fflush
file_handle
file_ioctl
+filter_seccomp-perf
filter-unavailable
finit_module
flock
scm_rights
scno.h
seccomp-filter
+filter_seccomp-flag
seccomp-filter-v
seccomp-strict
seccomp_get_action_avail
status-all
status-failed
status-none
+status-none-f
status-none-threads
status-successful
status-unfinished
delay \
execve-v \
execveat-v \
+ filter_seccomp-flag \
+ filter_seccomp-perf \
filter-unavailable \
fork-f \
fsync-y \
detach-sleeping.test \
detach-stopped.test \
fflush.test \
+ filter_seccomp-perf.test \
filter-unavailable.test \
filtering_fd-syntax.test \
filtering_syscall-syntax.test \
eventfd.expected \
fadvise.h \
fcntl-common.c \
+ filter_seccomp.in \
+ filter_seccomp.sh \
filter-unavailable.expected \
fstatat.c \
fstatx.c \
--- /dev/null
+/*
+ * Check that syscall numbers do not conflict with seccomp filter flags.
+ *
+ * Copyright (c) 2019 Paul Chaignon <paul.chaignon@gmail.com>
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include "arch_defs.h"
+#include "sysent.h"
+#include "scno.h"
+#include <linux/audit.h>
+
+#ifdef __x86_64__
+# ifndef __X32_SYSCALL_BIT
+# define __X32_SYSCALL_BIT 0x40000000
+# endif
+#endif
+
+/* Define these shorthand notations to simplify the syscallent files. */
+#include "sysent_shorthand_defs.h"
+
+const struct_sysent sysent0[] = {
+#include "syscallent.h"
+};
+
+#if SUPPORTED_PERSONALITIES > 1
+static const struct_sysent sysent1[] = {
+# include "syscallent1.h"
+};
+#endif
+
+#if SUPPORTED_PERSONALITIES > 2
+static const struct_sysent sysent2[] = {
+# include "syscallent2.h"
+};
+#endif
+
+const unsigned int nsyscall_vec[SUPPORTED_PERSONALITIES] = {
+ ARRAY_SIZE(sysent0),
+#if SUPPORTED_PERSONALITIES > 1
+ ARRAY_SIZE(sysent1),
+#endif
+#if SUPPORTED_PERSONALITIES > 2
+ ARRAY_SIZE(sysent2),
+#endif
+};
+
+struct audit_arch_t {
+ unsigned int arch;
+ unsigned int flag;
+};
+
+static const struct audit_arch_t audit_arch_vec[SUPPORTED_PERSONALITIES] = {
+#if SUPPORTED_PERSONALITIES > 1
+ PERSONALITY0_AUDIT_ARCH,
+ PERSONALITY1_AUDIT_ARCH,
+# if SUPPORTED_PERSONALITIES > 2
+ PERSONALITY2_AUDIT_ARCH,
+# endif
+#endif
+};
+
+int
+main(void)
+{
+ for (unsigned int p = 0; p < SUPPORTED_PERSONALITIES; ++p) {
+ if (!audit_arch_vec[p].flag)
+ continue;
+ for (unsigned int nr = 1; nr < nsyscall_vec[p]; ++nr) {
+ if (!(audit_arch_vec[p].flag & nr))
+ continue;
+ error_msg_and_fail("system call number %u of"
+ " personality %u conflicts with"
+ " seccomp filter flag %#x",
+ nr, p, audit_arch_vec[p].flag);
+ }
+ }
+ return 0;
+}
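Review bot: `sysent0` and `nsyscall_vec` are defined with external linkage while `sysent1`/`sysent2` are `static`; unless a header pulled in through tests.h or sysent.h declares them `extern`, `static const struct_sysent sysent0[]` and `static const unsigned int nsyscall_vec[SUPPORTED_PERSONALITIES]` would keep the file self-contained and consistent with its siblings. When SUPPORTED_PERSONALITIES is 1 the initializer of `audit_arch_vec` reduces to an empty `{ }`, which is a GNU extension under C11 (standard only from C23); it is harmless here because the loop in main skips entries whose `flag` is zero, but a short comment saying so would save the next reader the question. The `__X32_SYSCALL_BIT` fallback is not referenced anywhere in this file, so a comment such as `/* presumably consumed by the x32 syscall table or PERSONALITY2_AUDIT_ARCH included below — confirm */` would document why it is defined here.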
--- /dev/null
+/*
+ * Check seccomp filter performance.
+ *
+ * Copyright (c) 2019 Paul Chaignon <paul.chaignon@gmail.com>
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static volatile bool stop = false;
+
+static void
+handler(int signo)
+{
+ stop = true;
+}
+
+int
+main(void)
+{
+ unsigned int i;
+ int rc = 0;
+
+ signal(SIGALRM, handler);
+ alarm(1);
+
+ for (i = 0; !stop; i++) {
+ rc |= chdir(".");
+ }
+ printf("%d\n", i);
+ return rc;
+}
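Review bot: `printf("%d\n", i)` prints the `unsigned int` counter with a signed conversion; the specifier and the argument type must match, so this should be `printf("%u\n", i);`. The `stop` flag is written from a signal handler, and C11 guarantees that only for `volatile sig_atomic_t` (or lock-free atomics), so `static volatile sig_atomic_t stop = 0;` is the portable form (the `<stdbool.h>` include then becomes unused). Folding `chdir` failures into `rc` makes main return -1, i.e. exit status 255, without saying what failed; stopping at the first failure with `perror_msg_and_fail("chdir")` would make the failure visible in the log. The `signo` parameter of `handler` is unused, which `-Wextra` will report unless the project already marks such parameters.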
--- /dev/null
+#!/bin/sh
+#
+# Check seccomp filter performance.
+#
+# Copyright (c) 2019 Paul Chaignon <paul.chaignon@gmail.com>
+# Copyright (c) 2019 The strace developers.
+# All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+. "${srcdir=.}/init.sh"
+. "${srcdir=.}/filter_seccomp.sh"
+
+args="-f -qq -e signal=none -e trace=fchdir ../$NAME"
+num_regular="$(run_strace $args)"
+mv "$LOG" "$LOG.regular"
+num_seccomp="$(run_strace --seccomp-bpf $args)"
+mv "$LOG" "$LOG.seccomp"
+match_diff "$LOG.regular" "$LOG.seccomp"
+
+min_ratio=8
+# With seccomp filter enabled, we should be able to complete
+# at least $min_ratio times more chdir system calls.
+ratio="$((num_seccomp / num_regular))"
+if [ "$ratio" -lt "$min_ratio" ]; then
+ fail_ "Only $ratio times more syscalls performed with seccomp filter enabled, expected at least $min_ratio times speedup"
+fi
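Review bot: `ratio="$((num_seccomp / num_regular))"` aborts the script with a shell arithmetic error when `num_regular` is empty or 0 — for example when the regular run produced no count — instead of reporting through `fail_`; a guard such as `[ "$num_regular" -gt 0 ] 2> /dev/null || fail_ "no syscall count from regular run: '$num_regular'"` placed before the division turns that into a proper test failure. The check compares two timing-based counts, since the traced program runs until its one-second alarm fires, so a comment noting that the ratio depends on machine load and that `$args` is intentionally left unquoted so it is word-split into separate strace options would help whoever has to look into a flaky run.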
--- /dev/null
+fork-f -a26 -qq -e signal=none -e trace=chdir
+vfork-f -a26 -qq -e signal=none -e trace=chdir
+fork-f -a26 -qq -e signal=none -e trace=chdir,%memory,%ipc,%pure,%signal,%network -e status=failed
+status-none-f -e trace=!ptrace -e status=none
--- /dev/null
+#!/bin/sh
+#
+# Skip the test if seccomp filter is not available.
+#
+# Copyright (c) 2019 The strace developers.
+# All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+$STRACE --seccomp-bpf -f -e trace=fchdir / > /dev/null 2> "$LOG" ||:
+if grep -x "[^:]*strace: seccomp filter is requested but unavailable" \
+ "$LOG" > /dev/null; then
+ skip_ 'seccomp filter is unavailable'
+fi
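Review bot: The probe runs `$STRACE --seccomp-bpf -f -e trace=fchdir /` with a directory as the program to trace and nothing says why; presumably `/` is chosen because it cannot be executed, so only strace's start-up path runs and the unavailability message is emitted before any tracee exists. A comment above the line, e.g. `# A non-executable path is used as the tracee on purpose: only strace's start-up (seccomp availability check) needs to run.`, would make that explicit, and it is worth confirming that the message is indeed produced before the exec attempt rather than after it. The trailing `||:` deliberately discards strace's exit status, which also deserves a word, since on first reading it looks like an error being swallowed.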
fdatasync -a14
file_handle -e trace=name_to_handle_at,open_by_handle_at
file_ioctl +ioctl.test
+filter_seccomp . "${srcdir=.}/filter_seccomp.sh"; test_prog_set --seccomp-bpf -f
+filter_seccomp-flag ../$NAME
finit_module -a25
flock -a19
fork-f -a26 -qq -f -e signal=none -e trace=chdir
< negative.list
}
+test_prog_set()
+{
+ test_pure_prog_set "$@" < "$srcdir/$NAME.in"
+}
+
check_prog cat
check_prog rm
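Review bot: `test_prog_set` carries no description; a one-line comment such as `# Run the programs listed in $srcdir/$NAME.in under strace with the given options.` would tell a test author when to use it instead of calling `test_pure_prog_set` directly — hedged, since `test_pure_prog_set` is defined outside this hunk and its exact contract is not visible here. The function preceding the addition is closed by the `}` context line and starts outside the hunk.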
status-all
status-failed
status-none
+status-none-f
status-successful
status-unfinished
statx
--- /dev/null
+/*
+ * Check basic seccomp filtering with large number of traced syscalls.
+ *
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <stdio.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+ printf("%-5d +++ exited with 0 +++\n", getpid());
+ return 0;
+}