Merge branch 'master' of gitee.com:openharmony/startup_init_lite into codex

Signed-off-by: Ncheng_jinsong <chengjinsong2@huawei.com>

interfaces/innerkits/seccomp/BUILD.gn

@@ -26,16 +26,14 @@ if (defined(build_seccomp) && build_seccomp) {
 
     include_dirs = [
       "//base/startup/init/interfaces/innerkits/include",
-      "//base/startup/init/services/modules/seccomp",
       "//base/startup/init/services/modules",
       "//base/startup/init/services/log",
+      "//third_party/bounds_checking_function/include",
     ]
 
     deps = [
       "//base/startup/init/interfaces/innerkits:libbegetutil",
-      "//base/startup/init/services/modules/seccomp:app_filter",
-      "//base/startup/init/services/modules/seccomp:appspawn_filter",
-      "//base/startup/init/services/modules/seccomp:nwebspawn_filter",
+      "//third_party/bounds_checking_function:libsec_shared",
     ]
 
     license_file = "//base/startup/init/LICENSE"
@@ -43,10 +41,7 @@ if (defined(build_seccomp) && build_seccomp) {
     part_name = "init"
 
     install_enable = true
-    install_images = [
-      "system",
-      "updater",
-    ]
+    install_images = [ "system" ]
   }
 } else {
   group("seccomp") {

interfaces/innerkits/seccomp/include/seccomp_policy.h

@@ -25,14 +25,12 @@ extern "C" {
 #endif
 #endif
 
-typedef enum {
-    SYSTEM,
-    APPSPAWN,
-    APP,
-    NWEBSPAWN,
-} PolicyType;
+#define SYSTEM_NAME "system"
+#define APPSPAWN_NAME "appspawn"
+#define NWEBSPAWN_NAME "nwebspawn"
+#define APP_NAME "app"
 
-bool SetSeccompPolicy(PolicyType policy);
+bool SetSeccompPolicyWithName(const char *filterName);
 
 #ifdef __cplusplus
 #if __cplusplus

interfaces/innerkits/syspara/param_comm.c

@@ -142,6 +142,9 @@ static int GetSha256Value(const char *input, char *udid, int udidSize)
 #else
 static int GetSha256Value(const char *input, char *udid, int udidSize)
 {
+    (void)input;
+    (void)udid;
+    (void)udidSize;
     return EC_FAILURE;
 }
 #endif

services/etc/param/ohos.para

@@ -30,7 +30,7 @@ const.build.product=default
 const.product.hardwareversion=default
 const.product.bootloader.version=bootloader
 const.product.cpu.abilist=default
-const.product.software.version=OpenHarmony 3.2.7.2
+const.product.software.version=OpenHarmony 3.2.7.3
 const.product.incremental.version=default
 const.product.firstapiversion=1
 const.product.build.type=default

services/init/init_common_service.c

@@ -309,11 +309,7 @@ static int InitServicePropertys(Service *service)
 
     CreateServiceFile(service->fileCfg);
     if ((service->attribute & SERVICE_ATTR_CONSOLE)) {
-        if (strcmp(service->name, "console") != 0 || !IsOnDemandService(service)) {
-            OpenConsole();
-        } else {
-            setsid();
-        }
+        OpenConsole();
     }
 
     PublishHoldFds(service);

services/init/init_service_manager.c

@@ -895,7 +895,9 @@ static void ProcessConsoleEvent(const WatcherHandle handler, int fd, uint32_t *e
         INIT_LOGE("Process console event with invalid arguments");
         return;
     }
-
+    // Since we've got event from console device
+    // the fd related to '/dev/console' does not need anymore, close it.
+    close(fd);
     if (strcmp(service->name, "console") != 0) {
         INIT_LOGE("Process console event with invalid service %s, only console service should do this", service->name);
         return;
@@ -906,19 +908,14 @@ static void ProcessConsoleEvent(const WatcherHandle handler, int fd, uint32_t *e
     unsigned int len = MAX_BUFFER_LEN;
     if (SystemReadParam("const.debuggable", value, &len) != 0) {
         INIT_LOGE("Failed to read parameter \'const.debuggable\', prevent console service starting");
-        CloseStdio();
         return;
     }
 
