1 /* SPDX-License-Identifier: LGPL-2.1+ */
7 #include <sys/eventfd.h>
9 #include <sys/personality.h>
11 #include <sys/syscall.h>
12 #include <sys/types.h>
15 #include "alloc-util.h"
18 #include "memory-util.h"
19 #include "missing_sched.h"
21 #include "nulstr-util.h"
22 #include "process-util.h"
23 #include "raw-clone.h"
25 #include "seccomp-util.h"
27 #include "string-util.h"
29 #include "tmpfile-util.h"
32 #if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
33 /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
34 * and we can't restrict it hence via seccomp. */
35 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
37 # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
40 static void test_seccomp_arch_to_string(void) {
44 log_info("/* %s */", __func__
);
46 a
= seccomp_arch_native();
48 name
= seccomp_arch_to_string(a
);
50 assert_se(seccomp_arch_from_string(name
, &b
) >= 0);
54 static void test_architecture_table(void) {
57 log_info("/* %s */", __func__
);
79 assert_se(seccomp_arch_from_string(n
, &c
) >= 0);
80 n2
= seccomp_arch_to_string(c
);
81 log_info("seccomp-arch: %s → 0x%"PRIx32
" → %s", n
, c
, n2
);
82 assert_se(streq_ptr(n
, n2
));
86 static void test_syscall_filter_set_find(void) {
87 log_info("/* %s */", __func__
);
89 assert_se(!syscall_filter_set_find(NULL
));
90 assert_se(!syscall_filter_set_find(""));
91 assert_se(!syscall_filter_set_find("quux"));
92 assert_se(!syscall_filter_set_find("@quux"));
94 assert_se(syscall_filter_set_find("@clock") == syscall_filter_sets
+ SYSCALL_FILTER_SET_CLOCK
);
95 assert_se(syscall_filter_set_find("@default") == syscall_filter_sets
+ SYSCALL_FILTER_SET_DEFAULT
);
96 assert_se(syscall_filter_set_find("@raw-io") == syscall_filter_sets
+ SYSCALL_FILTER_SET_RAW_IO
);
99 static void test_filter_sets(void) {
103 log_info("/* %s */", __func__
);
105 if (!is_seccomp_available()) {
106 log_notice("Seccomp not available, skipping %s", __func__
);
109 if (geteuid() != 0) {
110 log_notice("Not root, skipping %s", __func__
);
114 for (i
= 0; i
< _SYSCALL_FILTER_SET_MAX
; i
++) {
117 log_info("Testing %s", syscall_filter_sets
[i
].name
);
122 if (pid
== 0) { /* Child? */
125 /* If we look at the default set (or one that includes it), whitelist instead of blacklist */
126 if (IN_SET(i
, SYSCALL_FILTER_SET_DEFAULT
, SYSCALL_FILTER_SET_SYSTEM_SERVICE
))
127 r
= seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN
), syscall_filter_sets
+ i
, SCMP_ACT_ALLOW
, true);
129 r
= seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW
, syscall_filter_sets
+ i
, SCMP_ACT_ERRNO(EUCLEAN
), true);
133 /* Test the sycall filter with one random system call */
134 fd
= eventfd(0, EFD_NONBLOCK
|EFD_CLOEXEC
);
135 if (IN_SET(i
, SYSCALL_FILTER_SET_IO_EVENT
, SYSCALL_FILTER_SET_DEFAULT
))
136 assert_se(fd
< 0 && errno
== EUCLEAN
);
145 assert_se(wait_for_terminate_and_check(syscall_filter_sets
[i
].name
, pid
, WAIT_LOG
) == EXIT_SUCCESS
);
149 static void test_filter_sets_ordered(void) {
152 log_info("/* %s */", __func__
);
154 /* Ensure "@default" always remains at the beginning of the list */
155 assert_se(SYSCALL_FILTER_SET_DEFAULT
== 0);
156 assert_se(streq(syscall_filter_sets
[0].name
, "@default"));
158 for (i
= 0; i
< _SYSCALL_FILTER_SET_MAX
; i
++) {
159 const char *k
, *p
= NULL
;
161 /* Make sure each group has a description */
162 assert_se(!isempty(syscall_filter_sets
[0].help
