From ac4198157ea8ef5b859a63d7ffa77f9d1fd06234 Mon Sep 17 00:00:00 2001 From: GengYinzong Date: Wed, 16 Jul 2025 20:45:35 -0700 Subject: [PATCH] fix Signed-off-by: GengYinzong --- .../seccomp/include/seccomp_policy.h | 1 + services/modules/seccomp/BUILD.gn | 15 + .../app_allow_iouring.seccomp.policy | 335 ++++++++++++++++++ test/unittest/seccomp/seccomp_unittest.cpp | 51 +++ 4 files changed, 402 insertions(+) create mode 100644 services/modules/seccomp/seccomp_policy/app_allow_iouring.seccomp.policy diff --git a/interfaces/innerkits/seccomp/include/seccomp_policy.h b/interfaces/innerkits/seccomp/include/seccomp_policy.h index cb968cbff..11e162ead 100644 --- a/interfaces/innerkits/seccomp/include/seccomp_policy.h +++ b/interfaces/innerkits/seccomp/include/seccomp_policy.h @@ -33,6 +33,7 @@ extern "C" { #define APP_PRIVILEGE "app_privilege" #define APP_ATOMIC "app_atomic" #define APP_CUSTOM "app_custom" +#define APP_ALLOW_IOURING "app_allow_iouring" typedef enum { SYSTEM_SA, // system service process diff --git a/services/modules/seccomp/BUILD.gn b/services/modules/seccomp/BUILD.gn index d46bb92d6..8b61aacb5 100755 --- a/services/modules/seccomp/BUILD.gn +++ b/services/modules/seccomp/BUILD.gn @@ -104,6 +104,20 @@ ohos_prebuilt_seccomp("app_atomic_filter") { install_images = [ "system" ] } +ohos_prebuilt_seccomp("app_allow_iouring_filter") { + sources = [ "seccomp_policy/app_allow_iouring.seccomp.policy" ] + + filtername = "app_allow_iouring" + process_type = "app" + uid_is_root = true + + part_name = INIT_PART + subsystem_name = "startup" + + install_enable = true + install_images = [ "system" ] +} + ohos_prebuilt_seccomp("app_privilege_filter") { sources = [ "seccomp_policy/app_privilege.seccomp.policy" ] @@ -183,6 +197,7 @@ ohos_source_set("libseccomp_static") { group("seccomp_filter") { deps = [ + ":app_allow_iouring_filter", ":app_atomic_filter", ":app_filter", ":system_filter", 
diff --git a/services/modules/seccomp/seccomp_policy/app_allow_iouring.seccomp.policy b/services/modules/seccomp/seccomp_policy/app_allow_iouring.seccomp.policy
new file mode 100644
index 000000000..bc09e7077
--- /dev/null
+++ b/services/modules/seccomp/seccomp_policy/app_allow_iouring.seccomp.policy
@@ -0,0 +1,335 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# For now, it supports architechture of ['arm', 'arm64', 'riscv64'].
+
+@returnValue
+TRAP
+
+@headFiles
+
+
+
+@priority
+ioctl;all
+futex;all
+
+@allowList
+io_uring_setup;all
+io_uring_enter;all
+io_uring_register;all
+io_setup;all
+io_destroy;all
+io_submit;all
+io_cancel;all
+io_getevents;all
+setxattr;all
+lsetxattr;all
+fsetxattr;all
+getxattr;all
+lgetxattr;all
+fgetxattr;all
+listxattr;all
+llistxattr;all
+flistxattr;all
+removexattr;all
+lremovexattr;all
+fremovexattr;all
+getcwd;all
+eventfd2;all
+epoll_create1;all
+epoll_ctl;all
+epoll_pwait;all
+dup;all
+dup3;all
+fcntl;all
+inotify_init1;all
+inotify_add_watch;all
+inotify_rm_watch;all
+ioctl;all
+ioprio_set;arm64
+ioprio_set;riscv64
+ioprio_get;arm64
+ioprio_get;riscv64
+flock;all
+mknodat;all
+mkdirat;all
+unlinkat;all
+symlinkat;all
+linkat;all
+renameat;arm
+renameat;arm64
+pivot_root;riscv64
+statfs;arm64
+statfs;riscv64
+fstatfs;arm64
+fstatfs;riscv64
+truncate;all
+ftruncate;arm64
+ftruncate;riscv64
+fallocate;all
+faccessat;all
+chdir;all
+fchdir;all
+fchmod;all
+fchmodat;all
+fchownat;all
+fchown;arm64
+fchown;riscv64
+openat;all
+close;all
+pipe2;all
+quotactl;all
+getdents64;all
+lseek;all
+read;all
+write;all
+readv;all
+writev;all
+pread64;all
+pwrite64;all
+preadv;all
+pwritev;all
+sendfile;all
+pselect6;all
+ppoll;all
+signalfd4;all
+vmsplice;all
+splice;all
+tee;all
+readlinkat;all
+newfstatat;arm64
+newfstatat;riscv64
+fstat;arm64
+fstat;riscv64
+sync;all
+fsync;all
+fdatasync;all
+sync_file_range;arm64
+sync_file_range;riscv64
+timerfd_create;all
+timerfd_settime;all
+timerfd_gettime;all
+utimensat;all
+capget;all
+capset;all
+personality;all
+exit;all
+exit_group;all
+waitid;all
+set_tid_address;all
+futex;all
+nanosleep;all
+getitimer;all
+setitimer;all
+timer_create;all
+timer_gettime;all
+timer_getoverrun;all
+timer_settime;all
+timer_delete;all
+clock_gettime;all
+clock_getres;all
+clock_nanosleep;all
+ptrace;all
+sched_setparam;all
+sched_setscheduler;all
+sched_getscheduler;all
+sched_getparam;all
+sched_setaffinity;all
+sched_getaffinity;all
+sched_yield;all
+sched_get_priority_max;all
+sched_get_priority_min;all
+sched_rr_get_interval;all
+restart_syscall;all
+kill;all
+tkill;all
+tgkill;all
+sigaltstack;all
+rt_sigsuspend;all
+rt_sigaction;all
+rt_sigprocmask;all
+rt_sigpending;all
+rt_sigtimedwait;all
+rt_sigqueueinfo;all
+rt_sigreturn;all
+setpriority;all
+getpriority;all
+setresuid;arm64
+setresuid;riscv64
+getresuid;arm64
+getresuid;riscv64
+getresgid;arm64
+getresgid;riscv64
+times;all
+setpgid;all
+getpgid;all
+getsid;all
+setsid;all
+getgroups;arm64
+getgroups;riscv64
+uname;all
+getrlimit;arm64
+getrlimit;riscv64
+setrlimit;all
+getrusage;all
+umask;all
+prctl;all
+getcpu;all
+gettimeofday;all
+getpid;all
+getppid;all
+getuid;all
+geteuid;arm64
+geteuid;riscv64
+getgid;arm64
+getgid;riscv64
+getegid;arm64
+getegid;riscv64
+gettid;all
+sysinfo;all
+socket;all
+socketpair;all
+bind;all
+listen;all
+accept;all
+connect;all
+getsockname;all
+getpeername;all
+sendto;all
+recvfrom;all
+setsockopt;all
+getsockopt;all
+shutdown;all
+sendmsg;all
+recvmsg;all
+readahead;all
+brk;all
+munmap;all
+mremap;all
+execve;all
+mmap;arm64
+mmap;riscv64
+fadvise64;arm64
+fadvise64;riscv64
+mprotect;all
+msync;all
+mlock;all
+munlock;all
+mlockall;all
+munlockall;all
+mincore;all
+madvise;all
+rt_tgsigqueueinfo;all
+perf_event_open;all
+accept4;all
+recvmmsg;all
+wait4;all
+prlimit64;all
+syncfs;all
+sendmmsg;all
+process_vm_readv;all
+process_vm_writev;all
+sched_setattr;all
+sched_getattr;all
+renameat2;all
+seccomp;all
+getrandom;all
+memfd_create;all
+execveat;all
+userfaultfd;all
+membarrier;all
+mlock2;all
+copy_file_range;all
+preadv2;all
+pwritev2;all
+statx;all
+pidfd_send_signal;all
+pidfd_open;all
+pidfd_getfd;all
+faccessat2;all
+process_madvise;all
+set_robust_list;all
+fork;arm
+open;arm
+creat;arm
+link;arm
+unlink;arm
+chmod;arm
+access;arm
+rename;arm
+mkdir;arm
+rmdir;arm
+pipe;arm
+dup2;arm
+sigaction;arm
+symlink;arm
+readlink;arm
+sigreturn;arm
+_llseek;arm
+getdents;arm
+_newselect;arm
+poll;arm
+vfork;arm
+ugetrlimit;arm
+mmap2;arm
+truncate64;arm
+ftruncate64;arm
+stat64;arm
+lstat64;arm
+fstat64;arm
+lchown32;arm
+getuid32;arm
+getgid32;arm
+geteuid32;arm
+getegid32;arm
+getgroups32;arm
+fchown32;arm
+setresuid32;arm
+getresuid32;arm
+getresgid32;arm
+chown32;arm
+fcntl64;arm
+sendfile64;arm
+epoll_create;arm
+epoll_wait;arm
+remap_file_pages;arm
+statfs64;arm
+fstatfs64;arm
+fadvise64_64;arm
+inotify_init;arm
+fstatat64;arm
+sync_file_range2;arm
+eventfd;arm
+clock_gettime64;arm
+clock_settime64;arm
+clock_adjtime64;arm
+clock_getres_time64;arm
+clock_nanosleep_time64;arm
+timer_gettime64;arm
+timer_settime64;arm
+timerfd_gettime64;arm
+timerfd_settime64;arm
+utimensat_time64;arm
+pselect6_time64;arm
+ppoll_time64;arm
+recvmmsg_time64;arm
+semtimedop_time64;arm
+rt_sigtimedwait_time64;arm
+futex_time64;arm
+sched_rr_get_interval_time64;arm
+cacheflush;arm
+set_tls;arm
+
+@allowListWithArgs
+clone: if (arg0 & (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER)) == 0 ; return ALLOW; else return TRAP;all
diff --git a/test/unittest/seccomp/seccomp_unittest.cpp b/test/unittest/seccomp/seccomp_unittest.cpp
index 393e73fe0..46a99e956 100644
--- a/test/unittest/seccomp/seccomp_unittest.cpp
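Review bot: The allow list of this new profile is far wider than the io_uring opt-in its name and the accompanying test describe: besides `io_uring_setup;all`, `io_uring_enter;all` and `io_uring_register;all` it grants `ptrace;all`, `perf_event_open;all`, `userfaultfd;all`, `process_vm_writev;all`, `quotactl;all`, `capset;all`, `personality;all`, `seccomp;all` and `pivot_root;riscv64`, each of which enlarges the kernel surface an app can reach independently of io_uring. io_uring is itself a large, frequently patched interface, so a profile that enables it for apps should be the default app policy plus exactly the io_uring calls, with every further addition justified; if this list was copied from another profile (the test hunk contrasts it with `APP_NAME`, so a baseline app policy exists), a header comment such as `# Derived from app.seccomp.policy; adds io_uring_setup/io_uring_enter/io_uring_register` would let a reviewer diff the two. `ioctl;all` is also unrestricted here while the existing suite carries an ioctl-specific case for the atomic profile (`TestAppAtomicSyscallForIoctl`), so it is worth confirming that no argument filtering is expected for this profile either. Minor: the header comment reads `architechture`; it should be `architecture`.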
+++ b/test/unittest/seccomp/seccomp_unittest.cpp @@ -397,6 +397,45 @@ public: EXPECT_EQ(ret, 0); } + static bool CheckIoUringFlag1() + { + (void)syscall(SYS_io_uring_setup, 0, nullptr); + return true; + } + + static bool CheckIoUringFlag2() + { + (void)syscall(SYS_io_uring_enter, 0, nullptr, 0, 0, nullptr); + return true; + } + + static bool CheckIoUringFlag3() + { + (void)syscall(SYS_io_uring_register, 0, "example", 0); + return true; + } + + void TestAppAllowIoUringSyscall() + { + int ret = CheckSyscall(APP, APP_ALLOW_IOURING, CheckIoUringFlag1, true); + EXPECT_EQ(ret, 0); + + ret = CheckSyscall(APP, APP_NAME, CheckIoUringFlag1, false); + EXPECT_EQ(ret, 0); + + ret = CheckSyscall(APP, APP_ALLOW_IOURING, CheckIoUringFlag2, true); + EXPECT_EQ(ret, 0); + + ret = CheckSyscall(APP, APP_NAME, CheckIoUringFlag2, false); + EXPECT_EQ(ret, 0); + + ret = CheckSyscall(APP, APP_ALLOW_IOURING, CheckIoUringFlag3, true); + EXPECT_EQ(ret, 0); + + ret = CheckSyscall(APP, APP_NAME, CheckIoUringFlag3, false); + EXPECT_EQ(ret, 0); + } + #if defined __aarch64__ static bool CheckMqOpen() { @@ -1324,6 +1363,18 @@ HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall002, TestSize.Level1) test.TestAppAtomicSyscallForIoctl(); } +/** + * @tc.name: TestAppIoUringSycall + * @tc.desc: Verify the app seccomp policy with io uring. + * @tc.type: FUNC + * @tc.require: issueI5MUXD + */ +HWTEST_F(SeccompUnitTest, Init_Seccomp_AppSycall003, TestSize.Level1) +{ + SeccompUnitTest test; + test.TestAppAllowIoUringSyscall(); +} + /** * @tc.name: TestSystemSyscallForUidFilter * @tc.desc: Verify the system seccomp policy. -- Gitee
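Review bot: The argument lists in `CheckIoUringFlag2` and `CheckIoUringFlag3` do not match the syscall prototypes — `io_uring_enter` takes six arguments (fd, to_submit, min_complete, flags, sig, sigsz) and `io_uring_register` takes four (fd, opcode, arg, nr_args), yet the helpers pass five and three, with a string literal in the opcode position, so the kernel reads whatever happens to be in the unfilled argument registers. Because fd 0 is not an io_uring descriptor the call should fail before the remaining arguments matter and the seccomp verdict is still what the test observes, but the intent is clearer and the call fully specified as `(void)syscall(SYS_io_uring_enter, 0, 0, 0, 0, nullptr, 0);` and `(void)syscall(SYS_io_uring_register, 0, 0, nullptr, 0);`. The `SYS_io_uring_*` constants are only provided by libc headers that know these syscall numbers; if any supported sysroot predates them, wrapping the three helpers and `TestAppAllowIoUringSyscall` in `#if defined(SYS_io_uring_setup)` avoids a compile break — this is inferred, the includes are not in the hunk. The enclosing class begins and ends outside the hunk.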
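Review bot: The new doc block names the case `@tc.name: TestAppIoUringSycall`, which matches neither the registered test `Init_Seccomp_AppSycall003` nor the method it calls, `TestAppAllowIoUringSyscall`, so a search for either will not find the header; `@tc.name: TestAppAllowIoUringSyscall` keeps it aligned with the method. The `@tc.desc` could also state what distinguishes this case from `Init_Seccomp_AppSycall002`, e.g. `Verify io_uring syscalls are allowed under app_allow_iouring and trapped under the default app policy.`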