| Commit message | Author | Age | Files | Lines |
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The action return can return either a constant value or a reference to a
value.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Separating every action in a test case enables filtering using the
check env variable. Like:
    sudo -E CK_RUN_CASE="a_inject_a" tests/unit/test-actions
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The inject actions install a fd into the target. The tests for those
actions create a temporary file and install the file descriptor into the
target, and check for the existence of the new fd.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Catch if the target process has exited due to an error and interrupt
the tests.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Unit test for the action return, block and continue. The unit test
installs a seccomp filter into the target to filter the getpid syscalls.
Based on the action, the test checks the result of the syscall in the
target to validate the correctness of the actions.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The inject actions install a new fd into the target. If the action is an
atomic injection then the target is unblocked after this action and the
return value of the syscall will be the file descriptor number that
was allocated in the target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The continue action lets the filtered syscall continue the execution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The return action returns a value to the target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The block action returns a given error.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Tests:
- getppid syscall
- read syscall without context
- opena and read syscalls with a mount namespace
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Perform the action with the context. The action call executes a
syscall in the given namespaces or in caller context if none is
specified.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Create initial pytest suite for testing seitan and seitan-eater setup.
The test suite includes:
- 'test_simple' verifies the basic functionalities and the
  synchronization between seitan and the eater
- 'test_restart_seitan' verifies when seitan needs to restart
Seitan and eater are deployed in a container to control the environment
where they run.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
For now, just testing the connect syscalls with a client/server small
test program.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Preserve the seccomp notifier fd after the exec. In this way, if seitan
needs to restart, it is able to retrieve the fd from /proc/<pid>/fd of the
target.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Move find_fd_seccomp_notifier to common.c to be reused
in other places.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Instead of assuming that the fd of the notifier is always 3, find the
correct fd from procfs.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The connect syscall was used to synchronize seitan and the eater for the
seccomp installation filter and notifier initialization. However, we
assume that the fd 0 is always free, and this might not always be the
case.
Try to implement an alternative and more robust solution.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Check for errors for prctl and seccomp syscall.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Repeatedly listen for seccomp notification events using epoll.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The action file needs to be set from the seitan command line.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Avoid hardcoded values and set the option from command line.
Example:
    ./seitan -i action -p 1234
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Extend seitan-eater for launching a generic program with arguments.
Example:
    ./seitan-eater -i input.json -- ls
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The test-filter verifies that the create_bfp_program builds the filter
correctly.
The test suite includes the tests for checking a filter with:
* a single instruction
* a single instruction with arguments
* 2 instructions
* multiple instructions
* multiple instructions with arguments
* multiple instructions with multiple instances of the same instruction
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The bpf_dbg binary prints the instructions included in the BPF filter.
This is particularly useful for debugging and verifying the generated
filter. E.g.:
    ./bpf_dbg test.bpf
    Read 7 entries
    l0: ld [4]
    l1: jeq #0xc000003e, l2, l5
    l2: ld [0]
    l3: jeq #0x2a, l4, l5
    l4: ja 5
    l5: ret #0x7fff0000
    l6: ret #0x7fc00000
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The build binary creates the bpf filter based on the syscalls defined in
struct bpf_call. E.g.:
    ./build test.bpf
First, a table with the filtered syscalls is built in ascending order of
syscall number and including the amount of syscalls of that type.
After, the BPF filter with a binary search tree is constructed with:
1. the nodes for the tree search
2. the leaves with all the syscall numbers
3. every syscall arguments if present
Then, the BPF instructions are written in the input file.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
The flags aren't necessary anymore as the filter is built at runtime.
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Refactor filter.sh script by:
* renaming the filter.sh to nr_syscalls.sh
* removing the BPF filter generation
* simplifying the syscall number and header generation
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
...the PROC_EVENT_EXEC we're looking for might be hiding there. Also,
avoid a possible endless loop on NLMSG_NOOP.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>