Signed-off-by: Paul Moore <[email protected]> --- tests/01-allow.py | 39 ++++++++++++ tests/02-basic.py | 43 +++++++++++++ tests/03-basic-chains.py | 44 +++++++++++++ tests/04-multilevel-chains.py | 55 +++++++++++++++++ tests/05-long-jumps.py | 55 +++++++++++++++++ tests/06-actions.py | 44 +++++++++++++ tests/07-db-bug-looping.py | 44 +++++++++++++ tests/08-subtree-checks.py | 121 +++++++++++++++++++++++++++++++++++++ tests/09-syscall-priority-pre.py | 46 ++++++++++++++ tests/10-syscall-priority-post.py | 46 ++++++++++++++ tests/11-basic-errors.py | 85 ++++++++++++++++++++++++++ tests/12-basic-masked-ops.c | 3 + tests/12-basic-masked-ops.py | 60 ++++++++++++++++++ tests/13-attrs.py | 48 +++++++++++++++ tests/14-reset.py | 42 +++++++++++++ tests/15-resolver.py | 44 +++++++++++++ tests/16-arch-basic.py | 50 +++++++++++++++ tests/17-arch-merge.py | 54 +++++++++++++++++ 18 files changed, 923 insertions(+) create mode 100755 tests/01-allow.py create mode 100755 tests/02-basic.py create mode 100755 tests/03-basic-chains.py create mode 100755 tests/04-multilevel-chains.py create mode 100755 tests/05-long-jumps.py create mode 100755 tests/06-actions.py create mode 100755 tests/07-db-bug-looping.py create mode 100755 tests/08-subtree-checks.py create mode 100755 tests/09-syscall-priority-pre.py create mode 100755 tests/10-syscall-priority-post.py create mode 100755 tests/11-basic-errors.py create mode 100755 tests/12-basic-masked-ops.py create mode 100755 tests/13-attrs.py create mode 100755 tests/14-reset.py create mode 100755 tests/15-resolver.py create mode 100755 tests/16-arch-basic.py create mode 100755 tests/17-arch-merge.py
diff --git a/tests/01-allow.py b/tests/01-allow.py new file mode 100755 index 0000000..afc8a7d --- /dev/null +++ b/tests/01-allow.py @@ -0,0 +1,39 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(ALLOW) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/02-basic.py b/tests/02-basic.py new file mode 100755 index 0000000..561fb3d --- /dev/null +++ b/tests/02-basic.py @@ -0,0 +1,43 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule_exactly(ALLOW, "read"); + f.add_rule_exactly(ALLOW, "write"); + f.add_rule_exactly(ALLOW, "close"); + f.add_rule_exactly(ALLOW, "rt_sigreturn"); + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/03-basic-chains.py b/tests/03-basic-chains.py new file mode 100755 index 0000000..c2a1e5d --- /dev/null +++ b/tests/03-basic-chains.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())); + f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())); + f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())); + f.add_rule_exactly(ALLOW, "close"); + f.add_rule_exactly(ALLOW, "rt_sigreturn"); + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/04-multilevel-chains.py b/tests/04-multilevel-chains.py new file mode 100755 index 0000000..77b0de7 --- /dev/null +++ b/tests/04-multilevel-chains.py @@ -0,0 +1,55 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule_exactly(ALLOW, "open"); + f.add_rule_exactly(ALLOW, "close"); + f.add_rule_exactly(ALLOW, "read", + Arg(0, EQ, sys.stdin.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)); + f.add_rule_exactly(ALLOW, "write", + Arg(0, EQ, sys.stdout.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)); + f.add_rule_exactly(ALLOW, "write", + Arg(0, EQ, sys.stderr.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)); + f.add_rule_exactly(ALLOW, "close"); + f.add_rule_exactly(ALLOW, "rt_sigreturn"); + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/05-long-jumps.py b/tests/05-long-jumps.py new file mode 100755 index 0000000..14c83a6 --- /dev/null +++ b/tests/05-long-jumps.py @@ -0,0 +1,55 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + # syscalls referenced by number to make the test simpler + f.add_rule_exactly(ALLOW, 1) + i = 0 + while i < 600: + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, i), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)) + i += 1 + i = 100 + while i < 700: + f.add_rule_exactly(ALLOW, i, + Arg(0, NE, 0)) + i += 1 + f.add_rule_exactly(ALLOW, 4) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; + diff --git a/tests/06-actions.py b/tests/06-actions.py new file mode 100755 index 0000000..1e25c3b --- /dev/null +++ b/tests/06-actions.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import errno +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule(ALLOW, "read") + f.add_rule(ERRNO(errno.EPERM), "write") + f.add_rule(TRAP, "close") + f.add_rule(TRACE(1234), "open") + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/07-db-bug-looping.py b/tests/07-db-bug-looping.py new file mode 100755 index 0000000..8fabea0 --- /dev/null +++ b/tests/07-db-bug-looping.