From 0a202efab926fd125e5d0bf1f429faed548ccab5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mauricio=20V=C3=A1squez?=
Date: Thu, 19 Nov 2020 14:47:36 -0500
Subject: [PATCH] tests: add functional tests for seccomp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test KILL and ERRNO actions.
Signed-off-by: Mauricio Vásquez
---
 tests/integration/seccomp.bats | 68 ++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
index 267c6837ab9..a83d9b6b461 100644
--- a/tests/integration/seccomp.bats
+++ b/tests/integration/seccomp.bats
@@ -22,3 +22,71 @@ function teardown() {
 runc run test_busybox
 [ "$status" -eq 0 ]
 }
+
+# TODO:
+# - Test other actions like SCMP_ACT_TRAP, SCMP_ACT_TRACE, SCMP_ACT_LOG.
+# - Test args (index, value, valueTwo, etc).
+
+@test "runc run [seccomp] (SCMP_ACT_ERRNO default)" {
+ update_config '.process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] |
+ .process.noNewPrivileges = false |
+ .linux.seccomp = {
+ "defaultAction":"SCMP_ACT_ALLOW",
+ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+ "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+ }'
+
+ runc run test_busybox
+ [ "$status" -ne 0 ]
+ [[ "$output" == *"Operation not permitted"* ]]
+}
+
+@test "runc run [seccomp] (SCMP_ACT_ERRNO explicit errno)" {
+ update_config '.process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] |
+ .process.noNewPrivileges = false |
+ .linux.seccomp = {
+ "defaultAction":"SCMP_ACT_ALLOW",
+ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+ "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
+ }'
+
+ runc run test_busybox
+ [ "$status" -ne 0 ]
+ [[ "$output" == *"Network is down"* ]]
+}
+
+@test "runc run [seccomp] (SCMP_ACT_KILL)" {
+ update_config '.process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"] |
+ .process.noNewPrivileges = false |
+ .linux.seccomp = {
+ "defaultAction":"SCMP_ACT_ALLOW",
+ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+ "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
+ }'
+
+ runc run test_busybox
+ [ "$status" -ne 0 ]
+}
+
+# check that a startContainer hook is run with the seccomp filters applied
+@test "runc run [seccomp] (startContainer hook)" {
+ update_config '.process.args = ["/bin/true"] |
+ .linux.seccomp = {
+ "defaultAction":"SCMP_ACT_ALLOW",
+ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+ "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
+ } |
+ .hooks = {
+ "startContainer": [
+ {
+ "path": "/bin/sh",
+ "args": ["sh", "-c", "mkdir /dev/shm/foo"]
+ }
+ ]
+ }'
+
+ runc run test_busybox
+ [ "$status" -ne 0 ]
+ [[ "$output" == *"error running hook"* ]]
+ [[ "$output" == *"bad system call"* ]]
+}
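Review bot: The SCMP_ACT_KILL test asserts only `[ "$status" -ne 0 ]`, which also passes when the container fails for an unrelated reason (a rejected config, a missing binary, a hook error), so it does not actually demonstrate that the filter killed the process; the startContainer hook test in the same hunk already uses the stronger pattern by matching `bad system call`. Pinning the SIGSYS-specific outcome would make the test meaningful — for example `[ "$status" -eq 159 ]` if runc run reports signal death as 128+signo (SIGSYS is 31 on x86; confirm against runc's exit-code handling), or a match on the shell's `Bad system call` message if busybox sh prints one for a child killed by signal. The `.process.noNewPrivileges = false` line in the first three tests carries no explanation while the hook test omits it; a one-line comment such as `# noNewPrivileges=false: presumably exercises installing the filter without no_new_privs, which requires CAP_SYS_ADMIN — confirm` would spare the next reader a trip into the runc source. The hard-coded `SCMP_ARCH_X86`/`SCMP_ARCH_X32` list is also worth a comment stating that the tests assume an x86 host, since on other architectures these entries presumably do nothing for the native ABI and only the default native arch is being exercised.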