1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
5 * Test code for seccomp bpf.
12 * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
13 * we need to use the kernel's siginfo.h file and trick glibc
16 #if !__GLIBC_PREREQ(2, 26)
17 # include <asm/siginfo.h>
18 # define __have_siginfo_t 1
19 # define __have_sigval_t 1
20 # define __have_sigevent_t 1
24 #include <linux/filter.h>
25 #include <sys/prctl.h>
26 #include <sys/ptrace.h>
28 #include <linux/prctl.h>
29 #include <linux/ptrace.h>
30 #include <linux/seccomp.h>
32 #include <semaphore.h>
39 #include <linux/elf.h>
41 #include <sys/utsname.h>
42 #include <sys/fcntl.h>
44 #include <sys/times.h>
45 #include <sys/socket.h>
46 #include <sys/ioctl.h>
47 #include <linux/kcmp.h>
50 #include <sys/syscall.h>
53 #include "../kselftest_harness.h"
55 #ifndef PR_SET_PTRACER
56 # define PR_SET_PTRACER 0x59616d61
59 #ifndef PR_SET_NO_NEW_PRIVS
60 #define PR_SET_NO_NEW_PRIVS 38
61 #define PR_GET_NO_NEW_PRIVS 39
64 #ifndef PR_SECCOMP_EXT
65 #define PR_SECCOMP_EXT 43
68 #ifndef SECCOMP_EXT_ACT
69 #define SECCOMP_EXT_ACT 1
72 #ifndef SECCOMP_EXT_ACT_TSYNC
73 #define SECCOMP_EXT_ACT_TSYNC 1
76 #ifndef SECCOMP_MODE_STRICT
77 #define SECCOMP_MODE_STRICT 1
80 #ifndef SECCOMP_MODE_FILTER
81 #define SECCOMP_MODE_FILTER 2
84 #ifndef SECCOMP_RET_ALLOW
88 __u64 instruction_pointer;
93 #ifndef SECCOMP_RET_KILL_PROCESS
94 #define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
95 #define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
97 #ifndef SECCOMP_RET_KILL
98 #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
99 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
100 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
101 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
102 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
104 #ifndef SECCOMP_RET_LOG
105 #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
109 # if defined(__i386__)
110 # define __NR_seccomp 354
111 # elif defined(__x86_64__)
112 # define __NR_seccomp 317
113 # elif defined(__arm__)
114 # define __NR_seccomp 383
115 # elif defined(__aarch64__)
116 # define __NR_seccomp 277
117 # elif defined(__riscv)
118 # define __NR_seccomp 277
119 # elif defined(__hppa__)
120 # define __NR_seccomp 338
121 # elif defined(__powerpc__)
122 # define __NR_seccomp 358
123 # elif defined(__s390__)
124 # define __NR_seccomp 348
126 # warning "seccomp syscall number unknown for this architecture"
127 # define __NR_seccomp 0xffff
131 #ifndef SECCOMP_SET_MODE_STRICT
132 #define SECCOMP_SET_MODE_STRICT 0
135 #ifndef SECCOMP_SET_MODE_FILTER
136 #define SECCOMP_SET_MODE_FILTER 1
139 #ifndef SECCOMP_GET_ACTION_AVAIL
140 #define SECCOMP_GET_ACTION_AVAIL 2
143 #ifndef SECCOMP_GET_NOTIF_SIZES
144 #define SECCOMP_GET_NOTIF_SIZES 3
147 #ifndef SECCOMP_FILTER_FLAG_TSYNC
148 #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
151 #ifndef SECCOMP_FILTER_FLAG_LOG
152 #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
155 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
156 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
159 #ifndef PTRACE_SECCOMP_GET_METADATA
160 #define PTRACE_SECCOMP_GET_METADATA 0x420d
162 struct seccomp_metadata {
163 __u64 filter_off; /* Input: which filter */
164 __u64 flags; /* Output: filter's flags */
168 #ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
169 #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
171 #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
173 #define SECCOMP_IOC_MAGIC '!'
174 #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
175 #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
176 #define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
177 #define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
179 /* Flags for seccomp notification fd ioctl. */
180 #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
181 #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
182 struct seccomp_notif_resp)
183 #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOR(2, __u64)
185 struct seccomp_notif {
189 struct seccomp_data data;
192 struct seccomp_notif_resp {
199 struct seccomp_notif_sizes {
201 __u16 seccomp_notif_resp;
206 #ifndef PTRACE_EVENTMSG_SYSCALL_ENTRY
207 #define PTRACE_EVENTMSG_SYSCALL_ENTRY 1
208 #define PTRACE_EVENTMSG_SYSCALL_EXIT 2
211 #ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
212 #define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
216 int seccomp(unsigned int op, unsigned int flags, void *args)
219 return syscall(__NR_seccomp, op, flags, args);
223 #if __BYTE_ORDER == __LITTLE_ENDIAN
224 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
225 #elif __BYTE_ORDER == __BIG_ENDIAN
226 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32))
228 #error "wut? Unknown __BYTE_ORDER?!"
231 #define SIBLING_EXIT_UNKILLED 0xbadbeef
232 #define SIBLING_EXIT_FAILURE 0xbadface
233 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
235 TEST(mode_strict_support)
239 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
241 TH_LOG("Kernel does not support CONFIG_SECCOMP");
243 syscall(__NR_exit, 0);
246 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
250 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
252 TH_LOG("Kernel does not support CONFIG_SECCOMP");
254 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
257 TH_LOG("Unreachable!");
261 /* Note! This doesn't test no new privs behavior */
262 TEST(no_new_privs_support)
266 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
268 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
272 /* Tests kernel support by checking for a copy_from_user() fault on NULL. */
273 TEST(mode_filter_support)
277 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
279 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
281 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
283 EXPECT_EQ(EFAULT, errno) {
284 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
288 TEST(mode_filter_without_nnp)
290 struct sock_filter filter[] = {
291 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
293 struct sock_fprog prog = {
294 .len = (unsigned short)ARRAY_SIZE(filter),
299 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
301 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
304 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
305 /* Succeeds with CAP_SYS_ADMIN, fails without */
306 /* TODO(wad) check caps not euid */
309 EXPECT_EQ(EACCES, errno);
315 #define MAX_INSNS_PER_PATH 32768
317 TEST(filter_size_limits)
320 int count = BPF_MAXINSNS + 1;
321 struct sock_filter allow[] = {
322 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
324 struct sock_filter *filter;
325 struct sock_fprog prog = { };
328 filter = calloc(count, sizeof(*filter));
329 ASSERT_NE(NULL, filter);
331 for (i = 0; i < count; i++)
332 filter[i] = allow[0];
334 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
337 prog.filter = filter;
340 /* Too many filter instructions in a single filter. */
341 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
343 TH_LOG("Installing %d insn filter was allowed", prog.len);
346 /* One less is okay, though. */
348 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
350 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
354 TEST(filter_chain_limits)
357 int count = BPF_MAXINSNS;
358 struct sock_filter allow[] = {
359 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
361 struct sock_filter *filter;
362 struct sock_fprog prog = { };
365 filter = calloc(count, sizeof(*filter));
366 ASSERT_NE(NULL, filter);
368 for (i = 0; i < count; i++)
369 filter[i] = allow[0];
371 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
374 prog.filter = filter;
377 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
382 /* Too many total filter instructions. */
383 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
384 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
389 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
390 i, count, i * (count + 4));
394 TEST(mode_filter_cannot_move_to_strict)
396 struct sock_filter filter[] = {
397 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
399 struct sock_fprog prog = {
400 .len = (unsigned short)ARRAY_SIZE(filter),
405 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
408 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
411 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
413 EXPECT_EQ(EINVAL, errno);
417 TEST(mode_filter_get_seccomp)
419 struct sock_filter filter[] = {
420 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
422 struct sock_fprog prog = {
423 .len = (unsigned short)ARRAY_SIZE(filter),
428 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
431 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
434 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
437 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
444 struct sock_filter filter[] = {
445 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
447 struct sock_fprog prog = {
448 .len = (unsigned short)ARRAY_SIZE(filter),
453 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
456 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
462 struct sock_filter filter[] = {
464 struct sock_fprog prog = {
465 .len = (unsigned short)ARRAY_SIZE(filter),
470 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
473 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
475 EXPECT_EQ(EINVAL, errno);
480 struct sock_filter filter[] = {
481 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
483 struct sock_fprog prog = {
484 .len = (unsigned short)ARRAY_SIZE(filter),
488 pid_t parent = getppid();
490 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
493 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
496 /* getppid() should succeed and be logged (no check for logging) */
497 EXPECT_EQ(parent, syscall(__NR_getppid));
500 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