     int isDebug = StringToInt(value, 0);
     if (isDebug != 1) {
         INIT_LOGI("Non-debuggable system, prevent console service starting");
-        CloseStdio();
         return;
     }
-    ioctl(fd, TIOCSCTTY, 0);
-    RedirectStdio(fd);
-    close(fd);
     if (ServiceStart(service) != SERVICE_SUCCESS) {
         INIT_LOGE("Start console service failed");
     }
@@ -956,11 +953,14 @@ int WatchConsoleDevice(Service *service)
         if (errno == ENOENT) {
             INIT_LOGW("/dev/console is not exist, wait for it...");
             WaitForFile("/dev/console", WAIT_MAX_SECOND);
-            fd = open("/dev/console", O_RDWR);
-            if (fd < 0) {
-                INIT_LOGW("Failed to open /dev/console after try 1 time");
-                return -1;
-            }
+        } else {
+            INIT_LOGE("Failed to open /dev/console, err = %d", errno);
+            return -1;
+        }
+        fd = open("/dev/console", O_RDWR);
+        if (fd < 0) {
+            INIT_LOGW("Failed to open /dev/console after try 1 time, err = %d", errno);
+            return -1;
         }
     }
 
@@ -1018,8 +1018,7 @@ void ParseAllServices(const cJSON *fileRoot)
         // Watch "/dev/console" node for starting console service ondemand.
         if ((strcmp(service->name, "console") == 0) && IsOnDemandService(service)) {
             if (WatchConsoleDevice(service) < 0) {
-                INIT_LOGW("Failed to watch console device, unset \' %s \' ondemand attribute", service->name);
-                UnMarkServiceAsOndemand(service);
+                INIT_LOGW("Failed to watch \'/dev/console\' device");
             }
         }
 #ifndef OHOS_LITE
@@ -1191,4 +1190,4 @@ int GetKillServiceSig(const char *name)
         return SIGTERM;
     }
     return SIGKILL;
-}
\ No newline at end of file
+}

services/init/standard/init.c

@@ -29,6 +29,7 @@
 #include "device.h"
 #include "fd_holder_service.h"
 #include "fs_manager/fs_manager.h"
+#include "key_control.h"
 #include "init_control_fd_service.h"
 #include "init_log.h"
 #include "init_mount.h"
@@ -199,6 +200,9 @@ static void StartInitSecondStage(void)
     // It will panic if close stdio before execv("/bin/sh", NULL)
     CloseStdio();
 
+    // Set up a session keyring that all processes will have access to.
+    KeyCtrlGetKeyringId(KEY_SPEC_SESSION_KEYRING, 1);
+
 #ifndef DISABLE_INIT_TWO_STAGES
     SwitchRoot("/usr");
     // Execute init second stage

services/init/standard/init_cmds.c

@@ -453,10 +453,6 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
         INIT_LOGE("DoInitMainUser: para invalid");
         return;
     }
-    if (!InitFscryptPolicy()) {
-        INIT_LOGI("DoInitMainUser:init fscrypt failed,not enable fscrypt");
-        return;
-    }
 
     char * const argv[] = {
         "/system/bin/sdc",

services/loopevent/include/loop_event.h

@@ -76,6 +76,7 @@ BufferHandle LE_CreateBuffer(const LoopHandle loopHandle, uint32_t bufferSize);
 void LE_FreeBuffer(const LoopHandle loopHandle, const TaskHandle taskHandle, const BufferHandle handle);
 uint8_t *LE_GetBufferInfo(const BufferHandle handle, uint32_t *dataSize, uint32_t *buffSize);
 void *LE_GetUserData(const TaskHandle handle);
+int32_t LE_GetSendResult(const BufferHandle handle);
 
