Lines Matching +full:self +full:- +full:test

1 // SPDX-License-Identifier: GPL-2.0-only
5 * Test code for seccomp bpf.
58 /* Attempt to de-conflict with the selftests tree. */
311 return -1; in __filecmp()
322 TH_LOG("kcmp() syscall missing (test is less accurate)");\
328 TEST(kcmp) in TEST() function
338 TEST(mode_strict_support) in TEST() function
364 /* Note! This doesn't test no new privs behavior */
365 TEST(no_new_privs_support) in TEST() function
376 TEST(mode_filter_support) in TEST() function
385 EXPECT_EQ(-1, ret); in TEST()
391 TEST(mode_filter_without_nnp) in TEST() function
413 EXPECT_EQ(-1, ret); in TEST()
422 TEST(filter_size_limits) in TEST() function
452 prog.len -= 1; in TEST()
459 TEST(filter_chain_limits) in TEST() function
494 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)", in TEST()
499 TEST(mode_filter_cannot_move_to_strict) in TEST() function
517 EXPECT_EQ(-1, ret); in TEST()
522 TEST(mode_filter_get_seccomp) in TEST() function
547 TEST(ALLOW_all) in TEST() function
565 TEST(empty_prog) in TEST() function
579 EXPECT_EQ(-1, ret); in TEST()
583 TEST(log_all) in TEST() function
701 /* Only bother with lower 32-bit for now. */ in TEST_SIGNAL()
741 /* Only bother with lower 32-bit for now. */ in TEST_SIGNAL()
766 ASSERT_NE(-1, fd); in TEST_SIGNAL()
777 /* The test failed, so clean up the resources. */ in TEST_SIGNAL()
866 TEST(KILL_thread) in TEST() function
885 TEST(KILL_process) in TEST() function
904 TEST(KILL_unknown) in TEST() function
925 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
926 TEST(arg_out_of_range) in TEST() function
942 EXPECT_EQ(-1, ret); in TEST()
960 TEST(ERRNO_valid) in TEST() function
973 EXPECT_EQ(-1, read(-1, NULL, 0)); in TEST()
978 TEST(ERRNO_zero) in TEST() function
992 EXPECT_EQ(0, read(-1, NULL, 0)); in TEST()
1000 TEST(ERRNO_capped) in TEST() function
1013 EXPECT_EQ(-1, read(-1, NULL, 0)); in TEST()
1023 TEST(ERRNO_order) in TEST() function
1044 EXPECT_EQ(-1, read(-1, NULL, 0)); in TEST()
1062 memset(&self->prog, 0, sizeof(self->prog)); in FIXTURE_SETUP()
1063 self->prog.filter = malloc(sizeof(filter)); in FIXTURE_SETUP()
1064 ASSERT_NE(NULL, self->prog.filter); in FIXTURE_SETUP()
1065 memcpy(self->prog.filter, filter, sizeof(filter)); in FIXTURE_SETUP()
1066 self->prog.len = (unsigned short)ARRAY_SIZE(filter); in FIXTURE_SETUP()
1071 if (self->prog.filter) in FIXTURE_TEARDOWN()
1072 free(self->prog.filter); in FIXTURE_TEARDOWN()
1082 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog); in TEST_F_SIGNAL()
1097 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog); in TEST_F_SIGNAL()
1112 int ret, test; in TEST_F() local
1133 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog); in TEST_F()
1141 test = TRAP_nr; in TEST_F()
1142 EXPECT_EQ(SIGSYS, test); in TEST_F()
1153 EXPECT_EQ(__NR_getpid, sigsys->_syscall); in TEST_F()
1154 /* Make sure arch is non-zero. */ in TEST_F()
1155 EXPECT_NE(0, sigsys->_arch); in TEST_F()
1156 EXPECT_NE(0, (unsigned long)sigsys->_call_addr); in TEST_F()
1209 memset(self, 0, sizeof(*self)); in FIXTURE_SETUP()
1211 self->_x.filter = malloc(sizeof(_x##_insns)); \ in FIXTURE_SETUP()
1212 ASSERT_NE(NULL, self->_x.filter); \ in FIXTURE_SETUP()
1213 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \ in FIXTURE_SETUP()
1214 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns) in FIXTURE_SETUP()
1225 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter) in FIXTURE_TEARDOWN()
1243 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1245 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1247 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F()
