2 This file is part of systemd.
4 Copyright 2016 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
#include <stdint.h>
#include <stdlib.h>
#include <sys/eventfd.h>
#include <unistd.h>

#include "process-util.h"
#include "seccomp-util.h"
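/*
 * Round-trip the native seccomp architecture through its string form:
 * native arch -> name -> arch, and require that we end up where we started.
 *
 * NOTE(review): the listing this was taken from shows only part of the
 * function body; the declarations and the two extra checks below are what a
 * round-trip test needs. Confirm against upstream.
 */
static void test_seccomp_arch_to_string(void) {
        uint32_t a, b;
        const char *name;

        a = seccomp_arch_native();

        name = seccomp_arch_to_string(a);
        /* Stop here if no name came back, rather than passing NULL on to the parser. */
        assert_se(name);

        assert_se(seccomp_arch_from_string(name, &b) >= 0);
        /* A successful parse is not enough: it must yield the architecture we
         * started from, or a filter could end up being built for the wrong ABI. */
        assert_se(a == b);
}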
/*
 * Name lookup in the table of predefined syscall filter sets: a missing,
 * empty or unknown name yields NULL, and a known "@name" yields the table
 * entry at that set's index.
 */
static void test_syscall_filter_set_find(void) {
        /* Rejected: no name, an empty name, and unknown names both without
         * and with the '@' group prefix. An unknown group must never resolve
         * to some existing set. */
        assert_se(syscall_filter_set_find(NULL) == NULL);
        assert_se(syscall_filter_set_find("") == NULL);
        assert_se(syscall_filter_set_find("quux") == NULL);
        assert_se(syscall_filter_set_find("@quux") == NULL);

        /* Accepted: each known name maps to its own slot in syscall_filter_sets[]. */
        assert_se(&syscall_filter_sets[SYSCALL_FILTER_SET_CLOCK] == syscall_filter_set_find("@clock"));
        assert_se(&syscall_filter_sets[SYSCALL_FILTER_SET_DEFAULT] == syscall_filter_set_find("@default"));
        assert_se(&syscall_filter_sets[SYSCALL_FILTER_SET_RAW_IO] == syscall_filter_set_find("@raw-io"));
}
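/*
 * Load every predefined syscall filter set in a forked child and probe it
 * with a single system call, eventfd().
 *
 * All sets except the default one are loaded as a blacklist (everything is
 * allowed, the set's calls fail with EPERM). The default set is loaded the
 * other way round, as a whitelist (everything fails with EPERM except the
 * set's calls). eventfd() is therefore expected to be refused for the
 * io-event set and for the whitelisted default set, and to work otherwise.
 *
 * NOTE(review): the listing this was taken from shows only part of the
 * function body. The fork(), the error exits and the positive eventfd()
 * check are filled in as the visible statements require; confirm against
 * upstream.
 * NOTE(review): installing a seccomp filter normally needs privileges or
 * no_new_privs. Whether an unprivileged run should be skipped is not visible
 * here; confirm.
 */
static void test_filter_sets(void) {
        unsigned i;

        /* Nothing to test on a system without seccomp support. */
        if (!is_seccomp_available())
                return;

        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
                pid_t pid;

                log_info("Testing %s", syscall_filter_sets[i].name);

                /* A loaded filter cannot be removed again, so each set gets
                 * its own throw-away process. */
                pid = fork();
                assert_se(pid >= 0);

                if (pid == 0) { /* Child */
                        int fd, r;

                        if (i == SYSCALL_FILTER_SET_DEFAULT) /* default set: whitelist instead of blacklist */
                                r = seccomp_load_filter_set(SCMP_ACT_ERRNO(EPERM), syscall_filter_sets + i, SCMP_ACT_ALLOW);
                        else
                                r = seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EPERM));
                        /* A filter that failed to load must fail the test;
                         * probing an unfiltered process would prove nothing. */
                        if (r < 0)
                                _exit(EXIT_FAILURE);

                        /* Test the syscall filter with one system call */
                        fd = eventfd(0, EFD_NONBLOCK|EFD_CLOEXEC);
                        if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT))
                                assert_se(fd < 0 && errno == EPERM);
                        else {
                                /* A set that does not cover eventfd() must
                                 * leave it working, which catches filters that
                                 * block more than they should. */
                                assert_se(fd >= 0);
                                (void) close(fd);
                        }

                        /* Leave through _exit() so that the child never falls
                         * back into the parent's loop. */
                        _exit(EXIT_SUCCESS);
                }

                assert_se(wait_for_terminate_and_warn(syscall_filter_sets[i].name, pid, true) == EXIT_SUCCESS);
        }
}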
96 int main(int argc
, char *argv
[]) {
98 test_seccomp_arch_to_string();
99 test_syscall_filter_set_find();