2 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
3 * Use of this source code is governed by the GPLv2 license.
5 * Test code for seccomp bpf.
11 * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
12 * we need to use the kernel's siginfo.h file and trick glibc
15 #if !__GLIBC_PREREQ(2, 26)
16 # include <asm/siginfo.h>
17 # define __have_siginfo_t 1
18 # define __have_sigval_t 1
19 # define __have_sigevent_t 1
23 #include <linux/filter.h>
24 #include <sys/prctl.h>
25 #include <sys/ptrace.h>
27 #include <linux/prctl.h>
28 #include <linux/ptrace.h>
29 #include <linux/seccomp.h>
31 #include <semaphore.h>
37 #include <linux/elf.h>
39 #include <sys/utsname.h>
40 #include <sys/fcntl.h>
42 #include <sys/times.h>
46 #include <sys/syscall.h>
48 #include "test_harness.h"
50 #ifndef PR_SET_PTRACER
51 # define PR_SET_PTRACER 0x59616d61
54 #ifndef PR_SET_NO_NEW_PRIVS
55 #define PR_SET_NO_NEW_PRIVS 38
56 #define PR_GET_NO_NEW_PRIVS 39
59 #ifndef PR_SECCOMP_EXT
60 #define PR_SECCOMP_EXT 43
63 #ifndef SECCOMP_EXT_ACT
64 #define SECCOMP_EXT_ACT 1
67 #ifndef SECCOMP_EXT_ACT_TSYNC
68 #define SECCOMP_EXT_ACT_TSYNC 1
71 #ifndef SECCOMP_MODE_STRICT
72 #define SECCOMP_MODE_STRICT 1
75 #ifndef SECCOMP_MODE_FILTER
76 #define SECCOMP_MODE_FILTER 2
79 #ifndef SECCOMP_RET_KILL
80 #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
81 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
82 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
83 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
84 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
86 /* Masks for the return value sections. */
87 #define SECCOMP_RET_ACTION 0x7fff0000U
88 #define SECCOMP_RET_DATA 0x0000ffffU
93 __u64 instruction_pointer;
98 #if __BYTE_ORDER == __LITTLE_ENDIAN
99 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
100 #elif __BYTE_ORDER == __BIG_ENDIAN
101 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32))
103 #error "wut? Unknown __BYTE_ORDER?!"
106 #define SIBLING_EXIT_UNKILLED 0xbadbeef
107 #define SIBLING_EXIT_FAILURE 0xbadface
108 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
110 TEST(mode_strict_support)
114 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
116 TH_LOG("Kernel does not support CONFIG_SECCOMP");
118 syscall(__NR_exit, 1);
121 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
125 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
127 TH_LOG("Kernel does not support CONFIG_SECCOMP");
129 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
132 TH_LOG("Unreachable!");
136 /* Note! This doesn't test no new privs behavior */
137 TEST(no_new_privs_support)
141 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
143 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
147 /* Tests kernel support by checking for a copy_from_user() fault on * NULL. */
148 TEST(mode_filter_support)
152 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
154 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
156 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
158 EXPECT_EQ(EFAULT, errno) {
159 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
163 TEST(mode_filter_without_nnp)
165 struct sock_filter filter[] = {
166 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
168 struct sock_fprog prog = {
169 .len = (unsigned short)ARRAY_SIZE(filter),
174 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
176 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
179 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
180 /* Succeeds with CAP_SYS_ADMIN, fails without */
181 /* TODO(wad) check caps not euid */
184 EXPECT_EQ(EACCES, errno);
190 #define MAX_INSNS_PER_PATH 32768
192 TEST(filter_size_limits)
195 int count = BPF_MAXINSNS + 1;
196 struct sock_filter allow[] = {
197 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
199 struct sock_filter *filter;
200 struct sock_fprog prog = { };
203 filter = calloc(count, sizeof(*filter));
204 ASSERT_NE(NULL, filter);
206 for (i = 0; i < count; i++)
207 filter[i] = allow[0];
209 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
212 prog.filter = filter;
215 /* Too many filter instructions in a single filter. */
216 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
218 TH_LOG("Installing %d insn filter was allowed", prog.len);
221 /* One less is okay, though. */
223 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
225 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
229 TEST(filter_chain_limits)
232 int count = BPF_MAXINSNS;
233 struct sock_filter allow[] = {
234 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
236 struct sock_filter *filter;
237 struct sock_fprog prog = { };
240 filter = calloc(count, sizeof(*filter));
241 ASSERT_NE(NULL, filter);
243 for (i = 0; i < count; i++)
244 filter[i] = allow[0];
246 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
249 prog.filter = filter;
252 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
257 /* Too many total filter instructions. */
258 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
259 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
264 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
265 i, count, i * (count + 4));
269 TEST(mode_filter_cannot_move_to_strict)
271 struct sock_filter filter[] = {
272 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
274 struct sock_fprog prog = {
275 .len = (unsigned short)ARRAY_SIZE(filter),
280 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
283 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
286 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
288 EXPECT_EQ(EINVAL, errno);
292 TEST(mode_filter_get_seccomp)
294 struct sock_filter filter[] = {
295 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
297 struct sock_fprog prog = {
298 .len = (unsigned short)ARRAY_SIZE(filter),
303 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
306 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
309 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
312 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
319 struct sock_filter filter[] = {
320 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
322 struct sock_fprog prog = {
323 .len = (unsigned short)ARRAY_SIZE(filter),
328 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
331 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
337 struct sock_filter filter[] = {
339 struct sock_fprog prog = {
340 .len = (unsigned short)ARRAY_SIZE(filter),
345 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
348 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
350 EXPECT_EQ(EINVAL, errno);
353 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
355 struct sock_filter filter[] = {
356 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
358 struct sock_fprog prog = {
359 .len = (unsigned short)ARRAY_SIZE(filter),
364 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
367 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
369 EXPECT_EQ(0, syscall(__NR_getpid)) {
370 TH_LOG("getpid() shouldn't ever return");
374 /* return code >= 0x80000000 is unused. */
375 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
377 struct sock_filter filter[] = {
378 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
380 struct sock_fprog prog = {
381 .len = (unsigned short)ARRAY_SIZE(filter),
386 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
389 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
391 EXPECT_EQ(0, syscall(__NR_getpid)) {
392 TH_LOG("getpid() shouldn't ever return");
396 TEST_SIGNAL(KILL_all, SIGSYS)
398 struct sock_filter filter[] = {
399 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
401 struct sock_fprog prog = {
402 .len = (unsigned short)ARRAY_SIZE(filter),
407 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
410 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
414 TEST_SIGNAL(KILL_one, SIGSYS)
416 struct sock_filter filter[] = {
417 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
418 offsetof(struct seccomp_data, nr)),
419 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
420 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
421 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
423 struct sock_fprog prog = {
424 .len = (unsigned short)ARRAY_SIZE(filter),
428 pid_t parent = getppid();
430 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
433 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
436 EXPECT_EQ(parent, syscall(__NR_getppid));
