From 469830d1426a91e0897c321fdc8ee428f0a750c1 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 27 Dec 2016 15:28:25 +0100 Subject: seccomp: rework seccomp code, to improve compat with some archs This substantially reworks the seccomp code, to ensure better compatibility with some architectures, including i386. So far we relied on libseccomp's internal handling of the multiple syscall ABIs supported on Linux. This is problematic however, as it does not define clear semantics if an ABI is not able to support specific seccomp rules we install. This rework hence changes a couple of things: - We no longer use seccomp_rule_add(), but only seccomp_rule_add_exact(), and fail the installation of a filter if the architecture doesn't support it. - We no longer rely on adding multiple syscall architectures to a single filter, but instead install a separate filter for each syscall architecture supported. This way, we can install a strict filter for x86-64, while permitting a less strict filter for i386. - All high-level filter additions are now moved from execute.c to seccomp-util.c, so that we can test them independently of the service execution logic. - Tests have been added for all types of our seccomp filters. - SystemCallFilters= and SystemCallArchitectures= are now implemented in independent filters and installation logic, as they semantically are very much independent of each other. Fixes: #4575 --- src/test/test-seccomp.c | 272 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 265 insertions(+), 7 deletions(-) (limited to 'src/test/test-seccomp.c') diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index beb6a7f422..6f15879c45 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -17,10 +17,12 @@ along with systemd; If not, see . ***/ +#include #include #include +#include #include -#include +#include #include "alloc-util.h" #include "fd-util.h" @@ -30,8 +32,10 @@ #include "process-util.h" #include "raw-clone.h" #include "seccomp-util.h" +#include "set.h" #include "string-util.h" #include "util.h" +#include "virt.h" static void test_seccomp_arch_to_string(void) { uint32_t a, b; @@ -92,7 +96,6 @@ static void test_filter_sets(void) { if (!is_seccomp_available()) return; - if (geteuid() != 0) return; @@ -108,16 +111,16 @@ static void test_filter_sets(void) { int fd; if (i == SYSCALL_FILTER_SET_DEFAULT) /* if we look at the default set, whitelist instead of blacklist */ - r = seccomp_load_filter_set(SCMP_ACT_ERRNO(EPERM), syscall_filter_sets + i, SCMP_ACT_ALLOW); + r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW); else - r = seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EPERM)); + r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN)); if (r < 0) _exit(EXIT_FAILURE); /* Test the sycall filter with one random system call */ fd = eventfd(0, EFD_NONBLOCK|EFD_CLOEXEC); if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT)) - assert_se(fd < 0 && errno == EPERM); + assert_se(fd < 0 && errno == EUCLEAN); else { assert_se(fd >= 0); safe_close(fd); @@ -132,8 +135,8 @@ static void test_filter_sets(void) { static void test_restrict_namespace(void) { _cleanup_free_ char *s = NULL; - pid_t pid; unsigned long ul; + pid_t pid; assert_se(namespace_flag_to_string(0) == NULL); assert_se(streq(namespace_flag_to_string(CLONE_NEWNS), "mnt")); @@ -157,7 +160,6 @@ static void test_restrict_namespace(void) { if (!is_seccomp_available()) return; - if (geteuid() != 0) return; @@ -216,6 +218,256 @@ static void test_restrict_namespace(void) { assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS); } +static void test_protect_sysctl(void) { + pid_t pid; + + if (!is_seccomp_available()) + return; + if (geteuid() != 0) + return; + + if (detect_container() > 0) /* in containers _sysctl() is likely missing anyway */ + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + assert_se(syscall(__NR__sysctl, NULL) < 0); + assert_se(errno == EFAULT); + + assert_se(seccomp_protect_sysctl() >= 0); + + assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); + assert_se(errno == EPERM); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("sysctlseccomp", pid, true) == EXIT_SUCCESS); +} + +static void test_restrict_address_families(void) { + pid_t pid; + + if (!is_seccomp_available()) + return; + if (geteuid() != 0) + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + int fd; + Set *s; + + fd = socket(AF_INET, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + fd = socket(AF_UNIX, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + fd = socket(AF_NETLINK, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + assert_se(s = set_new(NULL)); + assert_se(set_put(s, INT_TO_PTR(AF_UNIX)) >= 