tests: add a dedicated PFC test

This commit also adds special shell-script handling for the "basic" tests. Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Paul Moore <paul@paul-moore.com> 2017-02-24 02:31:59 -0500
committer: Paul Moore <paul@paul-moore.com> 2017-02-24 13:43:52 -0500
commit: ec6f45ab7c588e007a78faf128df039596dbde59 (patch)
tree: ad01c7af6009a5d5cd015b9bf8d69bdcd33e9693
parent: cde6b3783e563c350059460c8d2e3504e35293f1 (diff)
download: libseccomp-ec6f45ab7c588e007a78faf128df039596dbde59.tar.gz
7 files changed, 263 insertions, 2 deletions
diff --git a/tests/.gitignore b/tests/.gitignore
index ae228ea..97edd22 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -42,3 +42,4 @@ util.pyc
 35-sim-negative_one
 36-sim-ipc_syscalls
 37-sim-ipc_syscalls_be
+38-basic-pfc_coverage
diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
new file mode 100644
index 0000000..a12d06c
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.c
@@ -0,0 +1,92 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	int fd;
+	scmp_filter_ctx ctx = NULL;
+
+	/* stdout */
+	fd = 1;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL) {
+		rc = ENOMEM;
+		goto out;
+	}
+
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+	if (rc < 0)
+		goto out;
+
+	/* NOTE: the syscalls and their arguments have been picked to achieve
+	 *       the highest possible code coverage, this is not a useful
+	 *       real world filter configuration */
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 0);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 4,
+			      SCMP_A0(SCMP_CMP_EQ, 0),
+			      SCMP_A1(SCMP_CMP_GE, 1),
+			      SCMP_A2(SCMP_CMP_GT, 2),
+			      SCMP_A3(SCMP_CMP_MASKED_EQ, 0x0f, 3));
+	if (rc < 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(write), 3,
+			      SCMP_A0(SCMP_CMP_NE, 0),
+			      SCMP_A1(SCMP_CMP_LE, 1),
+			      SCMP_A2(SCMP_CMP_LT, 2));
+	if (rc < 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(close), 0);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1), SCMP_SYS(exit), 0);
+	if (rc < 0)
+		goto out;
+
+	rc = seccomp_export_pfc(ctx, fd);
+	if (rc < 0)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	close(fd);
+	return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
new file mode 100644
index 0000000..a0c31ac
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.pfc
@@ -0,0 +1,99 @@
+#
+# pseudo filter code start
+#
+# filter for arch x86_64 (3221225534)
+if ($arch == 3221225534)
+  # filter for syscall "exit" (60) [priority: 65535]
+  if ($syscall == 60)
+    action TRACE(1);
+  # filter for syscall "close" (3) [priority: 65535]
+  if ($syscall == 3)
+    action ERRNO(1);
+  # filter for syscall "open" (2) [priority: 65535]
+  if ($syscall == 2)
+    action KILL;
+  # filter for syscall "write" (1) [priority: 65529]
+  if ($syscall == 1)
+    if ($a0.hi32 == 0)
+      if ($a0.lo32 == 0)
+      else
+        if ($a1.hi32 >= 0)
+          if ($a1.lo32 > 1)
+          else
+            if ($a2.hi32 >= 0)
+              if ($a2.lo32 >= 2)
+              else
+                action TRAP;
+            else
+              action TRAP;
+        else
+          if ($a2.hi32 >= 0)
+            if ($a2.lo32 >= 2)
+            else
+              action TRAP;
+          else
+            action TRAP;
+    else
+      if ($a1.hi32 >= 0)
+        if ($a1.lo32 > 1)
+        else
+          if ($a2.hi32 >= 0)
+            if ($a2.lo32 >= 2)
+            else
+              action TRAP;
+          else
+            action TRAP;
+      else
+        if ($a2.hi32 >= 0)
+          if ($a2.lo32 >= 2)
+          else
+            action TRAP;
+        else
+          action TRAP;
+  # filter for syscall "read" (0) [priority: 65527]
+  if ($syscall == 0)
+    if ($a0.hi32 == 0)
+      if ($a0.lo32 == 0)
+        if ($a1.hi32 >= 0)
+          if ($a1.lo32 >= 1)
+            if ($a2.hi32 >= 0)
+              if ($a2.lo32 > 2)
+                if ($a3.hi32 & 0x00000000 == 0)
+                  if ($a3.lo32 & 0x0000000f == 3)
+                    action KILL;
+  # default action
+  action ALLOW;
+# filter for arch x86 (1073741827)
+if ($arch == 1073741827)
+  # filter for syscall "close" (6) [priority: 65535]
+  if ($syscall == 6)
+    action ERRNO(1);
+  # filter for syscall "open" (5) [priority: 65535]
+  if ($syscall == 5)
+    action KILL;
+  # filter for syscall "exit" (1) [priority: 65535]
+  if ($syscall == 1)
+    action TRACE(1);
+  # filter for syscall "write" (4) [priority: 65532]
+  if ($syscall == 4)
+    if ($a0 == 0)
+    else
+      if ($a1 > 1)
+      else
+        if ($a2 >= 2)
+        else
+          action TRAP;
+  # filter for syscall "read" (3) [priority: 65531]
+  if ($syscall == 3)
+    if ($a0 == 0)
+      if ($a1 >= 1)
+        if ($a2 > 2)
+          if ($a3 & 0x0000000f == 3)
+            action KILL;
+  # default action
+  action ALLOW;
+# invalid architecture action
+action KILL;
+#
+# pseudo filter code end
+#
diff --git a/tests/38-basic-pfc_coverage.sh b/tests/38-basic-pfc_coverage.sh
new file mode 100755
index 0000000..598a57d
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+####
+# functions
+
+#
+# Dependency check
+#
+# Arguments:
+#     1    Dependency to check for
+#
+function check_deps() {
+	[[ -z "$1" ]] && return
+	which "$1" >& /dev/null
+	return $?
+}
+
+#
+# Dependency verification
+#
+# Arguments:
+#     1    Dependency to check for
+#
+function verify_deps() {
+	[[ -z "$1" ]] && return
+	if ! check_deps "$1"; then
+		echo "error: install \"$1\" and include it in your \$PATH"
+		exit 1
+	fi
+}
+
+####
+# functions
+
+verify_deps diff
+
+# compare output to the known good output, fail if different
+./38-basic-pfc_coverage | diff -q 38-basic-pfc_coverage.pfc - > /dev/null
diff --git a/tests/38-basic-pfc_coverage.tests b/tests/38-basic-pfc_coverage.tests
new file mode 100644
index 0000000..7514903
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+38-basic-pfc_coverage.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 3058590..025dfdf 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -76,7 +76,8 @@ check_PROGRAMS = \
 	34-sim-basic_blacklist \
 	35-sim-negative_one \
 	36-sim-ipc_syscalls \
-	37-sim-ipc_syscalls_be
+	37-sim-ipc_syscalls_be \
+	38-basic-pfc_coverage
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -155,7 +156,11 @@ EXTRA_DIST_TESTCFGS = \
 	34-sim-basic_blacklist.tests \
 	35-sim-negative_one.tests \
 	36-sim-ipc_syscalls.tests \
-	37-sim-ipc_syscalls_be.tests
+	37-sim-ipc_syscalls_be.tests \
+	38-basic-pfc_coverage.tests
+
+EXTRA_DIST_TESTBASIC = \
+	38-basic-pfc_coverage.sh
 
