projects / linux-2.6-microblaze.git / blob
? search:


e4b2b9468ff9203c01d3566e9929e34f92f909ba
[linux-2.6-microblaze.git] / tools / testing / selftests / seccomp / seccomp_bpf.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
4  *
5  * Test code for seccomp bpf.
6  */
7
8 #define _GNU_SOURCE
9 #include <sys/types.h>
10
11 /*
12  * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
13  * we need to use the kernel's siginfo.h file and trick glibc
14  * into accepting it.
15  */
16 #if !__GLIBC_PREREQ(2, 26)
17 # include <asm/siginfo.h>
18 # define __have_siginfo_t 1
19 # define __have_sigval_t 1
20 # define __have_sigevent_t 1
21 #endif
22
23 #include <errno.h>
24 #include <linux/filter.h>
25 #include <sys/prctl.h>
26 #include <sys/ptrace.h>
27 #include <sys/user.h>
28 #include <linux/prctl.h>
29 #include <linux/ptrace.h>
30 #include <linux/seccomp.h>
31 #include <pthread.h>
32 #include <semaphore.h>
33 #include <signal.h>
34 #include <stddef.h>
35 #include <stdbool.h>
36 #include <string.h>
37 #include <time.h>
38 #include <limits.h>
39 #include <linux/elf.h>
40 #include <sys/uio.h>
41 #include <sys/utsname.h>
42 #include <sys/fcntl.h>
43 #include <sys/mman.h>
44 #include <sys/times.h>
45 #include <sys/socket.h>
46 #include <sys/ioctl.h>
47 #include <linux/kcmp.h>
48 #include <sys/resource.h>
49
50 #include <unistd.h>
51 #include <sys/syscall.h>
52 #include <poll.h>
53
54 #include "../kselftest_harness.h"
55 #include "../clone3/clone3_selftests.h"
56
57 /* Attempt to de-conflict with the selftests tree. */
58 #ifndef SKIP
59 #define SKIP(s, ...)    XFAIL(s, ##__VA_ARGS__)
60 #endif
61
62 #ifndef PR_SET_PTRACER
63 # define PR_SET_PTRACER 0x59616d61
64 #endif
65
66 #ifndef PR_SET_NO_NEW_PRIVS
67 #define PR_SET_NO_NEW_PRIVS 38
68 #define PR_GET_NO_NEW_PRIVS 39
69 #endif
70
71 #ifndef PR_SECCOMP_EXT
72 #define PR_SECCOMP_EXT 43
73 #endif
74
75 #ifndef SECCOMP_EXT_ACT
76 #define SECCOMP_EXT_ACT 1
77 #endif
78
79 #ifndef SECCOMP_EXT_ACT_TSYNC
80 #define SECCOMP_EXT_ACT_TSYNC 1
81 #endif
82
83 #ifndef SECCOMP_MODE_STRICT
84 #define SECCOMP_MODE_STRICT 1
85 #endif
86
87 #ifndef SECCOMP_MODE_FILTER
88 #define SECCOMP_MODE_FILTER 2
89 #endif
90
91 #ifndef SECCOMP_RET_ALLOW
92 struct seccomp_data {
93         int nr;
94         __u32 arch;
95         __u64 instruction_pointer;
96         __u64 args[6];
97 };
98 #endif
99
100 #ifndef SECCOMP_RET_KILL_PROCESS
101 #define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
102 #define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
103 #endif
104 #ifndef SECCOMP_RET_KILL
105 #define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
106 #define SECCOMP_RET_TRAP         0x00030000U /* disallow and force a SIGSYS */
107 #define SECCOMP_RET_ERRNO        0x00050000U /* returns an errno */
108 #define SECCOMP_RET_TRACE        0x7ff00000U /* pass to a tracer or disallow */
109 #define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
110 #endif
111 #ifndef SECCOMP_RET_LOG
112 #define SECCOMP_RET_LOG          0x7ffc0000U /* allow after logging */
113 #endif
114
115 #ifndef __NR_seccomp
116 # if defined(__i386__)
117 #  define __NR_seccomp 354
118 # elif defined(__x86_64__)
119 #  define __NR_seccomp 317
120 # elif defined(__arm__)
121 #  define __NR_seccomp 383
122 # elif defined(__aarch64__)
123 #  define __NR_seccomp 277
124 # elif defined(__riscv)
125 #  define __NR_seccomp 277
126 # elif defined(__csky__)
127 #  define __NR_seccomp 277
128 # elif defined(__hppa__)
129 #  define __NR_seccomp 338
130 # elif defined(__powerpc__)
131 #  define __NR_seccomp 358
132 # elif defined(__s390__)
133 #  define __NR_seccomp 348
134 # elif defined(__xtensa__)
135 #  define __NR_seccomp 337
136 # elif defined(__sh__)
137 #  define __NR_seccomp 372
138 # else
139 #  warning "seccomp syscall number unknown for this architecture"
140 #  define __NR_seccomp 0xffff
141 # endif
142 #endif
143
144 #ifndef SECCOMP_SET_MODE_STRICT
145 #define SECCOMP_SET_MODE_STRICT 0
146 #endif
147
148 #ifndef SECCOMP_SET_MODE_FILTER
149 #define SECCOMP_SET_MODE_FILTER 1
150 #endif
151
152 #ifndef SECCOMP_GET_ACTION_AVAIL
153 #define SECCOMP_GET_ACTION_AVAIL 2
154 #endif
155
156 #ifndef SECCOMP_GET_NOTIF_SIZES
157 #define SECCOMP_GET_NOTIF_SIZES 3
158 #endif
159
160 #ifndef SECCOMP_FILTER_FLAG_TSYNC
161 #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
162 #endif
163
164 #ifndef SECCOMP_FILTER_FLAG_LOG
165 #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
166 #endif
167
168 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
169 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
170 #endif
171
172 #ifndef PTRACE_SECCOMP_GET_METADATA
173 #define PTRACE_SECCOMP_GET_METADATA     0x420d
174
175 struct seccomp_metadata {
176         __u64 filter_off;       /* Input: which filter */
177         __u64 flags;             /* Output: filter's flags */
178 };
179 #endif
180
181 #ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
182 #define SECCOMP_FILTER_FLAG_NEW_LISTENER        (1UL << 3)
183 #endif
184
185 #ifndef SECCOMP_RET_USER_NOTIF
186 #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
187
188 #define SECCOMP_IOC_MAGIC               '!'
189 #define SECCOMP_IO(nr)                  _IO(SECCOMP_IOC_MAGIC, nr)
190 #define SECCOMP_IOR(nr, type)           _IOR(SECCOMP_IOC_MAGIC, nr, type)
191 #define SECCOMP_IOW(nr, type)           _IOW(SECCOMP_IOC_MAGIC, nr, type)
192 #define SECCOMP_IOWR(nr, type)          _IOWR(SECCOMP_IOC_MAGIC, nr, type)
193
194 /* Flags for seccomp notification fd ioctl. */
195 #define SECCOMP_IOCTL_NOTIF_RECV        SECCOMP_IOWR(0, struct seccomp_notif)
196 #define SECCOMP_IOCTL_NOTIF_SEND        SECCOMP_IOWR(1, \
197                                                 struct seccomp_notif_resp)
198 #define SECCOMP_IOCTL_NOTIF_ID_VALID    SECCOMP_IOW(2, __u64)
199
200 struct seccomp_notif {
201         __u64 id;
202         __u32 pid;
203         __u32 flags;
204         struct seccomp_data data;
205 };
206
207 struct seccomp_notif_resp {
208         __u64 id;
209         __s64 val;
210         __s32 error;
211         __u32 flags;
212 };
213
214 struct seccomp_notif_sizes {
215         __u16 seccomp_notif;
216         __u16 seccomp_notif_resp;
217         __u16 seccomp_data;
218 };
219 #endif
220
221 #ifndef SECCOMP_IOCTL_NOTIF_ADDFD
222 /* On success, the return value is the remote process's added fd number */
223 #define SECCOMP_IOCTL_NOTIF_ADDFD       SECCOMP_IOW(3,  \
224                                                 struct seccomp_notif_addfd)
225
226 /* valid flags for seccomp_notif_addfd */
227 #define SECCOMP_ADDFD_FLAG_SETFD        (1UL << 0) /* Specify remote fd */
228
229 struct seccomp_notif_addfd {
230         __u64 id;
231         __u32 flags;
232         __u32 srcfd;
233         __u32 newfd;
234         __u32 newfd_flags;
235 };
236 #endif
237
238 struct seccomp_notif_addfd_small {
239         __u64 id;
240         char weird[4];
241 };
242 #define SECCOMP_IOCTL_NOTIF_ADDFD_SMALL \
243         SECCOMP_IOW(3, struct seccomp_notif_addfd_small)
244
245 struct seccomp_notif_addfd_big {
246         union {
247                 struct seccomp_notif_addfd addfd;
248                 char buf[sizeof(struct seccomp_notif_addfd) + 8];
249         };
250 };
251 #define SECCOMP_IOCTL_NOTIF_ADDFD_BIG   \
252         SECCOMP_IOWR(3, struct seccomp_notif_addfd_big)
253
254 #ifndef PTRACE_EVENTMSG_SYSCALL_ENTRY
255 #define PTRACE_EVENTMSG_SYSCALL_ENTRY   1
256 #define PTRACE_EVENTMSG_SYSCALL_EXIT    2
257 #endif
258
259 #ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
260 #define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
261 #endif
262
263 #ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
264 #define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
265 #endif
266
267 #ifndef seccomp
268 int seccomp(unsigned int op, unsigned int flags, void *args)
269 {
270         errno = 0;
271         return syscall(__NR_seccomp, op, flags, args);
272 }
273 #endif
274
275 #if __BYTE_ORDER == __LITTLE_ENDIAN
276 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
277 #elif __BYTE_ORDER == __BIG_ENDIAN
278 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32))
279 #else
280 #error "wut? Unknown __BYTE_ORDER?!"
281 #endif
282
283 #define SIBLING_EXIT_UNKILLED   0xbadbeef
284 #define SIBLING_EXIT_FAILURE    0xbadface
285 #define SIBLING_EXIT_NEWPRIVS   0xbadfeed
286
287 static int __filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
288 {
289 #ifdef __NR_kcmp
290         errno = 0;
291         return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
292 #else
293         errno = ENOSYS;
294         return -1;
295 #endif
296 }
297
298 /* Have TH_LOG report actual location filecmp() is used. */
299 #define filecmp(pid1, pid2, fd1, fd2)   ({              \
300         int _ret;                                       \
301                                                         \
302         _ret = __filecmp(pid1, pid2, fd1, fd2);         \
303         if (_ret != 0) {                                \
304                 if (_ret < 0 && errno == ENOSYS) {      \
305                         TH_LOG("kcmp() syscall missing (test is less accurate)");\
306                         _ret = 0;                       \
307                 }                                       \
308         }                                               \
309         _ret; })
310
311 TEST(kcmp)
312 {
313         int ret;
314
315         ret = __filecmp(getpid(), getpid(), 1, 1);
316         EXPECT_EQ(ret, 0);
317         if (ret != 0 && errno == ENOSYS)
318                 SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)");
319 }
320
321 TEST(mode_strict_support)
322 {
323         long ret;
324
325         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
326         ASSERT_EQ(0, ret) {
327                 TH_LOG("Kernel does not support CONFIG_SECCOMP");
328         }
329         syscall(__NR_exit, 0);
330 }
331
332 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
333 {
334         long ret;
335
336         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
337         ASSERT_EQ(0, ret) {
338                 TH_LOG("Kernel does not support CONFIG_SECCOMP");
339         }
340         syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
341                 NULL, NULL, NULL);
342         EXPECT_FALSE(true) {
343                 TH_LOG("Unreachable!");
344         }
345 }
346
347 /* Note! This doesn't test no new privs behavior */
348 TEST(no_new_privs_support)
349 {
350         long ret;
351
352         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
353         EXPECT_EQ(0, ret) {
354                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
355         }
356 }
357
358 /* Tests kernel support by checking for a copy_from_user() fault on NULL. */
359 TEST(mode_filter_support)
360 {
361         long ret;
362
363         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
364         ASSERT_EQ(0, ret) {
365                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
366         }
367         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
368         EXPECT_EQ(-1, ret);
369         EXPECT_EQ(EFAULT, errno) {
370                 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
371         }
372 }
373
374 TEST(mode_filter_without_nnp)
375 {
376         struct sock_filter filter[] = {
377                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
378         };
379         struct sock_fprog prog = {
380                 .len = (unsigned short)ARRAY_SIZE(filter),
381                 .filter = filter,
382         };
383         long ret;
384
385         ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
386         ASSERT_LE(0, ret) {
387                 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
388         }
389         errno = 0;
390         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
391         /* Succeeds with CAP_SYS_ADMIN, fails without */
392         /* TODO(wad) check caps not euid */
393         if (geteuid()) {
394                 EXPECT_EQ(-1, ret);
395                 EXPECT_EQ(EACCES, errno);
396         } else {
397                 EXPECT_EQ(0, ret);
398         }
399 }
400
401 #define MAX_INSNS_PER_PATH 32768
402
403 TEST(filter_size_limits)
404 {
405         int i;
406         int count = BPF_MAXINSNS + 1;
407         struct sock_filter allow[] = {
408                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
409         };
410         struct sock_filter *filter;
411         struct sock_fprog prog = { };
412         long ret;
413
414         filter = calloc(count, sizeof(*filter));
415         ASSERT_NE(NULL, filter);
416
417         for (i = 0; i < count; i++)
418                 filter[i] = allow[0];
419
420         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
421         ASSERT_EQ(0, ret);
422
423         prog.filter = filter;
424         prog.len = count;
425
426         /* Too many filter instructions in a single filter. */
427         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
428         ASSERT_NE(0, ret) {
429                 TH_LOG("Installing %d insn filter was allowed", prog.len);
430         }
431
432         /* One less is okay, though. */
433         prog.len -= 1;
434         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
435         ASSERT_EQ(0, ret) {
436                 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
437         }
438 }
439
440 TEST(filter_chain_limits)
441 {
442         int i;
443         int count = BPF_MAXINSNS;
444         struct sock_filter allow[] = {
445                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
446         };
447         struct sock_filter *filter;
448         struct sock_fprog prog = { };
449         long ret;
450
451         filter = calloc(count, sizeof(*filter));
452         ASSERT_NE(NULL, filter);
453
454         for (i = 0; i < count; i++)
455                 filter[i] = allow[0];
456
457         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
458         ASSERT_EQ(0, ret);
459
460         prog.filter = filter;
461         prog.len = 1;
462
463         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
464         ASSERT_EQ(0, ret);
465
466         prog.len = count;
467
468         /* Too many total filter instructions. */
469         for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
470                 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
471                 if (ret != 0)
472                         break;
473         }
474         ASSERT_NE(0, ret) {
475                 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
476                        i, count, i * (count + 4));
477         }
478 }
479
480 TEST(mode_filter_cannot_move_to_strict)
481 {
482         struct sock_filter filter[] = {
483                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
484         };
485         struct sock_fprog prog = {
486                 .len = (unsigned short)ARRAY_SIZE(filter),
487                 .filter = filter,
488         };
489         long ret;
490
491         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
492         ASSERT_EQ(0, ret);
493
494         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
495         ASSERT_EQ(0, ret);
496
497         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
498         EXPECT_EQ(-1, ret);
499         EXPECT_EQ(EINVAL, errno);
500 }
501
502
503 TEST(mode_filter_get_seccomp)
504 {
505         struct sock_filter filter[] = {
506                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
507         };
508         struct sock_fprog prog = {
509                 .len = (unsigned short)ARRAY_SIZE(filter),
510                 .filter = filter,
511         };
512         long ret;
513
514         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
515         ASSERT_EQ(0, ret);
516
517         ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
518         EXPECT_EQ(0, ret);
519
520         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
521         ASSERT_EQ(0, ret);
522
523         ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
524         EXPECT_EQ(2, ret);
525 }
526
527
528 TEST(ALLOW_all)
529 {
530         struct sock_filter filter[] = {
531                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
532         };
533         struct sock_fprog prog = {
534                 .len = (unsigned short)ARRAY_SIZE(filter),
535                 .filter = filter,
536         };
537         long ret;
538
539         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
540         ASSERT_EQ(0, ret);
541
542         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
543         ASSERT_EQ(0, ret);
544 }
545
546 TEST(empty_prog)
547 {
548         struct sock_filter filter[] = {
549         };
550         struct sock_fprog prog = {