437 /* getpid() should never return. */
438 EXPECT_EQ(0, syscall(__NR_getpid));
441 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
444 struct sock_filter filter[] = {
445 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
446 offsetof(struct seccomp_data, nr)),
447 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0),
448 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
449 /* Only both with lower 32-bit for now. */
450 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
451 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K,
452 (unsigned long)&fatal_address, 0, 1),
453 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
454 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
456 struct sock_fprog prog = {
457 .len = (unsigned short)ARRAY_SIZE(filter),
461 pid_t parent = getppid();
463 clock_t clock = times(&timebuf);
465 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
468 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
471 EXPECT_EQ(parent, syscall(__NR_getppid));
472 EXPECT_LE(clock, syscall(__NR_times, &timebuf));
473 /* times() should never return. */
474 EXPECT_EQ(0, syscall(__NR_times, &fatal_address));
477 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
480 int sysno = __NR_mmap;
482 int sysno = __NR_mmap2;
484 struct sock_filter filter[] = {
485 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
486 offsetof(struct seccomp_data, nr)),
487 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0),
488 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
489 /* Only both with lower 32-bit for now. */
490 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
491 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
492 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
493 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
495 struct sock_fprog prog = {
496 .len = (unsigned short)ARRAY_SIZE(filter),
500 pid_t parent = getppid();
503 int page_size = sysconf(_SC_PAGESIZE);
505 ASSERT_LT(0, page_size);
507 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
510 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
513 fd = open("/dev/zero", O_RDONLY);
516 EXPECT_EQ(parent, syscall(__NR_getppid));
517 map1 = (void *)syscall(sysno,
518 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size);
519 EXPECT_NE(MAP_FAILED, map1);
520 /* mmap2() should never return. */
521 map2 = (void *)syscall(sysno,
522 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE);
523 EXPECT_EQ(MAP_FAILED, map2);
525 /* The test failed, so clean up the resources. */
526 munmap(map1, page_size);
527 munmap(map2, page_size);
531 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
532 TEST(arg_out_of_range)
534 struct sock_filter filter[] = {
535 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
536 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
538 struct sock_fprog prog = {
539 .len = (unsigned short)ARRAY_SIZE(filter),
544 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
547 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
549 EXPECT_EQ(EINVAL, errno);
554 struct sock_filter filter[] = {
555 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
556 offsetof(struct seccomp_data, nr)),
557 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
558 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | E2BIG),
559 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
561 struct sock_fprog prog = {
562 .len = (unsigned short)ARRAY_SIZE(filter),
566 pid_t parent = getppid();
568 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
571 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
574 EXPECT_EQ(parent, syscall(__NR_getppid));
575 EXPECT_EQ(-1, read(0, NULL, 0));
576 EXPECT_EQ(E2BIG, errno);
581 struct sock_filter filter[] = {
582 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
583 offsetof(struct seccomp_data, nr)),
584 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
585 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 0),
586 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
588 struct sock_fprog prog = {
589 .len = (unsigned short)ARRAY_SIZE(filter),
593 pid_t parent = getppid();
595 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
598 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
601 EXPECT_EQ(parent, syscall(__NR_getppid));
602 /* "errno" of 0 is ok. */
603 EXPECT_EQ(0, read(0, NULL, 0));
608 struct sock_filter filter[] = {
609 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
610 offsetof(struct seccomp_data, nr)),
611 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
612 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 4096),
613 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
615 struct sock_fprog prog = {
616 .len = (unsigned short)ARRAY_SIZE(filter),
620 pid_t parent = getppid();
622 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
625 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
628 EXPECT_EQ(parent, syscall(__NR_getppid));
629 EXPECT_EQ(-1, read(0, NULL, 0));
630 EXPECT_EQ(4095, errno);
634 struct sock_fprog prog;
639 struct sock_filter filter[] = {
640 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
641 offsetof(struct seccomp_data, nr)),
642 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
643 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
644 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
647 memset(&self->prog, 0, sizeof(self->prog));
648 self->prog.filter = malloc(sizeof(filter));
649 ASSERT_NE(NULL, self->prog.filter);
650 memcpy(self->prog.filter, filter, sizeof(filter));
651 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
654 FIXTURE_TEARDOWN(TRAP)
656 if (self->prog.filter)
657 free(self->prog.filter);
660 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
664 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
667 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
669 syscall(__NR_getpid);
672 /* Ensure that SIGSYS overrides SIG_IGN */
673 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
677 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
680 signal(SIGSYS, SIG_IGN);
682 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
684 syscall(__NR_getpid);
687 static siginfo_t TRAP_info;
688 static volatile int TRAP_nr;
689 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
691 memcpy(&TRAP_info, info, sizeof(TRAP_info));
695 TEST_F(TRAP, handler)
698 struct sigaction act;
701 memset(&act, 0, sizeof(act));
703 sigaddset(&mask, SIGSYS);
705 act.sa_sigaction = &TRAP_action;
706 act.sa_flags = SA_SIGINFO;
707 ret = sigaction(SIGSYS, &act, NULL);
709 TH_LOG("sigaction failed");
711 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
713 TH_LOG("sigprocmask failed");
716 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
718 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
721 memset(&TRAP_info, 0, sizeof(TRAP_info));
722 /* Expect the registers to be rolled back. (nr = error) may vary
724 ret = syscall(__NR_getpid);
725 /* Silence gcc warning about volatile. */
727 EXPECT_EQ(SIGSYS, test);
728 struct local_sigsys {
729 void *_call_addr; /* calling user insn */
730 int _syscall; /* triggering system call number */
731 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
732 } *sigsys = (struct local_sigsys *)
734 &(TRAP_info.si_call_addr);
738 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
739 /* Make sure arch is non-zero. */
740 EXPECT_NE(0, sigsys->_arch);
741 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
744 FIXTURE_DATA(precedence) {
745 struct sock_fprog allow;
746 struct sock_fprog trace;
747 struct sock_fprog error;
748 struct sock_fprog trap;
749 struct sock_fprog kill;
752 FIXTURE_SETUP(precedence)
754 struct sock_filter allow_insns[] = {
755 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
757 struct sock_filter trace_insns[] = {
758 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
759 offsetof(struct seccomp_data, nr)),
760 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
761 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
762 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
764 struct sock_filter error_insns[] = {
765 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
766 offsetof(struct seccomp_data, nr)),
767 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
768 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
769 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
771 struct sock_filter trap_insns[] = {
