Commit message [Author, Age, Files, Lines]
* tests: add act_call and saving return value [Alice Frosi, 2023-02-21, files: 1, lines: -0/+22]
|
* makefile: add variable to set temporary data size [Alice Frosi, 2023-02-21, files: 1, lines: -0/+1]
|
* actions: cast data for temporary result to uint16_t [Alice Frosi, 2023-02-21, files: 1, lines: -1/+1]
|
* tests: add test-action-call when running make test-unit [Alice Frosi, 2023-02-21, files: 1, lines: -2/+2]
|
* test: add test for act_call [Alice Frosi, 2023-02-21, files: 1, lines: -1/+23]
|
* test: add ignore_ret for checking test result [Alice Frosi, 2023-02-21, files: 1, lines: -7/+9]
|
* action: return error for act_call [Alice Frosi, 2023-02-21, files: 1, lines: -2/+2]
|
* actions: set error on act_call [Alice Frosi, 2023-02-21, files: 1, lines: -0/+13]
|
* actions: add data section [Alice Frosi, 2023-02-21, files: 3, lines: -8/+8]
|
* gluten: add reference fields [Alice Frosi, 2023-02-21, files: 1, lines: -2/+4]
|
* tests: remove unused variables [Alice Frosi, 2023-02-21, files: 1, lines: -7/+2]
|
* tests: test reference for a_return [Alice Frosi, 2023-02-16, files: 1, lines: -1/+33]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* actions: add reference to a_return [Alice Frosi, 2023-02-16, files: 2, lines: -2/+19]
|
|   The action return can return either a constant value or a reference to
|   a value.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* tests: fix the suite with the wrong test [Alice Frosi, 2023-02-16, files: 1, lines: -1/+1]
|
* tests: separate every action in its own test case [Alice Frosi, 2023-02-16, files: 1, lines: -18/+33]
|
|   Separating every action in a test case enables filtering using check
|   env variable. Like:
|
|   sudo -E CK_RUN_CASE="a_inject_a" tests/unit/test-actions
|
* actions: fix initialization for a_inject_a [Alice Frosi, 2023-02-16, files: 1, lines: -0/+1]
|
* actions: fix initialization for a_action [Alice Frosi, 2023-02-16, files: 1, lines: -1/+1]
|
* moved requirements.txt into tests/integration [Alice Frosi, 2023-02-16, files: 1, lines: -3/+0]
|
* test: add howto setup integration tests [Alice Frosi, 2023-02-16, files: 2, lines: -0/+60]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* actions: fix flag initialization [Alice Frosi, 2023-02-16, files: 1, lines: -2/+3]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* tests: add tests for inject actions [Alice Frosi, 2023-02-16, files: 1, lines: -11/+89]
|
|   The inject actions install a fd into the target. The tests for those
|   actions create a temporary file and install the file descriptor into
|   the target, and check for the existence of the new fd.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Rename field old to oldfd [Alice Frosi, 2023-02-16, files: 2, lines: -3/+3]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* test: interrupt test on target process exit [Alice Frosi, 2023-02-16, files: 1, lines: -0/+13]
|
|   Catch if the target process has exited due to an error and interrupt
|   the tests.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Unmap at struct on teardown if set [Alice Frosi, 2023-02-15, files: 1, lines: -1/+7]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Add test actions [Alice Frosi, 2023-02-15, files: 2, lines: -1/+229]
|
|   Unit test for the action return, block and continue. The unit test
|   installs a seccomp filter into the target to filter the getpid
|   syscalls. Based on the action, the test checks the result of the
|   syscall in the target to validate the correctness of the actions.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: add injection actions [Alice Frosi, 2023-02-15, files: 2, lines: -7/+18]
|
|   The inject actions install a new fd into the target. If the action is
|   an atomic injection then the target is unblocked after this action and
|   the return value of the syscall will be the file descriptor number
|   that was allocated in the target.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: add continue action [Alice Frosi, 2023-02-15, files: 1, lines: -0/+9]
|
|   The continue action lets the filtered syscall continue the execution.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: add return action [Alice Frosi, 2023-02-15, files: 2, lines: -0/+9]
|
|   The return action returns a value to the target.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: add block action [Alice Frosi, 2023-02-15, files: 1, lines: -0/+8]
|
|   The block action returns a given error
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* test: add unit test for act call [Alice Frosi, 2023-02-15, files: 2, lines: -1/+231]
|
|   Tests:
|   - getppid syscall
|   - read syscall without context
|   - opena and read syscalls with a mount namespace
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: action for the call [Alice Frosi, 2023-02-15, files: 3, lines: -0/+307]
|
|   Perform the action with the context. The action call executes a
|   syscall in the given namespaces or in caller context if none is
|   specified.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* integration: create integration tests [Alice Frosi, 2023-02-15, files: 5, lines: -0/+161]
|
|   Create initial pytest suite for testing seitan and seitan-eater setup.
