2 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
3 * Use of this source code is governed by the GPLv2 license.
5 * Test code for seccomp bpf.
8 #include <asm/siginfo.h>
9 #define __have_siginfo_t 1
10 #define __have_sigval_t 1
11 #define __have_sigevent_t 1
14 #include <linux/filter.h>
15 #include <sys/prctl.h>
16 #include <sys/ptrace.h>
18 #include <linux/prctl.h>
19 #include <linux/ptrace.h>
20 #include <linux/seccomp.h>
23 #include <semaphore.h>
28 #include <linux/elf.h>
33 #include <sys/syscall.h>
35 #include "test_harness.h"
37 #ifndef PR_SET_PTRACER
38 # define PR_SET_PTRACER 0x59616d61
41 #ifndef PR_SET_NO_NEW_PRIVS
42 #define PR_SET_NO_NEW_PRIVS 38
43 #define PR_GET_NO_NEW_PRIVS 39
46 #ifndef PR_SECCOMP_EXT
47 #define PR_SECCOMP_EXT 43
50 #ifndef SECCOMP_EXT_ACT
51 #define SECCOMP_EXT_ACT 1
54 #ifndef SECCOMP_EXT_ACT_TSYNC
55 #define SECCOMP_EXT_ACT_TSYNC 1
58 #ifndef SECCOMP_MODE_STRICT
59 #define SECCOMP_MODE_STRICT 1
62 #ifndef SECCOMP_MODE_FILTER
63 #define SECCOMP_MODE_FILTER 2
66 #ifndef SECCOMP_RET_KILL
67 #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
68 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
69 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
70 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
71 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
73 /* Masks for the return value sections. */
74 #define SECCOMP_RET_ACTION 0x7fff0000U
75 #define SECCOMP_RET_DATA 0x0000ffffU
80 __u64 instruction_pointer;
85 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
87 #define SIBLING_EXIT_UNKILLED 0xbadbeef
88 #define SIBLING_EXIT_FAILURE 0xbadface
89 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
91 TEST(mode_strict_support)
95 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
97 TH_LOG("Kernel does not support CONFIG_SECCOMP");
99 syscall(__NR_exit, 1);
102 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
106 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
108 TH_LOG("Kernel does not support CONFIG_SECCOMP");
110 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
113 TH_LOG("Unreachable!");
117 /* Note! This doesn't test no new privs behavior */
118 TEST(no_new_privs_support)
122 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
124 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
128 /* Tests kernel support by checking for a copy_from_user() fault on * NULL. */
129 TEST(mode_filter_support)
133 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
135 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
137 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
139 EXPECT_EQ(EFAULT, errno) {
140 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
144 TEST(mode_filter_without_nnp)
146 struct sock_filter filter[] = {
147 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
149 struct sock_fprog prog = {
150 .len = (unsigned short)ARRAY_SIZE(filter),
155 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
157 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
160 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
161 /* Succeeds with CAP_SYS_ADMIN, fails without */
162 /* TODO(wad) check caps not euid */
165 EXPECT_EQ(EACCES, errno);
171 #define MAX_INSNS_PER_PATH 32768
173 TEST(filter_size_limits)
176 int count = BPF_MAXINSNS + 1;
177 struct sock_filter allow[] = {
178 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
180 struct sock_filter *filter;
181 struct sock_fprog prog = { };
184 filter = calloc(count, sizeof(*filter));
185 ASSERT_NE(NULL, filter);
187 for (i = 0; i < count; i++)
188 filter[i] = allow[0];
190 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
193 prog.filter = filter;
196 /* Too many filter instructions in a single filter. */
197 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
199 TH_LOG("Installing %d insn filter was allowed", prog.len);
202 /* One less is okay, though. */
204 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
206 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
210 TEST(filter_chain_limits)
213 int count = BPF_MAXINSNS;
214 struct sock_filter allow[] = {
215 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
217 struct sock_filter *filter;
218 struct sock_fprog prog = { };
221 filter = calloc(count, sizeof(*filter));
222 ASSERT_NE(NULL, filter);
224 for (i = 0; i < count; i++)
225 filter[i] = allow[0];
227 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
230 prog.filter = filter;
233 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
238 /* Too many total filter instructions. */
239 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
240 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
245 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
246 i, count, i * (count + 4));
250 TEST(mode_filter_cannot_move_to_strict)
252 struct sock_filter filter[] = {
253 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
255 struct sock_fprog prog = {
256 .len = (unsigned short)ARRAY_SIZE(filter),
261 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
264 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
267 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
269 EXPECT_EQ(EINVAL, errno);
273 TEST(mode_filter_get_seccomp)
275 struct sock_filter filter[] = {
276 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
278 struct sock_fprog prog = {
279 .len = (unsigned short)ARRAY_SIZE(filter),
284 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
287 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
290 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
293 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
300 struct sock_filter filter[] = {
301 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
303 struct sock_fprog prog = {
304 .len = (unsigned short)ARRAY_SIZE(filter),
309 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
312 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
318 struct sock_filter filter[] = {
320 struct sock_fprog prog = {
321 .len = (unsigned short)ARRAY_SIZE(filter),
326 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
329 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
331 EXPECT_EQ(EINVAL, errno);
334 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
336 struct sock_filter filter[] = {
337 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
339 struct sock_fprog prog = {
340 .len = (unsigned short)ARRAY_SIZE(filter),
