selftests/seccomp: Refactor RET_ERRNO tests

This refactors the errno tests (since they all use the same pattern for
their filter) and adds a RET_DATA field ordering test.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
This commit is contained in:
Kees Cook 2017-08-02 14:08:39 -07:00
parent 967d7ba841
commit f3f6e30669
1 changed files with 58 additions and 37 deletions

View File

@ -136,7 +136,7 @@ TEST(no_new_privs_support)
} }
} }
/* Tests kernel support by checking for a copy_from_user() fault on * NULL. */ /* Tests kernel support by checking for a copy_from_user() fault on NULL. */
TEST(mode_filter_support) TEST(mode_filter_support)
{ {
long ret; long ret;
@ -541,26 +541,30 @@ TEST(arg_out_of_range)
EXPECT_EQ(EINVAL, errno); EXPECT_EQ(EINVAL, errno);
} }
#define ERRNO_FILTER(name, errno) \
struct sock_filter _read_filter_##name[] = { \
BPF_STMT(BPF_LD|BPF_W|BPF_ABS, \
offsetof(struct seccomp_data, nr)), \
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), \
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno), \
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \
}; \
struct sock_fprog prog_##name = { \
.len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \
.filter = _read_filter_##name, \
}
/* Make sure basic errno values are correctly passed through a filter. */
TEST(ERRNO_valid) TEST(ERRNO_valid)
{ {
struct sock_filter filter[] = { ERRNO_FILTER(valid, E2BIG);
BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | E2BIG),
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog prog = {
.len = (unsigned short)ARRAY_SIZE(filter),
.filter = filter,
};
long ret; long ret;
pid_t parent = getppid(); pid_t parent = getppid();
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid);
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
EXPECT_EQ(parent, syscall(__NR_getppid)); EXPECT_EQ(parent, syscall(__NR_getppid));
@ -568,26 +572,17 @@ TEST(ERRNO_valid)
EXPECT_EQ(E2BIG, errno); EXPECT_EQ(E2BIG, errno);
} }
/* Make sure an errno of zero is correctly handled by the arch code. */
TEST(ERRNO_zero) TEST(ERRNO_zero)
{ {
struct sock_filter filter[] = { ERRNO_FILTER(zero, 0);
BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 0),
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog prog = {
.len = (unsigned short)ARRAY_SIZE(filter),
.filter = filter,
};
long ret; long ret;
pid_t parent = getppid(); pid_t parent = getppid();
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero);
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
EXPECT_EQ(parent, syscall(__NR_getppid)); EXPECT_EQ(parent, syscall(__NR_getppid));
@ -595,26 +590,21 @@ TEST(ERRNO_zero)
EXPECT_EQ(0, read(0, NULL, 0)); EXPECT_EQ(0, read(0, NULL, 0));
} }
/*
* The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller.
* This tests that the errno value gets capped correctly, fixed by
* 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
*/
TEST(ERRNO_capped) TEST(ERRNO_capped)
{ {
struct sock_filter filter[] = { ERRNO_FILTER(capped, 4096);
BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
offsetof(struct seccomp_data, nr)),
BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | 4096),
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};
struct sock_fprog prog = {
.len = (unsigned short)ARRAY_SIZE(filter),
.filter = filter,
};
long ret; long ret;
pid_t parent = getppid(); pid_t parent = getppid();
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped);
ASSERT_EQ(0, ret); ASSERT_EQ(0, ret);
EXPECT_EQ(parent, syscall(__NR_getppid)); EXPECT_EQ(parent, syscall(__NR_getppid));
@ -622,6 +612,37 @@ TEST(ERRNO_capped)
EXPECT_EQ(4095, errno); EXPECT_EQ(4095, errno);
} }
/*
* Filters are processed in reverse order: last applied is executed first.
* Since only the SECCOMP_RET_ACTION mask is tested for return values, the
* SECCOMP_RET_DATA mask results will follow the most recently applied
* matching filter return (and not the lowest or highest value).
*/
TEST(ERRNO_order)
{
ERRNO_FILTER(first, 11);
ERRNO_FILTER(second, 13);
ERRNO_FILTER(third, 12);
long ret;
pid_t parent = getppid();
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first);
ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second);
ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third);
ASSERT_EQ(0, ret);
EXPECT_EQ(parent, syscall(__NR_getppid));
EXPECT_EQ(-1, read(0, NULL, 0));
EXPECT_EQ(12, errno);
}
FIXTURE_DATA(TRAP) { FIXTURE_DATA(TRAP) {
struct sock_fprog prog; struct sock_fprog prog;
}; };