1/* 2 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 3 * Use of this source code is governed by the GPLv2 license. 4 * 5 * Test code for seccomp bpf. 6 */ 7 8#include <sys/types.h> 9 10/* 11 * glibc 2.26 and later have SIGSYS in siginfo_t. Before that, 12 * we need to use the kernel's siginfo.h file and trick glibc 13 * into accepting it. 14 */ 15#if defined(__GLIBC_PREREQ) 16#if !__GLIBC_PREREQ(2, 26) 17# include <asm/siginfo.h> 18# define __have_siginfo_t 1 19# define __have_sigval_t 1 20# define __have_sigevent_t 1 21#endif 22#endif 23 24#include <errno.h> 25#include <linux/filter.h> 26#include <sys/prctl.h> 27#include <sys/ptrace.h> 28#include <sys/user.h> 29#include <linux/prctl.h> 30#include <linux/ptrace.h> 31#include <linux/seccomp.h> 32#include <pthread.h> 33#include <semaphore.h> 34#include <signal.h> 35#include <stddef.h> 36#include <stdbool.h> 37#include <string.h> 38#include <time.h> 39#include <linux/elf.h> 40#include <sys/uio.h> 41#include <sys/utsname.h> 42#include <sys/fcntl.h> 43#include <sys/mman.h> 44#include <sys/times.h> 45 46#define _GNU_SOURCE 47#include <unistd.h> 48#include <sys/syscall.h> 49 50#include "../kselftest_harness.h" 51 52#ifndef PR_SET_PTRACER 53# define PR_SET_PTRACER 0x59616d61 54#endif 55 56#ifndef PR_SET_NO_NEW_PRIVS 57#define PR_SET_NO_NEW_PRIVS 38 58#define PR_GET_NO_NEW_PRIVS 39 59#endif 60 61#ifndef PR_SECCOMP_EXT 62#define PR_SECCOMP_EXT 43 63#endif 64 65#ifndef SECCOMP_EXT_ACT 66#define SECCOMP_EXT_ACT 1 67#endif 68 69#ifndef SECCOMP_EXT_ACT_TSYNC 70#define SECCOMP_EXT_ACT_TSYNC 1 71#endif 72 73#ifndef SECCOMP_MODE_STRICT 74#define SECCOMP_MODE_STRICT 1 75#endif 76 77#ifndef SECCOMP_MODE_FILTER 78#define SECCOMP_MODE_FILTER 2 79#endif 80 81#ifndef SECCOMP_RET_ALLOW 82struct seccomp_data { 83 int nr; 84 __u32 arch; 85 __u64 instruction_pointer; 86 __u64 args[6]; 87}; 88#endif 89 90#ifndef SECCOMP_RET_KILL_PROCESS 91#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */ 92#define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */ 93#endif 94#ifndef SECCOMP_RET_KILL 95#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD 96#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ 97#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */ 98#define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */ 99#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ 100#endif 101#ifndef SECCOMP_RET_LOG 102#define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */ 103#endif 104 105#ifndef __NR_seccomp 106# if defined(__i386__) 107# define __NR_seccomp 354 108# elif defined(__x86_64__) 109# define __NR_seccomp 317 110# elif defined(__arm__) 111# define __NR_seccomp 383 112# elif defined(__aarch64__) 113# define __NR_seccomp 277 114# elif defined(__hppa__) 115# define __NR_seccomp 338 116# elif defined(__powerpc__) 117# define __NR_seccomp 358 118# elif defined(__s390__) 119# define __NR_seccomp 348 120# else 121# warning "seccomp syscall number unknown for this architecture" 122# define __NR_seccomp 0xffff 123# endif 124#endif 125 126#ifndef SECCOMP_SET_MODE_STRICT 127#define SECCOMP_SET_MODE_STRICT 0 128#endif 129 130#ifndef SECCOMP_SET_MODE_FILTER 131#define SECCOMP_SET_MODE_FILTER 1 132#endif 133 134#ifndef SECCOMP_GET_ACTION_AVAIL 135#define SECCOMP_GET_ACTION_AVAIL 2 136#endif 137 138#ifndef SECCOMP_FILTER_FLAG_TSYNC 139#define SECCOMP_FILTER_FLAG_TSYNC 1 140#endif 141 142#ifndef SECCOMP_FILTER_FLAG_LOG 143#define SECCOMP_FILTER_FLAG_LOG 2 144#endif 145 146#ifndef seccomp 147int seccomp(unsigned int op, unsigned int flags, void *args) 148{ 149 errno = 0; 150 return syscall(__NR_seccomp, op, flags, args); 151} 152#endif 153 154#if __BYTE_ORDER == __LITTLE_ENDIAN 155#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n])) 156#elif __BYTE_ORDER == __BIG_ENDIAN 157#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32)) 158#else 159#error "wut? Unknown __BYTE_ORDER?!" 160#endif 161 162#define SIBLING_EXIT_UNKILLED 0xbadbeef 163#define SIBLING_EXIT_FAILURE 0xbadface 164#define SIBLING_EXIT_NEWPRIVS 0xbadfeed 165 166TEST(mode_strict_support) 167{ 168 long ret; 169 170 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL); 171 ASSERT_EQ(0, ret) { 172 TH_LOG("Kernel does not support CONFIG_SECCOMP"); 173 } 174 syscall(__NR_exit, 0); 175} 176 177TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL) 178{ 179 long ret; 180 181 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL); 182 ASSERT_EQ(0, ret) { 183 TH_LOG("Kernel does not support CONFIG_SECCOMP"); 184 } 185 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 186 NULL, NULL, NULL); 187 EXPECT_FALSE(true) { 188 TH_LOG("Unreachable!"); 189 } 190} 191 192/* Note! This doesn't test no new privs behavior */ 193TEST(no_new_privs_support) 194{ 195 long ret; 196 197 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 198 EXPECT_EQ(0, ret) { 199 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 200 } 201} 202 203/* Tests kernel support by checking for a copy_from_user() fault on NULL. */ 204TEST(mode_filter_support) 205{ 206 long ret; 207 208 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0); 209 ASSERT_EQ(0, ret) { 210 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 211 } 212 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL); 213 EXPECT_EQ(-1, ret); 214 EXPECT_EQ(EFAULT, errno) { 215 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!"); 216 } 217} 218 219TEST(mode_filter_without_nnp) 220{ 221 struct sock_filter filter[] = { 222 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 223 }; 224 struct sock_fprog prog = { 225 .len = (unsigned short)ARRAY_SIZE(filter), 226 .filter = filter, 227 }; 228 long ret; 229 230 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0); 231 ASSERT_LE(0, ret) { 232 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS"); 233 } 234 errno = 0; 235 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 236 /* Succeeds with CAP_SYS_ADMIN, fails without */ 237 /* TODO(wad) check caps not euid */ 238 if (geteuid()) { 239 EXPECT_EQ(-1, ret); 240 EXPECT_EQ(EACCES, errno); 241 } else { 242 EXPECT_EQ(0, ret); 243 } 244} 245 246#define MAX_INSNS_PER_PATH 32768 247 248TEST(filter_size_limits) 249{ 250 int i; 251 int count = BPF_MAXINSNS + 1; 252 struct sock_filter allow[] = { 253 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 254 }; 255 struct sock_filter *filter; 256 struct sock_fprog prog = { }; 257 long ret; 258 259 filter = calloc(count, sizeof(*filter)); 260 ASSERT_NE(NULL, filter); 261 262 for (i = 0; i < count; i++) 263 filter[i] = allow[0]; 264 265 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 266 ASSERT_EQ(0, ret); 267 268 prog.filter = filter; 269 prog.len = count; 270 271 /* Too many filter instructions in a single filter. */ 272 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 273 ASSERT_NE(0, ret) { 274 TH_LOG("Installing %d insn filter was allowed", prog.len); 275 } 276 277 /* One less is okay, though. */ 278 prog.len -= 1; 279 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 280 ASSERT_EQ(0, ret) { 281 TH_LOG("Installing %d insn filter wasn't allowed", prog.len); 282 } 283} 284 285TEST(filter_chain_limits) 286{ 287 int i; 288 int count = BPF_MAXINSNS; 289 struct sock_filter allow[] = { 290 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 291 }; 292 struct sock_filter *filter; 293 struct sock_fprog prog = { }; 294 long ret; 295 296 filter = calloc(count, sizeof(*filter)); 297 ASSERT_NE(NULL, filter); 298 299 for (i = 0; i < count; i++) 300 filter[i] = allow[0]; 301 302 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 303 ASSERT_EQ(0, ret); 304 305 prog.filter = filter; 306 prog.len = 1; 307 308 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 309 ASSERT_EQ(0, ret); 310 311 prog.len = count; 312 313 /* Too many total filter instructions. */ 314 for (i = 0; i < MAX_INSNS_PER_PATH; i++) { 315 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 316 if (ret != 0) 317 break; 318 } 319 ASSERT_NE(0, ret) { 320 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)", 321 i, count, i * (count + 4)); 322 } 323} 324 325TEST(mode_filter_cannot_move_to_strict) 326{ 327 struct sock_filter filter[] = { 328 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 329 }; 330 struct sock_fprog prog = { 331 .len = (unsigned short)ARRAY_SIZE(filter), 332 .filter = filter, 333 }; 334 long ret; 335 336 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 337 ASSERT_EQ(0, ret); 338 339 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 340 ASSERT_EQ(0, ret); 341 342 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0); 343 EXPECT_EQ(-1, ret); 344 EXPECT_EQ(EINVAL, errno); 345} 346 347 348TEST(mode_filter_get_seccomp) 349{ 350 struct sock_filter filter[] = { 351 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 352 }; 353 struct sock_fprog prog = { 354 .len = (unsigned short)ARRAY_SIZE(filter), 355 .filter = filter, 356 }; 357 long ret; 358 359 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 360 ASSERT_EQ(0, ret); 361 362 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0); 363 EXPECT_EQ(0, ret); 364 365 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 366 ASSERT_EQ(0, ret); 367 368 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0); 369 EXPECT_EQ(2, ret); 370} 371 372 373TEST(ALLOW_all) 374{ 375 struct sock_filter filter[] = { 376 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 377 }; 378 struct sock_fprog prog = { 379 .len = (unsigned short)ARRAY_SIZE(filter), 380 .filter = filter, 381 }; 382 long ret; 383 384 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 385 ASSERT_EQ(0, ret); 386 387 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 388 ASSERT_EQ(0, ret); 389} 390 391TEST(empty_prog) 392{ 393 struct sock_filter filter[] = { 394 }; 395 struct sock_fprog prog = { 396 .len = (unsigned short)ARRAY_SIZE(filter), 397 .filter = filter, 398 }; 399 long ret; 400 401 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 402 ASSERT_EQ(0, ret); 403 404 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 405 EXPECT_EQ(-1, ret); 406 EXPECT_EQ(EINVAL, errno); 407} 408 409#if 0 410TEST(log_all) 411{ 412 struct sock_filter filter[] = { 413 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG), 414 }; 415 struct sock_fprog prog = { 416 .len = (unsigned short)ARRAY_SIZE(filter), 417 .filter = filter, 418 }; 419 long ret; 420 pid_t parent = getppid(); 421 422 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 423 ASSERT_EQ(0, ret); 424 425 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 426 ASSERT_EQ(0, ret); 427 428 /* getppid() should succeed and be logged (no check for logging) */ 429 EXPECT_EQ(parent, syscall(__NR_getppid)); 430} 431#endif 432 433TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS) 434{ 435 struct sock_filter filter[] = { 436 BPF_STMT(BPF_RET|BPF_K, 0x10000000U), 437 }; 