));
164 /* Make sure the groups are ordered alphabetically, except for the first entry */
165 assert_se(i
< 2 || strcmp(syscall_filter_sets
[i
-1].name
, syscall_filter_sets
[i
].name
) < 0);
167 NULSTR_FOREACH(k
, syscall_filter_sets
[i
].value
) {
169 /* Ensure each syscall list is in itself ordered, but groups before names */
171 (*p
== '@' && *k
!= '@') ||
172 (((*p
== '@' && *k
== '@') ||
173 (*p
!= '@' && *k
!= '@')) &&
181 static void test_restrict_namespace(void) {
186 if (!have_namespaces()) {
187 log_notice("Testing without namespaces, skipping %s", __func__
);
191 log_info("/* %s */", __func__
);
193 assert_se(namespace_flags_to_string(0, &s
) == 0 && streq(s
, ""));
195 assert_se(namespace_flags_to_string(CLONE_NEWNS
, &s
) == 0 && streq(s
, "mnt"));
197 assert_se(namespace_flags_to_string(CLONE_NEWNS
|CLONE_NEWIPC
, &s
) == 0 && streq(s
, "ipc mnt"));
199 assert_se(namespace_flags_to_string(CLONE_NEWCGROUP
, &s
) == 0 && streq(s
, "cgroup"));
202 assert_se(namespace_flags_from_string("mnt", &ul
) == 0 && ul
== CLONE_NEWNS
);
203 assert_se(namespace_flags_from_string(NULL
, &ul
) == 0 && ul
== 0);
204 assert_se(namespace_flags_from_string("", &ul
) == 0 && ul
== 0);
205 assert_se(namespace_flags_from_string("uts", &ul
) == 0 && ul
== CLONE_NEWUTS
);
206 assert_se(namespace_flags_from_string("mnt uts ipc", &ul
) == 0 && ul
== (CLONE_NEWNS
|CLONE_NEWUTS
|CLONE_NEWIPC
));
208 assert_se(namespace_flags_to_string(CLONE_NEWUTS
, &s
) == 0 && streq(s
, "uts"));
209 assert_se(namespace_flags_from_string(s
, &ul
) == 0 && ul
== CLONE_NEWUTS
);
211 assert_se(namespace_flags_from_string("ipc", &ul
) == 0 && ul
== CLONE_NEWIPC
);
212 assert_se(namespace_flags_to_string(ul
, &s
) == 0 && streq(s
, "ipc"));
215 assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL
, &s
) == 0);
216 assert_se(streq(s
, "cgroup ipc net mnt pid user uts"));
217 assert_se(namespace_flags_from_string(s
, &ul
) == 0 && ul
== NAMESPACE_FLAGS_ALL
);
220 if (!is_seccomp_available()) {
221 log_notice("Seccomp not available, skipping remaining tests in %s", __func__
);
224 if (geteuid() != 0) {
225 log_notice("Not root, skipping remaining tests in %s", __func__
);
234 assert_se(seccomp_restrict_namespaces(CLONE_NEWNS
|CLONE_NEWNET
) >= 0);
236 assert_se(unshare(CLONE_NEWNS
) == 0);
237 assert_se(unshare(CLONE_NEWNET
) == 0);
238 assert_se(unshare(CLONE_NEWUTS
) == -1);
239 assert_se(errno
== EPERM
);
240 assert_se(unshare(CLONE_NEWIPC
) == -1);
241 assert_se(errno
== EPERM
);
242 assert_se(unshare(CLONE_NEWNET
|CLONE_NEWUTS
) == -1);
243 assert_se(errno
== EPERM
);
245 /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our
246 * seccomp filter worked, and hits first and makes it return EPERM */
247 assert_se(setns(0, CLONE_NEWNS
) == -1);
248 assert_se(errno
== EINVAL
);
249 assert_se(setns(0, CLONE_NEWNET
) == -1);
250 assert_se(errno
== EINVAL
);
251 assert_se(setns(0, CLONE_NEWUTS
) == -1);
252 assert_se(errno
== EPERM
);
253 assert_se(setns(0, CLONE_NEWIPC
) == -1);
254 assert_se(errno
== EPERM
);
255 assert_se(setns(0, CLONE_NEWNET
|CLONE_NEWUTS
) == -1);
256 assert_se(errno
== EPERM
);
257 assert_se(setns(0, 0) == -1);
258 assert_se(errno
== EPERM
);
260 pid
= raw_clone(CLONE_NEWNS
);
264 pid
= raw_clone(CLONE_NEWNET
);
268 pid
= raw_clone(CLONE_NEWUTS
);
270 assert_se(errno
== EPERM
);
271 pid
= raw_clone(CLONE_NEWIPC
);
273 assert_se(errno
