Re: [PATCH 1/2] selftests/seccomp: Prepare for exclusive seccomp flags

Wed, 24 Apr 2019 22:30:28 -0700 

On Wed, 24 Apr 2019, Kees Cook wrote:

> Some seccomp flags will become exclusive, so the selftest needs to
> be adjusted to mask those out and test them individually for the "all
> flags" tests.
> 
> Cc: sta...@vger.kernel.org # v5.0+
> Signed-off-by: Kees Cook <keesc...@chromium.org>


Acked-by: James Morris <jamor...@linux.microsoft.com>

> ---
>  tools/testing/selftests/seccomp/seccomp_bpf.c | 34 ++++++++++++++-----
>  1 file changed, 25 insertions(+), 9 deletions(-)
> 
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c 
> b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index f69d2ee29742..5019cdae5d0b 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags)
>                                SECCOMP_FILTER_FLAG_LOG,
>                                SECCOMP_FILTER_FLAG_SPEC_ALLOW,
>                                SECCOMP_FILTER_FLAG_NEW_LISTENER };
> -     unsigned int flag, all_flags;
> +     unsigned int exclusive[] = {
> +                             SECCOMP_FILTER_FLAG_TSYNC,
> +                             SECCOMP_FILTER_FLAG_NEW_LISTENER };
> +     unsigned int flag, all_flags, exclusive_mask;
>       int i;
>       long ret;
>  
> -     /* Test detection of known-good filter flags */
> +     /* Test detection of individual known-good filter flags */
>       for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
>               int bits = 0;
>  
> @@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags)
>               all_flags |= flag;
>       }
>  
> -     /* Test detection of all known-good filter flags */
> -     ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
> -     EXPECT_EQ(-1, ret);
> -     EXPECT_EQ(EFAULT, errno) {
> -             TH_LOG("Failed to detect that all known-good filter flags 
> (0x%X) are supported!",
> -                    all_flags);
> +     /*
> +      * Test detection of all known-good filter flags combined. But
> +      * for the exclusive flags we need to mask them out and try them
> +      * individually for the "all flags" testing.
> +      */
> +     exclusive_mask = 0;
> +     for (i = 0; i < ARRAY_SIZE(exclusive); i++)
> +             exclusive_mask |= exclusive[i];
> +     for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
> +             flag = all_flags & ~exclusive_mask;
> +             flag |= exclusive[i];
> +
> +             ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
> +             EXPECT_EQ(-1, ret);
> +             EXPECT_EQ(EFAULT, errno) {
> +                     TH_LOG("Failed to detect that all known-good filter 
> flags (0x%X) are supported!",
> +                            flag);
> +             }
>       }
>  
> -     /* Test detection of an unknown filter flag */
> +     /* Test detection of an unknown filter flags, without exclusives. */
>       flag = -1;
> +     flag &= ~exclusive_mask;
>       ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
>       EXPECT_EQ(-1, ret);
>       EXPECT_EQ(EINVAL, errno) {
> 

-- 
James Morris
<jmor...@namei.org>

Reply via email to