去除应用进程setns unshare clone切换namespace相关系统调用

Signed-off-by: xiacong <xiacong4@huawei.com> Change-Id: Ia67d6ad9c6376ab9f944a50f8b0066fde76ee380 Signed-off-by: xiacong <xiacong4@huawei.com>
2025-03-01 17:08:26 +00:00 · 2023-11-23 17:39:46 +08:00 · 2023-11-23 17:39:46 +08:00 · 22d88d113b
commit 22d88d113b
parent 081cc51f13
3 changed files with 131 additions and 5 deletions
--- a/services/modules/seccomp/scripts/generate_code_from_policy.py
+++ b/services/modules/seccomp/scripts/generate_code_from_policy.py
@ -664,7 +664,7 @@ class GenBpfPolicy:
        #high 4 bytes
        bpf_policy.append(BPF_LOAD.format(20 + arg_id * 8))
        bpf_policy.append(BPF_AND.format('((uint64_t)' + mask + ') >> 32'))
-        bpf_policy.append(BPF_JEQ.format('((uint64_t)' + value + ') >> 32', 0, cur_size + 3))
+        bpf_policy.append(BPF_JEQ.format('((uint64_t)' + value + ') >> 32', 0, cur_size + 4))

        #low 4 bytes
        bpf_policy.append(BPF_LOAD.format(16 + arg_id * 8))
--- a/services/modules/seccomp/seccomp_policy/app.seccomp.policy
+++ b/services/modules/seccomp/seccomp_policy/app.seccomp.policy
@ -16,6 +16,10 @@
@returnValue
 TRAP

+@headFiles
+<linux/sched.h>
+<stdint.h>
+
@priority
 ioctl;all
 futex;all
@ -111,7 +115,6 @@ exit;all
 exit_group;all
 waitid;all
 set_tid_address;all
-unshare;all
 futex;all
 nanosleep;all
 getitimer;all
@ -193,7 +196,6 @@ readahead;all
 brk;all
 munmap;all
 mremap;all
-clone;all
 execve;all
 mmap;arm64
 fadvise64;arm64
@ -212,7 +214,6 @@ recvmmsg;all
 wait4;all
 prlimit64;all
 syncfs;all
-setns;all
 sendmmsg;all
 process_vm_readv;all
 process_vm_writev;all
@ -305,4 +306,7 @@ rt_sigtimedwait_time64;arm
 futex_time64;arm
 sched_rr_get_interval_time64;arm
 cacheflush;arm
-set_tls;arm
+set_tls;arm
+
+@allowListWithArgs
+clone: if (arg0 & (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER)) == 0 ; return ALLOW; else return TRAP;all
--- a/test/unittest/seccomp/seccomp_unittest.cpp
+++ b/test/unittest/seccomp/seccomp_unittest.cpp
@ -29,6 +29,7 @@
 #include <asm/unistd.h>
 #include <syscall.h>
 #include <climits>
+#include <sched.h>

 #include "seccomp_policy.h"

@ -153,6 +154,86 @@ public:
        return -1;
    }

+    static bool CheckUnshare()
+    {
+        int ret = unshare(CLONE_NEWPID);
+        if (ret) {
+            return false;
+        }
+        return true;
+    }
+
+    static bool CheckSetns()
+    {
+        int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC);
+        if (fd < 0) {
+            return false;
+        }
+
+        if (setns(fd, CLONE_NEWNS) !=0) {
+            return false;
+        }
+
+        close(fd);
+        return true;
+    }
+
+    static int ChildFunc(void *arg)
+    {
+        exit(0);
+    }
+
+    static bool CheckCloneNs(int flag)
+    {
+        const int stackSize = 65536;
+
+        char *stack = static_cast<char *>(malloc(stackSize));
+        if (stack == nullptr) {
+            return false;
+        }
+        char *stackTop = stack + stackSize;
+        pid_t pid = clone(ChildFunc, stackTop, flag | SIGCHLD, nullptr);
+        if (pid == -1) {
+            return false;
+        }
+        return true;
+    }
+
+    static bool CheckClonePidNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWPID);
+    }
+
+    static bool CheckCloneMntNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWNS);
+    }
+
+    static bool CheckCloneNetNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWNET);
+    }
+
+    static bool CheckCloneCgroupNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWCGROUP);
+    }
+
+    static bool CheckCloneUtsNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWUTS);
+    }
+
+    static bool CheckCloneIpcNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWIPC);
+    }
+
+    static bool CheckCloneUserNs(void)
+    {
+        return CheckCloneNs(CLONE_NEWUSER);
+    }
+
 #if defined __aarch64__
    static bool CheckGetMempolicy()
    {
@ -971,6 +1052,35 @@ public:
        EXPECT_EQ(ret, 0);
    }
 #endif
+    void TestAppSycallNs()
+    {
+        int ret = CheckSyscall(APP, APP_NAME, CheckUnshare, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckSetns, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckClonePidNs, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckCloneMntNs, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckCloneCgroupNs, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckCloneIpcNs, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckCloneUserNs, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckCloneNetNs, false);
+        EXPECT_EQ(ret, 0);
+
+        ret = CheckSyscall(APP, APP_NAME, CheckCloneUtsNs, false);
+        EXPECT_EQ(ret, 0);
+    }
 };

 /**
@ -1020,4 +1130,16 @@ HWTEST_F(SeccompUnitTest, TestSystemSyscallForUidFilter, TestSize.Level1)
    SeccompUnitTest test;
    test.TestSystemSyscallForUidFilter();
 }
+
+/**
+ * @tc.name: TestAppSycallNs
+ * @tc.desc: Verify the app seccomp policy about namespace.
+ * @tc.type: FUNC
+ * @tc.require: issueI8LZTC
+ */
+HWTEST_F(SeccompUnitTest, TestAppSycallNs, TestSize.Level1)
+{
+    SeccompUnitTest test;
+    test.TestAppSycallNs();
+}
 }