772 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
773 offsetof(struct seccomp_data, nr)),
774 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
775 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
776 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
778 struct sock_filter kill_insns[] = {
779 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
780 offsetof(struct seccomp_data, nr)),
781 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
782 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
783 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
786 memset(self, 0, sizeof(*self));
787 #define FILTER_ALLOC(_x) \
788 self->_x.filter = malloc(sizeof(_x##_insns)); \
789 ASSERT_NE(NULL, self->_x.filter); \
790 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
791 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
799 FIXTURE_TEARDOWN(precedence)
801 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
809 TEST_F(precedence, allow_ok)
811 pid_t parent, res = 0;
815 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
818 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
820 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
822 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
824 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
826 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
828 /* Should work just fine. */
829 res = syscall(__NR_getppid);
830 EXPECT_EQ(parent, res);
833 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
835 pid_t parent, res = 0;
839 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
842 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
844 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
846 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
848 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
850 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
852 /* Should work just fine. */
853 res = syscall(__NR_getppid);
854 EXPECT_EQ(parent, res);
855 /* getpid() should never return. */
856 res = syscall(__NR_getpid);
860 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
866 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
869 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
871 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
873 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
875 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
877 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
879 /* Should work just fine. */
880 EXPECT_EQ(parent, syscall(__NR_getppid));
881 /* getpid() should never return. */
882 EXPECT_EQ(0, syscall(__NR_getpid));
885 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
891 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
894 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
896 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
898 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
900 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
902 /* Should work just fine. */
903 EXPECT_EQ(parent, syscall(__NR_getppid));
904 /* getpid() should never return. */
905 EXPECT_EQ(0, syscall(__NR_getpid));
908 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
914 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
917 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
919 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
921 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
923 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
925 /* Should work just fine. */
926 EXPECT_EQ(parent, syscall(__NR_getppid));
927 /* getpid() should never return. */
928 EXPECT_EQ(0, syscall(__NR_getpid));
931 TEST_F(precedence, errno_is_third)
937 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
940 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
942 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
944 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
946 /* Should work just fine. */
947 EXPECT_EQ(parent, syscall(__NR_getppid));
948 EXPECT_EQ(0, syscall(__NR_getpid));
951 TEST_F(precedence, errno_is_third_in_any_order)
957 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
960 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
962 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
964 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
966 /* Should work just fine. */
967 EXPECT_EQ(parent, syscall(__NR_getppid));
968 EXPECT_EQ(0, syscall(__NR_getpid));
971 TEST_F(precedence, trace_is_fourth)
977 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
980 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
982 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
984 /* Should work just fine. */
985 EXPECT_EQ(parent, syscall(__NR_getppid));
987 EXPECT_EQ(-1, syscall(__NR_getpid));
990 TEST_F(precedence, trace_is_fourth_in_any_order)
996 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
999 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1001 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1003 /* Should work just fine. */
1004 EXPECT_EQ(parent, syscall(__NR_getppid));
1006 EXPECT_EQ(-1, syscall(__NR_getpid));
1009 #ifndef PTRACE_O_TRACESECCOMP
1010 #define PTRACE_O_TRACESECCOMP 0x00000080
1013 /* Catch the Ubuntu 12.04 value error. */
1014 #if PTRACE_EVENT_SECCOMP != 7
1015 #undef PTRACE_EVENT_SECCOMP
1018 #ifndef PTRACE_EVENT_SECCOMP
1019 #define PTRACE_EVENT_SECCOMP 7
1022 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
1023 bool tracer_running;
1024 void tracer_stop(int sig)
1026 tracer_running = false;
1029 typedef void tracer_func_t(struct __test_metadata *_metadata,
1030 pid_t tracee, int status, void *args);
1032 void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
1033 tracer_func_t tracer_func, void *args, bool ptrace_syscall)
1036 struct sigaction action = {
1037 .sa_handler = tracer_stop,
1040 /* Allow external shutdown. */
1041 tracer_running = true;
1042 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1045 while (ret == -1 && errno != EINVAL)
1046 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1048 kill(tracee, SIGKILL);
1050 /* Wait for attach stop */
1053 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ?
1054 PTRACE_O_TRACESYSGOOD :
1055 PTRACE_O_TRACESECCOMP);
1057 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1058 kill(tracee, SIGKILL);
1060 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1064 /* Unblock the tracee */
1065 ASSERT_EQ(1, write(fd, "A", 1));
1066 ASSERT_EQ(0, close(fd));
1068 /* Run until we're shut down. Must assert to stop execution. */
1069 while (tracer_running) {
1072 if (wait(&status) != tracee)
1074 if (WIFSIGNALED(status) || WIFEXITED(status))
1075 /* Child is dead. Time to go. */
1078 /* Check if this is a seccomp event. */
1079 ASSERT_EQ(!ptrace_syscall, IS_SECCOMP_EVENT(status));
1081 tracer_func(_metadata, tracee, status, args);
1083 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1087 /* Directly report the status of our test harness results. */
1088 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1091 /* Common tracer setup/teardown functions. */
1092 void cont_handler(int num)
1094 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1095 tracer_func_t func, void *args, bool ptrace_syscall)
1100 pid_t tracee = getpid();
1102 /* Setup a pipe for clean synchronization. */
1103 ASSERT_EQ(0, pipe(pipefd));
1105 /* Fork a child which we'll promote to tracer */
1106 tracer_pid = fork();
1107 ASSERT_LE(0, tracer_pid);
1108 signal(SIGALRM, cont_handler);
1109 if (tracer_pid == 0) {
1111 start_tracer(_metadata, pipefd[1], tracee, func, args,
1113 syscall(__NR_exit, 0);
1116 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1117 read(pipefd[0], &sync, 1);
1122 void teardown_trace_fixture(struct __test_metadata *_metadata,
1128 * Extract the exit code from the other process and
1129 * adopt it for ourselves in case its asserts failed.
1131 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1132 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1133 if (WEXITSTATUS(status))
1134 _metadata->passed = 0;
1138 /* "poke" tracer arguments and function. */
1139 struct tracer_args_poke_t {
1140 unsigned long poke_addr;
1143 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1148 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1150 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1152 /* If this fails, don't try to recover. */
1153 ASSERT_EQ(0x1001, msg) {
1154 kill(tracee, SIGKILL);
1157 * Poke in the message.
