tests: improve 05-sim-long_jumps to work better across arch/ABIs
This patch primarily moves the test away from abstract syscall numbers to honest-to-goodness actual syscalls which are present on all currently supported arch/ABIs. This change should make it easier to support this test across different platforms now and moving forward. Signed-off-by: Paul Moore <[email protected]> Reviewed-by: Tom Hromatka <[email protected]> Signed-off-by: Tom Hromatka <[email protected]>
1 parent
ee3660f
commit 3c2da11
Showing
3 changed files
with
52 additions
and
43 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,6 +2,7 @@ | |
* Seccomp Library test program | ||
* | ||
* Copyright (c) 2012 Red Hat <[email protected]> | ||
* Copyright (c) 2021 Microsoft Corporation <[email protected]> | ||
* Author: Paul Moore <[email protected]> | ||
*/ | ||
|
||
|
@@ -30,7 +31,8 @@ | |
int main(int argc, char *argv[]) | ||
{ | ||
int rc; | ||
int iter; | ||
int iter, ctr; | ||
char *syscall; | ||
struct util_options opts; | ||
scmp_filter_ctx ctx = NULL; | ||
|
||
|
@@ -42,31 +44,37 @@ int main(int argc, char *argv[]) | |
if (ctx == NULL) | ||
return ENOMEM; | ||
|
||
/* NOTE - syscalls referenced by number to make the test simpler */ | ||
|
||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1, 0); | ||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); | ||
if (rc != 0) | ||
goto out; | ||
|
||
/* same syscall, many chains */ | ||
for (iter = 0; iter < 100; iter++) { | ||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3, | ||
SCMP_A0(SCMP_CMP_EQ, iter), | ||
SCMP_A1(SCMP_CMP_NE, 0x0), | ||
SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); | ||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 3, | ||
SCMP_A0(SCMP_CMP_EQ, iter), | ||
SCMP_A1(SCMP_CMP_NE, 0x0), | ||
SCMP_A2(SCMP_CMP_LT, SSIZE_MAX)); | ||
if (rc != 0) | ||
goto out; | ||
} | ||
|
||
/* many syscalls, same chain */ | ||
for (iter = 100; iter < 200; iter++) { | ||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, iter, 1, | ||
SCMP_A0(SCMP_CMP_NE, 0)); | ||
if (rc != 0) | ||
goto out; | ||
for (iter = 0, ctr = 0; iter < 10000 && ctr < 100; iter++) { | ||
if (iter == SCMP_SYS(chdir)) | ||
continue; | ||
syscall = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, | ||
iter); | ||
if (syscall) { | ||
free(syscall); | ||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, iter, 1, | ||
SCMP_A0(SCMP_CMP_NE, 0)); | ||
if (rc != 0) | ||
goto out; | ||
ctr++; | ||
} | ||
} | ||
|
||
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 4, 0); | ||
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); | ||
if (rc != 0) | ||
goto out; | ||
|
||
|
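Review bot: The "many syscalls, same chain" loop can exit on the `iter < 10000` bound with `ctr` still below 100, and nothing after the loop checks for that. On an arch/ABI where fewer numbers resolve, the test would build a shorter filter and still succeed without exercising the long jumps it is named for. A guard right after the loop, such as `if (ctr < 100) { rc = -EFAULT; goto out; }`, would make that case fail visibly; what `out` does with `rc` is outside the hunk, so the error code should follow whatever that path expects. The Python version's `while i < 10000 and ctr < 100:` loop has the same gap. Separately, the new local `char *syscall;` shares its name with libc's `syscall()`, so a name like `sc_name` would avoid shadowing it if `<unistd.h>` is included; the includes and the rest of main() are not visible here.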
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ | |
# Seccomp Library test program | ||
# | ||
# Copyright (c) 2012 Red Hat <[email protected]> | ||
# Copyright (c) 2021 Microsoft Corporation <[email protected]> | ||
# Author: Paul Moore <[email protected]> | ||
# | ||
|
||
|
@@ -30,21 +31,28 @@ | |
|
||
def test(args): | ||
f = SyscallFilter(KILL) | ||
# syscalls referenced by number to make the test simpler | ||
f.add_rule_exactly(ALLOW, 1) | ||
f.add_rule(ALLOW, "brk") | ||
i = 0 | ||
while i < 100: | ||
f.add_rule_exactly(ALLOW, 1000, | ||
Arg(0, EQ, i), | ||
Arg(1, NE, 0), | ||
Arg(2, LT, sys.maxsize)) | ||
f.add_rule(ALLOW, "chdir", | ||
Arg(0, EQ, i), | ||
Arg(1, NE, 0), | ||
Arg(2, LT, sys.maxsize)) | ||
i += 1 | ||
i = 100 | ||
while i < 200: | ||
f.add_rule_exactly(ALLOW, i, | ||
Arg(0, NE, 0)) | ||
i = 0 | ||
ctr = 0 | ||
while i < 10000 and ctr < 100: | ||
sc = i | ||
i += 1 | ||
f.add_rule_exactly(ALLOW, 4) | ||
if sc == resolve_syscall(Arch(), "chdir"): | ||
continue | ||
try: | ||
resolve_syscall(Arch(), sc) | ||
except ValueError: | ||
continue | ||
f.add_rule(ALLOW, sc, Arg(0, NE, 0)) | ||
ctr += 1 | ||
f.add_rule(ALLOW, "close") | ||
return f | ||
|
||
args = util.get_opt() | ||
|
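Review bot: `resolve_syscall(Arch(), "chdir")` is re-evaluated on every pass of the `while i < 10000 and ctr < 100:` loop, building a fresh `Arch()` and repeating the same lookup up to 10000 times. Resolve it once before the loop, e.g. `arch = Arch()` and `chdir_nr = resolve_syscall(arch, "chdir")`, then compare `sc == chdir_nr` and reuse `arch` in the `try:` lookup. A one-line comment on the loop would also help, saying that chdir is skipped because it already carries the 100 argument chains added above and that the 10000 cap bounds the scan for resolvable syscall numbers.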
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,30 +1,23 @@ | ||
# | ||
# libseccomp regression test automation data | ||
# | ||
# Copyright IBM Corp. 2012 | ||
# Copyright (c) 2012 IBM Corp. | ||
# Copyright (c) 2021 Microsoft Corporation <[email protected]> | ||
# Author: Corey Bryant <[email protected]> | ||
# | ||
|
||
test type: bpf-sim | ||
|
||
# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result | ||
05-sim-long_jumps all,-x32 1 1 2 3 4 5 6 ALLOW | ||
05-sim-long_jumps all,-x32 2 N N N N N N KILL | ||
05-sim-long_jumps all,-x32 999 N N N N N N KILL | ||
05-sim-long_jumps x86 1000 0-5 0x856B008 0x7FFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86_64 1000 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86 1000 95-99 0x856B008 0x7FFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86_64 1000 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86 1000 100 0x856B008 0x7FFFFFFE N N N KILL | ||
05-sim-long_jumps x86_64 1000 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL | ||
05-sim-long_jumps all,-x32 1001 N N N N N N KILL | ||
05-sim-long_jumps all,-x32 99 1 N N N N N KILL | ||
05-sim-long_jumps all,-x32 100-105 1 N N N N N ALLOW | ||
05-sim-long_jumps all,-x32 195-199 1 N N N N N ALLOW | ||
05-sim-long_jumps all,-x32 200 1 N N N N N KILL | ||
05-sim-long_jumps all,-x32 3 N N N N N N KILL | ||
05-sim-long_jumps all,-x32 4 1 2 3 4 5 6 ALLOW | ||
05-sim-long_jumps all,-x32 5 N N N N N N KILL | ||
05-sim-long_jumps all,-x32 brk 1 2 3 4 5 6 ALLOW | ||
05-sim-long_jumps all,-x32 9999 N N N N N N KILL | ||
05-sim-long_jumps x86 chdir 0-5 0x856B008 0x7FFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86_64 chdir 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86 chdir 95-99 0x856B008 0x7FFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86_64 chdir 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW | ||
05-sim-long_jumps x86 chdir 100 0x856B008 0x7FFFFFFE N N N KILL | ||
05-sim-long_jumps x86_64 chdir 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL | ||
05-sim-long_jumps all,-x32 close 1 N N N N N ALLOW | ||
|
||
test type: bpf-sim-fuzz | ||
|
||
|
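Review bot: None of the new bpf-sim rows exercises the rules added by the "many syscalls, same chain" loop. The removed rows for syscalls 99, 100-105, 195-199 and 200 did, whereas `close 1 N N N N N ALLOW` is satisfied by the unconditional `close` rule whether or not the loop added anything. Because the looped syscall numbers now differ per arch, a per-arch pair would restore that coverage. One constructed example, x86_64 only and to be checked against that ABI's syscall table, is `05-sim-long_jumps x86_64 read 0 N N N N N KILL` plus the same row with Arg0 `1` expecting ALLOW.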