Re-ping. Can someone pull this into their tree? -Kees
On Fri, Aug 21, 2015 at 11:22 AM, Kees Cook <keesc...@chromium.org> wrote:
> This adds support for s390 to the seccomp selftests. Some improvements
> were made to enhance the accuracy of failure reporting, and additional
> tests were added to validate assumptions about the currently traced
> syscall. Also adds early asserts for running on older kernels to avoid
> noise when the seccomp syscall is not implemented.
>
> Signed-off-by: Kees Cook <keesc...@chromium.org>
> ---
> This applies on top of -next, following the addition of the powerpc tests.
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 37
> +++++++++++++++++++++++++-
> tools/testing/selftests/seccomp/test_harness.h | 7 ++---
> 2 files changed, 38 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c
> b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index a004b4cce99e..770f47adf295 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -1210,6 +1210,10 @@ TEST_F(TRACE_poke, getpid_runs_normally)
> # define ARCH_REGS struct pt_regs
> # define SYSCALL_NUM gpr[0]
> # define SYSCALL_RET gpr[3]
> +#elif defined(__s390__)
> +# define ARCH_REGS s390_regs
> +# define SYSCALL_NUM gprs[2]
> +# define SYSCALL_RET gprs[2]
> #else
> # error "Do not know how to find your architecture's registers and syscalls"
> #endif
> @@ -1243,7 +1247,8 @@ void change_syscall(struct __test_metadata *_metadata,
> ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
> EXPECT_EQ(0, ret);
>
> -#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) ||
> defined(__powerpc__)
> +#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
> + defined(__powerpc__) || defined(__s390__)
> {
> regs.SYSCALL_NUM = syscall;
> }
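Review bot: In the new `#elif defined(__s390__)` branch both `SYSCALL_NUM` and `SYSCALL_RET` expand to `gprs[2]`, and nothing in the hunk marks that as deliberate. Any path that writes `regs.SYSCALL_NUM` and then `regs.SYSCALL_RET` would overwrite the syscall number it has just set, which matters most for the skip case where `change_syscall()` is called with -1. `change_syscall()` continues outside the second hunk, so I cannot see whether it does this. A comment on the defines such as `/* s390: syscall number and return value share gprs[2] */` would make the aliasing visible, and the skipped-syscall test should be confirmed on s390 before relying on it.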
> @@ -1281,17 +1286,21 @@ void tracer_syscall(struct __test_metadata
> *_metadata, pid_t tracee,
> ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
> EXPECT_EQ(0, ret);
>
> + /* Validate and take action on expected syscalls. */
> switch (msg) {
> case 0x1002:
> /* change getpid to getppid. */
> + EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
> change_syscall(_metadata, tracee, __NR_getppid);
> break;
> case 0x1003:
> /* skip gettid. */
> + EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
> change_syscall(_metadata, tracee, -1);
> break;
> case 0x1004:
> /* do nothing (allow getppid) */
> + EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
> break;
> default:
> EXPECT_EQ(0, msg) {
> @@ -1409,6 +1418,8 @@ TEST_F(TRACE_syscall, syscall_dropped)
> # define __NR_seccomp 277
> # elif defined(__powerpc__)
> # define __NR_seccomp 358
> +# elif defined(__s390__)
> +# define __NR_seccomp 348
> # else
> # warning "seccomp syscall number unknown for this architecture"
> # define __NR_seccomp 0xffff
> @@ -1453,6 +1464,9 @@ TEST(seccomp_syscall)
>
> /* Reject insane operation. */
> ret = seccomp(-1, 0, &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> EXPECT_EQ(EINVAL, errno) {
> TH_LOG("Did not reject crazy op value!");
> }
> @@ -1501,6 +1515,9 @@ TEST(seccomp_syscall_mode_lock)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> EXPECT_EQ(0, ret) {
> TH_LOG("Could not install filter!");
> }
> @@ -1535,6 +1552,9 @@ TEST(TSYNC_first)
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
> &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> EXPECT_EQ(0, ret) {
> TH_LOG("Could not install initial filter with TSYNC!");
> }
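Review bot: `ASSERT_NE(ENOSYS, errno)` in `TEST(seccomp_syscall)` reads errno without looking at `ret`, and errno is only meaningful after a call that failed. In that hunk the `seccomp(-1, 0, &prog)` call is expected to fail, so the check works there. The same three lines in seccomp_syscall_mode_lock, TSYNC_first and the five TSYNC fixture hunks that follow sit after calls that are expected to succeed, where a stale ENOSYS left by an earlier call could abort the test with a misleading "Kernel does not support seccomp syscall!" message. Setting `errno = 0;` immediately before each `seccomp()` call keeps the assertion tied to the call it follows, and since the block is repeated eight times a small helper macro would keep the copies consistent. The test bodies extend outside the hunks.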
> @@ -1694,6 +1714,9 @@ TEST_F(TSYNC, siblings_fail_prctl)
>
> /* Check prctl failure detection by requesting sib 0 diverge. */
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("setting filter failed");
> }
> @@ -1731,6 +1754,9 @@ TEST_F(TSYNC, two_siblings_with_ancestor)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
> }
> @@ -1805,6 +1831,9 @@ TEST_F(TSYNC, two_siblings_with_no_filter)
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
> &self->apply_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Could install filter on all threads!");
> }
> @@ -1833,6 +1862,9 @@ TEST_F(TSYNC, two_siblings_with_one_divergence)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
> }
> @@ -1890,6 +1922,9 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
> }
> diff --git a/tools/testing/selftests/seccomp/test_harness.h
> b/tools/testing/selftests/seccomp/test_harness.h
> index 977a6afc4489..fb2841601f2f 100644
> --- a/tools/testing/selftests/seccomp/test_harness.h
> +++ b/tools/testing/selftests/seccomp/test_harness.h
> @@ -370,11 +370,8 @@
> __typeof__(_expected) __exp = (_expected); \
> __typeof__(_seen) __seen = (_seen); \
> if (!(__exp _t __seen)) { \
> - unsigned long long __exp_print = 0; \
> - unsigned long long __seen_print = 0; \
> - /* Avoid casting complaints the scariest way we can. */ \
> - memcpy(&__exp_print, &__exp, sizeof(__exp)); \
> - memcpy(&__seen_print, &__seen, sizeof(__seen)); \
> + unsigned long long __exp_print = (unsigned long long)__exp; \
> + unsigned long long __seen_print = (unsigned long long)__seen;
> \
> __TH_LOG("Expected %s (%llu) %s %s (%llu)", \
> #_expected, __exp_print, #_t, \
> #_seen, __seen_print); \
> --
> 1.9.1
>
>
> --
> Kees Cook
> Chrome OS Security
-- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
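Review bot: The reason for switching from memcpy to the direct cast `(unsigned long long)__exp` is not recorded where the removed comment stood. Presumably copying `sizeof(__exp)` bytes into a zeroed 64-bit variable misprinted narrower values on big-endian s390; that is inferred from the commit's purpose, not stated in the hunk. The cast sign-extends, so a negative int such as -1 is now logged as 18446744073709551615 under `%llu`, and a pointer operand may draw a cast-size warning on 32-bit builds. A replacement comment such as `/* Cast rather than memcpy so narrower types print correctly on big-endian; negative values appear as their unsigned wrap-around. */` would keep the intent next to the code. The macro begins and ends outside the hunk.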