438 struct sock_fprog prog = { 439 .len = (unsigned short)ARRAY_SIZE(filter), 440 .filter = filter, 441 }; 442 long ret; 443 444 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 445 ASSERT_EQ(0, ret); 446 447 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 448 ASSERT_EQ(0, ret); 449 EXPECT_EQ(0, syscall(__NR_getpid)) { 450 TH_LOG("getpid() shouldn't ever return"); 451 } 452} 453 454/* return code >= 0x80000000 is unused. */ 455TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS) 456{ 457 struct sock_filter filter[] = { 458 BPF_STMT(BPF_RET|BPF_K, 0x90000000U), 459 }; 460 struct sock_fprog prog = { 461 .len = (unsigned short)ARRAY_SIZE(filter), 462 .filter = filter, 463 }; 464 long ret; 465 466 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 467 ASSERT_EQ(0, ret); 468 469 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 470 ASSERT_EQ(0, ret); 471 EXPECT_EQ(0, syscall(__NR_getpid)) { 472 TH_LOG("getpid() shouldn't ever return"); 473 } 474} 475 476TEST_SIGNAL(KILL_all, SIGSYS) 477{ 478 struct sock_filter filter[] = { 479 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 480 }; 481 struct sock_fprog prog = { 482 .len = (unsigned short)ARRAY_SIZE(filter), 483 .filter = filter, 484 }; 485 long ret; 486 487 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 488 ASSERT_EQ(0, ret); 489 490 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 491 ASSERT_EQ(0, ret); 492} 493 494TEST_SIGNAL(KILL_one, SIGSYS) 495{ 496 struct sock_filter filter[] = { 497 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 498 offsetof(struct seccomp_data, nr)), 499 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1), 500 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 501 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 502 }; 503 struct sock_fprog prog = { 504 .len = (unsigned short)ARRAY_SIZE(filter), 505 .filter = filter, 506 }; 507 long ret; 508 pid_t parent = getppid(); 509 510 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 511 ASSERT_EQ(0, ret); 512 513 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 514 ASSERT_EQ(0, ret); 515 516 EXPECT_EQ(parent, syscall(__NR_getppid)); 517 /* getpid() should never return. */ 518 EXPECT_EQ(0, syscall(__NR_getpid)); 519} 520 521TEST_SIGNAL(KILL_one_arg_one, SIGSYS) 522{ 523 void *fatal_address; 524 struct sock_filter filter[] = { 525 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 526 offsetof(struct seccomp_data, nr)), 527 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0), 528 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 529 /* Only both with lower 32-bit for now. */ 530 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)), 531 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 532 (unsigned long)&fatal_address, 0, 1), 533 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 534 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 535 }; 536 struct sock_fprog prog = { 537 .len = (unsigned short)ARRAY_SIZE(filter), 538 .filter = filter, 539 }; 540 long ret; 541 pid_t parent = getppid(); 542 struct tms timebuf; 543 clock_t clock = times(&timebuf); 544 545 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 546 ASSERT_EQ(0, ret); 547 548 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 549 ASSERT_EQ(0, ret); 550 551 EXPECT_EQ(parent, syscall(__NR_getppid)); 552 EXPECT_LE(clock, syscall(__NR_times, &timebuf)); 553 /* times() should never return. */ 554 EXPECT_EQ(0, syscall(__NR_times, &fatal_address)); 555} 556 557TEST_SIGNAL(KILL_one_arg_six, SIGSYS) 558{ 559#ifndef __NR_mmap2 560 int sysno = __NR_mmap; 561#else 562 int sysno = __NR_mmap2; 563#endif 564 struct sock_filter filter[] = { 565 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 566 offsetof(struct seccomp_data, nr)), 567 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0), 568 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 569 /* Only both with lower 32-bit for now. */ 570 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)), 571 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1), 572 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 573 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 574 }; 575 struct sock_fprog prog = { 576 .len = (unsigned short)ARRAY_SIZE(filter), 577 .filter = filter, 578 }; 579 long ret; 580 pid_t parent = getppid(); 581 int fd; 582 void *map1, *map2; 583 int page_size = sysconf(_SC_PAGESIZE); 584 585 ASSERT_LT(0, page_size); 586 587 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 588 ASSERT_EQ(0, ret); 589 590 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 591 ASSERT_EQ(0, ret); 592 593 fd = open("/dev/zero", O_RDONLY); 594 ASSERT_NE(-1, fd); 595 596 EXPECT_EQ(parent, syscall(__NR_getppid)); 597 map1 = (void *)syscall(sysno, 598 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size); 599 EXPECT_NE(MAP_FAILED, map1); 600 /* mmap2() should never return. */ 601 map2 = (void *)syscall(sysno, 602 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE); 603 EXPECT_EQ(MAP_FAILED, map2); 604 605 /* The test failed, so clean up the resources. */ 606 munmap(map1, page_size); 607 munmap(map2, page_size); 608 close(fd); 609} 610 611/* This is a thread task to die via seccomp filter violation. */ 612void *kill_thread(void *data) 613{ 614 bool die = (bool)data; 615 616 if (die) { 617 prctl(PR_GET_SECCOMP, 0, 0, 0, 0); 618 return (void *)SIBLING_EXIT_FAILURE; 619 } 620 621 return (void *)SIBLING_EXIT_UNKILLED; 622} 623 624/* Prepare a thread that will kill itself or both of us. */ 625void kill_thread_or_group(struct __test_metadata *_metadata, bool kill_process) 626{ 627 pthread_t thread; 628 void *status; 629 /* Kill only when calling __NR_prctl. */ 630 struct sock_filter filter_thread[] = { 631 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 632 offsetof(struct seccomp_data, nr)), 633 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1), 634 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD), 635 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 636 }; 637 struct sock_fprog prog_thread = { 638 .len = (unsigned short)ARRAY_SIZE(filter_thread), 639 .filter = filter_thread, 640 }; 641 struct sock_filter filter_process[] = { 642 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 643 offsetof(struct seccomp_data, nr)), 644 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1), 645 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_PROCESS), 646 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 647 }; 648 struct sock_fprog prog_process = { 649 .len = (unsigned short)ARRAY_SIZE(filter_process), 650 .filter = filter_process, 651 }; 652 653 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 654 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 655 } 656 657 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, 658 kill_process ? &prog_process : &prog_thread)); 659 660 /* 661 * Add the KILL_THREAD rule again to make sure that the KILL_PROCESS 662 * flag cannot be downgraded by a new filter. 663 */ 664 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread)); 665 666 /* Start a thread that will exit immediately. */ 667 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)false)); 668 ASSERT_EQ(0, pthread_join(thread, &status)); 669 ASSERT_EQ(SIBLING_EXIT_UNKILLED, (unsigned long)status); 670 671 /* Start a thread that will die immediately. */ 672 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)true)); 673 ASSERT_EQ(0, pthread_join(thread, &status)); 674 ASSERT_NE(SIBLING_EXIT_FAILURE, (unsigned long)status); 675 676 /* 677 * If we get here, only the spawned thread died. Let the parent know 678 * the whole process didn't die (i.e. this thread, the spawner, 679 * stayed running). 680 */ 681 exit(42); 682} 683 684#if 0 685TEST(KILL_thread) 686{ 687 int status; 688 pid_t child_pid; 689 690 child_pid = fork(); 691 ASSERT_LE(0, child_pid); 692 if (child_pid == 0) { 693 kill_thread_or_group(_metadata, false); 694 _exit(38); 695 } 696 697 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 698 699 /* If only the thread was killed, we'll see exit 42. */ 700 ASSERT_TRUE(WIFEXITED(status)); 701 ASSERT_EQ(42, WEXITSTATUS(status)); 702} 703#endif 704 705TEST(KILL_process) 706{ 707 int status; 708 pid_t child_pid; 709 710 child_pid = fork(); 711 ASSERT_LE(0, child_pid); 712 if (child_pid == 0) { 713 kill_thread_or_group(_metadata, true); 714 _exit(38); 715 } 716 717 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 718 719 /* If the entire process was killed, we'll see SIGSYS. */ 720 ASSERT_TRUE(WIFSIGNALED(status)); 721 ASSERT_EQ(SIGSYS, WTERMSIG(status)); 722} 723 724/* TODO(wad) add 64-bit versus 32-bit arg tests. */ 725TEST(arg_out_of_range) 726{ 727 struct sock_filter filter[] = { 728 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)), 729 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 730 }; 731 struct sock_fprog prog = { 732 .len = (unsigned short)ARRAY_SIZE(filter), 733 .filter = filter, 734 }; 735 long ret; 736 737 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 738 ASSERT_EQ(0, ret); 739 740 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); 741 EXPECT_EQ(-1, ret); 742 EXPECT_EQ(EINVAL, errno); 743} 744 745#define ERRNO_FILTER(name, errno) \ 746 struct sock_filter _read_filter_##name[] = { \ 747 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, \ 748 offsetof(struct seccomp_data, nr)), \ 749 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), \ 750 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno), \ 751 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \ 752 }; \ 753 struct sock_fprog prog_##name = { \ 754 .len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \ 755 .filter = _read_filter_##name, \ 756 } 757 758/* Make sure basic errno values are correctly passed through a filter. */ 759TEST(ERRNO_valid) 760{ 761 ERRNO_FILTER(valid, E2BIG); 762 long ret; 763 pid_t parent = getppid(); 764 765 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 766 ASSERT_EQ(0, ret); 767 768 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid); 769 ASSERT_EQ(0, ret); 770 771 EXPECT_EQ(parent, syscall(__NR_getppid)); 772 EXPECT_EQ(-1, read(0, NULL, 0)); 773 EXPECT_EQ(E2BIG, errno); 774} 775 776/* Make sure an errno of zero is correctly handled by the arch code. */ 777TEST(ERRNO_zero) 778{ 779 ERRNO_FILTER(zero, 0); 780 long ret; 781 pid_t parent = getppid(); 782 783 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 784 ASSERT_EQ(0, ret); 785 786 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero); 787 ASSERT_EQ(0, ret); 788 789 EXPECT_EQ(parent, syscall(__NR_getppid)); 790 /* "errno" of 0 is ok. */ 791 EXPECT_EQ(0, read(0, NULL, 0)); 792} 793 794/* 795 * The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller. 796 * This tests that the errno value gets capped correctly, fixed by 797 * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO"). 