]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/test/test-seccomp.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
test-seccomp: minor simpification
[thirdparty/systemd.git] / src / test / test-seccomp.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
f6281133 2
f5947a5e 3#include <fcntl.h>
d7e454ba 4#include <poll.h>
f6281133
LP		 5#include <stdlib.h>
6#include <sys/eventfd.h>
469830d1 7#include <sys/mman.h>
78e864e5 8#include <sys/personality.h>
2a65bd94 9#include <sys/shm.h>
dff6c629 10#include <sys/syscall.h>
2a65bd94
ZJS		 11#include <sys/types.h>
12#include <unistd.h>
f6281133 13
add00535 14#include "alloc-util.h"
f6281133 15#include "fd-util.h"
3c14dc61 16#include "fileio.h"
f6281133 17#include "macro.h"
0a970718 18#include "memory-util.h"
f5947a5e 19#include "missing_sched.h"
add00535 20#include "nsflags.h"
d8b4d14d 21#include "nulstr-util.h"
f6281133 22#include "process-util.h"
add00535 23#include "raw-clone.h"
167fc10c 24#include "rm-rf.h"
f6281133 25#include "seccomp-util.h"
469830d1 26#include "set.h"
aa34055f 27#include "string-util.h"
6d7c4033 28#include "tests.h"
167fc10c 29#include "tmpfile-util.h"
469830d1 30#include "virt.h"
f6281133 31
4df8fe84 32/* __NR_socket may be invalid due to libseccomp */
fb4b0465 33#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
da1921a5
ZJS		 34/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
35 * and we can't restrict it hence via seccomp. */
36# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
37#else
38# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
39#endif
40
f6281133
LP		 41static void test_seccomp_arch_to_string(void) {
42 uint32_t a, b;
43 const char *name;
44
f09da7cc
ZJS		 45 log_info("/* %s */", __func__);
46
f6281133
LP		 47 a = seccomp_arch_native();
48 assert_se(a > 0);
49 name = seccomp_arch_to_string(a);
50 assert_se(name);
51 assert_se(seccomp_arch_from_string(name, &b) >= 0);
52 assert_se(a == b);
53}
54
aa34055f
ZJS		 55static void test_architecture_table(void) {
56 const char *n, *n2;
57
f09da7cc
ZJS		 58 log_info("/* %s */", __func__);
59
aa34055f
ZJS		 60 NULSTR_FOREACH(n,
61 "native\0"
62 "x86\0"
63 "x86-64\0"
64 "x32\0"
65 "arm\0"
66 "arm64\0"
67 "mips\0"
68 "mips64\0"
69 "mips64-n32\0"
70 "mips-le\0"
71 "mips64-le\0"
72 "mips64-le-n32\0"
73 "ppc\0"
74 "ppc64\0"
75 "ppc64-le\0"
76 "s390\0"
77 "s390x\0") {
78 uint32_t c;
79
80 assert_se(seccomp_arch_from_string(n, &c) >= 0);
81 n2 = seccomp_arch_to_string(c);
82 log_info("seccomp-arch: %s → 0x%"PRIx32" → %s", n, c, n2);
83 assert_se(streq_ptr(n, n2));
84 }
85}
86
f6281133 87static void test_syscall_filter_set_find(void) {
f09da7cc
ZJS		 88 log_info("/* %s */", __func__);
89
f6281133
LP		 90 assert_se(!syscall_filter_set_find(NULL));
91 assert_se(!syscall_filter_set_find(""));
92 assert_se(!syscall_filter_set_find("quux"));
93 assert_se(!syscall_filter_set_find("@quux"));
94
95 assert_se(syscall_filter_set_find("@clock") == syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK);
96 assert_se(syscall_filter_set_find("@default") == syscall_filter_sets + SYSCALL_FILTER_SET_DEFAULT);
97 assert_se(syscall_filter_set_find("@raw-io") == syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO);
98}
99
100static void test_filter_sets(void) {
f09da7cc
ZJS		 101 log_info("/* %s */", __func__);
102
cd90ec75
YW		 103 if (!is_seccomp_available()) {
104 log_notice("Seccomp not available, skipping %s", __func__);
f6281133 105 return;
cd90ec75
YW		 106 }
107 if (geteuid() != 0) {
108 log_notice("Not root, skipping %s", __func__);
f6281133 109 return;
cd90ec75 110 }
f6281133 111
604b163a 112 for (unsigned i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
f6281133
LP		 113 pid_t pid;
114
115 log_info("Testing %s", syscall_filter_sets[i].name);
116
117 pid = fork();
118 assert_se(pid >= 0);
119
120 if (pid == 0) { /* Child? */
604b163a 121 int fd, r;
f6281133 122
6b000af4 123 /* If we look at the default set (or one that includes it), allow-list instead of deny-list */
70526841 124 if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE))
b54f36c6 125 r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
f6281133 126 else
b54f36c6 127 r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
f6281133
LP		 128 if (r < 0)
129 _exit(EXIT_FAILURE);
130
131 /* Test the sycall filter with one random system call */
132 fd = eventfd(0, EFD_NONBLOCK|EFD_CLOEXEC);
133 if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT))
