summaryrefslogtreecommitdiffhomepage
path: root/pkg/seccomp
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/seccomp')
-rw-r--r--pkg/seccomp/BUILD52
-rwxr-xr-xpkg/seccomp/seccomp_state_autogen.go4
-rw-r--r--pkg/seccomp/seccomp_test.go505
-rw-r--r--pkg/seccomp/seccomp_test_victim.go117
4 files changed, 4 insertions, 674 deletions
diff --git a/pkg/seccomp/BUILD b/pkg/seccomp/BUILD
deleted file mode 100644
index 2a59ebbce..000000000
--- a/pkg/seccomp/BUILD
+++ /dev/null
@@ -1,52 +0,0 @@
-load("//tools/go_stateify:defs.bzl", "go_library", "go_test")
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_embed_data")
-
-package(licenses = ["notice"])
-
-go_binary(
- name = "victim",
- testonly = 1,
- srcs = ["seccomp_test_victim.go"],
- deps = [":seccomp"],
-)
-
-go_embed_data(
- name = "victim_data",
- testonly = 1,
- src = "victim",
- package = "seccomp",
- var = "victimData",
-)
-
-go_library(
- name = "seccomp",
- srcs = [
- "seccomp.go",
- "seccomp_amd64.go",
- "seccomp_arm64.go",
- "seccomp_rules.go",
- "seccomp_unsafe.go",
- ],
- importpath = "gvisor.googlesource.com/gvisor/pkg/seccomp",
- visibility = ["//visibility:public"],
- deps = [
- "//pkg/abi/linux",
- "//pkg/bpf",
- "//pkg/log",
- ],
-)
-
-go_test(
- name = "seccomp_test",
- size = "small",
- srcs = [
- "seccomp_test.go",
- ":victim_data",
- ],
- embed = [":seccomp"],
- deps = [
- "//pkg/abi/linux",
- "//pkg/binary",
- "//pkg/bpf",
- ],
-)
diff --git a/pkg/seccomp/seccomp_state_autogen.go b/pkg/seccomp/seccomp_state_autogen.go
new file mode 100755
index 000000000..0fc23d1a8
--- /dev/null
+++ b/pkg/seccomp/seccomp_state_autogen.go
@@ -0,0 +1,4 @@
+// automatically generated by stateify.
+
+package seccomp
+
diff --git a/pkg/seccomp/seccomp_test.go b/pkg/seccomp/seccomp_test.go
deleted file mode 100644
index 47ecac6f7..000000000
--- a/pkg/seccomp/seccomp_test.go
+++ /dev/null
@@ -1,505 +0,0 @@
-// Copyright 2018 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package seccomp
-
-import (
- "bytes"
- "fmt"
- "io"
- "io/ioutil"
- "math"
- "math/rand"
- "os"
- "os/exec"
- "strings"
- "testing"
- "time"
-
- "gvisor.googlesource.com/gvisor/pkg/abi/linux"
- "gvisor.googlesource.com/gvisor/pkg/binary"
- "gvisor.googlesource.com/gvisor/pkg/bpf"
-)
-
-type seccompData struct {
- nr uint32
- arch uint32
- instructionPointer uint64
- args [6]uint64
-}
-
-// newVictim makes a victim binary.
-func newVictim() (string, error) {
- f, err := ioutil.TempFile("", "victim")
- if err != nil {
- return "", err
- }
- defer f.Close()
- path := f.Name()
- if _, err := io.Copy(f, bytes.NewBuffer(victimData)); err != nil {
- os.Remove(path)
- return "", err
- }
- if err := os.Chmod(path, 0755); err != nil {
- os.Remove(path)
- return "", err
- }
- return path, nil
-}
-
-// asInput converts a seccompData to a bpf.Input.
-func (d *seccompData) asInput() bpf.Input {
- return bpf.InputBytes{binary.Marshal(nil, binary.LittleEndian, d), binary.LittleEndian}
-}
-
-func TestBasic(t *testing.T) {
- type spec struct {
- // desc is the test's description.
- desc string
-
- // data is the input data.
- data seccompData
-
- // want is the expected return value of the BPF program.