 EXTRA_DIST_TESTSCRIPTS = regression testdiff testgen
 
@@ -164,6 +169,7 @@ EXTRA_DIST_TESTVALGRIND = valgrind_test.supp
 EXTRA_DIST = \
 	${EXTRA_DIST_TESTCFGS} \
 	${EXTRA_DIST_TESTPYTHON} \
+	${EXTRA_DIST_TESTBASIC} \
 	${EXTRA_DIST_TESTSCRIPTS} \
 	${EXTRA_DIST_TESTVALGRIND}
 
diff --git a/tests/regression b/tests/regression
index 683a36d..55fcbf9 100755
--- a/tests/regression
+++ b/tests/regression
@@ -606,6 +606,13 @@ function run_test_bpf_sim() {
 function run_test_basic() {
 	local rc
 
+	# if the test is a script, only run it in native/c mode
+	if [[ $mode != "c" && $(echo "$2" | grep -q '.sh$') -eq 0 ]]; then
+		print_result "$1" "SKIPPED" "(only valid in native/c mode)"
+		stats_skipped=$(($stats_skipped+1))
+		return
+	fi
+
 	# print out the input test data to the log file
 	print_data "$1" "$2"
author	Paul Moore <paul@paul-moore.com>	2017-02-24 02:31:59 -0500
committer	Paul Moore <paul@paul-moore.com>	2017-02-24 13:43:52 -0500
commit	ec6f45ab7c588e007a78faf128df039596dbde59 (patch)
tree	ad01c7af6009a5d5cd015b9bf8d69bdcd33e9693
parent	cde6b3783e563c350059460c8d2e3504e35293f1 (diff)
download	libseccomp-ec6f45ab7c588e007a78faf128df039596dbde59.tar.gz