+        ret = CheckSyscall(APP, CheckGetpid, true);
+        EXPECT_EQ(ret, 0);
+    }
 #elif defined __arm__
     static bool CheckGetuid32()
     {
@@ -227,6 +248,16 @@ public:
         return false;
     }
 
+    static bool CheckSetuid32()
+    {
+        int ret = syscall(__NR_setuid32, 1);
+        if (ret == 0) {
+            return true;
+        }
+
+        return false;
+    }
+
     static bool CheckSetresuid32ArgsInRange()
     {
         int ret = syscall(__NR_setresuid32, 20000, 20000, 20000);
@@ -268,6 +299,17 @@ public:
         ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true);
         EXPECT_EQ(ret, 0);
     }
+
+    void TestAppSycall()
+    {
+        // app blocklist
+        int ret = CheckSyscall(APP, CheckSetuid32, false);
+        EXPECT_EQ(ret, 0);
+
+        // app allowlist
+        ret = CheckSyscall(APP, CheckGetuid32, true);
+        EXPECT_EQ(ret, 0);
+    }
 #endif
 };
 
@@ -275,11 +317,35 @@ public:
  * @tc.name: TestSystemSycall
  * @tc.desc: Verify the system seccomp policy.
  * @tc.type: FUNC
- * @tc.require: I5IUWJ
+ * @tc.require: issueI5IUWJ
  */
 HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1)
 {
     SeccompUnitTest test;
     test.TestSystemSycall();
 }
+
+/**
+ * @tc.name: TestSetUidGidFilter
+ * @tc.desc: Verify the system seccomp policy.
+ * @tc.type: FUNC
+ * @tc.require: issueI5IUWJ
+ */
+HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1)
+{
+    SeccompUnitTest test;
+    test.TestSetUidGidFilter();
+}
+
+/**
+ * @tc.name: TestSystemSycall
+ * @tc.desc: Verify the system seccomp policy.
+ * @tc.type: FUNC
+ * @tc.require: issueI5MUXD
+ */
+HWTEST_F(SeccompUnitTest, TestAppSycall, TestSize.Level1)
+{
+    SeccompUnitTest test;
+    test.TestAppSycall();
+}
 }