- want linux.BPFAction
- }
-
- for _, test := range []struct {
- ruleSets []RuleSet
- defaultAction linux.BPFAction
- specs []spec
- }{
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{1: {}},
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "Single syscall allowed",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Single syscall disallowed",
- data: seccompData{nr: 2, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: []Rule{
- {
- AllowValue(0x1),
- },
- },
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- {
- Rules: SyscallRules{
- 1: {},
- 2: {},
- },
- Action: linux.SECCOMP_RET_TRAP,
- },
- },
- defaultAction: linux.SECCOMP_RET_KILL_THREAD,
- specs: []spec{
- {
- desc: "Multiple rulesets allowed (1a)",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0x1}},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Multiple rulesets allowed (1b)",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "Multiple rulesets allowed (2)",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "Multiple rulesets allowed (2)",
- data: seccompData{nr: 0, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_KILL_THREAD,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: {},
- 3: {},
- 5: {},
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "Multiple syscalls allowed (1)",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Multiple syscalls allowed (3)",
- data: seccompData{nr: 3, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Multiple syscalls allowed (5)",
- data: seccompData{nr: 5, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Multiple syscalls disallowed (0)",
- data: seccompData{nr: 0, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "Multiple syscalls disallowed (2)",
- data: seccompData{nr: 2, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "Multiple syscalls disallowed (4)",
- data: seccompData{nr: 4, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "Multiple syscalls disallowed (6)",
- data: seccompData{nr: 6, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "Multiple syscalls disallowed (100)",
- data: seccompData{nr: 100, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: {},
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "Wrong architecture",
- data: seccompData{nr: 1, arch: 123},
- want: linux.SECCOMP_RET_TRAP,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: {},
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "Syscall disallowed, action trap",
- data: seccompData{nr: 2, arch: linux.AUDIT_ARCH_X86_64},
- want: linux.SECCOMP_RET_TRAP,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: []Rule{
- {
- AllowAny{},
- AllowValue(0xf),
- },
- },
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "Syscall argument allowed",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0xf, 0xf}},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Syscall argument disallowed",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0xf, 0xe}},
- want: linux.SECCOMP_RET_TRAP,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: []Rule{
- {
- AllowValue(0xf),
- },
- {
- AllowValue(0xe),
- },
- },
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "Syscall argument allowed, two rules",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0xf}},
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "Syscall argument allowed, two rules",
- data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{0xe}},
- want: linux.SECCOMP_RET_ALLOW,
- },
- },
- },
- {
- ruleSets: []RuleSet{
- {
- Rules: SyscallRules{
- 1: []Rule{
- {
- AllowValue(0),
- AllowValue(math.MaxUint64 - 1),
- AllowValue(math.MaxUint32),
- },
- },
- },
- Action: linux.SECCOMP_RET_ALLOW,
- },
- },
- defaultAction: linux.SECCOMP_RET_TRAP,
- specs: []spec{
- {
- desc: "64bit syscall argument allowed",
- data: seccompData{
- nr: 1,
- arch: linux.AUDIT_ARCH_X86_64,
- args: [6]uint64{0, math.MaxUint64 - 1, math.MaxUint32},
- },
- want: linux.SECCOMP_RET_ALLOW,
- },
- {
- desc: "64bit syscall argument disallowed",
- data: seccompData{
- nr: 1,
- arch: linux.AUDIT_ARCH_X86_64,
- args: [6]uint64{0, math.MaxUint64, math.MaxUint32},
- },
- want: linux.SECCOMP_RET_TRAP,
- },
- {
- desc: "64bit syscall argument disallowed",
- data: seccompData{
- nr: 1,
- arch: linux.AUDIT_ARCH_X86_64,
- args: [6]uint64{0, math.MaxUint64, math.MaxUint32 - 1},
- },
- want: linux.SECCOMP_RET_TRAP,
- },
- },
- },
- } {
- instrs, err := BuildProgram(test.ruleSets, test.defaultAction)
- if err != nil {
- t.Errorf("%s: buildProgram() got error: %v", test.specs[0].desc, err)
- continue
- }
- p, err := bpf.Compile(instrs)
- if err != nil {
- t.Errorf("%s: bpf.Compile() got error: %v", test.specs[0].desc, err)
- continue
- }
- for _, spec := range test.specs {
- got, err := bpf.Exec(p, spec.data.asInput())
- if err != nil {
- t.Errorf("%s: bpf.Exec() got error: %v", spec.desc, err)
- continue
- }
- if got != uint32(spec.want) {
- t.Errorf("%s: bpd.Exec() = %d, want: %d", spec.desc, got, spec.want)
- }
- }
- }
-}
-
-// TestRandom tests that randomly generated rules are encoded correctly.