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + # the next three seccomp_rule_add_exact() calls for read must go together + # in this order to catch an infinite loop. + f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdout)) + f.add_rule(ALLOW, "read", Arg(1, EQ, 0)) + f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin)) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/08-subtree-checks.py b/tests/08-subtree-checks.py new file mode 100755 index 0000000..4b2ba4e --- /dev/null +++ b/tests/08-subtree-checks.py @@ -0,0 +1,121 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + # the syscall and argument numbers are all fake to make the test simpler + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, 0), + Arg(1, EQ, 1)) + f.add_rule_exactly(ALLOW, 1000, + Arg(1, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1001, + Arg(1, EQ, 1)) + f.add_rule_exactly(ALLOW, 1001, + Arg(0, EQ, 0), + Arg(1, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1002, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 3)) + f.add_rule_exactly(ALLOW, 1002, + Arg(1, EQ, 1), + Arg(2, EQ, 2)) + + f.add_rule_exactly(ALLOW, 1003, + Arg(1, EQ, 1), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1003, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 3)) + + f.add_rule_exactly(ALLOW, 1004, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 3)) + f.add_rule_exactly(ALLOW, 1004, + Arg(0, EQ, 0), + Arg(1, EQ, 11)) + f.add_rule_exactly(ALLOW, 1004, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 33)) + f.add_rule_exactly(ALLOW, 1004, + Arg(1, EQ, 1), + Arg(2, EQ, 2)) + + f.add_rule_exactly(ALLOW, 1005, + Arg(1, EQ, 1), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1005, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 3)) + f.add_rule_exactly(ALLOW, 1005, + Arg(0, EQ, 0), + Arg(1, EQ, 11)) + f.add_rule_exactly(ALLOW, 1005, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 33)) + + f.add_rule_exactly(ALLOW, 1006, + Arg(1, NE, 1), + Arg(2, EQ, 0)) + f.add_rule_exactly(ALLOW, 1006, + Arg(1, EQ, 1), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1006, + Arg(1, NE, 1)) + + f.add_rule_exactly(TRAP, 1007, + Arg(2, EQ, 1), + Arg(3, EQ, 3)) + f.add_rule_exactly(ALLOW, 1007, + Arg(2, EQ, 1), + Arg(3, NE, 3)) + f.add_rule_exactly(ALLOW, 1007, + Arg(3, NE, 3)) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/09-syscall-priority-pre.py b/tests/09-syscall-priority-pre.py new file mode 100755 index 0000000..07e6741 --- /dev/null +++ b/tests/09-syscall-priority-pre.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + # the syscall and argument numbers are all fake to make the test simpler + f.syscall_priority(1000, 3) + f.syscall_priority(1001, 2) + f.syscall_priority(1002, 1) + f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1)) + f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0)) + f.add_rule_exactly(ALLOW, 1002) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/10-syscall-priority-post.py b/tests/10-syscall-priority-post.py new file mode 100755 index 0000000..47d7eb2 --- /dev/null +++ b/tests/10-syscall-priority-post.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + # the syscall and argument numbers are all fake to make the test simpler + f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1)) + f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0)) + f.add_rule_exactly(ALLOW, 1002) + f.syscall_priority(1000, 3) + f.syscall_priority(1001, 2) + f.syscall_priority(1002, 1) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/11-basic-errors.py b/tests/11-basic-errors.py new file mode 100755 index 0000000..7f6c5c3 --- /dev/null +++ b/tests/11-basic-errors.py @@ -0,0 +1,85 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(): + # this test differs from the native test for obvious reasons + try: + f = SyscallFilter(ALLOW + 1) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + try: + f.reset(KILL + 1) + except ValueError: + pass + + f = SyscallFilter(ALLOW) + try: + f.syscall_priority(-1000, 1) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + try: + f.add_rule(ALLOW, "read") + except RuntimeError: + pass + try: + f.add_rule(KILL - 1, "read") + except RuntimeError: + pass + try: + f.add_rule(KILL, "read", + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 3), + Arg(4, EQ, 4), + Arg(5, EQ, 5), + Arg(6, EQ, 6), + Arg(7, EQ, 7)) + except RuntimeError: + pass + try: + f.add_rule(KILL, -1001) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + if f.exist_arch(Arch.X86): + try: + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 2)) + except RuntimeError: + pass + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/12-basic-masked-ops.c b/tests/12-basic-masked-ops.c index c213a69..a6fd939 100644 --- a/tests/12-basic-masked-ops.c +++ b/tests/12-basic-masked-ops.c @@ -39,6 +39,9 @@ int main(int argc, char *argv[]) if (ctx == NULL) goto out; + /* the syscall and argument numbers are all fake to make the test + * simpler */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), diff --git a/tests/12-basic-masked-ops.py b/tests/12-basic-masked-ops.py new file mode 100755 index 0000000..13d000e --- /dev/null +++ b/tests/12-basic-masked-ops.py @@ -0,0 +1,60 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + # the syscall and argument numbers are all fake to make the test simpler + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, 0), + Arg(1, MASKED_EQ, 0x00ff, 1), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, 0), + Arg(1, MASKED_EQ, 0xffff, 11), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, 0), + Arg(1, MASKED_EQ, 0xffff, 111), + Arg(2, EQ, 2)) + f.add_rule_exactly(ALLOW, 1000, + Arg(0, EQ, 0), + Arg(1, MASKED_EQ, 0xff00, 1000), + Arg(2, EQ, 2)) + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/13-attrs.py b/tests/13-attrs.py new file mode 100755 index 0000000..2e95700 --- /dev/null +++ b/tests/13-attrs.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(): + f = SyscallFilter(ALLOW) + if f.get_attr(Attr.ACT_DEFAULT) != ALLOW: + raise RuntimeError("Failed getting Attr.ACT_DEFAULT") + try: + f.set_attr(Attr.ACT_DEFAULT, ALLOW) + except RuntimeError: + pass + f.set_attr(Attr.ACT_BADARCH, ALLOW) + if f.get_attr(Attr.ACT_BADARCH) != ALLOW: + raise RuntimeError("Failed getting Attr.ACT_BADARCH") + f.set_attr(Attr.CTL_NNP, 0) + if f.get_attr(Attr.CTL_NNP) != 0: + raise RuntimeError("Failed getting Attr.CTL_NNP") + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/14-reset.py b/tests/14-reset.py new file mode 100755 index 0000000..ccc07ea --- /dev/null +++ b/tests/14-reset.py @@ -0,0 +1,42 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule(ALLOW, "read") + f.reset() + f.add_rule(ALLOW, "write") + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/15-resolver.py b/tests/15-resolver.py new file mode 100755 index 0000000..a9be7e3 --- /dev/null +++ b/tests/15-resolver.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(): + f = SyscallFilter(KILL) + # this differs from the native test as we don't support the syscall + # resolution functions by themselves + f.add_rule(ALLOW, "open") + f.add_rule(ALLOW, "socket") + try: + f.add_rule(ALLOW, "INVALID") + except RuntimeError: + pass + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/16-arch-basic.py b/tests/16-arch-basic.py new file mode 100755 index 0000000..7433c5e --- /dev/null +++ b/tests/16-arch-basic.py @@ -0,0 +1,50 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + if not f.exist_arch(Arch.X86): + f.add_arch(Arch.X86) + if not f.exist_arch(Arch.X86_64): + f.add_arch(Arch.X86_64) + f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin)) + f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout)) + f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr)) + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "socket") + f.add_rule(ALLOW, "connect") + f.add_rule(ALLOW, "shutdown") + return f + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/17-arch-merge.py b/tests/17-arch-merge.py new file mode 100755 index 0000000..a0db731 --- /dev/null +++ b/tests/17-arch-merge.py @@ -0,0 +1,54 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <[email protected]> +# Author: Paul Moore <[email protected]> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +from util import * +from seccomp import * + +def test(args): + f32 = SyscallFilter(KILL) + f64 = SyscallFilter(KILL) + if not f32.exist_arch(Arch.X86): + f32.add_arch(Arch.X86) + f32.remove_arch(Arch.NATIVE) + if not f64.exist_arch(Arch.X86_64): + f64.add_arch(Arch.X86_64) + f64.remove_arch(Arch.NATIVE) + f32.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin)) + f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout)) + f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr)) + f32.add_rule(ALLOW, "close") + f64.add_rule(ALLOW, "socket") + f64.add_rule(ALLOW, "connect") + f64.add_rule(ALLOW, "shutdown") + f64.merge(f32) + return f64 + +args = UtilGetOpt() +ctx = test(args) +UtilFilterOutput(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct _______________________________________________ libseccomp-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
