1 /* seccomp_bpf_tests.c
2 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
3 * Use of this source code is governed by a BSD-style license that can be
4 * found in the LICENSE file.
5 *
6 * Test code for seccomp bpf.
7 */
8
9 #include <asm/siginfo.h>
10 #define __have_siginfo_t 1
11 #define __have_sigval_t 1
12 #define __have_sigevent_t 1
13
14 #include <errno.h>
15 #include <linux/filter.h>
16 #include <sys/prctl.h>
17 #include <sys/ptrace.h>
18 #include <sys/user.h>
19 #include <linux/prctl.h>
20 #include <linux/ptrace.h>
21 #include <linux/seccomp.h>
22 #include <poll.h>
23 #include <pthread.h>
24 #include <semaphore.h>
25 #include <signal.h>
26 #include <stddef.h>
27 #include <stdbool.h>
28 #include <string.h>
29 #include <linux/elf.h>
30 #include <sys/uio.h>
31
32 #define _GNU_SOURCE
33 #include <unistd.h>
34 #include <sys/syscall.h>
35
36 #include "test_harness.h"
37
38 #ifndef PR_SET_PTRACER
39 # define PR_SET_PTRACER 0x59616d61
40 #endif
41
42 #ifndef PR_SET_NO_NEW_PRIVS
43 #define PR_SET_NO_NEW_PRIVS 38
44 #define PR_GET_NO_NEW_PRIVS 39
45 #endif
46
47 #ifndef PR_SECCOMP_EXT
48 #define PR_SECCOMP_EXT 43
49 #endif
50
51 #ifndef SECCOMP_EXT_ACT
52 #define SECCOMP_EXT_ACT 1
53 #endif
54
55 #ifndef SECCOMP_EXT_ACT_TSYNC
56 #define SECCOMP_EXT_ACT_TSYNC 1
57 #endif
58
59 #ifndef SECCOMP_MODE_STRICT
60 #define SECCOMP_MODE_STRICT 1
61 #endif
62
63 #ifndef SECCOMP_MODE_FILTER
64 #define SECCOMP_MODE_FILTER 2
65 #endif
66
67 #ifndef SECCOMP_RET_KILL
68 #define SECCOMP_RET_KILL 0x00000000U // kill the task immediately
69 #define SECCOMP_RET_TRAP 0x00030000U // disallow and force a SIGSYS
70 #define SECCOMP_RET_ERRNO 0x00050000U // returns an errno
71 #define SECCOMP_RET_TRACE 0x7ff00000U // pass to a tracer or disallow
72 #define SECCOMP_RET_ALLOW 0x7fff0000U // allow
73
74 /* Masks for the return value sections. */
75 #define SECCOMP_RET_ACTION 0x7fff0000U
76 #define SECCOMP_RET_DATA 0x0000ffffU
77
78 struct seccomp_data {
79 int nr;
80 __u32 arch;
81 __u64 instruction_pointer;
82 __u64 args[6];
83 };
84 #endif
85
86 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
87
88 #define SIBLING_EXIT_UNKILLED 0xbadbeef
89 #define SIBLING_EXIT_FAILURE 0xbadface
90 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
91
TEST(mode_strict_support)92 TEST(mode_strict_support) {
93 long ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
94 ASSERT_EQ(0, ret) {
95 TH_LOG("Kernel does not support CONFIG_SECCOMP");
96 }
97 syscall(__NR_exit, 1);
98 }
99
TEST_SIGNAL(mode_strict_cannot_call_prctl,SIGKILL)100 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL) {
101 long ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
102 ASSERT_EQ(0, ret) {
103 TH_LOG("Kernel does not support CONFIG_SECCOMP");
104 }
105 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
106 EXPECT_FALSE(true) {
107 TH_LOG("Unreachable!");
108 }
109 }
110
111 /* Note! This doesn't test no new privs behavior */
TEST(no_new_privs_support)112 TEST(no_new_privs_support) {
113 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
114 EXPECT_EQ(0, ret) {
115 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
116 }
117 }
118
119 /* Tests kernel support by checking for a copy_from_user() fault on * NULL. */
TEST(mode_filter_support)120 TEST(mode_filter_support) {
121 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
122 ASSERT_EQ(0, ret) {
123 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
124 }
125 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
126 EXPECT_EQ(-1, ret);
127 EXPECT_EQ(EFAULT, errno) {
128 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
129 }
130 }
131
TEST(mode_filter_without_nnp)132 TEST(mode_filter_without_nnp) {
133 struct sock_filter filter[] = {
134 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
135 };
136 struct sock_fprog prog = {
137 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
138 .filter = filter,
139 };
140 long ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
141 ASSERT_LE(0, ret) {
142 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
143 }
144 errno = 0;
145 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
146 /* Succeeds with CAP_SYS_ADMIN, fails without */
147 /* TODO(wad) check caps not euid */
148 if (geteuid()) {
149 EXPECT_EQ(-1, ret);
150 EXPECT_EQ(EACCES, errno);
151 } else {
152 EXPECT_EQ(0, ret);
153 }
154 }
155
156 #define MAX_INSNS_PER_PATH 32768
157
TEST(filter_size_limits)158 TEST(filter_size_limits) {
159 int i;
160 int count = BPF_MAXINSNS + 1;
161 struct sock_filter allow[] = {
162 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
163 };
164 struct sock_filter *filter;
165 struct sock_fprog prog = { };
166
167 filter = calloc(count, sizeof(*filter));
168 ASSERT_NE(NULL, filter);
169
170 for (i = 0; i < count; i++) {
171 filter[i] = allow[0];
172 }
173
174 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
175 ASSERT_EQ(0, ret);
176
177 prog.filter = filter;
178 prog.len = count;
179
180 /* Too many filter instructions in a single filter. */
181 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
182 ASSERT_NE(0, ret) {
183 TH_LOG("Installing %d insn filter was allowed", prog.len);
184 }
185
186 /* One less is okay, though. */
187 prog.len -= 1;
188 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
189 ASSERT_EQ(0, ret) {
190 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
191 }
192 }
193
TEST(filter_chain_limits)194 TEST(filter_chain_limits) {
195 int i;
196 int count = BPF_MAXINSNS;
197 struct sock_filter allow[] = {
198 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
199 };
200 struct sock_filter *filter;
201 struct sock_fprog prog = { };
202
203 filter = calloc(count, sizeof(*filter));
204 ASSERT_NE(NULL, filter);
205
206 for (i = 0; i < count; i++) {
207 filter[i] = allow[0];
208 }
209
210 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
211 ASSERT_EQ(0, ret);
212
213 prog.filter = filter;
214 prog.len = 1;
215
216 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
217 ASSERT_EQ(0, ret);
218
219 prog.len = count;
220
221 /* Too many total filter instructions. */
222 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
223 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
224 if (ret != 0)
225 break;
226 }
227 ASSERT_NE(0, ret) {
228 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
229 i, count, i * (count + 4));
230 }
231 }
232
TEST(mode_filter_cannot_move_to_strict)233 TEST(mode_filter_cannot_move_to_strict) {
234 struct sock_filter filter[] = {
235 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
236 };
237 struct sock_fprog prog = {
238 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
239 .filter = filter,
240 };
241
242 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
243 ASSERT_EQ(0, ret);
244
245 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
246 ASSERT_EQ(0, ret);
247
248 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
249 EXPECT_EQ(-1, ret);
250 EXPECT_EQ(EINVAL, errno);
251 }
252
253
TEST(mode_filter_get_seccomp)254 TEST(mode_filter_get_seccomp) {
255 struct sock_filter filter[] = {
256 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
257 };
258 struct sock_fprog prog = {
259 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
260 .filter = filter,
261 };
262
263 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
264 ASSERT_EQ(0, ret);
265
266 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
267 EXPECT_EQ(0, ret);
268
269 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
270 ASSERT_EQ(0, ret);
271
272 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
273 EXPECT_EQ(2, ret);
274 }
275
276
TEST(ALLOW_all)277 TEST(ALLOW_all) {
278 struct sock_filter filter[] = {
279 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
280 };
281 struct sock_fprog prog = {
282 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