469830d1 134 assert_se(fd < 0 && errno == EUCLEAN);
f6281133
LP		 135 else {
136 assert_se(fd >= 0);
137 safe_close(fd);
138 }
139
140 _exit(EXIT_SUCCESS);
141 }
142
7d4904fe 143 assert_se(wait_for_terminate_and_check(syscall_filter_sets[i].name, pid, WAIT_LOG) == EXIT_SUCCESS);
f6281133
LP		 144 }
145}
146
23e12f8e
ZJS		 147static void test_filter_sets_ordered(void) {
148 size_t i;
149
f09da7cc
ZJS		 150 log_info("/* %s */", __func__);
151
23e12f8e
ZJS		 152 /* Ensure "@default" always remains at the beginning of the list */
153 assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
154 assert_se(streq(syscall_filter_sets[0].name, "@default"));
155
156 for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
157 const char *k, *p = NULL;
158
159 /* Make sure each group has a description */
160 assert_se(!isempty(syscall_filter_sets[0].help));
161
162 /* Make sure the groups are ordered alphabetically, except for the first entry */
163 assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
164
165 NULSTR_FOREACH(k, syscall_filter_sets[i].value) {
166
167 /* Ensure each syscall list is in itself ordered, but groups before names */
168 assert_se(!p ||
169 (*p == '@' && *k != '@') ||
170 (((*p == '@' && *k == '@') ||
171 (*p != '@' && *k != '@')) &&
172 strcmp(p, k) < 0));
173
174 p = k;
175 }
176 }
177}
178
add00535 179static void test_restrict_namespace(void) {
86c2a9f1 180 char *s = NULL;
add00535 181 unsigned long ul;
469830d1 182 pid_t pid;
add00535 183
5f00dc4d
LP		 184 if (!have_namespaces()) {
185 log_notice("Testing without namespaces, skipping %s", __func__);
186 return;
187 }
188
f09da7cc
ZJS		 189 log_info("/* %s */", __func__);
190
dd0395b5 191 assert_se(namespace_flags_to_string(0, &s) == 0 && isempty(s));
86c2a9f1
YW		 192 s = mfree(s);
193 assert_se(namespace_flags_to_string(CLONE_NEWNS, &s) == 0 && streq(s, "mnt"));
194 s = mfree(s);
195 assert_se(namespace_flags_to_string(CLONE_NEWNS|CLONE_NEWIPC, &s) == 0 && streq(s, "ipc mnt"));
196 s = mfree(s);
197 assert_se(namespace_flags_to_string(CLONE_NEWCGROUP, &s) == 0 && streq(s, "cgroup"));
198 s = mfree(s);
199
200 assert_se(namespace_flags_from_string("mnt", &ul) == 0 && ul == CLONE_NEWNS);
201 assert_se(namespace_flags_from_string(NULL, &ul) == 0 && ul == 0);
202 assert_se(namespace_flags_from_string("", &ul) == 0 && ul == 0);
203 assert_se(namespace_flags_from_string("uts", &ul) == 0 && ul == CLONE_NEWUTS);
204 assert_se(namespace_flags_from_string("mnt uts ipc", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC));
205
206 assert_se(namespace_flags_to_string(CLONE_NEWUTS, &s) == 0 && streq(s, "uts"));
207 assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == CLONE_NEWUTS);
208 s = mfree(s);
209 assert_se(namespace_flags_from_string("ipc", &ul) == 0 && ul == CLONE_NEWIPC);
210 assert_se(namespace_flags_to_string(ul, &s) == 0 && streq(s, "ipc"));
211 s = mfree(s);
212
213 assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0);
add00535 214 assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
86c2a9f1
YW		 215 assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
216 s = mfree(s);
add00535 217
cd90ec75
YW		 218 if (!is_seccomp_available()) {
219 log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
add00535 220 return;
cd90ec75
YW		 221 }
222 if (geteuid() != 0) {
223 log_notice("Not root, skipping remaining tests in %s", __func__);
add00535 224 return;
cd90ec75 225 }
add00535
LP		 226
227 pid = fork();
228 assert_se(pid >= 0);
229
230 if (pid == 0) {
231
232 assert_se(seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0);
233
234 assert_se(unshare(CLONE_NEWNS) == 0);
235 assert_se(unshare(CLONE_NEWNET) == 0);
236 assert_se(unshare(CLONE_NEWUTS) == -1);
237 assert_se(errno == EPERM);
238 assert_se(unshare(CLONE_NEWIPC) == -1);
239 assert_se(errno == EPERM);
240 assert_se(unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1);
241 assert_se(errno == EPERM);
242
243 /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our
244 * seccomp filter worked, and hits first and makes it return EPERM */
245 assert_se(setns(0, CLONE_NEWNS) == -1);
246 assert_se(errno == EINVAL);
247 assert_se(setns(0, CLONE_NEWNET) == -1);
248 assert_se(errno == EINVAL);
249 assert_se(setns(0, CLONE_NEWUTS) == -1);
250 assert_se(errno == EPERM);
251 assert_se(setns(0, CLONE_NEWIPC) == -1);
252 assert_se(errno == EPERM);
253 assert_se(setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1);
