author | Alice Frosi <afrosi@redhat.com> | 2023-03-31 11:48:40 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-04-03 14:43:21 +0200 |
commit | 79aa938d899c451fed517005c22d00cb03f4bad2 (patch) | |
tree | 646d8bcbe37024bfdb4a832ef9f21eb7dab6e50b /tests | |
parent | b7350faf8e466184ac665730306c99f6612eb5fd (diff) | |
filter: fix filter
An additional notification is needed either when we jump from an
instruction without arguments or at the end of the argument checks.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/unit/test_filter.c | 74 | ||||
-rw-r--r-- | tests/unit/testutil.h | 1 | ||||
-rw-r--r-- | tests/unit/util.c | 15 |
3 files changed, 68 insertions, 22 deletions
diff --git a/tests/unit/test_filter.c b/tests/unit/test_filter.c
index 5ff9d65..9583b56 100644
--- a/tests/unit/test_filter.c
+++ b/tests/unit/test_filter.c
@@ -6,21 +6,9 @@
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <sched.h>
-#include <unistd.h>
-#include <limits.h>
-#include <fcntl.h>
-#include <sys/prctl.h>
 #include <sys/syscall.h>
-#include <sys/ioctl.h>
-#include <sys/wait.h>
-#include <linux/audit.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
 #include <sys/mman.h>
-#include <sys/un.h>
-#include <sys/socket.h>
+#include <sys/resource.h>
 #include <check.h>
@@ -28,52 +16,94 @@
 #include "common.h"
 #include "testutil.h"
 #include "filter.h"
+#include "disasm.h"
 
 static int generate_install_filter(struct args_target *at)
 {
-	struct bpf_call calls[] = { {} };
+	unsigned int i;
+	struct bpf_call calls[1];
 	struct syscall_entry table[] = { { .count = 1, .nr = at->nr, .entry = &calls[0] } };
 	struct sock_filter filter[30];
 	unsigned int size;
 
+	for (i = 0; i < 6; i++) {
+		if (at->args[i] != NULL) {
+			calls[0].args[i] = (int)at->args[i];
+			calls[0].check_arg[i] = true;
+		} else {
+			calls[0].check_arg[i] = false;
+		}
+	}
 	size = create_bfp_program(table, filter, 1);
+	//bpf_disasm_all(filter, size);
 	return install_filter(filter, size);
 }
 
-void setup_build_filter()
+START_TEST(no_args)
 {
 	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
 		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 	at->check_fd = false;
 	at->nr = __NR_getpid;
-	at->args[0] = NULL;
 	at->install_filter = generate_install_filter;
 	setup();
+	mock_syscall_target();
 }
+END_TEST
 
-START_TEST(filter)
+START_TEST(with_getsid)
 {
-	continue_target();
+	int id = 12345;
+	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
+		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	at->check_fd = false;
+	at->nr = __NR_getsid;
+	at->args[0] = &id;
+	at->install_filter = generate_install_filter;
+	setup();
+	mock_syscall_target();
 }
 END_TEST
 
+START_TEST(with_getpriority)
+{
+	int which = 12345;
+	id_t who = PRIO_PROCESS;
+	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
+		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	at->check_fd = false;
+	at->nr = __NR_getpriority;
+	at->args[0] = &which;
+	at->args[1] = &who;
+	at->install_filter = generate_install_filter;
+	setup();
+	mock_syscall_target();
+}
+END_TEST
 
 Suite *op_call_suite(void)
 {
 	Suite *s;
 	int timeout = 30;
-	TCase *simple;
+	TCase *simple, *args32;
 
 	s = suite_create("Test filter with target");
-	simple = tcase_create("simple");
-	tcase_add_checked_fixture(simple, setup_build_filter, teardown);
+	simple = tcase_create("no args");
+	tcase_add_checked_fixture(simple, NULL, teardown);
 	tcase_set_timeout(simple, timeout);
-	tcase_add_test(simple, filter);
+	tcase_add_test(simple, no_args);
 	suite_add_tcase(s, simple);
 
+	args32 = tcase_create("with args 32 bit");
+	tcase_add_checked_fixture(args32, NULL, teardown);
+	tcase_set_timeout(args32, timeout);
+	tcase_add_test(args32, with_getsid);
+	tcase_add_test(args32, with_getpriority);
+	suite_add_tcase(s, args32);
+
 	return s;
 }
diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h
index d4f83af..dd4f1e9 100644
--- a/tests/unit/testutil.h
+++ b/tests/unit/testutil.h
@@ -42,5 +42,6 @@ void setup();
 void teardown();
 int install_notification_filter(struct args_target *at);
 void continue_target();
+void mock_syscall_target();
 
 #endif /* TESTUTIL_H */
diff --git a/tests/unit/util.c b/tests/unit/util.c
index c6fc3fb..5a1c5aa 100644
--- a/tests/unit/util.c
+++ b/tests/unit/util.c
@@ -170,6 +170,21 @@ void continue_target()
 	ck_assert_msg(ret == 0, strerror(errno));
 }
 
+void mock_syscall_target()
+{
+	struct seccomp_notif_resp resp;
+	int ret;
+
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id);
+	ck_assert_msg(ret == 0, strerror(errno));
+	resp.id = req.id;
+	resp.flags = 0;
+	resp.error = 0;
+	resp.val = 0;
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
+	ck_assert_msg(ret == 0, strerror(errno));
+}
+
 void setup()
 {
 	int ret;
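Review bot: `struct bpf_call calls[1];` in generate_install_filter drops the zero-initialization the removed `= { {} }` gave, and the new loop assigns `args[i]` only for non-NULL entries, so `args[i]` of unchecked slots and any other member of struct bpf_call stay indeterminate for whatever create_bfp_program reads from them; `struct bpf_call calls[1] = { { 0 } };` restores the old guarantee. In the same loop, `(int)at->args[i]` casts a `void *` to `int`, which on 64-bit builds truncates the address (GCC's -Wpointer-to-int-cast warns): if `at->args[0] = &id` is meant to carry the value 12345 this compares the wrong number and should read `*(int *)at->args[i]`, and if the harness instead passes the pointer itself as the syscall argument the match only holds by truncation, which deserves a comment saying so. The bound `6` would be safer as `sizeof at->args / sizeof at->args[0]`, and `//bpf_disasm_all(filter, size);` plus the `#include "disasm.h"` added only for it are dead code on the new side. The three START_TEST bodies repeat the same mmap/setup block without checking for MAP_FAILED; a small static helper taking the syscall number and argument pointers would reduce each test to its one-line difference and give a single place for that check.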
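Review bot: mock_syscall_target passes `strerror(errno)` as the format argument of `ck_assert_msg` on both failure paths; that argument is a printf-style format, so a `%` in a localized message would be misparsed, and `ck_assert_msg(ret == 0, "%s", strerror(errno));` is the robust form (the same pattern appears in continue_target in the context just above, so it could be fixed there too). The function has no comment stating its contract; I would add `/* Validate the pending notification (req) on notifyfd and answer it with error 0 and val 0, so the target observes a successful syscall that the kernel never executes. */` above the definition. `resp` could also be declared `struct seccomp_notif_resp resp = { 0 };` so any field later added to the struct stays zeroed rather than indeterminate. `req` and `notifyfd` appear to be file-scope state filled in by setup(), which lies outside this hunk.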