== EPERM
);
274 pid
= raw_clone(CLONE_NEWNET
|CLONE_NEWUTS
);
276 assert_se(errno
== EPERM
);
281 assert_se(wait_for_terminate_and_check("nsseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
284 static void test_protect_sysctl(void) {
287 log_info("/* %s */", __func__
);
289 if (!is_seccomp_available()) {
290 log_notice("Seccomp not available, skipping %s", __func__
);
293 if (geteuid() != 0) {
294 log_notice("Not root, skipping %s", __func__
);
298 /* in containers _sysctl() is likely missing anyway */
299 if (detect_container() > 0) {
300 log_notice("Testing in container, skipping %s", __func__
);
309 assert_se(syscall(__NR__sysctl
, NULL
) < 0);
310 assert_se(errno
== EFAULT
);
313 assert_se(seccomp_protect_sysctl() >= 0);
316 assert_se(syscall(__NR__sysctl
, 0, 0, 0) < 0);
317 assert_se(errno
== EPERM
);
323 assert_se(wait_for_terminate_and_check("sysctlseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
326 static void test_restrict_address_families(void) {
329 log_info("/* %s */", __func__
);
331 if (!is_seccomp_available()) {
332 log_notice("Seccomp not available, skipping %s", __func__
);
335 if (geteuid() != 0) {
336 log_notice("Not root, skipping %s", __func__
);
347 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
351 fd
= socket(AF_UNIX
, SOCK_DGRAM
, 0);
355 fd
= socket(AF_NETLINK
, SOCK_DGRAM
, 0);
359 assert_se(s
= set_new(NULL
));
360 assert_se(set_put(s
, INT_TO_PTR(AF_UNIX
)) >= 0);
362 assert_se(seccomp_restrict_address_families(s
, false) >= 0);
364 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
368 fd
= socket(AF_UNIX
, SOCK_DGRAM
, 0);
369 #if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
374 assert_se(errno
== EAFNOSUPPORT
);
377 fd
= socket(AF_NETLINK
, SOCK_DGRAM
, 0);
383 assert_se(set_put(s
, INT_TO_PTR(AF_INET
)) >= 0);
385 assert_se(seccomp_restrict_address_families(s
, true) >= 0);
387 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
391 fd
= socket(AF_UNIX
, SOCK_DGRAM
, 0);
392 #if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
397 assert_se(errno
== EAFNOSUPPORT
);
400 fd
= socket(AF_NETLINK
, SOCK_DGRAM
, 0);
401 #if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
406 assert_se(errno
== EAFNOSUPPORT
);
412 assert_se(wait_for_terminate_and_check("socketseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
415 static void test_restrict_realtime(void) {
418 log_info("/* %s */", __func__
);
420 if (!is_seccomp_available()) {
421 log_notice("Seccomp not available, skipping %s", __func__
);
424 if (geteuid() != 0) {
425 log_notice("Not root, skipping %s", __func__
);
429 /* in containers RT privs are likely missing anyway */
430 if (detect_container() > 0) {
431 log_notice("Testing in container, skipping %s", __func__
);
439 assert_se(sched_setscheduler(0, SCHED_FIFO
, &(struct sched_param
) { .sched_priority
= 1 }) >= 0);
440 assert_se(sched_setscheduler(0, SCHED_RR
, &(struct sched_param
) { .sched_priority
= 1 }) >= 0);
441 assert_se(sched_setscheduler(0, SCHED_IDLE
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
442 assert_se(sched_setscheduler(0, SCHED_BATCH
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
443 assert_se(sched_setscheduler(0, SCHED_OTHER
, &(struct sched_param
) {}) >= 0);
445 assert_se(seccomp_restrict_realtime() >= 0);
447 assert_se(sched_setscheduler(0, SCHED_IDLE
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