254 assert_se(errno == EPERM);
255 assert_se(setns(0, 0) == -1);
256 assert_se(errno == EPERM);
257
258 pid = raw_clone(CLONE_NEWNS);
259 assert_se(pid >= 0);
260 if (pid == 0)
261 _exit(EXIT_SUCCESS);
262 pid = raw_clone(CLONE_NEWNET);
263 assert_se(pid >= 0);
264 if (pid == 0)
265 _exit(EXIT_SUCCESS);
266 pid = raw_clone(CLONE_NEWUTS);
267 assert_se(pid < 0);
268 assert_se(errno == EPERM);
269 pid = raw_clone(CLONE_NEWIPC);
270 assert_se(pid < 0);
271 assert_se(errno == EPERM);
272 pid = raw_clone(CLONE_NEWNET|CLONE_NEWUTS);
273 assert_se(pid < 0);
274 assert_se(errno == EPERM);
275
276 _exit(EXIT_SUCCESS);
277 }
278
7d4904fe 279 assert_se(wait_for_terminate_and_check("nsseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
add00535
LP		 280}
281
469830d1
LP		 282static void test_protect_sysctl(void) {
283 pid_t pid;
3c14dc61 284 _cleanup_free_ char *seccomp = NULL;
469830d1 285
f09da7cc
ZJS		 286 log_info("/* %s */", __func__);
287
cd90ec75
YW		 288 if (!is_seccomp_available()) {
289 log_notice("Seccomp not available, skipping %s", __func__);
469830d1 290 return;
cd90ec75
YW		 291 }
292 if (geteuid() != 0) {
293 log_notice("Not root, skipping %s", __func__);
469830d1 294 return;
cd90ec75 295 }
469830d1 296
cd90ec75
YW		 297 /* in containers _sysctl() is likely missing anyway */
298 if (detect_container() > 0) {
299 log_notice("Testing in container, skipping %s", __func__);
469830d1 300 return;
cd90ec75 301 }
469830d1 302
3c14dc61
TM		 303 assert_se(get_proc_field("/proc/self/status", "Seccomp", WHITESPACE, &seccomp) == 0);
304 if (!streq(seccomp, "0"))
305 log_warning("Warning: seccomp filter detected, results may be unreliable for %s", __func__);
306
469830d1
LP		 307 pid = fork();
308 assert_se(pid >= 0);
309
310 if (pid == 0) {
fb4b0465 311#if defined __NR__sysctl && __NR__sysctl >= 0
469830d1
LP		 312 assert_se(syscall(__NR__sysctl, NULL) < 0);
313 assert_se(errno == EFAULT);
2e64e8f4 314#endif
469830d1
LP		 315
316 assert_se(seccomp_protect_sysctl() >= 0);
317
fb4b0465 318#if defined __NR__sysctl && __NR__sysctl >= 0
469830d1
LP		 319 assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
320 assert_se(errno == EPERM);
2e64e8f4 321#endif
469830d1
LP		 322
323 _exit(EXIT_SUCCESS);
324 }
325
7d4904fe 326 assert_se(wait_for_terminate_and_check("sysctlseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
469830d1
LP		 327}
328
97d05f3b
KK		 329static void test_protect_syslog(void) {
330 pid_t pid;
331
332 log_info("/* %s */", __func__);
333
334 if (!is_seccomp_available()) {
335 log_notice("Seccomp not available, skipping %s", __func__);
336 return;
337 }
338 if (geteuid() != 0) {
339 log_notice("Not root, skipping %s", __func__);
340 return;
341 }
342
343 /* in containers syslog() is likely missing anyway */
344 if (detect_container() > 0) {
345 log_notice("Testing in container, skipping %s", __func__);
346 return;
347 }
348
349 pid = fork();
350 assert_se(pid >= 0);
351
352 if (pid == 0) {
fb4b0465 353#if defined __NR_syslog && __NR_syslog >= 0
97d05f3b
KK		 354 assert_se(syscall(__NR_syslog, -1, NULL, 0) < 0);
355 assert_se(errno == EINVAL);
356#endif
357
358 assert_se(seccomp_protect_syslog() >= 0);
359
fb4b0465 360#if defined __NR_syslog && __NR_syslog >= 0
97d05f3b
KK		 361 assert_se(syscall(__NR_syslog, 0, 0, 0) < 0);
362 assert_se(errno == EPERM);
363#endif
364
365 _exit(EXIT_SUCCESS);
366 }
367
368 assert_se(wait_for_terminate_and_check("syslogseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
369}
370
469830d1
LP		 371static void test_restrict_address_families(void) {
372 pid_t pid;
373
f09da7cc
ZJS		 374 log_info("/* %s */", __func__);
375
cd90ec75
YW		 376 if (!is_seccomp_available()) {
377 log_notice("Seccomp not available, skipping %s", __func__);
469830d1 378 return;
cd90ec75
YW		 379 }
380 if (geteuid() != 0) {
381 log_notice("Not root, skipping %s", __func__);
469830d1 382 return;
cd90ec75 383 }
469830d1
LP		 384
385 pid = fork();
386 assert_se(pid >= 0);
387
388 if (pid == 0) {
389 int fd;
390 Set *s;
391
392 fd = socket(AF_INET, SOCK_DGRAM, 0);
393 assert_se(fd >= 0);
394 safe_close(fd);
395
396 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
397 assert_se(fd >= 0);
398 safe_close(fd);
399
400 fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
401 assert_se(fd >= 0);
402 safe_close(fd);
403
404 assert_se(s = set_new(NULL));
405 assert_se(set_put(s, INT_TO_PTR(AF_UNIX)) >= 0);
406
