1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright 2016 Lennart Poettering
9 #include <sys/eventfd.h>
11 #include <sys/personality.h>
13 #include <sys/types.h>
16 #include "alloc-util.h"
21 #include "process-util.h"
22 #include "raw-clone.h"
23 #include "seccomp-util.h"
25 #include "string-util.h"
29 #if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
30 /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
31 * and we can't restrict it hence via seccomp. */
32 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
34 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
37 static void test_seccomp_arch_to_string(void) {
41 a
= seccomp_arch_native();
43 name
= seccomp_arch_to_string(a
);
45 assert_se(seccomp_arch_from_string(name
, &b
) >= 0);
49 static void test_architecture_table(void) {
72 assert_se(seccomp_arch_from_string(n
, &c
) >= 0);
73 n2
= seccomp_arch_to_string(c
);
74 log_info("seccomp-arch: %s → 0x%"PRIx32
" → %s", n
, c
, n2
);
75 assert_se(streq_ptr(n
, n2
));
79 static void test_syscall_filter_set_find(void) {
80 assert_se(!syscall_filter_set_find(NULL
));
81 assert_se(!syscall_filter_set_find(""));
82 assert_se(!syscall_filter_set_find("quux"));
83 assert_se(!syscall_filter_set_find("@quux"));
85 assert_se(syscall_filter_set_find("@clock") == syscall_filter_sets
+ SYSCALL_FILTER_SET_CLOCK
);
86 assert_se(syscall_filter_set_find("@default") == syscall_filter_sets
+ SYSCALL_FILTER_SET_DEFAULT
);
87 assert_se(syscall_filter_set_find("@raw-io") == syscall_filter_sets
+ SYSCALL_FILTER_SET_RAW_IO
);
90 static void test_filter_sets(void) {
94 if (!is_seccomp_available())
99 for (i
= 0; i
< _SYSCALL_FILTER_SET_MAX
; i
++) {
102 log_info("Testing %s", syscall_filter_sets
[i
].name
);
107 if (pid
== 0) { /* Child? */
110 if (i
== SYSCALL_FILTER_SET_DEFAULT
) /* if we look at the default set, whitelist instead of blacklist */
111 r
= seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN
), syscall_filter_sets
+ i
, SCMP_ACT_ALLOW
);
113 r
= seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW
, syscall_filter_sets
+ i
, SCMP_ACT_ERRNO(EUCLEAN
));
117 /* Test the sycall filter with one random system call */
118 fd
= eventfd(0, EFD_NONBLOCK
|EFD_CLOEXEC
);
119 if (IN_SET(i
, SYSCALL_FILTER_SET_IO_EVENT
, SYSCALL_FILTER_SET_DEFAULT
))
120 assert_se(fd
< 0 && errno
== EUCLEAN
);
129 assert_se(wait_for_terminate_and_check(syscall_filter_sets
[i
].name
, pid
, WAIT_LOG
) == EXIT_SUCCESS
);
133 static void test_restrict_namespace(void) {
138 assert_se(namespace_flags_to_string(0, &s
) == 0 && streq(s
, ""));
140 assert_se(namespace_flags_to_string(CLONE_NEWNS
, &s
) == 0 && streq(s
, "mnt"));
142 assert_se(namespace_flags_to_string(CLONE_NEWNS
|CLONE_NEWIPC
, &s
) == 0 && streq(s
, "ipc mnt"));
144 assert_se(namespace_flags_to_string(CLONE_NEWCGROUP
, &s
) == 0 && streq(s
, "cgroup"));
147 assert_se(namespace_flags_from_string("mnt", &ul
) == 0 && ul
== CLONE_NEWNS
);
148 assert_se(namespace_flags_from_string(NULL
, &ul
) == 0 && ul
== 0);
149 assert_se(namespace_flags_from_string("", &ul
) == 0 && ul
== 0);
150 assert_se(namespace_flags_from_string("uts", &ul
) == 0 && ul
== CLONE_NEWUTS
);
151 assert_se(namespace_flags_from_string("mnt uts ipc", &ul
) == 0 && ul
== (CLONE_NEWNS
|CLONE_NEWUTS
|CLONE_NEWIPC
));
153 assert_se(namespace_flags_to_string(CLONE_NEWUTS
, &s
) == 0 && streq(s
, "uts"));
154 assert_se(namespace_flags_from_string(s
, &ul
) == 0 && ul
== CLONE_NEWUTS
);
156 assert_se(namespace_flags_from_string("ipc", &ul
) == 0 && ul
== CLONE_NEWIPC
);
157 assert_se(namespace_flags_to_string(ul
, &s
) == 0 && streq(s
, "ipc"));
160 assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL
, &s
) == 0);
161 assert_se(streq(s
, "cgroup ipc net mnt pid user uts"));
162 assert_se(namespace_flags_from_string(s
, &ul
) == 0 && ul
== NAMESPACE_FLAGS_ALL
);
165 if (!is_seccomp_available())
175 assert_se(seccomp_restrict_namespaces(CLONE_NEWNS
|CLONE_NEWNET
) >= 0);
177 assert_se(unshare(CLONE_NEWNS
) == 0);
178 assert_se(unshare(CLONE_NEWNET
) == 0);
179 assert_se(unshare(CLONE_NEWUTS
