[CRIU] [PATCH 5/5] test: Add a test for c/r of seccomp filters

Tycho Andersen tycho.andersen at canonical.com
Fri Sep 4 09:22:15 PDT 2015


From: Tycho Andersen <tycho at tycho.ws>

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 test/zdtm.sh                           |   9 ++
 test/zdtm/.gitignore                   |   1 +
 test/zdtm/live/static/Makefile         |   1 +
 test/zdtm/live/static/seccomp_filter.c | 171 +++++++++++++++++++++++++++++++++
 4 files changed, 182 insertions(+)
 create mode 100644 test/zdtm/live/static/seccomp_filter.c

diff --git a/test/zdtm.sh b/test/zdtm.sh
index feece7c..e1d9cc7 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -238,6 +238,9 @@ generate_test_list()
 		static/seccomp_strict
 	"
 
+	TEST_SECCOMP_FILTERS="
+		static/seccomp_filter
+	"
 
 	$CRIU check -v0 --feature "mnt_id"
 	if [ $? -eq 0 ]; then
@@ -266,6 +269,11 @@ generate_test_list()
 		TEST_LIST="$TEST_LIST$TEST_SECCOMP_SUSPEND"
 	fi
 
+	$CRIU check -v0 --feature "seccomp_filters"
+	if [ $? -eq 0 ]; then
+		TEST_LIST="$TEST_LIST$TEST_SECCOMP_FILTERS"
+	fi
+
 	# ns/static/clean_mntns: proc can't be mounted in userns, if it isn't mounted yet
 
 	BLACKLIST_FOR_USERNS="
@@ -348,6 +356,7 @@ sockets00
 cow01
 apparmor
 seccomp_strict
+seccomp_filter
 different_creds
 "
 
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index 77c2d15..604ff12 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -102,6 +102,7 @@
 /live/static/rtc
 /live/static/sched_policy00
 /live/static/sched_prio00
+/live/static/seccomp_filter
 /live/static/seccomp_strict
 /live/static/selfexe00
 /live/static/sem
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index 67be675..632b1ab 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -127,6 +127,7 @@ TST_NOFILE	=				\
 		fd				\
 		apparmor				\
 		seccomp_strict			\
+		seccomp_filter			\
 		different_creds			\
 #		jobctl00			\
 
diff --git a/test/zdtm/live/static/seccomp_filter.c b/test/zdtm/live/static/seccomp_filter.c
new file mode 100644
index 0000000..ac8c267
--- /dev/null
+++ b/test/zdtm/live/static/seccomp_filter.c
@@ -0,0 +1,171 @@
+#include <unistd.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/ptrace.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <linux/limits.h>
+#include <linux/bpf.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/syscall.h>
+#include "zdtmtst.h"
+
+const char *test_doc	= "Check that SECCOMP_MODE_FILTER is restored";
+const char *test_author	= "Tycho Andersen <tycho.andersen at canonical.com>";
+
+int get_seccomp_mode(pid_t pid)
+{
+	FILE *f;
+	char buf[PATH_MAX];
+
+	sprintf(buf, "/proc/%d/status", pid);
+	f = fopen(buf, "r+");
+	if (!f) {
+		err("fopen failed");
+		return -1;
+	}
+
+	while (NULL != fgets(buf, sizeof(buf), f)) {
+		int mode;
+
+		if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
+			continue;
+
+		fclose(f);
+		return mode;
+	}
+	fclose(f);
+
+	return -1;
+}
+
+int filter_syscall(int syscall_nr)
+{
+	struct sock_filter filter[] = {
+		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),
+		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
+		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+	};
+
+	struct sock_fprog bpf_prog = {
+		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
+		.filter = filter,
+	};
+
+	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) < 0) {
+		err("prctl failed");
+		return -1;
+	}
+
+	return 0;
+}
+
+int main(int argc, char ** argv)
+{
+	pid_t pid;
+	int mode, status;
+	int sk_pair[2], sk, ret;
+	char c = 'K';
+
+	test_init(argc, argv);
+
+	if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair)) {
+		err("socketpair");
+		return -1;
+	}
+
+	pid = fork();
+	if (pid < 0) {
+		err("fork");
+		return -1;
+	}
+
+	if (pid == 0) {
+
+		sk = sk_pair[1];
+		close(sk_pair[0]);
+
+		/*
+		 * Let's install a few filters separately to make sure the
+		 * chaining actually works.
+		 */
+		if (filter_syscall(__NR_ptrace) < 0)
+			_exit(1);
+
+		if (filter_syscall(__NR_getpid) < 0)
+			_exit(1);
+
+		/* FIXME: seccomp requires a task to be root in its user ns in
+		 * order to install filters for security reasons, so that
+		 * unprivileged parents cannot take over privileged childen.
+		 * However, we restore euids before we restore seccomp filters,
+		 * so if someone does a setuid(1000) here, the restore will
+		 * fail. We need to reorder some things so that the other creds
+		 * restore takes place after seccomp state is set; except that
+		 * the tasks need to be ptraced so the seccomp filters
+		 * potentially don't kill the task for calling setuid().
+		 */
+
+		zdtm_seccomp = 1;
+		test_msg("SECCOMP_MODE_FILTER is enabled\n");
+
+		if (write(sk, &c, 1) != 1) {
+			err("write");
+			_exit(1);
+		}
+
+		if (read(sk, &c, 1) != 1) {
+			err("read");
+			_exit(1);
+		}
+
+		/* We expect to be killed by our policy above. */
+		ptrace(PTRACE_TRACEME);
+
+		syscall(__NR_exit, 0);
+	}
+
+	sk = sk_pair[0];
+	close(sk_pair[1]);
+
+	if ((ret = read(sk, &c, 1)) != 1) {
+		err("read %d", ret);
+		goto err;
+	}
+
+	test_daemon();
+	test_waitsig();
+
+	mode = get_seccomp_mode(pid);
+	if (write(sk, &c, 1) != 1) {
+		err("write");
+		goto err;
+	}
+	if (waitpid(pid, &status, 0) != pid) {
+		err("waitpid");
+		exit(1);
+	}
+
+	if (WTERMSIG(status) != SIGSYS) {
+		err("expected SIGSYS, got %d\n", WTERMSIG(status));
+		exit(1);
+	}
+
+	if (mode != SECCOMP_MODE_FILTER) {
+		fail("seccomp mode mismatch %d\n", mode);
+		return 1;
+	}
+
+	pass();
+
+	return 0;
+err:
+	kill(pid, SIGKILL);
+	return 1;
+}
-- 
2.5.0



More information about the CRIU mailing list