From 79aa938d899c451fed517005c22d00cb03f4bad2 Mon Sep 17 00:00:00 2001
From: Alice Frosi <afrosi@redhat.com>
Date: Fri, 31 Mar 2023 11:48:40 +0200
Subject: filter: fix filter

An additional notification is need either when we jump from an
instruction without arguments then at the end of the argument checks.
---
 tests/unit/test_filter.c | 74 ++++++++++++++++++++++++++++++++++--------------
 tests/unit/testutil.h    |  1 +
 tests/unit/util.c        | 15 ++++++++++
 3 files changed, 68 insertions(+), 22 deletions(-)

(limited to 'tests')

diff --git a/tests/unit/test_filter.c b/tests/unit/test_filter.c
index 5ff9d65..9583b56 100644
--- a/tests/unit/test_filter.c
+++ b/tests/unit/test_filter.c
@@ -6,21 +6,9 @@
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <sched.h>
-#include <unistd.h>
-#include <limits.h>
-#include <fcntl.h>
-#include <sys/prctl.h>
 #include <sys/syscall.h>
-#include <sys/ioctl.h>
-#include <sys/wait.h>
-#include <linux/audit.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
 #include <sys/mman.h>
-#include <sys/un.h>
-#include <sys/socket.h>
+#include <sys/resource.h>
 
 #include <check.h>
 
@@ -28,52 +16,94 @@
 #include "common.h"
 #include "testutil.h"
 #include "filter.h"
+#include "disasm.h"
 
 static int generate_install_filter(struct args_target *at)
 {
-	struct bpf_call calls[] = { {} };
+	unsigned int i;
+	struct bpf_call calls[1];
 	struct syscall_entry table[] = {
 		{ .count = 1, .nr = at->nr, .entry = &calls[0] }
 	};
 	struct sock_filter filter[30];
 	unsigned int size;
 
+	for (i = 0; i < 6; i++) {
+		if (at->args[i] != NULL) {
+			calls[0].args[i] = (int)at->args[i];
+			calls[0].check_arg[i] = true;
+		} else {
+			calls[0].check_arg[i] = false;
+		}
+	}
 	size = create_bfp_program(table, filter, 1);
+	//bpf_disasm_all(filter, size);
 	return install_filter(filter, size);
 }
 
-void setup_build_filter()
+START_TEST(no_args)
 {
 	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
 		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 	at->check_fd = false;
 	at->nr = __NR_getpid;
-	at->args[0] = NULL;
 	at->install_filter = generate_install_filter;
 	setup();
+	mock_syscall_target();
 }
+END_TEST
 
-START_TEST(filter)
+START_TEST(with_getsid)
 {
-	continue_target();
+	int id = 12345;
+	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
+		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	at->check_fd = false;
+	at->nr = __NR_getsid;
+	at->args[0] = &id;
+	at->install_filter = generate_install_filter;
+	setup();
+	mock_syscall_target();
 }
 END_TEST
 
+START_TEST(with_getpriority)
+{
+	int which = 12345;
+	id_t who = PRIO_PROCESS;
+	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
+		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	at->check_fd = false;
+	at->nr = __NR_getpriority;
+	at->args[0] = &which;
+	at->args[1] = &who;
+	at->install_filter = generate_install_filter;
+	setup();
+	mock_syscall_target();
+}
+END_TEST
 
 Suite *op_call_suite(void)
 {
 	Suite *s;
 	int timeout = 30;
-	TCase *simple;
+	TCase *simple, *args32;
 
 	s = suite_create("Test filter with target");
 
-	simple = tcase_create("simple");
-	tcase_add_checked_fixture(simple, setup_build_filter, teardown);
+	simple = tcase_create("no args");
+	tcase_add_checked_fixture(simple, NULL, teardown);
 	tcase_set_timeout(simple, timeout);
-	tcase_add_test(simple, filter);
+	tcase_add_test(simple, no_args);
 	suite_add_tcase(s, simple);
 
+	args32 = tcase_create("with args 32 bit");
+	tcase_add_checked_fixture(args32, NULL, teardown);
+	tcase_set_timeout(args32, timeout);
+	tcase_add_test(args32, with_getsid);
+	tcase_add_test(args32, with_getpriority);
+	suite_add_tcase(s, args32);
+
 	return s;
 }
 
diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h
index d4f83af..dd4f1e9 100644
--- a/tests/unit/testutil.h
+++ b/tests/unit/testutil.h
@@ -42,5 +42,6 @@ void setup();
 void teardown();
 int install_notification_filter(struct args_target *at);
 void continue_target();
+void mock_syscall_target();
 
 #endif /* TESTUTIL_H */
diff --git a/tests/unit/util.c b/tests/unit/util.c
index c6fc3fb..5a1c5aa 100644
--- a/tests/unit/util.c
+++ b/tests/unit/util.c
@@ -170,6 +170,21 @@ void continue_target()
 	ck_assert_msg(ret == 0, strerror(errno));
 }
 
+void mock_syscall_target()
+{
+	struct seccomp_notif_resp resp;
+	int ret;
+
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id);
+	ck_assert_msg(ret == 0, strerror(errno));
+	resp.id = req.id;
+	resp.flags = 0;
+	resp.error = 0;
+	resp.val = 0;
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
+	ck_assert_msg(ret == 0, strerror(errno));
+}
+
 void setup()
 {
 	int ret;
-- 
cgit v1.2.3