From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 3 Aug 2021 14:12:50 -0400 Subject: tests: various additions to improve code coverage Acked-by: Tom Hromatka Signed-off-by: Paul Moore (imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65) --- tests/11-basic-basic_errors.c | 52 ++++ tests/15-basic-resolver.c | 40 +++ tests/30-sim-socket_syscalls.c | 62 +++- tests/33-sim-socket_syscalls_be.c | 3 + tests/33-sim-socket_syscalls_be.py | 1 + tests/33-sim-socket_syscalls_be.tests | 42 ++- tests/36-sim-ipc_syscalls.c | 3 + tests/36-sim-ipc_syscalls.py | 1 + tests/36-sim-ipc_syscalls.tests | 50 ++-- tests/37-sim-ipc_syscalls_be.c | 3 + tests/37-sim-ipc_syscalls_be.py | 1 + tests/37-sim-ipc_syscalls_be.tests | 26 +- tests/38-basic-pfc_coverage.c | 27 ++ tests/38-basic-pfc_coverage.pfc | 534 ++++++++++++++++++++++++++++++++++ tests/52-basic-load.c | 23 ++ 15 files changed, 804 insertions(+), 64 deletions(-) diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c index da059df..49d9eef 100644 --- a/tests/11-basic-basic_errors.c +++ b/tests/11-basic-basic_errors.c @@ -29,6 +29,8 @@ int main(int argc, char *argv[]) int rc; scmp_filter_ctx ctx; uint32_t attr; + struct seccomp_notif *req = NULL; + struct seccomp_notif_resp *resp = NULL; /* seccomp_init errors */ ctx = seccomp_init(SCMP_ACT_ALLOW + 1); @@ -123,6 +125,9 @@ int main(int argc, char *argv[]) return -1; rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, 2)); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0); if (rc != -EINVAL) return -1; seccomp_release(ctx); 
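Review bot: The new `seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0)` call in the second hunk of tests/11-basic-basic_errors.c uses a bare magic literal with no hint of what is being exercised, so a reader cannot tell whether `-EINVAL` is expected because of the action or the syscall. A one-line comment before it would fix that: `/* 0xdeadbeef is not a valid SCMP_ACT_* value, so the library must reject it with -EINVAL */`. The `struct seccomp_notif *req`/`resp` declarations added in the first hunk are only used much later in `main`, which starts before and ends after these hunks; a short comment such as `/* used by the seccomp_notify_*() error checks below */` would explain why they live at the top.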
@@ -180,6 +185,53 @@ int main(int argc, char *argv[]) rc = seccomp_attr_set(ctx, 1000, 1); if (rc != -EINVAL) return -1; + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_merge() errors */ + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_merge(ctx, NULL); + if (rc == 0) + return -1; + seccomp_release(ctx); + ctx = NULL; + + /* seccomp notify errors */ + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_notify_alloc(NULL, NULL); + if (rc != 0) + return -1; + rc = seccomp_notify_alloc(&req, NULL); + if (rc != 0) + return -1; + rc = seccomp_notify_alloc(NULL, &resp); + if (rc != 0) + return -1; + seccomp_notify_free(NULL, NULL); + seccomp_notify_free(req, resp); + req = NULL; + resp = NULL; + rc = seccomp_notify_receive(-1, NULL); + if (rc == 0) + return -1; + rc = seccomp_notify_respond(-1, NULL); + if (rc == 0) + return -1; + rc = seccomp_notify_id_valid(-1, 0); + if (rc == 0) + return -1; + rc = seccomp_notify_fd(NULL); + if (rc == 0) + return -1; + rc = seccomp_notify_fd(ctx); + if (rc == 0) + return -1; + seccomp_release(ctx); + ctx = NULL; return 0; } diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c index 2679270..6db69e8 100644 --- a/tests/15-basic-resolver.c +++ b/tests/15-basic-resolver.c @@ -68,6 +68,7 @@ int main(int argc, char *argv[]) goto fail; while ((arch = arch_list[iter++]) != -1) { + int sys; int nr_open; int nr_read; int nr_socket; 
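Review bot: The notify error checks added in this hunk of tests/11-basic-basic_errors.c only assert `rc == 0` → fail (for `seccomp_merge`, `seccomp_notify_receive`, `seccomp_notify_respond`, `seccomp_notify_id_valid` and both `seccomp_notify_fd` calls), whereas every other check in this file pins the exact code with `rc != -EINVAL`. A wrong-but-negative return value (for example an unexpected `-EFAULT` or `-ENOMEM`) would therefore pass, which defeats the purpose of an error-path test; where the documented value is fixed, I would tighten these to the same `if (rc != -EINVAL) return -1;` form, and where it is not, a comment naming the accepted range would help. The `seccomp_notify_fd(ctx)` case relies on the filter never having been loaded, which deserves a comment like `/* no filter loaded yet, so there is no notification fd to return */`, since the context looks otherwise valid. `main` starts before this hunk.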
@@ -119,6 +120,45 @@ int main(int argc, char *argv[]) goto fail; free(name); name = NULL; + + /* socket pseudo-syscalls */ + if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) { + for (sys = -101; sys >= -120; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + } + /* ipc pseudo-syscalls */ + if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) { + for (sys = -201; sys >= -204; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + for (sys = -211; sys >= -214; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + for (sys = -221; sys >= -224; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + } } return 0; diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c index 7a193b2..900f0a3 100644 --- a/tests/30-sim-socket_syscalls.c +++ b/tests/30-sim-socket_syscalls.c 
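Review bot: The loop bounds `-101..-120`, `-201..-204`, `-211..-214` and `-221..-224` in this hunk of tests/15-basic-resolver.c are unexplained magic numbers; they appear to mirror the `__PNR_*` pseudo-syscall macros that the public seccomp.h defines for the socketcall and ipc multiplexed syscalls, and tying the loops to those names would stop the test silently drifting if a pseudo-syscall is added. At minimum a comment such as `/* negative pseudo-syscall numbers: -1xx are the socketcall family, -2xx the ipc family, see the __PNR_* definitions in seccomp.h */` should precede the first loop, or the bounds should use the first/last macro of each group directly. The three ipc loops are byte-identical apart from the range and could be one loop over a small `{first, last}` table. The checks also only prove the name is non-NULL; a complementary check that a number just outside a range resolves to NULL would make the coverage meaningful. `main` starts before and ends after this hunk.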
@@ -61,15 +61,47 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); if (rc != 0) goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); if (rc != 0) goto out; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0); if (rc != 0) goto out; 
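Review bot: The diffstat in the patch header lists only tests/30-sim-socket_syscalls.c for this test, so the sixteen new `SCMP_ACT_ALLOW` rules added here and in the second hunk (`setsockopt` through `recvmmsg`) do not appear to be mirrored in the Python twin or in the `.tests` vectors, unlike the 33-/36-/37- tests in this same series which update `.c`, `.py` and `.tests` together. If that reading is right, the new rules are never exercised by the simulator and a Python run of the same test would diverge from the C filter; adding the matching `f.add_rule(ALLOW, "...")` lines and `.tests` rows would close that gap. The hunk also reorders `accept4` to the end of the list; a comment explaining the ordering (for example that it follows the socketcall multiplexer numbering) would help, since nothing in the code says why. `main` starts before and ends after this hunk.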
@@ -77,6 +109,34 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0); + if (rc != 0) + goto out; + rc = util_filter_output(&opts, ctx); if (rc) goto out; diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c index 7c4d788..e770771 100644 --- a/tests/33-sim-socket_syscalls_be.c +++ b/tests/33-sim-socket_syscalls_be.c @@ -48,6 +48,9 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); if (rc != 0) goto out; diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py index 416fb33..c3cd628 100755 --- a/tests/33-sim-socket_syscalls_be.py +++ b/tests/33-sim-socket_syscalls_be.py @@ -33,6 +33,7 @@ def test(args): f.remove_arch(Arch()) f.add_arch(Arch("s390")) f.add_arch(Arch("s390x")) + f.add_arch(Arch("ppc")) f.add_rule(ALLOW, "socket") f.add_rule(ALLOW, "connect") f.add_rule(ALLOW, "accept") diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests index b2523af..11e2552 100644 --- a/tests/33-sim-socket_syscalls_be.tests +++ b/tests/33-sim-socket_syscalls_be.tests 
@@ -7,31 +7,23 @@ test type: bpf-sim -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW -33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW -33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW -33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW -33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW -33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL -33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL -33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW -33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW -33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW -33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW -33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390x accept 5 N N N N N ALLOW -33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL -33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW -33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW 
+33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL test type: bpf-valgrind diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c index 1437e43..c9b575e 100644 --- a/tests/36-sim-ipc_syscalls.c +++ b/tests/36-sim-ipc_syscalls.c @@ -54,6 +54,9 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); if (rc != 0) goto out; diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py index 2e223ff..90a8e9f 100755 --- a/tests/36-sim-ipc_syscalls.py +++ b/tests/36-sim-ipc_syscalls.py @@ -35,6 +35,7 @@ def test(args): f.add_arch(Arch("x86_64")) f.add_arch(Arch("x32")) f.add_arch(Arch("ppc64le")) + f.add_arch(Arch("mipsel")) f.add_rule(ALLOW, "semop") f.add_rule(ALLOW, "semtimedop") f.add_rule(ALLOW, "semget") diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests index 8d83af7..90e5445 100644 --- a/tests/36-sim-ipc_syscalls.tests +++ b/tests/36-sim-ipc_syscalls.tests 
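Review bot: The rows that name the syscall by raw number (`359`, `362`, `364`, `373` for s390/s390x and `326`, `328`, `344`, `338` for ppc) in this hunk of tests/33-sim-socket_syscalls_be.tests give no indication of which socket call each number stands for, so a reviewer cannot check that the expected `ALLOW` matches a rule actually added in the `.c`/`.py` twins. A `#` comment line above each pair naming the syscall (for example `# direct socket syscalls: socket / connect / accept4 / ... per arch`) would make the vectors auditable without consulting the arch tables.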
@@ -7,31 +7,31 @@ test type: bpf-sim -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -36-sim-ipc_syscalls +x86,+ppc64le ipc 1 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 2 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 3 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 4 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 11 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 12 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 13 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 14 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 21 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 22 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 23 N N N N N ALLOW -36-sim-ipc_syscalls +x86,+ppc64le ipc 24 N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW -36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW +36-sim-ipc_syscalls 
+x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW test type: bpf-valgrind diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c index e82a2aa..d1bd57e 100644 --- a/tests/37-sim-ipc_syscalls_be.c +++ b/tests/37-sim-ipc_syscalls_be.c @@ -48,6 +48,9 @@ int main(int argc, char *argv[]) if (rc != 0) goto out; rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); if (rc != 0) goto out; diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py index 40ae279..18a09d0 100755 --- a/tests/37-sim-ipc_syscalls_be.py +++ b/tests/37-sim-ipc_syscalls_be.py @@ -33,6 +33,7 @@ def test(args): f.remove_arch(Arch()) f.add_arch(Arch("s390")) f.add_arch(Arch("s390x")) + f.add_arch(Arch("ppc")) f.add_rule(ALLOW, "semop") f.add_rule(ALLOW, "semtimedop") f.add_rule(ALLOW, "semget") diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests index ff98cec..96a5c81 100644 --- a/tests/37-sim-ipc_syscalls_be.tests +++ b/tests/37-sim-ipc_syscalls_be.tests 
@@ -7,19 +7,19 @@ test type: bpf-sim -# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -37-sim-ipc_syscalls_be +s390,+s390x ipc 1 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 2 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 3 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 4 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 11 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 12 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 13 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 14 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 21 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 22 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 23 N N N N N ALLOW -37-sim-ipc_syscalls_be +s390,+s390x ipc 24 N N N N N ALLOW +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 24 N N N N N ALLOW test type: bpf-valgrind diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c index e680afc..c6829ac 100644 --- a/tests/38-basic-pfc_coverage.c +++ b/tests/38-basic-pfc_coverage.c 
@@ -55,6 +55,30 @@ int main(int argc, char *argv[]) if (rc < 0) goto out; rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X32); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64); if (rc < 0) goto out; @@ -85,6 +109,9 @@ int main(int argc, char *argv[]) if (rc < 0) goto out; rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0); if (rc < 0) goto out; diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc index 8d3c53b..3fb181b 100644 --- a/tests/38-basic-pfc_coverage.pfc +++ b/tests/38-basic-pfc_coverage.pfc @@ -3,6 +3,9 @@ # # filter for arch x86_64 (3221225534) if ($arch == 3221225534) + # filter for syscall "exit_group" (231) [priority: 65535] + if ($syscall == 231) + action LOG; # filter for syscall "exit" (60) [priority: 65535] if ($syscall == 60) action TRACE(1); @@ -97,6 +100,9 @@ if ($arch == 3221225534) action ALLOW; # filter for arch x86 (1073741827) if ($arch == 1073741827) + # filter for syscall "exit_group" (252) [priority: 65535] + if ($syscall == 252) + action LOG; # filter for syscall "fstat" (108) [priority: 65535] if ($syscall == 108) action KILL_PROCESS; 
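Review bot: The first hunk of tests/38-basic-pfc_coverage.c grows the `seccomp_arch_add` chain to nine near-identical three-line stanzas, which is the same shape that previously let the S390X/PPC64LE result checks go missing in the 33-/36-/37- tests fixed elsewhere in this series. A table-driven loop keeps the coverage identical and makes a forgotten check impossible; the excerpt below replaces the stanzas from `SCMP_ARCH_X86` onward (the context before the hunk, and `main` itself, start earlier in the file and are unchanged). The second hunk's `exit_group` rule is fine as written.

```c
	static const uint32_t arch_list[] = {
		SCMP_ARCH_X86, SCMP_ARCH_X32, SCMP_ARCH_ARM, SCMP_ARCH_AARCH64,
		SCMP_ARCH_MIPSEL, SCMP_ARCH_MIPSEL64, SCMP_ARCH_MIPSEL64N32,
		SCMP_ARCH_PPC64LE, SCMP_ARCH_RISCV64,
	};
	/* … unchanged: seccomp_init() and the earlier arch handling … */
	/* every arch here must also appear in 38-basic-pfc_coverage.pfc */
	for (size_t i = 0; i < sizeof(arch_list) / sizeof(arch_list[0]); i++) {
		rc = seccomp_arch_add(ctx, arch_list[i]);
		if (rc < 0)
			goto out;
	}
	/* … unchanged: seccomp_rule_add() calls and the exit_group rule … */
```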
@@ -127,6 +133,534 @@ if ($arch == 1073741827) action KILL; # default action action ALLOW; +# filter for arch x32 (3221225534) +if ($arch == 3221225534) + # filter for syscall "exit_group" (1073742055) [priority: 65535] + if ($syscall == 1073742055) + action LOG; + # filter for syscall "exit" (1073741884) [priority: 65535] + if ($syscall == 1073741884) + action TRACE(1); + # filter for syscall "fstat" (1073741829) [priority: 65535] + if ($syscall == 1073741829) + action KILL_PROCESS; + # filter for syscall "close" (1073741827) [priority: 65535] + if ($syscall == 1073741827) + action ERRNO(1); + # filter for syscall "open" (1073741826) [priority: 65535] + if ($syscall == 1073741826) + action KILL; + # filter for syscall "write" (1073741825) [priority: 65532] + if ($syscall == 1073741825) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (1073741824) [priority: 65531] + if ($syscall == 1073741824) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch arm (1073741864) +if ($arch == 1073741864) + # filter for syscall "exit_group" (248) [priority: 65535] + if ($syscall == 248) + action LOG; + # filter for syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); + # filter for syscall "open" (5) [priority: 65535] + if ($syscall == 5) + action KILL; + # filter for syscall "exit" (1) [priority: 65535] + if ($syscall == 1) + action TRACE(1); + # filter for syscall "write" (4) [priority: 65532] + if ($syscall == 4) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (3) [priority: 65531] + if ($syscall == 3) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter 
for arch aarch64 (3221225655) +if ($arch == 3221225655) + # filter for syscall "open" (4294957130) [priority: 65535] + if ($syscall == 4294957130) + action KILL; + # filter for syscall "exit_group" (94) [priority: 65535] + if ($syscall == 94) + action LOG; + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); + # filter for syscall "fstat" (80) [priority: 65535] + if ($syscall == 80) + action KILL_PROCESS; + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(1); + # filter for syscall "write" (64) [priority: 65527] + if ($syscall == 64) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (63) [priority: 65525] + if ($syscall == 63) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for 
arch mipsel (1073741832) +if ($arch == 1073741832) + # filter for syscall "exit_group" (246) [priority: 65535] + if ($syscall == 246) + action LOG; + # filter for syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); + # filter for syscall "open" (5) [priority: 65535] + if ($syscall == 5) + action KILL; + # filter for syscall "exit" (1) [priority: 65535] + if ($syscall == 1) + action TRACE(1); + # filter for syscall "write" (4) [priority: 65532] + if ($syscall == 4) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (3) [priority: 65531] + if ($syscall == 3) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch mipsel64 (3221225480) +if ($arch == 3221225480) + # filter for syscall "exit_group" (5205) [priority: 65535] + if ($syscall == 5205) + action LOG; + # filter for syscall "exit" (5058) [priority: 65535] + if ($syscall == 5058) + action TRACE(1); + # filter for syscall "fstat" (5005) [priority: 65535] + if ($syscall == 5005) + action KILL_PROCESS; + # filter for syscall "close" (5003) [priority: 65535] + if ($syscall == 5003) + action ERRNO(1); + # filter for syscall "open" (5002) [priority: 65535] + if ($syscall == 5002) + action KILL; + # filter for syscall "write" (5001) [priority: 65527] + if ($syscall == 5001) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 
== 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (5000) [priority: 65525] + if ($syscall == 5000) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch mipsel64n32 (3758096392) +if ($arch == 3758096392) + # filter for syscall "exit_group" (6205) [priority: 65535] + if ($syscall == 6205) + action LOG; + # filter for syscall "exit" (6058) [priority: 65535] + if ($syscall == 6058) + action TRACE(1); + # filter for syscall "fstat" (6005) [priority: 65535] + if ($syscall == 6005) + action KILL_PROCESS; + # filter for syscall "close" (6003) [priority: 65535] + if ($syscall == 6003) + action ERRNO(1); + # filter for syscall "open" (6002) [priority: 65535] + if ($syscall == 6002) + action KILL; + # filter for syscall "write" (6001) [priority: 65532] + if ($syscall == 6001) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (6000) [priority: 65531] + if ($syscall == 6000) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch ppc64le (3221225493) +if ($arch == 3221225493) + # filter for syscall "exit_group" (234) [priority: 65535] + if ($syscall == 234) + action LOG; + # filter for 
syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); + # filter for syscall "open" (5) [priority: 65535] + if ($syscall == 5) + action KILL; + # filter for syscall "exit" (1) [priority: 65535] + if ($syscall == 1) + action TRACE(1); + # filter for syscall "write" (4) [priority: 65527] + if ($syscall == 4) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (3) [priority: 65525] + if ($syscall == 3) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch riscv64 (3221225715) +if ($arch == 3221225715) + # filter for syscall "open" (4294957130) [priority: 65535] + if ($syscall == 4294957130) + action KILL; + # filter for syscall "exit_group" 
(94) [priority: 65535] + if ($syscall == 94) + action LOG; + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); + # filter for syscall "fstat" (80) [priority: 65535] + if ($syscall == 80) + action KILL_PROCESS; + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(1); + # filter for syscall "write" (64) [priority: 65527] + if ($syscall == 64) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (63) [priority: 65525] + if ($syscall == 63) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; # invalid architecture action action KILL; # diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c index 2f2b516..de3cb8f 100644 --- a/tests/52-basic-load.c +++ b/tests/52-basic-load.c 
@@ -31,15 +31,38 @@ int main(int argc, char *argv[]) int rc; struct util_options opts; scmp_filter_ctx ctx = NULL; + unsigned int api; rc = util_getopt(argc, argv, &opts); if (rc < 0) goto out; + api = seccomp_api_get(); + if (api == 0) { + rc = -EFAULT; + goto out; + } + ctx = seccomp_init(SCMP_ACT_ALLOW); if (ctx == NULL) return ENOMEM; + if (api >= 2) { + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); + if (rc != 0) + goto out; + } + if (api >= 3) { + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1); + if (rc != 0) + goto out; + } + if (api >= 4) { + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1); + if (rc != 0) + goto out; + } + rc = seccomp_load(ctx); out: -- cgit v1.2.1
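Review bot: The `SCMP_FLTATR_CTL_SSB` stanza added in this hunk of tests/52-basic-load.c sets the attribute to `1` without saying what that means, and since this test really loads the filter into the running process a reader may assume `1` turns a mitigation on; as far as I recall the libseccomp man page, it instead permits the filter to be loaded without the Speculative Store Bypass mitigation (the kernel's `SECCOMP_FILTER_FLAG_SPEC_ALLOW`), which is the opposite. A comment such as `/* CTL_SSB=1 asks for a filter that leaves SSB mitigation off; set here only so the load path with that flag is exercised */` would prevent that misreading, and the same applies in spirit to the `TSYNC` and `LOG` stanzas, whose `api >= 2/3/4` thresholds are unexplained. The `api == 0` branch sets `rc = -EFAULT` (negative errno) while the existing `ctx == NULL` path returns a positive `ENOMEM`; a short comment noting that the `out:` label, which lies beyond the end of this hunk, normalises the exit status would help, or the two conventions should be unified.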