551                 .len = (unsigned short)ARRAY_SIZE(filter),
552                 .filter = filter,
553         };
554         long ret;
555
556         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
557         ASSERT_EQ(0, ret);
558
559         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
560         EXPECT_EQ(-1, ret);
561         EXPECT_EQ(EINVAL, errno);
562 }
563
564 TEST(log_all)
565 {
566         struct sock_filter filter[] = {
567                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
568         };
569         struct sock_fprog prog = {
570                 .len = (unsigned short)ARRAY_SIZE(filter),
571                 .filter = filter,
572         };
573         long ret;
574         pid_t parent = getppid();
575
576         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
577         ASSERT_EQ(0, ret);
578
579         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
580         ASSERT_EQ(0, ret);
581
582         /* getppid() should succeed and be logged (no check for logging) */
583         EXPECT_EQ(parent, syscall(__NR_getppid));
584 }
585
586 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
587 {
588         struct sock_filter filter[] = {
589                 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
590         };
591         struct sock_fprog prog = {
592                 .len = (unsigned short)ARRAY_SIZE(filter),
593                 .filter = filter,
594         };
595         long ret;
596
597         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
598         ASSERT_EQ(0, ret);
599
600         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
601         ASSERT_EQ(0, ret);
602         EXPECT_EQ(0, syscall(__NR_getpid)) {
603                 TH_LOG("getpid() shouldn't ever return");
604         }
605 }
606
607 /* return code >= 0x80000000 is unused. */
608 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
609 {
610         struct sock_filter filter[] = {
611                 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
612         };
613         struct sock_fprog prog = {
614                 .len = (unsigned short)ARRAY_SIZE(filter),
615                 .filter = filter,
616         };
617         long ret;
618
619         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
620         ASSERT_EQ(0, ret);
621
622         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
623         ASSERT_EQ(0, ret);
624         EXPECT_EQ(0, syscall(__NR_getpid)) {
625                 TH_LOG("getpid() shouldn't ever return");
626         }
627 }
628
629 TEST_SIGNAL(KILL_all, SIGSYS)
630 {
631         struct sock_filter filter[] = {
632                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
633         };
634         struct sock_fprog prog = {
635                 .len = (unsigned short)ARRAY_SIZE(filter),
636                 .filter = filter,
637         };
638         long ret;
639
640         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
641         ASSERT_EQ(0, ret);
642
643         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
644         ASSERT_EQ(0, ret);
645 }
646
647 TEST_SIGNAL(KILL_one, SIGSYS)
648 {
649         struct sock_filter filter[] = {
650                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
651                         offsetof(struct seccomp_data, nr)),
652                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
653                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
654                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
655         };
656         struct sock_fprog prog = {
657                 .len = (unsigned short)ARRAY_SIZE(filter),
658                 .filter = filter,
659         };
660         long ret;
661         pid_t parent = getppid();
662
663         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
664         ASSERT_EQ(0, ret);
665
666         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
667         ASSERT_EQ(0, ret);
668
669         EXPECT_EQ(parent, syscall(__NR_getppid));
670         /* getpid() should never return. */
671         EXPECT_EQ(0, syscall(__NR_getpid));
672 }
673
674 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
675 {
676         void *fatal_address;
677         struct sock_filter filter[] = {
678                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
679                         offsetof(struct seccomp_data, nr)),
680                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0),
681                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
682                 /* Only both with lower 32-bit for now. */
683                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
684                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K,
685                         (unsigned long)&fatal_address, 0, 1),
686                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
687                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
688         };
689         struct sock_fprog prog = {
690                 .len = (unsigned short)ARRAY_SIZE(filter),
691                 .filter = filter,
692         };
693         long ret;
694         pid_t parent = getppid();
695         struct tms timebuf;
696         clock_t clock = times(&timebuf);
697
698         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
699         ASSERT_EQ(0, ret);
700
701         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
702         ASSERT_EQ(0, ret);
703
704         EXPECT_EQ(parent, syscall(__NR_getppid));
705         EXPECT_LE(clock, syscall(__NR_times, &timebuf));
706         /* times() should never return. */
707         EXPECT_EQ(0, syscall(__NR_times, &fatal_address));
708 }
709
710 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
711 {
712 #ifndef __NR_mmap2
713         int sysno = __NR_mmap;
714 #else
715         int sysno = __NR_mmap2;
716 #endif
717         struct sock_filter filter[] = {
718                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
719                         offsetof(struct seccomp_data, nr)),
720                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0),
721                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
722                 /* Only both with lower 32-bit for now. */
723                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
724                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
725                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
726                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
727         };
728         struct sock_fprog prog = {
729                 .len = (unsigned short)ARRAY_SIZE(filter),
730                 .filter = filter,
731         };
732         long ret;
733         pid_t parent = getppid();
734         int fd;
735         void *map1, *map2;
736         int page_size = sysconf(_SC_PAGESIZE);
737
738         ASSERT_LT(0, page_size);
739
740         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
741         ASSERT_EQ(0, ret);
742
743         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
744         ASSERT_EQ(0, ret);
745
746         fd = open("/dev/zero", O_RDONLY);
747         ASSERT_NE(-1, fd);
748
749         EXPECT_EQ(parent, syscall(__NR_getppid));
750         map1 = (void *)syscall(sysno,
751                 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size);
752         EXPECT_NE(MAP_FAILED, map1);
753         /* mmap2() should never return. */
754         map2 = (void *)syscall(sysno,
755                  NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE);
756         EXPECT_EQ(MAP_FAILED, map2);
757
758         /* The test failed, so clean up the resources. */
759         munmap(map1, page_size);
760         munmap(map2, page_size);
761         close(fd);
762 }
763
764 /* This is a thread task to die via seccomp filter violation. */
765 void *kill_thread(void *data)
766 {
767         bool die = (bool)data;
768
769         if (die) {
770                 prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
771                 return (void *)SIBLING_EXIT_FAILURE;
772         }
773
774         return (void *)SIBLING_EXIT_UNKILLED;
775 }
776
777 enum kill_t {
778         KILL_THREAD,
779         KILL_PROCESS,
780         RET_UNKNOWN
781 };
782
783 /* Prepare a thread that will kill itself or both of us. */
784 void kill_thread_or_group(struct __test_metadata *_metadata,
785                           enum kill_t kill_how)
786 {
787         pthread_t thread;
788         void *status;
789         /* Kill only when calling __NR_prctl. */
790         struct sock_filter filter_thread[] = {
791                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
792                         offsetof(struct seccomp_data, nr)),
793                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
794                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD),
795                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
796         };
797         struct sock_fprog prog_thread = {
798                 .len = (unsigned short)ARRAY_SIZE(filter_thread),
799                 .filter = filter_thread,
800         };
801         int kill = kill_how == KILL_PROCESS ? SECCOMP_RET_KILL_PROCESS : 0xAAAAAAAAA;
802         struct sock_filter filter_process[] = {
803                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
804                         offsetof(struct seccomp_data, nr)),
805                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
806                 BPF_STMT(BPF_RET|BPF_K, kill),
807                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
808         };
809         struct sock_fprog prog_process = {
810                 .len = (unsigned short)ARRAY_SIZE(filter_process),
811                 .filter = filter_process,
812         };
813
814         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
815                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
816         }
817
818         ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0,
819                              kill_how == KILL_THREAD ? &prog_thread
820                                                      : &prog_process));
821
822         /*
823          * Add the KILL_THREAD rule again to make sure that the KILL_PROCESS
824          * flag cannot be downgraded by a new filter.
825          */
826         if (kill_how == KILL_PROCESS)
827                 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread));
828
829         /* Start a thread that will exit immediately. */
830         ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)false));
831         ASSERT_EQ(0, pthread_join(thread, &status));
832         ASSERT_EQ(SIBLING_EXIT_UNKILLED, (unsigned long)status);
833
834         /* Start a thread that will die immediately. */
835         ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)true));
836         ASSERT_EQ(0, pthread_join(thread, &status));
837         ASSERT_NE(SIBLING_EXIT_FAILURE, (unsigned long)status);
838
839         /*
840          * If we get here, only the spawned thread died. Let the parent know
841          * the whole process didn't die (i.e. this thread, the spawner,
842          * stayed running).
843          */
844         exit(42);
845 }
846
847 TEST(KILL_thread)
848 {
849         int status;
850         pid_t child_pid;
851
852         child_pid = fork();
853         ASSERT_LE(0, child_pid);
854         if (child_pid == 0) {
855                 kill_thread_or_group(_metadata, KILL_THREAD);
856                 _exit(38);
857         }
858
859         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
860
861         /* If only the thread was killed, we'll see exit 42. */
862         ASSERT_TRUE(WIFEXITED(status));
863         ASSERT_EQ(42, WEXITSTATUS(status));
864 }
865
866 TEST(KILL_process)
867 {
868         int status;
869         pid_t child_pid;
870
871         child_pid = fork();
872         ASSERT_LE(0, child_pid);
873         if (child_pid == 0) {
874                 kill_thread_or_group(_metadata, KILL_PROCESS);
875                 _exit(38);
876         }
877
878         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
879
880         /* If the entire process was killed, we'll see SIGSYS. */
881         ASSERT_TRUE(WIFSIGNALED(status));
882         ASSERT_EQ(SIGSYS, WTERMSIG(status));
883 }
884
885 TEST(KILL_unknown)
886 {
887         int status;
888         pid_t child_pid;
889
890         child_pid = fork();
891         ASSERT_LE(0, child_pid);
892         if (child_pid == 0) {
893                 kill_thread_or_group(_metadata, RET_UNKNOWN);
894                 _exit(38);
895         }
896
897         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
898
899         /* If the entire process was killed, we'll see SIGSYS. */
900         EXPECT_TRUE(WIFSIGNALED(status)) {
901                 TH_LOG("Unknown SECCOMP_RET is only killing the thread?");
902         }
903         ASSERT_EQ(SIGSYS, WTERMSIG(status));
904 }
905
906 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
907 TEST(arg_out_of_range)
908 {
909         struct sock_filter filter[] = {
910                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
911                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
912         };
913         struct sock_fprog prog = {
914                 .len = (unsigned short)ARRAY_SIZE(filter),
915                 .filter = filter,
916         };
917         long ret;
918
919         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
920         ASSERT_EQ(0, ret);
921
922         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
923         EXPECT_EQ(-1, ret);
924         EXPECT_EQ(EINVAL, errno);
925 }
926
927 #define ERRNO_FILTER(name, errno)                                       \
928         struct sock_filter _read_filter_##name[] = {                    \
929                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,                          \
930                         offsetof(struct seccomp_data, nr)),             \
931                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),       \
932                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno),     \
933                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),             \
934         };                                                              \
935         struct sock_fprog prog_##name = {                               \
936                 .len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \
937                 .filter = _read_filter_##name,                          \
938         }
939
940 /* Make sure basic errno values are correctly passed through a filter. */
941 TEST(ERRNO_valid)
942 {
943         ERRNO_FILTER(valid, E2BIG);
944         long ret;
945         pid_t parent = getppid();
946
947         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
948         ASSERT_EQ(0, ret);
949
950         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid);
951         ASSERT_EQ(0, ret);
952
953         EXPECT_EQ(parent, syscall(__NR_getppid));
954         EXPECT_EQ(-1, read(0, NULL, 0));
955         EXPECT_EQ(E2BIG, errno);
956 }
957
958 /* Make sure an errno of zero is correctly handled by the arch code. */
959 TEST(ERRNO_zero)
960 {
961         ERRNO_FILTER(zero, 0);
962         long ret;
963         pid_t parent = getppid();
964
965         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
966         ASSERT_EQ(0, ret);
967
968         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero);
969         ASSERT_EQ(0, ret);
970
971         EXPECT_EQ(parent, syscall(__NR_getppid));
972         /* "errno" of 0 is ok. */
973         EXPECT_EQ(0, read(0, NULL, 0));
974 }
975
976 /*
977  * The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller.
978  * This tests that the errno value gets capped correctly, fixed by
979  * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
980  */
981 TEST(ERRNO_capped)
982 {
983         ERRNO_FILTER(capped, 4096);
984         long ret;
985         pid_t parent = getppid();
986
987         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
988         ASSERT_EQ(0, ret);
989
990         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped);
991         ASSERT_EQ(0, ret);
992
993         EXPECT_EQ(parent, syscall(__NR_getppid));
994         EXPECT_EQ(-1, read(0, NULL, 0));
995         EXPECT_EQ(4095, errno);
996 }
997
998 /*
999  * Filters are processed in reverse order: last applied is executed first.
1000  * Since only the SECCOMP_RET_ACTION mask is tested for return values, the
1001  * SECCOMP_RET_DATA mask results will follow the most recently applied
1002  * matching filter return (and not the lowest or highest value).