502 struct sock_filter filter[] = {
503 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
505 struct sock_fprog prog = {
506 .len = (unsigned short)ARRAY_SIZE(filter),
511 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
514 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
516 EXPECT_EQ(0, syscall(__NR_getpid)) {
517 TH_LOG("getpid() shouldn't ever return");
521 /* return code >= 0x80000000 is unused. */
522 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
524 struct sock_filter filter[] = {
525 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
527 struct sock_fprog prog = {
528 .len = (unsigned short)ARRAY_SIZE(filter),
533 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
536 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
538 EXPECT_EQ(0, syscall(__NR_getpid)) {
539 TH_LOG("getpid() shouldn't ever return");
543 TEST_SIGNAL(KILL_all, SIGSYS)
545 struct sock_filter filter[] = {
546 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
548 struct sock_fprog prog = {
549 .len = (unsigned short)ARRAY_SIZE(filter),
554 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
557 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
561 TEST_SIGNAL(KILL_one, SIGSYS)
563 struct sock_filter filter[] = {
564 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
565 offsetof(struct seccomp_data, nr)),
566 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
567 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
568 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
570 struct sock_fprog prog = {
571 .len = (unsigned short)ARRAY_SIZE(filter),
575 pid_t parent = getppid();
577 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
580 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
583 EXPECT_EQ(parent, syscall(__NR_getppid));
584 /* getpid() should never return. */
585 EXPECT_EQ(0, syscall(__NR_getpid));
588 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
591 struct sock_filter filter[] = {
592 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
593 offsetof(struct seccomp_data, nr)),
594 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0),
595 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
596 /* Only both with lower 32-bit for now. */
597 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
598 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K,
599 (unsigned long)&fatal_address, 0, 1),
600 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
601 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
603 struct sock_fprog prog = {
604 .len = (unsigned short)ARRAY_SIZE(filter),
608 pid_t parent = getppid();
610 clock_t clock = times(&timebuf);
612 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
615 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
618 EXPECT_EQ(parent, syscall(__NR_getppid));
619 EXPECT_LE(clock, syscall(__NR_times, &timebuf));
620 /* times() should never return. */
621 EXPECT_EQ(0, syscall(__NR_times, &fatal_address));
624 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
627 int sysno = __NR_mmap;
629 int sysno = __NR_mmap2;
631 struct sock_filter filter[] = {
632 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
633 offsetof(struct seccomp_data, nr)),
634 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0),
635 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
636 /* Only both with lower 32-bit for now. */
637 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
638 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
639 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
640 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
642 struct sock_fprog prog = {
643 .len = (unsigned short)ARRAY_SIZE(filter),
647 pid_t parent = getppid();
650 int page_size = sysconf(_SC_PAGESIZE);
652 ASSERT_LT(0, page_size);
654 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
657 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
660 fd = open("/dev/zero", O_RDONLY);
663 EXPECT_EQ(parent, syscall(__NR_getppid));
664 map1 = (void *)syscall(sysno,
665 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size);
666 EXPECT_NE(MAP_FAILED, map1);
667 /* mmap2() should never return. */
668 map2 = (void *)syscall(sysno,
669 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE);
670 EXPECT_EQ(MAP_FAILED, map2);
672 /* The test failed, so clean up the resources. */
673 munmap(map1, page_size);
674 munmap(map2, page_size);
678 /* This is a thread task to die via seccomp filter violation. */
679 void *kill_thread(void *data)
681 bool die = (bool)data;
684 prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
685 return (void *)SIBLING_EXIT_FAILURE;
688 return (void *)SIBLING_EXIT_UNKILLED;
691 /* Prepare a thread that will kill itself or both of us. */
692 void kill_thread_or_group(struct __test_metadata *_metadata, bool kill_process)
696 /* Kill only when calling __NR_prctl. */
697 struct sock_filter filter_thread[] = {
698 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
699 offsetof(struct seccomp_data, nr)),
700 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
701 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD),
702 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
704 struct sock_fprog prog_thread = {
705 .len = (unsigned short)ARRAY_SIZE(filter_thread),
706 .filter = filter_thread,
708 struct sock_filter filter_process[] = {
709 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
710 offsetof(struct seccomp_data, nr)),
711 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
712 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_PROCESS),
713 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
715 struct sock_fprog prog_process = {
716 .len = (unsigned short)ARRAY_SIZE(filter_process),
717 .filter = filter_process,
720 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
721 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
724 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0,
725 kill_process ? &prog_process : &prog_thread));
728 * Add the KILL_THREAD rule again to make sure that the KILL_PROCESS
729 * flag cannot be downgraded by a new filter.
731 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread));
733 /* Start a thread that will exit immediately. */
734 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)false));
735 ASSERT_EQ(0, pthread_join(thread, &status));
736 ASSERT_EQ(SIBLING_EXIT_UNKILLED, (unsigned long)status);
738 /* Start a thread that will die immediately. */
739 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)true));
740 ASSERT_EQ(0, pthread_join(thread, &status));
741 ASSERT_NE(SIBLING_EXIT_FAILURE, (unsigned long)status);
744 * If we get here, only the spawned thread died. Let the parent know
745 * the whole process didn't die (i.e. this thread, the spawner,
757 ASSERT_LE(0, child_pid);
758 if (child_pid == 0) {
759 kill_thread_or_group(_metadata, false);
763 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
765 /* If only the thread was killed, we'll see exit 42. */
766 ASSERT_TRUE(WIFEXITED(status));
767 ASSERT_EQ(42, WEXITSTATUS(status));
776 ASSERT_LE(0, child_pid);
777 if (child_pid == 0) {
778 kill_thread_or_group(_metadata, true);
782 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
784 /* If the entire process was killed, we'll see SIGSYS. */
785 ASSERT_TRUE(WIFSIGNALED(status));
786 ASSERT_EQ(SIGSYS, WTERMSIG(status));
789 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
790 TEST(arg_out_of_range)
792 struct sock_filter filter[] = {
793 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
794 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
796 struct sock_fprog prog = {
797 .len = (unsigned short)ARRAY_SIZE(filter),
802 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
805 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
807 EXPECT_EQ(EINVAL, errno);
810 #define ERRNO_FILTER(name, errno) \
811 struct sock_filter _read_filter_##name[] = { \
812 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, \
813 offsetof(struct seccomp_data, nr)), \
814 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), \
815 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno), \
816 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \
818 struct sock_fprog prog_##name = { \
819 .len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \
820 .filter = _read_filter_##name, \
823 /* Make sure basic errno values are correctly passed through a filter. */
826 ERRNO_FILTER(valid, E2BIG);
828 pid_t parent = getppid();
830 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
833 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid);
836 EXPECT_EQ(parent, syscall(__NR_getppid));
837 EXPECT_EQ(-1, read(0, NULL, 0));
838 EXPECT_EQ(E2BIG, errno);
841 /* Make sure an errno of zero is correctly handled by the arch code. */
844 ERRNO_FILTER(zero, 0);
846 pid_t parent = getppid();
848 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
851 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero);
854 EXPECT_EQ(parent, syscall(__NR_getppid));
855 /* "errno" of 0 is ok. */
856 EXPECT_EQ(0, read(0, NULL, 0));
860 * The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller.
861 * This tests that the errno value gets capped correctly, fixed by
862 * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
866 ERRNO_FILTER(capped, 4096);
868 pid_t parent = getppid();
870 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
873 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped);
876 EXPECT_EQ(parent, syscall(__NR_getppid));
877 EXPECT_EQ(-1, read(0, NULL, 0));
878 EXPECT_EQ(4095, errno);
882 * Filters are processed in reverse order: last applied is executed first.
883 * Since only the SECCOMP_RET_ACTION mask is tested for return values, the
884 * SECCOMP_RET_DATA mask results will follow the most recently applied
885 * matching filter return (and not the lowest or highest value).