407 assert_se(seccomp_restrict_address_families(s, false) >= 0);
408
409 fd = socket(AF_INET, SOCK_DGRAM, 0);
410 assert_se(fd >= 0);
411 safe_close(fd);
412
ad8f1479 413 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
dce0e620 414#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
ad8f1479
LP		 415 assert_se(fd >= 0);
416 safe_close(fd);
417#else
dce0e620 418 assert_se(fd < 0);
469830d1 419 assert_se(errno == EAFNOSUPPORT);
ad8f1479 420#endif
469830d1
LP		 421
422 fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
423 assert_se(fd >= 0);
424 safe_close(fd);
425
426 set_clear(s);
427
428 assert_se(set_put(s, INT_TO_PTR(AF_INET)) >= 0);
429
430 assert_se(seccomp_restrict_address_families(s, true) >= 0);
431
432 fd = socket(AF_INET, SOCK_DGRAM, 0);
433 assert_se(fd >= 0);
434 safe_close(fd);
435
ad8f1479 436 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
dce0e620 437#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
ad8f1479
LP		 438 assert_se(fd >= 0);
439 safe_close(fd);
dce0e620
ZJS		 440#else
441 assert_se(fd < 0);
442 assert_se(errno == EAFNOSUPPORT);
443#endif
ad8f1479
LP		 444
445 fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
dce0e620 446#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
ad8f1479
LP		 447 assert_se(fd >= 0);
448 safe_close(fd);
449#else
dce0e620 450 assert_se(fd < 0);
469830d1 451 assert_se(errno == EAFNOSUPPORT);
ad8f1479 452#endif
469830d1
LP		 453
454 _exit(EXIT_SUCCESS);
455 }
456
7d4904fe 457 assert_se(wait_for_terminate_and_check("socketseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
469830d1
LP		 458}
459
460static void test_restrict_realtime(void) {
461 pid_t pid;
462
f09da7cc
ZJS		 463 log_info("/* %s */", __func__);
464
cd90ec75
YW		 465 if (!is_seccomp_available()) {
466 log_notice("Seccomp not available, skipping %s", __func__);
469830d1 467 return;
cd90ec75
YW		 468 }
469 if (geteuid() != 0) {
470 log_notice("Not root, skipping %s", __func__);
469830d1 471 return;
cd90ec75 472 }
469830d1 473
cd90ec75
YW		 474 /* in containers RT privs are likely missing anyway */
475 if (detect_container() > 0) {
476 log_notice("Testing in container, skipping %s", __func__);
469830d1 477 return;
cd90ec75 478 }
469830d1
LP		 479
480 pid = fork();
481 assert_se(pid >= 0);
482
483 if (pid == 0) {
484 assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) >= 0);
485 assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) >= 0);
486 assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0);
487 assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0);
488 assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0);
489
490 assert_se(seccomp_restrict_realtime() >= 0);
491
492 assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0);
493 assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0);
494 assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0);
495
496 assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) < 0);
497 assert_se(errno == EPERM);
498 assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) < 0);
499 assert_se(errno == EPERM);
500
501 _exit(EXIT_SUCCESS);
502 }
503
7d4904fe 504 assert_se(wait_for_terminate_and_check("realtimeseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
469830d1
LP		 505}
506
2a65bd94 507static void test_memory_deny_write_execute_mmap(void) {
469830d1
LP		 508 pid_t pid;
509
f09da7cc
ZJS		 510 log_info("/* %s */", __func__);
511
cd90ec75
YW		 512 if (!is_seccomp_available()) {
513 log_notice("Seccomp not available, skipping %s", __func__);
469830d1 514 return;
cd90ec75
YW		 515 }
516 if (geteuid() != 0) {
517 log_notice("Not root, skipping %s", __func__);
469830d1 518 return;
cd90ec75 519 }
469830d1
LP		 520
521 pid = fork();
522 assert_se(pid >= 0);
523
524 if (pid == 0) {
525 void *p;
526
527 p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
528 assert_se(p != MAP_FAILED);
529 assert_se(munmap(p, page_size()) >= 0);
530
8a50cf69
LP		 531 p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
532 assert_se(p != MAP_FAILED);
533 assert_se(munmap(p, page_size()) >= 0);
469830d1 534
8a50cf69
LP		 535 assert_se(seccomp_memory_deny_write_execute() >= 0);
536
8a50cf69 537 p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
4278d1f5 538#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
469830d1
LP		 539 assert_se(p == MAP_FAILED);
540 assert_se(errno == EPERM);
8a50cf69 541#endif
49219b5c
CE		 542 /* Depending on kernel, libseccomp, and glibc versions, other architectures
