1 /*
2 * Check verbose decoding of seccomp SECCOMP_SET_MODE_FILTER.
3 *
4 * Copyright (c) 2015-2016 Dmitry V. Levin <ldv@strace.io>
5 * Copyright (c) 2016-2022 The strace developers.
6 * All rights reserved.
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
10
11 #include "tests.h"
12
13 #include <errno.h>
14 #include <stddef.h>
15 #include <stdio.h>
16 #include <unistd.h>
17 #include <sys/prctl.h>
18 #include <linux/seccomp.h>
19 #include <linux/filter.h>
20 #include "scno.h"
21
22 #if defined PR_SET_NO_NEW_PRIVS \
23 && defined BPF_JUMP \
24 && defined BPF_STMT
25
26 # define SOCK_FILTER_ALLOW_SYSCALL(nr) \
27 BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, __NR_ ## nr, 0, 1), \
28 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)
29
30 # define SOCK_FILTER_DENY_SYSCALL(nr, err) \
31 BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, __NR_ ## nr, 0, 1), \
32 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|(SECCOMP_RET_DATA & (err)))
33
34 # define SOCK_FILTER_KILL_PROCESS \
35 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL)
36
37 # define PRINT_ALLOW_SYSCALL(nr) \
38 tprintf("BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, %#lx, 0, 0x1), " \
39 "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), ", \
40 (long) __NR_ ## nr)
41
42 # define PRINT_DENY_SYSCALL(nr, err) \
43 tprintf("BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ, %#lx, 0, 0x1), " \
44 "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|%#x), ", \
45 (long) __NR_ ## nr, err)
46
47 static const struct sock_filter filter_c[] = {
48 /* load syscall number */
49 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)),
50
51 /* allow syscalls */
52 SOCK_FILTER_ALLOW_SYSCALL(close),
53 SOCK_FILTER_ALLOW_SYSCALL(exit),
54 SOCK_FILTER_ALLOW_SYSCALL(exit_group),
55
56 /* deny syscalls */
57 SOCK_FILTER_DENY_SYSCALL(sync, EBUSY),
58 SOCK_FILTER_DENY_SYSCALL(setsid, EPERM),
59
60 /* kill process */
61 SOCK_FILTER_KILL_PROCESS
62 };
63
64 int
65 main(void)
66 {
67 tprintf("%s", "");
68
69 static const char kill_stmt_txt[] =
70 "BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD)";
71 struct sock_filter *const filter =
72 tail_memdup(filter_c, sizeof(filter_c));
73 struct sock_filter *const big_filter =
74 tail_alloc(sizeof(*big_filter) * (BPF_MAXINSNS + 1));
75 TAIL_ALLOC_OBJECT_CONST_PTR(struct sock_fprog, prog);
76
77 int fds[2];
78 if (pipe(fds))
79 perror_msg_and_fail("pipe");
80 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
81 perror_msg_and_skip("PR_SET_NO_NEW_PRIVS");
82
83 prog->filter = filter + ARRAY_SIZE(filter_c);
84 prog->len = 1;
85 syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
86 tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=1, filter=%p})"
87 " = -1 EFAULT (%m)\n", prog->filter);
88
89 prog->filter = filter + ARRAY_SIZE(filter_c) - 1;
90 prog->len = 3;
91 syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
92 tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=%u"
93 ", filter=[%s, ... /* %p */]}) = -1 EFAULT (%m)\n",
94 prog->len, kill_stmt_txt, filter + ARRAY_SIZE(filter_c));
95
96 prog->len = 0;
97 syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
98 tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=0, filter=[]})"
99 " = -1 EINVAL (%m)\n");
100
101 for (unsigned int i = 0; i <= BPF_MAXINSNS; ++i) {
102 const struct sock_filter stmt =
103 BPF_STMT(BPF_CLASS(i), i << 16);
104 big_filter[i] = stmt;
105 }
106
107 prog->filter = big_filter;
108 prog->len = BPF_MAXINSNS + 1;
109 tprintf("seccomp(SECCOMP_SET_MODE_FILTER, %s, {len=%u, filter=[",
110 "SECCOMP_FILTER_FLAG_TSYNC|SECCOMP_FILTER_FLAG_LOG|"
111 "SECCOMP_FILTER_FLAG_SPEC_ALLOW|"
112 "SECCOMP_FILTER_FLAG_NEW_LISTENER|"
113 "SECCOMP_FILTER_FLAG_TSYNC_ESRCH|"
114 "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV|"
115 "0xffffffc0",
116 prog->len);
117 for (unsigned int i = 0; i < BPF_MAXINSNS; ++i) {
118 if (i)
119 tprintf(", ");
120 switch (BPF_CLASS(i)) {
121 case BPF_LD:
122 tprintf("BPF_STMT(BPF_LD|BPF_W|BPF_IMM, %#x)", i << 16);
123 break;
124 case BPF_LDX:
125 tprintf("BPF_STMT(BPF_LDX|BPF_W|BPF_IMM, %#x)", i << 16);
126 break;
127 case BPF_ST:
128 tprintf("BPF_STMT(BPF_ST, %#x)", i << 16);
129 break;
130 case BPF_STX:
131 tprintf("BPF_STMT(BPF_STX, %#x)", i << 16);
132 break;
133 case BPF_ALU:
134 tprintf("BPF_STMT(BPF_ALU|BPF_K|BPF_ADD, %#x)", i << 16);
135 break;
136 case BPF_JMP:
137 tprintf("BPF_STMT(BPF_JMP|BPF_K|BPF_JA, %#x)", i << 16);
138 break;
139 case BPF_RET:
140 tprintf("BPF_STMT(BPF_RET|BPF_K, %#x"
141 " /* SECCOMP_RET_??? */)", i << 16);
142 break;
143 case BPF_MISC:
144 tprintf("BPF_STMT(BPF_MISC|BPF_TAX, %#x)", i << 16);
145 break;
146 }
147 }
148 tprintf(", ...]})");
149 syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, -1, prog);
150 tprintf(" = -1 EINVAL (%m)\n");
151
152 prog->filter = filter;
153 prog->len = ARRAY_SIZE(filter_c);
154
155 tprintf("seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=%u, filter=[",
156 prog->len);
157
158 tprintf("BPF_STMT(BPF_LD|BPF_W|BPF_ABS, %#x), ",
159 (unsigned) offsetof(struct seccomp_data, nr));
160
161 PRINT_ALLOW_SYSCALL(close);
162 PRINT_ALLOW_SYSCALL(exit);
163 PRINT_ALLOW_SYSCALL(exit_group);
164
165 PRINT_DENY_SYSCALL(sync, EBUSY),
166 PRINT_DENY_SYSCALL(setsid, EPERM),
167
168 tprintf("%s]}) = 0\n+++ exited with 0 +++\n", kill_stmt_txt);
169
170 if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog))
171 perror_msg_and_skip("SECCOMP_SET_MODE_FILTER");
172
173 if (close(0) || close(1))
174 _exit(77);
175
176 _exit(0);
177 }
178
179 #else
180
181 SKIP_MAIN_UNDEFINED("PR_SET_NO_NEW_PRIVS && BPF_JUMP && BPF_STMT")
182
183 #endif