[CRIU] [PATCH 5/5] test: Add a test for c/r of seccomp filters
Tycho Andersen
tycho.andersen at canonical.com
Fri Sep 4 09:22:15 PDT 2015
From: Tycho Andersen <tycho at tycho.ws>
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
test/zdtm.sh | 9 ++
test/zdtm/.gitignore | 1 +
test/zdtm/live/static/Makefile | 1 +
test/zdtm/live/static/seccomp_filter.c | 171 +++++++++++++++++++++++++++++++++
4 files changed, 182 insertions(+)
create mode 100644 test/zdtm/live/static/seccomp_filter.c
diff --git a/test/zdtm.sh b/test/zdtm.sh
index feece7c..e1d9cc7 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -238,6 +238,9 @@ generate_test_list()
static/seccomp_strict
"
+ TEST_SECCOMP_FILTERS="
+ static/seccomp_filter
+ "
$CRIU check -v0 --feature "mnt_id"
if [ $? -eq 0 ]; then
@@ -266,6 +269,11 @@ generate_test_list()
TEST_LIST="$TEST_LIST$TEST_SECCOMP_SUSPEND"
fi
+ $CRIU check -v0 --feature "seccomp_filters"
+ if [ $? -eq 0 ]; then
+ TEST_LIST="$TEST_LIST$TEST_SECCOMP_FILTERS"
+ fi
+
# ns/static/clean_mntns: proc can't be mounted in userns, if it isn't mounted yet
BLACKLIST_FOR_USERNS="
@@ -348,6 +356,7 @@ sockets00
cow01
apparmor
seccomp_strict
+seccomp_filter
different_creds
"
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index 77c2d15..604ff12 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -102,6 +102,7 @@
/live/static/rtc
/live/static/sched_policy00
/live/static/sched_prio00
+/live/static/seccomp_filter
/live/static/seccomp_strict
/live/static/selfexe00
/live/static/sem
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index 67be675..632b1ab 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -127,6 +127,7 @@ TST_NOFILE = \
fd \
apparmor \
seccomp_strict \
+ seccomp_filter \
different_creds \
# jobctl00 \
diff --git a/test/zdtm/live/static/seccomp_filter.c b/test/zdtm/live/static/seccomp_filter.c
new file mode 100644
index 0000000..ac8c267
--- /dev/null
+++ b/test/zdtm/live/static/seccomp_filter.c
@@ -0,0 +1,171 @@
+#include <unistd.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <stddef.h>
+#include <sys/prctl.h>
+#include <sys/ptrace.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <linux/limits.h>
+#include <linux/bpf.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/syscall.h>
+#include "zdtmtst.h"
+
+const char *test_doc = "Check that SECCOMP_MODE_FILTER is restored";
+const char *test_author = "Tycho Andersen <tycho.andersen at canonical.com>";
+
+int get_seccomp_mode(pid_t pid)
+{
+ FILE *f;
+ char buf[PATH_MAX];
+
+ sprintf(buf, "/proc/%d/status", pid);
+ f = fopen(buf, "r+");
+ if (!f) {
+ err("fopen failed");
+ return -1;
+ }
+
+ while (NULL != fgets(buf, sizeof(buf), f)) {
+ int mode;
+
+ if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
+ continue;
+
+ fclose(f);
+ return mode;
+ }
+ fclose(f);
+
+ return -1;
+}
+
+int filter_syscall(int syscall_nr)
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ };
+
+ struct sock_fprog bpf_prog = {
+ .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
+ .filter = filter,
+ };
+
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) < 0) {
+ err("prctl failed");
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char ** argv)
+{
+ pid_t pid;
+ int mode, status;
+ int sk_pair[2], sk, ret;
+ char c = 'K';
+
+ test_init(argc, argv);
+
+ if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair)) {
+ err("socketpair");
+ return -1;
+ }
+
+ pid = fork();
+ if (pid < 0) {
+ err("fork");
+ return -1;
+ }
+
+ if (pid == 0) {
+
+ sk = sk_pair[1];
+ close(sk_pair[0]);
+
+ /*
+ * Let's install a few filters separately to make sure the
+ * chaining actually works.
+ */
+ if (filter_syscall(__NR_ptrace) < 0)
+ _exit(1);
+
+ if (filter_syscall(__NR_getpid) < 0)
+ _exit(1);
+
+ /* FIXME: seccomp requires a task to be root in its user ns in
+ * order to install filters for security reasons, so that
+ * unprivileged parents cannot take over privileged childen.
+ * However, we restore euids before we restore seccomp filters,
+ * so if someone does a setuid(1000) here, the restore will
+ * fail. We need to reorder some things so that the other creds
+ * restore takes place after seccomp state is set; except that
+ * the tasks need to be ptraced so the seccomp filters
+ * potentially don't kill the task for calling setuid().
+ */
+
+ zdtm_seccomp = 1;
+ test_msg("SECCOMP_MODE_FILTER is enabled\n");
+
+ if (write(sk, &c, 1) != 1) {
+ err("write");
+ _exit(1);
+ }
+
+ if (read(sk, &c, 1) != 1) {
+ err("read");
+ _exit(1);
+ }
+
+ /* We expect to be killed by our policy above. */
+ ptrace(PTRACE_TRACEME);
+
+ syscall(__NR_exit, 0);
+ }
+
+ sk = sk_pair[0];
+ close(sk_pair[1]);
+
+ if ((ret = read(sk, &c, 1)) != 1) {
+ err("read %d", ret);
+ goto err;
+ }
+
+ test_daemon();
+ test_waitsig();
+
+ mode = get_seccomp_mode(pid);
+ if (write(sk, &c, 1) != 1) {
+ err("write");
+ goto err;
+ }
+ if (waitpid(pid, &status, 0) != pid) {
+ err("waitpid");
+ exit(1);
+ }
+
+ if (WTERMSIG(status) != SIGSYS) {
+ err("expected SIGSYS, got %d\n", WTERMSIG(status));
+ exit(1);
+ }
+
+ if (mode != SECCOMP_MODE_FILTER) {
+ fail("seccomp mode mismatch %d\n", mode);
+ return 1;
+ }
+
+ pass();
+
+ return 0;
+err:
+ kill(pid, SIGKILL);
+ return 1;
+}
--
2.5.0
More information about the CRIU
mailing list