1158 * Registers are not touched to try to keep this relatively arch
1161 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1165 FIXTURE_DATA(TRACE_poke) {
1166 struct sock_fprog prog;
1169 struct tracer_args_poke_t tracer_args;
1172 FIXTURE_SETUP(TRACE_poke)
1174 struct sock_filter filter[] = {
1175 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1176 offsetof(struct seccomp_data, nr)),
1177 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1178 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1179 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1183 memset(&self->prog, 0, sizeof(self->prog));
1184 self->prog.filter = malloc(sizeof(filter));
1185 ASSERT_NE(NULL, self->prog.filter);
1186 memcpy(self->prog.filter, filter, sizeof(filter));
1187 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1189 /* Set up tracer args. */
1190 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1192 /* Launch tracer. */
1193 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1194 &self->tracer_args, false);
1197 FIXTURE_TEARDOWN(TRACE_poke)
1199 teardown_trace_fixture(_metadata, self->tracer);
1200 if (self->prog.filter)
1201 free(self->prog.filter);
1204 TEST_F(TRACE_poke, read_has_side_effects)
1208 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1211 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1214 EXPECT_EQ(0, self->poked);
1215 ret = read(-1, NULL, 0);
1217 EXPECT_EQ(0x1001, self->poked);
1220 TEST_F(TRACE_poke, getpid_runs_normally)
1224 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1227 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1230 EXPECT_EQ(0, self->poked);
1231 EXPECT_NE(0, syscall(__NR_getpid));
1232 EXPECT_EQ(0, self->poked);
1235 #if defined(__x86_64__)
1236 # define ARCH_REGS struct user_regs_struct
1237 # define SYSCALL_NUM orig_rax
1238 # define SYSCALL_RET rax
1239 #elif defined(__i386__)
1240 # define ARCH_REGS struct user_regs_struct
1241 # define SYSCALL_NUM orig_eax
1242 # define SYSCALL_RET eax
1243 #elif defined(__arm__)
1244 # define ARCH_REGS struct pt_regs
1245 # define SYSCALL_NUM ARM_r7
1246 # define SYSCALL_RET ARM_r0
1247 #elif defined(__aarch64__)
1248 # define ARCH_REGS struct user_pt_regs
1249 # define SYSCALL_NUM regs[8]
1250 # define SYSCALL_RET regs[0]
1251 #elif defined(__hppa__)
1252 # define ARCH_REGS struct user_regs_struct
1253 # define SYSCALL_NUM gr[20]
1254 # define SYSCALL_RET gr[28]
1255 #elif defined(__powerpc__)
1256 # define ARCH_REGS struct pt_regs
1257 # define SYSCALL_NUM gpr[0]
1258 # define SYSCALL_RET gpr[3]
1259 #elif defined(__s390__)
1260 # define ARCH_REGS s390_regs
1261 # define SYSCALL_NUM gprs[2]
1262 # define SYSCALL_RET gprs[2]
1263 #elif defined(__mips__)
1264 # define ARCH_REGS struct pt_regs
1265 # define SYSCALL_NUM regs[2]
1266 # define SYSCALL_SYSCALL_NUM regs[4]
1267 # define SYSCALL_RET regs[2]
1268 # define SYSCALL_NUM_RET_SHARE_REG
1270 # error "Do not know how to find your architecture's registers and syscalls"
1273 /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
1274 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1276 #if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
1277 #define HAVE_GETREGS
1280 /* Architecture-specific syscall fetching routine. */
1281 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1285 EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) {
1286 TH_LOG("PTRACE_GETREGS failed");
1292 iov.iov_base = ®s;
1293 iov.iov_len = sizeof(regs);
1294 EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
1295 TH_LOG("PTRACE_GETREGSET failed");
1300 #if defined(__mips__)
1301 if (regs.SYSCALL_NUM == __NR_O32_Linux)
1302 return regs.SYSCALL_SYSCALL_NUM;
1304 return regs.SYSCALL_NUM;
1307 /* Architecture-specific syscall changing routine. */
1308 void change_syscall(struct __test_metadata *_metadata,
1309 pid_t tracee, int syscall)
1314 ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s);
1317 iov.iov_base = ®s;
1318 iov.iov_len = sizeof(regs);
1319 ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
1321 EXPECT_EQ(0, ret) {}
1323 #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
1324 defined(__s390__) || defined(__hppa__)
1326 regs.SYSCALL_NUM = syscall;
1328 #elif defined(__mips__)
1330 if (regs.SYSCALL_NUM == __NR_O32_Linux)
1331 regs.SYSCALL_SYSCALL_NUM = syscall;
1333 regs.SYSCALL_NUM = syscall;
1336 #elif defined(__arm__)
1337 # ifndef PTRACE_SET_SYSCALL
1338 # define PTRACE_SET_SYSCALL 23
1341 ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall);
1345 #elif defined(__aarch64__)
1346 # ifndef NT_ARM_SYSTEM_CALL
1347 # define NT_ARM_SYSTEM_CALL 0x404
1350 iov.iov_base = &syscall;
1351 iov.iov_len = sizeof(syscall);
1352 ret = ptrace(PTRACE_SETREGSET, tracee, NT_ARM_SYSTEM_CALL,
1359 TH_LOG("How is the syscall changed on this architecture?");
1363 /* If syscall is skipped, change return value. */
1365 #ifdef SYSCALL_NUM_RET_SHARE_REG
1366 TH_LOG("Can't modify syscall return on this architecture");
1368 regs.SYSCALL_RET = 1;
1372 ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s);
1374 iov.iov_base = ®s;
1375 iov.iov_len = sizeof(regs);
1376 ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
1381 void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
1382 int status, void *args)
1387 /* Make sure we got the right message. */
1388 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1391 /* Validate and take action on expected syscalls. */
1394 /* change getpid to getppid. */
1395 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
1396 change_syscall(_metadata, tracee, __NR_getppid);
1400 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
1401 change_syscall(_metadata, tracee, -1);
1404 /* do nothing (allow getppid) */
1405 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
1409 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
1410 kill(tracee, SIGKILL);
1416 void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
1417 int status, void *args)
1423 /* Make sure we got an empty message. */
1424 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1428 /* The only way to tell PTRACE_SYSCALL entry/exit is by counting. */
1433 nr = get_syscall(_metadata, tracee);
1435 if (nr == __NR_getpid)
1436 change_syscall(_metadata, tracee, __NR_getppid);
1439 FIXTURE_DATA(TRACE_syscall) {
1440 struct sock_fprog prog;
1441 pid_t tracer, mytid, mypid, parent;
1444 FIXTURE_SETUP(TRACE_syscall)
1446 struct sock_filter filter[] = {
1447 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1448 offsetof(struct seccomp_data, nr)),
1449 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1450 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
1451 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
1452 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
1453 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1454 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
1455 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1458 memset(&self->prog, 0, sizeof(self->prog));
1459 self->prog.filter = malloc(sizeof(filter));
1460 ASSERT_NE(NULL, self->prog.filter);
1461 memcpy(self->prog.filter, filter, sizeof(filter));
1462 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1464 /* Prepare some testable syscall results. */
1465 self->mytid = syscall(__NR_gettid);
1466 ASSERT_GT(self->mytid, 0);
1467 ASSERT_NE(self->mytid, 1) {
1468 TH_LOG("Running this test as init is not supported. :)");
1471 self->mypid = getpid();
1472 ASSERT_GT(self->mypid, 0);
1473 ASSERT_EQ(self->mytid, self->mypid);
1475 self->parent = getppid();
1476 ASSERT_GT(self->parent, 0);
1477 ASSERT_NE(self->parent, self->mypid);
1479 /* Launch tracer. */
1480 self->tracer = setup_trace_fixture(_metadata, tracer_syscall, NULL,
1484 FIXTURE_TEARDOWN(TRACE_syscall)
1486 teardown_trace_fixture(_metadata, self->tracer);
1487 if (self->prog.filter)
1488 free(self->prog.filter);
1491 TEST_F(TRACE_syscall, syscall_allowed)
1495 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1498 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1501 /* getppid works as expected (no changes). */
