Merge tag 'seccomp-v4.16-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into fixes-v4.16-rc3

- Fix seccomp GET_METADATA to deal with field sizes correctly (Tycho Andersen) - Add selftest to make sure GET_METADATA doesn't regress (Tycho Andersen)
author: James Morris <jmorris@namei.org> 2018-02-22 13:50:24 -0500
committer: James Morris <jmorris@namei.org> 2018-02-22 13:50:24 -0500
commit: 645ae5c51e85d7dbb25177866d5016a89d5243ad (patch)
tree: a4d638616c5db0bde980c6bf5b494f70b6bbef0c /tools
parent: af3e79d29555b97dd096e2f8e36a0f50213808a8 (diff)
parent: d057dc4e35e16050befa3dda943876dab39cbf80 (diff)
1 files changed, 61 insertions, 0 deletions
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 0b457e8e0f0c..5df609950a66 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -141,6 +141,15 @@ struct seccomp_data {
 #define SECCOMP_FILTER_FLAG_LOG 2
 #endif
+#ifndef PTRACE_SECCOMP_GET_METADATA
+#define PTRACE_SECCOMP_GET_METADATA     0x420d
+struct seccomp_metadata {
+        __u64 filter_off;       /* Input: which filter */
+        __u64 flags;             /* Output: filter's flags */
+};
+#endif
 #ifndef seccomp
 int seccomp(unsigned int op, unsigned int flags, void *args)
 {
@@ -2845,6 +2854,58 @@ TEST(get_action_avail)
        EXPECT_EQ(errno, EOPNOTSUPP);
 }
+TEST(get_metadata)
+{
+        pid_t pid;
+        int pipefd[2];
+        char buf;
+        struct seccomp_metadata md;
+        ASSERT_EQ(0, pipe(pipefd));
+        pid = fork();
+        ASSERT_GE(pid, 0);
+        if (pid == 0) {
+                struct sock_filter filter[] = {
+                        BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+                };
+                struct sock_fprog prog = {
+                        .len = (unsigned short)ARRAY_SIZE(filter),
+                        .filter = filter,
+                };
+                /* one with log, one without */
+                ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
+                                     SECCOMP_FILTER_FLAG_LOG, &prog));
+                ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
+                ASSERT_EQ(0, close(pipefd[0]));
+                ASSERT_EQ(1, write(pipefd[1], "1", 1));
+                ASSERT_EQ(0, close(pipefd[1]));
+                while (1)
+                        sleep(100);
+        }
+        ASSERT_EQ(0, close(pipefd[1]));
+        ASSERT_EQ(1, read(pipefd[0], &buf, 1));
+        ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
+        ASSERT_EQ(pid, waitpid(pid, NULL, 0));
+        md.filter_off = 0;
+        ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
+        EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
+        EXPECT_EQ(md.filter_off, 0);
+        md.filter_off = 1;
+        ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
+        EXPECT_EQ(md.flags, 0);
+        EXPECT_EQ(md.filter_off, 1);
+        ASSERT_EQ(0, kill(pid, SIGKILL));
+}
 /*
 * TODO:
 * - add microbenchmarks
author	James Morris <jmorris@namei.org>	2018-02-22 13:50:24 -0500
committer	James Morris <jmorris@namei.org>	2018-02-22 13:50:24 -0500
commit	645ae5c51e85d7dbb25177866d5016a89d5243ad (patch)
tree	a4d638616c5db0bde980c6bf5b494f70b6bbef0c /tools
parent	af3e79d29555b97dd096e2f8e36a0f50213808a8 (diff)
parent	d057dc4e35e16050befa3dda943876dab39cbf80 (diff)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 0b457e8e0f0c..5df609950a66 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -141,6 +141,15 @@ struct seccomp_data {
141	#define SECCOMP_FILTER_FLAG_LOG 2	141	#define SECCOMP_FILTER_FLAG_LOG 2
142	#endif	142	#endif
143		143
		144	#ifndef PTRACE_SECCOMP_GET_METADATA
		145	#define PTRACE_SECCOMP_GET_METADATA 0x420d
		146
		147	struct seccomp_metadata {
		148	__u64 filter_off; /* Input: which filter */
		149	__u64 flags; /* Output: filter's flags */
		150	};
		151	#endif
		152
144	#ifndef seccomp	153	#ifndef seccomp
145	int seccomp(unsigned int op, unsigned int flags, void *args)	154	int seccomp(unsigned int op, unsigned int flags, void *args)
146	{	155	{
@@ -2845,6 +2854,58 @@ TEST(get_action_avail)
2845	EXPECT_EQ(errno, EOPNOTSUPP);	2854	EXPECT_EQ(errno, EOPNOTSUPP);
2846	}	2855	}
2847		2856
		2857	TEST(get_metadata)
		2858	{
		2859	pid_t pid;
		2860	int pipefd[2];
		2861	char buf;
		2862	struct seccomp_metadata md;
		2863
		2864	ASSERT_EQ(0, pipe(pipefd));
		2865
		2866	pid = fork();
		2867	ASSERT_GE(pid, 0);
		2868	if (pid == 0) {
		2869	struct sock_filter filter[] = {
		2870	BPF_STMT(BPF_RET\|BPF_K, SECCOMP_RET_ALLOW),
		2871	};
		2872	struct sock_fprog prog = {
		2873	.len = (unsigned short)ARRAY_SIZE(filter),
		2874	.filter = filter,
		2875	};
		2876
		2877	/* one with log, one without */
		2878	ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
		2879	SECCOMP_FILTER_FLAG_LOG, &prog));
		2880	ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
		2881
		2882	ASSERT_EQ(0, close(pipefd[0]));
		2883	ASSERT_EQ(1, write(pipefd[1], "1", 1));
		2884	ASSERT_EQ(0, close(pipefd[1]));
		2885
		2886	while (1)
		2887	sleep(100);
		2888	}
		2889
		2890	ASSERT_EQ(0, close(pipefd[1]));
		2891	ASSERT_EQ(1, read(pipefd[0], &buf, 1));
		2892
		2893	ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
		2894	ASSERT_EQ(pid, waitpid(pid, NULL, 0));
		2895
		2896	md.filter_off = 0;
		2897	ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
		2898	EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
		2899	EXPECT_EQ(md.filter_off, 0);
		2900
		2901	md.filter_off = 1;
		2902	ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
		2903	EXPECT_EQ(md.flags, 0);
		2904	EXPECT_EQ(md.filter_off, 1);
		2905
		2906	ASSERT_EQ(0, kill(pid, SIGKILL));
		2907	}
		2908
2848	/*	2909	/*
2849	* TODO:	2910	* TODO:
2850	* - add microbenchmarks	2911	* - add microbenchmarks