-func TestRandom(t *testing.T) {
- rand.Seed(time.Now().UnixNano())
- size := rand.Intn(50) + 1
- syscallRules := make(map[uintptr][]Rule)
- for len(syscallRules) < size {
- n := uintptr(rand.Intn(200))
- if _, ok := syscallRules[n]; !ok {
- syscallRules[n] = []Rule{}
- }
- }
-
- fmt.Printf("Testing filters: %v", syscallRules)
- instrs, err := BuildProgram([]RuleSet{
- RuleSet{
- Rules: syscallRules,
- Action: linux.SECCOMP_RET_ALLOW,
- },
- }, linux.SECCOMP_RET_TRAP)
- if err != nil {
- t.Fatalf("buildProgram() got error: %v", err)
- }
- p, err := bpf.Compile(instrs)
- if err != nil {
- t.Fatalf("bpf.Compile() got error: %v", err)
- }
- for i := uint32(0); i < 200; i++ {
- data := seccompData{nr: i, arch: linux.AUDIT_ARCH_X86_64}
- got, err := bpf.Exec(p, data.asInput())
- if err != nil {
- t.Errorf("bpf.Exec() got error: %v, for syscall %d", err, i)
- continue
- }
- want := linux.SECCOMP_RET_TRAP
- if _, ok := syscallRules[uintptr(i)]; ok {
- want = linux.SECCOMP_RET_ALLOW
- }
- if got != uint32(want) {
- t.Errorf("bpf.Exec() = %d, want: %d, for syscall %d", got, want, i)
- }
- }
-}
-
-// TestReadDeal checks that a process dies when it trips over the filter and
-// that it doesn't die when the filter is not triggered.
-func TestRealDeal(t *testing.T) {
- for _, test := range []struct {
- die bool
- want string
- }{
- {die: true, want: "bad system call"},
- {die: false, want: "Syscall was allowed!!!"},
- } {
- victim, err := newVictim()
- if err != nil {
- t.Fatalf("unable to get victim: %v", err)
- }
- defer os.Remove(victim)
- dieFlag := fmt.Sprintf("-die=%v", test.die)
- cmd := exec.Command(victim, dieFlag)
-
- out, err := cmd.CombinedOutput()
- if test.die {
- if err == nil {
- t.Errorf("victim was not killed as expected, output: %s", out)
- continue
- }
- // Depending on kernel version, either RET_TRAP or RET_KILL_PROCESS is
- // used. RET_TRAP dumps reason for exit in output, while RET_KILL_PROCESS
- // returns SIGSYS as exit status.
- if !strings.Contains(string(out), test.want) &&
- !strings.Contains(err.Error(), test.want) {
- t.Errorf("Victim error is wrong, got: %v, err: %v, want: %v", string(out), err, test.want)
- continue
- }
- } else {
- if err != nil {
- t.Errorf("victim failed to execute, err: %v", err)
- continue
- }
- if !strings.Contains(string(out), test.want) {
- t.Errorf("Victim output is wrong, got: %v, want: %v", string(out), test.want)
- continue
- }
- }
- }
-}
-
-// TestMerge ensures that empty rules are not erased when rules are merged.
-func TestMerge(t *testing.T) {
- for _, tst := range []struct {
- name string
- main []Rule
- merge []Rule
- want []Rule
- }{
- {
- name: "empty both",
- main: nil,
- merge: nil,
- want: []Rule{{}, {}},
- },
- {
- name: "empty main",
- main: nil,
- merge: []Rule{{}},
- want: []Rule{{}, {}},
- },
- {
- name: "empty merge",
- main: []Rule{{}},
- merge: nil,
- want: []Rule{{}, {}},
- },
- } {
- t.Run(tst.name, func(t *testing.T) {
- mainRules := SyscallRules{1: tst.main}
- mergeRules := SyscallRules{1: tst.merge}
- mainRules.Merge(mergeRules)
- if got, want := len(mainRules[1]), len(tst.want); got != want {
- t.Errorf("wrong length, got: %d, want: %d", got, want)
- }
- for i, r := range mainRules[1] {
- if r != tst.want[i] {
- t.Errorf("result, got: %v, want: %v", r, tst.want[i])
- }
- }
- })
- }
-}
-
-// TestAddRule ensures that empty rules are not erased when rules are added.
-func TestAddRule(t *testing.T) {
- rules := SyscallRules{1: {}}
- rules.AddRule(1, Rule{})
- if got, want := len(rules[1]), 2; got != want {
- t.Errorf("len(rules[1]), got: %d, want: %d", got, want)
- }
-}
diff --git a/pkg/seccomp/seccomp_test_victim.go b/pkg/seccomp/seccomp_test_victim.go
deleted file mode 100644
index afc2f755f..000000000
--- a/pkg/seccomp/seccomp_test_victim.go
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright 2018 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Test binary used to test that seccomp filters are properly constructed and
-// indeed kill the process on violation.
