提交 92d40ab5 编写于 作者: X xiacong

<feat>

app进程沙盒支持seccomp-BPF

<body>
增加app进程的系统调用名单配置文件
增加app的进程使能分支
在配置文件中的带参数限制白名单项,增加返回结果,并在解析脚本编写相应的解析代码
Signed-off-by: Nxiacong <xiacong4@huawei.com>
Change-Id: Ifc17b661750d7070e17bc2a469c285ecb44d871a
Signed-off-by: Nxiacong <xiacong4@huawei.com>
上级 1d70b1f7
...@@ -33,9 +33,9 @@ if (defined(build_seccomp) && build_seccomp) { ...@@ -33,9 +33,9 @@ if (defined(build_seccomp) && build_seccomp) {
deps = [ deps = [
"//base/startup/init/interfaces/innerkits:libbegetutil", "//base/startup/init/interfaces/innerkits:libbegetutil",
"//base/startup/init/services/modules/seccomp:app_filter",
"//base/startup/init/services/modules/seccomp:appspawn_filter", "//base/startup/init/services/modules/seccomp:appspawn_filter",
"//base/startup/init/services/modules/seccomp:nwebspawn_filter", "//base/startup/init/services/modules/seccomp:nwebspawn_filter",
"//base/startup/init/services/modules/seccomp:system_filter",
] ]
license_file = "//base/startup/init/LICENSE" license_file = "//base/startup/init/LICENSE"
......
...@@ -107,11 +107,7 @@ ohos_prebuilt_seccomp("appspawn_filter") { ...@@ -107,11 +107,7 @@ ohos_prebuilt_seccomp("appspawn_filter") {
subsystem_name = "startup" subsystem_name = "startup"
install_enable = true install_enable = true
install_images = [ install_images = [ "system" ]
"system",
"ramdisk",
"updater",
]
} }
ohos_prebuilt_seccomp("nwebspawn_filter") { ohos_prebuilt_seccomp("nwebspawn_filter") {
...@@ -127,11 +123,28 @@ ohos_prebuilt_seccomp("nwebspawn_filter") { ...@@ -127,11 +123,28 @@ ohos_prebuilt_seccomp("nwebspawn_filter") {
subsystem_name = "startup" subsystem_name = "startup"
install_enable = true install_enable = true
install_images = [ install_images = [ "system" ]
"system", }
"ramdisk",
"updater", ohos_prebuilt_seccomp("app_filter") {
] sources = []
if (target_cpu == "arm") {
sources += [ "seccomp_policy/app_arm.seccomp.policy" ]
} else if (target_cpu == "arm64") {
sources += [
# 64-bit machine also need check use 32-bit syscall
"seccomp_policy/app_arm.seccomp.policy",
"seccomp_policy/app_arm64.seccomp.policy",
]
}
filtername = "g_appSeccompFilter"
include_dirs = [ "." ]
part_name = INIT_PART
subsystem_name = "startup"
install_enable = true
install_images = [ "system" ]
} }
ohos_shared_library("seccomp_module") { ohos_shared_library("seccomp_module") {
...@@ -145,16 +158,12 @@ ohos_shared_library("seccomp_module") { ...@@ -145,16 +158,12 @@ ohos_shared_library("seccomp_module") {
] ]
deps = [ deps = [
":appspawn_filter",
":nwebspawn_filter",
":system_filter", ":system_filter",
"//base/startup/init/interfaces/innerkits:libbegetutil", "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine",
] ]
cflags = [ "-DSECCOMP_PLUGIN" ] cflags = [ "-DSECCOMP_PLUGIN" ]
external_deps = [ "init:libinit_module_engine" ]
part_name = "init" part_name = "init"
if (target_cpu == "arm64") { if (target_cpu == "arm64") {
module_install_dir = "lib64/init" module_install_dir = "lib64/init"
......
