From 228518fc1316e8a8f26befd8c1f7091169136977 Mon Sep 17 00:00:00 2001
From: GengYinzong
Date: Thu, 13 Mar 2025 00:12:51 -0700
Subject: [PATCH] fix

Signed-off-by: GengYinzong
---
 .../seccomp/include/seccomp_policy.h | 1 +
 services/modules/seccomp/BUILD.gn | 15 +
 .../seccomp_policy/app_atomic.seccomp.policy | 331 ++++++++++++++++++
 test/unittest/seccomp/seccomp_unittest.cpp | 168 +++++++++
 4 files changed, 515 insertions(+)
 create mode 100644 services/modules/seccomp/seccomp_policy/app_atomic.seccomp.policy

diff --git a/interfaces/innerkits/seccomp/include/seccomp_policy.h b/interfaces/innerkits/seccomp/include/seccomp_policy.h
index 4ee1aaeeb..4706723cb 100644
--- a/interfaces/innerkits/seccomp/include/seccomp_policy.h
+++ b/interfaces/innerkits/seccomp/include/seccomp_policy.h
@@ -30,6 +30,7 @@ extern "C" {
 #define NWEBSPAWN_NAME "nwebspawn"
 #define APP_NAME "app"
 #define IMF_EXTENTOIN_NAME "imf_secure_mode"
+#define APP_ATOMIC "app_atomic"
 
 typedef enum {
     SYSTEM_SA, // system service process
diff --git a/services/modules/seccomp/BUILD.gn b/services/modules/seccomp/BUILD.gn
index 2cb7befd9..ea8bca1ea 100755
--- a/services/modules/seccomp/BUILD.gn
+++ b/services/modules/seccomp/BUILD.gn
@@ -89,6 +89,20 @@ ohos_prebuilt_seccomp("app_filter") {
   install_images = [ "system" ]
 }
 
+ohos_prebuilt_seccomp("app_atomic_filter") {
+  sources = [ "seccomp_policy/app_atomic.seccomp.policy" ]
+
+  filtername = "app_atomic"
+  process_type = "app"
+  uid_is_root = true
+
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  install_enable = true
+  install_images = [ "system" ]
+}
+
 ohos_prebuilt_seccomp("updater_filter") {
   sources = [ "seccomp_policy/updater.seccomp.policy" ]
 
@@ -140,6 +154,7 @@ ohos_source_set("libseccomp_static") {
 group("seccomp_filter") {
   deps = [
+    ":app_atomic_filter",
     ":app_filter",
     ":system_filter",
     ":updater_filter",
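Review bot: The new macro `APP_ATOMIC` breaks the naming pattern of the neighbouring filter-name macros (`NWEBSPAWN_NAME`, `APP_NAME`, `IMF_EXTENTOIN_NAME`), all of which carry a `_NAME` suffix marking them as filter name strings rather than enum-like identifiers; `#define APP_ATOMIC_NAME "app_atomic"` would keep the header consistent. This is a public header under interfaces/innerkits, so the name should be settled in this patch, since the unit test it adds already depends on `APP_ATOMIC`.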
diff --git a/services/modules/seccomp/seccomp_policy/app_atomic.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_atomic.seccomp.policy
new file mode 100644
index 000000000..ec81c9a77
--- /dev/null
+++ b/services/modules/seccomp/seccomp_policy/app_atomic.seccomp.policy
@@ -0,0 +1,331 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# For now, it supports architechture of ['arm', 'arm64', 'riscv64'].
+
+@returnValue
+TRAP
+
+@headFiles
+
+
+
+@priority
+futex;all
+
+@allowList
+io_setup;all
+io_destroy;all
+io_submit;all
+io_cancel;all
+io_getevents;all
+setxattr;all
+lsetxattr;all
+fsetxattr;all
+getxattr;all
+lgetxattr;all
+fgetxattr;all
+listxattr;all
+llistxattr;all
+flistxattr;all
+removexattr;all
+lremovexattr;all
+fremovexattr;all
+getcwd;all
+eventfd2;all
+epoll_create1;all
+epoll_ctl;all
+epoll_pwait;all
+dup;all
+dup3;all
+fcntl;all
+inotify_init1;all
+inotify_add_watch;all
+inotify_rm_watch;all
+ioprio_set;arm64
+ioprio_set;riscv64
+ioprio_get;arm64
+ioprio_get;riscv64
+flock;all
+mknodat;all
+mkdirat;all
+unlinkat;all
+symlinkat;all
+linkat;all
+renameat;arm
+renameat;arm64
+pivot_root;riscv64
+statfs;arm64
+statfs;riscv64
+fstatfs;arm64
+fstatfs;riscv64
+truncate;all
+ftruncate;arm64
+ftruncate;riscv64
+fallocate;all
+faccessat;all
+chdir;all
+fchdir;all
+fchmod;all
+fchmodat;all
+fchownat;all
+fchown;arm64
+fchown;riscv64
+openat;all
+close;all
+pipe2;all
+quotactl;all
+getdents64;all
+lseek;all
+read;all
+write;all
+readv;all
+writev;all
+pread64;all
+pwrite64;all
+preadv;all
+pwritev;all
+sendfile;all
+pselect6;all
+ppoll;all
+signalfd4;all
+vmsplice;all
+splice;all
+tee;all
+readlinkat;all
+newfstatat;arm64
+newfstatat;riscv64
+fstat;arm64
+fstat;riscv64
+sync;all
+fsync;all
+fdatasync;all
+sync_file_range;arm64
+sync_file_range;riscv64
+timerfd_create;all
+timerfd_settime;all
+timerfd_gettime;all
+utimensat;all
+capget;all
+capset;all
+personality;all
+exit;all
+exit_group;all
+waitid;all
+set_tid_address;all
+futex;all
+nanosleep;all
+getitimer;all
+setitimer;all
+timer_create;all
+timer_gettime;all
+timer_getoverrun;all
+timer_settime;all
+timer_delete;all
+clock_gettime;all
+clock_getres;all
+clock_nanosleep;all
+ptrace;all
+sched_setparam;all
+sched_setscheduler;all
+sched_getscheduler;all
+sched_getparam;all
+sched_setaffinity;all
+sched_getaffinity;all
+sched_yield;all
+sched_get_priority_max;all
+sched_get_priority_min;all
+sched_rr_get_interval;all
+restart_syscall;all
+kill;all
+tkill;all
+tgkill;all
+sigaltstack;all
+rt_sigsuspend;all
+rt_sigaction;all
+rt_sigprocmask;all
+rt_sigpending;all
+rt_sigtimedwait;all
+rt_sigqueueinfo;all
+rt_sigreturn;all
+setpriority;all
+getpriority;all
+setresuid;arm64
+setresuid;riscv64
+getresuid;arm64
+getresuid;riscv64
+getresgid;arm64
+getresgid;riscv64
+times;all
+setpgid;all
+getpgid;all
+getsid;all
+setsid;all
+getgroups;arm64
+getgroups;riscv64
+uname;all
+getrlimit;arm64
+getrlimit;riscv64
+setrlimit;all
+getrusage;all
+umask;all
+prctl;all
+getcpu;all
+gettimeofday;all
+getpid;all
+getppid;all
+getuid;all
+geteuid;arm64
+geteuid;riscv64
+getgid;arm64
+getgid;riscv64
+getegid;arm64
+getegid;riscv64
+gettid;all
+sysinfo;all
+socket;all
+socketpair;all
+bind;all
+listen;all
+accept;all
+connect;all
+getsockname;all
+getpeername;all
+sendto;all
+recvfrom;all
+setsockopt;all
+getsockopt;all
+shutdown;all
+sendmsg;all
+recvmsg;all
+readahead;all
+brk;all
+munmap;all
+mremap;all
+execve;all
+mmap;arm64
+mmap;riscv64
+fadvise64;arm64
+fadvise64;riscv64
+mprotect;all
+msync;all
+mlock;all
+munlock;all
+mlockall;all
+munlockall;all
+mincore;all
+madvise;all
+rt_tgsigqueueinfo;all
+perf_event_open;all
+accept4;all
+recvmmsg;all
+wait4;all
+prlimit64;all
+syncfs;all
+sendmmsg;all
+process_vm_readv;all
+process_vm_writev;all
+sched_setattr;all
+sched_getattr;all
+renameat2;all
+seccomp;all
+getrandom;all
+memfd_create;all
+execveat;all
+userfaultfd;all
+membarrier;all
+mlock2;all
+copy_file_range;all
+preadv2;all
+pwritev2;all
+statx;all
+pidfd_send_signal;all
+pidfd_open;all
+pidfd_getfd;all
+faccessat2;all
+process_madvise;all
+set_robust_list;all
+fork;arm
+open;arm
+creat;arm
+link;arm
+unlink;arm
+chmod;arm
+access;arm
+rename;arm
+mkdir;arm
+rmdir;arm
+pipe;arm
+dup2;arm
+sigaction;arm
+symlink;arm
+readlink;arm
+sigreturn;arm
+_llseek;arm
+getdents;arm
+_newselect;arm
+poll;arm
+vfork;arm
+ugetrlimit;arm
+mmap2;arm
+truncate64;arm
+ftruncate64;arm
+stat64;arm
+lstat64;arm
+fstat64;arm
+lchown32;arm
+getuid32;arm
+getgid32;arm
+geteuid32;arm
+getegid32;arm
+getgroups32;arm
+fchown32;arm
+setresuid32;arm
+getresuid32;arm
+getresgid32;arm
+chown32;arm
+fcntl64;arm
+sendfile64;arm
+epoll_create;arm
+epoll_wait;arm
+remap_file_pages;arm
+statfs64;arm
+fstatfs64;arm
+fadvise64_64;arm
+inotify_init;arm
+fstatat64;arm
+sync_file_range2;arm
+eventfd;arm
+clock_gettime64;arm
+clock_settime64;arm
+clock_adjtime64;arm
+clock_getres_time64;arm
+clock_nanosleep_time64;arm
+timer_gettime64;arm
+timer_settime64;arm
+timerfd_gettime64;arm
+timerfd_settime64;arm
+utimensat_time64;arm
+pselect6_time64;arm
+ppoll_time64;arm
+recvmmsg_time64;arm
+semtimedop_time64;arm
+rt_sigtimedwait_time64;arm
+futex_time64;arm
+sched_rr_get_interval_time64;arm
+cacheflush;arm
+set_tls;arm
+
+@allowListWithArgs
+clone: if (arg0 & (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER)) == 0 ; return ALLOW; else return TRAP;all
+ioctl: if arg1 >= 0x5000 && arg1 <= 0x5005; return TRAP; elif arg1 >= 0x5007 && arg1 <= 0x500d; return TRAP; elif arg1 >= 0x5100 && arg1 <= 0x5103; return TRAP; elif arg1 >= 0x5105 && arg1 <= 0x5106; return TRAP; elif arg1 == 0x510a; return TRAP; elif arg1 >= 0x5300 && arg1 <= 0x530f; return TRAP; elif arg1 >= 0x5400 && arg1 <= 0x5409; return TRAP; elif arg1 >= 0x5482 && arg1 <= 0x5490; return TRAP; else return ALLOW;all
diff --git a/test/unittest/seccomp/seccomp_unittest.cpp b/test/unittest/seccomp/seccomp_unittest.cpp
index b2cdbfe4c..1c0ca9929 100644
--- a/test/unittest/seccomp/seccomp_unittest.cpp
+++ b/test/unittest/seccomp/seccomp_unittest.cpp
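Review bot: The `@allowList` admits several process-introspection and control syscalls unconditionally — `ptrace;all`, `perf_event_open;all`, `process_vm_readv;all`, `process_vm_writev;all`, `pidfd_getfd;all`, `userfaultfd;all`, `seccomp;all`, `capset;all` — and nothing in the file says why an app-scoped filter needs them; each such entry should either carry a comment stating the consumer that requires it or, where only a subset of uses is needed, move under `@allowListWithArgs` with an argument restriction the way `clone` already is. The `ioctl` rule is a denylist of bare numeric ranges (`0x5000`–`0x5005`, `0x5400`–`0x5409`, …) with no comment naming the request families they stand for, so a reader cannot tell whether a range is complete or how a request outside the listed ranges is meant to be classified; a one-line comment per range such as `# 0x5400-0x5409: <request family> — TODO confirm against the target kernel headers` would make the list reviewable and keep later edits from silently widening it. The header comment should also state that `@returnValue TRAP` makes every filtered call terminate with SIGSYS rather than fail with an errno, since that is presumably intended for this filter but is the kind of choice the next maintainer will otherwise guess at.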
@@ -241,6 +241,162 @@ public:
         return CheckCloneNs(CLONE_NEWUSER);
     }
 
+    static bool CheckIoctlFlag1()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x4000);
+        return true;
+    }
+
+    static bool CheckIoctlFlag2()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5003);
+        return true;
+    }
+
+    static bool CheckIoctlFlag3()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5006);
+        return true;
+    }
+
+    static bool CheckIoctlFlag4()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5007);
+        return true;
+    }
+
+    static bool CheckIoctlFlag5()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5090);
+        return true;
+    }
+
+    static bool CheckIoctlFlag6()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5100);
+        return true;
+    }
+
+    static bool CheckIoctlFlag7()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5104);
+        return true;
+    }
+
+    static bool CheckIoctlFlag8()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5105);
+        return true;
+    }
+
+    static bool CheckIoctlFlag9()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5107);
+        return true;
+    }
+
+    static bool CheckIoctlFlag10()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x510a);
+        return true;
+    }
+
+    static bool CheckIoctlFlag11()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5110);
+        return true;
+    }
+
+    static bool CheckIoctlFlag12()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5300);
+        return true;
+    }
+
+    static bool CheckIoctlFlag13()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5310);
+        return true;
+    }
+
+    static bool CheckIoctlFlag14()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5400);
+        return true;
+    }
+
+    static bool CheckIoctlFlag15()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5480);
+        return true;
+    }
+
+    static bool CheckIoctlFlag16()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5482);
+        return true;
+    }
+
+    static bool CheckIoctlFlag17()
+    {
+        (void)syscall(__NR_ioctl, 0, 0x5500);
+        return true;
+    }
+
+    void TestAppAtomicSyscallForIoctl()
+    {
+        int ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag1, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag2, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag3, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag4, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag5, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag6, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag7, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag8, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag9, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag10, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag11, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag12, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag13, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag14, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag15, true);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag16, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_ATOMIC, CheckIoctlFlag17, true);
+        EXPECT_EQ(ret, 0);
+    }
+
 #if defined __aarch64__
     static bool CheckMqOpen()
     {
@@ -1126,6 +1282,18 @@ HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall001, TestSize.Level1)
     test.TestAppSycall();
 }
 
+/**
+ * @tc.name: TestAppAtomicSycall
+ * @tc.desc: Verify the atomic app seccomp policy.
+ * @tc.type: FUNC
+ * @tc.require: issueI5MUXD
+ */
+HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall002, TestSize.Level1)
+{
+    SeccompUnitTest test;
+    test.TestAppAtomicSyscallForIoctl();
+}
+
 /**
  * @tc.name: TestSystemSyscallForUidFilter
  * @tc.desc: Verify the system seccomp policy.
-- 
Gitee
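Review bot: The seventeen `CheckIoctlFlagN` helpers differ only in the request number they pass, and those literals sit far away from the expected results listed in `TestAppAtomicSyscallForIoctl`, so a reader has to cross-reference two lists against the policy's eight ranges to see what each case proves. If `CheckSyscall` takes a plain function pointer (its declaration is outside the hunk), a function template instantiated per request value keeps that interface while putting the request and the expectation on the same line. Coverage is also one-sided: every range's lower bound is probed (`0x5003`, `0x5007`, `0x5100`, `0x5105`, `0x5300`, `0x5400`, `0x5482`) but none of the upper bounds (`0x5005`, `0x500d`, `0x5103`, `0x5106`, `0x530f`, `0x5409`, `0x5490`) is, so an off-by-one at the top of any range in the policy's `ioctl` rule would pass this test. The enclosing test class starts before the hunk.
```cpp
    // One probe per ioctl request number; CheckSyscall is presumed to accept bool (*)().
    template <unsigned long Req>
    static bool CheckIoctlReq()
    {
        (void)syscall(__NR_ioctl, 0, Req);
        return true;
    }

    void TestAppAtomicSyscallForIoctl()
    {
        // request number -> whether the app_atomic ioctl rule must let it through
        EXPECT_EQ(CheckSyscall(APP, APP_ATOMIC, CheckIoctlReq<0x4000>, true), 0);
        EXPECT_EQ(CheckSyscall(APP, APP_ATOMIC, CheckIoctlReq<0x5003>, false), 0);
        EXPECT_EQ(CheckSyscall(APP, APP_ATOMIC, CheckIoctlReq<0x5005>, false), 0); // upper bound of 0x5000-0x5005
        EXPECT_EQ(CheckSyscall(APP, APP_ATOMIC, CheckIoctlReq<0x5006>, true), 0);
        // … remaining request numbers from the original list, each followed by its range's upper bound …
    }
```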
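Review bot: The doc block on `Init_Seccomp_AppSycall002` overstates what the test does: `@tc.desc: Verify the atomic app seccomp policy.` while the body only calls `TestAppAtomicSyscallForIoctl`, which exercises the `ioctl` argument rule and none of the new policy's allowlist entries, and `@tc.name: TestAppAtomicSycall` matches neither the method nor the test id. Suggest `@tc.name: TestAppAtomicSyscallForIoctl` and `@tc.desc: Verify the ioctl argument filter of the app_atomic seccomp policy.`, or extend the test with one allowed and one filtered plain syscall so the description becomes true.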