1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
5 * Test code for seccomp bpf.
12 * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
13 * we need to use the kernel's siginfo.h file and trick glibc
16 #if !__GLIBC_PREREQ(2, 26)
17 # include <asm/siginfo.h>
18 # define __have_siginfo_t 1
19 # define __have_sigval_t 1
20 # define __have_sigevent_t 1
24 #include <linux/filter.h>
25 #include <sys/prctl.h>
26 #include <sys/ptrace.h>
28 #include <linux/prctl.h>
29 #include <linux/ptrace.h>
30 #include <linux/seccomp.h>
32 #include <semaphore.h>
39 #include <linux/elf.h>
41 #include <sys/utsname.h>
42 #include <sys/fcntl.h>
44 #include <sys/times.h>
45 #include <sys/socket.h>
46 #include <sys/ioctl.h>
47 #include <linux/kcmp.h>
48 #include <sys/resource.h>
51 #include <sys/syscall.h>
54 #include "../kselftest_harness.h"
55 #include "../clone3/clone3_selftests.h"
57 /* Attempt to de-conflict with the selftests tree. */
59 #define SKIP(s, ...) XFAIL(s, ##__VA_ARGS__)
62 #ifndef PR_SET_PTRACER
63 # define PR_SET_PTRACER 0x59616d61
66 #ifndef PR_SET_NO_NEW_PRIVS
67 #define PR_SET_NO_NEW_PRIVS 38
68 #define PR_GET_NO_NEW_PRIVS 39
71 #ifndef PR_SECCOMP_EXT
72 #define PR_SECCOMP_EXT 43
75 #ifndef SECCOMP_EXT_ACT
76 #define SECCOMP_EXT_ACT 1
79 #ifndef SECCOMP_EXT_ACT_TSYNC
80 #define SECCOMP_EXT_ACT_TSYNC 1
83 #ifndef SECCOMP_MODE_STRICT
84 #define SECCOMP_MODE_STRICT 1
87 #ifndef SECCOMP_MODE_FILTER
88 #define SECCOMP_MODE_FILTER 2
91 #ifndef SECCOMP_RET_ALLOW
95 __u64 instruction_pointer;
100 #ifndef SECCOMP_RET_KILL_PROCESS
101 #define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
102 #define SECCOMP_RET_KILL_THREAD 0x00000000U /* kill the thread */
104 #ifndef SECCOMP_RET_KILL
105 #define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
106 #define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
107 #define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
108 #define SECCOMP_RET_TRACE 0x7ff00000U /* pass to a tracer or disallow */
109 #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
111 #ifndef SECCOMP_RET_LOG
112 #define SECCOMP_RET_LOG 0x7ffc0000U /* allow after logging */
116 # if defined(__i386__)
117 # define __NR_seccomp 354
118 # elif defined(__x86_64__)
119 # define __NR_seccomp 317
120 # elif defined(__arm__)
121 # define __NR_seccomp 383
122 # elif defined(__aarch64__)
123 # define __NR_seccomp 277
124 # elif defined(__riscv)
125 # define __NR_seccomp 277
126 # elif defined(__csky__)
127 # define __NR_seccomp 277
128 # elif defined(__hppa__)
129 # define __NR_seccomp 338
130 # elif defined(__powerpc__)
131 # define __NR_seccomp 358
132 # elif defined(__s390__)
133 # define __NR_seccomp 348
134 # elif defined(__xtensa__)
135 # define __NR_seccomp 337
136 # elif defined(__sh__)
137 # define __NR_seccomp 372
139 # warning "seccomp syscall number unknown for this architecture"
140 # define __NR_seccomp 0xffff
144 #ifndef SECCOMP_SET_MODE_STRICT
145 #define SECCOMP_SET_MODE_STRICT 0
148 #ifndef SECCOMP_SET_MODE_FILTER
149 #define SECCOMP_SET_MODE_FILTER 1
152 #ifndef SECCOMP_GET_ACTION_AVAIL
153 #define SECCOMP_GET_ACTION_AVAIL 2
156 #ifndef SECCOMP_GET_NOTIF_SIZES
157 #define SECCOMP_GET_NOTIF_SIZES 3
160 #ifndef SECCOMP_FILTER_FLAG_TSYNC
161 #define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
164 #ifndef SECCOMP_FILTER_FLAG_LOG
165 #define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
168 #ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
169 #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
172 #ifndef PTRACE_SECCOMP_GET_METADATA
173 #define PTRACE_SECCOMP_GET_METADATA 0x420d
175 struct seccomp_metadata {
176 __u64 filter_off; /* Input: which filter */
177 __u64 flags; /* Output: filter's flags */
181 #ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
182 #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
185 #ifndef SECCOMP_RET_USER_NOTIF
186 #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
188 #define SECCOMP_IOC_MAGIC '!'
189 #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
190 #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
191 #define SECCOMP_IOW(nr, type) _IOW(SECCOMP_IOC_MAGIC, nr, type)
192 #define SECCOMP_IOWR(nr, type) _IOWR(SECCOMP_IOC_MAGIC, nr, type)
194 /* Flags for seccomp notification fd ioctl. */
195 #define SECCOMP_IOCTL_NOTIF_RECV SECCOMP_IOWR(0, struct seccomp_notif)
196 #define SECCOMP_IOCTL_NOTIF_SEND SECCOMP_IOWR(1, \
197 struct seccomp_notif_resp)
198 #define SECCOMP_IOCTL_NOTIF_ID_VALID SECCOMP_IOW(2, __u64)
200 struct seccomp_notif {
204 struct seccomp_data data;
207 struct seccomp_notif_resp {
214 struct seccomp_notif_sizes {
216 __u16 seccomp_notif_resp;
221 #ifndef SECCOMP_IOCTL_NOTIF_ADDFD
222 /* On success, the return value is the remote process's added fd number */
223 #define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOW(3, \
224 struct seccomp_notif_addfd)
226 /* valid flags for seccomp_notif_addfd */
227 #define SECCOMP_ADDFD_FLAG_SETFD (1UL << 0) /* Specify remote fd */
229 struct seccomp_notif_addfd {
238 #ifndef SECCOMP_ADDFD_FLAG_SEND
239 #define SECCOMP_ADDFD_FLAG_SEND (1UL << 1) /* Addfd and return it, atomically */
242 struct seccomp_notif_addfd_small {
246 #define SECCOMP_IOCTL_NOTIF_ADDFD_SMALL \
247 SECCOMP_IOW(3, struct seccomp_notif_addfd_small)
249 struct seccomp_notif_addfd_big {
251 struct seccomp_notif_addfd addfd;
252 char buf[sizeof(struct seccomp_notif_addfd) + 8];
255 #define SECCOMP_IOCTL_NOTIF_ADDFD_BIG \
256 SECCOMP_IOWR(3, struct seccomp_notif_addfd_big)
258 #ifndef PTRACE_EVENTMSG_SYSCALL_ENTRY
259 #define PTRACE_EVENTMSG_SYSCALL_ENTRY 1
260 #define PTRACE_EVENTMSG_SYSCALL_EXIT 2
263 #ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
264 #define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
267 #ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
268 #define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
272 int seccomp(unsigned int op, unsigned int flags, void *args)
275 return syscall(__NR_seccomp, op, flags, args);
279 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
280 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
281 #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
282 #define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]) + sizeof(__u32))
284 #error "wut? Unknown __BYTE_ORDER__?!"
287 #define SIBLING_EXIT_UNKILLED 0xbadbeef
288 #define SIBLING_EXIT_FAILURE 0xbadface
289 #define SIBLING_EXIT_NEWPRIVS 0xbadfeed
291 static int __filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
295 return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
302 /* Have TH_LOG report actual location filecmp() is used. */
303 #define filecmp(pid1, pid2, fd1, fd2) ({ \
306 _ret = __filecmp(pid1, pid2, fd1, fd2); \
308 if (_ret < 0 && errno == ENOSYS) { \
309 TH_LOG("kcmp() syscall missing (test is less accurate)");\
319 ret = __filecmp(getpid(), getpid(), 1, 1);
321 if (ret != 0 && errno == ENOSYS)
322 SKIP(return, "Kernel does not support kcmp() (missing CONFIG_KCMP?)");
325 TEST(mode_strict_support)
329 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
331 TH_LOG("Kernel does not support CONFIG_SECCOMP");
333 syscall(__NR_exit, 0);
336 TEST_SIGNAL(mode_strict_cannot_call_prctl, SIGKILL)
340 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, NULL, NULL);
342 TH_LOG("Kernel does not support CONFIG_SECCOMP");
344 syscall(__NR_prctl, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
347 TH_LOG("Unreachable!");
351 /* Note! This doesn't test no new privs behavior */
352 TEST(no_new_privs_support)
356 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
358 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
362 /* Tests kernel support by checking for a copy_from_user() fault on NULL. */
363 TEST(mode_filter_support)
367 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
369 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
371 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, NULL, NULL);
373 EXPECT_EQ(EFAULT, errno) {
374 TH_LOG("Kernel does not support CONFIG_SECCOMP_FILTER!");
378 TEST(mode_filter_without_nnp)
380 struct sock_filter filter[] = {
381 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
383 struct sock_fprog prog = {
384 .len = (unsigned short)ARRAY_SIZE(filter),
389 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, NULL, 0, 0);
391 TH_LOG("Expected 0 or unsupported for NO_NEW_PRIVS");
394 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
395 /* Succeeds with CAP_SYS_ADMIN, fails without */
396 /* TODO(wad) check caps not euid */
399 EXPECT_EQ(EACCES, errno);
405 #define MAX_INSNS_PER_PATH 32768
407 TEST(filter_size_limits)
410 int count = BPF_MAXINSNS + 1;
411 struct sock_filter allow[] = {
412 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
414 struct sock_filter *filter;
415 struct sock_fprog prog = { };
418 filter = calloc(count, sizeof(*filter));
419 ASSERT_NE(NULL, filter);
421 for (i = 0; i < count; i++)
422 filter[i] = allow[0];
424 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
427 prog.filter = filter;
430 /* Too many filter instructions in a single filter. */
431 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
433 TH_LOG("Installing %d insn filter was allowed", prog.len);
436 /* One less is okay, though. */
438 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
440 TH_LOG("Installing %d insn filter wasn't allowed", prog.len);
444 TEST(filter_chain_limits)
447 int count = BPF_MAXINSNS;
448 struct sock_filter allow[] = {
449 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
451 struct sock_filter *filter;
452 struct sock_fprog prog = { };
455 filter = calloc(count, sizeof(*filter));
456 ASSERT_NE(NULL, filter);
458 for (i = 0; i < count; i++)
459 filter[i] = allow[0];
461 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
464 prog.filter = filter;
467 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
472 /* Too many total filter instructions. */
473 for (i = 0; i < MAX_INSNS_PER_PATH; i++) {
474 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
479 TH_LOG("Allowed %d %d-insn filters (total with penalties:%d)",
480 i, count, i * (count + 4));
484 TEST(mode_filter_cannot_move_to_strict)
486 struct sock_filter filter[] = {
487 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
489 struct sock_fprog prog = {
490 .len = (unsigned short)ARRAY_SIZE(filter),
495 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
498 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
501 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
503 EXPECT_EQ(EINVAL, errno);
507 TEST(mode_filter_get_seccomp)
509 struct sock_filter filter[] = {
510 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
512 struct sock_fprog prog = {
513 .len = (unsigned short)ARRAY_SIZE(filter),
518 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
521 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
524 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
527 ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
534 struct sock_filter filter[] = {
535 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
537 struct sock_fprog prog = {
538 .len = (unsigned short)ARRAY_SIZE(filter),