1249 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F()
1251 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); in TEST_F()
1253 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill); in TEST_F()
1269 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F_SIGNAL()
1271 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F_SIGNAL()
1273 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F_SIGNAL()
1275 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F_SIGNAL()
1277 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); in TEST_F_SIGNAL()
1279 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill); in TEST_F_SIGNAL()
1298 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F_SIGNAL()
1300 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill); in TEST_F_SIGNAL()
1302 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F_SIGNAL()
1304 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F_SIGNAL()
1306 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F_SIGNAL()
1308 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); in TEST_F_SIGNAL()
1325 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F_SIGNAL()
1327 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F_SIGNAL()
1329 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F_SIGNAL()
1331 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F_SIGNAL()
1333 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); in TEST_F_SIGNAL()
1350 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F_SIGNAL()
1352 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap); in TEST_F_SIGNAL()
1354 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F_SIGNAL()
1356 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F_SIGNAL()
1358 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F_SIGNAL()
1375 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1377 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1379 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F()
1381 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F()
1397 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1399 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error); in TEST_F()
1401 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F()
1403 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1419 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1421 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1423 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F()
1428 EXPECT_EQ(-1, syscall(__NR_getpid)); in TEST_F()
1440 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace); in TEST_F()
1442 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1444 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1449 EXPECT_EQ(-1, syscall(__NR_getpid)); in TEST_F()
1462 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1464 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1482 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log); in TEST_F()
1484 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow); in TEST_F()
1518 int ret = -1; in start_tracer()
1528 while (ret == -1 && errno != EINVAL) in start_tracer()
1580 /* Directly report the status of our test harness results. */ in start_tracer()
1581 syscall(__NR_exit, _metadata->exit_code); in start_tracer()
1628 _metadata->exit_code = KSFT_FAIL; in teardown_trace_fixture()
1655 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001); in tracer_poke()
1676 self->poked = 0; in FIXTURE_SETUP()