448 assert_se(sched_setscheduler(0, SCHED_BATCH
, &(struct sched_param
) { .sched_priority
= 0 }) >= 0);
449 assert_se(sched_setscheduler(0, SCHED_OTHER
, &(struct sched_param
) {}) >= 0);
451 assert_se(sched_setscheduler(0, SCHED_FIFO
, &(struct sched_param
) { .sched_priority
= 1 }) < 0);
452 assert_se(errno
== EPERM
);
453 assert_se(sched_setscheduler(0, SCHED_RR
, &(struct sched_param
) { .sched_priority
= 1 }) < 0);
454 assert_se(errno
== EPERM
);
459 assert_se(wait_for_terminate_and_check("realtimeseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
462 static void test_memory_deny_write_execute_mmap(void) {
465 log_info("/* %s */", __func__
);
467 if (!is_seccomp_available()) {
468 log_notice("Seccomp not available, skipping %s", __func__
);
471 if (geteuid() != 0) {
472 log_notice("Not root, skipping %s", __func__
);
482 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_EXEC
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
483 assert_se(p
!= MAP_FAILED
);
484 assert_se(munmap(p
, page_size()) >= 0);
486 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_READ
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
487 assert_se(p
!= MAP_FAILED
);
488 assert_se(munmap(p
, page_size()) >= 0);
490 assert_se(seccomp_memory_deny_write_execute() >= 0);
492 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_EXEC
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
493 #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
494 assert_se(p
== MAP_FAILED
);
495 assert_se(errno
== EPERM
);
496 #else /* unknown architectures */
497 assert_se(p
!= MAP_FAILED
);
498 assert_se(munmap(p
, page_size()) >= 0);
501 p
= mmap(NULL
, page_size(), PROT_WRITE
|PROT_READ
, MAP_PRIVATE
|MAP_ANONYMOUS
, -1,0);
502 assert_se(p
!= MAP_FAILED
);
503 assert_se(munmap(p
, page_size()) >= 0);
508 assert_se(wait_for_terminate_and_check("memoryseccomp-mmap", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
511 static void test_memory_deny_write_execute_shmat(void) {
516 log_info("/* %s */", __func__
);
518 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
519 log_debug("arch %s: SCMP_SYS(mmap) = %d", seccomp_arch_to_string(arch
), SCMP_SYS(mmap
));
520 log_debug("arch %s: SCMP_SYS(mmap2) = %d", seccomp_arch_to_string(arch
), SCMP_SYS(mmap2
));
521 log_debug("arch %s: SCMP_SYS(shmget) = %d", seccomp_arch_to_string(arch
), SCMP_SYS(shmget
));
522 log_debug("arch %s: SCMP_SYS(shmat) = %d", seccomp_arch_to_string(arch
), SCMP_SYS(shmat
));
523 log_debug("arch %s: SCMP_SYS(shmdt) = %d", seccomp_arch_to_string(arch
), SCMP_SYS(shmdt
));
526 if (!is_seccomp_available()) {
527 log_notice("Seccomp not available, skipping %s", __func__
);
530 if (geteuid() != 0) {
531 log_notice("Not root, skipping %s", __func__
);
535 shmid
= shmget(IPC_PRIVATE
, page_size(), 0);
536 assert_se(shmid
>= 0);
544 p
= shmat(shmid
, NULL
, 0);
545 assert_se(p
!= MAP_FAILED
);
546 assert_se(shmdt(p
) == 0);
548 p
= shmat(shmid
, NULL
, SHM_EXEC
);
549 assert_se(p
!= MAP_FAILED
);
550 assert_se(shmdt(p
) == 0);
552 assert_se(seccomp_memory_deny_write_execute() >= 0);
554 p
= shmat(shmid
, NULL
, SHM_EXEC
);
555 log_debug_errno(p
== MAP_FAILED
? errno
: 0, "shmat(SHM_EXEC): %m");
556 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
557 assert_se(p
== MAP_FAILED
);
558 assert_se(errno
== EPERM
);
560 /* Depending on kernel, libseccomp, and glibc versions, other architectures