543 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
546 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
552 struct sock_filter filter[] = {
554 struct sock_fprog prog = {
555 .len = (unsigned short)ARRAY_SIZE(filter),
560 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
563 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
565 EXPECT_EQ(EINVAL, errno);
570 struct sock_filter filter[] = {
571 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
573 struct sock_fprog prog = {
574 .len = (unsigned short)ARRAY_SIZE(filter),
578 pid_t parent = getppid();
580 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
583 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
586 /* getppid() should succeed and be logged (no check for logging) */
587 EXPECT_EQ(parent, syscall(__NR_getppid));
590 TEST_SIGNAL(unknown_ret_is_kill_inside, SIGSYS)
592 struct sock_filter filter[] = {
593 BPF_STMT(BPF_RET|BPF_K, 0x10000000U),
595 struct sock_fprog prog = {
596 .len = (unsigned short)ARRAY_SIZE(filter),
601 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
604 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
606 EXPECT_EQ(0, syscall(__NR_getpid)) {
607 TH_LOG("getpid() shouldn't ever return");
611 /* return code >= 0x80000000 is unused. */
612 TEST_SIGNAL(unknown_ret_is_kill_above_allow, SIGSYS)
614 struct sock_filter filter[] = {
615 BPF_STMT(BPF_RET|BPF_K, 0x90000000U),
617 struct sock_fprog prog = {
618 .len = (unsigned short)ARRAY_SIZE(filter),
623 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
626 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
628 EXPECT_EQ(0, syscall(__NR_getpid)) {
629 TH_LOG("getpid() shouldn't ever return");
633 TEST_SIGNAL(KILL_all, SIGSYS)
635 struct sock_filter filter[] = {
636 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
638 struct sock_fprog prog = {
639 .len = (unsigned short)ARRAY_SIZE(filter),
644 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
647 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
651 TEST_SIGNAL(KILL_one, SIGSYS)
653 struct sock_filter filter[] = {
654 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
655 offsetof(struct seccomp_data, nr)),
656 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
657 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
658 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
660 struct sock_fprog prog = {
661 .len = (unsigned short)ARRAY_SIZE(filter),
665 pid_t parent = getppid();
667 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
670 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
673 EXPECT_EQ(parent, syscall(__NR_getppid));
674 /* getpid() should never return. */
675 EXPECT_EQ(0, syscall(__NR_getpid));
678 TEST_SIGNAL(KILL_one_arg_one, SIGSYS)
681 struct sock_filter filter[] = {
682 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
683 offsetof(struct seccomp_data, nr)),
684 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_times, 1, 0),
685 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
686 /* Only both with lower 32-bit for now. */
687 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(0)),
688 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K,
689 (unsigned long)&fatal_address, 0, 1),
690 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
691 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
693 struct sock_fprog prog = {
694 .len = (unsigned short)ARRAY_SIZE(filter),
698 pid_t parent = getppid();
700 clock_t clock = times(&timebuf);
702 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
705 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
708 EXPECT_EQ(parent, syscall(__NR_getppid));
709 EXPECT_LE(clock, syscall(__NR_times, &timebuf));
710 /* times() should never return. */
711 EXPECT_EQ(0, syscall(__NR_times, &fatal_address));
714 TEST_SIGNAL(KILL_one_arg_six, SIGSYS)
717 int sysno = __NR_mmap;
719 int sysno = __NR_mmap2;
721 struct sock_filter filter[] = {
722 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
723 offsetof(struct seccomp_data, nr)),
724 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, sysno, 1, 0),
725 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
726 /* Only both with lower 32-bit for now. */
727 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(5)),
728 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, 0x0C0FFEE, 0, 1),
729 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
730 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
732 struct sock_fprog prog = {
733 .len = (unsigned short)ARRAY_SIZE(filter),
737 pid_t parent = getppid();
740 int page_size = sysconf(_SC_PAGESIZE);
742 ASSERT_LT(0, page_size);
744 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
747 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
750 fd = open("/dev/zero", O_RDONLY);
753 EXPECT_EQ(parent, syscall(__NR_getppid));
754 map1 = (void *)syscall(sysno,
755 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, page_size);
756 EXPECT_NE(MAP_FAILED, map1);
757 /* mmap2() should never return. */
758 map2 = (void *)syscall(sysno,
759 NULL, page_size, PROT_READ, MAP_PRIVATE, fd, 0x0C0FFEE);
760 EXPECT_EQ(MAP_FAILED, map2);
762 /* The test failed, so clean up the resources. */
763 munmap(map1, page_size);
764 munmap(map2, page_size);
768 /* This is a thread task to die via seccomp filter violation. */
769 void *kill_thread(void *data)
771 bool die = (bool)data;
774 prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
775 return (void *)SIBLING_EXIT_FAILURE;
778 return (void *)SIBLING_EXIT_UNKILLED;
787 /* Prepare a thread that will kill itself or both of us. */
788 void kill_thread_or_group(struct __test_metadata *_metadata,
789 enum kill_t kill_how)
793 /* Kill only when calling __NR_prctl. */
794 struct sock_filter filter_thread[] = {
795 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
796 offsetof(struct seccomp_data, nr)),
797 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
798 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD),
799 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
801 struct sock_fprog prog_thread = {
802 .len = (unsigned short)ARRAY_SIZE(filter_thread),
803 .filter = filter_thread,
805 int kill = kill_how == KILL_PROCESS ? SECCOMP_RET_KILL_PROCESS : 0xAAAAAAAAA;
806 struct sock_filter filter_process[] = {
807 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
808 offsetof(struct seccomp_data, nr)),
809 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
810 BPF_STMT(BPF_RET|BPF_K, kill),
811 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
813 struct sock_fprog prog_process = {
814 .len = (unsigned short)ARRAY_SIZE(filter_process),
815 .filter = filter_process,
818 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
819 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
822 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0,
823 kill_how == KILL_THREAD ? &prog_thread
827 * Add the KILL_THREAD rule again to make sure that the KILL_PROCESS
828 * flag cannot be downgraded by a new filter.
830 if (kill_how == KILL_PROCESS)
831 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread));
833 /* Start a thread that will exit immediately. */
834 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)false));
835 ASSERT_EQ(0, pthread_join(thread, &status));
836 ASSERT_EQ(SIBLING_EXIT_UNKILLED, (unsigned long)status);
838 /* Start a thread that will die immediately. */
839 ASSERT_EQ(0, pthread_create(&thread, NULL, kill_thread, (void *)true));
840 ASSERT_EQ(0, pthread_join(thread, &status));
841 ASSERT_NE(SIBLING_EXIT_FAILURE, (unsigned long)status);
844 * If we get here, only the spawned thread died. Let the parent know
845 * the whole process didn't die (i.e. this thread, the spawner,
857 ASSERT_LE(0, child_pid);
858 if (child_pid == 0) {
859 kill_thread_or_group(_metadata, KILL_THREAD);
863 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
865 /* If only the thread was killed, we'll see exit 42. */
866 ASSERT_TRUE(WIFEXITED(status));
867 ASSERT_EQ(42, WEXITSTATUS(status));
876 ASSERT_LE(0, child_pid);
877 if (child_pid == 0) {
878 kill_thread_or_group(_metadata, KILL_PROCESS);
882 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
884 /* If the entire process was killed, we'll see SIGSYS. */
885 ASSERT_TRUE(WIFSIGNALED(status));
886 ASSERT_EQ(SIGSYS, WTERMSIG(status));
895 ASSERT_LE(0, child_pid);
896 if (child_pid == 0) {
897 kill_thread_or_group(_metadata, RET_UNKNOWN);
901 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
903 /* If the entire process was killed, we'll see SIGSYS. */
904 EXPECT_TRUE(WIFSIGNALED(status)) {
905 TH_LOG("Unknown SECCOMP_RET is only killing the thread?");
907 ASSERT_EQ(SIGSYS, WTERMSIG(status));
910 /* TODO(wad) add 64-bit versus 32-bit arg tests. */
911 TEST(arg_out_of_range)
913 struct sock_filter filter[] = {
914 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_arg(6)),
915 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
917 struct sock_fprog prog = {
918 .len = (unsigned short)ARRAY_SIZE(filter),
923 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
926 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
928 EXPECT_EQ(EINVAL, errno);
931 #define ERRNO_FILTER(name, errno) \
932 struct sock_filter _read_filter_##name[] = { \
933 BPF_STMT(BPF_LD|BPF_W|BPF_ABS, \
934 offsetof(struct seccomp_data, nr)), \
935 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1), \
936 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | errno), \
937 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \
939 struct sock_fprog prog_##name = { \
940 .len = (unsigned short)ARRAY_SIZE(_read_filter_##name), \
941 .filter = _read_filter_##name, \
944 /* Make sure basic errno values are correctly passed through a filter. */
947 ERRNO_FILTER(valid, E2BIG);
949 pid_t parent = getppid();
951 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
954 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_valid);
957 EXPECT_EQ(parent, syscall(__NR_getppid));
958 EXPECT_EQ(-1, read(0, NULL, 0));
959 EXPECT_EQ(E2BIG, errno);
962 /* Make sure an errno of zero is correctly handled by the arch code. */
965 ERRNO_FILTER(zero, 0);
967 pid_t parent = getppid();
969 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
972 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_zero);
975 EXPECT_EQ(parent, syscall(__NR_getppid));
976 /* "errno" of 0 is ok. */
977 EXPECT_EQ(0, read(0, NULL, 0));
981 * The SECCOMP_RET_DATA mask is 16 bits wide, but errno is smaller.
982 * This tests that the errno value gets capped correctly, fixed by
983 * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
987 ERRNO_FILTER(capped, 4096);
989 pid_t parent = getppid();
991 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
994 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_capped);
997 EXPECT_EQ(parent, syscall(__NR_getppid));
998 EXPECT_EQ(-1, read(0, NULL, 0));
999 EXPECT_EQ(4095, errno);
1003 * Filters are processed in reverse order: last applied is executed first.
1004 * Since only the SECCOMP_RET_ACTION mask is tested for return values, the
1005 * SECCOMP_RET_DATA mask results will follow the most recently applied
1006 * matching filter return (and not the lowest or highest value).
