tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Use more inclusive language for seccomp filter

Browse source 
blacklist and whitelist are replaced with blocklist and allowlist
respectively.

Test: CtsSeccompHostTestCases
Change-Id: I39d9eda89038d1addbdaed59284a254a34cea1c6
This commit is contained in:
Victor Hsieh 2020-06-15 09:29:07 -07:00
parent 4ea659a7c6
commit dbb8670dfd
11 changed files with 74 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
libc/Android.bp
View file

@ -2360,11 +2360,11 @@ cc_genrule {
], ],
} }
// SECCOMP_BLACKLIST_APP_ZYGOTE.TXT = SECCOMP_BLACKLIST_APP.txt - setresgid* // SECCOMP_BLOCKLIST_APP_ZYGOTE.TXT = SECCOMP_BLOCKLIST_APP.txt - setresgid*
genrule { genrule {
name: "generate_app_zygote_blacklist", name: "generate_app_zygote_blocklist",
out: ["SECCOMP_BLACKLIST_APP_ZYGOTE.TXT"], out: ["SECCOMP_BLOCKLIST_APP_ZYGOTE.TXT"],
srcs: ["SECCOMP_BLACKLIST_APP.TXT"], srcs: ["SECCOMP_BLOCKLIST_APP.TXT"],
cmd: "grep -v '^int[ \t]*setresgid' $(in) > $(out)", cmd: "grep -v '^int[ \t]*setresgid' $(in) > $(out)",
} }
@ -2377,11 +2377,11 @@ cc_genrule {
srcs: [ srcs: [
"SYSCALLS.TXT", "SYSCALLS.TXT",
"SECCOMP_WHITELIST_COMMON.TXT", "SECCOMP_ALLOWLIST_COMMON.TXT",
"SECCOMP_WHITELIST_APP.TXT", "SECCOMP_ALLOWLIST_APP.TXT",
"SECCOMP_BLACKLIST_COMMON.TXT", "SECCOMP_BLOCKLIST_COMMON.TXT",
"SECCOMP_PRIORITY.TXT", "SECCOMP_PRIORITY.TXT",
":generate_app_zygote_blacklist", ":generate_app_zygote_blocklist",
":libseccomp_gen_syscall_nrs_arm", ":libseccomp_gen_syscall_nrs_arm",
":libseccomp_gen_syscall_nrs_arm64", ":libseccomp_gen_syscall_nrs_arm64",
":libseccomp_gen_syscall_nrs_x86", ":libseccomp_gen_syscall_nrs_x86",
@ -2405,10 +2405,10 @@ cc_genrule {
srcs: [ srcs: [
"SYSCALLS.TXT", "SYSCALLS.TXT",
"SECCOMP_WHITELIST_COMMON.TXT", "SECCOMP_ALLOWLIST_COMMON.TXT",
"SECCOMP_WHITELIST_APP.TXT", "SECCOMP_ALLOWLIST_APP.TXT",
"SECCOMP_BLACKLIST_COMMON.TXT", "SECCOMP_BLOCKLIST_COMMON.TXT",
"SECCOMP_BLACKLIST_APP.TXT", "SECCOMP_BLOCKLIST_APP.TXT",
"SECCOMP_PRIORITY.TXT", "SECCOMP_PRIORITY.TXT",
":libseccomp_gen_syscall_nrs_arm", ":libseccomp_gen_syscall_nrs_arm",
":libseccomp_gen_syscall_nrs_arm64", ":libseccomp_gen_syscall_nrs_arm64",
@ -2433,9 +2433,9 @@ cc_genrule {
srcs: [ srcs: [
"SYSCALLS.TXT", "SYSCALLS.TXT",
"SECCOMP_WHITELIST_COMMON.TXT", "SECCOMP_ALLOWLIST_COMMON.TXT",
"SECCOMP_WHITELIST_SYSTEM.TXT", "SECCOMP_ALLOWLIST_SYSTEM.TXT",
"SECCOMP_BLACKLIST_COMMON.TXT", "SECCOMP_BLOCKLIST_COMMON.TXT",
"SECCOMP_PRIORITY.TXT", "SECCOMP_PRIORITY.TXT",
":libseccomp_gen_syscall_nrs_arm", ":libseccomp_gen_syscall_nrs_arm",
":libseccomp_gen_syscall_nrs_arm64", ":libseccomp_gen_syscall_nrs_arm64",

2
libc/SECCOMP_WHITELIST_APP.TXT → libc/SECCOMP_ALLOWLIST_APP.TXT
View file

@ -1,4 +1,4 @@
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. # This file is used to populate seccomp's allowlist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes. # Note that the resultant policy is applied only to zygote spawned processes.
# #
# This file is processed by a python script named genseccomp.py. # This file is processed by a python script named genseccomp.py.