561 * might fail or not. Let's not assert success. */
563 assert_se(shmdt(p
) == 0);
565 p
= shmat(shmid
, NULL
, 0);
566 log_debug_errno(p
== MAP_FAILED
? errno
: 0, "shmat(0): %m");
567 assert_se(p
!= MAP_FAILED
);
568 assert_se(shmdt(p
) == 0);
573 assert_se(wait_for_terminate_and_check("memoryseccomp-shmat", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
576 static void test_restrict_archs(void) {
579 log_info("/* %s */", __func__
);
581 if (!is_seccomp_available()) {
582 log_notice("Seccomp not available, skipping %s", __func__
);
585 if (geteuid() != 0) {
586 log_notice("Not root, skipping %s", __func__
);
594 _cleanup_set_free_ Set
*s
= NULL
;
596 assert_se(access("/", F_OK
) >= 0);
598 assert_se(s
= set_new(NULL
));
601 assert_se(set_put(s
, UINT32_TO_PTR(SCMP_ARCH_X86
+1)) >= 0);
603 assert_se(seccomp_restrict_archs(s
) >= 0);
605 assert_se(access("/", F_OK
) >= 0);
606 assert_se(seccomp_restrict_archs(NULL
) >= 0);
608 assert_se(access("/", F_OK
) >= 0);
613 assert_se(wait_for_terminate_and_check("archseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
616 static void test_load_syscall_filter_set_raw(void) {
619 log_info("/* %s */", __func__
);
621 if (!is_seccomp_available()) {
622 log_notice("Seccomp not available, skipping %s", __func__
);
625 if (geteuid() != 0) {
626 log_notice("Not root, skipping %s", __func__
);
634 _cleanup_hashmap_free_ Hashmap
*s
= NULL
;
636 assert_se(access("/", F_OK
) >= 0);
637 assert_se(poll(NULL
, 0, 0) == 0);
639 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, NULL
, scmp_act_kill_process(), true) >= 0);
640 assert_se(access("/", F_OK
) >= 0);
641 assert_se(poll(NULL
, 0, 0) == 0);
643 assert_se(s
= hashmap_new(NULL
));
644 #if SCMP_SYS(access) >= 0
645 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_access
+ 1), INT_TO_PTR(-1)) >= 0);
647 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_faccessat
+ 1), INT_TO_PTR(-1)) >= 0);
650 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUCLEAN
), true) >= 0);
652 assert_se(access("/", F_OK
) < 0);
653 assert_se(errno
== EUCLEAN
);
655 assert_se(poll(NULL
, 0, 0) == 0);
659 assert_se(s
= hashmap_new(NULL
));
660 #if SCMP_SYS(access) >= 0
661 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_access
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
663 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_faccessat
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
666 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUCLEAN
), true) >= 0);
668 assert_se(access("/", F_OK
) < 0);
669 assert_se(errno
== EILSEQ
);
671 assert_se(poll(NULL
, 0, 0) == 0);
675 assert_se(s
= hashmap_new(NULL
));
676 #if SCMP_SYS(poll) >= 0
677 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_poll
+ 1), INT_TO_PTR(-1)) >= 0);
679 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_ppoll
+ 1), INT_TO_PTR(-1)) >= 0);
682 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUNATCH
), true) >= 0);
684 assert_se(access("/", F_OK
) < 0);
685 assert_se(errno
== EILSEQ
);
687 assert_se(poll(NULL
, 0, 0) < 0);
688 assert_se(errno
== EUNATCH
);
692 assert_se(s
= hashmap_new(NULL
));
693 #if SCMP_SYS(poll) >= 0
694 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_poll
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
696 assert_se(hashmap_put(s
, UINT32_TO_PTR(__NR_ppoll
+ 1), INT_TO_PTR(EILSEQ
)) >= 0);
