Commit 8feae5ad authored by Andrei Vagin's avatar Andrei Vagin Committed by Kees Cook

selftest/seccomp: add a new test for the sync mode of seccomp_user_notify



Test output:
 #  RUN           global.user_notification_sync ...
 #            OK  global.user_notification_sync
 ok 51 global.user_notification_sync

Signed-off-by: default avatarAndrei Vagin <avagin@google.com>
Acked-by: default avatar"Peter Zijlstra (Intel)" <peterz@infradead.org>
Link: https://lore.kernel.org/r/20230308073201.3102738-6-avagin@google.com


Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 48a1084a
+55 −0
@@ -4255,6 +4255,61 @@ TEST(user_notification_addfd_rlimit)
	close(memfd);
}

#ifndef SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP
#define SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP (1UL << 0)
#define SECCOMP_IOCTL_NOTIF_SET_FLAGS  SECCOMP_IOW(4, __u64)
#endif

TEST(user_notification_sync)
{
	struct seccomp_notif req = {};
	struct seccomp_notif_resp resp = {};
	int status, listener;
	pid_t pid;
	long ret;

	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
	ASSERT_EQ(0, ret) {
		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
	}

	listener = user_notif_syscall(__NR_getppid,
				      SECCOMP_FILTER_FLAG_NEW_LISTENER);
	ASSERT_GE(listener, 0);

	/* Try to set invalid flags. */
	EXPECT_SYSCALL_RETURN(-EINVAL,
		ioctl(listener, SECCOMP_IOCTL_NOTIF_SET_FLAGS, 0xffffffff, 0));

	ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SET_FLAGS,
			SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP, 0), 0);

	pid = fork();
	ASSERT_GE(pid, 0);
	if (pid == 0) {
		ret = syscall(__NR_getppid);
		ASSERT_EQ(ret, USER_NOTIF_MAGIC) {
			_exit(1);
		}
		_exit(0);
	}

	req.pid = 0;
	ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);

	ASSERT_EQ(req.data.nr,  __NR_getppid);

	resp.id = req.id;
	resp.error = 0;
	resp.val = USER_NOTIF_MAGIC;
	resp.flags = 0;
	ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);

	ASSERT_EQ(waitpid(pid, &status, 0), pid);
	ASSERT_EQ(status, 0);
}


/* Make sure PTRACE_O_SUSPEND_SECCOMP requires CAP_SYS_ADMIN. */
FIXTURE(O_SUSPEND_SECCOMP) {
	pid_t pid;
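Review bot: Both SECCOMP_IOCTL_NOTIF_SET_FLAGS calls in TEST(user_notification_sync) pass the flag word by value although the request is declared as `SECCOMP_IOW(4, __u64)`, and the invalid-flags case sends `0xffffffff`, an `unsigned int`, through ioctl's variadic slot together with a stray fourth argument `0`. I would make the width explicit and drop the extra argument, e.g. `ioctl(listener, SECCOMP_IOCTL_NOTIF_SET_FLAGS, ~0UL)`, which on 64-bit builds also covers the upper flag bits. A comment such as `/* flags are passed by value, not by pointer */` above the first call would stop supervisor code modelled on this test from passing an address. As written, the test shows only that the flag is accepted and that a notification still round-trips; nothing in it observes the synchronous wake-up itself, which is worth saying in a comment above the TEST. The trailing FIXTURE(O_SUSPEND_SECCOMP) lines are context, and that fixture's body continues outside the hunk.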