1010 ERRNO_FILTER(first, 11);
1011 ERRNO_FILTER(second, 13);
1012 ERRNO_FILTER(third, 12);
1014 pid_t parent = getppid();
1016 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1019 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_first);
1022 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_second);
1025 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog_third);
1028 EXPECT_EQ(parent, syscall(__NR_getppid));
1029 EXPECT_EQ(-1, read(0, NULL, 0));
1030 EXPECT_EQ(12, errno);
1034 struct sock_fprog prog;
1039 struct sock_filter filter[] = {
1040 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1041 offsetof(struct seccomp_data, nr)),
1042 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
1043 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1044 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1047 memset(&self->prog, 0, sizeof(self->prog));
1048 self->prog.filter = malloc(sizeof(filter));
1049 ASSERT_NE(NULL, self->prog.filter);
1050 memcpy(self->prog.filter, filter, sizeof(filter));
1051 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1054 FIXTURE_TEARDOWN(TRAP)
1056 if (self->prog.filter)
1057 free(self->prog.filter);
1060 TEST_F_SIGNAL(TRAP, dfl, SIGSYS)
1064 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1067 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1069 syscall(__NR_getpid);
1072 /* Ensure that SIGSYS overrides SIG_IGN */
1073 TEST_F_SIGNAL(TRAP, ign, SIGSYS)
1077 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1080 signal(SIGSYS, SIG_IGN);
1082 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1084 syscall(__NR_getpid);
1087 static siginfo_t TRAP_info;
1088 static volatile int TRAP_nr;
1089 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
1091 memcpy(&TRAP_info, info, sizeof(TRAP_info));
1095 TEST_F(TRAP, handler)
1098 struct sigaction act;
1101 memset(&act, 0, sizeof(act));
1103 sigaddset(&mask, SIGSYS);
1105 act.sa_sigaction = &TRAP_action;
1106 act.sa_flags = SA_SIGINFO;
1107 ret = sigaction(SIGSYS, &act, NULL);
1109 TH_LOG("sigaction failed");
1111 ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
1113 TH_LOG("sigprocmask failed");
1116 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1118 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog);
1121 memset(&TRAP_info, 0, sizeof(TRAP_info));
1122 /* Expect the registers to be rolled back. (nr = error) may vary
1124 ret = syscall(__NR_getpid);
1125 /* Silence gcc warning about volatile. */
1127 EXPECT_EQ(SIGSYS, test);
1128 struct local_sigsys {
1129 void *_call_addr; /* calling user insn */
1130 int _syscall; /* triggering system call number */
1131 unsigned int _arch; /* AUDIT_ARCH_* of syscall */
1132 } *sigsys = (struct local_sigsys *)
1134 &(TRAP_info.si_call_addr);
1138 EXPECT_EQ(__NR_getpid, sigsys->_syscall);
1139 /* Make sure arch is non-zero. */
1140 EXPECT_NE(0, sigsys->_arch);
1141 EXPECT_NE(0, (unsigned long)sigsys->_call_addr);
1144 FIXTURE(precedence) {
1145 struct sock_fprog allow;
1146 struct sock_fprog log;
1147 struct sock_fprog trace;
1148 struct sock_fprog error;
1149 struct sock_fprog trap;
1150 struct sock_fprog kill;
1153 FIXTURE_SETUP(precedence)
1155 struct sock_filter allow_insns[] = {
1156 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1158 struct sock_filter log_insns[] = {
1159 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1160 offsetof(struct seccomp_data, nr)),
1161 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1162 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1163 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_LOG),
1165 struct sock_filter trace_insns[] = {
1166 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1167 offsetof(struct seccomp_data, nr)),
1168 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1169 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1170 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE),
1172 struct sock_filter error_insns[] = {
1173 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1174 offsetof(struct seccomp_data, nr)),
1175 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1176 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1177 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO),
1179 struct sock_filter trap_insns[] = {
1180 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1181 offsetof(struct seccomp_data, nr)),
1182 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1183 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1184 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
1186 struct sock_filter kill_insns[] = {
1187 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1188 offsetof(struct seccomp_data, nr)),
1189 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 1, 0),
1190 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1191 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
1194 memset(self, 0, sizeof(*self));
1195 #define FILTER_ALLOC(_x) \
1196 self->_x.filter = malloc(sizeof(_x##_insns)); \
1197 ASSERT_NE(NULL, self->_x.filter); \
1198 memcpy(self->_x.filter, &_x##_insns, sizeof(_x##_insns)); \
1199 self->_x.len = (unsigned short)ARRAY_SIZE(_x##_insns)
1200 FILTER_ALLOC(allow);
1202 FILTER_ALLOC(trace);
1203 FILTER_ALLOC(error);
1208 FIXTURE_TEARDOWN(precedence)
1210 #define FILTER_FREE(_x) if (self->_x.filter) free(self->_x.filter)
1219 TEST_F(precedence, allow_ok)
1221 pid_t parent, res = 0;
1225 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1228 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1230 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1232 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1234 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1236 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1238 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1240 /* Should work just fine. */
1241 res = syscall(__NR_getppid);
1242 EXPECT_EQ(parent, res);
1245 TEST_F_SIGNAL(precedence, kill_is_highest, SIGSYS)
1247 pid_t parent, res = 0;
1251 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1254 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1256 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1258 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1260 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1262 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1264 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1266 /* Should work just fine. */
1267 res = syscall(__NR_getppid);
1268 EXPECT_EQ(parent, res);
1269 /* getpid() should never return. */
1270 res = syscall(__NR_getpid);
1274 TEST_F_SIGNAL(precedence, kill_is_highest_in_any_order, SIGSYS)
1280 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1283 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1285 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->kill);
1287 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1289 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1291 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1293 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1295 /* Should work just fine. */
1296 EXPECT_EQ(parent, syscall(__NR_getppid));
1297 /* getpid() should never return. */
1298 EXPECT_EQ(0, syscall(__NR_getpid));
1301 TEST_F_SIGNAL(precedence, trap_is_second, SIGSYS)
1307 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1310 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1312 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1314 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1316 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1318 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1320 /* Should work just fine. */
1321 EXPECT_EQ(parent, syscall(__NR_getppid));
1322 /* getpid() should never return. */
1323 EXPECT_EQ(0, syscall(__NR_getpid));
1326 TEST_F_SIGNAL(precedence, trap_is_second_in_any_order, SIGSYS)
1332 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1335 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1337 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trap);
1339 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1341 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1343 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1345 /* Should work just fine. */
1346 EXPECT_EQ(parent, syscall(__NR_getppid));
1347 /* getpid() should never return. */
1348 EXPECT_EQ(0, syscall(__NR_getpid));
1351 TEST_F(precedence, errno_is_third)
1357 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1360 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1362 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1364 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1366 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1368 /* Should work just fine. */
1369 EXPECT_EQ(parent, syscall(__NR_getppid));
1370 EXPECT_EQ(0, syscall(__NR_getpid));
1373 TEST_F(precedence, errno_is_third_in_any_order)
1379 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1382 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1384 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->error);
1386 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1388 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1390 /* Should work just fine. */
1391 EXPECT_EQ(parent, syscall(__NR_getppid));
1392 EXPECT_EQ(0, syscall(__NR_getpid));
1395 TEST_F(precedence, trace_is_fourth)
1401 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1404 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1406 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1408 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1410 /* Should work just fine. */
1411 EXPECT_EQ(parent, syscall(__NR_getppid));
1413 EXPECT_EQ(-1, syscall(__NR_getpid));
1416 TEST_F(precedence, trace_is_fourth_in_any_order)
1422 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1425 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->trace);
1427 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1429 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1431 /* Should work just fine. */
1432 EXPECT_EQ(parent, syscall(__NR_getppid));
1434 EXPECT_EQ(-1, syscall(__NR_getpid));
1437 TEST_F(precedence, log_is_fifth)
1439 pid_t mypid, parent;
1444 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1447 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1449 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1451 /* Should work just fine. */
1452 EXPECT_EQ(parent, syscall(__NR_getppid));
1453 /* Should also work just fine */
1454 EXPECT_EQ(mypid, syscall(__NR_getpid));
1457 TEST_F(precedence, log_is_fifth_in_any_order)
1459 pid_t mypid, parent;
1464 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1467 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->log);
1469 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->allow);
1471 /* Should work just fine. */
1472 EXPECT_EQ(parent, syscall(__NR_getppid));
1473 /* Should also work just fine */
1474 EXPECT_EQ(mypid, syscall(__NR_getpid));
1477 #ifndef PTRACE_O_TRACESECCOMP
1478 #define PTRACE_O_TRACESECCOMP 0x00000080
1481 /* Catch the Ubuntu 12.04 value error. */
1482 #if PTRACE_EVENT_SECCOMP != 7
1483 #undef PTRACE_EVENT_SECCOMP
1486 #ifndef PTRACE_EVENT_SECCOMP
1487 #define PTRACE_EVENT_SECCOMP 7
1490 #define PTRACE_EVENT_MASK(status) ((status) >> 16)
1491 bool tracer_running;
1492 void tracer_stop(int sig)
1494 tracer_running = false;
1497 typedef void tracer_func_t(struct __test_metadata *_metadata,
1498 pid_t tracee, int status, void *args);
1500 void start_tracer(struct __test_metadata *_metadata, int fd, pid_t tracee,
1501 tracer_func_t tracer_func, void *args, bool ptrace_syscall)
1504 struct sigaction action = {
1505 .sa_handler = tracer_stop,
1508 /* Allow external shutdown. */
1509 tracer_running = true;
1510 ASSERT_EQ(0, sigaction(SIGUSR1, &action, NULL));
1513 while (ret == -1 && errno != EINVAL)
1514 ret = ptrace(PTRACE_ATTACH, tracee, NULL, 0);
1516 kill(tracee, SIGKILL);
1518 /* Wait for attach stop */
1521 ret = ptrace(PTRACE_SETOPTIONS, tracee, NULL, ptrace_syscall ?
1522 PTRACE_O_TRACESYSGOOD :
1523 PTRACE_O_TRACESECCOMP);
1525 TH_LOG("Failed to set PTRACE_O_TRACESECCOMP");
1526 kill(tracee, SIGKILL);
1528 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1532 /* Unblock the tracee */
1533 ASSERT_EQ(1, write(fd, "A", 1));
1534 ASSERT_EQ(0, close(fd));
1536 /* Run until we're shut down. Must assert to stop execution. */
1537 while (tracer_running) {
1540 if (wait(&status) != tracee)
1543 if (WIFSIGNALED(status)) {
1544 /* Child caught a fatal signal. */
1547 if (WIFEXITED(status)) {
1548 /* Child exited with code. */
1552 /* Check if we got an expected event. */
1553 ASSERT_EQ(WIFCONTINUED(status), false);
1554 ASSERT_EQ(WIFSTOPPED(status), true);
1555 ASSERT_EQ(WSTOPSIG(status) & SIGTRAP, SIGTRAP) {
1556 TH_LOG("Unexpected WSTOPSIG: %d", WSTOPSIG(status));
1559 tracer_func(_metadata, tracee, status, args);
1561 ret = ptrace(ptrace_syscall ? PTRACE_SYSCALL : PTRACE_CONT,
1565 /* Directly report the status of our test harness results. */
1566 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
1569 /* Common tracer setup/teardown functions. */
1570 void cont_handler(int num)
1572 pid_t setup_trace_fixture(struct __test_metadata *_metadata,
1573 tracer_func_t func, void *args, bool ptrace_syscall)
1578 pid_t tracee = getpid();
1580 /* Setup a pipe for clean synchronization. */
1581 ASSERT_EQ(0, pipe(pipefd));
1583 /* Fork a child which we'll promote to tracer */
1584 tracer_pid = fork();
1585 ASSERT_LE(0, tracer_pid);
1586 signal(SIGALRM, cont_handler);
1587 if (tracer_pid == 0) {
1589 start_tracer(_metadata, pipefd[1], tracee, func, args,
1591 syscall(__NR_exit, 0);
1594 prctl(PR_SET_PTRACER, tracer_pid, 0, 0, 0);
1595 read(pipefd[0], &sync, 1);
1601 void teardown_trace_fixture(struct __test_metadata *_metadata,
1607 * Extract the exit code from the other process and
1608 * adopt it for ourselves in case its asserts failed.
1610 ASSERT_EQ(0, kill(tracer, SIGUSR1));
1611 ASSERT_EQ(tracer, waitpid(tracer, &status, 0));
1612 if (WEXITSTATUS(status))
1613 _metadata->passed = 0;
1617 /* "poke" tracer arguments and function. */
1618 struct tracer_args_poke_t {
1619 unsigned long poke_addr;
1622 void tracer_poke(struct __test_metadata *_metadata, pid_t tracee, int status,
1627 struct tracer_args_poke_t *info = (struct tracer_args_poke_t *)args;
1629 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1631 /* If this fails, don't try to recover. */
1632 ASSERT_EQ(0x1001, msg) {
1633 kill(tracee, SIGKILL);
1636 * Poke in the message.
1637 * Registers are not touched to try to keep this relatively arch
1640 ret = ptrace(PTRACE_POKEDATA, tracee, info->poke_addr, 0x1001);
1644 FIXTURE(TRACE_poke) {
1645 struct sock_fprog prog;
1648 struct tracer_args_poke_t tracer_args;
1651 FIXTURE_SETUP(TRACE_poke)
1653 struct sock_filter filter[] = {
1654 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
1655 offsetof(struct seccomp_data, nr)),
1656 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
1657 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1001),
1658 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
1662 memset(&self->prog, 0, sizeof(self->prog));
1663 self->prog.filter = malloc(sizeof(filter));
1664 ASSERT_NE(NULL, self->prog.filter);
1665 memcpy(self->prog.filter, filter, sizeof(filter));
1666 self->prog.len = (unsigned short)ARRAY_SIZE(filter);
1668 /* Set up tracer args. */
1669 self->tracer_args.poke_addr = (unsigned long)&self->poked;
1671 /* Launch tracer. */
1672 self->tracer = setup_trace_fixture(_metadata, tracer_poke,
1673 &self->tracer_args, false);
1676 FIXTURE_TEARDOWN(TRACE_poke)
1678 teardown_trace_fixture(_metadata, self->tracer);
1679 if (self->prog.filter)
1680 free(self->prog.filter);
1683 TEST_F(TRACE_poke, read_has_side_effects)
1687 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1690 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1693 EXPECT_EQ(0, self->poked);
1694 ret = read(-1, NULL, 0);
1696 EXPECT_EQ(0x1001, self->poked);
1699 TEST_F(TRACE_poke, getpid_runs_normally)
1703 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
1706 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
1709 EXPECT_EQ(0, self->poked);
1710 EXPECT_NE(0, syscall(__NR_getpid));
1711 EXPECT_EQ(0, self->poked);
1714 #if defined(__x86_64__)
1715 # define ARCH_REGS struct user_regs_struct
1716 # define SYSCALL_NUM(_regs) (_regs).orig_rax
1717 # define SYSCALL_RET(_regs) (_regs).rax
1718 #elif defined(__i386__)
1719 # define ARCH_REGS struct user_regs_struct
1720 # define SYSCALL_NUM(_regs) (_regs).orig_eax
1721 # define SYSCALL_RET(_regs) (_regs).eax
1722 #elif defined(__arm__)
1723 # define ARCH_REGS struct pt_regs
1724 # define SYSCALL_NUM(_regs) (_regs).ARM_r7
1725 # ifndef PTRACE_SET_SYSCALL
1726 # define PTRACE_SET_SYSCALL 23
1728 # define SYSCALL_NUM_SET(_regs, _nr) \
1729 EXPECT_EQ(0, ptrace(PTRACE_SET_SYSCALL, tracee, NULL, _nr))
1730 # define SYSCALL_RET(_regs) (_regs).ARM_r0
1731 #elif defined(__aarch64__)
1732 # define ARCH_REGS struct user_pt_regs
1733 # define SYSCALL_NUM(_regs) (_regs).regs[8]
1734 # ifndef NT_ARM_SYSTEM_CALL
1735 # define NT_ARM_SYSTEM_CALL 0x404
1737 # define SYSCALL_NUM_SET(_regs, _nr) \
1740 typeof(_nr) __nr = (_nr); \
1741 __v.iov_base = &__nr; \
1742 __v.iov_len = sizeof(__nr); \
1743 EXPECT_EQ(0, ptrace(PTRACE_SETREGSET, tracee, \
1744 NT_ARM_SYSTEM_CALL, &__v)); \
1746 # define SYSCALL_RET(_regs) (_regs).regs[0]
1747 #elif defined(__riscv) && __riscv_xlen == 64
1748 # define ARCH_REGS struct user_regs_struct
1749 # define SYSCALL_NUM(_regs) (_regs).a7
1750 # define SYSCALL_RET(_regs) (_regs).a0
1751 #elif defined(__csky__)
1752 # define ARCH_REGS struct pt_regs
1753 # if defined(__CSKYABIV2__)
1754 # define SYSCALL_NUM(_regs) (_regs).regs[3]
1756 # define SYSCALL_NUM(_regs) (_regs).regs[9]
1758 # define SYSCALL_RET(_regs) (_regs).a0
1759 #elif defined(__hppa__)
1760 # define ARCH_REGS struct user_regs_struct
1761 # define SYSCALL_NUM(_regs) (_regs).gr[20]
1762 # define SYSCALL_RET(_regs) (_regs).gr[28]
1763 #elif defined(__powerpc__)
1764 # define ARCH_REGS struct pt_regs
1765 # define SYSCALL_NUM(_regs) (_regs).gpr[0]
1766 # define SYSCALL_RET(_regs) (_regs).gpr[3]
1767 # define SYSCALL_RET_SET(_regs, _val) \
1769 typeof(_val) _result = (_val); \
1770 if ((_regs.trap & 0xfff0) == 0x3000) { \
1772 * scv 0 system call uses -ve result \
1773 * for error, so no need to adjust. \
1775 SYSCALL_RET(_regs) = _result; \
1778 * A syscall error is signaled by the \
1779 * CR0 SO bit and the code is stored as \
1780 * a positive value. \
1782 if (_result < 0) { \
1783 SYSCALL_RET(_regs) = -_result; \
1784 (_regs).ccr |= 0x10000000; \
1786 SYSCALL_RET(_regs) = _result; \
1787 (_regs).ccr &= ~0x10000000; \
1791 # define SYSCALL_RET_SET_ON_PTRACE_EXIT
1792 #elif defined(__s390__)
1793 # define ARCH_REGS s390_regs
1794 # define SYSCALL_NUM(_regs) (_regs).gprs[2]
1795 # define SYSCALL_RET_SET(_regs, _val) \
1796 TH_LOG("Can't modify syscall return on this architecture")
1797 #elif defined(__mips__)
1798 # include <asm/unistd_nr_n32.h>
1799 # include <asm/unistd_nr_n64.h>
1800 # include <asm/unistd_nr_o32.h>
1801 # define ARCH_REGS struct pt_regs
1802 # define SYSCALL_NUM(_regs) \
1804 typeof((_regs).regs[2]) _nr; \
1805 if ((_regs).regs[2] == __NR_O32_Linux) \
1806 _nr = (_regs).regs[4]; \
1808 _nr = (_regs).regs[2]; \
1811 # define SYSCALL_NUM_SET(_regs, _nr) \
1813 if ((_regs).regs[2] == __NR_O32_Linux) \
1814 (_regs).regs[4] = _nr; \
1816 (_regs).regs[2] = _nr; \
1818 # define SYSCALL_RET_SET(_regs, _val) \
1819 TH_LOG("Can't modify syscall return on this architecture")
1820 #elif defined(__xtensa__)
1821 # define ARCH_REGS struct user_pt_regs
1822 # define SYSCALL_NUM(_regs) (_regs).syscall
1824 * On xtensa syscall return value is in the register
1825 * a2 of the current window which is not fixed.