345 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
348 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
350 EXPECT_EQ(0, syscall(__NR_getpid)) {
351 TH_LOG("getpid() shouldn't ever return");
355 /* return code >= 0x80000000 is unused. */
356 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
358 struct sock_filter filter[] = {
359 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
361 struct sock_fprog prog = {
362 .len = (unsigned short)ARRAY_SIZE(filter),
367 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
370 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
372 EXPECT_EQ(0, syscall(__NR_getpid)) {
373 TH_LOG("getpid() shouldn't ever return");
377 TEST_SIGNAL(KILL_all, SIGSYS)
379 struct sock_filter filter[] = {
380 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
382 struct sock_fprog prog = {
383 .len = (unsigned short)ARRAY_SIZE(filter),
388 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
391 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
395 TEST_SIGNAL(KILL_one, SIGSYS)
397 struct sock_filter filter[] = {
398 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
399 offsetof(struct seccomp_data, nr)),
400 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
401 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
402 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
404 struct sock_fprog prog = {
405 .len = (unsigned short)ARRAY_SIZE(filter),
409 pid_t parent = getppid();
411 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
414 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
417 EXPECT_EQ(parent, syscall(__NR_getppid));
418 /* getpid() should never return. */
419 EXPECT_EQ(0, syscall(__NR_getpid));
422 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
424 struct sock_filter filter[] = {
425 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
426 offsetof(struct seccomp_data, nr)),
427 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
428 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
429 /* Only both with lower 32-bit for now. */
430 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
431 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
432 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
433 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
435 struct sock_fprog prog = {
436 .len = (unsigned short)ARRAY_SIZE(filter),
440 pid_t parent = getppid();
441 pid_t pid = getpid();
443 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
446 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
449 EXPECT_EQ(parent, syscall(__NR_getppid));
450 EXPECT_EQ(pid, syscall(__NR_getpid));
451 /* getpid() should never return. */
452 EXPECT_EQ(0, syscall(__NR_getpid, 0x0C0FFEE));
455 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
457 struct sock_filter filter[] = {
458 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
459 offsetof(struct seccomp_data, nr)),
460 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
461 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
462 /* Only both with lower 32-bit for now. */
463 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
464 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
465 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
466 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
468 struct sock_fprog prog = {
469 .len = (unsigned short)ARRAY_SIZE(filter),
473 pid_t parent = getppid();
474 pid_t pid = getpid();
476 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
479 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
482 EXPECT_EQ(parent, syscall(__NR_getppid));
483 EXPECT_EQ(pid, syscall(__NR_getpid));
484 /* getpid() should never return. */
485 EXPECT_EQ(0, syscall(__NR_getpid, 1, 2, 3, 4, 5, 0x0C0FFEE));
488 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
489 TEST(arg_out_of_range)
491 struct sock_filter filter[] = {
492 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
493 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
495 struct sock_fprog prog = {
496 .len = (unsigned short)ARRAY_SIZE(filter),
501 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
504 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
506 EXPECT_EQ(EINVAL, errno);
511 struct sock_filter filter[] = {
512 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
513 offsetof(struct seccomp_data, nr)),
514 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
515 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | E2BIG),
516 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
518 struct sock_fprog prog = {
519 .len = (unsigned short)ARRAY_SIZE(filter),
523 pid_t parent = getppid();
525 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
528 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
531 EXPECT_EQ(parent, syscall(__NR_getppid));
532 EXPECT_EQ(-1, read(0, NULL, 0));
533 EXPECT_EQ(E2BIG, errno);
538 struct sock_filter filter[] = {
539 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
540 offsetof(struct seccomp_data, nr)),
541 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
542 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 0),
543 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
545 struct sock_fprog prog = {
546 .len = (unsigned short)ARRAY_SIZE(filter),
550 pid_t parent = getppid();
552 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
555 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
558 EXPECT_EQ(parent, syscall(__NR_getppid));
559 /* "errno" of 0 is ok. */
560 EXPECT_EQ(0, read(0, NULL, 0));
565 struct sock_filter filter[] = {
566 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
567 offsetof(struct seccomp_data, nr)),
568 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
569 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 4096),
570 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
572 struct sock_fprog prog = {
573 .len = (unsigned short)ARRAY_SIZE(filter),
577 pid_t parent = getppid();
579 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
582 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
585 EXPECT_EQ(parent, syscall(__NR_getppid));
586 EXPECT_EQ(-1, read(0, NULL, 0));
587 EXPECT_EQ(4095, errno);
591 struct sock_fprog prog;
596 struct sock_filter filter[] = {
597 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
598 offsetof(struct seccomp_data, nr)),
599 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