1502 EXPECT_EQ(self->parent, syscall(__NR_getppid));
1503 EXPECT_NE(self->mypid, syscall(__NR_getppid));
1506 TEST_F(TRACE_syscall, syscall_redirected)
1510 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1513 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1516 /* getpid has been redirected to getppid as expected. */
1517 EXPECT_EQ(self->parent, syscall(__NR_getpid));
1518 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1521 TEST_F(TRACE_syscall, syscall_dropped)
1525 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1528 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1531 #ifdef SYSCALL_NUM_RET_SHARE_REG
1532 /* gettid has been skipped */
1533 EXPECT_EQ(-1, syscall(__NR_gettid));
1535 /* gettid has been skipped and an altered return value stored. */
1536 EXPECT_EQ(1, syscall(__NR_gettid));
1538 EXPECT_NE(self->mytid, syscall(__NR_gettid));
1541 TEST_F(TRACE_syscall, skip_after_RET_TRACE)
1543 struct sock_filter filter[] = {
1544 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1545 offsetof(struct seccomp_data, nr)),
1546 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1547 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
1548 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1550 struct sock_fprog prog = {
1551 .len = (unsigned short)ARRAY_SIZE(filter),
1556 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1559 /* Install fixture filter. */
1560 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1563 /* Install "errno on getppid" filter. */
1564 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1567 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
1568 EXPECT_EQ(-1, syscall(__NR_getpid));
1569 EXPECT_EQ(EPERM, errno);
1572 TEST_F_SIGNAL(TRACE_syscall, kill_after_RET_TRACE, SIGSYS)
1574 struct sock_filter filter[] = {
1575 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1576 offsetof(struct seccomp_data, nr)),
1577 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1578 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1579 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1581 struct sock_fprog prog = {
1582 .len = (unsigned short)ARRAY_SIZE(filter),
1587 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1590 /* Install fixture filter. */
1591 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1594 /* Install "death on getppid" filter. */
1595 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1598 /* Tracer will redirect getpid to getppid, and we should die. */
1599 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1602 TEST_F(TRACE_syscall, skip_after_ptrace)
1604 struct sock_filter filter[] = {
1605 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1606 offsetof(struct seccomp_data, nr)),
1607 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1608 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
1609 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1611 struct sock_fprog prog = {
1612 .len = (unsigned short)ARRAY_SIZE(filter),
1617 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1618 teardown_trace_fixture(_metadata, self->tracer);
1619 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1622 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1625 /* Install "errno on getppid" filter. */
1626 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1629 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
1630 EXPECT_EQ(-1, syscall(__NR_getpid));
1631 EXPECT_EQ(EPERM, errno);
1634 TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS)
1636 struct sock_filter filter[] = {
1637 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1638 offsetof(struct seccomp_data, nr)),
1639 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
1640 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1641 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1643 struct sock_fprog prog = {
1644 .len = (unsigned short)ARRAY_SIZE(filter),
1649 /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
1650 teardown_trace_fixture(_metadata, self->tracer);
1651 self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
1654 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1657 /* Install "death on getppid" filter. */
1658 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
1661 /* Tracer will redirect getpid to getppid, and we should die. */
1662 EXPECT_NE(self->mypid, syscall(__NR_getpid));
1665 #ifndef __NR_seccomp
1666 # if defined(__i386__)
1667 # define __NR_seccomp 354
1668 # elif defined(__x86_64__)
1669 # define __NR_seccomp 317
1670 # elif defined(__arm__)
1671 # define __NR_seccomp 383
1672 # elif defined(__aarch64__)
1673 # define __NR_seccomp 277
1674 # elif defined(__hppa__)
1675 # define __NR_seccomp 338
1676 # elif defined(__powerpc__)
1677 # define __NR_seccomp 358
1678 # elif defined(__s390__)
1679 # define __NR_seccomp 348
1681 # warning "seccomp syscall number unknown for this architecture"
1682 # define __NR_seccomp 0xffff
1686 #ifndef SECCOMP_SET_MODE_STRICT
1687 #define SECCOMP_SET_MODE_STRICT 0
1690 #ifndef SECCOMP_SET_MODE_FILTER
1691 #define SECCOMP_SET_MODE_FILTER 1
1694 #ifndef SECCOMP_FILTER_FLAG_TSYNC
1695 #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
1698 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
1699 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
1703 int seccomp(unsigned int op, unsigned int flags, void *args)
1706 return syscall(__NR_seccomp, op, flags, args);
1710 TEST(seccomp_syscall)
1712 struct sock_filter filter[] = {
1713 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1715 struct sock_fprog prog = {
1716 .len = (unsigned short)ARRAY_SIZE(filter),
1721 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1723 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1726 /* Reject insane operation. */
1727 ret = seccomp(-1, 0, &prog);
1728 ASSERT_NE(ENOSYS, errno) {
1729 TH_LOG("Kernel does not support seccomp syscall!");
1731 EXPECT_EQ(EINVAL, errno) {
1732 TH_LOG("Did not reject crazy op value!");
1735 /* Reject strict with flags or pointer. */
1736 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
1737 EXPECT_EQ(EINVAL, errno) {
1738 TH_LOG("Did not reject mode strict with flags!");
1740 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
1741 EXPECT_EQ(EINVAL, errno) {
1742 TH_LOG("Did not reject mode strict with uargs!");
1745 /* Reject insane args for filter. */
1746 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
1747 EXPECT_EQ(EINVAL, errno) {
1748 TH_LOG("Did not reject crazy filter flags!");
1750 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
1751 EXPECT_EQ(EFAULT, errno) {
1752 TH_LOG("Did not reject NULL filter!");
1755 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1756 EXPECT_EQ(0, errno) {
1757 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
1762 TEST(seccomp_syscall_mode_lock)
1764 struct sock_filter filter[] = {
1765 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1767 struct sock_fprog prog = {
1768 .len = (unsigned short)ARRAY_SIZE(filter),
1773 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
1775 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1778 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
1779 ASSERT_NE(ENOSYS, errno) {
1780 TH_LOG("Kernel does not support seccomp syscall!");
1783 TH_LOG("Could not install filter!");
1786 /* Make sure neither entry point will switch to strict. */
1787 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
1788 EXPECT_EQ(EINVAL, errno) {
1789 TH_LOG("Switched to mode strict!");
1792 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
1793 EXPECT_EQ(EINVAL, errno) {
1794 TH_LOG("Switched to mode strict!");
1799 * Test detection of known and unknown filter flags. Userspace needs to be able
1800 * to check if a filter flag is supported by the current kernel and a good way
1801 * of doing that is by attempting to enter filter mode, with the flag bit in
1802 * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
1803 * that the flag is valid and EINVAL indicates that the flag is invalid.
