1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
5 * Test code for seccomp bpf.
12 * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
13 * we need to use the kernel's siginfo.h file and trick glibc
16 #if !__GLIBC_PREREQ(2, 26)
17 # include <asm/siginfo.h>
18 # define __have_siginfo_t 1
19 # define __have_sigval_t 1
20 # define __have_sigevent_t 1
24 #include <linux/filter.h>
25 #include <sys/prctl.h>
26 #include <sys/ptrace.h>
28 #include <linux/prctl.h>
29 #include <linux/ptrace.h>
30 #include <linux/seccomp.h>
32 #include <semaphore.h>
39 #include <linux/elf.h>
41 #include <sys/utsname.h>
42 #include <sys/fcntl.h>
44 #include <sys/times.h>
45 #include <sys/socket.h>
46 #include <sys/ioctl.h>
47 #include <linux/kcmp.h>
48 #include <sys/resource.h>
51 #include <sys/syscall.h>
54 #include "../kselftest_harness.h"
55 #include "../clone3/clone3_selftests.h"
57 /* Attempt to de-conflict with the selftests tree. */
59 #define SKIP(s, ...) XFAIL(s, ##__VA_ARGS__)
62 #ifndef PR_SET_PTRACER
63 # define PR_SET_PTRACER 0x59616d61
66 #ifndef PR_SET_NO_NEW_PRIVS
67 #define PR_SET_NO_NEW_PRIVS 38
68 #define PR_GET_NO_NEW_PRIVS 39
71 #ifndef PR_SECCOMP_EXT
72 #define PR_SECCOMP_EXT 43
75 #ifndef SECCOMP_EXT_ACT
76 #define SECCOMP_EXT_ACT 1
79 #ifndef SECCOMP_EXT_ACT_TSYNC
80 #define SECCOMP_EXT_ACT_TSYNC 1
83 #ifndef SECCOMP_MODE_STRICT
84 #define SECCOMP_MODE_STRICT 1
87 #ifndef SECCOMP_MODE_FILTER
88 #define SECCOMP_MODE_FILTER 2
91 #ifndef SECCOMP_RET_ALLOW
95 __u64 instruction_pointer;
100 #ifndef SECCOMP_RET_KILL_PROCESS
101 #define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
102 #define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
104 #ifndef SECCOMP_RET_KILL
105 #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
106 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
107 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
108 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
109 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
111 #ifndef SECCOMP_RET_LOG
112 #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
116 # if defined(__i386__)
117 # define __NR_seccomp 354
118 # elif defined(__x86_64__)
119 # define __NR_seccomp 317
120 # elif defined(__arm__)
121 # define __NR_seccomp 383
122 # elif defined(__aarch64__)
123 # define __NR_seccomp 277
124 # elif defined(__riscv)
125 # define __NR_seccomp 277
126 # elif defined(__csky__)
127 # define __NR_seccomp 277
128 # elif defined(__hppa__)
129 # define __NR_seccomp 338
130 # elif defined(__powerpc__)
131 # define __NR_seccomp 358
132 # elif defined(__s390__)
133 # define __NR_seccomp 348
134 # elif defined(__xtensa__)
135 # define __NR_seccomp 337
136 # elif defined(__sh__)
137 # define __NR_seccomp 372
139 # warning "seccomp syscall number unknown for this architecture"
140 # define __NR_seccomp 0xffff
144 #ifndef SECCOMP_SET_MODE_STRICT
145 #define SECCOMP_SET_MODE_STRICT 0
148 #ifndef SECCOMP_SET_MODE_FILTER
149 #define SECCOMP_SET_MODE_FILTER 1
152 #ifndef SECCOMP_GET_ACTION_AVAIL
153 #define SECCOMP_GET_ACTION_AVAIL 2
156 #ifndef SECCOMP_GET_NOTIF_SIZES
157 #define SECCOMP_GET_NOTIF_SIZES 3
160 #ifndef SECCOMP_FILTER_FLAG_TSYNC
161 #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
164 #ifndef SECCOMP_FILTER_FLAG_LOG
165 #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
168 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
169 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
172 #ifndef PTRACE_SECCOMP_GET_METADATA
173 #define PTRACE_SECCOMP_GET_METADATA 0x420d
175 struct seccomp_metadata {
176 __u64 filter_off; /* Input: which filter */
177 __u64 flags; /* Output: filter's flags */
181 #ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
182 #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
185 #ifndef SECCOMP_RET_USER_NOTIF
186 #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
188 #define SECCOMP_IOC_MAGIC '!'
189 #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
190 #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
191 #define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
192 #define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
194 /* Flags for seccomp notification fd ioctl. */
195 #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
196 #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
197 struct seccomp_notif_resp)
198 #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOW(2, __u64)
200 struct seccomp_notif {
204 struct seccomp_data data;
207 struct seccomp_notif_resp {
214 struct seccomp_notif_sizes {
216 __u16 seccomp_notif_resp;
221 #ifndef SECCOMP_IOCTL_NOTIF_ADDFD
222 /* On success, the return value is the remote process's added fd number */
223 #define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOW(3, \
224 struct seccomp_notif_addfd)
226 /* valid flags for seccomp_notif_addfd */
227 #define SECCOMP_ADDFD_FLAG_SETFD (1UL << 0) /* Specify remote fd */
229 struct seccomp_notif_addfd {
238 struct seccomp_notif_addfd_small {
242 #define SECCOMP_IOCTL_NOTIF_ADDFD_SMALL \
243 SECCOMP_IOW(3, struct seccomp_notif_addfd_small)
245 struct seccomp_notif_addfd_big {
247 struct seccomp_notif_addfd addfd;
248 char buf[sizeof(struct seccomp_notif_addfd) + 8];
251 #define SECCOMP_IOCTL_NOTIF_ADDFD_BIG \
252 SECCOMP_IOWR(3, struct seccomp_notif_addfd_big)
254 #ifndef PTRACE_EVENTMSG_SYSCALL_ENTRY
255 #define PTRACE_EVENTMSG_SYSCALL_ENTRY 1
256 #define PTRACE_EVENTMSG_SYSCALL_EXIT 2
259 #ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
260 #define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
263 #ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
264 #define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
268 int seccomp(unsigned int op, unsigned int flags, void *args)
271 return syscall(__NR_seccomp, op, flags, args);
275 #if __BYTE_ORDER == __LITTLE_ENDIAN
276 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
277 #elif __BYTE_ORDER == __BIG_ENDIAN
278 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32))
280 #error "wut? Unknown __BYTE_ORDER?!"
283 #define SIBLING_EXIT_UNKILLED 0xbadbeef
284 #define SIBLING_EXIT_FAILURE 0xbadface
285 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
287 static int __filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
291 return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
298 /* Have TH_LOG report actual location filecmp() is used. */
299 #define filecmp(pid1, pid2, fd1, fd2) ({ \
302 _ret = __filecmp(pid1, pid2, fd1, fd2); \
304 if (_ret < 0 && errno == ENOSYS) { \
305 TH_LOG("kcmp() syscall missing (test is less accurate)");\
315 ret = __filecmp(getpid(), getpid(), 1, 1);
317 if (ret != 0 && errno == ENOSYS)
318 SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)");
321 TEST(mode_strict_support)
325 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
327 TH_LOG("Kernel does not support CONFIG_SECCOMP");
329 syscall(__NR_exit, 0);
332 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
336 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
338 TH_LOG("Kernel does not support CONFIG_SECCOMP");
340 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
343 TH_LOG("Unreachable!");
347 /* Note! This doesn't test no new privs behavior */
348 TEST(no_new_privs_support)
352 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
354 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
358 /* Tests kernel support by checking for a copy_from_user() fault on NULL. */
359 TEST(mode_filter_support)
363 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
365 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
367 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
369 EXPECT_EQ(EFAULT, errno) {
370 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
374 TEST(mode_filter_without_nnp)
376 struct sock_filter filter[] = {
377 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
379 struct sock_fprog prog = {
380 .len = (unsigned short)ARRAY_SIZE(filter),
385 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
387 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
390 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
391 /* Succeeds with CAP_SYS_ADMIN, fails without */
392 /* TODO(wad) check caps not euid */
395 EXPECT_EQ(EACCES, errno);
401 #define MAX_INSNS_PER_PATH 32768
403 TEST(filter_size_limits)
406 int count = BPF_MAXINSNS + 1;
407 struct sock_filter allow[] = {
408 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
410 struct sock_filter *filter;
411 struct sock_fprog prog = { };
414 filter = calloc(count, sizeof(*filter));
415 ASSERT_NE(NULL, filter);
417 for (i = 0; i < count; i++)
418 filter[i] = allow[0];
420 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
423 prog.filter = filter;
426 /* Too many filter instructions in a single filter. */
427 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
429 TH_LOG("Installing %d insn filter was allowed", prog.len);
432 /* One less is okay, though. */
434 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
436 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
440 TEST(filter_chain_limits)
443 int count = BPF_MAXINSNS;
444 struct sock_filter allow[] = {
445 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
447 struct sock_filter *filter;
448 struct sock_fprog prog = { };
451 filter = calloc(count, sizeof(*filter));
452 ASSERT_NE(NULL, filter);
454 for (i = 0; i < count; i++)
455 filter[i] = allow[0];
457 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
460 prog.filter = filter;
463 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
468 /* Too many total filter instructions. */
469 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
470 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
475 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
476 i, count, i * (count + 4));
480 TEST(mode_filter_cannot_move_to_strict)
482 struct sock_filter filter[] = {
483 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
485 struct sock_fprog prog = {
486 .len = (unsigned short)ARRAY_SIZE(filter),
491 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
494 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
497 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
499 EXPECT_EQ(EINVAL, errno);
503 TEST(mode_filter_get_seccomp)
505 struct sock_filter filter[] = {
506 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
508 struct sock_fprog prog = {
509 .len = (unsigned short)ARRAY_SIZE(filter),
514 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
517 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
520 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
523 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
530 struct sock_filter filter[] = {
531 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
533 struct sock_fprog prog = {
534 .len = (unsigned short)ARRAY_SIZE(filter),
539 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
542 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
548 struct sock_filter filter[] = {
550 struct sock_fprog prog = {