 typedef void (*LE_Close)(const TaskHandle taskHandle);
 typedef struct {

services/loopevent/task/le_streamtask.c

@@ -30,6 +30,7 @@ static LE_STATUS HandleSendMsg_(const LoopHandle loopHandle,
     while (buffer) {
         int ret = write(GetSocketFd(taskHandle), buffer->data, buffer->dataSize);
         LE_LOGV("HandleSendMsg_ fd:%d send data size %d %d", GetSocketFd(taskHandle), buffer->dataSize, ret);
+        buffer->result = (ret == buffer->dataSize) ? 0 : errno;
         if (complete != NULL) {
             complete(taskHandle, buffer);
         }

services/loopevent/task/le_task.c

@@ -202,4 +202,10 @@ void *LE_GetUserData(TaskHandle handle)
     LE_CHECK(handle != NULL, return NULL, "Invalid handle");
     BaseTask *stream = (BaseTask *)handle;
     return (void *)(((char *)stream) + stream->userDataOffset);
+}
+
+int32_t LE_GetSendResult(const BufferHandle handle)
+{
+    LE_CHECK(handle != NULL, return 0, "Invalid handle");
+    return ((LE_Buffer *)handle)->result;
 }
\ No newline at end of file

services/loopevent/task/le_task.h

@@ -44,6 +44,7 @@ typedef struct {
     ListNode node;
     uint32_t buffSize;
     uint32_t dataSize;
+    int32_t result;
     uint8_t data[0];
 } LE_Buffer;
 

services/modules/BUILD.gn

@@ -36,7 +36,7 @@ group("modulesgroup") {
       "reboot:rebootmodule",
     ]
     if (build_seccomp) {
-      deps += [ "seccomp:seccomp_module" ]
+      deps += [ "seccomp:seccomp_filter" ]
     }
     if (build_selinux) {
       deps += [ "selinux:selinuxadp" ]

services/modules/seccomp/BUILD.gn

@@ -77,16 +77,11 @@ ohos_prebuilt_seccomp("system_filter") {
   }
 
   filtername = "g_systemSeccompFilter"
-  include_dirs = [ "." ]
   part_name = INIT_PART
   subsystem_name = "startup"
 
   install_enable = true
-  install_images = [
-    "system",
-    "ramdisk",
-    "updater",
-  ]
+  install_images = [ "system" ]
 }
 
 ohos_prebuilt_seccomp("appspawn_filter") {
@@ -102,7 +97,6 @@ ohos_prebuilt_seccomp("appspawn_filter") {
   }
 
   filtername = "g_appspawnSeccompFilter"
-  include_dirs = [ "." ]
   part_name = INIT_PART
   subsystem_name = "startup"
 
@@ -118,7 +112,6 @@ ohos_prebuilt_seccomp("nwebspawn_filter") {
   }
 
   filtername = "g_nwebspawnSeccompFilter"
-  include_dirs = [ "." ]
   part_name = INIT_PART
   subsystem_name = "startup"
 
@@ -139,7 +132,6 @@ ohos_prebuilt_seccomp("app_filter") {
   }
 
   filtername = "g_appSeccompFilter"
-  include_dirs = [ "." ]
   part_name = INIT_PART
   subsystem_name = "startup"
 
@@ -147,46 +139,30 @@ ohos_prebuilt_seccomp("app_filter") {
   install_images = [ "system" ]
 }
 
-ohos_shared_library("seccomp_module") {
-  sources = [ "seccomp_policy.c" ]
-
+config("libseccomp_static_config") {
   include_dirs = [
     "//base/startup/init/services/modules",
-    "//base/startup/init/interfaces/innerkits/include",
     "//base/startup/init/interfaces/innerkits/seccomp/include",
-    "//base/startup/init/services/modules/seccomp",
+    "//third_party/bounds_checking_function/include",
   ]
+}
 
