From 26dc55ef1a56ea0279492a58c52636b549796510 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 30 Aug 2022 16:45:58 -0700 Subject: [PATCH] seccomp: fix flag test to actually check the value Add a debug print of seccomp flags value, so the test can check those (without using something like strace, that is). Amend the flags setting test with the numeric values expected, and the logic to check those. Signed-off-by: Kir Kolyshkin --- libcontainer/seccomp/patchbpf/enosys_linux.go | 3 + tests/integration/seccomp.bats | 60 ++++++++++++------- 2 files changed, 41 insertions(+), 22 deletions(-) diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go index ab97726d457..b92eba8922e 100644 --- a/libcontainer/seccomp/patchbpf/enosys_linux.go +++ b/libcontainer/seccomp/patchbpf/enosys_linux.go @@ -665,6 +665,9 @@ func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (flags } func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err error) { + // This debug output is validated in tests/integration/seccomp.bats + // by the SECCOMP_FILTER_FLAG_* test. + logrus.Debugf("seccomp filter flags: %d", flags) fprog := unix.SockFprog{ Len: uint16(len(filter)), Filter: &filter[0], diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats index 55e6dc817ab..f3e12bbce93 100644 --- a/tests/integration/seccomp.bats +++ b/tests/integration/seccomp.bats @@ -70,31 +70,47 @@ function teardown() { # Linux 4.14: SECCOMP_FILTER_FLAG_LOG # Linux 4.17: SECCOMP_FILTER_FLAG_SPEC_ALLOW requires_kernel 4.17 - SECCOMP_FILTER_FLAGS=( - '' # no flag - '"SECCOMP_FILTER_FLAG_LOG"' - '"SECCOMP_FILTER_FLAG_SPEC_ALLOW"' - '"SECCOMP_FILTER_FLAG_TSYNC"' - '"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW"' - '"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_TSYNC"' - '"SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"' - '"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"' + + update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] + | .process.noNewPrivileges = false + | .linux.seccomp = { + "defaultAction":"SCMP_ACT_ALLOW", + "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"], + "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}] + }' + + declare -A FLAGS=( + ['REMOVE']=0 # No setting, use built-in default. + ['EMPTY']=0 # Empty set of flags. + ['"SECCOMP_FILTER_FLAG_LOG"']=2 + ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4 + ['"SECCOMP_FILTER_FLAG_TSYNC"']=0 # tsync flag is ignored. + ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=6 + ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_TSYNC"']=2 + ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"']=4 + ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"']=6 ) - for flags in "${SECCOMP_FILTER_FLAGS[@]}"; do - update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] - | .process.noNewPrivileges = false - | .linux.seccomp = { - "defaultAction":"SCMP_ACT_ALLOW", - "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"], - "flags":['"${flags}"'], - "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}] - }' - - # This test checks that the flags are accepted without errors but does - # not check they are effectively applied - runc run test_busybox + for key in "${!FLAGS[@]}"; do + case "$key" in + 'REMOVE') + update_config ' del(.linux.seccomp.flags)' + ;; + 'EMPTY') + update_config ' .linux.seccomp.flags = []' + ;; + *) + update_config ' .linux.seccomp.flags = [ '"${key}"' ]' + ;; + esac + + runc --debug run test_busybox [ "$status" -ne 0 ] [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]] + + # Check the numeric flags value, as printed in the debug log, is as expected. + exp="\"seccomp filter flags: ${FLAGS[$key]}\"" + echo "flags $key, expecting $exp" + [[ "$output" == *"$exp"* ]] done }