283 .filter = filter,
284 };
285
286 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
287 ASSERT_EQ(0, ret);
288
289 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
290 ASSERT_EQ(0, ret);
291 }
292
TEST(empty_prog)293 TEST(empty_prog) {
294 struct sock_filter filter[] = {
295 };
296 struct sock_fprog prog = {
297 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
298 .filter = filter,
299 };
300
301 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
302 ASSERT_EQ(0, ret);
303
304 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
305 EXPECT_EQ(-1, ret);
306 EXPECT_EQ(EINVAL, errno);
307 }
308
TEST_SIGNAL(unknown_ret_is_kill_inside,SIGSYS)309 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS) {
310 struct sock_filter filter[] = {
311 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
312 };
313 struct sock_fprog prog = {
314 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
315 .filter = filter,
316 };
317
318 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
319 ASSERT_EQ(0, ret);
320
321 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
322 ASSERT_EQ(0, ret);
323 EXPECT_EQ(0, syscall(__NR_getpid)) {
324 TH_LOG("getpid() shouldn't ever return");
325 }
326 }
327
328 /* return code >= 0x80000000 is unused. */
TEST_SIGNAL(unknown_ret_is_kill_above_allow,SIGSYS)329 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS) {
330 struct sock_filter filter[] = {
331 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
332 };
333 struct sock_fprog prog = {
334 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
335 .filter = filter,
336 };
337
338 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
339 ASSERT_EQ(0, ret);
340
341 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
342 ASSERT_EQ(0, ret);
343 EXPECT_EQ(0, syscall(__NR_getpid)) {
344 TH_LOG("getpid() shouldn't ever return");
345 }
346 }
347
TEST_SIGNAL(KILL_all,SIGSYS)348 TEST_SIGNAL(KILL_all, SIGSYS) {
349 struct sock_filter filter[] = {
350 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
351 };
352 struct sock_fprog prog = {
353 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
354 .filter = filter,
355 };
356
357 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
358 ASSERT_EQ(0, ret);
359
360 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
361 ASSERT_EQ(0, ret);
362 }
363
TEST_SIGNAL(KILL_one,SIGSYS)364 TEST_SIGNAL(KILL_one, SIGSYS) {
365 struct sock_filter filter[] = {
366 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
367 offsetof(struct seccomp_data, nr)),
368 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
369 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
370 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
371 };
372 struct sock_fprog prog = {
373 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
374 .filter = filter,
375 };
376 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
377 pid_t parent = getppid();
378 ASSERT_EQ(0, ret);
379
380 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
381 ASSERT_EQ(0, ret);
382
383 EXPECT_EQ(parent, syscall(__NR_getppid));
384 /* getpid() should never return. */
385 EXPECT_EQ(0, syscall(__NR_getpid));
386 }
387
TEST_SIGNAL(KILL_one_arg_one,SIGSYS)388 TEST_SIGNAL(KILL_one_arg_one, SIGSYS) {
389 struct sock_filter filter[] = {
390 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
391 offsetof(struct seccomp_data, nr)),
392 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
393 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
394 /* Only both with lower 32-bit for now. */
395 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
396 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
397 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
398 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
399 };
400 struct sock_fprog prog = {
401 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
402 .filter = filter,
403 };
404 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
405 pid_t parent = getppid();
406 pid_t pid = getpid();
407 ASSERT_EQ(0, ret);
408
409 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
410 ASSERT_EQ(0, ret);
411
412 EXPECT_EQ(parent, syscall(__NR_getppid));
413 EXPECT_EQ(pid, syscall(__NR_getpid));
414 /* getpid() should never return. */
415 EXPECT_EQ(0, syscall(__NR_getpid, 0x0C0FFEE));
416 }
417
TEST_SIGNAL(KILL_one_arg_six,SIGSYS)418 TEST_SIGNAL(KILL_one_arg_six, SIGSYS) {
419 struct sock_filter filter[] = {
420 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
421 offsetof(struct seccomp_data, nr)),
422 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
423 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
424 /* Only both with lower 32-bit for now. */
425 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
426 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
427 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
428 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
429 };
430 struct sock_fprog prog = {
431 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
432 .filter = filter,
433 };
434 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
435 pid_t parent = getppid();
436 pid_t pid = getpid();
437 ASSERT_EQ(0, ret);
438
439 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
440 ASSERT_EQ(0, ret);
441
442 EXPECT_EQ(parent, syscall(__NR_getppid));
443 EXPECT_EQ(pid, syscall(__NR_getpid));
444 /* getpid() should never return. */
445 EXPECT_EQ(0, syscall(__NR_getpid, 1, 2, 3, 4, 5, 0x0C0FFEE));
446 }
447
448 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
449
TEST(arg_out_of_range)450 TEST(arg_out_of_range) {
451 struct sock_filter filter[] = {
452 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
453 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
454 };
455 struct sock_fprog prog = {
456 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
457 .filter = filter,
458 };
459 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
460 ASSERT_EQ(0, ret);
461
462 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
463 EXPECT_EQ(-1, ret);
464 EXPECT_EQ(EINVAL, errno);
465 }
466
TEST(ERRNO_one)467 TEST(ERRNO_one) {
468 struct sock_filter filter[] = {
469 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
470 offsetof(struct seccomp_data, nr)),
471 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
472 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | E2BIG),
473 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
474 };
475 struct sock_fprog prog = {
476 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
477 .filter = filter,
478 };
479 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
480 pid_t parent = getppid();
481 ASSERT_EQ(0, ret);
482
483 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
484 ASSERT_EQ(0, ret);
485
486 EXPECT_EQ(parent, syscall(__NR_getppid));
487 EXPECT_EQ(-1, read(0, NULL, 0));
488 EXPECT_EQ(E2BIG, errno);
489 }
490
TEST(ERRNO_one_ok)491 TEST(ERRNO_one_ok) {
492 struct sock_filter filter[] = {
493 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
494 offsetof(struct seccomp_data, nr)),
495 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
496 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 0),
497 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
498 };
499 struct sock_fprog prog = {
500 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
501 .filter = filter,
502 };
503 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
504 pid_t parent = getppid();
505 ASSERT_EQ(0, ret);
506
507 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
508 ASSERT_EQ(0, ret);
509
510 EXPECT_EQ(parent, syscall(__NR_getppid));
511 /* "errno" of 0 is ok. */
512 EXPECT_EQ(0, read(0, NULL, 0));
513 }
514
FIXTURE_DATA(TRAP)515 FIXTURE_DATA(TRAP) {
516 struct sock_fprog prog;
517 };
518
FIXTURE_SETUP(TRAP)519 FIXTURE_SETUP(TRAP) {
520 struct sock_filter filter[] = {