600 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
601 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
604 memset(&self->prog, 0, sizeof(self->prog));
605 self->prog.filter = malloc(sizeof(filter));
606 ASSERT_NE(NULL, self->prog.filter);
607 memcpy(self->prog.filter, filter, sizeof(filter));
608 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
611 FIXTURE_TEARDOWN(TRAP)
613 if (self->prog.filter)
614 free(self->prog.filter);
617 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
621 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
624 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
626 syscall(__NR_getpid);
629 /* Ensure that SIGSYS overrides SIG_IGN */
630 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
634 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
637 signal(SIGSYS, SIG_IGN);
639 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
641 syscall(__NR_getpid);
644 static struct siginfo TRAP_info;
645 static volatile int TRAP_nr;
646 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
648 memcpy(&TRAP_info, info, sizeof(TRAP_info));
652 TEST_F(TRAP, handler)
655 struct sigaction act;
658 memset(&act, 0, sizeof(act));
660 sigaddset(&mask, SIGSYS);
662 act.sa_sigaction = &TRAP_action;
663 act.sa_flags = SA_SIGINFO;
664 ret = sigaction(SIGSYS, &act, NULL);
666 TH_LOG("sigaction failed");
668 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
670 TH_LOG("sigprocmask failed");
673 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
675 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
678 memset(&TRAP_info, 0, sizeof(TRAP_info));
679 /* Expect the registers to be rolled back. (nr = error) may vary
681 ret = syscall(__NR_getpid);
682 /* Silence gcc warning about volatile. */
684 EXPECT_EQ(SIGSYS, test);
685 struct local_sigsys {
686 void *_call_addr; /* calling user insn */
687 int _syscall; /* triggering system call number */
688 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
689 } *sigsys = (struct local_sigsys *)
691 &(TRAP_info.si_call_addr);
695 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
696 /* Make sure arch is non-zero. */
697 EXPECT_NE(0, sigsys->_arch);
698 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
701 FIXTURE_DATA(precedence) {
702 struct sock_fprog allow;
703 struct sock_fprog trace;
704 struct sock_fprog error;
705 struct sock_fprog trap;
706 struct sock_fprog kill;
709 FIXTURE_SETUP(precedence)
711 struct sock_filter allow_insns[] = {
712 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
714 struct sock_filter trace_insns[] = {
715 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
716 offsetof(struct seccomp_data, nr)),
717 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
718 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
719 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
721 struct sock_filter error_insns[] = {
722 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
723 offsetof(struct seccomp_data, nr)),
724 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
725 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
726 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
728 struct sock_filter trap_insns[] = {
729 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
730 offsetof(struct seccomp_data, nr)),
731 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
732 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
733 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
735 struct sock_filter kill_insns[] = {
736 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
737 offsetof(struct seccomp_data, nr)),
738 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
739 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
740 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
743 memset(self, 0, sizeof(*self));
744 #define FILTER_ALLOC(_x) \
745 self->_x.filter = malloc(sizeof(_x##_insns)); \
746 ASSERT_NE(NULL, self->_x.filter); \
747 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
748 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
756 FIXTURE_TEARDOWN(precedence)
758 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
766 TEST_F(precedence, allow_ok)
768 pid_t parent, res = 0;
772 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
775 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
777 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
779 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
781 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
783 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
785 /* Should work just fine. */
786 res = syscall(__NR_getppid);
787 EXPECT_EQ(parent, res);
790 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
792 pid_t parent, res = 0;
796 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
799 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
801 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
803 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
805 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
807 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
809 /* Should work just fine. */
810 res = syscall(__NR_getppid);
811 EXPECT_EQ(parent, res);
812 /* getpid() should never return. */
813 res = syscall(__NR_getpid);
817 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
823 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
826 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
828 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
830 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
832 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
834 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
836 /* Should work just fine. */
837 EXPECT_EQ(parent, syscall(__NR_getppid));
838 /* getpid() should never return. */
839 EXPECT_EQ(0, syscall(__NR_getpid));
842 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
848 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
851 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
853 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
855 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
857 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
859 /* Should work just fine. */
860 EXPECT_EQ(parent, syscall(__NR_getppid));
861 /* getpid() should never return. */
862 EXPECT_EQ(0, syscall(__NR_getpid));
865 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