1003  */
1004 TEST(ERRNO_order)
1005 {
1006         ERRNO_FILTER(first,  11);
1007         ERRNO_FILTER(second, 13);
1008         ERRNO_FILTER(third,  12);
1009         long ret;
1010         pid_t parent = getppid();
1011
1012         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1013         ASSERT_EQ(0, ret);
1014
1015         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first);
1016         ASSERT_EQ(0, ret);
1017
1018         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second);
1019         ASSERT_EQ(0, ret);
1020
1021         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third);
1022         ASSERT_EQ(0, ret);
1023
1024         EXPECT_EQ(parent, syscall(__NR_getppid));
1025         EXPECT_EQ(-1, read(0, NULL, 0));
1026         EXPECT_EQ(12, errno);
1027 }
1028
1029 FIXTURE(TRAP) {
1030         struct sock_fprog prog;
1031 };
1032
1033 FIXTURE_SETUP(TRAP)
1034 {
1035         struct sock_filter filter[] = {
1036                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1037                         offsetof(struct seccomp_data, nr)),
1038                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1039                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1040                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1041         };
1042
1043         memset(&self->prog, 0, sizeof(self->prog));
1044         self->prog.filter = malloc(sizeof(filter));
1045         ASSERT_NE(NULL, self->prog.filter);
1046         memcpy(self->prog.filter, filter, sizeof(filter));
1047         self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1048 }
1049
1050 FIXTURE_TEARDOWN(TRAP)
1051 {
1052         if (self->prog.filter)
1053                 free(self->prog.filter);
1054 }
1055
1056 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
1057 {
1058         long ret;
1059
1060         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1061         ASSERT_EQ(0, ret);
1062
1063         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1064         ASSERT_EQ(0, ret);
1065         syscall(__NR_getpid);
1066 }
1067
1068 /* Ensure that SIGSYS overrides SIG_IGN */
1069 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
1070 {
1071         long ret;
1072
1073         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1074         ASSERT_EQ(0, ret);
1075
1076         signal(SIGSYS, SIG_IGN);
1077
1078         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1079         ASSERT_EQ(0, ret);
1080         syscall(__NR_getpid);
1081 }
1082
1083 static siginfo_t TRAP_info;
1084 static volatile int TRAP_nr;
1085 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
1086 {
1087         memcpy(&TRAP_info, info, sizeof(TRAP_info));
1088         TRAP_nr = nr;
1089 }
1090
1091 TEST_F(TRAP, handler)
1092 {
1093         int ret, test;
1094         struct sigaction act;
1095         sigset_t mask;
1096
1097         memset(&act, 0, sizeof(act));
1098         sigemptyset(&mask);
1099         sigaddset(&mask, SIGSYS);
1100
1101         act.sa_sigaction = &TRAP_action;
1102         act.sa_flags = SA_SIGINFO;
1103         ret = sigaction(SIGSYS, &act, NULL);
1104         ASSERT_EQ(0, ret) {
1105                 TH_LOG("sigaction failed");
1106         }
1107         ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
1108         ASSERT_EQ(0, ret) {
1109                 TH_LOG("sigprocmask failed");
1110         }
1111
1112         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1113         ASSERT_EQ(0, ret);
1114         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1115         ASSERT_EQ(0, ret);
1116         TRAP_nr = 0;
1117         memset(&TRAP_info, 0, sizeof(TRAP_info));
1118         /* Expect the registers to be rolled back. (nr = error) may vary
1119          * based on arch. */
1120         ret = syscall(__NR_getpid);
1121         /* Silence gcc warning about volatile. */
1122         test = TRAP_nr;
1123         EXPECT_EQ(SIGSYS, test);
1124         struct local_sigsys {
1125                 void *_call_addr;       /* calling user insn */
1126                 int _syscall;           /* triggering system call number */
1127                 unsigned int _arch;     /* AUDIT_ARCH_* of syscall */
1128         } *sigsys = (struct local_sigsys *)
1129 #ifdef si_syscall
1130                 &(TRAP_info.si_call_addr);
1131 #else
1132                 &TRAP_info.si_pid;
1133 #endif
1134         EXPECT_EQ(__NR_getpid, sigsys->_syscall);
1135         /* Make sure arch is non-zero. */
1136         EXPECT_NE(0, sigsys->_arch);
1137         EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
1138 }
1139
1140 FIXTURE(precedence) {
1141         struct sock_fprog allow;
1142         struct sock_fprog log;
1143         struct sock_fprog trace;
1144         struct sock_fprog error;
1145         struct sock_fprog trap;
1146         struct sock_fprog kill;
1147 };
1148
1149 FIXTURE_SETUP(precedence)
1150 {
1151         struct sock_filter allow_insns[] = {
1152                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1153         };
1154         struct sock_filter log_insns[] = {
1155                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1156                         offsetof(struct seccomp_data, nr)),
1157                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1158                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1159                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
1160         };
1161         struct sock_filter trace_insns[] = {
1162                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1163                         offsetof(struct seccomp_data, nr)),
1164                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1165                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1166                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
1167         };
1168         struct sock_filter error_insns[] = {
1169                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1170                         offsetof(struct seccomp_data, nr)),
1171                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1172                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1173                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
1174         };
1175         struct sock_filter trap_insns[] = {
1176                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1177                         offsetof(struct seccomp_data, nr)),
1178                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1179                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1180                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1181         };
1182         struct sock_filter kill_insns[] = {
1183                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1184                         offsetof(struct seccomp_data, nr)),
1185                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1186                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1187                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1188         };
1189
1190         memset(self, 0, sizeof(*self));
1191 #define FILTER_ALLOC(_x) \
1192         self->_x.filter = malloc(sizeof(_x##_insns)); \
1193         ASSERT_NE(NULL, self->_x.filter); \
1194         memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
1195         self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
1196         FILTER_ALLOC(allow);
1197         FILTER_ALLOC(log);
1198         FILTER_ALLOC(trace);
1199         FILTER_ALLOC(error);
1200         FILTER_ALLOC(trap);
1201         FILTER_ALLOC(kill);
1202 }
1203
1204 FIXTURE_TEARDOWN(precedence)
1205 {
1206 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
1207         FILTER_FREE(allow);
1208         FILTER_FREE(log);
1209         FILTER_FREE(trace);
1210         FILTER_FREE(error);
1211         FILTER_FREE(trap);
1212         FILTER_FREE(kill);
1213 }
1214
1215 TEST_F(precedence, allow_ok)
1216 {
1217         pid_t parent, res = 0;
1218         long ret;
1219
1220         parent = getppid();
1221         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1222         ASSERT_EQ(0, ret);
1223
1224         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1225         ASSERT_EQ(0, ret);
1226         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1227         ASSERT_EQ(0, ret);
1228         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1229         ASSERT_EQ(0, ret);
1230         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1231         ASSERT_EQ(0, ret);
1232         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1233         ASSERT_EQ(0, ret);
1234         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1235         ASSERT_EQ(0, ret);
1236         /* Should work just fine. */
1237         res = syscall(__NR_getppid);
1238         EXPECT_EQ(parent, res);
1239 }
1240
1241 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
1242 {
1243         pid_t parent, res = 0;
1244         long ret;
1245
1246         parent = getppid();
1247         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1248         ASSERT_EQ(0, ret);
1249
1250         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1251         ASSERT_EQ(0, ret);
1252         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1253         ASSERT_EQ(0, ret);
1254         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1255         ASSERT_EQ(0, ret);
1256         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1257         ASSERT_EQ(0, ret);
1258         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1259         ASSERT_EQ(0, ret);
1260         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1261         ASSERT_EQ(0, ret);
1262         /* Should work just fine. */
1263         res = syscall(__NR_getppid);
1264         EXPECT_EQ(parent, res);
1265         /* getpid() should never return. */
1266         res = syscall(__NR_getpid);
1267         EXPECT_EQ(0, res);
1268 }
1269
1270 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
1271 {
1272         pid_t parent;
1273         long ret;
1274
1275         parent = getppid();
1276         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1277         ASSERT_EQ(0, ret);
1278
1279         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1280         ASSERT_EQ(0, ret);
1281         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1282         ASSERT_EQ(0, ret);
1283         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1284         ASSERT_EQ(0, ret);
1285         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1286         ASSERT_EQ(0, ret);
1287         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1288         ASSERT_EQ(0, ret);
1289         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1290         ASSERT_EQ(0, ret);
1291         /* Should work just fine. */
1292         EXPECT_EQ(parent, syscall(__NR_getppid));
1293         /* getpid() should never return. */
1294         EXPECT_EQ(0, syscall(__NR_getpid));
1295 }
1296
1297 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
1298 {
1299         pid_t parent;
1300         long ret;
1301
1302         parent = getppid();
1303         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1304         ASSERT_EQ(0, ret);
1305
1306         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1307         ASSERT_EQ(0, ret);
1308         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1309         ASSERT_EQ(0, ret);
1310         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1311         ASSERT_EQ(0, ret);
1312         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1313         ASSERT_EQ(0, ret);
1314         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1315         ASSERT_EQ(0, ret);
1316         /* Should work just fine. */
1317         EXPECT_EQ(parent, syscall(__NR_getppid));
1318         /* getpid() should never return. */
1319         EXPECT_EQ(0, syscall(__NR_getpid));
1320 }
1321
1322 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
1323 {
1324         pid_t parent;
1325         long ret;
1326
1327         parent = getppid();
1328         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1329         ASSERT_EQ(0, ret);
1330
1331         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1332         ASSERT_EQ(0, ret);
1333         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1334         ASSERT_EQ(0, ret);
1335         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1336         ASSERT_EQ(0, ret);
1337         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1338         ASSERT_EQ(0, ret);
1339         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1340         ASSERT_EQ(0, ret);
1341         /* Should work just fine. */
1342         EXPECT_EQ(parent, syscall(__NR_getppid));
1343         /* getpid() should never return. */
1344         EXPECT_EQ(0, syscall(__NR_getpid));
1345 }
1346
1347 TEST_F(precedence, errno_is_third)
1348 {
1349         pid_t parent;
1350         long ret;
1351
1352         parent = getppid();
1353         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1354         ASSERT_EQ(0, ret);
1355
1356         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1357         ASSERT_EQ(0, ret);
1358         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1359         ASSERT_EQ(0, ret);
1360         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1361         ASSERT_EQ(0, ret);
1362         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1363         ASSERT_EQ(0, ret);
1364         /* Should work just fine. */
1365         EXPECT_EQ(parent, syscall(__NR_getppid));
1366         EXPECT_EQ(0, syscall(__NR_getpid));
1367 }
1368
1369 TEST_F(precedence, errno_is_third_in_any_order)
1370 {
1371         pid_t parent;
1372         long ret;
1373
1374         parent = getppid();
1375         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1376         ASSERT_EQ(0, ret);
1377
1378         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1379         ASSERT_EQ(0, ret);
1380         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1381         ASSERT_EQ(0, ret);
1382         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1383         ASSERT_EQ(0, ret);
1384         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1385         ASSERT_EQ(0, ret);
1386         /* Should work just fine. */
1387         EXPECT_EQ(parent, syscall(__NR_getppid));
1388         EXPECT_EQ(0, syscall(__NR_getpid));
1389 }
1390
1391 TEST_F(precedence, trace_is_fourth)
1392 {
1393         pid_t parent;
1394         long ret;
1395
1396         parent = getppid();
1397         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1398         ASSERT_EQ(0, ret);
1399
1400         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1401         ASSERT_EQ(0, ret);
1402         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1403         ASSERT_EQ(0, ret);
1404         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1405         ASSERT_EQ(0, ret);
1406         /* Should work just fine. */
1407         EXPECT_EQ(parent, syscall(__NR_getppid));
1408         /* No ptracer */
1409         EXPECT_EQ(-1, syscall(__NR_getpid));
1410 }
1411
1412 TEST_F(precedence, trace_is_fourth_in_any_order)
1413 {
1414         pid_t parent;
1415         long ret;
1416
1417         parent = getppid();
1418         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1419         ASSERT_EQ(0, ret);
1420
1421         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1422         ASSERT_EQ(0, ret);
1423         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1424         ASSERT_EQ(0, ret);
1425         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1426         ASSERT_EQ(0, ret);
1427         /* Should work just fine. */
1428         EXPECT_EQ(parent, syscall(__NR_getppid));
1429         /* No ptracer */
1430         EXPECT_EQ(-1, syscall(__NR_getpid));
1431 }
1432
1433 TEST_F(precedence, log_is_fifth)
1434 {
1435         pid_t mypid, parent;
1436         long ret;
1437
1438         mypid = getpid();
1439         parent = getppid();
1440         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1441         ASSERT_EQ(0, ret);
1442
1443         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1444         ASSERT_EQ(0, ret);
1445         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1446         ASSERT_EQ(0, ret);
1447         /* Should work just fine. */
1448         EXPECT_EQ(parent, syscall(__NR_getppid));
1449         /* Should also work just fine */
1450         EXPECT_EQ(mypid, syscall(__NR_getpid));
1451 }
1452
1453 TEST_F(precedence, log_is_fifth_in_any_order)
1454 {
1455         pid_t mypid, parent;
1456         long ret;
1457
1458         mypid = getpid();
1459         parent = getppid();
1460         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1461         ASSERT_EQ(0, ret);
1462
1463         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1464         ASSERT_EQ(0, ret);
1465         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1466         ASSERT_EQ(0, ret);
1467         /* Should work just fine. */
1468         EXPECT_EQ(parent, syscall(__NR_getppid));
1469         /* Should also work just fine */
1470         EXPECT_EQ(mypid, syscall(__NR_getpid));
1471 }
1472
1473 #ifndef PTRACE_O_TRACESECCOMP
1474 #define PTRACE_O_TRACESECCOMP   0x00000080
1475 #endif
1476
1477 /* Catch the Ubuntu 12.04 value error. */
1478 #if PTRACE_EVENT_SECCOMP != 7
1479 #undef PTRACE_EVENT_SECCOMP
1480 #endif
1481
1482 #ifndef PTRACE_EVENT_SECCOMP
1483 #define PTRACE_EVENT_SECCOMP 7
1484 #endif
1485
1486 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
1487 bool tracer_running;
1488 void tracer_stop(int sig)
1489 {
1490         tracer_running = false;
1491 }
1492
1493 typedef void tracer_func_t(struct __test_metadata *_metadata,
1494                            pid_t tracee, int status, void *args);
1495
1496 void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
1497             tracer_func_t tracer_func, void *args, bool ptrace_syscall)
1498 {
1499         int ret = -1;
1500         struct sigaction action = {
1501                 .sa_handler = tracer_stop,
1502         };
1503
1504         /* Allow external shutdown. */
1505         tracer_running = true;
1506         ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1507
1508         errno = 0;
1509         while (ret == -1 && errno != EINVAL)
1510                 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1511         ASSERT_EQ(0, ret) {
1512                 kill(tracee, SIGKILL);
1513         }
1514         /* Wait for attach stop */
1515         wait(NULL);
1516
1517         ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ?
1518                                                       PTRACE_O_TRACESYSGOOD :
1519                                                       PTRACE_O_TRACESECCOMP);
1520         ASSERT_EQ(0, ret) {
1521                 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1522                 kill(tracee, SIGKILL);
1523         }
1524         ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1525                      tracee, NULL, 0);
1526         ASSERT_EQ(0, ret);
1527
1528         /* Unblock the tracee */
1529         ASSERT_EQ(1, write(fd, "A", 1));
1530         ASSERT_EQ(0, close(fd));
1531
1532         /* Run until we're shut down. Must assert to stop execution. */
1533         while (tracer_running) {
1534                 int status;
1535
1536                 if (wait(&status) != tracee)
1537                         continue;
1538                 if (WIFSIGNALED(status) || WIFEXITED(status))
1539                         /* Child is dead. Time to go. */
1540                         return;
1541
1542                 /* Check if this is a seccomp event. */
1543                 ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status));
1544
1545                 tracer_func(_metadata, tracee, status, args);
1546
1547                 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1548                              tracee, NULL, 0);
1549                 ASSERT_EQ(0, ret);
1550         }
1551         /* Directly report the status of our test harness results. */
1552         syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1553 }
1554
1555 /* Common tracer setup/teardown functions. */
1556 void cont_handler(int num)
1557 { }
1558 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1559                           tracer_func_t func, void *args, bool ptrace_syscall)
1560 {
1561         char sync;
1562         int pipefd[2];
1563         pid_t tracer_pid;
1564         pid_t tracee = getpid();
1565
1566         /* Setup a pipe for clean synchronization. */
1567         ASSERT_EQ(0, pipe(pipefd));
1568
1569         /* Fork a child which we'll promote to tracer */
1570         tracer_pid = fork();
1571         ASSERT_LE(0, tracer_pid);
1572         signal(SIGALRM, cont_handler);
1573         if (tracer_pid == 0) {
1574                 close(pipefd[0]);
1575                 start_tracer(_metadata, pipefd[1], tracee, func, args,
1576                              ptrace_syscall);
1577                 syscall(__NR_exit, 0);
1578         }
1579         close(pipefd[1]);
1580         prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1581         read(pipefd[0], &sync, 1);
1582         close(pipefd[0]);
1583
1584         return tracer_pid;
1585 }
1586
1587 void teardown_trace_fixture(struct __test_metadata *_metadata,
1588                             pid_t tracer)
1589 {
1590         if (tracer) {
1591                 int status;
1592                 /*
1593                  * Extract the exit code from the other process and
1594                  * adopt it for ourselves in case its asserts failed.
1595                  */
1596                 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1597                 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1598                 if (WEXITSTATUS(status))
1599                         _metadata->passed = 0;
1600         }
1601 }
1602
1603 /* "poke" tracer arguments and function. */
1604 struct tracer_args_poke_t {
1605         unsigned long poke_addr;
1606 };
1607
1608 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1609                  void *args)
1610 {
1611         int ret;
1612         unsigned long msg;
1613         struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1614
1615         ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1616         EXPECT_EQ(0, ret);
1617         /* If this fails, don't try to recover. */
1618         ASSERT_EQ(0x1001, msg) {
1619                 kill(tracee, SIGKILL);
1620         }
1621         /*
1622          * Poke in the message.
1623          * Registers are not touched to try to keep this relatively arch
1624          * agnostic.