1677 memset(&self->prog, 0, sizeof(self->prog)); in FIXTURE_SETUP()
1678 self->prog.filter = malloc(sizeof(filter)); in FIXTURE_SETUP()
1679 ASSERT_NE(NULL, self->prog.filter); in FIXTURE_SETUP()
1680 memcpy(self->prog.filter, filter, sizeof(filter)); in FIXTURE_SETUP()
1681 self->prog.len = (unsigned short)ARRAY_SIZE(filter); in FIXTURE_SETUP()
1684 self->tracer_args.poke_addr = (unsigned long)&self->poked; in FIXTURE_SETUP()
1687 self->tracer = setup_trace_fixture(_metadata, tracer_poke, in FIXTURE_SETUP()
1688 &self->tracer_args, false); in FIXTURE_SETUP()
1693 teardown_trace_fixture(_metadata, self->tracer); in FIXTURE_TEARDOWN()
1694 if (self->prog.filter) in FIXTURE_TEARDOWN()
1695 free(self->prog.filter); in FIXTURE_TEARDOWN()
1705 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); in TEST_F()
1708 EXPECT_EQ(0, self->poked); in TEST_F()
1709 ret = read(-1, NULL, 0); in TEST_F()
1710 EXPECT_EQ(-1, ret); in TEST_F()
1711 EXPECT_EQ(0x1001, self->poked); in TEST_F()
1721 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0); in TEST_F()
1724 EXPECT_EQ(0, self->poked); in TEST_F()
1726 EXPECT_EQ(0, self->poked); in TEST_F()
1791 * scv 0 system call uses -ve result \
1802 SYSCALL_RET(_regs) = -_result; \
1874 * shared), report it with TH_LOG() in an arch-specific definition
1889 # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
1895 EXPECT_EQ(-1, action); \
1896 EXPECT_EQ(-(val), errno); \
1917 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1937 /* Architecture-specific syscall fetching routine. */
1943 return -1; in get_syscall()
1949 /* Architecture-specific syscall changing routine. */
1982 /* Change syscall return value (and set syscall number to -1). */
1986 long syscall = -1; in change_syscall_ret()
2021 change_syscall_ret(_metadata, tracee, -ESRCH); in tracer_seccomp()
2050 FIXTURE_DATA(TRACE_syscall) *self = args; in tracer_ptrace()
2077 self->syscall_nr = get_syscall(_metadata, tracee); in tracer_ptrace()
2089 switch (self->syscall_nr) { in tracer_ptrace()
2096 syscall_nr_val = -1; in tracer_ptrace()
2100 syscall_nr_val = -1; in tracer_ptrace()
2101 syscall_ret_val = -ESRCH; in tracer_ptrace()
2151 self->mytid = syscall(__NR_gettid); in FIXTURE_SETUP()
2152 ASSERT_GT(self->mytid, 0); in FIXTURE_SETUP()
2153 ASSERT_NE(self->mytid, 1) { in FIXTURE_SETUP()
2154 TH_LOG("Running this test as init is not supported. :)"); in FIXTURE_SETUP()
2157 self->mypid = getpid(); in FIXTURE_SETUP()
2158 ASSERT_GT(self->mypid, 0); in FIXTURE_SETUP()
2159 ASSERT_EQ(self->mytid, self->mypid); in FIXTURE_SETUP()
2161 self->parent = getppid(); in FIXTURE_SETUP()
2162 ASSERT_GT(self->parent, 0); in FIXTURE_SETUP()
2163 ASSERT_NE(self->parent, self->mypid); in FIXTURE_SETUP()
2166 self->tracer = setup_trace_fixture(_metadata, in FIXTURE_SETUP()
2167 variant->use_ptrace ? tracer_ptrace in FIXTURE_SETUP()
2169 self, variant->use_ptrace); in FIXTURE_SETUP()
2175 if (variant->use_ptrace) in FIXTURE_SETUP()
2184 teardown_trace_fixture(_metadata, self->tracer); in FIXTURE_TEARDOWN()
2187 TEST(negative_ENOSYS) in TEST() function
2190 SKIP(return, "arm32 does not support calling syscall -1"); in TEST()
2194 * and userspace asking for syscall "-1". in TEST()
2197 EXPECT_EQ(-1, syscall(-1)); in TEST()
2199 /* And no difference for "still not valid but not -1". */ in TEST()
2201 EXPECT_EQ(-1, syscall(-101)); in TEST()
2213 EXPECT_EQ(self->parent, syscall(__NR_getppid)); in TEST_F()
2214 EXPECT_NE(self->mypid, syscall(__NR_getppid)); in TEST_F()
2220 EXPECT_EQ(self->parent, syscall(__NR_getpid)); in TEST_F()
