author | Paul Moore <paul@paul-moore.com> | 2017-02-24 02:31:59 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2017-02-24 13:43:52 -0500 |
commit | ec6f45ab7c588e007a78faf128df039596dbde59 (patch) | |
tree | ad01c7af6009a5d5cd015b9bf8d69bdcd33e9693 | |
parent | cde6b3783e563c350059460c8d2e3504e35293f1 (diff) | |
download | libseccomp-ec6f45ab7c588e007a78faf128df039596dbde59.tar.gz |
tests: add a dedicated PFC test
This commit also adds special shell-script handling for the "basic"
tests.
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | tests/.gitignore | 1 | ||||
-rw-r--r-- | tests/38-basic-pfc_coverage.c | 92 | ||||
-rw-r--r-- | tests/38-basic-pfc_coverage.pfc | 99 | ||||
-rwxr-xr-x | tests/38-basic-pfc_coverage.sh | 45 | ||||
-rw-r--r-- | tests/38-basic-pfc_coverage.tests | 11 | ||||
-rw-r--r-- | tests/Makefile.am | 10 | ||||
-rwxr-xr-x | tests/regression | 7 |
7 files changed, 263 insertions, 2 deletions
diff --git a/tests/.gitignore b/tests/.gitignore
index ae228ea..97edd22 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -42,3 +42,4 @@ util.pyc
 35-sim-negative_one
 36-sim-ipc_syscalls
 37-sim-ipc_syscalls_be
+38-basic-pfc_coverage
diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
new file mode 100644
index 0000000..a12d06c
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.c
@@ -0,0 +1,92 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ scmp_filter_ctx ctx = NULL;
+
+ /* stdout */
+ fd = 1;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc < 0)
+ goto out;
+
+ /* NOTE: the syscalls and their arguments have been picked to achieve
+ * the highest possible code coverage, this is not a useful
+ * real world filter configuration */
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_GE, 1),
+ SCMP_A2(SCMP_CMP_GT, 2),
+ SCMP_A3(SCMP_CMP_MASKED_EQ, 0x0f, 3));
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(write), 3,
+ SCMP_A0(SCMP_CMP_NE, 0),
+ SCMP_A1(SCMP_CMP_LE, 1),
+ SCMP_A2(SCMP_CMP_LT, 2));
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(close), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1), SCMP_SYS(exit), 0);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_export_pfc(ctx, fd);
+ if (rc < 0)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ close(fd);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
new file mode 100644
index 0000000..a0c31ac
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.pfc
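Review bot: The arch setup at the top of main() — seccomp_arch_remove(SCMP_ARCH_NATIVE) followed by adding SCMP_ARCH_X86_64 and SCMP_ARCH_X86 — is presumably what keeps the exported PFC identical on every build host (the .pfc fixture hard-codes both arch tokens), but nothing says so; a comment such as `/* pin the arch set so the PFC output does not depend on the build host */` above the seccomp_arch_remove() call would stop a later edit from "simplifying" it back to the native arch — please confirm that is the intent. The `out:` path is also reached with ctx == NULL from the seccomp_init() failure branch, so it relies on seccomp_release() tolerating a NULL context (not visible here); if it does not, that branch should return before the label. close(fd) is called on the hard-coded stdout descriptor with its result ignored, and argc/argv are unused; `(void)argc; (void)argv;` would keep a -Wunused-parameter build quiet.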
@@ -0,0 +1,99 @@
+#
+# pseudo filter code start
+#
+# filter for arch x86_64 (3221225534)
+if ($arch == 3221225534)
+ # filter for syscall "exit" (60) [priority: 65535]
+ if ($syscall == 60)
+ action TRACE(1);
+ # filter for syscall "close" (3) [priority: 65535]
+ if ($syscall == 3)
+ action ERRNO(1);
+ # filter for syscall "open" (2) [priority: 65535]
+ if ($syscall == 2)
+ action KILL;
+ # filter for syscall "write" (1) [priority: 65529]
+ if ($syscall == 1)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ else
+ if ($a1.hi32 >= 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 >= 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 >= 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a1.hi32 >= 0)
+ if ($a1.lo32 > 1)
+ else
+ if ($a2.hi32 >= 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ else
+ if ($a2.hi32 >= 0)
+ if ($a2.lo32 >= 2)
+ else
+ action TRAP;
+ else
+ action TRAP;
+ # filter for syscall "read" (0) [priority: 65527]
+ if ($syscall == 0)
+ if ($a0.hi32 == 0)
+ if ($a0.lo32 == 0)
+ if ($a1.hi32 >= 0)
+ if ($a1.lo32 >= 1)
+ if ($a2.hi32 >= 0)
+ if ($a2.lo32 > 2)
+ if ($a3.hi32 & 0x00000000 == 0)
+ if ($a3.lo32 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# filter for arch x86 (1073741827)
+if ($arch == 1073741827)
+ # filter for syscall "close" (6) [priority: 65535]
+ if ($syscall == 6)
+ action ERRNO(1);
+ # filter for syscall "open" (5) [priority: 65535]
+ if ($syscall == 5)
+ action KILL;
+ # filter for syscall "exit" (1) [priority: 65535]
+ if ($syscall == 1)
+ action TRACE(1);
+ # filter for syscall "write" (4) [priority: 65532]
+ if ($syscall == 4)
+ if ($a0 == 0)
+ else
+ if ($a1 > 1)
+ else
+ if ($a2 >= 2)
+ else
+ action TRAP;
+ # filter for syscall "read" (3) [priority: 65531]
+ if ($syscall == 3)
+ if ($a0 == 0)
+ if ($a1 >= 1)
+ if ($a2 > 2)
+ if ($a3 & 0x0000000f == 3)
+ action KILL;
+ # default action
+ action ALLOW;
+# invalid architecture action
+action KILL;
+#
+# pseudo filter code end
+#
diff --git a/tests/38-basic-pfc_coverage.sh b/tests/38-basic-pfc_coverage.sh
new file mode 100755
index 0000000..598a57d
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+####
+# functions
+
+#
+# Dependency check
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function check_deps() {
+ [[ -z "$1" ]] && return
+ which "$1" >& /dev/null
+ return $?
+}
+
+#
+# Dependency verification
+#
+# Arguments:
+# 1 Dependency to check for
+#
+function verify_deps() {
+ [[ -z "$1" ]] && return
+ if ! check_deps "$1"; then
+ echo "error: install \"$1\" and include it in your \$PATH"
+ exit 1
+ fi
+}
+
+####
+# functions
+
+verify_deps diff
+
+# compare output to the known good output, fail if different
+./38-basic-pfc_coverage | diff -q 38-basic-pfc_coverage.pfc - > /dev/null
diff --git a/tests/38-basic-pfc_coverage.tests b/tests/38-basic-pfc_coverage.tests
new file mode 100644
index 0000000..7514903
--- /dev/null
+++ b/tests/38-basic-pfc_coverage.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+38-basic-pfc_coverage.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 3058590..025dfdf 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -76,7 +76,8 @@ check_PROGRAMS = \
 34-sim-basic_blacklist \
 35-sim-negative_one \
 36-sim-ipc_syscalls \
- 37-sim-ipc_syscalls_be
+ 37-sim-ipc_syscalls_be \
+ 38-basic-pfc_coverage
 
 EXTRA_DIST_TESTPYTHON = \
 util.py \
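Review bot: The script's exit status is that of diff alone on the last line, so a non-zero exit from ./38-basic-pfc_coverage (the .c file returns the errno of any failed libseccomp call) is only caught indirectly through missing output; add `set -o pipefail` near the top so the binary's own failure fails the test, and since `diff -q … > /dev/null` discards the actual difference, consider `diff -u 38-basic-pfc_coverage.pfc -` without the redirect so the harness log shows what diverged. Both paths are relative, so the script assumes the working directory is tests/; the harness may guarantee that, but it is worth stating in the header comment. The second `#### functions` heading above `verify_deps diff` looks like a copy-paste of the first and `#### main` would describe what follows. In check_deps(), `command -v "$1" >/dev/null 2>&1` is the portable form of the `which` probe.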
@@ -155,7 +156,11 @@ EXTRA_DIST_TESTCFGS = \
 34-sim-basic_blacklist.tests \
 35-sim-negative_one.tests \
 36-sim-ipc_syscalls.tests \
- 37-sim-ipc_syscalls_be.tests
+ 37-sim-ipc_syscalls_be.tests \
+ 38-basic-pfc_coverage.tests
+
+EXTRA_DIST_TESTBASIC = \
+ 38-basic-pfc_coverage.sh
 
 EXTRA_DIST_TESTSCRIPTS = regression testdiff testgen
 
@@ -164,6 +169,7 @@ EXTRA_DIST_TESTVALGRIND = valgrind_test.supp
 EXTRA_DIST = \
 ${EXTRA_DIST_TESTCFGS} \
 ${EXTRA_DIST_TESTPYTHON} \
+ ${EXTRA_DIST_TESTBASIC} \
 ${EXTRA_DIST_TESTSCRIPTS} \
 ${EXTRA_DIST_TESTVALGRIND}
 
diff --git a/tests/regression b/tests/regression
index 683a36d..55fcbf9 100755
--- a/tests/regression
+++ b/tests/regression
@@ -606,6 +606,13 @@ function run_test_bpf_sim() {
 function run_test_basic() {
 local rc
 
+ # if the test is a script, only run it in native/c mode
+ if [[ $mode != "c" && $(echo "$2" | grep -q '.sh$') -eq 0 ]]; then
+ print_result "$1" "SKIPPED" "(only valid in native/c mode)"
+ stats_skipped=$(($stats_skipped+1))
+ return
+ fi
+
 # print out the input test data to the log file
 print_data "$1" "$2"
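Review bot: The expected-output fixture 38-basic-pfc_coverage.pfc, which 38-basic-pfc_coverage.sh diffs against, is not added to any EXTRA_DIST_* list in this hunk, so it will be missing from a `make dist` tarball and the new test will fail there while passing in a git checkout. Listing it next to the script fixes that, since EXTRA_DIST_TESTBASIC is already folded into EXTRA_DIST by the following hunk: `EXTRA_DIST_TESTBASIC = \` / `	38-basic-pfc_coverage.sh \` / `	38-basic-pfc_coverage.pfc`.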
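Review bot: The new skip condition in run_test_basic() does not test what its comment says: `$(echo "$2" | grep -q '.sh$')` expands to grep's stdout, which is empty because of -q, not to its exit status, so inside [[ ]] the comparison degenerates to `'' -eq 0` (bash evaluates the empty operand as 0) and is true for every test whenever $mode is not "c" — all basic tests get skipped, not only shell scripts. The unescaped `.` in the pattern would also match any character. A bash pattern match needs no subshell and says what is meant: `if [[ $mode != "c" && "$2" == *.sh ]]; then`. $mode is presumably a harness-level global set outside this hunk, and run_test_basic() continues past the hunk.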