-  deps = [
-    ":system_filter",
-    "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine",
+ohos_source_set("libseccomp_static") {
+  sources = [
+    "seccomp_policy.c",
+    "seccomp_policy_static.c",
   ]
-
-  cflags = [ "-DSECCOMP_PLUGIN" ]
-
-  part_name = "init"
-  if (target_cpu == "arm64") {
-    module_install_dir = "lib64/init"
-  } else {
-    module_install_dir = "lib/init"
-  }
-  install_images = [
-    "system",
-    "ramdisk",
-    "updater",
+  public_configs = [
+    ":libseccomp_static_config",
+    "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config",
   ]
 }
 
-config("libseccomp_static_config") {
-  include_dirs = [
-    "//base/startup/init/services/modules",
-    "//base/startup/init/services/modules/seccomp",
-    "//base/startup/init/interfaces/innerkits/seccomp/include",
+group("seccomp_filter") {
+  deps = [
+    ":app_filter",
+    ":appspawn_filter",
+    ":nwebspawn_filter",
+    ":system_filter",
   ]
 }
-
-ohos_source_set("libseccomp_static") {
-  sources = [ "seccomp_policy_static.c" ]
-  public_configs = [ ":libseccomp_static_config" ]
-  public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
-}

services/modules/seccomp/seccomp_filters.h

-/*
- * Copyright (c) 2022 Huawei Device Co., Ltd.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SECCOMP_FILTERS_H
-#define SECCOMP_FILTERS_H
-
-#include <stddef.h>
-#include <linux/filter.h>
-
-#ifdef __cplusplus
-#if __cplusplus
-extern "C" {
-#endif
-#endif
-
-extern const struct sock_filter g_appspawnSeccompFilter[];
-extern const size_t g_appspawnSeccompFilterSize;
-
-extern const struct sock_filter g_systemSeccompFilter[];
-extern const size_t g_systemSeccompFilterSize;
-
-extern const struct sock_filter g_nwebspawnSeccompFilter[];
-extern const size_t g_nwebspawnSeccompFilterSize;
-
-extern const struct sock_filter g_appSeccompFilter[];
-extern const size_t g_appSeccompFilterSize;
-
-#ifdef __cplusplus
-#if __cplusplus
-}
-#endif
-#endif
-
-#endif // SECCOMP_FILTERS_H
-

services/modules/seccomp/seccomp_policy.c

@@ -14,12 +14,10 @@
  */
 
 #include "seccomp_policy.h"
-#include "seccomp_filters.h"
 #include "plugin_adapter.h"
-#ifdef SECCOMP_PLUGIN
-#include "init_module_engine.h"
-#endif
+#include "securec.h"
 
+#include <dlfcn.h>
 #include <sys/syscall.h>
 #include <unistd.h>
 #include <ctype.h>
@@ -33,6 +31,14 @@
 #define SECCOMP_SET_MODE_FILTER  (1)
 #endif
 
+#ifdef __aarch64__
+#define FILTER_LIB_PATH_FORMAT "/system/lib64/lib%s_filter.z.so"
+#else
+#define FILTER_LIB_PATH_FORMAT "/system/lib/lib%s_filter.z.so"
+#endif
+#define FILTER_NAME_FORMAT "g_%sSeccompFilter"
+#define FILTER_SIZE_STRING "Size"
+
 static bool IsSupportFilterFlag(unsigned int filterFlag)
 {
     errno = 0;
@@ -69,78 +75,41 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
     return true;
 }
 
-#ifndef SECCOMP_PLUGIN
-bool SetSeccompPolicy(PolicyType policy)
+bool SetSeccompPolicyWithName(const char *filterName)
 {
-    bool ret = false;
-    switch (policy) {
-        case APPSPAWN:
-            ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
-            break;
-        case NWEBSPAWN:
-            ret = InstallSeccompPolicy(g_nwebspawnSeccompFilter, g_nwebspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
-            break;
-        case APP:
-            ret = InstallSeccompPolicy(g_appSeccompFilter, g_appSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
-            break;
-        default:
-            ret = false;
-    }
+    char filterLibPath[512] = {0};
+    char filterVaribleName[512] = {0};
+    struct sock_filter *filterPtr = NULL;
+    size_t *filterSize = NULL;
 