1827 #define SYSCALL_RET(_regs) (_regs).a[(_regs).windowbase * 4 + 2]
1828 #elif defined(__sh__)
1829 # define ARCH_REGS struct pt_regs
1830 # define SYSCALL_NUM(_regs) (_regs).regs[3]
1831 # define SYSCALL_RET(_regs) (_regs).regs[0]
1833 # error "Do not know how to find your architecture's registers and syscalls"
1837 * Most architectures can change the syscall by just updating the
1838 * associated register. This is the default if not defined above.
1840 #ifndef SYSCALL_NUM_SET
1841 # define SYSCALL_NUM_SET(_regs, _nr) \
1843 SYSCALL_NUM(_regs) = (_nr); \
1847 * Most architectures can change the syscall return value by just
1848 * writing to the SYSCALL_RET register. This is the default if not
1849 * defined above. If an architecture cannot set the return value
1850 * (for example when the syscall and return value register is
1851 * shared), report it with TH_LOG() in an arch-specific definition
1852 * of SYSCALL_RET_SET() above, and leave SYSCALL_RET undefined.
1854 #if !defined(SYSCALL_RET) && !defined(SYSCALL_RET_SET)
1855 # error "One of SYSCALL_RET or SYSCALL_RET_SET is needed for this arch"
1857 #ifndef SYSCALL_RET_SET
1858 # define SYSCALL_RET_SET(_regs, _val) \
1860 SYSCALL_RET(_regs) = (_val); \
1864 /* When the syscall return can't be changed, stub out the tests for it. */
1866 # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
1868 # define EXPECT_SYSCALL_RETURN(val, action) \
1872 EXPECT_EQ(-1, action); \
1873 EXPECT_EQ(-(val), errno); \
1875 EXPECT_EQ(val, action); \
1881 * Some architectures (e.g. powerpc) can only set syscall
1882 * return values on syscall exit during ptrace.
1884 const bool ptrace_entry_set_syscall_nr = true;
1885 const bool ptrace_entry_set_syscall_ret =
1886 #ifndef SYSCALL_RET_SET_ON_PTRACE_EXIT
1893 * Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
1894 * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
1896 #if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
1897 # define ARCH_GETREGS(_regs) ptrace(PTRACE_GETREGS, tracee, 0, &(_regs))
1898 # define ARCH_SETREGS(_regs) ptrace(PTRACE_SETREGS, tracee, 0, &(_regs))
1900 # define ARCH_GETREGS(_regs) ({ \
1902 __v.iov_base = &(_regs); \
1903 __v.iov_len = sizeof(_regs); \
1904 ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &__v); \
1906 # define ARCH_SETREGS(_regs) ({ \
1908 __v.iov_base = &(_regs); \
1909 __v.iov_len = sizeof(_regs); \
1910 ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &__v); \
1914 /* Architecture-specific syscall fetching routine. */
1915 int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
1919 EXPECT_EQ(0, ARCH_GETREGS(regs)) {
1923 return SYSCALL_NUM(regs);
1926 /* Architecture-specific syscall changing routine. */
1927 void __change_syscall(struct __test_metadata *_metadata,
1928 pid_t tracee, long *syscall, long *ret)
1930 ARCH_REGS orig, regs;
1932 /* Do not get/set registers if we have nothing to do. */
1933 if (!syscall && !ret)
1936 EXPECT_EQ(0, ARCH_GETREGS(regs)) {
1942 SYSCALL_NUM_SET(regs, *syscall);
1945 SYSCALL_RET_SET(regs, *ret);
1947 /* Flush any register changes made. */
1948 if (memcmp(&orig, ®s, sizeof(orig)) != 0)
1949 EXPECT_EQ(0, ARCH_SETREGS(regs));
1952 /* Change only syscall number. */
1953 void change_syscall_nr(struct __test_metadata *_metadata,
1954 pid_t tracee, long syscall)
1956 __change_syscall(_metadata, tracee, &syscall, NULL);
1959 /* Change syscall return value (and set syscall number to -1). */
1960 void change_syscall_ret(struct __test_metadata *_metadata,
1961 pid_t tracee, long ret)
1965 __change_syscall(_metadata, tracee, &syscall, &ret);
1968 void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
1969 int status, void *args)
1974 EXPECT_EQ(PTRACE_EVENT_MASK(status), PTRACE_EVENT_SECCOMP) {
1975 TH_LOG("Unexpected ptrace event: %d", PTRACE_EVENT_MASK(status));
1979 /* Make sure we got the right message. */
1980 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
1983 /* Validate and take action on expected syscalls. */
1986 /* change getpid to getppid. */
1987 EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
1988 change_syscall_nr(_metadata, tracee, __NR_getppid);
1991 /* skip gettid with valid return code. */
1992 EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
1993 change_syscall_ret(_metadata, tracee, 45000);
1996 /* skip openat with error. */
1997 EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
1998 change_syscall_ret(_metadata, tracee, -ESRCH);
2001 /* do nothing (allow getppid) */
2002 EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
2006 TH_LOG("Unknown PTRACE_GETEVENTMSG: 0x%lx", msg);
2007 kill(tracee, SIGKILL);
2013 FIXTURE(TRACE_syscall) {
2014 struct sock_fprog prog;
2015 pid_t tracer, mytid, mypid, parent;
2019 void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
2020 int status, void *args)
2025 long syscall_nr_val, syscall_ret_val;
2026 long *syscall_nr = NULL, *syscall_ret = NULL;
2027 FIXTURE_DATA(TRACE_syscall) *self = args;
2029 EXPECT_EQ(WSTOPSIG(status) & 0x80, 0x80) {
2030 TH_LOG("Unexpected WSTOPSIG: %d", WSTOPSIG(status));
2035 * The traditional way to tell PTRACE_SYSCALL entry/exit
2040 /* Make sure we got an appropriate message. */
2041 ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
2043 EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
2044 : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
2047 * Some architectures only support setting return values during
2048 * syscall exit under ptrace, and on exit the syscall number may
2049 * no longer be available. Therefore, save the initial sycall
2050 * number here, so it can be examined during both entry and exit
2054 self->syscall_nr = get_syscall(_metadata, tracee);
2057 * Depending on the architecture's syscall setting abilities, we
2058 * pick which things to set during this phase (entry or exit).
2060 if (entry == ptrace_entry_set_syscall_nr)
2061 syscall_nr = &syscall_nr_val;
2062 if (entry == ptrace_entry_set_syscall_ret)
2063 syscall_ret = &syscall_ret_val;
2065 /* Now handle the actual rewriting cases. */
2066 switch (self->syscall_nr) {
2068 syscall_nr_val = __NR_getppid;
2069 /* Never change syscall return for this case. */
2073 syscall_nr_val = -1;
2074 syscall_ret_val = 45000;
2077 syscall_nr_val = -1;
2078 syscall_ret_val = -ESRCH;
2081 /* Unhandled, do nothing. */
2085 __change_syscall(_metadata, tracee, syscall_nr, syscall_ret);
2088 FIXTURE_VARIANT(TRACE_syscall) {
2090 * All of the SECCOMP_RET_TRACE behaviors can be tested with either
2091 * SECCOMP_RET_TRACE+PTRACE_CONT or plain ptrace()+PTRACE_SYSCALL.
2092 * This indicates if we should use SECCOMP_RET_TRACE (false), or
2098 FIXTURE_VARIANT_ADD(TRACE_syscall, ptrace) {
2102 FIXTURE_VARIANT_ADD(TRACE_syscall, seccomp) {
2103 .use_ptrace = false,
2106 FIXTURE_SETUP(TRACE_syscall)
2108 struct sock_filter filter[] = {
2109 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2110 offsetof(struct seccomp_data, nr)),
2111 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
2112 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
2113 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
2114 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
2115 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
2116 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
2117 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2118 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
2119 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2121 struct sock_fprog prog = {
2122 .len = (unsigned short)ARRAY_SIZE(filter),
2127 /* Prepare some testable syscall results. */
2128 self->mytid = syscall(__NR_gettid);
2129 ASSERT_GT(self->mytid, 0);
2130 ASSERT_NE(self->mytid, 1) {
2131 TH_LOG("Running this test as init is not supported. :)");
2134 self->mypid = getpid();
2135 ASSERT_GT(self->mypid, 0);
2136 ASSERT_EQ(self->mytid, self->mypid);
2138 self->parent = getppid();
2139 ASSERT_GT(self->parent, 0);
2140 ASSERT_NE(self->parent, self->mypid);
2142 /* Launch tracer. */
2143 self->tracer = setup_trace_fixture(_metadata,
2144 variant->use_ptrace ? tracer_ptrace
2146 self, variant->use_ptrace);
2148 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2151 /* Do not install seccomp rewrite filters, as we'll use ptrace instead. */
2152 if (variant->use_ptrace)
2155 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2159 FIXTURE_TEARDOWN(TRACE_syscall)
2161 teardown_trace_fixture(_metadata, self->tracer);
2164 TEST(negative_ENOSYS)
2167 * There should be no difference between an "internal" skip
2168 * and userspace asking for syscall "-1".