1625          */
1626         ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1627         EXPECT_EQ(0, ret);
1628 }
1629
1630 FIXTURE(TRACE_poke) {
1631         struct sock_fprog prog;
1632         pid_t tracer;
1633         long poked;
1634         struct tracer_args_poke_t tracer_args;
1635 };
1636
1637 FIXTURE_SETUP(TRACE_poke)
1638 {
1639         struct sock_filter filter[] = {
1640                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1641                         offsetof(struct seccomp_data, nr)),
1642                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1643                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1644                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1645         };
1646
1647         self->poked = 0;
1648         memset(&self->prog, 0, sizeof(self->prog));
1649         self->prog.filter = malloc(sizeof(filter));
1650         ASSERT_NE(NULL, self->prog.filter);
1651         memcpy(self->prog.filter, filter, sizeof(filter));
1652         self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1653
1654         /* Set up tracer args. */
1655         self->tracer_args.poke_addr = (unsigned long)&self->poked;
1656
1657         /* Launch tracer. */
1658         self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1659                                            &self->tracer_args, false);
1660 }
1661
1662 FIXTURE_TEARDOWN(TRACE_poke)
1663 {
1664         teardown_trace_fixture(_metadata, self->tracer);
1665         if (self->prog.filter)
1666                 free(self->prog.filter);
1667 }
1668
1669 TEST_F(TRACE_poke, read_has_side_effects)
1670 {
1671         ssize_t ret;
1672
1673         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1674         ASSERT_EQ(0, ret);
1675
1676         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1677         ASSERT_EQ(0, ret);
1678
1679         EXPECT_EQ(0, self->poked);
1680         ret = read(-1, NULL, 0);
1681         EXPECT_EQ(-1, ret);
1682         EXPECT_EQ(0x1001, self->poked);
1683 }
1684
1685 TEST_F(TRACE_poke, getpid_runs_normally)
1686 {
1687         long ret;
1688
1689         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1690         ASSERT_EQ(0, ret);
1691
1692         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1693         ASSERT_EQ(0, ret);
1694
1695         EXPECT_EQ(0, self->poked);
1696         EXPECT_NE(0, syscall(__NR_getpid));
1697         EXPECT_EQ(0, self->poked);
1698 }
1699
1700 #if defined(__x86_64__)
1701 # define ARCH_REGS              struct user_regs_struct
1702 # define SYSCALL_NUM(_regs)     (_regs).orig_rax
1703 # define SYSCALL_RET(_regs)     (_regs).rax
1704 #elif defined(__i386__)
1705 # define ARCH_REGS              struct user_regs_struct
1706 # define SYSCALL_NUM(_regs)     (_regs).orig_eax
1707 # define SYSCALL_RET(_regs)     (_regs).eax
1708 #elif defined(__arm__)
1709 # define ARCH_REGS              struct pt_regs
1710 # define SYSCALL_NUM(_regs)     (_regs).ARM_r7
1711 # ifndef PTRACE_SET_SYSCALL
1712 #  define PTRACE_SET_SYSCALL   23
1713 # endif
1714 # define SYSCALL_NUM_SET(_regs, _nr)    \
1715                 EXPECT_EQ(0, ptrace(PTRACE_SET_SYSCALL, tracee, NULL, _nr))
1716 # define SYSCALL_RET(_regs)     (_regs).ARM_r0
1717 #elif defined(__aarch64__)
1718 # define ARCH_REGS              struct user_pt_regs
1719 # define SYSCALL_NUM(_regs)     (_regs).regs[8]
1720 # ifndef NT_ARM_SYSTEM_CALL
1721 #  define NT_ARM_SYSTEM_CALL 0x404
1722 # endif
1723 # define SYSCALL_NUM_SET(_regs, _nr)                            \
1724         do {                                                    \
1725                 struct iovec __v;                               \
1726                 typeof(_nr) __nr = (_nr);                       \
1727                 __v.iov_base = &__nr;                           \
1728                 __v.iov_len = sizeof(__nr);                     \
1729                 EXPECT_EQ(0, ptrace(PTRACE_SETREGSET, tracee,   \
1730                                     NT_ARM_SYSTEM_CALL, &__v)); \
1731         } while (0)
1732 # define SYSCALL_RET(_regs)     (_regs).regs[0]
1733 #elif defined(__riscv) && __riscv_xlen == 64
1734 # define ARCH_REGS              struct user_regs_struct
1735 # define SYSCALL_NUM(_regs)     (_regs).a7
1736 # define SYSCALL_RET(_regs)     (_regs).a0
1737 #elif defined(__csky__)
1738 # define ARCH_REGS              struct pt_regs
1739 #  if defined(__CSKYABIV2__)
1740 #   define SYSCALL_NUM(_regs)   (_regs).regs[3]
1741 #  else
1742 #   define SYSCALL_NUM(_regs)   (_regs).regs[9]
1743 #  endif
1744 # define SYSCALL_RET(_regs)     (_regs).a0
1745 #elif defined(__hppa__)
1746 # define ARCH_REGS              struct user_regs_struct
1747 # define SYSCALL_NUM(_regs)     (_regs).gr[20]
1748 # define SYSCALL_RET(_regs)     (_regs).gr[28]
1749 #elif defined(__powerpc__)
1750 # define ARCH_REGS              struct pt_regs
1751 # define SYSCALL_NUM(_regs)     (_regs).gpr[0]
1752 # define SYSCALL_RET(_regs)     (_regs).gpr[3]
1753 #elif defined(__s390__)
1754 # define ARCH_REGS              s390_regs
1755 # define SYSCALL_NUM(_regs)     (_regs).gprs[2]
1756 # define SYSCALL_RET(_regs)     (_regs).gprs[2]
1757 # define SYSCALL_NUM_RET_SHARE_REG
1758 #elif defined(__mips__)
1759 # include <asm/unistd_nr_n32.h>
1760 # include <asm/unistd_nr_n64.h>
1761 # include <asm/unistd_nr_o32.h>
1762 # define ARCH_REGS              struct pt_regs
1763 # define SYSCALL_NUM(_regs)                             \
1764         ({                                              \
1765                 typeof((_regs).regs[2]) _nr;            \
1766                 if ((_regs).regs[2] == __NR_O32_Linux)  \
1767                         _nr = (_regs).regs[4];          \
1768                 else                                    \
1769                         _nr = (_regs).regs[2];          \
1770                 _nr;                                    \
1771         })
1772 # define SYSCALL_NUM_SET(_regs, _nr)                    \
1773         do {                                            \
1774                 if ((_regs).regs[2] == __NR_O32_Linux)  \
1775                         (_regs).regs[4] = _nr;          \
1776                 else                                    \
1777                         (_regs).regs[2] = _nr;          \
1778         } while (0)
1779 # define SYSCALL_RET(_regs)     (_regs).regs[2]
1780 # define SYSCALL_NUM_RET_SHARE_REG
1781 #elif defined(__xtensa__)
1782 # define ARCH_REGS              struct user_pt_regs
1783 # define SYSCALL_NUM(_regs)     (_regs).syscall
1784 /*
1785  * On xtensa syscall return value is in the register
1786  * a2 of the current window which is not fixed.
1787  */
1788 #define SYSCALL_RET(_regs)      (_regs).a[(_regs).windowbase * 4 + 2]
1789 #elif defined(__sh__)
1790 # define ARCH_REGS              struct pt_regs
1791 # define SYSCALL_NUM(_regs)     (_regs).gpr[3]
1792 # define SYSCALL_RET(_regs)     (_regs).gpr[0]
1793 #else
1794 # error "Do not know how to find your architecture's registers and syscalls"
1795 #endif
1796
1797 /*
1798  * Most architectures can change the syscall by just updating the
1799  * associated register. This is the default if not defined above.
1800  */
1801 #ifndef SYSCALL_NUM_SET
1802 # define SYSCALL_NUM_SET(_regs, _nr)            \
1803         do {                                    \
1804                 SYSCALL_NUM(_regs) = (_nr);     \
1805         } while (0)
1806 #endif
1807
1808 /* When the syscall return can't be changed, stub out the tests for it. */
1809 #ifdef SYSCALL_NUM_RET_SHARE_REG
1810 # define EXPECT_SYSCALL_RETURN(val, action)     EXPECT_EQ(-1, action)
1811 #else
1812 # define EXPECT_SYSCALL_RETURN(val, action)             \
1813         do {                                            \
1814                 errno = 0;                              \
1815                 if (val < 0) {                          \
1816                         EXPECT_EQ(-1, action);          \
1817                         EXPECT_EQ(-(val), errno);       \
1818                 } else {                                \
1819                         EXPECT_EQ(val, action);         \
1820                 }                                       \
1821         } while (0)
1822 #endif
1823
1824 /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
1825  * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1826  */
1827 #if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
1828 #define HAVE_GETREGS
1829 #endif
1830
1831 /* Architecture-specific syscall fetching routine. */
1832 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1833 {
1834         ARCH_REGS regs;
1835 #ifdef HAVE_GETREGS
1836         EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, &regs)) {
1837                 TH_LOG("PTRACE_GETREGS failed");
1838                 return -1;
1839         }
1840 #else
1841         struct iovec iov;
1842
1843         iov.iov_base = &regs;
1844         iov.iov_len = sizeof(regs);
1845         EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1846                 TH_LOG("PTRACE_GETREGSET failed");
1847                 return -1;
1848         }
1849 #endif
1850
1851         return SYSCALL_NUM(regs);
1852 }
1853
1854 /* Architecture-specific syscall changing routine. */
1855 void change_syscall(struct __test_metadata *_metadata,
1856                     pid_t tracee, int syscall, int result)
1857 {
1858         int ret;
1859         ARCH_REGS regs;
1860 #ifdef HAVE_GETREGS
1861         ret = ptrace(PTRACE_GETREGS, tracee, 0, &regs);
1862 #else
1863         struct iovec iov;
1864         iov.iov_base = &regs;
1865         iov.iov_len = sizeof(regs);
1866         ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1867 #endif
1868         EXPECT_EQ(0, ret);
1869
1870         SYSCALL_NUM_SET(regs, syscall);
1871
1872         /* If syscall is skipped, change return value. */
1873         if (syscall == -1)
1874 #ifdef SYSCALL_NUM_RET_SHARE_REG
1875                 TH_LOG("Can't modify syscall return on this architecture");
1876 #else
1877                 SYSCALL_RET(regs) = result;
1878 #endif
1879
1880         /* Flush any register changes made. */
1881 #ifdef HAVE_GETREGS
1882         ret = ptrace(PTRACE_SETREGS, tracee, 0, &regs);
1883 #else
1884         iov.iov_base = &regs;
1885         iov.iov_len = sizeof(regs);
1886         ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1887 #endif
1888         EXPECT_EQ(0, ret);
1889 }
1890
1891 void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
1892                     int status, void *args)
1893 {
1894         int ret;
1895         unsigned long msg;
1896
1897         /* Make sure we got the right message. */
1898         ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1899         EXPECT_EQ(0, ret);
1900
1901         /* Validate and take action on expected syscalls. */
1902         switch (msg) {
1903         case 0x1002:
1904                 /* change getpid to getppid. */
1905                 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
1906                 change_syscall(_metadata, tracee, __NR_getppid, 0);
1907                 break;
1908         case 0x1003:
1909                 /* skip gettid with valid return code. */
1910                 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
1911                 change_syscall(_metadata, tracee, -1, 45000);
1912                 break;
1913         case 0x1004:
1914                 /* skip openat with error. */
1915                 EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
1916                 change_syscall(_metadata, tracee, -1, -ESRCH);
1917                 break;
1918         case 0x1005:
1919                 /* do nothing (allow getppid) */
1920                 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
1921                 break;
1922         default:
1923                 EXPECT_EQ(0, msg) {
1924                         TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1925                         kill(tracee, SIGKILL);
1926                 }
1927         }
1928
1929 }
1930
1931 void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
1932                    int status, void *args)
1933 {
1934         int ret, nr;
1935         unsigned long msg;
1936         static bool entry;
1937
1938         /*
1939          * The traditional way to tell PTRACE_SYSCALL entry/exit
1940          * is by counting.
1941          */
1942         entry = !entry;
1943
1944         /* Make sure we got an appropriate message. */
1945         ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1946         EXPECT_EQ(0, ret);
1947         EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
1948                         : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
1949
1950         if (!entry)
1951                 return;
1952
1953         nr = get_syscall(_metadata, tracee);
1954
1955         if (nr == __NR_getpid)
1956                 change_syscall(_metadata, tracee, __NR_getppid, 0);
1957         if (nr == __NR_gettid)
1958                 change_syscall(_metadata, tracee, -1, 45000);
1959         if (nr == __NR_openat)
1960                 change_syscall(_metadata, tracee, -1, -ESRCH);
1961 }
1962
1963 FIXTURE(TRACE_syscall) {
1964         struct sock_fprog prog;
1965         pid_t tracer, mytid, mypid, parent;
1966 };
1967
1968 FIXTURE_VARIANT(TRACE_syscall) {
1969         /*
1970          * All of the SECCOMP_RET_TRACE behaviors can be tested with either
1971          * SECCOMP_RET_TRACE+PTRACE_CONT or plain ptrace()+PTRACE_SYSCALL.
1972          * This indicates if we should use SECCOMP_RET_TRACE (false), or
1973          * ptrace (true).
1974          */
1975         bool use_ptrace;
1976 };
1977
1978 FIXTURE_VARIANT_ADD(TRACE_syscall, ptrace) {
1979         .use_ptrace = true,
1980 };
1981
1982 FIXTURE_VARIANT_ADD(TRACE_syscall, seccomp) {
1983         .use_ptrace = false,
1984 };
1985
1986 FIXTURE_SETUP(TRACE_syscall)
1987 {
1988         struct sock_filter filter[] = {
1989                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1990                         offsetof(struct seccomp_data, nr)),
1991                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1992                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1993                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1994                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1995                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
1996                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1997                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1998                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
1999                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2000         };
2001         struct sock_fprog prog = {
2002                 .len = (unsigned short)ARRAY_SIZE(filter),
2003                 .filter = filter,
2004         };
2005         long ret;
2006
2007         /* Prepare some testable syscall results. */
2008         self->mytid = syscall(__NR_gettid);
2009         ASSERT_GT(self->mytid, 0);
2010         ASSERT_NE(self->mytid, 1) {
2011                 TH_LOG("Running this test as init is not supported. :)");
2012         }
2013
2014         self->mypid = getpid();
2015         ASSERT_GT(self->mypid, 0);
2016         ASSERT_EQ(self->mytid, self->mypid);
2017
2018         self->parent = getppid();
2019         ASSERT_GT(self->parent, 0);
2020         ASSERT_NE(self->parent, self->mypid);
2021
2022         /* Launch tracer. */
2023         self->tracer = setup_trace_fixture(_metadata,
2024                                            variant->use_ptrace ? tracer_ptrace
2025                                                                : tracer_seccomp,
2026                                            NULL, variant->use_ptrace);
2027
2028         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2029         ASSERT_EQ(0, ret);
2030
2031         if (variant->use_ptrace)
2032                 return;
2033
2034         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2035         ASSERT_EQ(0, ret);
2036 }
2037
2038 FIXTURE_TEARDOWN(TRACE_syscall)
2039 {
2040         teardown_trace_fixture(_metadata, self->tracer);
2041 }
2042
2043 TEST(negative_ENOSYS)
2044 {
2045         /*
2046          * There should be no difference between an "internal" skip
2047          * and userspace asking for syscall "-1".
