From: Yu Watanabe
Date: Sat, 11 Nov 2017 12:39:02 +0000 (+0900)
Subject: test: add tests for syscall:errno style in SystemCallFilter=
X-Git-Tag: v236~238^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4891260b9e926c00276acf1924734f93b144a0d;p=thirdparty%2Fsystemd.git
test: add tests for syscall:errno style in SystemCallFilter=
---
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 0468d11fe89..c86e074e9d4 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -23,6 +23,7 @@
 #include
 #include
+#include "errno-list.h"
 #include "fileio.h"
 #include "fs-util.h"
 #include "macro.h"
@@ -261,6 +262,8 @@ static void test_exec_systemcallfilter(Manager *m) {
 test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
 test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED);
 test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED);
+ test(m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED);
+ test(m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED);
 #endif
 }
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index e5f97894b7d..a1d3c6280e1 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -519,7 +519,7 @@ static void test_load_syscall_filter_set_raw(void) {
 assert_se(pid >= 0);
 if (pid == 0) {
- _cleanup_set_free_ Set *s = NULL;
+ _cleanup_hashmap_free_ Hashmap *s = NULL;
 assert_se(access("/", F_OK) >= 0);
 assert_se(poll(NULL, 0, 0) == 0);
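Review bot: The expected status in the first added `test()` line of test_exec_systemcallfilter() is computed with `errno_from_name("EILSEQ")`, which is presumably the same name table the unit parser uses for `uname:EILSEQ`, so a wrong table entry or a failed lookup would be compared against itself instead of being caught. Passing the libc constant gives an independent expected value: `test(m, "exec-systemcallfilter-with-errno-name.service", EILSEQ, CLD_EXITED);`. In the second added line, 255 is the top of the 8-bit exit-status range and a value often used for generic failures, so a less overloaded number would make it harder for the test to pass for the wrong reason. The function starts before this hunk.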
@@ -528,11 +528,11 @@ static void test_load_syscall_filter_set_raw(void) {
 assert_se(access("/", F_OK) >= 0);
 assert_se(poll(NULL, 0, 0) == 0);
- assert_se(s = set_new(NULL));
+ assert_se(s = hashmap_new(NULL));
 #if SCMP_SYS(access) >= 0
- assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0);
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
 #else
- assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0);
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
 #endif
 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
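Review bot: `INT_TO_PTR(-1)` in the new `hashmap_put()` calls is an unexplained sentinel. Judging by the `SCMP_ACT_ERRNO(EUCLEAN)` action passed right after, it appears to mean "no per-syscall errno, the action given to `seccomp_load_syscall_filter_set_raw()` applies", but nothing in the test states that. A one-line comment above the first use would do, for example `/* value -1: no errno override for this syscall, the default action applies (confirm against the implementation) */`. The same sentinel recurs in the `poll`/`ppoll` branch of the following hunk. The enclosing function starts before this hunk and continues past it.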
@@ -542,23 +542,56 @@ static void test_load_syscall_filter_set_raw(void) {
 assert_se(poll(NULL, 0, 0) == 0);
- s = set_free(s);
+ s = hashmap_free(s);
- assert_se(s = set_new(NULL));
+ assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(access) >= 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#endif
+
+ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
+
+ assert_se(access("/", F_OK) < 0);
+ assert_se(errno == EILSEQ);
+
+ assert_se(poll(NULL, 0, 0) == 0);
+
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
 #if SCMP_SYS(poll) >= 0
- assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0);
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
 #else
- assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0);
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
 #endif
 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
 assert_se(access("/", F_OK) < 0);
- assert_se(errno == EUCLEAN);
+ assert_se(errno == EILSEQ);
 assert_se(poll(NULL, 0, 0) < 0);
 assert_se(errno == EUNATCH);
+ s = hashmap_free(s);
+
+ assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(poll) >= 0
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#endif
+
+ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
+
+ assert_se(access("/", F_OK) < 0);
+ assert_se(errno == EILSEQ);
+
+ assert_se(poll(NULL, 0, 0) < 0);
+ assert_se(errno == EILSEQ);
+
 _exit(EXIT_SUCCESS);
 }
diff --git a/test/meson.build b/test/meson.build
index bc37946bab0..941878dea4f 100644
--- a/test/meson.build
+++ b/test/meson.build
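Review bot: The expected values in `assert_se(errno == EILSEQ);` after the `EUNATCH` load, and in the final `poll()` check, depend on how several stacked seccomp filters that return different errno values for the same syscall are resolved, and the test never states which filter is expected to win. A short comment before each load block would make the expectations reviewable, noting that filters accumulate in the child and that the errno from the most recently loaded matching filter is the one observed (as the assertions imply). Without it a reader has to reconstruct why `EUCLEAN` became `EILSEQ` for `access()` and why `poll()` ends at `EILSEQ` rather than `EUNATCH`. The enclosing function starts before this hunk and continues past it.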
@@ -107,6 +107,8 @@ test_data_files = '''
 test-execute/exec-systemcallfilter-not-failing2.service
 test-execute/exec-systemcallfilter-system-user-nfsnobody.service
 test-execute/exec-systemcallfilter-system-user.service
+ test-execute/exec-systemcallfilter-with-errno-name.service
+ test-execute/exec-systemcallfilter-with-errno-number.service
 test-execute/exec-umask-0177.service
 test-execute/exec-umask-default.service
 test-execute/exec-unset-environment.service
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-name.service b/test/test-execute/exec-systemcallfilter-with-errno-name.service
new file mode 100644
index 00000000000..b9beb73b7e8
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-with-errno-name.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter with errno name
+
+[Service]
+ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:EILSEQ
+SystemCallErrorNumber=EACCES
diff --git a/test/test-execute/exec-systemcallfilter-with-errno-number.service b/test/test-execute/exec-systemcallfilter-with-errno-number.service
new file mode 100644
index 00000000000..6e5019d5932
--- /dev/null
+++ b/test/test-execute/exec-systemcallfilter-with-errno-number.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter with errno number
+
+[Service]
+ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:255
+SystemCallErrorNumber=EACCES
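Review bot: Both new units exercise only well-formed `syscall:errno` suffixes (`~uname:EILSEQ` here, `~uname:255` in exec-systemcallfilter-with-errno-number.service), so the commit does not cover what happens when the suffix is malformed, such as an unknown errno name or a number outside the valid range. For a sandboxing option that is the case worth pinning down, because a silently dropped or misapplied entry leaves the syscall handled differently from what the unit author wrote. A companion unit with an invalid suffix, plus an assertion on how the unit is then treated, would close that gap. Separately, `ExecStart=/bin/python3` hard-codes an interpreter path that may not exist on every test host, and nothing visible in this commit skips the test when it is absent.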