From e8a8f6d6e80df43e4946fef3882d25dfdf5aa76a Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Wed, 20 Apr 2016 14:30:43 +0000
Subject: [PATCH] tests: workaround kernel bugs in seccomp-strict.test and prctl-seccomp-strict.test
If kernel implementation of strict seccomp mode is buggy, test programs will be killed by SIGKILL. This is a known problem at least on x32 and mips. Skip affected tests if this is the case. This change partially revert commit 9c1a72cd3f3d52d573876ce474b620a5f141fb1b.
* tests/seccomp-strict.c (main): Remove workaround for x32.
* tests/prctl-seccomp-strict.c: Likewise.
* tests/seccomp-strict.test: Skip the test if the test program has been killed by SIGKILL.
* tests/prctl-seccomp-strict.test: Likewise.
---
 tests/prctl-seccomp-strict.c | 13 ++++---------
 tests/prctl-seccomp-strict.test | 12 +++++++++---
 tests/seccomp-strict.c | 13 ++++---------
 tests/seccomp-strict.test | 13 ++++++++++++-
 4 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/tests/prctl-seccomp-strict.c b/tests/prctl-seccomp-strict.c
index 0a0d6a8c..8d1fdfc9 100644
--- a/tests/prctl-seccomp-strict.c
+++ b/tests/prctl-seccomp-strict.c
@@ -41,14 +41,6 @@ int main(void) {
-# if defined __x86_64__ && defined __ILP32__
- /*
- * Syscall numbers are hardcoded in
- * kernel/seccomp.c:__secure_computing_strict(),
- * but x32 syscall numbers are not supported.
- */
- error_msg_and_skip("SECCOMP_MODE_STRICT is not supported on x32");
-# else
 static const char text1[] = "prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) = 0\n";
 static const char text2[] = "+++ exited with 0 +++\n";
@@ -64,12 +56,15 @@ main(void)
 ENOSYS == errno ? "ENOSYS" : "EINVAL");
 fflush(stdout);
 } else {
+ /*
+ * If kernel implementaton of SECCOMP_MODE_STRICT is buggy,
+ * the following syscall will result to SIGKILL.
+ */
 rc += write(1, text1, LENGTH_OF(text1)) != LENGTH_OF(text1);
 }
 rc += write(1, text2, LENGTH_OF(text2)) != LENGTH_OF(text2);
 return !!syscall(__NR_exit, rc);
-# endif
 }
 #else
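Review bot: The comment added in the `else` branch has two wording slips and does not say why a kill at this point indicates a kernel bug: "implementaton" should be "implementation" and "result to SIGKILL" should be "result in SIGKILL". Since write(2) is one of the few syscalls strict mode permits, I would say so, e.g. `/* write(2) is permitted in strict mode; a buggy kernel implementation of SECCOMP_MODE_STRICT kills the process with SIGKILL here. */`. The identical comment is added in the second hunk of tests/seccomp-strict.c and needs the same correction. main() begins before this hunk and the enclosing `if` is only partly visible.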
diff --git a/tests/prctl-seccomp-strict.test b/tests/prctl-seccomp-strict.test
index ff3c4f3b..1f987df7 100755
--- a/tests/prctl-seccomp-strict.test
+++ b/tests/prctl-seccomp-strict.test
@@ -5,9 +5,15 @@ . "${srcdir=.}/init.sh" check_prog grep
-run_prog > /dev/null
-run_strace -eprctl $args > "$EXP"
+set -- "./$NAME"
+"$@" > /dev/null || {
+ case $? in
+ 77) skip_ "$* exited with code 77" ;;
+ 137) framework_skip_ "$* killed by SIGKILL, fix your kernel" ;;
+ *) fail_ "$args failed" ;;
+ esac
+}
+run_strace -eprctl "$@" > "$EXP"
 grep -v '^prctl(PR_GET_' < "$LOG" > "$OUT"
 match_diff "$OUT" "$EXP"
-
 rm -f "$EXP" "$OUT"
diff --git a/tests/seccomp-strict.c b/tests/seccomp-strict.c
index f9fef96d..f615aa18 100644
--- a/tests/seccomp-strict.c
+++ b/tests/seccomp-strict.c
@@ -40,14 +40,6 @@ int main(void) {
-# if defined __x86_64__ && defined __ILP32__
- /*
- * Syscall numbers are hardcoded in
- * kernel/seccomp.c:__secure_computing_strict(),
- * but x32 syscall numbers are not supported.
- */
- error_msg_and_skip("SECCOMP_SET_MODE_STRICT is not supported on x32");
-# else
 static const char text1[] = "seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL) = 0\n";
 static const char text2[] = "+++ exited with 0 +++\n";
@@ -64,12 +56,15 @@ main(void)
 ENOSYS == errno ? "ENOSYS" : "EINVAL");
 fflush(stdout);
 } else {
+ /*
+ * If kernel implementaton of SECCOMP_MODE_STRICT is buggy,
+ * the following syscall will result to SIGKILL.
+ */
 rc += write(1, text1, LENGTH_OF(text1)) != LENGTH_OF(text1);
 }
 rc += write(1, text2, LENGTH_OF(text2)) != LENGTH_OF(text2);
 return !!syscall(__NR_exit, rc);
-# endif
 }
 #else
diff --git a/tests/seccomp-strict.test b/tests/seccomp-strict.test
index 62f66b8a..b354c6a2 100755
--- a/tests/seccomp-strict.test
+++ b/tests/seccomp-strict.test
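Review bot: The fallback branch `*) fail_ "$args failed" ;;` in the tests/prctl-seccomp-strict.test hunk reports `$args`, but nothing in the hunk assigns it now that the `run_prog` call is removed; the other two branches use `$*`, which `set -- "./$NAME"` does populate. If `args` was only ever set by `run_prog` in init.sh (not visible here), the message degrades to " failed" and no longer names the program that broke. I would write `*) fail_ "$* failed" ;;`. The same line is added in the tests/seccomp-strict.test hunk.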
@@ -3,4 +3,15 @@ # Check how seccomp SECCOMP_SET_MODE_STRICT is decoded. . "${srcdir=.}/init.sh"
-run_strace_match_diff -e trace=seccomp
+
+set -- "./$NAME"
+"$@" > /dev/null || {
+ case $? in
+ 77) skip_ "$* exited with code 77" ;;
+ 137) framework_skip_ "$* killed by SIGKILL, fix your kernel" ;;
+ *) fail_ "$args failed" ;;
+ esac
+}
+run_strace -eseccomp "$@" > "$EXP"
+match_diff "$LOG" "$EXP"
+rm -f "$EXP"
-- 2.40.0
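Review bot: The `137)` branch attributes every SIGKILL of the test program to a kernel bug, but exit status 137 only says the process died from signal 9. A kill caused by the test program itself (say, libc issuing a syscall outside the strict-mode allowlist before the final write) would be reported as a framework skip instead of a failure. The value also depends on the shell reporting signals as 128 + signo, which is worth stating next to it, e.g. `# 137 = 128 + SIGKILL (9)`. If the skip is meant only for the known x32 and mips cases named in the commit message, saying so in the skip message would keep unrelated regressions easier to spot. The same `case` is added in the tests/prctl-seccomp-strict.test hunk.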