[v3,3/3] selftests/seccomp: Test seccomp filter load and attach

Message ID 20231129053440.41522-4-hengqi.chen@gmail.com
State New
Series seccomp: Make seccomp filter reusable |

Commit Message

Hengqi Chen Nov. 29, 2023, 5:34 a.m. UTC
  Add test cases that exercise the newly added seccomp filter
load and attach functionality.

Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
---
 tools/testing/selftests/seccomp/seccomp_bpf.c | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
  

Comments

kernel test robot Dec. 5, 2023, 8:48 a.m. UTC | #1
Hello,

kernel test robot noticed "kernel-selftests.seccomp.seccomp_bpf.fail" on:

commit: 95084d9b2b5f0b593724819288f3cb4e2c585cb0 ("[PATCH v3 3/3] selftests/seccomp: Test seccomp filter load and attach")
url: https://github.com/intel-lab-lkp/linux/commits/Hengqi-Chen/seccomp-Introduce-SECCOMP_LOAD_FILTER-operation/20231129-134337
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/seccomp
patch link: https://lore.kernel.org/all/20231129053440.41522-4-hengqi.chen@gmail.com/
patch subject: [PATCH v3 3/3] selftests/seccomp: Test seccomp filter load and attach

in testcase: kernel-selftests
version: kernel-selftests-x86_64-60acb023-1_20230329
with following parameters:

	group: group-s



compiler: gcc-12
test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)




If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202312051652.ecd5fbc7-oliver.sang@intel.com


we noticed one test added in this commit can pass, but another will fail.


# #  RUN           global.seccomp_filter_load_and_attach ...
# #            OK  global.seccomp_filter_load_and_attach
# ok 56 global.seccomp_filter_load_and_attach
# #  RUN           global.seccomp_attach_fd_failed ...
# # seccomp_bpf.c:4792:seccomp_attach_fd_failed:Expected errno (22) == EFAULT (14)
# # seccomp_attach_fd_failed: Test terminated by assertion
# #          FAIL  global.seccomp_attach_fd_failed
# not ok 57 global.seccomp_attach_fd_failed

...

# # FAILED: 97 / 98 tests passed.
# # Totals: pass:97 fail:1 xfail:0 xpass:0 skip:0 error:0
not ok 1 selftests: seccomp: seccomp_bpf # exit=1


we applied the patch set upon 31c65705a8cfa like below:

95084d9b2b5f0 (linux-review/Hengqi-Chen/seccomp-Introduce-SECCOMP_LOAD_FILTER-operation/20231129-134337) selftests/seccomp: Test seccomp filter load and attach
8fcda1c36e519 seccomp: Introduce new flag SECCOMP_FILTER_FLAG_FILTER_FD
bd86f21cfe1e0 seccomp: Introduce SECCOMP_LOAD_FILTER operation
31c65705a8cfa (kees/for-next/seccomp, kees/for-linus/seccomp) perf/benchmark: fix seccomp_unotify benchmark for 32-bit
ce9ecca0238b1 (tag: v6.6-rc2, hyperv/hyperv-next) Linux 6.6-rc2


not sure if this is the correct base, or is there any other dependency to run
new test seccomp_attach_fd_failed?


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20231205/202312051652.ecd5fbc7-oliver.sang@intel.com
  

Patch

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 38f651469968..66eb72e6c1a3 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -4735,6 +4735,77 @@  TEST(user_notification_wait_killable_fatal)
 	EXPECT_EQ(SIGTERM, WTERMSIG(status));
 }
 
+TEST(seccomp_filter_load_and_attach)
+{
+	struct sock_filter filter[] = {
+		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+	};
+	struct sock_fprog prog = {
+		.len = (unsigned short)ARRAY_SIZE(filter),
+		.filter = filter,
+	};
+	int fd, ret, flags;
+
+	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	ASSERT_EQ(0, ret)
+	{
+		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+	}
+
+	flags = 0;
+	fd = seccomp(SECCOMP_LOAD_FILTER, flags, &prog);
+	ASSERT_GT(fd, -1);
+
+	flags = SECCOMP_FILTER_FLAG_FILTER_FD;
+	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+	ASSERT_EQ(ret, 0);
+
+	flags = SECCOMP_FILTER_FLAG_FILTER_FD;
+	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+	ASSERT_EQ(ret, -1);
+	ASSERT_EQ(errno, EEXIST);
+
+	flags = 0;
+	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
+	ASSERT_EQ(ret, 0);
+
+	close(fd);
+}
+
+TEST(seccomp_attach_fd_failed)
+{
+	int fd, ret, flags;
+
+	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	ASSERT_EQ(0, ret)
+	{
+		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
+	}
+
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	ASSERT_GT(fd, -1);
+
+	/* copy a sock_fprog from a fd */
+	flags = 0;
+	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+	ASSERT_EQ(ret, -1);
+	ASSERT_EQ(errno, EFAULT);
+
+	/* pass a non seccomp filter fd */
+	flags = SECCOMP_FILTER_FLAG_FILTER_FD;
+	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+	ASSERT_EQ(ret, -1);
+	ASSERT_EQ(errno, EINVAL);
+	close(fd);
+
+	/* pass a invalid fd */
+	fd = -1;
+	flags = SECCOMP_FILTER_FLAG_FILTER_FD;
+	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+	ASSERT_EQ(ret, -1);
+	ASSERT_EQ(errno, EBADF);
+}
+
 /*
  * TODO:
  * - expand NNP testing
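Review bot: seccomp_filter_load_and_attach never checks that the filter attached through the fd is actually enforced, because the only program it loads is a bare `SECCOMP_RET_ALLOW`. Every assertion after `seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_FILTER_FD, &fd)` looks at a return code, so an attach path that returned 0 without installing anything would still pass. For a sandboxing primitive that is the property most worth pinning down. I would load a filter with an observable effect, such as an errno return for `getppid`, and assert that the syscall still works after SECCOMP_LOAD_FILTER and fails with that errno after the attach. The sketch below reuses the BPF macros already used in this hunk and elsewhere in seccomp_bpf.c.

```c
	struct sock_filter filter[] = {
		BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
			offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
	};
	pid_t parent = getppid();
	/* … unchanged: prog setup, PR_SET_NO_NEW_PRIVS, SECCOMP_LOAD_FILTER … */

	/* loading a filter must not restrict the caller yet */
	EXPECT_EQ(parent, syscall(__NR_getppid));

	/* … unchanged: flags = SECCOMP_FILTER_FLAG_FILTER_FD … */
	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
	ASSERT_EQ(ret, 0);

	/* the fd-attached filter must now be in effect */
	EXPECT_EQ(-1, syscall(__NR_getppid));
	EXPECT_EQ(EPERM, errno);
	/* … unchanged: EEXIST re-attach, sock_fprog attach, close(fd) … */
```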