...@@ -40,7 +40,8 @@ operation = ['<', '<=', '!=', '==', '>', '>=', '&'] ...@@ -40,7 +40,8 @@ operation = ['<', '<=', '!=', '==', '>', '>=', '&']
ret_str_to_bpf = { ret_str_to_bpf = {
'KILL_PROCESS': 'SECCOMP_RET_KILL_PROCESS', 'KILL_PROCESS': 'SECCOMP_RET_KILL_PROCESS',
'KILL_THREAD': 'SECCOMP_RET_KILL_THREAD', 'KILL_THREAD': 'SECCOMP_RET_KILL_THREAD',
'LOG' : 'SECCOMP_RET_LOG' 'LOG' : 'SECCOMP_RET_LOG',
'ALLOW': 'SECCOMP_RET_ALLOW'
} }
mode_str = { mode_str = {
...@@ -201,6 +202,7 @@ class GenBpfPolicy: ...@@ -201,6 +202,7 @@ class GenBpfPolicy:
self.function_name_nr_table = {} self.function_name_nr_table = {}
self.gen_mode = 0 self.gen_mode = 0
self.flag = True self.flag = True
self.return_value = ''
self.operate_func_table = { self.operate_func_table = {
'<' : self.gen_bpf_lt, '<' : self.gen_bpf_lt,
'<=': self.gen_bpf_le, '<=': self.gen_bpf_le,
...@@ -232,6 +234,13 @@ class GenBpfPolicy: ...@@ -232,6 +234,13 @@ class GenBpfPolicy:
def set_gen_mode(self, mode): def set_gen_mode(self, mode):
self.gen_mode = mode_str.get(mode) self.gen_mode = mode_str.get(mode)
def set_return_value(self, return_value):
if return_value not in ret_str_to_bpf:
self.set_gen_mode(False)
return
self.return_value = return_value
@staticmethod @staticmethod
def gen_bpf_eq32(const_str, jt, jf): def gen_bpf_eq32(const_str, jt, jf):
bpf_policy = [] bpf_policy = []
...@@ -306,9 +315,9 @@ class GenBpfPolicy: ...@@ -306,9 +315,9 @@ class GenBpfPolicy:
low = number & 0xffffffff low = number & 0xffffffff
if digit_flag and hight == 0: if digit_flag and hight == 0:
bpf_policy.append(BPF_JGE.format('((unsigned long)'+const_str+') >> 32', jt + 2, 0)) bpf_policy.append(BPF_JGT.format('((unsigned long)'+const_str+') >> 32', jt + 2, 0))
else: else:
bpf_policy.append(BPF_JGE.format('((unsigned long)'+const_str+') >> 32', jt + 3, 0)) bpf_policy.append(BPF_JGT.format('((unsigned long)'+const_str+') >> 32', jt + 3, 0))
bpf_policy.append(BPF_JEQ.format('((unsigned long)'+const_str+') >> 32', 0, jf + 2)) bpf_policy.append(BPF_JEQ.format('((unsigned long)'+const_str+') >> 32', 0, jf + 2))
bpf_policy.append(BPF_LOAD_MEM.format(0)) bpf_policy.append(BPF_LOAD_MEM.format(0))
bpf_policy.append(BPF_JGE.format(const_str+' & 0xffffffff', jt, jf)) bpf_policy.append(BPF_JGE.format(const_str+' & 0xffffffff', jt, jf))
...@@ -526,38 +535,52 @@ class GenBpfPolicy: ...@@ -526,38 +535,52 @@ class GenBpfPolicy:
bpf_policy = [] bpf_policy = []
for atom in reversed(atoms): for atom in reversed(atoms):
bpf_policy = self.compile_atom(atom, len(bpf_policy)) + bpf_policy bpf_policy = self.compile_atom(atom, len(bpf_policy)) + bpf_policy
bpf_policy.append(BPF_RET_VALUE.format('SECCOMP_RET_ALLOW'))
return bpf_policy return bpf_policy
def parse_sub_group(self, group): def parse_sub_group(self, group):
bpf_policy = [] bpf_policy = []
and_cond_groups = group.split('||') group_info = group.split(';')
operation_part = group_info[0]
return_part = group_info[1]
if not return_part.startswith('return'):
self.set_gen_flag(False)
return bpf_policy
self.set_return_value(return_part[len('return'):])
and_cond_groups = operation_part.split('||')
for and_condition_group in and_cond_groups: for and_condition_group in and_cond_groups:
bpf_policy += self.parse_args_with_condition(and_condition_group) bpf_policy += self.parse_args_with_condition(and_condition_group)
return bpf_policy return bpf_policy
def parse_else_part(self, else_part):
return_value = else_part.split(';')[0][else_part.find('return') + len('return'):]
self.set_return_value(return_value)
def parse_args(self, function_name, line, skip): def parse_args(self, function_name, line, skip):
bpf_policy = [] bpf_policy = []
group_info = line.split('else')
group = line.split('elif') else_part = group_info[-1]
group = group_info[0].split('elif')
for sub_group in group: for sub_group in group:
bpf_policy += self.parse_sub_group(sub_group) bpf_policy += self.parse_sub_group(sub_group)