551 .len = (unsigned short)ARRAY_SIZE(filter),
556 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
559 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
561 EXPECT_EQ(EINVAL, errno);
566 struct sock_filter filter[] = {
567 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
569 struct sock_fprog prog = {
570 .len = (unsigned short)ARRAY_SIZE(filter),
574 pid_t parent = getppid();
576 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
579 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
582 /* getppid() should succeed and be logged (no check for logging) */
583 EXPECT_EQ(parent, syscall(__NR_getppid));
586 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
588 struct sock_filter filter[] = {
589 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
591 struct sock_fprog prog = {
592 .len = (unsigned short)ARRAY_SIZE(filter),
597 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
600 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
602 EXPECT_EQ(0, syscall(__NR_getpid)) {
603 TH_LOG("getpid() shouldn't ever return");
607 /* return code >= 0x80000000 is unused. */
608 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
610 struct sock_filter filter[] = {
611 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
613 struct sock_fprog prog = {
614 .len = (unsigned short)ARRAY_SIZE(filter),
619 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
622 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
624 EXPECT_EQ(0, syscall(__NR_getpid)) {
625 TH_LOG("getpid() shouldn't ever return");
629 TEST_SIGNAL(KILL_all, SIGSYS)
631 struct sock_filter filter[] = {
632 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
634 struct sock_fprog prog = {
635 .len = (unsigned short)ARRAY_SIZE(filter),
640 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
643 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
647 TEST_SIGNAL(KILL_one, SIGSYS)
649 struct sock_filter filter[] = {
650 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
651 offsetof(struct seccomp_data, nr)),
652 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
653 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
654 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
656 struct sock_fprog prog = {
657 .len = (unsigned short)ARRAY_SIZE(filter),
661 pid_t parent = getppid();
663 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
666 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
669 EXPECT_EQ(parent, syscall(__NR_getppid));
670 /* getpid() should never return. */
671 EXPECT_EQ(0, syscall(__NR_getpid));
674 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
677 struct sock_filter filter[] = {
678 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
679 offsetof(struct seccomp_data, nr)),
680 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0),
681 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
682 /* Only both with lower 32-bit for now. */
683 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
684 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K,
685 (unsigned long)&fatal_address, 0, 1),
686 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
687 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
689 struct sock_fprog prog = {
690 .len = (unsigned short)ARRAY_SIZE(filter),
694 pid_t parent = getppid();
696 clock_t clock = times(&timebuf);
698 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
701 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
704 EXPECT_EQ(parent, syscall(__NR_getppid));
705 EXPECT_LE(clock, syscall(__NR_times, &timebuf));
706 /* times() should never return. */
707 EXPECT_EQ(0, syscall(__NR_times, &fatal_address));
710 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
713 int sysno = __NR_mmap;
715 int sysno = __NR_mmap2;
717 struct sock_filter filter[] = {
718 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
719 offsetof(struct seccomp_data, nr)),
720 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0),
721 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
722 /* Only both with lower 32-bit for now. */
723 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
724 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
725 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
726 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
728 struct sock_fprog prog = {
729 .len = (unsigned short)ARRAY_SIZE(filter),
733 pid_t parent = getppid();
736 int page_size = sysconf(_SC_PAGESIZE);
738 ASSERT_LT(0, page_size);
740 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
743 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
746 fd = open("/dev/zero", O_RDONLY);
749 EXPECT_EQ(parent, syscall(__NR_getppid));
750 map1 = (void *)syscall(sysno,
751 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size);
752 EXPECT_NE(MAP_FAILED, map1);
753 /* mmap2() should never return. */
754 map2 = (void *)syscall(sysno,
755 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE);
756 EXPECT_EQ(MAP_FAILED, map2);
758 /* The test failed, so clean up the resources. */
759 munmap(map1, page_size);
760 munmap(map2, page_size);
764 /* This is a thread task to die via seccomp filter violation. */
765 void *kill_thread(void *data)
767 bool die = (bool)data;
770 prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
771 return (void *)SIBLING_EXIT_FAILURE;
774 return (void *)SIBLING_EXIT_UNKILLED;
783 /* Prepare a thread that will kill itself or both of us. */
784 void kill_thread_or_group(struct __test_metadata *_metadata,
785 enum kill_t kill_how)
789 /* Kill only when calling __NR_prctl. */
790 struct sock_filter filter_thread[] = {
791 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
792 offsetof(struct seccomp_data, nr)),
793 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
794 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD),
795 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
797 struct sock_fprog prog_thread = {
798 .len = (unsigned short)ARRAY_SIZE(filter_thread),
799 .filter = filter_thread,
801 int kill = kill_how == KILL_PROCESS ? SECCOMP_RET_KILL_PROCESS : 0xAAAAAAAAA;
802 struct sock_filter filter_process[] = {
803 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
804 offsetof(struct seccomp_data, nr)),
805 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
806 BPF_STMT(BPF_RET|BPF_K, kill),
807 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
809 struct sock_fprog prog_process = {
810 .len = (unsigned short)ARRAY_SIZE(filter_process),
811 .filter = filter_process,
814 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
815 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
818 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0,
819 kill_how == KILL_THREAD ? &prog_thread
823 * Add the KILL_THREAD rule again to make sure that the KILL_PROCESS
824 * flag cannot be downgraded by a new filter.
826 if (kill_how == KILL_PROCESS)
827 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread));
829 /* Start a thread that will exit immediately. */
830 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)false));
831 ASSERT_EQ(0, pthread_join(thread, &status));
832 ASSERT_EQ(SIBLING_EXIT_UNKILLED, (unsigned long)status);
834 /* Start a thread that will die immediately. */
835 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)true));
836 ASSERT_EQ(0, pthread_join(thread, &status));
837 ASSERT_NE(SIBLING_EXIT_FAILURE, (unsigned long)status);
840 * If we get here, only the spawned thread died. Let the parent know
841 * the whole process didn't die (i.e. this thread, the spawner,
853 ASSERT_LE(0, child_pid);
854 if (child_pid == 0) {
855 kill_thread_or_group(_metadata, KILL_THREAD);
859 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
861 /* If only the thread was killed, we'll see exit 42. */
862 ASSERT_TRUE(WIFEXITED(status));
863 ASSERT_EQ(42, WEXITSTATUS(status));
872 ASSERT_LE(0, child_pid);
873 if (child_pid == 0) {
874 kill_thread_or_group(_metadata, KILL_PROCESS);
878 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
880 /* If the entire process was killed, we'll see SIGSYS. */
881 ASSERT_TRUE(WIFSIGNALED(status));
882 ASSERT_EQ(SIGSYS, WTERMSIG(status));
891 ASSERT_LE(0, child_pid);
892 if (child_pid == 0) {
893 kill_thread_or_group(_metadata, RET_UNKNOWN);
897 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
899 /* If the entire process was killed, we'll see SIGSYS. */
900 EXPECT_TRUE(WIFSIGNALED(status)) {
901 TH_LOG("Unknown SECCOMP_RET is only killing the thread?");
903 ASSERT_EQ(SIGSYS, WTERMSIG(status));
906 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
907 TEST(arg_out_of_range)
909 struct sock_filter filter[] = {
910 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
911 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
913 struct sock_fprog prog = {
914 .len = (unsigned short)ARRAY_SIZE(filter),
919 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
922 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
924 EXPECT_EQ(EINVAL, errno);
927 #define ERRNO_FILTER(name, errno) \
928 struct sock_filter _read_filter_##name[] = { \
929 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, \
930 offsetof(struct seccomp_data, nr)), \
931 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), \
932 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno), \
933 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \
935 struct sock_fprog prog_##name = { \
936 .len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \
937 .filter = _read_filter_##name, \
940 /* Make sure basic errno values are correctly passed through a filter. */
943 ERRNO_FILTER(valid, E2BIG);
945 pid_t parent = getppid();
947 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
950 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid);
953 EXPECT_EQ(parent, syscall(__NR_getppid));
954 EXPECT_EQ(-1, read(0, NULL, 0));
955 EXPECT_EQ(E2BIG, errno);
958 /* Make sure an errno of zero is correctly handled by the arch code. */
961 ERRNO_FILTER(zero, 0);
963 pid_t parent = getppid();
965 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
968 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero);
971 EXPECT_EQ(parent, syscall(__NR_getppid));
972 /* "errno" of 0 is ok. */
973 EXPECT_EQ(0, read(0, NULL, 0));
977 * The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller.
978 * This tests that the errno value gets capped correctly, fixed by
979 * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
983 ERRNO_FILTER(capped, 4096);
985 pid_t parent = getppid();
987 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
990 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped);
993 EXPECT_EQ(parent, syscall(__NR_getppid));
994 EXPECT_EQ(-1, read(0, NULL, 0));
995 EXPECT_EQ(4095, errno);
999 * Filters are processed in reverse order: last applied is executed first.
1000 * Since only the SECCOMP_RET_ACTION mask is tested for return values, the
1001 * SECCOMP_RET_DATA mask results will follow the most recently applied
1002 * matching filter return (and not the lowest or highest value).