699 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW
, s
, SCMP_ACT_ERRNO(EUNATCH
), true) >= 0);
701 assert_se(access("/", F_OK
) < 0);
702 assert_se(errno
== EILSEQ
);
704 assert_se(poll(NULL
, 0, 0) < 0);
705 assert_se(errno
== EILSEQ
);
710 assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
713 static void test_lock_personality(void) {
714 unsigned long current
;
717 log_info("/* %s */", __func__
);
719 if (!is_seccomp_available()) {
720 log_notice("Seccomp not available, skipping %s", __func__
);
723 if (geteuid() != 0) {
724 log_notice("Not root, skipping %s", __func__
);
728 assert_se(opinionated_personality(¤t
) >= 0);
730 log_info("current personality=%lu", current
);
736 assert_se(seccomp_lock_personality(current
) >= 0);
738 assert_se((unsigned long) safe_personality(current
) == current
);
740 /* Note, we also test that safe_personality() works correctly, by checkig whether errno is properly
741 * set, in addition to the return value */
743 assert_se(safe_personality(PER_LINUX
| ADDR_NO_RANDOMIZE
) == -EPERM
);
744 assert_se(errno
== EPERM
);
746 assert_se(safe_personality(PER_LINUX
| MMAP_PAGE_ZERO
) == -EPERM
);
747 assert_se(safe_personality(PER_LINUX
| ADDR_COMPAT_LAYOUT
) == -EPERM
);
748 assert_se(safe_personality(PER_LINUX
| READ_IMPLIES_EXEC
) == -EPERM
);
749 assert_se(safe_personality(PER_LINUX_32BIT
) == -EPERM
);
750 assert_se(safe_personality(PER_SVR4
) == -EPERM
);
751 assert_se(safe_personality(PER_BSD
) == -EPERM
);
752 assert_se(safe_personality(current
== PER_LINUX
? PER_LINUX32
: PER_LINUX
) == -EPERM
);
753 assert_se(safe_personality(PER_LINUX32_3GB
) == -EPERM
);
754 assert_se(safe_personality(PER_UW7
) == -EPERM
);
755 assert_se(safe_personality(0x42) == -EPERM
);
757 assert_se(safe_personality(PERSONALITY_INVALID
) == -EPERM
); /* maybe remove this later */
759 assert_se((unsigned long) personality(current
) == current
);
763 assert_se(wait_for_terminate_and_check("lockpersonalityseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
766 static int real_open(const char *path
, int flags
, mode_t mode
) {
767 /* glibc internally calls openat() when open() is requested. Let's hence define our own wrapper for
768 * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
769 * other architectures, let's just fall back to the glibc call. */
772 return (int) syscall(SYS_open
, path
, flags
, mode
);
774 return open(path
, flags
, mode
);
778 static void test_restrict_suid_sgid(void) {
781 log_info("/* %s */", __func__
);
783 if (!is_seccomp_available()) {
784 log_notice("Seccomp not available, skipping %s", __func__
);
787 if (geteuid() != 0) {
788 log_notice("Not root, skipping %s", __func__
);
796 char path
[] = "/tmp/suidsgidXXXXXX", dir
[] = "/tmp/suidsgiddirXXXXXX";
800 fd
= mkostemp_safe(path
);
803 assert_se(mkdtemp(dir
));
804 z
= strjoina(dir
, "/test");
806 assert_se(chmod(path
, 0755 | S_ISUID
) >= 0);
807 assert_se(chmod(path
, 0755 | S_ISGID
) >= 0);
808 assert_se(chmod(path
, 0755 | S_ISGID
| S_ISUID
) >= 0);
809 assert_se(chmod(path
, 0755) >= 0);
811 assert_se(fchmod(fd
, 0755 | S_ISUID
) >= 0);
812 assert_se(fchmod(fd
, 0755 | S_ISGID
) >= 0);
813 assert_se(fchmod(fd
, 0755 | S_ISGID
| S_ISUID
) >= 0);
814 assert_se(fchmod(fd
, 0755) >= 0);
816 assert_se(fchmodat(AT_FDCWD
, path
, 0755 | S_ISUID
, 0) >= 0);
817 assert_se(fchmodat(AT_FDCWD
, path
, 0755 | S_ISGID
, 0) >= 0);
