[PATCH v3 4/4] tests: test cases for seccomp-assisted syscall filtering
Dmitry V. Levin
ldv at altlinux.org
Mon Aug 26 14:50:41 UTC 2019
On Mon, Aug 26, 2019 at 04:08:13PM +0200, Paul Chaignon wrote:
> On Fri, Aug 23, 2019 at 06:17:28PM +0300, Dmitry V. Levin wrote:
> > On Thu, Aug 15, 2019 at 07:52:54PM +0200, Paul Chaignon wrote:
[...]
> > > +grep "seccomp-filter is requested but unavailable" "$OUT" > /dev/null
> >
> > I suppose the test should be skipped if seccomp filtering is unavailable.
>
> Do you mean it should implement the same prctl(PR_SET_SECCOMP,
> SECCOMP_MODE_FILTER) + NOMMU_SYSTEM checks as check_seccomp_filter()?
Not really.
I suggest skipping the test in a way similar to tests/PTRACE_SEIZE.sh
> > > +if [ $? -ne 0 ] && [ "$nb_seccomp" -lt "$((10*nb_no_seccomp))" ]; then
> > > + fail_ "Failed to enable seccomp-filter"
> > > +fi
> >
> > Why 10?
>
> It's mostly an arbitrary number. On my system, filter_seccomp-perf
> performs about 17-18x more chdir syscalls when seccomp-filter is enabled.
> So using 10 should give us a little leeway. I'll add a small comment.
Would you mind including the actual ratio (nb_no_seccomp/nb_seccomp)
in the diagnostics message? It might help when this test gets a wider
testing audience.
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20190826/296201da/attachment.bin>
More information about the Strace-devel
mailing list