File: test-seccomp.sh

flatpak 1.17.3-1
#!/bin/bash
# Copyright 2021 Collabora Ltd.
# SPDX-License-Identifier: LGPL-2.0-or-later

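set -euo pipefail

# Load the shared test helpers that live next to this script. Both
# expansions are quoted so that a checkout path containing whitespace or
# glob characters still resolves to exactly one file name.
. "$(dirname -- "$0")/libtest.sh"

skip_without_bwrap

# TAP plan: the loop at the end of this file reports 9 results for each of
# its 2 argument sets.
echo "1..18"

setup_repo
install_repo

# try_syscall passes $test_tmpdir to `flatpak run --filesystem=` and runs
# the helper from that path, so the helper is copied there first.
cp -a "$G_TEST_BUILDDIR/try-syscall" "$test_tmpdir/try-syscall"

# How this works:
# try-syscall tries to make various syscalls, some benign, some not.
#
# The parameters are chosen so that a call which is NOT blocked fails with
# EBADF or EFAULT. A call that IS blocked fails with ENOSYS or EPERM
# instead. If the syscall cannot be attempted on a particular
# architecture, the result is ENOENT.
#
# The helper's exit status is an errno value, which the checks below
# compare with the errno value they expect.

# The output of `try-syscall print-errno-values` is executed as shell code;
# the checks below read EBADF, EFAULT, ENOENT, ENOSYS and EPERM afterwards
# (presumably plain NAME=number assignments -- confirm against the helper).
# eval is acceptable here only because the helper is this project's own
# binary taken from the build tree, not data from outside the test run.
# NOTE(review): a failing helper is not detected on this line, because eval
# of empty output returns 0; it surfaces later as an unbound-variable error
# from `set -u` when one of the errno names is first used.
eval "$("$test_tmpdir/try-syscall" print-errno-values)"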

# Run the try-syscall helper as the command of the org.test.Hello app.
# Globals:   FLATPAK, test_tmpdir, extra_argv (all read)
# Arguments: passed through unchanged as the helper's own arguments
# Returns:   the exit status of the `flatpak run` command
try_syscall () {
  local -a sandbox_cmd
  # FLATPAK and extra_argv are expanded unquoted on purpose: they are
  # word-split, so an empty extra_argv disappears instead of becoming an
  # empty argument.
  # shellcheck disable=SC2086
  sandbox_cmd=(
    ${FLATPAK} run
    --filesystem="$test_tmpdir"
    --command="$test_tmpdir/try-syscall"
    $extra_argv
    org.test.Hello
    "$@"
  )
  "${sandbox_cmd[@]}"
}

# Run try_syscall with the given arguments and leave its exit status in the
# global $e (0 when the helper exits successfully).
capture_errno () {
  e=0
  try_syscall "$@" || e="$?"
}

# Every check runs twice: once with no extra `flatpak run` argument and once
# with --allow=multiarch (presumably a different seccomp configuration --
# confirm). The expected errno is the same in both passes.
for extra_argv in "" "--allow=multiarch"; do
  echo "# testing with extra argv: '$extra_argv'"

  # Benign calls are expected to fail with EFAULT or EBADF, the results this
  # file associates with a call that was not blocked. They catch a filter
  # that blocks too much.
  echo "# chmod (benign)"
  capture_errno chmod
  assert_streq "$e" "$EFAULT"
  ok "chmod not blocked"

  echo "# chroot (harmful)"
  capture_errno chroot
  assert_streq "$e" "$EPERM"
  ok "chroot blocked with EPERM"

  echo "# clone3 (harmful)"
  capture_errno clone3
  # ENOSYS means either that the kernel genuinely does not implement clone3
  # or that the call was blocked; the two cases look the same from here, so
  # on a kernel without clone3 this check cannot fail.
  assert_streq "$e" "$ENOSYS"
  ok "clone3 blocked with ENOSYS (CVE-2021-41133)"

  echo "# ioctl TIOCNOTTY (benign)"
  capture_errno "ioctl TIOCNOTTY"
  assert_streq "$e" "$EBADF"
  ok "ioctl TIOCNOTTY not blocked"

  echo "# ioctl TIOCSTI (CVE-2017-5226)"
  capture_errno "ioctl TIOCSTI"
  assert_streq "$e" "$EPERM"
  ok "ioctl TIOCSTI blocked (CVE-2017-5226)"

  echo "# ioctl TIOCSTI (trying to repeat CVE-2019-10063)"
  capture_errno "ioctl TIOCSTI CVE-2019-10063"
  # ENOENT is the helper's way of saying that this variant cannot be
  # attempted on the current architecture, so it is reported as a TAP skip
  # rather than a failure.
  if [[ "$e" == "$ENOENT" ]]; then
    echo "ok # SKIP Cannot replicate CVE-2019-10063 on 32-bit architecture"
  else
    assert_streq "$e" "$EPERM"
    ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)"
  fi

  echo "# ioctl TIOCLINUX (CVE-2023-28100)"
  capture_errno "ioctl TIOCLINUX"
  assert_streq "$e" "$EPERM"
  ok "ioctl TIOCLINUX blocked"

  echo "# listen (benign)"
  capture_errno "listen"
  assert_streq "$e" "$EBADF"
  ok "listen not blocked"

  echo "# prctl (benign)"
  capture_errno "prctl"
  assert_streq "$e" "$EFAULT"
  ok "prctl not blocked"
done