889 ERRNO_FILTER(first, 11);
890 ERRNO_FILTER(second, 13);
891 ERRNO_FILTER(third, 12);
893 pid_t parent = getppid();
895 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
898 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first);
901 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second);
904 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third);
907 EXPECT_EQ(parent, syscall(__NR_getppid));
908 EXPECT_EQ(-1, read(0, NULL, 0));
909 EXPECT_EQ(12, errno);
913 struct sock_fprog prog;
918 struct sock_filter filter[] = {
919 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
920 offsetof(struct seccomp_data, nr)),
921 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
922 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
923 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
926 memset(&self->prog, 0, sizeof(self->prog));
927 self->prog.filter = malloc(sizeof(filter));
928 ASSERT_NE(NULL, self->prog.filter);
929 memcpy(self->prog.filter, filter, sizeof(filter));
930 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
933 FIXTURE_TEARDOWN(TRAP)
935 if (self->prog.filter)
936 free(self->prog.filter);
939 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
943 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
946 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
948 syscall(__NR_getpid);
951 /* Ensure that SIGSYS overrides SIG_IGN */
952 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
956 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
959 signal(SIGSYS, SIG_IGN);
961 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
963 syscall(__NR_getpid);
966 static siginfo_t TRAP_info;
967 static volatile int TRAP_nr;
968 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
970 memcpy(&TRAP_info, info, sizeof(TRAP_info));
974 TEST_F(TRAP, handler)
977 struct sigaction act;
980 memset(&act, 0, sizeof(act));
982 sigaddset(&mask, SIGSYS);
984 act.sa_sigaction = &TRAP_action;
985 act.sa_flags = SA_SIGINFO;
986 ret = sigaction(SIGSYS, &act, NULL);
988 TH_LOG("sigaction failed");
990 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
992 TH_LOG("sigprocmask failed");
995 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
997 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1000 memset(&TRAP_info, 0, sizeof(TRAP_info));
1001 /* Expect the registers to be rolled back. (nr = error) may vary
1003 ret = syscall(__NR_getpid);
1004 /* Silence gcc warning about volatile. */
1006 EXPECT_EQ(SIGSYS, test);
1007 struct local_sigsys {
1008 void *_call_addr; /* calling user insn */
1009 int _syscall; /* triggering system call number */
1010 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
1011 } *sigsys = (struct local_sigsys *)
1013 &(TRAP_info.si_call_addr);
1017 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
1018 /* Make sure arch is non-zero. */
1019 EXPECT_NE(0, sigsys->_arch);
1020 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
1023 FIXTURE_DATA(precedence) {
1024 struct sock_fprog allow;
1025 struct sock_fprog log;
1026 struct sock_fprog trace;
1027 struct sock_fprog error;
1028 struct sock_fprog trap;
1029 struct sock_fprog kill;
1032 FIXTURE_SETUP(precedence)
1034 struct sock_filter allow_insns[] = {
1035 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1037 struct sock_filter log_insns[] = {
1038 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1039 offsetof(struct seccomp_data, nr)),
1040 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1041 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1042 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
1044 struct sock_filter trace_insns[] = {
1045 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1046 offsetof(struct seccomp_data, nr)),
1047 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1048 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1049 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
1051 struct sock_filter error_insns[] = {
1052 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1053 offsetof(struct seccomp_data, nr)),
1054 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1055 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1056 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
1058 struct sock_filter trap_insns[] = {
1059 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1060 offsetof(struct seccomp_data, nr)),
1061 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1062 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1063 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1065 struct sock_filter kill_insns[] = {
1066 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1067 offsetof(struct seccomp_data, nr)),
1068 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1069 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1070 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1073 memset(self, 0, sizeof(*self));
1074 #define FILTER_ALLOC(_x) \
1075 self->_x.filter = malloc(sizeof(_x##_insns)); \
1076 ASSERT_NE(NULL, self->_x.filter); \
1077 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
1078 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
1079 FILTER_ALLOC(allow);
1081 FILTER_ALLOC(trace);
1082 FILTER_ALLOC(error);
1087 FIXTURE_TEARDOWN(precedence)
1089 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
1098 TEST_F(precedence, allow_ok)
1100 pid_t parent, res = 0;
1104 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1107 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1109 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1111 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1113 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1115 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1117 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1119 /* Should work just fine. */
1120 res = syscall(__NR_getppid);
1121 EXPECT_EQ(parent, res);
1124 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
1126 pid_t parent, res = 0;
1130 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1133 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1135 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1137 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1139 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1141 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1143 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1145 /* Should work just fine. */
1146 res = syscall(__NR_getppid);
1147 EXPECT_EQ(parent, res);
1148 /* getpid() should never return. */
1149 res = syscall(__NR_getpid);
1153 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
1159 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1162 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1164 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1166 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1168 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1170 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1172 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1174 /* Should work just fine. */
1175 EXPECT_EQ(parent, syscall(__NR_getppid));
1176 /* getpid() should never return. */
1177 EXPECT_EQ(0, syscall(__NR_getpid));
1180 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
1186 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1189 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1191 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1193 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1195 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1197 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1199 /* Should work just fine. */
1200 EXPECT_EQ(parent, syscall(__NR_getppid));
1201 /* getpid() should never return. */
1202 EXPECT_EQ(0, syscall(__NR_getpid));
1205 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
1211 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1214 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1216 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1218 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1220 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1222 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1224 /* Should work just fine. */
1225 EXPECT_EQ(parent, syscall(__NR_getppid));
1226 /* getpid() should never return. */
1227 EXPECT_EQ(0, syscall(__NR_getpid));
1230 TEST_F(precedence, errno_is_third)
1236 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1239 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1241 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1243 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1245 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1247 /* Should work just fine. */
1248 EXPECT_EQ(parent, syscall(__NR_getppid));
1249 EXPECT_EQ(0, syscall(__NR_getpid));
1252 TEST_F(precedence, errno_is_third_in_any_order)
1258 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1261 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1263 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1265 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1267 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1269 /* Should work just fine. */
1270 EXPECT_EQ(parent, syscall(__NR_getppid));
1271 EXPECT_EQ(0, syscall(__NR_getpid));
1274 TEST_F(precedence, trace_is_fourth)
1280 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1283 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1285 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1287 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1289 /* Should work just fine. */
1290 EXPECT_EQ(parent, syscall(__NR_getppid));
1292 EXPECT_EQ(-1, syscall(__NR_getpid));
1295 TEST_F(precedence, trace_is_fourth_in_any_order)
1301 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1304 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1306 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1308 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1310 /* Should work just fine. */
1311 EXPECT_EQ(parent, syscall(__NR_getppid));
1313 EXPECT_EQ(-1, syscall(__NR_getpid));
1316 TEST_F(precedence, log_is_fifth)
1318 pid_t mypid, parent;
1323 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1326 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1328 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1330 /* Should work just fine. */
1331 EXPECT_EQ(parent, syscall(__NR_getppid));
1332 /* Should also work just fine */
1333 EXPECT_EQ(mypid, syscall(__NR_getpid));
1336 TEST_F(precedence, log_is_fifth_in_any_order)
1338 pid_t mypid, parent;
1343 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1346 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1348 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1350 /* Should work just fine. */
1351 EXPECT_EQ(parent, syscall(__NR_getppid));
1352 /* Should also work just fine */
1353 EXPECT_EQ(mypid, syscall(__NR_getpid));
1356 #ifndef PTRACE_O_TRACESECCOMP
1357 #define PTRACE_O_TRACESECCOMP 0x00000080
1360 /* Catch the Ubuntu 12.04 value error. */
1361 #if PTRACE_EVENT_SECCOMP != 7
1362 #undef PTRACE_EVENT_SECCOMP
1365 #ifndef PTRACE_EVENT_SECCOMP
1366 #define PTRACE_EVENT_SECCOMP 7
1369 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
1370 bool tracer_running;
1371 void tracer_stop(int sig)
1373 tracer_running = false;
1376 typedef void tracer_func_t(struct __test_metadata *_metadata,
1377 pid_t tracee, int status, void *args);
1379 void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
1380 tracer_func_t tracer_func, void *args, bool ptrace_syscall)
1383 struct sigaction action = {
1384 .sa_handler = tracer_stop,
1387 /* Allow external shutdown. */
1388 tracer_running = true;
1389 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1392 while (ret == -1 && errno != EINVAL)
1393 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1395 kill(tracee, SIGKILL);
1397 /* Wait for attach stop */
1400 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ?
1401 PTRACE_O_TRACESYSGOOD :
1402 PTRACE_O_TRACESECCOMP);
1404 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1405 kill(tracee, SIGKILL);
1407 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1411 /* Unblock the tracee */
1412 ASSERT_EQ(1, write(fd, "A", 1));
1413 ASSERT_EQ(0, close(fd));
1415 /* Run until we're shut down. Must assert to stop execution. */
1416 while (tracer_running) {
1419 if (wait(&status) != tracee)
1421 if (WIFSIGNALED(status) || WIFEXITED(status))
1422 /* Child is dead. Time to go. */
1425 /* Check if this is a seccomp event. */
1426 ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status));
1428 tracer_func(_metadata, tracee, status, args);
1430 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1434 /* Directly report the status of our test harness results. */
1435 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1438 /* Common tracer setup/teardown functions. */
1439 void cont_handler(int num)
1441 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1442 tracer_func_t func, void *args, bool ptrace_syscall)
1447 pid_t tracee = getpid();
1449 /* Setup a pipe for clean synchronization. */
1450 ASSERT_EQ(0, pipe(pipefd));
1452 /* Fork a child which we'll promote to tracer */
1453 tracer_pid = fork();
1454 ASSERT_LE(0, tracer_pid);
1455 signal(SIGALRM, cont_handler);
1456 if (tracer_pid == 0) {
1458 start_tracer(_metadata, pipefd[1], tracee, func, args,
1460 syscall(__NR_exit, 0);
1463 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1464 read(pipefd[0], &sync, 1);
1469 void teardown_trace_fixture(struct __test_metadata *_metadata,
1475 * Extract the exit code from the other process and
1476 * adopt it for ourselves in case its asserts failed.
1478 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1479 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1480 if (WEXITSTATUS(status))
1481 _metadata->passed = 0;
1485 /* "poke" tracer arguments and function. */
1486 struct tracer_args_poke_t {
1487 unsigned long poke_addr;
1490 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1495 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1497 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1499 /* If this fails, don't try to recover. */
1500 ASSERT_EQ(0x1001, msg) {
1501 kill(tracee, SIGKILL);
1504 * Poke in the message.