2171 EXPECT_EQ(-1, syscall(-1));
2172 EXPECT_EQ(errno, ENOSYS);
2173 /* And no difference for "still not valid but not -1". */
2175 EXPECT_EQ(-1, syscall(-101));
2176 EXPECT_EQ(errno, ENOSYS);
2179 TEST_F(TRACE_syscall, negative_ENOSYS)
2181 negative_ENOSYS(_metadata);
2184 TEST_F(TRACE_syscall, syscall_allowed)
2186 /* getppid works as expected (no changes). */
2187 EXPECT_EQ(self->parent, syscall(__NR_getppid));
2188 EXPECT_NE(self->mypid, syscall(__NR_getppid));
2191 TEST_F(TRACE_syscall, syscall_redirected)
2193 /* getpid has been redirected to getppid as expected. */
2194 EXPECT_EQ(self->parent, syscall(__NR_getpid));
2195 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2198 TEST_F(TRACE_syscall, syscall_errno)
2200 /* Tracer should skip the open syscall, resulting in ESRCH. */
2201 EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
2204 TEST_F(TRACE_syscall, syscall_faked)
2206 /* Tracer skips the gettid syscall and store altered return value. */
2207 EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
2210 TEST_F_SIGNAL(TRACE_syscall, kill_immediate, SIGSYS)
2212 struct sock_filter filter[] = {
2213 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2214 offsetof(struct seccomp_data, nr)),
2215 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_mknodat, 0, 1),
2216 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_THREAD),
2217 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2219 struct sock_fprog prog = {
2220 .len = (unsigned short)ARRAY_SIZE(filter),
2225 /* Install "kill on mknodat" filter. */
2226 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2229 /* This should immediately die with SIGSYS, regardless of tracer. */
2230 EXPECT_EQ(-1, syscall(__NR_mknodat, -1, NULL, 0, 0));
2233 TEST_F(TRACE_syscall, skip_after)
2235 struct sock_filter filter[] = {
2236 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2237 offsetof(struct seccomp_data, nr)),
2238 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2239 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EPERM),
2240 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2242 struct sock_fprog prog = {
2243 .len = (unsigned short)ARRAY_SIZE(filter),
2248 /* Install additional "errno on getppid" filter. */
2249 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2252 /* Tracer will redirect getpid to getppid, and we should see EPERM. */
2254 EXPECT_EQ(-1, syscall(__NR_getpid));
2255 EXPECT_EQ(EPERM, errno);
2258 TEST_F_SIGNAL(TRACE_syscall, kill_after, SIGSYS)
2260 struct sock_filter filter[] = {
2261 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2262 offsetof(struct seccomp_data, nr)),
2263 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
2264 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2265 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2267 struct sock_fprog prog = {
2268 .len = (unsigned short)ARRAY_SIZE(filter),
2273 /* Install additional "death on getppid" filter. */
2274 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
2277 /* Tracer will redirect getpid to getppid, and we should die. */
2278 EXPECT_NE(self->mypid, syscall(__NR_getpid));
2281 TEST(seccomp_syscall)
2283 struct sock_filter filter[] = {
2284 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2286 struct sock_fprog prog = {
2287 .len = (unsigned short)ARRAY_SIZE(filter),
2292 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
2294 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2297 /* Reject insane operation. */
2298 ret = seccomp(-1, 0, &prog);
2299 ASSERT_NE(ENOSYS, errno) {
2300 TH_LOG("Kernel does not support seccomp syscall!");
2302 EXPECT_EQ(EINVAL, errno) {
2303 TH_LOG("Did not reject crazy op value!");
2306 /* Reject strict with flags or pointer. */
2307 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
2308 EXPECT_EQ(EINVAL, errno) {
2309 TH_LOG("Did not reject mode strict with flags!");
2311 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
2312 EXPECT_EQ(EINVAL, errno) {
2313 TH_LOG("Did not reject mode strict with uargs!");
2316 /* Reject insane args for filter. */
2317 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
2318 EXPECT_EQ(EINVAL, errno) {
2319 TH_LOG("Did not reject crazy filter flags!");
2321 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
2322 EXPECT_EQ(EFAULT, errno) {
2323 TH_LOG("Did not reject NULL filter!");
2326 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2327 EXPECT_EQ(0, errno) {
2328 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER: %s",
2333 TEST(seccomp_syscall_mode_lock)
2335 struct sock_filter filter[] = {
2336 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2338 struct sock_fprog prog = {
2339 .len = (unsigned short)ARRAY_SIZE(filter),
2344 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2346 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2349 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2350 ASSERT_NE(ENOSYS, errno) {
2351 TH_LOG("Kernel does not support seccomp syscall!");
2354 TH_LOG("Could not install filter!");
2357 /* Make sure neither entry point will switch to strict. */
2358 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
2359 EXPECT_EQ(EINVAL, errno) {
2360 TH_LOG("Switched to mode strict!");
2363 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
2364 EXPECT_EQ(EINVAL, errno) {
2365 TH_LOG("Switched to mode strict!");
2370 * Test detection of known and unknown filter flags. Userspace needs to be able
2371 * to check if a filter flag is supported by the current kernel and a good way
2372 * of doing that is by attempting to enter filter mode, with the flag bit in
2373 * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
2374 * that the flag is valid and EINVAL indicates that the flag is invalid.
2376 TEST(detect_seccomp_filter_flags)
2378 unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
2379 SECCOMP_FILTER_FLAG_LOG,
2380 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
2381 SECCOMP_FILTER_FLAG_NEW_LISTENER,
2382 SECCOMP_FILTER_FLAG_TSYNC_ESRCH };
2383 unsigned int exclusive[] = {
2384 SECCOMP_FILTER_FLAG_TSYNC,
2385 SECCOMP_FILTER_FLAG_NEW_LISTENER };
2386 unsigned int flag, all_flags, exclusive_mask;
2390 /* Test detection of individual known-good filter flags */
2391 for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
2395 /* Make sure the flag is a single bit! */
2404 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2405 ASSERT_NE(ENOSYS, errno) {
2406 TH_LOG("Kernel does not support seccomp syscall!");
2409 EXPECT_EQ(EFAULT, errno) {
2410 TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
2418 * Test detection of all known-good filter flags combined. But
2419 * for the exclusive flags we need to mask them out and try them
2420 * individually for the "all flags" testing.
2423 for (i = 0; i < ARRAY_SIZE(exclusive); i++)
2424 exclusive_mask |= exclusive[i];
2425 for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
2426 flag = all_flags & ~exclusive_mask;
2427 flag |= exclusive[i];
2429 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2431 EXPECT_EQ(EFAULT, errno) {
2432 TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
2437 /* Test detection of an unknown filter flags, without exclusives. */
2439 flag &= ~exclusive_mask;
2440 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2442 EXPECT_EQ(EINVAL, errno) {
2443 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
2448 * Test detection of an unknown filter flag that may simply need to be
2449 * added to this test
2451 flag = flags[ARRAY_SIZE(flags) - 1] << 1;
2452 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2454 EXPECT_EQ(EINVAL, errno) {
2455 TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
2462 struct sock_filter filter[] = {
2463 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2465 struct sock_fprog prog = {
2466 .len = (unsigned short)ARRAY_SIZE(filter),
2471 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
2473 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2476 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2478 ASSERT_NE(ENOSYS, errno) {
2479 TH_LOG("Kernel does not support seccomp syscall!");
2482 TH_LOG("Could not install initial filter with TSYNC!");
2486 #define TSYNC_SIBLINGS 2
2487 struct tsync_sibling {
2491 pthread_cond_t *cond;
2492 pthread_mutex_t *mutex;
2495 struct sock_fprog *prog;
2496 struct __test_metadata *metadata;
2500 * To avoid joining joined threads (which is not allowed by Bionic),
2501 * make sure we both successfully join and clear the tid to skip a
2502 * later join attempt during fixture teardown. Any remaining threads
2503 * will be directly killed during teardown.
2505 #define PTHREAD_JOIN(tid, status) \
2507 int _rc = pthread_join(tid, status); \
2509 TH_LOG("pthread_join of tid %u failed: %d\n", \
2510 (unsigned int)tid, _rc); \
2517 struct sock_fprog root_prog, apply_prog;
2518 struct tsync_sibling sibling[TSYNC_SIBLINGS];
2520 pthread_cond_t cond;
2521 pthread_mutex_t mutex;
2525 FIXTURE_SETUP(TSYNC)
2527 struct sock_filter root_filter[] = {
2528 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2530 struct sock_filter apply_filter[] = {
2531 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2532 offsetof(struct seccomp_data, nr)),
2533 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 0, 1),
2534 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
2535 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2538 memset(&self->root_prog, 0, sizeof(self->root_prog));
2539 memset(&self->apply_prog, 0, sizeof(self->apply_prog));
2540 memset(&self->sibling, 0, sizeof(self->sibling));
2541 self->root_prog.filter = malloc(sizeof(root_filter));
2542 ASSERT_NE(NULL, self->root_prog.filter);
2543 memcpy(self->root_prog.filter, &root_filter, sizeof(root_filter));
2544 self->root_prog.len = (unsigned short)ARRAY_SIZE(root_filter);
2546 self->apply_prog.filter = malloc(sizeof(apply_filter));
2547 ASSERT_NE(NULL, self->apply_prog.filter);
2548 memcpy(self->apply_prog.filter, &apply_filter, sizeof(apply_filter));
2549 self->apply_prog.len = (unsigned short)ARRAY_SIZE(apply_filter);
2551 self->sibling_count = 0;
2552 pthread_mutex_init(&self->mutex, NULL);
2553 pthread_cond_init(&self->cond, NULL);
2554 sem_init(&self->started, 0, 0);
2555 self->sibling[0].tid = 0;
2556 self->sibling[0].cond = &self->cond;
2557 self->sibling[0].started = &self->started;
2558 self->sibling[0].mutex = &self->mutex;
2559 self->sibling[0].diverge = 0;
2560 self->sibling[0].num_waits = 1;
2561 self->sibling[0].prog = &self->root_prog;
2562 self->sibling[0].metadata = _metadata;
2563 self->sibling[1].tid = 0;
2564 self->sibling[1].cond = &self->cond;
2565 self->sibling[1].started = &self->started;
2566 self->sibling[1].mutex = &self->mutex;
2567 self->sibling[1].diverge = 0;
2568 self->sibling[1].prog = &self->root_prog;
2569 self->sibling[1].num_waits = 1;
2570 self->sibling[1].metadata = _metadata;
2573 FIXTURE_TEARDOWN(TSYNC)
2577 if (self->root_prog.filter)
2578 free(self->root_prog.filter);
2579 if (self->apply_prog.filter)
2580 free(self->apply_prog.filter);
2582 for ( ; sib < self->sibling_count; ++sib) {
2583 struct tsync_sibling *s = &self->sibling[sib];
2588 * If a thread is still running, it may be stuck, so hit
2589 * it over the head really hard.