-    return ret;
-}
-#else
-static bool SetSystemSeccompPolicy(void)
-{
-    return InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
-}
+    int rc = snprintf_s(filterLibPath, sizeof(filterLibPath), \
+                        strlen(filterName) + strlen(FILTER_LIB_PATH_FORMAT) - strlen("%s"), \
+                        FILTER_LIB_PATH_FORMAT, filterName);
+    PLUGIN_CHECK(rc != -1, return false, "snprintf_s filterLibPath failed");
 
-static int DoSetSeccompPolicyStart(void)
-{
-    bool ret = false;
-    ret = SetSystemSeccompPolicy();
-    PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed");
+    rc = snprintf_s(filterVaribleName, sizeof(filterVaribleName), \
+                    strlen(filterName) + strlen(FILTER_NAME_FORMAT) - strlen("%s"), \
+                    FILTER_NAME_FORMAT, filterName);
+    PLUGIN_CHECK(rc != -1, return false, "snprintf_s  faiVribleName failed");
 
-    return 0;
-}
+    void *handler = dlopen(filterLibPath, RTLD_LAZY);
+    PLUGIN_CHECK(handler != NULL, return false, "dlopen %s failed", filterLibPath);
 
-static int DoSetSeccompPolicyCmd(int id, const char *name, int argc, const char **argv)
-{
-    PLUGIN_LOGI("DoBootchartCmd argc %d %s", argc, name);
-    PLUGIN_CHECK(argc >= 1, return -1, "Invalid parameter");
-    if (strcmp(argv[0], "start") == 0) {
-        return DoSetSeccompPolicyStart();
-    }
-    return 0;
-}
+    filterPtr = (struct sock_filter *)dlsym(handler, filterVaribleName);
+    PLUGIN_CHECK(filterPtr != NULL, dlclose(handler);
+        return false, "dlsym %s failed", filterVaribleName);
 
-static int32_t g_executorId = -1;
-static int SetSeccompPolicyInit(void)
-{
-    if (g_executorId == -1) {
-        g_executorId = AddCmdExecutor("SetSeccompPolicy", DoSetSeccompPolicyCmd);
-        PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
-    }
-    return 0;
-}
+    rc = strcat_s(filterVaribleName, strlen(filterVaribleName) + strlen(FILTER_SIZE_STRING) + 1, FILTER_SIZE_STRING);
+    PLUGIN_CHECK(rc == 0, dlclose(handler);
+        return false, "strcat_s filterVaribleName failed");
 
-static void SetSeccompPolicyExit(void)
-{
-    PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
-    if (g_executorId != -1) {
-        RemoveCmdExecutor("SetSeccompPolicy", g_executorId);
-    }
-}
+    filterSize = (size_t *)dlsym(handler, filterVaribleName);
+    PLUGIN_CHECK(filterSize != NULL, dlclose(handler);
+        return false, "dlsym %s failed", filterVaribleName);
 
-MODULE_CONSTRUCTOR(void)
-{
-    PLUGIN_LOGI("DoSetSeccompPolicyStart now ...");
-    SetSeccompPolicyInit();
-}
+    bool ret = InstallSeccompPolicy(filterPtr, *filterSize, SECCOMP_FILTER_FLAG_LOG);
 