2221 EXPECT_NE(self->mypid, syscall(__NR_getpid)); in TEST_F()
2227 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat)); in TEST_F()
2256 EXPECT_EQ(-1, syscall(__NR_mknodat, -1, NULL, 0, 0)); in TEST_F_SIGNAL()
2280 EXPECT_EQ(-1, syscall(__NR_getpid)); in TEST_F()
2304 EXPECT_NE(self->mypid, syscall(__NR_getpid)); in TEST_F_SIGNAL()
2307 TEST(seccomp_syscall) in TEST() function
2324 ret = seccomp(-1, 0, &prog); in TEST()
2333 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL); in TEST()
2343 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog); in TEST()
2359 TEST(seccomp_syscall_mode_lock) in TEST() function
2396 * Test detection of known and unknown filter flags. Userspace needs to be able
2402 TEST(detect_seccomp_filter_flags) in TEST() function
2416 /* Test detection of individual known-good filter flags */ in TEST()
2434 EXPECT_EQ(-1, ret); in TEST()
2436 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!", in TEST()
2444 * Test detection of all known-good filter flags combined. But in TEST()
2456 EXPECT_EQ(-1, ret); in TEST()
2458 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", in TEST()
2463 /* Test detection of unknown filter flags, without exclusives. */ in TEST()
2464 flag = -1; in TEST()
2467 EXPECT_EQ(-1, ret); in TEST()
2474 * Test detection of an unknown filter flag that may simply need to be in TEST()
2475 * added to this test in TEST()
2477 flag = flags[ARRAY_SIZE(flags) - 1] << 1; in TEST()
2479 EXPECT_EQ(-1, ret); in TEST()
2481 …that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?", in TEST()
2486 TEST(TSYNC_first) in TEST() function
2564 memset(&self->root_prog, 0, sizeof(self->root_prog)); in FIXTURE_SETUP()
2565 memset(&self->apply_prog, 0, sizeof(self->apply_prog)); in FIXTURE_SETUP()
2566 memset(&self->sibling, 0, sizeof(self->sibling)); in FIXTURE_SETUP()
2567 self->root_prog.filter = malloc(sizeof(root_filter)); in FIXTURE_SETUP()
2568 ASSERT_NE(NULL, self->root_prog.filter); in FIXTURE_SETUP()
2569 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter)); in FIXTURE_SETUP()
2570 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter); in FIXTURE_SETUP()
2572 self->apply_prog.filter = malloc(sizeof(apply_filter)); in FIXTURE_SETUP()
2573 ASSERT_NE(NULL, self->apply_prog.filter); in FIXTURE_SETUP()
2574 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter)); in FIXTURE_SETUP()
2575 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter); in FIXTURE_SETUP()
2577 self->sibling_count = 0; in FIXTURE_SETUP()
2578 pthread_mutex_init(&self->mutex, NULL); in FIXTURE_SETUP()
2579 pthread_cond_init(&self->cond, NULL); in FIXTURE_SETUP()
2580 sem_init(&self->started, 0, 0); in FIXTURE_SETUP()
2581 self->sibling[0].tid = 0; in FIXTURE_SETUP()
2582 self->sibling[0].cond = &self->cond; in FIXTURE_SETUP()
2583 self->sibling[0].started = &self->started; in FIXTURE_SETUP()
2584 self->sibling[0].mutex = &self->mutex; in FIXTURE_SETUP()
2585 self->sibling[0].diverge = 0; in FIXTURE_SETUP()
2586 self->sibling[0].num_waits = 1; in FIXTURE_SETUP()
2587 self->sibling[0].prog = &self->root_prog; in FIXTURE_SETUP()
2588 self->sibling[0].metadata = _metadata; in FIXTURE_SETUP()
2589 self->sibling[1].tid = 0; in FIXTURE_SETUP()
2590 self->sibling[1].cond = &self->cond; in FIXTURE_SETUP()
2591 self->sibling[1].started = &self->started; in FIXTURE_SETUP()
2592 self->sibling[1].mutex = &self->mutex; in FIXTURE_SETUP()
2593 self->sibling[1].diverge = 0; in FIXTURE_SETUP()
2594 self->sibling[1].prog = &self->root_prog; in FIXTURE_SETUP()