bpf_policy.append(BPF_RET_VALUE.format(ret_str_to_bpf.get(self.return_value)))
self.parse_else_part(else_part)
bpf_policy.append(BPF_RET_VALUE.format(ret_str_to_bpf.get(self.return_value)))
syscall_nr = self.function_name_nr_table.get(function_name) syscall_nr = self.function_name_nr_table.get(function_name)
#load syscall nr #load syscall nr
bpf_policy = self.gen_bpf_valid_syscall_nr(syscall_nr, len(bpf_policy) - skip) + bpf_policy bpf_policy = self.gen_bpf_valid_syscall_nr(syscall_nr, len(bpf_policy) - skip) + bpf_policy
return bpf_policy return bpf_policy
def gen_bpf_policy_with_args(self, allow_list_with_args, mode): def gen_bpf_policy_with_args(self, allow_list_with_args, mode, return_value):
self.set_gen_mode(mode) self.set_gen_mode(mode)
skip = 0 skip = 0
for line in allow_list_with_args: for line in allow_list_with_args:
if self.gen_mode == 1 and line == list(allow_list_with_args)[-1]: if self.gen_mode == 1 and line == list(allow_list_with_args)[-1]:
skip = 1 skip = 2
line = line.replace(' ', '') line = line.replace(' ', '')
pos = line.find(':') pos = line.find(':')
function_name = line[:pos] function_name = line[:pos]
left_line = line[pos+1:] left_line = line[pos + 1:]
if not left_line.startswith('if'): if not left_line.startswith('if'):
continue continue
...@@ -674,7 +697,7 @@ class SeccompPolicyParser: ...@@ -674,7 +697,7 @@ class SeccompPolicyParser:
self.bpf_generator.gen_bpf_policy(syscall_nr_priority) self.bpf_generator.gen_bpf_policy(syscall_nr_priority)
self.bpf_generator.gen_bpf_policy(syscall_nr_allow_list) self.bpf_generator.gen_bpf_policy(syscall_nr_allow_list)
self.bpf_generator.gen_bpf_policy_with_args(self.cur_policy_param.final_allow_list_with_args, \ self.bpf_generator.gen_bpf_policy_with_args(self.cur_policy_param.final_allow_list_with_args, \
self.cur_policy_param.mode) self.cur_policy_param.mode, self.cur_policy_param.return_value)
self.bpf_generator.add_return_value(self.cur_policy_param.return_value) self.bpf_generator.add_return_value(self.cur_policy_param.return_value)
......
...@@ -34,6 +34,9 @@ extern const size_t g_systemSeccompFilterSize; ...@@ -34,6 +34,9 @@ extern const size_t g_systemSeccompFilterSize;
extern const struct sock_filter g_nwebspawnSeccompFilter[]; extern const struct sock_filter g_nwebspawnSeccompFilter[];
extern const size_t g_nwebspawnSeccompFilterSize; extern const size_t g_nwebspawnSeccompFilterSize;
extern const struct sock_filter g_appSeccompFilter[];
extern const size_t g_appSeccompFilterSize;
#ifdef __cplusplus #ifdef __cplusplus
#if __cplusplus #if __cplusplus
} }
......
...@@ -69,31 +69,36 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter ...@@ -69,31 +69,36 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
return true; return true;
} }
#ifndef SECCOMP_PLUGIN
bool SetSeccompPolicy(PolicyType policy) bool SetSeccompPolicy(PolicyType policy)
{ {
bool ret = false; bool ret = false;
switch (policy) { switch (policy) {
case SYSTEM:
ret = InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
break;
case APPSPAWN: case APPSPAWN:
ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
break; break;
case NWEBSPAWN: case NWEBSPAWN:
ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG); ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
break; break;
case APP:
ret = InstallSeccompPolicy(g_appSeccompFilter, g_appSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
break;
default: default:
ret = false; ret = false;
} }
return ret; return ret;
} }
#else
static bool SetSystemSeccompPolicy(void)
{
return InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
}
#ifdef SECCOMP_PLUGIN
static int DoSetSeccompPolicyStart(void) static int DoSetSeccompPolicyStart(void)
{ {
bool ret = false; bool ret = false;
ret = SetSeccompPolicy(SYSTEM); ret = SetSystemSeccompPolicy();
PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed"); PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed");
return 0; return 0;
......
# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
@arch
arm
@returnValue
KILL_PROCESS
@headFiles
"seccomp_filters.h"
@priority
ioctl
futex
@allowList
restart_syscall
exit
fork
read
write
open
close
creat
unlink
execve
chdir
chmod
lseek
getpid
getuid
ptrace
access
sync
kill
rename
mkdir
dup
pipe
times
brk
ioctl
fcntl
setpgid
umask
dup2
getppid
setsid
sigaction
setrlimit
getrusage
gettimeofday
readlink
munmap
truncate
fchmod
getpriority
setpriority
setitimer
getitimer
stat
wait4
sysinfo
fsync
sigreturn
clone
uname
mprotect
quotactl
getpgid
fchdir
personality
_llseek
getdents
_newselect
flock
msync
readv
writev
getsid
fdatasync
mlock
munlock
mlockall
munlockall
sched_setparam
sched_getparam
sched_setscheduler
sched_getscheduler
sched_yield
sched_get_priority_max
sched_get_priority_min
sched_rr_get_interval
nanosleep
mremap
poll
prctl
rt_sigreturn
rt_sigaction
rt_sigprocmask
rt_sigpending
rt_sigtimedwait
rt_sigqueueinfo
rt_sigsuspend
pread64
pwrite64
getcwd
capget
capset
sigaltstack
sendfile
vfork
ugetrlimit
mmap2
truncate64
ftruncate64
stat64
lstat64
fstat64
getuid32
getgid32
geteuid32
getegid32
getgroups32
setgroups32
fchown32
setresuid32
getresuid32
setresgid32
getresgid32
getdents64
mincore
madvise
fcntl64
gettid
readahead
setxattr
lsetxattr
fsetxattr
getxattr
lgetxattr
fgetxattr
listxattr
llistxattr
flistxattr
removexattr
lremovexattr
fremovexattr
tkill
sendfile64
futex
sched_setaffinity
sched_getaffinity
io_setup
io_destroy
io_getevents
io_submit
io_cancel
exit_group
epoll_create
epoll_ctl
epoll_wait
remap_file_pages
set_tid_address
timer_create
timer_settime
timer_gettime
timer_getoverrun
timer_delete
clock_gettime
clock_getres
clock_nanosleep
statfs64
fstatfs64
tgkill
fadvise64_64
waitid
socket
bind
connect
listen
accept
getsockname
getpeername
socketpair
sendto
recvfrom
shutdown
setsockopt
getsockopt
sendmsg
recvmsg
inotify_init
inotify_add_watch
inotify_rm_watch
openat
mkdirat
mknodat
fchownat
fstatat64
unlinkat
renameat
linkat
symlinkat
readlinkat
fchmodat
faccessat
pselect6
ppoll
unshare
splice
sync_file_range2
tee
vmsplice
getcpu
epoll_pwait
utimensat
timerfd_create
eventfd
fallocate
timerfd_settime
timerfd_gettime
signalfd4
eventfd2
epoll_create1
dup3
pipe2
inotify_init1
preadv
pwritev
rt_tgsigqueueinfo
perf_event_open
recvmmsg
accept4
prlimit64
syncfs
sendmmsg
setns
process_vm_readv
process_vm_writev
finit_module
sched_setattr
sched_getattr
renameat2
seccomp
getrandom
memfd_create
bpf
execveat
userfaultfd
membarrier
mlock2
copy_file_range
preadv2
pwritev2
statx
clock_gettime64
clock_settime64
clock_adjtime64
clock_getres_time64
clock_nanosleep_time64
timer_gettime64
timer_settime64
timerfd_gettime64
timerfd_settime64
utimensat_time64
pselect6_time64
ppoll_time64
recvmmsg_time64
semtimedop_time64
rt_sigtimedwait_time64
futex_time64
sched_rr_get_interval_time64
pidfd_send_signal
pidfd_open
close_range
pidfd_getfd
process_madvise
cacheflush
set_tls
@blockList
mount
acct
umount2
chroot
sethostname
settimeofday
swapon
reboot
syslog
swapoff
setdomainname
adjtimex
init_module
delete_module
setfsuid
setfsgid
setreuid32
setregid32
setuid32
setgid32
clock_settime
clock_adjtime
\ No newline at end of file
# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
@arch
arm64
@returnValue
KILL_PROCESS
@headFiles
"seccomp_filters.h"
@priority
ioctl
futex
@allowList
io_setup
io_destroy
io_submit
io_cancel
io_getevents
setxattr
lsetxattr
fsetxattr
getxattr
lgetxattr