1805 TEST(detect_seccomp_filter_flags)
1807 unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
1808 SECCOMP_FILTER_FLAG_SPEC_ALLOW };
1809 unsigned int flag, all_flags;
1813 /* Test detection of known-good filter flags */
1814 for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
1818 /* Make sure the flag is a single bit! */
1827 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
1828 ASSERT_NE(ENOSYS, errno) {
1829 TH_LOG("Kernel does not support seccomp syscall!");
1832 EXPECT_EQ(EFAULT, errno) {
1833 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
1840 /* Test detection of all known-good filter flags */
1841 ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
1843 EXPECT_EQ(EFAULT, errno) {
1844 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
1848 /* Test detection of an unknown filter flag */
1850 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
1852 EXPECT_EQ(EINVAL, errno) {
1853 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
1858 * Test detection of an unknown filter flag that may simply need to be
1859 * added to this test
1861 flag = flags[ARRAY_SIZE(flags) - 1] << 1;
1862 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
1864 EXPECT_EQ(EINVAL, errno) {
1865 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
1872 struct sock_filter filter[] = {
1873 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1875 struct sock_fprog prog = {
1876 .len = (unsigned short)ARRAY_SIZE(filter),
1881 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
1883 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
1886 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
1888 ASSERT_NE(ENOSYS, errno) {
1889 TH_LOG("Kernel does not support seccomp syscall!");
1892 TH_LOG("Could not install initial filter with TSYNC!");
1896 #define TSYNC_SIBLINGS 2
1897 struct tsync_sibling {
1901 pthread_cond_t *cond;
1902 pthread_mutex_t *mutex;
1905 struct sock_fprog *prog;
1906 struct __test_metadata *metadata;
1909 FIXTURE_DATA(TSYNC) {
1910 struct sock_fprog root_prog, apply_prog;
1911 struct tsync_sibling sibling[TSYNC_SIBLINGS];
1913 pthread_cond_t cond;
1914 pthread_mutex_t mutex;
1918 FIXTURE_SETUP(TSYNC)
1920 struct sock_filter root_filter[] = {
1921 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1923 struct sock_filter apply_filter[] = {
1924 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1925 offsetof(struct seccomp_data, nr)),
1926 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1927 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1928 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1931 memset(&self->root_prog, 0, sizeof(self->root_prog));
1932 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
1933 memset(&self->sibling, 0, sizeof(self->sibling));
1934 self->root_prog.filter = malloc(sizeof(root_filter));
1935 ASSERT_NE(NULL, self->root_prog.filter);
1936 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
1937 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
1939 self->apply_prog.filter = malloc(sizeof(apply_filter));
1940 ASSERT_NE(NULL, self->apply_prog.filter);
1941 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
1942 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
1944 self->sibling_count = 0;
1945 pthread_mutex_init(&self->mutex, NULL);
1946 pthread_cond_init(&self->cond, NULL);
1947 sem_init(&self->started, 0, 0);
1948 self->sibling[0].tid = 0;
1949 self->sibling[0].cond = &self->cond;
1950 self->sibling[0].started = &self->started;
1951 self->sibling[0].mutex = &self->mutex;
1952 self->sibling[0].diverge = 0;
1953 self->sibling[0].num_waits = 1;
1954 self->sibling[0].prog = &self->root_prog;
1955 self->sibling[0].metadata = _metadata;
1956 self->sibling[1].tid = 0;
1957 self->sibling[1].cond = &self->cond;
1958 self->sibling[1].started = &self->started;
1959 self->sibling[1].mutex = &self->mutex;
1960 self->sibling[1].diverge = 0;
1961 self->sibling[1].prog = &self->root_prog;
1962 self->sibling[1].num_waits = 1;
1963 self->sibling[1].metadata = _metadata;
1966 FIXTURE_TEARDOWN(TSYNC)
1970 if (self->root_prog.filter)
1971 free(self->root_prog.filter);
1972 if (self->apply_prog.filter)
1973 free(self->apply_prog.filter);
1975 for ( ; sib < self->sibling_count; ++sib) {
1976 struct tsync_sibling *s = &self->sibling[sib];
1981 if (pthread_kill(s->tid, 0)) {
1982 pthread_cancel(s->tid);
1983 pthread_join(s->tid, &status);
1986 pthread_mutex_destroy(&self->mutex);
1987 pthread_cond_destroy(&self->cond);
1988 sem_destroy(&self->started);
1991 void *tsync_sibling(void *data)
1994 struct tsync_sibling *me = data;
1996 me->system_tid = syscall(__NR_gettid);
1998 pthread_mutex_lock(me->mutex);
2000 /* Just re-apply the root prog to fork the tree */
2001 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
2004 sem_post(me->started);
2005 /* Return outside of started so parent notices failures. */
2007 pthread_mutex_unlock(me->mutex);
2008 return (void *)SIBLING_EXIT_FAILURE;
2011 pthread_cond_wait(me->cond, me->mutex);
2012 me->num_waits = me->num_waits - 1;
2013 } while (me->num_waits);
2014 pthread_mutex_unlock(me->mutex);
2016 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
2018 return (void *)SIBLING_EXIT_NEWPRIVS;
2020 return (void *)SIBLING_EXIT_UNKILLED;
2023 void tsync_start_sibling(struct tsync_sibling *sibling)
2025 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
2028 TEST_F(TSYNC, siblings_fail_prctl)
2032 struct sock_filter filter[] = {
2033 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2034 offsetof(struct seccomp_data, nr)),
2035 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
2036 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
2037 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2039 struct sock_fprog prog = {