2595 self->sibling[1].num_waits = 1; in FIXTURE_SETUP()
2596 self->sibling[1].metadata = _metadata; in FIXTURE_SETUP()
2603 if (self->root_prog.filter) in FIXTURE_TEARDOWN()
2604 free(self->root_prog.filter); in FIXTURE_TEARDOWN()
2605 if (self->apply_prog.filter) in FIXTURE_TEARDOWN()
2606 free(self->apply_prog.filter); in FIXTURE_TEARDOWN()
2608 for ( ; sib < self->sibling_count; ++sib) { in FIXTURE_TEARDOWN()
2609 struct tsync_sibling *s = &self->sibling[sib]; in FIXTURE_TEARDOWN()
2611 if (!s->tid) in FIXTURE_TEARDOWN()
2617 pthread_kill(s->tid, 9); in FIXTURE_TEARDOWN()
2619 pthread_mutex_destroy(&self->mutex); in FIXTURE_TEARDOWN()
2620 pthread_cond_destroy(&self->cond); in FIXTURE_TEARDOWN()
2621 sem_destroy(&self->started); in FIXTURE_TEARDOWN()
2629 me->system_tid = syscall(__NR_gettid); in tsync_sibling()
2631 pthread_mutex_lock(me->mutex); in tsync_sibling()
2632 if (me->diverge) { in tsync_sibling()
2633 /* Just re-apply the root prog to fork the tree */ in tsync_sibling()
2635 me->prog, 0, 0); in tsync_sibling()
2637 sem_post(me->started); in tsync_sibling()
2640 pthread_mutex_unlock(me->mutex); in tsync_sibling()
2644 pthread_cond_wait(me->cond, me->mutex); in tsync_sibling()
2645 me->num_waits = me->num_waits - 1; in tsync_sibling()
2646 } while (me->num_waits); in tsync_sibling()
2647 pthread_mutex_unlock(me->mutex); in tsync_sibling()
2652 read(-1, NULL, 0); in tsync_sibling()
2658 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling); in tsync_start_sibling()
2690 self->sibling[0].diverge = 1; in TEST_F()
2691 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2692 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2694 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2695 sem_wait(&self->started); in TEST_F()
2696 self->sibling_count++; in TEST_F()
2700 pthread_mutex_lock(&self->mutex); in TEST_F()
2701 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2702 TH_LOG("cond broadcast non-zero"); in TEST_F()
2704 pthread_mutex_unlock(&self->mutex); in TEST_F()
2707 PTHREAD_JOIN(self->sibling[0].tid, &status); in TEST_F()
2709 PTHREAD_JOIN(self->sibling[1].tid, &status); in TEST_F()
2722 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); in TEST_F()
2729 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2730 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2732 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2733 sem_wait(&self->started); in TEST_F()
2734 self->sibling_count++; in TEST_F()
2738 &self->apply_prog); in TEST_F()
2742 /* Tell the siblings to test the policy */ in TEST_F()
2743 pthread_mutex_lock(&self->mutex); in TEST_F()
2744 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2745 TH_LOG("cond broadcast non-zero"); in TEST_F()
2747 pthread_mutex_unlock(&self->mutex); in TEST_F()
2749 PTHREAD_JOIN(self->sibling[0].tid, &status); in TEST_F()
2751 PTHREAD_JOIN(self->sibling[1].tid, &status); in TEST_F()
2760 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2761 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2762 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2763 sem_wait(&self->started); in TEST_F()
2764 self->sibling_count++; in TEST_F()
2767 /* Tell the siblings to test no policy */ in TEST_F()
2768 pthread_mutex_lock(&self->mutex); in TEST_F()
2769 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2770 TH_LOG("cond broadcast non-zero"); in TEST_F()
2772 pthread_mutex_unlock(&self->mutex); in TEST_F()
2775 PTHREAD_JOIN(self->sibling[0].tid, &status); in TEST_F()
2777 PTHREAD_JOIN(self->sibling[1].tid, &status); in TEST_F()
