| Commit message | Author | Age | Files | Lines |
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Replace all the action related names to operations to make them more
generic.
| |
The error is always constant and not a reference
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The action return can return either a constant value or a reference to a
value.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Separating every action in a test case enables filtering using the
check env variable. Like:
sudo -E CK_RUN_CASE="a_inject_a" tests/unit/test-actions
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The inject actions install a fd into the target. The tests for those
actions create a temporary file and install the file descriptor into the
target, and check for the existence of the new fd.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Catch if the target process has exited due to an error and interrupt
the tests.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Unit test for the action return, block and continue. The unit test
installs a seccomp filter into the target to filter the getpid syscalls.
Based on the action, the test checks the result of the syscall in the
target to validate the correctness of the actions.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The inject actions install a new fd into the target. If the action is an
atomic injection then the target is unblocked after this action and the
return value of the syscall will be the file descriptor number that
was allocated in the target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The continue action lets the filtered syscall continue the execution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The return action returns a value to the target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The block action returns a given error
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Tests:
- getppid syscall
- read syscall without context
- opena and read syscalls with a mount namespace
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Perform the action action with the context. The action call executes a
syscall in the given namespaces or in caller context if none is
specified.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Create initial pytest suite for testing seitan and seitan-eater setup.
The test suite includes:
- 'test_simple' verifies the basic functionalities and the
synchronization between seitan and the eater
- 'test_restart_seitan' verifies when seitan needs to restart
Seitan and eater are deployed in a container to control the environment
where they run.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
For now, just testing the connect syscalls with a client/server small
test program.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Preserve the seccomp notifier fd after the exec. In this way, if seitan
needs to restart, it is able to retrieve the fd from /proc/<pid>/fd of the
target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Move find_fd_seccomp_notifier to common.c to be reused
in other places.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Instead of assuming that the fd of the notifier is always 3, find the
correct fd from procfs.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The connect syscall was used to synchronize seitan and the eater for the
seccomp installation filter and notifier initialization. However, we
assume that the fd 0 is always free, and this might not always be the
case.
Try to implement an alternative and more robust solution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Check for errors for prctl and seccomp syscall.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Repeatedly listen for seccomp notification events using epoll.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
The action file needs to be set from the seitan command line.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Avoid hardcoded values and set the option from command line:
Example:
./seitan -i action -p 1234
Signed-off-by: Alice Frosi <afrosi@redhat.com>
| |
Extend seitan-eater for launching a generic program with arguments.
Example:
./seitan-eater -i input.json -- ls
Signed-off-by: Alice Frosi <afrosi@redhat.com>
|