Diffstat (limited to 'tests')
189 files changed, 15569 insertions, 0 deletions
diff --git a/tests/01-sim-allow.c b/tests/01-sim-allow.c
new file mode 100644
index 0000000..74e3f15
--- /dev/null
+++ b/tests/01-sim-allow.c
@@ -0,0 +1,50 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/01-sim-allow.py b/tests/01-sim-allow.py
new file mode 100755
index 0000000..d1dbf08
--- /dev/null
+++ b/tests/01-sim-allow.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/01-sim-allow.tests b/tests/01-sim-allow.tests
new file mode 100644
index 0000000..bfdc470
--- /dev/null
+++ b/tests/01-sim-allow.tests
@@ -0,0 +1,21 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+01-sim-allow all,-x32 0-350 N N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+01-sim-allow 50
+
+test type: bpf-valgrind
+
+# Testname
+01-sim-allow
diff --git a/tests/02-sim-basic.c b/tests/02-sim-basic.c
new file mode 100644
index 0000000..ed61f90
--- /dev/null
+++ b/tests/02-sim-basic.c
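Review bot: In tests/01-sim-allow.py, `import argparse` and `import sys` are never used, `from seccomp import *` hides where `SyscallFilter` and `ALLOW` come from, and `test(args)` ignores its argument. Importing the names explicitly, e.g. `from seccomp import SyscallFilter, ALLOW`, and dropping the unused imports would make it obvious which library symbols each test exercises. The same wildcard import and unused `argparse` import repeat in the 02 through 07 Python tests added by this commit.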
@@ -0,0 +1,72 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+/*
+ * Just like mode 1 seccomp we allow 4 syscalls:
+ * read, write, exit, and rt_sigreturn
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/02-sim-basic.py b/tests/02-sim-basic.py
new file mode 100755
index 0000000..2b0029c
--- /dev/null
+++ b/tests/02-sim-basic.py
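Review bot: The header comment in tests/02-sim-basic.c lists the allowed syscalls as read, write, exit and rt_sigreturn, but the rules in main() allow `close` and never `exit`, so the filter is not the mode 1 set the comment describes. The companion 02-sim-basic.tests data expects `close` to be ALLOW, which suggests the code is what was intended and the comment is stale. I would reword it to `* Similar to mode 1 seccomp, we allow 4 syscalls:` / `* read, write, close, and rt_sigreturn`, or add an `exit` rule and matching test row if parity with strict mode is the goal.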
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read")
+ f.add_rule_exactly(ALLOW, "write")
+ f.add_rule_exactly(ALLOW, "close")
+ f.add_rule_exactly(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/02-sim-basic.tests b/tests/02-sim-basic.tests
new file mode 100644
index 0000000..07004a4
--- /dev/null
+++ b/tests/02-sim-basic.tests
@@ -0,0 +1,30 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+02-sim-basic all read 0 0x856B008 40 N N N ALLOW
+02-sim-basic all write 1 0x856B008 40 N N N ALLOW
+02-sim-basic all close 4 N N N N N ALLOW
+02-sim-basic all rt_sigreturn N N N N N N ALLOW
+02-sim-basic all open 0x856B008 4 N N N N KILL
+02-sim-basic x86 0-2 N N N N N N KILL
+02-sim-basic x86 7-172 N N N N N N KILL
+02-sim-basic x86 174-350 N N N N N N KILL
+02-sim-basic x86_64 4-14 N N N N N N KILL
+02-sim-basic x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+02-sim-basic 50
+
+test type: bpf-valgrind
+
+# Testname
+02-sim-basic
diff --git a/tests/03-sim-basic_chains.c b/tests/03-sim-basic_chains.c
new file mode 100644
index 0000000..64d6323
--- /dev/null
+++ b/tests/03-sim-basic_chains.c
@@ -0,0 +1,74 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/03-sim-basic_chains.py b/tests/03-sim-basic_chains.py
new file mode 100755
index 0000000..f8d3373
--- /dev/null
+++ b/tests/03-sim-basic_chains.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule_exactly(ALLOW, "close")
+ f.add_rule_exactly(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/03-sim-basic_chains.tests b/tests/03-sim-basic_chains.tests
new file mode 100644
index 0000000..ef4353a
--- /dev/null
+++ b/tests/03-sim-basic_chains.tests
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+03-sim-basic_chains all read 0 0x856B008 10 N N N ALLOW
+03-sim-basic_chains all read 1-10 0x856B008 10 N N N KILL
+03-sim-basic_chains all write 1-2 0x856B008 10 N N N ALLOW
+03-sim-basic_chains all write 3-10 0x856B008 10 N N N KILL
+03-sim-basic_chains all close N N N N N N ALLOW
+03-sim-basic_chains all rt_sigreturn N N N N N N ALLOW
+03-sim-basic_chains all open 0x856B008 4 N N N N KILL
+03-sim-basic_chains x86 0-2 N N N N N N KILL
+03-sim-basic_chains x86 7-172 N N N N N N KILL
+03-sim-basic_chains x86 174-350 N N N N N N KILL
+03-sim-basic_chains x86_64 4-14 N N N N N N KILL
+03-sim-basic_chains x86_64 16-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+03-sim-basic_chains 50
+
+test type: bpf-valgrind
+
+# Testname
+03-sim-basic_chains
diff --git a/tests/04-sim-multilevel_chains.c b/tests/04-sim-multilevel_chains.c
new file mode 100644
index 0000000..e3e4f9b
--- /dev/null
+++ b/tests/04-sim-multilevel_chains.c
@@ -0,0 +1,87 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2012 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <limits.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 3, + SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, + SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 3, + SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO), + SCMP_A1(SCMP_CMP_NE, 0x0), + SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if 
(rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/04-sim-multilevel_chains.py b/tests/04-sim-multilevel_chains.py new file mode 100755 index 0000000..a5127a2 --- /dev/null +++ b/tests/04-sim-multilevel_chains.py @@ -0,0 +1,56 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule(ALLOW, "openat") + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "read", + Arg(0, EQ, sys.stdin.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)) + f.add_rule(ALLOW, "write", + Arg(0, EQ, sys.stdout.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)) + f.add_rule(ALLOW, "write", + Arg(0, EQ, sys.stderr.fileno()), + Arg(1, NE, 0), + Arg(2, LT, sys.maxsize)) + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigreturn") + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; 
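Review bot: `close` is allowed twice in tests/04-sim-multilevel_chains.c, once right after the `openat` rule and again just before `rt_sigreturn`, and the Python port in tests/04-sim-multilevel_chains.py repeats the same pair with `f.add_rule(ALLOW, "close")`. Nothing in the file says whether the duplicate is deliberate. If it is meant to exercise re-adding a rule that already exists, put a comment such as `/* intentional duplicate of the close rule above */` on the second call so it is not cleaned up later; otherwise drop it. The second `write` rule is also missing the blank line that separates every other rule block in main().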
diff --git a/tests/04-sim-multilevel_chains.tests b/tests/04-sim-multilevel_chains.tests
new file mode 100644
index 0000000..b6f7576
--- /dev/null
+++ b/tests/04-sim-multilevel_chains.tests
@@ -0,0 +1,44 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+04-sim-multilevel_chains all openat 0 0x856B008 4 N N N ALLOW
+04-sim-multilevel_chains all close 4 N N N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 read 0 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains x86 read 0 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 read 0 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains all read 1-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+04-sim-multilevel_chains x86 write 1-2 0 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0 0x7FFFFFFFFFFFFFFE N N N KILL
+04-sim-multilevel_chains x86 write 1-2 0x856B008 0x7FFFFFFF N N N KILL
+04-sim-multilevel_chains x86_64 write 1-2 0x856B008 0x7FFFFFFFFFFFFFFF N N N KILL
+04-sim-multilevel_chains all write 3-10 0x856B008 0x7FFFFFFE N N N KILL
+04-sim-multilevel_chains all rt_sigreturn N N N N N N ALLOW
+04-sim-multilevel_chains x86 0-2 N N N N N N KILL
+04-sim-multilevel_chains x86 7-172 N N N N N N KILL
+04-sim-multilevel_chains x86 174-294 N N N N N N KILL
+04-sim-multilevel_chains x86 296-350 N N N N N N KILL
+04-sim-multilevel_chains x86_64 4-14 N N N N N N KILL
+04-sim-multilevel_chains x86_64 16-256 N N N N N N KILL
+04-sim-multilevel_chains x86_64 258-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+04-sim-multilevel_chains 50
+
+test type: bpf-valgrind
+
+# Testname
+04-sim-multilevel_chains
diff --git a/tests/05-sim-long_jumps.c b/tests/05-sim-long_jumps.c
new file mode 100644
index 0000000..f8e9634
--- /dev/null
+++ b/tests/05-sim-long_jumps.c
@@ -0,0 +1,89 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Copyright (c) 2021 Microsoft Corporation <paulmoore@microsoft.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int iter, ctr;
+ char *syscall;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
+ if (rc != 0)
+ goto out;
+
+ /* same syscall, many chains */
+ for (iter = 0; iter < 100; iter++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 3,
+ SCMP_A0(SCMP_CMP_EQ, iter),
+ SCMP_A1(SCMP_CMP_NE, 0x0),
+ SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ if (rc != 0)
+ goto out;
+ }
+
+ /* many syscalls, same chain */
+ for (iter = 0, ctr = 0; iter < 10000 && ctr < 100; iter++) {
+ if (iter == SCMP_SYS(chdir))
+ continue;
+ syscall = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE,
+ iter);
+ if (syscall) {
+ free(syscall);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, iter, 1,
+ SCMP_A0(SCMP_CMP_NE, 0));
+ if (rc != 0)
+ goto out;
+ ctr++;
+ }
+ }
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/05-sim-long_jumps.py b/tests/05-sim-long_jumps.py
new file mode 100755
index 0000000..6d9d5d4
--- /dev/null
+++ b/tests/05-sim-long_jumps.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Copyright (c) 2021 Microsoft Corporation <paulmoore@microsoft.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "brk")
+ i = 0
+ while i < 100:
+ f.add_rule(ALLOW, "chdir",
+ Arg(0, EQ, i),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
+ i += 1
+ i = 0
+ ctr = 0
+ while i < 10000 and ctr < 100:
+ sc = i
+ i += 1
+ if sc == resolve_syscall(Arch(), "chdir"):
+ continue
+ try:
+ resolve_syscall(Arch(), sc)
+ except ValueError:
+ continue
+ f.add_rule(ALLOW, sc, Arg(0, NE, 0))
+ ctr += 1
+ f.add_rule(ALLOW, "close")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
+
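Review bot: The local `char *syscall` in main() of tests/05-sim-long_jumps.c shares its name with the libc `syscall()` function declared through `<unistd.h>`, which is legal but may trip shadow warnings and reads oddly next to `SCMP_SYS(...)`; `char *name` would be clearer. The resolved string is used only as an existence check and freed at once, so a comment on the second loop such as `/* only add rules for numbers that resolve to a syscall on the native arch */` would explain why it is discarded. The bounds `10000` and `100` deserve a word too, since the .tests data expects syscall 9999 to stay unmatched and that appears to depend on `ctr` reaching 100 first.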
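Review bot: In tests/05-sim-long_jumps.py, `resolve_syscall(Arch(), "chdir")` is re-evaluated on every pass of the second loop, although its result cannot change between iterations. Hoist it once before the loop, `chdir_nr = resolve_syscall(Arch(), "chdir")`, and compare `sc == chdir_nr`. Both `while` loops with hand-maintained counters would also read more directly as `for i in range(100):` and `for sc in range(10000):` with a `break` once `ctr` reaches 100, which removes the separate `sc = i` / `i += 1` bookkeeping.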
diff --git a/tests/05-sim-long_jumps.tests b/tests/05-sim-long_jumps.tests
new file mode 100644
index 0000000..1f9f36b
--- /dev/null
+++ b/tests/05-sim-long_jumps.tests
@@ -0,0 +1,30 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 IBM Corp.
+# Copyright (c) 2021 Microsoft Corporation <paulmoore@microsoft.com>
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+05-sim-long_jumps all,-x32 brk 1 2 3 4 5 6 ALLOW
+05-sim-long_jumps all,-x32 9999 N N N N N N KILL
+05-sim-long_jumps x86 chdir 0-5 0x856B008 0x7FFFFFFE N N N ALLOW
+05-sim-long_jumps x86_64 chdir 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+05-sim-long_jumps x86 chdir 95-99 0x856B008 0x7FFFFFFE N N N ALLOW
+05-sim-long_jumps x86_64 chdir 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+05-sim-long_jumps x86 chdir 100 0x856B008 0x7FFFFFFE N N N KILL
+05-sim-long_jumps x86_64 chdir 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL
+05-sim-long_jumps all,-x32 close 1 N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+05-sim-long_jumps 50
+
+test type: bpf-valgrind
+
+# Testname
+05-sim-long_jumps
diff --git a/tests/06-sim-actions.c b/tests/06-sim-actions.c
new file mode 100644
index 0000000..da636c9
--- /dev/null
+++ b/tests/06-sim-actions.c
@@ -0,0 +1,78 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1234), SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
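Review bot: `seccomp_api_set(3)` in tests/06-sim-actions.c passes a bare level number with no explanation of why the test forces it. Presumably level 3 is needed because the filter uses `SCMP_ACT_LOG` and `SCMP_ACT_KILL_PROCESS`; a comment such as `/* API level 3 is needed for SCMP_ACT_LOG and SCMP_ACT_KILL_PROCESS */` above the call would record that. The same comment could note that the default action `SCMP_ACT_KILL` and the explicit `SCMP_ACT_KILL_PROCESS` rule are distinct outcomes, since the .tests data expects `KILL` for unmatched syscalls and `KILL_PROCESS` for `fstat`.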
diff --git a/tests/06-sim-actions.py b/tests/06-sim-actions.py
new file mode 100755
index 0000000..253061d
--- /dev/null
+++ b/tests/06-sim-actions.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import errno
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read")
+ f.add_rule(LOG, "rt_sigreturn")
+ f.add_rule(ERRNO(errno.EPERM), "write")
+ f.add_rule(TRAP, "close")
+ f.add_rule(TRACE(1234), "openat")
+ f.add_rule(KILL_PROCESS, "fstat")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/06-sim-actions.tests b/tests/06-sim-actions.tests
new file mode 100644
index 0000000..1ef38b3
--- /dev/null
+++ b/tests/06-sim-actions.tests
@@ -0,0 +1,34 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+06-sim-actions all read 4 0x856B008 80 N N N ALLOW
+06-sim-actions all write 1 0x856B008 N N N N ERRNO(1)
+06-sim-actions all close 4 N N N N N TRAP
+06-sim-actions all openat 0 0x856B008 4 N N N TRACE(1234)
+06-sim-actions all fstat N N N N N N KILL_PROCESS
+06-sim-actions all rt_sigreturn N N N N N N LOG
+06-sim-actions x86 0-2 N N N N N N KILL
+06-sim-actions x86 7-107 N N N N N N KILL
+06-sim-actions x86 109-172 N N N N N N KILL
+06-sim-actions x86 174-294 N N N N N N KILL
+06-sim-actions x86 296-350 N N N N N N KILL
+06-sim-actions x86_64 6-14 N N N N N N KILL
+06-sim-actions x86_64 16-256 N N N N N N KILL
+06-sim-actions x86_64 258-350 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+06-sim-actions 50
+
+test type: bpf-valgrind
+
+# Testname
+06-sim-actions
diff --git a/tests/07-sim-db_bug_looping.c b/tests/07-sim-db_bug_looping.c
new file mode 100644
index 0000000..e3fec81
--- /dev/null
+++ b/tests/07-sim-db_bug_looping.c
@@ -0,0 +1,68 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright IBM Corp. 2012
+ * Author: Ashley Lai <adlai@us.ibm.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* The next three seccomp_rule_add_exact() calls for read must
+ * go together in this order to catch an infinite loop. */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A1(SCMP_CMP_EQ, 0x0));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/07-sim-db_bug_looping.py b/tests/07-sim-db_bug_looping.py
new file mode 100755
index 0000000..5fcdf11
--- /dev/null
+++ b/tests/07-sim-db_bug_looping.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the next three seccomp_rule_add_exact() calls for read must go together
+ # in this order to catch an infinite loop.
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "read", Arg(1, EQ, 0))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/07-sim-db_bug_looping.tests b/tests/07-sim-db_bug_looping.tests
new file mode 100644
index 0000000..a7ec72b
--- /dev/null
+++ b/tests/07-sim-db_bug_looping.tests
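Review bot: The comment in test() of tests/07-sim-db_bug_looping.py refers to `seccomp_rule_add_exact()` calls, and the C version of this test does use `seccomp_rule_add_exact`, but the three rules here are added with `f.add_rule(...)`. If the looping bug this test guards against depends on the exact-match path, the Python port is not exercising the same library code as its C twin. Use `f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdout.fileno()))` and likewise for the other two rules, and reword the comment to name the Python method rather than the C function.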
@@ -0,0 +1,23 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+07-sim-db_bug_looping all read 1 0x856B008 10 N N N ALLOW
+07-sim-db_bug_looping all read 2-10 0 10 N N N ALLOW
+07-sim-db_bug_looping all read 0 0x856B008 10 N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+07-sim-db_bug_looping 50
+
+test type: bpf-valgrind
+
+# Testname
+07-sim-db_bug_looping
diff --git a/tests/08-sim-subtree_checks.c b/tests/08-sim-subtree_checks.c new file mode 100644
index 0000000..cc35e54
--- /dev/null
+++ b/tests/08-sim-subtree_checks.c
@@ -0,0 +1,179 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 11));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 33));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 11));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 4,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 33));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2,
+ SCMP_A1(SCMP_CMP_NE, 1),
+ SCMP_A2(SCMP_CMP_EQ, 0));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2,
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 1,
+ SCMP_A1(SCMP_CMP_NE, 1));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1007, 2,
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_EQ, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 2,
+ SCMP_A2(SCMP_CMP_EQ, 2),
+ SCMP_A3(SCMP_CMP_NE, 3));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 1,
+ SCMP_A3(SCMP_CMP_NE, 3));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/08-sim-subtree_checks.py b/tests/08-sim-subtree_checks.py new file mode 100755
index 0000000..66dac3c
--- /dev/null
+++ b/tests/08-sim-subtree_checks.py
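Review bot: The only comment in `main` says the numbers are fake; nothing says what each group of rules (syscalls 1000 to 1007) is meant to prove, which makes a later failure hard to interpret. From the rules and the expectations in 08-sim-subtree_checks.tests, the pairs 1000/1001, 1002/1003 and 1004/1005 add the same rules in different orders and expect identical verdicts, so a one-line comment per group would help, for example `/* 1000/1001: a rule on A1 alone and a rule on A0+A1, added in both orders, must allow the same calls */`. For a filter with a KILL default this is the property that matters: the order in which ALLOW rules are inserted must not widen or narrow what is allowed. The same comments would fit `test()` in 08-sim-subtree_checks.py.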
@@ -0,0 +1,122 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(1, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1))
+
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1002,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1003,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 11))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 33))
+ f.add_rule_exactly(ALLOW, 1004,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 11))
+ f.add_rule_exactly(ALLOW, 1005,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 33))
+
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, NE, 1),
+ Arg(2, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1006,
+ Arg(1, NE, 1))
+
+ f.add_rule_exactly(TRAP, 1007,
+ Arg(2, EQ, 2),
+ Arg(3, EQ, 3))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(2, EQ, 2),
+ Arg(3, NE, 3))
+ f.add_rule_exactly(ALLOW, 1007,
+ Arg(3, NE, 3))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/08-sim-subtree_checks.tests b/tests/08-sim-subtree_checks.tests new file mode 100644
index 0000000..6c29c21
--- /dev/null
+++ b/tests/08-sim-subtree_checks.tests
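Review bot: `from seccomp import *` hides which names this test takes from the binding, and `argparse` and `sys` are imported but not used anywhere in this file. Listing the names makes a missing or renamed export fail at import time with a clear message: `from seccomp import ALLOW, KILL, TRAP, EQ, NE, Arg, SyscallFilter`. The same header is repeated in the 09, 10 and 12 Python tests in this diff; 07 does use `sys`.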
@@ -0,0 +1,47 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+08-sim-subtree_checks all,-x32 1000 0-10 1 N N N N ALLOW
+08-sim-subtree_checks all,-x32 1000 0-10 0 N N N N KILL
+08-sim-subtree_checks all,-x32 1001 0-10 1 N N N N ALLOW
+08-sim-subtree_checks all,-x32 1001 0-10 0 N N N N KILL
+08-sim-subtree_checks all,-x32 1002 0-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1002 0-5 2 1 0-5 N N KILL
+08-sim-subtree_checks all,-x32 1003 0-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1003 0-5 2 1 0-5 N N KILL
+08-sim-subtree_checks all,-x32 1004 0 11 5-10 10 10 1-5 ALLOW
+08-sim-subtree_checks all,-x32 1004 0 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1004 1-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1004 1-5 1 2 30-35 N N ALLOW
+08-sim-subtree_checks all,-x32 1004 1-5 2 1 30-35 N N KILL
+08-sim-subtree_checks all,-x32 1005 0 11 5-10 10 10 1-5 ALLOW
+08-sim-subtree_checks all,-x32 1005 0 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1005 1-5 1 2 0-5 N N ALLOW
+08-sim-subtree_checks all,-x32 1005 1-5 1 2 30-35 N N ALLOW
+08-sim-subtree_checks all,-x32 1005 1-5 2 1 30-35 N N KILL
+08-sim-subtree_checks all,-x32 1006 0-10 1 2 N N N ALLOW
+08-sim-subtree_checks all,-x32 1006 0-10 1 3 N N N KILL
+08-sim-subtree_checks all,-x32 1006 10 2-100 2 N N N ALLOW
+08-sim-subtree_checks all,-x32 1007 0 0 2 3 N N TRAP
+08-sim-subtree_checks all,-x32 1007 1 1 1 0-2 1 1 ALLOW
+08-sim-subtree_checks all,-x32 1007 1 1 2 0-2 1 1 ALLOW
+08-sim-subtree_checks all,-x32 1007 1 1 2 4-6 1 1 ALLOW
+08-sim-subtree_checks all,-x32 1007 1 1 0 3 1 1 KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+08-sim-subtree_checks 50
+
+
+test type: bpf-valgrind
+
+# Testname
+08-sim-subtree_checks
diff --git a/tests/09-sim-syscall_priority_pre.c b/tests/09-sim-syscall_priority_pre.c new file mode 100644
index 0000000..fbcd27d
--- /dev/null
+++ b/tests/09-sim-syscall_priority_pre.c
@@ -0,0 +1,76 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_syscall_priority(ctx, 1000, 3);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1001, 2);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1002, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+ SCMP_A0(SCMP_CMP_EQ, 0));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
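Review bot: Nothing in this test shows that the three `seccomp_syscall_priority()` calls had any effect: the expectations in 09-sim-syscall_priority_pre.tests record only ALLOW or KILL per syscall, and those verdicts presumably would be the same with the priority calls removed. As written the test shows that setting a priority before any rule exists does not break the filter, which is worth stating in a comment, e.g. `/* priorities are set before any rule exists; only the filter verdicts are checked, not the resulting ordering */`. 10-sim-syscall_priority_post.c has the same shape with the calls placed after the rules, and its .tests rows are identical, so the same comment applies there.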
diff --git a/tests/09-sim-syscall_priority_pre.py b/tests/09-sim-syscall_priority_pre.py new file mode 100755
index 0000000..2ba5ea0
--- /dev/null
+++ b/tests/09-sim-syscall_priority_pre.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.syscall_priority(1000, 3)
+ f.syscall_priority(1001, 2)
+ f.syscall_priority(1002, 1)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1002)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/09-sim-syscall_priority_pre.tests b/tests/09-sim-syscall_priority_pre.tests new file mode 100644
index 0000000..a983967
--- /dev/null
+++ b/tests/09-sim-syscall_priority_pre.tests
@@ -0,0 +1,26 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+09-sim-syscall_priority_pre all,-x32 999 N N N N N N KILL
+09-sim-syscall_priority_pre all,-x32 1000-1002 0 1 N N N N ALLOW
+09-sim-syscall_priority_pre all,-x32 1000 0 2 N N N N KILL
+09-sim-syscall_priority_pre all,-x32 1001-1002 0 2 N N N N ALLOW
+09-sim-syscall_priority_pre all,-x32 1000-1001 1 1 N N N N KILL
+09-sim-syscall_priority_pre all,-x32 1003 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+09-sim-syscall_priority_pre 50
+
+test type: bpf-valgrind
+
+# Testname
+09-sim-syscall_priority_pre
diff --git a/tests/10-sim-syscall_priority_post.c b/tests/10-sim-syscall_priority_post.c new file mode 100644
index 0000000..48ed9c0
--- /dev/null
+++ b/tests/10-sim-syscall_priority_post.c
@@ -0,0 +1,76 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 2,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 1,
+ SCMP_A0(SCMP_CMP_EQ, 0));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_syscall_priority(ctx, 1000, 3);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1001, 2);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_syscall_priority(ctx, 1002, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/10-sim-syscall_priority_post.py b/tests/10-sim-syscall_priority_post.py new file mode 100755
index 0000000..01292d4
--- /dev/null
+++ b/tests/10-sim-syscall_priority_post.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0), Arg(1, EQ, 1))
+ f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 0))
+ f.add_rule_exactly(ALLOW, 1002)
+ f.syscall_priority(1000, 3)
+ f.syscall_priority(1001, 2)
+ f.syscall_priority(1002, 1)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/10-sim-syscall_priority_post.tests b/tests/10-sim-syscall_priority_post.tests new file mode 100644
index 0000000..b05235c
--- /dev/null
+++ b/tests/10-sim-syscall_priority_post.tests
@@ -0,0 +1,26 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+10-sim-syscall_priority_post all,-x32 999 N N N N N N KILL
+10-sim-syscall_priority_post all,-x32 1000-1002 0 1 N N N N ALLOW
+10-sim-syscall_priority_post all,-x32 1000 0 2 N N N N KILL
+10-sim-syscall_priority_post all,-x32 1001-1002 0 2 N N N N ALLOW
+10-sim-syscall_priority_post all,-x32 1000-1001 1 1 N N N N KILL
+10-sim-syscall_priority_post all,-x32 1003 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+10-sim-syscall_priority_post 50
+
+test type: bpf-valgrind
+
+# Testname
+10-sim-syscall_priority_post
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c new file mode 100644
index 0000000..c065b42
--- /dev/null
+++ b/tests/11-basic-basic_errors.c
@@ -0,0 +1,243 @@ +/** + * Seccomp Library test program + * + * Copyright IBM Corp. 2012 + * Author: Corey Bryant <coreyb@linux.vnet.ibm.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +int main(int argc, char *argv[]) +{ + int rc; + scmp_filter_ctx ctx; + uint32_t attr; + unsigned int api; + struct seccomp_notif *req = NULL; + struct seccomp_notif_resp *resp = NULL; + + /* get the api level */ + api = seccomp_api_get(); + + /* seccomp_init errors */ + ctx = seccomp_init(SCMP_ACT_ALLOW + 1); + if (ctx != NULL) + return -1; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + seccomp_release(ctx); + ctx = NULL; + + /* ensure that seccomp_reset(NULL, ...) 
is accepted */ + rc = seccomp_reset(NULL, SCMP_ACT_ALLOW); + if (rc != 0) + return -1; + + /* seccomp_load error */ + rc = seccomp_load(ctx); + if (rc != -EINVAL) + return -1; + + /* seccomp_syscall_priority errors */ + rc = seccomp_syscall_priority(ctx, SCMP_SYS(read), 1); + if (rc != -EINVAL) + return -1; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + else { + rc = seccomp_syscall_priority(ctx, -10, 1); + if (rc != -EINVAL) + return -1; + } + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_rule_add errors */ + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A0(SCMP_CMP_EQ, 0)); + if (rc != -EINVAL) + return -1; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + else { + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); + if (rc != -EACCES) + return -1; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL - 1, SCMP_SYS(read), 0); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 7); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 7, + SCMP_A0(SCMP_CMP_EQ, 0), + SCMP_A1(SCMP_CMP_EQ, 0), + SCMP_A2(SCMP_CMP_EQ, 0), + SCMP_A3(SCMP_CMP_EQ, 0), + SCMP_A4(SCMP_CMP_EQ, 0), + SCMP_A5(SCMP_CMP_EQ, 0), + SCMP_CMP(6, SCMP_CMP_EQ, 0)); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1, + SCMP_A0(_SCMP_CMP_MIN, 0)); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1, + SCMP_A0(_SCMP_CMP_MAX, 0)); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, -10001, 0); + if (rc != -EDOM) + return -1; + } + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_rule_add_exact error */ + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + return -1; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); + if (rc != 0) + return -1; + rc 
= seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, + SCMP_A0(SCMP_CMP_EQ, 2)); + if (rc != -EINVAL) + return -1; + rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0); + if (rc != -EINVAL) + return -1; + seccomp_release(ctx); + ctx = NULL; + + /* errno values beyond MAX_ERRNO */ + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(0xffff), 0, 0); + if (rc != -EINVAL) + return -1; + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_export_pfc errors */ + rc = seccomp_export_pfc(ctx, STDOUT_FILENO); + if (rc != -EINVAL) + return -1; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + else { + rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1); + if (rc != -ECANCELED) + return -1; + } + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_export_bpf errors */ + rc = seccomp_export_bpf(ctx, STDOUT_FILENO); + if (rc != -EINVAL) + return -1; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + else { + rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1); + if (rc != -ECANCELED) + return -1; + } + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_attr_* errors */ + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_attr_get(ctx, 1000, &attr); + if (rc != -EINVAL) + return -1; + rc = seccomp_attr_set(ctx, 1000, 1); + if (rc != -EINVAL) + return -1; + seccomp_release(ctx); + ctx = NULL; + + /* seccomp_merge() errors */ + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_merge(ctx, NULL); + if (rc == 0) + return -1; + seccomp_release(ctx); + ctx = NULL; + + /* seccomp notify errors */ + if (api >= 5) { + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return -1; + rc = seccomp_notify_alloc(NULL, NULL); + if (rc != 0) + return -1; + rc = seccomp_notify_alloc(&req, NULL); + if (rc != 0) + return -1; + rc = seccomp_notify_alloc(NULL, &resp); + if (rc != 0) + return 
-1; + seccomp_notify_free(NULL, NULL); + seccomp_notify_free(req, resp); + req = NULL; + resp = NULL; + rc = seccomp_notify_receive(-1, NULL); + if (rc == 0) + return -1; + rc = seccomp_notify_respond(-1, NULL); + if (rc == 0) + return -1; + rc = seccomp_notify_id_valid(-1, 0); + if (rc == 0) + return -1; + rc = seccomp_notify_fd(NULL); + if (rc == 0) + return -1; + rc = seccomp_notify_fd(ctx); + if (rc == 0) + return -1; + seccomp_release(ctx); + ctx = NULL; + } + + return 0; +} diff --git a/tests/11-basic-basic_errors.py b/tests/11-basic-basic_errors.py new file mode 100755 index 0000000..a2689ca --- /dev/null +++ b/tests/11-basic-basic_errors.py 
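Review bot: The checks near the end of `main` for `seccomp_merge(ctx, NULL)` and for the `seccomp_notify_receive`, `seccomp_notify_respond`, `seccomp_notify_id_valid` and `seccomp_notify_fd` calls only fail when `rc == 0`, so any non-zero return counts as the expected error. For `seccomp_notify_fd()` that is too loose, since a call that wrongly handed back a descriptor greater than zero would pass. The earlier checks in this function compare against a specific negative errno; where the exact code is not pinned down, at least require a negative value, `if (rc >= 0) return -1;`. Separately, the `return -1` paths inside the `else` blocks skip `seccomp_release(ctx)`, which is harmless for a process about to exit but shows up as noise under a leak checker.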
@@ -0,0 +1,93 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(): + # this test differs from the native test for obvious reasons + try: + f = SyscallFilter(ALLOW + 1) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + try: + f.reset(KILL + 1) + except ValueError: + pass + + f = SyscallFilter(ALLOW) + try: + f.syscall_priority(-10000, 1) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + try: + f.add_rule(ALLOW, "read") + except RuntimeError: + pass + try: + f.add_rule(KILL - 1, "read") + except RuntimeError: + pass + try: + f.add_rule(KILL, "read", + Arg(0, EQ, 0), + Arg(1, EQ, 1), + Arg(2, EQ, 2), + Arg(3, EQ, 3), + Arg(4, EQ, 4), + Arg(5, EQ, 5), + Arg(6, EQ, 6), + Arg(7, EQ, 7)) + except RuntimeError: + pass + try: + f.add_rule(KILL, -1001) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + f.remove_arch(Arch()) + f.add_arch(Arch("x86")) + try: + f.add_rule_exactly(KILL, "socket", Arg(0, EQ, 2)) + except RuntimeError: + pass + + f = SyscallFilter(ALLOW) + try: + f.add_rule(ERRNO(0xffff), "read") + except RuntimeError: + pass + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; 
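Review bot: Every `try: ... except RuntimeError: pass` block in `test()` passes whether or not the call raises, so this test cannot fail if the binding starts accepting an invalid action, an out-of-range syscall number or too many argument comparisons. These error paths are what keeps a malformed rule out of a filter, so the test should fail when the exception is missing. A small helper that raises when the call succeeds keeps the call sites short; the fence shows the helper and the first two converted cases, and the remaining blocks convert the same way.

```python
def expect_error(exc, func, *args):
    try:
        func(*args)
    except exc:
        return
    raise AssertionError("expected %s was not raised" % exc.__name__)

def test():
    # this test differs from the native test for obvious reasons
    expect_error(RuntimeError, SyscallFilter, ALLOW + 1)

    f = SyscallFilter(ALLOW)
    expect_error(ValueError, f.reset, KILL + 1)
    # … unchanged: remaining error cases, converted the same way …
```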
diff --git a/tests/11-basic-basic_errors.tests b/tests/11-basic-basic_errors.tests new file mode 100644
index 0000000..3593392
--- /dev/null
+++ b/tests/11-basic-basic_errors.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: basic
+
+# Test command
+11-basic-basic_errors
diff --git a/tests/12-sim-basic_masked_ops.c b/tests/12-sim-basic_masked_ops.c new file mode 100644
index 0000000..1506715
--- /dev/null
+++ b/tests/12-sim-basic_masked_ops.c
@@ -0,0 +1,88 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* the syscall and argument numbers are all fake to make the test
+ * simpler */
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_EQ, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0x00ff, 1),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffff, 11),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xffff, 111),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
+ SCMP_A0(SCMP_CMP_EQ, 0),
+ SCMP_A1(SCMP_CMP_MASKED_EQ, 0xff00, 1000),
+ SCMP_A2(SCMP_CMP_EQ, 2));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/12-sim-basic_masked_ops.py b/tests/12-sim-basic_masked_ops.py new file mode 100755
index 0000000..48cf63a
--- /dev/null
+++ b/tests/12-sim-basic_masked_ops.py
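Review bot: The last rule in `main` passes `SCMP_A1(SCMP_CMP_MASKED_EQ, 0xff00, 1000)`, where the datum 1000 (0x3e8) has bits outside the mask, and nothing in the file says that this is deliberate. The expectations in 12-sim-basic_masked_ops.tests allow A1 values 0x300-0x3FF and kill 0x2FF and 0x400, so the comparison is apparently made against the masked datum 0x300 rather than being rejected or never matching. That is easy to misread as an exact match on 1000 when someone copies the pattern into a real policy, so I would add a comment above the rule: `/* datum 1000 (0x3e8) has bits outside mask 0xff00; the expected match is (A1 & 0xff00) == 0x300 */`. The same rule appears in `test()` in 12-sim-basic_masked_ops.py.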
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, EQ, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0x00ff, 1),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xffff, 11),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xffff, 111),
+ Arg(2, EQ, 2))
+ f.add_rule_exactly(ALLOW, 1000,
+ Arg(0, EQ, 0),
+ Arg(1, MASKED_EQ, 0xff00, 1000),
+ Arg(2, EQ, 2))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/12-sim-basic_masked_ops.tests b/tests/12-sim-basic_masked_ops.tests new file mode 100644
index 0000000..5a722f8
--- /dev/null
+++ b/tests/12-sim-basic_masked_ops.tests
@@ -0,0 +1,48 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright IBM Corp. 2012
+# Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+12-sim-basic_masked_ops all,-x32 1000 0 1 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x01 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x02-0x0A 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x101 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 11 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x0B 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x0C-0x6E 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x1000B 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 111 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x6F 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x70-0x100 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x102-0x200 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x10002-0x1000A 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x1000C-0x1006E 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x1006F 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 1000 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x3E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x2FF 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x300-0x3FF 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x400 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x402-0x4FF 2 N N N KILL
+12-sim-basic_masked_ops all,-x32 1000 0 0x10300-0x103FF 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000000F00003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000000800003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000001800003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x00000001000003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0x0000000F000003E8 2 N N N ALLOW
+12-sim-basic_masked_ops all,-x32 1000 0 0xFFFFFFFFFFFF03E8 2 N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+12-sim-basic_masked_ops 50
+
+test type: bpf-valgrind
+
+# Testname
+12-sim-basic_masked_ops
diff --git a/tests/13-basic-attrs.c b/tests/13-basic-attrs.c
new file mode 100644
index 0000000..e3c5881
--- /dev/null
+++ b/tests/13-basic-attrs.c
@@ -0,0 +1,149 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2012 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + uint32_t val = (uint32_t)(-1); + scmp_filter_ctx ctx = NULL; + + rc = seccomp_api_set(5); + if (rc != 0) + return EOPNOTSUPP; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_attr_get(ctx, SCMP_FLTATR_ACT_DEFAULT, &val); + if (rc != 0) + goto out; + if (val != SCMP_ACT_ALLOW) { + rc = -1; + goto out; + } + rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_DEFAULT, val); + if (rc != -EACCES) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_ACT_BADARCH, &val); + if (rc != 0) + goto out; + if (val != SCMP_ACT_ALLOW) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_NNP, &val); + if (rc != 0) + goto out; + if (val != 0) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); + if (rc != 0 && rc != -EOPNOTSUPP) + goto out; + rc = seccomp_attr_get(ctx, 
SCMP_FLTATR_CTL_TSYNC, &val); + if (rc != 0) + goto out; + if (val != 1) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_TSKIP, 1); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_TSKIP, &val); + if (rc != 0) + goto out; + if (val != 1) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_LOG, &val); + if (rc != 0) + goto out; + if (val != 1) { + rc = -1; + goto out; + } + + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_SSB, &val); + if (rc != 0) + goto out; + if (val != 1) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_OPTIMIZE, &val); + if (rc != 0) + goto out; + if (val != 2) { + rc = -1; + goto out; + } + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1); + if (rc != 0) + goto out; + rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_SYSRAWRC, &val); + if (rc != 0) + goto out; + if (val != 1) { + rc = -1; + goto out; + } + + rc = 0; +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/13-basic-attrs.py b/tests/13-basic-attrs.py new file mode 100755 index 0000000..48c25a0 --- /dev/null +++ b/tests/13-basic-attrs.py 
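Review bot: The TSYNC block tolerates `-EOPNOTSUPP` from `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1)` but then still requires the following `seccomp_attr_get()` to report `val == 1`. If the set is rejected as unsupported, the attribute presumably keeps its earlier value, so the test would fail on exactly the systems the tolerance was added for. Either drop the `rc != -EOPNOTSUPP` exception, or run the get-and-compare for TSYNC only when the set call returned 0. No other attribute block in main() has this mismatch between the accepted return codes and the value check.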
@@ -0,0 +1,68 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(): + set_api(5) + + f = SyscallFilter(ALLOW) + if f.get_attr(Attr.ACT_DEFAULT) != ALLOW: + raise RuntimeError("Failed getting Attr.ACT_DEFAULT") + try: + f.set_attr(Attr.ACT_DEFAULT, ALLOW) + except RuntimeError: + pass + f.set_attr(Attr.ACT_BADARCH, ALLOW) + if f.get_attr(Attr.ACT_BADARCH) != ALLOW: + raise RuntimeError("Failed getting Attr.ACT_BADARCH") + f.set_attr(Attr.CTL_NNP, 0) + if f.get_attr(Attr.CTL_NNP) != 0: + raise RuntimeError("Failed getting Attr.CTL_NNP") + if f.get_attr(Attr.CTL_TSYNC) != 0: + raise RuntimeError("Failed getting Attr.CTL_TSYNC") + f.set_attr(Attr.API_TSKIP, 0) + if f.get_attr(Attr.API_TSKIP) != 0: + raise RuntimeError("Failed getting Attr.API_TSKIP") + f.set_attr(Attr.CTL_LOG, 1) + if f.get_attr(Attr.CTL_LOG) != 1: + raise RuntimeError("Failed getting Attr.CTL_LOG") + f.set_attr(Attr.CTL_SSB, 1) + if f.get_attr(Attr.CTL_SSB) != 1: + raise RuntimeError("Failed getting Attr.CTL_SSB") + f.set_attr(Attr.CTL_OPTIMIZE, 2) + if f.get_attr(Attr.CTL_OPTIMIZE) != 2: + raise RuntimeError("Failed getting Attr.CTL_OPTIMIZE") + f.set_attr(Attr.API_SYSRAWRC, 1) + if 
f.get_attr(Attr.API_SYSRAWRC) != 1: + raise RuntimeError("Failed getting Attr.API_SYSRAWRC") + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/13-basic-attrs.tests b/tests/13-basic-attrs.tests new file mode 100644 index 0000000..2288787 --- /dev/null +++ b/tests/13-basic-attrs.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright IBM Corp. 2012 +# Author: Corey Bryant <coreyb@linux.vnet.ibm.com> +# + +test type: basic + +# Test command +13-basic-attrs diff --git a/tests/14-sim-reset.c b/tests/14-sim-reset.c new file mode 100644 index 0000000..3dd3181 --- /dev/null +++ b/tests/14-sim-reset.c 
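Review bot: The `try: f.set_attr(Attr.ACT_DEFAULT, ALLOW)` / `except RuntimeError: pass` block in tests/13-basic-attrs.py passes whether or not the call raises, so it does not check that the default action is read-only; the C version of this test insists on `-EACCES` at the same point. Make the success path fail by adding `else: raise RuntimeError("Attr.ACT_DEFAULT should be read-only")` after the `except`. The same pattern appears in tests/15-basic-resolver.py around `f.add_rule(ALLOW, "INVALID")`, where a binding that accepted an unknown syscall name would go unnoticed.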
@@ -0,0 +1,62 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_reset(ctx, SCMP_ACT_KILL);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/14-sim-reset.py b/tests/14-sim-reset.py
new file mode 100755
index 0000000..66463c8
--- /dev/null
+++ b/tests/14-sim-reset.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule(ALLOW, "read")
+ f.reset()
+ f.add_rule(ALLOW, "write")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/14-sim-reset.tests b/tests/14-sim-reset.tests
new file mode 100644
index 0000000..584fbb0
--- /dev/null
+++ b/tests/14-sim-reset.tests
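Review bot: `f.reset()` in test() is called without a default action, while the C version of this test passes `SCMP_ACT_KILL` explicitly to `seccomp_reset()`. The expected results in 14-sim-reset.tests (read killed, write allowed) depend on the filter still defaulting to KILL after the reset, which here rests on what the binding does when no action is given. Writing `f.reset(KILL)` would make the intent visible and keep the two tests aligned; if exercising the no-argument path is the point, a comment such as `# reset() without an action keeps the original default (KILL)` would do.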
@@ -0,0 +1,29 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+14-sim-reset all read 0 0x856B008 40 N N N KILL
+14-sim-reset all write 1 0x856B008 40 N N N ALLOW
+14-sim-reset all close 4 N N N N N KILL
+14-sim-reset all rt_sigreturn N N N N N N KILL
+14-sim-reset all open 0x856B008 4 N N N N KILL
+14-sim-reset x86 0-3 N N N N N N KILL
+14-sim-reset x86 5-360 N N N N N N KILL
+14-sim-reset x86_64 0 N N N N N N KILL
+14-sim-reset x86_64 2-360 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+14-sim-reset 50
+
+test type: bpf-valgrind
+
+# Testname
+14-sim-reset
diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
new file mode 100644
index 0000000..6db69e8
--- /dev/null
+++ b/tests/15-basic-resolver.c
@@ -0,0 +1,170 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2012 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <string.h> +#include <stdlib.h> + +#include <seccomp.h> + +unsigned int arch_list[] = { + SCMP_ARCH_NATIVE, + SCMP_ARCH_X86, + SCMP_ARCH_X86_64, + SCMP_ARCH_X32, + SCMP_ARCH_ARM, + SCMP_ARCH_AARCH64, + SCMP_ARCH_MIPS, + SCMP_ARCH_MIPS64, + SCMP_ARCH_MIPS64N32, + SCMP_ARCH_MIPSEL, + SCMP_ARCH_MIPSEL64, + SCMP_ARCH_MIPSEL64N32, + SCMP_ARCH_PPC, + SCMP_ARCH_PPC64, + SCMP_ARCH_PPC64LE, + SCMP_ARCH_S390, + SCMP_ARCH_S390X, + SCMP_ARCH_PARISC, + SCMP_ARCH_PARISC64, + SCMP_ARCH_RISCV64, + -1 +}; + +int main(int argc, char *argv[]) +{ + int rc; + int iter = 0; + unsigned int arch; + char *name = NULL; + + if (seccomp_syscall_resolve_name("open") != __SNR_open) + goto fail; + if (seccomp_syscall_resolve_name("read") != __SNR_read) + goto fail; + if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR) + goto fail; + + rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat"); + if (rc != __SNR_openat) + goto fail; + + while ((arch = arch_list[iter++]) != -1) { + int sys; + int nr_open; + int nr_read; + int nr_socket; + int nr_shmctl; + + if (seccomp_syscall_resolve_name_arch(arch, + "INVALID") != __NR_SCMP_ERROR) + goto fail; + name = 
seccomp_syscall_resolve_num_arch(arch, __NR_SCMP_ERROR); + if (name != NULL) + goto fail; + + nr_open = seccomp_syscall_resolve_name_arch(arch, "open"); + if (nr_open == __NR_SCMP_ERROR) + goto fail; + nr_read = seccomp_syscall_resolve_name_arch(arch, "read"); + if (nr_read == __NR_SCMP_ERROR) + goto fail; + nr_socket = seccomp_syscall_resolve_name_rewrite(arch, "socket"); + if (nr_socket == __NR_SCMP_ERROR) + goto fail; + nr_shmctl = seccomp_syscall_resolve_name_rewrite(arch, "shmctl"); + if (nr_shmctl == __NR_SCMP_ERROR) + goto fail; + + name = seccomp_syscall_resolve_num_arch(arch, nr_open); + if (name == NULL || strcmp(name, "open") != 0) + goto fail; + free(name); + name = NULL; + + name = seccomp_syscall_resolve_num_arch(arch, nr_read); + if (name == NULL || strcmp(name, "read") != 0) + goto fail; + free(name); + name = NULL; + + name = seccomp_syscall_resolve_num_arch(arch, nr_socket); + if (name == NULL || + (strcmp(name, "socket") != 0 && + strcmp(name, "socketcall") != 0)) + goto fail; + free(name); + name = NULL; + + name = seccomp_syscall_resolve_num_arch(arch, nr_shmctl); + if (name == NULL || + (strcmp(name, "shmctl") != 0 && strcmp(name, "ipc") != 0)) + goto fail; + free(name); + name = NULL; + + /* socket pseudo-syscalls */ + if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) { + for (sys = -101; sys >= -120; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + } + /* ipc pseudo-syscalls */ + if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) { + for (sys = -201; sys >= -204; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + for (sys = -211; sys >= -214; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + for (sys = -221; sys >= -224; sys--) { + name = seccomp_syscall_resolve_num_arch(arch, + 
sys); + if (name == NULL) + goto fail; + free(name); + name = NULL; + } + } + } + + return 0; + +fail: + if (name != NULL) + free(name); + return 1; +} diff --git a/tests/15-basic-resolver.py b/tests/15-basic-resolver.py new file mode 100755 index 0000000..3ce3389 --- /dev/null +++ b/tests/15-basic-resolver.py @@ -0,0 +1,54 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(): + f = SyscallFilter(KILL) + # this differs from the native test as we don't support the syscall + # resolution functions by themselves + f.add_rule(ALLOW, "open") + f.add_rule(ALLOW, "read") + try: + f.add_rule(ALLOW, "INVALID") + except RuntimeError: + pass + + sys_num = resolve_syscall(Arch(), "open") + sys_name = resolve_syscall(Arch(), sys_num) + if (sys_name != b"open"): + raise RuntimeError("Test failure") + sys_num = resolve_syscall(Arch(), "read") + sys_name = resolve_syscall(Arch(), sys_num) + if (sys_name != b"read"): + raise RuntimeError("Test failure") + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/15-basic-resolver.tests b/tests/15-basic-resolver.tests new file mode 100644 index 0000000..c3f239b 
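Review bot: In tests/15-basic-resolver.c, `arch_list` is an `unsigned int` array terminated with `-1`, and the loop condition `(arch = arch_list[iter++]) != -1` compares an unsigned value against a signed constant. It works through the usual integer conversions, but it is the kind of comparison stricter warning levels flag, and it hides that the sentinel is really the largest unsigned value. Spelling the sentinel as `(unsigned int)-1` in both the array initialiser and the `while` condition makes the intent explicit without changing behaviour.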
--- /dev/null +++ b/tests/15-basic-resolver.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: basic + +# Test command +15-basic-resolver diff --git a/tests/16-sim-arch_basic.c b/tests/16-sim-arch_basic.c new file mode 100644 index 0000000..0b141e1 --- /dev/null +++ b/tests/16-sim-arch_basic.c 
@@ -0,0 +1,169 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2012 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + /* NOTE: not strictly necessary since we get the native arch by default + * but it serves as a good sanity check for the code and boosts + * our code coverage numbers */ + rc = seccomp_arch_exist(ctx, seccomp_arch_native()); + if (rc != 0) + goto out; + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + /* NOTE: we are using a different approach to test for the native arch + * to exercise slightly different code paths */ + rc = seccomp_arch_exist(ctx, 0); + if (rc != -EEXIST) + goto out; + + /* NOTE: more sanity/coverage tests (see above) */ + rc = seccomp_arch_add(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + if (rc != 0) + 
goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X32); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + + /* not strictly necessary, but let's exercise the code paths */ + rc = seccomp_arch_remove(ctx, SCMP_ARCH_X86); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_X86_64); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_X32); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_ARM); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_AARCH64); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_MIPSEL); + if (rc != 0) + goto out; + rc = 
seccomp_arch_remove(ctx, SCMP_ARCH_MIPSEL64); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_MIPSEL64N32); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_PPC64LE); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx, SCMP_ARCH_RISCV64); + if (rc != 0) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/16-sim-arch_basic.py b/tests/16-sim-arch_basic.py new file mode 100755 index 0000000..846553f --- /dev/null +++ b/tests/16-sim-arch_basic.py 
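Review bot: After `rc = seccomp_arch_exist(ctx, 0);` in tests/16-sim-arch_basic.c, the check `if (rc != -EEXIST) goto out;` leaves `rc` untouched, so if the call unexpectedly returns 0 (the native arch is still present after the removal) main() reaches `out:` and exits with status 0 before any filter has been written. tests/13-basic-attrs.c handles the same kind of expected-error check by forcing a failure code first. I would do the same here: `if (rc != -EEXIST) { rc = -1; goto out; }`.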
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # NOTE: some of these arch functions are not strictly necessary, but are
+ # here for test sanity/coverage
+ f.remove_arch(Arch())
+ f.add_arch(Arch())
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("arm"))
+ f.add_arch(Arch("aarch64"))
+ f.add_arch(Arch("mipsel"))
+ f.add_arch(Arch("mipsel64"))
+ f.add_arch(Arch("mipsel64n32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("riscv64"))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "shutdown")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/16-sim-arch_basic.tests b/tests/16-sim-arch_basic.tests
new file mode 100644
index 0000000..f580167
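Review bot: The read/write rules in test() take their descriptor numbers from `sys.stdin.fileno()`, `sys.stdout.fileno()` and `sys.stderr.fileno()`, so the generated filter depends on how the interpreter's standard streams happen to be set up when the test runs. 16-sim-arch_basic.tests hard-codes the expectation that descriptor 0 is allowed for read and 1-2 for write, and the C test uses the `STDIN_FILENO`/`STDOUT_FILENO`/`STDERR_FILENO` constants. Literal values, e.g. `Arg(0, EQ, 0)` for the read rule, would keep the filter deterministic. The same applies to tests/17-sim-arch_merge.py and tests/18-sim-basic_allowlist.py.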
--- /dev/null +++ b/tests/16-sim-arch_basic.tests @@ -0,0 +1,27 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +16-sim-arch_basic +all_le read 0 0x856B008 10 N N N ALLOW +16-sim-arch_basic +all_le read 1-10 0x856B008 10 N N N KILL +16-sim-arch_basic +all_le write 1-2 0x856B008 10 N N N ALLOW +16-sim-arch_basic +all_le write 3-10 0x856B008 10 N N N KILL +16-sim-arch_basic +all_le close N N N N N N ALLOW +16-sim-arch_basic +all_le open 0x856B008 4 N N N N KILL +16-sim-arch_basic +x86 socket 1 N N N N N ALLOW +16-sim-arch_basic +x86 connect 3 N N N N N ALLOW +16-sim-arch_basic +x86 shutdown 13 N N N N N ALLOW +16-sim-arch_basic +x86_64 socket 0 1 2 N N N ALLOW +16-sim-arch_basic +x86_64 connect 0 1 2 N N N ALLOW +16-sim-arch_basic +x86_64 shutdown 0 1 2 N N N ALLOW + +test type: bpf-valgrind + +# Testname +16-sim-arch_basic diff --git a/tests/17-sim-arch_merge.c b/tests/17-sim-arch_merge.c new file mode 100644 index 0000000..6716c7e --- /dev/null +++ b/tests/17-sim-arch_merge.c 
@@ -0,0 +1,111 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2012 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx_64 = NULL, ctx_32 = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out_all; + + ctx_32 = seccomp_init(SCMP_ACT_KILL); + if (ctx_32 == NULL) { + rc = -ENOMEM; + goto out_all; + } + ctx_64 = seccomp_init(SCMP_ACT_KILL); + if (ctx_64 == NULL) { + rc = -ENOMEM; + goto out_all; + } + + rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86); + if (rc != 0) + goto out_all; + rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64); + if (rc != 0) + goto out_all; + + rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); + if (rc != 0) + goto out_all; + + rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); + if (rc != 0) + goto out_all; + + rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO)); + if (rc 
!= 0) + goto out_all; + + rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out_all; + + rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0); + if (rc != 0) + goto out_all; + + rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); + if (rc != 0) + goto out_all; + + rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); + if (rc != 0) + goto out_all; + + rc = seccomp_merge(ctx_64, ctx_32); + if (rc != 0) + goto out_all; + + /* NOTE: ctx_32 is no longer valid at this point */ + + rc = util_filter_output(&opts, ctx_64); + if (rc) + goto out; + +out: + seccomp_release(ctx_64); + return (rc < 0 ? -rc : rc); +out_all: + seccomp_release(ctx_32); + goto out; +} diff --git a/tests/17-sim-arch_merge.py b/tests/17-sim-arch_merge.py new file mode 100755 index 0000000..24f2f6a --- /dev/null +++ b/tests/17-sim-arch_merge.py 
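Review bot: The two `seccomp_arch_remove()` failure paths in tests/17-sim-arch_merge.c use `goto out`, which releases only `ctx_64`, whereas every other failure before the merge goes through `out_all` and releases `ctx_32` as well. If either removal fails, `ctx_32` is never released. Both branches should read `goto out_all;`, which also keeps the error handling uniform in a test that 17-sim-arch_merge.tests lists under bpf-valgrind.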
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f32 = SyscallFilter(KILL)
+ f64 = SyscallFilter(KILL)
+ f32.remove_arch(Arch())
+ f64.remove_arch(Arch())
+ f32.add_arch(Arch("x86"))
+ f64.add_arch(Arch("x86_64"))
+ f32.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f32.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f32.add_rule(ALLOW, "close")
+ f64.add_rule(ALLOW, "socket")
+ f64.add_rule(ALLOW, "connect")
+ f64.add_rule(ALLOW, "shutdown")
+ f64.merge(f32)
+ return f64
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/17-sim-arch_merge.tests b/tests/17-sim-arch_merge.tests
new file mode 100644
index 0000000..0f56578
--- /dev/null
+++ b/tests/17-sim-arch_merge.tests
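Review bot: After `f64.merge(f32)` in test(), nothing indicates that `f32` must not be used again, whereas the C version of this test carries the comment `/* NOTE: ctx_32 is no longer valid at this point */` right after `seccomp_merge()`. Whether the binding guards against reuse of a merged filter is not visible from this file, so I would at least mirror the comment on the line after the merge: `# NOTE: f32 is no longer valid at this point`. The function returns immediately afterwards, so this is documentation for whoever extends the test rather than a behavioural change.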
@@ -0,0 +1,24 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +17-sim-arch_merge +x86 read 0 0x856B008 10 N N N ALLOW +17-sim-arch_merge +x86 read 1-10 0x856B008 10 N N N KILL +17-sim-arch_merge +x86 write 1-2 0x856B008 10 N N N ALLOW +17-sim-arch_merge +x86 write 3-10 0x856B008 10 N N N KILL +17-sim-arch_merge +x86 close N N N N N N ALLOW +17-sim-arch_merge +x86 open 0x856B008 4 N N N N KILL +17-sim-arch_merge +x86_64 socket 0 1 2 N N N ALLOW +17-sim-arch_merge +x86_64 connect 0 1 2 N N N ALLOW +17-sim-arch_merge +x86_64 shutdown 0 1 2 N N N ALLOW + +test type: bpf-valgrind + +# Testname +17-sim-arch_merge diff --git a/tests/18-sim-basic_allowlist.c b/tests/18-sim-basic_allowlist.c new file mode 100644 index 0000000..e30274f --- /dev/null +++ b/tests/18-sim-basic_allowlist.c 
@@ -0,0 +1,74 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2013 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, + SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} 
diff --git a/tests/18-sim-basic_allowlist.py b/tests/18-sim-basic_allowlist.py new file mode 100755 index 0000000..dbee3ac --- /dev/null +++ b/tests/18-sim-basic_allowlist.py @@ -0,0 +1,45 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) + f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) + f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) + f.add_rule_exactly(ALLOW, "close") + f.add_rule_exactly(ALLOW, "rt_sigreturn") + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/18-sim-basic_allowlist.tests b/tests/18-sim-basic_allowlist.tests new file mode 100644 index 0000000..dba88ce --- /dev/null +++ b/tests/18-sim-basic_allowlist.tests 
@@ -0,0 +1,32 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +18-sim-basic_allowlist all read 0 0x856B008 10 N N N ALLOW +18-sim-basic_allowlist all read 1-10 0x856B008 10 N N N KILL +18-sim-basic_allowlist all write 1-2 0x856B008 10 N N N ALLOW +18-sim-basic_allowlist all write 3-10 0x856B008 10 N N N KILL +18-sim-basic_allowlist all close N N N N N N ALLOW +18-sim-basic_allowlist all rt_sigreturn N N N N N N ALLOW +18-sim-basic_allowlist all open 0x856B008 4 N N N N KILL +18-sim-basic_allowlist x86 0-2 N N N N N N KILL +18-sim-basic_allowlist x86 7-172 N N N N N N KILL +18-sim-basic_allowlist x86 174-350 N N N N N N KILL +18-sim-basic_allowlist x86_64 4-14 N N N N N N KILL +18-sim-basic_allowlist x86_64 16-350 N N N N N N KILL + +test type: bpf-sim-fuzz + +# Testname StressCount +18-sim-basic_allowlist 50 + +test type: bpf-valgrind + +# Testname +18-sim-basic_allowlist diff --git a/tests/19-sim-missing_syscalls.c b/tests/19-sim-missing_syscalls.c new file mode 100644 index 0000000..4461ed6 --- /dev/null +++ b/tests/19-sim-missing_syscalls.c 
@@ -0,0 +1,65 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tuxcall), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(tuxcall), 0);
+ if (rc != -EDOM)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/19-sim-missing_syscalls.py b/tests/19-sim-missing_syscalls.py
new file mode 100755
index 0000000..aa888da
--- /dev/null
+++ b/tests/19-sim-missing_syscalls.py
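Review bot: The `if (rc != -EDOM) goto out;` check after `seccomp_rule_add_exact()` in main() of 19-sim-missing_syscalls.c lets an unexpected success exit cleanly. With rc == 0 the `out:` path returns 0 and no filter is written, so the regression is only caught if the harness treats missing output as a failure. Mapping that case to an explicit error makes the expectation self-checking, e.g. `if (rc != -EDOM) { rc = (rc == 0 ? -EFAULT : rc); goto out; }`. A one-line comment stating why the exact variant is expected to fail with -EDOM (presumably because tuxcall has no syscall number on x86) would also help the next reader.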
@@ -0,0 +1,47 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.remove_arch(Arch()) + f.add_arch(Arch("x86")) + f.add_rule(ALLOW, "tuxcall") + try: + f.add_rule_exactly(ALLOW, "tuxcall") + except RuntimeError: + pass + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/19-sim-missing_syscalls.tests b/tests/19-sim-missing_syscalls.tests new file mode 100644 index 0000000..6725733 --- /dev/null +++ b/tests/19-sim-missing_syscalls.tests @@ -0,0 +1,16 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +19-sim-missing_syscalls +x86 0-350 N N N N N N KILL + +test type: bpf-valgrind + +# Testname +19-sim-missing_syscalls diff --git a/tests/20-live-basic_die.c b/tests/20-live-basic_die.c new file mode 100644 index 0000000..7c556b0 --- /dev/null +++ b/tests/20-live-basic_die.c 
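Review bot: The `try: f.add_rule_exactly(ALLOW, "tuxcall")` / `except RuntimeError: pass` block in test() of 19-sim-missing_syscalls.py passes whether or not the call raises. The Python test therefore never verifies that the exact variant rejects a syscall that is missing on x86, whereas the C counterpart at least expects -EDOM. Adding an `else:` branch after the `except` that fails the test, e.g. `raise RuntimeError("add_rule_exactly() unexpectedly succeeded")`, keeps the two in step. The indentation is flattened in this rendering, so the exact placement should be checked against the file.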
@@ -0,0 +1,70 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int action;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_action_parse(argv[1]);
+ if (rc == -1)
+ goto out;
+ action = rc;
+
+ if (action == SCMP_ACT_TRAP) {
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+ }
+
+ ctx = seccomp_init(action);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ rc = util_file_write("/dev/null");
+ if (rc != 0)
+ goto out;
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/20-live-basic_die.py b/tests/20-live-basic_die.py
new file mode 100755
index 0000000..26013f6
--- /dev/null
+++ b/tests/20-live-basic_die.py
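Review bot: main() in 20-live-basic_die.c passes `argv[1]` to `util_action_parse()` without looking at `argc`, so running the program with no argument hands the helper a NULL pointer. Whether the helper tolerates that is not visible in this hunk. A guard before the call, `if (argc < 2) return EINVAL;`, makes the failure explicit. The same pattern appears in 21-live-basic_allow.c and 24-live-arg_allow.c.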
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if action == TRAP:
+ util.install_trap()
+ f = SyscallFilter(action)
+ f.add_rule(ALLOW, "getpid")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigreturn")
+ f.add_rule(ALLOW, "exit_group")
+ f.load()
+ try:
+ util.write_file("/dev/null")
+ except OSError as ex:
+ quit(ex.errno)
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/20-live-basic_die.tests b/tests/20-live-basic_die.tests
new file mode 100644
index 0000000..cade132
--- /dev/null
+++ b/tests/20-live-basic_die.tests
@@ -0,0 +1,13 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+20-live-basic_die 1 KILL
+20-live-basic_die 1 TRAP
+20-live-basic_die 1 ERRNO
diff --git a/tests/21-live-basic_allow.c b/tests/21-live-basic_allow.c
new file mode 100644
index 0000000..3c80c17
--- /dev/null
+++ b/tests/21-live-basic_allow.c
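Review bot: test() in 20-live-basic_die.py ends the process with `quit(...)`, a helper injected by the `site` module for interactive use that is absent when the interpreter runs with `-S`. `sys` is already imported, so `sys.exit(ex.errno)` and `sys.exit(160)` are the dependable spelling; the same applies to 21-live-basic_allow.py and 24-live-arg_allow.py. This filter also allows `getpid` and `sigreturn`, which the C version does not, without the note that 21-live-basic_allow.py carries. A comment here, `# NOTE: additional syscalls required for python`, would explain the wider allowlist, assuming that is the reason.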
@@ -0,0 +1,80 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2013 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + scmp_filter_ctx ctx = NULL; + + rc = util_action_parse(argv[1]); + if (rc != SCMP_ACT_ALLOW) { + rc = 1; + goto out; + } + + rc = util_trap_install(); + if (rc != 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_TRAP); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + if (rc != 0) + goto out; + + rc = seccomp_load(ctx); + if (rc != 0) + goto out; + + rc = util_file_write("/dev/null"); + if (rc != 0) + goto out; + + rc = 160; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} 
diff --git a/tests/21-live-basic_allow.py b/tests/21-live-basic_allow.py new file mode 100755 index 0000000..3bf5317 --- /dev/null +++ b/tests/21-live-basic_allow.py @@ -0,0 +1,64 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(): + action = util.parse_action(sys.argv[1]) + if not action == ALLOW: + quit(1) + util.install_trap() + f = SyscallFilter(TRAP) + # NOTE: additional syscalls required for python + f.add_rule(ALLOW, "stat") + f.add_rule(ALLOW, "fstat") + f.add_rule(ALLOW, "open") + f.add_rule(ALLOW, "openat") + f.add_rule(ALLOW, "mmap") + f.add_rule(ALLOW, "munmap") + f.add_rule(ALLOW, "read") + f.add_rule(ALLOW, "write") + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigaction") + f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "sigreturn") + f.add_rule(ALLOW, "sigaltstack") + f.add_rule(ALLOW, "brk") + f.add_rule(ALLOW, "exit_group") + f.load() + + try: + util.write_file("/dev/null") + except OSError as ex: + quit(ex.errno) + quit(160) + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; 
diff --git a/tests/21-live-basic_allow.tests b/tests/21-live-basic_allow.tests new file mode 100644 index 0000000..73027dc --- /dev/null +++ b/tests/21-live-basic_allow.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: live + +# Testname API Result +21-live-basic_allow 1 ALLOW diff --git a/tests/22-sim-basic_chains_array.c b/tests/22-sim-basic_chains_array.c new file mode 100644 index 0000000..2127f1e --- /dev/null +++ b/tests/22-sim-basic_chains_array.c 
@@ -0,0 +1,78 @@ +/** + * Seccomp Library test program + * + * Author: Paul Moore <paul@paul-moore.com>, Vitaly Shukela <vi0oss@gmail.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + struct scmp_arg_cmp arg_cmp; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + arg_cmp = SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO); + rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW, + SCMP_SYS(read), 1, &arg_cmp); + if (rc != 0) + goto out; + + arg_cmp = SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO); + rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW, + SCMP_SYS(write), 1, &arg_cmp); + if (rc != 0) + goto out; + + arg_cmp = SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO); + rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW, + SCMP_SYS(write), 1, &arg_cmp); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW, + SCMP_SYS(close), 0, NULL); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact_array(ctx, SCMP_ACT_ALLOW, + SCMP_SYS(rt_sigreturn), 0, NULL); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? 
-rc : rc); +} diff --git a/tests/22-sim-basic_chains_array.py b/tests/22-sim-basic_chains_array.py new file mode 100755 index 0000000..bde2461 --- /dev/null +++ b/tests/22-sim-basic_chains_array.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +# NOTE: this is identical to 03-sim-basic_chains.py but is here to satisfy the +# need for an equivalent Python test for each native C test + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.add_rule_exactly(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) + f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) + f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) + f.add_rule_exactly(ALLOW, "close") + f.add_rule_exactly(ALLOW, "rt_sigreturn") + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/22-sim-basic_chains_array.tests b/tests/22-sim-basic_chains_array.tests new file mode 100644 index 0000000..b8867b7 --- /dev/null +++ b/tests/22-sim-basic_chains_array.tests 
@@ -0,0 +1,31 @@ +# +# libseccomp regression test automation data +# +# Author: Vitaly Shukela <vi0oss@gmail.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +22-sim-basic_chains_array all read 0 0x856B008 10 N N N ALLOW +22-sim-basic_chains_array all read 1-10 0x856B008 10 N N N KILL +22-sim-basic_chains_array all write 1-2 0x856B008 10 N N N ALLOW +22-sim-basic_chains_array all write 3-10 0x856B008 10 N N N KILL +22-sim-basic_chains_array all close N N N N N N ALLOW +22-sim-basic_chains_array all rt_sigreturn N N N N N N ALLOW +22-sim-basic_chains_array all open 0x856B008 4 N N N N KILL +22-sim-basic_chains_array x86 0-2 N N N N N N KILL +22-sim-basic_chains_array x86 7-172 N N N N N N KILL +22-sim-basic_chains_array x86 174-350 N N N N N N KILL +22-sim-basic_chains_array x86_64 4-14 N N N N N N KILL +22-sim-basic_chains_array x86_64 16-350 N N N N N N KILL + +test type: bpf-sim-fuzz + +# Testname StressCount +22-sim-basic_chains_array 50 + +test type: bpf-valgrind + +# Testname +22-sim-basic_chains_array diff --git a/tests/23-sim-arch_all_le_basic.c b/tests/23-sim-arch_all_le_basic.c new file mode 100644 index 0000000..32739e5 --- /dev/null +++ b/tests/23-sim-arch_all_le_basic.c 
@@ -0,0 +1,108 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("x86"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("x86_64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("x32"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("arm"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("aarch64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel64"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mipsel64n32"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64le"));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("riscv64"));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/23-sim-arch_all_le_basic.py b/tests/23-sim-arch_all_le_basic.py
new file mode 100755
index 0000000..33eedb1
--- /dev/null
+++ b/tests/23-sim-arch_all_le_basic.py
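Review bot: None of the ten `seccomp_arch_add(ctx, seccomp_arch_resolve_name("..."))` calls in main() of 23-sim-arch_all_le_basic.c checks the resolved token. `seccomp_arch_resolve_name()` returns 0 for a name it does not recognise, and 0 is also the value of `SCMP_ARCH_NATIVE`. An unresolved name would therefore surface as an unrelated error from `seccomp_arch_add()`, or put the native architecture back into a filter that is meant to exclude it, instead of reporting the missing name. Driving the calls from a table with an explicit zero check removes the repetition and makes that case visible, as sketched below.

```c
	/* … unchanged: option parsing, seccomp_init(), removal of the native arch … */
	static const char *const arch_names[] = {
		"x86", "x86_64", "x32", "arm", "aarch64", "mipsel",
		"mipsel64", "mipsel64n32", "ppc64le", "riscv64",
	};
	size_t i;

	for (i = 0; i < sizeof(arch_names) / sizeof(arch_names[0]); i++) {
		uint32_t token = seccomp_arch_resolve_name(arch_names[i]);

		/* 0 doubles as SCMP_ARCH_NATIVE, so reject it explicitly */
		if (token == 0) {
			rc = -EINVAL;
			goto out;
		}
		rc = seccomp_arch_add(ctx, token);
		if (rc != 0)
			goto out;
	}
	/* … unchanged: read/write/close/rt_sigreturn rules, util_filter_output(), out: label … */
```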
@@ -0,0 +1,56 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2012 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.remove_arch(Arch()) + f.add_arch(Arch("x86")) + f.add_arch(Arch("x86_64")) + f.add_arch(Arch("x32")) + f.add_arch(Arch("arm")) + f.add_arch(Arch("aarch64")) + f.add_arch(Arch("mipsel")) + f.add_arch(Arch("mipsel64")) + f.add_arch(Arch("mipsel64n32")) + f.add_arch(Arch("ppc64le")) + f.add_arch(Arch("riscv64")) + f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno())) + f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno())) + f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno())) + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigreturn") + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/23-sim-arch_all_le_basic.tests b/tests/23-sim-arch_all_le_basic.tests new file mode 100644 index 0000000..5e1142b --- /dev/null +++ b/tests/23-sim-arch_all_le_basic.tests 
@@ -0,0 +1,23 @@ +# +# libseccomp regression test automation data +# +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +23-sim-arch_all_le_basic +all_le read 0 0x856B008 10 N N N ALLOW +23-sim-arch_all_le_basic +all_le read 1-10 0x856B008 10 N N N KILL +23-sim-arch_all_le_basic +all_le write 1-2 0x856B008 10 N N N ALLOW +23-sim-arch_all_le_basic +all_le write 3-10 0x856B008 10 N N N KILL +23-sim-arch_all_le_basic +all_le close N N N N N N ALLOW +23-sim-arch_all_le_basic +all_le rt_sigreturn N N N N N N ALLOW +23-sim-arch_all_le_basic +all_le open 0x856B008 4 N N N N KILL + +test type: bpf-valgrind + +# Testname +23-sim-arch_all_le_basic diff --git a/tests/24-live-arg_allow.c b/tests/24-live-arg_allow.c new file mode 100644 index 0000000..f6e746f --- /dev/null +++ b/tests/24-live-arg_allow.c 
@@ -0,0 +1,93 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ scmp_filter_ctx ctx = NULL;
+ const char buf[] = "testing";
+ ssize_t buf_len = strlen(buf);
+
+ rc = util_action_parse(argv[1]);
+ if (rc != SCMP_ACT_ALLOW) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+
+ fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ rc = errno;
+ goto out;
+ }
+
+ ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, fd));
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ if (write(fd, buf, buf_len) < buf_len) {
+ rc = errno;
+ goto out;
+ }
+ if (close(fd) < 0) {
+ rc = errno;
+ goto out;
+ }
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/24-live-arg_allow.py b/tests/24-live-arg_allow.py
new file mode 100755
index 0000000..42d2389
--- /dev/null
+++ b/tests/24-live-arg_allow.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if not action == ALLOW:
+ quit(1)
+ util.install_trap()
+
+ fd = os.open("/dev/null", os.O_WRONLY|os.O_CREAT)
+
+ f = SyscallFilter(TRAP)
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "write", Arg(0, EQ, fd))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "brk")
+ f.load()
+
+ try:
+ if not os.write(fd, b"testing") == len("testing"):
+ raise IOError("failed to write the full test string")
+ quit(160)
+ except OSError as ex:
+ quit(ex.errno)
+ os.close(fd)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
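Review bot: In main() of 24-live-arg_allow.c, `open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)` carries `O_CREAT` although the target is a device node that should already exist. If the test runs privileged where /dev/null is missing, this creates a regular file at that path instead of failing. `fd = open("/dev/null", O_WRONLY);` is enough for what the test checks. Separately, a short `write()` takes the `rc = errno` branch while errno may still be 0, so that case is not guaranteed to produce a failing exit code.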
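Review bot: In test() of 24-live-arg_allow.py, `os.close(fd)` can never run because both the `try` body and the `except` handler end in `quit()`, so the filter's `close` rule is not exercised the way the C version exercises it. Calling `os.close(fd)` inside the `try`, just before `quit(160)`, would cover it. On Python 3 `IOError` is an alias of `OSError`, so the short-write `raise IOError(...)` is caught by the handler with `ex.errno` set to None and the process exits with status 0. Raising with an errno, e.g. `raise OSError(errno.EIO, "failed to write the full test string")` plus `import errno`, avoids that. `os.O_CREAT` is also unnecessary for /dev/null here.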
diff --git a/tests/24-live-arg_allow.tests b/tests/24-live-arg_allow.tests new file mode 100644 index 0000000..5d89be5 --- /dev/null +++ b/tests/24-live-arg_allow.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: live + +# Testname API Result +24-live-arg_allow 1 ALLOW diff --git a/tests/25-sim-multilevel_chains_adv.c b/tests/25-sim-multilevel_chains_adv.c new file mode 100644 index 0000000..870e47f --- /dev/null +++ b/tests/25-sim-multilevel_chains_adv.c 
@@ -0,0 +1,63 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <stdlib.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 10, 2,
+ SCMP_A0(SCMP_CMP_EQ, 11),
+ SCMP_A1(SCMP_CMP_NE, 12));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 20, 3,
+ SCMP_A0(SCMP_CMP_EQ, 21),
+ SCMP_A1(SCMP_CMP_NE, 22),
+ SCMP_A2(SCMP_CMP_EQ, 23));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/25-sim-multilevel_chains_adv.py b/tests/25-sim-multilevel_chains_adv.py
new file mode 100755
index 0000000..2657e9a
--- /dev/null
+++ b/tests/25-sim-multilevel_chains_adv.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, 10,
+ Arg(0, EQ, 11),
+ Arg(1, NE, 12))
+ f.add_rule_exactly(ALLOW, 20,
+ Arg(0, EQ, 21),
+ Arg(1, NE, 22),
+ Arg(2, EQ, 23))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/25-sim-multilevel_chains_adv.tests b/tests/25-sim-multilevel_chains_adv.tests
new file mode 100644
index 0000000..c090a2e
--- /dev/null
+++ b/tests/25-sim-multilevel_chains_adv.tests
@@ -0,0 +1,30 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+25-sim-multilevel_chains_adv all,-x32 0-9 N N N N N N KILL
+25-sim-multilevel_chains_adv all,-x32 10 0x0000000b 0x00000000 N N N N ALLOW
+25-sim-multilevel_chains_adv x86_64 10 0x10000000b 0x00000000 N N N N KILL
+25-sim-multilevel_chains_adv x86_64 10 0x0000000b 0x10000000c N N N N ALLOW
+25-sim-multilevel_chains_adv all,-x32 11-19 N N N N N N KILL
+25-sim-multilevel_chains_adv all,-x32 20 0x00000015 0x00000000 0x00000017 N N N ALLOW
+25-sim-multilevel_chains_adv all,-x32 20 0x00000015 0x00000016 0x00000017 N N N KILL
+25-sim-multilevel_chains_adv x86_64 20 0x100000015 0x00000000 0x00000017 N N N KILL
+25-sim-multilevel_chains_adv x86_64 20 0x00000015 0x00000000 0x100000017 N N N KILL
+25-sim-multilevel_chains_adv all,-x32 21-30 N N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+25-sim-multilevel_chains_adv 50
+
+test type: bpf-valgrind
+
+# Testname
+25-sim-multilevel_chains_adv
diff --git a/tests/26-sim-arch_all_be_basic.c b/tests/26-sim-arch_all_be_basic.c
new file mode 100644
index 0000000..d31ce12
--- /dev/null
+++ b/tests/26-sim-arch_all_be_basic.c
@@ -0,0 +1,104 @@ +/** + * Seccomp Library test program + * + * Author: Markos Chandras <markos.chandras@imgtec.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips64")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("mips64n32")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("parisc")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("parisc64")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("ppc64")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("s390")); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, seccomp_arch_resolve_name("s390x")); + if (rc != 0) + 
goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/26-sim-arch_all_be_basic.py b/tests/26-sim-arch_all_be_basic.py new file mode 100755 index 0000000..3a177b4 --- /dev/null +++ b/tests/26-sim-arch_all_be_basic.py 
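Review bot: The values returned by `seccomp_arch_resolve_name()` in 26-sim-arch_all_be_basic.c are passed straight to `seccomp_arch_add()` for all nine architectures without being checked. As far as I know the resolver returns 0 for a name it does not recognise, and 0 is also `SCMP_ARCH_NATIVE`, which this test removes just above. If so, a misspelt or unsupported name would quietly put the native architecture back into the filter instead of failing the test. Resolving into a local first and rejecting 0, for example `arch = seccomp_arch_resolve_name("mips"); if (arch == 0) { rc = -EINVAL; goto out; }`, would turn that case into a visible error.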
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Author: Markos Chandras <markos.chandras@imgtec.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("mips"))
+ f.add_arch(Arch("mips64"))
+ f.add_arch(Arch("mips64n32"))
+ f.add_arch(Arch("parisc"))
+ f.add_arch(Arch("parisc64"))
+ f.add_arch(Arch("ppc"))
+ f.add_arch(Arch("ppc64"))
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/26-sim-arch_all_be_basic.tests b/tests/26-sim-arch_all_be_basic.tests
new file mode 100644
index 0000000..5eac610
--- /dev/null
+++ b/tests/26-sim-arch_all_be_basic.tests
@@ -0,0 +1,23 @@ +# +# libseccomp regression test automation data +# +# Author: Markos Chandras <markos.chandras@imgtec.com> +# +# Similar to 23-sim-arch_all_basic but for big-endian architectures +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +26-sim-arch_all_be_basic +all_be read 0 0x856B008 10 N N N ALLOW +26-sim-arch_all_be_basic +all_be read 1-10 0x856B008 10 N N N KILL +26-sim-arch_all_be_basic +all_be write 1-2 0x856B008 10 N N N ALLOW +26-sim-arch_all_be_basic +all_be write 3-10 0x856B008 10 N N N KILL +26-sim-arch_all_be_basic +all_be close N N N N N N ALLOW +26-sim-arch_all_be_basic +all_be rt_sigreturn N N N N N N ALLOW +26-sim-arch_all_be_basic +all_be open 0x856B008 4 N N N N KILL + +test type: bpf-valgrind + +# Testname +26-sim-arch_all_be_basic diff --git a/tests/27-sim-bpf_blk_state.c b/tests/27-sim-bpf_blk_state.c new file mode 100644 index 0000000..2d9b6f2 --- /dev/null +++ b/tests/27-sim-bpf_blk_state.c 
@@ -0,0 +1,103 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2015 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 3)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 4)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 5)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 6)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 7)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 8)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 9)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + 
SCMP_A0(SCMP_CMP_EQ, 11)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 12)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 13)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 14)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 15)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, 1000, 1, + SCMP_A0(SCMP_CMP_GE, 16)); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/27-sim-bpf_blk_state.py b/tests/27-sim-bpf_blk_state.py new file mode 100755 index 0000000..5967f62 --- /dev/null +++ b/tests/27-sim-bpf_blk_state.py 
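Review bot: Nothing in 27-sim-bpf_blk_state.c says why argument value 10 is skipped between the `SCMP_CMP_EQ` rules for 3 to 9 and those for 11 to 15. The accompanying .tests data expects syscall 1000 with Arg0 = 10 to be ALLOW, so the gap looks deliberate, but a reader of this file alone could take it for a typo and "fix" it. A comment above the first rule, such as `/* KILL syscall 1000 for a0 in 3-9, 11-15 and >= 16; a0 == 10 is left out on purpose */`, would record the intent. The same comment would help in 27-sim-bpf_blk_state.py.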
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 3))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 4))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 5))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 6))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 7))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 8))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 9))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 11))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 12))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 13))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 14))
+ f.add_rule_exactly(KILL, 1000, Arg(0, EQ, 15))
+ f.add_rule_exactly(KILL, 1000, Arg(0, GE, 16))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/27-sim-bpf_blk_state.tests b/tests/27-sim-bpf_blk_state.tests
new file mode 100644
index 0000000..cd1da6e
--- /dev/null
+++ b/tests/27-sim-bpf_blk_state.tests
@@ -0,0 +1,24 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+27-sim-bpf_blk_state all,-x32 1000 0-2 N N N N N ALLOW
+27-sim-bpf_blk_state all,-x32 1000 3-9 N N N N N KILL
+27-sim-bpf_blk_state all,-x32 1000 10 N N N N N ALLOW
+27-sim-bpf_blk_state all,-x32 1000 11-32 N N N N N KILL
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+27-sim-bpf_blk_state 50
+
+test type: bpf-valgrind
+
+# Testname
+27-sim-bpf_blk_state
diff --git a/tests/28-sim-arch_x86.c b/tests/28-sim-arch_x86.c
new file mode 100644
index 0000000..fa6302f
--- /dev/null
+++ b/tests/28-sim-arch_x86.c
@@ -0,0 +1,71 @@
+/**
+ * Seccomp Library test program
+ *
+ * This test triggered a bug in libseccomp erroneously allowing the close()
+ * syscall on x32 instead of 'KILL'ing it, as it should do for unsupported
+ * architectures.
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Authors: Paul Moore <pmoore@redhat.com>
+ * Mathias Krause <minipli@googlemail.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ /* add x86-64 and x86 (in that order!) but explicitly leave out x32 */
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/28-sim-arch_x86.py b/tests/28-sim-arch_x86.py
new file mode 100755
index 0000000..f133c95
--- /dev/null
+++ b/tests/28-sim-arch_x86.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+# Adapted from 29-sim-arch_x86.c by Mathias Krause <minipli@googlemail.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.remove_arch(Arch())
+ # add x86-64 and x86 (in that order!) but explicitly leave out x32
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x86"))
+ f.add_rule(ERRNO(1), "close")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/28-sim-arch_x86.tests b/tests/28-sim-arch_x86.tests
new file mode 100644
index 0000000..e8a38dc
--- /dev/null
+++ b/tests/28-sim-arch_x86.tests
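Review bot: The header comment of 28-sim-arch_x86.py says the script was `Adapted from 29-sim-arch_x86.c`, but the C program added by this commit is `tests/28-sim-arch_x86.c`, and number 29 is the pseudo-syscall test. The reference looks stale, possibly from a renumbering; `# Adapted from 28-sim-arch_x86.c by Mathias Krause <minipli@googlemail.com>` would point at the file that exists. The C file and the .tests file also explain the x32 bug this test guards against, and repeating that sentence here would keep the three files consistent.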
@@ -0,0 +1,22 @@ +# +# libseccomp regression test automation data +# +# This test triggered a bug in libseccomp erroneously allowing the close() +# syscall on x32 instead of 'KILL'ing it, as it should do for unsupported +# architectures. +# +# Author: Mathias Krause <minipli@googlemail.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +28-sim-arch_x86 +x86,+x86_64 read N N N N N N ALLOW +28-sim-arch_x86 +x86,+x86_64 close N N N N N N ERRNO(1) +28-sim-arch_x86 +arm,+x32 read N N N N N N KILL +28-sim-arch_x86 +arm,+x32 close N N N N N N KILL + +test type: bpf-valgrind + +# Testname +28-sim-arch_x86 diff --git a/tests/29-sim-pseudo_syscall.c b/tests/29-sim-pseudo_syscall.c new file mode 100644 index 0000000..acf9c19 --- /dev/null +++ b/tests/29-sim-pseudo_syscall.c 
@@ -0,0 +1,71 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ /* NOTE: we have to be careful here because some ABIs use syscall
+ * offsets which could interfere with our test, x86 is safe */
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc < 0)
+ goto out;
+
+ /* SCMP_SYS(sysmips) == 4294957190 (unsigned) */
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(sysmips), 0);
+ if (rc < 0)
+ goto out;
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(sysmips), 0);
+ if (rc == 0)
+ goto out;
+ /* -10001 == 4294957295 (unsigned) */
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, -11001, 0);
+ if (rc == 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
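Review bot: The last `seccomp_rule_add_exact()` call in 29-sim-pseudo_syscall.c passes `-11001`, while the comment directly above it says `-10001 == 4294957295`, the Python version passes `-10001`, and the .tests data probes 4294957295. Either the literal or the comment is wrong; if the comment is right the call should read `rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, -10001, 0);`. Both `if (rc == 0) goto out;` checks also leave `rc` at 0 when an add that is expected to fail succeeds. The program then exits with status 0 without emitting the filter, so assigning an error code before the jump, for example `rc = -EFAULT;`, would make that path a clear failure.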
diff --git a/tests/29-sim-pseudo_syscall.py b/tests/29-sim-pseudo_syscall.py
new file mode 100755
index 0000000..d7ab33b
--- /dev/null
+++ b/tests/29-sim-pseudo_syscall.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2015 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_rule(KILL, "sysmips")
+ try:
+ f.add_rule_exactly(KILL, "sysmips")
+ except RuntimeError:
+ pass
+ try:
+ f.add_rule_exactly(KILL, -10001)
+ except RuntimeError:
+ pass
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/29-sim-pseudo_syscall.tests b/tests/29-sim-pseudo_syscall.tests
new file mode 100644
index 0000000..45f8dce
--- /dev/null
+++ b/tests/29-sim-pseudo_syscall.tests
@@ -0,0 +1,18 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2015 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +29-sim-pseudo_syscall +x86 0-10 N N N N N N ALLOW +29-sim-pseudo_syscall +x86 4294957190 N N N N N N ALLOW +29-sim-pseudo_syscall +x86 4294957295 N N N N N N ALLOW + +test type: bpf-valgrind + +# Testname +29-sim-pseudo_syscall diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c new file mode 100644 index 0000000..e87d107 --- /dev/null +++ b/tests/30-sim-socket_syscalls.c 
@@ -0,0 +1,150 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2016 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X32); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, 
SCMP_ACT_ALLOW, SCMP_SYS(accept), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/30-sim-socket_syscalls.py b/tests/30-sim-socket_syscalls.py new file mode 100755 index 0000000..2e06fa7 --- /dev/null +++ b/tests/30-sim-socket_syscalls.py 
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("mipsel"))
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "bind")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "listen")
+ f.add_rule(ALLOW, "accept")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "getsockname")
+ f.add_rule(ALLOW, "getpeername")
+ f.add_rule(ALLOW, "socketpair")
+ f.add_rule(ALLOW, "send")
+ f.add_rule(ALLOW, "recv")
+ f.add_rule(ALLOW, "sendto")
+ f.add_rule(ALLOW, "recvfrom")
+ f.add_rule(ALLOW, "shutdown")
+ f.add_rule(ALLOW, "setsockopt")
+ f.add_rule(ALLOW, "getsockopt")
+ f.add_rule(ALLOW, "sendmsg")
+ f.add_rule(ALLOW, "recvmsg")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "sendmmsg")
+ f.add_rule(ALLOW, "recvmmsg")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
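Review bot: `f.add_rule(ALLOW, "accept4")` appears twice in `test()` in 30-sim-socket_syscalls.py, once right after `accept` and again after `recvmsg`. The C program in this commit adds `accept4` only once, after `recvmsg`, so the two versions do not build the filter from the same rule sequence. The repeated add presumably merges into the existing rule and the generated filter is likely unchanged, but that is not visible from here. Dropping the first occurrence would make the script mirror the C file line for line.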
diff --git a/tests/30-sim-socket_syscalls.tests b/tests/30-sim-socket_syscalls.tests
new file mode 100644
index 0000000..a34620b
--- /dev/null
+++ b/tests/30-sim-socket_syscalls.tests
@@ -0,0 +1,53 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2016 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +# socket +30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 1 N N N N N ALLOW +# connect +30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 3 N N N N N ALLOW +# accept +30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 5 N N N N N ALLOW +# accept4 +30-sim-socket_syscalls +ppc64le socketcall 18 N N N N N ALLOW +# shutdown +30-sim-socket_syscalls +x86,+ppc64le,+mipsel socketcall 13 N N N N N ALLOW +# socket +30-sim-socket_syscalls +x86 359 0 1 2 N N N ALLOW +30-sim-socket_syscalls +ppc64le 326 0 1 2 N N N ALLOW +30-sim-socket_syscalls +mipsel 4183 0 1 2 N N N ALLOW +# connect +30-sim-socket_syscalls +x86 362 0 1 2 N N N ALLOW +30-sim-socket_syscalls +ppc64le 328 0 1 2 N N N ALLOW +30-sim-socket_syscalls +mipsel 4170 0 1 2 N N N ALLOW +# accept +30-sim-socket_syscalls +ppc64le 330 0 1 2 N N N ALLOW +30-sim-socket_syscalls +mipsel 4168 0 1 2 N N N ALLOW +# accept4 +30-sim-socket_syscalls +x86 364 0 1 2 N N N ALLOW +30-sim-socket_syscalls +ppc64le 344 0 1 2 N N N ALLOW +30-sim-socket_syscalls +mipsel 4334 0 1 2 N N N ALLOW +# shutdown +30-sim-socket_syscalls +x86 373 0 1 2 N N N ALLOW +30-sim-socket_syscalls +ppc64le 338 0 1 2 N N N ALLOW +30-sim-socket_syscalls +mipsel 4182 0 1 2 N N N ALLOW +# direct syscalls +30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept 5 N N N N N ALLOW +30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept 0 1 2 N N N KILL +30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept4 18 1 2 N N N ALLOW +30-sim-socket_syscalls +x86,+ppc64le,+mipsel accept4 0 1 2 N N N KILL +30-sim-socket_syscalls +x86_64 socket 0 1 2 N N N ALLOW +30-sim-socket_syscalls +x86_64 connect 0 1 2 N N N ALLOW +30-sim-socket_syscalls +x86_64 accept4 0 1 2 N N N ALLOW +30-sim-socket_syscalls +x86_64 shutdown 0 1 
2 N N N ALLOW + +test type: bpf-valgrind + +# Testname +30-sim-socket_syscalls diff --git a/tests/31-basic-version_check.c b/tests/31-basic-version_check.c new file mode 100644 index 0000000..112f666 --- /dev/null +++ b/tests/31-basic-version_check.c @@ -0,0 +1,41 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2016 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +int main(int argc, char *argv[]) +{ + const struct scmp_version *ver; + + ver = seccomp_version(); + if (ver == NULL) + return -1; + + if (ver->major != SCMP_VER_MAJOR || + ver->minor != SCMP_VER_MINOR || + ver->micro != SCMP_VER_MICRO) + return -2; + + return 0; +} diff --git a/tests/31-basic-version_check.py b/tests/31-basic-version_check.py new file mode 100755 index 0000000..e958bf1 --- /dev/null +++ b/tests/31-basic-version_check.py 
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+# NOTE: this is a NULL test since we don't support the seccomp_version() API
+# via the libseccomp python bindings
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/31-basic-version_check.tests b/tests/31-basic-version_check.tests
new file mode 100644
index 0000000..feeda66
--- /dev/null
+++ b/tests/31-basic-version_check.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+31-basic-version_check
diff --git a/tests/32-live-tsync_allow.c b/tests/32-live-tsync_allow.c
new file mode 100644
index 0000000..26f7af2
--- /dev/null
+++ b/tests/32-live-tsync_allow.c
@@ -0,0 +1,84 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_action_parse(argv[1]);
+ if (rc != SCMP_ACT_ALLOW) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = util_trap_install();
+ if (rc != 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_TRAP);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_load(ctx);
+ if (rc != 0)
+ goto out;
+
+ rc = util_file_write("/dev/null");
+ if (rc != 0)
+ goto out;
+
+ rc = 160;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/32-live-tsync_allow.py b/tests/32-live-tsync_allow.py
new file mode 100755
index 0000000..da8d4cb
--- /dev/null
+++ b/tests/32-live-tsync_allow.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ action = util.parse_action(sys.argv[1])
+ if not action == ALLOW:
+ quit(1)
+ util.install_trap()
+ f = SyscallFilter(TRAP)
+ f.set_attr(Attr.CTL_TSYNC, 1)
+ # NOTE: additional syscalls required for python
+ f.add_rule(ALLOW, "stat")
+ f.add_rule(ALLOW, "fstat")
+ f.add_rule(ALLOW, "open")
+ f.add_rule(ALLOW, "openat")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "read")
+ f.add_rule(ALLOW, "write")
+ f.add_rule(ALLOW, "close")
+ f.add_rule(ALLOW, "rt_sigaction")
+ f.add_rule(ALLOW, "rt_sigreturn")
+ f.add_rule(ALLOW, "sigreturn")
+ f.add_rule(ALLOW, "sigaltstack")
+ f.add_rule(ALLOW, "brk")
+ f.add_rule(ALLOW, "exit_group")
+ f.load()
+ try:
+ util.write_file("/dev/null")
+ except OSError as ex:
+ quit(ex.errno)
+ quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
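Review bot: `util_action_parse(argv[1])` at the top of `main()` in tests/32-live-tsync_allow.c is called without looking at `argc`, so starting the test with no action argument hands a NULL pointer to the helper; whether `util_action_parse` tolerates NULL is not visible in this hunk. A guard such as `if (argc < 2) return 1;` before the call makes that failure explicit and keeps it on the same exit code as a wrong action. The literal in `rc = 160;` would also benefit from a comment, for example `/* presumably the value the live-test harness maps to ALLOW */`, since nothing in this file says why 160 means success.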
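Review bot: `test()` in tests/32-live-tsync_allow.py ends the process with `quit(...)`, which is the helper the `site` module installs for interactive sessions and is not defined when the interpreter is started with `-S`; `sys` is already imported, so `sys.exit(1)`, `sys.exit(ex.errno)` and `sys.exit(160)` are the dependable spelling. The condition `if not action == ALLOW:` reads more directly as `if action != ALLOW:`. `sys.argv[1]` is also read without checking that an argument was supplied, so a bare invocation ends in an IndexError traceback rather than the exit code 1 used for a wrong action.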
diff --git a/tests/32-live-tsync_allow.tests b/tests/32-live-tsync_allow.tests
new file mode 100644
index 0000000..2e8a3bd
--- /dev/null
+++ b/tests/32-live-tsync_allow.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+32-live-tsync_allow 2 ALLOW
diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c
new file mode 100644
index 0000000..e770771
--- /dev/null
+++ b/tests/33-sim-socket_syscalls_be.c
@@ -0,0 +1,84 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py
new file mode 100755
index 0000000..c3cd628
--- /dev/null
+++ b/tests/33-sim-socket_syscalls_be.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_arch(Arch("ppc"))
+ f.add_rule(ALLOW, "socket")
+ f.add_rule(ALLOW, "connect")
+ f.add_rule(ALLOW, "accept")
+ f.add_rule(ALLOW, "accept4")
+ f.add_rule(ALLOW, "shutdown")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests
new file mode 100644
index 0000000..11e2552
--- /dev/null
+++ b/tests/33-sim-socket_syscalls_be.tests
@@ -0,0 +1,31 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2016 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW +33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL + +test type: bpf-valgrind + +# Testname +33-sim-socket_syscalls_be diff --git a/tests/34-sim-basic_denylist.c b/tests/34-sim-basic_denylist.c new file mode 100644 index 0000000..e17406f --- /dev/null +++ b/tests/34-sim-basic_denylist.c 
@@ -0,0 +1,74 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1,
+ SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO));
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(close), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx,
+ SCMP_ACT_KILL, SCMP_SYS(rt_sigreturn), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/34-sim-basic_denylist.py b/tests/34-sim-basic_denylist.py
new file mode 100755
index 0000000..05a202d
--- /dev/null
+++ b/tests/34-sim-basic_denylist.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(ALLOW)
+ f.add_rule_exactly(KILL, "read", Arg(0, EQ, sys.stdin.fileno()))
+ f.add_rule_exactly(KILL, "write", Arg(0, EQ, sys.stdout.fileno()))
+ f.add_rule_exactly(KILL, "write", Arg(0, EQ, sys.stderr.fileno()))
+ f.add_rule_exactly(KILL, "close")
+ f.add_rule_exactly(KILL, "rt_sigreturn")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/34-sim-basic_denylist.tests b/tests/34-sim-basic_denylist.tests
new file mode 100644
index 0000000..ed2491a
--- /dev/null
+++ b/tests/34-sim-basic_denylist.tests
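Review bot: The three argument rules in `test()` of tests/34-sim-basic_denylist.py take their descriptor numbers from `sys.stdin.fileno()`, `sys.stdout.fileno()` and `sys.stderr.fileno()`, so the generated filter depends on how the interpreter's standard streams are set up at run time. The C version of this test uses the `STDIN_FILENO`, `STDOUT_FILENO` and `STDERR_FILENO` constants, and the `.tests` data for it expects KILL on descriptors 0, 1 and 2. If a stream has been replaced by an object without a real descriptor, `fileno()` raises before the filter is built. Writing the literals, e.g. `Arg(0, EQ, 0)` with a trailing `# stdin` comment, keeps the Python filter identical to the C one however the script is launched.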
@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+34-sim-basic_denylist all read 0 0x856B008 10 N N N KILL
+34-sim-basic_denylist all read 1-10 0x856B008 10 N N N ALLOW
+34-sim-basic_denylist all write 1-2 0x856B008 10 N N N KILL
+34-sim-basic_denylist all write 3-10 0x856B008 10 N N N ALLOW
+34-sim-basic_denylist all close N N N N N N KILL
+34-sim-basic_denylist all rt_sigreturn N N N N N N KILL
+34-sim-basic_denylist all open 0x856B008 4 N N N N ALLOW
+34-sim-basic_denylist x86 0-2 N N N N N N ALLOW
+34-sim-basic_denylist x86 7-172 N N N N N N ALLOW
+34-sim-basic_denylist x86 174-350 N N N N N N ALLOW
+34-sim-basic_denylist x86_64 4-14 N N N N N N ALLOW
+34-sim-basic_denylist x86_64 16-350 N N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+34-sim-basic_denylist 50
+
+test type: bpf-valgrind
+
+# Testname
+34-sim-basic_denylist
diff --git a/tests/35-sim-negative_one.c b/tests/35-sim-negative_one.c
new file mode 100644
index 0000000..0452d9b
--- /dev/null
+++ b/tests/35-sim-negative_one.c
@@ -0,0 +1,73 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_TSKIP, 1);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_syscall_priority(ctx, -1, 100);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, -1, 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/35-sim-negative_one.py b/tests/35-sim-negative_one.py
new file mode 100755
index 0000000..d94fda5
--- /dev/null
+++ b/tests/35-sim-negative_one.py
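Review bot: The bare `-1` passed to `seccomp_syscall_priority()` and `seccomp_rule_add()` in `main()` carries no comment saying what it stands for, and the reason `SCMP_FLTATR_API_TSKIP` is set just before is left for the reader to reconstruct. I would add `/* -1 is the syscall number a tracer writes to skip a call; rules on it are only accepted with API_TSKIP set */` above the `seccomp_attr_set()` call. An ALLOW rule on -1 under a KILL default is exactly the kind of line that gets copied into a production filter, so the comment should also say it exists here only to exercise that path. The same applies to `f.add_rule(ALLOW, -1)` in tests/35-sim-negative_one.py.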
@@ -0,0 +1,46 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + f.remove_arch(Arch()) + f.add_arch(Arch("x86")) + f.add_arch(Arch("x86_64")) + f.set_attr(Attr.API_TSKIP, 1) + f.syscall_priority(-1, 100) + f.add_rule(ALLOW, -1) + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/35-sim-negative_one.tests b/tests/35-sim-negative_one.tests new file mode 100644 index 0000000..7d929de --- /dev/null +++ b/tests/35-sim-negative_one.tests @@ -0,0 +1,18 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +35-sim-negative_one +x86 -1 N N N N N N ALLOW +35-sim-negative_one +x86_64 -1 N N N N N N ALLOW +35-sim-negative_one +x32 -1 N N N N N N ALLOW + +test type: bpf-valgrind + +# Testname +35-sim-negative_one 
diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c
new file mode 100644
index 0000000..c9b575e
--- /dev/null
+++ b/tests/36-sim-ipc_syscalls.c
@@ -0,0 +1,118 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semop), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semtimedop), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgsnd), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgrcv), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmat), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmdt), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py
new file mode 100755
index 0000000..90a8e9f
--- /dev/null
+++ b/tests/36-sim-ipc_syscalls.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.add_arch(Arch("x86_64"))
+ f.add_arch(Arch("x32"))
+ f.add_arch(Arch("ppc64le"))
+ f.add_arch(Arch("mipsel"))
+ f.add_rule(ALLOW, "semop")
+ f.add_rule(ALLOW, "semtimedop")
+ f.add_rule(ALLOW, "semget")
+ f.add_rule(ALLOW, "semctl")
+ f.add_rule(ALLOW, "msgsnd")
+ f.add_rule(ALLOW, "msgrcv")
+ f.add_rule(ALLOW, "msgget")
+ f.add_rule(ALLOW, "msgctl")
+ f.add_rule(ALLOW, "shmat")
+ f.add_rule(ALLOW, "shmdt")
+ f.add_rule(ALLOW, "shmget")
+ f.add_rule(ALLOW, "shmctl")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests
new file mode 100644
index 0000000..90e5445
--- /dev/null
+++ b/tests/36-sim-ipc_syscalls.tests
@@ -0,0 +1,39 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW +36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW +36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW + +test type: bpf-valgrind + +# Testname +36-sim-ipc_syscalls diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c new file mode 100644 index 0000000..d1bd57e --- /dev/null +++ b/tests/37-sim-ipc_syscalls_be.c 
@@ -0,0 +1,112 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2017 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + rc = seccomp_arch_add(ctx, SCMP_ARCH_S390); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semop), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semtimedop), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semget), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(semctl), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgsnd), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgrcv), 0); + if (rc != 0) + goto 
out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgget), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(msgctl), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmat), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmdt), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmget), 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shmctl), 0); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py new file mode 100755 index 0000000..18a09d0 --- /dev/null +++ b/tests/37-sim-ipc_syscalls_be.py 
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("s390"))
+ f.add_arch(Arch("s390x"))
+ f.add_arch(Arch("ppc"))
+ f.add_rule(ALLOW, "semop")
+ f.add_rule(ALLOW, "semtimedop")
+ f.add_rule(ALLOW, "semget")
+ f.add_rule(ALLOW, "semctl")
+ f.add_rule(ALLOW, "msgsnd")
+ f.add_rule(ALLOW, "msgrcv")
+ f.add_rule(ALLOW, "msgget")
+ f.add_rule(ALLOW, "msgctl")
+ f.add_rule(ALLOW, "shmat")
+ f.add_rule(ALLOW, "shmdt")
+ f.add_rule(ALLOW, "shmget")
+ f.add_rule(ALLOW, "shmctl")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests
new file mode 100644
index 0000000..96a5c81
--- /dev/null
+++ b/tests/37-sim-ipc_syscalls_be.tests
@@ -0,0 +1,27 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW +37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 24 N N N N N ALLOW + +test type: bpf-valgrind + +# Testname +37-sim-ipc_syscalls_be diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c new file mode 100644 index 0000000..c6829ac --- /dev/null +++ b/tests/38-basic-pfc_coverage.c 
@@ -0,0 +1,131 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2017 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + int fd; + scmp_filter_ctx ctx = NULL; + + /* stdout */ + fd = 1; + + rc = seccomp_api_set(3); + if (rc != 0) + return EOPNOTSUPP; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) { + rc = ENOMEM; + goto out; + } + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X32); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, 
SCMP_ARCH_RISCV64); + if (rc < 0) + goto out; + + /* NOTE: the syscalls and their arguments have been picked to achieve + * the highest possible code coverage, this is not a useful + * real world filter configuration */ + + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 0); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(read), 4, + SCMP_A0(SCMP_CMP_EQ, 0), + SCMP_A1(SCMP_CMP_GE, 1), + SCMP_A2(SCMP_CMP_GT, 2), + SCMP_A3(SCMP_CMP_MASKED_EQ, 0x0f, 3)); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_TRAP, SCMP_SYS(write), 3, + SCMP_A0(SCMP_CMP_NE, 0), + SCMP_A1(SCMP_CMP_LE, 1), + SCMP_A2(SCMP_CMP_LT, 2)); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(1), SCMP_SYS(close), 0); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_TRACE(1), SCMP_SYS(exit), 0); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0); + if (rc < 0) + goto out; + + /* verify the prioritized, but no-rule, syscall */ + rc = seccomp_syscall_priority(ctx, SCMP_SYS(poll), 255); + if (rc < 0) + goto out; + + rc = seccomp_export_pfc(ctx, fd); + if (rc < 0) + goto out; + +out: + seccomp_release(ctx); + close(fd); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc new file mode 100644 index 0000000..3109280 --- /dev/null +++ b/tests/38-basic-pfc_coverage.pfc 
@@ -0,0 +1,668 @@ +# +# pseudo filter code start +# +# filter for arch x86_64 (3221225534) +if ($arch == 3221225534) + # filter for syscall "exit_group" (231) [priority: 65535] + if ($syscall == 231) + action LOG; + # filter for syscall "exit" (60) [priority: 65535] + if ($syscall == 60) + action TRACE(1); + # filter for syscall "fstat" (5) [priority: 65535] + if ($syscall == 5) + action KILL_PROCESS; + # filter for syscall "close" (3) [priority: 65535] + if ($syscall == 3) + action ERRNO(1); + # filter for syscall "open" (2) [priority: 65535] + if ($syscall == 2) + action KILL; + # filter for syscall "write" (1) [priority: 65527] + if ($syscall == 1) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (0) [priority: 65525] + if ($syscall == 0) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default 
action + action ALLOW; +# filter for arch x86 (1073741827) +if ($arch == 1073741827) + # filter for syscall "exit_group" (252) [priority: 65535] + if ($syscall == 252) + action LOG; + # filter for syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); + # filter for syscall "open" (5) [priority: 65535] + if ($syscall == 5) + action KILL; + # filter for syscall "exit" (1) [priority: 65535] + if ($syscall == 1) + action TRACE(1); + # filter for syscall "write" (4) [priority: 65532] + if ($syscall == 4) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (3) [priority: 65531] + if ($syscall == 3) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch x32 (3221225534) +if ($arch == 3221225534) + # filter for syscall "exit_group" (1073742055) [priority: 65535] + if ($syscall == 1073742055) + action LOG; + # filter for syscall "exit" (1073741884) [priority: 65535] + if ($syscall == 1073741884) + action TRACE(1); + # filter for syscall "fstat" (1073741829) [priority: 65535] + if ($syscall == 1073741829) + action KILL_PROCESS; + # filter for syscall "close" (1073741827) [priority: 65535] + if ($syscall == 1073741827) + action ERRNO(1); + # filter for syscall "open" (1073741826) [priority: 65535] + if ($syscall == 1073741826) + action KILL; + # filter for syscall "write" (1073741825) [priority: 65532] + if ($syscall == 1073741825) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (1073741824) [priority: 65531] + if ($syscall == 1073741824) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch arm (1073741864) +if ($arch == 1073741864) + # filter for 
syscall "exit_group" (248) [priority: 65535] + if ($syscall == 248) + action LOG; + # filter for syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); + # filter for syscall "open" (5) [priority: 65535] + if ($syscall == 5) + action KILL; + # filter for syscall "exit" (1) [priority: 65535] + if ($syscall == 1) + action TRACE(1); + # filter for syscall "write" (4) [priority: 65532] + if ($syscall == 4) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (3) [priority: 65531] + if ($syscall == 3) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch aarch64 (3221225655) +if ($arch == 3221225655) + # filter for syscall "open" (4294957130) [priority: 65535] + if ($syscall == 4294957130) + action KILL; + # filter for syscall "exit_group" (94) [priority: 65535] + if ($syscall == 94) + action LOG; + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); + # filter for syscall "fstat" (80) [priority: 65535] + if ($syscall == 80) + action KILL_PROCESS; + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(1); + # filter for syscall "write" (64) [priority: 65527] + if ($syscall == 64) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + 
else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (63) [priority: 65525] + if ($syscall == 63) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch mipsel (1073741832) +if ($arch == 1073741832) + # filter for syscall "exit_group" (4246) [priority: 65535] + if ($syscall == 4246) + action LOG; + # filter for syscall "fstat" (4108) [priority: 65535] + if ($syscall == 4108) + action KILL_PROCESS; + # filter for syscall "close" (4006) [priority: 65535] + if ($syscall == 4006) + action ERRNO(1); + # filter for syscall "open" (4005) [priority: 65535] + if ($syscall == 4005) + action KILL; + # filter for syscall "exit" (4001) [priority: 65535] + if ($syscall == 4001) + action TRACE(1); + # filter for syscall "write" (4004) [priority: 65532] + if ($syscall == 4004) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (4003) [priority: 65531] + if ($syscall == 4003) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch mipsel64 (3221225480) +if ($arch == 3221225480) + # filter for syscall "exit_group" (5205) [priority: 65535] + if ($syscall == 5205) + action LOG; + # filter for syscall "exit" (5058) [priority: 65535] + if ($syscall == 5058) + action TRACE(1); + 
# filter for syscall "fstat" (5005) [priority: 65535] + if ($syscall == 5005) + action KILL_PROCESS; + # filter for syscall "close" (5003) [priority: 65535] + if ($syscall == 5003) + action ERRNO(1); + # filter for syscall "open" (5002) [priority: 65535] + if ($syscall == 5002) + action KILL; + # filter for syscall "write" (5001) [priority: 65527] + if ($syscall == 5001) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (5000) [priority: 65525] + if ($syscall == 5000) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch mipsel64n32 (3758096392) +if ($arch == 3758096392) + # filter for syscall "exit_group" (6205) [priority: 65535] + if ($syscall == 6205) + action LOG; + # filter for syscall "exit" (6058) [priority: 65535] + if ($syscall == 6058) + action 
TRACE(1); + # filter for syscall "fstat" (6005) [priority: 65535] + if ($syscall == 6005) + action KILL_PROCESS; + # filter for syscall "close" (6003) [priority: 65535] + if ($syscall == 6003) + action ERRNO(1); + # filter for syscall "open" (6002) [priority: 65535] + if ($syscall == 6002) + action KILL; + # filter for syscall "write" (6001) [priority: 65532] + if ($syscall == 6001) + if ($a0 == 0) + else + if ($a1 > 1) + else + if ($a2 >= 2) + else + action TRAP; + # filter for syscall "read" (6000) [priority: 65531] + if ($syscall == 6000) + if ($a0 == 0) + if ($a1 >= 1) + if ($a2 > 2) + if ($a3 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch ppc64le (3221225493) +if ($arch == 3221225493) + # filter for syscall "exit_group" (234) [priority: 65535] + if ($syscall == 234) + action LOG; + # filter for syscall "fstat" (108) [priority: 65535] + if ($syscall == 108) + action KILL_PROCESS; + # filter for syscall "close" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(1); + # filter for syscall "open" (5) [priority: 65535] + if ($syscall == 5) + action KILL; + # filter for syscall "exit" (1) [priority: 65535] + if ($syscall == 1) + action TRACE(1); + # filter for syscall "write" (4) [priority: 65527] + if ($syscall == 4) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (3) 
[priority: 65525] + if ($syscall == 3) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# filter for arch riscv64 (3221225715) +if ($arch == 3221225715) + # filter for syscall "open" (4294957130) [priority: 65535] + if ($syscall == 4294957130) + action KILL; + # filter for syscall "exit_group" (94) [priority: 65535] + if ($syscall == 94) + action LOG; + # filter for syscall "exit" (93) [priority: 65535] + if ($syscall == 93) + action TRACE(1); + # filter for syscall "fstat" (80) [priority: 65535] + if ($syscall == 80) + action KILL_PROCESS; + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(1); + # filter for syscall "write" (64) [priority: 65527] + if ($syscall == 64) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a1.hi32 > 0) + else + if ($a1.hi32 == 0) + if ($a1.lo32 > 1) + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + else + if ($a2.hi32 > 0) + else + if ($a2.hi32 == 0) + if ($a2.lo32 >= 2) + else + action TRAP; + else + action TRAP; + # filter for syscall "read" (63) 
[priority: 65525] + if ($syscall == 63) + if ($a0.hi32 == 0) + if ($a0.lo32 == 0) + if ($a1.hi32 > 0) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a1.hi32 == 0) + if ($a1.lo32 >= 1) + if ($a2.hi32 > 0) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + else + if ($a2.hi32 == 0) + if ($a2.lo32 > 2) + if ($a3.hi32 & 0x00000000 == 0) + if ($a3.lo32 & 0x0000000f == 3) + action KILL; + # default action + action ALLOW; +# invalid architecture action +action KILL; +# +# pseudo filter code end +# diff --git a/tests/38-basic-pfc_coverage.sh b/tests/38-basic-pfc_coverage.sh new file mode 100755 index 0000000..d22947a --- /dev/null +++ b/tests/38-basic-pfc_coverage.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +# +# libseccomp regression test automation data +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +#### +# functions + +# +# Dependency check +# +# Arguments: +# 1 Dependency to check for +# +function check_deps() { + [[ -z "$1" ]] && return + which "$1" >& /dev/null + return $? +} + +# +# Dependency verification +# +# Arguments: +# 1 Dependency to check for +# +function verify_deps() { + [[ -z "$1" ]] && return + if ! check_deps "$1"; then + echo "error: install \"$1\" and include it in your \$PATH" + exit 1 + fi +} + +#### +# functions + +verify_deps diff + +# compare output to the known good output, fail if different +./38-basic-pfc_coverage | \ + diff -q ${srcdir:=.}/38-basic-pfc_coverage.pfc - > /dev/null diff --git a/tests/38-basic-pfc_coverage.tests b/tests/38-basic-pfc_coverage.tests new file mode 100644 index 0000000..7514903 --- /dev/null +++ b/tests/38-basic-pfc_coverage.tests 
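Review bot: The final pipeline in `38-basic-pfc_coverage.sh` expands `${srcdir:=.}` unquoted, so a source directory containing whitespace is split into several arguments and `diff` fails for a reason unrelated to the filter output; quote it as `diff -q "${srcdir:=.}/38-basic-pfc_coverage.pfc" - > /dev/null`. The pipeline's status is `diff`'s alone, so a non-zero exit of `./38-basic-pfc_coverage` after it has written matching output is ignored; adding `set -o pipefail` before the pipeline would make that case fail the test. The second `# functions` banner above `verify_deps diff` looks like a copy of the first and probably should read `# main`.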
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+38-basic-pfc_coverage.sh
diff --git a/tests/39-basic-api_level.c b/tests/39-basic-api_level.c
new file mode 100644
index 0000000..6c31be1
--- /dev/null
+++ b/tests/39-basic-api_level.c
@@ -0,0 +1,88 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ unsigned int api;
+
+ api = seccomp_api_get();
+ if (api < 1)
+ return -1;
+
+ rc = seccomp_api_set(1);
+ if (rc != 0)
+ return -2;
+ api = seccomp_api_get();
+ if (api != 1)
+ return -3;
+
+ rc = seccomp_api_set(2);
+ if (rc != 0)
+ return -4;
+ api = seccomp_api_get();
+ if (api != 2)
+ return -5;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return -6;
+ api = seccomp_api_get();
+ if (api != 3)
+ return -7;
+
+ rc = seccomp_api_set(4);
+ if (rc != 0)
+ return -8;
+ api = seccomp_api_get();
+ if (api != 4)
+ return -9;
+
+ rc = seccomp_api_set(5);
+ if (rc != 0)
+ return -10;
+ api = seccomp_api_get();
+ if (api != 5)
+ return -11;
+
+ rc = seccomp_api_set(6);
+ if (rc != 0)
+ return -12;
+ api = seccomp_api_get();
+ if (api != 6)
+ return -13;
+
+ /* Attempt to set a high, invalid API level */
+ rc = seccomp_api_set(1024);
+ if (rc != -EINVAL)
+ return -1001;
+ /* Ensure that the previously set API level didn't change */
+ api = seccomp_api_get();
+ if (api != 6)
+ return -1002;
+
+ return 0;
+}
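Review bot: The failure paths in `main` return negative values (`return -1;` through `return -1002;`), but on POSIX systems only the low 8 bits of the exit status reach the parent. The harness therefore sees 255, 254 and so on, and `-1001` and `-1002` arrive as 23 and 22, which no longer identify the failing step. Small positive codes (`return 1;`, `return 2;`, ...) would survive intact, or the test could print the failing level to stderr and return a single non-zero value. The six near-identical set/get blocks could also be one loop, `for (level = 1; level <= 6; level++)`, which keeps the highest level in one place for the final `api != 6` check.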
diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
new file mode 100755
index 0000000..352568e
--- /dev/null
+++ b/tests/39-basic-api_level.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2016 Red Hat <pmoore@redhat.com>
+# Copyright (c) 2017 Canonical Ltd.
+# Authors: Paul Moore <paul@paul-moore.com>
+# Tyler Hicks <tyhicks@canonical.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ api = get_api()
+ if (api < 1):
+ raise RuntimeError("Failed getting initial API level")
+
+ set_api(1)
+ api = get_api()
+ if api != 1:
+ raise RuntimeError("Failed getting API level 1")
+
+ set_api(2)
+ api = get_api()
+ if api != 2:
+ raise RuntimeError("Failed getting API level 2")
+
+ set_api(3)
+ api = get_api()
+ if api != 3:
+ raise RuntimeError("Failed getting API level 3")
+
+ set_api(4)
+ api = get_api()
+ if api != 4:
+ raise RuntimeError("Failed getting API level 4")
+
+ set_api(5)
+ api = get_api()
+ if api != 5:
+ raise RuntimeError("Failed getting API level 5")
+
+ set_api(6)
+ api = get_api()
+ if api != 6:
+ raise RuntimeError("Failed getting API level 6")
+
+ # Attempt to set a high, invalid API level
+ try:
+ set_api(1024)
+ except ValueError:
+ pass
+ else:
+ raise RuntimeError("Missing failure when setting invalid API level")
+ # Ensure that the previously set API level didn't change
+ api = get_api()
+ if api != 6:
+ raise RuntimeError("Failed getting old API level after setting an invalid API level")
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/39-basic-api_level.tests b/tests/39-basic-api_level.tests
new file mode 100644
index 0000000..4093f98
--- /dev/null
+++ b/tests/39-basic-api_level.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+39-basic-api_level
diff --git a/tests/40-sim-log.c b/tests/40-sim-log.c
new file mode 100644
index 0000000..cdd2a5e
--- /dev/null
+++ b/tests/40-sim-log.c
@@ -0,0 +1,59 @@
+/**
+ * Seccomp Library test program
+ *
+ * Originally 01-sim-allow.c but updated to use SCMP_ACT_LOG.
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ *
+ * Copyright (c) 2017 Canonical Ltd.
+ * Author: Tyler Hicks <tyhicks@canonical.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_LOG);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/40-sim-log.py b/tests/40-sim-log.py
new file mode 100755
index 0000000..63b217e
--- /dev/null
+++ b/tests/40-sim-log.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Originally 01-sim-allow.py but updated to use LOG.
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+# Copyright (c) 2017 Canonical Ltd.
+# Author: Tyler Hicks <tyhicks@canonical.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(LOG)
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/40-sim-log.tests b/tests/40-sim-log.tests
new file mode 100644
index 0000000..5a036e8
--- /dev/null
+++ b/tests/40-sim-log.tests
@@ -0,0 +1,21 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Canonical Ltd. 2017
+# Author: Tyler Hicks <tyhicks@canonical.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+40-sim-log all,-x32 0-350 N N N N N N LOG
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+40-sim-log 50
+
+test type: bpf-valgrind
+
+# Testname
+40-sim-log
diff --git a/tests/41-sim-syscall_priority_arch.c b/tests/41-sim-syscall_priority_arch.c
new file mode 100644
index 0000000..2f3c88b
--- /dev/null
+++ b/tests/41-sim-syscall_priority_arch.c
@@ -0,0 +1,63 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+
+ rc = seccomp_syscall_priority(ctx, SCMP_SYS(socket), 128);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/41-sim-syscall_priority_arch.py b/tests/41-sim-syscall_priority_arch.py
new file mode 100755
index 0000000..a865a5e
--- /dev/null
+++ b/tests/41-sim-syscall_priority_arch.py
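Review bot: The return value of `seccomp_arch_add(ctx, SCMP_ARCH_X86)` is never checked: the next statement assigns `rc` again from `seccomp_syscall_priority()`, so a failure to add the x86 architecture is silently discarded. Every other call in main() is followed by `if (rc != 0) goto out;`, and the same two lines belong directly after the arch_add call. Without them a failed add leaves the filter without the architecture this test is about (the native one was removed just above), and any later error would point at the wrong call.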
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86"))
+ f.syscall_priority("socket", 128)
+ f.add_rule_exactly(ALLOW, "socket")
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/41-sim-syscall_priority_arch.tests b/tests/41-sim-syscall_priority_arch.tests
new file mode 100644
index 0000000..ad60682
--- /dev/null
+++ b/tests/41-sim-syscall_priority_arch.tests
@@ -0,0 +1,19 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2017 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+41-sim-syscall_priority_arch +x86 102 1 N N N N N ALLOW
+41-sim-syscall_priority_arch +x86 102 18 N N N N N KILL
+41-sim-syscall_priority_arch +x86 359 N N N N N N ALLOW
+41-sim-syscall_priority_arch +x86 364 N N N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+41-sim-syscall_priority_arch
diff --git a/tests/42-sim-adv_chains.c b/tests/42-sim-adv_chains.c
new file mode 100644
index 0000000..67d0f36
--- /dev/null
+++ b/tests/42-sim-adv_chains.c
@@ -0,0 +1,198 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2017 Red Hat <pmoore@redhat.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <limits.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 2, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A1(SCMP_CMP_EQ, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1001, 0); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1002, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1002, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != -EEXIST) { + rc = EEXIST; + goto out; + } + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1003, 1, + SCMP_A0(SCMP_CMP_NE, 1)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1003, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1004, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + rc = 
seccomp_rule_add_exact(ctx, SCMP_ACT_TRAP, 1004, 1, + SCMP_A0(SCMP_CMP_NE, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1005, 1, + SCMP_A0(SCMP_CMP_NE, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 2, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A1(SCMP_CMP_EQ, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1006, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1007, 2, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A1(SCMP_CMP_EQ, 2)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 2, + SCMP_A0(SCMP_CMP_NE, 1), + SCMP_A1(SCMP_CMP_NE, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 3, + SCMP_A0(SCMP_CMP_NE, 1), + SCMP_A1(SCMP_CMP_NE, 2), + SCMP_A2(SCMP_CMP_NE, 3)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1009, 2, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A1(SCMP_CMP_NE, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1009, 1, + SCMP_A0(SCMP_CMP_NE, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1010, 2, + SCMP_A0(SCMP_CMP_NE, 1), + SCMP_A1(SCMP_CMP_EQ, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1010, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1011, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1011, 2, + SCMP_A0(SCMP_CMP_NE, 1), + SCMP_A2(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 
1012, 1, + SCMP_A0(SCMP_CMP_MASKED_EQ, 0x0000, 1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1013, 2, + SCMP_A0(SCMP_CMP_NE, 1), + SCMP_A1(SCMP_CMP_NE, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1013, 2, + SCMP_A0(SCMP_CMP_LT, 1), + SCMP_A1(SCMP_CMP_NE, 2)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1014, 2, + SCMP_A3(SCMP_CMP_GE, 1), + SCMP_A4(SCMP_CMP_GE, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1014, 2, + SCMP_A0(SCMP_CMP_NE, 1), + SCMP_A1(SCMP_CMP_NE, 2)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1015, 2, + SCMP_A0(SCMP_CMP_EQ, 4), + SCMP_A1(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1015, 2, + SCMP_A0(SCMP_CMP_EQ, 4), + SCMP_A1(SCMP_CMP_NE, 1)); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/42-sim-adv_chains.py b/tests/42-sim-adv_chains.py new file mode 100755 index 0000000..83e5a18 --- /dev/null +++ b/tests/42-sim-adv_chains.py 
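Review bot: Nothing in this file says what each pair of rules for syscalls 1001–1015 is meant to provoke in the chain-building code, so a failing row in 42-sim-adv_chains.tests cannot be traced back to an intent. The numbers appear to be placeholders rather than real syscalls; a header comment such as `/* syscall numbers are fake; only the argument chains matter */` would say so. A one-line comment above each pair would cover the rest, for example `/* same syscall and argument, different action: the second add must fail with -EEXIST */` above the 1002 pair, which is the only block whose expected return is not zero.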
@@ -0,0 +1,128 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(KILL) + + f.add_rule_exactly(ALLOW, 1001, + Arg(0, EQ, 1), + Arg(1, EQ, 2)) + f.add_rule_exactly(ALLOW, 1001) + + f.add_rule_exactly(ALLOW, 1002, + Arg(0, EQ, 1)) + f.add_rule_exactly(ALLOW, 1002, + Arg(0, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1003, + Arg(0, NE, 1)) + f.add_rule_exactly(TRAP, 1003, + Arg(0, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1004, + Arg(0, EQ, 1)) + f.add_rule_exactly(TRAP, 1004, + Arg(0, NE, 1)) + + f.add_rule_exactly(ALLOW, 1005, + Arg(0, EQ, 1)) + f.add_rule_exactly(ALLOW, 1005, + Arg(0, NE, 1)) + + f.add_rule_exactly(ALLOW, 1006, + Arg(0, EQ, 1), + Arg(1, EQ, 2)) + f.add_rule_exactly(ALLOW, 1006, + Arg(0, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1007, + Arg(0, EQ, 1)) + f.add_rule_exactly(ALLOW, 1007, + Arg(0, EQ, 1), + Arg(1, EQ, 2)) + + f.add_rule_exactly(ALLOW, 1008, + Arg(0, NE, 1), + Arg(1, NE, 2)) + f.add_rule_exactly(ALLOW, 1008, + Arg(0, NE, 1), + Arg(1, NE, 2), + Arg(2, NE, 3)) + + f.add_rule_exactly(ALLOW, 1009, + Arg(0, EQ, 1), + Arg(1, NE, 2)) + f.add_rule_exactly(ALLOW, 1009, + Arg(0, NE, 1)) + + f.add_rule_exactly(ALLOW, 1010, + Arg(0, NE, 1), + 
Arg(1, EQ, 2)) + f.add_rule_exactly(ALLOW, 1010, + Arg(0, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1011, + Arg(0, EQ, 1)) + f.add_rule_exactly(ALLOW, 1011, + Arg(0, NE, 1), + Arg(2, EQ, 1)) + + f.add_rule_exactly(ALLOW, 1012, + Arg(0, MASKED_EQ, 0x0000, 1)) + + f.add_rule_exactly(ALLOW, 1013, + Arg(0, NE, 1), + Arg(2, NE, 2)) + f.add_rule_exactly(ALLOW, 1013, + Arg(0, LT, 1), + Arg(2, NE, 2)) + + f.add_rule_exactly(ALLOW, 1014, + Arg(3, GE, 1), + Arg(4, GE, 2)) + f.add_rule_exactly(ALLOW, 1014, + Arg(0, NE, 1), + Arg(1, NE, 2)) + + f.add_rule_exactly(ALLOW, 1015, + Arg(0, EQ, 4), + Arg(1, EQ, 1)) + f.add_rule_exactly(ALLOW, 1015, + Arg(0, EQ, 4), + Arg(1, NE, 1)) + + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/42-sim-adv_chains.tests b/tests/42-sim-adv_chains.tests new file mode 100644 index 0000000..600ad09 --- /dev/null +++ b/tests/42-sim-adv_chains.tests 
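Review bot: The Python port builds a different filter from 42-sim-adv_chains.c in two places, so the two bindings are not exercising the same chains. For syscall 1002 the C test adds `SCMP_ACT_TRAP` as the second rule and requires `-EEXIST`, while this file adds `ALLOW` twice and never checks for a rejection; for syscall 1013 the C test compares `SCMP_A1(SCMP_CMP_NE, 2)` but both rules here use `Arg(2, NE, 2)`. If the C file is the reference, the 1013 rules should read `Arg(1, NE, 2)`, and the 1002 pair should add `TRAP` and treat the error the binding reports as the expected outcome. The rows in 42-sim-adv_chains.tests appear to pass either way, which is why the mismatch would go unnoticed.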
@@ -0,0 +1,54 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2017 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +42-sim-adv_chains all,-x32 1000 N N N N N N KILL +42-sim-adv_chains all,-x32 1001 N N N N N N ALLOW +42-sim-adv_chains all,-x32 1002 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1003 N N N N N N ALLOW +42-sim-adv_chains all,-x32 1003 1 N N N N N TRAP +42-sim-adv_chains all,-x32 1003 2 N N N N N ALLOW +42-sim-adv_chains all,-x32 1004 N N N N N N TRAP +42-sim-adv_chains all,-x32 1004 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1004 2 N N N N N TRAP +42-sim-adv_chains all,-x32 1005 N N N N N N ALLOW +42-sim-adv_chains all,-x32 1005 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1005 2 N N N N N ALLOW +42-sim-adv_chains all,-x32 1006 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1007 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1008 2 3 N N N N ALLOW +42-sim-adv_chains all,-x32 1008 2 3 3 N N N ALLOW +42-sim-adv_chains all,-x32 1008 2 3 4 N N N ALLOW +42-sim-adv_chains all,-x32 1009 N N N N N N ALLOW +42-sim-adv_chains all,-x32 1009 2 N N N N N ALLOW +42-sim-adv_chains all,-x32 1009 1 3 N N N N ALLOW +42-sim-adv_chains all,-x32 1010 N N N N N N KILL +42-sim-adv_chains all,-x32 1010 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1010 2 2 N N N N ALLOW +42-sim-adv_chains all,-x32 1011 1 N N N N N ALLOW +42-sim-adv_chains all,-x32 1011 2 4 1 N N N ALLOW +42-sim-adv_chains all,-x32 1012 8 N N N N N ALLOW +42-sim-adv_chains all,-x32 1013 2 3 N N N N ALLOW +42-sim-adv_chains all,-x32 1013 0 4 N N N N ALLOW +42-sim-adv_chains all,-x32 1014 0 0 2 3 N N ALLOW +42-sim-adv_chains all,-x32 1014 2 3 1 2 N N ALLOW +42-sim-adv_chains all,-x32 1015 1 N N N N N KILL +42-sim-adv_chains all,-x32 1015 4 N N N N N ALLOW +42-sim-adv_chains all,-x32 1015 4 1 N N N N ALLOW +42-sim-adv_chains all,-x32 1015 4 2 N N N N ALLOW + +test type: 
bpf-sim-fuzz + +# Testname StressCount +42-sim-adv_chains 50 + +test type: bpf-valgrind + +# Testname +42-sim-adv_chains diff --git a/tests/43-sim-a2_order.c b/tests/43-sim-a2_order.c new file mode 100644 index 0000000..89e6d11 --- /dev/null +++ b/tests/43-sim-a2_order.c 
@@ -0,0 +1,132 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + /* note - a "hole" was intentionally left between 64 and 128. + * reads of this size should fall through to the default action - + * SCMP_ACT_KILL in this test's case. 
+ */ + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_LE, 64)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 128)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 256)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(7), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 512)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(8), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 1024)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(9), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 2048)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(10), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 4096)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(11), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 8192)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(12), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 16384)); + if (rc != 0) + goto out; + + /* note - a "hole" was intentionally left between 16384 and 32768. + * writes of this size should fall through to the default action - + * SCMP_ACT_KILL in this test's case. 
+ */ + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_GE, 32768)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 128)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 256)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(7), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 512)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(8), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 1024)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(9), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 2048)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(10), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 4096)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(11), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 8192)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(12), SCMP_SYS(write), 1, + SCMP_A2(SCMP_CMP_LT, 16384)); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/43-sim-a2_order.py b/tests/43-sim-a2_order.py new file mode 100755 index 0000000..7cc5f94 --- /dev/null +++ b/tests/43-sim-a2_order.py 
@@ -0,0 +1,62 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import errno +import sys + +import util + +from seccomp import * + +def test(args): + set_api(3) + + f = SyscallFilter(KILL) + f.add_rule(ALLOW, "read", Arg(2, LE, 64)) + f.add_rule(ERRNO(5), "read", Arg(2, GT, 128)) + f.add_rule(ERRNO(6), "read", Arg(2, GT, 256)) + f.add_rule(ERRNO(7), "read", Arg(2, GT, 512)) + f.add_rule(ERRNO(8), "read", Arg(2, GT, 1024)) + f.add_rule(ERRNO(9), "read", Arg(2, GT, 2048)) + f.add_rule(ERRNO(10), "read", Arg(2, GT, 4096)) + f.add_rule(ERRNO(11), "read", Arg(2, GT, 8192)) + f.add_rule(ERRNO(12), "read", Arg(2, GT, 16384)) + f.add_rule(ALLOW, "write", Arg(2, GE, 32768)) + f.add_rule(ERRNO(5), "write", Arg(2, LT, 128)) + f.add_rule(ERRNO(6), "write", Arg(2, LT, 256)) + f.add_rule(ERRNO(7), "write", Arg(2, LT, 512)) + f.add_rule(ERRNO(8), "write", Arg(2, LT, 1024)) + f.add_rule(ERRNO(9), "write", Arg(2, LT, 2048)) + f.add_rule(ERRNO(10), "write", Arg(2, LT, 4096)) + f.add_rule(ERRNO(11), "write", Arg(2, LT, 8192)) + f.add_rule(ERRNO(12), "write", Arg(2, LT, 16384)) + + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; 
space-indent on; indent-width 4; mixedindent off; diff --git a/tests/43-sim-a2_order.tests b/tests/43-sim-a2_order.tests new file mode 100644 index 0000000..fe4427e --- /dev/null +++ b/tests/43-sim-a2_order.tests 
@@ -0,0 +1,55 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +43-sim-a2_order all read 4 0x856B008 30 N N N ALLOW +43-sim-a2_order all read 4 0x856B008 64 N N N ALLOW +43-sim-a2_order all read 4 0x856B008 65 N N N KILL +43-sim-a2_order all read 4 0x856B008 128 N N N KILL +43-sim-a2_order all read 4 0x856B008 129 N N N ERRNO(5) +43-sim-a2_order all read 4 0x856B008 250 N N N ERRNO(5) +43-sim-a2_order all read 4 0x856B008 256 N N N ERRNO(5) +43-sim-a2_order all read 4 0x856B008 257 N N N ERRNO(6) +43-sim-a2_order all read 4 0x856B008 512 N N N ERRNO(6) +43-sim-a2_order all read 4 0x856B008 513 N N N ERRNO(7) +43-sim-a2_order all read 4 0x856B008 1024 N N N ERRNO(7) +43-sim-a2_order all read 4 0x856B008 1025 N N N ERRNO(8) +43-sim-a2_order all read 4 0x856B008 2048 N N N ERRNO(8) +43-sim-a2_order all read 4 0x856B008 2049 N N N ERRNO(9) +43-sim-a2_order all read 4 0x856B008 4096 N N N ERRNO(9) +43-sim-a2_order all read 4 0x856B008 4097 N N N ERRNO(10) +43-sim-a2_order all read 4 0x856B008 8192 N N N ERRNO(10) +43-sim-a2_order all read 4 0x856B008 8193 N N N ERRNO(11) +43-sim-a2_order all read 4 0x856B008 16384 N N N ERRNO(11) +43-sim-a2_order all read 4 0x856B008 16385 N N N ERRNO(12) +43-sim-a2_order all write 4 0x856B008 65 N N N ERRNO(5) +43-sim-a2_order all write 4 0x856B008 128 N N N ERRNO(6) +43-sim-a2_order all write 4 0x856B008 129 N N N ERRNO(6) +43-sim-a2_order all write 4 0x856B008 250 N N N ERRNO(6) +43-sim-a2_order all write 4 0x856B008 256 N N N ERRNO(7) +43-sim-a2_order all write 4 0x856B008 257 N N N ERRNO(7) +43-sim-a2_order all write 4 0x856B008 512 N N N ERRNO(8) +43-sim-a2_order all write 4 0x856B008 513 N N N ERRNO(8) +43-sim-a2_order all write 4 0x856B008 1024 N N N ERRNO(9) +43-sim-a2_order all write 4 0x856B008 1025 N N N 
ERRNO(9) +43-sim-a2_order all write 4 0x856B008 2048 N N N ERRNO(10) +43-sim-a2_order all write 4 0x856B008 2049 N N N ERRNO(10) +43-sim-a2_order all write 4 0x856B008 4096 N N N ERRNO(11) +43-sim-a2_order all write 4 0x856B008 4097 N N N ERRNO(11) +43-sim-a2_order all write 4 0x856B008 8192 N N N ERRNO(12) +43-sim-a2_order all write 4 0x856B008 8193 N N N ERRNO(12) +43-sim-a2_order all write 4 0x856B008 16384 N N N KILL +43-sim-a2_order all write 4 0x856B008 16385 N N N KILL +43-sim-a2_order all write 4 0x856B008 32768 N N N ALLOW + +# Testname StressCount +test type: bpf-valgrind + +# Testname +43-sim-a2_order diff --git a/tests/44-live-a2_order.c b/tests/44-live-a2_order.c new file mode 100644 index 0000000..4af0b89 --- /dev/null +++ b/tests/44-live-a2_order.c 
@@ -0,0 +1,178 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <seccomp.h> + +#include "util.h" + +#define DEFAULT_ACTION_ERRNO 100 +#define DEFAULT_ACTION SCMP_ACT_ERRNO(DEFAULT_ACTION_ERRNO) + +struct size_and_rc { + int size; + int expected_rc; +}; + +static const struct size_and_rc test_cases[] = { + {1, 1}, + {10, 10}, + {50, 50}, + {100, -DEFAULT_ACTION_ERRNO}, + {200, -5}, + {256, -5}, + {257, -6}, + {400, -6}, + {800, -7}, + {1600, -8}, + {3200, -9}, + {4095, -9}, + {4096, -9}, + {4097, -10}, + {8000, -10}, + {8192, -10}, + {16383, -11}, + {16384, -11}, + {16385, -12}, + {35000, -12}, +}; + +static int do_read(int sz, int expected_rc) +{ + char *buf = NULL; + int rc = -1000, zero_fd = -1; + + zero_fd = open("/dev/zero", O_RDONLY); + if (zero_fd <= 0) + goto error; + + buf = malloc(sz); + if (buf == NULL) + goto error; + + rc = read(zero_fd, buf, sz); + if(rc < 0) { + if (expected_rc == -errno) + rc = 0; + } else { + if (rc == expected_rc) + rc = 0; + } + +error: + if (zero_fd >= 0) + close(zero_fd); + if (buf) + free(buf); + return rc; +} + +int main(int 
argc, char *argv[]) +{ + int rc, i; + scmp_filter_ctx ctx = NULL; + + ctx = seccomp_init(DEFAULT_ACTION); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_LE, 64)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 128)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 256)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(7), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 512)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(8), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 1024)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(9), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 2048)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(10), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 4096)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(11), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 8192)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(12), SCMP_SYS(read), 1, + SCMP_A2(SCMP_CMP_GT, 16384)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0); + if (rc != 0) + goto out; + + rc = seccomp_load(ctx); + if (rc != 0) + goto out; + + for (i = 0; i 
< sizeof(test_cases) / sizeof(test_cases[0]); i++) { + rc = do_read(test_cases[i].size, + test_cases[i].expected_rc); + if (rc < 0) + goto out; + } + + rc = 160; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/44-live-a2_order.py b/tests/44-live-a2_order.py new file mode 100755 index 0000000..4bd56a1 --- /dev/null +++ b/tests/44-live-a2_order.py 
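Review bot: do_read() cannot report a read that succeeds when the filter should have denied it: in the `else` branch a byte count that differs from `expected_rc` is left in `rc` as a positive number, and main() only stops on `rc < 0`, so the loop carries on and the program still exits with 160. For a live test of seccomp argument filtering that is the failure that matters most, so the branch should turn a mismatch into an error, e.g. `rc = (rc == expected_rc) ? 0 : -EIO;`. Separately, `if (zero_fd <= 0)` treats descriptor 0 as a failure while the cleanup path uses `zero_fd >= 0`; `< 0` is the correct test for open().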
@@ -0,0 +1,107 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import os +import sys + +import util + +from seccomp import * + +DEFAULT_ACTION_ERRNO = 100 +DEFAULT_ACTION = ERRNO(DEFAULT_ACTION_ERRNO) + +test_cases = [ + {'sz': 1, 'exp_rc': 1}, + {'sz': 10, 'exp_rc': 10}, + {'sz': 50, 'exp_rc': 50}, + {'sz': 100, 'exp_rc': -DEFAULT_ACTION_ERRNO}, + {'sz': 200, 'exp_rc': -5}, + {'sz': 256, 'exp_rc': -5}, + {'sz': 257, 'exp_rc': -6}, + {'sz': 400, 'exp_rc': -6}, + {'sz': 800, 'exp_rc': -7}, + {'sz': 1600, 'exp_rc': -8}, + {'sz': 3200, 'exp_rc': -9}, + {'sz': 4095, 'exp_rc': -9}, + {'sz': 4096, 'exp_rc': -9}, + {'sz': 4097, 'exp_rc': -10}, + {'sz': 8000, 'exp_rc': -10}, + {'sz': 8192, 'exp_rc': -10}, + {'sz': 16383, 'exp_rc': -11}, + {'sz': 16384, 'exp_rc': -11}, + {'sz': 16385, 'exp_rc': -12}, + {'sz': 35000, 'exp_rc': -12}, +] + +def do_read(): + fd = os.open("/dev/zero", os.O_RDONLY) + for x in test_cases: + try: + os.read(fd, x['sz']) + if x['exp_rc'] < 0: + os.close(fd) + raise IOError("Erroneously read %d bytes. 
Expected rc = %d" % + (x['sz'], x['exp_rc'])) + except OSError as ex: + if -ex.errno != x['exp_rc']: + os.close(fd) + raise IOError("Expected errno %d but os.read(%d bytes) caused errno %d" % + (-x['exp_rc'], x['sz'], ex.errno)) + os.close(fd) + +def test(): + f = SyscallFilter(DEFAULT_ACTION) + f.add_rule(ALLOW, "read", Arg(2, LE, 64)) + f.add_rule(ERRNO(5), "read", Arg(2, GT, 128)) + f.add_rule(ERRNO(6), "read", Arg(2, GT, 256)) + f.add_rule(ERRNO(7), "read", Arg(2, GT, 512)) + f.add_rule(ERRNO(8), "read", Arg(2, GT, 1024)) + f.add_rule(ERRNO(9), "read", Arg(2, GT, 2048)) + f.add_rule(ERRNO(10), "read", Arg(2, GT, 4096)) + f.add_rule(ERRNO(11), "read", Arg(2, GT, 8192)) + f.add_rule(ERRNO(12), "read", Arg(2, GT, 16384)) + # NOTE: additional syscalls required for python + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigaction") + f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "sigaltstack") + f.add_rule(ALLOW, "exit_group") + f.add_rule(ALLOW, "exit") + f.add_rule(ALLOW, "brk") + f.add_rule(ALLOW, "open") + f.add_rule(ALLOW, "openat") + f.add_rule(ALLOW, "stat") + f.add_rule(ALLOW, "write") + f.load() + + do_read() + + # all reads behaved as expected + quit(160) + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/44-live-a2_order.tests b/tests/44-live-a2_order.tests new file mode 100644 index 0000000..40b8cca --- /dev/null +++ b/tests/44-live-a2_order.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: live + +# Testname API Result +44-live-a2_order 1 ALLOW diff --git a/tests/45-sim-chain_code_coverage.c b/tests/45-sim-chain_code_coverage.c new file mode 100644 index 0000000..1ae8dab --- /dev/null +++ b/tests/45-sim-chain_code_coverage.c 
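Review bot: In do_read() the `raise IOError(...)` for an unexpected successful read sits inside the `try`, so on Python 3, where IOError is an alias of OSError, it is caught by the `except OSError` clause below it and `-ex.errno` is evaluated with `errno` set to None. The successful path also discards the return value of `os.read()`, so a positive `exp_rc` is never compared with the number of bytes actually read. Moving the success check into an `else:` clause and closing the descriptor in a `finally:` fixes both and replaces the three separate `os.close(fd)` calls. In test(), `quit(160)` depends on the `site` module being loaded; `sys.exit(160)` uses the `sys` import the file already has.

```python
def do_read():
    fd = os.open("/dev/zero", os.O_RDONLY)
    try:
        for x in test_cases:
            try:
                data = os.read(fd, x['sz'])
            except OSError as ex:
                if -ex.errno != x['exp_rc']:
                    raise IOError("Expected errno %d but os.read(%d bytes) caused errno %d" %
                                  (-x['exp_rc'], x['sz'], ex.errno))
            else:
                # a denied size has a negative exp_rc, so any successful read fails here
                if len(data) != x['exp_rc']:
                    raise IOError("Erroneously read %d bytes. Expected rc = %d" %
                                  (x['sz'], x['exp_rc']))
    finally:
        os.close(fd)
```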
@@ -0,0 +1,108 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> +#include <stdbool.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + /* the syscall and argument numbers are all fake to make the test + * simpler */ + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1, + SCMP_A0(SCMP_CMP_GE, 1)); + if (rc != 0) + goto out; + + /* db_chain_lt() path #1 - due to "A1" > "A0" */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1, + SCMP_A1(SCMP_CMP_GE, 2)); + if (rc != 0) + goto out; + + /* db_chain_lt() path #2 - due to "GT" > "GE" */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1, + SCMP_A0(SCMP_CMP_GT, 3)); + if (rc != 0) + goto out; + + /* db_chain_lt() path #3 - due to the second mask (0xff) being greater + * than the first (0xf) */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1, + SCMP_A2(SCMP_CMP_MASKED_EQ, 0xf, 4)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 
1, + SCMP_A2(SCMP_CMP_MASKED_EQ, 0xff, 5)); + if (rc != 0) + goto out; + + /* db_chain_lt() path #4 - due to datum (6) > previous datum (5) */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 1, + SCMP_A2(SCMP_CMP_MASKED_EQ, 0xff, 6)); + if (rc != 0) + goto out; + + /* attempt to hit some of the lvl_prv and lvl_nxt code in db.c */ + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 5, + SCMP_A0(SCMP_CMP_NE, 7), + SCMP_A1(SCMP_CMP_LT, 8), + SCMP_A2(SCMP_CMP_EQ, 9), + SCMP_A3(SCMP_CMP_GE, 10), + SCMP_A4(SCMP_CMP_GT, 11), + SCMP_A5(SCMP_CMP_MASKED_EQ, 0xffff, 12)); + if (rc != 0) + goto out; + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 5, + SCMP_A0(SCMP_CMP_NE, 7), + SCMP_A1(SCMP_CMP_LT, 8), + SCMP_A2(SCMP_CMP_EQ, 9), + SCMP_A3(SCMP_CMP_GE, 10), + SCMP_A4(SCMP_CMP_GT, 11), + SCMP_A5(SCMP_CMP_MASKED_EQ, 0xffff, 13)); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/45-sim-chain_code_coverage.py b/tests/45-sim-chain_code_coverage.py new file mode 100755 index 0000000..32ea547 --- /dev/null +++ b/tests/45-sim-chain_code_coverage.py 
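Review bot: The last two `seccomp_rule_add_exact()` calls pass an argument count of `5` but supply six comparators (`SCMP_A0` through `SCMP_A5`). If the library reads only `arg_cnt` entries from the variadic list, the `SCMP_A5(SCMP_CMP_MASKED_EQ, 0xffff, 12)` and `... 13)` comparators are never consumed and the two rules become identical. In that case the second call would not exercise the lvl_prv/lvl_nxt paths the comment names. The count should be `6` in both calls: `rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1008, 6,`. The Python counterpart (45-sim-chain_code_coverage.py) adds neither rule and the .tests vectors contain no case for them, so this part of the filter is unverified either way.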
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # the syscall and argument numbers are all fake to make the test simpler
+ f.add_rule_exactly(ALLOW, 1008, Arg(0, GE, 1))
+ f.add_rule_exactly(ALLOW, 1008, Arg(1, GE, 2))
+ f.add_rule_exactly(ALLOW, 1008, Arg(0, GT, 3))
+ f.add_rule_exactly(ALLOW, 1008, Arg(2, MASKED_EQ, 0xf, 4))
+ f.add_rule_exactly(ALLOW, 1008, Arg(2, MASKED_EQ, 0xff, 5))
+ f.add_rule_exactly(ALLOW, 1008, Arg(2, MASKED_EQ, 0xff, 6))
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/45-sim-chain_code_coverage.tests b/tests/45-sim-chain_code_coverage.tests
new file mode 100644
index 0000000..c013912
--- /dev/null
+++ b/tests/45-sim-chain_code_coverage.tests
@@ -0,0 +1,16 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+45-sim-chain_code_coverage all,-x32 1008 1 1 1 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 1 2 1 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 4 1 1 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 1 1 0x14 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 4 1 0x15 1 1 1 ALLOW
+45-sim-chain_code_coverage all,-x32 1008 4 1 0x106 1 1 1 ALLOW
diff --git a/tests/46-sim-kill_process.c b/tests/46-sim-kill_process.c
new file mode 100644
index 0000000..961a047
--- /dev/null
+++ b/tests/46-sim-kill_process.c
@@ -0,0 +1,78 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return -rc;
+
+ ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+ if (rc != 0)
+ goto out;
+ rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(5), SCMP_SYS(write), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_THREAD, SCMP_SYS(open), 0);
+ if (rc != 0)
+ goto out;
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(6), SCMP_SYS(close), 1,
+ SCMP_A0(SCMP_CMP_GT, 100));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/46-sim-kill_process.py b/tests/46-sim-kill_process.py
new file mode 100755
index 0000000..81b72be
--- /dev/null
+++ b/tests/46-sim-kill_process.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+ f = SyscallFilter(KILL_PROCESS)
+ f.remove_arch(Arch())
+ f.add_arch(Arch("x86_64"))
+ f.add_rule_exactly(ALLOW, "read")
+ f.add_rule_exactly(ERRNO(5), "write")
+ f.add_rule_exactly(KILL, "open")
+ f.add_rule_exactly(ERRNO(6), "close", Arg(0, GT, 100))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/46-sim-kill_process.tests b/tests/46-sim-kill_process.tests
new file mode 100644
index 0000000..f31a378
--- /dev/null
+++ b/tests/46-sim-kill_process.tests
@@ -0,0 +1,16 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+46-sim-kill_process +x86_64 0 N N N N N N ALLOW
+46-sim-kill_process +x86_64 1 N N N N N N ERRNO(5)
+46-sim-kill_process +x86_64 2 N N N N N N KILL
+46-sim-kill_process +x86_64 3 100 N N N N N KILL_PROCESS
+46-sim-kill_process +x86_64 3 101 N N N N N ERRNO(6)
+46-sim-kill_process +x86_64 4 N N N N N N KILL_PROCESS
diff --git a/tests/47-live-kill_process.c b/tests/47-live-kill_process.c
new file mode 100644
index 0000000..47d5833
--- /dev/null
+++ b/tests/47-live-kill_process.c
@@ -0,0 +1,102 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <pthread.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + + +static const unsigned int allowlist[] = { + SCMP_SYS(clone), + SCMP_SYS(exit), + SCMP_SYS(exit_group), + SCMP_SYS(futex), + SCMP_SYS(madvise), + SCMP_SYS(mmap), + SCMP_SYS(mprotect), + SCMP_SYS(munmap), + SCMP_SYS(nanosleep), + SCMP_SYS(set_robust_list), +}; + +/** + * Child thread created via pthread_create() + * + * This thread will call a disallowed syscall. It should + * cause the entire program to die (and not just this + * thread.) + */ +void *child_start(void *param) +{ + int fd; + + /* make a disallowed syscall */ + fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + /* we should never get here. seccomp should kill the entire + * process when open() is called. 
*/ + if (fd >= 0) + close(fd); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + int rc, i; + scmp_filter_ctx ctx = NULL; + pthread_t child_thread; + + ctx = seccomp_init(SCMP_ACT_KILL_PROCESS); + if (ctx == NULL) + return ENOMEM; + + for (i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++) { + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowlist[i], 0); + if (rc != 0) + goto out; + } + + rc = seccomp_load(ctx); + if (rc != 0) + goto out; + + rc = pthread_create(&child_thread, NULL, child_start, NULL); + if (rc != 0) + goto out; + + /* sleep for a bit to ensure that the child thread has time to run */ + sleep(1); + + /* we should never get here! */ + rc = -EACCES; + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/47-live-kill_process.py b/tests/47-live-kill_process.py new file mode 100755 index 0000000..8c62ee7 --- /dev/null +++ b/tests/47-live-kill_process.py 
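Review bot: The expected result cannot distinguish the intended kill (the `open()` in child_start()) from an unrelated one, and nothing near `allowlist` says so. With `SCMP_ACT_KILL_PROCESS` as the default action, any syscall outside the list issued by `pthread_create()` or `sleep(1)` in the main thread ends the process the same way. Which syscalls those wrappers use depends on the C library, so the test can report KILL_PROCESS without the child thread ever reaching `open()`. A comment above `allowlist` would record the requirement, for example `/* must cover every syscall pthread_create() and sleep() make; otherwise the process dies before child_start() calls open() and the test passes for the wrong reason */`.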
@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import sys
+import threading
+import time
+
+import util
+
+from seccomp import *
+
+def child_start(param):
+ param = 1
+
+ try:
+ fd = os.open("/dev/null", os.O_WRONLY)
+ except IOError as ex:
+ param = ex.errno
+ quit(ex.errno)
+
+def test():
+ f = SyscallFilter(KILL_PROCESS)
+ f.add_rule(ALLOW, "clone")
+ f.add_rule(ALLOW, "exit")
+ f.add_rule(ALLOW, "exit_group")
+ f.add_rule(ALLOW, "futex")
+ f.add_rule(ALLOW, "madvise")
+ f.add_rule(ALLOW, "mmap")
+ f.add_rule(ALLOW, "mprotect")
+ f.add_rule(ALLOW, "munmap")
+ f.add_rule(ALLOW, "nanosleep")
+ f.add_rule(ALLOW, "set_robust_list")
+ f.load()
+
+ param = 0
+ threading.Thread(target = child_start, args = (param, ))
+ thread.start()
+
+ time.sleep(1)
+
+ quit(-errno.EACCES)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/47-live-kill_process.tests b/tests/47-live-kill_process.tests
new file mode 100644
index 0000000..4f58ed4
--- /dev/null
+++ b/tests/47-live-kill_process.tests
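Review bot: In test() the `threading.Thread(...)` object is discarded and the next line calls `thread.start()` on a name that is never bound, so the child thread is never started and a NameError is raised instead. Because the filter is already loaded with `KILL_PROCESS` as the default and `write` is not allowed, the interpreter reporting that error is presumably what kills the process. The test would then report KILL_PROCESS without `child_start()` ever calling `os.open()`. The assignment should read `thread = threading.Thread(target = child_start, args = (param, ))`. `quit(-errno.EACCES)` also needs `import errno`, which this file does not have. In child_start(), `except IOError` would not catch the `OSError` that `os.open()` raises on Python 2.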
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: live
+
+# Testname API Result
+47-live-kill_process 3 KILL_PROCESS
diff --git a/tests/48-sim-32b_args.c b/tests/48-sim-32b_args.c
new file mode 100644
index 0000000..2d10519
--- /dev/null
+++ b/tests/48-sim-32b_args.c
@@ -0,0 +1,84 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com> + * Author: Paul Moore <paul@paul-moore.com> + * Additions: Michael Weiser <michael.weiser@gmx.de> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> +#include <inttypes.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + struct args { + uint32_t action; + int syscall; + struct scmp_arg_cmp cmp; + } *a, f[] = { + {SCMP_ACT_ALLOW, 2000, SCMP_A0(SCMP_CMP_EQ, -1)}, + {SCMP_ACT_ALLOW, 2064, SCMP_A0_64(SCMP_CMP_EQ, -1)}, + {SCMP_ACT_ALLOW, 2032, SCMP_A0_32(SCMP_CMP_EQ, -1)}, + {0}, + }; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, -1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1064, 1, + SCMP_A0_64(SCMP_CMP_EQ, -1)); + if (rc != 0) + goto out; + + rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1032, 1, + SCMP_A0_32(SCMP_CMP_EQ, -1)); + if (rc != 0) + goto out; + + for (a = f; a->syscall != 0; a++) { + rc = seccomp_rule_add_exact(ctx, a->action, a->syscall, 1, + a->cmp); + if (rc != 0) + goto out; + } + + rc = 
util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/48-sim-32b_args.py b/tests/48-sim-32b_args.py new file mode 100755 index 0000000..486c488 --- /dev/null +++ b/tests/48-sim-32b_args.py 
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ f = SyscallFilter(KILL)
+ # NOTE: this test is different from the native/c test as the bindings don't
+ # allow negative numbers (which is a good thing here)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 1064, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 1032, Arg(0, EQ, 0xffffffff))
+ # here we do not have static initializers to test but need to keep
+ # behaviour in sync with the native test
+ f.add_rule_exactly(ALLOW, 2000, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 2064, Arg(0, EQ, 0xffffffffffffffff))
+ f.add_rule_exactly(ALLOW, 2032, Arg(0, EQ, 0xffffffff))
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/48-sim-32b_args.tests b/tests/48-sim-32b_args.tests
new file mode 100644
index 0000000..4254742
--- /dev/null
+++ b/tests/48-sim-32b_args.tests
@@ -0,0 +1,38 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+48-sim-32b_args all_64 1000 0x0 N N N N N KILL
+48-sim-32b_args all_64 1000 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 1000 0xffffffffffffffff N N N N N ALLOW
+48-sim-32b_args all_64 1032 0x0 N N N N N KILL
+48-sim-32b_args all_64 1032 0xffffffff N N N N N ALLOW
+48-sim-32b_args all_64 1032 0xffffffffffffffff N N N N N KILL
+48-sim-32b_args all_64 1064 0x0 N N N N N KILL
+48-sim-32b_args all_64 1064 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 1064 0xffffffffffffffff N N N N N ALLOW
+48-sim-32b_args all_64 2000 0x0 N N N N N KILL
+48-sim-32b_args all_64 2000 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 2000 0xffffffffffffffff N N N N N ALLOW
+48-sim-32b_args all_64 2032 0x0 N N N N N KILL
+48-sim-32b_args all_64 2032 0xffffffff N N N N N ALLOW
+48-sim-32b_args all_64 2032 0xffffffffffffffff N N N N N KILL
+48-sim-32b_args all_64 2064 0x0 N N N N N KILL
+48-sim-32b_args all_64 2064 0xffffffff N N N N N KILL
+48-sim-32b_args all_64 2064 0xffffffffffffffff N N N N N ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname StressCount
+48-sim-32b_args 50
+
+test type: bpf-valgrind
+
+# Testname
+48-sim-32b_args
diff --git a/tests/49-sim-64b_comparisons.c b/tests/49-sim-64b_comparisons.c
new file mode 100644
index 0000000..364a67d
--- /dev/null
+++ b/tests/49-sim-64b_comparisons.c
@@ -0,0 +1,56 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_KILL);
+ if (ctx == NULL)
+ return ENOMEM;
+
+
+ rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 1,
+ SCMP_A0(SCMP_CMP_LT, 0x123456789abcUL));
+ if (rc != 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/49-sim-64b_comparisons.py b/tests/49-sim-64b_comparisons.py
new file mode 100755
index 0000000..054cdea
--- /dev/null
+++ b/tests/49-sim-64b_comparisons.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import errno
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+ set_api(3)
+
+ f = SyscallFilter(KILL)
+ f.add_rule_exactly(ALLOW, 1000, Arg(0, LT, 0x123456789abc))
+
+ return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/49-sim-64b_comparisons.tests b/tests/49-sim-64b_comparisons.tests
new file mode 100644
index 0000000..053d5f1
--- /dev/null
+++ b/tests/49-sim-64b_comparisons.tests
@@ -0,0 +1,25 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+49-sim-64b_comparisons all_64 1000 0x000000000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123000000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x1230f0000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123400000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123450000000 N N N N N ALLOW
+49-sim-64b_comparisons all_64 1000 0x123460000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x1234f0000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x123500000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x1235f0000000 N N N N N KILL
+49-sim-64b_comparisons all_64 1000 0x123600000000 N N N N N KILL
+
+test type: bpf-valgrind
+
+# Testname
+49-sim-64b_comparisons
diff --git a/tests/50-sim-hash_collision.c b/tests/50-sim-hash_collision.c
new file mode 100644
index 0000000..24eba19
--- /dev/null
+++ b/tests/50-sim-hash_collision.c
@@ -0,0 +1,98 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + rc = seccomp_api_set(1); + if (rc != 0) + return -rc; + + ctx = seccomp_init(SCMP_ACT_ERRNO(100)); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + if (rc != 0) + goto out; + + /* libseccomp utilizes a hash table to manage BPF blocks. It + * currently employs MurmurHash3 where the key is the hashed values + * of the BPF instruction blocks, the accumulator start, and the + * accumulator end. Changes to the hash algorithm will likely affect + * this test. + */ + + /* The following rules were derived from an issue reported by Tor: + * https://github.com/seccomp/libseccomp/issues/148 + * + * In the steps below, syscall 1001 is configured similarly to how + * Tor configured socket. The fairly complex rules below led to + * a hash collision with rt_sigaction (syscall 1000) in this test. 
+ */ + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1001, 3, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A1(SCMP_CMP_MASKED_EQ, 0xf, 2), + SCMP_A2(SCMP_CMP_EQ, 3)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1001, 2, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A1(SCMP_CMP_MASKED_EQ, 0xf, 1)); + if (rc != 0) + goto out; + + + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 2)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 1000, 1, + SCMP_A0(SCMP_CMP_EQ, 1)); + if (rc != 0) + goto out; + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/50-sim-hash_collision.py b/tests/50-sim-hash_collision.py new file mode 100755 index 0000000..d3c5f2f --- /dev/null +++ b/tests/50-sim-hash_collision.py 
@@ -0,0 +1,61 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + set_api(1) + f = SyscallFilter(ERRNO(100)) + f.remove_arch(Arch()) + f.add_arch(Arch("x86_64")) + + # libseccomp utilizes a hash table to manage BPF blocks. It currently + # employs MurmurHash3 where the key is the hashed values of the BPF + # instruction blocks, the accumulator start, and the accumulator end. + # Changes to the hash algorithm will likely affect this test. + + # The following rules were derived from an issue reported by Tor: + # https://github.com/seccomp/libseccomp/issues/148 + # + # In the steps below, syscall 1001 is configured similarly to how + # Tor configured socket. The fairly complex rules below led to + # a hash collision with rt_sigaction (syscall 1000) in this test. 
+ + f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 1), Arg(1, MASKED_EQ, 0xf, 2), + Arg(2, EQ, 3)) + f.add_rule_exactly(ALLOW, 1001, Arg(0, EQ, 1), Arg(1, MASKED_EQ, 0xf, 1)) + f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 2)) + f.add_rule_exactly(ALLOW, 1000, Arg(0, EQ, 1)) + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/50-sim-hash_collision.tests b/tests/50-sim-hash_collision.tests new file mode 100644 index 0000000..f63f6f4 --- /dev/null +++ b/tests/50-sim-hash_collision.tests @@ -0,0 +1,18 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +50-sim-hash_collision x86_64 1000 1 N N N N N ALLOW +50-sim-hash_collision x86_64 1000 2 N N N N N ALLOW +50-sim-hash_collision x86_64 1000 3 N N N N N ERRNO(100) +50-sim-hash_collision x86_64 1001 1 2 3 N N N ALLOW +50-sim-hash_collision x86_64 1001 1 1 N N N N ALLOW +50-sim-hash_collision x86_64 1001 2 N N N N N ERRNO(100) +50-sim-hash_collision x86_64 1001 1 3 N N N N ERRNO(100) +50-sim-hash_collision x86_64 1001 1 2 4 N N N ERRNO(100) diff --git a/tests/51-live-user_notification.c b/tests/51-live-user_notification.c new file mode 100644 index 0000000..4847d8b --- /dev/null +++ b/tests/51-live-user_notification.c 
@@ -0,0 +1,134 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <sys/types.h> +#include <sys/wait.h> +#include <asm/unistd.h> +#include <unistd.h> +#include <seccomp.h> +#include <signal.h> +#include <syscall.h> +#include <errno.h> +#include <stdlib.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc, fd = -1, status; + struct seccomp_notif *req = NULL; + struct seccomp_notif_resp *resp = NULL; + scmp_filter_ctx ctx = NULL; + pid_t pid = 0, magic; + + magic = getpid(); + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL); + if (rc) + goto out; + + rc = seccomp_load(ctx); + if (rc < 0) + goto out; + + rc = seccomp_notify_fd(ctx); + if (rc < 0) + goto out; + fd = rc; + + pid = fork(); + if (pid == 0) + exit(syscall(__NR_getpid) != magic); + + rc = seccomp_notify_alloc(&req, &resp); + if (rc) + goto out; + + rc = seccomp_notify_receive(fd, req); + if (rc) + goto out; + if (req->data.nr != __NR_getpid) { + rc = -EFAULT; + goto out; + } + rc = seccomp_notify_id_valid(fd, req->id); + if (rc) + goto out; + + resp->id = req->id; + resp->val = magic; + resp->error = 0; + resp->flags = 0; + rc = seccomp_notify_respond(fd, 
resp); + if (rc) + goto out; + + if (waitpid(pid, &status, 0) != pid) { + rc = -EFAULT; + goto out; + } + + if (!WIFEXITED(status)) { + rc = -EFAULT; + goto out; + } + if (WEXITSTATUS(status)) { + rc = -EFAULT; + goto out; + } + + rc = seccomp_reset(ctx, SCMP_ACT_ALLOW); + if (rc < 0) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getppid), 0, NULL); + if (rc) + goto out; + + rc = seccomp_load(ctx); + if (rc < 0) + goto out; + + rc = seccomp_notify_fd(ctx); + if (rc < 0) + goto out; + if (rc != fd) { + rc = -EFAULT; + goto out; + } else + rc = 0; + +out: + if (fd >= 0) + close(fd); + if (pid) + kill(pid, SIGKILL); + seccomp_notify_free(req, resp); + seccomp_release(ctx); + + if (rc != 0) + return (rc < 0 ? -rc : rc); + return 160; +} diff --git a/tests/51-live-user_notification.py b/tests/51-live-user_notification.py new file mode 100755 index 0000000..3449c44 --- /dev/null +++ b/tests/51-live-user_notification.py 
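Review bot: The `fork()` result is only compared with 0, so a failed fork leaves `pid` at -1, and any later `goto out` then runs `kill(-1, SIGKILL)`, which signals every process the caller is allowed to signal. Add `if (pid < 0) { rc = -errno; goto out; }` right after the fork and change the cleanup guard to `if (pid > 0)`. On the success path `pid` is also still set after `waitpid()` has reaped the child, so the final `kill()` targets a PID that may already have been reused; setting `pid = 0;` after the successful `waitpid()` avoids that.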
@@ -0,0 +1,64 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import os +import signal +import sys + +import util + +from seccomp import * + +def test(): + magic = os.getuid() + 1 + f = SyscallFilter(ALLOW) + f.add_rule(NOTIFY, "getuid") + f.load() + pid = os.fork() + if pid == 0: + val = os.getuid() + if val != magic: + raise RuntimeError("Response return value failed") + quit(1) + quit(0) + else: + notify = f.receive_notify() + if notify.syscall != resolve_syscall(Arch(), "getuid"): + raise RuntimeError("Notification failed") + f.respond_notify(NotificationResponse(notify, magic, 0, 0)) + wpid, rc = os.waitpid(pid, 0) + if os.WIFEXITED(rc) == 0: + raise RuntimeError("Child process error") + if os.WEXITSTATUS(rc) != 0: + raise RuntimeError("Child process error") + f.reset(ALLOW) + f.add_rule(NOTIFY, "getppid") + f.load() + # no easy way to check the notification fd here + quit(160) + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/51-live-user_notification.tests b/tests/51-live-user_notification.tests new file mode 100644 index 0000000..4c5e964 --- /dev/null +++ b/tests/51-live-user_notification.tests 
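Review bot: The parent branch of `test()` never kills or reaps the child when `receive_notify()`, the syscall check or `respond_notify()` raises, so the child stays blocked in its `getuid` call waiting for a response that never arrives. The C version of this test sends SIGKILL in its cleanup path, and `signal` is imported here but never used, which suggests the cleanup was intended. Wrapping the parent side in `try`/`finally` as sketched below closes that gap. Separately, the `quit(1)` after the `raise` in the child branch is unreachable and can be dropped.

```python
    else:
        reaped = False
        try:
            notify = f.receive_notify()
            # … unchanged: syscall check and respond_notify …
            wpid, rc = os.waitpid(pid, 0)
            reaped = True
            # … unchanged: WIFEXITED / WEXITSTATUS checks …
        finally:
            # do not leave the child blocked on an unanswered notification
            if not reaped:
                os.kill(pid, signal.SIGKILL)
                os.waitpid(pid, 0)
        # … unchanged: reset, getppid rule, load, quit(160) …
```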
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Cisco Systems 2019
+# Author: Tycho Andersen <tycho@tycho.ws>
+#
+
+test type: live
+
+# Testname API Result
+51-live-user_notification 5 ALLOW
diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c
new file mode 100644
index 0000000..de3cb8f
--- /dev/null
+++ b/tests/52-basic-load.c
@@ -0,0 +1,71 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <unistd.h> + +#include <seccomp.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + unsigned int api; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + api = seccomp_api_get(); + if (api == 0) { + rc = -EFAULT; + goto out; + } + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + + if (api >= 2) { + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); + if (rc != 0) + goto out; + } + if (api >= 3) { + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1); + if (rc != 0) + goto out; + } + if (api >= 4) { + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1); + if (rc != 0) + goto out; + } + + rc = seccomp_load(ctx); + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/52-basic-load.py b/tests/52-basic-load.py new file mode 100755 index 0000000..4395a79 --- /dev/null +++ b/tests/52-basic-load.py 
@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+ f = SyscallFilter(ALLOW)
+ f.load()
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/52-basic-load.tests b/tests/52-basic-load.tests
new file mode 100644
index 0000000..510e2d3
--- /dev/null
+++ b/tests/52-basic-load.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+52-basic-load
diff --git a/tests/53-sim-binary_tree.c b/tests/53-sim-binary_tree.c
new file mode 100644
index 0000000..4aa5f13
--- /dev/null
+++ b/tests/53-sim-binary_tree.c
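Review bot: The Python `test()` for 52-basic-load loads a bare `SyscallFilter(ALLOW)`, while the C version of the same test turns on the TSYNC, LOG and SSB filter attributes according to the API level before calling `seccomp_load()`. As written, the Python run says nothing about whether a filter with those flags set can be loaded through the bindings. Mirroring the C logic as below would keep the two variants equivalent; this assumes the bindings expose `get_api()` and the `Attr.CTL_LOG` / `Attr.CTL_SSB` members alongside the `Attr.CTL_TSYNC` already used elsewhere in this commit.

```python
    f = SyscallFilter(ALLOW)
    api = get_api()
    if api >= 2:
        f.set_attr(Attr.CTL_TSYNC, 1)
    if api >= 3:
        f.set_attr(Attr.CTL_LOG, 1)
    if api >= 4:
        f.set_attr(Attr.CTL_SSB, 1)
    f.load()
```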
@@ -0,0 +1,156 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018-2020 Oracle and/or its affiliates. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <seccomp.h> + +#include "util.h" + +#define ARG_COUNT_MAX 2 + +struct syscall_errno { + int syscall; + int error; + int arg_cnt; + /* To make the test more interesting, arguments are added to several + * syscalls. To keep the test simple, the arguments always use + * SCMP_CMP_EQ. 
+ */ + int args[ARG_COUNT_MAX]; +}; + +struct syscall_errno table[] = { + { SCMP_SYS(read), 0, 0, { 0, 0 } }, + { SCMP_SYS(write), 1, 0, { 0, 0 } }, + { SCMP_SYS(open), 2, 0, { 0, 0 } }, + { SCMP_SYS(close), 3, 2, { 100, 101 } }, + { SCMP_SYS(stat), 4, 0, { 0, 0 } }, + { SCMP_SYS(fstat), 5, 0, { 0, 0 } }, + { SCMP_SYS(lstat), 6, 0, { 0, 0 } }, + { SCMP_SYS(poll), 7, 1, { 102, 0 } }, + { SCMP_SYS(lseek), 8, 2, { 103, 104 } }, + { SCMP_SYS(mmap), 9, 0, { 0, 0 } }, + { SCMP_SYS(mprotect), 10, 0, { 0, 0 } }, + { SCMP_SYS(munmap), 11, 0, { 0, 0 } }, + { SCMP_SYS(brk), 12, 0, { 0, 0 } }, + { SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } }, + { SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } }, + { SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } }, + { SCMP_SYS(ioctl), 16, 0, { 0, 0 } }, + { SCMP_SYS(pread64), 17, 1, { 105, 0 } }, + { SCMP_SYS(pwrite64), 18, 0, { 0, 0 } }, + { SCMP_SYS(readv), 19, 0, { 0, 0 } }, + { SCMP_SYS(writev), 20, 0, { 0, 0 } }, + { SCMP_SYS(access), 21, 0, { 0, 0 } }, + { SCMP_SYS(pipe), 22, 0, { 0, 0 } }, + { SCMP_SYS(select), 23, 2, { 106, 107 } }, + { SCMP_SYS(sched_yield), 24, 0, { 0, 0 } }, + { SCMP_SYS(mremap), 25, 2, { 108, 109 } }, + { SCMP_SYS(msync), 26, 0, { 0, 0 } }, + { SCMP_SYS(mincore), 27, 0, { 0, 0 } }, + { SCMP_SYS(madvise), 28, 0, { 0, 0 } }, + { SCMP_SYS(dup), 32, 1, { 112, 0 } }, + { SCMP_SYS(dup2), 33, 0, { 0, 0 } }, + { SCMP_SYS(pause), 34, 0, { 0, 0 } }, + { SCMP_SYS(nanosleep), 35, 0, { 0, 0 } }, + { SCMP_SYS(getitimer), 36, 0, { 0, 0 } }, + { SCMP_SYS(alarm), 37, 0, { 0, 0 } }, +}; + +const int table_size = sizeof(table) / sizeof(table[0]); + +int main(int argc, char *argv[]) +{ + int rc, i; + struct util_options opts; + scmp_filter_ctx ctx = NULL; + + rc = util_getopt(argc, argv, &opts); + if (rc < 0) + goto out; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) { + rc = ENOMEM; + goto out; + } + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc != 0) + goto out; + + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); + if (rc 
!= 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE); + if (rc != 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + if (rc != 0) + goto out; + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2); + if (rc < 0) + goto out; + + for (i = 0; i < table_size; i++) { + switch (table[i].arg_cnt) { + case 2: + rc = seccomp_rule_add(ctx, + SCMP_ACT_ERRNO(table[i].error), + table[i].syscall, 2, + SCMP_A0(SCMP_CMP_EQ, + table[i].args[0]), + SCMP_A1(SCMP_CMP_EQ, + table[i].args[1])); + break; + case 1: + rc = seccomp_rule_add(ctx, + SCMP_ACT_ERRNO(table[i].error), + table[i].syscall, 1, + SCMP_A0(SCMP_CMP_EQ, + table[i].args[0])); + break; + case 0: + default: + rc = seccomp_rule_add(ctx, + SCMP_ACT_ERRNO(table[i].error), + table[i].syscall, 0); + break; + } + + if (rc < 0) + goto out; + } + + rc = util_filter_output(&opts, ctx); + if (rc) + goto out; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/53-sim-binary_tree.py b/tests/53-sim-binary_tree.py new file mode 100755 index 0000000..8ee58cd --- /dev/null +++ b/tests/53-sim-binary_tree.py 
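Review bot: The `default:` label shares the `case 0:` branch in the rule loop, so a table entry whose `arg_cnt` is anything other than 0, 1 or 2 is silently installed as an unconditional `SCMP_ACT_ERRNO` rule for the whole syscall instead of being rejected. Giving `default:` its own branch, `rc = -EINVAL; break;`, makes a bad table entry fail the test rather than widen the filter. The same loop appears in the tests/55-basic-pfc_binary_tree.c hunk further down. `table` and `table_size` appear to be file-local and could be declared `static const`.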
@@ -0,0 +1,96 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +table = [ + {"syscall": "read", "error": 0, "arg_cnt": 0 }, + {"syscall": "write", "error": 1, "arg_cnt": 0 }, + {"syscall": "open", "error": 2, "arg_cnt": 0 }, + {"syscall": "close", "error": 3, "arg_cnt": 2, "arg1": 100, "arg2": 101 }, + {"syscall": "stat", "error": 4, "arg_cnt": 0 }, + {"syscall": "fstat", "error": 5, "arg_cnt": 0 }, + {"syscall": "lstat", "error": 6, "arg_cnt": 0 }, + {"syscall": "poll", "error": 7, "arg_cnt": 1, "arg1": 102 }, + {"syscall": "lseek", "error": 8, "arg_cnt": 2, "arg1": 103, "arg2": 104 }, + {"syscall": "mmap", "error": 9, "arg_cnt": 0 }, + {"syscall": "mprotect", "error": 10, "arg_cnt": 0 }, + {"syscall": "munmap", "error": 11, "arg_cnt": 0 }, + {"syscall": "brk", "error": 12, "arg_cnt": 0 }, + {"syscall": "rt_sigaction", "error": 13, "arg_cnt": 0 }, + {"syscall": "rt_sigprocmask", "error": 14, "arg_cnt": 0 }, + {"syscall": "rt_sigreturn", "error": 15, "arg_cnt": 0 }, + {"syscall": "ioctl", "error": 16, "arg_cnt": 0 }, + {"syscall": "pread64", "error": 17, "arg_cnt": 1, "arg1": 105 }, + {"syscall": "pwrite64", "error": 18, "arg_cnt": 0 }, + {"syscall": 
"readv", "error": 19, "arg_cnt": 0 }, + {"syscall": "writev", "error": 20, "arg_cnt": 0 }, + {"syscall": "access", "error": 21, "arg_cnt": 0 }, + {"syscall": "pipe", "error": 22, "arg_cnt": 0 }, + {"syscall": "select", "error": 23, "arg_cnt": 2, "arg1": 106, "arg2": 107 }, + {"syscall": "sched_yield", "error": 24, "arg_cnt": 0 }, + {"syscall": "mremap", "error": 25, "arg_cnt": 2, "arg1": 108, "arg2": 109 }, + {"syscall": "msync", "error": 26, "arg_cnt": 0 }, + {"syscall": "mincore", "error": 27, "arg_cnt": 0 }, + {"syscall": "madvise", "error": 28, "arg_cnt": 0 }, + {"syscall": "dup", "error": 32, "arg_cnt": 1, "arg1": 112 }, + {"syscall": "dup2", "error": 33, "arg_cnt": 0 }, + {"syscall": "pause", "error": 34, "arg_cnt": 0 }, + {"syscall": "nanosleep", "error": 35, "arg_cnt": 0 }, + {"syscall": "getitimer", "error": 36, "arg_cnt": 0 }, + {"syscall": "alarm", "error": 37, "arg_cnt": 0 }, +] + +def test(args): + f = SyscallFilter(ALLOW) + f.set_attr(Attr.CTL_OPTIMIZE, 2) + + f.remove_arch(Arch()) + f.add_arch(Arch("aarch64")) + f.add_arch(Arch("ppc64le")) + f.add_arch(Arch("x86_64")) + + for entry in table: + if entry["arg_cnt"] == 2: + f.add_rule(ERRNO(entry["error"]), entry["syscall"], + Arg(0, EQ, entry["arg1"]), + Arg(1, EQ, entry["arg2"])) + elif entry["arg_cnt"] == 1: + f.add_rule(ERRNO(entry["error"]), entry["syscall"], + Arg(0, EQ, entry["arg1"])) + else: + f.add_rule(ERRNO(entry["error"]), entry["syscall"]) + + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/53-sim-binary_tree.tests b/tests/53-sim-binary_tree.tests new file mode 100644 index 0000000..2ebaafd --- /dev/null +++ b/tests/53-sim-binary_tree.tests 
@@ -0,0 +1,65 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2019-2020 Oracle and/or its affiliates. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 read N N N N N N ERRNO(0) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 write N N N N N N ERRNO(1) +53-sim-binary_tree +x86_64,+ppc64le open N N N N N N ERRNO(2) +53-sim-binary_tree +aarch64 open N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close 100 1234 N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 close 100 101 N N N N ERRNO(3) +53-sim-binary_tree +x86_64,+ppc64le stat N N N N N N ERRNO(4) +53-sim-binary_tree +aarch64 stat N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 fstat N N N N N N ERRNO(5) +53-sim-binary_tree +x86_64,+ppc64le lstat N N N N N N ERRNO(6) +53-sim-binary_tree +aarch64 lstat N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le poll 102 N N N N N ERRNO(7) +53-sim-binary_tree +aarch64 poll 102 N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 lseek 103 104 N N N N ERRNO(8) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mmap N N N N N N ERRNO(9) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mprotect N N N N N N ERRNO(10) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 munmap N N N N N N ERRNO(11) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 brk N N N N N N ERRNO(12) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigaction N N N N N N ERRNO(13) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigprocmask N N N N N N ERRNO(14) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 rt_sigreturn N N N N N N ERRNO(15) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 ioctl N N N N N N ERRNO(16) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 pread64 105 N N N N N ERRNO(17) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 pwrite64 N N 
N N N N ERRNO(18) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 readv N N N N N N ERRNO(19) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 writev N N N N N N ERRNO(20) +53-sim-binary_tree +x86_64,+ppc64le access N N N N N N ERRNO(21) +53-sim-binary_tree +aarch64 access N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le pipe N N N N N N ERRNO(22) +53-sim-binary_tree +aarch64 pipe N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 select N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le select 106 107 N N N N ERRNO(23) +53-sim-binary_tree +aarch64 select 106 107 N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 sched_yield N N N N N N ERRNO(24) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mremap N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mremap 108 109 N N N N ERRNO(25) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 msync N N N N N N ERRNO(26) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 mincore N N N N N N ERRNO(27) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 madvise N N N N N N ERRNO(28) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 dup 112 N N N N N ERRNO(32) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 dup 5678 N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le dup2 N N N N N N ERRNO(33) +53-sim-binary_tree +aarch64 dup2 N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le pause N N N N N N ERRNO(34) +53-sim-binary_tree +aarch64 pause N N N N N N ALLOW +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 nanosleep N N N N N N ERRNO(35) +53-sim-binary_tree +x86_64,+ppc64le,+aarch64 getitimer N N N N N N ERRNO(36) +53-sim-binary_tree +x86_64,+ppc64le alarm N N N N N N ERRNO(37) +53-sim-binary_tree +aarch64 alarm N N N N N N ALLOW + +test type: bpf-valgrind + +# Testname +53-sim-binary_tree diff --git a/tests/54-live-binary_tree.c b/tests/54-live-binary_tree.c new file mode 100644 index 0000000..8d0d25d --- /dev/null +++ b/tests/54-live-binary_tree.c 
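Review bot: The data gives no reason why the aarch64 rows for `open`, `stat`, `lstat`, `poll`, `access`, `pipe`, `select`, `dup2`, `pause` and `alarm` expect ALLOW while x86_64 and ppc64le expect the ERRNO action. Presumably these syscalls do not exist in the aarch64 syscall table, so the rule is not emitted for that architecture and the filter's default ALLOW applies. A comment above the table saying so, such as `# aarch64 lacks the legacy syscalls below, so their rules are dropped and the default action applies`, would stop a reader from taking those rows for a bug. It is worth stating because the same behaviour means a name-based deny rule gives no coverage on an architecture where the operation is reached through a different syscall (for example `openat` instead of `open`).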
@@ -0,0 +1,130 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <seccomp.h> + +#include "util.h" + +static const int denylist[] = { + SCMP_SYS(times), + SCMP_SYS(ptrace), + SCMP_SYS(getuid), + SCMP_SYS(syslog), + SCMP_SYS(getgid), + SCMP_SYS(setuid), + SCMP_SYS(setgid), + SCMP_SYS(geteuid), + SCMP_SYS(getegid), + SCMP_SYS(setpgid), + SCMP_SYS(getppid), + SCMP_SYS(getpgrp), + SCMP_SYS(setsid), + SCMP_SYS(setreuid), + SCMP_SYS(setregid), + SCMP_SYS(getgroups), + SCMP_SYS(setgroups), + SCMP_SYS(setresuid), + SCMP_SYS(getresuid), + SCMP_SYS(setresgid), + SCMP_SYS(getresgid), + SCMP_SYS(getpgid), + SCMP_SYS(setfsuid), + SCMP_SYS(setfsgid), +}; + +int main(int argc, char *argv[]) +{ + int rc; + int fd; + int i; + scmp_filter_ctx ctx = NULL; + const char buf[] = "testing"; + ssize_t buf_len = strlen(buf); + + rc = util_action_parse(argv[1]); + if (rc != SCMP_ACT_ALLOW) { + rc = 1; + goto out; + } + + rc = util_trap_install(); + if (rc != 0) + goto out; + + fd = open("/dev/null", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + if (fd < 0) { + rc = errno; + goto out; + } + + ctx = 
seccomp_init(SCMP_ACT_TRAP); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2); + if (rc < 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_EQ, fd)); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0); + if (rc != 0) + goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + if (rc != 0) + goto out; + + for (i = 0; i < (sizeof(denylist) / sizeof(denylist[0])); i++) { + rc = seccomp_rule_add(ctx, SCMP_ACT_KILL, denylist[i], 0); + if (rc != 0) + goto out; + } + + rc = seccomp_load(ctx); + if (rc != 0) + goto out; + + if (write(fd, buf, buf_len) < buf_len) { + rc = errno; + goto out; + } + if (close(fd) < 0) { + rc = errno; + goto out; + } + + rc = 160; + +out: + seccomp_release(ctx); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/54-live-binary_tree.py b/tests/54-live-binary_tree.py new file mode 100755 index 0000000..2bc7386 --- /dev/null +++ b/tests/54-live-binary_tree.py 
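Review bot: `argv[1]` is handed to `util_action_parse()` without looking at `argc`, so running the program with no argument passes NULL. Whether the helper tolerates that is not visible in this hunk, and `if (argc < 2) return EINVAL;` at the top of `main()` would make the requirement explicit. The descriptor returned by `open()` is also leaked by the early `return ENOMEM;` after `seccomp_init()` and by every `goto out` taken before the explicit `close(fd)`. The `O_CREAT` flag and mode bits on `/dev/null` look unnecessary.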
@@ -0,0 +1,96 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2018 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +denylist = [ + "times", + "ptrace", + "getuid", + "syslog", + "getgid", + "setuid", + "setgid", + "geteuid", + "getegid", + "setpgid", + "getppid", + "getpgrp", + "setsid", + "setreuid", + "setregid", + "getgroups", + "setgroups", + "setresuid", + "getresuid", + "setresgid", + "getresgid", + "getpgid", + "setfsuid", + "setfsgid", +] + +def test(): + action = util.parse_action(sys.argv[1]) + if not action == ALLOW: + quit(1) + util.install_trap() + f = SyscallFilter(TRAP) + f.set_attr(Attr.CTL_TSYNC, 1) + f.set_attr(Attr.CTL_OPTIMIZE, 2) + # NOTE: additional syscalls required for python + f.add_rule(ALLOW, "stat") + f.add_rule(ALLOW, "fstat") + f.add_rule(ALLOW, "open") + f.add_rule(ALLOW, "openat") + f.add_rule(ALLOW, "mmap") + f.add_rule(ALLOW, "munmap") + f.add_rule(ALLOW, "read") + f.add_rule(ALLOW, "write") + f.add_rule(ALLOW, "close") + f.add_rule(ALLOW, "rt_sigaction") + f.add_rule(ALLOW, "rt_sigreturn") + f.add_rule(ALLOW, "sigreturn") + f.add_rule(ALLOW, "sigaltstack") + f.add_rule(ALLOW, "brk") + f.add_rule(ALLOW, "exit_group") + + for syscall in denylist: + f.add_rule(KILL, 
syscall) + + f.load() + try: + util.write_file("/dev/null") + except OSError as ex: + quit(ex.errno) + quit(160) + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/54-live-binary_tree.tests b/tests/54-live-binary_tree.tests new file mode 100644 index 0000000..63575e9 --- /dev/null +++ b/tests/54-live-binary_tree.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: live + +# Testname API Result +54-live-binary_tree 1 ALLOW diff --git a/tests/55-basic-pfc_binary_tree.c b/tests/55-basic-pfc_binary_tree.c new file mode 100644 index 0000000..e364fd6 --- /dev/null +++ b/tests/55-basic-pfc_binary_tree.c 
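Review bot: This variant sets `Attr.CTL_TSYNC` on the filter, which the C version of the same test does not, and nothing says why. Either drop `f.set_attr(Attr.CTL_TSYNC, 1)` or add a one-line comment giving the reason, so the two variants are known to test the same filter. `sys.argv[1]` is read without a length check, so a run without arguments ends in an `IndexError` traceback rather than a defined exit code. `if not action == ALLOW:` reads more directly as `if action != ALLOW:`.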
@@ -0,0 +1,134 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2018-2020 Oracle and/or its affiliates. + * Author: Tom Hromatka <tom.hromatka@oracle.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <seccomp.h> + +#include "util.h" + +#define ARG_COUNT_MAX 2 + +struct syscall_errno { + int syscall; + int error; + int arg_cnt; + /* To make the test more interesting, arguments are added to several + * syscalls. To keep the test simple, the arguments always use + * SCMP_CMP_EQ. 
+ */ + int args[ARG_COUNT_MAX]; +}; + +struct syscall_errno table[] = { + { SCMP_SYS(read), 0, 2, { 100, 101 } }, + { SCMP_SYS(write), 1, 1, { 102, 0 } }, + { SCMP_SYS(open), 2, 0, { 0, 0 } }, + { SCMP_SYS(close), 3, 0, { 0, 0 } }, + { SCMP_SYS(stat), 4, 0, { 0, 0 } }, + { SCMP_SYS(fstat), 5, 1, { 103, 0 } }, + { SCMP_SYS(lstat), 6, 0, { 0, 0 } }, + { SCMP_SYS(poll), 7, 0, { 0, 0 } }, + { SCMP_SYS(lseek), 8, 1, { 104, 0 } }, + { SCMP_SYS(mmap), 9, 0, { 0, 0 } }, + { SCMP_SYS(mprotect), 10, 1, { 105, 0 } }, + { SCMP_SYS(munmap), 11, 0, { 0, 0 } }, + { SCMP_SYS(brk), 12, 0, { 0, 0 } }, + { SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } }, + { SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } }, + { SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } }, + { SCMP_SYS(ioctl), 16, 0, { 0, 0 } }, + { SCMP_SYS(pread64), 17, 1, { 106, 0 } }, + { SCMP_SYS(pwrite64), 18, 2, { 107, 108 } }, +}; + +const int table_size = sizeof(table) / sizeof(table[0]); + +int main(int argc, char *argv[]) +{ + int rc, fd, i; + scmp_filter_ctx ctx = NULL; + + /* stdout */ + fd = 1; + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) { + rc = ENOMEM; + goto out; + } + + rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + if (rc < 0) + goto out; + rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64); + if (rc < 0) + goto out; + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2); + if (rc < 0) + goto out; + + for (i = 0; i < table_size; i++) { + switch (table[i].arg_cnt) { + case 2: + rc = seccomp_rule_add(ctx, + SCMP_ACT_ERRNO(table[i].error), + table[i].syscall, 2, + SCMP_A0(SCMP_CMP_EQ, + table[i].args[0]), + SCMP_A1(SCMP_CMP_EQ, + table[i].args[1])); + break; + case 1: + rc = seccomp_rule_add(ctx, + SCMP_ACT_ERRNO(table[i].error), + table[i].syscall, 1, + SCMP_A0(SCMP_CMP_EQ, + table[i].args[0])); + break; + case 0: + default: + rc = seccomp_rule_add(ctx, + SCMP_ACT_ERRNO(table[i].error), + table[i].syscall, 0); + break; + } + + if (rc < 0) + 
goto out; + } + + rc = seccomp_export_pfc(ctx, fd); + if (rc < 0) + goto out; + +out: + seccomp_release(ctx); + close(fd); + return (rc < 0 ? -rc : rc); +} diff --git a/tests/55-basic-pfc_binary_tree.pfc b/tests/55-basic-pfc_binary_tree.pfc new file mode 100644 index 0000000..ba3244c --- /dev/null +++ b/tests/55-basic-pfc_binary_tree.pfc 
@@ -0,0 +1,182 @@ +# +# pseudo filter code start +# +# filter for arch x86_64 (3221225534) +if ($arch == 3221225534) + if ($syscall > 2) + if ($syscall > 10) + if ($syscall > 14) + # filter for syscall "pwrite64" (18) [priority: 65531] + if ($syscall == 18) + if ($a0.hi32 == 0) + if ($a0.lo32 == 107) + if ($a1.hi32 == 0) + if ($a1.lo32 == 108) + action ERRNO(18); + # filter for syscall "pread64" (17) [priority: 65533] + if ($syscall == 17) + if ($a0.hi32 == 0) + if ($a0.lo32 == 106) + action ERRNO(17); + # filter for syscall "ioctl" (16) [priority: 65535] + if ($syscall == 16) + action ERRNO(16); + # filter for syscall "rt_sigreturn" (15) [priority: 65535] + if ($syscall == 15) + action ERRNO(15); + else # ($syscall <= 14) + # filter for syscall "rt_sigprocmask" (14) [priority: 65535] + if ($syscall == 14) + action ERRNO(14); + # filter for syscall "rt_sigaction" (13) [priority: 65535] + if ($syscall == 13) + action ERRNO(13); + # filter for syscall "brk" (12) [priority: 65535] + if ($syscall == 12) + action ERRNO(12); + # filter for syscall "munmap" (11) [priority: 65535] + if ($syscall == 11) + action ERRNO(11); + else # ($syscall <= 10) + if ($syscall > 6) + # filter for syscall "mprotect" (10) [priority: 65533] + if ($syscall == 10) + if ($a0.hi32 == 0) + if ($a0.lo32 == 105) + action ERRNO(10); + # filter for syscall "mmap" (9) [priority: 65535] + if ($syscall == 9) + action ERRNO(9); + # filter for syscall "lseek" (8) [priority: 65533] + if ($syscall == 8) + if ($a0.hi32 == 0) + if ($a0.lo32 == 104) + action ERRNO(8); + # filter for syscall "poll" (7) [priority: 65535] + if ($syscall == 7) + action ERRNO(7); + else # ($syscall <= 6) + # filter for syscall "lstat" (6) [priority: 65535] + if ($syscall == 6) + action ERRNO(6); + # filter for syscall "fstat" (5) [priority: 65533] + if ($syscall == 5) + if ($a0.hi32 == 0) + if ($a0.lo32 == 103) + action ERRNO(5); + # filter for syscall "stat" (4) [priority: 65535] + if ($syscall == 4) + action ERRNO(4); + # filter 
for syscall "close" (3) [priority: 65535] + if ($syscall == 3) + action ERRNO(3); + else # ($syscall <= 2) + # filter for syscall "open" (2) [priority: 65535] + if ($syscall == 2) + action ERRNO(2); + # filter for syscall "write" (1) [priority: 65533] + if ($syscall == 1) + if ($a0.hi32 == 0) + if ($a0.lo32 == 102) + action ERRNO(1); + # filter for syscall "read" (0) [priority: 65531] + if ($syscall == 0) + if ($a0.hi32 == 0) + if ($a0.lo32 == 100) + if ($a1.hi32 == 0) + if ($a1.lo32 == 101) + action ERRNO(0); + # default action + action ALLOW; +# filter for arch aarch64 (3221225655) +if ($arch == 3221225655) + if ($syscall > 62) + if ($syscall > 139) + if ($syscall > 226) + # filter for syscall "lstat" (4294957133) [priority: 65535] + if ($syscall == 4294957133) + action ERRNO(6); + # filter for syscall "open" (4294957130) [priority: 65535] + if ($syscall == 4294957130) + action ERRNO(2); + # filter for syscall "poll" (4294957127) [priority: 65535] + if ($syscall == 4294957127) + action ERRNO(7); + # filter for syscall "stat" (4294957122) [priority: 65535] + if ($syscall == 4294957122) + action ERRNO(4); + else # ($syscall <= 226) + # filter for syscall "mprotect" (226) [priority: 65533] + if ($syscall == 226) + if ($a0.hi32 == 0) + if ($a0.lo32 == 105) + action ERRNO(10); + # filter for syscall "mmap" (222) [priority: 65535] + if ($syscall == 222) + action ERRNO(9); + # filter for syscall "munmap" (215) [priority: 65535] + if ($syscall == 215) + action ERRNO(11); + # filter for syscall "brk" (214) [priority: 65535] + if ($syscall == 214) + action ERRNO(12); + else # ($syscall <= 139) + if ($syscall > 68) + # filter for syscall "rt_sigreturn" (139) [priority: 65535] + if ($syscall == 139) + action ERRNO(15); + # filter for syscall "rt_sigprocmask" (135) [priority: 65535] + if ($syscall == 135) + action ERRNO(14); + # filter for syscall "rt_sigaction" (134) [priority: 65535] + if ($syscall == 134) + action ERRNO(13); + # filter for syscall "fstat" (80) [priority: 
65533] + if ($syscall == 80) + if ($a0.hi32 == 0) + if ($a0.lo32 == 103) + action ERRNO(5); + else # ($syscall <= 68) + # filter for syscall "pwrite64" (68) [priority: 65531] + if ($syscall == 68) + if ($a0.hi32 == 0) + if ($a0.lo32 == 107) + if ($a1.hi32 == 0) + if ($a1.lo32 == 108) + action ERRNO(18); + # filter for syscall "pread64" (67) [priority: 65533] + if ($syscall == 67) + if ($a0.hi32 == 0) + if ($a0.lo32 == 106) + action ERRNO(17); + # filter for syscall "write" (64) [priority: 65533] + if ($syscall == 64) + if ($a0.hi32 == 0) + if ($a0.lo32 == 102) + action ERRNO(1); + # filter for syscall "read" (63) [priority: 65531] + if ($syscall == 63) + if ($a0.hi32 == 0) + if ($a0.lo32 == 100) + if ($a1.hi32 == 0) + if ($a1.lo32 == 101) + action ERRNO(0); + else # ($syscall <= 62) + # filter for syscall "lseek" (62) [priority: 65533] + if ($syscall == 62) + if ($a0.hi32 == 0) + if ($a0.lo32 == 104) + action ERRNO(8); + # filter for syscall "close" (57) [priority: 65535] + if ($syscall == 57) + action ERRNO(3); + # filter for syscall "ioctl" (29) [priority: 65535] + if ($syscall == 29) + action ERRNO(16); + # default action + action ALLOW; +# invalid architecture action +action KILL; +# +# pseudo filter code end +# diff --git a/tests/55-basic-pfc_binary_tree.sh b/tests/55-basic-pfc_binary_tree.sh new file mode 100755 index 0000000..a12c69c --- /dev/null +++ b/tests/55-basic-pfc_binary_tree.sh 
@@ -0,0 +1,46 @@ +#!/bin/bash + +# +# libseccomp regression test automation data +# +# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +#### +# functions + +# +# Dependency check +# +# Arguments: +# 1 Dependency to check for +# +function check_deps() { + [[ -z "$1" ]] && return + which "$1" >& /dev/null + return $? +} + +# +# Dependency verification +# +# Arguments: +# 1 Dependency to check for +# +function verify_deps() { + [[ -z "$1" ]] && return + if ! check_deps "$1"; then + echo "error: install \"$1\" and include it in your \$PATH" + exit 1 + fi +} + +#### +# functions + +verify_deps diff + +# compare output to the known good output, fail if different +./55-basic-pfc_binary_tree | \ + diff -q ${srcdir:=.}/55-basic-pfc_binary_tree.pfc - > /dev/null diff --git a/tests/55-basic-pfc_binary_tree.tests b/tests/55-basic-pfc_binary_tree.tests new file mode 100644 index 0000000..8269a64 --- /dev/null +++ b/tests/55-basic-pfc_binary_tree.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: basic + +# Test command +55-basic-pfc_binary_tree.sh diff --git a/tests/56-basic-iterate_syscalls.c b/tests/56-basic-iterate_syscalls.c new file mode 100644 index 0000000..5e7ab67 --- /dev/null +++ b/tests/56-basic-iterate_syscalls.c 
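Review bot: The closing pipeline in `55-basic-pfc_binary_tree.sh` reports only the exit status of `diff`, so a run of `./55-basic-pfc_binary_tree` that prints the expected PFC and then exits non-zero still counts as a pass. Since the script already requires bash, `set -o pipefail` ahead of the pipeline would surface that case. `${srcdir:=.}` is also expanded unquoted, so a source directory with whitespace in its path splits into several arguments; `diff -q "${srcdir:=.}/55-basic-pfc_binary_tree.pfc" -` avoids that.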
@@ -0,0 +1,90 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2020 Red Hat <gscrivan@redhat.com> + * Author: Giuseppe Scrivano <gscrivan@redhat.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <string.h> +#include <stdlib.h> +#include <stdio.h> + +#include <seccomp.h> + +unsigned int arch_list[] = { + SCMP_ARCH_NATIVE, + SCMP_ARCH_X86, + SCMP_ARCH_X86_64, + SCMP_ARCH_X32, + SCMP_ARCH_ARM, + SCMP_ARCH_AARCH64, + SCMP_ARCH_MIPS, + SCMP_ARCH_MIPS64, + SCMP_ARCH_MIPS64N32, + SCMP_ARCH_MIPSEL, + SCMP_ARCH_MIPSEL64, + SCMP_ARCH_MIPSEL64N32, + SCMP_ARCH_PPC, + SCMP_ARCH_PPC64, + SCMP_ARCH_PPC64LE, + SCMP_ARCH_S390, + SCMP_ARCH_S390X, + SCMP_ARCH_PARISC, + SCMP_ARCH_PARISC64, + SCMP_ARCH_RISCV64, + -1 +}; + +static int test_arch(int arch, int init) +{ + int n, iter = 0; + + for (iter = init; iter < init + 1000; iter++) { + char *name; + + name = seccomp_syscall_resolve_num_arch(arch, iter); + if (name == NULL) + continue; + + n = seccomp_syscall_resolve_name_arch(arch, name); + if (n != iter) + return 1; + } + return 0; +} + +int main(int argc, char *argv[]) +{ + int iter = 0; + + for (iter = 0; arch_list[iter] != -1; iter++) { + int init = 0; + if (arch_list[iter] == SCMP_ARCH_X32) + init = 0x40000000; + else if (arch_list[iter] == SCMP_ARCH_MIPS) + init = 4000; + else if (arch_list[iter] == SCMP_ARCH_MIPS64) + init = 5000; + else if (arch_list[iter] 
== SCMP_ARCH_MIPS64N32) + init = 6000; + if (test_arch(arch_list[iter], init) < 0) + return 1; + } + + return 0; +} diff --git a/tests/56-basic-iterate_syscalls.py b/tests/56-basic-iterate_syscalls.py new file mode 100755 index 0000000..77a5b89 --- /dev/null +++ b/tests/56-basic-iterate_syscalls.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2020 Red Hat <gscrivan@redhat.com> +# Author: Giuseppe Scrivano <gscrivan@redhat.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +arch_list = ["x86", + "x86_64", + "x32", + "arm", + "aarch64", + "mipsel", + "mipsel64", + "mipsel64n32", + "ppc64le", + "riscv64"] + +def test_arch(arch, init): + for i in range(init, init + 1000): + sys_name = resolve_syscall(arch, i) + if sys_name is None: + continue + n = resolve_syscall(i, sys_name) + if i != n: + raise RuntimeError("Test failure") + +def test(): + for i in arch_list: + init = 0 + if i == "x32": + init = 0x40000000 + elif i == "mipsel": + init = 4000 + elif i == "mipsel64": + init = 5000 + elif i == "mipsel64n32": + init = 6000 + test_arch(Arch(i), init) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/56-basic-iterate_syscalls.tests b/tests/56-basic-iterate_syscalls.tests new file mode 100644 index 0000000..a84415a 
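Review bot: `test_arch()` returns 1 on a round-trip mismatch and 0 otherwise, but `main()` checks `test_arch(arch_list[iter], init) < 0`, which is never true, so this test cannot fail however the resolver behaves. The check should be `if (test_arch(arch_list[iter], init) != 0)`. The string returned by `seccomp_syscall_resolve_num_arch()` is also never released in the loop; the library documents that the caller frees it, so `free(name);` belongs after the reverse lookup and before the `n != iter` return.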
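Review bot: Nothing in `56-basic-iterate_syscalls.py` calls `test()`, so the script defines its two functions and exits 0 without resolving a single syscall. The other Python tests in this commit end with a `test()` call before the kate modelines, and this file needs the same line. Inside `test_arch()` the reverse lookup `resolve_syscall(i, sys_name)` passes the syscall number where the architecture belongs; it should read `n = resolve_syscall(arch, sys_name)`.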
--- /dev/null
+++ b/tests/56-basic-iterate_syscalls.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2020 Red Hat <gscrivan@redhat.com>
+# Author: Giuseppe Scrivano <gscrivan@redhat.com>
+#
+
+test type: basic
+
+# Test command
+56-basic-iterate_syscalls
diff --git a/tests/57-basic-rawsysrc.c b/tests/57-basic-rawsysrc.c
new file mode 100644
index 0000000..4248c7a
--- /dev/null
+++ b/tests/57-basic-rawsysrc.c
@@ -0,0 +1,64 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ int fd;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = seccomp_api_set(3);
+ if (rc != 0)
+ return EOPNOTSUPP;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL) {
+ rc = ENOMEM;
+ goto out;
+ }
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+ if (rc != 0)
+ goto out;
+
+ /* we must use a closed/invalid fd for this to work */
+ fd = dup(2);
+ close(fd);
+ rc = seccomp_export_pfc(ctx, fd);
+ if (rc == -EBADF)
+ rc = 0;
+ else
+ rc = -1;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/57-basic-rawsysrc.py b/tests/57-basic-rawsysrc.py new file mode 100755 index 0000000..a88461a --- /dev/null +++ b/tests/57-basic-rawsysrc.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys +import os + +import util + +from seccomp import * + +def test(): + # this test really isn't conclusive, but considering how python does error + # handling it may be the best we can do + f = SyscallFilter(ALLOW) + dummy = open("/dev/null", "w") + os.close(dummy.fileno()) + try: + f = f.export_pfc(dummy) + except RuntimeError: + pass + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/57-basic-rawsysrc.tests b/tests/57-basic-rawsysrc.tests new file mode 100644 index 0000000..fe71632 --- /dev/null +++ b/tests/57-basic-rawsysrc.tests @@ -0,0 +1,11 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +test type: basic + +# Test command +57-basic-rawsysrc diff --git a/tests/58-live-tsync_notify.c b/tests/58-live-tsync_notify.c new file mode 100644 index 0000000..e071284 --- /dev/null 
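Review bot: The `try` block in `test()` passes whether or not `f.export_pfc(dummy)` raises, so this script exits 0 on every outcome and verifies nothing about the closed-descriptor case; the comment above it says as much. If the binding is expected to raise `RuntimeError` here (not confirmable from this hunk), an `else: raise RuntimeError("export_pfc() succeeded on a closed fd")` clause would turn it into a real check. Separately, `dummy` still owns the descriptor that `os.close(dummy.fileno())` already closed, so its implicit close at teardown acts on a stale descriptor number; a comment saying the double close is intentional would help the next reader.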
+++ b/tests/58-live-tsync_notify.c 
@@ -0,0 +1,117 @@ +/** + * Seccomp Library test program + * + * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <sys/types.h> +#include <sys/wait.h> +#include <asm/unistd.h> +#include <unistd.h> +#include <seccomp.h> +#include <signal.h> +#include <syscall.h> +#include <errno.h> +#include <stdlib.h> + +#include "util.h" + +int main(int argc, char *argv[]) +{ + int rc, fd = -1, status; + struct seccomp_notif *req = NULL; + struct seccomp_notif_resp *resp = NULL; + scmp_filter_ctx ctx = NULL; + pid_t pid = 0, magic; + + magic = getpid(); + + ctx = seccomp_init(SCMP_ACT_ALLOW); + if (ctx == NULL) + return ENOMEM; + + rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); + if (rc) + goto out; + + rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL); + if (rc) + goto out; + + rc = seccomp_load(ctx); + if (rc < 0) + goto out; + + rc = seccomp_notify_fd(ctx); + if (rc < 0) + goto out; + fd = rc; + + pid = fork(); + if (pid == 0) + exit(syscall(__NR_getpid) != magic); + + rc = seccomp_notify_alloc(&req, &resp); + if (rc) + goto out; + + rc = seccomp_notify_receive(fd, req); + if (rc) + goto out; + if (req->data.nr != __NR_getpid) { + rc = -EFAULT; + goto out; + } + rc = seccomp_notify_id_valid(fd, req->id); + if (rc) + goto out; + + resp->id = req->id; + resp->val = 
magic; + resp->error = 0; + resp->flags = 0; + rc = seccomp_notify_respond(fd, resp); + if (rc) + goto out; + + if (waitpid(pid, &status, 0) != pid) { + rc = -EFAULT; + goto out; + } + + if (!WIFEXITED(status)) { + rc = -EFAULT; + goto out; + } + if (WEXITSTATUS(status)) { + rc = -EFAULT; + goto out; + } + +out: + if (fd >= 0) + close(fd); + if (pid) + kill(pid, SIGKILL); + seccomp_notify_free(req, resp); + seccomp_release(ctx); + + if (rc != 0) + return (rc < 0 ? -rc : rc); + return 160; +} diff --git a/tests/58-live-tsync_notify.py b/tests/58-live-tsync_notify.py new file mode 100755 index 0000000..ae01b06 --- /dev/null +++ b/tests/58-live-tsync_notify.py 
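Review bot: The result of `fork()` is never checked for -1, and the cleanup at `out:` runs `kill(pid, SIGKILL)` whenever `pid` is non-zero; after a failed fork that call becomes `kill(-1, SIGKILL)`, which signals every process the caller is permitted to signal. Add `if (pid < 0) { rc = -errno; goto out; }` directly after the `fork()` call and change the cleanup guard to `if (pid > 0)`. On the success path the child has already been reaped by `waitpid()` when the kill is sent, so setting `pid = 0` after a successful wait would avoid signalling a recycled pid.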
@@ -0,0 +1,61 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import os +import signal +import sys + +import util + +from seccomp import * + +def test(): + magic = os.getuid() + 1 + f = SyscallFilter(ALLOW) + f.set_attr(Attr.CTL_TSYNC, 1) + f.add_rule(NOTIFY, "getuid") + f.load() + pid = os.fork() + if pid == 0: + val = os.getuid() + if val != magic: + raise RuntimeError("Response return value failed") + quit(1) + quit(0) + else: + notify = f.receive_notify() + if notify.syscall != resolve_syscall(Arch(), "getuid"): + raise RuntimeError("Notification failed") + f.respond_notify(NotificationResponse(notify, magic, 0, 0)) + wpid, rc = os.waitpid(pid, 0) + if os.WIFEXITED(rc) == 0: + raise RuntimeError("Child process error") + if os.WEXITSTATUS(rc) != 0: + raise RuntimeError("Child process error") + quit(160) + +test() + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/58-live-tsync_notify.tests b/tests/58-live-tsync_notify.tests new file mode 100644 index 0000000..6c84891 --- /dev/null +++ b/tests/58-live-tsync_notify.tests 
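Review bot: In the child branch of `test()` the `quit(1)` directly after `raise RuntimeError("Response return value failed")` can never run, so a failing child exits through an uncaught exception and a traceback instead of through that status. `quit()` is also the interactive helper installed by `site`; a forked child is more predictable with `os._exit()`, which skips the parent's inherited cleanup handlers. The branch could read `if val != magic: os._exit(1)` followed by `os._exit(0)`. If the parent raises before `os.waitpid()`, the child is left blocked on the notification, so a `try`/`finally` that kills `pid` would mirror the cleanup in the C version of this test.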
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname API Result
+58-live-tsync_notify 6 ALLOW
diff --git a/tests/59-basic-empty_binary_tree.c b/tests/59-basic-empty_binary_tree.c
new file mode 100644
index 0000000..6b6485e
--- /dev/null
+++ b/tests/59-basic-empty_binary_tree.c
@@ -0,0 +1,54 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct util_options opts;
+ scmp_filter_ctx ctx = NULL;
+
+ rc = util_getopt(argc, argv, &opts);
+ if (rc < 0)
+ goto out;
+
+ ctx = seccomp_init(SCMP_ACT_ALLOW);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (rc < 0)
+ goto out;
+
+ rc = util_filter_output(&opts, ctx);
+ if (rc)
+ goto out;
+
+out:
+ seccomp_release(ctx);
+ return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/59-basic-empty_binary_tree.py b/tests/59-basic-empty_binary_tree.py
new file mode 100755
index 0000000..5acbbd4
--- /dev/null
+++ b/tests/59-basic-empty_binary_tree.py
@@ -0,0 +1,41 @@ +#!/usr/bin/env python + +# +# Seccomp Library test program +# +# Copyright (c) 2022 Oracle and/or its affiliates. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +import argparse +import sys + +import util + +from seccomp import * + +def test(args): + f = SyscallFilter(ALLOW) + f.set_attr(Attr.CTL_OPTIMIZE, 2) + return f + +args = util.get_opt() +ctx = test(args) +util.filter_output(args, ctx) + +# kate: syntax python; +# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off; diff --git a/tests/59-basic-empty_binary_tree.tests b/tests/59-basic-empty_binary_tree.tests new file mode 100644 index 0000000..ff6dbc3 --- /dev/null +++ b/tests/59-basic-empty_binary_tree.tests @@ -0,0 +1,16 @@ +# +# libseccomp regression test automation data +# +# Copyright (c) 2022 Oracle and/or its affiliates. +# Author: Tom Hromatka <tom.hromatka@oracle.com> +# + +test type: bpf-sim + +# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result +59-basic-empty_binary_tree all,-x32 0-350 N N N N N N ALLOW + +test type: bpf-valgrind + +# Testname +59-basic-empty_binary_tree diff --git a/tests/Makefile.am b/tests/Makefile.am new file mode 100644 index 0000000..f0a1f8e --- /dev/null +++ b/tests/Makefile.am 
@@ -0,0 +1,242 @@ +#### +# Seccomp Library Tests +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License +# as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +if CODE_COVERAGE_ENABLED +DBG_STATIC = +else +DBG_STATIC = -static +endif + +AM_LDFLAGS = ${DBG_STATIC} -lpthread + +LDADD = util.la ../src/libseccomp.la ${CODE_COVERAGE_LIBS} + +check_LTLIBRARIES = util.la +util_la_SOURCES = util.c util.h +util_la_LDFLAGS = -module + +miniseq_LDADD = + +TESTS = regression + +check_PROGRAMS = \ + miniseq \ + 01-sim-allow \ + 02-sim-basic \ + 03-sim-basic_chains \ + 04-sim-multilevel_chains \ + 05-sim-long_jumps \ + 06-sim-actions \ + 07-sim-db_bug_looping \ + 08-sim-subtree_checks \ + 09-sim-syscall_priority_pre \ + 10-sim-syscall_priority_post \ + 11-basic-basic_errors \ + 12-sim-basic_masked_ops \ + 13-basic-attrs \ + 14-sim-reset \ + 15-basic-resolver \ + 16-sim-arch_basic \ + 17-sim-arch_merge \ + 18-sim-basic_allowlist \ + 19-sim-missing_syscalls \ + 20-live-basic_die \ + 21-live-basic_allow \ + 22-sim-basic_chains_array \ + 23-sim-arch_all_le_basic \ + 24-live-arg_allow \ + 25-sim-multilevel_chains_adv \ + 26-sim-arch_all_be_basic \ + 27-sim-bpf_blk_state \ + 28-sim-arch_x86 \ + 29-sim-pseudo_syscall \ + 30-sim-socket_syscalls \ + 31-basic-version_check \ + 32-live-tsync_allow \ + 33-sim-socket_syscalls_be \ + 34-sim-basic_denylist \ + 35-sim-negative_one \ + 36-sim-ipc_syscalls \ + 37-sim-ipc_syscalls_be \ + 38-basic-pfc_coverage \ + 39-basic-api_level \ + 40-sim-log \ + 
41-sim-syscall_priority_arch \ + 42-sim-adv_chains \ + 43-sim-a2_order \ + 44-live-a2_order \ + 45-sim-chain_code_coverage \ + 46-sim-kill_process \ + 47-live-kill_process \ + 48-sim-32b_args \ + 49-sim-64b_comparisons \ + 50-sim-hash_collision \ + 51-live-user_notification \ + 52-basic-load \ + 53-sim-binary_tree \ + 54-live-binary_tree \ + 55-basic-pfc_binary_tree \ + 56-basic-iterate_syscalls \ + 57-basic-rawsysrc \ + 58-live-tsync_notify \ + 59-basic-empty_binary_tree + +EXTRA_DIST_TESTPYTHON = \ + util.py \ + 01-sim-allow.py \ + 02-sim-basic.py \ + 03-sim-basic_chains.py \ + 04-sim-multilevel_chains.py \ + 05-sim-long_jumps.py \ + 06-sim-actions.py \ + 07-sim-db_bug_looping.py \ + 08-sim-subtree_checks.py \ + 09-sim-syscall_priority_pre.py \ + 10-sim-syscall_priority_post.py \ + 11-basic-basic_errors.py \ + 12-sim-basic_masked_ops.py \ + 13-basic-attrs.py \ + 14-sim-reset.py \ + 15-basic-resolver.py \ + 16-sim-arch_basic.py \ + 17-sim-arch_merge.py \ + 18-sim-basic_allowlist.py \ + 19-sim-missing_syscalls.py \ + 20-live-basic_die.py \ + 21-live-basic_allow.py \ + 22-sim-basic_chains_array.py \ + 23-sim-arch_all_le_basic.py \ + 24-live-arg_allow.py \ + 25-sim-multilevel_chains_adv.py \ + 26-sim-arch_all_be_basic.py \ + 27-sim-bpf_blk_state.py \ + 28-sim-arch_x86.py \ + 29-sim-pseudo_syscall.py \ + 30-sim-socket_syscalls.py \ + 31-basic-version_check.py \ + 32-live-tsync_allow.py \ + 33-sim-socket_syscalls_be.py \ + 34-sim-basic_denylist.py \ + 35-sim-negative_one.py \ + 36-sim-ipc_syscalls.py \ + 37-sim-ipc_syscalls_be.py \ + 39-basic-api_level.py \ + 40-sim-log.py \ + 41-sim-syscall_priority_arch.py \ + 42-sim-adv_chains.py \ + 43-sim-a2_order.py \ + 44-live-a2_order.py \ + 45-sim-chain_code_coverage.py \ + 46-sim-kill_process.py \ + 47-live-kill_process.py \ + 48-sim-32b_args.py \ + 49-sim-64b_comparisons.py \ + 50-sim-hash_collision.py \ + 51-live-user_notification.py \ + 52-basic-load.py \ + 53-sim-binary_tree.py \ + 54-live-binary_tree.py \ + 
56-basic-iterate_syscalls.py \ + 57-basic-rawsysrc.py \ + 58-live-tsync_notify.py \ + 59-basic-empty_binary_tree.py + +EXTRA_DIST_TESTCFGS = \ + 01-sim-allow.tests \ + 02-sim-basic.tests \ + 03-sim-basic_chains.tests \ + 04-sim-multilevel_chains.tests \ + 05-sim-long_jumps.tests \ + 06-sim-actions.tests \ + 07-sim-db_bug_looping.tests \ + 08-sim-subtree_checks.tests \ + 09-sim-syscall_priority_pre.tests \ + 10-sim-syscall_priority_post.tests \ + 11-basic-basic_errors.tests \ + 12-sim-basic_masked_ops.tests \ + 13-basic-attrs.tests \ + 14-sim-reset.tests \ + 15-basic-resolver.tests \ + 16-sim-arch_basic.tests \ + 17-sim-arch_merge.tests \ + 18-sim-basic_allowlist.tests \ + 19-sim-missing_syscalls.tests \ + 20-live-basic_die.tests \ + 21-live-basic_allow.tests \ + 22-sim-basic_chains_array.tests \ + 23-sim-arch_all_le_basic.tests \ + 24-live-arg_allow.tests \ + 25-sim-multilevel_chains_adv.tests \ + 26-sim-arch_all_be_basic.tests \ + 27-sim-bpf_blk_state.tests \ + 28-sim-arch_x86.tests \ + 29-sim-pseudo_syscall.tests \ + 30-sim-socket_syscalls.tests \ + 31-basic-version_check.tests \ + 32-live-tsync_allow.tests \ + 33-sim-socket_syscalls_be.tests \ + 34-sim-basic_denylist.tests \ + 35-sim-negative_one.tests \ + 36-sim-ipc_syscalls.tests \ + 37-sim-ipc_syscalls_be.tests \ + 38-basic-pfc_coverage.tests \ + 39-basic-api_level.tests \ + 40-sim-log.tests \ + 41-sim-syscall_priority_arch.tests \ + 42-sim-adv_chains.tests \ + 43-sim-a2_order.tests \ + 44-live-a2_order.tests \ + 45-sim-chain_code_coverage.tests \ + 46-sim-kill_process.tests \ + 47-live-kill_process.tests \ + 48-sim-32b_args.tests \ + 49-sim-64b_comparisons.tests \ + 50-sim-hash_collision.tests \ + 51-live-user_notification.tests \ + 52-basic-load.tests \ + 53-sim-binary_tree.tests \ + 54-live-binary_tree.tests \ + 55-basic-pfc_binary_tree.tests \ + 56-basic-iterate_syscalls.tests \ + 57-basic-rawsysrc.tests \ + 58-live-tsync_notify.tests \ + 59-basic-empty_binary_tree.tests + +EXTRA_DIST_TESTSCRIPTS = \ + 
38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \ + 55-basic-pfc_binary_tree.sh 55-basic-pfc_binary_tree.pfc + +EXTRA_DIST_TESTTOOLS = regression testdiff testgen + +EXTRA_DIST_TESTVALGRIND = valgrind_test.supp + +EXTRA_DIST = \ + ${EXTRA_DIST_TESTCFGS} \ + ${EXTRA_DIST_TESTPYTHON} \ + ${EXTRA_DIST_TESTSCRIPTS} \ + ${EXTRA_DIST_TESTTOOLS} \ + ${EXTRA_DIST_TESTVALGRIND} + +nodist_00_test_SOURCES = 00-test.c +EXTRA_PROGRAMS = 00-test + +check-build: + ${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS} + +clean-local: + ${RM} -f 00-test *.pyc diff --git a/tests/Makefile.in b/tests/Makefile.in new file mode 100644 index 0000000..499342f --- /dev/null +++ b/tests/Makefile.in 
@@ -0,0 +1,1805 @@ +# Makefile.in generated by automake 1.16.5 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2021 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +#### +# Seccomp Library Tests +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License +# as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) 
;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +check_PROGRAMS = miniseq$(EXEEXT) 01-sim-allow$(EXEEXT) \ + 02-sim-basic$(EXEEXT) 03-sim-basic_chains$(EXEEXT) \ + 04-sim-multilevel_chains$(EXEEXT) 05-sim-long_jumps$(EXEEXT) \ + 06-sim-actions$(EXEEXT) 
07-sim-db_bug_looping$(EXEEXT) \ + 08-sim-subtree_checks$(EXEEXT) \ + 09-sim-syscall_priority_pre$(EXEEXT) \ + 10-sim-syscall_priority_post$(EXEEXT) \ + 11-basic-basic_errors$(EXEEXT) \ + 12-sim-basic_masked_ops$(EXEEXT) 13-basic-attrs$(EXEEXT) \ + 14-sim-reset$(EXEEXT) 15-basic-resolver$(EXEEXT) \ + 16-sim-arch_basic$(EXEEXT) 17-sim-arch_merge$(EXEEXT) \ + 18-sim-basic_allowlist$(EXEEXT) \ + 19-sim-missing_syscalls$(EXEEXT) 20-live-basic_die$(EXEEXT) \ + 21-live-basic_allow$(EXEEXT) \ + 22-sim-basic_chains_array$(EXEEXT) \ + 23-sim-arch_all_le_basic$(EXEEXT) 24-live-arg_allow$(EXEEXT) \ + 25-sim-multilevel_chains_adv$(EXEEXT) \ + 26-sim-arch_all_be_basic$(EXEEXT) \ + 27-sim-bpf_blk_state$(EXEEXT) 28-sim-arch_x86$(EXEEXT) \ + 29-sim-pseudo_syscall$(EXEEXT) 30-sim-socket_syscalls$(EXEEXT) \ + 31-basic-version_check$(EXEEXT) 32-live-tsync_allow$(EXEEXT) \ + 33-sim-socket_syscalls_be$(EXEEXT) \ + 34-sim-basic_denylist$(EXEEXT) 35-sim-negative_one$(EXEEXT) \ + 36-sim-ipc_syscalls$(EXEEXT) 37-sim-ipc_syscalls_be$(EXEEXT) \ + 38-basic-pfc_coverage$(EXEEXT) 39-basic-api_level$(EXEEXT) \ + 40-sim-log$(EXEEXT) 41-sim-syscall_priority_arch$(EXEEXT) \ + 42-sim-adv_chains$(EXEEXT) 43-sim-a2_order$(EXEEXT) \ + 44-live-a2_order$(EXEEXT) 45-sim-chain_code_coverage$(EXEEXT) \ + 46-sim-kill_process$(EXEEXT) 47-live-kill_process$(EXEEXT) \ + 48-sim-32b_args$(EXEEXT) 49-sim-64b_comparisons$(EXEEXT) \ + 50-sim-hash_collision$(EXEEXT) \ + 51-live-user_notification$(EXEEXT) 52-basic-load$(EXEEXT) \ + 53-sim-binary_tree$(EXEEXT) 54-live-binary_tree$(EXEEXT) \ + 55-basic-pfc_binary_tree$(EXEEXT) \ + 56-basic-iterate_syscalls$(EXEEXT) 57-basic-rawsysrc$(EXEEXT) \ + 58-live-tsync_notify$(EXEEXT) \ + 59-basic-empty_binary_tree$(EXEEXT) +EXTRA_PROGRAMS = 00-test$(EXEEXT) +subdir = tests +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_code_coverage.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 
$(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/configure.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +util_la_LIBADD = +am_util_la_OBJECTS = util.lo +util_la_OBJECTS = $(am_util_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +util_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(util_la_LDFLAGS) $(LDFLAGS) -o $@ +nodist_00_test_OBJECTS = 00-test.$(OBJEXT) +00_test_OBJECTS = $(nodist_00_test_OBJECTS) +00_test_LDADD = $(LDADD) +am__DEPENDENCIES_1 = +00_test_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +01_sim_allow_SOURCES = 01-sim-allow.c +01_sim_allow_OBJECTS = 01-sim-allow.$(OBJEXT) +01_sim_allow_LDADD = $(LDADD) +01_sim_allow_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +02_sim_basic_SOURCES = 02-sim-basic.c +02_sim_basic_OBJECTS = 02-sim-basic.$(OBJEXT) +02_sim_basic_LDADD = $(LDADD) +02_sim_basic_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +03_sim_basic_chains_SOURCES = 03-sim-basic_chains.c +03_sim_basic_chains_OBJECTS = 03-sim-basic_chains.$(OBJEXT) +03_sim_basic_chains_LDADD = $(LDADD) +03_sim_basic_chains_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +04_sim_multilevel_chains_SOURCES = 04-sim-multilevel_chains.c +04_sim_multilevel_chains_OBJECTS = 04-sim-multilevel_chains.$(OBJEXT) +04_sim_multilevel_chains_LDADD = $(LDADD) +04_sim_multilevel_chains_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +05_sim_long_jumps_SOURCES = 05-sim-long_jumps.c +05_sim_long_jumps_OBJECTS = 05-sim-long_jumps.$(OBJEXT) +05_sim_long_jumps_LDADD = 
$(LDADD) +05_sim_long_jumps_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +06_sim_actions_SOURCES = 06-sim-actions.c +06_sim_actions_OBJECTS = 06-sim-actions.$(OBJEXT) +06_sim_actions_LDADD = $(LDADD) +06_sim_actions_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +07_sim_db_bug_looping_SOURCES = 07-sim-db_bug_looping.c +07_sim_db_bug_looping_OBJECTS = 07-sim-db_bug_looping.$(OBJEXT) +07_sim_db_bug_looping_LDADD = $(LDADD) +07_sim_db_bug_looping_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +08_sim_subtree_checks_SOURCES = 08-sim-subtree_checks.c +08_sim_subtree_checks_OBJECTS = 08-sim-subtree_checks.$(OBJEXT) +08_sim_subtree_checks_LDADD = $(LDADD) +08_sim_subtree_checks_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +09_sim_syscall_priority_pre_SOURCES = 09-sim-syscall_priority_pre.c +09_sim_syscall_priority_pre_OBJECTS = \ + 09-sim-syscall_priority_pre.$(OBJEXT) +09_sim_syscall_priority_pre_LDADD = $(LDADD) +09_sim_syscall_priority_pre_DEPENDENCIES = util.la \ + ../src/libseccomp.la $(am__DEPENDENCIES_1) +10_sim_syscall_priority_post_SOURCES = 10-sim-syscall_priority_post.c +10_sim_syscall_priority_post_OBJECTS = \ + 10-sim-syscall_priority_post.$(OBJEXT) +10_sim_syscall_priority_post_LDADD = $(LDADD) +10_sim_syscall_priority_post_DEPENDENCIES = util.la \ + ../src/libseccomp.la $(am__DEPENDENCIES_1) +11_basic_basic_errors_SOURCES = 11-basic-basic_errors.c +11_basic_basic_errors_OBJECTS = 11-basic-basic_errors.$(OBJEXT) +11_basic_basic_errors_LDADD = $(LDADD) +11_basic_basic_errors_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +12_sim_basic_masked_ops_SOURCES = 12-sim-basic_masked_ops.c +12_sim_basic_masked_ops_OBJECTS = 12-sim-basic_masked_ops.$(OBJEXT) +12_sim_basic_masked_ops_LDADD = $(LDADD) +12_sim_basic_masked_ops_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +13_basic_attrs_SOURCES = 13-basic-attrs.c 
+13_basic_attrs_OBJECTS = 13-basic-attrs.$(OBJEXT) +13_basic_attrs_LDADD = $(LDADD) +13_basic_attrs_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +14_sim_reset_SOURCES = 14-sim-reset.c +14_sim_reset_OBJECTS = 14-sim-reset.$(OBJEXT) +14_sim_reset_LDADD = $(LDADD) +14_sim_reset_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +15_basic_resolver_SOURCES = 15-basic-resolver.c +15_basic_resolver_OBJECTS = 15-basic-resolver.$(OBJEXT) +15_basic_resolver_LDADD = $(LDADD) +15_basic_resolver_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +16_sim_arch_basic_SOURCES = 16-sim-arch_basic.c +16_sim_arch_basic_OBJECTS = 16-sim-arch_basic.$(OBJEXT) +16_sim_arch_basic_LDADD = $(LDADD) +16_sim_arch_basic_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +17_sim_arch_merge_SOURCES = 17-sim-arch_merge.c +17_sim_arch_merge_OBJECTS = 17-sim-arch_merge.$(OBJEXT) +17_sim_arch_merge_LDADD = $(LDADD) +17_sim_arch_merge_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +18_sim_basic_allowlist_SOURCES = 18-sim-basic_allowlist.c +18_sim_basic_allowlist_OBJECTS = 18-sim-basic_allowlist.$(OBJEXT) +18_sim_basic_allowlist_LDADD = $(LDADD) +18_sim_basic_allowlist_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +19_sim_missing_syscalls_SOURCES = 19-sim-missing_syscalls.c +19_sim_missing_syscalls_OBJECTS = 19-sim-missing_syscalls.$(OBJEXT) +19_sim_missing_syscalls_LDADD = $(LDADD) +19_sim_missing_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +20_live_basic_die_SOURCES = 20-live-basic_die.c +20_live_basic_die_OBJECTS = 20-live-basic_die.$(OBJEXT) +20_live_basic_die_LDADD = $(LDADD) +20_live_basic_die_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +21_live_basic_allow_SOURCES = 21-live-basic_allow.c +21_live_basic_allow_OBJECTS = 21-live-basic_allow.$(OBJEXT) +21_live_basic_allow_LDADD = $(LDADD) 
+21_live_basic_allow_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +22_sim_basic_chains_array_SOURCES = 22-sim-basic_chains_array.c +22_sim_basic_chains_array_OBJECTS = \ + 22-sim-basic_chains_array.$(OBJEXT) +22_sim_basic_chains_array_LDADD = $(LDADD) +22_sim_basic_chains_array_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +23_sim_arch_all_le_basic_SOURCES = 23-sim-arch_all_le_basic.c +23_sim_arch_all_le_basic_OBJECTS = 23-sim-arch_all_le_basic.$(OBJEXT) +23_sim_arch_all_le_basic_LDADD = $(LDADD) +23_sim_arch_all_le_basic_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +24_live_arg_allow_SOURCES = 24-live-arg_allow.c +24_live_arg_allow_OBJECTS = 24-live-arg_allow.$(OBJEXT) +24_live_arg_allow_LDADD = $(LDADD) +24_live_arg_allow_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +25_sim_multilevel_chains_adv_SOURCES = 25-sim-multilevel_chains_adv.c +25_sim_multilevel_chains_adv_OBJECTS = \ + 25-sim-multilevel_chains_adv.$(OBJEXT) +25_sim_multilevel_chains_adv_LDADD = $(LDADD) +25_sim_multilevel_chains_adv_DEPENDENCIES = util.la \ + ../src/libseccomp.la $(am__DEPENDENCIES_1) +26_sim_arch_all_be_basic_SOURCES = 26-sim-arch_all_be_basic.c +26_sim_arch_all_be_basic_OBJECTS = 26-sim-arch_all_be_basic.$(OBJEXT) +26_sim_arch_all_be_basic_LDADD = $(LDADD) +26_sim_arch_all_be_basic_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +27_sim_bpf_blk_state_SOURCES = 27-sim-bpf_blk_state.c +27_sim_bpf_blk_state_OBJECTS = 27-sim-bpf_blk_state.$(OBJEXT) +27_sim_bpf_blk_state_LDADD = $(LDADD) +27_sim_bpf_blk_state_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +28_sim_arch_x86_SOURCES = 28-sim-arch_x86.c +28_sim_arch_x86_OBJECTS = 28-sim-arch_x86.$(OBJEXT) +28_sim_arch_x86_LDADD = $(LDADD) +28_sim_arch_x86_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +29_sim_pseudo_syscall_SOURCES = 29-sim-pseudo_syscall.c 
+29_sim_pseudo_syscall_OBJECTS = 29-sim-pseudo_syscall.$(OBJEXT) +29_sim_pseudo_syscall_LDADD = $(LDADD) +29_sim_pseudo_syscall_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +30_sim_socket_syscalls_SOURCES = 30-sim-socket_syscalls.c +30_sim_socket_syscalls_OBJECTS = 30-sim-socket_syscalls.$(OBJEXT) +30_sim_socket_syscalls_LDADD = $(LDADD) +30_sim_socket_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +31_basic_version_check_SOURCES = 31-basic-version_check.c +31_basic_version_check_OBJECTS = 31-basic-version_check.$(OBJEXT) +31_basic_version_check_LDADD = $(LDADD) +31_basic_version_check_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +32_live_tsync_allow_SOURCES = 32-live-tsync_allow.c +32_live_tsync_allow_OBJECTS = 32-live-tsync_allow.$(OBJEXT) +32_live_tsync_allow_LDADD = $(LDADD) +32_live_tsync_allow_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +33_sim_socket_syscalls_be_SOURCES = 33-sim-socket_syscalls_be.c +33_sim_socket_syscalls_be_OBJECTS = \ + 33-sim-socket_syscalls_be.$(OBJEXT) +33_sim_socket_syscalls_be_LDADD = $(LDADD) +33_sim_socket_syscalls_be_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +34_sim_basic_denylist_SOURCES = 34-sim-basic_denylist.c +34_sim_basic_denylist_OBJECTS = 34-sim-basic_denylist.$(OBJEXT) +34_sim_basic_denylist_LDADD = $(LDADD) +34_sim_basic_denylist_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +35_sim_negative_one_SOURCES = 35-sim-negative_one.c +35_sim_negative_one_OBJECTS = 35-sim-negative_one.$(OBJEXT) +35_sim_negative_one_LDADD = $(LDADD) +35_sim_negative_one_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +36_sim_ipc_syscalls_SOURCES = 36-sim-ipc_syscalls.c +36_sim_ipc_syscalls_OBJECTS = 36-sim-ipc_syscalls.$(OBJEXT) +36_sim_ipc_syscalls_LDADD = $(LDADD) +36_sim_ipc_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) 
+37_sim_ipc_syscalls_be_SOURCES = 37-sim-ipc_syscalls_be.c +37_sim_ipc_syscalls_be_OBJECTS = 37-sim-ipc_syscalls_be.$(OBJEXT) +37_sim_ipc_syscalls_be_LDADD = $(LDADD) +37_sim_ipc_syscalls_be_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +38_basic_pfc_coverage_SOURCES = 38-basic-pfc_coverage.c +38_basic_pfc_coverage_OBJECTS = 38-basic-pfc_coverage.$(OBJEXT) +38_basic_pfc_coverage_LDADD = $(LDADD) +38_basic_pfc_coverage_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +39_basic_api_level_SOURCES = 39-basic-api_level.c +39_basic_api_level_OBJECTS = 39-basic-api_level.$(OBJEXT) +39_basic_api_level_LDADD = $(LDADD) +39_basic_api_level_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +40_sim_log_SOURCES = 40-sim-log.c +40_sim_log_OBJECTS = 40-sim-log.$(OBJEXT) +40_sim_log_LDADD = $(LDADD) +40_sim_log_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +41_sim_syscall_priority_arch_SOURCES = 41-sim-syscall_priority_arch.c +41_sim_syscall_priority_arch_OBJECTS = \ + 41-sim-syscall_priority_arch.$(OBJEXT) +41_sim_syscall_priority_arch_LDADD = $(LDADD) +41_sim_syscall_priority_arch_DEPENDENCIES = util.la \ + ../src/libseccomp.la $(am__DEPENDENCIES_1) +42_sim_adv_chains_SOURCES = 42-sim-adv_chains.c +42_sim_adv_chains_OBJECTS = 42-sim-adv_chains.$(OBJEXT) +42_sim_adv_chains_LDADD = $(LDADD) +42_sim_adv_chains_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +43_sim_a2_order_SOURCES = 43-sim-a2_order.c +43_sim_a2_order_OBJECTS = 43-sim-a2_order.$(OBJEXT) +43_sim_a2_order_LDADD = $(LDADD) +43_sim_a2_order_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +44_live_a2_order_SOURCES = 44-live-a2_order.c +44_live_a2_order_OBJECTS = 44-live-a2_order.$(OBJEXT) +44_live_a2_order_LDADD = $(LDADD) +44_live_a2_order_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +45_sim_chain_code_coverage_SOURCES = 45-sim-chain_code_coverage.c 
+45_sim_chain_code_coverage_OBJECTS = \ + 45-sim-chain_code_coverage.$(OBJEXT) +45_sim_chain_code_coverage_LDADD = $(LDADD) +45_sim_chain_code_coverage_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +46_sim_kill_process_SOURCES = 46-sim-kill_process.c +46_sim_kill_process_OBJECTS = 46-sim-kill_process.$(OBJEXT) +46_sim_kill_process_LDADD = $(LDADD) +46_sim_kill_process_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +47_live_kill_process_SOURCES = 47-live-kill_process.c +47_live_kill_process_OBJECTS = 47-live-kill_process.$(OBJEXT) +47_live_kill_process_LDADD = $(LDADD) +47_live_kill_process_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +48_sim_32b_args_SOURCES = 48-sim-32b_args.c +48_sim_32b_args_OBJECTS = 48-sim-32b_args.$(OBJEXT) +48_sim_32b_args_LDADD = $(LDADD) +48_sim_32b_args_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +49_sim_64b_comparisons_SOURCES = 49-sim-64b_comparisons.c +49_sim_64b_comparisons_OBJECTS = 49-sim-64b_comparisons.$(OBJEXT) +49_sim_64b_comparisons_LDADD = $(LDADD) +49_sim_64b_comparisons_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +50_sim_hash_collision_SOURCES = 50-sim-hash_collision.c +50_sim_hash_collision_OBJECTS = 50-sim-hash_collision.$(OBJEXT) +50_sim_hash_collision_LDADD = $(LDADD) +50_sim_hash_collision_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +51_live_user_notification_SOURCES = 51-live-user_notification.c +51_live_user_notification_OBJECTS = \ + 51-live-user_notification.$(OBJEXT) +51_live_user_notification_LDADD = $(LDADD) +51_live_user_notification_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +52_basic_load_SOURCES = 52-basic-load.c +52_basic_load_OBJECTS = 52-basic-load.$(OBJEXT) +52_basic_load_LDADD = $(LDADD) +52_basic_load_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +53_sim_binary_tree_SOURCES = 53-sim-binary_tree.c 
+53_sim_binary_tree_OBJECTS = 53-sim-binary_tree.$(OBJEXT) +53_sim_binary_tree_LDADD = $(LDADD) +53_sim_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +54_live_binary_tree_SOURCES = 54-live-binary_tree.c +54_live_binary_tree_OBJECTS = 54-live-binary_tree.$(OBJEXT) +54_live_binary_tree_LDADD = $(LDADD) +54_live_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +55_basic_pfc_binary_tree_SOURCES = 55-basic-pfc_binary_tree.c +55_basic_pfc_binary_tree_OBJECTS = 55-basic-pfc_binary_tree.$(OBJEXT) +55_basic_pfc_binary_tree_LDADD = $(LDADD) +55_basic_pfc_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +56_basic_iterate_syscalls_SOURCES = 56-basic-iterate_syscalls.c +56_basic_iterate_syscalls_OBJECTS = \ + 56-basic-iterate_syscalls.$(OBJEXT) +56_basic_iterate_syscalls_LDADD = $(LDADD) +56_basic_iterate_syscalls_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +57_basic_rawsysrc_SOURCES = 57-basic-rawsysrc.c +57_basic_rawsysrc_OBJECTS = 57-basic-rawsysrc.$(OBJEXT) +57_basic_rawsysrc_LDADD = $(LDADD) +57_basic_rawsysrc_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +58_live_tsync_notify_SOURCES = 58-live-tsync_notify.c +58_live_tsync_notify_OBJECTS = 58-live-tsync_notify.$(OBJEXT) +58_live_tsync_notify_LDADD = $(LDADD) +58_live_tsync_notify_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +59_basic_empty_binary_tree_SOURCES = 59-basic-empty_binary_tree.c +59_basic_empty_binary_tree_OBJECTS = \ + 59-basic-empty_binary_tree.$(OBJEXT) +59_basic_empty_binary_tree_LDADD = $(LDADD) +59_basic_empty_binary_tree_DEPENDENCIES = util.la ../src/libseccomp.la \ + $(am__DEPENDENCIES_1) +miniseq_SOURCES = miniseq.c +miniseq_OBJECTS = miniseq.$(OBJEXT) +miniseq_DEPENDENCIES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = 
$(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/00-test.Po \ + ./$(DEPDIR)/01-sim-allow.Po ./$(DEPDIR)/02-sim-basic.Po \ + ./$(DEPDIR)/03-sim-basic_chains.Po \ + ./$(DEPDIR)/04-sim-multilevel_chains.Po \ + ./$(DEPDIR)/05-sim-long_jumps.Po ./$(DEPDIR)/06-sim-actions.Po \ + ./$(DEPDIR)/07-sim-db_bug_looping.Po \ + ./$(DEPDIR)/08-sim-subtree_checks.Po \ + ./$(DEPDIR)/09-sim-syscall_priority_pre.Po \ + ./$(DEPDIR)/10-sim-syscall_priority_post.Po \ + ./$(DEPDIR)/11-basic-basic_errors.Po \ + ./$(DEPDIR)/12-sim-basic_masked_ops.Po \ + ./$(DEPDIR)/13-basic-attrs.Po ./$(DEPDIR)/14-sim-reset.Po \ + ./$(DEPDIR)/15-basic-resolver.Po \ + ./$(DEPDIR)/16-sim-arch_basic.Po \ + ./$(DEPDIR)/17-sim-arch_merge.Po \ + ./$(DEPDIR)/18-sim-basic_allowlist.Po \ + ./$(DEPDIR)/19-sim-missing_syscalls.Po \ + ./$(DEPDIR)/20-live-basic_die.Po \ + ./$(DEPDIR)/21-live-basic_allow.Po \ + ./$(DEPDIR)/22-sim-basic_chains_array.Po \ + ./$(DEPDIR)/23-sim-arch_all_le_basic.Po \ + ./$(DEPDIR)/24-live-arg_allow.Po \ + ./$(DEPDIR)/25-sim-multilevel_chains_adv.Po \ + ./$(DEPDIR)/26-sim-arch_all_be_basic.Po \ + ./$(DEPDIR)/27-sim-bpf_blk_state.Po \ + ./$(DEPDIR)/28-sim-arch_x86.Po \ + ./$(DEPDIR)/29-sim-pseudo_syscall.Po \ + ./$(DEPDIR)/30-sim-socket_syscalls.Po \ + ./$(DEPDIR)/31-basic-version_check.Po \ + ./$(DEPDIR)/32-live-tsync_allow.Po \ + ./$(DEPDIR)/33-sim-socket_syscalls_be.Po \ + ./$(DEPDIR)/34-sim-basic_denylist.Po \ + ./$(DEPDIR)/35-sim-negative_one.Po \ + ./$(DEPDIR)/36-sim-ipc_syscalls.Po \ + ./$(DEPDIR)/37-sim-ipc_syscalls_be.Po \ + ./$(DEPDIR)/38-basic-pfc_coverage.Po \ + ./$(DEPDIR)/39-basic-api_level.Po ./$(DEPDIR)/40-sim-log.Po \ + ./$(DEPDIR)/41-sim-syscall_priority_arch.Po \ + 
./$(DEPDIR)/42-sim-adv_chains.Po \ + ./$(DEPDIR)/43-sim-a2_order.Po ./$(DEPDIR)/44-live-a2_order.Po \ + ./$(DEPDIR)/45-sim-chain_code_coverage.Po \ + ./$(DEPDIR)/46-sim-kill_process.Po \ + ./$(DEPDIR)/47-live-kill_process.Po \ + ./$(DEPDIR)/48-sim-32b_args.Po \ + ./$(DEPDIR)/49-sim-64b_comparisons.Po \ + ./$(DEPDIR)/50-sim-hash_collision.Po \ + ./$(DEPDIR)/51-live-user_notification.Po \ + ./$(DEPDIR)/52-basic-load.Po ./$(DEPDIR)/53-sim-binary_tree.Po \ + ./$(DEPDIR)/54-live-binary_tree.Po \ + ./$(DEPDIR)/55-basic-pfc_binary_tree.Po \ + ./$(DEPDIR)/56-basic-iterate_syscalls.Po \ + ./$(DEPDIR)/57-basic-rawsysrc.Po \ + ./$(DEPDIR)/58-live-tsync_notify.Po \ + ./$(DEPDIR)/59-basic-empty_binary_tree.Po \ + ./$(DEPDIR)/miniseq.Po ./$(DEPDIR)/util.Plo +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(util_la_SOURCES) $(nodist_00_test_SOURCES) 01-sim-allow.c \ + 02-sim-basic.c 03-sim-basic_chains.c \ + 04-sim-multilevel_chains.c 05-sim-long_jumps.c \ + 06-sim-actions.c 07-sim-db_bug_looping.c \ + 08-sim-subtree_checks.c 09-sim-syscall_priority_pre.c \ + 10-sim-syscall_priority_post.c 11-basic-basic_errors.c \ + 12-sim-basic_masked_ops.c 13-basic-attrs.c 14-sim-reset.c \ + 15-basic-resolver.c 16-sim-arch_basic.c 17-sim-arch_merge.c \ + 18-sim-basic_allowlist.c 
19-sim-missing_syscalls.c \ + 20-live-basic_die.c 21-live-basic_allow.c \ + 22-sim-basic_chains_array.c 23-sim-arch_all_le_basic.c \ + 24-live-arg_allow.c 25-sim-multilevel_chains_adv.c \ + 26-sim-arch_all_be_basic.c 27-sim-bpf_blk_state.c \ + 28-sim-arch_x86.c 29-sim-pseudo_syscall.c \ + 30-sim-socket_syscalls.c 31-basic-version_check.c \ + 32-live-tsync_allow.c 33-sim-socket_syscalls_be.c \ + 34-sim-basic_denylist.c 35-sim-negative_one.c \ + 36-sim-ipc_syscalls.c 37-sim-ipc_syscalls_be.c \ + 38-basic-pfc_coverage.c 39-basic-api_level.c 40-sim-log.c \ + 41-sim-syscall_priority_arch.c 42-sim-adv_chains.c \ + 43-sim-a2_order.c 44-live-a2_order.c \ + 45-sim-chain_code_coverage.c 46-sim-kill_process.c \ + 47-live-kill_process.c 48-sim-32b_args.c \ + 49-sim-64b_comparisons.c 50-sim-hash_collision.c \ + 51-live-user_notification.c 52-basic-load.c \ + 53-sim-binary_tree.c 54-live-binary_tree.c \ + 55-basic-pfc_binary_tree.c 56-basic-iterate_syscalls.c \ + 57-basic-rawsysrc.c 58-live-tsync_notify.c \ + 59-basic-empty_binary_tree.c miniseq.c +DIST_SOURCES = $(util_la_SOURCES) 01-sim-allow.c 02-sim-basic.c \ + 03-sim-basic_chains.c 04-sim-multilevel_chains.c \ + 05-sim-long_jumps.c 06-sim-actions.c 07-sim-db_bug_looping.c \ + 08-sim-subtree_checks.c 09-sim-syscall_priority_pre.c \ + 10-sim-syscall_priority_post.c 11-basic-basic_errors.c \ + 12-sim-basic_masked_ops.c 13-basic-attrs.c 14-sim-reset.c \ + 15-basic-resolver.c 16-sim-arch_basic.c 17-sim-arch_merge.c \ + 18-sim-basic_allowlist.c 19-sim-missing_syscalls.c \ + 20-live-basic_die.c 21-live-basic_allow.c \ + 22-sim-basic_chains_array.c 23-sim-arch_all_le_basic.c \ + 24-live-arg_allow.c 25-sim-multilevel_chains_adv.c \ + 26-sim-arch_all_be_basic.c 27-sim-bpf_blk_state.c \ + 28-sim-arch_x86.c 29-sim-pseudo_syscall.c \ + 30-sim-socket_syscalls.c 31-basic-version_check.c \ + 32-live-tsync_allow.c 33-sim-socket_syscalls_be.c \ + 34-sim-basic_denylist.c 35-sim-negative_one.c \ + 36-sim-ipc_syscalls.c 37-sim-ipc_syscalls_be.c 
\ + 38-basic-pfc_coverage.c 39-basic-api_level.c 40-sim-log.c \ + 41-sim-syscall_priority_arch.c 42-sim-adv_chains.c \ + 43-sim-a2_order.c 44-live-a2_order.c \ + 45-sim-chain_code_coverage.c 46-sim-kill_process.c \ + 47-live-kill_process.c 48-sim-32b_args.c \ + 49-sim-64b_comparisons.c 50-sim-hash_collision.c \ + 51-live-user_notification.c 52-basic-load.c \ + 53-sim-binary_tree.c 54-live-binary_tree.c \ + 55-basic-pfc_binary_tree.c 56-basic-iterate_syscalls.c \ + 57-basic-rawsysrc.c 58-live-tsync_notify.c \ + 59-basic-empty_binary_tree.c miniseq.c +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='[0;31m'; \ + grn='[0;32m'; \ + lgn='[1;32m'; \ + blu='[1;34m'; \ + mgn='[0;35m'; \ + brg='[1m'; \ + std='[m'; \ + fi; \ +} +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_CFLAGS = @AM_CFLAGS@ +AM_CPPFLAGS = @AM_CPPFLAGS@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AM_LDFLAGS = ${DBG_STATIC} -lpthread +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CODE_COVERAGE_CFLAGS = @CODE_COVERAGE_CFLAGS@ +CODE_COVERAGE_CPPFLAGS = @CODE_COVERAGE_CPPFLAGS@ +CODE_COVERAGE_CXXFLAGS = @CODE_COVERAGE_CXXFLAGS@ +CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@ +CODE_COVERAGE_LDFLAGS = @CODE_COVERAGE_LDFLAGS@ +CODE_COVERAGE_LIBS = @CODE_COVERAGE_LIBS@ +CPPFLAGS = @CPPFLAGS@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +ETAGS = @ETAGS@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FILECMD = @FILECMD@ +GCOV = @GCOV@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = 
@INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +VERSION_MAJOR = @VERSION_MAJOR@ +VERSION_MICRO = @VERSION_MICRO@ +VERSION_MINOR = @VERSION_MINOR@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cython = @cython@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +have_coverity = @have_coverity@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = 
@infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +@CODE_COVERAGE_ENABLED_FALSE@DBG_STATIC = -static +@CODE_COVERAGE_ENABLED_TRUE@DBG_STATIC = +LDADD = util.la ../src/libseccomp.la ${CODE_COVERAGE_LIBS} +check_LTLIBRARIES = util.la +util_la_SOURCES = util.c util.h +util_la_LDFLAGS = -module +miniseq_LDADD = +TESTS = regression +EXTRA_DIST_TESTPYTHON = \ + util.py \ + 01-sim-allow.py \ + 02-sim-basic.py \ + 03-sim-basic_chains.py \ + 04-sim-multilevel_chains.py \ + 05-sim-long_jumps.py \ + 06-sim-actions.py \ + 07-sim-db_bug_looping.py \ + 08-sim-subtree_checks.py \ + 09-sim-syscall_priority_pre.py \ + 10-sim-syscall_priority_post.py \ + 11-basic-basic_errors.py \ + 12-sim-basic_masked_ops.py \ + 13-basic-attrs.py \ + 14-sim-reset.py \ + 15-basic-resolver.py \ + 16-sim-arch_basic.py \ + 17-sim-arch_merge.py \ + 18-sim-basic_allowlist.py \ + 19-sim-missing_syscalls.py \ + 20-live-basic_die.py \ + 21-live-basic_allow.py \ + 22-sim-basic_chains_array.py \ + 23-sim-arch_all_le_basic.py \ + 24-live-arg_allow.py \ + 25-sim-multilevel_chains_adv.py \ + 26-sim-arch_all_be_basic.py \ + 27-sim-bpf_blk_state.py \ + 28-sim-arch_x86.py \ + 29-sim-pseudo_syscall.py \ + 30-sim-socket_syscalls.py \ + 31-basic-version_check.py \ + 32-live-tsync_allow.py \ + 33-sim-socket_syscalls_be.py \ + 34-sim-basic_denylist.py \ + 35-sim-negative_one.py \ + 
36-sim-ipc_syscalls.py \ + 37-sim-ipc_syscalls_be.py \ + 39-basic-api_level.py \ + 40-sim-log.py \ + 41-sim-syscall_priority_arch.py \ + 42-sim-adv_chains.py \ + 43-sim-a2_order.py \ + 44-live-a2_order.py \ + 45-sim-chain_code_coverage.py \ + 46-sim-kill_process.py \ + 47-live-kill_process.py \ + 48-sim-32b_args.py \ + 49-sim-64b_comparisons.py \ + 50-sim-hash_collision.py \ + 51-live-user_notification.py \ + 52-basic-load.py \ + 53-sim-binary_tree.py \ + 54-live-binary_tree.py \ + 56-basic-iterate_syscalls.py \ + 57-basic-rawsysrc.py \ + 58-live-tsync_notify.py \ + 59-basic-empty_binary_tree.py + +EXTRA_DIST_TESTCFGS = \ + 01-sim-allow.tests \ + 02-sim-basic.tests \ + 03-sim-basic_chains.tests \ + 04-sim-multilevel_chains.tests \ + 05-sim-long_jumps.tests \ + 06-sim-actions.tests \ + 07-sim-db_bug_looping.tests \ + 08-sim-subtree_checks.tests \ + 09-sim-syscall_priority_pre.tests \ + 10-sim-syscall_priority_post.tests \ + 11-basic-basic_errors.tests \ + 12-sim-basic_masked_ops.tests \ + 13-basic-attrs.tests \ + 14-sim-reset.tests \ + 15-basic-resolver.tests \ + 16-sim-arch_basic.tests \ + 17-sim-arch_merge.tests \ + 18-sim-basic_allowlist.tests \ + 19-sim-missing_syscalls.tests \ + 20-live-basic_die.tests \ + 21-live-basic_allow.tests \ + 22-sim-basic_chains_array.tests \ + 23-sim-arch_all_le_basic.tests \ + 24-live-arg_allow.tests \ + 25-sim-multilevel_chains_adv.tests \ + 26-sim-arch_all_be_basic.tests \ + 27-sim-bpf_blk_state.tests \ + 28-sim-arch_x86.tests \ + 29-sim-pseudo_syscall.tests \ + 30-sim-socket_syscalls.tests \ + 31-basic-version_check.tests \ + 32-live-tsync_allow.tests \ + 33-sim-socket_syscalls_be.tests \ + 34-sim-basic_denylist.tests \ + 35-sim-negative_one.tests \ + 36-sim-ipc_syscalls.tests \ + 37-sim-ipc_syscalls_be.tests \ + 38-basic-pfc_coverage.tests \ + 39-basic-api_level.tests \ + 40-sim-log.tests \ + 41-sim-syscall_priority_arch.tests \ + 42-sim-adv_chains.tests \ + 43-sim-a2_order.tests \ + 44-live-a2_order.tests \ + 
45-sim-chain_code_coverage.tests \ + 46-sim-kill_process.tests \ + 47-live-kill_process.tests \ + 48-sim-32b_args.tests \ + 49-sim-64b_comparisons.tests \ + 50-sim-hash_collision.tests \ + 51-live-user_notification.tests \ + 52-basic-load.tests \ + 53-sim-binary_tree.tests \ + 54-live-binary_tree.tests \ + 55-basic-pfc_binary_tree.tests \ + 56-basic-iterate_syscalls.tests \ + 57-basic-rawsysrc.tests \ + 58-live-tsync_notify.tests \ + 59-basic-empty_binary_tree.tests + +EXTRA_DIST_TESTSCRIPTS = \ + 38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \ + 55-basic-pfc_binary_tree.sh 55-basic-pfc_binary_tree.pfc + +EXTRA_DIST_TESTTOOLS = regression testdiff testgen +EXTRA_DIST_TESTVALGRIND = valgrind_test.supp +EXTRA_DIST = \ + ${EXTRA_DIST_TESTCFGS} \ + ${EXTRA_DIST_TESTPYTHON} \ + ${EXTRA_DIST_TESTSCRIPTS} \ + ${EXTRA_DIST_TESTTOOLS} \ + ${EXTRA_DIST_TESTVALGRIND} + +nodist_00_test_SOURCES = 00-test.c +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign tests/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +clean-checkLTLIBRARIES: + -test -z "$(check_LTLIBRARIES)" || rm -f $(check_LTLIBRARIES) + @list='$(check_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +util.la: $(util_la_OBJECTS) $(util_la_DEPENDENCIES) $(EXTRA_util_la_DEPENDENCIES) + $(AM_V_CCLD)$(util_la_LINK) $(util_la_OBJECTS) $(util_la_LIBADD) $(LIBS) + +00-test$(EXEEXT): $(00_test_OBJECTS) $(00_test_DEPENDENCIES) $(EXTRA_00_test_DEPENDENCIES) + @rm -f 00-test$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(00_test_OBJECTS) $(00_test_LDADD) $(LIBS) + +01-sim-allow$(EXEEXT): $(01_sim_allow_OBJECTS) $(01_sim_allow_DEPENDENCIES) $(EXTRA_01_sim_allow_DEPENDENCIES) + @rm -f 01-sim-allow$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(01_sim_allow_OBJECTS) $(01_sim_allow_LDADD) $(LIBS) + +02-sim-basic$(EXEEXT): $(02_sim_basic_OBJECTS) $(02_sim_basic_DEPENDENCIES) $(EXTRA_02_sim_basic_DEPENDENCIES) + @rm -f 
02-sim-basic$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(02_sim_basic_OBJECTS) $(02_sim_basic_LDADD) $(LIBS) + +03-sim-basic_chains$(EXEEXT): $(03_sim_basic_chains_OBJECTS) $(03_sim_basic_chains_DEPENDENCIES) $(EXTRA_03_sim_basic_chains_DEPENDENCIES) + @rm -f 03-sim-basic_chains$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(03_sim_basic_chains_OBJECTS) $(03_sim_basic_chains_LDADD) $(LIBS) + +04-sim-multilevel_chains$(EXEEXT): $(04_sim_multilevel_chains_OBJECTS) $(04_sim_multilevel_chains_DEPENDENCIES) $(EXTRA_04_sim_multilevel_chains_DEPENDENCIES) + @rm -f 04-sim-multilevel_chains$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(04_sim_multilevel_chains_OBJECTS) $(04_sim_multilevel_chains_LDADD) $(LIBS) + +05-sim-long_jumps$(EXEEXT): $(05_sim_long_jumps_OBJECTS) $(05_sim_long_jumps_DEPENDENCIES) $(EXTRA_05_sim_long_jumps_DEPENDENCIES) + @rm -f 05-sim-long_jumps$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(05_sim_long_jumps_OBJECTS) $(05_sim_long_jumps_LDADD) $(LIBS) + +06-sim-actions$(EXEEXT): $(06_sim_actions_OBJECTS) $(06_sim_actions_DEPENDENCIES) $(EXTRA_06_sim_actions_DEPENDENCIES) + @rm -f 06-sim-actions$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(06_sim_actions_OBJECTS) $(06_sim_actions_LDADD) $(LIBS) + +07-sim-db_bug_looping$(EXEEXT): $(07_sim_db_bug_looping_OBJECTS) $(07_sim_db_bug_looping_DEPENDENCIES) $(EXTRA_07_sim_db_bug_looping_DEPENDENCIES) + @rm -f 07-sim-db_bug_looping$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(07_sim_db_bug_looping_OBJECTS) $(07_sim_db_bug_looping_LDADD) $(LIBS) + +08-sim-subtree_checks$(EXEEXT): $(08_sim_subtree_checks_OBJECTS) $(08_sim_subtree_checks_DEPENDENCIES) $(EXTRA_08_sim_subtree_checks_DEPENDENCIES) + @rm -f 08-sim-subtree_checks$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(08_sim_subtree_checks_OBJECTS) $(08_sim_subtree_checks_LDADD) $(LIBS) + +09-sim-syscall_priority_pre$(EXEEXT): $(09_sim_syscall_priority_pre_OBJECTS) $(09_sim_syscall_priority_pre_DEPENDENCIES) $(EXTRA_09_sim_syscall_priority_pre_DEPENDENCIES) + @rm -f 09-sim-syscall_priority_pre$(EXEEXT) + $(AM_V_CCLD)$(LINK) 
$(09_sim_syscall_priority_pre_OBJECTS) $(09_sim_syscall_priority_pre_LDADD) $(LIBS) + +10-sim-syscall_priority_post$(EXEEXT): $(10_sim_syscall_priority_post_OBJECTS) $(10_sim_syscall_priority_post_DEPENDENCIES) $(EXTRA_10_sim_syscall_priority_post_DEPENDENCIES) + @rm -f 10-sim-syscall_priority_post$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(10_sim_syscall_priority_post_OBJECTS) $(10_sim_syscall_priority_post_LDADD) $(LIBS) + +11-basic-basic_errors$(EXEEXT): $(11_basic_basic_errors_OBJECTS) $(11_basic_basic_errors_DEPENDENCIES) $(EXTRA_11_basic_basic_errors_DEPENDENCIES) + @rm -f 11-basic-basic_errors$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(11_basic_basic_errors_OBJECTS) $(11_basic_basic_errors_LDADD) $(LIBS) + +12-sim-basic_masked_ops$(EXEEXT): $(12_sim_basic_masked_ops_OBJECTS) $(12_sim_basic_masked_ops_DEPENDENCIES) $(EXTRA_12_sim_basic_masked_ops_DEPENDENCIES) + @rm -f 12-sim-basic_masked_ops$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(12_sim_basic_masked_ops_OBJECTS) $(12_sim_basic_masked_ops_LDADD) $(LIBS) + +13-basic-attrs$(EXEEXT): $(13_basic_attrs_OBJECTS) $(13_basic_attrs_DEPENDENCIES) $(EXTRA_13_basic_attrs_DEPENDENCIES) + @rm -f 13-basic-attrs$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(13_basic_attrs_OBJECTS) $(13_basic_attrs_LDADD) $(LIBS) + +14-sim-reset$(EXEEXT): $(14_sim_reset_OBJECTS) $(14_sim_reset_DEPENDENCIES) $(EXTRA_14_sim_reset_DEPENDENCIES) + @rm -f 14-sim-reset$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(14_sim_reset_OBJECTS) $(14_sim_reset_LDADD) $(LIBS) + +15-basic-resolver$(EXEEXT): $(15_basic_resolver_OBJECTS) $(15_basic_resolver_DEPENDENCIES) $(EXTRA_15_basic_resolver_DEPENDENCIES) + @rm -f 15-basic-resolver$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(15_basic_resolver_OBJECTS) $(15_basic_resolver_LDADD) $(LIBS) + +16-sim-arch_basic$(EXEEXT): $(16_sim_arch_basic_OBJECTS) $(16_sim_arch_basic_DEPENDENCIES) $(EXTRA_16_sim_arch_basic_DEPENDENCIES) + @rm -f 16-sim-arch_basic$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(16_sim_arch_basic_OBJECTS) $(16_sim_arch_basic_LDADD) $(LIBS) + +17-sim-arch_merge$(EXEEXT): 
$(17_sim_arch_merge_OBJECTS) $(17_sim_arch_merge_DEPENDENCIES) $(EXTRA_17_sim_arch_merge_DEPENDENCIES) + @rm -f 17-sim-arch_merge$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(17_sim_arch_merge_OBJECTS) $(17_sim_arch_merge_LDADD) $(LIBS) + +18-sim-basic_allowlist$(EXEEXT): $(18_sim_basic_allowlist_OBJECTS) $(18_sim_basic_allowlist_DEPENDENCIES) $(EXTRA_18_sim_basic_allowlist_DEPENDENCIES) + @rm -f 18-sim-basic_allowlist$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(18_sim_basic_allowlist_OBJECTS) $(18_sim_basic_allowlist_LDADD) $(LIBS) + +19-sim-missing_syscalls$(EXEEXT): $(19_sim_missing_syscalls_OBJECTS) $(19_sim_missing_syscalls_DEPENDENCIES) $(EXTRA_19_sim_missing_syscalls_DEPENDENCIES) + @rm -f 19-sim-missing_syscalls$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(19_sim_missing_syscalls_OBJECTS) $(19_sim_missing_syscalls_LDADD) $(LIBS) + +20-live-basic_die$(EXEEXT): $(20_live_basic_die_OBJECTS) $(20_live_basic_die_DEPENDENCIES) $(EXTRA_20_live_basic_die_DEPENDENCIES) + @rm -f 20-live-basic_die$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(20_live_basic_die_OBJECTS) $(20_live_basic_die_LDADD) $(LIBS) + +21-live-basic_allow$(EXEEXT): $(21_live_basic_allow_OBJECTS) $(21_live_basic_allow_DEPENDENCIES) $(EXTRA_21_live_basic_allow_DEPENDENCIES) + @rm -f 21-live-basic_allow$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(21_live_basic_allow_OBJECTS) $(21_live_basic_allow_LDADD) $(LIBS) + +22-sim-basic_chains_array$(EXEEXT): $(22_sim_basic_chains_array_OBJECTS) $(22_sim_basic_chains_array_DEPENDENCIES) $(EXTRA_22_sim_basic_chains_array_DEPENDENCIES) + @rm -f 22-sim-basic_chains_array$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(22_sim_basic_chains_array_OBJECTS) $(22_sim_basic_chains_array_LDADD) $(LIBS) + +23-sim-arch_all_le_basic$(EXEEXT): $(23_sim_arch_all_le_basic_OBJECTS) $(23_sim_arch_all_le_basic_DEPENDENCIES) $(EXTRA_23_sim_arch_all_le_basic_DEPENDENCIES) + @rm -f 23-sim-arch_all_le_basic$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(23_sim_arch_all_le_basic_OBJECTS) $(23_sim_arch_all_le_basic_LDADD) $(LIBS) + +24-live-arg_allow$(EXEEXT): 
$(24_live_arg_allow_OBJECTS) $(24_live_arg_allow_DEPENDENCIES) $(EXTRA_24_live_arg_allow_DEPENDENCIES) + @rm -f 24-live-arg_allow$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(24_live_arg_allow_OBJECTS) $(24_live_arg_allow_LDADD) $(LIBS) + +25-sim-multilevel_chains_adv$(EXEEXT): $(25_sim_multilevel_chains_adv_OBJECTS) $(25_sim_multilevel_chains_adv_DEPENDENCIES) $(EXTRA_25_sim_multilevel_chains_adv_DEPENDENCIES) + @rm -f 25-sim-multilevel_chains_adv$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(25_sim_multilevel_chains_adv_OBJECTS) $(25_sim_multilevel_chains_adv_LDADD) $(LIBS) + +26-sim-arch_all_be_basic$(EXEEXT): $(26_sim_arch_all_be_basic_OBJECTS) $(26_sim_arch_all_be_basic_DEPENDENCIES) $(EXTRA_26_sim_arch_all_be_basic_DEPENDENCIES) + @rm -f 26-sim-arch_all_be_basic$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(26_sim_arch_all_be_basic_OBJECTS) $(26_sim_arch_all_be_basic_LDADD) $(LIBS) + +27-sim-bpf_blk_state$(EXEEXT): $(27_sim_bpf_blk_state_OBJECTS) $(27_sim_bpf_blk_state_DEPENDENCIES) $(EXTRA_27_sim_bpf_blk_state_DEPENDENCIES) + @rm -f 27-sim-bpf_blk_state$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(27_sim_bpf_blk_state_OBJECTS) $(27_sim_bpf_blk_state_LDADD) $(LIBS) + +28-sim-arch_x86$(EXEEXT): $(28_sim_arch_x86_OBJECTS) $(28_sim_arch_x86_DEPENDENCIES) $(EXTRA_28_sim_arch_x86_DEPENDENCIES) + @rm -f 28-sim-arch_x86$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(28_sim_arch_x86_OBJECTS) $(28_sim_arch_x86_LDADD) $(LIBS) + +29-sim-pseudo_syscall$(EXEEXT): $(29_sim_pseudo_syscall_OBJECTS) $(29_sim_pseudo_syscall_DEPENDENCIES) $(EXTRA_29_sim_pseudo_syscall_DEPENDENCIES) + @rm -f 29-sim-pseudo_syscall$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(29_sim_pseudo_syscall_OBJECTS) $(29_sim_pseudo_syscall_LDADD) $(LIBS) + +30-sim-socket_syscalls$(EXEEXT): $(30_sim_socket_syscalls_OBJECTS) $(30_sim_socket_syscalls_DEPENDENCIES) $(EXTRA_30_sim_socket_syscalls_DEPENDENCIES) + @rm -f 30-sim-socket_syscalls$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(30_sim_socket_syscalls_OBJECTS) $(30_sim_socket_syscalls_LDADD) $(LIBS) + +31-basic-version_check$(EXEEXT): 
$(31_basic_version_check_OBJECTS) $(31_basic_version_check_DEPENDENCIES) $(EXTRA_31_basic_version_check_DEPENDENCIES) + @rm -f 31-basic-version_check$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(31_basic_version_check_OBJECTS) $(31_basic_version_check_LDADD) $(LIBS) + +32-live-tsync_allow$(EXEEXT): $(32_live_tsync_allow_OBJECTS) $(32_live_tsync_allow_DEPENDENCIES) $(EXTRA_32_live_tsync_allow_DEPENDENCIES) + @rm -f 32-live-tsync_allow$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(32_live_tsync_allow_OBJECTS) $(32_live_tsync_allow_LDADD) $(LIBS) + +33-sim-socket_syscalls_be$(EXEEXT): $(33_sim_socket_syscalls_be_OBJECTS) $(33_sim_socket_syscalls_be_DEPENDENCIES) $(EXTRA_33_sim_socket_syscalls_be_DEPENDENCIES) + @rm -f 33-sim-socket_syscalls_be$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(33_sim_socket_syscalls_be_OBJECTS) $(33_sim_socket_syscalls_be_LDADD) $(LIBS) + +34-sim-basic_denylist$(EXEEXT): $(34_sim_basic_denylist_OBJECTS) $(34_sim_basic_denylist_DEPENDENCIES) $(EXTRA_34_sim_basic_denylist_DEPENDENCIES) + @rm -f 34-sim-basic_denylist$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(34_sim_basic_denylist_OBJECTS) $(34_sim_basic_denylist_LDADD) $(LIBS) + +35-sim-negative_one$(EXEEXT): $(35_sim_negative_one_OBJECTS) $(35_sim_negative_one_DEPENDENCIES) $(EXTRA_35_sim_negative_one_DEPENDENCIES) + @rm -f 35-sim-negative_one$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(35_sim_negative_one_OBJECTS) $(35_sim_negative_one_LDADD) $(LIBS) + +36-sim-ipc_syscalls$(EXEEXT): $(36_sim_ipc_syscalls_OBJECTS) $(36_sim_ipc_syscalls_DEPENDENCIES) $(EXTRA_36_sim_ipc_syscalls_DEPENDENCIES) + @rm -f 36-sim-ipc_syscalls$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(36_sim_ipc_syscalls_OBJECTS) $(36_sim_ipc_syscalls_LDADD) $(LIBS) + +37-sim-ipc_syscalls_be$(EXEEXT): $(37_sim_ipc_syscalls_be_OBJECTS) $(37_sim_ipc_syscalls_be_DEPENDENCIES) $(EXTRA_37_sim_ipc_syscalls_be_DEPENDENCIES) + @rm -f 37-sim-ipc_syscalls_be$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(37_sim_ipc_syscalls_be_OBJECTS) $(37_sim_ipc_syscalls_be_LDADD) $(LIBS) + +38-basic-pfc_coverage$(EXEEXT): 
$(38_basic_pfc_coverage_OBJECTS) $(38_basic_pfc_coverage_DEPENDENCIES) $(EXTRA_38_basic_pfc_coverage_DEPENDENCIES) + @rm -f 38-basic-pfc_coverage$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(38_basic_pfc_coverage_OBJECTS) $(38_basic_pfc_coverage_LDADD) $(LIBS) + +39-basic-api_level$(EXEEXT): $(39_basic_api_level_OBJECTS) $(39_basic_api_level_DEPENDENCIES) $(EXTRA_39_basic_api_level_DEPENDENCIES) + @rm -f 39-basic-api_level$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(39_basic_api_level_OBJECTS) $(39_basic_api_level_LDADD) $(LIBS) + +40-sim-log$(EXEEXT): $(40_sim_log_OBJECTS) $(40_sim_log_DEPENDENCIES) $(EXTRA_40_sim_log_DEPENDENCIES) + @rm -f 40-sim-log$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(40_sim_log_OBJECTS) $(40_sim_log_LDADD) $(LIBS) + +41-sim-syscall_priority_arch$(EXEEXT): $(41_sim_syscall_priority_arch_OBJECTS) $(41_sim_syscall_priority_arch_DEPENDENCIES) $(EXTRA_41_sim_syscall_priority_arch_DEPENDENCIES) + @rm -f 41-sim-syscall_priority_arch$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(41_sim_syscall_priority_arch_OBJECTS) $(41_sim_syscall_priority_arch_LDADD) $(LIBS) + +42-sim-adv_chains$(EXEEXT): $(42_sim_adv_chains_OBJECTS) $(42_sim_adv_chains_DEPENDENCIES) $(EXTRA_42_sim_adv_chains_DEPENDENCIES) + @rm -f 42-sim-adv_chains$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(42_sim_adv_chains_OBJECTS) $(42_sim_adv_chains_LDADD) $(LIBS) + +43-sim-a2_order$(EXEEXT): $(43_sim_a2_order_OBJECTS) $(43_sim_a2_order_DEPENDENCIES) $(EXTRA_43_sim_a2_order_DEPENDENCIES) + @rm -f 43-sim-a2_order$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(43_sim_a2_order_OBJECTS) $(43_sim_a2_order_LDADD) $(LIBS) + +44-live-a2_order$(EXEEXT): $(44_live_a2_order_OBJECTS) $(44_live_a2_order_DEPENDENCIES) $(EXTRA_44_live_a2_order_DEPENDENCIES) + @rm -f 44-live-a2_order$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(44_live_a2_order_OBJECTS) $(44_live_a2_order_LDADD) $(LIBS) + +45-sim-chain_code_coverage$(EXEEXT): $(45_sim_chain_code_coverage_OBJECTS) $(45_sim_chain_code_coverage_DEPENDENCIES) $(EXTRA_45_sim_chain_code_coverage_DEPENDENCIES) + @rm -f 
45-sim-chain_code_coverage$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(45_sim_chain_code_coverage_OBJECTS) $(45_sim_chain_code_coverage_LDADD) $(LIBS) + +46-sim-kill_process$(EXEEXT): $(46_sim_kill_process_OBJECTS) $(46_sim_kill_process_DEPENDENCIES) $(EXTRA_46_sim_kill_process_DEPENDENCIES) + @rm -f 46-sim-kill_process$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(46_sim_kill_process_OBJECTS) $(46_sim_kill_process_LDADD) $(LIBS) + +47-live-kill_process$(EXEEXT): $(47_live_kill_process_OBJECTS) $(47_live_kill_process_DEPENDENCIES) $(EXTRA_47_live_kill_process_DEPENDENCIES) + @rm -f 47-live-kill_process$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(47_live_kill_process_OBJECTS) $(47_live_kill_process_LDADD) $(LIBS) + +48-sim-32b_args$(EXEEXT): $(48_sim_32b_args_OBJECTS) $(48_sim_32b_args_DEPENDENCIES) $(EXTRA_48_sim_32b_args_DEPENDENCIES) + @rm -f 48-sim-32b_args$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(48_sim_32b_args_OBJECTS) $(48_sim_32b_args_LDADD) $(LIBS) + +49-sim-64b_comparisons$(EXEEXT): $(49_sim_64b_comparisons_OBJECTS) $(49_sim_64b_comparisons_DEPENDENCIES) $(EXTRA_49_sim_64b_comparisons_DEPENDENCIES) + @rm -f 49-sim-64b_comparisons$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(49_sim_64b_comparisons_OBJECTS) $(49_sim_64b_comparisons_LDADD) $(LIBS) + +50-sim-hash_collision$(EXEEXT): $(50_sim_hash_collision_OBJECTS) $(50_sim_hash_collision_DEPENDENCIES) $(EXTRA_50_sim_hash_collision_DEPENDENCIES) + @rm -f 50-sim-hash_collision$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(50_sim_hash_collision_OBJECTS) $(50_sim_hash_collision_LDADD) $(LIBS) + +51-live-user_notification$(EXEEXT): $(51_live_user_notification_OBJECTS) $(51_live_user_notification_DEPENDENCIES) $(EXTRA_51_live_user_notification_DEPENDENCIES) + @rm -f 51-live-user_notification$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(51_live_user_notification_OBJECTS) $(51_live_user_notification_LDADD) $(LIBS) + +52-basic-load$(EXEEXT): $(52_basic_load_OBJECTS) $(52_basic_load_DEPENDENCIES) $(EXTRA_52_basic_load_DEPENDENCIES) + @rm -f 52-basic-load$(EXEEXT) + $(AM_V_CCLD)$(LINK) 
$(52_basic_load_OBJECTS) $(52_basic_load_LDADD) $(LIBS) + +53-sim-binary_tree$(EXEEXT): $(53_sim_binary_tree_OBJECTS) $(53_sim_binary_tree_DEPENDENCIES) $(EXTRA_53_sim_binary_tree_DEPENDENCIES) + @rm -f 53-sim-binary_tree$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(53_sim_binary_tree_OBJECTS) $(53_sim_binary_tree_LDADD) $(LIBS) + +54-live-binary_tree$(EXEEXT): $(54_live_binary_tree_OBJECTS) $(54_live_binary_tree_DEPENDENCIES) $(EXTRA_54_live_binary_tree_DEPENDENCIES) + @rm -f 54-live-binary_tree$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(54_live_binary_tree_OBJECTS) $(54_live_binary_tree_LDADD) $(LIBS) + +55-basic-pfc_binary_tree$(EXEEXT): $(55_basic_pfc_binary_tree_OBJECTS) $(55_basic_pfc_binary_tree_DEPENDENCIES) $(EXTRA_55_basic_pfc_binary_tree_DEPENDENCIES) + @rm -f 55-basic-pfc_binary_tree$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(55_basic_pfc_binary_tree_OBJECTS) $(55_basic_pfc_binary_tree_LDADD) $(LIBS) + +56-basic-iterate_syscalls$(EXEEXT): $(56_basic_iterate_syscalls_OBJECTS) $(56_basic_iterate_syscalls_DEPENDENCIES) $(EXTRA_56_basic_iterate_syscalls_DEPENDENCIES) + @rm -f 56-basic-iterate_syscalls$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(56_basic_iterate_syscalls_OBJECTS) $(56_basic_iterate_syscalls_LDADD) $(LIBS) + +57-basic-rawsysrc$(EXEEXT): $(57_basic_rawsysrc_OBJECTS) $(57_basic_rawsysrc_DEPENDENCIES) $(EXTRA_57_basic_rawsysrc_DEPENDENCIES) + @rm -f 57-basic-rawsysrc$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(57_basic_rawsysrc_OBJECTS) $(57_basic_rawsysrc_LDADD) $(LIBS) + +58-live-tsync_notify$(EXEEXT): $(58_live_tsync_notify_OBJECTS) $(58_live_tsync_notify_DEPENDENCIES) $(EXTRA_58_live_tsync_notify_DEPENDENCIES) + @rm -f 58-live-tsync_notify$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(58_live_tsync_notify_OBJECTS) $(58_live_tsync_notify_LDADD) $(LIBS) + +59-basic-empty_binary_tree$(EXEEXT): $(59_basic_empty_binary_tree_OBJECTS) $(59_basic_empty_binary_tree_DEPENDENCIES) $(EXTRA_59_basic_empty_binary_tree_DEPENDENCIES) + @rm -f 59-basic-empty_binary_tree$(EXEEXT) + $(AM_V_CCLD)$(LINK) 
$(59_basic_empty_binary_tree_OBJECTS) $(59_basic_empty_binary_tree_LDADD) $(LIBS) + +miniseq$(EXEEXT): $(miniseq_OBJECTS) $(miniseq_DEPENDENCIES) $(EXTRA_miniseq_DEPENDENCIES) + @rm -f miniseq$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(miniseq_OBJECTS) $(miniseq_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/00-test.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/01-sim-allow.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/02-sim-basic.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/03-sim-basic_chains.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/04-sim-multilevel_chains.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/05-sim-long_jumps.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/06-sim-actions.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/07-sim-db_bug_looping.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/08-sim-subtree_checks.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/09-sim-syscall_priority_pre.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/10-sim-syscall_priority_post.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/11-basic-basic_errors.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/12-sim-basic_masked_ops.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/13-basic-attrs.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/14-sim-reset.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/15-basic-resolver.Po@am__quote@ # 
am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/16-sim-arch_basic.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/17-sim-arch_merge.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/18-sim-basic_allowlist.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/19-sim-missing_syscalls.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/20-live-basic_die.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/21-live-basic_allow.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/22-sim-basic_chains_array.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/23-sim-arch_all_le_basic.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/24-live-arg_allow.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/25-sim-multilevel_chains_adv.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/26-sim-arch_all_be_basic.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/27-sim-bpf_blk_state.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/28-sim-arch_x86.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/29-sim-pseudo_syscall.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/30-sim-socket_syscalls.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/31-basic-version_check.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/32-live-tsync_allow.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/33-sim-socket_syscalls_be.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/34-sim-basic_denylist.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/35-sim-negative_one.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/36-sim-ipc_syscalls.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/37-sim-ipc_syscalls_be.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/38-basic-pfc_coverage.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/39-basic-api_level.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/40-sim-log.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/41-sim-syscall_priority_arch.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/42-sim-adv_chains.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/43-sim-a2_order.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/44-live-a2_order.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/45-sim-chain_code_coverage.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/46-sim-kill_process.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/47-live-kill_process.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/48-sim-32b_args.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/49-sim-64b_comparisons.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/50-sim-hash_collision.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/51-live-user_notification.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/52-basic-load.Po@am__quote@ # am--include-marker 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/53-sim-binary_tree.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/54-live-binary_tree.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/55-basic-pfc_binary_tree.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/56-basic-iterate_syscalls.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/57-basic-rawsysrc.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/58-live-tsync_notify.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/59-basic-empty_binary_tree.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/miniseq.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS 
GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + 
fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_LTLIBRARIES) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-checkLTLIBRARIES clean-checkPROGRAMS clean-generic \ + clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/00-test.Po + -rm -f ./$(DEPDIR)/01-sim-allow.Po + -rm -f ./$(DEPDIR)/02-sim-basic.Po + -rm -f ./$(DEPDIR)/03-sim-basic_chains.Po + -rm -f ./$(DEPDIR)/04-sim-multilevel_chains.Po + -rm -f ./$(DEPDIR)/05-sim-long_jumps.Po + -rm -f ./$(DEPDIR)/06-sim-actions.Po + -rm -f ./$(DEPDIR)/07-sim-db_bug_looping.Po + -rm -f ./$(DEPDIR)/08-sim-subtree_checks.Po + -rm -f ./$(DEPDIR)/09-sim-syscall_priority_pre.Po + -rm -f ./$(DEPDIR)/10-sim-syscall_priority_post.Po + -rm -f ./$(DEPDIR)/11-basic-basic_errors.Po + -rm -f ./$(DEPDIR)/12-sim-basic_masked_ops.Po + -rm -f ./$(DEPDIR)/13-basic-attrs.Po + -rm -f ./$(DEPDIR)/14-sim-reset.Po + -rm -f ./$(DEPDIR)/15-basic-resolver.Po + -rm -f ./$(DEPDIR)/16-sim-arch_basic.Po + -rm -f ./$(DEPDIR)/17-sim-arch_merge.Po + -rm -f ./$(DEPDIR)/18-sim-basic_allowlist.Po + -rm -f ./$(DEPDIR)/19-sim-missing_syscalls.Po + -rm -f ./$(DEPDIR)/20-live-basic_die.Po + -rm -f ./$(DEPDIR)/21-live-basic_allow.Po + -rm -f ./$(DEPDIR)/22-sim-basic_chains_array.Po + -rm -f ./$(DEPDIR)/23-sim-arch_all_le_basic.Po + -rm -f ./$(DEPDIR)/24-live-arg_allow.Po + -rm -f ./$(DEPDIR)/25-sim-multilevel_chains_adv.Po + -rm -f ./$(DEPDIR)/26-sim-arch_all_be_basic.Po + -rm -f ./$(DEPDIR)/27-sim-bpf_blk_state.Po + -rm -f ./$(DEPDIR)/28-sim-arch_x86.Po + -rm -f ./$(DEPDIR)/29-sim-pseudo_syscall.Po + -rm -f ./$(DEPDIR)/30-sim-socket_syscalls.Po + -rm -f ./$(DEPDIR)/31-basic-version_check.Po + -rm -f ./$(DEPDIR)/32-live-tsync_allow.Po + -rm -f ./$(DEPDIR)/33-sim-socket_syscalls_be.Po + -rm -f ./$(DEPDIR)/34-sim-basic_denylist.Po + -rm -f ./$(DEPDIR)/35-sim-negative_one.Po + -rm -f ./$(DEPDIR)/36-sim-ipc_syscalls.Po + -rm -f ./$(DEPDIR)/37-sim-ipc_syscalls_be.Po + -rm -f ./$(DEPDIR)/38-basic-pfc_coverage.Po + -rm -f ./$(DEPDIR)/39-basic-api_level.Po + -rm -f ./$(DEPDIR)/40-sim-log.Po + -rm -f 
./$(DEPDIR)/41-sim-syscall_priority_arch.Po + -rm -f ./$(DEPDIR)/42-sim-adv_chains.Po + -rm -f ./$(DEPDIR)/43-sim-a2_order.Po + -rm -f ./$(DEPDIR)/44-live-a2_order.Po + -rm -f ./$(DEPDIR)/45-sim-chain_code_coverage.Po + -rm -f ./$(DEPDIR)/46-sim-kill_process.Po + -rm -f ./$(DEPDIR)/47-live-kill_process.Po + -rm -f ./$(DEPDIR)/48-sim-32b_args.Po + -rm -f ./$(DEPDIR)/49-sim-64b_comparisons.Po + -rm -f ./$(DEPDIR)/50-sim-hash_collision.Po + -rm -f ./$(DEPDIR)/51-live-user_notification.Po + -rm -f ./$(DEPDIR)/52-basic-load.Po + -rm -f ./$(DEPDIR)/53-sim-binary_tree.Po + -rm -f ./$(DEPDIR)/54-live-binary_tree.Po + -rm -f ./$(DEPDIR)/55-basic-pfc_binary_tree.Po + -rm -f ./$(DEPDIR)/56-basic-iterate_syscalls.Po + -rm -f ./$(DEPDIR)/57-basic-rawsysrc.Po + -rm -f ./$(DEPDIR)/58-live-tsync_notify.Po + -rm -f ./$(DEPDIR)/59-basic-empty_binary_tree.Po + -rm -f ./$(DEPDIR)/miniseq.Po + -rm -f ./$(DEPDIR)/util.Plo + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/00-test.Po + -rm -f ./$(DEPDIR)/01-sim-allow.Po + -rm -f ./$(DEPDIR)/02-sim-basic.Po + -rm -f ./$(DEPDIR)/03-sim-basic_chains.Po + -rm -f ./$(DEPDIR)/04-sim-multilevel_chains.Po + -rm -f ./$(DEPDIR)/05-sim-long_jumps.Po + -rm -f ./$(DEPDIR)/06-sim-actions.Po + -rm -f ./$(DEPDIR)/07-sim-db_bug_looping.Po + -rm -f ./$(DEPDIR)/08-sim-subtree_checks.Po + -rm -f ./$(DEPDIR)/09-sim-syscall_priority_pre.Po + -rm -f ./$(DEPDIR)/10-sim-syscall_priority_post.Po + -rm -f ./$(DEPDIR)/11-basic-basic_errors.Po + -rm -f 
./$(DEPDIR)/12-sim-basic_masked_ops.Po + -rm -f ./$(DEPDIR)/13-basic-attrs.Po + -rm -f ./$(DEPDIR)/14-sim-reset.Po + -rm -f ./$(DEPDIR)/15-basic-resolver.Po + -rm -f ./$(DEPDIR)/16-sim-arch_basic.Po + -rm -f ./$(DEPDIR)/17-sim-arch_merge.Po + -rm -f ./$(DEPDIR)/18-sim-basic_allowlist.Po + -rm -f ./$(DEPDIR)/19-sim-missing_syscalls.Po + -rm -f ./$(DEPDIR)/20-live-basic_die.Po + -rm -f ./$(DEPDIR)/21-live-basic_allow.Po + -rm -f ./$(DEPDIR)/22-sim-basic_chains_array.Po + -rm -f ./$(DEPDIR)/23-sim-arch_all_le_basic.Po + -rm -f ./$(DEPDIR)/24-live-arg_allow.Po + -rm -f ./$(DEPDIR)/25-sim-multilevel_chains_adv.Po + -rm -f ./$(DEPDIR)/26-sim-arch_all_be_basic.Po + -rm -f ./$(DEPDIR)/27-sim-bpf_blk_state.Po + -rm -f ./$(DEPDIR)/28-sim-arch_x86.Po + -rm -f ./$(DEPDIR)/29-sim-pseudo_syscall.Po + -rm -f ./$(DEPDIR)/30-sim-socket_syscalls.Po + -rm -f ./$(DEPDIR)/31-basic-version_check.Po + -rm -f ./$(DEPDIR)/32-live-tsync_allow.Po + -rm -f ./$(DEPDIR)/33-sim-socket_syscalls_be.Po + -rm -f ./$(DEPDIR)/34-sim-basic_denylist.Po + -rm -f ./$(DEPDIR)/35-sim-negative_one.Po + -rm -f ./$(DEPDIR)/36-sim-ipc_syscalls.Po + -rm -f ./$(DEPDIR)/37-sim-ipc_syscalls_be.Po + -rm -f ./$(DEPDIR)/38-basic-pfc_coverage.Po + -rm -f ./$(DEPDIR)/39-basic-api_level.Po + -rm -f ./$(DEPDIR)/40-sim-log.Po + -rm -f ./$(DEPDIR)/41-sim-syscall_priority_arch.Po + -rm -f ./$(DEPDIR)/42-sim-adv_chains.Po + -rm -f ./$(DEPDIR)/43-sim-a2_order.Po + -rm -f ./$(DEPDIR)/44-live-a2_order.Po + -rm -f ./$(DEPDIR)/45-sim-chain_code_coverage.Po + -rm -f ./$(DEPDIR)/46-sim-kill_process.Po + -rm -f ./$(DEPDIR)/47-live-kill_process.Po + -rm -f ./$(DEPDIR)/48-sim-32b_args.Po + -rm -f ./$(DEPDIR)/49-sim-64b_comparisons.Po + -rm -f ./$(DEPDIR)/50-sim-hash_collision.Po + -rm -f ./$(DEPDIR)/51-live-user_notification.Po + -rm -f ./$(DEPDIR)/52-basic-load.Po + -rm -f ./$(DEPDIR)/53-sim-binary_tree.Po + -rm -f ./$(DEPDIR)/54-live-binary_tree.Po + -rm -f ./$(DEPDIR)/55-basic-pfc_binary_tree.Po + -rm -f 
./$(DEPDIR)/56-basic-iterate_syscalls.Po + -rm -f ./$(DEPDIR)/57-basic-rawsysrc.Po + -rm -f ./$(DEPDIR)/58-live-tsync_notify.Po + -rm -f ./$(DEPDIR)/59-basic-empty_binary_tree.Po + -rm -f ./$(DEPDIR)/miniseq.Po + -rm -f ./$(DEPDIR)/util.Plo + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-checkLTLIBRARIES clean-checkPROGRAMS \ + clean-generic clean-libtool clean-local cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + +.PRECIOUS: Makefile + + +check-build: + ${MAKE} ${AM_MAKEFLAGS} ${check_PROGRAMS} + +clean-local: + ${RM} -f 00-test *.pyc + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/tests/miniseq.c b/tests/miniseq.c new file mode 100644 index 0000000..120fdb2 --- /dev/null +++ b/tests/miniseq.c 
@@ -0,0 +1,58 @@
+/**
+ * Seccomp Library test support program
+ *
+ * Copyright (c) 2015 Mathias Krause <minipli@googlemail.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <errno.h>
+
+static int get_number(char *str, uint64_t *res)
+{
+ char *end = str;
+
+ errno = 0;
+ *res = strtoull(str, &end, 0);
+ if (errno || *end != '\0') {
+ fprintf(stderr, "error: failed to convert '%s'\n", str);
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ uint64_t first, last, cur;
+
+ if (argc != 3) {
+ fprintf(stderr, "usage: %s FIRST LAST\n", argv[0]);
+ return 1;
+ }
+
+ if (get_number(argv[1], &first) || get_number(argv[2], &last))
+ return 1;
+
+ for (cur = first; cur != last; cur++)
+ printf("%" PRId64 "\n", cur);
+ printf("%" PRId64 "\n", cur);
+
+ return 0;
+}
diff --git a/tests/regression b/tests/regression
new file mode 100755
index 0000000..f938b1b
--- /dev/null
+++ b/tests/regression
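Review bot: get_number() accepts an empty argument as 0, because strtoull() on an empty string neither sets errno nor advances `end`, so the `errno || *end != '\0'` test passes; adding `end == str` to the condition, `if (errno || end == str || *end != '\0') {`, rejects it. In main(), `cur` is a uint64_t printed with `PRId64`; if that pairing is deliberate so that negative bounds wrap and print as signed values, a comment such as `/* unsigned counter avoids signed overflow; printed as signed so negative ranges work */` and a cast `(int64_t)cur` in both printf calls would make the intent explicit and the format match the argument type. The `cur != last` loop also has no guard for a reversed range, which would walk nearly the whole 64-bit space before terminating, so a caller passing swapped bounds would appear to hang.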
@@ -0,0 +1,1127 @@ +#!/bin/bash + +# +# libseccomp regression test automation script +# +# Copyright IBM Corp. 2012 +# Author: Corey Bryant <coreyb@linux.vnet.ibm.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +GLBL_ARCH_LE_SUPPORT=" \ + x86 x86_64 x32 \ + arm aarch64 \ + mipsel mipsel64 mipsel64n32 \ + ppc64le \ + riscv64" +GLBL_ARCH_BE_SUPPORT=" \ + mips mips64 mips64n32 \ + parisc parisc64 \ + ppc ppc64 \ + s390 s390x" + +GLBL_ARCH_32B_SUPPORT=" \ + x86 x32 \ + arm \ + mips mipsel mips64n32 mipsel64n32 \ + parisc \ + ppc \ + s390" + +GLBL_ARCH_64B_SUPPORT=" \ + x86_64 \ + aarch64 \ + mips64 \ + parisc64 \ + ppc64 \ + riscv64 \ + s390x" + +GLBL_SYS_ARCH="../tools/scmp_arch_detect" +GLBL_SYS_RESOLVER="../tools/scmp_sys_resolver" +GLBL_SYS_SIM="../tools/scmp_bpf_sim" +GLBL_SYS_API="../tools/scmp_api_level" + +#### +# functions + +# +# Dependency check +# +# Arguments: +# 1 Dependency to check for +# +function check_deps() { + [[ -z "$1" ]] && return + which "$1" >& /dev/null + return $? +} + +# +# Dependency verification +# +# Arguments: +# 1 Dependency to check for +# +function verify_deps() { + [[ -z "$1" ]] && return + if ! 
check_deps "$1"; then + echo "error: install \"$1\" and include it in your \$PATH" + exit 1 + fi +} + +# +# Print out script usage details +# +function usage() { +cat << EOF +usage: regression [-h] [-v] [-m MODE] [-a] [-b BATCH_NAME] [-l <LOG>] + [-s SINGLE_TEST] [-t <TEMP_DIR>] [-T <TEST_TYPE>] + +libseccomp regression test automation script +optional arguments: + -h show this help message and exit + -m MODE specified the test mode [c (default), python] + can also be set via LIBSECCOMP_TSTCFG_MODE_LIST env variable + -a specifies all tests are to be run + -b BATCH_NAME specifies batch of tests to be run + can also be set via LIBSECCOMP_TSTCFG_BATCHES env variable + -l [LOG] specifies log file to write test results to + -s SINGLE_TEST specifies individual test number to be run + -t [TEMP_DIR] specifies directory to create temporary files in + -T [TEST_TYPE] only run tests matching the specified type + can also be set via LIBSECCOMP_TSTCFG_TYPE env variable + -v specifies that verbose output be provided +EOF +} + +# +# Match on a single word/column in a CSV string +# +# Arguments: +# 1 string containing the CSV +# 2 string containing the word to match +# +# Returns true/0 if a match is found false/1 otherwise. +# +function match_csv_word() { + [[ -z $1 || -z $2 ]] && return 1 + + echo "$1" | sed 's/,/ /g' | grep -w "$2" +} + +# +# Generate a string representing the test number +# +# Arguments: +# 1 string containing the batch name +# 2 value of the test number from the input test data file +# 3 value of the subtest number that corresponds to argument 1 +# +# The actual test number from the input test data file is 1 for the first +# test found in the file, 2 for the second, etc. +# +# The subtest number is useful for batches that generate multiple tests based +# on a single line of input from the test data file. 
The subtest number +# should be set to zero if the corresponding test data is actual test data +# that was read from the input file, and should be set to a value greater than +# zero if the corresponding test data is generated. +# +function generate_test_num() { + local testnumstr=$(printf '%s%%%%%03d-%05d' "$1" $2 $3) + echo "$testnumstr" +} + +# +# Print the test data to the log file +# +# Arguments: +# 1 string containing generated test number +# 2 string containing line of test data +# +function print_data() { + if [[ -n $verbose ]]; then + printf "Test %s data: %s\n" "$1" "$2" >&$logfd + fi +} + +# +# Print the test result to the log file +# +# Arguments: +# 1 string containing generated test number +# 2 string containing the test result (INFO, SUCCESS, ERROR, or FAILURE) +# 3 string containing addition details +# +function print_result() { + if [[ $2 == "INFO" && -z $verbose ]]; then + return + fi + if [[ $3 == "" ]]; then + printf "Test %s result: %s\n" "$1" "$2" >&$logfd + else + printf "Test %s result: %s %s\n" "$1" "$2" "$3" >&$logfd + fi +} + +# +# Print the valgrind header to the log file +# +# Arguments: +# 1 string containing generated test number +# +function print_valgrind() { + if [[ -n $verbose ]]; then + printf "Test %s valgrind output\n" "$1" >&$logfd + fi +} + +# +# Get the low or high range value from a range specification +# +# Arguments: +# 1 value specifying range value to retrieve: low (1) or high (2) +# 2 string containing dash-separated range or a single value +# +function get_range() { + if [[ $2 =~ ^[0-9a-fA-Fx]+-[0-9a-fA-Fx]+$ ]]; then + # if there's a dash, get the low or high range value + range_val=$(echo "$2" | cut -d'-' -f "$1") + else + # otherwise there should just be a single value + range_val="$2" + fi + echo "$range_val" +} + +# +# Get the number sequence for a given range with increments of 1, i.e. +# implement a specialized seq(1). 
+# +# We use our own implementation based on miniseq in favour to the standard seq +# tool as, at least, seq of coreutils v8.23 and v8.24 has problems on 32 bit +# ARM for large numbers (see the mailing thread at +# https://groups.google.com/forum/#!topic/libseccomp/VtrClkXxLGA). +# +# Arguments: +# 1 starting value +# 2 last value +# +function get_seq() { + # NOTE: this whole thing is a bit hacky, but we need to search around + # for miniseq to fix 'make distcheck', someday we should fix this + if [[ -x ./miniseq ]]; then + ./miniseq "$1" "$2" + elif [[ -x $basedir/miniseq ]]; then + $basedir/miniseq "$1" "$2" + else + # we're often run from a subshell, so we can't simply exit + echo "error: unable to find miniseq" >&2 + kill $pid + fi +} + +# +# Run the specified test command (with valgrind if requested) +# +# Arguments: +# 1 string containing generated test number +# 2 string containing command name +# 3 string containing command options +# 4 number for the stdout fd +# 5 number for the stderr fd +# +function run_test_command() { + local cmd + + if [[ $mode == "python" ]]; then + cmd="PYTHONPATH=$PYTHONPATH" + cmd="$cmd:$(cd $(pwd)/../src/python/build/lib.*; pwd)" + # check and adjust if we are doing a VPATH build + if [[ -e "./$2.py" ]]; then + cmd="$cmd /usr/bin/env python $2.py $3" + else + cmd="$cmd /usr/bin/env python ${srcdir}/$2.py $3" + fi + else + cmd="$2 $3" + fi + + # setup the stdout/stderr redirects + local stdout=$4 + local stderr=$5 + [[ -z $stdout ]] && stdout=$logfd + [[ -z $stderr ]] && stderr=$logfd + + # run the command + eval "$cmd" 1>&$stdout 2>&$stderr + + # return the command's return code + return $? +} + +# +# Generate pseudo-random string of alphanumeric characters +# +# The generated string will be no larger than the corresponding +# architecture's register size. 
+# +function generate_random_data() { + local rcount + local rdata + if [[ $arch == "x86_64" ]]; then + rcount=$[ ($RANDOM % 16) + 1 ] + else + rcount=$[ ($RANDOM % 8) + 1 ] + fi + rdata=$(dd if=/dev/urandom bs=64 count=1 status=none | \ + md5sum | awk '{ print $1 }' | head -c"$rcount") + echo "$rdata" +} + +# +# Run the specified "bpf-sim-fuzz" test +# +# Tests that belong to the "bpf-sim-fuzz" test type generate a BPF filter and +# then run a simulated system call test with pseudo-random fuzz data for the +# syscall and argument values. Tests that belong to this test type provide the +# following data on a single line in the input batch file: +# +# Testname - The executable test name (e.g. 01-allow, 02-basic, etc.) +# StressCount - The number of fuzz tests to run against the filter +# +# The following test data is output to the logfile for each generated test: +# +# Testname - The executable test name (e.g. 01-allow, 02-basic, etc.) +# Syscall - The fuzzed syscall value to be simulated against the filter +# Arg0-5 - The fuzzed syscall arg values to be simulated against the filter +# +# Arguments: +# 1 string containing the batch name +# 2 value of test number from batch file +# 3 string containing line of test data from batch file +# +function run_test_bpf_sim_fuzz() { + local rc + + # begin splitting the test data from the line into individual variables + local line=($3) + local testname=${line[0]} + local stress_count=${line[1]} + + # check for stress count configuration via environment variables + [[ -n $LIBSECCOMP_TSTCFG_STRESSCNT ]] && \ + stress_count=$LIBSECCOMP_TSTCFG_STRESSCNT + + for i in $(get_seq 1 $stress_count); do + local sys=$(generate_random_data) + local -a arg=($(generate_random_data) $(generate_random_data) \ + $(generate_random_data) $(generate_random_data) \ + $(generate_random_data) $(generate_random_data)) + + # get the generated sub-test num string + local testnumstr=$(generate_test_num "$1" $2 $i) + + # set up log file test data line for 
this individual test, + # spacing is added to align the output in the correct columns + local -a COL_WIDTH=(26 17 17 17 17 17 17) + local testdata=$(printf "%-${COL_WIDTH[0]}s" $testname) + testdata+=$(printf "%-${COL_WIDTH[1]}s" $sys) + testdata+=$(printf "%-${COL_WIDTH[2]}s" ${arg[0]}) + testdata+=$(printf "%-${COL_WIDTH[3]}s" ${arg[1]}) + testdata+=$(printf "%-${COL_WIDTH[4]}s" ${arg[2]}) + testdata+=$(printf "%-${COL_WIDTH[5]}s" ${arg[3]}) + testdata+=$(printf "%-${COL_WIDTH[6]}s" ${arg[4]}) + testdata+=$(printf "%s" ${arg[5]}) + + # print out the generated test data to the log file + print_data "$testnumstr" "$testdata" + + # set up the syscall argument values to be passed to bpf_sim + for i in {0..5}; do + arg[$i]=" -$i ${arg[$i]} " + done + + # run the test command and put the BPF filter in a temp file + exec 4>$tmpfile + run_test_command "$testnumstr" "./$testname" "-b" 4 "" + rc=$? + exec 4>&- + if [[ $rc -ne 0 ]]; then + print_result $testnumstr "ERROR" "$testname rc=$rc" + stats_error=$(($stats_error+1)) + return + fi + + # simulate the fuzzed syscall data against the BPF filter, we + # don't verify the resulting action since we're just testing for + # stability + allow=$($GLBL_SYS_SIM -f $tmpfile -s $sys \ + ${arg[0]} ${arg[1]} ${arg[2]} ${arg[3]} ${arg[4]} \ + ${arg[5]}) + rc=$? + if [[ $rc -ne 0 ]]; then + print_result $testnumstr "ERROR" "bpf_sim rc=$rc" + stats_error=$(($stats_error+1)) + else + print_result $testnumstr "SUCCESS" "" + stats_success=$(($stats_success+1)) + fi + stats_all=$(($stats_all+1)) + done +} + +# +# Run the specified "bpf-sim" test +# +# Tests that belong to the "bpf-sim" test type generate a BPF filter and then +# run a simulated system call test to validate the filter. Tests that belong to +# this test type provide the following data on a single line in the input batch +# file: +# +# Testname - The executable test name (e.g. 01-allow, 02-basic, etc.) 
+# Arch - The architecture that the test should be run on (all, x86, x86_64) +# Syscall - The syscall to simulate against the generated filter +# Arg0-5 - The syscall arguments to simulate against the generated filter +# Result - The expected simulation result (ALLOW, KILL, etc.) +# +# If a range of syscall or argument values are specified (e.g. 1-9), a test is +# generated for every combination of range values. Otherwise, the individual +# test is run. +# +# Arguments: +# 1 string containing the batch name +# 2 value of test number from batch file +# 3 string containing line of test data from batch file +# +function run_test_bpf_sim() { + local rc + local LOW=1 + local HIGH=2 + local -a arg_empty=(false false false false false false) + + # begin splitting the test data from the line into individual variables + local line=($3) + local testname=${line[0]} + local testarch=${line[1]} + local low_syscall #line[2] + local high_syscall #line[2] + local -a low_arg #line[3-8] + local -a high_arg #line[3-8] + local result=${line[9]} + + # expand the architecture list + local simarch_tmp + local simarch_avoid + simarch_tmp="" + simarch_avoid="" + for arch_i in $(echo $testarch | sed -e 's/,/ /g'); do + case $arch_i in + all) + # add the native arch + simarch_tmp+=" $arch" + ;; + all_le) + # add the native arch only if it is little endian + if echo "$GLBL_ARCH_LE_SUPPORT" | grep -qw "$arch"; then + simarch_tmp+=" $arch" + fi + ;; + +all_le) + # add all of the little endian architectures + simarch_tmp+=" $GLBL_ARCH_LE_SUPPORT" + ;; + all_be) + # add the native arch only if it is big endian + if echo "$GLBL_ARCH_BE_SUPPORT" | grep -qw "$arch"; then + simarch_tmp+=" $arch" + fi + ;; + +all_be) + # add all of the big endian architectures + simarch_tmp+=" $GLBL_ARCH_BE_SUPPORT" + ;; + all_32) + # add the native arch only if it is 32-bit + if echo "$GLBL_ARCH_32B_SUPPORT" | grep -qw "$arch"; then + simarch_tmp+=" $arch" + fi + ;; + +all_32) + # add all of the 32-bit architectures 
+ simarch_tmp+=" $GLBL_ARCH_32B_SUPPORT" + ;; + all_64) + # add the native arch only if it is 64-bit + if echo "$GLBL_ARCH_64B_SUPPORT" | grep -qw "$arch"; then + simarch_tmp+=" $arch" + fi + ;; + +all_64) + # add all of the 64-bit architectures + simarch_tmp+=" $GLBL_ARCH_64B_SUPPORT" + ;; + +*) + # add the architecture specified + simarch_tmp+=" ${arch_i:1}" + ;; + -*) + # remove the architecture specified + simarch_avoid+=" ${arch_i:1}" + ;; + *) + # add the architecture specified if it is native + if [[ "$arch_i" == "$arch" ]]; then + simarch_tmp+=" $arch_i" + fi + ;; + esac + done + + # make sure we remove any undesired architectures + local simarch_list + simarch_list="" + for arch_i in $simarch_tmp; do + if echo "$simarch_avoid" | grep -q -v -w "$arch_i"; then + simarch_list+=" $arch_i" + fi + done + simarch_list=$(echo $simarch_list | sed -e 's/ / /g;s/^ //;') + + # do we have any architectures remaining in the list? + if [[ $simarch_list == "" ]]; then + print_result $(generate_test_num "$1" $2 1) "SKIPPED" \ + "(architecture difference)" + stats_skipped=$(($stats_skipped+1)) + return + fi + + # get low and high range arg values + line_i=3 + for arg_i in {0..5}; do + low_arg[$arg_i]=$(get_range $LOW "${line[$line_i]}") + high_arg[$arg_i]=$(get_range $HIGH "${line[$line_i]}") + + # fix up empty arg values so the nested loops work + if [[ ${low_arg[$arg_i]} == "N" ]]; then + arg_empty[$arg_i]=true + low_arg[$arg_i]=0 + high_arg[$arg_i]=0 + fi + + line_i=$(($line_i+1)) + done + + # loop through the selected architectures + for simarch in $simarch_list; do + # print architecture header if necessary + if [[ $simarch != $simarch_list ]]; then + echo " test arch: $simarch" >&$logfd + fi + + # reset the subtest number + local subtestnum=1 + + # get low and high syscall values and convert them to numbers + low_syscall=$(get_range $LOW "${line[2]}") + if [[ ! 
$low_syscall =~ ^\-?[0-9]+$ ]]; then + low_syscall=$($GLBL_SYS_RESOLVER -a $simarch -t \ + $low_syscall) + if [[ $? -ne 0 ]]; then + print_result $(generate_test_num "$1" $2 1) \ + "ERROR" "sys_resolver rc=$?" + stats_error=$(($stats_error+1)) + return + fi + fi + high_syscall=$(get_range $HIGH "${line[2]}") + if [[ ! $high_syscall =~ ^\-?[0-9]+$ ]]; then + high_syscall=$($GLBL_SYS_RESOLVER -a $simarch -t \ + $high_syscall) + if [[ $? -ne 0 ]]; then + print_result $(generate_test_num "$1" $2 1) \ + "ERROR" "sys_resolver rc=$?" + stats_error=$(($stats_error+1)) + return + fi + fi + + # if ranges exist, the following will loop through all syscall + # and arg ranges and generate/run every combination of requested + # tests; if no ranges were specifed, then the single test is + # run + for sys in $(get_seq $low_syscall $high_syscall); do + for arg0 in $(get_seq ${low_arg[0]} ${high_arg[0]}); do + for arg1 in $(get_seq ${low_arg[1]} ${high_arg[1]}); do + for arg2 in $(get_seq ${low_arg[2]} ${high_arg[2]}); do + for arg3 in $(get_seq ${low_arg[3]} ${high_arg[3]}); do + for arg4 in $(get_seq ${low_arg[4]} ${high_arg[4]}); do + for arg5 in $(get_seq ${low_arg[5]} ${high_arg[5]}); do + local -a arg=($arg0 $arg1 $arg2 $arg3 $arg4 $arg5) + + # Get the generated sub-test num string + local testnumstr=$(generate_test_num "$1" $2 \ + $subtestnum) + + # format any empty args to print to log file + for i in {0..5}; do + if ${arg_empty[$i]}; then + arg[$i]="N" + fi + done + + # set up log file test data line for this + # individual test, spacing is added to align + # the output in the correct columns + local -a COL_WIDTH=(26 08 14 11 17 21 09 06 06) + local testdata=$(printf "%-${COL_WIDTH[0]}s" $testname) + testdata+=$(printf "%-${COL_WIDTH[1]}s" $simarch) + testdata+=$(printf "%-${COL_WIDTH[2]}s" $sys) + testdata+=$(printf "%-${COL_WIDTH[3]}s" ${arg[0]}) + testdata+=$(printf "%-${COL_WIDTH[4]}s" ${arg[1]}) + testdata+=$(printf "%-${COL_WIDTH[5]}s" ${arg[2]}) + testdata+=$(printf 
"%-${COL_WIDTH[6]}s" ${arg[3]}) + testdata+=$(printf "%-${COL_WIDTH[7]}s" ${arg[4]}) + testdata+=$(printf "%-${COL_WIDTH[8]}s" ${arg[5]}) + testdata+=$(printf "%-${COL_WIDTH[9]}s" $result) + + # print out the test data to the log file + print_data "$testnumstr" "$testdata" + + # set up the syscall arguments to be passed to bpf_sim + for i in {0..5}; do + if ${arg_empty[$i]}; then + arg[$i]="" + else + arg[$i]=" -$i ${arg[$i]} " + fi + done + + # run the test command and put the BPF in a temp file + exec 4>$tmpfile + run_test_command "$testnumstr" "./$testname" "-b" 4 "" + rc=$? + exec 4>&- + if [[ $rc -ne 0 ]]; then + print_result $testnumstr \ + "ERROR" "$testname rc=$rc" + stats_error=$(($stats_error+1)) + return + fi + + # simulate the specifed syscall against the BPF filter + # and verify the results + action=$($GLBL_SYS_SIM -a $simarch -f $tmpfile \ + -s $sys ${arg[0]} ${arg[1]} ${arg[2]} \ + ${arg[3]} ${arg[4]} ${arg[5]}) + rc=$? + if [[ $rc -ne 0 ]]; then + print_result $testnumstr \ + "ERROR" "bpf_sim rc=$rc" + stats_error=$(($stats_error+1)) + elif [[ "$action" != "$result" ]]; then + print_result $testnumstr "FAILURE" \ + "bpf_sim resulted in $action" + stats_failure=$(($stats_failure+1)) + else + print_result $testnumstr "SUCCESS" "" + stats_success=$(($stats_success+1)) + fi + stats_all=$(($stats_all+1)) + + subtestnum=$(($subtestnum+1)) + done # syscall + done # arg0 + done # arg1 + done # arg2 + done # arg3 + done # arg4 + done # arg5 + done # architecture +} + +# +# Run the specified "basic" test +# +# Tests that belong to the "basic" test type will simply have the command +# specified in the input batch file. The command must return zero for success +# and non-zero for failure. 
+# +# Arguments: +# 1 value of test number from batch file +# 2 string containing line of test data from batch file +# +function run_test_basic() { + local rc + local cmd + + # if the test is a script, only run it in native/c mode + if [[ $mode != "c" && "$2" == *.sh ]]; then + print_result "$1" "SKIPPED" "(only valid in native/c mode)" + stats_skipped=$(($stats_skipped+1)) + return + fi + + # print out the input test data to the log file + print_data "$1" "$2" + + # check and adjust if we are doing a VPATH build + if [[ -x "./$2" ]]; then + cmd="./$2" + else + cmd="${srcdir}/$2" + fi + + # run the command + run_test_command "$1" "$cmd" "" "" "" + rc=$? + if [[ $rc -ne 0 ]]; then + print_result $1 "FAILURE" "$2 rc=$rc" + stats_failure=$(($stats_failure+1)) + else + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + fi + stats_all=$(($stats_all+1)) +} + +# +# Run the specified "bpf-valgrind" test +# +# Tests that belong to the "bpf-valgrind" test type generate a BPF filter +# while running under valgrind to detect any memory errors. +# +# Arguments: +# 1 value of test number from batch file +# 2 string containing line of test data from batch file +# +function run_test_bpf_valgrind() { + local rc + + # we only support the native/c test mode here + if [[ $mode != "c" ]]; then + print_result "$1" "SKIPPED" "(only valid in native/c mode)" + stats_skipped=$(($stats_skipped+1)) + return + fi + + # print out the input test data to the log file + print_data "$1" "$2" + + # build the command + testvalgrind="valgrind \ + --tool=memcheck \ + --error-exitcode=1 \ + --leak-check=full \ + --read-var-info=yes \ + --track-origins=yes \ + --suppressions=$basedir/valgrind_test.supp" + if [[ -n $logfile ]]; then + testvalgrind+=" --log-fd=$logfd" + fi + if [[ -z $verbose ]]; then + testvalgrind+=" --quiet --log-fd=4" + fi + + # run the command + exec 4>/dev/null + print_valgrind "$1" + run_test_command "$1" "$testvalgrind --" "./$2 -b" 4 2 + rc=$? 
+ exec 4>&- + if [[ $rc -ne 0 ]]; then + print_result $1 "FAILURE" "$2 rc=$rc" + stats_failure=$(($stats_failure+1)) + else + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + fi + stats_all=$(($stats_all+1)) +} + +# +# Run the specified "live" test +# +# Tests that belong to the "live" test type will attempt to run a live test +# of the libseccomp library on the host system; for obvious reasons the host +# system must support seccomp mode 2 for this to work correctly. +# +# Arguments: +# 1 value of test number from batch file +# 2 string containing line of test data from batch file +# +function run_test_live() { + local rc + local api + local line=($2) + + # parse the test line + line_cmd=${line[0]} + line_api=${line[1]} + line_act=${line[2]} + line_test="$line_cmd $line_api $line_act" + + # check the api level + api=$($GLBL_SYS_API) + if [[ $api -lt $line_api ]]; then + # runtime api level is too low + print_result "$1" "SKIPPED" "(api level)" + stats_skipped=$(($stats_skipped+1)) + return + fi + + # print out the input test data to the log file + print_data "$1" "$2" + + # run the command + exec 4>/dev/null + run_test_command "$1" "./$line_cmd" "$line_act" "" 4 + rc=$? 
+ exec 4>&- + stats_all=$(($stats_all+1)) + + # setup the arch specific return values + case "$arch" in + x86|x86_64|x32|arm|aarch64|parisc|parisc64|ppc|ppc64|ppc64le|ppc|s390|s390x|riscv64) + rc_kill_process=159 + rc_kill=159 + rc_allow=160 + rc_trap=161 + rc_trace=162 + rc_errno=163 + rc_log=164 + ;; + mips|mipsel|mips64|mips64n32|mipsel64|mipsel64n32) + rc_kill_process=140 + rc_kill=140 + rc_allow=160 + rc_trap=161 + rc_trace=162 + rc_errno=163 + rc_log=164 + ;; + *) + print_result $testnumstr "ERROR" "arch $arch not supported" + stats_error=$(($stats_error+1)) + return + ;; + esac + + # verify the results + if [[ $line_act == "KILL_PROCESS" && $rc -eq $rc_kill_process ]]; then + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + elif [[ $line_act == "KILL" && $rc -eq $rc_kill ]]; then + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + elif [[ $line_act == "ALLOW" && $rc -eq $rc_allow ]]; then + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + elif [[ $line_act == "TRAP" && $rc -eq $rc_trap ]]; then + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + elif [[ $line_act == "TRACE" ]]; then + print_result $1 "ERROR" "unsupported action \"$line_act\"" + stats_error=$(($stats_error+1)) + elif [[ $line_act == "ERRNO" && $rc -eq $rc_errno ]]; then + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + elif [[ $line_act == "LOG" && $rc -eq $rc_log ]]; then + print_result $1 "SUCCESS" "" + stats_success=$(($stats_success+1)) + else + print_result $1 "FAILURE" "$line_test rc=$rc" + stats_failure=$(($stats_failure+1)) + fi +} + +# +# Run a single test from the specified batch +# +# Arguments: +# 1 string containing the batch name +# 2 value of test number from batch file +# 3 string containing line of test data from batch file +# 4 string containing test type that this test belongs to +# +function run_test() { + # generate the test number string for the line of batch test data + 
local testnumstr=$(generate_test_num "$1" $2 1) + + # ensure we only run tests which match the specified type + match_csv_word "$type" "$4" + local type_match=$? + [[ -n $type && $type_match -eq 1 ]] && return + + # execute the function corresponding to the test type + if [[ "$4" == "basic" ]]; then + run_test_basic "$testnumstr" "$3" + elif [[ "$4" == "bpf-sim" ]]; then + run_test_bpf_sim "$1" $2 "$3" + elif [[ "$4" == "bpf-sim-fuzz" ]]; then + run_test_bpf_sim_fuzz "$1" $2 "$3" + elif [[ "$4" == "bpf-valgrind" ]]; then + # only run this test if valgrind is installed + if check_deps valgrind; then + run_test_bpf_valgrind "$testnumstr" "$3" + else + print_result $testnumstr "SKIPPED" \ + "(valgrind not installed)" + stats_skipped=$(($stats_skipped+1)) + fi + elif [[ "$4" == "live" ]]; then + # only run this test if explicitly requested + if [[ -n $type ]]; then + run_test_live "$testnumstr" "$3" + else + print_result $testnumstr "SKIPPED" \ + "(must specify live tests)" + stats_skipped=$(($stats_skipped+1)) + fi + else + print_result $testnumstr "ERROR" "test type $4 not supported" + stats_error=$(($stats_error+1)) + fi +} + +# +# Run the requested tests +# +function run_tests() { + # loop through all test files + for file in $basedir/*.tests; do + local testnum=1 + local batch_requested=false + local batch_name="" + + # extract the batch name from the file name + batch_name=$(basename $file .tests) + + # check if this batch was requested + if [[ ${batch_list[@]} ]]; then + for b in ${batch_list[@]}; do + if [[ $b == $batch_name ]]; then + batch_requested=true + break + fi + done + if ! 
$batch_requested; then + continue + fi + fi + + # print a test batch header + echo " batch name: $batch_name" >&$logfd + + # loop through each line and run the requested tests + while read line; do + # strip whitespace, comments, and blank lines + line=$(echo "$line" | \ + sed -e 's/^[\t ]*//;s/[\t ]*$//;' | \ + sed -e '/^[#].*$/d;/^$/d') + if [[ -z $line ]]; then + continue + fi + + if [[ $line =~ ^"test type": ]]; then + test_type=$(echo "$line" | \ + sed -e 's/^test type: //;') + # print a test mode and type header + echo " test mode: $mode" >&$logfd + echo " test type: $test_type" >&$logfd + continue + fi + + if [[ ${single_list[@]} ]]; then + for i in ${single_list[@]}; do + if [ $i -eq $testnum ]; then + # we're running a single test + run_test "$batch_name" \ + $testnum "$line" \ + "$test_type" + fi + done + else + # we're running a test from a batch + run_test "$batch_name" \ + $testnum "$line" "$test_type" + fi + testnum=$(($testnum+1)) + done < "$file" + done +} + +#### +# main + +# verify general script dependencies +verify_deps head +verify_deps sed +verify_deps awk +verify_deps tr + +# global variables +declare -a batch_list +declare -a single_list +arch= +batch_count=0 +logfile= +logfd= +mode_list="" +runall= +singlecount=0 +tmpfile="" +tmpdir="" +type= +verbose= +stats_all=0 +stats_skipped=0 +stats_success=0 +stats_failure=0 +stats_error=0 + +# set the test root directory +basedir=$(dirname $0) + +# set the test harness pid +pid=$$ + +# parse the command line +while getopts "ab:gl:m:s:t:T:vh" opt; do + case $opt in + a) + runall=1 + ;; + b) + batch_list[batch_count]="$OPTARG" + batch_count=$(($batch_count+1)) + ;; + l) + logfile="$OPTARG" + ;; + m) + case $OPTARG in + c) + mode_list="$mode_list c" + ;; + python) + verify_deps python + mode_list="$mode_list python" + ;; + *) + usage + exit 1 + esac + ;; + s) + single_list[single_count]=$OPTARG + single_count=$(($single_count+1)) + ;; + t) + tmpdir="$OPTARG" + ;; + T) + type="$OPTARG" + ;; + v) + 
verbose=1 + ;; + h|*) + usage + exit 1 + ;; + esac +done + +# use mode list from environment if provided +[[ -z $mode_list && -n $LIBSECCOMP_TSTCFG_MODE_LIST ]] && mode_list=$LIBSECCOMP_TSTCFG_MODE_LIST + +# determine the mode test automatically +if [[ -z $mode_list ]]; then + # always perform the native c tests + mode_list="c" + + # query the build configuration + if [[ -r "../configure.h" ]]; then + # python tests + [[ "$(grep "ENABLE_PYTHON" ../configure.h | \ + awk '{ print $3 }')" = "1" ]] && \ + mode_list="$mode_list python" + fi +fi + +# check if we specified a list of tests via the environment variable +if [[ -n $LIBSECCOMP_TSTCFG_BATCHES ]]; then + for i in $(echo "$LIBSECCOMP_TSTCFG_BATCHES" | sed 's/,/ /g'); do + batch_list[batch_count]="$i" + batch_count=$(($batch_count+1)) + done +fi + +# default to all tests if batch or single tests not requested +if [[ -z $batch_list ]] && [[ -z $single_list ]]; then + runall=1 +fi + +# drop any requested batch and single tests if all tests were requested +if [[ -n $runall ]]; then + batch_list=() + single_list=() +fi + +# check for configuration via environment variables +[[ -z $type && -n $LIBSECCOMP_TSTCFG_TYPE ]] && type=$LIBSECCOMP_TSTCFG_TYPE + +# open log file for append (default to stdout) +if [[ -n $logfile ]]; then + logfd=3 + exec 3>>"$logfile" +else + logfd=1 +fi + +# open temporary file +if [[ -n $tmpdir ]]; then + tmpfile=$(mktemp -t regression_XXXXXX --tmpdir=$tmpdir) +else + tmpfile=$(mktemp -t regression_XXXXXX) +fi + +# determine the current system's architecture +arch=$($GLBL_SYS_ARCH) + +# display the test output and run the requested tests +echo "=============== $(date) ===============" >&$logfd +echo "Regression Test Report (\"regression $*\")" >&$logfd +for mode in $mode_list; do + run_tests +done +echo "Regression Test Summary" >&$logfd +echo " tests run: $stats_all" >&$logfd +echo " tests skipped: $stats_skipped" >&$logfd +echo " tests passed: $stats_success" >&$logfd +echo " tests failed: 
$stats_failure" >&$logfd +echo " tests errored: $stats_error" >&$logfd +echo "============================================================" >&$logfd + +# cleanup and exit +rm -f $tmpfile +rc=0 +[[ $stats_failure -gt 0 ]] && rc=$(($rc + 2)) +[[ $stats_error -gt 0 ]] && rc=$(($rc + 4)) + +exit $rc diff --git a/tests/testdiff b/tests/testdiff new file mode 100755 index 0000000..927c754 --- /dev/null +++ b/tests/testdiff 
@@ -0,0 +1,126 @@ +#!/bin/bash + +# +# libseccomp test diff generator +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +#### +# functions + +# +# Print out script usage details +# +function usage() { +cat << EOF +usage: regression [-h] LABEL_1 LABEL_2 + +libseccomp test diff generator script +optional arguments: + -h show this help message and exit +EOF +} + +# +# Print the test header +# +# Arguments: +# 1 string containing generated test number +# +function print_test() { + printf "Test %s comparison:\n" "$1" +} + +# +# Compare the tests +# +# Arguments: +# 1 string containing first test label +# 2 string containing second test label +# +function diff_tests() { + local batch_name + local label_a + local label_b + local file_a + local file_b + + if [[ -n $1 ]]; then + label_a=".$1" + else + label_a="" + fi + + if [[ -n $2 ]]; then + label_b=".$2" + else + label_b="" + fi + + for file in *-sim-*.tests; do + # extract the batch name from the file name + batch_name=$(basename $file .tests) + + print_test "$batch_name" + + file_a="${batch_name}${label_a}" + file_b="${batch_name}${label_b}" + + if [[ -r "$file_a.pfc" && -r "$file_b.pfc" ]]; then + diff -pu "$file_a.pfc" "$file_b.pfc" + fi + + if [[ -r "$file_a.bpf" && -r "$file_b.bpf" ]]; then + diff -pu "$file_a.bpf" "$file_b.bpf" + fi + + if [[ -r "$file_a.bpfd" && 
-r "$file_b.bpfd" ]]; then + diff -pu "$file_a.bpfd" "$file_b.bpfd" + fi + done + + return +} + +#### +# main + +opt_label= +opt_disasm=0 + +while getopts "h" opt; do + case $opt in + h|*) + usage + exit 1 + ;; + esac +done + +stats_all=0 +stats_failure=0 + +# display the test output and run the requested tests +echo "=============== $(date) ===============" +echo "Comparing Test Output (\"testdiff $*\")" +diff_tests "$1" "$2" +echo "============================================================" + +# exit +exit 0 diff --git a/tests/testgen b/tests/testgen new file mode 100755 index 0000000..5a940e8 --- /dev/null +++ b/tests/testgen 
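Review bot: The `usage()` text in the new tests/testdiff script prints `usage: regression [-h] LABEL_1 LABEL_2`, which names a different script; it should read `usage: testdiff [-h] LABEL_1 LABEL_2`. In the main section, `opt_label`, `opt_disasm`, `stats_all` and `stats_failure` are assigned but never read anywhere in this file, so they can be dropped. In `diff_tests`, `$file` is unquoted in `basename $file .tests`; `batch_name=$(basename "$file" .tests)` keeps a file name containing whitespace intact.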
@@ -0,0 +1,207 @@ +#!/bin/bash + +# +# libseccomp test output generator +# +# Copyright (c) 2013 Red Hat <pmoore@redhat.com> +# Author: Paul Moore <paul@paul-moore.com> +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License as +# published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License +# for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +#### +# functions + +# +# Dependency verification +# +# Arguments: +# 1 Dependency to check for +# +function verify_deps() { + [[ -z "$1" ]] && return + if ! which "$1" >& /dev/null; then + echo "error: install \"$1\" and include it in your \$PATH" + exit 1 + fi +} + +# +# Print out script usage details +# +function usage() { +cat << EOF +usage: regression [-h] [-d] [-l LABEL] + +libseccomp test output generator script +optional arguments: + -h show this help message and exit + -b generate BPF output + -d generate disassembled BPF output + -p generate PFC output + -v perform valgrind checks + -l [LABEL] specifies label for the test output +EOF +} + +# +# Print the test result +# +# Arguments: +# 1 string containing generated test number +# 2 string containing the test result +# +function print_result() { + printf "Test %s result: %s\n" "$1" "$2" +} + +# +# Run the tests +# +# Arguments: +# 1 string containing output label +# +function run_tests() { + local batch_name + local label + local rc + + if [[ -n $1 ]]; then + label=".$1" + else + label="" + fi + + for file in *-sim-*.tests; do + # extract the batch name from the file name + batch_name=$(basename $file .tests) + + if [[ -x 
"$batch_name" ]]; then + if [[ $opt_pfc -eq 1 ]]; then + ./$batch_name > ${batch_name}${label}.pfc + rc=$? + stats_all=$(($stats_all + 1)) + if [[ $rc -eq 0 ]]; then + print_result "$batch_name [pfc]" "SUCCESS" + else + stats_failure=$(($stats_failure + 1)) + print_result "$batch_name [pfc]" "FAILURE" + fi + fi + + if [[ $opt_bpf -eq 1 ]]; then + ./$batch_name -b > ${batch_name}${label}.bpf + rc=$? + stats_all=$(($stats_all + 1)) + if [[ $rc -eq 0 ]]; then + print_result "$batch_name [bpf]" "SUCCESS" + else + stats_failure=$(($stats_failure + 1)) + print_result "$batch_name [bpf]" "FAILURE" + fi + fi + + if [[ $opt_disasm -eq 1 ]]; then + ./$batch_name -b | \ + ../tools/scmp_bpf_disasm > ${batch_name}${label}.bpfd + rc=$? + stats_all=$(($stats_all + 1)) + if [[ $rc -eq 0 ]]; then + print_result "$batch_name [bpfd]" "SUCCESS" + else + stats_failure=$(($stats_failure + 1)) + print_result "$batch_name [bpfd]" "FAILURE" + fi + fi + + if [[ $opt_valgrind -eq 1 ]]; then + valgrind --tool=memcheck \ + --quiet --error-exitcode=1 \ + --leak-check=full \ + --read-var-info=yes \ + --track-origins=yes \ + --suppressions=valgrind_test.supp \ + -- ./$batch_name -b > /dev/null + rc=$? 
+ stats_all=$(($stats_all + 1)) + if [[ $rc -eq 0 ]]; then + print_result "$batch_name [valgrind]" "SUCCESS" + else + stats_failure=$(($stats_failure + 1)) + print_result "$batch_name [valgrind]" "FAILURE" + fi + fi + else + stats_failure=$(($stats_failure + 1)) + print_result "$batch_name" "FAILURE" + fi + done + + return +} + +#### +# main + +opt_label= +opt_bpf=0 +opt_disasm=0 +opt_pfc=0 +opt_valgrind=0 + +while getopts "bphdl:v" opt; do + case $opt in + b) + opt_bpf=1 + ;; + d) + opt_disasm=1 + ;; + l) + opt_label="$OPTARG" + ;; + p) + opt_pfc=1 + ;; + v) + opt_valgrind=1 + ;; + h|*) + usage + exit 1 + ;; + esac +done + +# verify valgrind +[[ $opt_valgrind -eq 1 ]] && verify_deps valgrind + +stats_all=0 +stats_failure=0 + +# display the test output and run the requested tests +echo "=============== $(date) ===============" +echo "Collecting Test Output (\"testgen $*\")" +run_tests "$opt_label" +echo "Test Summary" +echo " tests run: $stats_all" +echo " tests failed: $stats_failure" +echo "============================================================" + +# cleanup and exit +rc=0 +[[ $stats_failure -gt 0 ]] && rc=$(($rc + 2)) + +exit $rc diff --git a/tests/util.c b/tests/util.c new file mode 100644 index 0000000..f978e8a --- /dev/null +++ b/tests/util.c 
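Review bot: In the `opt_disasm` branch of `run_tests`, the `rc=$?` that follows `./$batch_name -b | ../tools/scmp_bpf_disasm > ${batch_name}${label}.bpfd` holds only the exit status of `scmp_bpf_disasm`, so a test program that fails while emitting the BPF is still reported as SUCCESS. Adding `set -o pipefail` near the top of the script makes `$?` reflect a failure of either command. The `else` branch for a non-executable batch increments `stats_failure` but not `stats_all`, so the summary can show more failures than tests run; adding `stats_all=$(($stats_all + 1))` there keeps the counters consistent. `usage()` prints `usage: regression [-h] [-d] [-l LABEL]` although the script is testgen and `getopts` also accepts `-b`, `-p` and `-v`.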
@@ -0,0 +1,253 @@ +/** + * Seccomp Library utility code for tests + * + * Copyright (c) 2012 Red Hat <eparis@redhat.com> + * Author: Eric Paris <eparis@redhat.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#include <errno.h> +#include <fcntl.h> +#include <getopt.h> +#include <signal.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <seccomp.h> + +#include "util.h" + +/** + * SIGSYS signal handler + * @param nr the signal number + * @param info siginfo_t pointer + * @param void_context handler context + * + * Simple signal handler for SIGSYS which exits with error code 161. + * + */ +static void _trap_handler(int signal, siginfo_t *info, void *ctx) +{ + _exit(161); +} + +/** + * Add rules for gcov/lcov + * @param ctx the filter context + * @param action the action for the rules + * + * This function is to make it easier for developers to temporarily add support + * for gcov/lcov to a test program; it likely should not be used in the normal + * regression tests. Further, this should only be necessary for the "live" + * tests. 
+ * + */ +int util_gcov_rules(const scmp_filter_ctx ctx, int action) +{ + int rc; + + rc = seccomp_rule_add(ctx, action, SCMP_SYS(open), 0); + if (rc != 0) + return rc; + rc = seccomp_rule_add(ctx, action, SCMP_SYS(openat), 0); + if (rc != 0) + return rc; + rc = seccomp_rule_add(ctx, action, SCMP_SYS(fcntl), 0); + if (rc != 0) + return rc; + rc = seccomp_rule_add(ctx, action, SCMP_SYS(lseek), 0); + if (rc != 0) + return rc; + rc = seccomp_rule_add(ctx, action, SCMP_SYS(read), 0); + if (rc != 0) + return rc; + rc = seccomp_rule_add(ctx, action, SCMP_SYS(write), 0); + if (rc != 0) + return rc; + rc = seccomp_rule_add(ctx, action, SCMP_SYS(getpid), 0); + if (rc != 0) + return rc; + + return 0; +} + +/** + * Parse the arguments passed to main + * @param argc the argument count + * @param argv the argument pointer + * @param opts the options structure + * + * This function parses the arguments passed to the test from the command line. + * Returns zero on success and negative values on failure. 
+ * + */ +int util_getopt(int argc, char *argv[], struct util_options *opts) +{ + int rc = 0; + + if (opts == NULL) + return -EFAULT; + + memset(opts, 0, sizeof(*opts)); + while (1) { + int c, option_index = 0; + const struct option long_options[] = { + {"bpf", no_argument, &(opts->bpf_flg), 1}, + {"pfc", no_argument, &(opts->bpf_flg), 0}, + {0, 0, 0, 0}, + }; + + c = getopt_long(argc, argv, "bp", + long_options, &option_index); + if (c == -1) + break; + + switch (c) { + case 0: + break; + case 'b': + opts->bpf_flg = 1; + break; + case 'p': + opts->bpf_flg = 0; + break; + default: + rc = -EINVAL; + break; + } + } + + if (rc == -EINVAL || optind < argc) { + fprintf(stderr, "usage %s: [--bpf,-b] [--pfc,-p]\n", argv[0]); + rc = -EINVAL; + } + + return rc; +} + +/** + * Output the filter in either BPF or PFC + * @param opts the options structure + * @param ctx the filter context + * + * This function outputs the seccomp filter to stdout in either BPF or PFC + * format depending on the test paramaeters supplied by @opts. + * + */ +int util_filter_output(const struct util_options *opts, + const scmp_filter_ctx ctx) +{ + int rc; + + if (opts == NULL) + return -EFAULT; + + if (opts->bpf_flg) + rc = seccomp_export_bpf(ctx, STDOUT_FILENO); + else + rc = seccomp_export_pfc(ctx, STDOUT_FILENO); + + return rc; +} + +/** + * Install a TRAP action signal handler + * + * This function installs the TRAP action signal handler and is based on + * examples from Will Drewry and Kees Cook. Returns zero on success, negative + * values on failure. 
+ * + */ +int util_trap_install(void) +{ + struct sigaction signal_handler; + sigset_t signal_mask; + + memset(&signal_handler, 0, sizeof(signal_handler)); + sigemptyset(&signal_mask); + sigaddset(&signal_mask, SIGSYS); + + signal_handler.sa_sigaction = &_trap_handler; + signal_handler.sa_flags = SA_SIGINFO; + if (sigaction(SIGSYS, &signal_handler, NULL) < 0) + return -errno; + if (sigprocmask(SIG_UNBLOCK, &signal_mask, NULL)) + return -errno; + + return 0; +} + +/** + * Parse a filter action string into an action value + * @param action the action string + * + * Parse a seccomp action string into the associated integer value. Returns + * the correct value on success, -1 on failure. + * + */ +int util_action_parse(const char *action) +{ + if (action == NULL) + return -1; + + if (strcasecmp(action, "KILL") == 0) + return SCMP_ACT_KILL; + if (strcasecmp(action, "KILL_PROCESS") == 0) + return SCMP_ACT_KILL_PROCESS; + else if (strcasecmp(action, "TRAP") == 0) + return SCMP_ACT_TRAP; + else if (strcasecmp(action, "ERRNO") == 0) + return SCMP_ACT_ERRNO(163); + else if (strcasecmp(action, "TRACE") == 0) + return -1; /* not yet supported */ + else if (strcasecmp(action, "ALLOW") == 0) + return SCMP_ACT_ALLOW; + else if (strcasecmp(action, "LOG") == 0) + return SCMP_ACT_LOG; + + return -1; +} + +/** + * Write a string to a file + * @param path the file path + * + * Open the specified file, write a string to the file, and close the file. + * Return zero on success, negative values on error. + * + */ +int util_file_write(const char *path) +{ + int fd; + const char buf[] = "testing"; + ssize_t buf_len = strlen(buf); + + fd = open(path, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + if (fd < 0) + return -errno; + if (write(fd, buf, buf_len) < buf_len) { + int rc = -errno; + close(fd); + return rc; + } + if (close(fd) < 0) + return -errno; + + return 0; +} diff --git a/tests/util.h b/tests/util.h new file mode 100644 index 0000000..909bef5 --- /dev/null +++ b/tests/util.h 
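Review bot: In `util_file_write`, a short write (a non-negative return smaller than `buf_len`) is reported through `-errno`, but `write()` sets errno only when it returns -1, so the function can return 0 or a stale error code for a partial write. Keep the return value and map the short case explicitly: `ssize_t n = write(fd, buf, buf_len);` followed by `int rc = (n < 0 ? -errno : -EIO);` inside the `n < buf_len` branch. The same function opens the file with `O_WRONLY | O_CREAT` and no `O_TRUNC`, so an existing longer file keeps its old tail; a one-line comment would make clear whether that is intended. The doc comment on `_trap_handler` documents `nr` and `void_context`, while the parameters are named `signal` and `ctx`.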
@@ -0,0 +1,42 @@
+/**
+ * Seccomp Library utility code for tests
+ *
+ * Copyright IBM Corp. 2012
+ * Author: Corey Bryant <coreyb@linux.vnet.ibm.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _UTIL_TEST_H
+#define _UTIL_TEST_H
+
+struct util_options {
+ int bpf_flg;
+};
+
+int util_getopt(int argc, char *argv[], struct util_options *opts);
+
+int util_gcov_rules(const scmp_filter_ctx ctx, int action);
+
+int util_filter_output(const struct util_options *opts,
+ const scmp_filter_ctx ctx);
+
+int util_trap_install(void);
+
+int util_action_parse(const char *action);
+
+int util_file_write(const char *path);
+
+#endif
diff --git a/tests/util.py b/tests/util.py
new file mode 100755
index 0000000..e601f2d
--- /dev/null
+++ b/tests/util.py
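Review bot: tests/util.h uses `scmp_filter_ctx` in the `util_gcov_rules` and `util_filter_output` prototypes without including the header that declares it, so it only compiles when the including file pulls in `<seccomp.h>` first, as util.c does. Adding `#include <seccomp.h>` right after the include guard makes the header self-contained. The guard name `_UTIL_TEST_H` starts with an underscore followed by an uppercase letter, a form C reserves for the implementation; `UTIL_TEST_H` avoids that.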
@@ -0,0 +1,109 @@
+#
+# Seccomp Library utility code for tests
+#
+# Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+""" Python utility code for the libseccomp test suite """
+
+import argparse
+import os
+import sys
+import signal
+
+from seccomp import *
+
+def trap_handler(signum, frame):
+ """ SIGSYS signal handler, internal use only
+ """
+ os._exit(161)
+
+def get_opt():
+ """ Parse the arguments passed to main
+
+ Description:
+ Parse the arguments passed to the test from the command line. Returns
+ a parsed argparse object.
+ """
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-b", "--bpf", action="store_true")
+ parser.add_argument("-p", "--pfc", action="store_true")
+ return parser.parse_args()
+
+def filter_output(args, ctx):
+ """ Output the filter in either BPF or PFC
+
+ Arguments:
+ args - an argparse object from UtilGetOpt()
+ ctx - a seccomp SyscallFilter object
+
+ Description:
+ Output the SyscallFilter to stdout in either BPF or PFC format depending
+ on the test's command line arguments.
+ """
+ if (args.bpf):
+ ctx.export_bpf(sys.stdout)
+ else:
+ ctx.export_pfc(sys.stdout)
+
+def install_trap():
+ """ Install a TRAP action signal handler
+
+ Description:
+ Install the TRAP action signal handler.
+ """
+ signal.signal(signal.SIGSYS, trap_handler)
+
+def parse_action(action):
+ """ Parse a filter action string into an action value
+
+ Arguments:
+ action - the action string
+
+ Description:
+ Parse a seccomp action string into the associated integer value.
+ """
+ if action == "KILL":
+ return KILL
+ elif action == "TRAP":
+ return TRAP
+ elif action == "ERRNO":
+ return ERRNO(163)
+ elif action == "TRACE":
+ raise RuntimeError("the TRACE action is not currently supported")
+ elif action == "ALLOW":
+ return ALLOW
+ raise RuntimeError("invalid action string")
+
+
+def write_file(path):
+ """ Write a string to a file
+
+ Arguments:
+ path - the file path
+
+ Description:
+ Open the specified file, write a string to the file, and close the file.
+ """
+ fd = os.open(str(path), os.O_WRONLY|os.O_CREAT)
+ if not os.write(fd, b"testing") == len("testing"):
+ raise IOError("failed to write the full test string in write_file()")
+ os.close(fd)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/valgrind_test.supp b/tests/valgrind_test.supp
new file mode 100644
index 0000000..6a13968
--- /dev/null
+++ b/tests/valgrind_test.supp
@@ -0,0 +1,27 @@
+#
+# Valgrind suppression file for the libseccomp automated tests
+#
+
+# information:
+# to create entries run with the "--gen-suppressions=all" option, e.g.
+# valgrind --gen-suppressions=all ...
+# to use the suppressions run with the "--suppressions" options, e.g.
+# valgrind --suppressions=<file> ...
+
+# Gentoo x86-64 system with valgrind-3.9.0 and glibc-2.19
+{
+ gentoo-x86-64_valgrind-3.9.0_glibc-2.19_1
+ Memcheck:Cond
+ fun:index
+ fun:expand_dynamic_string_token
+ fun:_dl_map_object
+ fun:map_doit
+ fun:_dl_catch_error
+ fun:do_preload
+ fun:dl_main
+ fun:_dl_sysdep_start
+ fun:_dl_start
+ obj:/lib64/ld-2.19.so
+ obj:*
+ obj:*
+} |
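Review bot: `write_file()` in `tests/util.py` calls `os.open()` without a mode argument, so a newly created file gets Python's default of 0o777 (less the umask), whereas the C counterpart `util_file_write()` added by this same commit passes `S_IRUSR | S_IWUSR`. Passing the mode explicitly, `fd = os.open(str(path), os.O_WRONLY|os.O_CREAT, 0o600)`, keeps the two helpers equivalent and stops the test file from being group- or world-accessible under a permissive umask. The descriptor is also leaked when the short-write check raises `IOError`, because `os.close(fd)` is only reached on success; putting the write inside `try:` with `finally: os.close(fd)` closes it on both paths. Separately, `parse_action()` has no branch for the `KILL_PROCESS` and `LOG` strings that `util_action_parse()` accepts, so those inputs fall through to "invalid action string" in the Python tests.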