871 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
874 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
876 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
878 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
880 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
882 /* Should work just fine. */
883 EXPECT_EQ(parent, syscall(__NR_getppid));
884 /* getpid() should never return. */
885 EXPECT_EQ(0, syscall(__NR_getpid));
888 TEST_F(precedence, errno_is_third)
894 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
897 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
899 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
901 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
903 /* Should work just fine. */
904 EXPECT_EQ(parent, syscall(__NR_getppid));
905 EXPECT_EQ(0, syscall(__NR_getpid));
908 TEST_F(precedence, errno_is_third_in_any_order)
914 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
917 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
919 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
921 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
923 /* Should work just fine. */
924 EXPECT_EQ(parent, syscall(__NR_getppid));
925 EXPECT_EQ(0, syscall(__NR_getpid));
928 TEST_F(precedence, trace_is_fourth)
934 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
937 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
939 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
941 /* Should work just fine. */
942 EXPECT_EQ(parent, syscall(__NR_getppid));
944 EXPECT_EQ(-1, syscall(__NR_getpid));
947 TEST_F(precedence, trace_is_fourth_in_any_order)
953 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
956 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
958 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
960 /* Should work just fine. */
961 EXPECT_EQ(parent, syscall(__NR_getppid));
963 EXPECT_EQ(-1, syscall(__NR_getpid));
966 #ifndef PTRACE_O_TRACESECCOMP
967 #define PTRACE_O_TRACESECCOMP 0x00000080
970 /* Catch the Ubuntu 12.04 value error. */
971 #if PTRACE_EVENT_SECCOMP != 7
972 #undef PTRACE_EVENT_SECCOMP
975 #ifndef PTRACE_EVENT_SECCOMP
976 #define PTRACE_EVENT_SECCOMP 7
979 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
981 void tracer_stop(int sig)
983 tracer_running = false;
986 typedef void tracer_func_t(struct __test_metadata *_metadata,
987 pid_t tracee, int status, void *args);
989 void tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
990 tracer_func_t tracer_func, void *args)
993 struct sigaction action = {
994 .sa_handler = tracer_stop,
997 /* Allow external shutdown. */
998 tracer_running = true;
999 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1002 while (ret == -1 && errno != EINVAL)
1003 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1005 kill(tracee, SIGKILL);
1007 /* Wait for attach stop */
1010 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, PTRACE_O_TRACESECCOMP);
1012 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1013 kill(tracee, SIGKILL);
1015 ptrace(PTRACE_CONT, tracee, NULL, 0);
1017 /* Unblock the tracee */
1018 ASSERT_EQ(1, write(fd, "A", 1));
1019 ASSERT_EQ(0, close(fd));
1021 /* Run until we're shut down. Must assert to stop execution. */
1022 while (tracer_running) {
1025 if (wait(&status) != tracee)
1027 if (WIFSIGNALED(status) || WIFEXITED(status))
1028 /* Child is dead. Time to go. */
1031 /* Make sure this is a seccomp event. */
1032 ASSERT_EQ(true, IS_SECCOMP_EVENT(status));
1034 tracer_func(_metadata, tracee, status, args);
1036 ret = ptrace(PTRACE_CONT, tracee, NULL, NULL);
1039 /* Directly report the status of our test harness results. */
1040 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1043 /* Common tracer setup/teardown functions. */
1044 void cont_handler(int num)
1046 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1047 tracer_func_t func, void *args)
1052 pid_t tracee = getpid();
1054 /* Setup a pipe for clean synchronization. */
1055 ASSERT_EQ(0, pipe(pipefd));
1057 /* Fork a child which we'll promote to tracer */
1058 tracer_pid = fork();
1059 ASSERT_LE(0, tracer_pid);
1060 signal(SIGALRM, cont_handler);
1061 if (tracer_pid == 0) {
1063 tracer(_metadata, pipefd[1], tracee, func, args);
1064 syscall(__NR_exit, 0);
1067 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1068 read(pipefd[0], &sync, 1);
1073 void teardown_trace_fixture(struct __test_metadata *_metadata,
1079 * Extract the exit code from the other process and
1080 * adopt it for ourselves in case its asserts failed.
1082 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1083 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1084 if (WEXITSTATUS(status))
1085 _metadata->passed = 0;
1089 /* "poke" tracer arguments and function. */
1090 struct tracer_args_poke_t {
1091 unsigned long poke_addr;
1094 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1099 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1101 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1103 /* If this fails, don't try to recover. */
1104 ASSERT_EQ(0x1001, msg) {
1105 kill(tracee, SIGKILL);
1108 * Poke in the message.
1109 * Registers are not touched to try to keep this relatively arch
1112 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1116 FIXTURE_DATA(TRACE_poke) {
1117 struct sock_fprog prog;
1120 struct tracer_args_poke_t tracer_args;
1123 FIXTURE_SETUP(TRACE_poke)
1125 struct sock_filter filter[] = {
1126 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1127 offsetof(struct seccomp_data, nr)),
1128 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1129 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1130 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1134 memset(&self->prog, 0, sizeof(self->prog));
1135 self->prog.filter = malloc(sizeof(filter));
1136 ASSERT_NE(NULL, self->prog.filter);
1137 memcpy(self->prog.filter, filter, sizeof(filter));
1138 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1140 /* Set up tracer args. */
1141 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1143 /* Launch tracer. */
1144 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1145 &self->tracer_args);
1148 FIXTURE_TEARDOWN(TRACE_poke)
1150 teardown_trace_fixture(_metadata, self->tracer);
1151 if (self->prog.filter)
1152 free(self->prog.filter);
1155 TEST_F(TRACE_poke, read_has_side_effects)
