<feat>

将init部件中的seccomp模块插件化

<body>
将seccomp模块插件化
测试用例中删除openat2的使用 新增shmget系统调用使用
系统调用配置文件新增遗漏名单

Signed-off-by: xiacong <xiacong4@huawei.com>
Change-Id: I619c9e6ec36732355a478df8274359d23b8e493f
Signed-off-by: xiacong <xiacong4@huawei.com>

interfaces/innerkits/seccomp/BUILD.gn

@@ -17,28 +17,38 @@ config("seccomp_public_config") {
   include_dirs = [ "//base/startup/init/interfaces/innerkits/seccomp/include" ]
 }
 
-ohos_shared_library("seccomp") {
-  sources = [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
+if (defined(build_seccomp) && build_seccomp) {
+  ohos_shared_library("seccomp") {
+    sources =
+        [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
 
-  public_configs = [ ":seccomp_public_config" ]
+    public_configs = [ ":seccomp_public_config" ]
 
-  include_dirs = [ "//base/startup/init/services/modules/seccomp" ]
+    include_dirs = [
+      "//base/startup/init/interfaces/innerkits/include",
+      "//base/startup/init/services/modules/seccomp",
+      "//base/startup/init/services/modules",
+      "//base/startup/init/services/log",
+    ]
 
-  deps = [
-    "//base/startup/init/interfaces/innerkits:libbegetutil",
-    "//base/startup/init/services/modules/seccomp:appspawn_filter",
-    "//base/startup/init/services/modules/seccomp:nwebspawn_filter",
-    "//base/startup/init/services/modules/seccomp:system_filter",
-  ]
+    deps = [
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/services/modules/seccomp:appspawn_filter",
+      "//base/startup/init/services/modules/seccomp:nwebspawn_filter",
+      "//base/startup/init/services/modules/seccomp:system_filter",
+    ]
 
-  license_file = "//base/startup/init/LICENSE"
+    license_file = "//base/startup/init/LICENSE"
 
-  part_name = "init"
+    part_name = "init"
 
-  install_enable = true
-  install_images = [
-    "system",
-    "updater",
-    "ramdisk",
-  ]
+    install_enable = true
+    install_images = [
+      "system",
+      "updater",
+    ]
+  }
+} else {
+  group("seccomp") {
+  }
 }

services/init/init_common_service.c

@@ -33,6 +33,7 @@
 #include "init_adapter.h"
 #include "init_cmds.h"
 #include "init_log.h"
+#include "init_cmdexecutor.h"
 #include "init_jobs_internal.h"
 #include "init_service.h"
 #include "init_service_manager.h"
@@ -54,7 +55,6 @@
 #endif // WITH_SELINUX
 
 #ifdef WITH_SECCOMP
-#include "seccomp_policy.h"
 #define APPSPAWN_NAME ("appspawn")
 #define NWEBSPAWN_NAME ("nwebspawn")
 #endif
@@ -73,19 +73,15 @@ static int SetAllAmbientCapability(void)
     return SERVICE_SUCCESS;
 }
 
-#ifdef WITH_SECCOMP
-static int SetSystemSeccompPolicy(const Service *service)
+static void SetSystemSeccompPolicy(const Service *service)
 {
+#ifdef WITH_SECCOMP
     if (strncmp(APPSPAWN_NAME, service->name, strlen(APPSPAWN_NAME)) \
         && strncmp(NWEBSPAWN_NAME, service->name, strlen(NWEBSPAWN_NAME))) {
-        if (!SetSeccompPolicy(SYSTEM)) {
-            INIT_LOGE("init seccomp failed, name is %s\n", service->name);
-            return SERVICE_FAILURE;
-        }
+        PluginExecCmdByName("SetSeccompPolicy", "start");
     }
-    return SERVICE_SUCCESS;
-}
 #endif
+}
 