2
libc/SECCOMP_WHITELIST_COMMON.TXT → libc/SECCOMP_ALLOWLIST_COMMON.TXT
View file

@ -1,4 +1,4 @@
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. # This file is used to populate seccomp's allowlist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes. # Note that the resultant policy is applied only to zygote spawned processes.
# #
# This file is processed by a python script named genseccomp.py. # This file is processed by a python script named genseccomp.py.

2
libc/SECCOMP_WHITELIST_SYSTEM.TXT → libc/SECCOMP_ALLOWLIST_SYSTEM.TXT
View file

@ -1,4 +1,4 @@
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. # This file is used to populate seccomp's allowlist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes. # Note that the resultant policy is applied only to zygote spawned processes.
# #
# This file is processed by a python script named genseccomp.py. # This file is processed by a python script named genseccomp.py.

10
libc/SECCOMP_BLACKLIST_COMMON.TXT
View file

@ -1,10 +0,0 @@
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes.
#
# The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT
# Any entry in the blacklist must be in the syscalls file and not be in the whitelist file
#
# This file is processed by a python script named genseccomp.py.
int swapon(const char*, int) all
int swapoff(const char*) all

6
libc/SECCOMP_BLACKLIST_APP.TXT → libc/SECCOMP_BLOCKLIST_APP.TXT
View file

@ -1,8 +1,8 @@
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. # This file is used to populate seccomp's allowlist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes. # Note that the resultant policy is applied only to zygote spawned processes.
# #
# The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT # The final seccomp allowlist is SYSCALLS.TXT - SECCOMP_BLOCKLIST.TXT + SECCOMP_ALLOWLIST.TXT
# Any entry in the blacklist must be in the syscalls file and not be in the whitelist file # Any entry in the blocklist must be in the syscalls file and not be in the allowlist file
# #
# This file is processed by a python script named genseccomp.py. # This file is processed by a python script named genseccomp.py.

10
libc/SECCOMP_BLOCKLIST_COMMON.TXT Normal file
View file

@ -0,0 +1,10 @@
# This file is used to populate seccomp's allowlist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes.
#
# The final seccomp allowlist is SYSCALLS.TXT - SECCOMP_BLOCKLIST.TXT + SECCOMP_ALLOWLIST.TXT
# Any entry in the blocklist must be in the syscalls file and not be in the allowlist file
#
# This file is processed by a python script named genseccomp.py.
int swapon(const char*, int) all
int swapoff(const char*) all

2
libc/SECCOMP_PRIORITY.TXT
View file

@ -1,4 +1,4 @@
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. # This file is used to populate seccomp's allowlist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes. # Note that the resultant policy is applied only to zygote spawned processes.
# #
# This file is processed by a python script named genseccomp.py. # This file is processed by a python script named genseccomp.py.

4
libc/seccomp/seccomp_policy.cpp
View file

@ -140,12 +140,12 @@ static void ValidateSyscallArgInRange(filter& f, __u32 arg_num, __u32 range_min,
Disallow(f); Disallow(f);
} }
// This filter is meant to be installed in addition to a regular whitelist filter. // This filter is meant to be installed in addition to a regular allowlist filter.
// Therefore, it's default action has to be Allow, except when the evaluated // Therefore, it's default action has to be Allow, except when the evaluated
// system call matches setresuid/setresgid and the arguments don't fall within the // system call matches setresuid/setresgid and the arguments don't fall within the
// passed in range. // passed in range.
// //
// The regular whitelist only allows setresuid/setresgid for UID/GID changes, so // The regular allowlist only allows setresuid/setresgid for UID/GID changes, so
// that's the only system call we need to check here. A CTS test ensures the other // that's the only system call we need to check here. A CTS test ensures the other
// calls will remain blocked. // calls will remain blocked.
static void ValidateSetUidGid(filter& f, uint32_t uid_gid_min, uint32_t uid_gid_max, bool primary) { static void ValidateSetUidGid(filter& f, uint32_t uid_gid_min, uint32_t uid_gid_max, bool primary) {

