add test for clean panic with FC seccomp filters

Signed-off-by: George Pisaltu <gpl@amazon.com>

tests/conftest.py

@@ -351,11 +351,18 @@ def bin_seccomp_paths(test_fc_session_root_path):
             'demo_malicious'
         )
     )
+    demo_panic = os.path.normpath(
+        os.path.join(
+            release_binaries_path,
+            'demo_panic'
+        )
+    )
 
     yield {
         'demo_jailer': demo_jailer,
         'demo_harmless': demo_harmless,
-        'demo_malicious': demo_malicious
+        'demo_malicious': demo_malicious,
+        'demo_panic': demo_panic
     }
 
 

tests/integration_tests/security/demo_seccomp/Cargo.toml

@@ -10,3 +10,9 @@ libc = ">=0.2.39"
 seccompiler = { path = "../../../../src/seccompiler" }
 
 [workspace]
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"

tests/integration_tests/security/demo_seccomp/src/bin/demo_panic.rs

@@ -0,0 +1,17 @@
+// Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+use std::env::args;
+use std::fs::File;
+
+use seccompiler::{apply_filter, deserialize_binary};
+
+fn main() {
+    let args: Vec<String> = args().collect();
+    let bpf_path = &args[1];
+    let filter_thread = &args[2];
+
+    let filter_file = File::open(bpf_path).unwrap();
+    let map = deserialize_binary(&filter_file, None).unwrap();
+    apply_filter(map.get(filter_thread).unwrap()).unwrap();
+    panic!("Expected panic.");
+}

tests/integration_tests/security/test_seccomp.py

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 """Tests that the seccomp filters don't let denied syscalls through."""
 
+import json as json_lib
 import os
 import tempfile
 import platform
@@ -283,3 +284,47 @@ def test_seccomp_level(test_microvm_with_api, level):
             assert "You are using a deprecated parameter: --seccomp-level " \
                 f"{level}, that will be removed in a future version." \
                 in log_data
+
+
+def test_seccomp_rust_panic(bin_seccomp_paths):
+    """
+    Test seccompiler-bin with `demo_panic`.
+
+    Test that the Firecracker filters allow a Rust panic to run its
+    course without triggering a seccomp violation.
+    """
+    # pylint: disable=redefined-outer-name
+    # pylint: disable=subprocess-run-check
+    # The fixture pattern causes a pylint false positive for that rule.
+
+    demo_panic = bin_seccomp_paths['demo_panic']
+    assert os.path.exists(demo_panic)
+
+    fc_filters_path = "../resources/seccomp/{}-unknown-linux-musl.json".format(
+        platform.machine()
+    )
+    with open(fc_filters_path, "r") as fc_filters:
+        filter_threads = list(json_lib.loads(fc_filters.read()))
+
+    bpf_temp = tempfile.NamedTemporaryFile(delete=False)
+    run_seccompiler_bin(bpf_path=bpf_temp.name,
+                        json_path=fc_filters_path)
+    bpf_path = bpf_temp.name
+
+    # Run the panic binary with all filters.
+    for thread in filter_threads:
+        code, _, _ = utils.run_cmd(
+            [demo_panic, bpf_path, thread],
+            no_shell=True,
+            ignore_return_code=True
+        )
+        # The demo panic binary should have terminated with SIGABRT
+        # and not with a seccomp violation.
+        # On a seccomp violation, the program exits with code -31 for
+        # SIGSYS. Here, we make sure the program exits with -6, which
+        # is for SIGABRT.
+        assert code == -6, \
+            "Panic binary failed with exit code {} on {} "\
+            "filters.".format(code, thread)
+
+    os.unlink(bpf_path)