test: add tests for syscall:errno style in SystemCallFilter=

2024-10-06 16:21:34 +00:00 · 2017-11-11 21:39:02 +09:00 · 2017-11-11 21:39:02 +09:00 · b4891260b9
parent 8cfa775f4f
commit b4891260b9
5 changed files with 64 additions and 10 deletions
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@ -23,6 +23,7 @@
 #include <sys/prctl.h>
 #include <sys/types.h>

+#include "errno-list.h"
 #include "fileio.h"
 #include "fs-util.h"
 #include "macro.h"
@ -261,6 +262,8 @@ static void test_exec_systemcallfilter(Manager *m) {
        test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED);
        test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED);
        test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED);
+        test(m, "exec-systemcallfilter-with-errno-name.service", errno_from_name("EILSEQ"), CLD_EXITED);
+        test(m, "exec-systemcallfilter-with-errno-number.service", 255, CLD_EXITED);

 #endif
 }
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@ -519,7 +519,7 @@ static void test_load_syscall_filter_set_raw(void) {
        assert_se(pid >= 0);

        if (pid == 0) {
-                _cleanup_set_free_ Set *s = NULL;
+                _cleanup_hashmap_free_ Hashmap *s = NULL;

                assert_se(access("/", F_OK) >= 0);
                assert_se(poll(NULL, 0, 0) == 0);
@ -528,11 +528,11 @@ static void test_load_syscall_filter_set_raw(void) {
                assert_se(access("/", F_OK) >= 0);
                assert_se(poll(NULL, 0, 0) == 0);

-                assert_se(s = set_new(NULL));
+                assert_se(s = hashmap_new(NULL));
 #if SCMP_SYS(access) >= 0
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
 #else
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
 #endif

                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
@ -542,23 +542,56 @@ static void test_load_syscall_filter_set_raw(void) {

                assert_se(poll(NULL, 0, 0) == 0);

-                s = set_free(s);
+                s = hashmap_free(s);

-                assert_se(s = set_new(NULL));
-#if SCMP_SYS(poll) >= 0
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0);
+                assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(access) >= 0
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
 #else
-                assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0);
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#endif
+
+                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
+
+                assert_se(access("/", F_OK) < 0);
+                assert_se(errno == EILSEQ);
+
+                assert_se(poll(NULL, 0, 0) == 0);
+
+                s = hashmap_free(s);
+
+                assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(poll) >= 0
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+#else
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
 #endif

                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);

                assert_se(access("/", F_OK) < 0);
-                assert_se(errno == EUCLEAN);
+                assert_se(errno == EILSEQ);

                assert_se(poll(NULL, 0, 0) < 0);
                assert_se(errno == EUNATCH);

+                s = hashmap_free(s);
+
+                assert_se(s = hashmap_new(NULL));
+#if SCMP_SYS(poll) >= 0
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#else
+                assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+#endif
+
+                assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
+
+                assert_se(access("/", F_OK) < 0);
+                assert_se(errno == EILSEQ);
+
+                assert_se(poll(NULL, 0, 0) < 0);
+                assert_se(errno == EILSEQ);
+
                _exit(EXIT_SUCCESS);
        }

--- a/test/meson.build
+++ b/test/meson.build
@ -107,6 +107,8 @@ test_data_files = '''
        test-execute/exec-systemcallfilter-not-failing2.service
        test-execute/exec-systemcallfilter-system-user-nfsnobody.service
        test-execute/exec-systemcallfilter-system-user.service
+        test-execute/exec-systemcallfilter-with-errno-name.service
+        test-execute/exec-systemcallfilter-with-errno-number.service
        test-execute/exec-umask-0177.service
        test-execute/exec-umask-default.service
        test-execute/exec-unset-environment.service
--- a/test/test-execute/exec-systemcallfilter-with-errno-name.service
+++ b/test/test-execute/exec-systemcallfilter-with-errno-name.service
@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter with errno name
+
+[Service]
+ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:EILSEQ
+SystemCallErrorNumber=EACCES
--- a/test/test-execute/exec-systemcallfilter-with-errno-number.service
+++ b/test/test-execute/exec-systemcallfilter-with-errno-number.service
@ -0,0 +1,8 @@
+[Unit]
+Description=Test for SystemCallFilter with errno number
+
+[Service]
+ExecStart=/bin/python3 -c 'import os\ntry: os.uname()\nexcept Exception as e: exit(e.errno)'
+Type=oneshot
+SystemCallFilter=~uname:255
+SystemCallErrorNumber=EACCES