818 assert_se(fchmodat(AT_FDCWD
, path
, 0755 | S_ISGID
| S_ISUID
, 0) >= 0);
819 assert_se(fchmodat(AT_FDCWD
, path
, 0755, 0) >= 0);
821 k
= real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
);
823 assert_se(unlink(z
) >= 0);
825 k
= real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISGID
);
827 assert_se(unlink(z
) >= 0);
829 k
= real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
| S_ISGID
);
831 assert_se(unlink(z
) >= 0);
833 k
= real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644);
835 assert_se(unlink(z
) >= 0);
837 k
= creat(z
, 0644 | S_ISUID
);
839 assert_se(unlink(z
) >= 0);
841 k
= creat(z
, 0644 | S_ISGID
);
843 assert_se(unlink(z
) >= 0);
845 k
= creat(z
, 0644 | S_ISUID
| S_ISGID
);
847 assert_se(unlink(z
) >= 0);
851 assert_se(unlink(z
) >= 0);
853 k
= openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
);
855 assert_se(unlink(z
) >= 0);
857 k
= openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISGID
);
859 assert_se(unlink(z
) >= 0);
861 k
= openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
| S_ISGID
);
863 assert_se(unlink(z
) >= 0);
865 k
= openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644);
867 assert_se(unlink(z
) >= 0);
869 assert_se(mkdir(z
, 0755 | S_ISUID
) >= 0);
870 assert_se(rmdir(z
) >= 0);
871 assert_se(mkdir(z
, 0755 | S_ISGID
) >= 0);
872 assert_se(rmdir(z
) >= 0);
873 assert_se(mkdir(z
, 0755 | S_ISUID
| S_ISGID
) >= 0);
874 assert_se(rmdir(z
) >= 0);
875 assert_se(mkdir(z
, 0755) >= 0);
876 assert_se(rmdir(z
) >= 0);
878 assert_se(mkdirat(AT_FDCWD
, z
, 0755 | S_ISUID
) >= 0);
879 assert_se(rmdir(z
) >= 0);
880 assert_se(mkdirat(AT_FDCWD
, z
, 0755 | S_ISGID
) >= 0);
881 assert_se(rmdir(z
) >= 0);
882 assert_se(mkdirat(AT_FDCWD
, z
, 0755 | S_ISUID
| S_ISGID
) >= 0);
883 assert_se(rmdir(z
) >= 0);
884 assert_se(mkdirat(AT_FDCWD
, z
, 0755) >= 0);
885 assert_se(rmdir(z
) >= 0);
887 assert_se(mknod(z
, S_IFREG
| 0755 | S_ISUID
, 0) >= 0);
888 assert_se(unlink(z
) >= 0);
889 assert_se(mknod(z
, S_IFREG
| 0755 | S_ISGID
, 0) >= 0);
890 assert_se(unlink(z
) >= 0);
891 assert_se(mknod(z
, S_IFREG
| 0755 | S_ISUID
| S_ISGID
, 0) >= 0);
892 assert_se(unlink(z
) >= 0);
893 assert_se(mknod(z
, S_IFREG
| 0755, 0) >= 0);
894 assert_se(unlink(z
) >= 0);
896 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755 | S_ISUID
, 0) >= 0);
897 assert_se(unlink(z
) >= 0);
898 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755 | S_ISGID
, 0) >= 0);
899 assert_se(unlink(z
) >= 0);
900 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755 | S_ISUID
| S_ISGID
, 0) >= 0);
901 assert_se(unlink(z
) >= 0);
902 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755, 0) >= 0);
903 assert_se(unlink(z
) >= 0);
905 assert_se(seccomp_restrict_suid_sgid() >= 0);
907 assert_se(chmod(path
, 0775 | S_ISUID
) < 0 && errno
== EPERM
);
908 assert_se(chmod(path
, 0775 | S_ISGID
) < 0 && errno
== EPERM
);
909 assert_se(chmod(path
, 0775 | S_ISGID
| S_ISUID
) < 0 && errno
== EPERM
);
910 assert_se(chmod(path
, 0775) >= 0);
912 assert_se(fchmod(fd
, 0775 | S_ISUID
) < 0 && errno
== EPERM
);
913 assert_se(fchmod(fd
, 0775 | S_ISGID
) < 0 && errno
== EPERM
);
914 assert_se(fchmod(fd
, 0775 | S_ISGID
| S_ISUID
) < 0 && errno
== EPERM
);
915 assert_se(fchmod(fd
, 0775) >= 0);
917 assert_se(fchmodat(AT_FDCWD
, path
, 0755 | S_ISUID
, 0) < 0 && errno
== EPERM
);
918 assert_se(fchmodat(AT_FDCWD