521 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
522 offsetof(struct seccomp_data, nr)),
523 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
524 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
525 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
526 };
527 memset(&self->prog, 0, sizeof(self->prog));
528 self->prog.filter = malloc(sizeof(filter));
529 ASSERT_NE(NULL, self->prog.filter);
530 memcpy(self->prog.filter, filter, sizeof(filter));
531 self->prog.len = (unsigned short)(sizeof(filter)/sizeof(filter[0]));
532 }
533
FIXTURE_TEARDOWN(TRAP)534 FIXTURE_TEARDOWN(TRAP) {
535 if (self->prog.filter)
536 free(self->prog.filter);
537 };
538
TEST_F_SIGNAL(TRAP,dfl,SIGSYS)539 TEST_F_SIGNAL(TRAP, dfl, SIGSYS) {
540 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
541 ASSERT_EQ(0, ret);
542
543 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
544 ASSERT_EQ(0, ret);
545 syscall(__NR_getpid);
546 }
547
548 /* Ensure that SIGSYS overrides SIG_IGN */
TEST_F_SIGNAL(TRAP,ign,SIGSYS)549 TEST_F_SIGNAL(TRAP, ign, SIGSYS) {
550 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
551 ASSERT_EQ(0, ret);
552
553 signal(SIGSYS, SIG_IGN);
554
555 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
556 ASSERT_EQ(0, ret);
557 syscall(__NR_getpid);
558 }
559
560 static struct siginfo TRAP_info;
561 static volatile int TRAP_nr;
TRAP_action(int nr,siginfo_t * info,void * void_context)562 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
563 {
564 memcpy(&TRAP_info, info, sizeof(TRAP_info));
565 TRAP_nr = nr;
566 return;
567 }
568
TEST_F(TRAP,handler)569 TEST_F(TRAP, handler) {
570 int ret, test;
571 struct sigaction act;
572 sigset_t mask;
573 memset(&act, 0, sizeof(act));
574 sigemptyset(&mask);
575 sigaddset(&mask, SIGSYS);
576
577 act.sa_sigaction = &TRAP_action;
578 act.sa_flags = SA_SIGINFO;
579 ret = sigaction(SIGSYS, &act, NULL);
580 ASSERT_EQ(0, ret) {
581 TH_LOG("sigaction failed");
582 }
583 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
584 ASSERT_EQ(0, ret) {
585 TH_LOG("sigprocmask failed");
586 }
587
588 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
589 ASSERT_EQ(0, ret);
590 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
591 ASSERT_EQ(0, ret);
592 TRAP_nr = 0;
593 memset(&TRAP_info, 0, sizeof(TRAP_info));
594 /* Expect the registers to be rolled back. (nr = error) may vary
595 * based on arch. */
596 ret = syscall(__NR_getpid);
597 /* Silence gcc warning about volatile. */
598 test = TRAP_nr;
599 EXPECT_EQ(SIGSYS, test);
600 struct local_sigsys {
601 void *_call_addr; /* calling user insn */
602 int _syscall; /* triggering system call number */
603 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
604 } *sigsys = (struct local_sigsys *)
605 #ifdef si_syscall
606 &(TRAP_info.si_call_addr);
607 #else
608 &TRAP_info.si_pid;
609 #endif
610 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
611 /* Make sure arch is non-zero. */
612 EXPECT_NE(0, sigsys->_arch);
613 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
614 }
615
FIXTURE_DATA(precedence)616 FIXTURE_DATA(precedence) {
617 struct sock_fprog allow;
618 struct sock_fprog trace;
619 struct sock_fprog error;
620 struct sock_fprog trap;
621 struct sock_fprog kill;
622 };
623
FIXTURE_SETUP(precedence)624 FIXTURE_SETUP(precedence) {
625 struct sock_filter allow_insns[] = {
626 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
627 };
628 struct sock_filter trace_insns[] = {
629 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
630 offsetof(struct seccomp_data, nr)),
631 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
632 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
633 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
634 };
635 struct sock_filter error_insns[] = {
636 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
637 offsetof(struct seccomp_data, nr)),
638 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
639 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
640 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
641 };
642 struct sock_filter trap_insns[] = {
643 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
644 offsetof(struct seccomp_data, nr)),
645 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
646 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
647 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
648 };
649 struct sock_filter kill_insns[] = {
650 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
651 offsetof(struct seccomp_data, nr)),
652 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
653 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
654 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
655 };
656 memset(self, 0, sizeof(*self));
657 #define FILTER_ALLOC(_x) \
658 self->_x.filter = malloc(sizeof(_x##_insns)); \
659 ASSERT_NE(NULL, self->_x.filter); \
660 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
661 self->_x.len = (unsigned short)(sizeof(_x##_insns)/sizeof(_x##_insns[0]))
662 FILTER_ALLOC(allow);
663 FILTER_ALLOC(trace);
664 FILTER_ALLOC(error);
665 FILTER_ALLOC(trap);
666 FILTER_ALLOC(kill);
667 }
668
FIXTURE_TEARDOWN(precedence)669 FIXTURE_TEARDOWN(precedence) {
670 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
671 FILTER_FREE(allow);
672 FILTER_FREE(trace);
673 FILTER_FREE(error);
674 FILTER_FREE(trap);
675 FILTER_FREE(kill);
676 }
677
TEST_F(precedence,allow_ok)678 TEST_F(precedence, allow_ok) {
679 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
680 pid_t parent = getppid();
681 pid_t res = 0;
682 ASSERT_EQ(0, ret);
683
684 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
685 ASSERT_EQ(0, ret);
686 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
687 ASSERT_EQ(0, ret);
688 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
689 ASSERT_EQ(0, ret);
690 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
691 ASSERT_EQ(0, ret);
692 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
693 ASSERT_EQ(0, ret);
694 /* Should work just fine. */
695 res = syscall(__NR_getppid);
696 EXPECT_EQ(parent, res);
697 }
698
TEST_F_SIGNAL(precedence,kill_is_highest,SIGSYS)699 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS) {
700 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
701 pid_t parent = getppid();
702 pid_t res = 0;
703 ASSERT_EQ(0, ret);
704
705 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
706 ASSERT_EQ(0, ret);
707 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
708 ASSERT_EQ(0, ret);
709 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
710 ASSERT_EQ(0, ret);
711 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
712 ASSERT_EQ(0, ret);
713 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
714 ASSERT_EQ(0, ret);
715 /* Should work just fine. */
716 res = syscall(__NR_getppid);
717 EXPECT_EQ(parent, res);
718 /* getpid() should never return. */
719 res = syscall(__NR_getpid);
720 EXPECT_EQ(0, res);
721 }
722
TEST_F_SIGNAL(precedence,kill_is_highest_in_any_order,SIGSYS)723 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS) {
724 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
725 pid_t parent = getppid();
726 ASSERT_EQ(0, ret);
727
728 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
729 ASSERT_EQ(0, ret);
730 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
731 ASSERT_EQ(0, ret);
732 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
733 ASSERT_EQ(0, ret);
734 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
735 ASSERT_EQ(0, ret);
736 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
737 ASSERT_EQ(0, ret);
738 /* Should work just fine. */
739 EXPECT_EQ(parent, syscall(__NR_getppid));
740 /* getpid() should never return. */
741 EXPECT_EQ(0, syscall(__NR_getpid));
742 }
743
TEST_F_SIGNAL(precedence,trap_is_second,SIGSYS)744 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS) {
