[PATCH v3 4/4] tests: test cases for seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Thu Aug 15 17:52:54 UTC 2019


From: Chen Jingpiao <chenjingpiao at gmail.com>

* tests/status-none-f.c: New file.
* tests/pure_executables.list: Add status-none-f.
* tests/.gitignore: Add status-none-f and filter_seccomp-perf.
* tests/init.sh (test_prog_set): New function.
* tests/filter_seccomp.in: New file.
* tests/filter_seccomp-perf.c: New file.
* tests/filter_seccomp-perf.test: New file.
* tests/Makefile.am (EXTRA_DIST): Add filter_seccomp.in.
(MISC_TESTS): Add filter_seccomp-perf.test.
(check_PROGRAMS): Add filter_seccomp-perf.
* tests/gen_tests.in: Add threads-execve test with -n and filter_seccomp
test_prog_set.

Co-authored-by: Paul Chaignon <paul.chaignon at gmail.com>
---
 tests/.gitignore               |  2 ++
 tests/Makefile.am              |  3 +++
 tests/filter_seccomp-perf.c    | 33 +++++++++++++++++++++++++++++++++
 tests/filter_seccomp-perf.test | 17 +++++++++++++++++
 tests/filter_seccomp.in        |  4 ++++
 tests/gen_tests.in             |  2 ++
 tests/init.sh                  |  5 +++++
 tests/pure_executables.list    |  1 +
 tests/status-none-f.c          | 19 +++++++++++++++++++
 9 files changed, 86 insertions(+)
 create mode 100644 tests/filter_seccomp-perf.c
 create mode 100755 tests/filter_seccomp-perf.test
 create mode 100644 tests/filter_seccomp.in
 create mode 100644 tests/status-none-f.c

diff --git a/tests/.gitignore b/tests/.gitignore
index f5133873..6738d873 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -85,6 +85,7 @@ fdatasync
 fflush
 file_handle
 file_ioctl
+filter_seccomp-perf
 filter-unavailable
 finit_module
 flock
@@ -584,6 +585,7 @@ statfs64
 status-all
 status-failed
 status-none
+status-none-f
 status-none-threads
 status-successful
 status-unfinished
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 156e359a..3035877d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -90,6 +90,7 @@ check_PROGRAMS = $(PURE_EXECUTABLES) \
 	delay \
 	execve-v \
 	execveat-v \
+	filter_seccomp-perf \
 	filter-unavailable \
 	fork-f \
 	fsync-y \
@@ -313,6 +314,7 @@ MISC_TESTS = \
 	detach-sleeping.test \
 	detach-stopped.test \
 	fflush.test \
+	filter_seccomp-perf.test \
 	filter-unavailable.test \
 	filtering_fd-syntax.test \
 	filtering_syscall-syntax.test \
@@ -395,6 +397,7 @@ EXTRA_DIST = \
 	eventfd.expected \
 	fadvise.h \
 	fcntl-common.c \
+	filter_seccomp.in \
 	filter-unavailable.expected \
 	fstatat.c \
 	fstatx.c \
diff --git a/tests/filter_seccomp-perf.c b/tests/filter_seccomp-perf.c
new file mode 100644
index 00000000..dbc8dcd7
--- /dev/null
+++ b/tests/filter_seccomp-perf.c
@@ -0,0 +1,33 @@
+/*
+ * Check seccomp-filter is enabled.
+ *
+ * Copyright (c) 2019 Paul Chaignon <paul.chaignon at gmail.com>
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static volatile bool stop = false;
+
+static void
+handler(int signo) {
+    stop = true;
+}
+
+int main(void) {
+	signal(SIGINT, handler);
+	unsigned int i = 0;
+	long rc = 0;
+	while (!stop) {
+		rc &= chdir(".");
+		i++;
+	}
+	printf("%d\n", i);
+	return rc;
+}
diff --git a/tests/filter_seccomp-perf.test b/tests/filter_seccomp-perf.test
new file mode 100755
index 00000000..eb60c107
--- /dev/null
+++ b/tests/filter_seccomp-perf.test
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Check seccomp-filter is enabled.
+#
+# Copyright (c) 2019 Paul Chaignon <paul.chaignon at gmail.com>
+# All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+. "${srcdir=.}/init.sh"
+
+nb_no_seccomp=$(timeout -sINT 1s $STRACE -qf -e signal=none -efchdir ../$NAME)
+nb_seccomp=$(timeout -sINT 1s $STRACE -qfn -e signal=none -efchdir ../$NAME 2> "$OUT")
+grep "seccomp-filter is requested but unavailable" "$OUT" > /dev/null
+if [ $? -ne 0 ] && [ "$nb_seccomp" -lt "$((10*nb_no_seccomp))" ]; then
+	fail_ "Failed to enable seccomp-filter"
+fi
diff --git a/tests/filter_seccomp.in b/tests/filter_seccomp.in
new file mode 100644
index 00000000..dc741911
--- /dev/null
+++ b/tests/filter_seccomp.in
@@ -0,0 +1,4 @@
+fork-f	-a26 -qq -f -e signal=none -e trace=chdir
+vfork-f	-a26 -qq -f -e signal=none -e trace=chdir
+fork-f	-a26 -qq -f -e signal=none -e trace=chdir,%memory,%ipc,%pure,%signal,%network -e status=failed
+status-none-f	-f -e trace=!ptrace -e status=none
diff --git a/tests/gen_tests.in b/tests/gen_tests.in
index 8ad044a8..036e2c3b 100644
--- a/tests/gen_tests.in
+++ b/tests/gen_tests.in
@@ -65,6 +65,7 @@ fcntl64	-a8
 fdatasync	-a14
 file_handle	-e trace=name_to_handle_at,open_by_handle_at
 file_ioctl	+ioctl.test
+filter_seccomp test_prog_set -n
 finit_module	-a25
 flock	-a19
 fork-f	-a26 -qq -f -e signal=none -e trace=chdir
@@ -502,6 +503,7 @@ sync_file_range2
 sysinfo	-a14
 syslog	-a35
 tee
+threads-execve +threads-execve.test -n
 time	-a10
 timer_create
 timer_xettime	-e trace=timer_create,timer_settime,timer_gettime
diff --git a/tests/init.sh b/tests/init.sh
index 40e62188..4cd2d153 100644
--- a/tests/init.sh
+++ b/tests/init.sh
@@ -324,6 +324,11 @@ test_trace_expr()
 		< negative.list
 }
 
+test_prog_set()
+{
+	test_pure_prog_set "$@" < "$srcdir/$NAME.in"
+}
+
 check_prog cat
 check_prog rm
 
diff --git a/tests/pure_executables.list b/tests/pure_executables.list
index f55ae8a8..953c2a7b 100755
--- a/tests/pure_executables.list
+++ b/tests/pure_executables.list
@@ -496,6 +496,7 @@ statfs64
 status-all
 status-failed
 status-none
+status-none-f
 status-successful
 status-unfinished
 statx
diff --git a/tests/status-none-f.c b/tests/status-none-f.c
new file mode 100644
index 00000000..33887a1b
--- /dev/null
+++ b/tests/status-none-f.c
@@ -0,0 +1,19 @@
+/*
+ * Check basic seccomp filtering with large number of traced syscalls.
+ *
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <stdio.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+	printf("%-5d +++ exited with 0 +++\n", getpid());
+	return 0;
+}
-- 
2.17.1



More information about the Strace-devel mailing list