1159 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1162 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1165 EXPECT_EQ(0, self->poked);
1166 ret = read(-1, NULL, 0);
1168 EXPECT_EQ(0x1001, self->poked);
1171 TEST_F(TRACE_poke, getpid_runs_normally)
1175 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1178 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1181 EXPECT_EQ(0, self->poked);
1182 EXPECT_NE(0, syscall(__NR_getpid));
1183 EXPECT_EQ(0, self->poked);
1186 #if defined(__x86_64__)
1187 # define ARCH_REGS struct user_regs_struct
1188 # define SYSCALL_NUM orig_rax
1189 # define SYSCALL_RET rax
1190 #elif defined(__i386__)
1191 # define ARCH_REGS struct user_regs_struct
1192 # define SYSCALL_NUM orig_eax
1193 # define SYSCALL_RET eax
1194 #elif defined(__arm__)
1195 # define ARCH_REGS struct pt_regs
1196 # define SYSCALL_NUM ARM_r7
1197 # define SYSCALL_RET ARM_r0
1198 #elif defined(__aarch64__)
1199 # define ARCH_REGS struct user_pt_regs
1200 # define SYSCALL_NUM regs[8]
1201 # define SYSCALL_RET regs[0]
1203 # error "Do not know how to find your architecture's registers and syscalls"
1206 /* Architecture-specific syscall fetching routine. */
1207 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1212 iov.iov_base = ®s;
1213 iov.iov_len = sizeof(regs);
1214 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1215 TH_LOG("PTRACE_GETREGSET failed");
1219 return regs.SYSCALL_NUM;
1222 /* Architecture-specific syscall changing routine. */
1223 void change_syscall(struct __test_metadata *_metadata,
1224 pid_t tracee, int syscall)
1230 iov.iov_base = ®s;
1231 iov.iov_len = sizeof(regs);
1232 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1235 #if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__)
1237 regs.SYSCALL_NUM = syscall;
1240 #elif defined(__arm__)
1241 # ifndef PTRACE_SET_SYSCALL
1242 # define PTRACE_SET_SYSCALL 23
1245 ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall);
1251 TH_LOG("How is the syscall changed on this architecture?");
1255 /* If syscall is skipped, change return value. */
1257 regs.SYSCALL_RET = 1;
1259 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1263 void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
1264 int status, void *args)
1269 /* Make sure we got the right message. */
1270 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1275 /* change getpid to getppid. */
1276 change_syscall(_metadata, tracee, __NR_getppid);
1280 change_syscall(_metadata, tracee, -1);
1283 /* do nothing (allow getppid) */
1287 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1288 kill(tracee, SIGKILL);
1294 FIXTURE_DATA(TRACE_syscall) {
1295 struct sock_fprog prog;
1296 pid_t tracer, mytid, mypid, parent;
1299 FIXTURE_SETUP(TRACE_syscall)
1301 struct sock_filter filter[] = {
1302 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1303 offsetof(struct seccomp_data, nr)),
1304 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1305 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1306 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1307 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1308 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1309 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1310 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1313 memset(&self->prog, 0, sizeof(self->prog));
1314 self->prog.filter = malloc(sizeof(filter));
1315 ASSERT_NE(NULL, self->prog.filter);
1316 memcpy(self->prog.filter, filter, sizeof(filter));
1317 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1319 /* Prepare some testable syscall results. */
1320 self->mytid = syscall(__NR_gettid);
1321 ASSERT_GT(self->mytid, 0);
1322 ASSERT_NE(self->mytid, 1) {
1323 TH_LOG("Running this test as init is not supported. :)");
1326 self->mypid = getpid();
1327 ASSERT_GT(self->mypid, 0);
1328 ASSERT_EQ(self->mytid, self->mypid);
1330 self->parent = getppid();
1331 ASSERT_GT(self->parent, 0);
1332 ASSERT_NE(self->parent, self->mypid);
1334 /* Launch tracer. */
1335 self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL);
1338 FIXTURE_TEARDOWN(TRACE_syscall)
1340 teardown_trace_fixture(_metadata, self->tracer);
1341 if (self->prog.filter)
1342 free(self->prog.filter);
1345 TEST_F(TRACE_syscall, syscall_allowed)
1349 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1352 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1355 /* getppid works as expected (no changes). */
1356 EXPECT_EQ(self->parent, syscall(__NR_getppid));
1357 EXPECT_NE(self->mypid, syscall(__NR_getppid));
1360 TEST_F(TRACE_syscall, syscall_redirected)
1364 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1367 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1370 /* getpid has been redirected to getppid as expected. */
1371 EXPECT_EQ(self->parent, syscall(__NR_getpid));
1372 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1375 TEST_F(TRACE_syscall, syscall_dropped)
1379 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1382 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1385 /* gettid has been skipped and an altered return value stored. */
1386 EXPECT_EQ(1, syscall(__NR_gettid));
1387 EXPECT_NE(self->mytid, syscall(__NR_gettid));
1390 #ifndef __NR_seccomp
1391 # if defined(__i386__)
1392 # define __NR_seccomp 354
1393 # elif defined(__x86_64__)
1394 # define __NR_seccomp 317
1395 # elif defined(__arm__)
1396 # define __NR_seccomp 383
1397 # elif defined(__aarch64__)
1398 # define __NR_seccomp 277
1400 # warning "seccomp syscall number unknown for this architecture"
1401 # define __NR_seccomp 0xffff
1405 #ifndef SECCOMP_SET_MODE_STRICT
1406 #define SECCOMP_SET_MODE_STRICT 0
1409 #ifndef SECCOMP_SET_MODE_FILTER
1410 #define SECCOMP_SET_MODE_FILTER 1
1413 #ifndef SECCOMP_FLAG_FILTER_TSYNC
1414 #define SECCOMP_FLAG_FILTER_TSYNC 1
1418 int seccomp(unsigned int op, unsigned int flags, struct sock_fprog *filter)
1421 return syscall(__NR_seccomp, op, flags, filter);
1425 TEST(seccomp_syscall)
1427 struct sock_filter filter[] = {
1428 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1430 struct sock_fprog prog = {
1431 .len = (unsigned short)ARRAY_SIZE(filter),
1436 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1438 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1441 /* Reject insane operation. */
1442 ret = seccomp(-1, 0, &prog);
1443 EXPECT_EQ(EINVAL, errno) {
1444 TH_LOG("Did not reject crazy op value!");
1447 /* Reject strict with flags or pointer. */