2787 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2788 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2789 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2790 sem_wait(&self->started); in TEST_F()
2791 self->sibling_count++; in TEST_F()
2799 &self->apply_prog); in TEST_F()
2807 /* Tell the siblings to test the policy */ in TEST_F()
2808 pthread_mutex_lock(&self->mutex); in TEST_F()
2809 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2810 TH_LOG("cond broadcast non-zero"); in TEST_F()
2812 pthread_mutex_unlock(&self->mutex); in TEST_F()
2815 PTHREAD_JOIN(self->sibling[0].tid, &status); in TEST_F()
2817 PTHREAD_JOIN(self->sibling[1].tid, &status); in TEST_F()
2830 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); in TEST_F()
2837 self->sibling[0].diverge = 1; in TEST_F()
2838 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2839 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2841 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2842 sem_wait(&self->started); in TEST_F()
2843 self->sibling_count++; in TEST_F()
2847 &self->apply_prog); in TEST_F()
2848 ASSERT_EQ(self->sibling[0].system_tid, ret) { in TEST_F()
2853 pthread_mutex_lock(&self->mutex); in TEST_F()
2854 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2855 TH_LOG("cond broadcast non-zero"); in TEST_F()
2857 pthread_mutex_unlock(&self->mutex); in TEST_F()
2860 PTHREAD_JOIN(self->sibling[0].tid, &status); in TEST_F()
2862 PTHREAD_JOIN(self->sibling[1].tid, &status); in TEST_F()
2875 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); in TEST_F()
2882 self->sibling[0].diverge = 1; in TEST_F()
2883 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2884 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2886 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2887 sem_wait(&self->started); in TEST_F()
2888 self->sibling_count++; in TEST_F()
2893 ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &self->apply_prog); in TEST_F()
2897 ASSERT_EQ(-1, ret) { in TEST_F()
2902 pthread_mutex_lock(&self->mutex); in TEST_F()
2903 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2904 TH_LOG("cond broadcast non-zero"); in TEST_F()
2906 pthread_mutex_unlock(&self->mutex); in TEST_F()
2909 PTHREAD_JOIN(self->sibling[0].tid, &status); in TEST_F()
2911 PTHREAD_JOIN(self->sibling[1].tid, &status); in TEST_F()
2931 self->sibling[0].diverge = 1; in TEST_F()
2932 tsync_start_sibling(&self->sibling[0]); in TEST_F()
2933 tsync_start_sibling(&self->sibling[1]); in TEST_F()
2935 while (self->sibling_count < TSYNC_SIBLINGS) { in TEST_F()
2936 sem_wait(&self->started); in TEST_F()
2937 self->sibling_count++; in TEST_F()
2940 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog); in TEST_F()
2949 &self->apply_prog); in TEST_F()
2950 ASSERT_EQ(ret, self->sibling[0].system_tid) { in TEST_F()
2954 if (ret == self->sibling[0].system_tid) in TEST_F()
2957 pthread_mutex_lock(&self->mutex); in TEST_F()
2962 self->sibling[!sib].num_waits += 1; in TEST_F()
2965 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2966 TH_LOG("cond broadcast non-zero"); in TEST_F()
2968 pthread_mutex_unlock(&self->mutex); in TEST_F()
2969 PTHREAD_JOIN(self->sibling[sib].tid, &status); in TEST_F()
2972 while (!kill(self->sibling[sib].system_tid, 0)) in TEST_F()
2978 &self->apply_prog); in TEST_F()
2983 pthread_mutex_lock(&self->mutex); in TEST_F()
2988 if (self->sibling[sib].num_waits > 1) in TEST_F()
2989 self->sibling[sib].num_waits = 1; in TEST_F()
2990 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) { in TEST_F()
