From 3c2da115b5b35222afbc62f27779832d47a34786 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Mon, 1 Nov 2021 10:07:44 -0600 Subject: tests: improve 05-sim-long_jumps to work better across arch/ABIs This patch primarily moves the test away from abstract syscall numbers to honest-to-goodness actual syscalls which are present on all currently supported arch/ABIs. This change should make it easier to support this test across different platforms now and moving forward. Signed-off-by: Paul Moore Reviewed-by: Tom Hromatka Signed-off-by: Tom Hromatka --- tests/05-sim-long_jumps.c | 36 ++++++++++++++++++++++-------------- tests/05-sim-long_jumps.py | 30 +++++++++++++++++++----------- tests/05-sim-long_jumps.tests | 29 +++++++++++------------------ 3 files changed, 52 insertions(+), 43 deletions(-) (limited to 'tests') diff --git a/tests/05-sim-long_jumps.c b/tests/05-sim-long_jumps.c index 9acbb91..24e5cf2 100644 --- a/tests/05-sim-long_jumps.c +++ b/tests/05-sim-long_jumps.c @@ -2,6 +2,7 @@ * Seccomp Library test program * * Copyright (c) 2012 Red Hat + * Copyright (c) 2021 Microsoft Corporation * Author: Paul Moore */ @@ -30,7 +31,8 @@ int main(int argc, char *argv[]) { int rc; - int iter; + int iter, ctr; + char *syscall; struct util_options opts; scmp_filter_ctx ctx = NULL; @@ -42,31 +44,37 @@ int main(int argc, char *argv[]) if (ctx == NULL) return ENOMEM; - /* NOTE - syscalls referenced by number to make the test simpler */ - - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1, 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); if (rc != 0) goto out; /* same syscall, many chains */ for (iter = 0; iter < 100; iter++) { - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, - SCMP_A0(SCMP_CMP_EQ, iter), - SCMP_A1(SCMP_CMP_NE, 0x0), - SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 3, + SCMP_A0(SCMP_CMP_EQ, iter), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); if (rc != 0) goto out; } /* many syscalls, same chain */ - for (iter = 100; iter < 200; iter++) { - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, iter, 1, - SCMP_A0(SCMP_CMP_NE, 0)); - if (rc != 0) - goto out; + for (iter = 0, ctr = 0; iter < 10000 && ctr < 100; iter++) { + if (iter == SCMP_SYS(chdir)) + continue; + syscall = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, + iter); + if (syscall) { + free(syscall); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, iter, 1, + SCMP_A0(SCMP_CMP_NE, 0)); + if (rc != 0) + goto out; + ctr++; + } } - rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 4, 0); + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); if (rc != 0) goto out; diff --git a/tests/05-sim-long_jumps.py b/tests/05-sim-long_jumps.py index 1ec9a24..6d9d5d4 100755 --- a/tests/05-sim-long_jumps.py +++ b/tests/05-sim-long_jumps.py @@ -4,6 +4,7 @@ # Seccomp Library test program # # Copyright (c) 2012 Red Hat +# Copyright (c) 2021 Microsoft Corporation # Author: Paul Moore # @@ -30,21 +31,28 @@ from seccomp import * def test(args): f = SyscallFilter(KILL) - # syscalls referenced by number to make the test simpler - f.add_rule_exactly(ALLOW, 1) + f.add_rule(ALLOW, "brk") i = 0 while i < 100: - f.add_rule_exactly(ALLOW, 1000, - Arg(0, EQ, i), - Arg(1, NE, 0), - Arg(2, LT, sys.maxsize)) + f.add_rule(ALLOW, "chdir", + Arg(0, EQ, i), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)) i += 1 - i = 100 - while i < 200: - f.add_rule_exactly(ALLOW, i, - Arg(0, NE, 0)) + i = 0 + ctr = 0 + while i < 10000 and ctr < 100: + sc = i i += 1 - f.add_rule_exactly(ALLOW, 4) + if sc == resolve_syscall(Arch(), "chdir"): + continue + try: + resolve_syscall(Arch(), sc) + except ValueError: + continue + f.add_rule(ALLOW, sc, Arg(0, NE, 0)) + ctr += 1 + f.add_rule(ALLOW, "close") return f args = util.get_opt() diff --git a/tests/05-sim-long_jumps.tests b/tests/05-sim-long_jumps.tests index a2d6dd0..d1eb92c 100644 --- a/tests/05-sim-long_jumps.tests +++ b/tests/05-sim-long_jumps.tests @@ -1,30 +1,23 @@ # # libseccomp regression test automation data # -# Copyright IBM Corp. 2012 +# Copyright (c) 2012 IBM Corp. +# Copyright (c) 2021 Microsoft Corporation # Author: Corey Bryant # test type: bpf-sim # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result -05-sim-long_jumps all,-x32 1 1 2 3 4 5 6 ALLOW -05-sim-long_jumps all,-x32 2 N N N N N N KILL -05-sim-long_jumps all,-x32 999 N N N N N N KILL -05-sim-long_jumps x86 1000 0-5 0x856B008 0x7FFFFFFE N N N ALLOW -05-sim-long_jumps x86_64 1000 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW -05-sim-long_jumps x86 1000 95-99 0x856B008 0x7FFFFFFE N N N ALLOW -05-sim-long_jumps x86_64 1000 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW -05-sim-long_jumps x86 1000 100 0x856B008 0x7FFFFFFE N N N KILL -05-sim-long_jumps x86_64 1000 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL -05-sim-long_jumps all,-x32 1001 N N N N N N KILL -05-sim-long_jumps all,-x32 99 1 N N N N N KILL -05-sim-long_jumps all,-x32 100-105 1 N N N N N ALLOW -05-sim-long_jumps all,-x32 195-199 1 N N N N N ALLOW -05-sim-long_jumps all,-x32 200 1 N N N N N KILL -05-sim-long_jumps all,-x32 3 N N N N N N KILL -05-sim-long_jumps all,-x32 4 1 2 3 4 5 6 ALLOW -05-sim-long_jumps all,-x32 5 N N N N N N KILL +05-sim-long_jumps all,-x32 brk 1 2 3 4 5 6 ALLOW +05-sim-long_jumps all,-x32 9999 N N N N N N KILL +05-sim-long_jumps x86 chdir 0-5 0x856B008 0x7FFFFFFE N N N ALLOW +05-sim-long_jumps x86_64 chdir 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW +05-sim-long_jumps x86 chdir 95-99 0x856B008 0x7FFFFFFE N N N ALLOW +05-sim-long_jumps x86_64 chdir 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW +05-sim-long_jumps x86 chdir 100 0x856B008 0x7FFFFFFE N N N KILL +05-sim-long_jumps x86_64 chdir 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL +05-sim-long_jumps all,-x32 close 1 N N N N N ALLOW test type: bpf-sim-fuzz -- cgit v1.2.1