1006 ERRNO_FILTER(first, 11);
1007 ERRNO_FILTER(second, 13);
1008 ERRNO_FILTER(third, 12);
1010 pid_t parent = getppid();
1012 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1015 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first);
1018 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second);
1021 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third);
1024 EXPECT_EQ(parent, syscall(__NR_getppid));
1025 EXPECT_EQ(-1, read(0, NULL, 0));
1026 EXPECT_EQ(12, errno);
1030 struct sock_fprog prog;
1035 struct sock_filter filter[] = {
1036 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1037 offsetof(struct seccomp_data, nr)),
1038 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1039 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1040 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1043 memset(&self->prog, 0, sizeof(self->prog));
1044 self->prog.filter = malloc(sizeof(filter));
1045 ASSERT_NE(NULL, self->prog.filter);
1046 memcpy(self->prog.filter, filter, sizeof(filter));
1047 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1050 FIXTURE_TEARDOWN(TRAP)
1052 if (self->prog.filter)
1053 free(self->prog.filter);
1056 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
1060 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1063 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1065 syscall(__NR_getpid);
1068 /* Ensure that SIGSYS overrides SIG_IGN */
1069 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
1073 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1076 signal(SIGSYS, SIG_IGN);
1078 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1080 syscall(__NR_getpid);
1083 static siginfo_t TRAP_info;
1084 static volatile int TRAP_nr;
1085 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
1087 memcpy(&TRAP_info, info, sizeof(TRAP_info));
1091 TEST_F(TRAP, handler)
1094 struct sigaction act;
1097 memset(&act, 0, sizeof(act));
1099 sigaddset(&mask, SIGSYS);
1101 act.sa_sigaction = &TRAP_action;
1102 act.sa_flags = SA_SIGINFO;
1103 ret = sigaction(SIGSYS, &act, NULL);
1105 TH_LOG("sigaction failed");
1107 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
1109 TH_LOG("sigprocmask failed");
1112 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1114 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1117 memset(&TRAP_info, 0, sizeof(TRAP_info));
1118 /* Expect the registers to be rolled back. (nr = error) may vary
1120 ret = syscall(__NR_getpid);
1121 /* Silence gcc warning about volatile. */
1123 EXPECT_EQ(SIGSYS, test);
1124 struct local_sigsys {
1125 void *_call_addr; /* calling user insn */
1126 int _syscall; /* triggering system call number */
1127 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
1128 } *sigsys = (struct local_sigsys *)
1130 &(TRAP_info.si_call_addr);
1134 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
1135 /* Make sure arch is non-zero. */
1136 EXPECT_NE(0, sigsys->_arch);
1137 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
1140 FIXTURE(precedence) {
1141 struct sock_fprog allow;
1142 struct sock_fprog log;
1143 struct sock_fprog trace;
1144 struct sock_fprog error;
1145 struct sock_fprog trap;
1146 struct sock_fprog kill;
1149 FIXTURE_SETUP(precedence)
1151 struct sock_filter allow_insns[] = {
1152 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1154 struct sock_filter log_insns[] = {
1155 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1156 offsetof(struct seccomp_data, nr)),
1157 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1158 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1159 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
1161 struct sock_filter trace_insns[] = {
1162 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1163 offsetof(struct seccomp_data, nr)),
1164 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1165 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1166 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
1168 struct sock_filter error_insns[] = {
1169 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1170 offsetof(struct seccomp_data, nr)),
1171 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1172 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1173 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
1175 struct sock_filter trap_insns[] = {
1176 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1177 offsetof(struct seccomp_data, nr)),
1178 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1179 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1180 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1182 struct sock_filter kill_insns[] = {
1183 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1184 offsetof(struct seccomp_data, nr)),
1185 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1186 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1187 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1190 memset(self, 0, sizeof(*self));
1191 #define FILTER_ALLOC(_x) \
1192 self->_x.filter = malloc(sizeof(_x##_insns)); \
1193 ASSERT_NE(NULL, self->_x.filter); \
1194 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
1195 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
1196 FILTER_ALLOC(allow);
1198 FILTER_ALLOC(trace);
1199 FILTER_ALLOC(error);
1204 FIXTURE_TEARDOWN(precedence)
1206 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
1215 TEST_F(precedence, allow_ok)
1217 pid_t parent, res = 0;
1221 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1224 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1226 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1228 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1230 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1232 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1234 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1236 /* Should work just fine. */
1237 res = syscall(__NR_getppid);
1238 EXPECT_EQ(parent, res);
1241 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
1243 pid_t parent, res = 0;
1247 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1250 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1252 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1254 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1256 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1258 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1260 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1262 /* Should work just fine. */
1263 res = syscall(__NR_getppid);
1264 EXPECT_EQ(parent, res);
1265 /* getpid() should never return. */
1266 res = syscall(__NR_getpid);
1270 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
1276 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1279 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1281 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1283 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1285 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1287 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1289 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1291 /* Should work just fine. */
1292 EXPECT_EQ(parent, syscall(__NR_getppid));
1293 /* getpid() should never return. */
1294 EXPECT_EQ(0, syscall(__NR_getpid));
1297 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
1303 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1306 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1308 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1310 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1312 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1314 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1316 /* Should work just fine. */
1317 EXPECT_EQ(parent, syscall(__NR_getppid));
1318 /* getpid() should never return. */
1319 EXPECT_EQ(0, syscall(__NR_getpid));
1322 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
1328 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1331 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1333 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1335 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1337 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1339 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1341 /* Should work just fine. */
1342 EXPECT_EQ(parent, syscall(__NR_getppid));
1343 /* getpid() should never return. */
1344 EXPECT_EQ(0, syscall(__NR_getpid));
1347 TEST_F(precedence, errno_is_third)
1353 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1356 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1358 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1360 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1362 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1364 /* Should work just fine. */
1365 EXPECT_EQ(parent, syscall(__NR_getppid));
1366 EXPECT_EQ(0, syscall(__NR_getpid));
1369 TEST_F(precedence, errno_is_third_in_any_order)
1375 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1378 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1380 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1382 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1384 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1386 /* Should work just fine. */
1387 EXPECT_EQ(parent, syscall(__NR_getppid));
1388 EXPECT_EQ(0, syscall(__NR_getpid));
1391 TEST_F(precedence, trace_is_fourth)
1397 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1400 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1402 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1404 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1406 /* Should work just fine. */
1407 EXPECT_EQ(parent, syscall(__NR_getppid));
1409 EXPECT_EQ(-1, syscall(__NR_getpid));
1412 TEST_F(precedence, trace_is_fourth_in_any_order)
1418 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1421 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1423 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1425 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1427 /* Should work just fine. */
1428 EXPECT_EQ(parent, syscall(__NR_getppid));
1430 EXPECT_EQ(-1, syscall(__NR_getpid));
1433 TEST_F(precedence, log_is_fifth)
1435 pid_t mypid, parent;
1440 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1443 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1445 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1447 /* Should work just fine. */
1448 EXPECT_EQ(parent, syscall(__NR_getppid));
1449 /* Should also work just fine */
1450 EXPECT_EQ(mypid, syscall(__NR_getpid));
1453 TEST_F(precedence, log_is_fifth_in_any_order)
1455 pid_t mypid, parent;
1460 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1463 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1465 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1467 /* Should work just fine. */
1468 EXPECT_EQ(parent, syscall(__NR_getppid));
1469 /* Should also work just fine */
1470 EXPECT_EQ(mypid, syscall(__NR_getpid));
1473 #ifndef PTRACE_O_TRACESECCOMP
1474 #define PTRACE_O_TRACESECCOMP 0x00000080
1477 /* Catch the Ubuntu 12.04 value error. */
1478 #if PTRACE_EVENT_SECCOMP != 7
1479 #undef PTRACE_EVENT_SECCOMP
1482 #ifndef PTRACE_EVENT_SECCOMP
1483 #define PTRACE_EVENT_SECCOMP 7
1486 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
1487 bool tracer_running;
1488 void tracer_stop(int sig)
1490 tracer_running = false;
1493 typedef void tracer_func_t(struct __test_metadata *_metadata,
1494 pid_t tracee, int status, void *args);
1496 void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
1497 tracer_func_t tracer_func, void *args, bool ptrace_syscall)
1500 struct sigaction action = {
1501 .sa_handler = tracer_stop,
1504 /* Allow external shutdown. */
1505 tracer_running = true;
1506 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1509 while (ret == -1 && errno != EINVAL)
1510 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1512 kill(tracee, SIGKILL);
1514 /* Wait for attach stop */
1517 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ?
1518 PTRACE_O_TRACESYSGOOD :
1519 PTRACE_O_TRACESECCOMP);
1521 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1522 kill(tracee, SIGKILL);
1524 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1528 /* Unblock the tracee */
1529 ASSERT_EQ(1, write(fd, "A", 1));
1530 ASSERT_EQ(0, close(fd));
1532 /* Run until we're shut down. Must assert to stop execution. */
1533 while (tracer_running) {
1536 if (wait(&status) != tracee)
1538 if (WIFSIGNALED(status) || WIFEXITED(status))
1539 /* Child is dead. Time to go. */
1542 /* Check if this is a seccomp event. */
1543 ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status));
1545 tracer_func(_metadata, tracee, status, args);
1547 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1551 /* Directly report the status of our test harness results. */
1552 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1555 /* Common tracer setup/teardown functions. */
1556 void cont_handler(int num)
1558 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1559 tracer_func_t func, void *args, bool ptrace_syscall)
1564 pid_t tracee = getpid();
1566 /* Setup a pipe for clean synchronization. */
1567 ASSERT_EQ(0, pipe(pipefd));
1569 /* Fork a child which we'll promote to tracer */
1570 tracer_pid = fork();
1571 ASSERT_LE(0, tracer_pid);
1572 signal(SIGALRM, cont_handler);
1573 if (tracer_pid == 0) {
1575 start_tracer(_metadata, pipefd[1], tracee, func, args,
1577 syscall(__NR_exit, 0);
1580 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1581 read(pipefd[0], &sync, 1);
1587 void teardown_trace_fixture(struct __test_metadata *_metadata,
1593 * Extract the exit code from the other process and
1594 * adopt it for ourselves in case its asserts failed.
1596 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1597 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1598 if (WEXITSTATUS(status))
1599 _metadata->passed = 0;
1603 /* "poke" tracer arguments and function. */
1604 struct tracer_args_poke_t {
1605 unsigned long poke_addr;
1608 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1613 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1615 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1617 /* If this fails, don't try to recover. */
1618 ASSERT_EQ(0x1001, msg) {
1619 kill(tracee, SIGKILL);
1622 * Poke in the message.
1623 * Registers are not touched to try to keep this relatively arch
1626 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1630 FIXTURE(TRACE_poke) {
1631 struct sock_fprog prog;
1634 struct tracer_args_poke_t tracer_args;
1637 FIXTURE_SETUP(TRACE_poke)
1639 struct sock_filter filter[] = {
1640 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1641 offsetof(struct seccomp_data, nr)),
1642 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1643 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1644 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1648 memset(&self->prog, 0, sizeof(self->prog));
1649 self->prog.filter = malloc(sizeof(filter));
1650 ASSERT_NE(NULL, self->prog.filter);
1651 memcpy(self->prog.filter, filter, sizeof(filter));
1652 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1654 /* Set up tracer args. */
1655 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1657 /* Launch tracer. */
1658 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1659 &self->tracer_args, false);
1662 FIXTURE_TEARDOWN(TRACE_poke)
1664 teardown_trace_fixture(_metadata, self->tracer);
1665 if (self->prog.filter)
1666 free(self->prog.filter);
1669 TEST_F(TRACE_poke, read_has_side_effects)
1673 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1676 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1679 EXPECT_EQ(0, self->poked);
1680 ret = read(-1, NULL, 0);
1682 EXPECT_EQ(0x1001, self->poked);
1685 TEST_F(TRACE_poke, getpid_runs_normally)
1689 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1692 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1695 EXPECT_EQ(0, self->poked);
1696 EXPECT_NE(0, syscall(__NR_getpid));
1697 EXPECT_EQ(0, self->poked);
1700 #if defined(__x86_64__)
1701 # define ARCH_REGS struct user_regs_struct
1702 # define SYSCALL_NUM(_regs) (_regs).orig_rax
1703 # define SYSCALL_RET(_regs) (_regs).rax
1704 #elif defined(__i386__)
1705 # define ARCH_REGS struct user_regs_struct
1706 # define SYSCALL_NUM(_regs) (_regs).orig_eax
1707 # define SYSCALL_RET(_regs) (_regs).eax
1708 #elif defined(__arm__)
1709 # define ARCH_REGS struct pt_regs
1710 # define SYSCALL_NUM(_regs) (_regs).ARM_r7
1711 # ifndef PTRACE_SET_SYSCALL
1712 # define PTRACE_SET_SYSCALL 23
1714 # define SYSCALL_NUM_SET(_regs, _nr) \
1715 EXPECT_EQ(0, ptrace(PTRACE_SET_SYSCALL, tracee, NULL, _nr))
1716 # define SYSCALL_RET(_regs) (_regs).ARM_r0
1717 #elif defined(__aarch64__)
1718 # define ARCH_REGS struct user_pt_regs
1719 # define SYSCALL_NUM(_regs) (_regs).regs[8]
1720 # ifndef NT_ARM_SYSTEM_CALL
1721 # define NT_ARM_SYSTEM_CALL 0x404
1723 # define SYSCALL_NUM_SET(_regs, _nr) \
1726 typeof(_nr) __nr = (_nr); \
1727 __v.iov_base = &__nr; \
1728 __v.iov_len = sizeof(__nr); \
1729 EXPECT_EQ(0, ptrace(PTRACE_SETREGSET, tracee, \
1730 NT_ARM_SYSTEM_CALL, &__v)); \
1732 # define SYSCALL_RET(_regs) (_regs).regs[0]
1733 #elif defined(__riscv) && __riscv_xlen == 64
1734 # define ARCH_REGS struct user_regs_struct
1735 # define SYSCALL_NUM(_regs) (_regs).a7
1736 # define SYSCALL_RET(_regs) (_regs).a0
1737 #elif defined(__csky__)
1738 # define ARCH_REGS struct pt_regs
1739 # if defined(__CSKYABIV2__)
1740 # define SYSCALL_NUM(_regs) (_regs).regs[3]
1742 # define SYSCALL_NUM(_regs) (_regs).regs[9]
1744 # define SYSCALL_RET(_regs) (_regs).a0
1745 #elif defined(__hppa__)
1746 # define ARCH_REGS struct user_regs_struct
1747 # define SYSCALL_NUM(_regs) (_regs).gr[20]
1748 # define SYSCALL_RET(_regs) (_regs).gr[28]
1749 #elif defined(__powerpc__)
1750 # define ARCH_REGS struct pt_regs
1751 # define SYSCALL_NUM(_regs) (_regs).gpr[0]
1752 # define SYSCALL_RET(_regs) (_regs).gpr[3]
1753 #elif defined(__s390__)
1754 # define ARCH_REGS s390_regs
1755 # define SYSCALL_NUM(_regs) (_regs).gprs[2]
1756 # define SYSCALL_RET(_regs) (_regs).gprs[2]
1757 # define SYSCALL_NUM_RET_SHARE_REG
1758 #elif defined(__mips__)
1759 # include <asm/unistd_nr_n32.h>
1760 # include <asm/unistd_nr_n64.h>
1761 # include <asm/unistd_nr_o32.h>
1762 # define ARCH_REGS struct pt_regs
1763 # define SYSCALL_NUM(_regs) \
1765 typeof((_regs).regs[2]) _nr; \
1766 if ((_regs).regs[2] == __NR_O32_Linux) \
1767 _nr = (_regs).regs[4]; \
1769 _nr = (_regs).regs[2]; \
1772 # define SYSCALL_NUM_SET(_regs, _nr) \
1774 if ((_regs).regs[2] == __NR_O32_Linux) \
1775 (_regs).regs[4] = _nr; \
1777 (_regs).regs[2] = _nr; \
1779 # define SYSCALL_RET(_regs) (_regs).regs[2]
1780 # define SYSCALL_NUM_RET_SHARE_REG
1781 #elif defined(__xtensa__)
1782 # define ARCH_REGS struct user_pt_regs
1783 # define SYSCALL_NUM(_regs) (_regs).syscall
1785 * On xtensa syscall return value is in the register
1786 * a2 of the current window which is not fixed.
