bugfix: nwebspawn增加setuid setgid的限制

Signed-off-by: xiacong <xiacong4@huawei.com>
Change-Id: I2001f9e344b5b44d82647927989f657a0d27cb96
Signed-off-by: xiacong <xiacong4@huawei.com>

services/modules/seccomp/BUILD.gn

@@ -59,10 +59,10 @@ ohos_prebuilt_seccomp("appspawn_filter") {
   install_images = [ "system" ]
 }
 
-ohos_prebuilt_seccomp("nwebspawn_filter") {
+ohos_prebuilt_seccomp("renderer_filter") {
   sources = [ "seccomp_policy/renderer.seccomp.policy" ]
 
-  filtername = "nwebspawn"
+  filtername = "renderer"
   process_type = "app"
 
   part_name = INIT_PART
@@ -72,6 +72,21 @@ ohos_prebuilt_seccomp("nwebspawn_filter") {
   install_images = [ "system" ]
 }
 
+ohos_prebuilt_seccomp("nwebspawn_filter") {
+  sources = [ "seccomp_policy/nwebspawn.seccomp.policy" ]
+
+  filtername = "nwebspawn"
+  process_type = "system"
+
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  include_dirs = [ "." ]
+
+  install_enable = true
+  install_images = [ "system" ]
+}
+
 ohos_prebuilt_seccomp("app_filter") {
   sources = [ "seccomp_policy/app.seccomp.policy" ]
 
@@ -140,6 +155,7 @@ group("seccomp_filter") {
     deps += [
       ":appspawn_filter",
       ":nwebspawn_filter",
+      ":renderer_filter",
     ]
   }
 }

services/modules/seccomp/seccomp_policy/nwebspawn.seccomp.policy

@@ -0,0 +1,42 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# For now, it supports architechture of ['arm', 'arm64'].
+
+@returnValue
+TRAP
+
+@headFiles
+"seccomp_policy_constants.h"
+
+@mode
+ONLY_CHECK_ARGS
+
+@allowListWithArgs
+setresuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setresgid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setresuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setresgid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setgid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setgid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setreuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setregid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setreuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setregid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setfsuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setfsgid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
+setfsuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+setfsgid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
+

services/modules/seccomp/seccomp_policy_constants.h

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SECCOMP_POLICY_CONSTANTS_H
+#define SECCOMP_POLICY_CONSTANTS_H
+
+#ifdef __cplusplus
+#if __cplusplus
+extern "C" {
+#endif
+#endif
+
+#define START_UID_FOR_RENDER_PROCESS (1000000)
+#define END_UID_FOR_RENDER_PROCESS (1099999)
+
+#ifdef __cplusplus
+#if __cplusplus
+}
+#endif
+#endif
+
+#endif // SECCOMP_POLICY_CONSTANTS_H