1505 * Registers are not touched to try to keep this relatively arch
1508 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1512 FIXTURE_DATA(TRACE_poke) {
1513 struct sock_fprog prog;
1516 struct tracer_args_poke_t tracer_args;
1519 FIXTURE_SETUP(TRACE_poke)
1521 struct sock_filter filter[] = {
1522 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1523 offsetof(struct seccomp_data, nr)),
1524 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1525 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1526 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1530 memset(&self->prog, 0, sizeof(self->prog));
1531 self->prog.filter = malloc(sizeof(filter));
1532 ASSERT_NE(NULL, self->prog.filter);
1533 memcpy(self->prog.filter, filter, sizeof(filter));
1534 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1536 /* Set up tracer args. */
1537 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1539 /* Launch tracer. */
1540 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1541 &self->tracer_args, false);
1544 FIXTURE_TEARDOWN(TRACE_poke)
1546 teardown_trace_fixture(_metadata, self->tracer);
1547 if (self->prog.filter)
1548 free(self->prog.filter);
1551 TEST_F(TRACE_poke, read_has_side_effects)
1555 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1558 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1561 EXPECT_EQ(0, self->poked);
1562 ret = read(-1, NULL, 0);
1564 EXPECT_EQ(0x1001, self->poked);
1567 TEST_F(TRACE_poke, getpid_runs_normally)
1571 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1574 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1577 EXPECT_EQ(0, self->poked);
1578 EXPECT_NE(0, syscall(__NR_getpid));
1579 EXPECT_EQ(0, self->poked);
1582 #if defined(__x86_64__)
1583 # define ARCH_REGS struct user_regs_struct
1584 # define SYSCALL_NUM orig_rax
1585 # define SYSCALL_RET rax
1586 #elif defined(__i386__)
1587 # define ARCH_REGS struct user_regs_struct
1588 # define SYSCALL_NUM orig_eax
1589 # define SYSCALL_RET eax
1590 #elif defined(__arm__)
1591 # define ARCH_REGS struct pt_regs
1592 # define SYSCALL_NUM ARM_r7
1593 # define SYSCALL_RET ARM_r0
1594 #elif defined(__aarch64__)
1595 # define ARCH_REGS struct user_pt_regs
1596 # define SYSCALL_NUM regs[8]
1597 # define SYSCALL_RET regs[0]
1598 #elif defined(__riscv) && __riscv_xlen == 64
1599 # define ARCH_REGS struct user_regs_struct
1600 # define SYSCALL_NUM a7
1601 # define SYSCALL_RET a0
1602 #elif defined(__hppa__)
1603 # define ARCH_REGS struct user_regs_struct
1604 # define SYSCALL_NUM gr[20]
1605 # define SYSCALL_RET gr[28]
1606 #elif defined(__powerpc__)
1607 # define ARCH_REGS struct pt_regs
1608 # define SYSCALL_NUM gpr[0]
1609 # define SYSCALL_RET gpr[3]
1610 #elif defined(__s390__)
1611 # define ARCH_REGS s390_regs
1612 # define SYSCALL_NUM gprs[2]
1613 # define SYSCALL_RET gprs[2]
1614 #elif defined(__mips__)
1615 # define ARCH_REGS struct pt_regs
1616 # define SYSCALL_NUM regs[2]
1617 # define SYSCALL_SYSCALL_NUM regs[4]
1618 # define SYSCALL_RET regs[2]
1619 # define SYSCALL_NUM_RET_SHARE_REG
1621 # error "Do not know how to find your architecture's registers and syscalls"
1624 /* When the syscall return can't be changed, stub out the tests for it. */
1625 #ifdef SYSCALL_NUM_RET_SHARE_REG
1626 # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
1628 # define EXPECT_SYSCALL_RETURN(val, action) \
1632 EXPECT_EQ(-1, action); \
1633 EXPECT_EQ(-(val), errno); \
1635 EXPECT_EQ(val, action); \
1640 /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
1641 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1643 #if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
1644 #define HAVE_GETREGS
1647 /* Architecture-specific syscall fetching routine. */
1648 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1652 EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) {
1653 TH_LOG("PTRACE_GETREGS failed");
1659 iov.iov_base = ®s;
1660 iov.iov_len = sizeof(regs);
1661 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1662 TH_LOG("PTRACE_GETREGSET failed");
1667 #if defined(__mips__)
1668 if (regs.SYSCALL_NUM == __NR_O32_Linux)
1669 return regs.SYSCALL_SYSCALL_NUM;
1671 return regs.SYSCALL_NUM;
1674 /* Architecture-specific syscall changing routine. */
1675 void change_syscall(struct __test_metadata *_metadata,
1676 pid_t tracee, int syscall, int result)
1681 ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s);
1684 iov.iov_base = ®s;
1685 iov.iov_len = sizeof(regs);
1686 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1688 EXPECT_EQ(0, ret) {}
1690 #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
1691 defined(__s390__) || defined(__hppa__) || defined(__riscv)
1693 regs.SYSCALL_NUM = syscall;
1695 #elif defined(__mips__)
1697 if (regs.SYSCALL_NUM == __NR_O32_Linux)
1698 regs.SYSCALL_SYSCALL_NUM = syscall;
1700 regs.SYSCALL_NUM = syscall;
1703 #elif defined(__arm__)
1704 # ifndef PTRACE_SET_SYSCALL
1705 # define PTRACE_SET_SYSCALL 23
1708 ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall);
1712 #elif defined(__aarch64__)
1713 # ifndef NT_ARM_SYSTEM_CALL
1714 # define NT_ARM_SYSTEM_CALL 0x404
1717 iov.iov_base = &syscall;
1718 iov.iov_len = sizeof(syscall);
1719 ret = ptrace(PTRACE_SETREGSET, tracee, NT_ARM_SYSTEM_CALL,
1726 TH_LOG("How is the syscall changed on this architecture?");
1730 /* If syscall is skipped, change return value. */
1732 #ifdef SYSCALL_NUM_RET_SHARE_REG
1733 TH_LOG("Can't modify syscall return on this architecture");
1735 regs.SYSCALL_RET = result;
1739 ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s);
1741 iov.iov_base = ®s;
1742 iov.iov_len = sizeof(regs);
1743 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1748 void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
1749 int status, void *args)
1754 /* Make sure we got the right message. */
1755 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1758 /* Validate and take action on expected syscalls. */
1761 /* change getpid to getppid. */
1762 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
1763 change_syscall(_metadata, tracee, __NR_getppid, 0);
1766 /* skip gettid with valid return code. */
1767 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
1768 change_syscall(_metadata, tracee, -1, 45000);
1771 /* skip openat with error. */
1772 EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
1773 change_syscall(_metadata, tracee, -1, -ESRCH);
1776 /* do nothing (allow getppid) */
1777 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
1781 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1782 kill(tracee, SIGKILL);
1788 void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
1789 int status, void *args)
1796 * The traditional way to tell PTRACE_SYSCALL entry/exit
1801 /* Make sure we got an appropriate message. */
1802 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1804 EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
1805 : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
1810 nr = get_syscall(_metadata, tracee);
1812 if (nr == __NR_getpid)
1813 change_syscall(_metadata, tracee, __NR_getppid, 0);
1814 if (nr == __NR_gettid)
1815 change_syscall(_metadata, tracee, -1, 45000);
1816 if (nr == __NR_openat)
1817 change_syscall(_metadata, tracee, -1, -ESRCH);
1820 FIXTURE_DATA(TRACE_syscall) {
1821 struct sock_fprog prog;
1822 pid_t tracer, mytid, mypid, parent;
1825 FIXTURE_SETUP(TRACE_syscall)
1827 struct sock_filter filter[] = {
1828 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1829 offsetof(struct seccomp_data, nr)),
1830 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1831 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1832 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1833 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1834 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
1835 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1836 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1837 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
1838 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1841 memset(&self->prog, 0, sizeof(self->prog));
1842 self->prog.filter = malloc(sizeof(filter));
1843 ASSERT_NE(NULL, self->prog.filter);
1844 memcpy(self->prog.filter, filter, sizeof(filter));
1845 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1847 /* Prepare some testable syscall results. */
1848 self->mytid = syscall(__NR_gettid);
1849 ASSERT_GT(self->mytid, 0);
1850 ASSERT_NE(self->mytid, 1) {
1851 TH_LOG("Running this test as init is not supported. :)");
1854 self->mypid = getpid();
1855 ASSERT_GT(self->mypid, 0);
1856 ASSERT_EQ(self->mytid, self->mypid);
1858 self->parent = getppid();
1859 ASSERT_GT(self->parent, 0);
1860 ASSERT_NE(self->parent, self->mypid);
1862 /* Launch tracer. */
1863 self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL,
1867 FIXTURE_TEARDOWN(TRACE_syscall)
1869 teardown_trace_fixture(_metadata, self->tracer);
1870 if (self->prog.filter)
1871 free(self->prog.filter);
1874 TEST_F(TRACE_syscall, ptrace_syscall_redirected)
1876 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1877 teardown_trace_fixture(_metadata, self->tracer);
1878 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1881 /* Tracer will redirect getpid to getppid. */
1882 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1885 TEST_F(TRACE_syscall, ptrace_syscall_errno)
1887 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1888 teardown_trace_fixture(_metadata, self->tracer);
1889 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1892 /* Tracer should skip the open syscall, resulting in ESRCH. */
1893 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
1896 TEST_F(TRACE_syscall, ptrace_syscall_faked)
1898 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1899 teardown_trace_fixture(_metadata, self->tracer);
1900 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1903 /* Tracer should skip the gettid syscall, resulting fake pid. */
1904 EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
1907 TEST_F(TRACE_syscall, syscall_allowed)
1911 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1914 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1917 /* getppid works as expected (no changes). */
1918 EXPECT_EQ(self->parent, syscall(__NR_getppid));
1919 EXPECT_NE(self->mypid, syscall(__NR_getppid));
1922 TEST_F(TRACE_syscall, syscall_redirected)
1926 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1929 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1932 /* getpid has been redirected to getppid as expected. */
1933 EXPECT_EQ(self->parent, syscall(__NR_getpid));
1934 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1937 TEST_F(TRACE_syscall, syscall_errno)
1941 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1944 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1947 /* openat has been skipped and an errno return. */
1948 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
1951 TEST_F(TRACE_syscall, syscall_faked)
1955 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1958 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1961 /* gettid has been skipped and an altered return value stored. */
1962 EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
1965 TEST_F(TRACE_syscall, skip_after_RET_TRACE)
1967 struct sock_filter filter[] = {
1968 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1969 offsetof(struct seccomp_data, nr)),