543 * might fail or not. Let's not assert success. */
544 if (p != MAP_FAILED)
545 assert_se(munmap(p, page_size()) == 0);
469830d1
LP		 546
547 p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
548 assert_se(p != MAP_FAILED);
549 assert_se(munmap(p, page_size()) >= 0);
550
551 _exit(EXIT_SUCCESS);
552 }
553
7d4904fe 554 assert_se(wait_for_terminate_and_check("memoryseccomp-mmap", pid, WAIT_LOG) == EXIT_SUCCESS);
2a65bd94
ZJS		 555}
556
557static void test_memory_deny_write_execute_shmat(void) {
558 int shmid;
559 pid_t pid;
e55bdf9b 560 uint32_t arch;
2a65bd94 561
f09da7cc
ZJS		 562 log_info("/* %s */", __func__);
563
e55bdf9b
ZJS		 564 SECCOMP_FOREACH_LOCAL_ARCH(arch) {
565 log_debug("arch %s: SCMP_SYS(mmap) = %d", seccomp_arch_to_string(arch), SCMP_SYS(mmap));
566 log_debug("arch %s: SCMP_SYS(mmap2) = %d", seccomp_arch_to_string(arch), SCMP_SYS(mmap2));
567 log_debug("arch %s: SCMP_SYS(shmget) = %d", seccomp_arch_to_string(arch), SCMP_SYS(shmget));
568 log_debug("arch %s: SCMP_SYS(shmat) = %d", seccomp_arch_to_string(arch), SCMP_SYS(shmat));
569 log_debug("arch %s: SCMP_SYS(shmdt) = %d", seccomp_arch_to_string(arch), SCMP_SYS(shmdt));
570 }
571
cd90ec75
YW		 572 if (!is_seccomp_available()) {
573 log_notice("Seccomp not available, skipping %s", __func__);
2a65bd94 574 return;
cd90ec75
YW		 575 }
576 if (geteuid() != 0) {
577 log_notice("Not root, skipping %s", __func__);
2a65bd94 578 return;
cd90ec75 579 }
2a65bd94
ZJS		 580
581 shmid = shmget(IPC_PRIVATE, page_size(), 0);
582 assert_se(shmid >= 0);
583
584 pid = fork();
585 assert_se(pid >= 0);
586
587 if (pid == 0) {
588 void *p;
589
590 p = shmat(shmid, NULL, 0);
591 assert_se(p != MAP_FAILED);
592 assert_se(shmdt(p) == 0);
593
594 p = shmat(shmid, NULL, SHM_EXEC);
595 assert_se(p != MAP_FAILED);
596 assert_se(shmdt(p) == 0);
597
598 assert_se(seccomp_memory_deny_write_execute() >= 0);
599
600 p = shmat(shmid, NULL, SHM_EXEC);
67fb5f33 601 log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");
4278d1f5 602#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
2a65bd94
ZJS		 603 assert_se(p == MAP_FAILED);
604 assert_se(errno == EPERM);
2a65bd94 605#endif
67fb5f33
ZJS		 606 /* Depending on kernel, libseccomp, and glibc versions, other architectures
607 * might fail or not. Let's not assert success. */
608 if (p != MAP_FAILED)
609 assert_se(shmdt(p) == 0);
2a65bd94
ZJS		 610
611 p = shmat(shmid, NULL, 0);
67fb5f33 612 log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(0): %m");
2a65bd94
ZJS		 613 assert_se(p != MAP_FAILED);
614 assert_se(shmdt(p) == 0);
615
616 _exit(EXIT_SUCCESS);
617 }
618
7d4904fe 619 assert_se(wait_for_terminate_and_check("memoryseccomp-shmat", pid, WAIT_LOG) == EXIT_SUCCESS);
469830d1
LP		 620}
621
622static void test_restrict_archs(void) {
623 pid_t pid;
624
f09da7cc
ZJS		 625 log_info("/* %s */", __func__);
626
cd90ec75
YW		 627 if (!is_seccomp_available()) {
628 log_notice("Seccomp not available, skipping %s", __func__);
469830d1 629 return;
cd90ec75
YW		 630 }
631 if (geteuid() != 0) {
632 log_notice("Not root, skipping %s", __func__);
469830d1 633 return;
cd90ec75 634 }
469830d1
LP		 635
636 pid = fork();
637 assert_se(pid >= 0);
638
639 if (pid == 0) {
640 _cleanup_set_free_ Set *s = NULL;
641
642 assert_se(access("/", F_OK) >= 0);
643
644 assert_se(s = set_new(NULL));
645
646#ifdef __x86_64__
647 assert_se(set_put(s, UINT32_TO_PTR(SCMP_ARCH_X86+1)) >= 0);
648#endif
649 assert_se(seccomp_restrict_archs(s) >= 0);
650
651 assert_se(access("/", F_OK) >= 0);
652 assert_se(seccomp_restrict_archs(NULL) >= 0);
653
654 assert_se(access("/", F_OK) >= 0);
655
656 _exit(EXIT_SUCCESS);
657 }
658
7d4904fe 659 assert_se(wait_for_terminate_and_check("archseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
469830d1
LP		 660}
661
662static void test_load_syscall_filter_set_raw(void) {
663 pid_t pid;
664
f09da7cc
ZJS		 665 log_info("/* %s */", __func__);
666
cd90ec75
YW		 667 if (!is_seccomp_available()) {
668 log_notice("Seccomp not available, skipping %s", __func__);
469830d1 669 return;
cd90ec75
YW		 670 }
671 if (geteuid() != 0) {
672 log_notice("Not root, skipping %s", __func__);
469830d1 673 return;
cd90ec75 674 }
469830d1
LP		 675
676 pid = fork();
677 assert_se(pid >= 0);
678
679 if (pid == 0) {
b4891260 680 _cleanup_hashmap_free_ Hashmap *s = NULL;
469830d1
LP		 681
682 assert_se(access("/", F_OK) >= 0);
683 assert_se(poll(NULL, 0, 0) == 0);