798 */ 799TEST(ERRNO_capped) 800{ 801 ERRNO_FILTER(capped, 4096); 802 long ret; 803 pid_t parent = getppid(); 804 805 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 806 ASSERT_EQ(0, ret); 807 808 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped); 809 ASSERT_EQ(0, ret); 810 811 EXPECT_EQ(parent, syscall(__NR_getppid)); 812 EXPECT_EQ(-1, read(0, NULL, 0)); 813 EXPECT_EQ(4095, errno); 814} 815 816/* 817 * Filters are processed in reverse order: last applied is executed first. 818 * Since only the SECCOMP_RET_ACTION mask is tested for return values, the 819 * SECCOMP_RET_DATA mask results will follow the most recently applied 820 * matching filter return (and not the lowest or highest value). 821 */ 822TEST(ERRNO_order) 823{ 824 ERRNO_FILTER(first, 11); 825 ERRNO_FILTER(second, 13); 826 ERRNO_FILTER(third, 12); 827 long ret; 828 pid_t parent = getppid(); 829 830 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 831 ASSERT_EQ(0, ret); 832 833 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first); 834 ASSERT_EQ(0, ret); 835 836 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second); 837 ASSERT_EQ(0, ret); 838 839 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third); 840 ASSERT_EQ(0, ret); 841 842 EXPECT_EQ(parent, syscall(__NR_getppid)); 843 EXPECT_EQ(-1, read(0, NULL, 0)); 844 EXPECT_EQ(12, errno); 845} 846 847FIXTURE_DATA(TRAP) { 848 struct sock_fprog prog; 849}; 850 851FIXTURE_SETUP(TRAP) 852{ 853 struct sock_filter filter[] = { 854 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 855 offsetof(struct seccomp_data, nr)), 856 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1), 857 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP), 858 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 859 }; 860 861 memset(&self->prog, 0, sizeof(self->prog)); 862 self->prog.filter = malloc(sizeof(filter)); 863 ASSERT_NE(NULL, self->prog.filter); 864 memcpy(self->prog.filter, filter, sizeof(filter)); 865 self->prog.len = (unsigned short)ARRAY_SIZE(filter); 866} 867 868FIXTURE_TEARDOWN(TRAP) 869{ 870 if (self->prog.filter) 871 free(self->prog.filter); 872} 873 874TEST_F_SIGNAL(TRAP, dfl, SIGSYS) 875{ 876 long ret; 877 878 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 879 ASSERT_EQ(0, ret); 880 881 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog); 882 ASSERT_EQ(0, ret); 883 syscall(__NR_getpid); 884} 885 886/* Ensure that SIGSYS overrides SIG_IGN */ 887TEST_F_SIGNAL(TRAP, ign, SIGSYS) 888{ 889 long ret; 890 891 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 892 ASSERT_EQ(0, ret); 893 894 signal(SIGSYS, SIG_IGN); 895 896 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog); 897 ASSERT_EQ(0, ret); 898 syscall(__NR_getpid); 899} 900 901static siginfo_t TRAP_info; 902static volatile int TRAP_nr; 903static void TRAP_action(int nr, siginfo_t *info, void *void_context) 904{ 905 memcpy(&TRAP_info, info, sizeof(TRAP_info)); 906 TRAP_nr = nr; 907} 908 909TEST_F(TRAP, handler) 910{ 911 int ret, test; 912 struct sigaction act; 913 sigset_t mask; 914 915 memset(&act, 0, sizeof(act)); 916 sigemptyset(&mask); 917 sigaddset(&mask, SIGSYS); 918 919 act.sa_sigaction = &TRAP_action; 920 act.sa_flags = SA_SIGINFO; 921 ret = sigaction(SIGSYS, &act, NULL); 922 ASSERT_EQ(0, ret) { 923 TH_LOG("sigaction failed"); 924 } 925 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL); 926 ASSERT_EQ(0, ret) { 927 TH_LOG("sigprocmask failed"); 928 } 929 930 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 931 ASSERT_EQ(0, ret); 932 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog); 933 ASSERT_EQ(0, ret); 934 TRAP_nr = 0; 935 memset(&TRAP_info, 0, sizeof(TRAP_info)); 936 /* Expect the registers to be rolled back. (nr = error) may vary 937 * based on arch. */ 938 ret = syscall(__NR_getpid); 939 /* Silence gcc warning about volatile. */ 940 test = TRAP_nr; 941 EXPECT_EQ(SIGSYS, test); 942 struct local_sigsys { 943 void *_call_addr; /* calling user insn */ 944 int _syscall; /* triggering system call number */ 945 unsigned int _arch; /* AUDIT_ARCH_* of syscall */ 946 } *sigsys = (struct local_sigsys *) 947#ifdef si_syscall 948 &(TRAP_info.si_call_addr); 949#else 950 &TRAP_info.si_pid; 951#endif 952 EXPECT_EQ(__NR_getpid, sigsys->_syscall); 953 /* Make sure arch is non-zero. */ 954 EXPECT_NE(0, sigsys->_arch); 955 EXPECT_NE(0, (unsigned long)sigsys->_call_addr); 956} 957 958FIXTURE_DATA(precedence) { 959 struct sock_fprog allow; 960 struct sock_fprog log; 961 struct sock_fprog trace; 962 struct sock_fprog error; 963 struct sock_fprog trap; 964 struct sock_fprog kill; 965}; 966 967FIXTURE_SETUP(precedence) 968{ 969 struct sock_filter allow_insns[] = { 970 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 971 }; 972 struct sock_filter log_insns[] = { 973 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 974 offsetof(struct seccomp_data, nr)), 975 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0), 976 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 977 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG), 978 }; 979 struct sock_filter trace_insns[] = { 980 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 981 offsetof(struct seccomp_data, nr)), 982 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0), 983 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 984 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE), 985 }; 986 struct sock_filter error_insns[] = { 987 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 988 offsetof(struct seccomp_data, nr)), 989 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0), 990 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 991 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO), 992 }; 993 struct sock_filter trap_insns[] = { 994 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 995 offsetof(struct seccomp_data, nr)), 996 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0), 997 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 998 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP), 999 }; 1000 struct sock_filter kill_insns[] = { 1001 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1002 offsetof(struct seccomp_data, nr)), 1003 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0), 1004 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1005 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 1006 }; 1007 1008 memset(self, 0, sizeof(*self)); 1009#define FILTER_ALLOC(_x) \ 1010 self->_x.filter = malloc(sizeof(_x##_insns)); \ 1011 ASSERT_NE(NULL, self->_x.filter); \ 1012 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \ 1013 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns) 1014 FILTER_ALLOC(allow); 1015 FILTER_ALLOC(log); 1016 FILTER_ALLOC(trace); 1017 FILTER_ALLOC(error); 1018 FILTER_ALLOC(trap); 1019 FILTER_ALLOC(kill); 1020} 1021 1022FIXTURE_TEARDOWN(precedence) 1023{ 1024#define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter) 1025 FILTER_FREE(allow); 1026 FILTER_FREE(log); 1027 FILTER_FREE(trace); 1028 FILTER_FREE(error); 1029 FILTER_FREE(trap); 1030 FILTER_FREE(kill); 1031} 1032 1033TEST_F(precedence, allow_ok) 1034{ 1035 pid_t parent, res = 0; 1036 long ret; 1037 1038 parent = getppid(); 1039 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1040 ASSERT_EQ(0, ret); 1041 1042 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1043 ASSERT_EQ(0, ret); 1044 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1045 ASSERT_EQ(0, ret); 1046 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1047 ASSERT_EQ(0, ret); 1048 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1049 ASSERT_EQ(0, ret); 1050 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); 1051 ASSERT_EQ(0, ret); 1052 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill); 1053 ASSERT_EQ(0, ret); 1054 /* Should work just fine. */ 1055 res = syscall(__NR_getppid); 1056 EXPECT_EQ(parent, res); 1057} 1058 1059TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS) 1060{ 1061 pid_t parent, res = 0; 1062 long ret; 1063 1064 parent = getppid(); 1065 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1066 ASSERT_EQ(0, ret); 1067 1068 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1069 ASSERT_EQ(0, ret); 1070 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1071 ASSERT_EQ(0, ret); 1072 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1073 ASSERT_EQ(0, ret); 1074 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1075 ASSERT_EQ(0, ret); 1076 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); 1077 ASSERT_EQ(0, ret); 1078 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill); 1079 ASSERT_EQ(0, ret); 1080 /* Should work just fine. */ 1081 res = syscall(__NR_getppid); 1082 EXPECT_EQ(parent, res); 1083 /* getpid() should never return. */ 1084 res = syscall(__NR_getpid); 1085 EXPECT_EQ(0, res); 1086} 1087 1088TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS) 1089{ 1090 pid_t parent; 1091 long ret; 1092 1093 parent = getppid(); 1094 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1095 ASSERT_EQ(0, ret); 1096 1097 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1098 ASSERT_EQ(0, ret); 1099 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill); 1100 ASSERT_EQ(0, ret); 1101 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1102 ASSERT_EQ(0, ret); 1103 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1104 ASSERT_EQ(0, ret); 1105 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1106 ASSERT_EQ(0, ret); 1107 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); 1108 ASSERT_EQ(0, ret); 1109 /* Should work just fine. */ 1110 EXPECT_EQ(parent, syscall(__NR_getppid)); 1111 /* getpid() should never return. */ 1112 EXPECT_EQ(0, syscall(__NR_getpid)); 1113} 1114 1115TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS) 1116{ 1117 pid_t parent; 1118 long ret; 1119 1120 parent = getppid(); 1121 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1122 ASSERT_EQ(0, ret); 1123 1124 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1125 ASSERT_EQ(0, ret); 1126 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1127 ASSERT_EQ(0, ret); 1128 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1129 ASSERT_EQ(0, ret); 1130 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1131 ASSERT_EQ(0, ret); 1132 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); 1133 ASSERT_EQ(0, ret); 1134 /* Should work just fine. */ 1135 EXPECT_EQ(parent, syscall(__NR_getppid)); 1136 /* getpid() should never return. */ 1137 EXPECT_EQ(0, syscall(__NR_getpid)); 1138} 1139 1140TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS) 1141{ 1142 pid_t parent; 1143 long ret; 1144 1145 parent = getppid(); 1146 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1147 ASSERT_EQ(0, ret); 1148 1149 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1150 