diff --git a/interfaces/innerkits/seccomp/BUILD.gn b/interfaces/innerkits/seccomp/BUILD.gn index 8db904f94d05f068091c149742f56cca7aa05295..80e11e7899a68d4d98ed4c9243894095d82bf30a 100755 --- a/interfaces/innerkits/seccomp/BUILD.gn +++ b/interfaces/innerkits/seccomp/BUILD.gn @@ -33,9 +33,9 @@ if (defined(build_seccomp) && build_seccomp) { deps = [ "//base/startup/init/interfaces/innerkits:libbegetutil", + "//base/startup/init/services/modules/seccomp:app_filter", "//base/startup/init/services/modules/seccomp:appspawn_filter", "//base/startup/init/services/modules/seccomp:nwebspawn_filter", - "//base/startup/init/services/modules/seccomp:system_filter", ] license_file = "//base/startup/init/LICENSE" diff --git a/services/modules/seccomp/BUILD.gn b/services/modules/seccomp/BUILD.gn index 999a9374ea842e1250bd62145c146f0eccccf54e..ae4805852fd22e754f526b606781acfb55afdb6e 100755 --- a/services/modules/seccomp/BUILD.gn +++ b/services/modules/seccomp/BUILD.gn @@ -107,11 +107,7 @@ ohos_prebuilt_seccomp("appspawn_filter") { subsystem_name = "startup" install_enable = true - install_images = [ - "system", - "ramdisk", - "updater", - ] + install_images = [ "system" ] } ohos_prebuilt_seccomp("nwebspawn_filter") { @@ -127,11 +123,28 @@ ohos_prebuilt_seccomp("nwebspawn_filter") { subsystem_name = "startup" install_enable = true - install_images = [ - "system", - "ramdisk", - "updater", - ] + install_images = [ "system" ] +} + +ohos_prebuilt_seccomp("app_filter") { + sources = [] + if (target_cpu == "arm") { + sources += [ "seccomp_policy/app_arm.seccomp.policy" ] + } else if (target_cpu == "arm64") { + sources += [ + # 64-bit machine also need check use 32-bit syscall + "seccomp_policy/app_arm.seccomp.policy", + "seccomp_policy/app_arm64.seccomp.policy", + ] + } + + filtername = "g_appSeccompFilter" + include_dirs = [ "." ] + part_name = INIT_PART + subsystem_name = "startup" + + install_enable = true + install_images = [ "system" ] } ohos_shared_library("seccomp_module") { @@ -145,16 +158,12 @@ ohos_shared_library("seccomp_module") { ] deps = [ - ":appspawn_filter", - ":nwebspawn_filter", ":system_filter", - "//base/startup/init/interfaces/innerkits:libbegetutil", + "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine", ] cflags = [ "-DSECCOMP_PLUGIN" ] - external_deps = [ "init:libinit_module_engine" ] - part_name = "init" if (target_cpu == "arm64") { module_install_dir = "lib64/init" diff --git a/services/modules/seccomp/scripts/generate_code_from_policy.py b/services/modules/seccomp/scripts/generate_code_from_policy.py index 0df44aa407a89113831646fdae0a883a2af6d5a0..2c4876d1497fa54cd35068224bef78b38a3f81a8 100755 --- a/services/modules/seccomp/scripts/generate_code_from_policy.py +++ b/services/modules/seccomp/scripts/generate_code_from_policy.py @@ -40,7 +40,8 @@ operation = ['<', '<=', '!=', '==', '>', '>=', '&'] ret_str_to_bpf = { 'KILL_PROCESS': 'SECCOMP_RET_KILL_PROCESS', 'KILL_THREAD': 'SECCOMP_RET_KILL_THREAD', - 'LOG' : 'SECCOMP_RET_LOG' + 'LOG' : 'SECCOMP_RET_LOG', + 'ALLOW': 'SECCOMP_RET_ALLOW' } mode_str = { @@ -201,6 +202,7 @@ class GenBpfPolicy: self.function_name_nr_table = {} self.gen_mode = 0 self.flag = True + self.return_value = '' self.operate_func_table = { '<' : self.gen_bpf_lt, '<=': self.gen_bpf_le, @@ -232,6 +234,13 @@ class GenBpfPolicy: def set_gen_mode(self, mode): self.gen_mode = mode_str.get(mode) + def set_return_value(self, return_value): + if return_value not in ret_str_to_bpf: + self.set_gen_mode(False) + return + + self.return_value = return_value + @staticmethod def gen_bpf_eq32(const_str, jt, jf): bpf_policy = [] @@ -306,9 +315,9 @@ class GenBpfPolicy: low = number & 0xffffffff if digit_flag and hight == 0: - bpf_policy.append(BPF_JGE.format('((unsigned long)'+const_str+') >> 32', jt + 2, 0)) + bpf_policy.append(BPF_JGT.format('((unsigned long)'+const_str+') >> 32', jt + 2, 0)) else: - bpf_policy.append(BPF_JGE.format('((unsigned long)'+const_str+') >> 32', jt + 3, 0)) + bpf_policy.append(BPF_JGT.format('((unsigned long)'+const_str+') >> 32', jt + 3, 0)) bpf_policy.append(BPF_JEQ.format('((unsigned long)'+const_str+') >> 32', 0, jf + 2)) bpf_policy.append(BPF_LOAD_MEM.format(0)) bpf_policy.append(BPF_JGE.format(const_str+' & 0xffffffff', jt, jf)) @@ -526,38 +535,52 @@ class GenBpfPolicy: bpf_policy = [] for atom in reversed(atoms): bpf_policy = self.compile_atom(atom, len(bpf_policy)) + bpf_policy - bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_ALLOW')) return bpf_policy def parse_sub_group(self, group): bpf_policy = [] - and_cond_groups = group.split('||') + group_info = group.split(';') + operation_part = group_info[0] + return_part = group_info[1] + if not return_part.startswith('return'): + self.set_gen_flag(False) + return bpf_policy + self.set_return_value(return_part[len('return'):]) + and_cond_groups = operation_part.split('||') for and_condition_group in and_cond_groups: bpf_policy += self.parse_args_with_condition(and_condition_group) return bpf_policy + def parse_else_part(self, else_part): + return_value = else_part.split(';')[0][else_part.find('return') + len('return'):] + self.set_return_value(return_value) + def parse_args(self, function_name, line, skip): bpf_policy = [] - - group = line.split('elif') + group_info = line.split('else') + else_part = group_info[-1] + group = group_info[0].split('elif') for sub_group in group: bpf_policy += self.parse_sub_group(sub_group) + bpf_policy.append(BPF_RET_VALUE.format(ret_str_to_bpf.get(self.return_value))) + self.parse_else_part(else_part) + bpf_policy.append(BPF_RET_VALUE.format(ret_str_to_bpf.get(self.return_value))) syscall_nr = self.function_name_nr_table.get(function_name) #load syscall nr bpf_policy = self.gen_bpf_valid_syscall_nr(syscall_nr, len(bpf_policy) - skip) + bpf_policy return bpf_policy - def gen_bpf_policy_with_args(self, allow_list_with_args, mode): + def gen_bpf_policy_with_args(self, allow_list_with_args, mode, return_value): self.set_gen_mode(mode) skip = 0 for line in allow_list_with_args: if self.gen_mode == 1 and line == list(allow_list_with_args)[-1]: - skip = 1 + skip = 2 line = line.replace(' ', '') pos = line.find(':') function_name = line[:pos] - left_line = line[pos+1:] + left_line = line[pos + 1:] if not left_line.startswith('if'): continue @@ -674,7 +697,7 @@ class SeccompPolicyParser: self.bpf_generator.gen_bpf_policy(syscall_nr_priority) self.bpf_generator.gen_bpf_policy(syscall_nr_allow_list) self.bpf_generator.gen_bpf_policy_with_args(self.cur_policy_param.final_allow_list_with_args, \ - self.cur_policy_param.mode) + self.cur_policy_param.mode, self.cur_policy_param.return_value) self.bpf_generator.add_return_value(self.cur_policy_param.return_value) diff --git a/services/modules/seccomp/seccomp_filters.h b/services/modules/seccomp/seccomp_filters.h index dc15890023688f192810d55cfe0ff2a7a074e634..7791afb3ada56df0182d8569935cc7eed35bdbc4 100644 --- a/services/modules/seccomp/seccomp_filters.h +++ b/services/modules/seccomp/seccomp_filters.h @@ -34,6 +34,9 @@ extern const size_t g_systemSeccompFilterSize; extern const struct sock_filter g_nwebspawnSeccompFilter[]; extern const size_t g_nwebspawnSeccompFilterSize; +extern const struct sock_filter g_appSeccompFilter[]; +extern const size_t g_appSeccompFilterSize; + #ifdef __cplusplus #if __cplusplus } diff --git a/services/modules/seccomp/seccomp_policy.c b/services/modules/seccomp/seccomp_policy.c index 049ab85bc8f413c95a036c626dacf8bf6fb1289e..41a3600145ad50916ad2202f503ec4966e0eeb93 100644 --- a/services/modules/seccomp/seccomp_policy.c +++ b/services/modules/seccomp/seccomp_policy.c @@ -69,31 +69,36 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter return true; } +#ifndef SECCOMP_PLUGIN bool SetSeccompPolicy(PolicyType policy) { bool ret = false; switch (policy) { - case SYSTEM: - ret = InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); - break; case APPSPAWN: ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); break; case NWEBSPAWN: ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); break; + case APP: + ret = InstallSeccompPolicy(g_appSeccompFilter, g_appSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); + break; default: ret = false; } return ret; } +#else +static bool SetSystemSeccompPolicy(void) +{ + return InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); +} -#ifdef SECCOMP_PLUGIN static int DoSetSeccompPolicyStart(void) { bool ret = false; - ret = SetSeccompPolicy(SYSTEM); + ret = SetSystemSeccompPolicy(); PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed"); return 0; diff --git a/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy new file mode 100644 index 0000000000000000000000000000000000000000..50eb288b1583270e3fb8a931517587bbc3852825 --- /dev/null +++ b/services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy @@ -0,0 +1,315 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +@arch +arm + +@returnValue +KILL_PROCESS + +@headFiles +"seccomp_filters.h" + +@priority +ioctl +futex + +@allowList +restart_syscall +exit +fork +read +write +open +close +creat +unlink +execve +chdir +chmod +lseek +getpid +getuid +ptrace +access +sync +kill +rename +mkdir +dup +pipe +times +brk +ioctl +fcntl +setpgid +umask +dup2 +getppid +setsid +sigaction +setrlimit +getrusage +gettimeofday +readlink +munmap +truncate +fchmod +getpriority +setpriority +setitimer +getitimer +stat +wait4 +sysinfo +fsync +sigreturn +clone +uname +mprotect +quotactl +getpgid +fchdir +personality +_llseek +getdents +_newselect +flock +msync +readv +writev +getsid +fdatasync +mlock +munlock +mlockall +munlockall +sched_setparam +sched_getparam +sched_setscheduler +sched_getscheduler +sched_yield +sched_get_priority_max +sched_get_priority_min +sched_rr_get_interval +nanosleep +mremap +poll +prctl +rt_sigreturn +rt_sigaction +rt_sigprocmask +rt_sigpending +rt_sigtimedwait +rt_sigqueueinfo +rt_sigsuspend +pread64 +pwrite64 +getcwd +capget +capset +sigaltstack +sendfile +vfork +ugetrlimit +mmap2 +truncate64 +ftruncate64 +stat64 +lstat64 +fstat64 +getuid32 +getgid32 +geteuid32 +getegid32 +getgroups32 +setgroups32 +fchown32 +setresuid32 +getresuid32 +setresgid32 +getresgid32 +getdents64 +mincore +madvise +fcntl64 +gettid +readahead +setxattr +lsetxattr +fsetxattr +getxattr +lgetxattr +fgetxattr +listxattr +llistxattr +flistxattr +removexattr +lremovexattr +fremovexattr +tkill +sendfile64 +futex +sched_setaffinity +sched_getaffinity +io_setup +io_destroy +io_getevents +io_submit +io_cancel +exit_group +epoll_create +epoll_ctl +epoll_wait +remap_file_pages +set_tid_address +timer_create +timer_settime +timer_gettime +timer_getoverrun +timer_delete +clock_gettime +clock_getres +clock_nanosleep +statfs64 +fstatfs64 +tgkill +fadvise64_64 +waitid +socket +bind +connect +listen +accept +getsockname +getpeername +socketpair +sendto +recvfrom +shutdown +setsockopt +getsockopt +sendmsg +recvmsg +inotify_init +inotify_add_watch +inotify_rm_watch +openat +mkdirat +mknodat +fchownat +fstatat64 +unlinkat +renameat +linkat +symlinkat +readlinkat +fchmodat +faccessat +pselect6 +ppoll +unshare +splice +sync_file_range2 +tee +vmsplice +getcpu +epoll_pwait +utimensat +timerfd_create +eventfd +fallocate +timerfd_settime +timerfd_gettime +signalfd4 +eventfd2 +epoll_create1 +dup3 +pipe2 +inotify_init1 +preadv +pwritev +rt_tgsigqueueinfo +perf_event_open +recvmmsg +accept4 +prlimit64 +syncfs +sendmmsg +setns +process_vm_readv +process_vm_writev +finit_module +sched_setattr +sched_getattr +renameat2 +seccomp +getrandom +memfd_create +bpf +execveat +userfaultfd +membarrier +mlock2 +copy_file_range +preadv2 +pwritev2 +statx +clock_gettime64 +clock_settime64 +clock_adjtime64 +clock_getres_time64 +clock_nanosleep_time64 +timer_gettime64 +timer_settime64 +timerfd_gettime64 +timerfd_settime64 +utimensat_time64 +pselect6_time64 +ppoll_time64 +recvmmsg_time64 +semtimedop_time64 +rt_sigtimedwait_time64 +futex_time64 +sched_rr_get_interval_time64 +pidfd_send_signal +pidfd_open +close_range +pidfd_getfd +process_madvise +cacheflush +set_tls + +@blockList +mount +acct +umount2 +chroot +sethostname +settimeofday +swapon +reboot +syslog +swapoff +setdomainname +adjtimex +init_module +delete_module +setfsuid +setfsgid +setreuid32 +setregid32 +setuid32 +setgid32 +clock_settime +clock_adjtime \ No newline at end of file diff --git a/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy new file mode 100644 index 0000000000000000000000000000000000000000..47c06971a65ab675a1d0abb078dc1558af6a1903 --- /dev/null +++ b/services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy @@ -0,0 +1,272 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +@arch +arm64 + +@returnValue +KILL_PROCESS + +@headFiles +"seccomp_filters.h" + +@priority +ioctl +futex + +@allowList +io_setup +io_destroy +io_submit +io_cancel +io_getevents +setxattr +lsetxattr +fsetxattr +getxattr +lgetxattr +fgetxattr +listxattr +llistxattr +flistxattr +removexattr +lremovexattr +fremovexattr +getcwd +eventfd2 +epoll_create1 +epoll_ctl +epoll_pwait +dup +dup3 +fcntl +inotify_init1 +inotify_add_watch +inotify_rm_watch +ioctl +ioprio_set +ioprio_get +flock +mknodat +mkdirat +unlinkat +symlinkat +linkat +renameat +pivot_root +statfs +fstatfs +truncate +ftruncate +fallocate +faccessat +chdir +fchdir +fchmod +fchmodat +fchownat +fchown +openat +close +pipe2 +quotactl +getdents64 +lseek +read +write +readv +writev +pread64 +pwrite64 +preadv +pwritev +sendfile +pselect6 +ppoll +signalfd4 +vmsplice +splice +tee +readlinkat +newfstatat +fstat +sync +fsync +fdatasync +sync_file_range +timerfd_create +timerfd_settime +timerfd_gettime +utimensat +capget +capset +personality +exit +exit_group +waitid +set_tid_address +unshare +futex +nanosleep +getitimer +setitimer +timer_create +timer_gettime +timer_getoverrun +timer_settime +timer_delete +clock_gettime +clock_getres +clock_nanosleep +ptrace +sched_setparam +sched_setscheduler +sched_getscheduler +sched_getparam +sched_setaffinity +sched_getaffinity +sched_yield +sched_get_priority_max +sched_get_priority_min +sched_rr_get_interval +restart_syscall +kill +tkill +tgkill +sigaltstack +rt_sigsuspend +rt_sigaction +rt_sigprocmask +rt_sigpending +rt_sigtimedwait +rt_sigqueueinfo +rt_sigreturn +setpriority +getpriority +setresuid +getresuid +setresgid +getresgid +times +setpgid +getpgid +getsid +setsid +getgroups +setgroups +uname +getrlimit +setrlimit +getrusage +umask +prctl +getcpu +gettimeofday +getpid +getppid +getuid +geteuid +getgid +getegid +gettid +sysinfo +socket +socketpair +bind +listen +accept +connect +getsockname +getpeername +sendto +recvfrom +setsockopt +getsockopt +shutdown +sendmsg +recvmsg +readahead +brk +munmap +mremap +clone +execve +mmap +fadvise64 +mprotect +msync +mlock +munlock +mlockall +munlockall +mincore +madvise +rt_tgsigqueueinfo +perf_event_open +accept4 +recvmmsg +wait4 +prlimit64 +syncfs +setns +sendmmsg +process_vm_readv +process_vm_writev +finit_module +sched_setattr +sched_getattr +renameat2 +seccomp +getrandom +memfd_create +bpf +execveat +userfaultfd +membarrier +mlock2 +copy_file_range +preadv2 +pwritev2 +statx +pidfd_send_signal +pidfd_open +close_range +pidfd_getfd +process_madvise + +@blockList +umount2 +mount +chroot +acct +init_module +delete_module +clock_settime +syslog +reboot +setregid +setgid +setreuid +setuid +setfsuid +setfsgid +sethostname +setdomainname +settimeofday +adjtimex +swapon +swapoff +clock_adjtime + + + diff --git a/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy index e58a0e6de52e7461f94a756166ec7341ac04ce2c..ea9816d64ebea9e352552437d5873d791a9536e1 100644 --- a/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy @@ -164,9 +164,9 @@ set_tls sched_setscheduler @allowListWithArgs -getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD -clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME -clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME -clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME -socketpair:if arg0 == AF_UNIX -getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF +getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS; +clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; +clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; +clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; +socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS; +getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS; diff --git a/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy index fa593fdf5755b1b2cb79fc162294607a68d14f3c..bfadb0a6799a854e02388a5de823b979435427ba 100644 --- a/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy @@ -134,9 +134,9 @@ prlimit64 sched_setscheduler @allowListWithArgs -getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD -clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME -clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME -clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME -socketpair:if arg0 == AF_UNIX -getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF +getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS; +clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; +clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; +clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS; +socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS; +getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS; diff --git a/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy b/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy index 20e1c353b93162209838d2027a481411fb2d621c..12cb720eaf7372dcfd28a2926acd0f5467a93f02 100644 --- a/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy @@ -24,5 +24,5 @@ ONLY_CHECK_ARGS "seccomp_filters.h" @allowListWithArgs -setresuid32: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 -setresgid32: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 +setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; +setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; diff --git a/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy b/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy index 4a59c974491ff737701c9f70553c3e57afc3af42..21bcad77f5eca26c94aa6b5207504c9986ce4fdf 100644 --- a/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy +++ b/services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy @@ -23,5 +23,5 @@ ONLY_CHECK_ARGS "seccomp_filters.h" @allowListWithArgs -setresuid: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 -setresgid: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 +setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; +setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS; diff --git a/test/unittest/seccomp/seccomp_unittest.cpp b/test/unittest/seccomp/seccomp_unittest.cpp index 5fcae032dfe97295ecc7cf969d2beb6069a97c84..fdcf97f47eb74a3419a9c192716a2c1e3273b217 100644 --- a/test/unittest/seccomp/seccomp_unittest.cpp +++ b/test/unittest/seccomp/seccomp_unittest.cpp @@ -61,7 +61,7 @@ public: std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; exit(EXIT_FAILURE); } - if (!SetSeccompPolicy(type)) { + if (type != SYSTEM && !SetSeccompPolicy(type)) { std::cout << "SetSeccompPolicy set fail type is " << type << std::endl; exit(EXIT_FAILURE); } @@ -187,6 +187,16 @@ public: return false; } + static bool CheckSetuid() + { + int uid = syscall(__NR_setuid, 1); + if (uid == 0) { + return true; + } + + return false; + } + void TestSystemSycall() { // system blocklist @@ -208,6 +218,17 @@ public: ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true); EXPECT_EQ(ret, 0); } + + void TestAppSycall() + { + // app blocklist + int ret = CheckSyscall(APP, CheckSetuid, false); + EXPECT_EQ(ret, 0); + + // app allowlist + ret = CheckSyscall(APP, CheckGetpid, true); + EXPECT_EQ(ret, 0); + } #elif defined __arm__ static bool CheckGetuid32() { @@ -227,6 +248,16 @@ public: return false; } + static bool CheckSetuid32() + { + int ret = syscall(__NR_setuid32, 1); + if (ret == 0) { + return true; + } + + return false; + } + static bool CheckSetresuid32ArgsInRange() { int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); @@ -268,6 +299,17 @@ public: ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true); EXPECT_EQ(ret, 0); } + + void TestAppSycall() + { + // app blocklist + int ret = CheckSyscall(APP, CheckSetuid32, false); + EXPECT_EQ(ret, 0); + + // app allowlist + ret = CheckSyscall(APP, CheckGetuid32, true); + EXPECT_EQ(ret, 0); + } #endif }; @@ -275,11 +317,35 @@ public: * @tc.name: TestSystemSycall * @tc.desc: Verify the system seccomp policy. * @tc.type: FUNC - * @tc.require: I5IUWJ + * @tc.require: issueI5IUWJ */ HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1) { SeccompUnitTest test; test.TestSystemSycall(); } + +/** + * @tc.name: TestSetUidGidFilter + * @tc.desc: Verify the system seccomp policy. + * @tc.type: FUNC + * @tc.require: issueI5IUWJ + */ +HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1) +{ + SeccompUnitTest test; + test.TestSetUidGidFilter(); +} + +/** + * @tc.name: TestSystemSycall + * @tc.desc: Verify the system seccomp policy. + * @tc.type: FUNC + * @tc.require: issueI5MUXD + */ +HWTEST_F(SeccompUnitTest, TestAppSycall, TestSize.Level1) +{ + SeccompUnitTest test; + test.TestAppSycall(); +} }