) == -1);
180 assert_se(errno
== EPERM
);
181 assert_se(unshare(CLONE_NEWIPC
) == -1);
182 assert_se(errno
== EPERM
);
183 assert_se(unshare(CLONE_NEWNET
|CLONE_NEWUTS
) == -1);
184 assert_se(errno
== EPERM
);
186 /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our
187 * seccomp filter worked, and hits first and makes it return EPERM */
188 assert_se(setns(0, CLONE_NEWNS
) == -1);
189 assert_se(errno
== EINVAL
);
190 assert_se(setns(0, CLONE_NEWNET
) == -1);
191 assert_se(errno
== EINVAL
);
192 assert_se(setns(0, CLONE_NEWUTS
) == -1);
193 assert_se(errno
== EPERM
);
194 assert_se(setns(0, CLONE_NEWIPC
) == -1);
195 assert_se(errno
== EPERM
);
196 assert_se(setns(0, CLONE_NEWNET
|CLONE_NEWUTS
) == -1);
197 assert_se(errno
== EPERM
);
198 assert_se(setns(0, 0) == -1);
199 assert_se(errno
== EPERM
);
201 pid
= raw_clone(CLONE_NEWNS
);
205 pid
= raw_clone(CLONE_NEWNET
);
209 pid
= raw_clone(CLONE_NEWUTS
);
211 assert_se(errno
== EPERM
);
212 pid
= raw_clone(CLONE_NEWIPC
);
214 assert_se(errno
== EPERM
);
215 pid
= raw_clone(CLONE_NEWNET
|CLONE_NEWUTS
);
217 assert_se(errno
== EPERM
);
222 assert_se(wait_for_terminate_and_check("nsseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
225 static void test_protect_sysctl(void) {
228 if (!is_seccomp_available())
233 if (detect_container() > 0) /* in containers _sysctl() is likely missing anyway */
241 assert_se(syscall(__NR__sysctl
, NULL
) < 0);
242 assert_se(errno
== EFAULT
);
245 assert_se(seccomp_protect_sysctl() >= 0);
248 assert_se(syscall(__NR__sysctl
, 0, 0, 0) < 0);
249 assert_se(errno
== EPERM
);
255 assert_se(wait_for_terminate_and_check("sysctlseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
258 static void test_restrict_address_families(void) {
261 if (!is_seccomp_available())
273 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
277 fd
= socket(AF_UNIX
, SOCK_DGRAM
, 0);
281 fd
= socket(AF_NETLINK
, SOCK_DGRAM
, 0);
285 assert_se(s
= set_new(NULL
));
286 assert_se(set_put(s
, INT_TO_PTR(AF_UNIX
)) >= 0);
288 assert_se(seccomp_restrict_address_families(s
, false) >= 0);
290 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
294 fd
= socket(AF_UNIX
, SOCK_DGRAM
, 0);
295 #if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
300 assert_se(errno
== EAFNOSUPPORT
);
303 fd
= socket(AF_NETLINK
, SOCK_DGRAM
, 0);
309 assert_se(set_put(s
, INT_TO_PTR(AF_INET
)) >= 0);
311 assert_se(seccomp_restrict_address_families(s
, true) >= 0);
313 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
317 fd
= socket(AF_UNIX
, SOCK_DGRAM
, 0);
318 #if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
323 assert_se(errno
== EAFNOSUPPORT
);
326 fd
= socket(AF_NETLINK
, SOCK_DGRAM
, 0);
327 #if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
332 assert_se(errno
== EAFNOSUPPORT
);
338 assert_se(wait_for_terminate_and_check("socketseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
341 static void test_restrict_realtime(void) {
344 if (!is_seccomp_available())
349 if (detect_container() > 0) /* in containers RT privs are likely missing anyway */
356 assert_se(sched_setscheduler(0, SCHED_FIFO
, &(struct sched_param
) { .sched_priority
= 1 }) >= 0);
357 assert_se(sched_setscheduler(0, SCHED_RR
, &(struct sched_param
) { .sched_priority
= 1 }) >= 0);
358 assert_se(sched_setscheduler(0, SCHED_IDLE
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
359 assert_se(sched_setscheduler(0, SCHED_BATCH
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
360 assert_se(sched_setscheduler(0, SCHED_OTHER
, &(struct sched_param
) {}) >= 0);
362 assert_se(seccomp_restrict_realtime() >= 0);
364 assert_se(sched_setscheduler(0, SCHED_IDLE
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
365 assert_se(sched_setscheduler(0, SCHED_BATCH
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
366 assert_se(sched_setscheduler(0, SCHED_OTHER
, &(struct sched_param
) {}) >= 0);
368 assert_se(sched_setscheduler(0, SCHED_FIFO
, &(struct sched_param
) { .sched_priority
= 1 }) < 0);
369 assert_se(errno
== EPERM
);
370 assert_se(sched_setscheduler(0, SCHED_RR
