From 6b286c2e8e43de76746346b8eab855311915f5aa Mon Sep 17 00:00:00 2001
From: Paul Moore
Date: Sat, 13 Jun 2020 15:47:49 -0400
Subject: api: add API level 6
API level 6 allows callers to use both the TSYNC and notify APIs at the same time. This is due to the TSYNC_ESRCH flag which was added in Linux v5.7. This patch also fixes some omissions in seccomp_api_set().
Acked-by: Tom Hromatka
Signed-off-by: Paul Moore
---
 tests/.gitignore | 1 +
 tests/39-basic-api_level.c | 9 ++-
 tests/39-basic-api_level.py | 7 ++-
 tests/58-live-tsync_notify.c | 116 +++++++++++++++++++++++++++++++++++++++
 tests/58-live-tsync_notify.py | 61 ++++++++++++++++++++
 tests/58-live-tsync_notify.tests | 11 ++++
 tests/Makefile.am | 9 ++-
 7 files changed, 209 insertions(+), 5 deletions(-)
 create mode 100644 tests/58-live-tsync_notify.c
 create mode 100755 tests/58-live-tsync_notify.py
 create mode 100644 tests/58-live-tsync_notify.tests
(limited to 'tests')
diff --git a/tests/.gitignore b/tests/.gitignore
index 59eb15c..1929840 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -63,3 +63,4 @@ util.pyc
 55-basic-pfc_binary_tree
 56-basic-iterate_syscalls
 57-basic-rawsysrc
+58-live-tsync_notify
diff --git a/tests/39-basic-api_level.c b/tests/39-basic-api_level.c
index 72801b5..6c31be1 100644
--- a/tests/39-basic-api_level.c
+++ b/tests/39-basic-api_level.c
@@ -68,13 +68,20 @@ int main(int argc, char *argv[])
 if (api != 5)
 return -11;
 
+ rc = seccomp_api_set(6);
+ if (rc != 0)
+ return -12;
+ api = seccomp_api_get();
+ if (api != 6)
+ return -13;
+
 /* Attempt to set a high, invalid API level */
 rc = seccomp_api_set(1024);
 if (rc != -EINVAL)
 return -1001;
 /* Ensure that the previously set API level didn't change */
 api = seccomp_api_get();
- if (api != 5)
+ if (api != 6)
 return -1002;
 
 return 0;
diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
index 755ca02..352568e 100755
--- a/tests/39-basic-api_level.py
+++ b/tests/39-basic-api_level.py
@@ -60,6 +60,11 @@ def test():
 if api != 5:
 raise RuntimeError("Failed getting API level 5")
 
+ set_api(6)
+ api = get_api()
+ if api != 6:
+ raise RuntimeError("Failed getting API level 6")
+
 # Attempt to set a high, invalid API level
 try:
 set_api(1024)
@@ -69,7 +74,7 @@ def test():
 raise RuntimeError("Missing failure when setting invalid API level")
 # Ensure that the previously set API level didn't change
 api = get_api()
- if api != 5:
+ if api != 6:
 raise RuntimeError("Failed getting old API level after setting an invalid API level")
 
 test()
diff --git a/tests/58-live-tsync_notify.c b/tests/58-live-tsync_notify.c
new file mode 100644
index 0000000..86e1b0c
--- /dev/null
+++ b/tests/58-live-tsync_notify.c
@@ -0,0 +1,116 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc.
+ * Author: Paul Moore
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see .
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util.h"
+
+#define MAGIC 0x1122334455667788UL
+
+int main(int argc, char *argv[])
+{
+ int rc, fd = -1, status;
+ struct seccomp_notif *req = NULL;
+ struct seccomp_notif_resp *resp = NULL;
+ scmp_filter_ctx ctx = NULL;
+ pid_t pid = 0;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+ if (rc)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_notify_fd(ctx);
+ if (rc < 0)
+ goto out;
+ fd = rc;
+
+ pid = fork();
+ if (pid == 0)
+ exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+
+ rc = seccomp_notify_alloc(&req, &resp);
+ if (rc)
+ goto out;
+
+ rc = seccomp_notify_receive(fd, req);
+ if (rc)
+ goto out;
+ if (req->data.nr != SCMP_SYS(getpid)) {
+ rc = -EFAULT;
+ goto out;
+ }
+ rc = seccomp_notify_id_valid(fd, req->id);
+ if (rc)
+ goto out;
+
+ resp->id = req->id;
+ resp->val = MAGIC;
+ resp->error = 0;
+ resp->flags = 0;
+ rc = seccomp_notify_respond(fd, resp);
+ if (rc)
+ goto out;
+
+ if (waitpid(pid, &status, 0) != pid) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+ if (!WIFEXITED(status)) {
+ rc = -EFAULT;
+ goto out;
+ }
+ if (WEXITSTATUS(status)) {
+ rc = -EFAULT;
+ goto out;
+ }
+
+out:
+ if (fd >= 0)
+ close(fd);
+ if (pid)
+ kill(pid, SIGKILL);
+ seccomp_notify_free(req, resp);
+ seccomp_release(ctx);
+
+ if (rc != 0)
+ return (rc < 0 ? -rc : rc);
+ return 160;
+}
diff --git a/tests/58-live-tsync_notify.py b/tests/58-live-tsync_notify.py
new file mode 100755
index 0000000..ae01b06
--- /dev/null
+++ b/tests/58-live-tsync_notify.py
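Review bot: The return value of `fork()` in `main()` is never checked for failure, yet the cleanup at `out:` runs `if (pid) kill(pid, SIGKILL);`, so a failed fork leaves `pid == -1` and `kill(-1, SIGKILL)` would signal every process the test is permitted to signal. Before reaching that point, `seccomp_notify_receive()` would presumably also wait on a notification that no child will ever generate. Add `if (pid < 0) { rc = -errno; goto out; }` directly after the fork and tighten the cleanup guard to `if (pid > 0)`. On the success path the child has already been reaped by `waitpid()` when the cleanup kill runs, so resetting `pid = 0` after a successful wait would also avoid signalling a PID that may have been reused.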
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc.
+# Author: Paul Moore
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see .
+#
+
+import argparse
+import os
+import signal
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ magic = os.getuid() + 1
+ f = SyscallFilter(ALLOW)
+ f.set_attr(Attr.CTL_TSYNC, 1)
+ f.add_rule(NOTIFY, "getuid")
+ f.load()
+ pid = os.fork()
+ if pid == 0:
+ val = os.getuid()
+ if val != magic:
+ raise RuntimeError("Response return value failed")
+ quit(1)
+ quit(0)
+ else:
+ notify = f.receive_notify()
+ if notify.syscall != resolve_syscall(Arch(), "getuid"):
+ raise RuntimeError("Notification failed")
+ f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+ wpid, rc = os.waitpid(pid, 0)
+ if os.WIFEXITED(rc) == 0:
+ raise RuntimeError("Child process error")
+ if os.WEXITSTATUS(rc) != 0:
+ raise RuntimeError("Child process error")
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/58-live-tsync_notify.tests b/tests/58-live-tsync_notify.tests
new file mode 100644
index 0000000..6c84891
--- /dev/null
+++ b/tests/58-live-tsync_notify.tests
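Review bot: In the child branch of `test()`, `quit(1)` comes straight after `raise RuntimeError("Response return value failed")` and is itself followed by `quit(0)`, so however the lost indentation nests them, one of the two calls can never run. As written, the child's failure status can only come from the uncaught exception. Pick one mechanism: either drop the dead `quit(1)`, or replace the `raise` with an explicit non-zero exit. In a forked child `os._exit(0)` / `os._exit(1)` is the safer choice, because `quit()` is a helper installed by the `site` module and raises `SystemExit`, which runs interpreter cleanup inherited from the parent. `argparse`, `signal`, `sys` and `util` are imported but never referenced in this new file.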
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc.
+# Author: Paul Moore
+#
+
+test type: live
+
+# Testname API Result
+58-live-tsync_notify 6 ALLOW
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1765eec..ddacbf3 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -96,7 +96,8 @@ check_PROGRAMS = \
 54-live-binary_tree \
 55-basic-pfc_binary_tree \
 56-basic-iterate_syscalls \
- 57-basic-rawsysrc
+ 57-basic-rawsysrc \
+ 58-live-tsync_notify
 
 EXTRA_DIST_TESTPYTHON = \
 util.py \
@@ -153,7 +154,8 @@ EXTRA_DIST_TESTPYTHON = \
 52-basic-load.py \
 53-sim-binary_tree.py \
 54-live-binary_tree.py \
- 56-basic-iterate_syscalls.py
+ 56-basic-iterate_syscalls.py \
+ 58-live-tsync_notify.py
 
 EXTRA_DIST_TESTCFGS = \
 01-sim-allow.tests \
@@ -212,7 +214,8 @@ EXTRA_DIST_TESTCFGS = \
 54-live-binary_tree.tests \
 55-basic-pfc_binary_tree.tests \
 56-basic-iterate_syscalls.tests \
- 57-basic-rawsysrc.tests
+ 57-basic-rawsysrc.tests \
+ 58-live-tsync_notify.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \
--
cgit v1.2.1