26
libc/tools/genseccomp.py
View file

@ -56,12 +56,12 @@ def load_syscall_priorities_from_file(file_path):
return priorities return priorities
def merge_names(base_names, whitelist_names, blacklist_names): def merge_names(base_names, allowlist_names, blocklist_names):
if bool(blacklist_names - base_names): if bool(blocklist_names - base_names):
raise RuntimeError("Blacklist item not in bionic - aborting " + str( raise RuntimeError("blocklist item not in bionic - aborting " + str(
blacklist_names - base_names)) blocklist_names - base_names))
return (base_names - blacklist_names) | whitelist_names return (base_names - blocklist_names) | allowlist_names
def extract_priority_syscalls(syscalls, priorities): def extract_priority_syscalls(syscalls, priorities):
@ -230,19 +230,19 @@ def construct_bpf(syscalls, architecture, name_modifier, priorities):
def gen_policy(name_modifier, out_dir, base_syscall_file, syscall_files, syscall_NRs, priority_file): def gen_policy(name_modifier, out_dir, base_syscall_file, syscall_files, syscall_NRs, priority_file):
for arch in SupportedArchitectures: for arch in SupportedArchitectures:
base_names = load_syscall_names_from_file(base_syscall_file, arch) base_names = load_syscall_names_from_file(base_syscall_file, arch)
whitelist_names = set() allowlist_names = set()
blacklist_names = set() blocklist_names = set()
for f in syscall_files: for f in syscall_files:
if "blacklist" in f.lower(): if "blocklist" in f.lower():
blacklist_names |= load_syscall_names_from_file(f, arch) blocklist_names |= load_syscall_names_from_file(f, arch)
else: else:
whitelist_names |= load_syscall_names_from_file(f, arch) allowlist_names |= load_syscall_names_from_file(f, arch)
priorities = [] priorities = []
if priority_file: if priority_file:
priorities = load_syscall_priorities_from_file(priority_file) priorities = load_syscall_priorities_from_file(priority_file)
allowed_syscalls = [] allowed_syscalls = []
for name in merge_names(base_names, whitelist_names, blacklist_names): for name in merge_names(base_names, allowlist_names, blocklist_names):
try: try:
allowed_syscalls.append((name, syscall_NRs[arch][name])) allowed_syscalls.append((name, syscall_NRs[arch][name]))
except: except:
@ -274,8 +274,8 @@ def main():
help=("The path of the input files. In order to " help=("The path of the input files. In order to "
"simplify the build rules, it can take any of the " "simplify the build rules, it can take any of the "
"following files: \n" "following files: \n"
"* /blacklist.*\.txt$/ syscall blacklist.\n" "* /blocklist.*\.txt$/ syscall blocklist.\n"
"* /whitelist.*\.txt$/ syscall whitelist.\n" "* /allowlist.*\.txt$/ syscall allowlist.\n"
"* /priority.txt$/ priorities for bpf rules.\n" "* /priority.txt$/ priorities for bpf rules.\n"
"* otherwise, syscall name-number mapping.\n")) "* otherwise, syscall name-number mapping.\n"))
args = parser.parse_args() args = parser.parse_args()