-MODULE_DESTRUCTOR(void)
-{
-    PLUGIN_LOGI("DoSetSeccompPolicyStop now ...");
-    SetSeccompPolicyExit();
+    dlclose(handler);
+
+    return ret;
 }
-#endif

services/modules/seccomp/seccomp_policy/app_arm.seccomp.policy

@@ -17,9 +17,6 @@ arm
 @returnValue
 KILL_PROCESS
 
-@headFiles
-"seccomp_filters.h"
-
 @priority
 ioctl
 futex

services/modules/seccomp/seccomp_policy/app_arm64.seccomp.policy

@@ -17,9 +17,6 @@ arm64
 @returnValue
 KILL_PROCESS
 
-@headFiles
-"seccomp_filters.h"
-
 @priority
 ioctl
 futex

services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy

@@ -18,7 +18,6 @@ arm
 KILL_PROCESS
 
 @headFiles
-"seccomp_filters.h"
 "time.h"
 "sys/ioctl.h"
 "linux/futex.h"

services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy

@@ -18,7 +18,6 @@ arm64
 KILL_PROCESS
 
 @headFiles
-"seccomp_filters.h"
 "time.h"
 "sys/ioctl.h"
 "linux/futex.h"

services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy

@@ -20,9 +20,6 @@ KILL_PROCESS
 @mode
 ONLY_CHECK_ARGS
 
-@headFiles
-"seccomp_filters.h"
-
 @allowListWithArgs
 setresuid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
 setresgid32: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;

services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy

@@ -19,9 +19,6 @@ KILL_PROCESS
 @mode
 ONLY_CHECK_ARGS
 
-@headFiles
-"seccomp_filters.h"
-
 @allowListWithArgs
 setresuid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;
 setresgid: if arg0 >= 1000 && arg1 >= 1000 && arg2 >= 1000; return ALLOW; else return KILL_PROCESS;

services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy

@@ -17,9 +17,6 @@ arm
 @returnValue
 KILL_PROCESS
 
-@headFiles
-"seccomp_filters.h"
-
 @allowList
 restart_syscall
 exit

services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy

@@ -17,9 +17,6 @@ arm64
 @returnValue
 KILL_PROCESS
 
-@headFiles
-"seccomp_filters.h"
-
 @allowList
 io_setup
 io_destroy

services/modules/seccomp/seccomp_policy_static.c

@@ -15,10 +15,32 @@
 #include <string.h>
 #include "init_module_engine.h"
 #include "plugin_adapter.h"
+#include "seccomp_policy.h"
+
+static int SetSystemSeccompPolicy(int id, const char *name, int argc, const char **argv)
+{
+    PLUGIN_LOGI("SetSystemSeccompPolicy argc %d %s", argc, name);
+    PLUGIN_CHECK(argc >= 1, return -1, "Invalid parameter");
+
+    bool ret = SetSeccompPolicyWithName(SYSTEM_NAME);
+    PLUGIN_CHECK(ret == true, return -1, "SetSystemSeccompPolicy failed");
+
+    return 0;
+}
+
+static int32_t g_executorId = -1;
+static int SetSeccompPolicyInit(void)
+{
+    if (g_executorId == -1) {
+        g_executorId = AddCmdExecutor("SetSeccompPolicy", SetSystemSeccompPolicy);
+        PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
+    }
+    return 0;
+}
 
 static int SeccompHook(const HOOK_INFO *info, void *cookie)
 {
-    InitModuleMgrInstall("seccomp_module");
+    SetSeccompPolicyInit();
     PLUGIN_LOGI("seccomp enabled.");
     return 0;
 }

test/unittest/seccomp/seccomp_unittest.cpp

@@ -53,7 +53,7 @@ public:
     {
     }
 
-    static pid_t StartChild(PolicyType type, SyscallFunc func)
+    static pid_t StartChild(const char *filterName, SyscallFunc func)
     {
         pid_t pid = fork();
         if (pid == 0) {
@@ -61,8 +61,8 @@ public:
                 std::cout << "PR_SET_NO_NEW_PRIVS set fail " << std::endl;
                 exit(EXIT_FAILURE);
             }
-            if (type != SYSTEM && !SetSeccompPolicy(type)) {
-                std::cout << "SetSeccompPolicy set fail type is " << type << std::endl;
+            if (!SetSeccompPolicyWithName(filterName)) {
+                std::cout << "SetSeccompPolicy set fail fiterName is " << filterName << std::endl;
                 exit(EXIT_FAILURE);
             }
 
