[PATCH 5.0 001/122] selftests/seccomp: Prepare for exclusive seccomp flags

Mon, 06 May 2019 07:33:54 -0700 

From: Kees Cook <keesc...@chromium.org>

commit 4ee0776760af03f181e6b80baf5fb1cc1a980f50 upstream.

Some seccomp flags will become exclusive, so the selftest needs to
be adjusted to mask those out and test them individually for the "all
flags" tests.

Cc: sta...@vger.kernel.org # v5.0+
Signed-off-by: Kees Cook <keesc...@chromium.org>
Reviewed-by: Tycho Andersen <ty...@tycho.ws>
Acked-by: James Morris <jamor...@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 tools/testing/selftests/seccomp/seccomp_bpf.c |   34 +++++++++++++++++++-------
 1 file changed, 25 insertions(+), 9 deletions(-)

--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags)
                                 SECCOMP_FILTER_FLAG_LOG,
                                 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
                                 SECCOMP_FILTER_FLAG_NEW_LISTENER };
-       unsigned int flag, all_flags;
+       unsigned int exclusive[] = {
+                               SECCOMP_FILTER_FLAG_TSYNC,
+                               SECCOMP_FILTER_FLAG_NEW_LISTENER };
+       unsigned int flag, all_flags, exclusive_mask;
        int i;
        long ret;
 
-       /* Test detection of known-good filter flags */
+       /* Test detection of individual known-good filter flags */
        for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
                int bits = 0;
 
@@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags)
                all_flags |= flag;
        }
 
-       /* Test detection of all known-good filter flags */
-       ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
-       EXPECT_EQ(-1, ret);
-       EXPECT_EQ(EFAULT, errno) {
-               TH_LOG("Failed to detect that all known-good filter flags 
(0x%X) are supported!",
-                      all_flags);
+       /*
+        * Test detection of all known-good filter flags combined. But
+        * for the exclusive flags we need to mask them out and try them
+        * individually for the "all flags" testing.
+        */
+       exclusive_mask = 0;
+       for (i = 0; i < ARRAY_SIZE(exclusive); i++)
+               exclusive_mask |= exclusive[i];
+       for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
+               flag = all_flags & ~exclusive_mask;
+               flag |= exclusive[i];
+
+               ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+               EXPECT_EQ(-1, ret);
+               EXPECT_EQ(EFAULT, errno) {
+                       TH_LOG("Failed to detect that all known-good filter 
flags (0x%X) are supported!",
+                              flag);
+               }
        }
 
-       /* Test detection of an unknown filter flag */
+       /* Test detection of an unknown filter flags, without exclusives. */
        flag = -1;
+       flag &= ~exclusive_mask;
        ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
        EXPECT_EQ(-1, ret);
        EXPECT_EQ(EINVAL, errno) {

Reply via email to