2048          */
2049         errno = 0;
2050         EXPECT_EQ(-1, syscall(-1));
2051         EXPECT_EQ(errno, ENOSYS);
2052         /* And no difference for "still not valid but not -1". */
2053         errno = 0;
2054         EXPECT_EQ(-1, syscall(-101));
2055         EXPECT_EQ(errno, ENOSYS);
2056 }
2057
2058 TEST_F(TRACE_syscall, negative_ENOSYS)
2059 {
2060         negative_ENOSYS(_metadata);
2061 }
2062
2063 TEST_F(TRACE_syscall, syscall_allowed)
2064 {
2065         /* getppid works as expected (no changes). */
2066         EXPECT_EQ(self->parent, syscall(__NR_getppid));
2067         EXPECT_NE(self->mypid, syscall(__NR_getppid));
2068 }
2069
2070 TEST_F(TRACE_syscall, syscall_redirected)
2071 {
2072         /* getpid has been redirected to getppid as expected. */
2073         EXPECT_EQ(self->parent, syscall(__NR_getpid));
2074         EXPECT_NE(self->mypid, syscall(__NR_getpid));
2075 }
2076
2077 TEST_F(TRACE_syscall, syscall_errno)
2078 {
2079         /* Tracer should skip the open syscall, resulting in ESRCH. */
2080         EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
2081 }
2082
2083 TEST_F(TRACE_syscall, syscall_faked)
2084 {
2085         /* Tracer skips the gettid syscall and store altered return value. */
2086         EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
2087 }
2088
2089 TEST_F(TRACE_syscall, skip_after)
2090 {
2091         struct sock_filter filter[] = {
2092                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2093                         offsetof(struct seccomp_data, nr)),
2094                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2095                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
2096                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2097         };
2098         struct sock_fprog prog = {
2099                 .len = (unsigned short)ARRAY_SIZE(filter),
2100                 .filter = filter,
2101         };
2102         long ret;
2103
2104         /* Install additional "errno on getppid" filter. */
2105         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2106         ASSERT_EQ(0, ret);
2107
2108         /* Tracer will redirect getpid to getppid, and we should see EPERM. */
2109         errno = 0;
2110         EXPECT_EQ(-1, syscall(__NR_getpid));
2111         EXPECT_EQ(EPERM, errno);
2112 }
2113
2114 TEST_F_SIGNAL(TRACE_syscall, kill_after, SIGSYS)
2115 {
2116         struct sock_filter filter[] = {
2117                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2118                         offsetof(struct seccomp_data, nr)),
2119                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2120                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2121                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2122         };
2123         struct sock_fprog prog = {
2124                 .len = (unsigned short)ARRAY_SIZE(filter),
2125                 .filter = filter,
2126         };
2127         long ret;
2128
2129         /* Install additional "death on getppid" filter. */
2130         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2131         ASSERT_EQ(0, ret);
2132
2133         /* Tracer will redirect getpid to getppid, and we should die. */
2134         EXPECT_NE(self->mypid, syscall(__NR_getpid));
2135 }
2136
2137 TEST(seccomp_syscall)
2138 {
2139         struct sock_filter filter[] = {
2140                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2141         };
2142         struct sock_fprog prog = {
2143                 .len = (unsigned short)ARRAY_SIZE(filter),
2144                 .filter = filter,
2145         };
2146         long ret;
2147
2148         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2149         ASSERT_EQ(0, ret) {
2150                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2151         }
2152
2153         /* Reject insane operation. */
2154         ret = seccomp(-1, 0, &prog);
2155         ASSERT_NE(ENOSYS, errno) {
2156                 TH_LOG("Kernel does not support seccomp syscall!");
2157         }
2158         EXPECT_EQ(EINVAL, errno) {
2159                 TH_LOG("Did not reject crazy op value!");
2160         }
2161
2162         /* Reject strict with flags or pointer. */
2163         ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
2164         EXPECT_EQ(EINVAL, errno) {
2165                 TH_LOG("Did not reject mode strict with flags!");
2166         }
2167         ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
2168         EXPECT_EQ(EINVAL, errno) {
2169                 TH_LOG("Did not reject mode strict with uargs!");
2170         }
2171
2172         /* Reject insane args for filter. */
2173         ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
2174         EXPECT_EQ(EINVAL, errno) {
2175                 TH_LOG("Did not reject crazy filter flags!");
2176         }
2177         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
2178         EXPECT_EQ(EFAULT, errno) {
2179                 TH_LOG("Did not reject NULL filter!");
2180         }
2181
2182         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2183         EXPECT_EQ(0, errno) {
2184                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
2185                         strerror(errno));
2186         }
2187 }
2188
2189 TEST(seccomp_syscall_mode_lock)
2190 {
2191         struct sock_filter filter[] = {
2192                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2193         };
2194         struct sock_fprog prog = {
2195                 .len = (unsigned short)ARRAY_SIZE(filter),
2196                 .filter = filter,
2197         };
2198         long ret;
2199
2200         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2201         ASSERT_EQ(0, ret) {
2202                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2203         }
2204
2205         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2206         ASSERT_NE(ENOSYS, errno) {
2207                 TH_LOG("Kernel does not support seccomp syscall!");
2208         }
2209         EXPECT_EQ(0, ret) {
2210                 TH_LOG("Could not install filter!");
2211         }
2212
2213         /* Make sure neither entry point will switch to strict. */
2214         ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
2215         EXPECT_EQ(EINVAL, errno) {
2216                 TH_LOG("Switched to mode strict!");
2217         }
2218
2219         ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
2220         EXPECT_EQ(EINVAL, errno) {
2221                 TH_LOG("Switched to mode strict!");
2222         }
2223 }
2224
2225 /*
2226  * Test detection of known and unknown filter flags. Userspace needs to be able
2227  * to check if a filter flag is supported by the current kernel and a good way
2228  * of doing that is by attempting to enter filter mode, with the flag bit in
2229  * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
2230  * that the flag is valid and EINVAL indicates that the flag is invalid.
2231  */
2232 TEST(detect_seccomp_filter_flags)
2233 {
2234         unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
2235                                  SECCOMP_FILTER_FLAG_LOG,
2236                                  SECCOMP_FILTER_FLAG_SPEC_ALLOW,
2237                                  SECCOMP_FILTER_FLAG_NEW_LISTENER,
2238                                  SECCOMP_FILTER_FLAG_TSYNC_ESRCH };
2239         unsigned int exclusive[] = {
2240                                 SECCOMP_FILTER_FLAG_TSYNC,
2241                                 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2242         unsigned int flag, all_flags, exclusive_mask;
2243         int i;
2244         long ret;
2245
2246         /* Test detection of individual known-good filter flags */
2247         for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
2248                 int bits = 0;
2249
2250                 flag = flags[i];
2251                 /* Make sure the flag is a single bit! */
2252                 while (flag) {
2253                         if (flag & 0x1)
2254                                 bits ++;
2255                         flag >>= 1;
2256                 }
2257                 ASSERT_EQ(1, bits);
2258                 flag = flags[i];
2259
2260                 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2261                 ASSERT_NE(ENOSYS, errno) {
2262                         TH_LOG("Kernel does not support seccomp syscall!");
2263                 }
2264                 EXPECT_EQ(-1, ret);
2265                 EXPECT_EQ(EFAULT, errno) {
2266                         TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
2267                                flag);
2268                 }
2269
2270                 all_flags |= flag;
2271         }
2272
2273         /*
2274          * Test detection of all known-good filter flags combined. But
2275          * for the exclusive flags we need to mask them out and try them
2276          * individually for the "all flags" testing.
2277          */
2278         exclusive_mask = 0;
2279         for (i = 0; i < ARRAY_SIZE(exclusive); i++)
2280                 exclusive_mask |= exclusive[i];
2281         for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
2282                 flag = all_flags & ~exclusive_mask;
2283                 flag |= exclusive[i];
2284
2285                 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2286                 EXPECT_EQ(-1, ret);
2287                 EXPECT_EQ(EFAULT, errno) {
2288                         TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
2289                                flag);
2290                 }
2291         }
2292
2293         /* Test detection of an unknown filter flags, without exclusives. */
2294         flag = -1;
2295         flag &= ~exclusive_mask;
2296         ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2297         EXPECT_EQ(-1, ret);
2298         EXPECT_EQ(EINVAL, errno) {
2299                 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
2300                        flag);
2301         }
2302
2303         /*
2304          * Test detection of an unknown filter flag that may simply need to be
2305          * added to this test
2306          */
2307         flag = flags[ARRAY_SIZE(flags) - 1] << 1;
2308         ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2309         EXPECT_EQ(-1, ret);
2310         EXPECT_EQ(EINVAL, errno) {
2311                 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
2312                        flag);
2313         }
2314 }
2315
2316 TEST(TSYNC_first)
2317 {
2318         struct sock_filter filter[] = {
2319                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2320         };
2321         struct sock_fprog prog = {
2322                 .len = (unsigned short)ARRAY_SIZE(filter),
2323                 .filter = filter,
2324         };
2325         long ret;
2326
2327         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2328         ASSERT_EQ(0, ret) {
2329                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2330         }
2331
2332         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2333                       &prog);
2334         ASSERT_NE(ENOSYS, errno) {
2335                 TH_LOG("Kernel does not support seccomp syscall!");
2336         }
2337         EXPECT_EQ(0, ret) {
2338                 TH_LOG("Could not install initial filter with TSYNC!");
2339         }
2340 }
2341
2342 #define TSYNC_SIBLINGS 2
2343 struct tsync_sibling {
2344         pthread_t tid;
2345         pid_t system_tid;
2346         sem_t *started;
2347         pthread_cond_t *cond;
2348         pthread_mutex_t *mutex;
2349         int diverge;
2350         int num_waits;
2351         struct sock_fprog *prog;
2352         struct __test_metadata *metadata;
2353 };
2354
2355 /*
2356  * To avoid joining joined threads (which is not allowed by Bionic),
2357  * make sure we both successfully join and clear the tid to skip a
2358  * later join attempt during fixture teardown. Any remaining threads
2359  * will be directly killed during teardown.
2360  */
2361 #define PTHREAD_JOIN(tid, status)                                       \
2362         do {                                                            \
2363                 int _rc = pthread_join(tid, status);                    \
2364                 if (_rc) {                                              \
2365                         TH_LOG("pthread_join of tid %u failed: %d\n",   \
2366                                 (unsigned int)tid, _rc);                \
2367                 } else {                                                \
2368                         tid = 0;                                        \
2369                 }                                                       \
2370         } while (0)
2371
2372 FIXTURE(TSYNC) {
2373         struct sock_fprog root_prog, apply_prog;
2374         struct tsync_sibling sibling[TSYNC_SIBLINGS];
2375         sem_t started;
2376         pthread_cond_t cond;
2377         pthread_mutex_t mutex;
2378         int sibling_count;
2379 };
2380
2381 FIXTURE_SETUP(TSYNC)
2382 {
2383         struct sock_filter root_filter[] = {
2384                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2385         };
2386         struct sock_filter apply_filter[] = {
2387                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2388                         offsetof(struct seccomp_data, nr)),
2389                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
2390                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2391                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2392         };
2393
2394         memset(&self->root_prog, 0, sizeof(self->root_prog));
2395         memset(&self->apply_prog, 0, sizeof(self->apply_prog));
2396         memset(&self->sibling, 0, sizeof(self->sibling));
2397         self->root_prog.filter = malloc(sizeof(root_filter));
2398         ASSERT_NE(NULL, self->root_prog.filter);
2399         memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
2400         self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
2401
2402         self->apply_prog.filter = malloc(sizeof(apply_filter));
2403         ASSERT_NE(NULL, self->apply_prog.filter);
2404         memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
2405         self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
2406
2407         self->sibling_count = 0;
2408         pthread_mutex_init(&self->mutex, NULL);
2409         pthread_cond_init(&self->cond, NULL);
2410         sem_init(&self->started, 0, 0);
2411         self->sibling[0].tid = 0;
2412         self->sibling[0].cond = &self->cond;
2413         self->sibling[0].started = &self->started;
2414         self->sibling[0].mutex = &self->mutex;
2415         self->sibling[0].diverge = 0;
2416         self->sibling[0].num_waits = 1;
2417         self->sibling[0].prog = &self->root_prog;
2418         self->sibling[0].metadata = _metadata;
2419         self->sibling[1].tid = 0;
2420         self->sibling[1].cond = &self->cond;
2421         self->sibling[1].started = &self->started;
2422         self->sibling[1].mutex = &self->mutex;
2423         self->sibling[1].diverge = 0;
2424         self->sibling[1].prog = &self->root_prog;
2425         self->sibling[1].num_waits = 1;
2426         self->sibling[1].metadata = _metadata;
2427 }
2428
2429 FIXTURE_TEARDOWN(TSYNC)
2430 {
2431         int sib = 0;
2432
2433         if (self->root_prog.filter)
2434                 free(self->root_prog.filter);
2435         if (self->apply_prog.filter)
2436                 free(self->apply_prog.filter);
2437
2438         for ( ; sib < self->sibling_count; ++sib) {
2439                 struct tsync_sibling *s = &self->sibling[sib];
2440
2441                 if (!s->tid)
2442                         continue;
2443                 /*
2444                  * If a thread is still running, it may be stuck, so hit
2445                  * it over the head really hard.
