selftests/seccomp: Prepare for exclusive seccomp flags [Linux 5.1]

selftests/seccomp: Prepare for exclusive seccomp flags [Linux 5.1]

This Linux kernel change "selftests/seccomp: Prepare for exclusive seccomp flags" is included in the Linux 5.1 release. This change is authored by Kees Cook <keescook [at] chromium.org> on Wed Apr 24 09:32:55 2019 -0700. The commit for this change in Linux stable tree is 4ee0776 (patch).

selftests/seccomp: Prepare for exclusive seccomp flags

Some seccomp flags will become exclusive, so the selftest needs to
be adjusted to mask those out and test them individually for the "all
flags" tests.

Cc: [email protected] # v5.0+
Signed-off-by: Kees Cook <[email protected]>
Reviewed-by: Tycho Andersen <[email protected]>
Acked-by: James Morris <[email protected]>

There are 34 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 tools/testing/selftests/seccomp/seccomp_bpf.c | 34 ++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index f69d2ee..5019cda 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -2166,11 +2166,14 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
                 SECCOMP_FILTER_FLAG_LOG,
                 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
                 SECCOMP_FILTER_FLAG_NEW_LISTENER };
-   unsigned int flag, all_flags;
+   unsigned int exclusive[] = {
+               SECCOMP_FILTER_FLAG_TSYNC,
+               SECCOMP_FILTER_FLAG_NEW_LISTENER };
+   unsigned int flag, all_flags, exclusive_mask;
    int i;
    long ret;

-   /* Test detection of known-good filter flags */
+   /* Test detection of individual known-good filter flags */
    for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
        int bits = 0;

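Review bot: The new `exclusive[]` array has no comment explaining why these two flags are singled out, so a reader has to go to the commit message to learn that they cannot be combined with each other. A one-line comment above the declaration would carry that, for example `/* Flags that may not be combined with each other; tested one at a time below. */`. The new loops also compare the signed `int i` against `ARRAY_SIZE()`, which matches the existing loop in this function but will trip `-Wsign-compare`. The enclosing function starts and ends outside this hunk.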
@@ -2197,16 +2200,29 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
        all_flags |= flag;
    }

-   /* Test detection of all known-good filter flags */
-   ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
-   EXPECT_EQ(-1, ret);
-   EXPECT_EQ(EFAULT, errno) {
-       TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
-              all_flags);
+   /*
+    * Test detection of all known-good filter flags combined. But
+    * for the exclusive flags we need to mask them out and try them
+    * individually for the "all flags" testing.
+    */
+   exclusive_mask = 0;
+   for (i = 0; i < ARRAY_SIZE(exclusive); i++)
+       exclusive_mask |= exclusive[i];
+   for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
+       flag = all_flags & ~exclusive_mask;
+       flag |= exclusive[i];
+
+       ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+       EXPECT_EQ(-1, ret);
+       EXPECT_EQ(EFAULT, errno) {
+           TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
+                  flag);
+       }
    }

-   /* Test detection of an unknown filter flag */
+   /* Test detection of an unknown filter flags, without exclusives. */
    flag = -1;
+   flag &= ~exclusive_mask;
    ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
    EXPECT_EQ(-1, ret);
    EXPECT_EQ(EINVAL, errno) {
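Review bot: The `TH_LOG` message inside the new loop still says "all known-good filter flags", but `flag` now holds the non-exclusive flags plus a single exclusive one, so a failure report no longer describes what was tested. Naming the exclusive flag makes a failure attributable: `TH_LOG("Failed to detect that known-good filter flags (0x%X, exclusive 0x%X) are supported!", flag, exclusive[i]);`. The comment on the last test reads "an unknown filter flags"; `/* Test detection of unknown filter flags, without exclusives. */` is cleaner. Nothing in this hunk asserts what the kernel returns when both exclusive flags are passed together; that check presumably belongs with the kernel-side change this commit prepares for, but it is worth tracking so the rejection path gets coverage. The enclosing function begins and ends outside the hunk.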