ASSERT_EQ(0, ret); 1151 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); 1152 ASSERT_EQ(0, ret); 1153 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1154 ASSERT_EQ(0, ret); 1155 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1156 ASSERT_EQ(0, ret); 1157 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1158 ASSERT_EQ(0, ret); 1159 /* Should work just fine. */ 1160 EXPECT_EQ(parent, syscall(__NR_getppid)); 1161 /* getpid() should never return. */ 1162 EXPECT_EQ(0, syscall(__NR_getpid)); 1163} 1164 1165TEST_F(precedence, errno_is_third) 1166{ 1167 pid_t parent; 1168 long ret; 1169 1170 parent = getppid(); 1171 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1172 ASSERT_EQ(0, ret); 1173 1174 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1175 ASSERT_EQ(0, ret); 1176 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1177 ASSERT_EQ(0, ret); 1178 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1179 ASSERT_EQ(0, ret); 1180 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1181 ASSERT_EQ(0, ret); 1182 /* Should work just fine. */ 1183 EXPECT_EQ(parent, syscall(__NR_getppid)); 1184 EXPECT_EQ(0, syscall(__NR_getpid)); 1185} 1186 1187TEST_F(precedence, errno_is_third_in_any_order) 1188{ 1189 pid_t parent; 1190 long ret; 1191 1192 parent = getppid(); 1193 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1194 ASSERT_EQ(0, ret); 1195 1196 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1197 ASSERT_EQ(0, ret); 1198 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); 1199 ASSERT_EQ(0, ret); 1200 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1201 ASSERT_EQ(0, ret); 1202 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1203 ASSERT_EQ(0, ret); 1204 /* Should work just fine. */ 1205 EXPECT_EQ(parent, syscall(__NR_getppid)); 1206 EXPECT_EQ(0, syscall(__NR_getpid)); 1207} 1208 1209TEST_F(precedence, trace_is_fourth) 1210{ 1211 pid_t parent; 1212 long ret; 1213 1214 parent = getppid(); 1215 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1216 ASSERT_EQ(0, ret); 1217 1218 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1219 ASSERT_EQ(0, ret); 1220 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1221 ASSERT_EQ(0, ret); 1222 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1223 ASSERT_EQ(0, ret); 1224 /* Should work just fine. */ 1225 EXPECT_EQ(parent, syscall(__NR_getppid)); 1226 /* No ptracer */ 1227 EXPECT_EQ(-1, syscall(__NR_getpid)); 1228} 1229 1230TEST_F(precedence, trace_is_fourth_in_any_order) 1231{ 1232 pid_t parent; 1233 long ret; 1234 1235 parent = getppid(); 1236 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1237 ASSERT_EQ(0, ret); 1238 1239 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); 1240 ASSERT_EQ(0, ret); 1241 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1242 ASSERT_EQ(0, ret); 1243 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1244 ASSERT_EQ(0, ret); 1245 /* Should work just fine. */ 1246 EXPECT_EQ(parent, syscall(__NR_getppid)); 1247 /* No ptracer */ 1248 EXPECT_EQ(-1, syscall(__NR_getpid)); 1249} 1250 1251#if 0 1252TEST_F(precedence, log_is_fifth) 1253{ 1254 pid_t mypid, parent; 1255 long ret; 1256 1257 mypid = getpid(); 1258 parent = getppid(); 1259 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1260 ASSERT_EQ(0, ret); 1261 1262 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1263 ASSERT_EQ(0, ret); 1264 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1265 ASSERT_EQ(0, ret); 1266 /* Should work just fine. */ 1267 EXPECT_EQ(parent, syscall(__NR_getppid)); 1268 /* Should also work just fine */ 1269 EXPECT_EQ(mypid, syscall(__NR_getpid)); 1270} 1271 1272TEST_F(precedence, log_is_fifth_in_any_order) 1273{ 1274 pid_t mypid, parent; 1275 long ret; 1276 1277 mypid = getpid(); 1278 parent = getppid(); 1279 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1280 ASSERT_EQ(0, ret); 1281 1282 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); 1283 ASSERT_EQ(0, ret); 1284 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); 1285 ASSERT_EQ(0, ret); 1286 /* Should work just fine. */ 1287 EXPECT_EQ(parent, syscall(__NR_getppid)); 1288 /* Should also work just fine */ 1289 EXPECT_EQ(mypid, syscall(__NR_getpid)); 1290} 1291#endif 1292 1293#ifndef PTRACE_O_TRACESECCOMP 1294#define PTRACE_O_TRACESECCOMP 0x00000080 1295#endif 1296 1297/* Catch the Ubuntu 12.04 value error. */ 1298#if PTRACE_EVENT_SECCOMP != 7 1299#undef PTRACE_EVENT_SECCOMP 1300#endif 1301 1302#ifndef PTRACE_EVENT_SECCOMP 1303#define PTRACE_EVENT_SECCOMP 7 1304#endif 1305 1306#define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP) 1307bool tracer_running; 1308void tracer_stop(int sig) 1309{ 1310 tracer_running = false; 1311} 1312 1313typedef void tracer_func_t(struct __test_metadata *_metadata, 1314 pid_t tracee, int status, void *args); 1315 1316void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee, 1317 tracer_func_t tracer_func, void *args, bool ptrace_syscall) 1318{ 1319 int ret = -1; 1320 struct sigaction action = { 1321 .sa_handler = tracer_stop, 1322 }; 1323 1324 /* Allow external shutdown. */ 1325 tracer_running = true; 1326 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL)); 1327 1328 errno = 0; 1329 while (ret == -1 && errno != EINVAL) 1330 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0); 1331 ASSERT_EQ(0, ret) { 1332 kill(tracee, SIGKILL); 1333 } 1334 /* Wait for attach stop */ 1335 wait(NULL); 1336 1337 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ? 1338 PTRACE_O_TRACESYSGOOD : 1339 PTRACE_O_TRACESECCOMP); 1340 ASSERT_EQ(0, ret) { 1341 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP"); 1342 kill(tracee, SIGKILL); 1343 } 1344 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, 1345 tracee, NULL, 0); 1346 ASSERT_EQ(0, ret); 1347 1348 /* Unblock the tracee */ 1349 ASSERT_EQ(1, write(fd, "A", 1)); 1350 ASSERT_EQ(0, close(fd)); 1351 1352 /* Run until we're shut down. Must assert to stop execution. */ 1353 while (tracer_running) { 1354 int status; 1355 1356 if (wait(&status) != tracee) 1357 continue; 1358 if (WIFSIGNALED(status) || WIFEXITED(status)) 1359 /* Child is dead. Time to go. */ 1360 return; 1361 1362 /* Check if this is a seccomp event. */ 1363 ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status)); 1364 1365 tracer_func(_metadata, tracee, status, args); 1366 1367 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT, 1368 tracee, NULL, 0); 1369 ASSERT_EQ(0, ret); 1370 } 1371 /* Directly report the status of our test harness results. */ 1372 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE); 1373} 1374 1375/* Common tracer setup/teardown functions. */ 1376void cont_handler(int num) 1377{ } 1378pid_t setup_trace_fixture(struct __test_metadata *_metadata, 1379 tracer_func_t func, void *args, bool ptrace_syscall) 1380{ 1381 char sync; 1382 int pipefd[2]; 1383 pid_t tracer_pid; 1384 pid_t tracee = getpid(); 1385 1386 /* Setup a pipe for clean synchronization. */ 1387 ASSERT_EQ(0, pipe(pipefd)); 1388 1389 /* Fork a child which we'll promote to tracer */ 1390 tracer_pid = fork(); 1391 ASSERT_LE(0, tracer_pid); 1392 signal(SIGALRM, cont_handler); 1393 if (tracer_pid == 0) { 1394 close(pipefd[0]); 1395 start_tracer(_metadata, pipefd[1], tracee, func, args, 1396 ptrace_syscall); 1397 syscall(__NR_exit, 0); 1398 } 1399 close(pipefd[1]); 1400 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0); 1401 read(pipefd[0], &sync, 1); 1402 close(pipefd[0]); 1403 1404 return tracer_pid; 1405} 1406void teardown_trace_fixture(struct __test_metadata *_metadata, 1407 pid_t tracer) 1408{ 1409 if (tracer) { 1410 int status; 1411 /* 1412 * Extract the exit code from the other process and 1413 * adopt it for ourselves in case its asserts failed. 1414 */ 1415 ASSERT_EQ(0, kill(tracer, SIGUSR1)); 1416 ASSERT_EQ(tracer, waitpid(tracer, &status, 0)); 1417 if (WEXITSTATUS(status)) 1418 _metadata->passed = 0; 1419 } 1420} 1421 1422/* "poke" tracer arguments and function. */ 1423struct tracer_args_poke_t { 1424 unsigned long poke_addr; 1425}; 1426 1427void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status, 1428 void *args) 1429{ 1430 int ret; 1431 unsigned long msg; 1432 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args; 1433 1434 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); 1435 EXPECT_EQ(0, ret); 1436 /* If this fails, don't try to recover. */ 1437 ASSERT_EQ(0x1001, msg) { 1438 kill(tracee, SIGKILL); 1439 } 1440 /* 1441 * Poke in the message. 1442 * Registers are not touched to try to keep this relatively arch 1443 * agnostic. 1444 */ 1445 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001); 1446 EXPECT_EQ(0, ret); 1447} 1448 1449FIXTURE_DATA(TRACE_poke) { 1450 struct sock_fprog prog; 1451 pid_t tracer; 1452 long poked; 1453 struct tracer_args_poke_t tracer_args; 1454}; 1455 1456FIXTURE_SETUP(TRACE_poke) 1457{ 1458 struct sock_filter filter[] = { 1459 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1460 offsetof(struct seccomp_data, nr)), 1461 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), 1462 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001), 1463 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1464 }; 1465 1466 self->poked = 0; 1467 memset(&self->prog, 0, sizeof(self->prog)); 1468 self->prog.filter = malloc(sizeof(filter)); 1469 ASSERT_NE(NULL, self->prog.filter); 1470 memcpy(self->prog.filter, filter, sizeof(filter)); 1471 self->prog.len = (unsigned short)ARRAY_SIZE(filter); 1472 1473 /* Set up tracer args. */ 1474 self->tracer_args.poke_addr = (unsigned long)&self->poked; 1475 1476 /* Launch tracer. */ 1477 self->tracer = setup_trace_fixture(_metadata, tracer_poke, 1478 &self->tracer_args, false); 1479} 1480 1481FIXTURE_TEARDOWN(TRACE_poke) 1482{ 1483 teardown_trace_fixture(_metadata, self->tracer); 1484 if (self->prog.filter) 1485 free(self->prog.filter); 1486} 1487 1488TEST_F(TRACE_poke, read_has_side_effects) 1489{ 1490 ssize_t ret; 1491 1492 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1493 ASSERT_EQ(0, ret); 1494 1495 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1496 ASSERT_EQ(0, ret); 1497 1498 EXPECT_EQ(0, self->poked); 1499 ret = read(-1, NULL, 0); 1500 EXPECT_EQ(-1, ret); 1501 EXPECT_EQ(0x1001, self->poked); 1502} 1503 1504TEST_F(TRACE_poke, getpid_runs_normally) 1505{ 1506 long ret; 1507 1508 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1509 ASSERT_EQ(0, ret); 1510 1511 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1512 ASSERT_EQ(0, ret); 1513 1514 EXPECT_EQ(0, self->poked); 1515 EXPECT_NE(0, syscall(__NR_getpid)); 1516 EXPECT_EQ(0, self->poked); 1517} 1518 1519#if defined(__x86_64__) 1520# define ARCH_REGS struct user_regs_struct 1521# define SYSCALL_NUM orig_rax 1522# define SYSCALL_RET rax 1523#elif defined(__i386__) 1524# define ARCH_REGS struct user_regs_struct 1525# define SYSCALL_NUM orig_eax 1526# define SYSCALL_RET eax 1527#elif defined(__arm__) 1528# define ARCH_REGS struct pt_regs 1529# define SYSCALL_NUM ARM_r7 1530# define SYSCALL_RET ARM_r0 1531#elif defined(__aarch64__) 1532# define ARCH_REGS struct user_pt_regs 1533# define SYSCALL_NUM regs[8] 1534# define SYSCALL_RET regs[0] 1535#elif defined(__hppa__) 1536# define ARCH_REGS struct user_regs_struct 1537# define SYSCALL_NUM gr[20] 1538# define SYSCALL_RET gr[28] 1539#elif defined(__powerpc__) 1540# define ARCH_REGS struct pt_regs 1541# define SYSCALL_NUM gpr[0] 1542# define SYSCALL_RET gpr[3] 1543#elif defined(__s390__) 1544# define ARCH_REGS s390_regs 1545# define SYSCALL_NUM gprs[2] 1546# define SYSCALL_RET gprs[2] 1547#elif defined(__mips__) 1548# define ARCH_REGS struct pt_regs 1549# define SYSCALL_NUM regs[2] 1550# define SYSCALL_SYSCALL_NUM regs[4] 1551# define SYSCALL_RET regs[2] 1552# define SYSCALL_NUM_RET_SHARE_REG 1553#else 1554# error "Do not know how to find your architecture's registers and syscalls" 1555#endif 1556 1557/* When the syscall return can't be changed, stub out the tests for it. */ 1558#ifdef SYSCALL_NUM_RET_SHARE_REG 1559# define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action) 1560#else 1561# define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(val, action) 1562#endif 1563 1564/* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for 1565 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux). 