1448 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
1449 EXPECT_EQ(EINVAL, errno) {
1450 TH_LOG("Did not reject mode strict with flags!");
1452 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
1453 EXPECT_EQ(EINVAL, errno) {
1454 TH_LOG("Did not reject mode strict with uargs!");
1457 /* Reject insane args for filter. */
1458 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
1459 EXPECT_EQ(EINVAL, errno) {
1460 TH_LOG("Did not reject crazy filter flags!");
1462 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
1463 EXPECT_EQ(EFAULT, errno) {
1464 TH_LOG("Did not reject NULL filter!");
1467 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1468 EXPECT_EQ(0, errno) {
1469 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
1474 TEST(seccomp_syscall_mode_lock)
1476 struct sock_filter filter[] = {
1477 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1479 struct sock_fprog prog = {
1480 .len = (unsigned short)ARRAY_SIZE(filter),
1485 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
1487 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1490 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1492 TH_LOG("Could not install filter!");
1495 /* Make sure neither entry point will switch to strict. */
1496 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
1497 EXPECT_EQ(EINVAL, errno) {
1498 TH_LOG("Switched to mode strict!");
1501 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
1502 EXPECT_EQ(EINVAL, errno) {
1503 TH_LOG("Switched to mode strict!");
1509 struct sock_filter filter[] = {
1510 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1512 struct sock_fprog prog = {
1513 .len = (unsigned short)ARRAY_SIZE(filter),
1518 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
1520 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1523 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1526 TH_LOG("Could not install initial filter with TSYNC!");
1530 #define TSYNC_SIBLINGS 2
1531 struct tsync_sibling {
1535 pthread_cond_t *cond;
1536 pthread_mutex_t *mutex;
1539 struct sock_fprog *prog;
1540 struct __test_metadata *metadata;
1543 FIXTURE_DATA(TSYNC) {
1544 struct sock_fprog root_prog, apply_prog;
1545 struct tsync_sibling sibling[TSYNC_SIBLINGS];
1547 pthread_cond_t cond;
1548 pthread_mutex_t mutex;
1552 FIXTURE_SETUP(TSYNC)
1554 struct sock_filter root_filter[] = {
1555 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1557 struct sock_filter apply_filter[] = {
1558 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1559 offsetof(struct seccomp_data, nr)),
1560 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1561 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1562 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1565 memset(&self->root_prog, 0, sizeof(self->root_prog));
1566 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
1567 memset(&self->sibling, 0, sizeof(self->sibling));
1568 self->root_prog.filter = malloc(sizeof(root_filter));
1569 ASSERT_NE(NULL, self->root_prog.filter);
1570 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
1571 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
1573 self->apply_prog.filter = malloc(sizeof(apply_filter));
1574 ASSERT_NE(NULL, self->apply_prog.filter);
1575 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
1576 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
1578 self->sibling_count = 0;
1579 pthread_mutex_init(&self->mutex, NULL);
1580 pthread_cond_init(&self->cond, NULL);
1581 sem_init(&self->started, 0, 0);
1582 self->sibling[0].tid = 0;
1583 self->sibling[0].cond = &self->cond;
1584 self->sibling[0].started = &self->started;
1585 self->sibling[0].mutex = &self->mutex;
1586 self->sibling[0].diverge = 0;
1587 self->sibling[0].num_waits = 1;
1588 self->sibling[0].prog = &self->root_prog;
1589 self->sibling[0].metadata = _metadata;
1590 self->sibling[1].tid = 0;
1591 self->sibling[1].cond = &self->cond;
1592 self->sibling[1].started = &self->started;
1593 self->sibling[1].mutex = &self->mutex;
1594 self->sibling[1].diverge = 0;
1595 self->sibling[1].prog = &self->root_prog;
1596 self->sibling[1].num_waits = 1;
1597 self->sibling[1].metadata = _metadata;
1600 FIXTURE_TEARDOWN(TSYNC)
1604 if (self->root_prog.filter)
1605 free(self->root_prog.filter);
1606 if (self->apply_prog.filter)
1607 free(self->apply_prog.filter);
1609 for ( ; sib < self->sibling_count; ++sib) {
1610 struct tsync_sibling *s = &self->sibling[sib];
1615 if (pthread_kill(s->tid, 0)) {
1616 pthread_cancel(s->tid);
1617 pthread_join(s->tid, &status);
1620 pthread_mutex_destroy(&self->mutex);
1621 pthread_cond_destroy(&self->cond);
1622 sem_destroy(&self->started);
1625 void *tsync_sibling(void *data)
1628 struct tsync_sibling *me = data;
1630 me->system_tid = syscall(__NR_gettid);
1632 pthread_mutex_lock(me->mutex);
1634 /* Just re-apply the root prog to fork the tree */
1635 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
1638 sem_post(me->started);
1639 /* Return outside of started so parent notices failures. */
1641 pthread_mutex_unlock(me->mutex);
1642 return (void *)SIBLING_EXIT_FAILURE;
1645 pthread_cond_wait(me->cond, me->mutex);
1646 me->num_waits = me->num_waits - 1;
1647 } while (me->num_waits);
1648 pthread_mutex_unlock(me->mutex);
1650 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
1652 return (void *)SIBLING_EXIT_NEWPRIVS;
1654 return (void *)SIBLING_EXIT_UNKILLED;
1657 void tsync_start_sibling(struct tsync_sibling *sibling)
1659 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
1662 TEST_F(TSYNC, siblings_fail_prctl)
1666 struct sock_filter filter[] = {
1667 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1668 offsetof(struct seccomp_data, nr)),
1669 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
1670 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
1671 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1673 struct sock_fprog prog = {
1674 .len = (unsigned short)ARRAY_SIZE(filter),
1678 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1679 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1682 /* Check prctl failure detection by requesting sib 0 diverge. */
1683 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1685 TH_LOG("setting filter failed");
1688 self->sibling[0].diverge = 1;
1689 tsync_start_sibling(&self->sibling[0]);
1690 tsync_start_sibling(&self->sibling[1]);