2591 pthread_kill(s->tid, 9);
2593 pthread_mutex_destroy(&self->mutex);
2594 pthread_cond_destroy(&self->cond);
2595 sem_destroy(&self->started);
2598 void *tsync_sibling(void *data)
2601 struct tsync_sibling *me = data;
2603 me->system_tid = syscall(__NR_gettid);
2605 pthread_mutex_lock(me->mutex);
2607 /* Just re-apply the root prog to fork the tree */
2608 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
2611 sem_post(me->started);
2612 /* Return outside of started so parent notices failures. */
2614 pthread_mutex_unlock(me->mutex);
2615 return (void *)SIBLING_EXIT_FAILURE;
2618 pthread_cond_wait(me->cond, me->mutex);
2619 me->num_waits = me->num_waits - 1;
2620 } while (me->num_waits);
2621 pthread_mutex_unlock(me->mutex);
2623 ret = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
2625 return (void *)SIBLING_EXIT_NEWPRIVS;
2627 return (void *)SIBLING_EXIT_UNKILLED;
2630 void tsync_start_sibling(struct tsync_sibling *sibling)
2632 pthread_create(&sibling->tid, NULL, tsync_sibling, (void *)sibling);
2635 TEST_F(TSYNC, siblings_fail_prctl)
2639 struct sock_filter filter[] = {
2640 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2641 offsetof(struct seccomp_data, nr)),
2642 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_prctl, 0, 1),
2643 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO | EINVAL),
2644 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
2646 struct sock_fprog prog = {
2647 .len = (unsigned short)ARRAY_SIZE(filter),
2651 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2652 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2655 /* Check prctl failure detection by requesting sib 0 diverge. */
2656 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2657 ASSERT_NE(ENOSYS, errno) {
2658 TH_LOG("Kernel does not support seccomp syscall!");
2661 TH_LOG("setting filter failed");
2664 self->sibling[0].diverge = 1;
2665 tsync_start_sibling(&self->sibling[0]);
2666 tsync_start_sibling(&self->sibling[1]);
2668 while (self->sibling_count < TSYNC_SIBLINGS) {
2669 sem_wait(&self->started);
2670 self->sibling_count++;
2673 /* Signal the threads to clean up*/
2674 pthread_mutex_lock(&self->mutex);
2675 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2676 TH_LOG("cond broadcast non-zero");
2678 pthread_mutex_unlock(&self->mutex);
2680 /* Ensure diverging sibling failed to call prctl. */
2681 PTHREAD_JOIN(self->sibling[0].tid, &status);
2682 EXPECT_EQ(SIBLING_EXIT_FAILURE, (long)status);
2683 PTHREAD_JOIN(self->sibling[1].tid, &status);
2684 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2687 TEST_F(TSYNC, two_siblings_with_ancestor)
2692 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2693 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2696 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2697 ASSERT_NE(ENOSYS, errno) {
2698 TH_LOG("Kernel does not support seccomp syscall!");
2701 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2703 tsync_start_sibling(&self->sibling[0]);
2704 tsync_start_sibling(&self->sibling[1]);
2706 while (self->sibling_count < TSYNC_SIBLINGS) {
2707 sem_wait(&self->started);
2708 self->sibling_count++;
2711 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2714 TH_LOG("Could install filter on all threads!");
2716 /* Tell the siblings to test the policy */
2717 pthread_mutex_lock(&self->mutex);
2718 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2719 TH_LOG("cond broadcast non-zero");
2721 pthread_mutex_unlock(&self->mutex);
2722 /* Ensure they are both killed and don't exit cleanly. */
2723 PTHREAD_JOIN(self->sibling[0].tid, &status);
2724 EXPECT_EQ(0x0, (long)status);
2725 PTHREAD_JOIN(self->sibling[1].tid, &status);
2726 EXPECT_EQ(0x0, (long)status);
2729 TEST_F(TSYNC, two_sibling_want_nnp)
2733 /* start siblings before any prctl() operations */
2734 tsync_start_sibling(&self->sibling[0]);
2735 tsync_start_sibling(&self->sibling[1]);
2736 while (self->sibling_count < TSYNC_SIBLINGS) {
2737 sem_wait(&self->started);
2738 self->sibling_count++;
2741 /* Tell the siblings to test no policy */
2742 pthread_mutex_lock(&self->mutex);
2743 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2744 TH_LOG("cond broadcast non-zero");
2746 pthread_mutex_unlock(&self->mutex);
2748 /* Ensure they are both upset about lacking nnp. */
2749 PTHREAD_JOIN(self->sibling[0].tid, &status);
2750 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2751 PTHREAD_JOIN(self->sibling[1].tid, &status);
2752 EXPECT_EQ(SIBLING_EXIT_NEWPRIVS, (long)status);
2755 TEST_F(TSYNC, two_siblings_with_no_filter)
2760 /* start siblings before any prctl() operations */
2761 tsync_start_sibling(&self->sibling[0]);
2762 tsync_start_sibling(&self->sibling[1]);
2763 while (self->sibling_count < TSYNC_SIBLINGS) {
2764 sem_wait(&self->started);
2765 self->sibling_count++;
2768 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2769 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2772 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2774 ASSERT_NE(ENOSYS, errno) {
2775 TH_LOG("Kernel does not support seccomp syscall!");
2778 TH_LOG("Could install filter on all threads!");
2781 /* Tell the siblings to test the policy */
2782 pthread_mutex_lock(&self->mutex);
2783 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2784 TH_LOG("cond broadcast non-zero");
2786 pthread_mutex_unlock(&self->mutex);
2788 /* Ensure they are both killed and don't exit cleanly. */
2789 PTHREAD_JOIN(self->sibling[0].tid, &status);
2790 EXPECT_EQ(0x0, (long)status);
2791 PTHREAD_JOIN(self->sibling[1].tid, &status);
2792 EXPECT_EQ(0x0, (long)status);
2795 TEST_F(TSYNC, two_siblings_with_one_divergence)
2800 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2801 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2804 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2805 ASSERT_NE(ENOSYS, errno) {
2806 TH_LOG("Kernel does not support seccomp syscall!");
2809 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2811 self->sibling[0].diverge = 1;
2812 tsync_start_sibling(&self->sibling[0]);
2813 tsync_start_sibling(&self->sibling[1]);
2815 while (self->sibling_count < TSYNC_SIBLINGS) {
2816 sem_wait(&self->started);
2817 self->sibling_count++;
2820 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2822 ASSERT_EQ(self->sibling[0].system_tid, ret) {
2823 TH_LOG("Did not fail on diverged sibling.");
2826 /* Wake the threads */
2827 pthread_mutex_lock(&self->mutex);
2828 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2829 TH_LOG("cond broadcast non-zero");
2831 pthread_mutex_unlock(&self->mutex);
2833 /* Ensure they are both unkilled. */
2834 PTHREAD_JOIN(self->sibling[0].tid, &status);
2835 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2836 PTHREAD_JOIN(self->sibling[1].tid, &status);
2837 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2840 TEST_F(TSYNC, two_siblings_with_one_divergence_no_tid_in_err)
2845 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2846 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2849 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2850 ASSERT_NE(ENOSYS, errno) {
2851 TH_LOG("Kernel does not support seccomp syscall!");
2854 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2856 self->sibling[0].diverge = 1;
2857 tsync_start_sibling(&self->sibling[0]);
2858 tsync_start_sibling(&self->sibling[1]);
2860 while (self->sibling_count < TSYNC_SIBLINGS) {
2861 sem_wait(&self->started);
2862 self->sibling_count++;
2865 flags = SECCOMP_FILTER_FLAG_TSYNC | \
2866 SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
2867 ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &self->apply_prog);
2868 ASSERT_EQ(ESRCH, errno) {
2869 TH_LOG("Did not return ESRCH for diverged sibling.");
2871 ASSERT_EQ(-1, ret) {
2872 TH_LOG("Did not fail on diverged sibling.");
2875 /* Wake the threads */
2876 pthread_mutex_lock(&self->mutex);
2877 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2878 TH_LOG("cond broadcast non-zero");
2880 pthread_mutex_unlock(&self->mutex);
2882 /* Ensure they are both unkilled. */
2883 PTHREAD_JOIN(self->sibling[0].tid, &status);
2884 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2885 PTHREAD_JOIN(self->sibling[1].tid, &status);
2886 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2889 TEST_F(TSYNC, two_siblings_not_under_filter)
2893 struct timespec delay = { .tv_nsec = 100000000 };
2895 ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
2896 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
2900 * Sibling 0 will have its own seccomp policy
2901 * and Sibling 1 will not be under seccomp at
2902 * all. Sibling 1 will enter seccomp and 0
2903 * will cause failure.
2905 self->sibling[0].diverge = 1;
2906 tsync_start_sibling(&self->sibling[0]);
2907 tsync_start_sibling(&self->sibling[1]);
2909 while (self->sibling_count < TSYNC_SIBLINGS) {
2910 sem_wait(&self->started);
2911 self->sibling_count++;
2914 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2915 ASSERT_NE(ENOSYS, errno) {
2916 TH_LOG("Kernel does not support seccomp syscall!");
2919 TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
2922 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2924 ASSERT_EQ(ret, self->sibling[0].system_tid) {
2925 TH_LOG("Did not fail on diverged sibling.");
2928 if (ret == self->sibling[0].system_tid)
2931 pthread_mutex_lock(&self->mutex);
2933 /* Increment the other siblings num_waits so we can clean up
2934 * the one we just saw.
2936 self->sibling[!sib].num_waits += 1;
2938 /* Signal the thread to clean up*/
2939 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2940 TH_LOG("cond broadcast non-zero");
2942 pthread_mutex_unlock(&self->mutex);
2943 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2944 EXPECT_EQ(SIBLING_EXIT_UNKILLED, (long)status);
2945 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2946 while (!kill(self->sibling[sib].system_tid, 0))
2947 nanosleep(&delay, NULL);
2948 /* Switch to the remaining sibling */
2951 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2954 TH_LOG("Expected the remaining sibling to sync");
2957 pthread_mutex_lock(&self->mutex);
2959 /* If remaining sibling didn't have a chance to wake up during
2960 * the first broadcast, manually reduce the num_waits now.
2962 if (self->sibling[sib].num_waits > 1)
2963 self->sibling[sib].num_waits = 1;
2964 ASSERT_EQ(0, pthread_cond_broadcast(&self->cond)) {
2965 TH_LOG("cond broadcast non-zero");
2967 pthread_mutex_unlock(&self->mutex);
2968 PTHREAD_JOIN(self->sibling[sib].tid, &status);
2969 EXPECT_EQ(0, (long)status);
2970 /* Poll for actual task death. pthread_join doesn't guarantee it. */
2971 while (!kill(self->sibling[sib].system_tid, 0))
2972 nanosleep(&delay, NULL);
2974 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2976 ASSERT_EQ(0, ret); /* just us chickens */
2979 /* Make sure restarted syscalls are seen directly as "restart_syscall". */
2980 TEST(syscall_restart)
2987 siginfo_t info = { };
2988 struct sock_filter filter[] = {
2989 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
2990 offsetof(struct seccomp_data, nr)),
2992 #ifdef __NR_sigreturn
2993 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_sigreturn, 7, 0),
2995 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_read, 6, 0),
2996 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_exit, 5, 0),
2997 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_rt_sigreturn, 4, 0),
2998 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_nanosleep, 5, 0),
2999 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_clock_nanosleep, 4, 0),
3000 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_restart_syscall, 4, 0),
3002 /* Allow __NR_write for easy logging. */
3003 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_write, 0, 1),
3004 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3005 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
3006 /* The nanosleep jump target. */
3007 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x100),
3008 /* The restart_syscall jump target. */
3009 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE|0x200),
3011 struct sock_fprog prog = {
3012 .len = (unsigned short)ARRAY_SIZE(filter),
3015 #if defined(__arm__)
3016 struct utsname utsbuf;
3019 ASSERT_EQ(0, pipe(pipefd));
3022 ASSERT_LE(0, child_pid);
3023 if (child_pid == 0) {
3024 /* Child uses EXPECT not ASSERT to deliver status correctly. */
3026 struct timespec timeout = { };
3028 /* Attach parent as tracer and stop. */
3029 EXPECT_EQ(0, ptrace(PTRACE_TRACEME));
3030 EXPECT_EQ(0, raise(SIGSTOP));
3032 EXPECT_EQ(0, close(pipefd[1]));
3034 EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
3035 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3038 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
3040 TH_LOG("Failed to install filter!");
3043 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
3044 TH_LOG("Failed to read() sync from parent");
3046 EXPECT_EQ('.', buf) {
3047 TH_LOG("Failed to get sync data from read()");
3050 /* Start nanosleep to be interrupted. */
3053 EXPECT_EQ(0, nanosleep(&timeout, NULL)) {
3054 TH_LOG("Call to nanosleep() failed (errno %d)", errno);
3057 /* Read final sync from parent. */
3058 EXPECT_EQ(1, read(pipefd[0], &buf, 1)) {
3059 TH_LOG("Failed final read() from parent");
3061 EXPECT_EQ('!', buf) {
3062 TH_LOG("Failed to get final data from read()");
3065 /* Directly report the status of our test harness results. */
3066 syscall(__NR_exit, _metadata->passed ? EXIT_SUCCESS
3069 EXPECT_EQ(0, close(pipefd[0]));
3071 /* Attach to child, setup options, and release. */
3072 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3073 ASSERT_EQ(true, WIFSTOPPED(status));
3074 ASSERT_EQ(0, ptrace(PTRACE_SETOPTIONS, child_pid, NULL,
3075 PTRACE_O_TRACESECCOMP));
3076 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3077 ASSERT_EQ(1, write(pipefd[1], ".", 1));
3079 /* Wait for nanosleep() to start. */
3080 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3081 ASSERT_EQ(true, WIFSTOPPED(status));
3082 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
3083 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
3084 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
3085 ASSERT_EQ(0x100, msg);
3086 ret = get_syscall(_metadata, child_pid);
3087 EXPECT_TRUE(ret == __NR_nanosleep || ret == __NR_clock_nanosleep);
3089 /* Might as well check siginfo for sanity while we're here. */
3090 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
3091 ASSERT_EQ(SIGTRAP, info.si_signo);
3092 ASSERT_EQ(SIGTRAP | (PTRACE_EVENT_SECCOMP << 8), info.si_code);
3093 EXPECT_EQ(0, info.si_errno);
3094 EXPECT_EQ(getuid(), info.si_uid);
3095 /* Verify signal delivery came from child (seccomp-triggered). */
3096 EXPECT_EQ(child_pid, info.si_pid);
3098 /* Interrupt nanosleep with SIGSTOP (which we'll need to handle). */
3099 ASSERT_EQ(0, kill(child_pid, SIGSTOP));
3100 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3101 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3102 ASSERT_EQ(true, WIFSTOPPED(status));
3103 ASSERT_EQ(SIGSTOP, WSTOPSIG(status));
3104 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child_pid, NULL, &info));
3106 * There is no siginfo on SIGSTOP any more, so we can't verify
3107 * signal delivery came from parent now (getpid() == info.si_pid).
