
tests: check seccomp-assisted syscall filtering

Test filter_seccomp-perf checks whether seccomp-filter is actually
enabled by comparing the number of syscalls performed in a time interval
when seccomp-filter is enabled vs. disabled.  The number of syscalls
should be at least one order of magnitude higher when seccomp-filter
is enabled.

Test filter_seccomp-flag ensures the audit_arch_vec[].flag constants do
not conflict with syscall numbers.  If this test fails, then the number
of syscalls grew high enough that the code for seccomp-filter needs to
be updated.

* tests/init.sh (test_prog_set): New function.
* tests/status-none-f.c: New file.
* tests/filter_seccomp.in: Likewise.
* tests/filter_seccomp.sh: Likewise.
* tests/filter_seccomp-perf.c: Likewise.
* tests/filter_seccomp-flag.c: Likewise.
* tests/filter_seccomp-perf.test: New test.
* tests/Makefile.am (EXTRA_DIST): Add filter_seccomp.in and
filter_seccomp.sh.
(MISC_TESTS): Add filter_seccomp-perf.test.
(check_PROGRAMS): Add filter_seccomp-perf and filter_seccomp-flag.
* tests/pure_executables.list: Add status-none-f.
* tests/.gitignore: Add status-none-f, filter_seccomp-perf, and
filter_seccomp-flag.
* tests/gen_tests.in (filter_seccomp, filter_seccomp-flag): New entries.

Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com>
Co-Authored-by: Dmitry V. Levin <ldv@altlinux.org>
Chen Jingpiao 1 year ago
parent
commit
3ecaff4fd1

+ 3
- 0
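--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -93,6 +93,7 @@ fdatasync
 fflush
 file_handle
 file_ioctl
+filter_seccomp-perf
 filter-unavailable
 finit_module
 flock
@@ -523,6 +524,7 @@ sched_yield
 scm_rights
 scno.h
 seccomp-filter
+filter_seccomp-flag
 seccomp-filter-v
 seccomp-strict
 seccomp_get_action_avail
@@ -602,6 +604,7 @@ statfs64
 status-all
 status-failed
 status-none
+status-none-f
 status-none-threads
 status-successful
 status-unfinished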

+ 5
- 0
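--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -96,6 +96,8 @@ check_PROGRAMS = $(PURE_EXECUTABLES) \
 	delay \
 	execve-v \
 	execveat-v \
+	filter_seccomp-flag \
+	filter_seccomp-perf \
 	filter-unavailable \
 	fork-f \
 	fsync-y \
@@ -324,6 +326,7 @@ MISC_TESTS = \
 	detach-sleeping.test \
 	detach-stopped.test \
 	fflush.test \
+	filter_seccomp-perf.test \
 	filter-unavailable.test \
 	filtering_fd-syntax.test \
 	filtering_syscall-syntax.test \
@@ -406,6 +409,8 @@ EXTRA_DIST = \
 	eventfd.expected \
 	fadvise.h \
 	fcntl-common.c \
+	filter_seccomp.in \
+	filter_seccomp.sh \
 	filter-unavailable.expected \
 	fstatat.c \
 	fstatx.c \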

+ 83
- 0
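--- /dev/null
+++ b/tests/filter_seccomp-flag.c
@@ -0,0 +1,83 @@
+/*
+ * Check that syscall numbers do not conflict with seccomp filter flags.
+ *
+ * Copyright (c) 2019 Paul Chaignon <paul.chaignon@gmail.com>
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include "arch_defs.h"
+#include "sysent.h"
+#include "scno.h"
+#include <linux/audit.h>
+
+#ifdef __x86_64__
+# ifndef __X32_SYSCALL_BIT
+#  define __X32_SYSCALL_BIT     0x40000000
+# endif
+#endif
+
+/* Define these shorthand notations to simplify the syscallent files. */
+#include "sysent_shorthand_defs.h"
+
+const struct_sysent sysent0[] = {
+#include "syscallent.h"
+};
+
+#if SUPPORTED_PERSONALITIES > 1
+static const struct_sysent sysent1[] = {
+# include "syscallent1.h"
+};
+#endif
+
+#if SUPPORTED_PERSONALITIES > 2
+static const struct_sysent sysent2[] = {
+# include "syscallent2.h"
+};
+#endif
+
+const unsigned int nsyscall_vec[SUPPORTED_PERSONALITIES] = {
+	ARRAY_SIZE(sysent0),
+#if SUPPORTED_PERSONALITIES > 1
+	ARRAY_SIZE(sysent1),
+#endif
+#if SUPPORTED_PERSONALITIES > 2
+	ARRAY_SIZE(sysent2),
+#endif
+};
+
+struct audit_arch_t {
+	unsigned int arch;
+	unsigned int flag;
+};
+
+static const struct audit_arch_t audit_arch_vec[SUPPORTED_PERSONALITIES] = {
+#if SUPPORTED_PERSONALITIES > 1
+	PERSONALITY0_AUDIT_ARCH,
+	PERSONALITY1_AUDIT_ARCH,
+# if SUPPORTED_PERSONALITIES > 2
+	PERSONALITY2_AUDIT_ARCH,
+# endif
+#endif
+};
+
+int
+main(void)
+{
+	for (unsigned int p = 0; p < SUPPORTED_PERSONALITIES; ++p) {
+		if (!audit_arch_vec[p].flag)
+			continue;
+		for (unsigned int nr = 1; nr < nsyscall_vec[p]; ++nr) {
+			if (!(audit_arch_vec[p].flag & nr))
+				continue;
+			error_msg_and_fail("system call number %u of"
+					   " personality %u conflicts with"
+					   " seccomp filter flag %#x",
+					   nr, p, audit_arch_vec[p].flag);
+		}
+	}
+	return 0;
+}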
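Review bot: When SUPPORTED_PERSONALITIES is 1 the initializer of audit_arch_vec collapses to empty braces `{ }`, which is a GNU extension in C11 (standard only from C23); `{ 0 }` is portable and still leaves the single entry's flag at 0 so the check is skipped as intended. A style point: sysent0 and nsyscall_vec have external linkage while sysent1/sysent2 are static — if nothing else links against them, `static` would be consistent, otherwise a comment stating which header expects them would help. The inner loop starting at nr = 1 deserves a one-liner, e.g. `/* nr 0 has no bits set, so it can never conflict with a flag. */`. The __X32_SYSCALL_BIT fallback is not referenced directly in this file and presumably reaches the code through the PERSONALITY2_AUDIT_ARCH macro expansion; saying so next to the define would save the next reader a search.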

+ 39
- 0
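--- /dev/null
+++ b/tests/filter_seccomp-perf.c
@@ -0,0 +1,39 @@
+/*
+ * Check seccomp filter performance.
+ *
+ * Copyright (c) 2019 Paul Chaignon <paul.chaignon@gmail.com>
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static volatile bool stop = false;
+
+static void
+handler(int signo)
+{
+	stop = true;
+}
+
+int
+main(void)
+{
+	unsigned int i;
+	int rc = 0;
+
+	signal(SIGALRM, handler);
+	alarm(1);
+
+	for (i = 0; !stop; i++) {
+		rc |= chdir(".");
+	}
+	printf("%d\n", i);
+	return rc;
+}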
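Review bot: `printf("%d\n", i)` prints the `unsigned int` counter with a signed conversion, which is undefined behaviour per C11 7.21.6.1 and trips -Wformat; use `printf("%u\n", i);`. The flag written from the handler is `volatile bool`, but C11 only guarantees that `volatile sig_atomic_t` (or lock-free atomics) may be modified in a signal handler, so `static volatile sig_atomic_t stop;` is the portable form. The return value of `signal()` is unchecked; `if (signal(SIGALRM, handler) == SIG_ERR) perror_msg_and_fail("signal");` would follow the tests' pattern if tests.h provides that helper alongside error_msg_and_fail. The unused `signo` parameter will warn under -Wextra; the file's other tests presumably mark such parameters with an unused attribute from tests.h.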

+ 27
- 0
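--- /dev/null
+++ b/tests/filter_seccomp-perf.test
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Check seccomp filter performance.
+#
+# Copyright (c) 2019 Paul Chaignon <paul.chaignon@gmail.com>
+# Copyright (c) 2019 The strace developers.
+# All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+. "${srcdir=.}/init.sh"
+. "${srcdir=.}/filter_seccomp.sh"
+
+args="-f -qq -e signal=none -e trace=fchdir ../$NAME"
+num_regular="$(run_strace               $args)"
+mv "$LOG" "$LOG.regular"
+num_seccomp="$(run_strace --seccomp-bpf $args)"
+mv "$LOG" "$LOG.seccomp"
+match_diff "$LOG.regular" "$LOG.seccomp"
+
+min_ratio=8
+# With seccomp filter enabled, we should be able to complete
+# at least $min_ratio times more chdir system calls.
+ratio="$((num_seccomp / num_regular))"
+if [ "$ratio" -lt "$min_ratio" ]; then
+	fail_ "Only $ratio times more syscalls performed with seccomp filter enabled, expected at least $min_ratio times speedup"
+fi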
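Review bot: `ratio="$((num_seccomp / num_regular))"` divides by zero, or aborts the shell on an empty string, when the regular run produced no count — for instance if ../$NAME failed to start or printed nothing; guard it before the division with `[ "${num_regular:-0}" -gt 0 ] || fail_ "no chdir count from the regular run"`. The one-second sample is also noisy on loaded CI hosts, and min_ratio=8 is below the "one order of magnitude" the commit message promises, so a comment explaining why 8 was chosen would help whoever first sees a flaky failure. `$args` is deliberately left unquoted for word splitting; a short comment saying so avoids a well-meant quoting "fix" later.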

+ 4
- 0
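--- /dev/null
+++ b/tests/filter_seccomp.in
@@ -0,0 +1,4 @@
+fork-f	-a26 -qq -e signal=none -e trace=chdir
+vfork-f	-a26 -qq -e signal=none -e trace=chdir
+fork-f	-a26 -qq -e signal=none -e trace=chdir,%memory,%ipc,%pure,%signal,%network -e status=failed
+status-none-f	-e trace=!ptrace -e status=none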

+ 14
- 0
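--- /dev/null
+++ b/tests/filter_seccomp.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# Skip the test if seccomp filter is not available.
+#
+# Copyright (c) 2019 The strace developers.
+# All rights reserved.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+$STRACE --seccomp-bpf -f -e trace=fchdir / > /dev/null 2> "$LOG" ||:
+if grep -x "[^:]*strace: seccomp filter is requested but unavailable" \
+   "$LOG" > /dev/null; then
+	skip_ 'seccomp filter is unavailable'
+fi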
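Review bot: The probe `$STRACE --seccomp-bpf -f -e trace=fchdir / > /dev/null 2> "$LOG" ||:` is not self-explaining: `/` is presumably chosen because it cannot be executed, so strace reports seccomp availability and exits without tracing anything; a comment such as `# "/" cannot be executed, so only strace's own startup diagnostics end up in $LOG.` would state the intent (worth confirming the unavailability message is emitted before the exec attempt). `$STRACE` is unquoted; if it may legitimately contain a wrapper command with arguments that is deliberate, otherwise `"$STRACE"` is safer. Note that only the exact unavailability message is matched, so any other failure of the probe is swallowed by `||:` and the calling test proceeds as if seccomp were available.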

+ 2
- 0
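--- a/tests/gen_tests.in
+++ b/tests/gen_tests.in
@@ -72,6 +72,8 @@ fcntl64	-a8
 fdatasync	-a14
 file_handle	-e trace=name_to_handle_at,open_by_handle_at
 file_ioctl	+ioctl.test
+filter_seccomp	. "${srcdir=.}/filter_seccomp.sh"; test_prog_set --seccomp-bpf -f
+filter_seccomp-flag	../$NAME
 finit_module	-a25
 flock	-a19
 fork-f	-a26 -qq -f -e signal=none -e trace=chdir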

+ 5
- 0
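--- a/tests/init.sh
+++ b/tests/init.sh
@@ -324,6 +324,11 @@ test_trace_expr()
 		< negative.list
 }
 
+test_prog_set()
+{
+	test_pure_prog_set "$@" < "$srcdir/$NAME.in"
+}
+
 check_prog cat
 check_prog rm
 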
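Review bot: test_prog_set is added without a header comment, unlike the surrounding helpers in init.sh; a line such as `# Run test_pure_prog_set on every program listed in $srcdir/$NAME.in, forwarding the given strace options.` documents the contract. test_pure_prog_set is defined outside this hunk, so its expected input format cannot be confirmed from here and the comment should be checked against it.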

+ 1
- 0
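--- a/tests/pure_executables.list
+++ b/tests/pure_executables.list
@@ -511,6 +511,7 @@ statfs64
 status-all
 status-failed
 status-none
+status-none-f
 status-successful
 status-unfinished
 statx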

+ 19
- 0
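--- /dev/null
+++ b/tests/status-none-f.c
@@ -0,0 +1,19 @@
+/*
+ * Check basic seccomp filtering with large number of traced syscalls.
+ *
+ * Copyright (c) 2019 The strace developers.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "tests.h"
+#include <stdio.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+	printf("%-5d +++ exited with 0 +++\n", getpid());
+	return 0;
+}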
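Review bot: The file header promises a check "with large number of traced syscalls", but the program only calls getpid() and printf(); the large set presumably comes from the `-e trace=!ptrace` option in filter_seccomp.in rather than from this code, which a reader of the .c file alone cannot see. A comment in main such as `/* Intentionally minimal: the driver traces nearly every syscall via -e trace=!ptrace. */` keeps the header from misleading. getpid() returns pid_t and is printed with %d, which matches the convention of the other tests and is fine on Linux where pid_t is int.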
