[CRIU] [PATCH 2/6] add a test for SECCOMP_MODE_STRICT

Tycho Andersen tycho.andersen at canonical.com
Thu Jun 18 10:59:17 PDT 2015


Note that we don't add the test into the list of tests to run, because it will
fail without the associated kernel patch.

v2: spin lock until seccomp strict is set on the child

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 test/zdtm.sh                           |  1 +
 test/zdtm/.gitignore                   |  1 +
 test/zdtm/live/static/Makefile         |  1 +
 test/zdtm/live/static/seccomp_strict.c | 83 ++++++++++++++++++++++++++++++++++
 4 files changed, 86 insertions(+)
 create mode 100644 test/zdtm/live/static/seccomp_strict.c

diff --git a/test/zdtm.sh b/test/zdtm.sh
index 12c43ee..f1653f9 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -333,6 +333,7 @@ netns-dev
 sockets00
 cow01
 apparmor
+seccomp_strict
 "
 
 CRIU_CPT=$CRIU
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index 443e108..36f9e75 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -101,6 +101,7 @@
 /live/static/rtc
 /live/static/sched_policy00
 /live/static/sched_prio00
+/live/static/seccomp_strict
 /live/static/selfexe00
 /live/static/sem
 /live/static/session00
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index a968bbe..8ea8d82 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -123,6 +123,7 @@ TST_NOFILE	=				\
 		aio00				\
 		fd				\
 		apparmor				\
+		seccomp_strict			\
 #		jobctl00			\
 
 TST_FILE	=				\
diff --git a/test/zdtm/live/static/seccomp_strict.c b/test/zdtm/live/static/seccomp_strict.c
new file mode 100644
index 0000000..97db19b
--- /dev/null
+++ b/test/zdtm/live/static/seccomp_strict.c
@@ -0,0 +1,83 @@
+#include <unistd.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
+#include <linux/limits.h>
+#include "zdtmtst.h"
+
+const char *test_doc	= "Check that SECCOMP_MODE_STRICT is restored";
+const char *test_author	= "Tycho Andersen <tycho.andersen at canonical.com>";
+
+int get_seccomp_mode(pid_t pid, bool after_checkpoint)
+{
+	FILE *f;
+	char buf[PATH_MAX];
+
+	sprintf(buf, "/proc/%d/status", pid);
+	f = fopen(buf, "r+");
+	if (!f) {
+		err("fopen failed");
+		return -1;
+	}
+
+	while (NULL != fgets(buf, sizeof(buf), f)) {
+		int mode;
+		char state;
+
+		if (after_checkpoint && sscanf(buf, "State: %c %*s", &state) == 1 && state != 'R') {
+			fail("resumed but state is not R (%c), seccomp killed the process during resume\n", state);
+			break;
+		}
+
+		if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
+			continue;
+
+		fclose(f);
+		return mode;
+	}
+	fclose(f);
+
+	return -1;
+}
+
+int main(int argc, char ** argv)
+{
+	pid_t pid;
+	int ret = 1, mode;
+
+	test_init(argc, argv);
+
+	pid = fork();
+	if (pid < 0) {
+		err("fork");
+		return -1;
+	}
+
+	if (pid == 0) {
+		if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) < 0) {
+			err("prctl failed");
+			return -1;
+		}
+
+		while(1)
+			/* can't sleep() here, seccomp kills us */;
+	}
+
+	while(get_seccomp_mode(pid, false) != SECCOMP_MODE_STRICT)
+		sleep(1);
+
+	test_daemon();
+	test_waitsig();
+
+	mode = get_seccomp_mode(pid, true);
+	if (mode != SECCOMP_MODE_STRICT) {
+		fail("seccomp mode mismatch %d\n", mode);
+	} else {
+		pass();
+		ret = 0;
+	}
+
+	kill(pid, SIGKILL);
+	return ret;
+}
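Review bot: The readiness loop in main, `while(get_seccomp_mode(pid, false) != SECCOMP_MODE_STRICT) sleep(1);`, never terminates if the child exits on the prctl failure path: a dead or zombie child keeps a Seccomp line of 0 (or its /proc entry disappears, so fopen keeps failing with -1), and the parent sleeps forever instead of reporting the failure. A `waitpid(pid, NULL, WNOHANG)` check inside that loop — `if (waitpid(pid, NULL, WNOHANG) != 0) { fail("child exited before entering strict mode"); return 1; }` — turns the hang into a reported failure; this needs `<sys/wait.h>`, which the file does not include directly (it may arrive via zdtmtst.h, worth confirming). In get_seccomp_mode, `fopen(buf, "r+")` requests write access to `/proc/<pid>/status` that the function never uses; `"r"` states the intent and avoids a needless open for writing on a kernel file. The final `kill(pid, SIGKILL)` is also not followed by a `waitpid`, so the child is left as a zombie until the test process itself exits; harmless for a short-lived test, but a one-line `waitpid(pid, NULL, 0);` after the kill would make the teardown explicit.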
-- 
2.1.4