54
libc/tools/test_genseccomp.py
View file

@ -29,20 +29,20 @@ int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86
int fchown:fchown(int, uid_t, gid_t) arm64,x86_64 int fchown:fchown(int, uid_t, gid_t) arm64,x86_64
""")) """))
whitelist = cStringIO.StringIO(textwrap.dedent("""\ allowlist = cStringIO.StringIO(textwrap.dedent("""\
ssize_t read(int, void*, size_t) all ssize_t read(int, void*, size_t) all
""")) """))
empty = cStringIO.StringIO(textwrap.dedent("""\ empty = cStringIO.StringIO(textwrap.dedent("""\
""")) """))
names = genseccomp.get_names([bionic, whitelist, empty], "arm") names = genseccomp.get_names([bionic, allowlist, empty], "arm")
bionic.seek(0) bionic.seek(0)
whitelist.seek(0) allowlist.seek(0)
empty.seek(0) empty.seek(0)
names64 = genseccomp.get_names([bionic, whitelist, empty], "arm64") names64 = genseccomp.get_names([bionic, allowlist, empty], "arm64")
bionic.seek(0) bionic.seek(0)
whitelist.seek(0) allowlist.seek(0)
empty.seek(0) empty.seek(0)
self.assertIn("fchown", names64) self.assertIn("fchown", names64)
@ -52,45 +52,45 @@ ssize_t read(int, void*, size_t) all
self.assertIn("read", names) self.assertIn("read", names)
self.assertIn("read", names64) self.assertIn("read", names64)
# Blacklist item must be in bionic # Blocklist item must be in bionic
blacklist = cStringIO.StringIO(textwrap.dedent("""\ blocklist = cStringIO.StringIO(textwrap.dedent("""\
int fchown2:fchown2(int, uid_t, gid_t) arm64,x86_64 int fchown2:fchown2(int, uid_t, gid_t) arm64,x86_64
""")) """))
with self.assertRaises(RuntimeError): with self.assertRaises(RuntimeError):
genseccomp.get_names([bionic, whitelist, blacklist], "arm") genseccomp.get_names([bionic, allowlist, blocklist], "arm")
bionic.seek(0) bionic.seek(0)
whitelist.seek(0) allowlist.seek(0)
blacklist.seek(0) blocklist.seek(0)
# Test blacklist item is removed # Test blocklist item is removed
blacklist = cStringIO.StringIO(textwrap.dedent("""\ blocklist = cStringIO.StringIO(textwrap.dedent("""\
int fchown:fchown(int, uid_t, gid_t) arm64,x86_64 int fchown:fchown(int, uid_t, gid_t) arm64,x86_64
""")) """))
names = genseccomp.get_names([bionic, whitelist, blacklist], "arm64") names = genseccomp.get_names([bionic, allowlist, blocklist], "arm64")
bionic.seek(0) bionic.seek(0)
whitelist.seek(0) allowlist.seek(0)
blacklist.seek(0) blocklist.seek(0)
self.assertIn("read", names) self.assertIn("read", names)
self.assertNotIn("fchown", names) self.assertNotIn("fchown", names)
# Blacklist item must not be in whitelist # Blocklist item must not be in allowlist
whitelist = cStringIO.StringIO(textwrap.dedent("""\ allowlist = cStringIO.StringIO(textwrap.dedent("""\
int fchown:fchown(int, uid_t, gid_t) arm64,x86_64 int fchown:fchown(int, uid_t, gid_t) arm64,x86_64
""")) """))
with self.assertRaises(RuntimeError): with self.assertRaises(RuntimeError):
genseccomp.get_names([empty, whitelist, blacklist], "arm") genseccomp.get_names([empty, allowlist, blocklist], "arm")
empty.seek(0) empty.seek(0)
whitelist.seek(0) allowlist.seek(0)
blacklist.seek(0) blocklist.seek(0)
# No dups in bionic and whitelist # No dups in bionic and allowlist
whitelist = cStringIO.StringIO(textwrap.dedent("""\ allowlist = cStringIO.StringIO(textwrap.dedent("""\
int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86 int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86
""")) """))
with self.assertRaises(RuntimeError): with self.assertRaises(RuntimeError):
genseccomp.get_names([bionic, whitelist, empty], "arm") genseccomp.get_names([bionic, allowlist, empty], "arm")
bionic.seek(0) bionic.seek(0)
whitelist.seek(0) allowlist.seek(0)
empty.seek(0) empty.seek(0)
def test_convert_names_to_NRs(self): def test_convert_names_to_NRs(self):
@ -186,14 +186,14 @@ int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86
int fchown:fchown(int, uid_t, gid_t) arm64,x86_64 int fchown:fchown(int, uid_t, gid_t) arm64,x86_64
""")) """))
whitelist = cStringIO.StringIO(textwrap.dedent("""\ allowlist = cStringIO.StringIO(textwrap.dedent("""\
ssize_t read(int, void*, size_t) all ssize_t read(int, void*, size_t) all
""")) """))
blacklist = cStringIO.StringIO(textwrap.dedent("""\ blocklist = cStringIO.StringIO(textwrap.dedent("""\
""")) """))
syscall_files = [syscalls, whitelist, blacklist] syscall_files = [syscalls, allowlist, blocklist]
output = genseccomp.construct_bpf(syscall_files, "arm", self.get_headers("arm"), output = genseccomp.construct_bpf(syscall_files, "arm", self.get_headers("arm"),
self.get_switches("arm")) self.get_switches("arm"))