1970 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1971 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
1972 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1974 struct sock_fprog prog = {
1975 .len = (unsigned short)ARRAY_SIZE(filter),
1980 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1983 /* Install fixture filter. */
1984 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1987 /* Install "errno on getppid" filter. */
1988 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1991 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
1993 EXPECT_EQ(-1, syscall(__NR_getpid));
1994 EXPECT_EQ(EPERM, errno);
1997 TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS)
1999 struct sock_filter filter[] = {
2000 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2001 offsetof(struct seccomp_data, nr)),
2002 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2003 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2004 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2006 struct sock_fprog prog = {
2007 .len = (unsigned short)ARRAY_SIZE(filter),
2012 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2015 /* Install fixture filter. */
2016 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
2019 /* Install "death on getppid" filter. */
2020 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2023 /* Tracer will redirect getpid to getppid, and we should die. */
2024 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2027 TEST_F(TRACE_syscall, skip_after_ptrace)
2029 struct sock_filter filter[] = {
2030 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2031 offsetof(struct seccomp_data, nr)),
2032 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2033 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
2034 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2036 struct sock_fprog prog = {
2037 .len = (unsigned short)ARRAY_SIZE(filter),
2042 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
2043 teardown_trace_fixture(_metadata, self->tracer);
2044 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
2047 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2050 /* Install "errno on getppid" filter. */
2051 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2054 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
2055 EXPECT_EQ(-1, syscall(__NR_getpid));
2056 EXPECT_EQ(EPERM, errno);
2059 TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS)
2061 struct sock_filter filter[] = {
2062 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2063 offsetof(struct seccomp_data, nr)),
2064 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2065 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2066 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2068 struct sock_fprog prog = {
2069 .len = (unsigned short)ARRAY_SIZE(filter),
2074 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
2075 teardown_trace_fixture(_metadata, self->tracer);
2076 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
2079 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2082 /* Install "death on getppid" filter. */
2083 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2086 /* Tracer will redirect getpid to getppid, and we should die. */
2087 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2090 TEST(seccomp_syscall)
2092 struct sock_filter filter[] = {
2093 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2095 struct sock_fprog prog = {
2096 .len = (unsigned short)ARRAY_SIZE(filter),
2101 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2103 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2106 /* Reject insane operation. */
2107 ret = seccomp(-1, 0, &prog);
2108 ASSERT_NE(ENOSYS, errno) {
2109 TH_LOG("Kernel does not support seccomp syscall!");
2111 EXPECT_EQ(EINVAL, errno) {
2112 TH_LOG("Did not reject crazy op value!");
2115 /* Reject strict with flags or pointer. */
2116 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
2117 EXPECT_EQ(EINVAL, errno) {
2118 TH_LOG("Did not reject mode strict with flags!");
2120 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
2121 EXPECT_EQ(EINVAL, errno) {
2122 TH_LOG("Did not reject mode strict with uargs!");
2125 /* Reject insane args for filter. */
2126 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
2127 EXPECT_EQ(EINVAL, errno) {
2128 TH_LOG("Did not reject crazy filter flags!");
2130 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
2131 EXPECT_EQ(EFAULT, errno) {
2132 TH_LOG("Did not reject NULL filter!");
2135 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2136 EXPECT_EQ(0, errno) {
2137 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
2142 TEST(seccomp_syscall_mode_lock)
2144 struct sock_filter filter[] = {
2145 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2147 struct sock_fprog prog = {
2148 .len = (unsigned short)ARRAY_SIZE(filter),
2153 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2155 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2158 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2159 ASSERT_NE(ENOSYS, errno) {
2160 TH_LOG("Kernel does not support seccomp syscall!");
2163 TH_LOG("Could not install filter!");
2166 /* Make sure neither entry point will switch to strict. */
2167 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
2168 EXPECT_EQ(EINVAL, errno) {
2169 TH_LOG("Switched to mode strict!");
2172 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
2173 EXPECT_EQ(EINVAL, errno) {
2174 TH_LOG("Switched to mode strict!");
2179 * Test detection of known and unknown filter flags. Userspace needs to be able
2180 * to check if a filter flag is supported by the current kernel and a good way
2181 * of doing that is by attempting to enter filter mode, with the flag bit in
2182 * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
2183 * that the flag is valid and EINVAL indicates that the flag is invalid.
2185 TEST(detect_seccomp_filter_flags)
2187 unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
2188 SECCOMP_FILTER_FLAG_LOG,
2189 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
2190 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2191 unsigned int exclusive[] = {
2192 SECCOMP_FILTER_FLAG_TSYNC,
2193 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2194 unsigned int flag, all_flags, exclusive_mask;
2198 /* Test detection of individual known-good filter flags */
2199 for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
2203 /* Make sure the flag is a single bit! */
2212 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2213 ASSERT_NE(ENOSYS, errno) {
2214 TH_LOG("Kernel does not support seccomp syscall!");
2217 EXPECT_EQ(EFAULT, errno) {
2218 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
2226 * Test detection of all known-good filter flags combined. But
2227 * for the exclusive flags we need to mask them out and try them
2228 * individually for the "all flags" testing.
2231 for (i = 0; i < ARRAY_SIZE(exclusive); i++)
2232 exclusive_mask |= exclusive[i];
2233 for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
2234 flag = all_flags & ~exclusive_mask;
2235 flag |= exclusive[i];
2237 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2239 EXPECT_EQ(EFAULT, errno) {
2240 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
2245 /* Test detection of an unknown filter flags, without exclusives. */
2247 flag &= ~exclusive_mask;
2248 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2250 EXPECT_EQ(EINVAL, errno) {
2251 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
2256 * Test detection of an unknown filter flag that may simply need to be
2257 * added to this test
2259 flag = flags[ARRAY_SIZE(flags) - 1] << 1;
2260 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2262 EXPECT_EQ(EINVAL, errno) {
2263 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
2270 struct sock_filter filter[] = {
2271 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2273 struct sock_fprog prog = {
2274 .len = (unsigned short)ARRAY_SIZE(filter),
2279 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2281 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2284 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2286 ASSERT_NE(ENOSYS, errno) {
2287 TH_LOG("Kernel does not support seccomp syscall!");
2290 TH_LOG("Could not install initial filter with TSYNC!");
2294 #define TSYNC_SIBLINGS 2
2295 struct tsync_sibling {
2299 pthread_cond_t *cond;
2300 pthread_mutex_t *mutex;
2303 struct sock_fprog *prog;
2304 struct __test_metadata *metadata;
2308 * To avoid joining joined threads (which is not allowed by Bionic),
2309 * make sure we both successfully join and clear the tid to skip a
2310 * later join attempt during fixture teardown. Any remaining threads
2311 * will be directly killed during teardown.
2313 #define PTHREAD_JOIN(tid, status) \
2315 int _rc = pthread_join(tid, status); \
2317 TH_LOG("pthread_join of tid %u failed: %d\n", \
2318 (unsigned int)tid, _rc); \
2324 FIXTURE_DATA(TSYNC) {
2325 struct sock_fprog root_prog, apply_prog;
2326 struct tsync_sibling sibling[TSYNC_SIBLINGS];
2328 pthread_cond_t cond;
2329 pthread_mutex_t mutex;
2333 FIXTURE_SETUP(TSYNC)
2335 struct sock_filter root_filter[] = {
2336 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2338 struct sock_filter apply_filter[] = {
2339 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2340 offsetof(struct seccomp_data, nr)),
2341 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
2342 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2343 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2346 memset(&self->root_prog, 0, sizeof(self->root_prog));
2347 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
2348 memset(&self->sibling, 0, sizeof(self->sibling));
2349 self->root_prog.filter = malloc(sizeof(root_filter));
2350 ASSERT_NE(NULL, self->root_prog.filter);
2351 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
2352 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
2354 self->apply_prog.filter = malloc(sizeof(apply_filter));
2355 ASSERT_NE(NULL, self->apply_prog.filter);
2356 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
2357 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
2359 self->sibling_count = 0;
2360 pthread_mutex_init(&self->mutex, NULL);
2361 pthread_cond_init(&self->cond, NULL);
2362 sem_init(&self->started, 0, 0);
2363 self->sibling[0].tid = 0;
2364 self->sibling[0].cond = &self->cond;
2365 self->sibling[0].started = &self->started;
2366 self->sibling[0].mutex = &self->mutex;
2367 self->sibling[0].diverge = 0;
2368 self->sibling[0].num_waits = 1;
2369 self->sibling[0].prog = &self->root_prog;
2370 self->sibling[0].metadata = _metadata;
2371 self->sibling[1].tid = 0;
2372 self->sibling[1].cond = &self->cond;
2373 self->sibling[1].started = &self->started;
2374 self->sibling[1].mutex = &self->mutex;
2375 self->sibling[1].diverge = 0;
2376 self->sibling[1].prog = &self->root_prog;
2377 self->sibling[1].num_waits = 1;
2378 self->sibling[1].metadata = _metadata;
2381 FIXTURE_TEARDOWN(TSYNC)
2385 if (self->root_prog.filter)
2386 free(self->root_prog.filter);
2387 if (self->apply_prog.filter)
2388 free(self->apply_prog.filter);
2390 for ( ; sib < self->sibling_count; ++sib) {
2391 struct tsync_sibling *s = &self->sibling[sib];
2396 * If a thread is still running, it may be stuck, so hit
2397 * it over the head really hard.