 #ifndef OHOS_LITE
 /**
@@ -342,10 +338,7 @@ static int InitServicePropertys(Service *service)
     INIT_CHECK_ONLY_ELOG(BindCpuCore(service) == SERVICE_SUCCESS,
         "binding core number failed for service %s", service->name);
 
-#ifdef WITH_SECCOMP
-    INIT_ERROR_CHECK(SetSystemSeccompPolicy(service) == SERVICE_SUCCESS, return -1,
-        "service %s exit! set seccomp failed! err %d.", service->name, errno);
-#endif
+    SetSystemSeccompPolicy(service);
     
     // permissions
     INIT_ERROR_CHECK(SetPerms(service) == SERVICE_SUCCESS, return -1,

services/init/standard/BUILD.gn

@@ -99,9 +99,6 @@ ohos_executable("init") {
 
   if (build_seccomp) {
     cflags += [ "-DWITH_SECCOMP" ]
-    include_dirs +=
-        [ "//base/startup/init/interfaces/innerkits/seccomp/include" ]
-    deps += [ "//base/startup/init/services/modules/seccomp:seccomp_static" ]
   }
 
   if (build_selinux) {

services/modules/BUILD.gn

@@ -18,11 +18,17 @@ group("static_modules") {
       "bootevent:libbootevent_static",
       "init_hook:inithook",
     ]
+    if (build_seccomp) {
+      deps += [ "seccomp:libseccomp_static" ]
+    }
   }
 }
 
 group("modulesgroup") {
   if (!defined(ohos_lite)) {
     deps = [ "bootchart:bootchart" ]
+    if (build_seccomp) {
+      deps += [ "seccomp:seccomp_module" ]
+    }
   }
 }

services/modules/seccomp/BUILD.gn

@@ -134,10 +134,11 @@ ohos_prebuilt_seccomp("nwebspawn_filter") {
   ]
 }
 
-ohos_static_library("seccomp_static") {
-  sources = [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
+ohos_shared_library("seccomp_module") {
+  sources = [ "seccomp_policy.c" ]
 
   include_dirs = [
+    "//base/startup/init/services/modules",
     "//base/startup/init/interfaces/innerkits/include",
     "//base/startup/init/interfaces/innerkits/seccomp/include",
     "//base/startup/init/services/modules/seccomp",
@@ -147,10 +148,36 @@ ohos_static_library("seccomp_static") {
     ":appspawn_filter",
     ":nwebspawn_filter",
     ":system_filter",
+    "//base/startup/init/interfaces/innerkits:libbegetutil",
   ]
 
-  license_file = "//base/startup/init/LICENSE"
+  cflags = [ "-DSECCOMP_PLUGIN" ]
 
-  part_name = INIT_PART
-  subsystem_name = "startup"
+  external_deps = [ "init:libinit_module_engine" ]
+
+  part_name = "init"
+  if (target_cpu == "arm64") {
+    module_install_dir = "lib64/init"
+  } else {
+    module_install_dir = "lib/init"
+  }
+  install_images = [
+    "system",
+    "ramdisk",
+    "updater",
+  ]
+}
+
+config("libseccomp_static_config") {
+  include_dirs = [
+    "//base/startup/init/services/modules",
+    "//base/startup/init/services/modules/seccomp",
+    "//base/startup/init/interfaces/innerkits/seccomp/include",
+  ]
+}
+
+ohos_source_set("libseccomp_static") {
+  sources = [ "seccomp_policy_static.c" ]
+  public_configs = [ ":libseccomp_static_config" ]
+  public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
 }

services/modules/seccomp/scripts/generate_code_from_policy.py

@@ -452,7 +452,7 @@ class GenBpfPolicy:
         self.gen_range_list(syscall_nr_list)
         range_size = (int)((len(self.syscall_nr_range) - 1) / 127) + 1
         alone_range_cnt = self.count_alone_range()
-        if alone_range_cnt >= len(self.syscall_nr_range) / 2:
+        if alone_range_cnt == len(self.syscall_nr_range):
             #Scattered distribution
             self.gen_transverse_bpf_policy()
             return

services/modules/seccomp/seccomp_policy.c

@@ -15,7 +15,10 @@
 
 #include "seccomp_policy.h"
 #include "seccomp_filters.h"
-#include "seccomp_utils.h"
+#include "plugin_adapter.h"
+#ifdef SECCOMP_PLUGIN
+#include "init_module_engine.h"
+#endif
 
