diff options
-rw-r--r-- | tests/unit/test_filter_build.c | 195 |
1 files changed, 101 insertions, 94 deletions
diff --git a/tests/unit/test_filter_build.c b/tests/unit/test_filter_build.c index 343d020..df9eef6 100644 --- a/tests/unit/test_filter_build.c +++ b/tests/unit/test_filter_build.c @@ -46,7 +46,8 @@ START_TEST(test_single_instr) /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* l1 */ - BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 0, 2), + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 1, 0), + /* l10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* l2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), @@ -79,24 +80,25 @@ START_TEST(test_single_instr_two_args) struct syscall_entry table[] = { { .count = 1, .nr = nr, .entry = &calls[0] }, }; - struct sock_filter result[10]; + struct sock_filter result[20]; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* l1 */ - BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 0, 8), - /* l2 */ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 1, 0), + /* l2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), - /* l3 */ EQ(nr, 0, 6), - /* l4 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l5 */ EQ(123, 0, 2), - /* l6 */ LOAD(offsetof(struct seccomp_data, args[2])), - /* l7 */ EQ(321, 0, 1), - /* l8 */ JUMPA(2), - /* l9 */ JUMPA(0), - /* l10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l4 */ EQ(nr, 2, 0), + /* l5 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l7 */ LOAD(offsetof(struct seccomp_data, args[1])), + /* l8 */ EQ(123, 0, 2), + /* l9 */ LOAD(offsetof(struct seccomp_data, args[2])), + /* l10 */ EQ(321, 0, 1), /* l11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), }; size = create_bfp_program(table, result, sizeof(table) / sizeof(table[0])); @@ -121,17 +123,18 @@ START_TEST(test_two_instr) /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* l1 */ - BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 0, 4), - /* l2 */ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 1, 0), + /* l2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), /* ------- level0 -------- */ - /* l3 */ JGE(49, 1, 0), + /* l4 */ JGE(49, 1, 0), /* ------- leaves -------- */ - /* l4 */ EQ(42, 2, 1), - /* l5 */ EQ(49, 1, 0), - /* l6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), - /* l7 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l5 */ EQ(42, 2, 1), + /* l6 */ EQ(49, 1, 0), + /* l7 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), }; struct sock_filter result[30]; @@ -161,28 +164,29 @@ START_TEST(test_multiple_instr_no_args) /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* l1 */ - BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 0, 13), - /* l2 */ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 1, 0), + /* l2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), /* ------- level0 -------- */ - /* l3 */ JGE(46, 1, 0), + /* l4 */ JGE(46, 1, 0), /* ------- level1 -------- */ - /* l4 */ JGE(45, 2, 1), - /* l5 */ JGE(46, 3, 2), + /* l5 */ JGE(45, 2, 1), + /* l6 */ JGE(46, 3, 2), /* ------- level2 -------- */ - /* l6 */ JGE(43, 4, 3), - /* l7 */ JGE(45, 5, 4), - /* l8 */ JGE(46, 6, 5), - /* l9 */ JUMPA(5), + /* l7 */ JGE(43, 4, 3), + /* l8 */ JGE(45, 5, 4), + /* l9 */ JGE(46, 6, 5), + /* l10 */ JUMPA(5), /* -------- leaves ------- */ - /* l10 */ EQ(42, 5, 4), - /* l11 */ EQ(43, 4, 3), - /* l12 */ EQ(44, 3, 2), - /* l13 */ EQ(45, 2, 1), - /* l14 */ EQ(46, 1, 0), - /* l20 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), - /* l21 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l11 */ EQ(42, 5, 4), + /* l12 */ EQ(43, 4, 3), + /* l13 */ EQ(44, 3, 2), + /* l14 */ EQ(45, 2, 1), + /* l15 */ EQ(46, 1, 0), + /* l16 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l17 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; @@ -227,43 +231,44 @@ START_TEST(test_multiple_instr_with_args) /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* l1 */ - BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 0, 25), - /* l2 */ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 1, 0), + /* l2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), /* ------- level0 -------- */ - /* l3 */ JGE(46, 1, 0), + /* l4 */ JGE(46, 1, 0), /* ------- level1 -------- */ - /* l4 */ JGE(45, 2, 1), - /* l5 */ JGE(46, 3, 2), + /* l5 */ JGE(45, 2, 1), + /* l6 */ JGE(46, 3, 2), /* ------- level2 -------- */ - /* l6 */ JGE(43, 4, 3), - /* l7 */ JGE(45, 5, 4), - /* l8 */ JGE(46, 6, 5), - /* l9 */ JUMPA(17), + /* l7 */ JGE(43, 4, 3), + /* l8 */ JGE(45, 5, 4), + /* l9 */ JGE(46, 6, 5), + /* l10 */ JUMPA(5), /* -------- leaves ------- */ - /* l10 */ EQ(42, 4, 16), - /* l11 */ EQ(43, 16, 15), - /* l12 */ EQ(44, 15, 14), - /* l13 */ EQ(45, 6, 13), - /* l14 */ EQ(46, 13, 12), + /* l11 */ EQ(42, 6, 4), + /* l12 */ EQ(43, 4, 3), + /* l13 */ EQ(44, 3, 2), + /* l14 */ EQ(45, 9, 1), + /* l15 */ EQ(46, 1, 0), + /* l16 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l17 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* ------- args ---------- */ - /* l15 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l16 */ EQ(123, 0, 2), - /* l17 */ LOAD(offsetof(struct seccomp_data, args[2])), - /* l18 */ EQ(321, 0, 1), - /* l19 */ JUMPA(8), /* notify */ - /* l20 */ JUMPA(6), - /* ----- end call44 ------ */ - /* l21 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l22 */ EQ(123, 0, 2), - /* l23 */ LOAD(offsetof(struct seccomp_data, args[2])), - /* l24 */ EQ(321, 0, 1), - /* l25 */ JUMPA(2), /* notify */ - /* l26 */ JUMPA(0), - /* ----- end call46 ------ */ - /* l27 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l18 */ LOAD(offsetof(struct seccomp_data, args[1])), + /* l19 */ EQ(123, 0, 2), + /* l20 */ LOAD(offsetof(struct seccomp_data, args[2])), + /* l21 */ EQ(321, 0, 1), + /* l22 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* ----- end call42 ------ */ + /* l24 */ LOAD(offsetof(struct seccomp_data, args[1])), + /* l25 */ EQ(123, 0, 2), + /* l26 */ LOAD(offsetof(struct seccomp_data, args[2])), + /* l27 */ EQ(321, 0, 1), /* l28 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l29 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* ----- end call45 ------ */ }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; @@ -311,44 +316,46 @@ START_TEST(test_multiple_instance_same_instr) /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), /* l1 */ - BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 0, 27), - /* l2 */ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SEITAN_AUDIT_ARCH, 1, 0), + /* l2 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l3 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, nr))), /* ------- level0 -------- */ - /* l3 */ JGE(46, 1, 0), + /* l4 */ JGE(46, 1, 0), /* ------- level1 -------- */ - /* l4 */ JGE(45, 2, 1), - /* l5 */ JGE(46, 3, 2), + /* l5 */ JGE(45, 2, 1), + /* l6 */ JGE(46, 3, 2), /* ------- level2 -------- */ - /* l6 */ JGE(43, 4, 3), - /* l7 */ JGE(45, 5, 4), - /* l8 */ JGE(46, 6, 5), - /* l9 */ JUMPA(19), + /* l7 */ JGE(43, 4, 3), + /* l8 */ JGE(45, 5, 4), + /* l9 */ JGE(46, 6, 5), + /* l10 */ JUMPA(5), /* -------- leaves ------- */ - /* l10 */ EQ(42, 4, 18), - /* l11 */ EQ(43, 18, 17), - /* l12 */ EQ(44, 17, 16), - /* l13 */ EQ(45, 6, 15), - /* l14 */ EQ(46, 15, 14), + /* l11 */ EQ(42, 6, 4), + /* l12 */ EQ(43, 4, 3), + /* l13 */ EQ(44, 3, 2), + /* l14 */ EQ(45, 10, 1), + /* l15 */ EQ(46, 1, 0), + /* l16 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l17 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* ------- args ---------- */ - /* l15 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l16 */ EQ(123, 0, 1), - /* l17 */ JUMPA(12), /* notify */ - /* l18 */ LOAD(offsetof(struct seccomp_data, args[2])), - /* l19 */ EQ(321, 0, 1), - /* l20 */ JUMPA(9), /* notify */ - /* l21 */ JUMPA(7), - /* ----- end call44 ------ */ - /* l22 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l23 */ EQ(123, 0, 1), - /* l24 */ JUMPA(5), /* notify */ - /* l25 */ LOAD(offsetof(struct seccomp_data, args[2])), - /* l26 */ EQ(321, 0, 1), - /* l27 */ JUMPA(2), /* notify */ - /* l28 */ JUMPA(0), - /* l29 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l18 */ LOAD(offsetof(struct seccomp_data, args[1])), + /* l19 */ EQ(123, 0, 1), + /* l20 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l21 */ LOAD(offsetof(struct seccomp_data, args[2])), + /* l22 */ EQ(321, 0, 1), + /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* ----- end call42 ------ */ + /* l25 */ LOAD(offsetof(struct seccomp_data, args[1])), + /* l26 */ EQ(123, 0, 1), + /* l27 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l28 */ LOAD(offsetof(struct seccomp_data, args[2])), + /* l29 */ EQ(321, 0, 1), /* l30 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l31 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* ----- end call44 ------ */ }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; |