, &(struct sched_param
) { .sched_priority
= 1 }) < 0);
371 assert_se(errno
== EPERM
);
376 assert_se(wait_for_terminate_and_check("realtimeseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
379 static void test_memory_deny_write_execute_mmap(void) {
382 if (!is_seccomp_available())
393 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_EXEC
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
394 assert_se(p
!= MAP_FAILED
);
395 assert_se(munmap(p
, page_size()) >= 0);
397 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_READ
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
398 assert_se(p
!= MAP_FAILED
);
399 assert_se(munmap(p
, page_size()) >= 0);
401 assert_se(seccomp_memory_deny_write_execute() >= 0);
403 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_EXEC
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
404 #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
405 assert_se(p
== MAP_FAILED
);
406 assert_se(errno
== EPERM
);
407 #else /* unknown architectures */
408 assert_se(p
!= MAP_FAILED
);
409 assert_se(munmap(p
, page_size()) >= 0);
412 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_READ
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
413 assert_se(p
!= MAP_FAILED
);
414 assert_se(munmap(p
, page_size()) >= 0);
419 assert_se(wait_for_terminate_and_check("memoryseccomp-mmap", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
422 static void test_memory_deny_write_execute_shmat(void) {
426 if (!is_seccomp_available())
431 shmid
= shmget(IPC_PRIVATE
, page_size(), 0);
432 assert_se(shmid
>= 0);
440 p
= shmat(shmid
, NULL
, 0);
441 assert_se(p
!= MAP_FAILED
);
442 assert_se(shmdt(p
) == 0);
444 p
= shmat(shmid
, NULL
, SHM_EXEC
);
445 assert_se(p
!= MAP_FAILED
);
446 assert_se(shmdt(p
) == 0);
448 assert_se(seccomp_memory_deny_write_execute() >= 0);
450 p
= shmat(shmid
, NULL
, SHM_EXEC
);
451 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
452 assert_se(p
== MAP_FAILED
);
453 assert_se(errno
== EPERM
);
454 #else /* __i386__, __powerpc64__, and "unknown" architectures */
455 assert_se(p
!= MAP_FAILED
);
456 assert_se(shmdt(p
) == 0);
459 p
= shmat(shmid
, NULL
, 0);
460 assert_se(p
!= MAP_FAILED
);
461 assert_se(shmdt(p
) == 0);
466 assert_se(wait_for_terminate_and_check("memoryseccomp-shmat", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
469 static void test_restrict_archs(void) {
472 if (!is_seccomp_available())
481 _cleanup_set_free_ Set
*s
= NULL
;
483 assert_se(access("/", F_OK
) >= 0);
485 assert_se(s
= set_new(NULL
));
488 assert_se(set_put(s
, UINT32_TO_PTR(SCMP_ARCH_X86
+1)) >= 0);
490 assert_se(seccomp_restrict_archs(s
) >= 0);
492 assert_se(access("/", F_OK
) >= 0);
493 assert_se(seccomp_restrict_archs(NULL
) >= 0);
495 assert_se(access("/", F_OK
) >= 0);
500 assert_se(wait_for_terminate_and_check("archseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
503 static void test_load_syscall_filter_set_raw(void) {
506 if (!is_seccomp_available())
515 _cleanup_hashmap_free_ Hashmap
*s
= NULL
;
517 assert_se(access("/", F_OK
) >= 0);
518 assert_se(poll(NULL
, 0, 0) == 0);
520 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, NULL
, SCMP_ACT_KILL
) >= 0);
521 assert_se(access("/", F_OK
) >= 0);
522 assert_se(poll(NULL
, 0, 0) == 0);
524 assert_se(s
= hashmap_new(NULL
));
525 #if SCMP_SYS(access) >= 0
526 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_access
+ 1), INT_TO_PTR(-1)) >= 0);
528 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_faccessat
+ 1), INT_TO_PTR(-1)) >= 0);
531 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUCLEAN
)) >= 0);
533 assert_se(access("/", F_OK
) < 0);
534 assert_se(errno
== EUCLEAN
);
536 assert_se(poll(NULL
, 0, 0) == 0);
540 assert_se(s
= hashmap_new(NULL
));
541 #if SCMP_SYS(access) >= 0
542 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_access
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
544 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_faccessat
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
547 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUCLEAN
)) >= 0);
549 assert_se(access("/", F_OK
) < 0);
550 assert_se(errno
== EILSEQ
);
552 assert_se(poll(NULL
, 0, 0) == 0);
556 assert_se(s
= hashmap_new(NULL
));
557 #if SCMP_SYS(poll) >= 0
558 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_poll
+ 1), INT_TO_PTR(-1)) >= 0);
560 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_ppoll
+ 1), INT_TO_PTR(-1)) >= 0);
563 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUNATCH
)) >= 0);
565 assert_se(access("/", F_OK
) < 0);
566 assert_se(errno
== EILSEQ
);
568 assert_se(poll(NULL
, 0, 0) < 0);
569 assert_se(errno
== EUNATCH
);
573 assert_se(s
= hashmap_new(NULL
));
574 #if SCMP_SYS(poll) >= 0
575 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_poll
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
577 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_ppoll
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
580 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUNATCH
)) >= 0);
582 assert_se(access("/", F_OK
) < 0);
583 assert_se(errno
== EILSEQ
);
585 assert_se(poll(NULL
, 0, 0) < 0);
586 assert_se(errno
== EILSEQ
);
591 assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
594 static void test_lock_personality(void) {
595 unsigned long current
;
598 if (!is_seccomp_available())
603 assert_se(opinionated_personality(¤t
) >= 0);
605 log_info("current personality=%lu", current
);
611 assert_se(seccomp_lock_personality(current
) >= 0);
613 assert_se((unsigned long) safe_personality(current
) == current
);
615 /* Note, we also test that safe_personality() works correctly, by checkig whether errno is properly
616 * set, in addition to the return value */
618 assert_se(safe_personality(PER_LINUX
| ADDR_NO_RANDOMIZE
) == -EPERM
);
619 assert_se(errno
== EPERM
);
621 assert_se(safe_personality(PER_LINUX
| MMAP_PAGE_ZERO
) == -EPERM
);
622 assert_se(safe_personality(PER_LINUX
| ADDR_COMPAT_LAYOUT
) == -EPERM
);
623 assert_se(safe_personality(PER_LINUX
| READ_IMPLIES_EXEC
) == -EPERM
);
624 assert_se(safe_personality(PER_LINUX_32BIT
) == -EPERM
);
625 assert_se(safe_personality(PER_SVR4
) == -EPERM
);
626 assert_se(safe_personality(PER_BSD
) == -EPERM
);
627 assert_se(safe_personality(current
== PER_LINUX
? PER_LINUX32
: PER_LINUX
) == -EPERM
);
628 assert_se(safe_personality(PER_LINUX32_3GB
) == -EPERM
);
629 assert_se(safe_personality(PER_UW7
) == -EPERM
);
630 assert_se(safe_personality(0x42) == -EPERM
);
632 assert_se(safe_personality(PERSONALITY_INVALID
) == -EPERM
); /* maybe remove this later */
634 assert_se((unsigned long) personality(current
) == current
);
638 assert_se(wait_for_terminate_and_check("lockpersonalityseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
641 static void test_filter_sets_ordered(void) {
644 /* Ensure "@default" always remains at the beginning of the list */
645 assert_se(SYSCALL_FILTER_SET_DEFAULT
== 0);
646 assert_se(streq(syscall_filter_sets
[0].name
, "@default"));
648 for (i
= 0; i
< _SYSCALL_FILTER_SET_MAX
; i
++) {
649 const char *k
, *p
= NULL
;
651 /* Make sure each group has a description */
652 assert_se(!isempty(syscall_filter_sets
[0].help
));
654 /* Make sure the groups are ordered alphabetically, except for the first entry */
655 assert_se(i
< 2 || strcmp(syscall_filter_sets
[i
-1].name
, syscall_filter_sets
[i
].name
) < 0);
657 NULSTR_FOREACH(k
, syscall_filter_sets
[i
].value
) {
659 /* Ensure each syscall list is in itself ordered, but groups before names */
661 (*p
== '@' && *k
!= '@') ||
662 (((*p
== '@' && *k
== '@') ||
663 (*p
!= '@' && *k
!= '@')) &&
671 int main(int argc
, char *argv
[]) {
673 log_set_max_level(LOG_DEBUG
);
675 test_seccomp_arch_to_string();
676 test_architecture_table();
677 test_syscall_filter_set_find();
679 test_restrict_namespace();
680 test_protect_sysctl();
681 test_restrict_address_families();
682 test_restrict_realtime();
683 test_memory_deny_write_execute_mmap();
684 test_memory_deny_write_execute_shmat();
685 test_restrict_archs();
686 test_load_syscall_filter_set_raw();
687 test_lock_personality();
688 test_filter_sets_ordered();