1788 #define SYSCALL_RET(_regs) (_regs).a[(_regs).windowbase * 4 + 2]
1789 #elif defined(__sh__)
1790 # define ARCH_REGS struct pt_regs
1791 # define SYSCALL_NUM(_regs) (_regs).gpr[3]
1792 # define SYSCALL_RET(_regs) (_regs).gpr[0]
1794 # error "Do not know how to find your architecture's registers and syscalls"
1798 * Most architectures can change the syscall by just updating the
1799 * associated register. This is the default if not defined above.
1801 #ifndef SYSCALL_NUM_SET
1802 # define SYSCALL_NUM_SET(_regs, _nr) \
1804 SYSCALL_NUM(_regs) = (_nr); \
1808 /* When the syscall return can't be changed, stub out the tests for it. */
1809 #ifdef SYSCALL_NUM_RET_SHARE_REG
1810 # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
1812 # define EXPECT_SYSCALL_RETURN(val, action) \
1816 EXPECT_EQ(-1, action); \
1817 EXPECT_EQ(-(val), errno); \
1819 EXPECT_EQ(val, action); \
1824 /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
1825 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1827 #if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
1828 #define HAVE_GETREGS
1831 /* Architecture-specific syscall fetching routine. */
1832 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1836 EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) {
1837 TH_LOG("PTRACE_GETREGS failed");
1843 iov.iov_base = ®s;
1844 iov.iov_len = sizeof(regs);
1845 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1846 TH_LOG("PTRACE_GETREGSET failed");
1851 return SYSCALL_NUM(regs);
1854 /* Architecture-specific syscall changing routine. */
1855 void change_syscall(struct __test_metadata *_metadata,
1856 pid_t tracee, int syscall, int result)
1861 ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s);
1864 iov.iov_base = ®s;
1865 iov.iov_len = sizeof(regs);
1866 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1870 SYSCALL_NUM_SET(regs, syscall);
1872 /* If syscall is skipped, change return value. */
1874 #ifdef SYSCALL_NUM_RET_SHARE_REG
1875 TH_LOG("Can't modify syscall return on this architecture");
1877 SYSCALL_RET(regs) = result;
1880 /* Flush any register changes made. */
1882 ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s);
1884 iov.iov_base = ®s;
1885 iov.iov_len = sizeof(regs);
1886 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1891 void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
1892 int status, void *args)
1897 /* Make sure we got the right message. */
1898 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1901 /* Validate and take action on expected syscalls. */
1904 /* change getpid to getppid. */
1905 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
1906 change_syscall(_metadata, tracee, __NR_getppid, 0);
1909 /* skip gettid with valid return code. */
1910 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
1911 change_syscall(_metadata, tracee, -1, 45000);
1914 /* skip openat with error. */
1915 EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
1916 change_syscall(_metadata, tracee, -1, -ESRCH);
1919 /* do nothing (allow getppid) */
1920 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
1924 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1925 kill(tracee, SIGKILL);
1931 void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
1932 int status, void *args)
1939 * The traditional way to tell PTRACE_SYSCALL entry/exit
1944 /* Make sure we got an appropriate message. */
1945 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1947 EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
1948 : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
1953 nr = get_syscall(_metadata, tracee);
1955 if (nr == __NR_getpid)
1956 change_syscall(_metadata, tracee, __NR_getppid, 0);
1957 if (nr == __NR_gettid)
1958 change_syscall(_metadata, tracee, -1, 45000);
1959 if (nr == __NR_openat)
1960 change_syscall(_metadata, tracee, -1, -ESRCH);
1963 FIXTURE(TRACE_syscall) {
1964 struct sock_fprog prog;
1965 pid_t tracer, mytid, mypid, parent;
1968 FIXTURE_VARIANT(TRACE_syscall) {
1970 * All of the SECCOMP_RET_TRACE behaviors can be tested with either
1971 * SECCOMP_RET_TRACE+PTRACE_CONT or plain ptrace()+PTRACE_SYSCALL.
1972 * This indicates if we should use SECCOMP_RET_TRACE (false), or
1978 FIXTURE_VARIANT_ADD(TRACE_syscall, ptrace) {
1982 FIXTURE_VARIANT_ADD(TRACE_syscall, seccomp) {
1983 .use_ptrace = false,
1986 FIXTURE_SETUP(TRACE_syscall)
1988 struct sock_filter filter[] = {
1989 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1990 offsetof(struct seccomp_data, nr)),
1991 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1992 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1993 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1994 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1995 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
1996 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1997 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1998 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
1999 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2001 struct sock_fprog prog = {
2002 .len = (unsigned short)ARRAY_SIZE(filter),
2007 /* Prepare some testable syscall results. */
2008 self->mytid = syscall(__NR_gettid);
2009 ASSERT_GT(self->mytid, 0);
2010 ASSERT_NE(self->mytid, 1) {
2011 TH_LOG("Running this test as init is not supported. :)");
2014 self->mypid = getpid();
2015 ASSERT_GT(self->mypid, 0);
2016 ASSERT_EQ(self->mytid, self->mypid);
2018 self->parent = getppid();
2019 ASSERT_GT(self->parent, 0);
2020 ASSERT_NE(self->parent, self->mypid);
2022 /* Launch tracer. */
2023 self->tracer = setup_trace_fixture(_metadata,
2024 variant->use_ptrace ? tracer_ptrace
2026 NULL, variant->use_ptrace);
2028 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2031 if (variant->use_ptrace)
2034 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2038 FIXTURE_TEARDOWN(TRACE_syscall)
2040 teardown_trace_fixture(_metadata, self->tracer);
2043 TEST(negative_ENOSYS)
2046 * There should be no difference between an "internal" skip
2047 * and userspace asking for syscall "-1".
2050 EXPECT_EQ(-1, syscall(-1));
2051 EXPECT_EQ(errno, ENOSYS);
2052 /* And no difference for "still not valid but not -1". */
2054 EXPECT_EQ(-1, syscall(-101));
2055 EXPECT_EQ(errno, ENOSYS);
2058 TEST_F(TRACE_syscall, negative_ENOSYS)
2060 negative_ENOSYS(_metadata);
2063 TEST_F(TRACE_syscall, syscall_allowed)
2065 /* getppid works as expected (no changes). */
2066 EXPECT_EQ(self->parent, syscall(__NR_getppid));
2067 EXPECT_NE(self->mypid, syscall(__NR_getppid));
2070 TEST_F(TRACE_syscall, syscall_redirected)
2072 /* getpid has been redirected to getppid as expected. */
2073 EXPECT_EQ(self->parent, syscall(__NR_getpid));
2074 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2077 TEST_F(TRACE_syscall, syscall_errno)
2079 /* Tracer should skip the open syscall, resulting in ESRCH. */
2080 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
2083 TEST_F(TRACE_syscall, syscall_faked)
2085 /* Tracer skips the gettid syscall and store altered return value. */
2086 EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
2089 TEST_F(TRACE_syscall, skip_after)
2091 struct sock_filter filter[] = {
2092 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2093 offsetof(struct seccomp_data, nr)),
2094 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2095 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
2096 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2098 struct sock_fprog prog = {
2099 .len = (unsigned short)ARRAY_SIZE(filter),
2104 /* Install additional "errno on getppid" filter. */
2105 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2108 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
2110 EXPECT_EQ(-1, syscall(__NR_getpid));
2111 EXPECT_EQ(EPERM, errno);
2114 TEST_F_SIGNAL(TRACE_syscall, kill_after, SIGSYS)
2116 struct sock_filter filter[] = {
2117 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2118 offsetof(struct seccomp_data, nr)),
2119 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2120 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2121 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2123 struct sock_fprog prog = {
2124 .len = (unsigned short)ARRAY_SIZE(filter),
2129 /* Install additional "death on getppid" filter. */
2130 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2133 /* Tracer will redirect getpid to getppid, and we should die. */
2134 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2137 TEST(seccomp_syscall)
2139 struct sock_filter filter[] = {
2140 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2142 struct sock_fprog prog = {
2143 .len = (unsigned short)ARRAY_SIZE(filter),
2148 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2150 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2153 /* Reject insane operation. */
2154 ret = seccomp(-1, 0, &prog);
2155 ASSERT_NE(ENOSYS, errno) {
2156 TH_LOG("Kernel does not support seccomp syscall!");
2158 EXPECT_EQ(EINVAL, errno) {
2159 TH_LOG("Did not reject crazy op value!");
2162 /* Reject strict with flags or pointer. */
2163 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
2164 EXPECT_EQ(EINVAL, errno) {
2165 TH_LOG("Did not reject mode strict with flags!");
2167 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
2168 EXPECT_EQ(EINVAL, errno) {
2169 TH_LOG("Did not reject mode strict with uargs!");
2172 /* Reject insane args for filter. */
2173 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
2174 EXPECT_EQ(EINVAL, errno) {
2175 TH_LOG("Did not reject crazy filter flags!");
2177 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
2178 EXPECT_EQ(EFAULT, errno) {
2179 TH_LOG("Did not reject NULL filter!");
2182 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2183 EXPECT_EQ(0, errno) {
2184 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
2189 TEST(seccomp_syscall_mode_lock)
2191 struct sock_filter filter[] = {
2192 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2194 struct sock_fprog prog = {
2195 .len = (unsigned short)ARRAY_SIZE(filter),
2200 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2202 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2205 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2206 ASSERT_NE(ENOSYS, errno) {
2207 TH_LOG("Kernel does not support seccomp syscall!");
2210 TH_LOG("Could not install filter!");
2213 /* Make sure neither entry point will switch to strict. */
2214 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
2215 EXPECT_EQ(EINVAL, errno) {
2216 TH_LOG("Switched to mode strict!");
2219 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
2220 EXPECT_EQ(EINVAL, errno) {
2221 TH_LOG("Switched to mode strict!");
2226 * Test detection of known and unknown filter flags. Userspace needs to be able
2227 * to check if a filter flag is supported by the current kernel and a good way
2228 * of doing that is by attempting to enter filter mode, with the flag bit in
2229 * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
2230 * that the flag is valid and EINVAL indicates that the flag is invalid.
