Hello - I'm working on some libseccomp patches to support new kernel
filter flags (SECCOMP_FILTER_FLAG_LOG and maybe
SECCOMP_FILTER_FLAG_KILL_PROCESS) and return actions (SECCOMP_RET_LOG)
being discussed upstream. I've bumped into an issue with the libseccomp
test suite and would like to get some direction on how to proceed.

The problems stem from the (new) need for libseccomp to call the
seccomp() syscall in order to verify that the kernel supports the new
filter flags and new return action. The seccomp() syscall can already be
used to verify that specific filter flags are supported and will likely
soon get a new operation that allows the caller to check if a specific
action is supported.

The first problem is that the build tests may be running under an older
kernel that doesn't support the new features. If specifying the new
SECCOMP_RET_LOG as an action, seccomp_rule_add() could fail due to the
kernel not supporting the action and there's no way in the current test
infrastructure to handle that. Additionally, seccomp_attr_set() may fail
when trying to set one of the new filter flags.

The second problem is with the valgrind tests. Valgrind doesn't wrap
seccomp(2):

  https://bugs.kde.org/show_bug.cgi?id=345414
  https://bugs.kde.org/show_bug.cgi?id=380183

This means that the valgrind tests will always fail because libseccomp
will see ENOSYS when attempting to verify that the kernel supports those
new filter flags and the new action.

The best solution that I can think of is for libseccomp to call
secure_getenv(), prior to calling seccomp() to check feature support,
and always blindly assume that a feature is supported if a "magic"
environment variable is set. The test runner would set that env variable
prior to running each test. Is this an acceptable solution? If not, do
you have any ideas that you like better?

Tyler
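
The probe-with-override approach proposed in the message, as an added example (not libseccomp code and not the patch under discussion). The variable name `EXAMPLE_SECCOMP_ASSUME_SUPPORTED`, the function names and the `enum probe` values are hypothetical; the EFAULT/EINVAL convention for probing a filter flag with a NULL filter is the one documented in seccomp(2).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for secure_getenv() and syscall() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1) /* missing from older uapi headers */
#endif
/* Hypothetical name: the message only speaks of a "magic" variable. */
#define ASSUME_ENV "EXAMPLE_SECCOMP_ASSUME_SUPPORTED"
char *secure_getenv(const char *name); /* redeclared in case _GNU_SOURCE came late */

enum probe { PROBE_UNKNOWN = -2, PROBE_NOSYS = -1, PROBE_NO = 0, PROBE_YES = 1 };

/* Interpret seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL). The kernel checks
 * the flag before it reads the filter, so EFAULT (bad pointer) means the flag
 * was accepted and EINVAL means the flag is unknown. */
enum probe classify_probe(long rc, int err)
{
    if (rc == 0)
        return PROBE_UNKNOWN; /* a NULL filter should never install */
    switch (err) {
    case EFAULT: return PROBE_YES;
    case EINVAL: return PROBE_NO;
    case ENOSYS: return PROBE_NOSYS;   /* old kernel, or valgrind not wrapping seccomp(2) */
    default:     return PROBE_UNKNOWN; /* e.g. a sandbox denying the call */
    }
}

enum probe filter_flag_supported(unsigned long flag)
{
    /* secure_getenv() returns NULL in secure-execution mode (setuid/setgid),
     * so the override cannot be injected into a privileged program. */
    const char *force = secure_getenv(ASSUME_ENV);
    if (force != NULL && force[0] == '1' && force[1] == '\0')
        return PROBE_YES; /* test runner asked us to skip the kernel probe */
    long rc = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL);
    return classify_probe(rc, errno);
}

int main(void)
{
    printf("SECCOMP_FILTER_FLAG_LOG: %d\n", filter_flag_supported(SECCOMP_FILTER_FLAG_LOG));
    return 0;
}
```

With the override set, a library would accept the flag and only fail later at filter load time on a kernel that lacks it, so the variable belongs in the test runner's environment only.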