684
7bbc229c 685 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0);
469830d1
LP		 686 assert_se(access("/", F_OK) >= 0);
687 assert_se(poll(NULL, 0, 0) == 0);
688
b4891260 689 assert_se(s = hashmap_new(NULL));
fb4b0465 690#if defined __NR_access && __NR_access >= 0
b4891260 691 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
f60a865a 692#else
b4891260 693 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
f60a865a 694#endif
469830d1 695
b54f36c6 696 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0);
469830d1
LP		 697
698 assert_se(access("/", F_OK) < 0);
699 assert_se(errno == EUCLEAN);
700
701 assert_se(poll(NULL, 0, 0) == 0);
702
b4891260 703 s = hashmap_free(s);
469830d1 704
b4891260 705 assert_se(s = hashmap_new(NULL));
fb4b0465 706#if defined __NR_access && __NR_access >= 0
b4891260
YW		 707 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
708#else
709 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
710#endif
711
b54f36c6 712 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0);
b4891260
YW		 713
714 assert_se(access("/", F_OK) < 0);
715 assert_se(errno == EILSEQ);
716
717 assert_se(poll(NULL, 0, 0) == 0);
718
719 s = hashmap_free(s);
720
721 assert_se(s = hashmap_new(NULL));
fb4b0465 722#if defined __NR_poll && __NR_poll >= 0
b4891260 723 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
f60a865a 724#else
b4891260 725 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
f60a865a 726#endif
469830d1 727
b54f36c6 728 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0);
469830d1
LP		 729
730 assert_se(access("/", F_OK) < 0);
b4891260 731 assert_se(errno == EILSEQ);
469830d1
LP		 732
733 assert_se(poll(NULL, 0, 0) < 0);
734 assert_se(errno == EUNATCH);
735
b4891260
YW		 736 s = hashmap_free(s);
737
738 assert_se(s = hashmap_new(NULL));
fb4b0465 739#if defined __NR_poll && __NR_poll >= 0
b4891260
YW		 740 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
741#else
742 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
743#endif
744
b54f36c6 745 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0);
b4891260
YW		 746
747 assert_se(access("/", F_OK) < 0);
748 assert_se(errno == EILSEQ);
749
750 assert_se(poll(NULL, 0, 0) < 0);
751 assert_se(errno == EILSEQ);
752
469830d1
LP		 753 _exit(EXIT_SUCCESS);
754 }
755
7d4904fe 756 assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
469830d1
LP		 757}
758
78e864e5 759static void test_lock_personality(void) {
e8132d63 760 unsigned long current;
78e864e5
TM		 761 pid_t pid;
762
f09da7cc
ZJS		 763 log_info("/* %s */", __func__);
764
cd90ec75
YW		 765 if (!is_seccomp_available()) {
766 log_notice("Seccomp not available, skipping %s", __func__);
78e864e5 767 return;
cd90ec75
YW		 768 }
769 if (geteuid() != 0) {
770 log_notice("Not root, skipping %s", __func__);
78e864e5 771 return;
cd90ec75 772 }
78e864e5 773
e8132d63
LP		 774 assert_se(opinionated_personality(&current) >= 0);
775
776 log_info("current personality=%lu", current);
777
78e864e5
TM		 778 pid = fork();
779 assert_se(pid >= 0);
780
781 if (pid == 0) {
e8132d63 782 assert_se(seccomp_lock_personality(current) >= 0);
78e864e5 783
21022b9d 784 assert_se((unsigned long) safe_personality(current) == current);
e8132d63 785
21022b9d
LP		 786 /* Note, we also test that safe_personality() works correctly, by checkig whether errno is properly
787 * set, in addition to the return value */
788 errno = 0;
789 assert_se(safe_personality(PER_LINUX | ADDR_NO_RANDOMIZE) == -EPERM);
790 assert_se(errno == EPERM);
e8132d63 791
21022b9d
LP		 792 assert_se(safe_personality(PER_LINUX | MMAP_PAGE_ZERO) == -EPERM);
793 assert_se(safe_personality(PER_LINUX | ADDR_COMPAT_LAYOUT) == -EPERM);
794 assert_se(safe_personality(PER_LINUX | READ_IMPLIES_EXEC) == -EPERM);
795 assert_se(safe_personality(PER_LINUX_32BIT) == -EPERM);
796 assert_se(safe_personality(PER_SVR4) == -EPERM);
797 assert_se(safe_personality(PER_BSD) == -EPERM);
798 assert_se(safe_personality(current == PER_LINUX ? PER_LINUX32 : PER_LINUX) == -EPERM);
799 assert_se(safe_personality(PER_LINUX32_3GB) == -EPERM);
800 assert_se(safe_personality(PER_UW7) == -EPERM);
801 assert_se(safe_personality(0x42) == -EPERM);
802
803 assert_se(safe_personality(PERSONALITY_INVALID) == -EPERM); /* maybe remove this later */
e8132d63
LP		 804
805 assert_se((unsigned long) personality(current) == current);
78e864e5
TM		 806 _exit(EXIT_SUCCESS);
807 }
808