745 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
746 pid_t parent = getppid();
747 ASSERT_EQ(0, ret);
748
749 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
750 ASSERT_EQ(0, ret);
751 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
752 ASSERT_EQ(0, ret);
753 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
754 ASSERT_EQ(0, ret);
755 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
756 ASSERT_EQ(0, ret);
757 /* Should work just fine. */
758 EXPECT_EQ(parent, syscall(__NR_getppid));
759 /* getpid() should never return. */
760 EXPECT_EQ(0, syscall(__NR_getpid));
761 }
762
TEST_F_SIGNAL(precedence,trap_is_second_in_any_order,SIGSYS)763 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS) {
764 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
765 pid_t parent = getppid();
766 ASSERT_EQ(0, ret);
767
768 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
769 ASSERT_EQ(0, ret);
770 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
771 ASSERT_EQ(0, ret);
772 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
773 ASSERT_EQ(0, ret);
774 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
775 ASSERT_EQ(0, ret);
776 /* Should work just fine. */
777 EXPECT_EQ(parent, syscall(__NR_getppid));
778 /* getpid() should never return. */
779 EXPECT_EQ(0, syscall(__NR_getpid));
780 }
781
TEST_F(precedence,errno_is_third)782 TEST_F(precedence, errno_is_third) {
783 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
784 pid_t parent = getppid();
785 ASSERT_EQ(0, ret);
786
787 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
788 ASSERT_EQ(0, ret);
789 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
790 ASSERT_EQ(0, ret);
791 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
792 ASSERT_EQ(0, ret);
793 /* Should work just fine. */
794 EXPECT_EQ(parent, syscall(__NR_getppid));
795 EXPECT_EQ(0, syscall(__NR_getpid));
796 }
797
TEST_F(precedence,errno_is_third_in_any_order)798 TEST_F(precedence, errno_is_third_in_any_order) {
799 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
800 pid_t parent = getppid();
801 ASSERT_EQ(0, ret);
802
803 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
804 ASSERT_EQ(0, ret);
805 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
806 ASSERT_EQ(0, ret);
807 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
808 ASSERT_EQ(0, ret);
809 /* Should work just fine. */
810 EXPECT_EQ(parent, syscall(__NR_getppid));
811 EXPECT_EQ(0, syscall(__NR_getpid));
812 }
813
TEST_F(precedence,trace_is_fourth)814 TEST_F(precedence, trace_is_fourth) {
815 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
816 pid_t parent = getppid();
817 ASSERT_EQ(0, ret);
818
819 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
820 ASSERT_EQ(0, ret);
821 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
822 ASSERT_EQ(0, ret);
823 /* Should work just fine. */
824 EXPECT_EQ(parent, syscall(__NR_getppid));
825 /* No ptracer */
826 EXPECT_EQ(-1, syscall(__NR_getpid));
827 }
828
TEST_F(precedence,trace_is_fourth_in_any_order)829 TEST_F(precedence, trace_is_fourth_in_any_order) {
830 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
831 pid_t parent = getppid();
832 ASSERT_EQ(0, ret);
833
834 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
835 ASSERT_EQ(0, ret);
836 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
837 ASSERT_EQ(0, ret);
838 /* Should work just fine. */
839 EXPECT_EQ(parent, syscall(__NR_getppid));
840 /* No ptracer */
841 EXPECT_EQ(-1, syscall(__NR_getpid));
842 }
843
844 #ifndef PTRACE_O_TRACESECCOMP
845 #define PTRACE_O_TRACESECCOMP 0x00000080
846 #endif
847
848 /* Catch the Ubuntu 12.04 value error. */
849 #if PTRACE_EVENT_SECCOMP != 7
850 #undef PTRACE_EVENT_SECCOMP
851 #endif
852
853 #ifndef PTRACE_EVENT_SECCOMP
854 #define PTRACE_EVENT_SECCOMP 7
855 #endif
856
857 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
858 bool tracer_running;
tracer_stop(int sig)859 void tracer_stop(int sig)
860 {
861 tracer_running = false;
862 }
863
864 typedef void tracer_func_t(struct __test_metadata *_metadata,
865 pid_t tracee, int status, void *args);
866
tracer(struct __test_metadata * _metadata,int fd,pid_t tracee,tracer_func_t tracer_func,void * args)867 void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
868 tracer_func_t tracer_func, void *args) {
869 int ret = -1;
870 struct sigaction action = {
871 .sa_handler = tracer_stop,
872 };
873
874 /* Allow external shutdown. */
875 tracer_running = true;
876 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
877
878 errno = 0;
879 while (ret == -1 && errno != EINVAL) {
880 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
881 }
882 ASSERT_EQ(0, ret) {
883 kill(tracee, SIGKILL);
884 }
885 /* Wait for attach stop */
886 wait(NULL);
887
888 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP);
889 ASSERT_EQ(0, ret) {
890 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
891 kill(tracee, SIGKILL);
892 }
893 ptrace(PTRACE_CONT, tracee, NULL, 0);
894
895 /* Unblock the tracee */
896 ASSERT_EQ(1, write(fd, "A", 1));
897 ASSERT_EQ(0, close(fd));
898
899 /* Run until we're shut down. Must assert to stop execution. */
900 while (tracer_running) {
901 int status;
902 if (wait(&status) != tracee)
903 continue;
904 if (WIFSIGNALED(status) || WIFEXITED(status))
905 /* Child is dead. Time to go. */
906 return;
907
908 /* Make sure this is a seccomp event. */
909 ASSERT_EQ(true, IS_SECCOMP_EVENT(status));
910
911 tracer_func(_metadata, tracee, status, args);
912
913 ret = ptrace(PTRACE_CONT, tracee, NULL, NULL);
914 ASSERT_EQ(0, ret);
915 }
916 /* Directly report the status of our test harness results. */
917 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
918 }
919
920 /* Common tracer setup/teardown functions. */
cont_handler(int num)921 void cont_handler(int num) {
922 }
setup_trace_fixture(struct __test_metadata * _metadata,tracer_func_t func,void * args)923 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
924 tracer_func_t func, void *args) {
925 char sync;
926 int pipefd[2];
927 pid_t tracer_pid;
928 pid_t tracee = getpid();
929
930 /* Setup a pipe for clean synchronization. */
931 ASSERT_EQ(0, pipe(pipefd));
932
933 /* Fork a child which we'll promote to tracer */
934 tracer_pid = fork();
935 ASSERT_LE(0, tracer_pid);
936 signal(SIGALRM, cont_handler);
937 if (tracer_pid == 0) {
938 close(pipefd[0]);
939 tracer(_metadata, pipefd[1], tracee, func, args);
940 syscall(__NR_exit, 0);
941 }
942 close(pipefd[1]);
943 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
944 read(pipefd[0], &sync, 1);
945 close(pipefd[0]);
946
947 return tracer_pid;
948 }
teardown_trace_fixture(struct __test_metadata * _metadata,pid_t tracer)949 void teardown_trace_fixture(struct __test_metadata *_metadata,
950 pid_t tracer) {
951 if (tracer) {
952 int status;
953 /*
954 * Extract the exit code from the other process and
955 * adopt it for ourselves in case its asserts failed.
956 */
957 ASSERT_EQ(0, kill(tracer, SIGUSR1));
958 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
959 if (WEXITSTATUS(status))
960 _metadata->passed = 0;
961 }
962 }
963
964 /* "poke" tracer arguments and function. */
965 struct tracer_args_poke_t {
966 unsigned long poke_addr;
967 };
968
tracer_poke(struct __test_metadata * _metadata,pid_t tracee,int status,void * args)969 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
970 void *args) {
971 int ret;
972 unsigned long msg;
973 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
974
975 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
976 EXPECT_EQ(0, ret);
977 /* If this fails, don't try to recover. */
978 ASSERT_EQ(0x1001, msg) {
979 kill(tracee, SIGKILL);
980 }
981 /*
982 * Poke in the message.
983 * Registers are not touched to try to keep this relatively arch
984 * agnostic.