-package main
-
-import (
- "flag"
- "fmt"
- "os"
- "syscall"
-
- "gvisor.googlesource.com/gvisor/pkg/seccomp"
-)
-
-func main() {
- dieFlag := flag.Bool("die", false, "trips over the filter if true")
- flag.Parse()
-
- syscalls := seccomp.SyscallRules{
- syscall.SYS_ACCEPT: {},
- syscall.SYS_ARCH_PRCTL: {},
- syscall.SYS_BIND: {},
- syscall.SYS_BRK: {},
- syscall.SYS_CLOCK_GETTIME: {},
- syscall.SYS_CLONE: {},
- syscall.SYS_CLOSE: {},
- syscall.SYS_DUP: {},
- syscall.SYS_DUP2: {},
- syscall.SYS_EPOLL_CREATE1: {},
- syscall.SYS_EPOLL_CTL: {},
- syscall.SYS_EPOLL_WAIT: {},
- syscall.SYS_EPOLL_PWAIT: {},
- syscall.SYS_EXIT: {},
- syscall.SYS_EXIT_GROUP: {},
- syscall.SYS_FALLOCATE: {},
- syscall.SYS_FCHMOD: {},
- syscall.SYS_FCNTL: {},
- syscall.SYS_FSTAT: {},
- syscall.SYS_FSYNC: {},
- syscall.SYS_FTRUNCATE: {},
- syscall.SYS_FUTEX: {},
- syscall.SYS_GETDENTS64: {},
- syscall.SYS_GETPEERNAME: {},
- syscall.SYS_GETPID: {},
- syscall.SYS_GETSOCKNAME: {},
- syscall.SYS_GETSOCKOPT: {},
- syscall.SYS_GETTID: {},
- syscall.SYS_GETTIMEOFDAY: {},
- syscall.SYS_LISTEN: {},
- syscall.SYS_LSEEK: {},
- syscall.SYS_MADVISE: {},
- syscall.SYS_MINCORE: {},
- syscall.SYS_MMAP: {},
- syscall.SYS_MPROTECT: {},
- syscall.SYS_MUNLOCK: {},
- syscall.SYS_MUNMAP: {},
- syscall.SYS_NANOSLEEP: {},
- syscall.SYS_NEWFSTATAT: {},
- syscall.SYS_OPEN: {},
- syscall.SYS_POLL: {},
- syscall.SYS_PREAD64: {},
- syscall.SYS_PSELECT6: {},
- syscall.SYS_PWRITE64: {},
- syscall.SYS_READ: {},
- syscall.SYS_READLINKAT: {},
- syscall.SYS_READV: {},
- syscall.SYS_RECVMSG: {},
- syscall.SYS_RENAMEAT: {},
- syscall.SYS_RESTART_SYSCALL: {},
- syscall.SYS_RT_SIGACTION: {},
- syscall.SYS_RT_SIGPROCMASK: {},
- syscall.SYS_RT_SIGRETURN: {},
- syscall.SYS_SCHED_YIELD: {},
- syscall.SYS_SENDMSG: {},
- syscall.SYS_SETITIMER: {},
- syscall.SYS_SET_ROBUST_LIST: {},
- syscall.SYS_SETSOCKOPT: {},
- syscall.SYS_SHUTDOWN: {},
- syscall.SYS_SIGALTSTACK: {},
- syscall.SYS_SOCKET: {},
- syscall.SYS_SYNC_FILE_RANGE: {},
- syscall.SYS_TGKILL: {},
- syscall.SYS_UTIMENSAT: {},
- syscall.SYS_WRITE: {},
- syscall.SYS_WRITEV: {},
- }
- die := *dieFlag
- if !die {
- syscalls[syscall.SYS_OPENAT] = []seccomp.Rule{
- {
- seccomp.AllowValue(10),
- },
- }
- }
-
- if err := seccomp.Install(syscalls); err != nil {
- fmt.Printf("Failed to install seccomp: %v", err)
- os.Exit(1)
- }
- fmt.Printf("Filters installed\n")
-
- syscall.RawSyscall(syscall.SYS_OPENAT, 10, 0, 0)
- fmt.Printf("Syscall was allowed!!!\n")
-}