 #include <sys/syscall.h>
 #include <unistd.h>
@@ -35,7 +38,7 @@ static bool IsSupportFilterFlag(unsigned int filterFlag)
     errno = 0;
     int ret = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, filterFlag, NULL);
     if (ret != -1 || errno != EFAULT) {
-        SECCOMP_LOGE("not support  seccomp flag %u", filterFlag);
+        PLUGIN_LOGE("not support  seccomp flag %u", filterFlag);
         return false;
     }
 
@@ -59,7 +62,7 @@ static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filter
     }
 
     if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flag, &prog) != 0) {
-        SECCOMP_LOGE("SetSeccompFilter failed");
+        PLUGIN_LOGE("SetSeccompFilter failed");
         return false;
     }
 
@@ -85,3 +88,54 @@ bool SetSeccompPolicy(PolicyType policy)
 
     return ret;
 }
+
+#ifdef SECCOMP_PLUGIN
+static int DoSetSeccompPolicyStart(void)
+{
+    bool ret = false;
+    ret = SetSeccompPolicy(SYSTEM);
+    PLUGIN_CHECK(ret == true, return -1, "SetSeccompPolicy failed");
+
+    return 0;
+}
+
+static int DoSetSeccompPolicyCmd(int id, const char *name, int argc, const char **argv)
+{
+    PLUGIN_LOGI("DoBootchartCmd argc %d %s", argc, name);
+    PLUGIN_CHECK(argc >= 1, return -1, "Invalid parameter");
+    if (strcmp(argv[0], "start") == 0) {
+        return DoSetSeccompPolicyStart();
+    }
+    return 0;
+}
+
+static int32_t g_executorId = -1;
+static int SetSeccompPolicyInit(void)
+{
+    if (g_executorId == -1) {
+        g_executorId = AddCmdExecutor("SetSeccompPolicy", DoSetSeccompPolicyCmd);
+        PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
+    }
+    return 0;
+}
+
+static void SetSeccompPolicyExit(void)
+{
+    PLUGIN_LOGI("SetSeccompPolicy executorId %d", g_executorId);
+    if (g_executorId != -1) {
+        RemoveCmdExecutor("SetSeccompPolicy", g_executorId);
+    }
+}
+
+MODULE_CONSTRUCTOR(void)
+{
+    PLUGIN_LOGI("DoSetSeccompPolicyStart now ...");
+    SetSeccompPolicyInit();
+}
+
+MODULE_DESTRUCTOR(void)
+{
+    PLUGIN_LOGI("DoSetSeccompPolicyStop now ...");
+    SetSeccompPolicyExit();
+}
+#endif

services/modules/seccomp/seccomp_policy/renderer_arm.seccomp.policy

@@ -161,6 +161,7 @@ statx
 prlimit64
 cacheflush
 set_tls
+sched_setscheduler
 
 @allowListWithArgs
 getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD

services/modules/seccomp/seccomp_policy/renderer_arm64.seccomp.policy

@@ -131,6 +131,7 @@ madvise
 getrandom
 statx
 prlimit64
+sched_setscheduler
 
 @allowListWithArgs
 getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD

services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy

@@ -216,6 +216,9 @@ setsockopt
 getsockopt
 sendmsg
 recvmsg
+semget
+add_key
+keyctl
 inotify_add_watch
 inotify_rm_watch
 openat

services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy

@@ -197,6 +197,7 @@ getgid
 getegid
 gettid
 sysinfo
+semget
 socket
 socketpair
 bind
@@ -216,6 +217,8 @@ readahead
 brk
 munmap
 mremap
+add_key
+keyctl
 clone
 execve
 mmap

