From 821fc4a252b2aa1f9b98353aa5f68519d7944870 Mon Sep 17 00:00:00 2001
From: virusdefender
Date: Wed, 20 Dec 2017 11:08:58 +0800
Subject: [PATCH] add execveat to black list
---
 src/rules/general.c | 6 ++++-
 .../Python_and_core/testcase/seccomp/test.py | 15 +++++++++++
 tests/test_src/seccomp/execveat.c | 27 +++++++++++++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_src/seccomp/execveat.c
diff --git a/src/rules/general.c b/src/rules/general.c
index 8372851..24c391d 100644
--- a/src/rules/general.c
+++ b/src/rules/general.c
@@ -11,7 +11,11 @@ int general_seccomp_rules(struct config *_config) {
 int syscalls_blacklist[] = {SCMP_SYS(clone), SCMP_SYS(fork), SCMP_SYS(vfork),
- SCMP_SYS(kill)};
+ SCMP_SYS(kill),
+#ifdef __NR_execveat
+ SCMP_SYS(execveat)
+#endif
+ };
 int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
 scmp_filter_ctx ctx = NULL;
 // load seccomp rules
diff --git a/tests/Python_and_core/testcase/seccomp/test.py b/tests/Python_and_core/testcase/seccomp/test.py
index 659fc29..f8b8f70 100644
--- a/tests/Python_and_core/testcase/seccomp/test.py
+++ b/tests/Python_and_core/testcase/seccomp/test.py
@@ -157,3 +157,18 @@ class SeccompTest(base.BaseTestCase):
 self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
+ def test_exceveat(self):
+ config = self.base_config
+ config["exe_path"] = self._compile_c("execveat.c")
+ config["output_path"] = config["error_path"] = self.output_path()
+ result = _judger.run(**config)
+ if "syscall not found" in self.output_content(config["output_path"]):
+ print("execveat syscall not found, test ignored")
+ return
+ self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
+
+ # with general seccomp
+ config["seccomp_rule_name"] = "general"
+ result = _judger.run(**config)
+ self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+ self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
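Review bot: The `#ifdef __NR_execveat` guard around the new `SCMP_SYS(execveat)` entry decides at build time, from the build host's kernel headers, whether the filter denies execveat at all, so a binary built against older headers silently runs without the rule even on a kernel that provides the syscall; general_seccomp_rules continues outside the hunk, so I can't see how the list is consumed or whether a failed add is reported. Resolving the name at runtime with `seccomp_syscall_resolve_name("execveat")` and comparing the result against `__NR_SCMP_ERROR` would turn the silent omission into an explicit decision (deny, or log that the rule is unavailable). A short comment above the entry would also help the next reader, e.g. `// execveat(2) is an alternate entry point to exec; deny it explicitly`. Note that with the macro undefined the initializer ends in a trailing comma after `SCMP_SYS(kill),`, which is valid C but easy to misread as a missing element.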
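Review bot: `test_exceveat` is misspelled (the syscall is execveat), and the skip path uses `print` plus a bare `return`, which reports the test as passed rather than skipped; `self.skipTest("execveat syscall not found")` would keep the coverage gap visible in the test report, assuming base.BaseTestCase derives from unittest.TestCase as the assert helpers suggest. `config = self.base_config` is then mutated in place (`exe_path`, `output_path`, `error_path`, `seccomp_rule_name`); if `base_config` is a shared dict rather than a fresh copy on each access, those writes leak into later tests — confirm, or take a copy with `config = dict(self.base_config)`. The skip decision also keys on the literal `"syscall not found"` string printed by the test binary, so a comment tying the two together (`# execveat.c prints "syscall not found" when __NR_execveat is unavailable`) would make the coupling explicit. The method is complete within the hunk; the enclosing class continues outside it.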
diff --git a/tests/test_src/seccomp/execveat.c b/tests/test_src/seccomp/execveat.c
new file mode 100644
index 0000000..0eda9a3
--- /dev/null
+++ b/tests/test_src/seccomp/execveat.c
@@ -0,0 +1,27 @@
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+
+
+int execveat_(int fd, const char *path, char **argv, char **envp, int flags)
+{
+#ifdef __NR_execveat
+ return syscall(__NR_execveat, fd, path, argv, envp, flags);
+#endif
+}
+
+int main() {
+#ifndef __NR_execveat
+ printf("syscall not found");
+ return 0;
+#else
+ char *envp[] = {"test=1", NULL};
+ char *argv[] = {"hello", NULL};
+
+ execveat_(1, "/bin/true", argv, envp, 0);
+ printf("failed %d", errno);
+ return 1;
+#endif
+}
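Review bot: `execveat_` has no return statement on the path where `__NR_execveat` is undefined, so a non-void function falls off its end (a compiler warning at best, undefined behaviour if the value is ever used); adding `#else` followed by `errno = ENOSYS; return -1;` before the `#endif` closes that hole and keeps the wrapper honest for any future caller. In `main`, the `execveat_(1, "/bin/true", argv, envp, 0)` call passes fd 1 together with an absolute path, which per execveat(2) means the descriptor is ignored — a comment such as `/* absolute path: dirfd is ignored; only the syscall entry point matters here */` would stop readers assuming stdout is being exec'd. `int main()` should be `int main(void)`, and reporting the failure with `perror("execveat")` instead of `printf("failed %d", errno)` would make the message self-describing. The `#include` lines appear to have lost their header names in this rendering, so I can't confirm `<errno.h>` and `<unistd.h>` are actually included.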