From 97d05f3b709c39acebc53749b1d9eb29a24690b1 Mon Sep 17 00:00:00 2001 From: Kevin Kuehler Date: Sun, 10 Nov 2019 20:37:20 -0800 Subject: [PATCH] test/test-seccomp: add test_protect_syslog --- src/test/test-seccomp.c | 43 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 018c20f8be..ca3f37344a 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -322,6 +322,48 @@ static void test_protect_sysctl(void) { assert_se(wait_for_terminate_and_check("sysctlseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); } +static void test_protect_syslog(void) { + pid_t pid; + + log_info("/* %s */", __func__); + + if (!is_seccomp_available()) { + log_notice("Seccomp not available, skipping %s", __func__); + return; + } + if (geteuid() != 0) { + log_notice("Not root, skipping %s", __func__); + return; + } + + /* in containers syslog() is likely missing anyway */ + if (detect_container() > 0) { + log_notice("Testing in container, skipping %s", __func__); + return; + } + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { +#if defined __NR_syslog && __NR_syslog > 0 + assert_se(syscall(__NR_syslog, -1, NULL, 0) < 0); + assert_se(errno == EINVAL); +#endif + + assert_se(seccomp_protect_syslog() >= 0); + +#if defined __NR_syslog && __NR_syslog > 0 + assert_se(syscall(__NR_syslog, 0, 0, 0) < 0); + assert_se(errno == EPERM); +#endif + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_check("syslogseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); +} + static void test_restrict_address_families(void) { pid_t pid; @@ -982,6 +1024,7 @@ int main(int argc, char *argv[]) { test_filter_sets_ordered(); test_restrict_namespace(); test_protect_sysctl(); + test_protect_syslog(); test_restrict_address_families(); test_restrict_realtime(); test_memory_deny_write_execute_mmap();