2232 TEST(detect_seccomp_filter_flags)
2234 unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
2235 SECCOMP_FILTER_FLAG_LOG,
2236 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
2237 SECCOMP_FILTER_FLAG_NEW_LISTENER,
2238 SECCOMP_FILTER_FLAG_TSYNC_ESRCH };
2239 unsigned int exclusive[] = {
2240 SECCOMP_FILTER_FLAG_TSYNC,
2241 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2242 unsigned int flag, all_flags, exclusive_mask;
2246 /* Test detection of individual known-good filter flags */
2247 for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
2251 /* Make sure the flag is a single bit! */
2260 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2261 ASSERT_NE(ENOSYS, errno) {
2262 TH_LOG("Kernel does not support seccomp syscall!");
2265 EXPECT_EQ(EFAULT, errno) {
2266 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
2274 * Test detection of all known-good filter flags combined. But
2275 * for the exclusive flags we need to mask them out and try them
2276 * individually for the "all flags" testing.
2279 for (i = 0; i < ARRAY_SIZE(exclusive); i++)
2280 exclusive_mask |= exclusive[i];
2281 for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
2282 flag = all_flags & ~exclusive_mask;
2283 flag |= exclusive[i];
2285 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2287 EXPECT_EQ(EFAULT, errno) {
2288 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
2293 /* Test detection of an unknown filter flags, without exclusives. */
2295 flag &= ~exclusive_mask;
2296 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2298 EXPECT_EQ(EINVAL, errno) {
2299 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
2304 * Test detection of an unknown filter flag that may simply need to be
2305 * added to this test
2307 flag = flags[ARRAY_SIZE(flags) - 1] << 1;
2308 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2310 EXPECT_EQ(EINVAL, errno) {
2311 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
2318 struct sock_filter filter[] = {
2319 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2321 struct sock_fprog prog = {
2322 .len = (unsigned short)ARRAY_SIZE(filter),
2327 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2329 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2332 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2334 ASSERT_NE(ENOSYS, errno) {
2335 TH_LOG("Kernel does not support seccomp syscall!");
2338 TH_LOG("Could not install initial filter with TSYNC!");
2342 #define TSYNC_SIBLINGS 2
2343 struct tsync_sibling {
2347 pthread_cond_t *cond;
2348 pthread_mutex_t *mutex;
2351 struct sock_fprog *prog;
2352 struct __test_metadata *metadata;
2356 * To avoid joining joined threads (which is not allowed by Bionic),
2357 * make sure we both successfully join and clear the tid to skip a
2358 * later join attempt during fixture teardown. Any remaining threads
2359 * will be directly killed during teardown.
2361 #define PTHREAD_JOIN(tid, status) \
2363 int _rc = pthread_join(tid, status); \
2365 TH_LOG("pthread_join of tid %u failed: %d\n", \
2366 (unsigned int)tid, _rc); \
2373 struct sock_fprog root_prog, apply_prog;
2374 struct tsync_sibling sibling[TSYNC_SIBLINGS];
2376 pthread_cond_t cond;
2377 pthread_mutex_t mutex;
2381 FIXTURE_SETUP(TSYNC)
2383 struct sock_filter root_filter[] = {
2384 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2386 struct sock_filter apply_filter[] = {
2387 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2388 offsetof(struct seccomp_data, nr)),
2389 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
2390 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2391 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2394 memset(&self->root_prog, 0, sizeof(self->root_prog));
2395 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
2396 memset(&self->sibling, 0, sizeof(self->sibling));
2397 self->root_prog.filter = malloc(sizeof(root_filter));
2398 ASSERT_NE(NULL, self->root_prog.filter);
2399 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
2400 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
2402 self->apply_prog.filter = malloc(sizeof(apply_filter));
2403 ASSERT_NE(NULL, self->apply_prog.filter);
2404 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
2405 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
2407 self->sibling_count = 0;
2408 pthread_mutex_init(&self->mutex, NULL);
2409 pthread_cond_init(&self->cond, NULL);
2410 sem_init(&self->started, 0, 0);
2411 self->sibling[0].tid = 0;
2412 self->sibling[0].cond = &self->cond;
2413 self->sibling[0].started = &self->started;
2414 self->sibling[0].mutex = &self->mutex;
2415 self->sibling[0].diverge = 0;
2416 self->sibling[0].num_waits = 1;
2417 self->sibling[0].prog = &self->root_prog;
2418 self->sibling[0].metadata = _metadata;
2419 self->sibling[1].tid = 0;
2420 self->sibling[1].cond = &self->cond;
2421 self->sibling[1].started = &self->started;
2422 self->sibling[1].mutex = &self->mutex;
2423 self->sibling[1].diverge = 0;
2424 self->sibling[1].prog = &self->root_prog;
2425 self->sibling[1].num_waits = 1;
2426 self->sibling[1].metadata = _metadata;
2429 FIXTURE_TEARDOWN(TSYNC)
2433 if (self->root_prog.filter)
2434 free(self->root_prog.filter);
2435 if (self->apply_prog.filter)
2436 free(self->apply_prog.filter);
2438 for ( ; sib < self->sibling_count; ++sib) {
2439 struct tsync_sibling *s = &self->sibling[sib];
2444 * If a thread is still running, it may be stuck, so hit
2445 * it over the head really hard.
2447 pthread_kill(s->tid, 9);
2449 pthread_mutex_destroy(&self->mutex);
2450 pthread_cond_destroy(&self->cond);
2451 sem_destroy(&self->started);
2454 void *tsync_sibling(void *data)
2457 struct tsync_sibling *me = data;
2459 me->system_tid = syscall(__NR_gettid);
2461 pthread_mutex_lock(me->mutex);
2463 /* Just re-apply the root prog to fork the tree */
2464 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
2467 sem_post(me->started);
2468 /* Return outside of started so parent notices failures. */
2470 pthread_mutex_unlock(me->mutex);
2471 return (void *)SIBLING_EXIT_FAILURE;
2474 pthread_cond_wait(me->cond, me->mutex);
2475 me->num_waits = me->num_waits - 1;
2476 } while (me->num_waits);
2477 pthread_mutex_unlock(me->mutex);
2479 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
2481 return (void *)SIBLING_EXIT_NEWPRIVS;
2483 return (void *)SIBLING_EXIT_UNKILLED;
2486 void tsync_start_sibling(struct tsync_sibling *sibling)
2488 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
2491 TEST_F(TSYNC, siblings_fail_prctl)
2495 struct sock_filter filter[] = {
2496 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2497 offsetof(struct seccomp_data, nr)),
2498 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
2499 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
2500 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2502 struct sock_fprog prog = {
2503 .len = (unsigned short)ARRAY_SIZE(filter),
2507 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2508 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2511 /* Check prctl failure detection by requesting sib 0 diverge. */
2512 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2513 ASSERT_NE(ENOSYS, errno) {
2514 TH_LOG("Kernel does not support seccomp syscall!");
2517 TH_LOG("setting filter failed");
2520 self->sibling[0].diverge = 1;
2521 tsync_start_sibling(&self->sibling[0]);
2522 tsync_start_sibling(&self->sibling[1]);
2524 while (self->sibling_count < TSYNC_SIBLINGS) {
2525 sem_wait(&self->started);
2526 self->sibling_count++;
2529 /* Signal the threads to clean up*/
2530 pthread_mutex_lock(&self->mutex);
2531 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2532 TH_LOG("cond broadcast non-zero");
2534 pthread_mutex_unlock(&self->mutex);
2536 /* Ensure diverging sibling failed to call prctl. */
2537 PTHREAD_JOIN(self->sibling[0].tid, &status);
2538 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
2539 PTHREAD_JOIN(self->sibling[1].tid, &status);
2540 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2543 TEST_F(TSYNC, two_siblings_with_ancestor)
2548 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2549 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2552 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2553 ASSERT_NE(ENOSYS, errno) {
2554 TH_LOG("Kernel does not support seccomp syscall!");
2557 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2559 tsync_start_sibling(&self->sibling[0]);
2560 tsync_start_sibling(&self->sibling[1]);
2562 while (self->sibling_count < TSYNC_SIBLINGS) {
2563 sem_wait(&self->started);
2564 self->sibling_count++;
2567 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2570 TH_LOG("Could install filter on all threads!");
2572 /* Tell the siblings to test the policy */
2573 pthread_mutex_lock(&self->mutex);
2574 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2575 TH_LOG("cond broadcast non-zero");
2577 pthread_mutex_unlock(&self->mutex);
2578 /* Ensure they are both killed and don't exit cleanly. */
2579 PTHREAD_JOIN(self->sibling[0].tid, &status);
2580 EXPECT_EQ(0x0, (long)status);
2581 PTHREAD_JOIN(self->sibling[1].tid, &status);
2582 EXPECT_EQ(0x0, (long)status);
2585 TEST_F(TSYNC, two_sibling_want_nnp)
2589 /* start siblings before any prctl() operations */
2590 tsync_start_sibling(&self->sibling[0]);
2591 tsync_start_sibling(&self->sibling[1]);
2592 while (self->sibling_count < TSYNC_SIBLINGS) {
2593 sem_wait(&self->started);
2594 self->sibling_count++;
2597 /* Tell the siblings to test no policy */
2598 pthread_mutex_lock(&self->mutex);
2599 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2600 TH_LOG("cond broadcast non-zero");
2602 pthread_mutex_unlock(&self->mutex);
2604 /* Ensure they are both upset about lacking nnp. */
2605 PTHREAD_JOIN(self->sibling[0].tid, &status);
2606 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2607 PTHREAD_JOIN(self->sibling[1].tid, &status);
2608 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2611 TEST_F(TSYNC, two_siblings_with_no_filter)
2616 /* start siblings before any prctl() operations */
2617 tsync_start_sibling(&self->sibling[0]);
2618 tsync_start_sibling(&self->sibling[1]);
2619 while (self->sibling_count < TSYNC_SIBLINGS) {
2620 sem_wait(&self->started);
2621 self->sibling_count++;
2624 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2625 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2628 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2630 ASSERT_NE(ENOSYS, errno) {
2631 TH_LOG("Kernel does not support seccomp syscall!");
2634 TH_LOG("Could install filter on all threads!");
2637 /* Tell the siblings to test the policy */
2638 pthread_mutex_lock(&self->mutex);
2639 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2640 TH_LOG("cond broadcast non-zero");
2642 pthread_mutex_unlock(&self->mutex);
2644 /* Ensure they are both killed and don't exit cleanly. */