0); + + assert_se(seccomp_restrict_address_families(s, false) >= 0); + + fd = socket(AF_INET, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0); + assert_se(errno == EAFNOSUPPORT); + + fd = socket(AF_NETLINK, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + set_clear(s); + + assert_se(set_put(s, INT_TO_PTR(AF_INET)) >= 0); + + assert_se(seccomp_restrict_address_families(s, true) >= 0); + + fd = socket(AF_INET, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0); + assert_se(errno == EAFNOSUPPORT); + + assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0); + assert_se(errno == EAFNOSUPPORT); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("socketseccomp", pid, true) == EXIT_SUCCESS); +} + +static void test_restrict_realtime(void) { + pid_t pid; + + if (!is_seccomp_available()) + return; + if (geteuid() != 0) + return; + + if (detect_container() > 0) /* in containers RT privs are likely missing anyway */ + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) >= 0); + assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) >= 0); + assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0); + assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0); + assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0); + + assert_se(seccomp_restrict_realtime() >= 0); + + assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0); + assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0); + assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0); + + assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) < 0); + assert_se(errno == EPERM); + assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) < 0); + assert_se(errno == EPERM); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("realtimeseccomp", pid, true) == EXIT_SUCCESS); +} + +static void test_memory_deny_write_execute(void) { + pid_t pid; + + if (!is_seccomp_available()) + return; + if (geteuid() != 0) + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + void *p; + + p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0); + assert_se(p != MAP_FAILED); + assert_se(munmap(p, page_size()) >= 0); + + seccomp_memory_deny_write_execute(); + + p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0); + assert_se(p == MAP_FAILED); + assert_se(errno == EPERM); + + p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0); + assert_se(p != MAP_FAILED); + assert_se(munmap(p, page_size()) >= 0); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("memoryseccomp", pid, true) == EXIT_SUCCESS); +} + +static void test_restrict_archs(void) { + pid_t pid; + + if (!is_seccomp_available()) + return; + if (geteuid() != 0) + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + _cleanup_set_free_ Set *s = NULL; + + assert_se(access("/", F_OK) >= 0); + + assert_se(s = set_new(NULL)); + +#ifdef __x86_64__ + assert_se(set_put(s, UINT32_TO_PTR(SCMP_ARCH_X86+1)) >= 0); +#endif + assert_se(seccomp_restrict_archs(s) >= 0); + + assert_se(access("/", F_OK) >= 0); + assert_se(seccomp_restrict_archs(NULL) >= 0); + + assert_se(access("/", F_OK) >= 0); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("archseccomp", pid, true) == EXIT_SUCCESS); +} + +static void test_load_syscall_filter_set_raw(void) { + pid_t pid; + + if (!is_seccomp_available()) + return; + if (geteuid() != 0) + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + _cleanup_set_free_ Set *s = NULL; + + assert_se(access("/", F_OK) >= 0); + assert_se(poll(NULL, 0, 0) == 0); + + assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL) >= 0); + assert_se(access("/", F_OK) >= 0); + assert_se(poll(NULL, 0, 0) == 0); + + assert_se(s = set_new(NULL)); + assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0); + + assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0); + + assert_se(access("/", F_OK) < 0); + assert_se(errno == EUCLEAN); + + assert_se(poll(NULL, 0, 0) == 0); + + s = set_free(s); + + assert_se(s = set_new(NULL)); + assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0); + + assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0); + + assert_se(access("/", F_OK) < 0); + assert_se(errno == EUCLEAN); + + assert_se(poll(NULL, 0, 0) < 0); + assert_se(errno == EUNATCH); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("syscallrawseccomp", pid, true) == EXIT_SUCCESS); +} + int main(int argc, char *argv[]) { log_set_max_level(LOG_DEBUG); @@ -225,6 +477,12 @@ int main(int argc, char *argv[]) { test_syscall_filter_set_find(); test_filter_sets(); test_restrict_namespace(); + test_protect_sysctl(); + test_restrict_address_families(); + test_restrict_realtime(); + test_memory_deny_write_execute(); + test_restrict_archs(); + test_load_syscall_filter_set_raw(); return 0; } -- cgit v1.2.3-54-g00ecf