2399 pthread_kill(s->tid, 9);
2401 pthread_mutex_destroy(&self->mutex);
2402 pthread_cond_destroy(&self->cond);
2403 sem_destroy(&self->started);
2406 void *tsync_sibling(void *data)
2409 struct tsync_sibling *me = data;
2411 me->system_tid = syscall(__NR_gettid);
2413 pthread_mutex_lock(me->mutex);
2415 /* Just re-apply the root prog to fork the tree */
2416 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
2419 sem_post(me->started);
2420 /* Return outside of started so parent notices failures. */
2422 pthread_mutex_unlock(me->mutex);
2423 return (void *)SIBLING_EXIT_FAILURE;
2426 pthread_cond_wait(me->cond, me->mutex);
2427 me->num_waits = me->num_waits - 1;
2428 } while (me->num_waits);
2429 pthread_mutex_unlock(me->mutex);
2431 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
2433 return (void *)SIBLING_EXIT_NEWPRIVS;
2435 return (void *)SIBLING_EXIT_UNKILLED;
2438 void tsync_start_sibling(struct tsync_sibling *sibling)
2440 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
2443 TEST_F(TSYNC, siblings_fail_prctl)
2447 struct sock_filter filter[] = {
2448 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2449 offsetof(struct seccomp_data, nr)),
2450 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
2451 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
2452 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2454 struct sock_fprog prog = {
2455 .len = (unsigned short)ARRAY_SIZE(filter),
2459 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2460 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2463 /* Check prctl failure detection by requesting sib 0 diverge. */
2464 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2465 ASSERT_NE(ENOSYS, errno) {
2466 TH_LOG("Kernel does not support seccomp syscall!");
2469 TH_LOG("setting filter failed");
2472 self->sibling[0].diverge = 1;
2473 tsync_start_sibling(&self->sibling[0]);
2474 tsync_start_sibling(&self->sibling[1]);
2476 while (self->sibling_count < TSYNC_SIBLINGS) {
2477 sem_wait(&self->started);
2478 self->sibling_count++;
2481 /* Signal the threads to clean up*/
2482 pthread_mutex_lock(&self->mutex);
2483 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2484 TH_LOG("cond broadcast non-zero");
2486 pthread_mutex_unlock(&self->mutex);
2488 /* Ensure diverging sibling failed to call prctl. */
2489 PTHREAD_JOIN(self->sibling[0].tid, &status);
2490 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
2491 PTHREAD_JOIN(self->sibling[1].tid, &status);
2492 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2495 TEST_F(TSYNC, two_siblings_with_ancestor)
2500 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2501 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2504 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2505 ASSERT_NE(ENOSYS, errno) {
2506 TH_LOG("Kernel does not support seccomp syscall!");
2509 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2511 tsync_start_sibling(&self->sibling[0]);
2512 tsync_start_sibling(&self->sibling[1]);
2514 while (self->sibling_count < TSYNC_SIBLINGS) {
2515 sem_wait(&self->started);
2516 self->sibling_count++;
2519 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2522 TH_LOG("Could install filter on all threads!");
2524 /* Tell the siblings to test the policy */
2525 pthread_mutex_lock(&self->mutex);
2526 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2527 TH_LOG("cond broadcast non-zero");
2529 pthread_mutex_unlock(&self->mutex);
2530 /* Ensure they are both killed and don't exit cleanly. */
2531 PTHREAD_JOIN(self->sibling[0].tid, &status);
2532 EXPECT_EQ(0x0, (long)status);
2533 PTHREAD_JOIN(self->sibling[1].tid, &status);
2534 EXPECT_EQ(0x0, (long)status);
2537 TEST_F(TSYNC, two_sibling_want_nnp)
2541 /* start siblings before any prctl() operations */
2542 tsync_start_sibling(&self->sibling[0]);
2543 tsync_start_sibling(&self->sibling[1]);
2544 while (self->sibling_count < TSYNC_SIBLINGS) {
2545 sem_wait(&self->started);
2546 self->sibling_count++;
2549 /* Tell the siblings to test no policy */
2550 pthread_mutex_lock(&self->mutex);
2551 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2552 TH_LOG("cond broadcast non-zero");
2554 pthread_mutex_unlock(&self->mutex);
2556 /* Ensure they are both upset about lacking nnp. */
2557 PTHREAD_JOIN(self->sibling[0].tid, &status);
2558 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2559 PTHREAD_JOIN(self->sibling[1].tid, &status);
2560 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2563 TEST_F(TSYNC, two_siblings_with_no_filter)
2568 /* start siblings before any prctl() operations */
2569 tsync_start_sibling(&self->sibling[0]);
2570 tsync_start_sibling(&self->sibling[1]);
2571 while (self->sibling_count < TSYNC_SIBLINGS) {
2572 sem_wait(&self->started);
2573 self->sibling_count++;
2576 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2577 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2580 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2582 ASSERT_NE(ENOSYS, errno) {
2583 TH_LOG("Kernel does not support seccomp syscall!");
2586 TH_LOG("Could install filter on all threads!");
2589 /* Tell the siblings to test the policy */
2590 pthread_mutex_lock(&self->mutex);
2591 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2592 TH_LOG("cond broadcast non-zero");
2594 pthread_mutex_unlock(&self->mutex);
2596 /* Ensure they are both killed and don't exit cleanly. */
2597 PTHREAD_JOIN(self->sibling[0].tid, &status);
2598 EXPECT_EQ(0x0, (long)status);
2599 PTHREAD_JOIN(self->sibling[1].tid, &status);
2600 EXPECT_EQ(0x0, (long)status);
2603 TEST_F(TSYNC, two_siblings_with_one_divergence)
2608 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2609 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2612 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2613 ASSERT_NE(ENOSYS, errno) {
2614 TH_LOG("Kernel does not support seccomp syscall!");
2617 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2619 self->sibling[0].diverge = 1;
2620 tsync_start_sibling(&self->sibling[0]);
2621 tsync_start_sibling(&self->sibling[1]);
2623 while (self->sibling_count < TSYNC_SIBLINGS) {
2624 sem_wait(&self->started);
2625 self->sibling_count++;
2628 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2630 ASSERT_EQ(self->sibling[0].system_tid, ret) {
2631 TH_LOG("Did not fail on diverged sibling.");
2634 /* Wake the threads */
2635 pthread_mutex_lock(&self->mutex);
2636 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2637 TH_LOG("cond broadcast non-zero");
2639 pthread_mutex_unlock(&self->mutex);
2641 /* Ensure they are both unkilled. */
2642 PTHREAD_JOIN(self->sibling[0].tid, &status);
2643 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2644 PTHREAD_JOIN(self->sibling[1].tid, &status);
2645 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2648 TEST_F(TSYNC, two_siblings_not_under_filter)
2652 struct timespec delay = { .tv_nsec = 100000000 };
2654 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2655 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2659 * Sibling 0 will have its own seccomp policy
2660 * and Sibling 1 will not be under seccomp at
2661 * all. Sibling 1 will enter seccomp and 0
2662 * will cause failure.
2664 self->sibling[0].diverge = 1;
2665 tsync_start_sibling(&self->sibling[0]);
2666 tsync_start_sibling(&self->sibling[1]);
2668 while (self->sibling_count < TSYNC_SIBLINGS) {
2669 sem_wait(&self->started);
2670 self->sibling_count++;
2673 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2674 ASSERT_NE(ENOSYS, errno) {
2675 TH_LOG("Kernel does not support seccomp syscall!");
2678 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2681 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2683 ASSERT_EQ(ret, self->sibling[0].system_tid) {
2684 TH_LOG("Did not fail on diverged sibling.");
2687 if (ret == self->sibling[0].system_tid)
2690 pthread_mutex_lock(&self->mutex);
2692 /* Increment the other siblings num_waits so we can clean up
2693 * the one we just saw.
2695 self->sibling[!sib].num_waits += 1;
2697 /* Signal the thread to clean up*/
2698 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2699 TH_LOG("cond broadcast non-zero");
2701 pthread_mutex_unlock(&self->mutex);
2702 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2703 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2704 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2705 while (!kill(self->sibling[sib].system_tid, 0))
2706 nanosleep(&delay, NULL);
2707 /* Switch to the remaining sibling */
2710 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2713 TH_LOG("Expected the remaining sibling to sync");
2716 pthread_mutex_lock(&self->mutex);
2718 /* If remaining sibling didn't have a chance to wake up during
2719 * the first broadcast, manually reduce the num_waits now.