7d4904fe 809 assert_se(wait_for_terminate_and_check("lockpersonalityseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
78e864e5
TM		 810}
811
167fc10c
LP		 812static int real_open(const char *path, int flags, mode_t mode) {
813 /* glibc internally calls openat() when open() is requested. Let's hence define our own wrapper for
dff6c629
ZJS		 814 * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
815 * other architectures, let's just fall back to the glibc call. */
167fc10c 816
fb4b0465 817#if defined __NR_open && __NR_open >= 0
4df8fe84 818 return (int) syscall(__NR_open, path, flags, mode);
dff6c629
ZJS		 819#else
820 return open(path, flags, mode);
821#endif
167fc10c
LP		 822}
823
824static void test_restrict_suid_sgid(void) {
825 pid_t pid;
826
827 log_info("/* %s */", __func__);
828
829 if (!is_seccomp_available()) {
830 log_notice("Seccomp not available, skipping %s", __func__);
831 return;
832 }
833 if (geteuid() != 0) {
834 log_notice("Not root, skipping %s", __func__);
835 return;
836 }
837
838 pid = fork();
839 assert_se(pid >= 0);
840
841 if (pid == 0) {
842 char path[] = "/tmp/suidsgidXXXXXX", dir[] = "/tmp/suidsgiddirXXXXXX";
843 int fd = -1, k = -1;
844 const char *z;
845
846 fd = mkostemp_safe(path);
847 assert_se(fd >= 0);
848
849 assert_se(mkdtemp(dir));
850 z = strjoina(dir, "/test");
851
852 assert_se(chmod(path, 0755 | S_ISUID) >= 0);
853 assert_se(chmod(path, 0755 | S_ISGID) >= 0);
854 assert_se(chmod(path, 0755 | S_ISGID | S_ISUID) >= 0);
855 assert_se(chmod(path, 0755) >= 0);
856
857 assert_se(fchmod(fd, 0755 | S_ISUID) >= 0);
858 assert_se(fchmod(fd, 0755 | S_ISGID) >= 0);
859 assert_se(fchmod(fd, 0755 | S_ISGID | S_ISUID) >= 0);
860 assert_se(fchmod(fd, 0755) >= 0);
861
862 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) >= 0);
863 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) >= 0);
864 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0);
865 assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0);
866
867 k = real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID);
868 k = safe_close(k);
869 assert_se(unlink(z) >= 0);
870
871 k = real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID);
872 k = safe_close(k);
873 assert_se(unlink(z) >= 0);
874
875 k = real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID);
876 k = safe_close(k);
877 assert_se(unlink(z) >= 0);
878
879 k = real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644);
880 k = safe_close(k);
881 assert_se(unlink(z) >= 0);
882
883 k = creat(z, 0644 | S_ISUID);
884 k = safe_close(k);
885 assert_se(unlink(z) >= 0);
886
887 k = creat(z, 0644 | S_ISGID);
888 k = safe_close(k);
889 assert_se(unlink(z) >= 0);
890
891 k = creat(z, 0644 | S_ISUID | S_ISGID);
892 k = safe_close(k);
893 assert_se(unlink(z) >= 0);
894
895 k = creat(z, 0644);
896 k = safe_close(k);
897 assert_se(unlink(z) >= 0);
898
899 k = openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID);
900 k = safe_close(k);
901 assert_se(unlink(z) >= 0);
902
903 k = openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID);
904 k = safe_close(k);
905 assert_se(unlink(z) >= 0);
906
907 k = openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID);
908 k = safe_close(k);
909 assert_se(unlink(z) >= 0);
910
911 k = openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644);
912 k = safe_close(k);
913 assert_se(unlink(z) >= 0);
914
915 assert_se(mkdir(z, 0755 | S_ISUID) >= 0);
916 assert_se(rmdir(z) >= 0);
917 assert_se(mkdir(z, 0755 | S_ISGID) >= 0);
918 assert_se(rmdir(z) >= 0);
919 assert_se(mkdir(z, 0755 | S_ISUID | S_ISGID) >= 0);
920 assert_se(rmdir(z) >= 0);
921 assert_se(mkdir(z, 0755) >= 0);
922 assert_se(rmdir(z) >= 0);
923
924 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID) >= 0);
925 assert_se(rmdir(z) >= 0);
926 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISGID) >= 0);
927 assert_se(rmdir(z) >= 0);
928 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) >= 0);
929 assert_se(rmdir(z) >= 0);
930 assert_se(mkdirat(AT_FDCWD, z, 0755) >= 0);
931 assert_se(rmdir(z) >= 0);
932
933 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID, 0) >= 0);
934 assert_se(unlink(z) >= 0);
935 assert_se(mknod(z, S_IFREG | 0755 | S_ISGID, 0) >= 0);
936 assert_se(unlink(z) >= 0);
937 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0);
938 assert_se(unlink(z) >= 0);
939 assert_se(mknod(z, S_IFREG | 0755, 0) >= 0);
940 assert_se(unlink(z) >= 0);
941
