test: add basic seccomp tests

2025-02-01 09:47:35 +03:00 · 2014-02-14 17:21:41 +01:00 · 2014-02-14 17:21:41 +01:00 · f928d3263d
commit f928d3263d
parent 8f9c6fe5ff
7 changed files with 122 additions and 0 deletions
--- a/test/TEST-04-SECCOMP/Makefile
+++ b/test/TEST-04-SECCOMP/Makefile
@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
--- a/test/TEST-04-SECCOMP/test-seccomp.sh
+++ b/test/TEST-04-SECCOMP/test-seccomp.sh
@ -0,0 +1,13 @@
+#!/bin/bash -x
+
+systemctl start will-fail.service
+systemctl start will-fail2.service
+systemctl start will-not-fail.service
+systemctl start will-not-fail2.service
+systemctl is-failed will-fail.service || exit 1
+systemctl is-failed will-fail2.service || exit 1
+systemctl is-failed will-not-fail.service && exit 1
+systemctl is-failed will-not-fail2.service && exit 1
+
+touch /testok
+exit 0
--- a/test/TEST-04-SECCOMP/test.sh
+++ b/test/TEST-04-SECCOMP/test.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+TEST_DESCRIPTION="seccomp tests"
+
+. $TEST_BASE_DIR/test-functions
+
+check_result_qemu() {
+    ret=1
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+    [[ -e $TESTDIR/root/testok ]] && ret=0
+    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
+    cp -a $TESTDIR/root/var/log/journal $TESTDIR
+    umount $TESTDIR/root
+    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
+    ls -l $TESTDIR/journal/*/*.journal
+    test -s $TESTDIR/failed && ret=$(($ret+1))
+    return $ret
+}
+
+test_run() {
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
+    if check_nspawn; then
+        run_nspawn
+        check_result_nspawn || return 1
+    else
+        dwarn "can't run systemd-nspawn, skipping"
+    fi
+    return 0
+}
+
+test_setup() {
+    create_empty_image
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+
+    # Create what will eventually be our root filesystem onto an overlay
+    (
+        LOG_LEVEL=5
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+        setup_basic_environment
+
+        # setup the testsuite service
+        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+After=multi-user.target
+
+[Service]
+ExecStart=/test-seccomp.sh
+Type=oneshot
+EOF
+
+        # copy the units used by this test
+        cp {will-fail,will-fail2,will-not-fail,will-not-fail2}.service \
+            $initdir/etc/systemd/system
+        cp test-seccomp.sh $initdir/
+
+        setup_testsuite
+    )
+    setup_nspawn_root
+
+    ddebug "umount $TESTDIR/root"
+    umount $TESTDIR/root
+}
+
+test_cleanup() {
+    umount $TESTDIR/root 2>/dev/null
+    [[ $LOOPDEV ]] && losetup -d $LOOPDEV
+    return 0
+}
+
+do_test "$@"
--- a/test/TEST-04-SECCOMP/will-fail.service
+++ b/test/TEST-04-SECCOMP/will-fail.service
@ -0,0 +1,8 @@
+[Unit]
+Description=Will fail
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=ioperm
+SystemCallFilter=~ioperm
+SystemCallFilter=ioperm
--- a/test/TEST-04-SECCOMP/will-fail2.service
+++ b/test/TEST-04-SECCOMP/will-fail2.service
@ -0,0 +1,6 @@
+[Unit]
+Description=Will fail 2
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=~write open execve exit_group close mmap munmap fstat DONOTEXIST
--- a/test/TEST-04-SECCOMP/will-not-fail.service
+++ b/test/TEST-04-SECCOMP/will-not-fail.service
@ -0,0 +1,9 @@
+[Unit]
+Description=Will not fail
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
--- a/test/TEST-04-SECCOMP/will-not-fail2.service
+++ b/test/TEST-04-SECCOMP/will-not-fail2.service
@ -0,0 +1,6 @@
+[Unit]
+Description=Reset SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=