services/modules/seccomp/seccomp_policy_static.c

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include "init_module_engine.h"
+#include "plugin_adapter.h"
+
+static int SeccompHook(const HOOK_INFO *info, void *cookie)
+{
+    InitModuleMgrInstall("seccomp_module");
+    PLUGIN_LOGI("seccomp enabled.");
+    return 0;
+}
+
+MODULE_CONSTRUCTOR(void)
+{
+    InitAddPostPersistParamLoadHook(0, SeccompHook);
+}

services/modules/seccomp/seccomp_utils.h

@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2021 Huawei Device Co., Ltd.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef BASE_STARTUP_SECCOMP_UTILS_H
-#define BASE_STARTUP_SECCOMP_UTILS_H
-#include <stddef.h>
-#include <stdint.h>
-
-#include "beget_ext.h"
-
-#ifdef __cplusplus
-#if __cplusplus
-extern "C" {
-#endif
-#endif
-
-
-#ifndef SECCOMP_DOMAIN
-#define SECCOMP_DOMAIN (BASE_DOMAIN + 0xe)
-#endif
-#define SECCOMP_LABEL "SECCOMP"
-#define SECCOMP_LOGI(fmt, ...) STARTUP_LOGI(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
-#define SECCOMP_LOGE(fmt, ...) STARTUP_LOGE(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
-#define SECCOMP_LOGV(fmt, ...) STARTUP_LOGV(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
-
-#ifdef INIT_AGENT
-#define SECCOMP_DUMP printf
-#else
-#define SECCOMP_DUMP SECCOMP_LOGI
-#endif
-
-#ifdef __cplusplus
-#if __cplusplus
-}
-#endif
-#endif
-#endif

test/unittest/seccomp/seccomp_unittest.cpp

@@ -31,7 +31,8 @@
 #include <asm/unistd.h>
 #include <syscall.h>
 #include <climits>
-#include <linux/openat2.h>
+#include <sys/ipc.h>
+#include <sys/shm.h>
 
 #include "seccomp_policy.h"
 
@@ -137,15 +138,13 @@ public:
     }
 
 #if defined __aarch64__
-    static bool CheckOpenat2()
+    static bool CheckShmget()
     {
-        struct open_how how = {};
-        int fd = syscall(__NR_openat2, AT_FDCWD, ".", &how);
-        if (fd == -1) {
+        int fd = shmget(1, 4096, 0666);
+        if (fd < 0) {
             return false;
         }
 
-        close(fd);
         return true;
     }
 
@@ -182,7 +181,7 @@ public:
 
     static bool CheckSetresuidArgsOutOfRange()
     {
-        int ret = syscall(__NR_setresuid, 1000, 1000, 1000);
+        int ret = syscall(__NR_setresuid, 800, 800, 800);
         if (ret == 0) {
             return true;
         }
@@ -193,7 +192,7 @@ public:
     void TestSystemSycall()
     {
         // system blocklist
-        int ret = CheckSyscall(SYSTEM, CheckOpenat2, false);
+        int ret = CheckSyscall(SYSTEM, CheckShmget, false);
         EXPECT_EQ(ret, 0);
 
         // system allowlist
@@ -242,7 +241,7 @@ public:
 
     static bool CheckSetresuid32ArgsOutOfRange()
     {
-        int ret = syscall(__NR_setresuid32, 1000, 1000, 1000);
+        int ret = syscall(__NR_setresuid32, 800, 800, 800);
         if (ret == 0) {
             return true;
         }
@@ -283,6 +282,6 @@ HWTEST_F(SeccompUnitTest, TestSystemSycall, TestSize.Level1)
 HWTEST_F(SeccompUnitTest, TestSetUidGidFilter, TestSize.Level1)
 {
     SeccompUnitTest test;
-    test.TestSystemSycall();
+    test.TestSetUidGidFilter();
 }
 }