2446                  */
2447                 pthread_kill(s->tid, 9);
2448         }
2449         pthread_mutex_destroy(&self->mutex);
2450         pthread_cond_destroy(&self->cond);
2451         sem_destroy(&self->started);
2452 }
2453
2454 void *tsync_sibling(void *data)
2455 {
2456         long ret = 0;
2457         struct tsync_sibling *me = data;
2458
2459         me->system_tid = syscall(__NR_gettid);
2460
2461         pthread_mutex_lock(me->mutex);
2462         if (me->diverge) {
2463                 /* Just re-apply the root prog to fork the tree */
2464                 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
2465                                 me->prog, 0, 0);
2466         }
2467         sem_post(me->started);
2468         /* Return outside of started so parent notices failures. */
2469         if (ret) {
2470                 pthread_mutex_unlock(me->mutex);
2471                 return (void *)SIBLING_EXIT_FAILURE;
2472         }
2473         do {
2474                 pthread_cond_wait(me->cond, me->mutex);
2475                 me->num_waits = me->num_waits - 1;
2476         } while (me->num_waits);
2477         pthread_mutex_unlock(me->mutex);
2478
2479         ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
2480         if (!ret)
2481                 return (void *)SIBLING_EXIT_NEWPRIVS;
2482         read(0, NULL, 0);
2483         return (void *)SIBLING_EXIT_UNKILLED;
2484 }
2485
2486 void tsync_start_sibling(struct tsync_sibling *sibling)
2487 {
2488         pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
2489 }
2490
2491 TEST_F(TSYNC, siblings_fail_prctl)
2492 {
2493         long ret;
2494         void *status;
2495         struct sock_filter filter[] = {
2496                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2497                         offsetof(struct seccomp_data, nr)),
2498                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
2499                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
2500                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2501         };
2502         struct sock_fprog prog = {
2503                 .len = (unsigned short)ARRAY_SIZE(filter),
2504                 .filter = filter,
2505         };
2506
2507         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2508                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2509         }
2510
2511         /* Check prctl failure detection by requesting sib 0 diverge. */
2512         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2513         ASSERT_NE(ENOSYS, errno) {
2514                 TH_LOG("Kernel does not support seccomp syscall!");
2515         }
2516         ASSERT_EQ(0, ret) {
2517                 TH_LOG("setting filter failed");
2518         }
2519
2520         self->sibling[0].diverge = 1;
2521         tsync_start_sibling(&self->sibling[0]);
2522         tsync_start_sibling(&self->sibling[1]);
2523
2524         while (self->sibling_count < TSYNC_SIBLINGS) {
2525                 sem_wait(&self->started);
2526                 self->sibling_count++;
2527         }
2528
2529         /* Signal the threads to clean up*/
2530         pthread_mutex_lock(&self->mutex);
2531         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2532                 TH_LOG("cond broadcast non-zero");
2533         }
2534         pthread_mutex_unlock(&self->mutex);
2535
2536         /* Ensure diverging sibling failed to call prctl. */
2537         PTHREAD_JOIN(self->sibling[0].tid, &status);
2538         EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
2539         PTHREAD_JOIN(self->sibling[1].tid, &status);
2540         EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2541 }
2542
2543 TEST_F(TSYNC, two_siblings_with_ancestor)
2544 {
2545         long ret;
2546         void *status;
2547
2548         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2549                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2550         }
2551
2552         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2553         ASSERT_NE(ENOSYS, errno) {
2554                 TH_LOG("Kernel does not support seccomp syscall!");
2555         }
2556         ASSERT_EQ(0, ret) {
2557                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2558         }
2559         tsync_start_sibling(&self->sibling[0]);
2560         tsync_start_sibling(&self->sibling[1]);
2561
2562         while (self->sibling_count < TSYNC_SIBLINGS) {
2563                 sem_wait(&self->started);
2564                 self->sibling_count++;
2565         }
2566
2567         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2568                       &self->apply_prog);
2569         ASSERT_EQ(0, ret) {
2570                 TH_LOG("Could install filter on all threads!");
2571         }
2572         /* Tell the siblings to test the policy */
2573         pthread_mutex_lock(&self->mutex);
2574         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2575                 TH_LOG("cond broadcast non-zero");
2576         }
2577         pthread_mutex_unlock(&self->mutex);
2578         /* Ensure they are both killed and don't exit cleanly. */
2579         PTHREAD_JOIN(self->sibling[0].tid, &status);
2580         EXPECT_EQ(0x0, (long)status);
2581         PTHREAD_JOIN(self->sibling[1].tid, &status);
2582         EXPECT_EQ(0x0, (long)status);
2583 }
2584
2585 TEST_F(TSYNC, two_sibling_want_nnp)
2586 {
2587         void *status;
2588
2589         /* start siblings before any prctl() operations */
2590         tsync_start_sibling(&self->sibling[0]);
2591         tsync_start_sibling(&self->sibling[1]);
2592         while (self->sibling_count < TSYNC_SIBLINGS) {
2593                 sem_wait(&self->started);
2594                 self->sibling_count++;
2595         }
2596
2597         /* Tell the siblings to test no policy */
2598         pthread_mutex_lock(&self->mutex);
2599         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2600                 TH_LOG("cond broadcast non-zero");
2601         }
2602         pthread_mutex_unlock(&self->mutex);
2603
2604         /* Ensure they are both upset about lacking nnp. */
2605         PTHREAD_JOIN(self->sibling[0].tid, &status);
2606         EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2607         PTHREAD_JOIN(self->sibling[1].tid, &status);
2608         EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2609 }
2610
2611 TEST_F(TSYNC, two_siblings_with_no_filter)
2612 {
2613         long ret;
2614         void *status;
2615
2616         /* start siblings before any prctl() operations */
2617         tsync_start_sibling(&self->sibling[0]);
2618         tsync_start_sibling(&self->sibling[1]);
2619         while (self->sibling_count < TSYNC_SIBLINGS) {
2620                 sem_wait(&self->started);
2621                 self->sibling_count++;
2622         }
2623
2624         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2625                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2626         }
2627
2628         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2629                       &self->apply_prog);
2630         ASSERT_NE(ENOSYS, errno) {
2631                 TH_LOG("Kernel does not support seccomp syscall!");
2632         }
2633         ASSERT_EQ(0, ret) {
2634                 TH_LOG("Could install filter on all threads!");
2635         }
2636
2637         /* Tell the siblings to test the policy */
2638         pthread_mutex_lock(&self->mutex);
2639         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2640                 TH_LOG("cond broadcast non-zero");
2641         }
2642         pthread_mutex_unlock(&self->mutex);
2643
2644         /* Ensure they are both killed and don't exit cleanly. */
2645         PTHREAD_JOIN(self->sibling[0].tid, &status);
2646         EXPECT_EQ(0x0, (long)status);
2647         PTHREAD_JOIN(self->sibling[1].tid, &status);
2648         EXPECT_EQ(0x0, (long)status);
2649 }
2650
2651 TEST_F(TSYNC, two_siblings_with_one_divergence)
2652 {
2653         long ret;
2654         void *status;
2655
2656         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2657                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2658         }
2659
2660         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2661         ASSERT_NE(ENOSYS, errno) {
2662                 TH_LOG("Kernel does not support seccomp syscall!");
2663         }
2664         ASSERT_EQ(0, ret) {
2665                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2666         }
2667         self->sibling[0].diverge = 1;
2668         tsync_start_sibling(&self->sibling[0]);
2669         tsync_start_sibling(&self->sibling[1]);
2670
2671         while (self->sibling_count < TSYNC_SIBLINGS) {
2672                 sem_wait(&self->started);
2673                 self->sibling_count++;
2674         }
2675
2676         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2677                       &self->apply_prog);
2678         ASSERT_EQ(self->sibling[0].system_tid, ret) {
2679                 TH_LOG("Did not fail on diverged sibling.");
2680         }
2681
2682         /* Wake the threads */
2683         pthread_mutex_lock(&self->mutex);
2684         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2685                 TH_LOG("cond broadcast non-zero");
2686         }
2687         pthread_mutex_unlock(&self->mutex);
2688
2689         /* Ensure they are both unkilled. */
2690         PTHREAD_JOIN(self->sibling[0].tid, &status);
2691         EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2692         PTHREAD_JOIN(self->sibling[1].tid, &status);
2693         EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2694 }
2695
2696 TEST_F(TSYNC, two_siblings_with_one_divergence_no_tid_in_err)
2697 {
2698         long ret, flags;
2699         void *status;
2700
2701         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2702                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2703         }
2704
2705         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2706         ASSERT_NE(ENOSYS, errno) {
2707                 TH_LOG("Kernel does not support seccomp syscall!");
2708         }
2709         ASSERT_EQ(0, ret) {
2710                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2711         }
2712         self->sibling[0].diverge = 1;
2713         tsync_start_sibling(&self->sibling[0]);
2714         tsync_start_sibling(&self->sibling[1]);
2715
2716         while (self->sibling_count < TSYNC_SIBLINGS) {
2717                 sem_wait(&self->started);
2718                 self->sibling_count++;
2719         }
2720
2721         flags = SECCOMP_FILTER_FLAG_TSYNC | \
2722                 SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
2723         ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &self->apply_prog);
2724         ASSERT_EQ(ESRCH, errno) {
2725                 TH_LOG("Did not return ESRCH for diverged sibling.");
2726         }
2727         ASSERT_EQ(-1, ret) {
2728                 TH_LOG("Did not fail on diverged sibling.");
2729         }
2730
2731         /* Wake the threads */
2732         pthread_mutex_lock(&self->mutex);
2733         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2734                 TH_LOG("cond broadcast non-zero");
2735         }
2736         pthread_mutex_unlock(&self->mutex);
2737
2738         /* Ensure they are both unkilled. */
2739         PTHREAD_JOIN(self->sibling[0].tid, &status);
2740         EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2741         PTHREAD_JOIN(self->sibling[1].tid, &status);
2742         EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2743 }
2744
2745 TEST_F(TSYNC, two_siblings_not_under_filter)
2746 {
2747         long ret, sib;
2748         void *status;
2749         struct timespec delay = { .tv_nsec = 100000000 };
2750
2751         ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2752                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2753         }
2754
2755         /*
2756          * Sibling 0 will have its own seccomp policy
2757          * and Sibling 1 will not be under seccomp at
2758          * all. Sibling 1 will enter seccomp and 0
2759          * will cause failure.
2760          */
2761         self->sibling[0].diverge = 1;
2762         tsync_start_sibling(&self->sibling[0]);
2763         tsync_start_sibling(&self->sibling[1]);
2764
2765         while (self->sibling_count < TSYNC_SIBLINGS) {
2766                 sem_wait(&self->started);
2767                 self->sibling_count++;
2768         }
2769
2770         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2771         ASSERT_NE(ENOSYS, errno) {
2772                 TH_LOG("Kernel does not support seccomp syscall!");
2773         }
2774         ASSERT_EQ(0, ret) {
2775                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2776         }
2777
2778         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2779                       &self->apply_prog);
2780         ASSERT_EQ(ret, self->sibling[0].system_tid) {
2781                 TH_LOG("Did not fail on diverged sibling.");
2782         }
2783         sib = 1;
2784         if (ret == self->sibling[0].system_tid)
2785                 sib = 0;
2786
2787         pthread_mutex_lock(&self->mutex);
2788
2789         /* Increment the other siblings num_waits so we can clean up
2790          * the one we just saw.
2791          */
2792         self->sibling[!sib].num_waits += 1;
2793
2794         /* Signal the thread to clean up*/
2795         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2796                 TH_LOG("cond broadcast non-zero");
2797         }
2798         pthread_mutex_unlock(&self->mutex);
2799         PTHREAD_JOIN(self->sibling[sib].tid, &status);
2800         EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2801         /* Poll for actual task death. pthread_join doesn't guarantee it. */
2802         while (!kill(self->sibling[sib].system_tid, 0))
2803                 nanosleep(&delay, NULL);
2804         /* Switch to the remaining sibling */
2805         sib = !sib;
2806
2807         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2808                       &self->apply_prog);
2809         ASSERT_EQ(0, ret) {
2810                 TH_LOG("Expected the remaining sibling to sync");
2811         };
2812
2813         pthread_mutex_lock(&self->mutex);
2814
2815         /* If remaining sibling didn't have a chance to wake up during
2816          * the first broadcast, manually reduce the num_waits now.
2817          */
2818         if (self->sibling[sib].num_waits > 1)
2819                 self->sibling[sib].num_waits = 1;
2820         ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2821                 TH_LOG("cond broadcast non-zero");
2822         }
2823         pthread_mutex_unlock(&self->mutex);
2824         PTHREAD_JOIN(self->sibling[sib].tid, &status);
2825         EXPECT_EQ(0, (long)status);
2826         /* Poll for actual task death. pthread_join doesn't guarantee it. */
2827         while (!kill(self->sibling[sib].system_tid, 0))
2828                 nanosleep(&delay, NULL);
2829
2830         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2831                       &self->apply_prog);
2832         ASSERT_EQ(0, ret);  /* just us chickens */
2833 }
2834
2835 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
2836 TEST(syscall_restart)
2837 {
2838         long ret;
2839         unsigned long msg;
2840         pid_t child_pid;
2841         int pipefd[2];
2842         int status;
2843         siginfo_t info = { };
2844         struct sock_filter filter[] = {
2845                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2846                          offsetof(struct seccomp_data, nr)),
2847
2848 #ifdef __NR_sigreturn
2849                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 7, 0),
2850 #endif
2851                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 6, 0),
2852                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 5, 0),
2853                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 4, 0),
2854                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 5, 0),
2855                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_clock_nanosleep, 4, 0),
2856                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
2857
2858                 /* Allow __NR_write for easy logging. */
2859                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
2860                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2861                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2862                 /* The nanosleep jump target. */
2863                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100),
2864                 /* The restart_syscall jump target. */
2865                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200),
2866         };
2867         struct sock_fprog prog = {
2868                 .len = (unsigned short)ARRAY_SIZE(filter),
2869                 .filter = filter,
2870         };
2871 #if defined(__arm__)
2872         struct utsname utsbuf;
2873 #endif
2874
2875         ASSERT_EQ(0, pipe(pipefd));
2876
2877         child_pid = fork();
2878         ASSERT_LE(0, child_pid);
2879         if (child_pid == 0) {
2880                 /* Child uses EXPECT not ASSERT to deliver status correctly. */
2881                 char buf = ' ';
2882                 struct timespec timeout = { };
2883
2884                 /* Attach parent as tracer and stop. */
2885                 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
2886                 EXPECT_EQ(0, raise(SIGSTOP));
2887
2888                 EXPECT_EQ(0, close(pipefd[1]));
2889
2890                 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2891                         TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2892                 }
2893
2894                 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2895                 EXPECT_EQ(0, ret) {
2896                         TH_LOG("Failed to install filter!");
2897                 }
2898
2899                 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2900                         TH_LOG("Failed to read() sync from parent");
2901                 }
2902                 EXPECT_EQ('.', buf) {
2903                         TH_LOG("Failed to get sync data from read()");
2904                 }
2905
2906                 /* Start nanosleep to be interrupted. */
2907                 timeout.tv_sec = 1;
2908                 errno = 0;
2909                 EXPECT_EQ(0, nanosleep(&timeout, NULL)) {
2910                         TH_LOG("Call to nanosleep() failed (errno %d)", errno);
2911                 }
2912
2913                 /* Read final sync from parent. */
2914                 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2915                         TH_LOG("Failed final read() from parent");
2916                 }
2917                 EXPECT_EQ('!', buf) {
2918                         TH_LOG("Failed to get final data from read()");
2919                 }
2920
2921                 /* Directly report the status of our test harness results. */
2922                 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
2923                                                      : EXIT_FAILURE);
2924         }
2925         EXPECT_EQ(0, close(pipefd[0]));
2926
2927         /* Attach to child, setup options, and release. */
2928         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2929         ASSERT_EQ(true, WIFSTOPPED(status));
2930         ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
2931                             PTRACE_O_TRACESECCOMP));
2932         ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2933         ASSERT_EQ(1, write(pipefd[1], ".", 1));
2934
2935         /* Wait for nanosleep() to start. */
2936         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2937         ASSERT_EQ(true, WIFSTOPPED(status));
2938         ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2939         ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2940         ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2941         ASSERT_EQ(0x100, msg);
2942         ret = get_syscall(_metadata, child_pid);
2943         EXPECT_TRUE(ret == __NR_nanosleep || ret == __NR_clock_nanosleep);
2944
2945         /* Might as well check siginfo for sanity while we're here. */
2946         ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2947         ASSERT_EQ(SIGTRAP, info.si_signo);
2948         ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
2949         EXPECT_EQ(0, info.si_errno);
2950         EXPECT_EQ(getuid(), info.si_uid);
2951         /* Verify signal delivery came from child (seccomp-triggered). */
2952         EXPECT_EQ(child_pid, info.si_pid);
2953
2954         /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */
2955         ASSERT_EQ(0, kill(child_pid, SIGSTOP));
2956         ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2957         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2958         ASSERT_EQ(true, WIFSTOPPED(status));
2959         ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
2960         ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2961         /*
2962          * There is no siginfo on SIGSTOP any more, so we can't verify
2963          * signal delivery came from parent now (getpid() == info.si_pid).
2964          * https://lkml.kernel.org/r/CAGXu5jJaZAOzP1qFz66tYrtbuywqb+UN2SOA1VLHpCCOiYvYeg@mail.gmail.com
2965          * At least verify the SIGSTOP via PTRACE_GETSIGINFO.
2966          */
2967         EXPECT_EQ(SIGSTOP, info.si_signo);
2968
2969         /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */
2970         ASSERT_EQ(0, kill(child_pid, SIGCONT));
2971         ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2972         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2973         ASSERT_EQ(true, WIFSTOPPED(status));
2974         ASSERT_EQ(SIGCONT, WSTOPSIG(status));
2975         ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2976
2977         /* Wait for restart_syscall() to start. */
2978         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2979         ASSERT_EQ(true, WIFSTOPPED(status));
2980         ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2981         ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2982         ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2983
2984         ASSERT_EQ(0x200, msg);
2985         ret = get_syscall(_metadata, child_pid);
2986 #if defined(__arm__)
2987         /*
2988          * FIXME:
2989          * - native ARM registers do NOT expose true syscall.
2990          * - compat ARM registers on ARM64 DO expose true syscall.
