2 This file is part of systemd.
4 Copyright 2016 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <sys/eventfd.h>
26 #include "process-util.h"
27 #include "seccomp-util.h"
28 #include "string-util.h"
/* Checks that the native seccomp architecture has a string name that the parser accepts again. */
static void test_seccomp_arch_to_string(void) {
        /* … original lines 32–34 are missing from this listing (presumably the
         * declarations of a, b and name — confirm against the full file) … */

        a = seccomp_arch_native();
        /* … original line 36 is missing from this listing … */
        name = seccomp_arch_to_string(a);
        /* … original line 38 is missing from this listing … */

        /* The name produced above must be accepted by the parser; b is passed
         * as the output argument (presumably it receives the parsed id). */
        assert_se(seccomp_arch_from_string(name, &b) >= 0);
        /* … original lines 40–42 are missing from this listing.
         * NOTE(review): no visible line checks name for NULL or compares b
         * with a; confirm the omitted lines do, otherwise this only proves the
         * name parses, not that it maps back to the same architecture … */
/* Checks that architecture names survive a name → id → name conversion. */
static void test_architecture_table(void) {
        /* … original lines 44–65 are missing from this listing: the declarations
         * of n, n2 and c, and whatever supplies each name n, are not visible … */

        /* Parse the name into an architecture id (stored in c) … */
        assert_se(seccomp_arch_from_string(n, &c) >= 0);
        /* … and map that id back to a name. */
        n2 = seccomp_arch_to_string(c);
        /* c is printed with PRIx32, i.e. it is handled as a 32-bit value. */
        log_info("seccomp-arch: %s → 0x%"PRIx32" → %s", n, c, n2);
        /* The name that comes back must equal the one that went in. */
        assert_se(streq_ptr(n, n2));
        /* … original lines 70–72 are missing from this listing … */
/* Looks up syscall filter sets by name: a missing, empty, unprefixed or unknown
 * name must yield no entry, while a known "@" group name must yield the slot
 * of syscall_filter_sets at the matching SYSCALL_FILTER_SET_* index. */
static void test_syscall_filter_set_find(void) {
        /* Names that must not resolve to any set. */
        assert_se(syscall_filter_set_find(NULL) == NULL);
        assert_se(syscall_filter_set_find("") == NULL);
        assert_se(syscall_filter_set_find("quux") == NULL);
        assert_se(syscall_filter_set_find("@quux") == NULL);

        /* Known group names must resolve to their own table entry. */
        assert_se(syscall_filter_set_find("@clock") == &syscall_filter_sets[SYSCALL_FILTER_SET_CLOCK]);
        assert_se(syscall_filter_set_find("@default") == &syscall_filter_sets[SYSCALL_FILTER_SET_DEFAULT]);
        assert_se(syscall_filter_set_find("@raw-io") == &syscall_filter_sets[SYSCALL_FILTER_SET_RAW_IO]);
}
/* Loads every syscall filter set in turn inside a child process (pid == 0
 * branch) and probes the installed filter with a single eventfd() call. */
static void test_filter_sets(void) {
        /* … original lines 85–87 are missing from this listing … */

        /* Guard on kernel/libseccomp support before touching any filter. */
        if (!is_seccomp_available())
        /* … original lines 89–93 are missing from this listing, including the
         * statement controlled by the check above … */

        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
                /* … original lines 95–96 are missing from this listing … */
                log_info("Testing %s", syscall_filter_sets[i].name);
                /* … original lines 98–101 are missing from this listing (pid is
                 * assigned somewhere in them) … */

                if (pid == 0) { /* Child? */
                        /* … original lines 103–104 are missing from this listing … */

                        /* The two calls differ only in which action comes first and
                         * which comes last: for the default set the first argument
                         * is ERRNO(EPERM) and the last is ALLOW, for every other
                         * set it is the other way round. Presumably the first is
                         * the filter's default action and the last the action for
                         * the set's members — confirm against seccomp-util.h. */
                        if (i == SYSCALL_FILTER_SET_DEFAULT) /* if we look at the default set, whitelist instead of blacklist */
                                r = seccomp_load_filter_set(SCMP_ACT_ERRNO(EPERM), syscall_filter_sets + i, SCMP_ACT_ALLOW);
                        /* … original line 107 is missing from this listing (presumably
                         * the else that selects the call below — confirm) … */
                                r = seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EPERM));
                        /* … original lines 109–111 are missing from this listing.
                         * NOTE(review): no visible line checks r; if a failed load
                         * went unnoticed the probe below would run unfiltered —
                         * confirm the omitted lines handle r < 0 … */

                        /* Test the syscall filter with one random system call */
                        fd = eventfd(0, EFD_NONBLOCK|EFD_CLOEXEC);
                        /* Only for the io-event and default sets is eventfd() required
                         * to fail with EPERM. A single probe shows that a filter is
                         * installed and rejects this one call; it does not show that
                         * every syscall in the set is filtered. */
                        if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT))
                                assert_se(fd < 0 && errno == EPERM);
                        /* … original lines 116–123 are missing from this listing (the
                         * handling of the remaining sets and the end of the child
                         * branch are not visible) … */

                /* The child has to terminate with EXIT_SUCCESS for the set to pass. */
                assert_se(wait_for_terminate_and_warn(syscall_filter_sets[i].name, pid, true) == EXIT_SUCCESS);
        /* … original lines 125–127 are missing from this listing … */
128 int main(int argc
, char *argv
[]) {
130 test_seccomp_arch_to_string();
131 test_architecture_table();
132 test_syscall_filter_set_find();