Signed-off-by: Paul Moore <[email protected]>
---
tests/.gitignore | 2 +
tests/16-arch-basic.c | 92 ++++++++++++++++++++++++++++++++++++++
tests/16-arch-basic.tests | 24 ++++++++++
tests/17-arch-merge.c | 110 +++++++++++++++++++++++++++++++++++++++++++++
tests/17-arch-merge.tests | 24 ++++++++++
tests/Makefile | 4 +-
6 files changed, 255 insertions(+), 1 deletion(-)
create mode 100644 tests/16-arch-basic.c
create mode 100644 tests/16-arch-basic.tests
create mode 100644 tests/17-arch-merge.c
create mode 100644 tests/17-arch-merge.tests
diff --git a/tests/.gitignore b/tests/.gitignore
index 4766982..7bc23f4 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -14,3 +14,5 @@
 13-attrs
 14-reset
 15-resolver
+16-arch-basic
+17-arch-merge
diff --git a/tests/16-arch-basic.c b/tests/16-arch-basic.c
new file mode 100644
index 0000000..e053db2
--- /dev/null
+++ b/tests/16-arch-basic.c
@@ -0,0 +1,92 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ goto out;
+
+ if (seccomp_arch_exist(ctx, SCMP_ARCH_X86) == -EEXIST) {
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ }
+ if (seccomp_arch_exist(ctx, SCMP_ARCH_X86_64) == -EEXIST) {
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ }
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/16-arch-basic.tests b/tests/16-arch-basic.tests
new file mode 100644
index 0000000..053c849
--- /dev/null
+++ b/tests/16-arch-basic.tests
@@ -0,0 +1,24 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+16-arch-basic all read 0 0x856B008 10 N N N ALLOW
+16-arch-basic all read 1-10 0x856B008 10 N N N KILL
+16-arch-basic all write 1-2 0x856B008 10 N N N ALLOW
+16-arch-basic all write 3-10 0x856B008 10 N N N KILL
+16-arch-basic all close N N N N N N ALLOW
+16-arch-basic all open 0x856B008 4 N N N N KILL
+16-arch-basic all socket 0 1 2 N N N ALLOW
+16-arch-basic all connect 0 1 2 N N N ALLOW
+16-arch-basic all shutdown 0 1 2 N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+16-arch-basic 150
diff --git a/tests/17-arch-merge.c b/tests/17-arch-merge.c
new file mode 100644
index 0000000..61e1490
--- /dev/null
+++ b/tests/17-arch-merge.c
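Review bot: In tests/16-arch-basic.c `ctx` is declared without an initializer, yet the `goto out` taken when util_getopt() fails reaches `seccomp_release(ctx)` before seccomp_init() has assigned it, so the release runs on an indeterminate pointer. Declare it as `scmp_filter_ctx ctx = NULL;` (assuming seccomp_release() tolerates NULL, which is not visible here) or add a second exit label that skips the release. When seccomp_init() returns NULL, rc still holds util_getopt()'s non-negative result, so a failed init can be reported as success; set `rc = -ENOMEM;` before that `goto out`. tests/17-arch-merge.c has the same pattern with two contexts: its `out_all` path releases `ctx_32` and then `ctx_64`, either of which may be unassigned, so `scmp_filter_ctx ctx_64 = NULL, ctx_32 = NULL;` and the same rc assignment apply there.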
@@ -0,0 +1,110 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <[email protected]>
+ * Author: Paul Moore <[email protected]>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx_64, ctx_32;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out_all;
+
+ ctx_32 = seccomp_init(SCMP_ACT_KILL);
+ if (ctx_32 == NULL)
+ goto out_all;
+ ctx_64 = seccomp_init(SCMP_ACT_KILL);
+ if (ctx_64 == NULL)
+ goto out_all;
+
+ if (seccomp_arch_exist(ctx_32, SCMP_ARCH_X86) == -EEXIST) {
+ rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out_all;
+ rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out_all;
+ }
+ if (seccomp_arch_exist(ctx_64, SCMP_ARCH_X86_64) == -EEXIST) {
+ rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out_all;
+ rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out_all;
+ }
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out_all;
+
+ rc = seccomp_merge(ctx_64, ctx_32);
+ if (rc != 0)
+ goto out_all;
+
+ /* NOTE: ctx_32 is no longer valid at this point */
+
+ rc = util_filter_output(&opts, ctx_64);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx_64);
+ return (rc < 0 ? -rc : rc);
+out_all:
+ seccomp_release(ctx_32);
+ goto out;
+}
diff --git a/tests/17-arch-merge.tests b/tests/17-arch-merge.tests
new file mode 100644
index 0000000..e2bd53c
--- /dev/null
+++ b/tests/17-arch-merge.tests
@@ -0,0 +1,24 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+17-arch-merge x86 read 0 0x856B008 10 N N N ALLOW
+17-arch-merge x86 read 1-10 0x856B008 10 N N N KILL
+17-arch-merge x86 write 1-2 0x856B008 10 N N N ALLOW
+17-arch-merge x86 write 3-10 0x856B008 10 N N N KILL
+17-arch-merge x86 close N N N N N N ALLOW
+17-arch-merge x86 open 0x856B008 4 N N N N KILL
+17-arch-merge x86_64 socket 0 1 2 N N N ALLOW
+17-arch-merge x86_64 connect 0 1 2 N N N ALLOW
+17-arch-merge x86_64 shutdown 0 1 2 N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+17-arch-merge 150
diff --git a/tests/Makefile b/tests/Makefile
index bf62769..e3714f2 100644
--- a/tests/Makefile
+++ b/tests/Makefile
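Review bot: The bpf-sim table in tests/17-arch-merge.tests exercises each syscall only on the architecture whose context added the rule, so it would still pass if seccomp_merge() let the x86 allow rules leak into the x86_64 filter. Since the x86_64 context is built with a default of SCMP_ACT_KILL and only socket, connect and shutdown rules, cross-architecture negative rows such as `17-arch-merge x86_64 read 0 0x856B008 10 N N N KILL` and `17-arch-merge x86_64 close N N N N N N KILL` would pin the per-architecture isolation this test is meant to cover. The expected results are inferred from the rules in 17-arch-merge.c and should be confirmed against the simulator.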
@@ -50,7 +50,9 @@ TESTS = 01-allow \ 12-basic-masked-ops \ 13-attrs \ 14-reset \ - 15-resolver + 15-resolver \ + 16-arch-basic \ + 17-arch-merge DEPS_OBJS = $(OBJS:%.o=%.d) DEPS_TESTS = $(TESTS:%=%.d) ------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