985 */
986 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
987 EXPECT_EQ(0, ret);
988 }
989
FIXTURE_DATA(TRACE_poke)990 FIXTURE_DATA(TRACE_poke) {
991 struct sock_fprog prog;
992 pid_t tracer;
993 long poked;
994 struct tracer_args_poke_t tracer_args;
995 };
996
FIXTURE_SETUP(TRACE_poke)997 FIXTURE_SETUP(TRACE_poke) {
998 struct sock_filter filter[] = {
999 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1000 offsetof(struct seccomp_data, nr)),
1001 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1002 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1003 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1004 };
1005
1006 self->poked = 0;
1007 memset(&self->prog, 0, sizeof(self->prog));
1008 self->prog.filter = malloc(sizeof(filter));
1009 ASSERT_NE(NULL, self->prog.filter);
1010 memcpy(self->prog.filter, filter, sizeof(filter));
1011 self->prog.len = (unsigned short)(sizeof(filter)/sizeof(filter[0]));
1012
1013 /* Set up tracer args. */
1014 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1015
1016 /* Launch tracer. */
1017 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1018 &self->tracer_args);
1019 }
1020
FIXTURE_TEARDOWN(TRACE_poke)1021 FIXTURE_TEARDOWN(TRACE_poke) {
1022 teardown_trace_fixture(_metadata, self->tracer);
1023 if (self->prog.filter)
1024 free(self->prog.filter);
1025 };
1026
TEST_F(TRACE_poke,read_has_side_effects)1027 TEST_F(TRACE_poke, read_has_side_effects) {
1028 ssize_t ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1029 ASSERT_EQ(0, ret);
1030
1031 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1032 ASSERT_EQ(0, ret);
1033
1034 EXPECT_EQ(0, self->poked);
1035 ret = read(-1, NULL, 0);
1036 EXPECT_EQ(-1, ret);
1037 EXPECT_EQ(0x1001, self->poked);
1038 }
1039
TEST_F(TRACE_poke,getpid_runs_normally)1040 TEST_F(TRACE_poke, getpid_runs_normally) {
1041 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1042 ASSERT_EQ(0, ret);
1043
1044 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1045 ASSERT_EQ(0, ret);
1046
1047 EXPECT_EQ(0, self->poked);
1048 EXPECT_NE(0, syscall(__NR_getpid));
1049 EXPECT_EQ(0, self->poked);
1050 }
1051
1052 #if defined(__x86_64__)
1053 # define ARCH_REGS struct user_regs_struct
1054 # define SYSCALL_NUM orig_rax
1055 # define SYSCALL_RET rax
1056 #elif defined(__i386__)
1057 # define ARCH_REGS struct user_regs_struct
1058 # define SYSCALL_NUM orig_eax
1059 # define SYSCALL_RET eax
1060 #elif defined(__arm__)
1061 # define ARCH_REGS struct pt_regs
1062 # define SYSCALL_NUM ARM_r7
1063 # define SYSCALL_RET ARM_r0
1064 #elif defined(__aarch64__)
1065 # define ARCH_REGS struct user_pt_regs
1066 # define SYSCALL_NUM regs[8]
1067 # define SYSCALL_RET regs[0]
1068 #else
1069 # error "Do not know how to find your architecture's registers and syscalls"
1070 #endif
1071
1072 /* Architecture-specific syscall fetching routine. */
get_syscall(struct __test_metadata * _metadata,pid_t tracee)1073 int get_syscall(struct __test_metadata *_metadata, pid_t tracee) {
1074 struct iovec iov;
1075 ARCH_REGS regs;
1076
1077 iov.iov_base = ®s;
1078 iov.iov_len = sizeof(regs);
1079 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1080 TH_LOG("PTRACE_GETREGSET failed");
1081 return -1;
1082 }
1083
1084 return regs.SYSCALL_NUM;
1085 }
1086
1087 /* Architecture-specific syscall changing routine. */
change_syscall(struct __test_metadata * _metadata,pid_t tracee,int syscall)1088 void change_syscall(struct __test_metadata *_metadata,
1089 pid_t tracee, int syscall) {
1090 struct iovec iov;
1091 int ret;
1092 ARCH_REGS regs;
1093
1094 iov.iov_base = ®s;
1095 iov.iov_len = sizeof(regs);
1096 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1097 EXPECT_EQ(0, ret);
1098
1099 #if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__)
1100 {
1101 regs.SYSCALL_NUM = syscall;
1102 }
1103
1104 #elif defined(__arm__)
1105 # ifndef PTRACE_SET_SYSCALL
1106 # define PTRACE_SET_SYSCALL 23
1107 # endif
1108 {
1109 ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall);
1110 EXPECT_EQ(0, ret);
1111 }
1112
1113 #else
1114 ASSERT_EQ(1, 0) {
1115 TH_LOG("How is the syscall changed on this architecture?");
1116 }
1117 #endif
1118
1119 /* If syscall is skipped, change return value. */
1120 if (syscall == -1)
1121 regs.SYSCALL_RET = 1;
1122
1123 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1124 EXPECT_EQ(0, ret);
1125 }
1126
tracer_syscall(struct __test_metadata * _metadata,pid_t tracee,int status,void * args)1127 void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
1128 int status, void *args) {
1129 int ret;
1130 unsigned long msg;
1131
1132 /* Make sure we got the right message. */
1133 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1134 EXPECT_EQ(0, ret);
1135
1136 switch (msg) {
1137 case 0x1002:
1138 /* change getpid to getppid. */
1139 change_syscall(_metadata, tracee, __NR_getppid);
1140 break;
1141 case 0x1003:
1142 /* skip gettid. */
1143 change_syscall(_metadata, tracee, -1);
1144 break;
1145 case 0x1004:
1146 /* do nothing (allow getppid) */
1147 break;
1148 default:
1149 EXPECT_EQ(0, msg) {
1150 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1151 kill(tracee, SIGKILL);
1152 }
1153 }
1154
1155 }
1156
FIXTURE_DATA(TRACE_syscall)1157 FIXTURE_DATA(TRACE_syscall) {
1158 struct sock_fprog prog;
1159 pid_t tracer, mytid, mypid, parent;
1160 };
1161
FIXTURE_SETUP(TRACE_syscall)1162 FIXTURE_SETUP(TRACE_syscall) {
1163 struct sock_filter filter[] = {
1164 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1165 offsetof(struct seccomp_data, nr)),
1166 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1167 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1168 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1169 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1170 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1171 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1172 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1173 };
1174
1175 memset(&self->prog, 0, sizeof(self->prog));
1176 self->prog.filter = malloc(sizeof(filter));
1177 ASSERT_NE(NULL, self->prog.filter);
1178 memcpy(self->prog.filter, filter, sizeof(filter));
1179 self->prog.len = (unsigned short)(sizeof(filter)/sizeof(filter[0]));
1180
1181 /* Prepare some testable syscall results. */
1182 self->mytid = syscall(__NR_gettid);
1183 ASSERT_GT(self->mytid, 0);
1184 ASSERT_NE(self->mytid, 1) {
1185 TH_LOG("Running this test as init is not supported. :)");
1186 }
1187
1188 self->mypid = getpid();
1189 ASSERT_GT(self->mypid, 0);
1190 ASSERT_EQ(self->mytid, self->mypid);
1191
1192 self->parent = getppid();
1193 ASSERT_GT(self->parent, 0);
1194 ASSERT_NE(self->parent, self->mypid);
1195
1196 /* Launch tracer. */
1197 self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL);
1198 }
1199
FIXTURE_TEARDOWN(TRACE_syscall)1200 FIXTURE_TEARDOWN(TRACE_syscall) {
1201 teardown_trace_fixture(_metadata, self->tracer);
1202 if (self->prog.filter)
1203 free(self->prog.filter);
1204 };
1205
TEST_F(TRACE_syscall,syscall_allowed)1206 TEST_F(TRACE_syscall, syscall_allowed) {
1207 long ret;
1208
1209 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1210 ASSERT_EQ(0, ret);
1211
1212 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1213 ASSERT_EQ(0, ret);
1214
1215 /* getppid works as expected (no changes). */
1216 EXPECT_EQ(self->parent, syscall(__NR_getppid));
1217 EXPECT_NE(self->mypid, syscall(__NR_getppid));
1218 }
1219
TEST_F(TRACE_syscall,syscall_redirected)1220 TEST_F(TRACE_syscall, syscall_redirected) {
1221 long ret;
1222
1223 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1224 ASSERT_EQ(0, ret);
1225
1226 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1227 ASSERT_EQ(0, ret);
1228
1229 /* getpid has been redirected to getppid as expected. */
1230 EXPECT_EQ(self->parent, syscall(__NR_getpid));
