test: add tests for syscall:errno style in SystemCallFilter=
authorYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 11 Nov 2017 12:39:02 +0000 (21:39 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 11 Nov 2017 12:54:20 +0000 (21:54 +0900)
src/test/test-execute.c
src/test/test-seccomp.c
test/meson.build
test/test-execute/exec-systemcallfilter-with-errno-name.service [new file with mode: 0644]
test/test-execute/exec-systemcallfilter-with-errno-number.service [new file with mode: 0644]

index 0468d11fe892f709e138539fac66a805a3e92742..c86e074e9d438782bb95cba57e7fa6399346820c 100644 (file)
@@ -23,6 +23,7 @@
 #include <sys/prctl.h>
 #include <sys/types.h>
 
+#include "errno-list.h"
 #include "fileio.h"
 #include "fs-util.h"
 #include "macro.h"
@@ -261,6 +262,8 @@ static void test_exec_systemcallfilter(Manager *m) {
         test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
         test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED);
         test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED);
+        test(m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED);
+        test(m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED);
 
 #endif
 }
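Review bot: The two added `test()` calls depend on `/bin/python3`, which both new unit files hard-code in `ExecStart=`, and nothing visible in this hunk skips them when that interpreter is missing. On a build host without python3 at that path the units would presumably fail to execute, and the test would report a failure unrelated to the seccomp filter under test. Consider guarding the two calls, for example with `if (access("/bin/python3", X_OK) >= 0) {` … `}` (assuming `<unistd.h>` is already included in this file), and logging that they were skipped otherwise. test_exec_systemcallfilter() begins above this hunk.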
index e5f97894b7de7b7015f8cdbde77738d2322c3f02..a1d3c6280e1dbee61f037d0efe62cc3f6234a5c4 100644 (file)
@@ -519,7 +519,7 @@ static void test_load_syscall_filter_set_raw(void) {
         assert_se(pid >= 0);
 
         if (pid == 0) {
-                _cleanup_set_free_ Set *s = NULL;
+                _cleanup_hashmap_free_ Hashmap *s = NULL;
 
                 assert_se(access("/", F_OK) >= 0);
                 assert_se(poll(NULL, 0, 0) == 0);
@@ -528,11 +528,11 @@ static void test_load_syscall_filter_set_raw(void) {
                 assert_se(access("/", F_OK) >= 0);
                 assert_se(poll(NULL, 0, 0) == 0);
 
-                assert_se(s = set_new(NULL));
+                assert_se(s = hashmap_new(NULL));
 #if SCMP_SYS(access) >= 0
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
 #else
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
 #endif
 
                 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
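Review bot: `INT_TO_PTR(-1)` is stored as the hashmap value here, and again for the `__NR_poll`/`__NR_ppoll` entries in the next hunk, with nothing saying what -1 means. Judging by the assertions, it appears to select the default action passed to seccomp_load_syscall_filter_set_raw() (`SCMP_ACT_ERRNO(EUCLEAN)` here), in contrast to the explicit `INT_TO_PTR(EILSEQ)` entries added later. A one-line comment above the first `hashmap_put()`, such as `/* -1: no per-syscall errno, fall back to the default action */`, would make that contract readable from the test. The function body starts and ends outside this hunk.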
@@ -542,23 +542,56 @@ static void test_load_syscall_filter_set_raw(void) {
 
                 assert_se(poll(NULL, 0, 0) == 0);
 
-                s = set_free(s);
+                s = hashmap_free(s);
 
-                assert_se(s = set_new(NULL));
+                assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(access) >= 0
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#endif
+
+                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
+
+                assert_se(access("/", F_OK) < 0);
+                assert_se(errno == EILSEQ);
+
+                assert_se(poll(NULL, 0, 0) == 0);
+
+                s = hashmap_free(s);
+
+                assert_se(s = hashmap_new(NULL));
 #if SCMP_SYS(poll) >= 0
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
 #else
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
 #endif
 
                 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
 
                 assert_se(access("/", F_OK) < 0);
-                assert_se(errno == EUCLEAN);
+                assert_se(errno == EILSEQ);
 
                 assert_se(poll(NULL, 0, 0) < 0);
                 assert_se(errno == EUNATCH);
 
+                s = hashmap_free(s);
+
+                assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(poll) >= 0
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#endif
+
+                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
+
+                assert_se(access("/", F_OK) < 0);
+                assert_se(errno == EILSEQ);
+
+                assert_se(poll(NULL, 0, 0) < 0);
+                assert_se(errno == EILSEQ);
+
                 _exit(EXIT_SUCCESS);
         }
 
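Review bot: The expectation changed to `errno == EILSEQ` for `access()` after the EUNATCH filter is loaded holds only because each seccomp_load_syscall_filter_set_raw() call stacks a further filter on the process. Among actions of equal precedence, the kernel returns the errno of the most recently installed filter. The test does not say so, which makes it hard to see why the first filter's EUCLEAN never shows up again, or why `poll()` ends with EILSEQ rather than EUNATCH. A comment before the second load would help, for example `/* filters stack: for equal-precedence ERRNO actions the newest filter's errno wins */`. The enclosing function begins above this hunk.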
index bc37946bab08630529aa49069c69387de7a4905e..941878dea4ff2d0251d7410ec27cff77a4feaf2c 100644 (file)
@@ -107,6 +107,8 @@ test_data_files = '''
         test-execute/exec-systemcallfilter-not-failing2.service
         test-execute/exec-systemcallfilter-system-user-nfsnobody.service
         test-execute/exec-systemcallfilter-system-user.service
+        test-execute/exec-systemcallfilter-with-errno-name.service
+        test-execute/exec-systemcallfilter-with-errno-number.service
         test-execute/exec-umask-0177.service
         test-execute/exec-umask-default.service
         test-execute/exec-unset-environment.service
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-name.service b/test/test-execute/exec-systemcallfilter-with-errno-name.service
new file mode 100644 (file)
index 0000000..b9beb73
--- /dev/null
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter with errno name
+
+[Service]
+ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:EILSEQ
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-number.service b/test/test-execute/exec-systemcallfilter-with-errno-number.service
new file mode 100644 (file)
index 0000000..6e5019d
--- /dev/null
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter with errno number
+
+[Service]
+ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:255
+SystemCallErrorNumber=EACCES
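Review bot: The `255` in `SystemCallFilter=~uname:255` is unexplained, and it is also the largest value that can come back through the exit status that `exit(e.errno)` relies on. A larger number could not be checked this way, so the limit should be recorded next to the value, for example `# numeric form; must fit the 8-bit exit status reported by exit(e.errno)`. `SystemCallErrorNumber=EACCES` appears to be set only to show that the per-syscall value takes precedence over the default; a short comment saying so would stop it from looking like a leftover. The same applies to exec-systemcallfilter-with-errno-name.service.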