test: add tests for syscall:errno style in SystemCallFilter=
parent
8cfa775f4f
commit
b4891260b9
@ -23,6 +23,7 @@
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include "errno-list.h"
|
||||
#include "fileio.h"
|
||||
#include "fs-util.h"
|
||||
#include "macro.h"
|
||||
@ -261,6 +262,8 @@ static void test_exec_systemcallfilter(Manager *m) {
|
||||
test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED);
|
||||
test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED);
|
||||
test(m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED);
|
||||
test(m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED);
|
||||
|
||||
#endif
|
||||
}
|
||||
|
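Review bot: The two `test()` calls added at the end of `test_exec_systemcallfilter()` run units whose `ExecStart=` is `/bin/python3`, and nothing visible in this hunk checks that the interpreter is installed. Where it is missing, the service would presumably end with an exec-failure status instead of the expected errno, so the seccomp check fails for a reason unrelated to the filter. A guard before the two calls, for example `if (access("/bin/python3", X_OK) < 0) return;` together with a log line saying the checks are skipped, would keep the result meaningful. The literal `255` also deserves a comment such as `/* matches SystemCallFilter=~uname:255 in the unit; 255 is the largest value an exit status can carry */`. The function starts outside the hunk.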
@ -519,7 +519,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(pid >= 0);
|
||||
|
||||
if (pid == 0) {
|
||||
_cleanup_set_free_ Set *s = NULL;
|
||||
_cleanup_hashmap_free_ Hashmap *s = NULL;
|
||||
|
||||
assert_se(access("/", F_OK) >= 0);
|
||||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
@ -528,11 +528,11 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
assert_se(access("/", F_OK) >= 0);
|
||||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
assert_se(s = set_new(NULL));
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if SCMP_SYS(access) >= 0
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0);
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#else
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0);
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
|
||||
@ -542,23 +542,56 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
|
||||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
s = set_free(s);
|
||||
s = hashmap_free(s);
|
||||
|
||||
assert_se(s = set_new(NULL));
|
||||
#if SCMP_SYS(poll) >= 0
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0);
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if SCMP_SYS(access) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#else
|
||||
assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0);
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EILSEQ);
|
||||
|
||||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
s = hashmap_free(s);
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if SCMP_SYS(poll) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#else
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EUCLEAN);
|
||||
assert_se(errno == EILSEQ);
|
||||
|
||||
assert_se(poll(NULL, 0, 0) < 0);
|
||||
assert_se(errno == EUNATCH);
|
||||
|
||||
s = hashmap_free(s);
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if SCMP_SYS(poll) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#else
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
|
||||
|
||||
assert_se(access("/", F_OK) < 0);
|
||||
assert_se(errno == EILSEQ);
|
||||
|
||||
assert_se(poll(NULL, 0, 0) < 0);
|
||||
assert_se(errno == EILSEQ);
|
||||
|
||||
_exit(EXIT_SUCCESS);
|
||||
}
|
||||
|
||||
|
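Review bot: The rewritten sequence in `test_load_syscall_filter_set_raw()` depends on two facts that the code never states. `INT_TO_PTR(-1)` as the hashmap value appears to mean "use the default action passed as the third argument". Each `seccomp_load_syscall_filter_set_raw()` call also stacks on the earlier ones in the same child, which is why `access()` is still expected to fail with `EILSEQ` after the third load even though that load names only `poll`. A comment before the second load would let a reader verify the expected errno values, e.g. `/* loaded seccomp filters cannot be removed; among ERRNO actions the most recently installed filter decides the errno */`. The variable is still named `s` although it is now a `Hashmap`; a name reflecting the syscall-to-errno mapping would read better. The function body starts outside the visible hunks.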
@ -107,6 +107,8 @@ test_data_files = '''
|
||||
test-execute/exec-systemcallfilter-not-failing2.service
|
||||
test-execute/exec-systemcallfilter-system-user-nfsnobody.service
|
||||
test-execute/exec-systemcallfilter-system-user.service
|
||||
test-execute/exec-systemcallfilter-with-errno-name.service
|
||||
test-execute/exec-systemcallfilter-with-errno-number.service
|
||||
test-execute/exec-umask-0177.service
|
||||
test-execute/exec-umask-default.service
|
||||
test-execute/exec-unset-environment.service
|
||||
|
@ -0,0 +1,8 @@
|
||||
[Unit]
|
||||
Description=Test for SystemCallFilter with errno name
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
|
||||
Type=oneshot
|
||||
SystemCallFilter=~uname:EILSEQ
|
||||
SystemCallErrorNumber=EACCES
|
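Review bot: Nothing in this unit explains why `SystemCallErrorNumber=EACCES` sits next to `SystemCallFilter=~uname:EILSEQ`. The test proves the per-syscall errno only while it differs from the default, so a later edit that aligns the two would let the test pass even if the override were ignored. A comment such as `# SystemCallErrorNumber= must differ from the errno after the colon, otherwise the override is not exercised` would record that. The same applies to the errno-number unit that follows, where the per-syscall value is `255`.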
@ -0,0 +1,8 @@
|
||||
[Unit]
|
||||
Description=Test for SystemCallFilter with errno number
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
|
||||
Type=oneshot
|
||||
SystemCallFilter=~uname:255
|
||||
SystemCallErrorNumber=EACCES
|