tests: add a test for SECCOMP_MODE_FILTER decoding

* tests/seccomp.c: New file.
* tests/seccomp.test: New test.
* tests/Makefile.am (check_PROGRAMS): Add seccomp.
(TESTS): Add seccomp.test.
* tests/.gitignore: Add seccomp.
This commit is contained in:
Дмитрий Левин 2015-03-19 00:40:49 +00:00
parent 226bf1c21b
commit 485f8fb250
4 changed files with 131 additions and 0 deletions

1
tests/.gitignore vendored
View File

@ -12,6 +12,7 @@ netlink_inet_diag
netlink_unix_diag
pc
scm_rights
seccomp
select
set_ptracer_any
sigaction

View File

@ -21,6 +21,7 @@ check_PROGRAMS = \
netlink_unix_diag \
pc \
scm_rights \
seccomp \
select \
set_ptracer_any \
sigaction \
@ -56,6 +57,7 @@ TESTS = \
ipc_shm.test \
ipc_sem.test \
scm_rights-fd.test \
seccomp.test \
select.test \
sigaction.test \
sigreturn.test \

113
tests/seccomp.c Normal file
View File

@ -0,0 +1,113 @@
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#include <stddef.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <sys/syscall.h>
#ifdef HAVE_PRCTL
# include <sys/prctl.h>
#endif
#ifdef HAVE_LINUX_SECCOMP_H
# include <linux/seccomp.h>
#endif
#ifdef HAVE_LINUX_FILTER_H
# include <linux/filter.h>
#endif
#if defined HAVE_PRCTL \
&& defined PR_SET_NO_NEW_PRIVS \
&& defined PR_SET_SECCOMP \
&& defined SECCOMP_MODE_FILTER \
&& defined SECCOMP_RET_ERRNO \
&& defined BPF_JUMP \
&& defined BPF_STMT
#define SOCK_FILTER_ALLOW_SYSCALL(nr) \
BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, __NR_ ## nr, 0, 1), \
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define SOCK_FILTER_DENY_SYSCALL(nr, err) \
BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, __NR_ ## nr, 0, 1), \
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (SECCOMP_RET_DATA & (err)))
#define SOCK_FILTER_KILL_PROCESS \
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)
#define PRINT_ALLOW_SYSCALL(nr) \
printf("BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, %#x, 0, 0x1), " \
"BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), ", \
__NR_ ## nr)
#define PRINT_DENY_SYSCALL(nr, err) \
printf("BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, %#x, 0, 0x1), " \
"BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | %#x), ", \
__NR_ ## nr, err)
static const struct sock_filter filter[] = {
/* load syscall number */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
/* allow syscalls */
SOCK_FILTER_ALLOW_SYSCALL(close),
SOCK_FILTER_ALLOW_SYSCALL(exit),
SOCK_FILTER_ALLOW_SYSCALL(exit_group),
/* deny syscalls */
SOCK_FILTER_DENY_SYSCALL(sync, EBUSY),
SOCK_FILTER_DENY_SYSCALL(setsid, EPERM),
/* kill process */
SOCK_FILTER_KILL_PROCESS
};
static const struct sock_fprog prog = {
.len = sizeof(filter) / sizeof(filter[0]),
.filter = (struct sock_filter *) filter,
};
int
main(void)
{
int fds[2];
puts("prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0");
printf("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, [");
printf("BPF_STMT(BPF_LD | BPF_W | BPF_ABS, %#x), ",
(unsigned) offsetof(struct seccomp_data, nr));
PRINT_ALLOW_SYSCALL(close);
PRINT_ALLOW_SYSCALL(exit);
PRINT_ALLOW_SYSCALL(exit_group);
PRINT_DENY_SYSCALL(sync, EBUSY),
PRINT_DENY_SYSCALL(setsid, EPERM),
printf("BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)");
puts("]) = 0");
puts("+++ exited with 0 +++");
fflush(stdout);
close(0);
close(1);
if (pipe(fds) ||
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) ||
close(0) || close(1))
_exit(77);
_exit(0);
}
#else
int main(void) { return 77; }
#endif

15
tests/seccomp.test Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
# Check how SECCOMP_MODE_FILTER is decoded.
. "${srcdir=.}/init.sh"
OUT="$LOG.out"
run_prog > /dev/null
run_strace -veprctl $args > "$OUT"
match_diff "$LOG" "$OUT"
rm -f "$OUT"
exit 0