fgetxattr
listxattr
llistxattr
flistxattr
removexattr
lremovexattr
fremovexattr
getcwd
eventfd2
epoll_create1
epoll_ctl
epoll_pwait
dup
dup3
fcntl
inotify_init1
inotify_add_watch
inotify_rm_watch
ioctl
ioprio_set
ioprio_get
flock
mknodat
mkdirat
unlinkat
symlinkat
linkat
renameat
pivot_root
statfs
fstatfs
truncate
ftruncate
fallocate
faccessat
chdir
fchdir
fchmod
fchmodat
fchownat
fchown
openat
close
pipe2
quotactl
getdents64
lseek
read
write
readv
writev
pread64
pwrite64
preadv
pwritev
sendfile
pselect6
ppoll
signalfd4
vmsplice
splice
tee
readlinkat
newfstatat
fstat
sync
fsync
fdatasync
sync_file_range
timerfd_create
timerfd_settime
timerfd_gettime
utimensat
capget
capset
personality
exit
exit_group
waitid
set_tid_address
unshare
futex
nanosleep
getitimer
setitimer
timer_create
timer_gettime
timer_getoverrun
timer_settime
timer_delete
clock_gettime
clock_getres
clock_nanosleep
ptrace
sched_setparam
sched_setscheduler
sched_getscheduler
sched_getparam
sched_setaffinity
sched_getaffinity
sched_yield
sched_get_priority_max
sched_get_priority_min
sched_rr_get_interval
restart_syscall
kill
tkill
tgkill
sigaltstack
rt_sigsuspend
rt_sigaction
rt_sigprocmask
rt_sigpending
rt_sigtimedwait
rt_sigqueueinfo
rt_sigreturn
setpriority
getpriority
setresuid
getresuid
setresgid
getresgid
times
setpgid
getpgid
getsid
setsid
getgroups
setgroups
uname
getrlimit
setrlimit
getrusage
umask
prctl
getcpu
gettimeofday
getpid
getppid
getuid
geteuid
getgid
getegid
gettid
sysinfo
socket
socketpair
bind
listen
accept
connect
getsockname
getpeername
sendto
recvfrom
setsockopt
getsockopt
shutdown
sendmsg
recvmsg
readahead
brk
munmap
mremap
clone
execve
mmap
fadvise64
mprotect
msync
mlock
munlock
mlockall
munlockall
mincore
madvise
rt_tgsigqueueinfo
perf_event_open
accept4
recvmmsg
wait4
prlimit64
syncfs
setns
sendmmsg
process_vm_readv
process_vm_writev
finit_module
sched_setattr
sched_getattr
renameat2
seccomp
getrandom
memfd_create
bpf
execveat
userfaultfd
membarrier
mlock2
copy_file_range
preadv2
pwritev2
statx
pidfd_send_signal
pidfd_open
close_range
pidfd_getfd
process_madvise
@blockList
umount2
mount
chroot
acct
init_module
delete_module
clock_settime
syslog
reboot
setregid
setgid
setreuid
setuid
setfsuid
setfsgid
sethostname
setdomainname
settimeofday
adjtimex
swapon
swapoff
clock_adjtime
...@@ -164,9 +164,9 @@ set_tls ...@@ -164,9 +164,9 @@ set_tls
sched_setscheduler sched_setscheduler
@allowListWithArgs @allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS;
clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
socketpair:if arg0 == AF_UNIX socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS;
getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS;
...@@ -134,9 +134,9 @@ prlimit64 ...@@ -134,9 +134,9 @@ prlimit64
sched_setscheduler sched_setscheduler
@allowListWithArgs @allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS;
clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
socketpair:if arg0 == AF_UNIX socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS;
getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS;
...@@ -24,5 +24,5 @@ ONLY_CHECK_ARGS ...@@ -24,5 +24,5 @@ ONLY_CHECK_ARGS
"seccomp_filters.h" "seccomp_filters.h"
@allowListWithArgs @allowListWithArgs
setresuid32: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
setresgid32: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
...@@ -23,5 +23,5 @@ ONLY_CHECK_ARGS ...@@ -23,5 +23,5 @@ ONLY_CHECK_ARGS
