| | Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|---|
... | ||||||
* | Remove filter dir | Alice Frosi | 2023-03-24 | 3 | -38320/+0 | |
* | Re-organize project and add license header | Alice Frosi | 2023-03-24 | 44 | -208/+38478 | |
* | filter: add logging mode | Alice Frosi | 2023-03-23 | 5 | -35/+64 | |
| | The logging mode creates a BPF filter where all the syscalls trigger a notification to the seccomp notifier. | | | | | |
* | seitan: receiving seccomp notifier with socket | Alice Frosi | 2023-03-23 | 1 | -22/+126 | |
| | OCI spec and container runtimes expect to send the seccomp notifier fd through a unix socket. This mode is complementary to retrieving the file descriptor using the pid of the target process. Add option to log the syscalls. | | | | | |
* | cooker: Initial import of new implementation | Stefano Brivio | 2023-03-20 | 19 | -0/+3179 | |
| | Signed-off-by: Stefano Brivio <sbrivio@redhat.com> | | | | | |
* | tests: add unit tests for op_resolvedfd | Alice Frosi | 2023-03-15 | 1 | -1/+77 | |
* | seitan: add op_resolvedfd | Alice Frosi | 2023-03-15 | 2 | -0/+36 | |
| | The op_resolvedfd verifies that the fd points to a path. Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | tests: add test for op_cmp | Alice Frosi | 2023-02-27 | 1 | -1/+63 | |
* | seitan: add op_cmp | Alice Frosi | 2023-02-27 | 2 | -0/+15 | |
| | The operation op_cmp allows comparing 2 areas of memory and, if they don't match, jumping to an operation. | | | | | |
* | seitan: add op_end | Alice Frosi | 2023-02-27 | 2 | -0/+4 | |
| | The op_end signals to terminate reading the operations. This is useful for the introduction of branches for the matches. | | | | | |
* | test: fix arguments and offsets | Alice Frosi | 2023-02-27 | 1 | -6/+7 | |
* | seitan: copy immediate args with op_copy | Alice Frosi | 2023-02-27 | 3 | -12/+22 | |
* | tests: add test for op_copy | Alice Frosi | 2023-02-23 | 1 | -0/+64 | |
| | The target process tries to perform a connect syscall and we need to check that the struct sockaddr_un is correctly copied from the memory of the target process | | | | | |
* | operations: add op_copy | Alice Frosi | 2023-02-23 | 3 | -5/+62 | |
* | tests: generalize the syscall of the target | Alice Frosi | 2023-02-23 | 1 | -12/+19 | |
| | Refactor the tests to pass the filtered syscall and set the argument into the shared struct. | | | | | |
* | test: fix check of a_block | Alice Frosi | 2023-02-23 | 1 | -1/+5 | |
* | tests: adjust do_operations signature | Alice Frosi | 2023-02-23 | 1 | -7/+7 | |
| | Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | Rename actions to operations | Alice Frosi | 2023-02-22 | 6 | -117/+117 | |
| | Replace all the action-related names with operations to make them more generic. | | | | | |
* | fix formatting | Alice Frosi | 2023-02-22 | 8 | -155/+171 | |
* | gluten: remove error type | Alice Frosi | 2023-02-22 | 1 | -1/+0 | |
| | The error is always constant and not a reference | | | | | |
* | tests: add test for act_inject with the references | Alice Frosi | 2023-02-21 | 1 | -8/+35 | |
* | actions: add reference for the fds | Alice Frosi | 2023-02-21 | 3 | -15/+40 | |
* | actions: change pointer to offset | Alice Frosi | 2023-02-21 | 3 | -25/+11 | |
* | tests: add act_call and saving return value | Alice Frosi | 2023-02-21 | 1 | -0/+22 | |
* | makefile: add variable to set temporary data size | Alice Frosi | 2023-02-21 | 1 | -0/+1 | |
* | actions: cast data for temporary result to uint16_t | Alice Frosi | 2023-02-21 | 1 | -1/+1 | |
* | tests: add test-action-call when running make test-unit | Alice Frosi | 2023-02-21 | 1 | -2/+2 | |
* | test: add test for act_call | Alice Frosi | 2023-02-21 | 1 | -1/+23 | |
* | test: add ignore_ret for checking test result | Alice Frosi | 2023-02-21 | 1 | -7/+9 | |
* | action: return error for act_call | Alice Frosi | 2023-02-21 | 1 | -2/+2 | |
* | actions: set error on act_call | Alice Frosi | 2023-02-21 | 1 | -0/+13 | |
* | actions: add data section | Alice Frosi | 2023-02-21 | 3 | -8/+8 | |
* | gluten: add reference fields | Alice Frosi | 2023-02-21 | 1 | -2/+4 | |
* | tests: remove unused variables | Alice Frosi | 2023-02-21 | 1 | -7/+2 | |
* | tests: test reference for a_return | Alice Frosi | 2023-02-16 | 1 | -1/+33 | |
| | Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | actions: add reference to a_return | Alice Frosi | 2023-02-16 | 2 | -2/+19 | |
| | The action return can return either a constant value or a reference to a value. Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | tests: fix the suite with the wrong test | Alice Frosi | 2023-02-16 | 1 | -1/+1 | |
* | tests: separate every action in its own test case | Alice Frosi | 2023-02-16 | 1 | -18/+33 | |
| | Separating every action into its own test case enables filtering using the check env variable. Like: sudo -E CK_RUN_CASE="a_inject_a" tests/unit/test-actions | | | | | |
* | actions: fix initialization for a_inject_a | Alice Frosi | 2023-02-16 | 1 | -0/+1 | |
* | actions: fix initialization for a_action | Alice Frosi | 2023-02-16 | 1 | -1/+1 | |
* | moved requirements.txt into tests/integration | Alice Frosi | 2023-02-16 | 1 | -3/+0 | |
* | test: add howto setup integration tests | Alice Frosi | 2023-02-16 | 2 | -0/+60 | |
| | Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | actions: fix flag initialization | Alice Frosi | 2023-02-16 | 1 | -2/+3 | |
| | Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | tests: add tests for inject actions | Alice Frosi | 2023-02-16 | 1 | -11/+89 | |
| | The inject actions install a fd into the target. The tests for those actions create a temporary file and install the file descriptor into the target, and check for the existence of the new fd. Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | Rename field old to oldfd | Alice Frosi | 2023-02-16 | 2 | -3/+3 | |
| | Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | test: interrupt test on target process exit | Alice Frosi | 2023-02-16 | 1 | -0/+13 | |
| | Catch if the target process has exited due to an error and interrupt the tests. Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | Unmap at struct on teardown if set | Alice Frosi | 2023-02-15 | 1 | -1/+7 | |
| | Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | Add test actions | Alice Frosi | 2023-02-15 | 2 | -1/+229 | |
| | Unit test for the action return, block and continue. The unit test installs a seccomp filter into the target to filter the getpid syscalls. Based on the action, the test checks the result of the syscall in the target to validate the correctness of the actions. Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | seitan: add injection actions | Alice Frosi | 2023-02-15 | 2 | -7/+18 | |
| | The inject actions install a new fd into the target. If the action is an atomic injection then the target is unblocked after this action and the return value of the syscall will be the file descriptor number that was allocated in the target Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |
* | seitan: add continue action | Alice Frosi | 2023-02-15 | 1 | -0/+9 | |
| | The continue action lets the filtered syscall continue the execution. Signed-off-by: Alice Frosi <afrosi@redhat.com> | | | | | |