3108 * https://lkml.kernel.org/r/CAGXu5jJaZAOzP1qFz66tYrtbuywqb+UN2SOA1VLHpCCOiYvYeg@mail.gmail.com
3109 * At least verify the SIGSTOP via PTRACE_GETSIGINFO.
3111 EXPECT_EQ(SIGSTOP, info.si_signo);
3113 /* Restart nanosleep with SIGCONT, which triggers restart_syscall. */
3114 ASSERT_EQ(0, kill(child_pid, SIGCONT));
3115 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3116 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3117 ASSERT_EQ(true, WIFSTOPPED(status));
3118 ASSERT_EQ(SIGCONT, WSTOPSIG(status));
3119 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3121 /* Wait for restart_syscall() to start. */
3122 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3123 ASSERT_EQ(true, WIFSTOPPED(status));
3124 ASSERT_EQ(SIGTRAP, WSTOPSIG(status));
3125 ASSERT_EQ(PTRACE_EVENT_SECCOMP, (status >> 16));
3126 ASSERT_EQ(0, ptrace(PTRACE_GETEVENTMSG, child_pid, NULL, &msg));
3128 ASSERT_EQ(0x200, msg);
3129 ret = get_syscall(_metadata, child_pid);
3130 #if defined(__arm__)
3133 * - native ARM registers do NOT expose true syscall.
3134 * - compat ARM registers on ARM64 DO expose true syscall.
3136 ASSERT_EQ(0, uname(&utsbuf));
3137 if (strncmp(utsbuf.machine, "arm", 3) == 0) {
3138 EXPECT_EQ(__NR_nanosleep, ret);
3142 EXPECT_EQ(__NR_restart_syscall, ret);
3145 /* Write again to end test. */
3146 ASSERT_EQ(0, ptrace(PTRACE_CONT, child_pid, NULL, 0));
3147 ASSERT_EQ(1, write(pipefd[1], "!", 1));
3148 EXPECT_EQ(0, close(pipefd[1]));
3150 ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
3151 if (WIFSIGNALED(status) || WEXITSTATUS(status))
3152 _metadata->passed = 0;
3155 TEST_SIGNAL(filter_flag_log, SIGSYS)
3157 struct sock_filter allow_filter[] = {
3158 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3160 struct sock_filter kill_filter[] = {
3161 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
3162 offsetof(struct seccomp_data, nr)),
3163 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getpid, 0, 1),
3164 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
3165 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3167 struct sock_fprog allow_prog = {
3168 .len = (unsigned short)ARRAY_SIZE(allow_filter),
3169 .filter = allow_filter,
3171 struct sock_fprog kill_prog = {
3172 .len = (unsigned short)ARRAY_SIZE(kill_filter),
3173 .filter = kill_filter,
3176 pid_t parent = getppid();
3178 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3181 /* Verify that the FILTER_FLAG_LOG flag isn't accepted in strict mode */
3182 ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,
3184 ASSERT_NE(ENOSYS, errno) {
3185 TH_LOG("Kernel does not support seccomp syscall!");
3188 TH_LOG("Kernel accepted FILTER_FLAG_LOG flag in strict mode!");
3190 EXPECT_EQ(EINVAL, errno) {
3191 TH_LOG("Kernel returned unexpected errno for FILTER_FLAG_LOG flag in strict mode!");
3194 /* Verify that a simple, permissive filter can be added with no flags */
3195 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);
3198 /* See if the same filter can be added with the FILTER_FLAG_LOG flag */
3199 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3201 ASSERT_NE(EINVAL, errno) {
3202 TH_LOG("Kernel does not support the FILTER_FLAG_LOG flag!");
3206 /* Ensure that the kill filter works with the FILTER_FLAG_LOG flag */
3207 ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3211 EXPECT_EQ(parent, syscall(__NR_getppid));
3212 /* getpid() should never return. */
3213 EXPECT_EQ(0, syscall(__NR_getpid));
3216 TEST(get_action_avail)
3218 __u32 actions[] = { SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP,
3219 SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE,
3220 SECCOMP_RET_LOG, SECCOMP_RET_ALLOW };
3221 __u32 unknown_action = 0x10000000U;
3225 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]);
3226 ASSERT_NE(ENOSYS, errno) {
3227 TH_LOG("Kernel does not support seccomp syscall!");
3229 ASSERT_NE(EINVAL, errno) {
3230 TH_LOG("Kernel does not support SECCOMP_GET_ACTION_AVAIL operation!");
3234 for (i = 0; i < ARRAY_SIZE(actions); i++) {
3235 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]);
3237 TH_LOG("Expected action (0x%X) not available!",
3242 /* Check that an unknown action is handled properly (EOPNOTSUPP) */
3243 ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action);
3245 EXPECT_EQ(errno, EOPNOTSUPP);
3253 struct seccomp_metadata md;
3256 /* Only real root can get metadata. */
3258 SKIP(return, "get_metadata requires real root");
3262 ASSERT_EQ(0, pipe(pipefd));
3267 struct sock_filter filter[] = {
3268 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3270 struct sock_fprog prog = {
3271 .len = (unsigned short)ARRAY_SIZE(filter),
3275 /* one with log, one without */
3276 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
3277 SECCOMP_FILTER_FLAG_LOG, &prog));
3278 EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
3280 EXPECT_EQ(0, close(pipefd[0]));
3281 ASSERT_EQ(1, write(pipefd[1], "1", 1));
3282 ASSERT_EQ(0, close(pipefd[1]));
3288 ASSERT_EQ(0, close(pipefd[1]));
3289 ASSERT_EQ(1, read(pipefd[0], &buf, 1));
3291 ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
3292 ASSERT_EQ(pid, waitpid(pid, NULL, 0));
3294 /* Past here must not use ASSERT or child process is never killed. */
3298 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3299 EXPECT_EQ(sizeof(md), ret) {
3300 if (errno == EINVAL)
3301 SKIP(goto skip, "Kernel does not support PTRACE_SECCOMP_GET_METADATA (missing CONFIG_CHECKPOINT_RESTORE?)");
3304 EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
3305 EXPECT_EQ(md.filter_off, 0);
3308 ret = ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md);
3309 EXPECT_EQ(sizeof(md), ret);
3310 EXPECT_EQ(md.flags, 0);
3311 EXPECT_EQ(md.filter_off, 1);
3314 ASSERT_EQ(0, kill(pid, SIGKILL));
3317 static int user_notif_syscall(int nr, unsigned int flags)
3319 struct sock_filter filter[] = {
3320 BPF_STMT(BPF_LD|BPF_W|BPF_ABS,
3321 offsetof(struct seccomp_data, nr)),
3322 BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, nr, 0, 1),
3323 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_USER_NOTIF),
3324 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3327 struct sock_fprog prog = {
3328 .len = (unsigned short)ARRAY_SIZE(filter),
3332 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
3335 #define USER_NOTIF_MAGIC INT_MAX
3336 TEST(user_notification_basic)
3340 int status, listener;
3341 struct seccomp_notif req = {};
3342 struct seccomp_notif_resp resp = {};
3343 struct pollfd pollfd;
3345 struct sock_filter filter[] = {
3346 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
3348 struct sock_fprog prog = {
3349 .len = (unsigned short)ARRAY_SIZE(filter),
3353 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3355 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3361 /* Check that we get -ENOSYS with no listener attached */
3363 if (user_notif_syscall(__NR_getppid, 0) < 0)
3365 ret = syscall(__NR_getppid);
3366 exit(ret >= 0 || errno != ENOSYS);
3369 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3370 EXPECT_EQ(true, WIFEXITED(status));
3371 EXPECT_EQ(0, WEXITSTATUS(status));
3373 /* Add some no-op filters for grins. */
3374 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3375 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3376 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3377 EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3379 /* Check that the basic notification machinery works */
3380 listener = user_notif_syscall(__NR_getppid,
3381 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3382 ASSERT_GE(listener, 0);
3384 /* Installing a second listener in the chain should EBUSY */
3385 EXPECT_EQ(user_notif_syscall(__NR_getppid,
3386 SECCOMP_FILTER_FLAG_NEW_LISTENER),
3388 EXPECT_EQ(errno, EBUSY);
3394 ret = syscall(__NR_getppid);
3395 exit(ret != USER_NOTIF_MAGIC);
3398 pollfd.fd = listener;
3399 pollfd.events = POLLIN | POLLOUT;
3401 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3402 EXPECT_EQ(pollfd.revents, POLLIN);
3404 /* Test that we can't pass garbage to the kernel. */
3405 memset(&req, 0, sizeof(req));
3408 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);
3410 EXPECT_EQ(EINVAL, errno);
3414 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3417 pollfd.fd = listener;
3418 pollfd.events = POLLIN | POLLOUT;
3420 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3421 EXPECT_EQ(pollfd.revents, POLLOUT);
3423 EXPECT_EQ(req.data.nr, __NR_getppid);
3427 resp.val = USER_NOTIF_MAGIC;
3429 /* check that we make sure flags == 0 */
3431 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3432 EXPECT_EQ(errno, EINVAL);
3435 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3437 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3438 EXPECT_EQ(true, WIFEXITED(status));
3439 EXPECT_EQ(0, WEXITSTATUS(status));
3442 TEST(user_notification_with_tsync)
3447 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3449 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3452 /* these were exclusive */
3453 flags = SECCOMP_FILTER_FLAG_NEW_LISTENER |
3454 SECCOMP_FILTER_FLAG_TSYNC;
3455 ASSERT_EQ(-1, user_notif_syscall(__NR_getppid, flags));
3456 ASSERT_EQ(EINVAL, errno);
3458 /* but now they're not */
3459 flags |= SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
3460 ret = user_notif_syscall(__NR_getppid, flags);
3465 TEST(user_notification_kill_in_middle)
3470 struct seccomp_notif req = {};
3471 struct seccomp_notif_resp resp = {};
3473 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3475 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3478 listener = user_notif_syscall(__NR_getppid,
3479 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3480 ASSERT_GE(listener, 0);
3483 * Check that nothing bad happens when we kill the task in the middle
3490 ret = syscall(__NR_getppid);
3491 exit(ret != USER_NOTIF_MAGIC);
3494 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3495 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), 0);
3497 EXPECT_EQ(kill(pid, SIGKILL), 0);
3498 EXPECT_EQ(waitpid(pid, NULL, 0), pid);
3500 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id), -1);
3503 ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
3505 EXPECT_EQ(errno, ENOENT);
3508 static int handled = -1;
3510 static void signal_handler(int signal)
3512 if (write(handled, "c", 1) != 1)
3513 perror("write from signal");
3516 TEST(user_notification_signal)
3520 int status, listener, sk_pair[2];
3521 struct seccomp_notif req = {};
3522 struct seccomp_notif_resp resp = {};
3525 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3527 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3530 ASSERT_EQ(socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair), 0);
3532 listener = user_notif_syscall(__NR_gettid,
3533 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3534 ASSERT_GE(listener, 0);
3541 handled = sk_pair[1];
3542 if (signal(SIGUSR1, signal_handler) == SIG_ERR) {
3547 * ERESTARTSYS behavior is a bit hard to test, because we need
3548 * to rely on a signal that has not yet been handled. Let's at
3549 * least check that the error code gets propagated through, and
3550 * hope that it doesn't break when there is actually a signal :)
3552 ret = syscall(__NR_gettid);
3553 exit(!(ret == -1 && errno == 512));
3558 memset(&req, 0, sizeof(req));
3559 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3561 EXPECT_EQ(kill(pid, SIGUSR1), 0);
3564 * Make sure the signal really is delivered, which means we're not
3565 * stuck in the user notification code any more and the notification
3568 EXPECT_EQ(read(sk_pair[0], &c, 1), 1);
3571 resp.error = -EPERM;
3574 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3575 EXPECT_EQ(errno, ENOENT);
3577 memset(&req, 0, sizeof(req));
3578 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3581 resp.error = -512; /* -ERESTARTSYS */
3584 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3586 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3587 EXPECT_EQ(true, WIFEXITED(status));
3588 EXPECT_EQ(0, WEXITSTATUS(status));
3591 TEST(user_notification_closed_listener)
3595 int status, listener;
3597 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3599 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3602 listener = user_notif_syscall(__NR_getppid,
3603 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3604 ASSERT_GE(listener, 0);
3607 * Check that we get an ENOSYS when the listener is closed.
3613 ret = syscall(__NR_getppid);
3614 exit(ret != -1 && errno != ENOSYS);
3619 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3620 EXPECT_EQ(true, WIFEXITED(status));
3621 EXPECT_EQ(0, WEXITSTATUS(status));
3625 * Check that a pid in a child namespace still shows up as valid in ours.