1566 */ 1567#if defined(__x86_64__) || defined(__i386__) || defined(__mips__) 1568#define HAVE_GETREGS 1569#endif 1570 1571/* Architecture-specific syscall fetching routine. */ 1572int get_syscall(struct __test_metadata *_metadata, pid_t tracee) 1573{ 1574 ARCH_REGS regs; 1575#ifdef HAVE_GETREGS 1576 EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) { 1577 TH_LOG("PTRACE_GETREGS failed"); 1578 return -1; 1579 } 1580#else 1581 struct iovec iov; 1582 1583 iov.iov_base = ®s; 1584 iov.iov_len = sizeof(regs); 1585 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) { 1586 TH_LOG("PTRACE_GETREGSET failed"); 1587 return -1; 1588 } 1589#endif 1590 1591#if defined(__mips__) 1592 if (regs.SYSCALL_NUM == __NR_O32_Linux) 1593 return regs.SYSCALL_SYSCALL_NUM; 1594#endif 1595 return regs.SYSCALL_NUM; 1596} 1597 1598/* Architecture-specific syscall changing routine. */ 1599void change_syscall(struct __test_metadata *_metadata, 1600 pid_t tracee, int syscall) 1601{ 1602 int ret; 1603 ARCH_REGS regs; 1604#ifdef HAVE_GETREGS 1605 ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s); 1606#else 1607 struct iovec iov; 1608 iov.iov_base = ®s; 1609 iov.iov_len = sizeof(regs); 1610 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov); 1611#endif 1612 EXPECT_EQ(0, ret) {} 1613 1614#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ 1615 defined(__s390__) || defined(__hppa__) 1616 { 1617 regs.SYSCALL_NUM = syscall; 1618 } 1619#elif defined(__mips__) 1620 { 1621 if (regs.SYSCALL_NUM == __NR_O32_Linux) 1622 regs.SYSCALL_SYSCALL_NUM = syscall; 1623 else 1624 regs.SYSCALL_NUM = syscall; 1625 } 1626 1627#elif defined(__arm__) 1628# ifndef PTRACE_SET_SYSCALL 1629# define PTRACE_SET_SYSCALL 23 1630# endif 1631 { 1632 ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall); 1633 EXPECT_EQ(0, ret); 1634 } 1635 1636#elif defined(__aarch64__) 1637# ifndef NT_ARM_SYSTEM_CALL 1638# define NT_ARM_SYSTEM_CALL 0x404 1639# endif 1640 { 1641 iov.iov_base = &syscall; 1642 iov.iov_len = sizeof(syscall); 1643 ret = ptrace(PTRACE_SETREGSET, tracee, NT_ARM_SYSTEM_CALL, 1644 &iov); 1645 EXPECT_EQ(0, ret); 1646 } 1647 1648#else 1649 ASSERT_EQ(1, 0) { 1650 TH_LOG("How is the syscall changed on this architecture?"); 1651 } 1652#endif 1653 1654 /* If syscall is skipped, change return value. */ 1655 if (syscall == -1) 1656#ifdef SYSCALL_NUM_RET_SHARE_REG 1657 TH_LOG("Can't modify syscall return on this architecture"); 1658#else 1659 regs.SYSCALL_RET = EPERM; 1660#endif 1661 1662#ifdef HAVE_GETREGS 1663 ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s); 1664#else 1665 iov.iov_base = ®s; 1666 iov.iov_len = sizeof(regs); 1667 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov); 1668#endif 1669 EXPECT_EQ(0, ret); 1670} 1671 1672void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee, 1673 int status, void *args) 1674{ 1675 int ret; 1676 unsigned long msg; 1677 1678 /* Make sure we got the right message. */ 1679 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); 1680 EXPECT_EQ(0, ret); 1681 1682 /* Validate and take action on expected syscalls. */ 1683 switch (msg) { 1684 case 0x1002: 1685 /* change getpid to getppid. */ 1686 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee)); 1687 change_syscall(_metadata, tracee, __NR_getppid); 1688 break; 1689 case 0x1003: 1690 /* skip gettid. */ 1691 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee)); 1692 change_syscall(_metadata, tracee, -1); 1693 break; 1694 case 0x1004: 1695 /* do nothing (allow getppid) */ 1696 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee)); 1697 break; 1698 default: 1699 EXPECT_EQ(0, msg) { 1700 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg); 1701 kill(tracee, SIGKILL); 1702 } 1703 } 1704 1705} 1706 1707void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, 1708 int status, void *args) 1709{ 1710 int ret, nr; 1711 unsigned long msg; 1712 static bool entry; 1713 1714 /* Make sure we got an empty message. */ 1715 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg); 1716 EXPECT_EQ(0, ret); 1717 EXPECT_EQ(0, msg); 1718 1719 /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */ 1720 entry = !entry; 1721 if (!entry) 1722 return; 1723 1724 nr = get_syscall(_metadata, tracee); 1725 1726 if (nr == __NR_getpid) 1727 change_syscall(_metadata, tracee, __NR_getppid); 1728#ifdef __NR_open 1729 if (nr == __NR_open) 1730 change_syscall(_metadata, tracee, -1); 1731#endif 1732} 1733 1734FIXTURE_DATA(TRACE_syscall) { 1735 struct sock_fprog prog; 1736 pid_t tracer, mytid, mypid, parent; 1737}; 1738 1739FIXTURE_SETUP(TRACE_syscall) 1740{ 1741 struct sock_filter filter[] = { 1742 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1743 offsetof(struct seccomp_data, nr)), 1744 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1), 1745 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002), 1746 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1), 1747 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003), 1748 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), 1749 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004), 1750 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1751 }; 1752 1753 memset(&self->prog, 0, sizeof(self->prog)); 1754 self->prog.filter = malloc(sizeof(filter)); 1755 ASSERT_NE(NULL, self->prog.filter); 1756 memcpy(self->prog.filter, filter, sizeof(filter)); 1757 self->prog.len = (unsigned short)ARRAY_SIZE(filter); 1758 1759 /* Prepare some testable syscall results. */ 1760 self->mytid = syscall(__NR_gettid); 1761 ASSERT_GT(self->mytid, 0); 1762 ASSERT_NE(self->mytid, 1) { 1763 TH_LOG("Running this test as init is not supported. :)"); 1764 } 1765 1766 self->mypid = getpid(); 1767 ASSERT_GT(self->mypid, 0); 1768 ASSERT_EQ(self->mytid, self->mypid); 1769 1770 self->parent = getppid(); 1771 ASSERT_GT(self->parent, 0); 1772 ASSERT_NE(self->parent, self->mypid); 1773 1774 /* Launch tracer. */ 1775 self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL, 1776 false); 1777} 1778 1779FIXTURE_TEARDOWN(TRACE_syscall) 1780{ 1781 teardown_trace_fixture(_metadata, self->tracer); 1782 if (self->prog.filter) 1783 free(self->prog.filter); 1784} 1785 1786TEST_F(TRACE_syscall, ptrace_syscall_redirected) 1787{ 1788 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ 1789 teardown_trace_fixture(_metadata, self->tracer); 1790 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, 1791 true); 1792 1793 /* Tracer will redirect getpid to getppid. */ 1794 EXPECT_NE(self->mypid, syscall(__NR_getpid)); 1795} 1796 1797#ifdef __NR_open 1798TEST_F(TRACE_syscall, ptrace_syscall_dropped) 1799{ 1800 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ 1801 teardown_trace_fixture(_metadata, self->tracer); 1802 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, 1803 true); 1804 1805 /* Tracer should skip the open syscall, resulting in EPERM. */ 1806 EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_open)); 1807} 1808#endif 1809 1810TEST_F(TRACE_syscall, syscall_allowed) 1811{ 1812 long ret; 1813 1814 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1815 ASSERT_EQ(0, ret); 1816 1817 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1818 ASSERT_EQ(0, ret); 1819 1820 /* getppid works as expected (no changes). */ 1821 EXPECT_EQ(self->parent, syscall(__NR_getppid)); 1822 EXPECT_NE(self->mypid, syscall(__NR_getppid)); 1823} 1824 1825TEST_F(TRACE_syscall, syscall_redirected) 1826{ 1827 long ret; 1828 1829 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1830 ASSERT_EQ(0, ret); 1831 1832 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1833 ASSERT_EQ(0, ret); 1834 1835 /* getpid has been redirected to getppid as expected. */ 1836 EXPECT_EQ(self->parent, syscall(__NR_getpid)); 1837 EXPECT_NE(self->mypid, syscall(__NR_getpid)); 1838} 1839 1840TEST_F(TRACE_syscall, syscall_dropped) 1841{ 1842 long ret; 1843 1844 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1845 ASSERT_EQ(0, ret); 1846 1847 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1848 ASSERT_EQ(0, ret); 1849 1850 /* gettid has been skipped and an altered return value stored. */ 1851 EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_gettid)); 1852 EXPECT_NE(self->mytid, syscall(__NR_gettid)); 1853} 1854 1855/* 1856 * TODO: b/33027081 1857 * These tests do not work on kernels prior to 4.8. 