|
|   The test suite includes:
|   - 'test_simple' verifies the basic functionalities and the
|     synchronization between seitan and the eater
|   - 'test_restart_seitan' verifies when seitan needs to restart
|
|   Seitan and eater are deployed in a container to control the
|   environment where they run.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Create test utils for testing different syscall [Alice Frosi, 2023-02-15, files: 3, lines: -0/+96]
|
|   For now, just testing the connect syscalls with a client/server small
|   test program.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* eater: unset O_CLOEXEC for the seccomp notifier fd [Alice Frosi, 2023-02-15, files: 2, lines: -5/+22]
|
|   Preserve the seccomp notifier fd after the exec. In this way, if
|   seitan needs to restart, it is able to retrieve the fd from
|   /proc/<pid>/fd of the target.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: separate function in common [Alice Frosi, 2023-02-15, files: 4, lines: -52/+65]
|
|   Move find_fd_seccomp_notifier to common.c to be reused in other
|   places.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: find fd of seccomp notifier from proc [Alice Frosi, 2023-01-19, files: 1, lines: -1/+55]
|
|   Instead of assuming that the fd of the notifier is always 3, find the
|   correct fd from procfs.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Use signals instead of connect for synchronization [Alice Frosi, 2023-01-17, files: 2, lines: -1/+23]
|
|   The connect syscall was used to synchronize seitan and the eater for
|   the seccomp installation filter and notifier initialization. However,
|   we assume that the fd 0 is always free, and this might not always be
|   the case.
|
|   Try to implement an alternative and more robust solution.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* eater: add error handling [Alice Frosi, 2023-01-17, files: 1, lines: -4/+10]
|
|   Check for errors for prctl and seccomp syscall.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: replace ioctl with epoll [Alice Frosi, 2023-01-17, files: 1, lines: -14/+41]
|
|   Repeatedly listen for seccomp notification events using epoll.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Add .gitignore [Alice Frosi, 2023-01-17, files: 1, lines: -0/+6]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Remove t.out [Alice Frosi, 2023-01-17, files: 1, lines: -3/+2]
|
|   The action file needs to be set from the seitan command line.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* seitan: add flags for pid and input file [Alice Frosi, 2023-01-17, files: 1, lines: -3/+51]
|
|   Avoid hardcoded values and set the option from command line:
|
|   Example:
|   ./seitan -i action -p 1234
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* eater: enable launching generic program [Alice Frosi, 2023-01-17, files: 1, lines: -34/+52]
|
|   Extend seitan-eater for launching a generic program with arguments.
|
|   Example:
|   ./seitan-eater -i input.json -- ls
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Rename loader to eater [Alice Frosi, 2023-01-16, files: 4, lines: -10/+10]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Remove filter.h and t.out rules [Alice Frosi, 2022-12-21, files: 1, lines: -6/+0]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Add unit tests for the BPF filter generation [Alice Frosi, 2022-12-21, files: 3, lines: -0/+384]
|
|   The test-filter verifies that the create_bfp_program builds the
|   filter correctly.
|
|   The test suite includes the tests for checking a filter with:
|   * a single instruction
|   * a single instruction with arguments
|   * 2 instructions
|   * multiple instructions
|   * multiple instructions with arguments
|   * multiple instructions with multiple instances of the same
|     instruction
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Create bpf_dbg program to disassemble BPF filters [Alice Frosi, 2022-12-21, files: 4, lines: -0/+315]
|
|   The bpf_dbg binary prints the instructions included in the BPF
|   filter. This is particularly useful for debugging and verifying the
|   generated filter.
|
|   E.g:
|   ./bpf_dbg test.bpf
|   Read 7 entries
|   l0: ld [4]
|   l1: jeq #0xc000003e, l2, l5
|   l2: ld [0]
|   l3: jeq #0x2a, l4, l5
|   l4: ja 5
|   l5: ret #0x7fff0000
|   l6: ret #0x7fc00000
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Remove build of bpf.out [Alice Frosi, 2022-12-21, files: 1, lines: -4/+1]
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Generation of bpf program [Alice Frosi, 2022-12-21, files: 4, lines: -91/+342]
|
|   The build binary creates the bpf filter based on the syscalls defined
|   in struct bpf_call.
|
|   E.g:
|   ./build test.bpf
|
|   First, a table with the filtered syscalls is built in ascending order
|   of syscall number and including the amount of syscalls of that type.
|   After, the BPF filter with a binary search tree is constructed with:
|   1. the nodes for the tree search
|   2. the leaves with all the syscall numbers
|   3. every syscall arguments if present
|
|   Then, the BPF instructions are written in the input file.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>
|
* Remove unnecessary flags [Alice Frosi, 2022-12-21, files: 1, lines: -3/+1]
|
|   The flags aren't necessary anymore as the filter is built at runtime.
|
|   Signed-off-by: Alice Frosi <afrosi@redhat.com>