On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <[email protected]> wrote: > Extend the kernel selftests for seccomp to test the newly added > SECCOMP_RET_LOG action. The added tests follow the example of existing > tests. > > Unfortunately, the tests are not capable of inspecting the audit log to > verify that the syscall was logged. > > Signed-off-by: Tyler Hicks <[email protected]> > --- > tools/testing/selftests/seccomp/seccomp_bpf.c | 94 > +++++++++++++++++++++++++++ > 1 file changed, 94 insertions(+) > > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c > b/tools/testing/selftests/seccomp/seccomp_bpf.c > index 03f1fa4..a39f620 100644 > --- a/tools/testing/selftests/seccomp/seccomp_bpf.c > +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c > @@ -87,6 +87,10 @@ struct seccomp_data { > }; > #endif > > +#ifndef SECCOMP_RET_LOG > +#define SECCOMP_RET_LOG 0x7ffe0000U /* allow after logging */
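Review bot: the fallback `#define SECCOMP_RET_LOG 0x7ffe0000U` inside the `#ifndef SECCOMP_RET_LOG` guard hardcodes a second copy of the action value, and that copy is only used when the installed headers do not define it. If the value changes in the kernel-side patch, this literal has to change in the same revision; otherwise a build against older headers tests a different action value than the kernel implements. The commit message also says the tests cannot inspect the audit log, so consider stating that limitation in a comment next to the added tests, so a passing run is not read as proof that the syscall was logged.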
Except changing this to match my suggested tweak, this all looks great.
(Though it would be fun to find a clean way to actually examine the dmesg
buffer...)

-Kees

-- 
Kees Cook
Pixel Security

