Merge pull request #20 from QingdaoU/execveat

add execveat to black list
2024-12-28 07:51:42 +00:00 · 2017-12-21 20:45:11 +08:00 · 2017-12-21 20:45:11 +08:00 · 27e0cc0d24
commit 27e0cc0d24
parent d7c8e51e1d 821fc4a252
3 changed files with 47 additions and 1 deletions
--- a/src/rules/general.c
+++ b/src/rules/general.c
@ -11,7 +11,11 @@
 int general_seccomp_rules(struct config *_config) {
    int syscalls_blacklist[] = {SCMP_SYS(clone),
                                SCMP_SYS(fork), SCMP_SYS(vfork),
-                                SCMP_SYS(kill)};
+                                SCMP_SYS(kill), 
+#ifdef __NR_execveat
+                                SCMP_SYS(execveat)
+#endif
+                               };
    int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
    scmp_filter_ctx ctx = NULL;
    // load seccomp rules
--- a/tests/Python_and_core/testcase/seccomp/test.py
+++ b/tests/Python_and_core/testcase/seccomp/test.py
@ -157,3 +157,18 @@ class SeccompTest(base.BaseTestCase):

        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)

+    def test_exceveat(self):
+        config = self.base_config
+        config["exe_path"] = self._compile_c("execveat.c")
+        config["output_path"] = config["error_path"] = self.output_path()
+        result = _judger.run(**config)
+        if "syscall not found" in self.output_content(config["output_path"]):
+            print("execveat syscall not found, test ignored")
+            return
+        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
+        
+        # with general seccomp 
+        config["seccomp_rule_name"] = "general"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
--- a/tests/test_src/seccomp/execveat.c
+++ b/tests/test_src/seccomp/execveat.c
@ -0,0 +1,27 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+
+int execveat_(int fd, const char *path, char **argv, char **envp, int flags)
+{
+#ifdef __NR_execveat
+	return syscall(__NR_execveat, fd, path, argv, envp, flags);
+#endif
+}
+
+int main() {
+#ifndef __NR_execveat
+    printf("syscall not found");
+    return 0;
+#else
+    char *envp[] = {"test=1", NULL};
+    char *argv[] = {"hello", NULL};
+
+    execveat_(1, "/bin/true", argv, envp, 0);
+    printf("failed %d", errno);
+    return 1;
+#endif
+}