1692 while (self->sibling_count < TSYNC_SIBLINGS) {
1693 sem_wait(&self->started);
1694 self->sibling_count++;
1697 /* Signal the threads to clean up*/
1698 pthread_mutex_lock(&self->mutex);
1699 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1700 TH_LOG("cond broadcast non-zero");
1702 pthread_mutex_unlock(&self->mutex);
1704 /* Ensure diverging sibling failed to call prctl. */
1705 pthread_join(self->sibling[0].tid, &status);
1706 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
1707 pthread_join(self->sibling[1].tid, &status);
1708 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1711 TEST_F(TSYNC, two_siblings_with_ancestor)
1716 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1717 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1720 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
1722 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
1724 tsync_start_sibling(&self->sibling[0]);
1725 tsync_start_sibling(&self->sibling[1]);
1727 while (self->sibling_count < TSYNC_SIBLINGS) {
1728 sem_wait(&self->started);
1729 self->sibling_count++;
1732 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1735 TH_LOG("Could install filter on all threads!");
1737 /* Tell the siblings to test the policy */
1738 pthread_mutex_lock(&self->mutex);
1739 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1740 TH_LOG("cond broadcast non-zero");
1742 pthread_mutex_unlock(&self->mutex);
1743 /* Ensure they are both killed and don't exit cleanly. */
1744 pthread_join(self->sibling[0].tid, &status);
1745 EXPECT_EQ(0x0, (long)status);
1746 pthread_join(self->sibling[1].tid, &status);
1747 EXPECT_EQ(0x0, (long)status);
1750 TEST_F(TSYNC, two_sibling_want_nnp)
1754 /* start siblings before any prctl() operations */
1755 tsync_start_sibling(&self->sibling[0]);
1756 tsync_start_sibling(&self->sibling[1]);
1757 while (self->sibling_count < TSYNC_SIBLINGS) {
1758 sem_wait(&self->started);
1759 self->sibling_count++;
1762 /* Tell the siblings to test no policy */
1763 pthread_mutex_lock(&self->mutex);
1764 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1765 TH_LOG("cond broadcast non-zero");
1767 pthread_mutex_unlock(&self->mutex);
1769 /* Ensure they are both upset about lacking nnp. */
1770 pthread_join(self->sibling[0].tid, &status);
1771 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
1772 pthread_join(self->sibling[1].tid, &status);
1773 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
1776 TEST_F(TSYNC, two_siblings_with_no_filter)
1781 /* start siblings before any prctl() operations */
1782 tsync_start_sibling(&self->sibling[0]);
1783 tsync_start_sibling(&self->sibling[1]);
1784 while (self->sibling_count < TSYNC_SIBLINGS) {
1785 sem_wait(&self->started);
1786 self->sibling_count++;
1789 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1790 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1793 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1796 TH_LOG("Could install filter on all threads!");
1799 /* Tell the siblings to test the policy */
1800 pthread_mutex_lock(&self->mutex);
1801 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1802 TH_LOG("cond broadcast non-zero");
1804 pthread_mutex_unlock(&self->mutex);
1806 /* Ensure they are both killed and don't exit cleanly. */
1807 pthread_join(self->sibling[0].tid, &status);
1808 EXPECT_EQ(0x0, (long)status);
1809 pthread_join(self->sibling[1].tid, &status);
1810 EXPECT_EQ(0x0, (long)status);
1813 TEST_F(TSYNC, two_siblings_with_one_divergence)
1818 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1819 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1822 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
1824 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
1826 self->sibling[0].diverge = 1;
1827 tsync_start_sibling(&self->sibling[0]);
1828 tsync_start_sibling(&self->sibling[1]);
1830 while (self->sibling_count < TSYNC_SIBLINGS) {
1831 sem_wait(&self->started);
1832 self->sibling_count++;
1835 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1837 ASSERT_EQ(self->sibling[0].system_tid, ret) {
1838 TH_LOG("Did not fail on diverged sibling.");
1841 /* Wake the threads */
1842 pthread_mutex_lock(&self->mutex);
1843 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1844 TH_LOG("cond broadcast non-zero");
1846 pthread_mutex_unlock(&self->mutex);
1848 /* Ensure they are both unkilled. */
1849 pthread_join(self->sibling[0].tid, &status);
1850 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1851 pthread_join(self->sibling[1].tid, &status);
1852 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1855 TEST_F(TSYNC, two_siblings_not_under_filter)
1860 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1861 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1865 * Sibling 0 will have its own seccomp policy
1866 * and Sibling 1 will not be under seccomp at
1867 * all. Sibling 1 will enter seccomp and 0
1868 * will cause failure.
1870 self->sibling[0].diverge = 1;
1871 tsync_start_sibling(&self->sibling[0]);
1872 tsync_start_sibling(&self->sibling[1]);
1874 while (self->sibling_count < TSYNC_SIBLINGS) {
1875 sem_wait(&self->started);
1876 self->sibling_count++;
1879 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
1881 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
1884 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1886 ASSERT_EQ(ret, self->sibling[0].system_tid) {
1887 TH_LOG("Did not fail on diverged sibling.");
1890 if (ret == self->sibling[0].system_tid)
1893 pthread_mutex_lock(&self->mutex);
1895 /* Increment the other siblings num_waits so we can clean up
1896 * the one we just saw.
1898 self->sibling[!sib].num_waits += 1;
1900 /* Signal the thread to clean up*/
1901 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1902 TH_LOG("cond broadcast non-zero");
1904 pthread_mutex_unlock(&self->mutex);
1905 pthread_join(self->sibling[sib].tid, &status);
1906 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
1907 /* Poll for actual task death. pthread_join doesn't guarantee it. */
1908 while (!kill(self->sibling[sib].system_tid, 0))
1910 /* Switch to the remaining sibling */
1913 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1916 TH_LOG("Expected the remaining sibling to sync");
1919 pthread_mutex_lock(&self->mutex);
1921 /* If remaining sibling didn't have a chance to wake up during
1922 * the first broadcast, manually reduce the num_waits now.