2991 TH_LOG("cond broadcast non-zero"); in TEST_F()
2993 pthread_mutex_unlock(&self->mutex); in TEST_F()
2994 PTHREAD_JOIN(self->sibling[sib].tid, &status); in TEST_F()
2997 while (!kill(self->sibling[sib].system_tid, 0)) in TEST_F()
3001 &self->apply_prog); in TEST_F()
3006 TEST(syscall_restart) in TEST() function
3092 /* Directly report the status of our test harness results. */ in TEST()
3093 syscall(__NR_exit, _metadata->exit_code); in TEST()
3121 /* Verify signal delivery came from child (seccomp-triggered). */ in TEST()
3159 * - native ARM registers do NOT expose true syscall. in TEST()
3160 * - compat ARM registers on ARM64 DO expose true syscall. in TEST()
3171 /* Write again to end test. */ in TEST()
3178 _metadata->exit_code = KSFT_FAIL; in TEST()
3242 TEST(get_action_avail) in TEST() function
3270 EXPECT_EQ(ret, -1); in TEST()
3274 TEST(get_metadata) in TEST() function
3362 TEST(user_notification_basic) in TEST() function
3387 /* Check that we get -ENOSYS with no listener attached */ in TEST()
3399 /* Add some no-op filters for grins. */ in TEST()
3413 -1); in TEST()
3427 EXPECT_GT(poll(&pollfd, 1, -1), 0); in TEST()
3430 /* Test that we can't pass garbage to the kernel. */ in TEST()
3432 req.pid = -1; in TEST()
3435 EXPECT_EQ(-1, ret); in TEST()
3446 EXPECT_GT(poll(&pollfd, 1, -1), 0); in TEST()
3457 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1); in TEST()
3468 TEST(user_notification_with_tsync) in TEST() function
3481 ASSERT_EQ(-1, user_notif_syscall(__NR_getppid, flags)); in TEST()
3491 TEST(user_notification_kill_in_middle) in TEST() function
3526 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), -1); in TEST()
3530 EXPECT_EQ(ret, -1); in TEST()
3534 static int handled = -1;
3542 TEST(user_notification_signal) in TEST() function
3573 * ERESTARTSYS behavior is a bit hard to test, because we need in TEST()
3579 exit(!(ret == -1 && errno == 512)); in TEST()
3597 resp.error = -EPERM; in TEST()
3600 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1); in TEST()
3607 resp.error = -512; /* -ERESTARTSYS */ in TEST()
3617 TEST(user_notification_closed_listener) in TEST() function
3640 exit(ret != -1 && errno != ENOSYS); in TEST()
3653 TEST(user_notification_child_pid_ns) in TEST() function
3694 TEST(user_notification_sibling_pid_ns) in TEST() function
3771 TEST(user_notification_fault_recv) in TEST() function
3794 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1); in TEST()
3812 TEST(seccomp_get_notif_sizes) in TEST() function
3821 TEST(user_notification_continue) in TEST() function
3843 pid_t self; in TEST() local
3851 self = getpid(); in TEST()
3852 ASSERT_EQ(filecmp(self, self, pipe_fds[0], dup_fd), 0); in TEST()
3859 EXPECT_GT(poll(&pollfd, 1, -1), 0); in TEST()
3867 EXPECT_GT(poll(&pollfd, 1, -1), 0); in TEST()
3881 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1); in TEST()
3886 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1); in TEST()
3907 TEST(user_notification_filter_empty) in TEST() function
3924 SKIP(return, "Test not built with clone3 support"); in TEST()
3959 TEST(user_ioctl_notification_filter_empty) in TEST() function
3976 SKIP(return, "Test not built with clone3 support"); in TEST()
4005 EXPECT_EQ(ioctl(200, SECCOMP_IOCTL_NOTIF_RECV, &req), -1); in TEST()
4018 TEST(user_notification_filter_empty_threaded) in TEST() function
4035 SKIP(return, "Test not built with clone3 support"); in TEST()
4106 if (fcntl(i, F_GETFD) == -1) in get_next_fd()
4112 TEST(user_notification_addfd) in TEST() function