1858 */ 1859#ifndef __ANDROID__ 1860TEST_F(TRACE_syscall, skip_after_RET_TRACE) 1861{ 1862 struct sock_filter filter[] = { 1863 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1864 offsetof(struct seccomp_data, nr)), 1865 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), 1866 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), 1867 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1868 }; 1869 struct sock_fprog prog = { 1870 .len = (unsigned short)ARRAY_SIZE(filter), 1871 .filter = filter, 1872 }; 1873 long ret; 1874 1875 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1876 ASSERT_EQ(0, ret); 1877 1878 /* Install fixture filter. */ 1879 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1880 ASSERT_EQ(0, ret); 1881 1882 /* Install "errno on getppid" filter. */ 1883 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 1884 ASSERT_EQ(0, ret); 1885 1886 /* Tracer will redirect getpid to getppid, and we should see EPERM. */ 1887 errno = 0; 1888 EXPECT_EQ(-1, syscall(__NR_getpid)); 1889 EXPECT_EQ(EPERM, errno); 1890} 1891 1892TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS) 1893{ 1894 struct sock_filter filter[] = { 1895 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1896 offsetof(struct seccomp_data, nr)), 1897 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), 1898 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 1899 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1900 }; 1901 struct sock_fprog prog = { 1902 .len = (unsigned short)ARRAY_SIZE(filter), 1903 .filter = filter, 1904 }; 1905 long ret; 1906 1907 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1908 ASSERT_EQ(0, ret); 1909 1910 /* Install fixture filter. */ 1911 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); 1912 ASSERT_EQ(0, ret); 1913 1914 /* Install "death on getppid" filter. */ 1915 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 1916 ASSERT_EQ(0, ret); 1917 1918 /* Tracer will redirect getpid to getppid, and we should die. */ 1919 EXPECT_NE(self->mypid, syscall(__NR_getpid)); 1920} 1921 1922TEST_F(TRACE_syscall, skip_after_ptrace) 1923{ 1924 struct sock_filter filter[] = { 1925 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1926 offsetof(struct seccomp_data, nr)), 1927 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), 1928 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM), 1929 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1930 }; 1931 struct sock_fprog prog = { 1932 .len = (unsigned short)ARRAY_SIZE(filter), 1933 .filter = filter, 1934 }; 1935 long ret; 1936 1937 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ 1938 teardown_trace_fixture(_metadata, self->tracer); 1939 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, 1940 true); 1941 1942 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1943 ASSERT_EQ(0, ret); 1944 1945 /* Install "errno on getppid" filter. */ 1946 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 1947 ASSERT_EQ(0, ret); 1948 1949 /* Tracer will redirect getpid to getppid, and we should see EPERM. */ 1950 EXPECT_EQ(-1, syscall(__NR_getpid)); 1951 EXPECT_EQ(EPERM, errno); 1952} 1953 1954TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) 1955{ 1956 struct sock_filter filter[] = { 1957 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 1958 offsetof(struct seccomp_data, nr)), 1959 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1), 1960 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 1961 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1962 }; 1963 struct sock_fprog prog = { 1964 .len = (unsigned short)ARRAY_SIZE(filter), 1965 .filter = filter, 1966 }; 1967 long ret; 1968 1969 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ 1970 teardown_trace_fixture(_metadata, self->tracer); 1971 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, 1972 true); 1973 1974 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1975 ASSERT_EQ(0, ret); 1976 1977 /* Install "death on getppid" filter. */ 1978 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 1979 ASSERT_EQ(0, ret); 1980 1981 /* Tracer will redirect getpid to getppid, and we should die. */ 1982 EXPECT_NE(self->mypid, syscall(__NR_getpid)); 1983} 1984#endif 1985 1986TEST(seccomp_syscall) 1987{ 1988 struct sock_filter filter[] = { 1989 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 1990 }; 1991 struct sock_fprog prog = { 1992 .len = (unsigned short)ARRAY_SIZE(filter), 1993 .filter = filter, 1994 }; 1995 long ret; 1996 1997 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 1998 ASSERT_EQ(0, ret) { 1999 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2000 } 2001 2002 /* Reject insane operation. */ 2003 ret = seccomp(-1, 0, &prog); 2004 ASSERT_NE(ENOSYS, errno) { 2005 TH_LOG("Kernel does not support seccomp syscall!"); 2006 } 2007 EXPECT_EQ(EINVAL, errno) { 2008 TH_LOG("Did not reject crazy op value!"); 2009 } 2010 2011 /* Reject strict with flags or pointer. */ 2012 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL); 2013 EXPECT_EQ(EINVAL, errno) { 2014 TH_LOG("Did not reject mode strict with flags!"); 2015 } 2016 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog); 2017 EXPECT_EQ(EINVAL, errno) { 2018 TH_LOG("Did not reject mode strict with uargs!"); 2019 } 2020 2021 /* Reject insane args for filter. */ 2022 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog); 2023 EXPECT_EQ(EINVAL, errno) { 2024 TH_LOG("Did not reject crazy filter flags!"); 2025 } 2026 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL); 2027 EXPECT_EQ(EFAULT, errno) { 2028 TH_LOG("Did not reject NULL filter!"); 2029 } 2030 2031 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); 2032 EXPECT_EQ(0, errno) { 2033 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s", 2034 strerror(errno)); 2035 } 2036} 2037 2038TEST(seccomp_syscall_mode_lock) 2039{ 2040 struct sock_filter filter[] = { 2041 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2042 }; 2043 struct sock_fprog prog = { 2044 .len = (unsigned short)ARRAY_SIZE(filter), 2045 .filter = filter, 2046 }; 2047 long ret; 2048 2049 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0); 2050 ASSERT_EQ(0, ret) { 2051 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2052 } 2053 2054 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); 2055 ASSERT_NE(ENOSYS, errno) { 2056 TH_LOG("Kernel does not support seccomp syscall!"); 2057 } 2058 EXPECT_EQ(0, ret) { 2059 TH_LOG("Could not install filter!"); 2060 } 2061 2062 /* Make sure neither entry point will switch to strict. */ 2063 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0); 2064 EXPECT_EQ(EINVAL, errno) { 2065 TH_LOG("Switched to mode strict!"); 2066 } 2067 2068 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL); 2069 EXPECT_EQ(EINVAL, errno) { 2070 TH_LOG("Switched to mode strict!"); 2071 } 2072} 2073 2074#if 0 2075/* 2076 * Test detection of known and unknown filter flags. Userspace needs to be able 2077 * to check if a filter flag is supported by the current kernel and a good way 2078 * of doing that is by attempting to enter filter mode, with the flag bit in 2079 * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates 2080 * that the flag is valid and EINVAL indicates that the flag is invalid. 2081 */ 2082TEST(detect_seccomp_filter_flags) 2083{ 2084 unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC, 2085 SECCOMP_FILTER_FLAG_LOG }; 2086 unsigned int flag, all_flags; 2087 int i; 2088 long ret; 2089 2090 /* Test detection of known-good filter flags */ 2091 for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) { 2092 flag = flags[i]; 2093 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); 2094 ASSERT_NE(ENOSYS, errno) { 2095 TH_LOG("Kernel does not support seccomp syscall!"); 2096 } 2097 EXPECT_EQ(-1, ret); 2098 EXPECT_EQ(EFAULT, errno) { 2099 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!", 2100 flag); 2101 } 2102 2103 all_flags |= flag; 2104 } 2105 2106 /* Test detection of all known-good filter flags */ 2107 ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL); 2108 EXPECT_EQ(-1, ret); 2109 EXPECT_EQ(EFAULT, errno) { 2110 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", 2111 all_flags); 2112 } 2113 2114 /* Test detection of an unknown filter flag */ 2115 flag = -1; 2116 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); 2117 EXPECT_EQ(-1, ret); 2118 EXPECT_EQ(EINVAL, errno) { 2119 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!", 2120 flag); 2121 } 2122 2123 /* 2124 * Test detection of an unknown filter flag that may simply need to be 2125 * added to this test 2126 */ 2127 flag = flags[ARRAY_SIZE(flags) - 1] << 1; 2128 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); 2129 EXPECT_EQ(-1, ret); 2130 EXPECT_EQ(EINVAL, errno) { 2131 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?", 2132 flag); 2133 } 2134} 2135#endif 2136 2137TEST(TSYNC_first) 2138{ 2139 struct sock_filter filter[] = { 2140 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2141 }; 2142 struct sock_fprog prog = { 2143 .len = (unsigned short)ARRAY_SIZE(filter), 2144 .filter = filter, 2145 }; 2146 long ret; 2147 2148 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0); 2149 ASSERT_EQ(0, ret) { 2150 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2151 } 2152 2153 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2154 &prog); 2155 ASSERT_NE(ENOSYS, errno) { 2156 TH_LOG("Kernel does not support seccomp syscall!"); 2157 } 2158 EXPECT_EQ(0, ret) { 2159 TH_LOG("Could not install initial filter with TSYNC!"); 2160 } 2161} 2162 2163#define TSYNC_SIBLINGS 2 2164struct tsync_sibling { 2165 pthread_t tid; 2166 pid_t system_tid; 2167 sem_t *started; 2168 pthread_cond_t *cond; 2169 pthread_mutex_t *mutex; 2170 int diverge; 2171 int num_waits; 2172 struct sock_fprog *prog; 2173 struct __test_metadata *metadata; 2174}; 2175 2176/* 2177 * To avoid joining joined threads (which is not allowed by Bionic), 2178 * make sure we both successfully join and clear the tid to skip a 2179 * later join attempt during fixture teardown. Any remaining threads 2180 * will be directly killed during teardown. 2181 */ 2182#define PTHREAD_JOIN(tid, status) \ 2183 do { \ 2184 int _rc = pthread_join(tid, status); \ 2185 if (_rc) { \ 2186 TH_LOG("pthread_join of tid %u failed: %d\n", \ 2187 (unsigned int)tid, _rc); \ 2188 } else { \ 2189 tid = 0; \ 2190 } \ 2191 } while (0) 2192 2193FIXTURE_DATA(TSYNC) { 2194 struct sock_fprog root_prog, apply_prog; 2195 struct tsync_sibling sibling[TSYNC_SIBLINGS]; 2196 sem_t started; 2197 pthread_cond_t cond; 2198 pthread_mutex_t mutex; 2199 int sibling_count; 2200}; 2201 2202FIXTURE_SETUP(TSYNC) 2203{ 2204 struct sock_filter root_filter[] = { 2205 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2206 }; 2207 struct sock_filter apply_filter[] = { 2208 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 2209 offsetof(struct seccomp_data, nr)), 2210 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), 2211 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 2212 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2213 }; 2214 2215 memset(&self->root_prog, 0, sizeof(self->root_prog)); 2216 memset(&self->apply_prog, 0, sizeof(self->apply_prog)); 2217 memset(&self->sibling, 0, sizeof(self->sibling)); 2218 self->root_prog.filter = malloc(sizeof(root_filter)); 2219 ASSERT_NE(NULL, self->root_prog.filter); 2220 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter)); 2221 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter); 2222 2223 self->apply_prog.filter = malloc(sizeof(apply_filter)); 2224 ASSERT_NE(NULL, self->apply_prog.filter); 2225 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter)); 2226 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter); 2227 2228 self->sibling_count = 0; 2229 pthread_mutex_init(&self->mutex, NULL); 2230 pthread_cond_init(&self->cond, NULL); 2231 sem_init(&self->started, 0, 0); 2232 self->sibling[0].tid = 0; 2233 self->sibling[0].cond = &self->cond; 2234 self->sibling[0].started = &self->started; 2235 self->sibling[0].mutex = &self->mutex; 2236 self->sibling[0].diverge = 0; 2237 self->sibling[0].num_waits = 1; 2238 self->sibling[0].prog = &self->root_prog; 2239 self->sibling[0].metadata = _metadata; 2240 self->sibling[1].tid = 0; 2241 self->sibling[1].cond = &self->cond; 2242 self->sibling[1].started = &self->started; 2243 self->sibling[1].mutex = &self->mutex; 2244 self->sibling[1].diverge = 0; 2245 self->sibling[1].prog = &self->root_prog; 2246 self->sibling[1].num_waits = 1; 2247 self->sibling[1].metadata = _metadata; 2248} 2249 2250FIXTURE_TEARDOWN(TSYNC) 2251{ 2252 int sib = 0; 2253 2254 if (self->root_prog.filter) 2255 free(self->root_prog.filter); 2256 if (self->apply_prog.filter) 2257 free(self->apply_prog.filter); 2258 2259 for ( ; sib < self->sibling_count; ++sib) { 2260 struct tsync_sibling *s = &self->sibling[sib]; 2261 2262 if (!s->tid) 2263 continue; 2264 /* 2265 * If a thread is still running, it may be stuck, so hit 2266 * it over the head really hard. 2267 */ 2268 pthread_kill(s->tid, 9); 2269 } 2270 pthread_mutex_destroy(&self->mutex); 2271 pthread_cond_destroy(&self->cond); 2272 sem_destroy(&self->started); 2273} 2274 2275void *tsync_sibling(void *data) 2276{ 2277 long ret = 0; 2278 struct tsync_sibling *me = data; 2279 2280 me->system_tid = syscall(__NR_gettid); 2281 2282 pthread_mutex_lock(me->mutex); 2283 if (me->diverge) { 2284 /* Just re-apply the root prog to fork the tree */ 2285 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 2286 me->prog, 0, 0); 2287 } 2288 sem_post(me->started); 2289 /* Return outside of started so parent notices failures. */ 2290 if (ret) { 2291 pthread_mutex_unlock(me->mutex); 2292 return (void *)SIBLING_EXIT_FAILURE; 2293 } 2294 do { 2295 pthread_cond_wait(me->cond, me->mutex); 2296 me->num_waits = me->num_waits - 1; 2297 } while (me->num_waits); 2298 pthread_mutex_unlock(me->mutex); 2299 2300 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); 2301 if (!ret) 2302 return (void *)SIBLING_EXIT_NEWPRIVS; 2303 read(0, NULL, 0); 2304 return (void *)SIBLING_EXIT_UNKILLED; 2305} 2306 2307void tsync_start_sibling(struct tsync_sibling *sibling) 2308{ 2309 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling); 2310} 2311 2312TEST_F(TSYNC, siblings_fail_prctl) 2313{ 2314 long ret; 2315 void *status; 2316 struct sock_filter filter[] = { 2317 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 2318 offsetof(struct seccomp_data, nr)), 2319 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1), 2320 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL), 2321 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2322 }; 2323 struct sock_fprog prog = { 2324 .len = (unsigned short)ARRAY_SIZE(filter), 2325 .filter = filter, 2326 }; 2327 2328 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 2329 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2330 } 2331 2332 /* Check prctl failure detection by requesting sib 0 diverge. */ 2333 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); 2334 ASSERT_NE(ENOSYS, errno) { 2335 TH_LOG("Kernel does not support seccomp syscall!"); 2336 } 2337 ASSERT_EQ(0, ret) { 2338 TH_LOG("setting filter failed"); 2339 } 2340 2341 self->sibling[0].diverge = 1; 2342 tsync_start_sibling(&self->sibling[0]); 2343 tsync_start_sibling(&self->sibling[1]); 2344 2345 while (self->sibling_count < TSYNC_SIBLINGS) { 2346 sem_wait(&self->started); 2347 self->sibling_count++; 2348 } 2349 2350 /* Signal the threads to clean up*/ 2351 pthread_mutex_lock(&self->mutex); 2352 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2353 TH_LOG("cond broadcast non-zero"); 2354 } 2355 pthread_mutex_unlock(&self->mutex); 2356 2357 /* Ensure diverging sibling failed to call prctl. */ 2358 PTHREAD_JOIN(self->sibling[0].tid, &status); 2359 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status); 2360 PTHREAD_JOIN(self->sibling[1].tid, &status); 2361 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status); 2362} 2363 2364TEST_F(TSYNC, two_siblings_with_ancestor) 2365{ 2366 long ret; 2367 void *status; 2368 2369 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 2370 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2371 } 2372 2373 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); 2374 ASSERT_NE(ENOSYS, errno) { 2375 TH_LOG("Kernel does not support seccomp syscall!"); 2376 } 2377 ASSERT_EQ(0, ret) { 2378 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!"); 2379 } 2380 tsync_start_sibling(&self->sibling[0]); 2381 tsync_start_sibling(&self->sibling[1]); 2382 2383 while (self->sibling_count < TSYNC_SIBLINGS) { 2384 sem_wait(&self->started); 2385 self->sibling_count++; 2386 } 2387 2388 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2389 &self->apply_prog); 2390 ASSERT_EQ(0, ret) { 2391 TH_LOG("Could install filter on all threads!"); 2392 } 2393 /* Tell the siblings to test the policy */ 2394 pthread_mutex_lock(&self->mutex); 2395 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2396 TH_LOG("cond broadcast non-zero"); 2397 } 2398 pthread_mutex_unlock(&self->mutex); 2399 /* Ensure they are both killed and don't exit cleanly. */ 2400 PTHREAD_JOIN(self->sibling[0].tid, &status); 2401 EXPECT_EQ(0x0, (long)status); 2402 PTHREAD_JOIN(self->sibling[1].tid, &status); 2403 EXPECT_EQ(0x0, (long)status); 2404} 2405 2406TEST_F(TSYNC, two_sibling_want_nnp) 2407{ 2408 void *status; 2409 2410 /* start siblings before any prctl() operations */ 2411 tsync_start_sibling(&self->sibling[0]); 2412 tsync_start_sibling(&self->sibling[1]); 2413 while (self->sibling_count < TSYNC_SIBLINGS) { 2414 sem_wait(&self->started); 2415 self->sibling_count++; 2416 } 2417 2418 /* Tell the siblings to test no policy */ 2419 pthread_mutex_lock(&self->mutex); 2420 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2421 TH_LOG("cond broadcast non-zero"); 2422 } 2423 pthread_mutex_unlock(&self->mutex); 2424 2425 /* Ensure they are both upset about lacking nnp. */ 2426 PTHREAD_JOIN(self->sibling[0].tid, &status); 2427 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status); 2428 PTHREAD_JOIN(self->sibling[1].tid, &status); 2429 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status); 2430} 2431 2432TEST_F(TSYNC, two_siblings_with_no_filter) 2433{ 2434 long ret; 2435 void *status; 2436 2437 /* start siblings before any prctl() operations */ 2438 tsync_start_sibling(&self->sibling[0]); 2439 tsync_start_sibling(&self->sibling[1]); 2440 while (self->sibling_count < TSYNC_SIBLINGS) { 2441 sem_wait(&self->started); 2442 self->sibling_count++; 2443 } 2444 2445 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 2446 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2447 } 2448 2449 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2450 &self->apply_prog); 2451 ASSERT_NE(ENOSYS, errno) { 2452 TH_LOG("Kernel does not support seccomp syscall!"); 2453 } 2454 ASSERT_EQ(0, ret) { 2455 TH_LOG("Could install filter on all threads!"); 2456 } 2457 2458 /* Tell the siblings to test the policy */ 2459 pthread_mutex_lock(&self->mutex); 2460 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2461 TH_LOG("cond broadcast non-zero"); 2462 } 2463 pthread_mutex_unlock(&self->mutex); 2464 2465 /* Ensure they are both killed and don't exit cleanly. */ 2466 PTHREAD_JOIN(self->sibling[0].tid, &status); 2467 EXPECT_EQ(0x0, (long)status); 2468 PTHREAD_JOIN(self->sibling[1].tid, &status); 2469 EXPECT_EQ(0x0, (long)status); 2470} 2471 2472TEST_F(TSYNC, two_siblings_with_one_divergence) 2473{ 2474 long ret; 2475 void *status; 2476 2477 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 2478 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2479 } 2480 2481 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); 2482 ASSERT_NE(ENOSYS, errno) { 2483 TH_LOG("Kernel does not support seccomp syscall!"); 2484 } 2485 ASSERT_EQ(0, ret) { 2486 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!"); 2487 } 2488 self->sibling[0].diverge = 1; 2489 tsync_start_sibling(&self->sibling[0]); 2490 tsync_start_sibling(&self->sibling[1]); 2491 2492 while (self->sibling_count < TSYNC_SIBLINGS) { 2493 sem_wait(&self->started); 2494 self->sibling_count++; 2495 } 2496 2497 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2498 &self->apply_prog); 2499 ASSERT_EQ(self->sibling[0].system_tid, ret) { 2500 TH_LOG("Did not fail on diverged sibling."); 2501 } 2502 2503 /* Wake the threads */ 2504 pthread_mutex_lock(&self->mutex); 2505 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2506 TH_LOG("cond broadcast non-zero"); 2507 } 2508 pthread_mutex_unlock(&self->mutex); 2509 2510 /* Ensure they are both unkilled. */ 2511 PTHREAD_JOIN(self->sibling[0].tid, &status); 2512 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status); 2513 PTHREAD_JOIN(self->sibling[1].tid, &status); 2514 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status); 2515} 2516 2517TEST_F(TSYNC, two_siblings_not_under_filter) 2518{ 2519 long ret, sib; 2520 void *status; 2521 2522 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 2523 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2524 } 2525 2526 /* 2527 * Sibling 0 will have its own seccomp policy 2528 * and Sibling 1 will not be under seccomp at 2529 * all. Sibling 1 will enter seccomp and 0 2530 * will cause failure. 