@@ -78,7 +78,7 @@ public:
         return pid;
     }
 
-    static int CheckSyscall(PolicyType type, SyscallFunc func, bool isAllow)
+    static int CheckSyscall(const char *filterName, SyscallFunc func, bool isAllow)
     {
         sigset_t set;
         int status;
@@ -93,7 +93,7 @@ public:
             std::cout << "signal failed:" << strerror(errno) << std::endl;
         }
 
-        pid = StartChild(type, func);
+        pid = StartChild(filterName, func);
         if (pid == -1) {
             std::cout << "fork failed:" << strerror(errno) << std::endl;
             return -1;
@@ -200,33 +200,33 @@ public:
     void TestSystemSycall()
     {
         // system blocklist
-        int ret = CheckSyscall(SYSTEM, CheckGetMempolicy, false);
+        int ret = CheckSyscall(SYSTEM_NAME, CheckGetMempolicy, false);
         EXPECT_EQ(ret, 0);
 
         // system allowlist
-        ret = CheckSyscall(SYSTEM, CheckGetpid, true);
+        ret = CheckSyscall(SYSTEM_NAME, CheckGetpid, true);
         EXPECT_EQ(ret, 0);
     }
 
     void TestSetUidGidFilter()
     {
         // system blocklist
-        int ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsOutOfRange, false);
+        int ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuidArgsOutOfRange, false);
         EXPECT_EQ(ret, 0);
 
         // system allowlist
-        ret = CheckSyscall(APPSPAWN, CheckSetresuidArgsInRange, true);
+        ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuidArgsInRange, true);
         EXPECT_EQ(ret, 0);
     }
 
     void TestAppSycall()
     {
         // app blocklist
-        int ret = CheckSyscall(APP, CheckSetuid, false);
+        int ret = CheckSyscall(APP_NAME, CheckSetuid, false);
         EXPECT_EQ(ret, 0);
 
         // app allowlist
-        ret = CheckSyscall(APP, CheckGetpid, true);
+        ret = CheckSyscall(APP_NAME, CheckGetpid, true);
         EXPECT_EQ(ret, 0);
     }
 #elif defined __arm__
@@ -281,33 +281,33 @@ public:
     void TestSystemSycall()
     {
         // system blocklist
-        int ret = CheckSyscall(SYSTEM, CheckGetuid, false);
+        int ret = CheckSyscall(SYSTEM_NAME, CheckGetuid, false);
         EXPECT_EQ(ret, 0);
 
         // system allowlist
-        ret = CheckSyscall(SYSTEM, CheckGetuid32, true);
+        ret = CheckSyscall(SYSTEM_NAME, CheckGetuid32, true);
         EXPECT_EQ(ret, 0);
     }
 
     void TestSetUidGidFilter()
     {
         // system blocklist
-        int ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsOutOfRange, false);
+        int ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuid32ArgsOutOfRange, false);
         EXPECT_EQ(ret, 0);
 
         // system allowlist
-        ret = CheckSyscall(APPSPAWN, CheckSetresuid32ArgsInRange, true);
+        ret = CheckSyscall(APPSPAWN_NAME, CheckSetresuid32ArgsInRange, true);
         EXPECT_EQ(ret, 0);
     }
 
     void TestAppSycall()
     {
         // app blocklist
-        int ret = CheckSyscall(APP, CheckSetuid32, false);
+        int ret = CheckSyscall(APP_NAME, CheckSetuid32, false);
         EXPECT_EQ(ret, 0);
 
         // app allowlist
-        ret = CheckSyscall(APP, CheckGetuid32, true);
+        ret = CheckSyscall(APP_NAME, CheckGetuid32, true);
         EXPECT_EQ(ret, 0);
     }
 #endif