2991          */
2992         ASSERT_EQ(0, uname(&utsbuf));
2993         if (strncmp(utsbuf.machine, "arm", 3) == 0) {
2994                 EXPECT_EQ(__NR_nanosleep, ret);
2995         } else
2996 #endif
2997         {
2998                 EXPECT_EQ(__NR_restart_syscall, ret);
2999         }
3000
3001         /* Write again to end test. */
3002         ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3003         ASSERT_EQ(1, write(pipefd[1], "!", 1));
3004         EXPECT_EQ(0, close(pipefd[1]));
3005
3006         ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3007         if (WIFSIGNALED(status) || WEXITSTATUS(status))
3008                 _metadata->passed = 0;
3009 }
3010
3011 TEST_SIGNAL(filter_flag_log, SIGSYS)
3012 {
3013         struct sock_filter allow_filter[] = {
3014                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3015         };
3016         struct sock_filter kill_filter[] = {
3017                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
3018                         offsetof(struct seccomp_data, nr)),
3019                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
3020                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
3021                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3022         };
3023         struct sock_fprog allow_prog = {
3024                 .len = (unsigned short)ARRAY_SIZE(allow_filter),
3025                 .filter = allow_filter,
3026         };
3027         struct sock_fprog kill_prog = {
3028                 .len = (unsigned short)ARRAY_SIZE(kill_filter),
3029                 .filter = kill_filter,
3030         };
3031         long ret;
3032         pid_t parent = getppid();
3033
3034         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3035         ASSERT_EQ(0, ret);
3036
3037         /* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */
3038         ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,
3039                       &allow_prog);
3040         ASSERT_NE(ENOSYS, errno) {
3041                 TH_LOG("Kernel does not support seccomp syscall!");
3042         }
3043         EXPECT_NE(0, ret) {
3044                 TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!");
3045         }
3046         EXPECT_EQ(EINVAL, errno) {
3047                 TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!");
3048         }
3049
3050         /* Verify that a simple, permissive filter can be added with no flags */
3051         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);
3052         EXPECT_EQ(0, ret);
3053
3054         /* See if the same filter can be added with the FILTER_FLAG_LOG flag */
3055         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3056                       &allow_prog);
3057         ASSERT_NE(EINVAL, errno) {
3058                 TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!");
3059         }
3060         EXPECT_EQ(0, ret);
3061
3062         /* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */
3063         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3064                       &kill_prog);
3065         EXPECT_EQ(0, ret);
3066
3067         EXPECT_EQ(parent, syscall(__NR_getppid));
3068         /* getpid() should never return. */
3069         EXPECT_EQ(0, syscall(__NR_getpid));
3070 }
3071
3072 TEST(get_action_avail)
3073 {
3074         __u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP,
3075                             SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE,
3076                             SECCOMP_RET_LOG,   SECCOMP_RET_ALLOW };
3077         __u32 unknown_action = 0x10000000U;
3078         int i;
3079         long ret;
3080
3081         ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]);
3082         ASSERT_NE(ENOSYS, errno) {
3083                 TH_LOG("Kernel does not support seccomp syscall!");
3084         }
3085         ASSERT_NE(EINVAL, errno) {
3086                 TH_LOG("Kernel does not support SECCOMP_GET_ACTION_AVAIL operation!");
3087         }
3088         EXPECT_EQ(ret, 0);
3089
3090         for (i = 0; i < ARRAY_SIZE(actions); i++) {
3091                 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]);
3092                 EXPECT_EQ(ret, 0) {
3093                         TH_LOG("Expected action (0x%X) not available!",
3094                                actions[i]);
3095                 }
3096         }
3097
3098         /* Check that an unknown action is handled properly (EOPNOTSUPP) */
3099         ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action);
3100         EXPECT_EQ(ret, -1);
3101         EXPECT_EQ(errno, EOPNOTSUPP);
3102 }
3103
3104 TEST(get_metadata)
3105 {
3106         pid_t pid;
3107         int pipefd[2];
3108         char buf;
3109         struct seccomp_metadata md;
3110         long ret;
3111
3112         /* Only real root can get metadata. */
3113         if (geteuid()) {
3114                 SKIP(return, "get_metadata requires real root");
3115                 return;
3116         }
3117
3118         ASSERT_EQ(0, pipe(pipefd));
3119
3120         pid = fork();
3121         ASSERT_GE(pid, 0);
3122         if (pid == 0) {
3123                 struct sock_filter filter[] = {
3124                         BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3125                 };
3126                 struct sock_fprog prog = {
3127                         .len = (unsigned short)ARRAY_SIZE(filter),
3128                         .filter = filter,
3129                 };
3130
3131                 /* one with log, one without */
3132                 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
3133                                      SECCOMP_FILTER_FLAG_LOG, &prog));
3134                 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
3135
3136                 EXPECT_EQ(0, close(pipefd[0]));
3137                 ASSERT_EQ(1, write(pipefd[1], "1", 1));
3138                 ASSERT_EQ(0, close(pipefd[1]));
3139
3140                 while (1)
3141                         sleep(100);
3142         }
3143
3144         ASSERT_EQ(0, close(pipefd[1]));
3145         ASSERT_EQ(1, read(pipefd[0], &buf, 1));
3146
3147         ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
3148         ASSERT_EQ(pid, waitpid(pid, NULL, 0));
3149
3150         /* Past here must not use ASSERT or child process is never killed. */
3151
3152         md.filter_off = 0;
3153         errno = 0;
3154         ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3155         EXPECT_EQ(sizeof(md), ret) {
3156                 if (errno == EINVAL)
3157                         SKIP(goto skip, "Kernel does not support PTRACE_SECCOMP_GET_METADATA (missing CONFIG_CHECKPOINT_RESTORE?)");
3158         }
3159
3160         EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
3161         EXPECT_EQ(md.filter_off, 0);
3162
3163         md.filter_off = 1;
3164         ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3165         EXPECT_EQ(sizeof(md), ret);
3166         EXPECT_EQ(md.flags, 0);
3167         EXPECT_EQ(md.filter_off, 1);
3168
3169 skip:
3170         ASSERT_EQ(0, kill(pid, SIGKILL));
3171 }
3172
3173 static int user_notif_syscall(int nr, unsigned int flags)
3174 {
3175         struct sock_filter filter[] = {
3176                 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
3177                         offsetof(struct seccomp_data, nr)),
3178                 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, nr, 0, 1),
3179                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_USER_NOTIF),
3180                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3181         };
3182
3183         struct sock_fprog prog = {
3184                 .len = (unsigned short)ARRAY_SIZE(filter),
3185                 .filter = filter,
3186         };
3187
3188         return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
3189 }
3190
3191 #define USER_NOTIF_MAGIC INT_MAX
3192 TEST(user_notification_basic)
3193 {
3194         pid_t pid;
3195         long ret;
3196         int status, listener;
3197         struct seccomp_notif req = {};
3198         struct seccomp_notif_resp resp = {};
3199         struct pollfd pollfd;
3200
3201         struct sock_filter filter[] = {
3202                 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3203         };
3204         struct sock_fprog prog = {
3205                 .len = (unsigned short)ARRAY_SIZE(filter),
3206                 .filter = filter,
3207         };
3208
3209         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3210         ASSERT_EQ(0, ret) {
3211                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3212         }
3213
3214         pid = fork();
3215         ASSERT_GE(pid, 0);
3216
3217         /* Check that we get -ENOSYS with no listener attached */
3218         if (pid == 0) {
3219                 if (user_notif_syscall(__NR_getppid, 0) < 0)
3220                         exit(1);
3221                 ret = syscall(__NR_getppid);
3222                 exit(ret >= 0 || errno != ENOSYS);
3223         }
3224
3225         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3226         EXPECT_EQ(true, WIFEXITED(status));
3227         EXPECT_EQ(0, WEXITSTATUS(status));
3228
3229         /* Add some no-op filters for grins. */
3230         EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3231         EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3232         EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3233         EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3234
3235         /* Check that the basic notification machinery works */
3236         listener = user_notif_syscall(__NR_getppid,
3237                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3238         ASSERT_GE(listener, 0);
3239
3240         /* Installing a second listener in the chain should EBUSY */
3241         EXPECT_EQ(user_notif_syscall(__NR_getppid,
3242                                      SECCOMP_FILTER_FLAG_NEW_LISTENER),
3243                   -1);
3244         EXPECT_EQ(errno, EBUSY);
3245
3246         pid = fork();
3247         ASSERT_GE(pid, 0);
3248
3249         if (pid == 0) {
3250                 ret = syscall(__NR_getppid);
3251                 exit(ret != USER_NOTIF_MAGIC);
3252         }
3253
3254         pollfd.fd = listener;
3255         pollfd.events = POLLIN | POLLOUT;
3256
3257         EXPECT_GT(poll(&pollfd, 1, -1), 0);
3258         EXPECT_EQ(pollfd.revents, POLLIN);
3259
3260         /* Test that we can't pass garbage to the kernel. */
3261         memset(&req, 0, sizeof(req));
3262         req.pid = -1;
3263         errno = 0;
3264         ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);
3265         EXPECT_EQ(-1, ret);
3266         EXPECT_EQ(EINVAL, errno);
3267
3268         if (ret) {
3269                 req.pid = 0;
3270                 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3271         }
3272
3273         pollfd.fd = listener;
3274         pollfd.events = POLLIN | POLLOUT;
3275
3276         EXPECT_GT(poll(&pollfd, 1, -1), 0);
3277         EXPECT_EQ(pollfd.revents, POLLOUT);
3278
3279         EXPECT_EQ(req.data.nr,  __NR_getppid);
3280
3281         resp.id = req.id;
3282         resp.error = 0;
3283         resp.val = USER_NOTIF_MAGIC;
3284
3285         /* check that we make sure flags == 0 */
3286         resp.flags = 1;
3287         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3288         EXPECT_EQ(errno, EINVAL);
3289
3290         resp.flags = 0;
3291         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3292
3293         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3294         EXPECT_EQ(true, WIFEXITED(status));
3295         EXPECT_EQ(0, WEXITSTATUS(status));
3296 }
3297
3298 TEST(user_notification_with_tsync)
3299 {
3300         int ret;
3301         unsigned int flags;
3302
3303         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3304         ASSERT_EQ(0, ret) {
3305                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3306         }
3307
3308         /* these were exclusive */
3309         flags = SECCOMP_FILTER_FLAG_NEW_LISTENER |
3310                 SECCOMP_FILTER_FLAG_TSYNC;
3311         ASSERT_EQ(-1, user_notif_syscall(__NR_getppid, flags));
3312         ASSERT_EQ(EINVAL, errno);
3313
3314         /* but now they're not */
3315         flags |= SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
3316         ret = user_notif_syscall(__NR_getppid, flags);
3317         close(ret);
3318         ASSERT_LE(0, ret);
3319 }
3320
3321 TEST(user_notification_kill_in_middle)
3322 {
3323         pid_t pid;
3324         long ret;
3325         int listener;
3326         struct seccomp_notif req = {};
3327         struct seccomp_notif_resp resp = {};
3328
3329         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3330         ASSERT_EQ(0, ret) {
3331                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3332         }
3333
3334         listener = user_notif_syscall(__NR_getppid,
3335                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3336         ASSERT_GE(listener, 0);
3337
3338         /*
3339          * Check that nothing bad happens when we kill the task in the middle
3340          * of a syscall.
3341          */
3342         pid = fork();
3343         ASSERT_GE(pid, 0);
3344
3345         if (pid == 0) {
3346                 ret = syscall(__NR_getppid);
3347                 exit(ret != USER_NOTIF_MAGIC);
3348         }
3349
3350         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3351         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), 0);
3352
3353         EXPECT_EQ(kill(pid, SIGKILL), 0);
3354         EXPECT_EQ(waitpid(pid, NULL, 0), pid);
3355
3356         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), -1);
3357
3358         resp.id = req.id;
3359         ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
3360         EXPECT_EQ(ret, -1);
3361         EXPECT_EQ(errno, ENOENT);
3362 }
3363
3364 static int handled = -1;
3365
3366 static void signal_handler(int signal)
3367 {
3368         if (write(handled, "c", 1) != 1)
3369                 perror("write from signal");
3370 }
3371
3372 TEST(user_notification_signal)
3373 {
3374         pid_t pid;
3375         long ret;
3376         int status, listener, sk_pair[2];
3377         struct seccomp_notif req = {};
3378         struct seccomp_notif_resp resp = {};
3379         char c;
3380
3381         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3382         ASSERT_EQ(0, ret) {
3383                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3384         }
3385
3386         ASSERT_EQ(socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair), 0);
3387
3388         listener = user_notif_syscall(__NR_gettid,
3389                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3390         ASSERT_GE(listener, 0);
3391
3392         pid = fork();
3393         ASSERT_GE(pid, 0);
3394
3395         if (pid == 0) {
3396                 close(sk_pair[0]);
3397                 handled = sk_pair[1];
3398                 if (signal(SIGUSR1, signal_handler) == SIG_ERR) {
3399                         perror("signal");
3400                         exit(1);
3401                 }
3402                 /*
3403                  * ERESTARTSYS behavior is a bit hard to test, because we need
3404                  * to rely on a signal that has not yet been handled. Let's at
3405                  * least check that the error code gets propagated through, and
3406                  * hope that it doesn't break when there is actually a signal :)
3407                  */
3408                 ret = syscall(__NR_gettid);
3409                 exit(!(ret == -1 && errno == 512));
3410         }
3411
3412         close(sk_pair[1]);
3413
3414         memset(&req, 0, sizeof(req));
3415         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3416
3417         EXPECT_EQ(kill(pid, SIGUSR1), 0);
3418
3419         /*
3420          * Make sure the signal really is delivered, which means we're not
3421          * stuck in the user notification code any more and the notification
3422          * should be dead.
3423          */
3424         EXPECT_EQ(read(sk_pair[0], &c, 1), 1);
3425
3426         resp.id = req.id;
3427         resp.error = -EPERM;
3428         resp.val = 0;
3429
3430         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3431         EXPECT_EQ(errno, ENOENT);
3432
3433         memset(&req, 0, sizeof(req));
3434         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3435
3436         resp.id = req.id;
3437         resp.error = -512; /* -ERESTARTSYS */
3438         resp.val = 0;
3439
3440         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3441
3442         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3443         EXPECT_EQ(true, WIFEXITED(status));
3444         EXPECT_EQ(0, WEXITSTATUS(status));
3445 }
3446
3447 TEST(user_notification_closed_listener)
3448 {
3449         pid_t pid;
3450         long ret;
3451         int status, listener;
3452
3453         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3454         ASSERT_EQ(0, ret) {
3455                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3456         }
3457
3458         listener = user_notif_syscall(__NR_getppid,
3459                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3460         ASSERT_GE(listener, 0);
3461
3462         /*
3463          * Check that we get an ENOSYS when the listener is closed.
3464          */
3465         pid = fork();
3466         ASSERT_GE(pid, 0);
3467         if (pid == 0) {
3468                 close(listener);
3469                 ret = syscall(__NR_getppid);
3470                 exit(ret != -1 && errno != ENOSYS);
3471         }
3472
3473         close(listener);
3474
3475         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3476         EXPECT_EQ(true, WIFEXITED(status));
3477         EXPECT_EQ(0, WEXITSTATUS(status));
3478 }
3479
3480 /*
3481  * Check that a pid in a child namespace still shows up as valid in ours.
3482  */
3483 TEST(user_notification_child_pid_ns)
3484 {
3485         pid_t pid;
3486         int status, listener;
3487         struct seccomp_notif req = {};
3488         struct seccomp_notif_resp resp = {};
3489
3490         ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0) {
3491                 if (errno == EINVAL)
3492                         SKIP(return, "kernel missing CLONE_NEWUSER support");
3493         };
3494
3495         listener = user_notif_syscall(__NR_getppid,
3496                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3497         ASSERT_GE(listener, 0);
3498
3499         pid = fork();
3500         ASSERT_GE(pid, 0);
3501
3502         if (pid == 0)
3503                 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3504
3505         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3506         EXPECT_EQ(req.pid, pid);
3507
3508         resp.id = req.id;
3509         resp.error = 0;
3510         resp.val = USER_NOTIF_MAGIC;
3511
3512         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3513
3514         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3515         EXPECT_EQ(true, WIFEXITED(status));
3516         EXPECT_EQ(0, WEXITSTATUS(status));
3517         close(listener);
3518 }
3519
3520 /*
3521  * Check that a pid in a sibling (i.e. unrelated) namespace shows up as 0, i.e.
3522  * invalid.
3523  */
3524 TEST(user_notification_sibling_pid_ns)
3525 {
3526         pid_t pid, pid2;
3527         int status, listener;
3528         struct seccomp_notif req = {};
3529         struct seccomp_notif_resp resp = {};
3530
3531         ASSERT_EQ(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), 0) {
3532                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3533         }
3534
3535         listener = user_notif_syscall(__NR_getppid,
3536                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3537         ASSERT_GE(listener, 0);
3538
3539         pid = fork();
3540         ASSERT_GE(pid, 0);
3541
3542         if (pid == 0) {
3543                 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3544
3545                 pid2 = fork();
3546                 ASSERT_GE(pid2, 0);
3547
3548                 if (pid2 == 0)
3549                         exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3550
3551                 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3552                 EXPECT_EQ(true, WIFEXITED(status));
3553                 EXPECT_EQ(0, WEXITSTATUS(status));
3554                 exit(WEXITSTATUS(status));
3555         }
3556
3557         /* Create the sibling ns, and sibling in it. */
3558         ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
3559                 if (errno == EPERM)
3560                         SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
3561         }
3562         ASSERT_EQ(errno, 0);
3563
3564         pid2 = fork();
3565         ASSERT_GE(pid2, 0);
3566
3567         if (pid2 == 0) {
3568                 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3569                 /*
3570                  * The pid should be 0, i.e. the task is in some namespace that
3571                  * we can't "see".