1231 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1232 }
1233
TEST_F(TRACE_syscall,syscall_dropped)1234 TEST_F(TRACE_syscall, syscall_dropped) {
1235 long ret;
1236
1237 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1238 ASSERT_EQ(0, ret);
1239
1240 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1241 ASSERT_EQ(0, ret);
1242
1243 /* gettid has been skipped and an altered return value stored. */
1244 EXPECT_EQ(1, syscall(__NR_gettid));
1245 EXPECT_NE(self->mytid, syscall(__NR_gettid));
1246 }
1247
1248 #ifndef __NR_seccomp
1249 # if defined(__i386__)
1250 # define __NR_seccomp 354
1251 # elif defined(__x86_64__)
1252 # define __NR_seccomp 317
1253 # elif defined(__arm__)
1254 # define __NR_seccomp 383
1255 # elif defined(__aarch64__)
1256 # define __NR_seccomp 277
1257 # else
1258 # warning "seccomp syscall number unknown for this architecture"
1259 # define __NR_seccomp 0xffff
1260 # endif
1261 #endif
1262
1263 #ifndef SECCOMP_SET_MODE_STRICT
1264 #define SECCOMP_SET_MODE_STRICT 0
1265 #endif
1266
1267 #ifndef SECCOMP_SET_MODE_FILTER
1268 #define SECCOMP_SET_MODE_FILTER 1
1269 #endif
1270
1271 #ifndef SECCOMP_FLAG_FILTER_TSYNC
1272 #define SECCOMP_FLAG_FILTER_TSYNC 1
1273 #endif
1274
1275 #ifndef seccomp
seccomp(unsigned int op,unsigned int flags,struct sock_fprog * filter)1276 int seccomp(unsigned int op, unsigned int flags, struct sock_fprog *filter)
1277 {
1278 errno = 0;
1279 return syscall(__NR_seccomp, op, flags, filter);
1280 }
1281 #endif
1282
TEST(seccomp_syscall)1283 TEST(seccomp_syscall) {
1284 struct sock_filter filter[] = {
1285 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1286 };
1287 struct sock_fprog prog = {
1288 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
1289 .filter = filter,
1290 };
1291 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1292 ASSERT_EQ(0, ret) {
1293 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1294 }
1295
1296 /* Reject insane operation. */
1297 ret = seccomp(-1, 0, &prog);
1298 EXPECT_EQ(EINVAL, errno) {
1299 TH_LOG("Did not reject crazy op value!");
1300 }
1301
1302 /* Reject strict with flags or pointer. */
1303 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
1304 EXPECT_EQ(EINVAL, errno) {
1305 TH_LOG("Did not reject mode strict with flags!");
1306 }
1307 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
1308 EXPECT_EQ(EINVAL, errno) {
1309 TH_LOG("Did not reject mode strict with uargs!");
1310 }
1311
1312 /* Reject insane args for filter. */
1313 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
1314 EXPECT_EQ(EINVAL, errno) {
1315 TH_LOG("Did not reject crazy filter flags!");
1316 }
1317 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
1318 EXPECT_EQ(EFAULT, errno) {
1319 TH_LOG("Did not reject NULL filter!");
1320 }
1321
1322 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1323 EXPECT_EQ(0, errno) {
1324 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
1325 strerror(errno));
1326 }
1327 }
1328
TEST(seccomp_syscall_mode_lock)1329 TEST(seccomp_syscall_mode_lock) {
1330 struct sock_filter filter[] = {
1331 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1332 };
1333 struct sock_fprog prog = {
1334 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
1335 .filter = filter,
1336 };
1337 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
1338 ASSERT_EQ(0, ret) {
1339 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1340 }
1341
1342 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1343 EXPECT_EQ(0, ret) {
1344 TH_LOG("Could not install filter!");
1345 }
1346
1347 /* Make sure neither entry point will switch to strict. */
1348 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
1349 EXPECT_EQ(EINVAL, errno) {
1350 TH_LOG("Switched to mode strict!");
1351 }
1352
1353 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
1354 EXPECT_EQ(EINVAL, errno) {
1355 TH_LOG("Switched to mode strict!");
1356 }
1357 }
1358
TEST(TSYNC_first)1359 TEST(TSYNC_first) {
1360 struct sock_filter filter[] = {
1361 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1362 };
1363 struct sock_fprog prog = {
1364 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
1365 .filter = filter,
1366 };
1367 long ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
1368 ASSERT_EQ(0, ret) {
1369 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1370 }
1371
1372 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1373 &prog);
1374 EXPECT_EQ(0, ret) {
1375 TH_LOG("Could not install initial filter with TSYNC!");
1376 }
1377 }
1378
1379 #define TSYNC_SIBLINGS 2
1380 struct tsync_sibling {
1381 pthread_t tid;
1382 pid_t system_tid;
1383 sem_t *started;
1384 pthread_cond_t *cond;
1385 pthread_mutex_t *mutex;
1386 int diverge;
1387 int num_waits;
1388 struct sock_fprog *prog;
1389 struct __test_metadata *metadata;
1390 };
1391
FIXTURE_DATA(TSYNC)1392 FIXTURE_DATA(TSYNC) {
1393 struct sock_fprog root_prog, apply_prog;
1394 struct tsync_sibling sibling[TSYNC_SIBLINGS];
1395 sem_t started;
1396 pthread_cond_t cond;
1397 pthread_mutex_t mutex;
1398 int sibling_count;
1399 };
1400
FIXTURE_SETUP(TSYNC)1401 FIXTURE_SETUP(TSYNC) {
1402 struct sock_filter root_filter[] = {
1403 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1404 };
1405 struct sock_filter apply_filter[] = {
1406 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1407 offsetof(struct seccomp_data, nr)),
1408 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1409 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1410 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1411 };
1412 memset(&self->root_prog, 0, sizeof(self->root_prog));
1413 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
1414 memset(&self->sibling, 0, sizeof(self->sibling));
1415 self->root_prog.filter = malloc(sizeof(root_filter));
1416 ASSERT_NE(NULL, self->root_prog.filter);
1417 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
1418 self->root_prog.len = (unsigned short)(sizeof(root_filter)/sizeof(root_filter[0]));
1419
1420 self->apply_prog.filter = malloc(sizeof(apply_filter));
1421 ASSERT_NE(NULL, self->apply_prog.filter);
1422 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
1423 self->apply_prog.len = (unsigned short)(sizeof(apply_filter)/sizeof(apply_filter[0]));
1424
1425 self->sibling_count = 0;
1426 pthread_mutex_init(&self->mutex, NULL);
1427 pthread_cond_init(&self->cond, NULL);
1428 sem_init(&self->started, 0, 0);
1429 self->sibling[0].tid = 0;
1430 self->sibling[0].cond = &self->cond;
1431 self->sibling[0].started = &self->started;
1432 self->sibling[0].mutex = &self->mutex;
1433 self->sibling[0].diverge = 0;
1434 self->sibling[0].num_waits = 1;
1435 self->sibling[0].prog = &self->root_prog;
1436 self->sibling[0].metadata = _metadata;
1437 self->sibling[1].tid = 0;
1438 self->sibling[1].cond = &self->cond;
1439 self->sibling[1].started = &self->started;
1440 self->sibling[1].mutex = &self->mutex;
1441 self->sibling[1].diverge = 0;
1442 self->sibling[1].prog = &self->root_prog;
1443 self->sibling[1].num_waits = 1;
1444 self->sibling[1].metadata = _metadata;
1445 }
1446
FIXTURE_TEARDOWN(TSYNC)1447 FIXTURE_TEARDOWN(TSYNC) {
1448 int sib = 0;
1449 if (self->root_prog.filter)
1450 free(self->root_prog.filter);
1451 if (self->apply_prog.filter)
1452 free(self->apply_prog.filter);
1453
1454 for ( ; sib < self->sibling_count; ++sib) {
1455 struct tsync_sibling *s = &self->sibling[sib];
1456 void *status;
1457 if (!s->tid)
1458 continue;
1459 if (pthread_kill(s->tid, 0)) {
1460 //pthread_cancel(s->tid); // ANDROID
1461 pthread_join(s->tid, &status);
1462 }
1463 }
1464 pthread_mutex_destroy(&self->mutex);
1465 pthread_cond_destroy(&self->cond);
1466 sem_destroy(&self->started);
1467 };
1468
tsync_sibling(void * data)1469 void *tsync_sibling(void *data)
1470 {
1471 long ret = 0;
1472 struct tsync_sibling *me = data;