1924 if (self->sibling[sib].num_waits > 1)
1925 self->sibling[sib].num_waits = 1;
1926 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
1927 TH_LOG("cond broadcast non-zero");
1929 pthread_mutex_unlock(&self->mutex);
1930 pthread_join(self->sibling[sib].tid, &status);
1931 EXPECT_EQ(0, (long)status);
1932 /* Poll for actual task death. pthread_join doesn't guarantee it. */
1933 while (!kill(self->sibling[sib].system_tid, 0))
1936 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
1938 ASSERT_EQ(0, ret); /* just us chickens */
1941 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
1942 TEST(syscall_restart)
1949 siginfo_t info = { };
1950 struct sock_filter filter[] = {
1951 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1952 offsetof(struct seccomp_data, nr)),
1954 #ifdef __NR_sigreturn
1955 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 6, 0),
1957 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 5, 0),
1958 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 4, 0),
1959 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 3, 0),
1960 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_poll, 4, 0),
1961 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
1963 /* Allow __NR_write for easy logging. */
1964 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
1965 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1966 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1967 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100), /* poll */
1968 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200), /* restart */
1970 struct sock_fprog prog = {
1971 .len = (unsigned short)ARRAY_SIZE(filter),
1975 ASSERT_EQ(0, pipe(pipefd));
1978 ASSERT_LE(0, child_pid);
1979 if (child_pid == 0) {
1980 /* Child uses EXPECT not ASSERT to deliver status correctly. */
1982 struct pollfd fds = {
1987 /* Attach parent as tracer and stop. */
1988 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
1989 EXPECT_EQ(0, raise(SIGSTOP));
1991 EXPECT_EQ(0, close(pipefd[1]));
1993 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1994 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1997 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1999 TH_LOG("Failed to install filter!");
2002 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2003 TH_LOG("Failed to read() sync from parent");
2005 EXPECT_EQ('.', buf) {
2006 TH_LOG("Failed to get sync data from read()");
2009 /* Start poll to be interrupted. */
2011 EXPECT_EQ(1, poll(&fds, 1, -1)) {
2012 TH_LOG("Call to poll() failed (errno %d)", errno);
2015 /* Read final sync from parent. */
2016 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2017 TH_LOG("Failed final read() from parent");
2019 EXPECT_EQ('!', buf) {
2020 TH_LOG("Failed to get final data from read()");
2023 /* Directly report the status of our test harness results. */
2024 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
2027 EXPECT_EQ(0, close(pipefd[0]));
2029 /* Attach to child, setup options, and release. */
2030 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2031 ASSERT_EQ(true, WIFSTOPPED(status));
2032 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
2033 PTRACE_O_TRACESECCOMP));
2034 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2035 ASSERT_EQ(1, write(pipefd[1], ".", 1));
2037 /* Wait for poll() to start. */
2038 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2039 ASSERT_EQ(true, WIFSTOPPED(status));
2040 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2041 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2042 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2043 ASSERT_EQ(0x100, msg);
2044 EXPECT_EQ(__NR_poll, get_syscall(_metadata, child_pid));
2046 /* Might as well check siginfo for sanity while we're here. */
2047 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2048 ASSERT_EQ(SIGTRAP, info.si_signo);
2049 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
2050 EXPECT_EQ(0, info.si_errno);
2051 EXPECT_EQ(getuid(), info.si_uid);
2052 /* Verify signal delivery came from child (seccomp-triggered). */
2053 EXPECT_EQ(child_pid, info.si_pid);
2055 /* Interrupt poll with SIGSTOP (which we'll need to handle). */
2056 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
2057 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2058 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2059 ASSERT_EQ(true, WIFSTOPPED(status));
2060 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
2061 /* Verify signal delivery came from parent now. */
2062 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2063 EXPECT_EQ(getpid(), info.si_pid);
2065 /* Restart poll with SIGCONT, which triggers restart_syscall. */
2066 ASSERT_EQ(0, kill(child_pid, SIGCONT));
2067 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2068 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2069 ASSERT_EQ(true, WIFSTOPPED(status));
2070 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
2071 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2073 /* Wait for restart_syscall() to start. */
2074 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2075 ASSERT_EQ(true, WIFSTOPPED(status));
2076 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2077 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2078 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2079 ASSERT_EQ(0x200, msg);
2080 ret = get_syscall(_metadata, child_pid);
2081 #if defined(__arm__)
2082 /* FIXME: ARM does not expose true syscall in registers. */
2083 EXPECT_EQ(__NR_poll, ret);
2085 EXPECT_EQ(__NR_restart_syscall, ret);
2088 /* Write again to end poll. */
2089 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2090 ASSERT_EQ(1, write(pipefd[1], "!", 1));
2091 EXPECT_EQ(0, close(pipefd[1]));
2093 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2094 if (WIFSIGNALED(status) || WEXITSTATUS(status))
2095 _metadata->passed = 0;
2100 * - add microbenchmarks
2101 * - expand NNP testing
2102 * - better arch-specific TRACE and TRAP handlers.
2103 * - endianness checking when appropriate
2104 * - 64-bit arg prodding
2105 * - arch value testing (x86 modes especially)
projects / linux-2.6-microblaze.git / blob