Re-ping. Can someone pull this into their tree?

-Kees

On Fri, Aug 21, 2015 at 11:22 AM, Kees Cook <keesc...@chromium.org> wrote:
> This adds support for s390 to the seccomp selftests. Some improvements
> were made to enhance the accuracy of failure reporting, and additional
> tests were added to validate assumptions about the currently traced
> syscall. Also adds early asserts for running on older kernels to avoid
> noise when the seccomp syscall is not implemented.
>
> Signed-off-by: Kees Cook <keesc...@chromium.org>
> ---
> This applies on top of -next, following the addition of the powerpc tests.
> ---
>  tools/testing/selftests/seccomp/seccomp_bpf.c  | 37 
> +++++++++++++++++++++++++-
>  tools/testing/selftests/seccomp/test_harness.h |  7 ++---
>  2 files changed, 38 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c 
> b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index a004b4cce99e..770f47adf295 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -1210,6 +1210,10 @@ TEST_F(TRACE_poke, getpid_runs_normally)
>  # define ARCH_REGS     struct pt_regs
>  # define SYSCALL_NUM   gpr[0]
>  # define SYSCALL_RET   gpr[3]
> +#elif defined(__s390__)
> +# define ARCH_REGS     s390_regs
> +# define SYSCALL_NUM   gprs[2]
> +# define SYSCALL_RET   gprs[2]
>  #else
>  # error "Do not know how to find your architecture's registers and syscalls"
>  #endif
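Review bot: On s390 both `SYSCALL_NUM` and `SYSCALL_RET` expand to `gprs[2]`, and nothing in the added `#elif defined(__s390__)` branch says so, so any code that writes both fields in turn would silently overwrite the syscall number with the return value. change_syscall() is only partly visible in this patch, so whether its skip path (`change_syscall(_metadata, tracee, -1)`) also writes `SYSCALL_RET` cannot be confirmed from here and should be checked for this architecture. I would add a comment above the new defines, e.g. `/* s390: syscall number and return value share gprs[2]; never set both. */`.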
> @@ -1243,7 +1247,8 @@ void change_syscall(struct __test_metadata *_metadata,
>         ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
>         EXPECT_EQ(0, ret);
>
> -#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || 
> defined(__powerpc__)
> +#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
> +    defined(__powerpc__) || defined(__s390__)
>         {
>                 regs.SYSCALL_NUM = syscall;
>         }
> @@ -1281,17 +1286,21 @@ void tracer_syscall(struct __test_metadata 
> *_metadata, pid_t tracee,
>         ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
>         EXPECT_EQ(0, ret);
>
> +       /* Validate and take action on expected syscalls. */
>         switch (msg) {
>         case 0x1002:
>                 /* change getpid to getppid. */
> +               EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
>                 change_syscall(_metadata, tracee, __NR_getppid);
>                 break;
>         case 0x1003:
>                 /* skip gettid. */
> +               EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
>                 change_syscall(_metadata, tracee, -1);
>                 break;
>         case 0x1004:
>                 /* do nothing (allow getppid) */
> +               EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
>                 break;
>         default:
>                 EXPECT_EQ(0, msg) {
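Review bot: The three new `EXPECT_EQ(..., get_syscall(_metadata, tracee))` checks are non-fatal, so in the `0x1002` and `0x1003` cases `change_syscall()` still rewrites the tracee's registers after a mismatch has been reported. If that is intended so the tracee can run to completion, a short comment should say so, e.g. `/* A mismatch is reported but the syscall is still rewritten. */`; otherwise the rewrite should depend on the comparison. `get_syscall()` is not defined in any hunk of this patch, and the visible additions already add up to the diffstat, so it presumably comes from the -next base; a build against that base would confirm it. tracer_syscall() starts before this hunk and continues past it.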
> @@ -1409,6 +1418,8 @@ TEST_F(TRACE_syscall, syscall_dropped)
>  #  define __NR_seccomp 277
>  # elif defined(__powerpc__)
>  #  define __NR_seccomp 358
> +# elif defined(__s390__)
> +#  define __NR_seccomp 348
>  # else
>  #  warning "seccomp syscall number unknown for this architecture"
>  #  define __NR_seccomp 0xffff
> @@ -1453,6 +1464,9 @@ TEST(seccomp_syscall)
>
>         /* Reject insane operation. */
>         ret = seccomp(-1, 0, &prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         EXPECT_EQ(EINVAL, errno) {
>                 TH_LOG("Did not reject crazy op value!");
>         }
> @@ -1501,6 +1515,9 @@ TEST(seccomp_syscall_mode_lock)
>         }
>
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         EXPECT_EQ(0, ret) {
>                 TH_LOG("Could not install filter!");
>         }
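Review bot: `ASSERT_NE(ENOSYS, errno)` reads errno without looking at `ret`, and errno is only meaningful when seccomp() has just failed. On the success path this hunk expects (`EXPECT_EQ(0, ret)`), errno holds whatever an earlier call left behind, so a stale ENOSYS would stop the test with a misleading "Kernel does not support seccomp syscall!" message. The same pattern is added in TSYNC_first, siblings_fail_prctl, two_siblings_with_ancestor, two_siblings_with_no_filter, two_siblings_with_one_divergence and two_siblings_not_under_filter; in seccomp_syscall the call is expected to fail, so errno is valid there. Setting `errno = 0;` immediately before each `seccomp(...)` call would make the check reliable. The test bodies start and end outside these hunks.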
> @@ -1535,6 +1552,9 @@ TEST(TSYNC_first)
>
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
>                       &prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         EXPECT_EQ(0, ret) {
>                 TH_LOG("Could not install initial filter with TSYNC!");
>         }
> @@ -1694,6 +1714,9 @@ TEST_F(TSYNC, siblings_fail_prctl)
>
>         /* Check prctl failure detection by requesting sib 0 diverge. */
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         ASSERT_EQ(0, ret) {
>                 TH_LOG("setting filter failed");
>         }
> @@ -1731,6 +1754,9 @@ TEST_F(TSYNC, two_siblings_with_ancestor)
>         }
>
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         ASSERT_EQ(0, ret) {
>                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
>         }
> @@ -1805,6 +1831,9 @@ TEST_F(TSYNC, two_siblings_with_no_filter)
>
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
>                       &self->apply_prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         ASSERT_EQ(0, ret) {
>                 TH_LOG("Could install filter on all threads!");
>         }
> @@ -1833,6 +1862,9 @@ TEST_F(TSYNC, two_siblings_with_one_divergence)
>         }
>
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         ASSERT_EQ(0, ret) {
>                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
>         }
> @@ -1890,6 +1922,9 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
>         }
>
>         ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> +       ASSERT_NE(ENOSYS, errno) {
> +               TH_LOG("Kernel does not support seccomp syscall!");
> +       }
>         ASSERT_EQ(0, ret) {
>                 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
>         }
> diff --git a/tools/testing/selftests/seccomp/test_harness.h 
> b/tools/testing/selftests/seccomp/test_harness.h
> index 977a6afc4489..fb2841601f2f 100644
> --- a/tools/testing/selftests/seccomp/test_harness.h
> +++ b/tools/testing/selftests/seccomp/test_harness.h
> @@ -370,11 +370,8 @@
>         __typeof__(_expected) __exp = (_expected); \
>         __typeof__(_seen) __seen = (_seen); \
>         if (!(__exp _t __seen)) { \
> -               unsigned long long __exp_print = 0; \
> -               unsigned long long __seen_print = 0; \
> -               /* Avoid casting complaints the scariest way we can. */ \
> -               memcpy(&__exp_print, &__exp, sizeof(__exp)); \
> -               memcpy(&__seen_print, &__seen, sizeof(__seen)); \
> +               unsigned long long __exp_print = (unsigned long long)__exp; \
> +               unsigned long long __seen_print = (unsigned long long)__seen; 
> \
>                 __TH_LOG("Expected %s (%llu) %s %s (%llu)", \
>                          #_expected, __exp_print, #_t, \
>                          #_seen, __seen_print); \
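Review bot: The old comment is removed and nothing explains why the values are now cast, so the new `__exp_print`/`__seen_print` lines should carry a short rationale. Presumably the reason is byte order, in which case something like `/* Cast rather than memcpy(): copying a narrower value into unsigned long long is byte-order dependent. */` (with the macro's trailing `\`) would do. With the cast, a negative signed operand is converted and printed through `%llu` as a very large number, so an expected value of -1 shows as 18446744073709551615. A pointer operand on a 32-bit build may also draw a cast-size warning. Both are worth mentioning in the macro's comment. The macro body starts before this hunk and continues after it.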
> --
> 1.9.1
>
>
> --
> Kees Cook
> Chrome OS Security



-- 
Kees Cook
Chrome OS Security