2645 PTHREAD_JOIN(self->sibling[0].tid, &status);
2646 EXPECT_EQ(0x0, (long)status);
2647 PTHREAD_JOIN(self->sibling[1].tid, &status);
2648 EXPECT_EQ(0x0, (long)status);
2651 TEST_F(TSYNC, two_siblings_with_one_divergence)
2656 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2657 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2660 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2661 ASSERT_NE(ENOSYS, errno) {
2662 TH_LOG("Kernel does not support seccomp syscall!");
2665 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2667 self->sibling[0].diverge = 1;
2668 tsync_start_sibling(&self->sibling[0]);
2669 tsync_start_sibling(&self->sibling[1]);
2671 while (self->sibling_count < TSYNC_SIBLINGS) {
2672 sem_wait(&self->started);
2673 self->sibling_count++;
2676 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2678 ASSERT_EQ(self->sibling[0].system_tid, ret) {
2679 TH_LOG("Did not fail on diverged sibling.");
2682 /* Wake the threads */
2683 pthread_mutex_lock(&self->mutex);
2684 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2685 TH_LOG("cond broadcast non-zero");
2687 pthread_mutex_unlock(&self->mutex);
2689 /* Ensure they are both unkilled. */
2690 PTHREAD_JOIN(self->sibling[0].tid, &status);
2691 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2692 PTHREAD_JOIN(self->sibling[1].tid, &status);
2693 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2696 TEST_F(TSYNC, two_siblings_with_one_divergence_no_tid_in_err)
2701 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2702 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2705 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2706 ASSERT_NE(ENOSYS, errno) {
2707 TH_LOG("Kernel does not support seccomp syscall!");
2710 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2712 self->sibling[0].diverge = 1;
2713 tsync_start_sibling(&self->sibling[0]);
2714 tsync_start_sibling(&self->sibling[1]);
2716 while (self->sibling_count < TSYNC_SIBLINGS) {
2717 sem_wait(&self->started);
2718 self->sibling_count++;
2721 flags = SECCOMP_FILTER_FLAG_TSYNC | \
2722 SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
2723 ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &self->apply_prog);
2724 ASSERT_EQ(ESRCH, errno) {
2725 TH_LOG("Did not return ESRCH for diverged sibling.");
2727 ASSERT_EQ(-1, ret) {
2728 TH_LOG("Did not fail on diverged sibling.");
2731 /* Wake the threads */
2732 pthread_mutex_lock(&self->mutex);
2733 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2734 TH_LOG("cond broadcast non-zero");
2736 pthread_mutex_unlock(&self->mutex);
2738 /* Ensure they are both unkilled. */
2739 PTHREAD_JOIN(self->sibling[0].tid, &status);
2740 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2741 PTHREAD_JOIN(self->sibling[1].tid, &status);
2742 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2745 TEST_F(TSYNC, two_siblings_not_under_filter)
2749 struct timespec delay = { .tv_nsec = 100000000 };
2751 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2752 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2756 * Sibling 0 will have its own seccomp policy
2757 * and Sibling 1 will not be under seccomp at
2758 * all. Sibling 1 will enter seccomp and 0
2759 * will cause failure.
2761 self->sibling[0].diverge = 1;
2762 tsync_start_sibling(&self->sibling[0]);
2763 tsync_start_sibling(&self->sibling[1]);
2765 while (self->sibling_count < TSYNC_SIBLINGS) {
2766 sem_wait(&self->started);
2767 self->sibling_count++;
2770 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2771 ASSERT_NE(ENOSYS, errno) {
2772 TH_LOG("Kernel does not support seccomp syscall!");
2775 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2778 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2780 ASSERT_EQ(ret, self->sibling[0].system_tid) {
2781 TH_LOG("Did not fail on diverged sibling.");
2784 if (ret == self->sibling[0].system_tid)
2787 pthread_mutex_lock(&self->mutex);
2789 /* Increment the other siblings num_waits so we can clean up
2790 * the one we just saw.
2792 self->sibling[!sib].num_waits += 1;
2794 /* Signal the thread to clean up*/
2795 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2796 TH_LOG("cond broadcast non-zero");
2798 pthread_mutex_unlock(&self->mutex);
2799 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2800 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2801 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2802 while (!kill(self->sibling[sib].system_tid, 0))
2803 nanosleep(&delay, NULL);
2804 /* Switch to the remaining sibling */
2807 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2810 TH_LOG("Expected the remaining sibling to sync");
2813 pthread_mutex_lock(&self->mutex);
2815 /* If remaining sibling didn't have a chance to wake up during
2816 * the first broadcast, manually reduce the num_waits now.
2818 if (self->sibling[sib].num_waits > 1)
2819 self->sibling[sib].num_waits = 1;
2820 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2821 TH_LOG("cond broadcast non-zero");
2823 pthread_mutex_unlock(&self->mutex);
2824 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2825 EXPECT_EQ(0, (long)status);
2826 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2827 while (!kill(self->sibling[sib].system_tid, 0))
2828 nanosleep(&delay, NULL);
2830 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2832 ASSERT_EQ(0, ret); /* just us chickens */
2835 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
2836 TEST(syscall_restart)
2843 siginfo_t info = { };
2844 struct sock_filter filter[] = {
2845 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2846 offsetof(struct seccomp_data, nr)),
2848 #ifdef __NR_sigreturn
2849 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 7, 0),
2851 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 6, 0),
2852 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 5, 0),
2853 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 4, 0),
2854 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 5, 0),
2855 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_clock_nanosleep, 4, 0),
2856 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
2858 /* Allow __NR_write for easy logging. */
2859 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
2860 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2861 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2862 /* The nanosleep jump target. */
2863 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100),
2864 /* The restart_syscall jump target. */
2865 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200),
2867 struct sock_fprog prog = {
2868 .len = (unsigned short)ARRAY_SIZE(filter),
2871 #if defined(__arm__)
2872 struct utsname utsbuf;
2875 ASSERT_EQ(0, pipe(pipefd));
2878 ASSERT_LE(0, child_pid);
2879 if (child_pid == 0) {
2880 /* Child uses EXPECT not ASSERT to deliver status correctly. */
2882 struct timespec timeout = { };
2884 /* Attach parent as tracer and stop. */
2885 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
2886 EXPECT_EQ(0, raise(SIGSTOP));
2888 EXPECT_EQ(0, close(pipefd[1]));
2890 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2891 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2894 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2896 TH_LOG("Failed to install filter!");
2899 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2900 TH_LOG("Failed to read() sync from parent");
2902 EXPECT_EQ('.', buf) {
2903 TH_LOG("Failed to get sync data from read()");
2906 /* Start nanosleep to be interrupted. */
2909 EXPECT_EQ(0, nanosleep(&timeout, NULL)) {
2910 TH_LOG("Call to nanosleep() failed (errno %d)", errno);
2913 /* Read final sync from parent. */
2914 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2915 TH_LOG("Failed final read() from parent");
2917 EXPECT_EQ('!', buf) {
2918 TH_LOG("Failed to get final data from read()");
2921 /* Directly report the status of our test harness results. */
2922 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
2925 EXPECT_EQ(0, close(pipefd[0]));
2927 /* Attach to child, setup options, and release. */
2928 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2929 ASSERT_EQ(true, WIFSTOPPED(status));
2930 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
2931 PTRACE_O_TRACESECCOMP));
2932 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2933 ASSERT_EQ(1, write(pipefd[1], ".", 1));
2935 /* Wait for nanosleep() to start. */
2936 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2937 ASSERT_EQ(true, WIFSTOPPED(status));
2938 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2939 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2940 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2941 ASSERT_EQ(0x100, msg);
2942 ret = get_syscall(_metadata, child_pid);
2943 EXPECT_TRUE(ret == __NR_nanosleep || ret == __NR_clock_nanosleep);
2945 /* Might as well check siginfo for sanity while we're here. */
2946 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2947 ASSERT_EQ(SIGTRAP, info.si_signo);
2948 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
2949 EXPECT_EQ(0, info.si_errno);
2950 EXPECT_EQ(getuid(), info.si_uid);
2951 /* Verify signal delivery came from child (seccomp-triggered). */
2952 EXPECT_EQ(child_pid, info.si_pid);
2954 /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */
2955 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
2956 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2957 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2958 ASSERT_EQ(true, WIFSTOPPED(status));
2959 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
2960 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2962 * There is no siginfo on SIGSTOP any more, so we can't verify
2963 * signal delivery came from parent now (getpid() == info.si_pid).
2964 * https://lkml.kernel.org/r/CAGXu5jJaZAOzP1qFz66tYrtbuywqb+UN2SOA1VLHpCCOiYvYeg@mail.gmail.com
2965 * At least verify the SIGSTOP via PTRACE_GETSIGINFO.
2967 EXPECT_EQ(SIGSTOP, info.si_signo);
2969 /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */
2970 ASSERT_EQ(0, kill(child_pid, SIGCONT));
2971 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2972 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2973 ASSERT_EQ(true, WIFSTOPPED(status));
2974 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
2975 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2977 /* Wait for restart_syscall() to start. */
2978 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2979 ASSERT_EQ(true, WIFSTOPPED(status));
2980 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2981 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2982 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2984 ASSERT_EQ(0x200, msg);
2985 ret = get_syscall(_metadata, child_pid);
2986 #if defined(__arm__)
2989 * - native ARM registers do NOT expose true syscall.
2990 * - compat ARM registers on ARM64 DO expose true syscall.