2721 if (self->sibling[sib].num_waits > 1)
2722 self->sibling[sib].num_waits = 1;
2723 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2724 TH_LOG("cond broadcast non-zero");
2726 pthread_mutex_unlock(&self->mutex);
2727 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2728 EXPECT_EQ(0, (long)status);
2729 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2730 while (!kill(self->sibling[sib].system_tid, 0))
2731 nanosleep(&delay, NULL);
2733 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2735 ASSERT_EQ(0, ret); /* just us chickens */
2738 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
2739 TEST(syscall_restart)
2746 siginfo_t info = { };
2747 struct sock_filter filter[] = {
2748 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2749 offsetof(struct seccomp_data, nr)),
2751 #ifdef __NR_sigreturn
2752 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 6, 0),
2754 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 5, 0),
2755 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 4, 0),
2756 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 3, 0),
2757 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 4, 0),
2758 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
2760 /* Allow __NR_write for easy logging. */
2761 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
2762 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2763 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2764 /* The nanosleep jump target. */
2765 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100),
2766 /* The restart_syscall jump target. */
2767 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200),
2769 struct sock_fprog prog = {
2770 .len = (unsigned short)ARRAY_SIZE(filter),
2773 #if defined(__arm__)
2774 struct utsname utsbuf;
2777 ASSERT_EQ(0, pipe(pipefd));
2780 ASSERT_LE(0, child_pid);
2781 if (child_pid == 0) {
2782 /* Child uses EXPECT not ASSERT to deliver status correctly. */
2784 struct timespec timeout = { };
2786 /* Attach parent as tracer and stop. */
2787 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
2788 EXPECT_EQ(0, raise(SIGSTOP));
2790 EXPECT_EQ(0, close(pipefd[1]));
2792 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2793 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2796 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2798 TH_LOG("Failed to install filter!");
2801 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2802 TH_LOG("Failed to read() sync from parent");
2804 EXPECT_EQ('.', buf) {
2805 TH_LOG("Failed to get sync data from read()");
2808 /* Start nanosleep to be interrupted. */
2811 EXPECT_EQ(0, nanosleep(&timeout, NULL)) {
2812 TH_LOG("Call to nanosleep() failed (errno %d)", errno);
2815 /* Read final sync from parent. */
2816 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2817 TH_LOG("Failed final read() from parent");
2819 EXPECT_EQ('!', buf) {
2820 TH_LOG("Failed to get final data from read()");
2823 /* Directly report the status of our test harness results. */
2824 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
2827 EXPECT_EQ(0, close(pipefd[0]));
2829 /* Attach to child, setup options, and release. */
2830 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2831 ASSERT_EQ(true, WIFSTOPPED(status));
2832 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
2833 PTRACE_O_TRACESECCOMP));
2834 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2835 ASSERT_EQ(1, write(pipefd[1], ".", 1));
2837 /* Wait for nanosleep() to start. */
2838 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2839 ASSERT_EQ(true, WIFSTOPPED(status));
2840 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2841 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2842 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2843 ASSERT_EQ(0x100, msg);
2844 EXPECT_EQ(__NR_nanosleep, get_syscall(_metadata, child_pid));
2846 /* Might as well check siginfo for sanity while we're here. */
2847 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2848 ASSERT_EQ(SIGTRAP, info.si_signo);
2849 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
2850 EXPECT_EQ(0, info.si_errno);
2851 EXPECT_EQ(getuid(), info.si_uid);
2852 /* Verify signal delivery came from child (seccomp-triggered). */
2853 EXPECT_EQ(child_pid, info.si_pid);
2855 /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */
2856 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
2857 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2858 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2859 ASSERT_EQ(true, WIFSTOPPED(status));
2860 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
2861 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2863 * There is no siginfo on SIGSTOP any more, so we can't verify
2864 * signal delivery came from parent now (getpid() == info.si_pid).
2865 * https://lkml.kernel.org/r/CAGXu5jJaZAOzP1qFz66tYrtbuywqb+UN2SOA1VLHpCCOiYvYeg@mail.gmail.com
2866 * At least verify the SIGSTOP via PTRACE_GETSIGINFO.
2868 EXPECT_EQ(SIGSTOP, info.si_signo);
2870 /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */
2871 ASSERT_EQ(0, kill(child_pid, SIGCONT));
2872 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2873 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2874 ASSERT_EQ(true, WIFSTOPPED(status));
2875 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
2876 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2878 /* Wait for restart_syscall() to start. */
2879 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2880 ASSERT_EQ(true, WIFSTOPPED(status));
2881 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2882 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2883 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2885 ASSERT_EQ(0x200, msg);
2886 ret = get_syscall(_metadata, child_pid);
2887 #if defined(__arm__)
2890 * - native ARM registers do NOT expose true syscall.
2891 * - compat ARM registers on ARM64 DO expose true syscall.
2893 ASSERT_EQ(0, uname(&utsbuf));
2894 if (strncmp(utsbuf.machine, "arm", 3) == 0) {
2895 EXPECT_EQ(__NR_nanosleep, ret);
2899 EXPECT_EQ(__NR_restart_syscall, ret);
2902 /* Write again to end test. */
2903 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2904 ASSERT_EQ(1, write(pipefd[1], "!", 1));
2905 EXPECT_EQ(0, close(pipefd[1]));
2907 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2908 if (WIFSIGNALED(status) || WEXITSTATUS(status))
2909 _metadata->passed = 0;
2912 TEST_SIGNAL(filter_flag_log, SIGSYS)
2914 struct sock_filter allow_filter[] = {
2915 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2917 struct sock_filter kill_filter[] = {
2918 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2919 offsetof(struct seccomp_data, nr)),
2920 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
2921 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2922 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2924 struct sock_fprog allow_prog = {
2925 .len = (unsigned short)ARRAY_SIZE(allow_filter),
2926 .filter = allow_filter,
2928 struct sock_fprog kill_prog = {
2929 .len = (unsigned short)ARRAY_SIZE(kill_filter),
2930 .filter = kill_filter,
2933 pid_t parent = getppid();
2935 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2938 /* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */
2939 ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,
2941 ASSERT_NE(ENOSYS, errno) {
2942 TH_LOG("Kernel does not support seccomp syscall!");
2945 TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!");
2947 EXPECT_EQ(EINVAL, errno) {
2948 TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!");
2951 /* Verify that a simple, permissive filter can be added with no flags */
2952 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);
2955 /* See if the same filter can be added with the FILTER_FLAG_LOG flag */
2956 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
2958 ASSERT_NE(EINVAL, errno) {
2959 TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!");
2963 /* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */
2964 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
2968 EXPECT_EQ(parent, syscall(__NR_getppid));
2969 /* getpid() should never return. */
2970 EXPECT_EQ(0, syscall(__NR_getpid));
2973 TEST(get_action_avail)
2975 __u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP,
2976 SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE,
2977 SECCOMP_RET_LOG, SECCOMP_RET_ALLOW };
2978 __u32 unknown_action = 0x10000000U;
2982 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]);
2983 ASSERT_NE(ENOSYS, errno) {
2984 TH_LOG("Kernel does not support seccomp syscall!");
2986 ASSERT_NE(EINVAL, errno) {
2987 TH_LOG("Kernel does not support SECCOMP_GET_ACTION_AVAIL operation!");
2991 for (i = 0; i < ARRAY_SIZE(actions); i++) {
2992 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]);
2994 TH_LOG("Expected action (0x%X) not available!",
2999 /* Check that an unknown action is handled properly (EOPNOTSUPP) */
3000 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action);
3002 EXPECT_EQ(errno, EOPNOTSUPP);
3010 struct seccomp_metadata md;
3013 /* Only real root can get metadata. */
3015 XFAIL(return, "get_metadata requires real root");
3019 ASSERT_EQ(0, pipe(pipefd));
3024 struct sock_filter filter[] = {
3025 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3027 struct sock_fprog prog = {
3028 .len = (unsigned short)ARRAY_SIZE(filter),
3032 /* one with log, one without */
3033 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
3034 SECCOMP_FILTER_FLAG_LOG, &prog));
3035 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
3037 EXPECT_EQ(0, close(pipefd[0]));
3038 ASSERT_EQ(1, write(pipefd[1], "1", 1));
3039 ASSERT_EQ(0, close(pipefd[1]));
3045 ASSERT_EQ(0, close(pipefd[1]));
3046 ASSERT_EQ(1, read(pipefd[0], &buf, 1));
3048 ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
3049 ASSERT_EQ(pid, waitpid(pid, NULL, 0));
3051 /* Past here must not use ASSERT or child process is never killed. */
3055 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3056 EXPECT_EQ(sizeof(md), ret) {
3057 if (errno == EINVAL)
3058 XFAIL(goto skip, "Kernel does not support PTRACE_SECCOMP_GET_METADATA (missing CONFIG_CHECKPOINT_RESTORE?)");
3061 EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
3062 EXPECT_EQ(md.filter_off, 0);
3065 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3066 EXPECT_EQ(sizeof(md), ret);
3067 EXPECT_EQ(md.flags, 0);
3068 EXPECT_EQ(md.filter_off, 1);
3071 ASSERT_EQ(0, kill(pid, SIGKILL));
3074 static int user_trap_syscall(int nr, unsigned int flags)
3076 struct sock_filter filter[] = {
3077 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
3078 offsetof(struct seccomp_data, nr)),
3079 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),
3080 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_USER_NOTIF),
3081 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
3084 struct sock_fprog prog = {
3085 .len = (unsigned short)ARRAY_SIZE(filter),
3089 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
3092 #define USER_NOTIF_MAGIC INT_MAX
3093 TEST(user_notification_basic)
3097 int status, listener;
3098 struct seccomp_notif req = {};
3099 struct seccomp_notif_resp resp = {};
