Merge pull request #15 from QingdaoU/openat_rule

Openat rule
2024-12-27 23:41:42 +00:00 · 2017-08-30 09:42:35 +08:00 · 2017-08-30 09:42:35 +08:00 · 20bcbf0fd7
commit 20bcbf0fd7
parent 679994e8df e15806026b
4 changed files with 79 additions and 6 deletions
--- a/src/rules/general.c
+++ b/src/rules/general.c
@ -27,13 +27,21 @@ int general_seccomp_rules(struct config *_config) {
    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_NE, (scmp_datum_t)(_config->exe_path))) != 0) {
        return LOAD_SECCOMP_FAILED;
    }
-    // do not allow "w" and "rw"
+    // do not allow "w" and "rw" using open
    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
        return LOAD_SECCOMP_FAILED;
    }
    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
        return LOAD_SECCOMP_FAILED;
    }
+    // do not allow "w" and "rw" using openat
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+
    if (seccomp_load(ctx) != 0) {
        return LOAD_SECCOMP_FAILED;
    }
--- a/tests/Python_and_core/testcase/seccomp/test.py
+++ b/tests/Python_and_core/testcase/seccomp/test.py
@ -58,9 +58,9 @@ class SeccompTest(base.BaseTestCase):
        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)

-    def test_write_file(self):
+    def test_write_file_using_open(self):
        config = self.base_config
-        config["exe_path"] = self._compile_c("write_file.c")
+        config["exe_path"] = self._compile_c("write_file_open.c")
        config["output_path"] = config["error_path"] = self.output_path()
        path = os.path.join(self.workspace, "file1.txt")
        config["args"] = [path, "w"]
@ -81,14 +81,59 @@ class SeccompTest(base.BaseTestCase):
        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)

-    def test_read_write_file(self):
+    def test_read_write_file_using_open(self):
        config = self.base_config
-        config["exe_path"] = self._compile_c("write_file.c")
+        config["exe_path"] = self._compile_c("write_file_open.c")
        config["output_path"] = config["error_path"] = self.output_path()
        path = os.path.join(self.workspace, "file2.txt")
        config["args"] = [path, "w+"]
        result = _judger.run(**config)
-        print(result)
+        # without seccomp
+        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
+        self.assertEqual("", self.output_content(path))
+
+        # with general seccomp
+        config["seccomp_rule_name"] = "general"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
+
+        # with c_cpp seccomp
+        config["seccomp_rule_name"] = "c_cpp"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
+
+    def test_write_file_using_openat(self):
+        config = self.base_config
+        config["exe_path"] = self._compile_c("write_file_openat.c")
+        config["output_path"] = config["error_path"] = self.output_path()
+        path = os.path.join(self.workspace, "file3.txt")
+        config["args"] = [path, "w"]
+        result = _judger.run(**config)
+        # without seccomp
+        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
+        self.assertEqual("", self.output_content(path))
+
+        # with general seccomp
+        config["seccomp_rule_name"] = "general"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
+
+        # with c_cpp seccomp
+        config["seccomp_rule_name"] = "c_cpp"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
+
+    def test_read_write_file_using_openat(self):
+        config = self.base_config
+        config["exe_path"] = self._compile_c("write_file_openat.c")
+        config["output_path"] = config["error_path"] = self.output_path()
+        path = os.path.join(self.workspace, "file4.txt")
+        config["args"] = [path, "w+"]
+        result = _judger.run(**config)
        # without seccomp
        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
        self.assertEqual("", self.output_content(path))
--- a/tests/test_src/seccomp/write_file_open.c
+++ b/tests/test_src/seccomp/write_file_open.c
--- a/tests/test_src/seccomp/write_file_openat.c
+++ b/tests/test_src/seccomp/write_file_openat.c
@ -0,0 +1,20 @@
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+
+int main(int argc, char *argv[]) {
+    int flags;
+    if (!strcmp(argv[2], "w")) {
+        flags = O_WRONLY | O_CREAT;
+    }
+    else {
+        flags = O_RDWR | O_CREAT;
+    }
+    int fd = openat(0, argv[1], flags, 0755);
+    if (fd < 0) {
+        return errno;
+    }
+    close(fd);
+    return 0;
+}