From 876a52e95a9d24a4b9fa37325d83bcb7d3c7b160 Mon Sep 17 00:00:00 2001 From: Alice Frosi Date: Fri, 30 Jun 2023 11:22:52 +0200 Subject: test: fix filter-build test and bugs The tests for checking the filter build recompile and are successfull. Changes: - spotted a couple of bugs for adding the arguments in the filter - readded function `filter_flush_args` to flush_args; this is needed to distinguish when the arguments belong to the same block or are different entries to the same syscall - build the filter in a way that CMP_EQ corresponds to BPF_JEQ and we don't need to awkwardly negate the operations (still TODO for AND_EQ) --- tests/unit/Makefile | 23 ++++---- tests/unit/test_filter_build.c | 121 +++++++++++++++++++++-------------------- tests/unit/testutil.h | 4 +- tests/unit/util.c | 19 ++++++- 4 files changed, 94 insertions(+), 73 deletions(-) (limited to 'tests') diff --git a/tests/unit/Makefile b/tests/unit/Makefile index 1a7f70a..76f815e 100644 --- a/tests/unit/Makefile +++ b/tests/unit/Makefile 
@@ -4,29 +4,30 @@ MAIN_DIR := ../../ COMMON_DIR := ../../common -OP_DIR := ../../ COOKER_DIR := ../../cooker DBG_DIR := ../../debug -SRCS_FILTER_BUILD := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c -HEADERS_FILTER_BUILD := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h +SRCS_FILTER_BUILD := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c \ + $(COMMON_DIR)/util.c +HEADERS_FILTER_BUILD := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h \ + $(COMMON_DIR)/util.h SRCS_FILTER := $(COOKER_DIR)/filter.c $(COMMON_DIR)/common.c util.c \ $(DBG_DIR)/disasm.c -HEADERS_FILTER := $(COOKER_DIR)/filter.h $(COMMON_DIR)/common.h \ +HEADERS_FILTER := $(COOKER_DIR)/filter.h $(COMMON_DIR)/common.h $(COMMON_DIR)/util.h \ $(DBG_DIR)/disasm.h testutil.h -HEADERS_OP_CALL := testutil.h $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h \ +HEADERS_OP_CALL := testutil.h $(COMMON_DIR)/gluten.h $(MAIN_DIR)/operations.h \ $(COMMON_DIR)/common.h $(COMMON_DIR)/util.h -SRCS_OP_CALL := $(COMMON_DIR)/common.c $(OP_DIR)/operations.c util.c $(COMMON_DIR)/util.c +SRCS_OP_CALL := $(COMMON_DIR)/common.c $(MAIN_DIR)/operations.c util.c $(COMMON_DIR)/util.c -HEADERS_OP := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h \ +HEADERS_OP := $(COMMON_DIR)/gluten.h $(MAIN_DIR)/operations.h \ $(COMMON_DIR)/common.h testutil.h $(COMMON_DIR)/util.h -SRCS_OP := $(COMMON_DIR)/common.c $(OP_DIR)/operations.c util.c $(COMMON_DIR)/util.c +SRCS_OP := $(COMMON_DIR)/common.c $(MAIN_DIR)/operations.c util.c $(COMMON_DIR)/util.c -HEADERS_ERROR := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h \ +HEADERS_ERROR := $(COMMON_DIR)/gluten.h $(MAIN_DIR)/operations.h \ $(COMMON_DIR)/common.h testutil.h $(COMMON_DIR)/util.h -SRCS_ERROR := $(COMMON_DIR)/common.c $(OP_DIR)/operations.c util.c $(COMMON_DIR)/util.c +SRCS_ERROR := $(COMMON_DIR)/common.c $(MAIN_DIR)/operations.c util.c $(COMMON_DIR)/util.c TARGET := $(shell $(CC) -dumpmachine) TARGET_ARCH := $(shell echo 
$(TARGET) | cut -f1 -d- | tr [A-Z] [a-z]) @@ -38,7 +39,7 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/PPC/') AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/') CFLAGS += -Wall -Wextra -pedantic -CFLAGS += -I$(MAIN_DIR) -I$(OP_DIR) -I$(DBG_DIR) +CFLAGS += -I$(MAIN_DIR) -I$(DBG_DIR) -I$(COMMON_DIR) -I$(COOKER_DIR) CFLAGS += -lcheck CFLAGS += -DSEITAN_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH) diff --git a/tests/unit/test_filter_build.c b/tests/unit/test_filter_build.c index f6d9ba5..52c1a82 100644 --- a/tests/unit/test_filter_build.c +++ b/tests/unit/test_filter_build.c @@ -35,7 +35,7 @@ static bool filter_eq(struct sock_filter *f1, struct sock_filter *f2, START_TEST(test_single_instr) { - struct sock_filter filter[10]; + struct sock_filter result[10]; unsigned int size; long nr = 42; struct sock_filter expected[] = { @@ -53,11 +53,13 @@ START_TEST(test_single_instr) }; filter_notify(nr); + filter_flush_args(nr); filter_write(tfilter); - size = read_filter(filter, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); - ck_assert(filter_eq(expected, filter, ARRAY_SIZE(expected))); + size = read_filter(result, tfilter); + + bpf_disasm_all(result, size); + ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -65,12 +67,12 @@ START_TEST(test_single_instr_two_args) { unsigned int size; long nr = 42; - struct bpf_arg a1 = { .cmp = EQ, - .value = { .v32 = 0x123 }, - .type = BPF_U32 }; - struct bpf_arg a2 = { .cmp = EQ, - .value = { .v32 = 0x321 }, - .type = BPF_U32 }; + struct bpf_field a1 = { + .arg = 1, .cmp = EQ, .value = { .v32 = 0x123 }, .type = BPF_U32 + }; + struct bpf_field a2 = { + .arg = 2, .cmp = EQ, .value = { .v32 = 0x321 }, .type = BPF_U32 + }; struct sock_filter result[20]; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 
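Review bot: Dropping `ck_assert_uint_eq(size, ARRAY_SIZE(expected));` in test_single_instr weakens the check: filter_eq (defined above the hunk) compares exactly ARRAY_SIZE(expected) entries, so a generated filter with extra trailing instructions now passes, and one shorter than expected makes the comparison read entries of `result` that read_filter never wrote, i.e. indeterminate stack memory instead of a clean assertion failure. Keep the disassembly for debugging but reinstate the length check right after it: `bpf_disasm_all(result, size); ck_assert_uint_eq(size, ARRAY_SIZE(expected));`. The same removal appears in the hunks at -93, -127, -170, -238 and -299 of this file and should be restored in each.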
@@ -85,7 +87,7 @@ START_TEST(test_single_instr_two_args) /* l5 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* l6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l7 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l8 */ EQ(0x123, 0, 2), + /* l8 */ EQ(0x123, 0, 3), /* l9 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l10 */ EQ(0x321, 0, 1), /* l11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), @@ -93,14 +95,14 @@ START_TEST(test_single_instr_two_args) }; filter_notify(nr); - filter_add_arg(1, a1); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_add_check(&a2); + filter_flush_args(nr); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -127,18 +129,21 @@ START_TEST(test_two_instr) }; struct sock_filter result[30]; filter_notify(42); + filter_flush_args(42); filter_notify(49); + filter_flush_args(49); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST START_TEST(test_multiple_instr_no_args) { + unsigned long nrs[] = { 42, 43, 44, 45, 46 }; unsigned int size; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 
@@ -170,16 +175,14 @@ START_TEST(test_multiple_instr_no_args) }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; - filter_notify(42); - filter_notify(43); - filter_notify(44); - filter_notify(45); - filter_notify(46); - + for(unsigned int i = 0; i < ARRAY_SIZE(nrs); i++) { + filter_notify(nrs[i]); + filter_flush_args(nrs[i]); + } filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -187,12 +190,12 @@ END_TEST START_TEST(test_multiple_instr_with_args) { unsigned int size; - struct bpf_arg a1 = { .cmp = EQ, - .value = { .v32 = 0x123 }, - .type = BPF_U32 }; - struct bpf_arg a2 = { .cmp = EQ, - .value = { .v32 = 0x321 }, - .type = BPF_U32 }; + struct bpf_field a1 = { + .arg = 1, .cmp = EQ, .value = { .v32 = 0x123 }, .type = BPF_U32 + }; + struct bpf_field a2 = { + .arg = 2, .cmp = EQ, .value = { .v32 = 0x321 }, .type = BPF_U32 + }; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), @@ -222,14 +225,14 @@ START_TEST(test_multiple_instr_with_args) /* l17 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* ------- args ---------- */ /* l18 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l19 */ EQ(0x123, 0, 2), + /* l19 */ EQ(0x123, 0, 3), /* l20 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l21 */ EQ(0x321, 0, 1), /* l22 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* ----- end call42 ------ */ /* l24 */ LOAD(offsetof(struct seccomp_data, args[1])), - /* l25 */ EQ(0x123, 0, 2), + /* l25 */ EQ(0x123, 0, 3), /* l26 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l27 */ EQ(0x321, 0, 1), /* l28 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), 
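Review bot: The new loop header `for(unsigned int i = 0; i < ARRAY_SIZE(nrs); i++) {` omits the space after the keyword, unlike the rest of the test code (util.c in this same series writes `for (unsigned int i = 0; i < 6; i++)`); write it as `for (unsigned int i = 0; i < ARRAY_SIZE(nrs); i++) {`. The comparison also mixes `unsigned int` with the `size_t` that ARRAY_SIZE yields, which is harmless here but will trip -Wsign-compare/-Wconversion if those are ever enabled; `size_t i` avoids it.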
@@ -238,21 +241,21 @@ START_TEST(test_multiple_instr_with_args) }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; filter_notify(42); - filter_add_arg(1, a1); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_add_check(&a2); + filter_flush_args(42); filter_notify(43); filter_notify(44); filter_notify(45); - filter_add_arg(1, a1); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_add_check(&a2); + filter_flush_args(45); filter_notify(46); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST @@ -260,12 +263,12 @@ END_TEST START_TEST(test_multiple_instance_same_instr) { unsigned int size; - struct bpf_arg a1 = { .cmp = EQ, - .value = { .v32 = 0x123 }, - .type = BPF_U32 }; - struct bpf_arg a2 = { .cmp = EQ, - .value = { .v32 = 0x321 }, - .type = BPF_U32 }; + struct bpf_field a1 = { + .arg = 1, .cmp = EQ, .value = { .v32 = 0x123 }, .type = BPF_U32 + }; + struct bpf_field a2 = { + .arg = 2, .cmp = EQ, .value = { .v32 = 0x321 }, .type = BPF_U32 + }; struct sock_filter expected[] = { /* l0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof(struct seccomp_data, arch))), 
@@ -299,38 +302,40 @@ START_TEST(test_multiple_instance_same_instr) /* l20 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l21 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l22 */ EQ(0x321, 0, 1), - /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), - /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l23 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* ----- end call42 ------ */ /* l25 */ LOAD(offsetof(struct seccomp_data, args[1])), /* l26 */ EQ(0x123, 0, 1), - /* l27 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l24 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* l28 */ LOAD(offsetof(struct seccomp_data, args[2])), /* l29 */ EQ(0x321, 0, 1), - /* l30 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), - /* l31 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), + /* l31 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), + /* l30 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* ----- end call45 ------ */ }; struct sock_filter result[sizeof(expected) / sizeof(expected[0]) + 10]; filter_notify(42); - filter_add_arg(1, a1); - filter_flush_args(); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_flush_args(42); + filter_notify(42); + filter_add_check(&a2); + filter_flush_args(42); filter_notify(43); filter_notify(44); filter_notify(45); - filter_add_arg(1, a1); - filter_flush_args(); - filter_add_arg(2, a2); - filter_flush_args(); + filter_add_check(&a1); + filter_flush_args(45); + filter_notify(45); + filter_add_check(&a2); + filter_flush_args(45); filter_notify(46); filter_write(tfilter); size = read_filter(result, tfilter); - ck_assert_uint_eq(size, ARRAY_SIZE(expected)); + bpf_disasm_all(result, size); ck_assert(filter_eq(expected, result, ARRAY_SIZE(expected))); } END_TEST diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h index a0fa0b8..caccd44 100644 --- a/tests/unit/testutil.h 
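Review bot: The instruction-label comments in test_multiple_instance_same_instr are now out of sequence: the two RET statements after `/* l22 */` are labelled `/* l24 */` then `/* l23 */`, the RET after `/* l26 */` is labelled `/* l24 */` a second time, and the last pair is `/* l31 */` then `/* l30 */`, while the instruction order itself did not change. These labels are what a reader uses to check the `EQ(…, jt, jf)` jump offsets against, so a non-monotonic or duplicated label makes the expected filter hard to verify by eye. Restore them to match position: `/* l23 */`, `/* l24 */`, `/* l27 */`, `/* l30 */`, `/* l31 */` in the order the statements appear.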
+++ b/tests/unit/testutil.h @@ -58,7 +58,7 @@ static inline void *test_gluten_write_ptr(struct gluten *g, ck_assert_ptr_nonnull(p); \ memcpy(&ref, p, sizeof(ref)); \ } while (0) - +#define NS_NUM CONTEXT_TYPE_MAX - 3 struct args_target { long ret; int err; @@ -67,7 +67,7 @@ struct args_target { int fd; int nr; bool filter_args[6]; - struct bpf_arg args[6]; + struct bpf_field bpf_fields[6]; void *targs[6]; void *tclone; bool ns[NS_NUM]; diff --git a/tests/unit/util.c b/tests/unit/util.c index 96d6663..26f13e0 100644 --- a/tests/unit/util.c +++ b/tests/unit/util.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -38,6 +39,19 @@ struct gluten gluten; char stderr_buff[BUFSIZ]; char stdout_buff[BUFSIZ]; +#define logfn(name) \ +void name(const char *format, ...) { \ + va_list args; \ + \ + va_start(args, format); \ + (void)vfprintf(stderr, format, args); \ + va_end(args); \ + if (format[strlen(format)] != '\n') \ + fprintf(stderr, "\n"); \ +} + +logfn(debug) + int install_single_syscall(long nr) { /* filter a single syscall for the tests */ @@ -209,7 +223,7 @@ void mock_syscall_target() void set_args_no_check(struct args_target *at) { for (unsigned int i = 0; i < 6; i++) - at->args[i].cmp = NO_CHECK; + at->bpf_fields[i].cmp = NO_CHECK; } static int set_ns_flags(bool ns[], int flags) @@ -217,8 +231,9 @@ static int set_ns_flags(bool ns[], int flags) unsigned int i; for (i = 0; i < NS_NUM; i++) { - if (!ns[i] || i == NS_NONE) + if (!ns[i]) continue; + switch (i) { case NS_CGROUP: flags |= CLONE_NEWCGROUP; -- cgit v1.2.3
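Review bot: `#define NS_NUM CONTEXT_TYPE_MAX - 3` expands unparenthesized, so any use other than the bare `bool ns[NS_NUM]` and `i < NS_NUM` seen here (for instance `sizeof(x) * NS_NUM` or `NS_NUM * 2`) silently evaluates to the wrong value; write it as `#define NS_NUM (CONTEXT_TYPE_MAX - 3)`. The `- 3` is also a magic number: a one-line comment naming which three context types are excluded from the namespace array would let a reader confirm the bound is right, since an undersized `ns[]` here is an out-of-bounds write waiting to happen in whatever fills it. The hunk additionally removes the blank line that separated the macro block from `struct args_target`; keeping it would preserve the file's spacing.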
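Review bot: In the `logfn` macro the test `format[strlen(format)] != '\n'` indexes the terminating NUL, so it is always true and every message gets a trailing newline even when the format already ends with one, producing blank lines in the captured stderr. Check the last character instead, guarding the empty string: `size_t len = strlen(format); \` followed by `if (len == 0 || format[len - 1] != '\n') \`. Since the macro emits an external, non-static function, it presumably relies on a prototype in a project header; a `__attribute__((format(printf, 1, 2)))` on that prototype would let the compiler check callers' format arguments.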
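Review bot: Removing `i == NS_NONE` from the skip condition in set_ns_flags means an entry `ns[NS_NONE]` that is set now reaches the `switch (i)` instead of being ignored; whether that is harmless depends on the cases below the hunk, which are not visible here. If the switch has no `case NS_NONE` and no `default` the change is a no-op, but if NS_NONE is not a valid index into a CLONE_NEW* mapping it should stay excluded, e.g. `if (!ns[i] || i == NS_NONE) continue;` — worth confirming against the enum, since this function computes the clone flags the test targets run under. The rest of set_ns_flags continues outside the hunk.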