[CRIU] [PATCH 2/6] add a test for SECCOMP_MODE_STRICT
Tycho Andersen
tycho.andersen at canonical.com
Thu Jun 18 10:59:17 PDT 2015
Note that we don't add the test into the list of tests to run, because it will
fail without the associated kernel patch.
v2: spin lock until seccomp strict is set on the child
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
test/zdtm.sh | 1 +
test/zdtm/.gitignore | 1 +
test/zdtm/live/static/Makefile | 1 +
test/zdtm/live/static/seccomp_strict.c | 83 ++++++++++++++++++++++++++++++++++
4 files changed, 86 insertions(+)
create mode 100644 test/zdtm/live/static/seccomp_strict.c
diff --git a/test/zdtm.sh b/test/zdtm.sh
index 12c43ee..f1653f9 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -333,6 +333,7 @@ netns-dev
sockets00
cow01
apparmor
+seccomp_strict
"
CRIU_CPT=$CRIU
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index 443e108..36f9e75 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -101,6 +101,7 @@
/live/static/rtc
/live/static/sched_policy00
/live/static/sched_prio00
+/live/static/seccomp_strict
/live/static/selfexe00
/live/static/sem
/live/static/session00
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index a968bbe..8ea8d82 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -123,6 +123,7 @@ TST_NOFILE = \
aio00 \
fd \
apparmor \
+ seccomp_strict \
# jobctl00 \
TST_FILE = \
diff --git a/test/zdtm/live/static/seccomp_strict.c b/test/zdtm/live/static/seccomp_strict.c
new file mode 100644
index 0000000..97db19b
--- /dev/null
+++ b/test/zdtm/live/static/seccomp_strict.c
@@ -0,0 +1,83 @@
+#include <unistd.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
+#include <linux/limits.h>
+#include "zdtmtst.h"
+
+const char *test_doc = "Check that SECCOMP_MODE_STRICT is restored";
+const char *test_author = "Tycho Andersen <tycho.andersen at canonical.com>";
+
+int get_seccomp_mode(pid_t pid, bool after_checkpoint)
+{
+ FILE *f;
+ char buf[PATH_MAX];
+
+ sprintf(buf, "/proc/%d/status", pid);
+ f = fopen(buf, "r+");
+ if (!f) {
+ err("fopen failed");
+ return -1;
+ }
+
+ while (NULL != fgets(buf, sizeof(buf), f)) {
+ int mode;
+ char state;
+
+ if (after_checkpoint && sscanf(buf, "State: %c %*s", &state) == 1 && state != 'R') {
+ fail("resumed but state is not R (%c), seccomp killed the process during resume\n", state);
+ break;
+ }
+
+ if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
+ continue;
+
+ fclose(f);
+ return mode;
+ }
+ fclose(f);
+
+ return -1;
+}
+
+int main(int argc, char ** argv)
+{
+ pid_t pid;
+ int ret = 1, mode;
+
+ test_init(argc, argv);
+
+ pid = fork();
+ if (pid < 0) {
+ err("fork");
+ return -1;
+ }
+
+ if (pid == 0) {
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) < 0) {
+ err("prctl failed");
+ return -1;
+ }
+
+ while(1)
+ /* can't sleep() here, seccomp kills us */;
+ }
+
+ while(get_seccomp_mode(pid, false) != SECCOMP_MODE_STRICT)
+ sleep(1);
+
+ test_daemon();
+ test_waitsig();
+
+ mode = get_seccomp_mode(pid, true);
+ if (mode != SECCOMP_MODE_STRICT) {
+ fail("seccomp mode mismatch %d\n", mode);
+ } else {
+ pass();
+ ret = 0;
+ }
+
+ kill(pid, SIGKILL);
+ return ret;
+}
--
2.1.4
More information about the CRIU
mailing list