2531 */ 2532 self->sibling[0].diverge = 1; 2533 tsync_start_sibling(&self->sibling[0]); 2534 tsync_start_sibling(&self->sibling[1]); 2535 2536 while (self->sibling_count < TSYNC_SIBLINGS) { 2537 sem_wait(&self->started); 2538 self->sibling_count++; 2539 } 2540 2541 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); 2542 ASSERT_NE(ENOSYS, errno) { 2543 TH_LOG("Kernel does not support seccomp syscall!"); 2544 } 2545 ASSERT_EQ(0, ret) { 2546 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!"); 2547 } 2548 2549 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2550 &self->apply_prog); 2551 ASSERT_EQ(ret, self->sibling[0].system_tid) { 2552 TH_LOG("Did not fail on diverged sibling."); 2553 } 2554 sib = 1; 2555 if (ret == self->sibling[0].system_tid) 2556 sib = 0; 2557 2558 pthread_mutex_lock(&self->mutex); 2559 2560 /* Increment the other siblings num_waits so we can clean up 2561 * the one we just saw. 2562 */ 2563 self->sibling[!sib].num_waits += 1; 2564 2565 /* Signal the thread to clean up*/ 2566 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2567 TH_LOG("cond broadcast non-zero"); 2568 } 2569 pthread_mutex_unlock(&self->mutex); 2570 PTHREAD_JOIN(self->sibling[sib].tid, &status); 2571 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status); 2572 /* Poll for actual task death. pthread_join doesn't guarantee it. */ 2573 while (!kill(self->sibling[sib].system_tid, 0)) 2574 sleep(0.1); 2575 /* Switch to the remaining sibling */ 2576 sib = !sib; 2577 2578 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2579 &self->apply_prog); 2580 ASSERT_EQ(0, ret) { 2581 TH_LOG("Expected the remaining sibling to sync"); 2582 }; 2583 2584 pthread_mutex_lock(&self->mutex); 2585 2586 /* If remaining sibling didn't have a chance to wake up during 2587 * the first broadcast, manually reduce the num_waits now. 2588 */ 2589 if (self->sibling[sib].num_waits > 1) 2590 self->sibling[sib].num_waits = 1; 2591 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { 2592 TH_LOG("cond broadcast non-zero"); 2593 } 2594 pthread_mutex_unlock(&self->mutex); 2595 PTHREAD_JOIN(self->sibling[sib].tid, &status); 2596 EXPECT_EQ(0, (long)status); 2597 /* Poll for actual task death. pthread_join doesn't guarantee it. */ 2598 while (!kill(self->sibling[sib].system_tid, 0)) 2599 sleep(0.1); 2600 2601 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 2602 &self->apply_prog); 2603 ASSERT_EQ(0, ret); /* just us chickens */ 2604} 2605 2606/* Make sure restarted syscalls are seen directly as "restart_syscall". */ 2607TEST(syscall_restart) 2608{ 2609 long ret; 2610 unsigned long msg; 2611 pid_t child_pid; 2612 int pipefd[2]; 2613 int status; 2614 siginfo_t info = { }; 2615 struct sock_filter filter[] = { 2616 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 2617 offsetof(struct seccomp_data, nr)), 2618 2619#ifdef __NR_sigreturn 2620 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 6, 0), 2621#endif 2622 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 5, 0), 2623 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 4, 0), 2624 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 3, 0), 2625 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 4, 0), 2626 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0), 2627 2628 /* Allow __NR_write for easy logging. */ 2629 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1), 2630 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2631 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 2632 /* The nanosleep jump target. */ 2633 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100), 2634 /* The restart_syscall jump target. */ 2635 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200), 2636 }; 2637 struct sock_fprog prog = { 2638 .len = (unsigned short)ARRAY_SIZE(filter), 2639 .filter = filter, 2640 }; 2641#if defined(__arm__) 2642 struct utsname utsbuf; 2643 int arm_version; 2644#endif 2645 2646 ASSERT_EQ(0, pipe(pipefd)); 2647 2648 child_pid = fork(); 2649 ASSERT_LE(0, child_pid); 2650 if (child_pid == 0) { 2651 /* Child uses EXPECT not ASSERT to deliver status correctly. */ 2652 char buf = ' '; 2653 struct timespec timeout = { }; 2654 2655 /* Attach parent as tracer and stop. */ 2656 EXPECT_EQ(0, ptrace(PTRACE_TRACEME)); 2657 EXPECT_EQ(0, raise(SIGSTOP)); 2658 2659 EXPECT_EQ(0, close(pipefd[1])); 2660 2661 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 2662 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); 2663 } 2664 2665 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0); 2666 EXPECT_EQ(0, ret) { 2667 TH_LOG("Failed to install filter!"); 2668 } 2669 2670 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) { 2671 TH_LOG("Failed to read() sync from parent"); 2672 } 2673 EXPECT_EQ('.', buf) { 2674 TH_LOG("Failed to get sync data from read()"); 2675 } 2676 2677 /* Start nanosleep to be interrupted. */ 2678 timeout.tv_sec = 1; 2679 errno = 0; 2680 EXPECT_EQ(0, nanosleep(&timeout, NULL)) { 2681 TH_LOG("Call to nanosleep() failed (errno %d)", errno); 2682 } 2683 2684 /* Read final sync from parent. */ 2685 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) { 2686 TH_LOG("Failed final read() from parent"); 2687 } 2688 EXPECT_EQ('!', buf) { 2689 TH_LOG("Failed to get final data from read()"); 2690 } 2691 2692 /* Directly report the status of our test harness results. */ 2693 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS 2694 : EXIT_FAILURE); 2695 } 2696 EXPECT_EQ(0, close(pipefd[0])); 2697 2698 /* Attach to child, setup options, and release. */ 2699 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 2700 ASSERT_EQ(true, WIFSTOPPED(status)); 2701 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL, 2702 PTRACE_O_TRACESECCOMP)); 2703 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0)); 2704 ASSERT_EQ(1, write(pipefd[1], ".", 1)); 2705 2706 /* Wait for nanosleep() to start. */ 2707 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 2708 ASSERT_EQ(true, WIFSTOPPED(status)); 2709 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)); 2710 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16)); 2711 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg)); 2712 ASSERT_EQ(0x100, msg); 2713 EXPECT_EQ(__NR_nanosleep, get_syscall(_metadata, child_pid)); 2714 2715 /* Might as well check siginfo for sanity while we're here. */ 2716 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info)); 2717 ASSERT_EQ(SIGTRAP, info.si_signo); 2718 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code); 2719 EXPECT_EQ(0, info.si_errno); 2720 EXPECT_EQ(getuid(), info.si_uid); 2721 /* Verify signal delivery came from child (seccomp-triggered). */ 2722 EXPECT_EQ(child_pid, info.si_pid); 2723 2724 /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */ 2725 ASSERT_EQ(0, kill(child_pid, SIGSTOP)); 2726 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0)); 2727 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 2728 ASSERT_EQ(true, WIFSTOPPED(status)); 2729 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)); 2730 /* Verify signal delivery came from parent now. */ 2731 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info)); 2732 EXPECT_EQ(getpid(), info.si_pid); 2733 2734 /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */ 2735 ASSERT_EQ(0, kill(child_pid, SIGCONT)); 2736 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0)); 2737 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 2738 ASSERT_EQ(true, WIFSTOPPED(status)); 2739 ASSERT_EQ(SIGCONT, WSTOPSIG(status)); 2740 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0)); 2741 2742 /* Wait for restart_syscall() to start. */ 2743 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 2744 ASSERT_EQ(true, WIFSTOPPED(status)); 2745 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)); 2746 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16)); 2747 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg)); 2748 2749 ASSERT_EQ(0x200, msg); 2750 ret = get_syscall(_metadata, child_pid); 2751#if defined(__arm__) 2752 /* 2753 * - native ARM registers do NOT expose true syscall. 2754 * - compat ARM registers on ARM64 DO expose true syscall. 2755 */ 2756 ASSERT_EQ(0, uname(&utsbuf)); 2757 if (sscanf(utsbuf.machine, "armv%d", &arm_version) == 1 && 2758 arm_version < 8) { 2759 EXPECT_EQ(__NR_nanosleep, ret); 2760 } else 2761#endif 2762 { 2763 EXPECT_EQ(__NR_restart_syscall, ret); 2764 } 2765 2766 /* Write again to end test. */ 2767 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0)); 2768 ASSERT_EQ(1, write(pipefd[1], "!", 1)); 2769 EXPECT_EQ(0, close(pipefd[1])); 2770 2771 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0)); 2772 if (WIFSIGNALED(status) || WEXITSTATUS(status)) 2773 _metadata->passed = 0; 2774} 2775 2776#if 0 2777TEST_SIGNAL(filter_flag_log, SIGSYS) 2778{ 2779 struct sock_filter allow_filter[] = { 2780 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2781 }; 2782 struct sock_filter kill_filter[] = { 2783 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 2784 offsetof(struct seccomp_data, nr)), 2785 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1), 2786 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL), 2787 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), 2788 }; 2789 struct sock_fprog allow_prog = { 2790 .len = (unsigned short)ARRAY_SIZE(allow_filter), 2791 .filter = allow_filter, 2792 }; 2793 struct sock_fprog kill_prog = { 2794 .len = (unsigned short)ARRAY_SIZE(kill_filter), 2795 .filter = kill_filter, 2796 }; 2797 long ret; 2798 pid_t parent = getppid(); 2799 2800 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); 2801 ASSERT_EQ(0, ret); 2802 2803 /* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */ 2804 ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG, 2805 &allow_prog); 2806 ASSERT_NE(ENOSYS, errno) { 2807 TH_LOG("Kernel does not support seccomp syscall!"); 2808 } 2809 EXPECT_NE(0, ret) { 2810 TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!"); 2811 } 2812 EXPECT_EQ(EINVAL, errno) { 2813 TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!"); 2814 } 2815 2816 /* Verify that a simple, permissive filter can be added with no flags */ 2817 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog); 2818 EXPECT_EQ(0, ret); 2819 2820 /* See if the same filter can be added with the FILTER_FLAG_LOG flag */ 2821 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, 2822 &allow_prog); 2823 ASSERT_NE(EINVAL, errno) { 2824 TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!"); 2825 } 2826 EXPECT_EQ(0, ret); 2827 2828 /* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */ 2829 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, 2830 &kill_prog); 2831 EXPECT_EQ(0, ret); 2832 2833 EXPECT_EQ(parent, syscall(__NR_getppid)); 2834 /* getpid() should never return. */ 2835 EXPECT_EQ(0, syscall(__NR_getpid)); 2836} 2837 2838TEST(get_action_avail) 2839{ 2840 __u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP, 2841 SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE, 2842 SECCOMP_RET_LOG, SECCOMP_RET_ALLOW }; 2843 __u32 unknown_action = 0x10000000U; 2844 int i; 2845 long ret; 2846 2847 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]); 2848 ASSERT_NE(ENOSYS, errno) { 2849 TH_LOG("Kernel does not support seccomp syscall!"); 2850 } 2851 ASSERT_NE(EINVAL, errno) { 2852 TH_LOG("Kernel does not support SECCOMP_GET_ACTION_AVAIL operation!"); 2853 } 2854 EXPECT_EQ(ret, 0); 2855 2856 for (i = 0; i < ARRAY_SIZE(actions); i++) { 2857 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]); 2858 EXPECT_EQ(ret, 0) { 2859 TH_LOG("Expected action (0x%X) not available!", 2860 actions[i]); 2861 } 2862 } 2863 2864 /* Check that an unknown action is handled properly (EOPNOTSUPP) */ 2865 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action); 2866 EXPECT_EQ(ret, -1); 2867 EXPECT_EQ(errno, EOPNOTSUPP); 2868} 2869#endif 2870 2871/* 2872 * TODO: 2873 * - add microbenchmarks 2874 * - expand NNP testing 2875 * - better arch-specific TRACE and TRAP handlers. 2876 * - endianness checking when appropriate 2877 * - 64-bit arg prodding 2878 * - arch value testing (x86 modes especially) 2879 * - verify that FILTER_FLAG_LOG filters generate log messages 2880 * - verify that RET_LOG generates log messages 2881 * - ... 2882 */ 2883 2884TEST_HARNESS_MAIN 2885