[PATCH v3 4/4] tests: test cases for seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Mon Aug 26 15:19:34 UTC 2019
On Mon, Aug 26, 2019 at 05:50:41PM +0300, Dmitry V. Levin wrote:
> On Mon, Aug 26, 2019 at 04:08:13PM +0200, Paul Chaignon wrote:
> > On Fri, Aug 23, 2019 at 06:17:28PM +0300, Dmitry V. Levin wrote:
> > > On Thu, Aug 15, 2019 at 07:52:54PM +0200, Paul Chaignon wrote:
> [...]
> > > > +grep "seccomp-filter is requested but unavailable" "$OUT" > /dev/null
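Review bot: this grep leaves its result only in `$?`, so the outcome depends on nothing running between it and whatever later tests `$?`; a command added in between would silently change the result. Consider using the grep directly as the condition, for example `if ! grep "seccomp-filter is requested but unavailable" "$OUT" > /dev/null && ...`, or saving the status in a variable on the very next line.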
> > >
> > > I suppose the test should be skipped if seccomp filtering is unavailable.
> >
> > Do you mean it should implement the same prctl(PR_SET_SECCOMP,
> > SECCOMP_MODE_FILTER) + NOMMU_SYSTEM checks as check_seccomp_filter()?
>
> Not really.
> I suggest skipping the test in a way similar to tests/PTRACE_SEIZE.sh
Ah, I see. I'll make the change.
>
> > > > +if [ $? -ne 0 ] && [ "$nb_seccomp" -lt "$((10*nb_no_seccomp))" ]; then
> > > > + fail_ "Failed to enable seccomp-filter"
> > > > +fi
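Review bot: the comparison `[ "$nb_seccomp" -lt "$((10*nb_no_seccomp))" ]` fails open when a count is missing. If `$nb_seccomp` is empty or not a number, `[` reports an error and returns non-zero, so the `&&` chain is false and `fail_` is never reached; if `$nb_no_seccomp` is 0, the threshold is 0 and the check cannot fail either. Unless both counts are validated earlier in the script, check that they are positive integers before this `if` and fail the test when they are not.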
> > >
> > > Why 10?
> >
> > It's mostly an arbitrary number. On my system, filter_seccomp-perf
> > performs about 17-18x more chdir syscalls when seccomp-filter is enabled.
> > So using 10 should give us a little leeway. I'll add a small comment.
>
> Would you mind including the actual ratio (nb_no_seccomp/nb_seccomp)
> in the diagnostics message? It might help when this test gets a wider
> testing audience.
Sure, makes sense.
Paul