942 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) >= 0);
943 assert_se(unlink(z) >= 0);
944 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) >= 0);
945 assert_se(unlink(z) >= 0);
946 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0);
947 assert_se(unlink(z) >= 0);
948 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0);
949 assert_se(unlink(z) >= 0);
950
951 assert_se(seccomp_restrict_suid_sgid() >= 0);
952
953 assert_se(chmod(path, 0775 | S_ISUID) < 0 && errno == EPERM);
954 assert_se(chmod(path, 0775 | S_ISGID) < 0 && errno == EPERM);
955 assert_se(chmod(path, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM);
956 assert_se(chmod(path, 0775) >= 0);
957
958 assert_se(fchmod(fd, 0775 | S_ISUID) < 0 && errno == EPERM);
959 assert_se(fchmod(fd, 0775 | S_ISGID) < 0 && errno == EPERM);
960 assert_se(fchmod(fd, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM);
961 assert_se(fchmod(fd, 0775) >= 0);
962
963 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) < 0 && errno == EPERM);
964 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) < 0 && errno == EPERM);
965 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM);
966 assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0);
967
968 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM);
969 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM);
970 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM);
971 k = real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644);
972 k = safe_close(k);
973 assert_se(unlink(z) >= 0);
974
975 assert_se(creat(z, 0644 | S_ISUID) < 0 && errno == EPERM);
976 assert_se(creat(z, 0644 | S_ISGID) < 0 && errno == EPERM);
977 assert_se(creat(z, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM);
978 k = creat(z, 0644);
979 k = safe_close(k);
980 assert_se(unlink(z) >= 0);
981
982 assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM);
983 assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM);
984 assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM);
985 k = openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644);
986 k = safe_close(k);
987 assert_se(unlink(z) >= 0);
988
989 assert_se(mkdir(z, 0755 | S_ISUID) < 0 && errno == EPERM);
990 assert_se(mkdir(z, 0755 | S_ISGID) < 0 && errno == EPERM);
991 assert_se(mkdir(z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM);
992 assert_se(mkdir(z, 0755) >= 0);
993 assert_se(rmdir(z) >= 0);
994
995 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID) < 0 && errno == EPERM);
996 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISGID) < 0 && errno == EPERM);
997 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM);
998 assert_se(mkdirat(AT_FDCWD, z, 0755) >= 0);
999 assert_se(rmdir(z) >= 0);
1000
1001 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM);
1002 assert_se(mknod(z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM);
1003 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM);
1004 assert_se(mknod(z, S_IFREG | 0755, 0) >= 0);
1005 assert_se(unlink(z) >= 0);
1006
1007 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM);
1008 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM);
1009 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM);
1010 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0);
1011 assert_se(unlink(z) >= 0);
1012
1013 assert_se(unlink(path) >= 0);
1014 assert_se(rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0);
1015
1016 _exit(EXIT_SUCCESS);
1017 }
1018
1019 assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
1020}
1021
f6281133 1022int main(int argc, char *argv[]) {
6d7c4033 1023 test_setup_logging(LOG_DEBUG);
add00535 1024
f6281133 1025 test_seccomp_arch_to_string();
aa34055f 1026 test_architecture_table();
f6281133
LP		 1027 test_syscall_filter_set_find();
1028 test_filter_sets();
23e12f8e 1029 test_filter_sets_ordered();
add00535 1030 test_restrict_namespace();
469830d1 1031 test_protect_sysctl();
97d05f3b 1032 test_protect_syslog();
469830d1
LP		 1033 test_restrict_address_families();
1034 test_restrict_realtime();
2a65bd94
ZJS		 1035 test_memory_deny_write_execute_mmap();
1036 test_memory_deny_write_execute_shmat();
469830d1
LP		 1037 test_restrict_archs();
1038 test_load_syscall_filter_set_raw();
78e864e5 1039 test_lock_personality();
167fc10c 1040 test_restrict_suid_sgid();
f6281133
LP		 1041
1042 return 0;
1043}
Unnamed repository; edit this file 'description' to name the repository.