2040 .len = (unsigned short)ARRAY_SIZE(filter),
2044 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2045 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2048 /* Check prctl failure detection by requesting sib 0 diverge. */
2049 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2050 ASSERT_NE(ENOSYS, errno) {
2051 TH_LOG("Kernel does not support seccomp syscall!");
2054 TH_LOG("setting filter failed");
2057 self->sibling[0].diverge = 1;
2058 tsync_start_sibling(&self->sibling[0]);
2059 tsync_start_sibling(&self->sibling[1]);
2061 while (self->sibling_count < TSYNC_SIBLINGS) {
2062 sem_wait(&self->started);
2063 self->sibling_count++;
2066 /* Signal the threads to clean up*/
2067 pthread_mutex_lock(&self->mutex);
2068 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2069 TH_LOG("cond broadcast non-zero");
2071 pthread_mutex_unlock(&self->mutex);
2073 /* Ensure diverging sibling failed to call prctl. */
2074 pthread_join(self->sibling[0].tid, &status);
2075 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
2076 pthread_join(self->sibling[1].tid, &status);
2077 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2080 TEST_F(TSYNC, two_siblings_with_ancestor)
2085 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2086 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2089 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2090 ASSERT_NE(ENOSYS, errno) {
2091 TH_LOG("Kernel does not support seccomp syscall!");
2094 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2096 tsync_start_sibling(&self->sibling[0]);
2097 tsync_start_sibling(&self->sibling[1]);
2099 while (self->sibling_count < TSYNC_SIBLINGS) {
2100 sem_wait(&self->started);
2101 self->sibling_count++;
2104 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2107 TH_LOG("Could install filter on all threads!");
2109 /* Tell the siblings to test the policy */
2110 pthread_mutex_lock(&self->mutex);
2111 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2112 TH_LOG("cond broadcast non-zero");
2114 pthread_mutex_unlock(&self->mutex);
2115 /* Ensure they are both killed and don't exit cleanly. */
2116 pthread_join(self->sibling[0].tid, &status);
2117 EXPECT_EQ(0x0, (long)status);
2118 pthread_join(self->sibling[1].tid, &status);
2119 EXPECT_EQ(0x0, (long)status);
2122 TEST_F(TSYNC, two_sibling_want_nnp)
2126 /* start siblings before any prctl() operations */
2127 tsync_start_sibling(&self->sibling[0]);
2128 tsync_start_sibling(&self->sibling[1]);
2129 while (self->sibling_count < TSYNC_SIBLINGS) {
2130 sem_wait(&self->started);
2131 self->sibling_count++;
2134 /* Tell the siblings to test no policy */
2135 pthread_mutex_lock(&self->mutex);
2136 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2137 TH_LOG("cond broadcast non-zero");
2139 pthread_mutex_unlock(&self->mutex);
2141 /* Ensure they are both upset about lacking nnp. */
2142 pthread_join(self->sibling[0].tid, &status);
2143 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2144 pthread_join(self->sibling[1].tid, &status);
2145 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2148 TEST_F(TSYNC, two_siblings_with_no_filter)
2153 /* start siblings before any prctl() operations */
2154 tsync_start_sibling(&self->sibling[0]);
2155 tsync_start_sibling(&self->sibling[1]);
2156 while (self->sibling_count < TSYNC_SIBLINGS) {
2157 sem_wait(&self->started);
2158 self->sibling_count++;
2161 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2162 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2165 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2167 ASSERT_NE(ENOSYS, errno) {
2168 TH_LOG("Kernel does not support seccomp syscall!");
2171 TH_LOG("Could install filter on all threads!");
2174 /* Tell the siblings to test the policy */
2175 pthread_mutex_lock(&self->mutex);
2176 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2177 TH_LOG("cond broadcast non-zero");
2179 pthread_mutex_unlock(&self->mutex);
2181 /* Ensure they are both killed and don't exit cleanly. */
2182 pthread_join(self->sibling[0].tid, &status);
2183 EXPECT_EQ(0x0, (long)status);
2184 pthread_join(self->sibling[1].tid, &status);
2185 EXPECT_EQ(0x0, (long)status);
2188 TEST_F(TSYNC, two_siblings_with_one_divergence)
2193 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2194 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2197 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2198 ASSERT_NE(ENOSYS, errno) {
2199 TH_LOG("Kernel does not support seccomp syscall!");
2202 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2204 self->sibling[0].diverge = 1;
2205 tsync_start_sibling(&self->sibling[0]);
2206 tsync_start_sibling(&self->sibling[1]);
2208 while (self->sibling_count < TSYNC_SIBLINGS) {
2209 sem_wait(&self->started);
2210 self->sibling_count++;
2213 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2215 ASSERT_EQ(self->sibling[0].system_tid, ret) {
2216 TH_LOG("Did not fail on diverged sibling.");
2219 /* Wake the threads */
2220 pthread_mutex_lock(&self->mutex);
2221 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2222 TH_LOG("cond broadcast non-zero");
2224 pthread_mutex_unlock(&self->mutex);
2226 /* Ensure they are both unkilled. */
2227 pthread_join(self->sibling[0].tid, &status);
2228 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2229 pthread_join(self->sibling[1].tid, &status);
2230 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2233 TEST_F(TSYNC, two_siblings_not_under_filter)
2238 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2239 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2243 * Sibling 0 will have its own seccomp policy
2244 * and Sibling 1 will not be under seccomp at
2245 * all. Sibling 1 will enter seccomp and 0
2246 * will cause failure.