3572                  */
3573                 EXPECT_EQ(req.pid, 0);
3574
3575                 resp.id = req.id;
3576                 resp.error = 0;
3577                 resp.val = USER_NOTIF_MAGIC;
3578
3579                 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3580                 exit(0);
3581         }
3582
3583         close(listener);
3584
3585         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3586         EXPECT_EQ(true, WIFEXITED(status));
3587         EXPECT_EQ(0, WEXITSTATUS(status));
3588
3589         EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3590         EXPECT_EQ(true, WIFEXITED(status));
3591         EXPECT_EQ(0, WEXITSTATUS(status));
3592 }
3593
3594 TEST(user_notification_fault_recv)
3595 {
3596         pid_t pid;
3597         int status, listener;
3598         struct seccomp_notif req = {};
3599         struct seccomp_notif_resp resp = {};
3600
3601         ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
3602
3603         listener = user_notif_syscall(__NR_getppid,
3604                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3605         ASSERT_GE(listener, 0);
3606
3607         pid = fork();
3608         ASSERT_GE(pid, 0);
3609
3610         if (pid == 0)
3611                 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3612
3613         /* Do a bad recv() */
3614         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
3615         EXPECT_EQ(errno, EFAULT);
3616
3617         /* We should still be able to receive this notification, though. */
3618         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3619         EXPECT_EQ(req.pid, pid);
3620
3621         resp.id = req.id;
3622         resp.error = 0;
3623         resp.val = USER_NOTIF_MAGIC;
3624
3625         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3626
3627         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3628         EXPECT_EQ(true, WIFEXITED(status));
3629         EXPECT_EQ(0, WEXITSTATUS(status));
3630 }
3631
3632 TEST(seccomp_get_notif_sizes)
3633 {
3634         struct seccomp_notif_sizes sizes;
3635
3636         ASSERT_EQ(seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes), 0);
3637         EXPECT_EQ(sizes.seccomp_notif, sizeof(struct seccomp_notif));
3638         EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
3639 }
3640
3641 TEST(user_notification_continue)
3642 {
3643         pid_t pid;
3644         long ret;
3645         int status, listener;
3646         struct seccomp_notif req = {};
3647         struct seccomp_notif_resp resp = {};
3648         struct pollfd pollfd;
3649
3650         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3651         ASSERT_EQ(0, ret) {
3652                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3653         }
3654
3655         listener = user_notif_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3656         ASSERT_GE(listener, 0);
3657
3658         pid = fork();
3659         ASSERT_GE(pid, 0);
3660
3661         if (pid == 0) {
3662                 int dup_fd, pipe_fds[2];
3663                 pid_t self;
3664
3665                 ASSERT_GE(pipe(pipe_fds), 0);
3666
3667                 dup_fd = dup(pipe_fds[0]);
3668                 ASSERT_GE(dup_fd, 0);
3669                 EXPECT_NE(pipe_fds[0], dup_fd);
3670
3671                 self = getpid();
3672                 ASSERT_EQ(filecmp(self, self, pipe_fds[0], dup_fd), 0);
3673                 exit(0);
3674         }
3675
3676         pollfd.fd = listener;
3677         pollfd.events = POLLIN | POLLOUT;
3678
3679         EXPECT_GT(poll(&pollfd, 1, -1), 0);
3680         EXPECT_EQ(pollfd.revents, POLLIN);
3681
3682         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3683
3684         pollfd.fd = listener;
3685         pollfd.events = POLLIN | POLLOUT;
3686
3687         EXPECT_GT(poll(&pollfd, 1, -1), 0);
3688         EXPECT_EQ(pollfd.revents, POLLOUT);
3689
3690         EXPECT_EQ(req.data.nr, __NR_dup);
3691
3692         resp.id = req.id;
3693         resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
3694
3695         /*
3696          * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
3697          * args be set to 0.
3698          */
3699         resp.error = 0;
3700         resp.val = USER_NOTIF_MAGIC;
3701         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3702         EXPECT_EQ(errno, EINVAL);
3703
3704         resp.error = USER_NOTIF_MAGIC;
3705         resp.val = 0;
3706         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3707         EXPECT_EQ(errno, EINVAL);
3708
3709         resp.error = 0;
3710         resp.val = 0;
3711         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
3712                 if (errno == EINVAL)
3713                         SKIP(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
3714         }
3715
3716 skip:
3717         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3718         EXPECT_EQ(true, WIFEXITED(status));
3719         EXPECT_EQ(0, WEXITSTATUS(status)) {
3720                 if (WEXITSTATUS(status) == 2) {
3721                         SKIP(return, "Kernel does not support kcmp() syscall");
3722                         return;
3723                 }
3724         }
3725 }
3726
3727 TEST(user_notification_filter_empty)
3728 {
3729         pid_t pid;
3730         long ret;
3731         int status;
3732         struct pollfd pollfd;
3733         struct clone_args args = {
3734                 .flags = CLONE_FILES,
3735                 .exit_signal = SIGCHLD,
3736         };
3737
3738         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3739         ASSERT_EQ(0, ret) {
3740                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3741         }
3742
3743         pid = sys_clone3(&args, sizeof(args));
3744         ASSERT_GE(pid, 0);
3745
3746         if (pid == 0) {
3747                 int listener;
3748
3749                 listener = user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3750                 if (listener < 0)
3751                         _exit(EXIT_FAILURE);
3752
3753                 if (dup2(listener, 200) != 200)
3754                         _exit(EXIT_FAILURE);
3755
3756                 close(listener);
3757
3758                 _exit(EXIT_SUCCESS);
3759         }
3760
3761         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3762         EXPECT_EQ(true, WIFEXITED(status));
3763         EXPECT_EQ(0, WEXITSTATUS(status));
3764
3765         /*
3766          * The seccomp filter has become unused so we should be notified once
3767          * the kernel gets around to cleaning up task struct.
3768          */
3769         pollfd.fd = 200;
3770         pollfd.events = POLLHUP;
3771
3772         EXPECT_GT(poll(&pollfd, 1, 2000), 0);
3773         EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0);
3774 }
3775
3776 static void *do_thread(void *data)
3777 {
3778         return NULL;
3779 }
3780
3781 TEST(user_notification_filter_empty_threaded)
3782 {
3783         pid_t pid;
3784         long ret;
3785         int status;
3786         struct pollfd pollfd;
3787         struct clone_args args = {
3788                 .flags = CLONE_FILES,
3789                 .exit_signal = SIGCHLD,
3790         };
3791
3792         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3793         ASSERT_EQ(0, ret) {
3794                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3795         }
3796
3797         pid = sys_clone3(&args, sizeof(args));
3798         ASSERT_GE(pid, 0);
3799
3800         if (pid == 0) {
3801                 pid_t pid1, pid2;
3802                 int listener, status;
3803                 pthread_t thread;
3804
3805                 listener = user_notif_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3806                 if (listener < 0)
3807                         _exit(EXIT_FAILURE);
3808
3809                 if (dup2(listener, 200) != 200)
3810                         _exit(EXIT_FAILURE);
3811
3812                 close(listener);
3813
3814                 pid1 = fork();
3815                 if (pid1 < 0)
3816                         _exit(EXIT_FAILURE);
3817
3818                 if (pid1 == 0)
3819                         _exit(EXIT_SUCCESS);
3820
3821                 pid2 = fork();
3822                 if (pid2 < 0)
3823                         _exit(EXIT_FAILURE);
3824
3825                 if (pid2 == 0)
3826                         _exit(EXIT_SUCCESS);
3827
3828                 if (pthread_create(&thread, NULL, do_thread, NULL) ||
3829                     pthread_join(thread, NULL))
3830                         _exit(EXIT_FAILURE);
3831
3832                 if (pthread_create(&thread, NULL, do_thread, NULL) ||
3833                     pthread_join(thread, NULL))
3834                         _exit(EXIT_FAILURE);
3835
3836                 if (waitpid(pid1, &status, 0) != pid1 || !WIFEXITED(status) ||
3837                     WEXITSTATUS(status))
3838                         _exit(EXIT_FAILURE);
3839
3840                 if (waitpid(pid2, &status, 0) != pid2 || !WIFEXITED(status) ||
3841                     WEXITSTATUS(status))
3842                         _exit(EXIT_FAILURE);
3843
3844                 exit(EXIT_SUCCESS);
3845         }
3846
3847         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3848         EXPECT_EQ(true, WIFEXITED(status));
3849         EXPECT_EQ(0, WEXITSTATUS(status));
3850
3851         /*
3852          * The seccomp filter has become unused so we should be notified once
3853          * the kernel gets around to cleaning up task struct.
3854          */
3855         pollfd.fd = 200;
3856         pollfd.events = POLLHUP;
3857
3858         EXPECT_GT(poll(&pollfd, 1, 2000), 0);
3859         EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0);
3860 }
3861
3862 TEST(user_notification_addfd)
3863 {
3864         pid_t pid;
3865         long ret;
3866         int status, listener, memfd, fd;
3867         struct seccomp_notif_addfd addfd = {};
3868         struct seccomp_notif_addfd_small small = {};
3869         struct seccomp_notif_addfd_big big = {};
3870         struct seccomp_notif req = {};
3871         struct seccomp_notif_resp resp = {};
3872         /* 100 ms */
3873         struct timespec delay = { .tv_nsec = 100000000 };
3874
3875         memfd = memfd_create("test", 0);
3876         ASSERT_GE(memfd, 0);
3877
3878         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3879         ASSERT_EQ(0, ret) {
3880                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3881         }
3882
3883         /* Check that the basic notification machinery works */
3884         listener = user_notif_syscall(__NR_getppid,
3885                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
3886         ASSERT_GE(listener, 0);
3887
3888         pid = fork();
3889         ASSERT_GE(pid, 0);
3890
3891         if (pid == 0) {
3892                 if (syscall(__NR_getppid) != USER_NOTIF_MAGIC)
3893                         exit(1);
3894                 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3895         }
3896
3897         ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3898
3899         addfd.srcfd = memfd;
3900         addfd.newfd = 0;
3901         addfd.id = req.id;
3902         addfd.flags = 0x0;
3903
3904         /* Verify bad newfd_flags cannot be set */
3905         addfd.newfd_flags = ~O_CLOEXEC;
3906         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
3907         EXPECT_EQ(errno, EINVAL);
3908         addfd.newfd_flags = O_CLOEXEC;
3909
3910         /* Verify bad flags cannot be set */
3911         addfd.flags = 0xff;
3912         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
3913         EXPECT_EQ(errno, EINVAL);
3914         addfd.flags = 0;
3915
3916         /* Verify that remote_fd cannot be set without setting flags */
3917         addfd.newfd = 1;
3918         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
3919         EXPECT_EQ(errno, EINVAL);
3920         addfd.newfd = 0;
3921
3922         /* Verify small size cannot be set */
3923         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_SMALL, &small), -1);
3924         EXPECT_EQ(errno, EINVAL);
3925
3926         /* Verify we can't send bits filled in unknown buffer area */
3927         memset(&big, 0xAA, sizeof(big));
3928         big.addfd = addfd;
3929         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big), -1);
3930         EXPECT_EQ(errno, E2BIG);
3931
3932
3933         /* Verify we can set an arbitrary remote fd */
3934         fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
3935         /*
3936          * The child has fds 0(stdin), 1(stdout), 2(stderr), 3(memfd),
3937          * 4(listener), so the newly allocated fd should be 5.
3938          */
3939         EXPECT_EQ(fd, 5);
3940         EXPECT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
3941
3942         /* Verify we can set an arbitrary remote fd with large size */
3943         memset(&big, 0x0, sizeof(big));
3944         big.addfd = addfd;
3945         fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big);
3946         EXPECT_EQ(fd, 6);
3947
3948         /* Verify we can set a specific remote fd */
3949         addfd.newfd = 42;
3950         addfd.flags = SECCOMP_ADDFD_FLAG_SETFD;
3951         fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
3952         EXPECT_EQ(fd, 42);
3953         EXPECT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
3954
3955         /* Resume syscall */
3956         resp.id = req.id;
3957         resp.error = 0;
3958         resp.val = USER_NOTIF_MAGIC;
3959         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3960
3961         /*
3962          * This sets the ID of the ADD FD to the last request plus 1. The
3963          * notification ID increments 1 per notification.
3964          */
3965         addfd.id = req.id + 1;
3966
3967         /* This spins until the underlying notification is generated */
3968         while (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) != -1 &&
3969                errno != -EINPROGRESS)
3970                 nanosleep(&delay, NULL);
3971
3972         memset(&req, 0, sizeof(req));
3973         ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3974         ASSERT_EQ(addfd.id, req.id);
3975
3976         resp.id = req.id;
3977         resp.error = 0;
3978         resp.val = USER_NOTIF_MAGIC;
3979         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3980
3981         /* Wait for child to finish. */
3982         EXPECT_EQ(waitpid(pid, &status, 0), pid);
3983         EXPECT_EQ(true, WIFEXITED(status));
3984         EXPECT_EQ(0, WEXITSTATUS(status));
3985
3986         close(memfd);
3987 }
3988
3989 TEST(user_notification_addfd_rlimit)
3990 {
3991         pid_t pid;
3992         long ret;
3993         int status, listener, memfd;
3994         struct seccomp_notif_addfd addfd = {};
3995         struct seccomp_notif req = {};
3996         struct seccomp_notif_resp resp = {};
3997         const struct rlimit lim = {
3998                 .rlim_cur       = 0,
3999                 .rlim_max       = 0,
4000         };
4001
4002         memfd = memfd_create("test", 0);
4003         ASSERT_GE(memfd, 0);
4004
4005         ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
4006         ASSERT_EQ(0, ret) {
4007                 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
4008         }
4009
4010         /* Check that the basic notification machinery works */
4011         listener = user_notif_syscall(__NR_getppid,
4012                                       SECCOMP_FILTER_FLAG_NEW_LISTENER);
4013         ASSERT_GE(listener, 0);
4014
4015         pid = fork();
4016         ASSERT_GE(pid, 0);
4017
4018         if (pid == 0)
4019                 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
4020
4021
4022         ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
4023
4024         ASSERT_EQ(prlimit(pid, RLIMIT_NOFILE, &lim, NULL), 0);
4025
4026         addfd.srcfd = memfd;
4027         addfd.newfd_flags = O_CLOEXEC;
4028         addfd.newfd = 0;
4029         addfd.id = req.id;
4030         addfd.flags = 0;
4031
4032         /* Should probably spot check /proc/sys/fs/file-nr */
4033         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4034         EXPECT_EQ(errno, EMFILE);
4035
4036         addfd.newfd = 100;
4037         addfd.flags = SECCOMP_ADDFD_FLAG_SETFD;
4038         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4039         EXPECT_EQ(errno, EBADF);
4040
4041         resp.id = req.id;
4042         resp.error = 0;
4043         resp.val = USER_NOTIF_MAGIC;
4044
4045         EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
4046
4047         /* Wait for child to finish. */
4048         EXPECT_EQ(waitpid(pid, &status, 0), pid);
4049         EXPECT_EQ(true, WIFEXITED(status));
4050         EXPECT_EQ(0, WEXITSTATUS(status));
4051
4052         close(memfd);
4053 }
4054
4055 /*
4056  * TODO:
4057  * - expand NNP testing
4058  * - better arch-specific TRACE and TRAP handlers.
4059  * - endianness checking when appropriate
4060  * - 64-bit arg prodding
4061  * - arch value testing (x86 modes especially)
4062  * - verify that FILTER_FLAG_LOG filters generate log messages
4063  * - verify that RET_LOG generates log messages
4064  */
4065
4066 TEST_HARNESS_MAIN
MicroBlaze GIT Repository