BUG: misleading name of test 18-sim-basic_whitelist

[diekmann]

Hi,

I was reading tests/18-sim-basic_whitelist.c.

If I understand it correctly, it does the following:

• Disallow some read, write, close, and rt_sigreturn syscalls (only if they act on stdin, stdout, stderr).
• Allow everything else (in particular, reading/writing to any other file descriptor is allowed)

This is not whitelisting, this is blacklisting.

Should the file be renamed? Should all KILLs and ACCEPTs be swapped to achieve whitelisting?

It would be nice to have a true whitelisting example, since this is the strongly recommended use of seccomp.

[pcmoore]

Yes, it should probably be renamed, but to be honest, the name of these isn't very important, the content of the test is what matters.

[diekmann]

Enhancement suggestion: It would be nice to additionally have a whitelisting test. Test cases tend to be used by developers as reference or code example. 👍

I just found a library (not written by me) which had basically the same bug. It meant to do whitelisting with seccomp but actually did blacklisting. I cannot tell whether this was an independent bug or maybe subconsciously induced by this test case.

By the way: do you want me to delete this comment and open a separate issue for this?

[pcmoore]

Merged in 5e0a33f, thanks @lucab!