2992 ASSERT_EQ(0, uname(&utsbuf));
2993 if (strncmp(utsbuf.machine, "arm", 3) == 0) {
2994 EXPECT_EQ(__NR_nanosleep, ret);
2998 EXPECT_EQ(__NR_restart_syscall, ret);
3001 /* Write again to end test. */
3002 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3003 ASSERT_EQ(1, write(pipefd[1], "!", 1));
3004 EXPECT_EQ(0, close(pipefd[1]));
3006 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3007 if (WIFSIGNALED(status) || WEXITSTATUS(status))
3008 _metadata->passed = 0;
3011 TEST_SIGNAL(filter_flag_log, SIGSYS)
3013 struct sock_filter allow_filter[] = {
3014 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3016 struct sock_filter kill_filter[] = {
3017 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
3018 offsetof(struct seccomp_data, nr)),
3019 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
3020 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
3021 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3023 struct sock_fprog allow_prog = {
3024 .len = (unsigned short)ARRAY_SIZE(allow_filter),
3025 .filter = allow_filter,
3027 struct sock_fprog kill_prog = {
3028 .len = (unsigned short)ARRAY_SIZE(kill_filter),
3029 .filter = kill_filter,
3032 pid_t parent = getppid();
3034 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3037 /* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */
3038 ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,
3040 ASSERT_NE(ENOSYS, errno) {
3041 TH_LOG("Kernel does not support seccomp syscall!");
3044 TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!");
3046 EXPECT_EQ(EINVAL, errno) {
3047 TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!");
3050 /* Verify that a simple, permissive filter can be added with no flags */
3051 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);
3054 /* See if the same filter can be added with the FILTER_FLAG_LOG flag */
3055 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3057 ASSERT_NE(EINVAL, errno) {
3058 TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!");
3062 /* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */
3063 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3067 EXPECT_EQ(parent, syscall(__NR_getppid));
3068 /* getpid() should never return. */
3069 EXPECT_EQ(0, syscall(__NR_getpid));
3072 TEST(get_action_avail)
3074 __u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP,
3075 SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE,
3076 SECCOMP_RET_LOG, SECCOMP_RET_ALLOW };
3077 __u32 unknown_action = 0x10000000U;
3081 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]);
3082 ASSERT_NE(ENOSYS, errno) {
3083 TH_LOG("Kernel does not support seccomp syscall!");
3085 ASSERT_NE(EINVAL, errno) {
3086 TH_LOG("Kernel does not support SECCOMP_GET_ACTION_AVAIL operation!");
3090 for (i = 0; i < ARRAY_SIZE(actions); i++) {
3091 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]);
3093 TH_LOG("Expected action (0x%X) not available!",
3098 /* Check that an unknown action is handled properly (EOPNOTSUPP) */
3099 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action);
3101 EXPECT_EQ(errno, EOPNOTSUPP);
3109 struct seccomp_metadata md;
3112 /* Only real root can get metadata. */
3114 SKIP(return, "get_metadata requires real root");
3118 ASSERT_EQ(0, pipe(pipefd));
3123 struct sock_filter filter[] = {
3124 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3126 struct sock_fprog prog = {
3127 .len = (unsigned short)ARRAY_SIZE(filter),
3131 /* one with log, one without */
3132 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
3133 SECCOMP_FILTER_FLAG_LOG, &prog));
3134 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
3136 EXPECT_EQ(0, close(pipefd[0]));
3137 ASSERT_EQ(1, write(pipefd[1], "1", 1));
3138 ASSERT_EQ(0, close(pipefd[1]));
3144 ASSERT_EQ(0, close(pipefd[1]));
3145 ASSERT_EQ(1, read(pipefd[0], &buf, 1));
3147 ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
3148 ASSERT_EQ(pid, waitpid(pid, NULL, 0));
3150 /* Past here must not use ASSERT or child process is never killed. */
3154 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3155 EXPECT_EQ(sizeof(md), ret) {
3156 if (errno == EINVAL)
3157 SKIP(goto skip, "Kernel does not support PTRACE_SECCOMP_GET_METADATA (missing CONFIG_CHECKPOINT_RESTORE?)");
3160 EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
3161 EXPECT_EQ(md.filter_off, 0);
3164 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3165 EXPECT_EQ(sizeof(md), ret);
3166 EXPECT_EQ(md.flags, 0);
3167 EXPECT_EQ(md.filter_off, 1);
3170 ASSERT_EQ(0, kill(pid, SIGKILL));
3173 static int user_notif_syscall(int nr, unsigned int flags)
3175 struct sock_filter filter[] = {
3176 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
3177 offsetof(struct seccomp_data, nr)),
3178 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, nr, 0, 1),
3179 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_USER_NOTIF),
3180 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3183 struct sock_fprog prog = {
3184 .len = (unsigned short)ARRAY_SIZE(filter),
3188 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
3191 #define USER_NOTIF_MAGIC INT_MAX
3192 TEST(user_notification_basic)
3196 int status, listener;
3197 struct seccomp_notif req = {};
3198 struct seccomp_notif_resp resp = {};
3199 struct pollfd pollfd;
3201 struct sock_filter filter[] = {
3202 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3204 struct sock_fprog prog = {
3205 .len = (unsigned short)ARRAY_SIZE(filter),
3209 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3211 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3217 /* Check that we get -ENOSYS with no listener attached */
3219 if (user_notif_syscall(__NR_getppid, 0) < 0)
3221 ret = syscall(__NR_getppid);
3222 exit(ret >= 0 || errno != ENOSYS);
3225 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3226 EXPECT_EQ(true, WIFEXITED(status));
3227 EXPECT_EQ(0, WEXITSTATUS(status));
3229 /* Add some no-op filters for grins. */
3230 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3231 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3232 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3233 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3235 /* Check that the basic notification machinery works */
3236 listener = user_notif_syscall(__NR_getppid,
3237 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3238 ASSERT_GE(listener, 0);
3240 /* Installing a second listener in the chain should EBUSY */
3241 EXPECT_EQ(user_notif_syscall(__NR_getppid,
3242 SECCOMP_FILTER_FLAG_NEW_LISTENER),
3244 EXPECT_EQ(errno, EBUSY);
3250 ret = syscall(__NR_getppid);
3251 exit(ret != USER_NOTIF_MAGIC);
3254 pollfd.fd = listener;
3255 pollfd.events = POLLIN | POLLOUT;
3257 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3258 EXPECT_EQ(pollfd.revents, POLLIN);
3260 /* Test that we can't pass garbage to the kernel. */
3261 memset(&req, 0, sizeof(req));
3264 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);
3266 EXPECT_EQ(EINVAL, errno);
3270 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3273 pollfd.fd = listener;
3274 pollfd.events = POLLIN | POLLOUT;
3276 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3277 EXPECT_EQ(pollfd.revents, POLLOUT);
3279 EXPECT_EQ(req.data.nr, __NR_getppid);
3283 resp.val = USER_NOTIF_MAGIC;
3285 /* check that we make sure flags == 0 */
3287 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3288 EXPECT_EQ(errno, EINVAL);
3291 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3293 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3294 EXPECT_EQ(true, WIFEXITED(status));
3295 EXPECT_EQ(0, WEXITSTATUS(status));
3298 TEST(user_notification_with_tsync)
3303 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3305 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3308 /* these were exclusive */
3309 flags = SECCOMP_FILTER_FLAG_NEW_LISTENER |
3310 SECCOMP_FILTER_FLAG_TSYNC;
3311 ASSERT_EQ(-1, user_notif_syscall(__NR_getppid, flags));
3312 ASSERT_EQ(EINVAL, errno);
3314 /* but now they're not */
3315 flags |= SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
3316 ret = user_notif_syscall(__NR_getppid, flags);
3321 TEST(user_notification_kill_in_middle)
3326 struct seccomp_notif req = {};
3327 struct seccomp_notif_resp resp = {};
3329 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3331 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3334 listener = user_notif_syscall(__NR_getppid,
3335 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3336 ASSERT_GE(listener, 0);
3339 * Check that nothing bad happens when we kill the task in the middle
3346 ret = syscall(__NR_getppid);
3347 exit(ret != USER_NOTIF_MAGIC);
3350 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3351 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), 0);
3353 EXPECT_EQ(kill(pid, SIGKILL), 0);
3354 EXPECT_EQ(waitpid(pid, NULL, 0), pid);
3356 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), -1);
3359 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
3361 EXPECT_EQ(errno, ENOENT);
3364 static int handled = -1;
3366 static void signal_handler(int signal)
3368 if (write(handled, "c", 1) != 1)
3369 perror("write from signal");
3372 TEST(user_notification_signal)
3376 int status, listener, sk_pair[2];
3377 struct seccomp_notif req = {};
3378 struct seccomp_notif_resp resp = {};
3381 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3383 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3386 ASSERT_EQ(socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair), 0);
3388 listener = user_notif_syscall(__NR_gettid,
3389 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3390 ASSERT_GE(listener, 0);
3397 handled = sk_pair[1];
3398 if (signal(SIGUSR1, signal_handler) == SIG_ERR) {
3403 * ERESTARTSYS behavior is a bit hard to test, because we need
3404 * to rely on a signal that has not yet been handled. Let's at
3405 * least check that the error code gets propagated through, and
3406 * hope that it doesn't break when there is actually a signal :)
3408 ret = syscall(__NR_gettid);
3409 exit(!(ret == -1 && errno == 512));
3414 memset(&req, 0, sizeof(req));
3415 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3417 EXPECT_EQ(kill(pid, SIGUSR1), 0);
3420 * Make sure the signal really is delivered, which means we're not
3421 * stuck in the user notification code any more and the notification
3424 EXPECT_EQ(read(sk_pair[0], &c, 1), 1);
3427 resp.error = -EPERM;
3430 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3431 EXPECT_EQ(errno, ENOENT);
3433 memset(&req, 0, sizeof(req));
3434 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3437 resp.error = -512; /* -ERESTARTSYS */
3440 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3442 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3443 EXPECT_EQ(true, WIFEXITED(status));
3444 EXPECT_EQ(0, WEXITSTATUS(status));
3447 TEST(user_notification_closed_listener)
3451 int status, listener;
3453 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3455 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3458 listener = user_notif_syscall(__NR_getppid,
3459 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3460 ASSERT_GE(listener, 0);
3463 * Check that we get an ENOSYS when the listener is closed.
3469 ret = syscall(__NR_getppid);
3470 exit(ret != -1 && errno != ENOSYS);
3475 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3476 EXPECT_EQ(true, WIFEXITED(status));
3477 EXPECT_EQ(0, WEXITSTATUS(status));
3481 * Check that a pid in a child namespace still shows up as valid in ours.
3483 TEST(user_notification_child_pid_ns)
3486 int status, listener;
3487 struct seccomp_notif req = {};
3488 struct seccomp_notif_resp resp = {};
3490 ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0) {
3491 if (errno == EINVAL)
3492 SKIP(return, "kernel missing CLONE_NEWUSER support");
3495 listener = user_notif_syscall(__NR_getppid,
3496 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3497 ASSERT_GE(listener, 0);
3503 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3505 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3506 EXPECT_EQ(req.pid, pid);
3510 resp.val = USER_NOTIF_MAGIC;
3512 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3514 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3515 EXPECT_EQ(true, WIFEXITED(status));
3516 EXPECT_EQ(0, WEXITSTATUS(status));
3521 * Check that a pid in a sibling (i.e. unrelated) namespace shows up as 0, i.e.