"seccomp_filters.h" "seccomp_filters.h"
@allowListWithArgs @allowListWithArgs
setresuid: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
setresgid: if arg0 >= 0 && arg1 >= 0 && arg2 >= 0 setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
...@@ -61,7 +61,7 @@ public: ...@@ -61,7 +61,7 @@ public:
std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl; std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
if (!SetSeccompPolicy(type)) { if (type != SYSTEM && !SetSeccompPolicy(type)) {
std::cout << "SetSeccompPolicy set fail type is " << type << std::endl; std::cout << "SetSeccompPolicy set fail type is " << type << std::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
...@@ -187,6 +187,16 @@ public: ...@@ -187,6 +187,16 @@ public:
return false; return false;
} }
static bool CheckSetuid()
{
int uid = syscall(__NR_setuid, 1);
if (uid == 0) {
return true;
}
return false;
}
void TestSystemSycall() void TestSystemSycall()
{ {
// system blocklist // system blocklist
...@@ -208,6 +218,17 @@ public: ...@@ -208,6 +218,17 @@ public:
ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true); ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true);
EXPECT_EQ(ret, 0); EXPECT_EQ(ret, 0);
} }
void TestAppSycall()
{
// app blocklist
int ret = CheckSyscall(APP, CheckSetuid, false);
EXPECT_EQ(ret, 0);
// app allowlist
ret = CheckSyscall(APP, CheckGetpid, true);
EXPECT_EQ(ret, 0);
}
#elif defined __arm__ #elif defined __arm__
static bool CheckGetuid32() static bool CheckGetuid32()
{ {
...@@ -227,6 +248,16 @@ public: ...@@ -227,6 +248,16 @@ public:
return false; return false;
} }
static bool CheckSetuid32()
{
int ret = syscall(__NR_setuid32, 1);
if (ret == 0) {
return true;
}
return false;
}
static bool CheckSetresuid32ArgsInRange() static bool CheckSetresuid32ArgsInRange()
{ {
int ret = syscall(__NR_setresuid32, 20000, 20000, 20000); int ret = syscall(__NR_setresuid32, 20000, 20000, 20000);
...@@ -268,6 +299,17 @@ public: ...@@ -268,6 +299,17 @@ public:
ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true); ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true);
EXPECT_EQ(ret, 0); EXPECT_EQ(ret, 0);
} }
void TestAppSycall()
{
// app blocklist
int ret = CheckSyscall(APP, CheckSetuid32, false);
EXPECT_EQ(ret, 0);
// app allowlist
ret = CheckSyscall(APP, CheckGetuid32, true);
EXPECT_EQ(ret, 0);
}
#endif #endif
}; };
...@@ -275,11 +317,35 @@ public: ...@@ -275,11 +317,35 @@ public:
* @tc.name: TestSystemSycall * @tc.name: TestSystemSycall
* @tc.desc: Verify the system seccomp policy. * @tc.desc: Verify the system seccomp policy.
* @tc.type: FUNC * @tc.type: FUNC
* @tc.require: I5IUWJ * @tc.require: issueI5IUWJ
*/ */
HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1) HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1)
{ {
SeccompUnitTest test; SeccompUnitTest test;
test.TestSystemSycall(); test.TestSystemSycall();
} }
/**
* @tc.name: TestSetUidGidFilter
* @tc.desc: Verify the system seccomp policy.
* @tc.type: FUNC
* @tc.require: issueI5IUWJ
*/
HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1)
{
SeccompUnitTest test;
test.TestSetUidGidFilter();
}
/**
* @tc.name: TestSystemSycall
* @tc.desc: Verify the system seccomp policy.
* @tc.type: FUNC
* @tc.require: issueI5MUXD
*/
HWTEST_F(SeccompUnitTest, TestAppSycall, TestSize.Level1)
{
SeccompUnitTest test;
test.TestAppSycall();
}
} }
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册