1473 me->system_tid = syscall(__NR_gettid);
1474
1475 pthread_mutex_lock(me->mutex);
1476 if (me->diverge) {
1477 /* Just re-apply the root prog to fork the tree */
1478 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
1479 me->prog, 0, 0);
1480 }
1481 sem_post(me->started);
1482 /* Return outside of started so parent notices failures. */
1483 if (ret) {
1484 pthread_mutex_unlock(me->mutex);
1485 return (void *)SIBLING_EXIT_FAILURE;
1486 }
1487 do {
1488 pthread_cond_wait(me->cond, me->mutex);
1489 me->num_waits = me->num_waits - 1;
1490 }
1491 while (me->num_waits);
1492 pthread_mutex_unlock(me->mutex);
1493 long nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
1494 if (!nnp)
1495 return (void*)SIBLING_EXIT_NEWPRIVS;
1496 read(0, NULL, 0);
1497 return (void *)SIBLING_EXIT_UNKILLED;
1498 }
1499
tsync_start_sibling(struct tsync_sibling * sibling)1500 void tsync_start_sibling(struct tsync_sibling *sibling)
1501 {
1502 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
1503 }
1504
TEST_F(TSYNC,siblings_fail_prctl)1505 TEST_F(TSYNC, siblings_fail_prctl) {
1506 long ret;
1507 void *status;
1508 struct sock_filter filter[] = {
1509 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1510 offsetof(struct seccomp_data, nr)),
1511 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
1512 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
1513 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1514 };
1515 struct sock_fprog prog = {
1516 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
1517 .filter = filter,
1518 };
1519
1520 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1521 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1522 }
1523
1524 /* Check prctl failure detection by requesting sib 0 diverge. */
1525 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1526 ASSERT_EQ(0, ret) {
1527 TH_LOG("setting filter failed");
1528 }
1529
1530 self->sibling[0].diverge = 1;
1531 tsync_start_sibling(&self->sibling[0]);
1532 tsync_start_sibling(&self->sibling[1]);
1533
1534 while (self->sibling_count < TSYNC_SIBLINGS) {
1535 sem_wait(&self->started);
1536 self->sibling_count++;
1537 }
1538
1539 /* Signal the threads to clean up*/
1540 pthread_mutex_lock(&self->mutex);
1541 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1542 TH_LOG("cond broadcast non-zero");
1543 }
1544 pthread_mutex_unlock(&self->mutex);
1545
1546 /* Ensure diverging sibling failed to call prctl. */
1547 pthread_join(self->sibling[0].tid, &status);
1548 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
1549 pthread_join(self->sibling[1].tid, &status);
1550 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1551 }
1552
TEST_F(TSYNC,two_siblings_with_ancestor)1553 TEST_F(TSYNC, two_siblings_with_ancestor) {
1554 long ret;
1555 void *status;
1556
1557 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1558 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1559 }
1560
1561 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
1562 ASSERT_EQ(0, ret) {
1563 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
1564 }
1565 tsync_start_sibling(&self->sibling[0]);
1566 tsync_start_sibling(&self->sibling[1]);
1567
1568 while (self->sibling_count < TSYNC_SIBLINGS) {
1569 sem_wait(&self->started);
1570 self->sibling_count++;
1571 }
1572
1573 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1574 &self->apply_prog);
1575 ASSERT_EQ(0, ret) {
1576 TH_LOG("Could install filter on all threads!");
1577 }
1578 /* Tell the siblings to test the policy */
1579 pthread_mutex_lock(&self->mutex);
1580 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1581 TH_LOG("cond broadcast non-zero");
1582 }
1583 pthread_mutex_unlock(&self->mutex);
1584 /* Ensure they are both killed and don't exit cleanly. */
1585 pthread_join(self->sibling[0].tid, &status);
1586 EXPECT_EQ(0x0, (long)status);
1587 pthread_join(self->sibling[1].tid, &status);
1588 EXPECT_EQ(0x0, (long)status);
1589 }
1590
TEST_F(TSYNC,two_sibling_want_nnp)1591 TEST_F(TSYNC, two_sibling_want_nnp) {
1592 void *status;
1593
1594 /* start siblings before any prctl() operations */
1595 tsync_start_sibling(&self->sibling[0]);
1596 tsync_start_sibling(&self->sibling[1]);
1597 while (self->sibling_count < TSYNC_SIBLINGS) {
1598 sem_wait(&self->started);
1599 self->sibling_count++;
1600 }
1601
1602 /* Tell the siblings to test no policy */
1603 pthread_mutex_lock(&self->mutex);
1604 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1605 TH_LOG("cond broadcast non-zero");
1606 }
1607 pthread_mutex_unlock(&self->mutex);
1608
1609 /* Ensure they are both upset about lacking nnp. */
1610 pthread_join(self->sibling[0].tid, &status);
1611 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
1612 pthread_join(self->sibling[1].tid, &status);
1613 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
1614 }
1615
TEST_F(TSYNC,two_siblings_with_no_filter)1616 TEST_F(TSYNC, two_siblings_with_no_filter) {
1617 long ret;
1618 void *status;
1619
1620 /* start siblings before any prctl() operations */
1621 tsync_start_sibling(&self->sibling[0]);
1622 tsync_start_sibling(&self->sibling[1]);
1623 while (self->sibling_count < TSYNC_SIBLINGS) {
1624 sem_wait(&self->started);
1625 self->sibling_count++;
1626 }
1627
1628 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1629 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1630 }
1631
1632 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1633 &self->apply_prog);
1634 ASSERT_EQ(0, ret) {
1635 TH_LOG("Could install filter on all threads!");
1636 }
1637
1638 /* Tell the siblings to test the policy */
1639 pthread_mutex_lock(&self->mutex);
1640 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1641 TH_LOG("cond broadcast non-zero");
1642 }
1643 pthread_mutex_unlock(&self->mutex);
1644
1645 /* Ensure they are both killed and don't exit cleanly. */
1646 pthread_join(self->sibling[0].tid, &status);
1647 EXPECT_EQ(0x0, (long)status);
1648 pthread_join(self->sibling[1].tid, &status);
1649 EXPECT_EQ(0x0, (long)status);
1650 }
1651
TEST_F(TSYNC,two_siblings_with_one_divergence)1652 TEST_F(TSYNC, two_siblings_with_one_divergence) {
1653 long ret;
1654 void *status;
1655
1656 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1657 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1658 }
1659
1660 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
1661 ASSERT_EQ(0, ret) {
1662 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
1663 }
1664 self->sibling[0].diverge = 1;
1665 tsync_start_sibling(&self->sibling[0]);
1666 tsync_start_sibling(&self->sibling[1]);
1667
1668 while (self->sibling_count < TSYNC_SIBLINGS) {
1669 sem_wait(&self->started);
1670 self->sibling_count++;
1671 }
1672
1673 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1674 &self->apply_prog);
1675 ASSERT_EQ(self->sibling[0].system_tid, ret) {
1676 TH_LOG("Did not fail on diverged sibling.");
1677 }
1678
1679 /* Wake the threads */
1680 pthread_mutex_lock(&self->mutex);
1681 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1682 TH_LOG("cond broadcast non-zero");
1683 }
1684 pthread_mutex_unlock(&self->mutex);
1685
1686 /* Ensure they are both unkilled. */
1687 pthread_join(self->sibling[0].tid, &status);
1688 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1689 pthread_join(self->sibling[1].tid, &status);
1690 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1691 }
1692
TEST_F(TSYNC,two_siblings_not_under_filter)1693 TEST_F(TSYNC, two_siblings_not_under_filter) {
1694 long ret, sib;
1695 void *status;
1696
1697 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1698 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1699 }
1700
1701 /*
1702 * Sibling 0 will have its own seccomp policy
1703 * and Sibling 1 will not be under seccomp at
1704 * all. Sibling 1 will enter seccomp and 0
1705 * will cause failure.
