From aeb7573732347cd0bbf0e3d7e560a53f875313cf Mon Sep 17 00:00:00 2001
From: Alice Frosi <afrosi@redhat.com>
Date: Fri, 31 Mar 2023 11:10:42 +0200
Subject: tests: add tests for filtering the syscalls

---
 tests/unit/Makefile      | 16 +++++++--
 tests/unit/test_filter.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++
 tests/unit/testutil.h    |  1 +
 tests/unit/util.c        | 15 ++++++++
 4 files changed, 122 insertions(+), 3 deletions(-)
 create mode 100644 tests/unit/test_filter.c

diff --git a/tests/unit/Makefile b/tests/unit/Makefile
index 1c3a413..aeaf6ae 100644
--- a/tests/unit/Makefile
+++ b/tests/unit/Makefile
@@ -7,8 +7,13 @@ OP_DIR := ../../
 COOKER_DIR := ../../cooker
 DBG_DIR := ../../debug
 
-SRCS_FILTER := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c
-HEADERS_FILTER := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h
+SRCS_FILTER_BUILD := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c
+HEADERS_FILTER_BUILD := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h
+
+SRCS_FILTER := $(COOKER_DIR)/filter.c $(COMMON_DIR)/common.c util.c \
+	       $(DBG_DIR)/disasm.c
+HEADERS_FILTER := $(COOKER_DIR)/filter.h $(COMMON_DIR)/common.h \
+		  $(DBG_DIR)/disasm.h testutil.h
 
 HEADERS_OP_CALL := $(COMMON_DIR)/gluten.h  $(OP_DIR)/operations.h
 SRCS_OP_CALL := $(OP_DIR)/operations.c
@@ -33,11 +38,16 @@ CFLAGS += -DSEITAN_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH) -DTMP_DATA_SIZE=1000
 
 test: test-filter test-operations test-op-call
 
-test-filter-build: test_filter_build.c $(SRCS_FILTER) $(HEADERS_FILTER)
+test-filter-build: test_filter_build.c $(SRCS_FILTER_BUILD) $(HEADERS_FILTER_BUILD)
 	$(CC) $(CFLAGS) -o test-filter-build $(SRCS_FILTER) \
 		test_filter_build.c
 		./test-filter-build
 
+test-filter: test_filter.c $(SRCS_FILTER) $(HEADERS_FILTER)
+	        $(CC) $(CFLAGS) -o test-filter $(SRCS_FILTER) \
+                test_filter.c
+		./test-filter
+
 test-op-call: test_op_call.c $(SRCS_OP_CALL) $(HEADERS_OP_CALL)
 	$(CC) $(CFLAGS) -o test-op-call $(SRCS_OP_CALL) \
 		test_op_call.c
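Review bot: The test-filter-build recipe still compiles `$(SRCS_FILTER)` although its prerequisites were switched to `$(SRCS_FILTER_BUILD)`, so that binary now also pulls in util.c, which is not listed as a dependency of the target. If the two variable sets are meant to keep util.c out of the build-only test, the recipe line should read `$(CC) $(CFLAGS) -o test-filter-build $(SRCS_FILTER_BUILD) \`. The new test-filter recipe also indents its first line with a tab followed by spaces and its continuation with spaces only; a plain tab, as in the neighbouring rules, would be consistent.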
diff --git a/tests/unit/test_filter.c b/tests/unit/test_filter.c
new file mode 100644
index 0000000..5ff9d65
--- /dev/null
+++ b/tests/unit/test_filter.c
@@ -0,0 +1,93 @@
+/* SPDX-License-Identifier: GPL-3.0-or-later
+ * Copyright 2023 Red Hat GmbH
+ * Author: Alice Frosi <afrosi@redhat.com>
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sched.h>
+#include <unistd.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/mman.h>
+#include <sys/un.h>
+#include <sys/socket.h>
+
+#include <check.h>
+
+#include "gluten.h"
+#include "common.h"
+#include "testutil.h"
+#include "filter.h"
+
+static int generate_install_filter(struct args_target *at)
+{
+	struct bpf_call calls[] = { {} };
+	struct syscall_entry table[] = {
+		{ .count = 1, .nr = at->nr, .entry = &calls[0] }
+	};
+	struct sock_filter filter[30];
+	unsigned int size;
+
+	size = create_bfp_program(table, filter, 1);
+	return install_filter(filter, size);
+}
+
+void setup_build_filter()
+{
+	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
+		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	at->check_fd = false;
+	at->nr = __NR_getpid;
+	at->args[0] = NULL;
+	at->install_filter = generate_install_filter;
+	setup();
+}
+
+START_TEST(filter)
+{
+	continue_target();
+}
+END_TEST
+
+
+Suite *op_call_suite(void)
+{
+	Suite *s;
+	int timeout = 30;
+	TCase *simple;
+
+	s = suite_create("Test filter with target");
+
+	simple = tcase_create("simple");
+	tcase_add_checked_fixture(simple, setup_build_filter, teardown);
+	tcase_set_timeout(simple, timeout);
+	tcase_add_test(simple, filter);
+	suite_add_tcase(s, simple);
+
+	return s;
+}
+
+int main(void)
+{
+	int no_failed = 0;
+	Suite *s;
+	SRunner *runner;
+
+	s = op_call_suite();
+	runner = srunner_create(s);
+
+	srunner_run_all(runner, CK_VERBOSE);
+	no_failed = srunner_ntests_failed(runner);
+	srunner_free(runner);
+	return (no_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
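Review bot: The mmap() result in setup_build_filter is dereferenced on the next statement without a check, so a failed mapping crashes at `at->check_fd = false` instead of reporting a test failure; add `ck_assert_ptr_ne(at, MAP_FAILED);` right after the call. In generate_install_filter the program is written into a fixed `filter[30]` and the size returned by create_bfp_program is passed to install_filter unchecked. Whether 30 entries always suffices depends on that function, which is not visible here, so a bound check or a comment stating the worst case would help. The suite constructor is still named op_call_suite, which looks carried over from another test file; a name such as filter_suite would match what it builds.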
diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h
index 896d690..d4f83af 100644
--- a/tests/unit/testutil.h
+++ b/tests/unit/testutil.h
@@ -41,5 +41,6 @@ void check_target_result(long ret, int err, bool ignore_ret);
 void setup();
 void teardown();
 int install_notification_filter(struct args_target *at);
+void continue_target();
 
 #endif /* TESTUTIL_H */
diff --git a/tests/unit/util.c b/tests/unit/util.c
index d4109b0..c6fc3fb 100644
--- a/tests/unit/util.c
+++ b/tests/unit/util.c
@@ -155,6 +155,21 @@ void check_target_result(long ret, int err, bool ignore_ret)
 	ck_assert_int_eq(close(pipefd[0]), 0);
 }
 
+void continue_target()
+{
+	struct seccomp_notif_resp resp;
+	int ret;
+
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id);
+	ck_assert_msg(ret == 0, strerror(errno));
+	resp.id = req.id;
+	resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
+	resp.error = 0;
+	resp.val = 0;
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
+	ck_assert_msg(ret == 0, strerror(errno));
+}
+
 void setup()
 {
 	int ret;
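Review bot: Both ck_assert_msg calls in continue_target pass `strerror(errno)` as the format argument, but that parameter is a printf-style format and should be a literal: `ck_assert_msg(ret == 0, "%s", strerror(errno));`. With that change the test sources also build cleanly under -Wformat-security. The function would benefit from a one-line comment such as `/* Answer the pending notification with FLAG_CONTINUE so the kernel runs the target's syscall itself. */`. The comment should also say that `notifyfd` and `req` are expected to be filled in before the call, presumably by setup(), whose body lies outside this hunk.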
-- 
cgit v1.2.3