3100 struct pollfd pollfd;
3102 struct sock_filter filter[] = {
3103 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3105 struct sock_fprog prog = {
3106 .len = (unsigned short)ARRAY_SIZE(filter),
3110 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3112 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3118 /* Check that we get -ENOSYS with no listener attached */
3120 if (user_trap_syscall(__NR_getppid, 0) < 0)
3122 ret = syscall(__NR_getppid);
3123 exit(ret >= 0 || errno != ENOSYS);
3126 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3127 EXPECT_EQ(true, WIFEXITED(status));
3128 EXPECT_EQ(0, WEXITSTATUS(status));
3130 /* Add some no-op filters for grins. */
3131 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3132 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3133 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3134 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3136 /* Check that the basic notification machinery works */
3137 listener = user_trap_syscall(__NR_getppid,
3138 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3139 ASSERT_GE(listener, 0);
3141 /* Installing a second listener in the chain should EBUSY */
3142 EXPECT_EQ(user_trap_syscall(__NR_getppid,
3143 SECCOMP_FILTER_FLAG_NEW_LISTENER),
3145 EXPECT_EQ(errno, EBUSY);
3151 ret = syscall(__NR_getppid);
3152 exit(ret != USER_NOTIF_MAGIC);
3155 pollfd.fd = listener;
3156 pollfd.events = POLLIN | POLLOUT;
3158 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3159 EXPECT_EQ(pollfd.revents, POLLIN);
3161 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3163 pollfd.fd = listener;
3164 pollfd.events = POLLIN | POLLOUT;
3166 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3167 EXPECT_EQ(pollfd.revents, POLLOUT);
3169 EXPECT_EQ(req.data.nr, __NR_getppid);
3173 resp.val = USER_NOTIF_MAGIC;
3175 /* check that we make sure flags == 0 */
3177 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3178 EXPECT_EQ(errno, EINVAL);
3181 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3183 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3184 EXPECT_EQ(true, WIFEXITED(status));
3185 EXPECT_EQ(0, WEXITSTATUS(status));
3188 TEST(user_notification_kill_in_middle)
3193 struct seccomp_notif req = {};
3194 struct seccomp_notif_resp resp = {};
3196 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3198 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3201 listener = user_trap_syscall(__NR_getppid,
3202 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3203 ASSERT_GE(listener, 0);
3206 * Check that nothing bad happens when we kill the task in the middle
3213 ret = syscall(__NR_getppid);
3214 exit(ret != USER_NOTIF_MAGIC);
3217 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3218 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), 0);
3220 EXPECT_EQ(kill(pid, SIGKILL), 0);
3221 EXPECT_EQ(waitpid(pid, NULL, 0), pid);
3223 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), -1);
3226 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
3228 EXPECT_EQ(errno, ENOENT);
3231 static int handled = -1;
3233 static void signal_handler(int signal)
3235 if (write(handled, "c", 1) != 1)
3236 perror("write from signal");
3239 TEST(user_notification_signal)
3243 int status, listener, sk_pair[2];
3244 struct seccomp_notif req = {};
3245 struct seccomp_notif_resp resp = {};
3248 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3250 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3253 ASSERT_EQ(socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair), 0);
3255 listener = user_trap_syscall(__NR_gettid,
3256 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3257 ASSERT_GE(listener, 0);
3264 handled = sk_pair[1];
3265 if (signal(SIGUSR1, signal_handler) == SIG_ERR) {
3270 * ERESTARTSYS behavior is a bit hard to test, because we need
3271 * to rely on a signal that has not yet been handled. Let's at
3272 * least check that the error code gets propagated through, and
3273 * hope that it doesn't break when there is actually a signal :)
3275 ret = syscall(__NR_gettid);
3276 exit(!(ret == -1 && errno == 512));
3281 memset(&req, 0, sizeof(req));
3282 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3284 EXPECT_EQ(kill(pid, SIGUSR1), 0);
3287 * Make sure the signal really is delivered, which means we're not
3288 * stuck in the user notification code any more and the notification
3291 EXPECT_EQ(read(sk_pair[0], &c, 1), 1);
3294 resp.error = -EPERM;
3297 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3298 EXPECT_EQ(errno, ENOENT);
3300 memset(&req, 0, sizeof(req));
3301 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3304 resp.error = -512; /* -ERESTARTSYS */
3307 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3309 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3310 EXPECT_EQ(true, WIFEXITED(status));
3311 EXPECT_EQ(0, WEXITSTATUS(status));
3314 TEST(user_notification_closed_listener)
3318 int status, listener;
3320 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3322 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3325 listener = user_trap_syscall(__NR_getppid,
3326 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3327 ASSERT_GE(listener, 0);
3330 * Check that we get an ENOSYS when the listener is closed.
3336 ret = syscall(__NR_getppid);
3337 exit(ret != -1 && errno != ENOSYS);
3342 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3343 EXPECT_EQ(true, WIFEXITED(status));
3344 EXPECT_EQ(0, WEXITSTATUS(status));
3348 * Check that a pid in a child namespace still shows up as valid in ours.
3350 TEST(user_notification_child_pid_ns)
3353 int status, listener;
3354 struct seccomp_notif req = {};
3355 struct seccomp_notif_resp resp = {};
3357 ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0);
3359 listener = user_trap_syscall(__NR_getppid,
3360 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3361 ASSERT_GE(listener, 0);
3367 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3369 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3370 EXPECT_EQ(req.pid, pid);
3374 resp.val = USER_NOTIF_MAGIC;
3376 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3378 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3379 EXPECT_EQ(true, WIFEXITED(status));
3380 EXPECT_EQ(0, WEXITSTATUS(status));
3385 * Check that a pid in a sibling (i.e. unrelated) namespace shows up as 0, i.e.
3388 TEST(user_notification_sibling_pid_ns)
3391 int status, listener;
3392 struct seccomp_notif req = {};
3393 struct seccomp_notif_resp resp = {};
3395 ASSERT_EQ(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), 0) {
3396 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3399 listener = user_trap_syscall(__NR_getppid,
3400 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3401 ASSERT_GE(listener, 0);
3407 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3413 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3415 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3416 EXPECT_EQ(true, WIFEXITED(status));
3417 EXPECT_EQ(0, WEXITSTATUS(status));
3418 exit(WEXITSTATUS(status));
3421 /* Create the sibling ns, and sibling in it. */
3422 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3423 ASSERT_EQ(errno, 0);
3429 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3431 * The pid should be 0, i.e. the task is in some namespace that
3434 EXPECT_EQ(req.pid, 0);
3438 resp.val = USER_NOTIF_MAGIC;
3440 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3446 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3447 EXPECT_EQ(true, WIFEXITED(status));
3448 EXPECT_EQ(0, WEXITSTATUS(status));
3450 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3451 EXPECT_EQ(true, WIFEXITED(status));
3452 EXPECT_EQ(0, WEXITSTATUS(status));
3455 TEST(user_notification_fault_recv)
3458 int status, listener;
3459 struct seccomp_notif req = {};
3460 struct seccomp_notif_resp resp = {};
3462 ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
3464 listener = user_trap_syscall(__NR_getppid,
3465 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3466 ASSERT_GE(listener, 0);
3472 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3474 /* Do a bad recv() */
3475 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
3476 EXPECT_EQ(errno, EFAULT);
3478 /* We should still be able to receive this notification, though. */
3479 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3480 EXPECT_EQ(req.pid, pid);
3484 resp.val = USER_NOTIF_MAGIC;
3486 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3488 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3489 EXPECT_EQ(true, WIFEXITED(status));
3490 EXPECT_EQ(0, WEXITSTATUS(status));
3493 TEST(seccomp_get_notif_sizes)
3495 struct seccomp_notif_sizes sizes;
3497 ASSERT_EQ(seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes), 0);
3498 EXPECT_EQ(sizes.seccomp_notif, sizeof(struct seccomp_notif));
3499 EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
3502 static int filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
3505 return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
3512 TEST(user_notification_continue)
3516 int status, listener;
3517 struct seccomp_notif req = {};
3518 struct seccomp_notif_resp resp = {};
3519 struct pollfd pollfd;
3521 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3523 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3526 listener = user_trap_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3527 ASSERT_GE(listener, 0);
3533 int dup_fd, pipe_fds[2];
3536 ret = pipe(pipe_fds);
3540 dup_fd = dup(pipe_fds[0]);
3546 ret = filecmp(self, self, pipe_fds[0], dup_fd);
3553 pollfd.fd = listener;
3554 pollfd.events = POLLIN | POLLOUT;
3556 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3557 EXPECT_EQ(pollfd.revents, POLLIN);
3559 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3561 pollfd.fd = listener;
3562 pollfd.events = POLLIN | POLLOUT;
3564 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3565 EXPECT_EQ(pollfd.revents, POLLOUT);
3567 EXPECT_EQ(req.data.nr, __NR_dup);
3570 resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
3573 * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
3577 resp.val = USER_NOTIF_MAGIC;
3578 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3579 EXPECT_EQ(errno, EINVAL);
3581 resp.error = USER_NOTIF_MAGIC;
3583 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3584 EXPECT_EQ(errno, EINVAL);
3588 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
3589 if (errno == EINVAL)
3590 XFAIL(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
3594 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3595 EXPECT_EQ(true, WIFEXITED(status));
3596 EXPECT_EQ(0, WEXITSTATUS(status)) {
3597 if (WEXITSTATUS(status) == 2) {
3598 XFAIL(return, "Kernel does not support kcmp() syscall");
3606 * - add microbenchmarks
3607 * - expand NNP testing
3608 * - better arch-specific TRACE and TRAP handlers.
3609 * - endianness checking when appropriate
3610 * - 64-bit arg prodding
3611 * - arch value testing (x86 modes especially)
3612 * - verify that FILTER_FLAG_LOG filters generate log messages
3613 * - verify that RET_LOG generates log messages
projects / linux-2.6-microblaze.git / blob