1706 */
1707 self->sibling[0].diverge = 1;
1708 tsync_start_sibling(&self->sibling[0]);
1709 tsync_start_sibling(&self->sibling[1]);
1710
1711 while (self->sibling_count < TSYNC_SIBLINGS) {
1712 sem_wait(&self->started);
1713 self->sibling_count++;
1714 }
1715
1716 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
1717 ASSERT_EQ(0, ret) {
1718 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
1719 }
1720
1721 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1722 &self->apply_prog);
1723 ASSERT_EQ(ret, self->sibling[0].system_tid) {
1724 TH_LOG("Did not fail on diverged sibling.");
1725 }
1726 sib = 1;
1727 if (ret == self->sibling[0].system_tid)
1728 sib = 0;
1729
1730 pthread_mutex_lock(&self->mutex);
1731
1732 /* Increment the other siblings num_waits so we can clean up
1733 * the one we just saw.
1734 */
1735 self->sibling[!sib].num_waits += 1;
1736
1737 /* Signal the thread to clean up*/
1738 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1739 TH_LOG("cond broadcast non-zero");
1740 }
1741 pthread_mutex_unlock(&self->mutex);
1742 pthread_join(self->sibling[sib].tid, &status);
1743 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1744 /* Poll for actual task death. pthread_join doesn't guarantee it. */
1745 while (!kill(self->sibling[sib].system_tid, 0)) sleep(0.1);
1746 /* Switch to the remaining sibling */
1747 sib = !sib;
1748
1749 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1750 &self->apply_prog);
1751 ASSERT_EQ(0, ret) {
1752 TH_LOG("Expected the remaining sibling to sync");
1753 };
1754
1755 pthread_mutex_lock(&self->mutex);
1756
1757 /* If remaining sibling didn't have a chance to wake up during
1758 * the first broadcast, manually reduce the num_waits now.
1759 */
1760 if (self->sibling[sib].num_waits > 1)
1761 self->sibling[sib].num_waits = 1;
1762 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1763 TH_LOG("cond broadcast non-zero");
1764 }
1765 pthread_mutex_unlock(&self->mutex);
1766 pthread_join(self->sibling[sib].tid, &status);
1767 EXPECT_EQ(0, (long)status);
1768 /* Poll for actual task death. pthread_join doesn't guarantee it. */
1769 while (!kill(self->sibling[sib].system_tid, 0)) sleep(0.1);
1770
1771 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1772 &self->apply_prog);
1773 ASSERT_EQ(0, ret); /* just us chickens */
1774 }
1775
1776 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
TEST(syscall_restart)1777 TEST(syscall_restart) {
1778 long ret;
1779 unsigned long msg;
1780 pid_t child_pid;
1781 int pipefd[2];
1782 int status;
1783 siginfo_t info = { };
1784 struct sock_filter filter[] = {
1785 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1786 offsetof(struct seccomp_data, nr)),
1787
1788 #ifdef __NR_sigreturn
1789 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 6, 0),
1790 #endif
1791 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 5, 0),
1792 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 4, 0),
1793 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 3, 0),
1794 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_poll, 4, 0),
1795 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
1796
1797 /* Allow __NR_write for easy logging. */
1798 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
1799 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1800 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1801 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100), /* poll */
1802 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200), /* restart */
1803 };
1804 struct sock_fprog prog = {
1805 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
1806 .filter = filter,
1807 };
1808
1809 ASSERT_EQ(0, pipe(pipefd));
1810
1811 child_pid = fork();
1812 ASSERT_LE(0, child_pid);
1813 if (child_pid == 0) {
1814 /* Child uses EXPECT not ASSERT to deliver status correctly. */
1815 char buf = ' ';
1816 struct pollfd fds = {
1817 .fd = pipefd[0],
1818 .events = POLLIN,
1819 };
1820
1821 /* Attach parent as tracer and stop. */
1822 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
1823 EXPECT_EQ(0, raise(SIGSTOP));
1824
1825 EXPECT_EQ(0, close(pipefd[1]));
1826
1827 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1828 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1829 }
1830
1831 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1832 EXPECT_EQ(0, ret) {
1833 TH_LOG("Failed to install filter!");
1834 }
1835
1836 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
1837 TH_LOG("Failed to read() sync from parent");
1838 }
1839 EXPECT_EQ('.', buf) {
1840 TH_LOG("Failed to get sync data from read()");
1841 }
1842
1843 /* Start poll to be interrupted. */
1844 errno = 0;
1845 EXPECT_EQ(1, poll(&fds, 1, -1)) {
1846 TH_LOG("Call to poll() failed (errno %d)", errno);
1847 }
1848
1849 /* Read final sync from parent. */
1850 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
1851 TH_LOG("Failed final read() from parent");
1852 }
1853 EXPECT_EQ('!', buf) {
1854 TH_LOG("Failed to get final data from read()");
1855 }
1856
1857 /* Directly report the status of our test harness results. */
1858 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
1859 : EXIT_FAILURE);
1860 }
1861 EXPECT_EQ(0, close(pipefd[0]));
1862
1863 /* Attach to child, setup options, and release. */
1864 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
1865 ASSERT_EQ(true, WIFSTOPPED(status));
1866 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
1867 PTRACE_O_TRACESECCOMP));
1868 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
1869 ASSERT_EQ(1, write(pipefd[1], ".", 1));
1870
1871 /* Wait for poll() to start. */
1872 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
1873 ASSERT_EQ(true, WIFSTOPPED(status));
1874 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
1875 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
1876 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
1877 ASSERT_EQ(0x100, msg);
1878 EXPECT_EQ(__NR_poll, get_syscall(_metadata, child_pid));
1879
1880 /* Might as well check siginfo for sanity while we're here. */
1881 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
1882 ASSERT_EQ(SIGTRAP, info.si_signo);
1883 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
1884 EXPECT_EQ(0, info.si_errno);
1885 EXPECT_EQ(getuid(), info.si_uid);
1886 /* Verify signal delivery came from child (seccomp-triggered). */
1887 EXPECT_EQ(child_pid, info.si_pid);
1888
1889 /* Interrupt poll with SIGSTOP (which we'll need to handle). */
1890 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
1891 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
1892 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
1893 ASSERT_EQ(true, WIFSTOPPED(status));
1894 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
1895 /* Verify signal delivery came from parent now. */
1896 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
1897 EXPECT_EQ(getpid(), info.si_pid);
1898
1899 /* Restart poll with SIGCONT, which triggers restart_syscall. */
1900 ASSERT_EQ(0, kill(child_pid, SIGCONT));
1901 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
1902 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
1903 ASSERT_EQ(true, WIFSTOPPED(status));
1904 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
1905 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
1906
1907 /* Wait for restart_syscall() to start. */
1908 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
1909 ASSERT_EQ(true, WIFSTOPPED(status));
1910 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
1911 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
1912 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
1913 ASSERT_EQ(0x200, msg);
1914 ret = get_syscall(_metadata, child_pid);
1915 #if defined(__arm__)
1916 /* FIXME: ARM does not expose true syscall in registers. */
1917 EXPECT_EQ(__NR_poll, ret);
1918 #else
1919 EXPECT_EQ(__NR_restart_syscall, ret);
1920 #endif
1921
1922 /* Write again to end poll. */
1923 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
1924 ASSERT_EQ(1, write(pipefd[1], "!", 1));
1925 EXPECT_EQ(0, close(pipefd[1]));
1926
1927 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
1928 if (WIFSIGNALED(status) || WEXITSTATUS(status))
1929 _metadata->passed = 0;
1930 }
1931
1932 /*
1933 * TODO:
1934 * - add microbenchmarks
1935 * - expand NNP testing
1936 * - better arch-specific TRACE and TRAP handlers.
1937 * - endianness checking when appropriate
1938 * - 64-bit arg prodding
1939 * - arch value testing (x86 modes especially)
1940 * - ...
1941 */
1942
1943 // ANDROID:begin
get_seccomp_test_list()1944 struct __test_metadata* get_seccomp_test_list() {
1945 return __test_list;
1946 }
1947 // ANDROID:end
1948
1949 TEST_HARNESS_MAIN
1950