2248 self->sibling[0].diverge = 1;
2249 tsync_start_sibling(&self->sibling[0]);
2250 tsync_start_sibling(&self->sibling[1]);
2252 while (self->sibling_count < TSYNC_SIBLINGS) {
2253 sem_wait(&self->started);
2254 self->sibling_count++;
2257 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2258 ASSERT_NE(ENOSYS, errno) {
2259 TH_LOG("Kernel does not support seccomp syscall!");
2262 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2265 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2267 ASSERT_EQ(ret, self->sibling[0].system_tid) {
2268 TH_LOG("Did not fail on diverged sibling.");
2271 if (ret == self->sibling[0].system_tid)
2274 pthread_mutex_lock(&self->mutex);
2276 /* Increment the other siblings num_waits so we can clean up
2277 * the one we just saw.
2279 self->sibling[!sib].num_waits += 1;
2281 /* Signal the thread to clean up*/
2282 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2283 TH_LOG("cond broadcast non-zero");
2285 pthread_mutex_unlock(&self->mutex);
2286 pthread_join(self->sibling[sib].tid, &status);
2287 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2288 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2289 while (!kill(self->sibling[sib].system_tid, 0))
2291 /* Switch to the remaining sibling */
2294 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2297 TH_LOG("Expected the remaining sibling to sync");
2300 pthread_mutex_lock(&self->mutex);
2302 /* If remaining sibling didn't have a chance to wake up during
2303 * the first broadcast, manually reduce the num_waits now.
2305 if (self->sibling[sib].num_waits > 1)
2306 self->sibling[sib].num_waits = 1;
2307 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2308 TH_LOG("cond broadcast non-zero");
2310 pthread_mutex_unlock(&self->mutex);
2311 pthread_join(self->sibling[sib].tid, &status);
2312 EXPECT_EQ(0, (long)status);
2313 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2314 while (!kill(self->sibling[sib].system_tid, 0))
2317 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2319 ASSERT_EQ(0, ret); /* just us chickens */
2322 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
2323 TEST(syscall_restart)
2330 siginfo_t info = { };
2331 struct sock_filter filter[] = {
2332 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2333 offsetof(struct seccomp_data, nr)),
2335 #ifdef __NR_sigreturn
2336 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 6, 0),
2338 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 5, 0),
2339 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 4, 0),
2340 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 3, 0),
2341 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 4, 0),
2342 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
2344 /* Allow __NR_write for easy logging. */
2345 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
2346 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2347 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2348 /* The nanosleep jump target. */
2349 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100),
2350 /* The restart_syscall jump target. */
2351 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200),
2353 struct sock_fprog prog = {
2354 .len = (unsigned short)ARRAY_SIZE(filter),
2357 #if defined(__arm__)
2358 struct utsname utsbuf;
2361 ASSERT_EQ(0, pipe(pipefd));
2364 ASSERT_LE(0, child_pid);
2365 if (child_pid == 0) {
2366 /* Child uses EXPECT not ASSERT to deliver status correctly. */
2368 struct timespec timeout = { };
2370 /* Attach parent as tracer and stop. */
2371 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
2372 EXPECT_EQ(0, raise(SIGSTOP));
2374 EXPECT_EQ(0, close(pipefd[1]));
2376 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2377 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2380 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2382 TH_LOG("Failed to install filter!");
2385 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2386 TH_LOG("Failed to read() sync from parent");
2388 EXPECT_EQ('.', buf) {
2389 TH_LOG("Failed to get sync data from read()");
2392 /* Start nanosleep to be interrupted. */
2395 EXPECT_EQ(0, nanosleep(&timeout, NULL)) {
2396 TH_LOG("Call to nanosleep() failed (errno %d)", errno);
2399 /* Read final sync from parent. */
2400 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
2401 TH_LOG("Failed final read() from parent");
2403 EXPECT_EQ('!', buf) {
2404 TH_LOG("Failed to get final data from read()");
2407 /* Directly report the status of our test harness results. */
2408 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
2411 EXPECT_EQ(0, close(pipefd[0]));
2413 /* Attach to child, setup options, and release. */
2414 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2415 ASSERT_EQ(true, WIFSTOPPED(status));
2416 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
2417 PTRACE_O_TRACESECCOMP));
2418 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2419 ASSERT_EQ(1, write(pipefd[1], ".", 1));
2421 /* Wait for nanosleep() to start. */
2422 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2423 ASSERT_EQ(true, WIFSTOPPED(status));
2424 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2425 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2426 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2427 ASSERT_EQ(0x100, msg);
2428 EXPECT_EQ(__NR_nanosleep, get_syscall(_metadata, child_pid));
2430 /* Might as well check siginfo for sanity while we're here. */
2431 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2432 ASSERT_EQ(SIGTRAP, info.si_signo);
2433 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
2434 EXPECT_EQ(0, info.si_errno);
2435 EXPECT_EQ(getuid(), info.si_uid);
2436 /* Verify signal delivery came from child (seccomp-triggered). */
2437 EXPECT_EQ(child_pid, info.si_pid);
2439 /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */
2440 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
2441 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2442 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2443 ASSERT_EQ(true, WIFSTOPPED(status));
2444 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
2445 /* Verify signal delivery came from parent now. */
2446 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
2447 EXPECT_EQ(getpid(), info.si_pid);
2449 /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */
2450 ASSERT_EQ(0, kill(child_pid, SIGCONT));
2451 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2452 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2453 ASSERT_EQ(true, WIFSTOPPED(status));
2454 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
2455 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2457 /* Wait for restart_syscall() to start. */
2458 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2459 ASSERT_EQ(true, WIFSTOPPED(status));
2460 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
2461 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
2462 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
2464 ASSERT_EQ(0x200, msg);
2465 ret = get_syscall(_metadata, child_pid);
2466 #if defined(__arm__)
2469 * - native ARM registers do NOT expose true syscall.
2470 * - compat ARM registers on ARM64 DO expose true syscall.
2472 ASSERT_EQ(0, uname(&utsbuf));
2473 if (strncmp(utsbuf.machine, "arm", 3) == 0) {
2474 EXPECT_EQ(__NR_nanosleep, ret);
2478 EXPECT_EQ(__NR_restart_syscall, ret);
2481 /* Write again to end test. */
2482 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
2483 ASSERT_EQ(1, write(pipefd[1], "!", 1));
2484 EXPECT_EQ(0, close(pipefd[1]));
2486 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
2487 if (WIFSIGNALED(status) || WEXITSTATUS(status))
2488 _metadata->passed = 0;
2493 * - add microbenchmarks
2494 * - expand NNP testing
2495 * - better arch-specific TRACE and TRAP handlers.
2496 * - endianness checking when appropriate
2497 * - 64-bit arg prodding
2498 * - arch value testing (x86 modes especially)
projects / librecmc / linux-libre.git / blob