[PATCH v3 4/4] tests: test cases for seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Thu Aug 15 17:52:54 UTC 2019
From: Chen Jingpiao <chenjingpiao at gmail.com>
* tests/status-none-f.c: New file.
* tests/pure_executables.list: Add status-none-f.
* tests/.gitignore: Add status-none-f and filter_seccomp-perf.
* tests/init.sh (test_prog_set): New function.
* tests/filter_seccomp.in: New file.
* tests/filter_seccomp-perf.c: New file.
* tests/filter_seccomp-perf.test: New file.
* tests/Makefile.am (EXTRA_DIST): Add filter_seccomp.in.
(MISC_TESTS): Add filter_seccomp-perf.test.
(check_PROGRAMS): Add filter_seccomp-perf.
* tests/gen_tests.in: Add threads-execve test with -n and filter_seccomp
test_prog_set.
Co-authored-by: Paul Chaignon <paul.chaignon at gmail.com>
---
tests/.gitignore | 2 ++
tests/Makefile.am | 3 +++
tests/filter_seccomp-perf.c | 33 +++++++++++++++++++++++++++++++++
tests/filter_seccomp-perf.test | 17 +++++++++++++++++
tests/filter_seccomp.in | 4 ++++
tests/gen_tests.in | 2 ++
tests/init.sh | 5 +++++
tests/pure_executables.list | 1 +
tests/status-none-f.c | 19 +++++++++++++++++++
9 files changed, 86 insertions(+)
create mode 100644 tests/filter_seccomp-perf.c
create mode 100755 tests/filter_seccomp-perf.test
create mode 100644 tests/filter_seccomp.in
create mode 100644 tests/status-none-f.c
diff --git a/tests/.gitignore b/tests/.gitignore
index f5133873..6738d873 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -85,6 +85,7 @@ fdatasync
fflush
file_handle
file_ioctl
+filter_seccomp-perf
filter-unavailable
finit_module
flock
@@ -584,6 +585,7 @@ statfs64
status-all
status-failed
status-none
+status-none-f
status-none-threads
status-successful
status-unfinished
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 156e359a..3035877d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -90,6 +90,7 @@ check_PROGRAMS = $(PURE_EXECUTABLES) \
delay \
execve-v \
execveat-v \
+ filter_seccomp-perf \
filter-unavailable \
fork-f \
fsync-y \
@@ -313,6 +314,7 @@ MISC_TESTS = \
detach-sleeping.test \
detach-stopped.test \
fflush.test \
+ filter_seccomp-perf.test \
filter-unavailable.test \
filtering_fd-syntax.test \
filtering_syscall-syntax.test \
@@ -395,6 +397,7 @@ EXTRA_DIST = \
eventfd.expected \
fadvise.h \
fcntl-common.c \
+ filter_seccomp.in \
filter-unavailable.expected \
fstatat.c \
fstatx.c \
diff --git a/tests/filter_seccomp-perf.c b/tests/filter_seccomp-perf.c
new file mode 100644
index 00000000..dbc8dcd7
--- /dev/null
+++ b/tests/filter_seccomp-perf.c
@@ -0,0 +1,33 @@
+/*
+ * Check seccomp-filter is enabled.
+ *
+ * Copyright (c) 2019 Paul Chaignon <paul.chaignon at gmail.com>
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static volatile bool stop = false;
+
+static void
+handler(int signo) {
+ stop = true;
+}
+
+int main(void) {
+ signal(SIGINT, handler);
+ unsigned int i = 0;
+ long rc = 0;
+ while (!stop) {
+ rc &= chdir(".");
+ i++;
+ }
+ printf("%d\n", i);
+ return rc;
+}
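Review bot: `rc &= chdir(".");` on the loop body can never record a failure: `rc` starts at 0 and `0 & -1` is 0, so main() returns 0 even if every chdir() call fails, which makes the return value meaningless; `rc |= chdir(".");` keeps the intent and actually propagates an error. The flag written from the handler should be `static volatile sig_atomic_t stop;` rather than `volatile bool` — `sig_atomic_t` is the only type C guarantees can be assigned from a signal handler, and the `<stdbool.h>` include can then go. `printf("%d\n", i);` passes an `unsigned int` to `%d`; use `%u`. The unchecked `signal()` return is minor but a `perror_msg_and_fail`-style check would match how the other helpers in this suite report setup failures, if tests.h provides one.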
diff --git a/tests/filter_seccomp-perf.test b/tests/filter_seccomp-perf.test
new file mode 100755
index 00000000..eb60c107
--- /dev/null
+++ b/tests/filter_seccomp-perf.test
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Check seccomp-filter is enabled.
+#
+# Copyright (c) 2019 Paul Chaignon <paul.chaignon at gmail.com>
+# All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+. "${srcdir=.}/init.sh"
+
+nb_no_seccomp=$(timeout -sINT 1s $STRACE -qf -e signal=none -efchdir ../$NAME)
+nb_seccomp=$(timeout -sINT 1s $STRACE -qfn -e signal=none -efchdir ../$NAME 2> "$OUT")
+grep "seccomp-filter is requested but unavailable" "$OUT" > /dev/null
+if [ $? -ne 0 ] && [ "$nb_seccomp" -lt "$((10*nb_no_seccomp))" ]; then
+ fail_ "Failed to enable seccomp-filter"
+fi
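Review bot: When strace prints "seccomp-filter is requested but unavailable", the `[ $? -ne 0 ]` guard makes the test pass silently instead of being recorded as skipped, so a build with broken seccomp support still looks green; I'd turn that into an explicit skip, e.g. `grep -q "seccomp-filter is requested but unavailable" "$OUT" && framework_skip_ "seccomp-filter is unavailable"` (assuming init.sh provides the usual skip helper), and keep only the ratio comparison in the `if`. The script depends on `timeout` without declaring it; add `check_prog timeout` right after sourcing init.sh, matching the `check_prog` calls init.sh already makes. If either strace invocation fails to start, `nb_seccomp` or `nb_no_seccomp` is empty and `[ "" -lt ... ]` aborts with a shell error rather than a `fail_` message, so a `[ -n "$nb_no_seccomp" ] && [ -n "$nb_seccomp" ] || fail_ "strace produced no count"` guard would give a clearer diagnostic. The fixed 10x ratio is a host-dependent heuristic; a comment stating why 10 was chosen would help whoever sees it flake on a loaded CI box.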
diff --git a/tests/filter_seccomp.in b/tests/filter_seccomp.in
new file mode 100644
index 00000000..dc741911
--- /dev/null
+++ b/tests/filter_seccomp.in
@@ -0,0 +1,4 @@
+fork-f -a26 -qq -f -e signal=none -e trace=chdir
+vfork-f -a26 -qq -f -e signal=none -e trace=chdir
+fork-f -a26 -qq -f -e signal=none -e trace=chdir,%memory,%ipc,%pure,%signal,%network -e status=failed
+status-none-f -f -e trace=!ptrace -e status=none
diff --git a/tests/gen_tests.in b/tests/gen_tests.in
index 8ad044a8..036e2c3b 100644
--- a/tests/gen_tests.in
+++ b/tests/gen_tests.in
@@ -65,6 +65,7 @@ fcntl64 -a8
fdatasync -a14
file_handle -e trace=name_to_handle_at,open_by_handle_at
file_ioctl +ioctl.test
+filter_seccomp test_prog_set -n
finit_module -a25
flock -a19
fork-f -a26 -qq -f -e signal=none -e trace=chdir
@@ -502,6 +503,7 @@ sync_file_range2
sysinfo -a14
syslog -a35
tee
+threads-execve +threads-execve.test -n
time -a10
timer_create
timer_xettime -e trace=timer_create,timer_settime,timer_gettime
diff --git a/tests/init.sh b/tests/init.sh
index 40e62188..4cd2d153 100644
--- a/tests/init.sh
+++ b/tests/init.sh
@@ -324,6 +324,11 @@ test_trace_expr()
< negative.list
}
+test_prog_set()
+{
+ test_pure_prog_set "$@" < "$srcdir/$NAME.in"
+}
+
check_prog cat
check_prog rm
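Review bot: `test_prog_set` has no comment, unlike the surrounding helpers that document what their stdin/argument conventions are; I'd add `# Run the test set listed in $srcdir/$NAME.in (one program per line) through test_pure_prog_set, forwarding "$@" as extra strace options.` above the definition. It relies on `$NAME` being set earlier in init.sh, which is outside this hunk, so the comment should say so.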
diff --git a/tests/pure_executables.list b/tests/pure_executables.list
index f55ae8a8..953c2a7b 100755
--- a/tests/pure_executables.list
+++ b/tests/pure_executables.list
@@ -496,6 +496,7 @@ statfs64
status-all
status-failed
status-none
+status-none-f
status-successful
status-unfinished
statx
diff --git a/tests/status-none-f.c b/tests/status-none-f.c
new file mode 100644
index 00000000..33887a1b
--- /dev/null
+++ b/tests/status-none-f.c
@@ -0,0 +1,19 @@
+/*
+ * Check basic seccomp filtering with large number of traced syscalls.
+ *
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <stdio.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+ printf("%-5d +++ exited with 0 +++\n", getpid());
+ return 0;
+}
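Review bot: The header comment "Check basic seccomp filtering with large number of traced syscalls" is misleading on its own, since this program issues only a handful of syscalls; the "large number" comes from the `-e trace=!ptrace` invocation in filter_seccomp.in, which traces every syscall except ptrace. I'd make the comment say that explicitly, e.g. `Minimal tracee for the filter_seccomp test: run under -f -e trace=!ptrace (see filter_seccomp.in) so nearly every syscall is traced and the seccomp filter has a large allow-list; prints the exit line strace is expected to emit.` The `%-5d` pid format mirrors strace's own output padding, which is worth a one-line note as well so the width isn't changed by accident.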
--
2.17.1