, path
, 0755 | S_ISGID
, 0) < 0 && errno
== EPERM
);
919 assert_se(fchmodat(AT_FDCWD
, path
, 0755 | S_ISGID
| S_ISUID
, 0) < 0 && errno
== EPERM
);
920 assert_se(fchmodat(AT_FDCWD
, path
, 0755, 0) >= 0);
922 assert_se(real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
) < 0 && errno
== EPERM
);
923 assert_se(real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISGID
) < 0 && errno
== EPERM
);
924 assert_se(real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
| S_ISGID
) < 0 && errno
== EPERM
);
925 k
= real_open(z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644);
927 assert_se(unlink(z
) >= 0);
929 assert_se(creat(z
, 0644 | S_ISUID
) < 0 && errno
== EPERM
);
930 assert_se(creat(z
, 0644 | S_ISGID
) < 0 && errno
== EPERM
);
931 assert_se(creat(z
, 0644 | S_ISUID
| S_ISGID
) < 0 && errno
== EPERM
);
934 assert_se(unlink(z
) >= 0);
936 assert_se(openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
) < 0 && errno
== EPERM
);
937 assert_se(openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISGID
) < 0 && errno
== EPERM
);
938 assert_se(openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644 | S_ISUID
| S_ISGID
) < 0 && errno
== EPERM
);
939 k
= openat(AT_FDCWD
, z
, O_CREAT
|O_RDWR
|O_CLOEXEC
|O_EXCL
, 0644);
941 assert_se(unlink(z
) >= 0);
943 assert_se(mkdir(z
, 0755 | S_ISUID
) < 0 && errno
== EPERM
);
944 assert_se(mkdir(z
, 0755 | S_ISGID
) < 0 && errno
== EPERM
);
945 assert_se(mkdir(z
, 0755 | S_ISUID
| S_ISGID
) < 0 && errno
== EPERM
);
946 assert_se(mkdir(z
, 0755) >= 0);
947 assert_se(rmdir(z
) >= 0);
949 assert_se(mkdirat(AT_FDCWD
, z
, 0755 | S_ISUID
) < 0 && errno
== EPERM
);
950 assert_se(mkdirat(AT_FDCWD
, z
, 0755 | S_ISGID
) < 0 && errno
== EPERM
);
951 assert_se(mkdirat(AT_FDCWD
, z
, 0755 | S_ISUID
| S_ISGID
) < 0 && errno
== EPERM
);
952 assert_se(mkdirat(AT_FDCWD
, z
, 0755) >= 0);
953 assert_se(rmdir(z
) >= 0);
955 assert_se(mknod(z
, S_IFREG
| 0755 | S_ISUID
, 0) < 0 && errno
== EPERM
);
956 assert_se(mknod(z
, S_IFREG
| 0755 | S_ISGID
, 0) < 0 && errno
== EPERM
);
957 assert_se(mknod(z
, S_IFREG
| 0755 | S_ISUID
| S_ISGID
, 0) < 0 && errno
== EPERM
);
958 assert_se(mknod(z
, S_IFREG
| 0755, 0) >= 0);
959 assert_se(unlink(z
) >= 0);
961 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755 | S_ISUID
, 0) < 0 && errno
== EPERM
);
962 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755 | S_ISGID
, 0) < 0 && errno
== EPERM
);
963 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755 | S_ISUID
| S_ISGID
, 0) < 0 && errno
== EPERM
);
964 assert_se(mknodat(AT_FDCWD
, z
, S_IFREG
| 0755, 0) >= 0);
965 assert_se(unlink(z
) >= 0);
967 assert_se(unlink(path
) >= 0);
968 assert_se(rm_rf(dir
, REMOVE_ROOT
|REMOVE_PHYSICAL
) >= 0);
973 assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid
, WAIT_LOG
) == EXIT_SUCCESS
);
976 int main(int argc
, char *argv
[]) {
977 test_setup_logging(LOG_DEBUG
);
979 test_seccomp_arch_to_string();
980 test_architecture_table();
981 test_syscall_filter_set_find();
983 test_filter_sets_ordered();
984 test_restrict_namespace();
985 test_protect_sysctl();
986 test_restrict_address_families();
987 test_restrict_realtime();
988 test_memory_deny_write_execute_mmap();
989 test_memory_deny_write_execute_shmat();
990 test_restrict_archs();
991 test_load_syscall_filter_set_raw();
992 test_lock_personality();
993 test_restrict_suid_sgid();