3524 TEST(user_notification_sibling_pid_ns)
3527 int status, listener;
3528 struct seccomp_notif req = {};
3529 struct seccomp_notif_resp resp = {};
3531 ASSERT_EQ(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), 0) {
3532 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3535 listener = user_notif_syscall(__NR_getppid,
3536 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3537 ASSERT_GE(listener, 0);
3543 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3549 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3551 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3552 EXPECT_EQ(true, WIFEXITED(status));
3553 EXPECT_EQ(0, WEXITSTATUS(status));
3554 exit(WEXITSTATUS(status));
3557 /* Create the sibling ns, and sibling in it. */
3558 ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
3560 SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
3562 ASSERT_EQ(errno, 0);
3568 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3570 * The pid should be 0, i.e. the task is in some namespace that
3573 EXPECT_EQ(req.pid, 0);
3577 resp.val = USER_NOTIF_MAGIC;
3579 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3585 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3586 EXPECT_EQ(true, WIFEXITED(status));
3587 EXPECT_EQ(0, WEXITSTATUS(status));
3589 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3590 EXPECT_EQ(true, WIFEXITED(status));
3591 EXPECT_EQ(0, WEXITSTATUS(status));
3594 TEST(user_notification_fault_recv)
3597 int status, listener;
3598 struct seccomp_notif req = {};
3599 struct seccomp_notif_resp resp = {};
3601 ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
3603 listener = user_notif_syscall(__NR_getppid,
3604 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3605 ASSERT_GE(listener, 0);
3611 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3613 /* Do a bad recv() */
3614 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
3615 EXPECT_EQ(errno, EFAULT);
3617 /* We should still be able to receive this notification, though. */
3618 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3619 EXPECT_EQ(req.pid, pid);
3623 resp.val = USER_NOTIF_MAGIC;
3625 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3627 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3628 EXPECT_EQ(true, WIFEXITED(status));
3629 EXPECT_EQ(0, WEXITSTATUS(status));
3632 TEST(seccomp_get_notif_sizes)
3634 struct seccomp_notif_sizes sizes;
3636 ASSERT_EQ(seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes), 0);
3637 EXPECT_EQ(sizes.seccomp_notif, sizeof(struct seccomp_notif));
3638 EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
3641 TEST(user_notification_continue)
3645 int status, listener;
3646 struct seccomp_notif req = {};
3647 struct seccomp_notif_resp resp = {};
3648 struct pollfd pollfd;
3650 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3652 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3655 listener = user_notif_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3656 ASSERT_GE(listener, 0);
3662 int dup_fd, pipe_fds[2];
3665 ASSERT_GE(pipe(pipe_fds), 0);
3667 dup_fd = dup(pipe_fds[0]);
3668 ASSERT_GE(dup_fd, 0);
3669 EXPECT_NE(pipe_fds[0], dup_fd);
3672 ASSERT_EQ(filecmp(self, self, pipe_fds[0], dup_fd), 0);
3676 pollfd.fd = listener;
3677 pollfd.events = POLLIN | POLLOUT;
3679 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3680 EXPECT_EQ(pollfd.revents, POLLIN);
3682 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3684 pollfd.fd = listener;
3685 pollfd.events = POLLIN | POLLOUT;
3687 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3688 EXPECT_EQ(pollfd.revents, POLLOUT);
3690 EXPECT_EQ(req.data.nr, __NR_dup);
3693 resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
3696 * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
3700 resp.val = USER_NOTIF_MAGIC;
3701 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3702 EXPECT_EQ(errno, EINVAL);
3704 resp.error = USER_NOTIF_MAGIC;
3706 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3707 EXPECT_EQ(errno, EINVAL);
3711 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
3712 if (errno == EINVAL)
3713 SKIP(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
3717 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3718 EXPECT_EQ(true, WIFEXITED(status));
3719 EXPECT_EQ(0, WEXITSTATUS(status)) {
3720 if (WEXITSTATUS(status) == 2) {
3721 SKIP(return, "Kernel does not support kcmp() syscall");
3727 TEST(user_notification_filter_empty)
3732 struct pollfd pollfd;
3733 struct clone_args args = {
3734 .flags = CLONE_FILES,
3735 .exit_signal = SIGCHLD,
3738 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3740 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3743 pid = sys_clone3(&args, sizeof(args));
3749 listener = user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3751 _exit(EXIT_FAILURE);
3753 if (dup2(listener, 200) != 200)
3754 _exit(EXIT_FAILURE);
3758 _exit(EXIT_SUCCESS);
3761 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3762 EXPECT_EQ(true, WIFEXITED(status));
3763 EXPECT_EQ(0, WEXITSTATUS(status));
3766 * The seccomp filter has become unused so we should be notified once
3767 * the kernel gets around to cleaning up task struct.
3770 pollfd.events = POLLHUP;
3772 EXPECT_GT(poll(&pollfd, 1, 2000), 0);
3773 EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0);
3776 static void *do_thread(void *data)
3781 TEST(user_notification_filter_empty_threaded)
3786 struct pollfd pollfd;
3787 struct clone_args args = {
3788 .flags = CLONE_FILES,
3789 .exit_signal = SIGCHLD,
3792 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3794 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3797 pid = sys_clone3(&args, sizeof(args));
3802 int listener, status;
3805 listener = user_notif_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3807 _exit(EXIT_FAILURE);
3809 if (dup2(listener, 200) != 200)
3810 _exit(EXIT_FAILURE);
3816 _exit(EXIT_FAILURE);
3819 _exit(EXIT_SUCCESS);
3823 _exit(EXIT_FAILURE);
3826 _exit(EXIT_SUCCESS);
3828 if (pthread_create(&thread, NULL, do_thread, NULL) ||
3829 pthread_join(thread, NULL))
3830 _exit(EXIT_FAILURE);
3832 if (pthread_create(&thread, NULL, do_thread, NULL) ||
3833 pthread_join(thread, NULL))
3834 _exit(EXIT_FAILURE);
3836 if (waitpid(pid1, &status, 0) != pid1 || !WIFEXITED(status) ||
3837 WEXITSTATUS(status))
3838 _exit(EXIT_FAILURE);
3840 if (waitpid(pid2, &status, 0) != pid2 || !WIFEXITED(status) ||
3841 WEXITSTATUS(status))
3842 _exit(EXIT_FAILURE);
3847 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3848 EXPECT_EQ(true, WIFEXITED(status));
3849 EXPECT_EQ(0, WEXITSTATUS(status));
3852 * The seccomp filter has become unused so we should be notified once
3853 * the kernel gets around to cleaning up task struct.
3856 pollfd.events = POLLHUP;
3858 EXPECT_GT(poll(&pollfd, 1, 2000), 0);
3859 EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0);
3862 TEST(user_notification_addfd)
3866 int status, listener, memfd, fd;
3867 struct seccomp_notif_addfd addfd = {};
3868 struct seccomp_notif_addfd_small small = {};
3869 struct seccomp_notif_addfd_big big = {};
3870 struct seccomp_notif req = {};
3871 struct seccomp_notif_resp resp = {};
3873 struct timespec delay = { .tv_nsec = 100000000 };
3875 memfd = memfd_create("test", 0);
3876 ASSERT_GE(memfd, 0);
3878 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3880 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3883 /* Check that the basic notification machinery works */
3884 listener = user_notif_syscall(__NR_getppid,
3885 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3886 ASSERT_GE(listener, 0);
3892 if (syscall(__NR_getppid) != USER_NOTIF_MAGIC)
3894 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3897 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3899 addfd.srcfd = memfd;
3904 /* Verify bad newfd_flags cannot be set */
3905 addfd.newfd_flags = ~O_CLOEXEC;
3906 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
3907 EXPECT_EQ(errno, EINVAL);
3908 addfd.newfd_flags = O_CLOEXEC;
3910 /* Verify bad flags cannot be set */
3912 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
3913 EXPECT_EQ(errno, EINVAL);
3916 /* Verify that remote_fd cannot be set without setting flags */
3918 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
3919 EXPECT_EQ(errno, EINVAL);
3922 /* Verify small size cannot be set */
3923 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_SMALL, &small), -1);
3924 EXPECT_EQ(errno, EINVAL);
3926 /* Verify we can't send bits filled in unknown buffer area */
3927 memset(&big, 0xAA, sizeof(big));
3929 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big), -1);
3930 EXPECT_EQ(errno, E2BIG);
3933 /* Verify we can set an arbitrary remote fd */
3934 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
3936 * The child has fds 0(stdin), 1(stdout), 2(stderr), 3(memfd),
3937 * 4(listener), so the newly allocated fd should be 5.
3940 EXPECT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
3942 /* Verify we can set an arbitrary remote fd with large size */
3943 memset(&big, 0x0, sizeof(big));
3945 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big);
3948 /* Verify we can set a specific remote fd */
3950 addfd.flags = SECCOMP_ADDFD_FLAG_SETFD;
3951 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
3953 EXPECT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
3955 /* Resume syscall */
3958 resp.val = USER_NOTIF_MAGIC;
3959 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3962 * This sets the ID of the ADD FD to the last request plus 1. The
3963 * notification ID increments 1 per notification.
3965 addfd.id = req.id + 1;
3967 /* This spins until the underlying notification is generated */
3968 while (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) != -1 &&
3969 errno != -EINPROGRESS)
3970 nanosleep(&delay, NULL);
3972 memset(&req, 0, sizeof(req));
3973 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3974 ASSERT_EQ(addfd.id, req.id);
3978 resp.val = USER_NOTIF_MAGIC;
3979 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3981 /* Wait for child to finish. */
3982 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3983 EXPECT_EQ(true, WIFEXITED(status));
3984 EXPECT_EQ(0, WEXITSTATUS(status));
3989 TEST(user_notification_addfd_rlimit)
3993 int status, listener, memfd;
3994 struct seccomp_notif_addfd addfd = {};
3995 struct seccomp_notif req = {};
3996 struct seccomp_notif_resp resp = {};
3997 const struct rlimit lim = {
4002 memfd = memfd_create("test", 0);
4003 ASSERT_GE(memfd, 0);
4005 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
4007 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
4010 /* Check that the basic notification machinery works */
4011 listener = user_notif_syscall(__NR_getppid,
4012 SECCOMP_FILTER_FLAG_NEW_LISTENER);
4013 ASSERT_GE(listener, 0);
4019 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
4022 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
4024 ASSERT_EQ(prlimit(pid, RLIMIT_NOFILE, &lim, NULL), 0);
4026 addfd.srcfd = memfd;
4027 addfd.newfd_flags = O_CLOEXEC;
4032 /* Should probably spot check /proc/sys/fs/file-nr */
4033 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4034 EXPECT_EQ(errno, EMFILE);
4037 addfd.flags = SECCOMP_ADDFD_FLAG_SETFD;
4038 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4039 EXPECT_EQ(errno, EBADF);
4043 resp.val = USER_NOTIF_MAGIC;
4045 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
4047 /* Wait for child to finish. */
4048 EXPECT_EQ(waitpid(pid, &status, 0), pid);
4049 EXPECT_EQ(true, WIFEXITED(status));
4050 EXPECT_EQ(0, WEXITSTATUS(status));
4057 * - expand NNP testing
4058 * - better arch-specific TRACE and TRAP handlers.
4059 * - endianness checking when appropriate
4060 * - 64-bit arg prodding
4061 * - arch value testing (x86 modes especially)
4062 * - verify that FILTER_FLAG_LOG filters generate log messages
4063 * - verify that RET_LOG generates log messages