From: Kevin Kuehler Date: Mon, 11 Nov 2019 04:37:20 +0000 (-0800) Subject: test/test-seccomp: add test_protect_syslog X-Git-Tag: v244-rc1~47^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97d05f3b709c39acebc53749b1d9eb29a24690b1;p=thirdparty%2Fsystemd.git test/test-seccomp: add test_protect_syslog --- diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 018c20f8be2..ca3f37344a5 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -322,6 +322,48 @@ static void test_protect_sysctl(void) { assert_se(wait_for_terminate_and_check("sysctlseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); } +static void test_protect_syslog(void) { + pid_t pid; + + log_info("/* %s */", __func__); + + if (!is_seccomp_available()) { + log_notice("Seccomp not available, skipping %s", __func__); + return; + } + if (geteuid() != 0) { + log_notice("Not root, skipping %s", __func__); + return; + } + + /* in containers syslog() is likely missing anyway */ + if (detect_container() > 0) { + log_notice("Testing in container, skipping %s", __func__); + return; + } + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { +#if defined __NR_syslog && __NR_syslog > 0 + assert_se(syscall(__NR_syslog, -1, NULL, 0) < 0); + assert_se(errno == EINVAL); +#endif + + assert_se(seccomp_protect_syslog() >= 0); + +#if defined __NR_syslog && __NR_syslog > 0 + assert_se(syscall(__NR_syslog, 0, 0, 0) < 0); + assert_se(errno == EPERM); +#endif + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_check("syslogseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); +} + static void test_restrict_address_families(void) { pid_t pid; @@ -982,6 +1024,7 @@ int main(int argc, char *argv[]) { test_filter_sets_ordered(); test_restrict_namespace(); test_protect_sysctl(); + test_protect_syslog(); test_restrict_address_families(); test_restrict_realtime(); test_memory_deny_write_execute_mmap();