tests: improve 05-sim-long_jumps to work better across arch/ABIs

This patch primarily moves the test away from abstract syscall numbers to honest-to-goodness actual syscalls which are present on all currently supported arch/ABIs. This change should make it easier to support this test across different platforms now and moving forward. Signed-off-by: Paul Moore <[email protected]> Reviewed-by: Tom Hromatka <[email protected]> Signed-off-by: Tom Hromatka <[email protected]>
seccomp · Nov 1, 2021 · 3c2da11 · 3c2da11
1 parent ee3660f
commit 3c2da11
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 43 deletions.
diff --git a/tests/05-sim-long_jumps.c b/tests/05-sim-long_jumps.c
@@ -2,6 +2,7 @@
  * Seccomp Library test program
  *
  * Copyright (c) 2012 Red Hat <[email protected]>
+ * Copyright (c) 2021 Microsoft Corporation <[email protected]>
  * Author: Paul Moore <[email protected]>
  */
 
@@ -30,7 +31,8 @@
 int main(int argc, char *argv[])
 {
  int rc;
- int iter;
+ int iter, ctr;
+ char *syscall;
  struct util_options opts;
  scmp_filter_ctx ctx = NULL;
 
@@ -42,31 +44,37 @@ int main(int argc, char *argv[])
  if (ctx == NULL)
  return ENOMEM;
 
- /* NOTE - syscalls referenced by number to make the test simpler */
-
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1, 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
  if (rc != 0)
  goto out;
 
  /* same syscall, many chains */
  for (iter = 0; iter < 100; iter++) {
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 1000, 3,
-   SCMP_A0(SCMP_CMP_EQ, iter),
-   SCMP_A1(SCMP_CMP_NE, 0x0),
-   SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 3,
+   SCMP_A0(SCMP_CMP_EQ, iter),
+   SCMP_A1(SCMP_CMP_NE, 0x0),
+   SCMP_A2(SCMP_CMP_LT, SSIZE_MAX));
  if (rc != 0)
  goto out;
  }
 
  /* many syscalls, same chain */
- for (iter = 100; iter < 200; iter++) {
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, iter, 1,
- SCMP_A0(SCMP_CMP_NE, 0));
- if (rc != 0)
- goto out;
+ for (iter = 0, ctr = 0; iter < 10000 && ctr < 100; iter++) {
+ if (iter == SCMP_SYS(chdir))
+ continue;
+ syscall = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE,
+ iter);
+ if (syscall) {
+ free(syscall);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, iter, 1,
+ SCMP_A0(SCMP_CMP_NE, 0));
+ if (rc != 0)
+ goto out;
+ ctr++;
+ }
  }
 
- rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, 4, 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
  if (rc != 0)
  goto out;
 

diff --git a/tests/05-sim-long_jumps.py b/tests/05-sim-long_jumps.py
@@ -4,6 +4,7 @@
 # Seccomp Library test program
 #
 # Copyright (c) 2012 Red Hat <[email protected]>
+# Copyright (c) 2021 Microsoft Corporation <[email protected]>
 # Author: Paul Moore <[email protected]>
 #
 
@@ -30,21 +31,28 @@
 
 def test(args):
  f = SyscallFilter(KILL)
- # syscalls referenced by number to make the test simpler
- f.add_rule_exactly(ALLOW, 1)
+ f.add_rule(ALLOW, "brk")
  i = 0
  while i < 100:
- f.add_rule_exactly(ALLOW, 1000,
-  Arg(0, EQ, i),
-  Arg(1, NE, 0),
-  Arg(2, LT, sys.maxsize))
+ f.add_rule(ALLOW, "chdir",
+ Arg(0, EQ, i),
+ Arg(1, NE, 0),
+ Arg(2, LT, sys.maxsize))
  i += 1
- i = 100
- while i < 200:
-  f.add_rule_exactly(ALLOW, i,
-  Arg(0, NE, 0))
+ i = 0
+ ctr = 0
+ while i < 10000 and ctr < 100:
+ sc = i
  i += 1
- f.add_rule_exactly(ALLOW, 4)
+ if sc == resolve_syscall(Arch(), "chdir"):
+ continue
+ try:
+ resolve_syscall(Arch(), sc)
+ except ValueError:
+ continue
+ f.add_rule(ALLOW, sc, Arg(0, NE, 0))
+ ctr += 1
+ f.add_rule(ALLOW, "close")
  return f
 
 args = util.get_opt()

diff --git a/tests/05-sim-long_jumps.tests b/tests/05-sim-long_jumps.tests
@@ -1,30 +1,23 @@
 #
 # libseccomp regression test automation data
 #
-# Copyright IBM Corp. 2012
+# Copyright (c) 2012 IBM Corp.
+# Copyright (c) 2021 Microsoft Corporation <[email protected]>
 # Author: Corey Bryant <[email protected]>
 #
 
 test type: bpf-sim
 
 # Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-05-sim-long_jumps all,-x32 1 1 2 3 4 5 6 ALLOW
-05-sim-long_jumps all,-x32 2 N N N N N N KILL
-05-sim-long_jumps all,-x32 999 N N N N N N KILL
-05-sim-long_jumps x86 1000 0-5 0x856B008 0x7FFFFFFE N N N ALLOW
-05-sim-long_jumps x86_64 1000 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
-05-sim-long_jumps x86 1000 95-99 0x856B008 0x7FFFFFFE N N N ALLOW
-05-sim-long_jumps x86_64 1000 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
-05-sim-long_jumps x86 1000 100 0x856B008 0x7FFFFFFE N N N KILL
-05-sim-long_jumps x86_64 1000 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL
-05-sim-long_jumps all,-x32 1001 N N N N N N KILL
-05-sim-long_jumps all,-x32 99 1 N N N N N KILL
-05-sim-long_jumps all,-x32 100-105 1 N N N N N ALLOW
-05-sim-long_jumps all,-x32 195-199 1 N N N N N ALLOW
-05-sim-long_jumps all,-x32 200 1 N N N N N KILL
-05-sim-long_jumps all,-x32 3 N N N N N N KILL
-05-sim-long_jumps all,-x32 4 1 2 3 4 5 6 ALLOW
-05-sim-long_jumps all,-x32 5 N N N N N N KILL
+05-sim-long_jumps all,-x32 brk 1 2 3 4 5 6 ALLOW
+05-sim-long_jumps all,-x32 9999 N N N N N N KILL
+05-sim-long_jumps x86 chdir 0-5 0x856B008 0x7FFFFFFE N N N ALLOW
+05-sim-long_jumps x86_64 chdir 0-5 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+05-sim-long_jumps x86 chdir 95-99 0x856B008 0x7FFFFFFE N N N ALLOW
+05-sim-long_jumps x86_64 chdir 95-99 0x856B008 0x7FFFFFFFFFFFFFFE N N N ALLOW
+05-sim-long_jumps x86 chdir 100 0x856B008 0x7FFFFFFE N N N KILL
+05-sim-long_jumps x86_64 chdir 100 0x856B008 0x7FFFFFFFFFFFFFFE N N N KILL
+05-sim-long_jumps all,-x32 close 1 N N N N N ALLOW
 
 test type: bpf-sim-fuzz