tests: add a test for SECCOMP_MODE_FILTER decoding

author Dmitry V. Levin <ldv@altlinux.org>

Thu, 19 Mar 2015 00:40:49 +0000 (00:40 +0000)

committer Dmitry V. Levin <ldv@altlinux.org>

Thu, 19 Mar 2015 00:40:49 +0000 (00:40 +0000)
author Dmitry V. Levin <ldv@altlinux.org>
Thu, 19 Mar 2015 00:40:49 +0000 (00:40 +0000)
committer Dmitry V. Levin <ldv@altlinux.org>
Thu, 19 Mar 2015 00:40:49 +0000 (00:40 +0000)
diff --git a/tests/.gitignore b/tests/.gitignore

index 8efb0ef1d52f67ea0bcf68f0d307c52fb7a81b06..9fdbe4d86308b40f693c6d44ed2728a51119647b 100644 (file)
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -12,6 +12,7 @@ netlink_inet_diag
  netlink_unix_diag
  pc
  scm_rights
+seccomp
  select
  set_ptracer_any
  sigaction
diff --git a/tests/Makefile.am b/tests/Makefile.am

index 0acad4df71c666148cd6ae71718c0141a9d0ee98..930f6d95ed1d4bdf1933b8d19d2be5a34890b918 100644 (file)
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -21,6 +21,7 @@ check_PROGRAMS = \
         netlink_unix_diag \
         pc \
         scm_rights \
+       seccomp \
         select \
         set_ptracer_any \
         sigaction \
@@ -56,6 +57,7 @@ TESTS = \
         ipc_shm.test \
         ipc_sem.test \
         scm_rights-fd.test \
+       seccomp.test \
         select.test \
         sigaction.test \
         sigreturn.test \
diff --git a/tests/seccomp.c b/tests/seccomp.c

new file mode 100644 (file)

index 0000000..01fe2eb
--- /dev/null
+++ b/tests/seccomp.c
@@ -0,0 +1,113 @@
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stddef.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/syscall.h>
+
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif
+#ifdef HAVE_LINUX_SECCOMP_H
+# include <linux/seccomp.h>
+#endif
+#ifdef HAVE_LINUX_FILTER_H
+# include <linux/filter.h>
+#endif
+
+#if defined HAVE_PRCTL \
+ && defined PR_SET_NO_NEW_PRIVS \
+ && defined PR_SET_SECCOMP \
+ && defined SECCOMP_MODE_FILTER \
+ && defined SECCOMP_RET_ERRNO \
+ && defined BPF_JUMP \
+ && defined BPF_STMT
+
+#define SOCK_FILTER_ALLOW_SYSCALL(nr) \
+               BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, __NR_ ## nr, 0, 1), \
+               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+
+#define SOCK_FILTER_DENY_SYSCALL(nr, err) \
+               BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, __NR_ ## nr, 0, 1), \
+               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (SECCOMP_RET_DATA & (err)))
+
+#define SOCK_FILTER_KILL_PROCESS \
+               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)
+
+#define PRINT_ALLOW_SYSCALL(nr) \
+       printf("BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, %#x, 0, 0x1), " \
+              "BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), ", \
+              __NR_ ## nr)
+
+#define PRINT_DENY_SYSCALL(nr, err) \
+       printf("BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, %#x, 0, 0x1), " \
+              "BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | %#x), ", \
+              __NR_ ## nr, err)
+
+static const struct sock_filter filter[] = {
+       /* load syscall number */
+       BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+       /* allow syscalls */
+       SOCK_FILTER_ALLOW_SYSCALL(close),
+       SOCK_FILTER_ALLOW_SYSCALL(exit),
+       SOCK_FILTER_ALLOW_SYSCALL(exit_group),
+
+       /* deny syscalls */
+       SOCK_FILTER_DENY_SYSCALL(sync, EBUSY),
+       SOCK_FILTER_DENY_SYSCALL(setsid, EPERM),
+
+       /* kill process */
+       SOCK_FILTER_KILL_PROCESS
+};
+
+static const struct sock_fprog prog = {
+       .len = sizeof(filter) / sizeof(filter[0]),
+       .filter = (struct sock_filter *) filter,
+};
+
+int
+main(void)
+{
+       int fds[2];
+
+       puts("prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0");
+
+       printf("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, [");
+
+       printf("BPF_STMT(BPF_LD | BPF_W | BPF_ABS, %#x), ",
+              (unsigned) offsetof(struct seccomp_data, nr));
+
+       PRINT_ALLOW_SYSCALL(close);
+       PRINT_ALLOW_SYSCALL(exit);
+       PRINT_ALLOW_SYSCALL(exit_group);
+
+       PRINT_DENY_SYSCALL(sync, EBUSY),
+       PRINT_DENY_SYSCALL(setsid, EPERM),
+
+       printf("BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)");
+
+       puts("]) = 0");
+       puts("+++ exited with 0 +++");
+
+       fflush(stdout);
+       close(0);
+       close(1);
+
+       if (pipe(fds) ||
+           prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
+           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) ||
+           close(0) || close(1))
+               _exit(77);
+
+       _exit(0);
+}
+
+#else
+
+int main(void) { return 77; }
+
+#endif
diff --git a/tests/seccomp.test b/tests/seccomp.test

new file mode 100755 (executable)

index 0000000..4101cae
--- /dev/null
+++ b/tests/seccomp.test
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Check how SECCOMP_MODE_FILTER is decoded.
+
+. "${srcdir=.}/init.sh"
+
+OUT="$LOG.out"
+
+run_prog > /dev/null
+run_strace -veprctl $args > "$OUT"
+match_diff "$LOG" "$OUT"
+
+rm -f "$OUT"
+
+exit 0
author	Dmitry V. Levin <ldv@altlinux.org>
	Thu, 19 Mar 2015 00:40:49 +0000 (00:40 +0000)
committer	Dmitry V. Levin <ldv@altlinux.org>
	Thu, 19 Mar 2015 00:40:49 +0000 (00:40 +0000)
tests/.gitignore		patch \| blob \| history
tests/Makefile.am		patch \| blob \| history
tests/seccomp.c	[new file with mode: 0644]	patch \| blob
tests/seccomp.test	[new file with mode: 0755]	patch \| blob