4125 /* There may be arbitrary already-open fds at test start. */ in TEST()
4126 memfd = memfd_create("test", 0); in TEST()
4151 if (fcntl(syscall(__NR_getppid), F_GETFD) == -1) in TEST()
4166 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); in TEST()
4172 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); in TEST()
4178 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); in TEST()
4183 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_SMALL, &small), -1); in TEST()
4189 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big), -1); in TEST()
4226 while (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) != -1 && in TEST()
4227 errno != -EINPROGRESS) in TEST()
4253 while (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) != -1 && in TEST()
4254 errno != -EINPROGRESS) in TEST()
4274 TEST(user_notification_addfd_rlimit) in TEST() function
4287 memfd = memfd_create("test", 0); in TEST()
4317 /* Should probably spot check /proc/sys/fs/file-nr */ in TEST()
4318 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); in TEST()
4322 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); in TEST()
4327 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1); in TEST()
4349 TEST(user_notification_sync) in TEST() function
4367 EXPECT_SYSCALL_RETURN(-EINVAL, in TEST()
4410 self->pid = 0; in FIXTURE_SETUP()
4422 self->pid = fork(); in FIXTURE_SETUP()
4423 ASSERT_GE(self->pid, 0); in FIXTURE_SETUP()
4425 if (self->pid == 0) { in FIXTURE_SETUP()
4434 if (self->pid) in FIXTURE_TEARDOWN()
4435 kill(self->pid, SIGKILL); in FIXTURE_TEARDOWN()
4442 ASSERT_EQ(0, ptrace(PTRACE_ATTACH, self->pid, NULL, 0)); in TEST_F()
4443 ASSERT_EQ(self->pid, wait(&wstatus)); in TEST_F()
4444 ASSERT_EQ(-1, ptrace(PTRACE_SETOPTIONS, self->pid, NULL, PTRACE_O_SUSPEND_SECCOMP)); in TEST_F()
4454 ret = ptrace(PTRACE_SEIZE, self->pid, NULL, PTRACE_O_SUSPEND_SECCOMP); in TEST_F()
4455 ASSERT_EQ(-1, ret); in TEST_F()
4462 * get_nth - Get the nth, space separated entry in a file.
4465 * Throws error if field is zero-length.
4494 return nread - 1; in get_nth()
4513 TEST(user_notification_fifo) in TEST() function
4592 /* get_proc_syscall - Get the syscall in progress for a given pid
4595 * Returns -1 if not in syscall (running or blocked)
4600 long ret = -1; in get_proc_syscall()
4615 /* Ensure non-fatal signals prior to receive are unmodified */
4616 TEST(user_notification_wait_killable_pre_notification) in TEST() function
4655 /* Setup the non-fatal sigaction without SA_RESTART */ in TEST()
4663 exit(ret != -1 || errno != EINTR); in TEST()
4674 /* Send non-fatal kill signal */ in TEST()
4685 /* Ensure non-fatal signals after receive are blocked */
4686 TEST(user_notification_wait_killable) in TEST() function
4735 * non-preemptible (TASK_KILLABLE) state. in TEST()
4738 /* Send non-fatal kill signal */ in TEST()
4743 * D (Disk Sleep) state after receiving non-fatal signal. in TEST()
4765 TEST(user_notification_wait_killable_fatal) in TEST() function
4799 * non-preemptible (TASK_KILLABLE) state. in TEST()
4831 ret = pthread_join(args->leader, &retval); in tsync_vs_dead_thread_leader_sibling()
4847 TEST(tsync_vs_dead_thread_leader) in TEST() function
4874 args->leader = pthread_self(); in TEST()
4893 * - expand NNP testing
4894 * - better arch-specific TRACE and TRAP handlers.
4895 * - endianness checking when appropriate
4896 * - 64-bit arg prodding
4897 * - arch value testing (x86 modes especially)
4898 * - verify that FILTER_FLAG_LOG filters generate log messages
4899 * - verify that RET_LOG generates log messages