src/test/test-seccomp.c

   1 /***
   2   This file is part of systemd.
   3
   4   Copyright 2016 Lennart Poettering
   5
   6   systemd is free software; you can redistribute it and/or modify it
   7   under the terms of the GNU Lesser General Public License as published by
   8   the Free Software Foundation; either version 2.1 of the License, or
   9   (at your option) any later version.
  10
  11   systemd is distributed in the hope that it will be useful, but
  12   WITHOUT ANY WARRANTY; without even the implied warranty of
  13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  14   Lesser General Public License for more details.
  15
  16   You should have received a copy of the GNU Lesser General Public License
  17   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  18 ***/
  19
  20 #include <stdlib.h>
  21 #include <sys/eventfd.h>
  22 #include <unistd.h>
  23
  24 #include "fd-util.h"
  25 #include "macro.h"
  26 #include "process-util.h"
  27 #include "seccomp-util.h"
  28 #include "string-util.h"
  29 #include "util.h"
  30
  31 static void test_seccomp_arch_to_string(void) {
  32         uint32_t a, b;
  33         const char *name;
  34
  35         a = seccomp_arch_native();
  36         assert_se(a > 0);
  37         name = seccomp_arch_to_string(a);
  38         assert_se(name);
  39         assert_se(seccomp_arch_from_string(name, &b) >= 0);
  40         assert_se(a == b);
  41 }
  42
  43 static void test_architecture_table(void) {
  44         const char *n, *n2;
  45
  46         NULSTR_FOREACH(n,
  47                        "native\0"
  48                        "x86\0"
  49                        "x86-64\0"
  50                        "x32\0"
  51                        "arm\0"
  52                        "arm64\0"
  53                        "mips\0"
  54                        "mips64\0"
  55                        "mips64-n32\0"
  56                        "mips-le\0"
  57                        "mips64-le\0"
  58                        "mips64-le-n32\0"
  59                        "ppc\0"
  60                        "ppc64\0"
  61                        "ppc64-le\0"
  62                        "s390\0"
  63                        "s390x\0") {
  64                 uint32_t c;
  65
  66                 assert_se(seccomp_arch_from_string(n, &c) >= 0);
  67                 n2 = seccomp_arch_to_string(c);
  68                 log_info("seccomp-arch: %s → 0x%"PRIx32" → %s", n, c, n2);
  69                 assert_se(streq_ptr(n, n2));
  70         }
  71 }
  72
  73 static void test_syscall_filter_set_find(void) {
  74         assert_se(!syscall_filter_set_find(NULL));
  75         assert_se(!syscall_filter_set_find(""));
  76         assert_se(!syscall_filter_set_find("quux"));
  77         assert_se(!syscall_filter_set_find("@quux"));
  78
  79         assert_se(syscall_filter_set_find("@clock") == syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK);
  80         assert_se(syscall_filter_set_find("@default") == syscall_filter_sets + SYSCALL_FILTER_SET_DEFAULT);
  81         assert_se(syscall_filter_set_find("@raw-io") == syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO);
  82 }
  83
  84 static void test_filter_sets(void) {
  85         unsigned i;
  86         int r;
  87
  88         if (!is_seccomp_available())
  89                 return;
  90
  91         if (geteuid() != 0)
  92                 return;
  93
  94         for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
  95                 pid_t pid;
  96
  97                 log_info("Testing %s", syscall_filter_sets[i].name);
  98
  99                 pid = fork();
 100                 assert_se(pid >= 0);
 101
 102                 if (pid == 0) { /* Child? */
 103                         int fd;
 104
 105                         if (i == SYSCALL_FILTER_SET_DEFAULT) /* if we look at the default set, whitelist instead of blacklist */
 106                                 r = seccomp_load_filter_set(SCMP_ACT_ERRNO(EPERM), syscall_filter_sets + i, SCMP_ACT_ALLOW);
 107                         else
 108                                 r = seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EPERM));
 109                         if (r < 0)
 110                                 _exit(EXIT_FAILURE);
 111
 112                         /* Test the sycall filter with one random system call */
 113                         fd = eventfd(0, EFD_NONBLOCK|EFD_CLOEXEC);
 114                         if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT))
 115                                 assert_se(fd < 0 && errno == EPERM);
 116                         else {
 117                                 assert_se(fd >= 0);
 118                                 safe_close(fd);
 119                         }
 120
 121                         _exit(EXIT_SUCCESS);
 122                 }
 123
 124                 assert_se(wait_for_terminate_and_warn(syscall_filter_sets[i].name, pid, true) == EXIT_SUCCESS);
 125         }
 126 }
 127
 128 int main(int argc, char *argv[]) {
 129
 130         test_seccomp_arch_to_string();
 131         test_architecture_table();
 132         test_syscall_filter_set_find();
 133         test_filter_sets();
 134
 135         return 0;
 136 }