tests: add tests for the binary tree

Large filters (>= 16 syscalls) now utilize a binary tree to
speed up filter processing time.  This commit adds tests to
ensure the validity of the binary tree and the resultant
pfc and bpf output.

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>

tests/.gitignore

@@ -56,3 +56,6 @@ util.pyc
 48-sim-32b_args
 49-sim-64b_comparisons
 50-sim-hash_collision
+51-basic-pfc_binary_tree
+52-sim-binary_tree
+53-live-binary_tree

tests/51-basic-pfc_binary_tree.c

@@ -0,0 +1,91 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define MAX_SYSCALL		(330)
+
+#include <stdio.h>
+
+int main(int argc, char *argv[])
+{
+	int rc, fd, i;
+	scmp_filter_ctx ctx = NULL;
+
+	/* stdout */
+	fd = 1;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL) {
+		rc = ENOMEM;
+		goto out;
+	}
+
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+	if (rc < 0)
+		goto out;
+
+	/* NOTE: this test is entirely fabricated and should not be
+	 * 	 replicated in the real world.
+	 *
+	 *	 The MAX_SYSCALL number (330) was chosen to force seccomp to
+	 *	 build an unbalanced binary tree - and it happens to be less
+	 *	 than the current syscall max.  The syscall numbers are
+	 *	 hardcoded to simplify the test.  A few syscalls have
+	 *	 argument chains to further complicate the filter.
+	 */
+
+	for (i = 0; i < MAX_SYSCALL; i++) {
+		/* arbitrarily make the filter more complex by filtering
+		 * on arguments for a few syscalls
+		 */
+		if (i == 10 || i == 53 || i == 61 || i == 255)
+			rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(i), i, 1,
+					      SCMP_A0(SCMP_CMP_EQ, i));
+		else
+			rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(i), i, 0);
+		if (rc < 0)
+			goto out;
+	}
+
+	rc = seccomp_export_pfc(ctx, fd);
+	if (rc < 0)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	close(fd);
+	return (rc < 0 ? -rc : rc);
+}

tests/51-basic-pfc_binary_tree.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+####
+# functions
+
+#
+# Dependency check
+#
+# Arguments:
+#     1    Dependency to check for
+#
+function check_deps() {
+	[[ -z "$1" ]] && return
+	which "$1" >& /dev/null
+	return $?
+}
+
+#
+# Dependency verification
+#
+# Arguments:
+#     1    Dependency to check for
+#
+function verify_deps() {
+	[[ -z "$1" ]] && return
+	if ! check_deps "$1"; then
+		echo "error: install \"$1\" and include it in your \$PATH"
+		exit 1
+	fi
+}
+
+####
+# functions
+
+verify_deps diff
+
+# compare output to the known good output, fail if different
+./51-basic-pfc_binary_tree | \
+	diff -q ${srcdir:=.}/51-basic-pfc_binary_tree.pfc - > /dev/null

tests/51-basic-pfc_binary_tree.tests

@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+test type: basic
+
+# Test command
+51-basic-pfc_binary_tree.sh

tests/52-sim-binary_tree.c

@@ -0,0 +1,92 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define MAX_SYSCALL		(330)
+
+#include <stdio.h>
+
+int main(int argc, char *argv[])
+{
+	int rc, i;
+	struct util_options opts;
+	scmp_filter_ctx ctx = NULL;
+
+	rc = util_getopt(argc, argv, &opts);
+	if (rc < 0)
+		goto out;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL) {
+		rc = ENOMEM;
+		goto out;
+	}
+
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
+	if (rc < 0)
+		goto out;
+
+	/* NOTE: this test is entirely fabricated and should not be
+	 * 	 replicated in the real world.
+	 *
+	 *	 The MAX_SYSCALL number (330) was chosen to force seccomp to
+	 *	 build an unbalanced binary tree - and it happens to be less
+	 *	 than the current syscall max.  The syscall numbers are
+	 *	 hardcoded to simplify the test.  A few syscalls have
+	 *	 argument chains to further complicate the filter.
+	 */
+
+	for (i = 0; i < MAX_SYSCALL; i++) {
+		/* arbitrarily make the filter more complex by filtering
+		 * on arguments for a few syscalls
+		 */
+		if (i == 10 || i == 53 || i == 61 || i == 255)
+			rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(i), i, 1,
+					      SCMP_A0(SCMP_CMP_EQ, i));
+		else
+			rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(i), i, 0);
+		if (rc < 0)
+			goto out;
+	}
+
+	rc = util_filter_output(&opts, ctx);
+	if (rc)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}

tests/52-sim-binary_tree.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2018 Oracle and/or its affiliates.  All rights reserved.
+# Author: Tom Hromatka <tom.hromatka@oracle.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test(args):
+    f = SyscallFilter(ALLOW)
+
+    f.remove_arch(Arch())
+    f.add_arch(Arch("x86_64"))
+    f.add_arch(Arch("x86"))
+
+    for i in range(330):
+        if (i == 10 or i == 53 or i == 61 or i == 255):
+            f.add_rule(ERRNO(i), i, Arg(0, EQ, i))
+        else:
+            f.add_rule(ERRNO(i), i)
+
+    return f
+
+args = util.get_opt()
+ctx = test(args)
+util.filter_output(args, ctx)
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;