Signed-off-by: Paul Moore <[email protected]> --- tests/01-allow.py | 40 ++++++++++++ tests/02-basic.py | 44 +++++++++++++ tests/03-basic-chains.py | 45 ++++++++++++++ tests/04-multilevel-chains.py | 56 +++++++++++++++++ tests/05-long-jumps.py | 56 +++++++++++++++++ tests/06-actions.py | 45 ++++++++++++++ tests/07-db-bug-looping.py | 45 ++++++++++++++ tests/08-subtree-checks.py | 122 +++++++++++++++++++++++++++++++++++++ tests/09-syscall-priority-pre.py | 47 ++++++++++++++ tests/10-syscall-priority-post.py | 47 ++++++++++++++ tests/11-basic-errors.py | 86 ++++++++++++++++++++++++++ tests/12-basic-masked-ops.c | 3 + tests/12-basic-masked-ops.py | 61 +++++++++++++++++++ tests/13-attrs.py | 49 +++++++++++++++ tests/14-reset.py | 43 +++++++++++++ tests/15-resolver.py | 45 ++++++++++++++ tests/16-arch-basic.py | 51 +++++++++++++++ tests/17-arch-merge.py | 55 +++++++++++++++++ 18 files changed, 940 insertions(+) create mode 100755 tests/01-allow.py create mode 100755 tests/02-basic.py create mode 100755 tests/03-basic-chains.py create mode 100755 tests/04-multilevel-chains.py create mode 100755 tests/05-long-jumps.py create mode 100755 tests/06-actions.py create mode 100755 tests/07-db-bug-looping.py create mode 100755 tests/08-subtree-checks.py create mode 100755 tests/09-syscall-priority-pre.py create mode 100755 tests/10-syscall-priority-post.py create mode 100755 tests/11-basic-errors.py create mode 100755 tests/12-basic-masked-ops.py create mode 100755 tests/13-attrs.py create mode 100755 tests/14-reset.py create mode 100755 tests/15-resolver.py create mode 100755 tests/16-arch-basic.py create mode 100755 tests/17-arch-merge.py
diff --git a/tests/01-allow.py b/tests/01-allow.py
new file mode 100755
index 0000000..db3656b
--- /dev/null
+++ b/tests/01-allow.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/02-basic.py b/tests/02-basic.py
new file mode 100755
index 0000000..868664f
--- /dev/null
+++ b/tests/02-basic.py
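Review bot: `import argparse` and `import sys` are never referenced in 01-allow.py, and `from seccomp import *` hides which binding names the test relies on. Dropping the unused imports and importing explicitly, e.g. `from seccomp import ALLOW, SyscallFilter`, keeps the dependency on the binding visible. The unused `argparse` import and the wildcard import are repeated in each of the other new test scripts. `test(args)` also ignores its parameter, so a one-line docstring saying the filter is only built here and handed to `util.filter_output` would help the next reader.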
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read");
+ f.add_rule_exactly(ALLOW, "write");
+ f.add_rule_exactly(ALLOW, "close");
+ f.add_rule_exactly(ALLOW, "rt_sigreturn");
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/03-basic-chains.py b/tests/03-basic-chains.py
new file mode 100755
index 0000000..324170d
--- /dev/null
+++ b/tests/03-basic-chains.py
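Review bot: The four `add_rule_exactly` calls in `test()` end with `;`, which Python accepts only as an empty statement separator and which reads as a leftover from the C version of the test. Write them without it, e.g. `f.add_rule_exactly(ALLOW, "read")`. The same trailing semicolons appear in 03-basic-chains.py and 04-multilevel-chains.py.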
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()));
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()));
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()));
+ f.add_rule_exactly(ALLOW, "close");
+ f.add_rule_exactly(ALLOW, "rt_sigreturn");
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/04-multilevel-chains.py b/tests/04-multilevel-chains.py
new file mode 100755
index 0000000..e40deee
--- /dev/null
+++ b/tests/04-multilevel-chains.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "open");
+ f.add_rule_exactly(ALLOW, "close");
+ f.add_rule_exactly(ALLOW, "read",
+ Arg(0, EQ, sys.stdin.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule_exactly(ALLOW, "write",
+ Arg(0, EQ, sys.stdout.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule_exactly(ALLOW, "write",
+ Arg(0, EQ, sys.stderr.fileno()),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize));
+ f.add_rule_exactly(ALLOW, "close");
+ f.add_rule_exactly(ALLOW, "rt_sigreturn");
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/05-long-jumps.py b/tests/05-long-jumps.py
new file mode 100755
index 0000000..c6fd066
--- /dev/null
+++ b/tests/05-long-jumps.py
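Review bot: `f.add_rule_exactly(ALLOW, "close")` is issued twice in `test()`, once right after the "open" rule and again just before "rt_sigreturn". If the repeat is deliberate (for instance to mirror the native test or to exercise how the filter database handles a duplicate rule, neither of which is visible here), it should carry a comment such as `# duplicate rule on purpose: must not change the generated filter`. If it is not deliberate, the second call should be dropped so the test states exactly the allow-list it means to check.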
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # syscalls referenced by number to make the test simpler
+ f.add_rule_exactly(ALLOW, 1)
+ i = 0
+ while i < 600:
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, i),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
+ i += 1
+ i = 100
+ while i < 700:
+ f.add_rule_exactly(ALLOW, i,
+ Arg(0, NE, 0))
+ i += 1
+ f.add_rule_exactly(ALLOW, 4)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
+
diff --git a/tests/06-actions.py b/tests/06-actions.py
new file mode 100755
index 0000000..4bd76f5
--- /dev/null
+++ b/tests/06-actions.py
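Review bot: Both counting loops in `test()` initialise, test and increment `i` by hand, which makes the bounds harder to check than they need to be in a test whose whole point is the number of rules generated. `for i in range(600):` and `for i in range(100, 700):` state the same ranges in one line each and remove the two `i += 1` statements. A short comment on why 600 rules are needed (presumably to force jumps beyond the short-jump range of the generated filter) would also help; the existing comment only explains the numeric syscalls.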
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import errno
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ERRNO(errno.EPERM), "write")
+ f.add_rule(TRAP, "close")
+ f.add_rule(TRACE(1234), "open")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/07-db-bug-looping.py b/tests/07-db-bug-looping.py
new file mode 100755
index 0000000..0b6e988
--- /dev/null
+++ b/tests/07-db-bug-looping.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the next three seccomp_rule_add_exact() calls for read must go together
+ # in this order to catch an infinite loop.
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdout))
+ f.add_rule(ALLOW, "read", Arg(1, EQ, 0))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/08-subtree-checks.py b/tests/08-subtree-checks.py
new file mode 100755
index 0000000..766c3d1
--- /dev/null
+++ b/tests/08-subtree-checks.py
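Review bot: The `Arg` comparisons in `test()` pass the file objects `sys.stdout` and `sys.stdin` as the datum, whereas 03-basic-chains.py compares against `sys.stdin.fileno()`. A syscall argument filter compares integers, so unless `Arg` converts file objects itself (not visible here) these rules either fail when built or compare against something other than the descriptor number. Use `Arg(0, EQ, sys.stdout.fileno())` and `Arg(0, EQ, sys.stdin.fileno())`. The same file-object datum is used in the `read`/`write` rules of 16-arch-basic.py and 17-arch-merge.py. The comment also refers to `seccomp_rule_add_exact()` while the code calls `add_rule`, so either the comment or the call should be adjusted to match the native test.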
@@ -0,0 +1,122 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(1, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 11))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 33))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 11))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 33))
+
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, NE, 1),
+ Arg(2, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, NE, 1))
+
+ f.add_rule_exactly(TRAP, 1007,
+ Arg(2, EQ, 1),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(2, EQ, 1),
+ Arg(3, NE, 3))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(3, NE, 3))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/09-syscall-priority-pre.py b/tests/09-syscall-priority-pre.py
new file mode 100755
index 0000000..7b19943
--- /dev/null
+++ b/tests/09-syscall-priority-pre.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.syscall_priority(1000, 3)
+ f.syscall_priority(1001, 2)
+ f.syscall_priority(1002, 1)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1002)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/10-syscall-priority-post.py b/tests/10-syscall-priority-post.py
new file mode 100755
index 0000000..bc2e152
--- /dev/null
+++ b/tests/10-syscall-priority-post.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1002)
+ f.syscall_priority(1000, 3)
+ f.syscall_priority(1001, 2)
+ f.syscall_priority(1002, 1)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/11-basic-errors.py b/tests/11-basic-errors.py
new file mode 100755
index 0000000..900548d
--- /dev/null
+++ b/tests/11-basic-errors.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ # this test differs from the native test for obvious reasons
+ try:
+ f = SyscallFilter(ALLOW + 1)
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.reset(KILL + 1)
+ except ValueError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.syscall_priority(-1000, 1)
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ try:
+ f.add_rule(ALLOW, "read")
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule(KILL - 1, "read")
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule(KILL, "read",
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3),
+ Arg(4, EQ, 4),
+ Arg(5, EQ, 5),
+ Arg(6, EQ, 6),
+ Arg(7, EQ, 7))
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule(KILL, -1001)
+ except RuntimeError:
+ pass
+
+ f = SyscallFilter(ALLOW)
+ if f.exist_arch(Arch.X86):
+ try:
+ f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 2))
+ except RuntimeError:
+ pass
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/12-basic-masked-ops.c b/tests/12-basic-masked-ops.c
index c213a69..a6fd939 100644
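Review bot: Every negative case in `test()` only catches the expected exception and passes, so the script also succeeds when the invalid call is accepted; `SyscallFilter(ALLOW + 1)` or `f.add_rule(KILL - 1, "read")` returning normally would go unnoticed. For a library whose job is to reject malformed filter input, the acceptance path should fail the test. Give each `try` an `else:` branch, e.g. `else: raise RuntimeError("invalid default action accepted")`, with a message naming the case. The same catch-and-pass pattern is used in 13-attrs.py around `set_attr(Attr.ACT_DEFAULT, ALLOW)` and in 15-resolver.py around `add_rule(ALLOW, "INVALID")`; where those calls are expected to fail they need the same treatment.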
--- a/tests/12-basic-masked-ops.c +++ b/tests/12-basic-masked-ops.c @@ -39,6 +39,9 @@ int main(int argc, char *argv[]) if (ctx == NULL) goto out; + /* the syscall and argument numbers are all fake to make the test + * simpler */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, SCMP_A0(SCMP_CMP_EQ, 0), SCMP_A1(SCMP_CMP_EQ, 1), diff --git a/tests/12-basic-masked-ops.py b/tests/12-basic-masked-ops.py new file mode 100755 index 0000000..283534b --- /dev/null +++ b/tests/12-basic-masked-ops.py 
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0x00ff, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xffff, 11),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xffff, 111),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xff00, 1000),
+ Arg(2, EQ, 2))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/13-attrs.py b/tests/13-attrs.py
new file mode 100755
index 0000000..471ab34
--- /dev/null
+++ b/tests/13-attrs.py
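Review bot: In the last rule of `test()`, `Arg(1, MASKED_EQ, 0xff00, 1000)`, the datum 1000 (0x3e8) has bits set outside the mask 0xff00, so `arg & 0xff00` can equal it only if the library also masks the datum; whether it does is not visible in this file. A masked comparison that can never match is a classic source of allow rules that silently do nothing, so the test should say which behaviour it pins down. I would add a comment above that rule, e.g. `# datum deliberately has bits outside the mask`, or change the datum to a value inside the mask if the mismatch is accidental.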
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ f = SyscallFilter(ALLOW)
+ if f.get_attr(Attr.ACT_DEFAULT) != ALLOW:
+ raise RuntimeError("Failed getting Attr.ACT_DEFAULT")
+ try:
+ f.set_attr(Attr.ACT_DEFAULT, ALLOW)
+ except RuntimeError:
+ pass
+ f.set_attr(Attr.ACT_BADARCH, ALLOW)
+ if f.get_attr(Attr.ACT_BADARCH) != ALLOW:
+ raise RuntimeError("Failed getting Attr.ACT_BADARCH")
+ f.set_attr(Attr.CTL_NNP, 0)
+ if f.get_attr(Attr.CTL_NNP) != 0:
+ raise RuntimeError("Failed getting Attr.CTL_NNP")
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/14-reset.py b/tests/14-reset.py
new file mode 100755
index 0000000..60c131f
--- /dev/null
+++ b/tests/14-reset.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read")
+ f.reset()
+ f.add_rule(ALLOW, "write")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/15-resolver.py b/tests/15-resolver.py
new file mode 100755
index 0000000..b15e148
--- /dev/null
+++ b/tests/15-resolver.py
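Review bot: `f.reset()` is called without an action, so the default action of the filter that ends up holding the `write` rule depends on what `reset` falls back to, which this file does not show; 11-basic-errors.py shows that `reset` does accept an action argument. Because the default action decides what happens to every syscall the rules do not name, the test should state it. Either pass it explicitly, `f.reset(KILL)`, or add a comment such as `# reset() is expected to keep the KILL default` if that is the contract being tested.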
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ f = SyscallFilter(KILL)
+ # this differs from the native test as we don't support the syscall
+ # resolution functions by themselves
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "socket")
+ try:
+ f.add_rule(ALLOW, "INVALID")
+ except RuntimeError:
+ pass
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/16-arch-basic.py b/tests/16-arch-basic.py
new file mode 100755
index 0000000..eebe9a3
--- /dev/null
+++ b/tests/16-arch-basic.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ if not f.exist_arch(Arch.X86):
+ f.add_arch(Arch.X86)
+ if not f.exist_arch(Arch.X86_64):
+ f.add_arch(Arch.X86_64)
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "shutdown")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/17-arch-merge.py b/tests/17-arch-merge.py
new file mode 100755
index 0000000..0221764
--- /dev/null
+++ b/tests/17-arch-merge.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <[email protected]>
+# Author: Paul Moore <[email protected]>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f32 = SyscallFilter(KILL)
+ f64 = SyscallFilter(KILL)
+ if not f32.exist_arch(Arch.X86):
+ f32.add_arch(Arch.X86)
+ f32.remove_arch(Arch.NATIVE)
+ if not f64.exist_arch(Arch.X86_64):
+ f64.add_arch(Arch.X86_64)
+ f64.remove_arch(Arch.NATIVE)
+ f32.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin))
+ f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout))
+ f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr))
+ f32.add_rule(ALLOW, "close")
+ f64.add_rule(ALLOW, "socket")
+ f64.add_rule(ALLOW, "connect")
+ f64.add_rule(ALLOW, "shutdown")
+ f64.merge(f32)
+ return f64
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
------------------------------------------------------------------------------ LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility into emerging IT issues Automate, monitor and manage.