3627 TEST(user_notification_child_pid_ns)
3630 int status, listener;
3631 struct seccomp_notif req = {};
3632 struct seccomp_notif_resp resp = {};
3634 ASSERT_EQ(unshare(CLONE_NEWUSER | CLONE_NEWPID), 0) {
3635 if (errno == EINVAL)
3636 SKIP(return, "kernel missing CLONE_NEWUSER support");
3639 listener = user_notif_syscall(__NR_getppid,
3640 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3641 ASSERT_GE(listener, 0);
3647 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3649 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3650 EXPECT_EQ(req.pid, pid);
3654 resp.val = USER_NOTIF_MAGIC;
3656 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3658 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3659 EXPECT_EQ(true, WIFEXITED(status));
3660 EXPECT_EQ(0, WEXITSTATUS(status));
3665 * Check that a pid in a sibling (i.e. unrelated) namespace shows up as 0, i.e.
3668 TEST(user_notification_sibling_pid_ns)
3671 int status, listener;
3672 struct seccomp_notif req = {};
3673 struct seccomp_notif_resp resp = {};
3675 ASSERT_EQ(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), 0) {
3676 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3679 listener = user_notif_syscall(__NR_getppid,
3680 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3681 ASSERT_GE(listener, 0);
3687 ASSERT_EQ(unshare(CLONE_NEWPID), 0);
3693 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3695 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3696 EXPECT_EQ(true, WIFEXITED(status));
3697 EXPECT_EQ(0, WEXITSTATUS(status));
3698 exit(WEXITSTATUS(status));
3701 /* Create the sibling ns, and sibling in it. */
3702 ASSERT_EQ(unshare(CLONE_NEWPID), 0) {
3704 SKIP(return, "CLONE_NEWPID requires CAP_SYS_ADMIN");
3706 ASSERT_EQ(errno, 0);
3712 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3714 * The pid should be 0, i.e. the task is in some namespace that
3717 EXPECT_EQ(req.pid, 0);
3721 resp.val = USER_NOTIF_MAGIC;
3723 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3729 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3730 EXPECT_EQ(true, WIFEXITED(status));
3731 EXPECT_EQ(0, WEXITSTATUS(status));
3733 EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
3734 EXPECT_EQ(true, WIFEXITED(status));
3735 EXPECT_EQ(0, WEXITSTATUS(status));
3738 TEST(user_notification_fault_recv)
3741 int status, listener;
3742 struct seccomp_notif req = {};
3743 struct seccomp_notif_resp resp = {};
3745 ASSERT_EQ(unshare(CLONE_NEWUSER), 0);
3747 listener = user_notif_syscall(__NR_getppid,
3748 SECCOMP_FILTER_FLAG_NEW_LISTENER);
3749 ASSERT_GE(listener, 0);
3755 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
3757 /* Do a bad recv() */
3758 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
3759 EXPECT_EQ(errno, EFAULT);
3761 /* We should still be able to receive this notification, though. */
3762 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3763 EXPECT_EQ(req.pid, pid);
3767 resp.val = USER_NOTIF_MAGIC;
3769 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
3771 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3772 EXPECT_EQ(true, WIFEXITED(status));
3773 EXPECT_EQ(0, WEXITSTATUS(status));
3776 TEST(seccomp_get_notif_sizes)
3778 struct seccomp_notif_sizes sizes;
3780 ASSERT_EQ(seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes), 0);
3781 EXPECT_EQ(sizes.seccomp_notif, sizeof(struct seccomp_notif));
3782 EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
3785 TEST(user_notification_continue)
3789 int status, listener;
3790 struct seccomp_notif req = {};
3791 struct seccomp_notif_resp resp = {};
3792 struct pollfd pollfd;
3794 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3796 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3799 listener = user_notif_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3800 ASSERT_GE(listener, 0);
3806 int dup_fd, pipe_fds[2];
3809 ASSERT_GE(pipe(pipe_fds), 0);
3811 dup_fd = dup(pipe_fds[0]);
3812 ASSERT_GE(dup_fd, 0);
3813 EXPECT_NE(pipe_fds[0], dup_fd);
3816 ASSERT_EQ(filecmp(self, self, pipe_fds[0], dup_fd), 0);
3820 pollfd.fd = listener;
3821 pollfd.events = POLLIN | POLLOUT;
3823 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3824 EXPECT_EQ(pollfd.revents, POLLIN);
3826 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
3828 pollfd.fd = listener;
3829 pollfd.events = POLLIN | POLLOUT;
3831 EXPECT_GT(poll(&pollfd, 1, -1), 0);
3832 EXPECT_EQ(pollfd.revents, POLLOUT);
3834 EXPECT_EQ(req.data.nr, __NR_dup);
3837 resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
3840 * Verify that setting SECCOMP_USER_NOTIF_FLAG_CONTINUE enforces other
3844 resp.val = USER_NOTIF_MAGIC;
3845 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3846 EXPECT_EQ(errno, EINVAL);
3848 resp.error = USER_NOTIF_MAGIC;
3850 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
3851 EXPECT_EQ(errno, EINVAL);
3855 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0) {
3856 if (errno == EINVAL)
3857 SKIP(goto skip, "Kernel does not support SECCOMP_USER_NOTIF_FLAG_CONTINUE");
3861 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3862 EXPECT_EQ(true, WIFEXITED(status));
3863 EXPECT_EQ(0, WEXITSTATUS(status)) {
3864 if (WEXITSTATUS(status) == 2) {
3865 SKIP(return, "Kernel does not support kcmp() syscall");
3871 TEST(user_notification_filter_empty)
3876 struct pollfd pollfd;
3877 struct __clone_args args = {
3878 .flags = CLONE_FILES,
3879 .exit_signal = SIGCHLD,
3882 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3884 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3887 pid = sys_clone3(&args, sizeof(args));
3893 listener = user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3895 _exit(EXIT_FAILURE);
3897 if (dup2(listener, 200) != 200)
3898 _exit(EXIT_FAILURE);
3902 _exit(EXIT_SUCCESS);
3905 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3906 EXPECT_EQ(true, WIFEXITED(status));
3907 EXPECT_EQ(0, WEXITSTATUS(status));
3910 * The seccomp filter has become unused so we should be notified once
3911 * the kernel gets around to cleaning up task struct.
3914 pollfd.events = POLLHUP;
3916 EXPECT_GT(poll(&pollfd, 1, 2000), 0);
3917 EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0);
3920 static void *do_thread(void *data)
3925 TEST(user_notification_filter_empty_threaded)
3930 struct pollfd pollfd;
3931 struct __clone_args args = {
3932 .flags = CLONE_FILES,
3933 .exit_signal = SIGCHLD,
3936 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
3938 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
3941 pid = sys_clone3(&args, sizeof(args));
3946 int listener, status;
3949 listener = user_notif_syscall(__NR_dup, SECCOMP_FILTER_FLAG_NEW_LISTENER);
3951 _exit(EXIT_FAILURE);
3953 if (dup2(listener, 200) != 200)
3954 _exit(EXIT_FAILURE);
3960 _exit(EXIT_FAILURE);
3963 _exit(EXIT_SUCCESS);
3967 _exit(EXIT_FAILURE);
3970 _exit(EXIT_SUCCESS);
3972 if (pthread_create(&thread, NULL, do_thread, NULL) ||
3973 pthread_join(thread, NULL))
3974 _exit(EXIT_FAILURE);
3976 if (pthread_create(&thread, NULL, do_thread, NULL) ||
3977 pthread_join(thread, NULL))
3978 _exit(EXIT_FAILURE);
3980 if (waitpid(pid1, &status, 0) != pid1 || !WIFEXITED(status) ||
3981 WEXITSTATUS(status))
3982 _exit(EXIT_FAILURE);
3984 if (waitpid(pid2, &status, 0) != pid2 || !WIFEXITED(status) ||
3985 WEXITSTATUS(status))
3986 _exit(EXIT_FAILURE);
3991 EXPECT_EQ(waitpid(pid, &status, 0), pid);
3992 EXPECT_EQ(true, WIFEXITED(status));
3993 EXPECT_EQ(0, WEXITSTATUS(status));
3996 * The seccomp filter has become unused so we should be notified once
3997 * the kernel gets around to cleaning up task struct.
4000 pollfd.events = POLLHUP;
4002 EXPECT_GT(poll(&pollfd, 1, 2000), 0);
4003 EXPECT_GT((pollfd.revents & POLLHUP) ?: 0, 0);
4006 TEST(user_notification_addfd)
4010 int status, listener, memfd, fd, nextfd;
4011 struct seccomp_notif_addfd addfd = {};
4012 struct seccomp_notif_addfd_small small = {};
4013 struct seccomp_notif_addfd_big big = {};
4014 struct seccomp_notif req = {};
4015 struct seccomp_notif_resp resp = {};
4017 struct timespec delay = { .tv_nsec = 100000000 };
4019 /* There may be arbitrary already-open fds at test start. */
4020 memfd = memfd_create("test", 0);
4021 ASSERT_GE(memfd, 0);
4024 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
4026 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
4030 /* Check that the basic notification machinery works */
4031 listener = user_notif_syscall(__NR_getppid,
4032 SECCOMP_FILTER_FLAG_NEW_LISTENER);
4033 ASSERT_EQ(listener, nextfd++);
4039 /* fds will be added and this value is expected */
4040 if (syscall(__NR_getppid) != USER_NOTIF_MAGIC)
4043 /* Atomic addfd+send is received here. Check it is a valid fd */
4044 if (fcntl(syscall(__NR_getppid), F_GETFD) == -1)
4047 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
4050 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
4052 addfd.srcfd = memfd;
4057 /* Verify bad newfd_flags cannot be set */
4058 addfd.newfd_flags = ~O_CLOEXEC;
4059 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4060 EXPECT_EQ(errno, EINVAL);
4061 addfd.newfd_flags = O_CLOEXEC;
4063 /* Verify bad flags cannot be set */
4065 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4066 EXPECT_EQ(errno, EINVAL);
4069 /* Verify that remote_fd cannot be set without setting flags */
4071 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4072 EXPECT_EQ(errno, EINVAL);
4075 /* Verify small size cannot be set */
4076 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_SMALL, &small), -1);
4077 EXPECT_EQ(errno, EINVAL);
4079 /* Verify we can't send bits filled in unknown buffer area */
4080 memset(&big, 0xAA, sizeof(big));
4082 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big), -1);
4083 EXPECT_EQ(errno, E2BIG);
4086 /* Verify we can set an arbitrary remote fd */
4087 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
4088 EXPECT_EQ(fd, nextfd++);
4089 EXPECT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
4091 /* Verify we can set an arbitrary remote fd with large size */
4092 memset(&big, 0x0, sizeof(big));
4094 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD_BIG, &big);
4095 EXPECT_EQ(fd, nextfd++);
4097 /* Verify we can set a specific remote fd */
4099 addfd.flags = SECCOMP_ADDFD_FLAG_SETFD;
4100 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
4102 EXPECT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
4104 /* Resume syscall */
4107 resp.val = USER_NOTIF_MAGIC;
4108 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
4111 * This sets the ID of the ADD FD to the last request plus 1. The
4112 * notification ID increments 1 per notification.
4114 addfd.id = req.id + 1;
4116 /* This spins until the underlying notification is generated */
4117 while (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) != -1 &&
4118 errno != -EINPROGRESS)
4119 nanosleep(&delay, NULL);
4121 memset(&req, 0, sizeof(req));
4122 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
4123 ASSERT_EQ(addfd.id, req.id);
4125 /* Verify we can do an atomic addfd and send */
4127 addfd.flags = SECCOMP_ADDFD_FLAG_SEND;
4128 fd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
4130 * Child has earlier "low" fds and now 42, so we expect the next
4131 * lowest available fd to be assigned here.
4133 EXPECT_EQ(fd, nextfd++);
4134 ASSERT_EQ(filecmp(getpid(), pid, memfd, fd), 0);
4137 * This sets the ID of the ADD FD to the last request plus 1. The
4138 * notification ID increments 1 per notification.
4140 addfd.id = req.id + 1;
4142 /* This spins until the underlying notification is generated */
4143 while (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd) != -1 &&
4144 errno != -EINPROGRESS)
4145 nanosleep(&delay, NULL);
4147 memset(&req, 0, sizeof(req));
4148 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
4149 ASSERT_EQ(addfd.id, req.id);
4153 resp.val = USER_NOTIF_MAGIC;
4154 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
4156 /* Wait for child to finish. */
4157 EXPECT_EQ(waitpid(pid, &status, 0), pid);
4158 EXPECT_EQ(true, WIFEXITED(status));
4159 EXPECT_EQ(0, WEXITSTATUS(status));
4164 TEST(user_notification_addfd_rlimit)
4168 int status, listener, memfd;
4169 struct seccomp_notif_addfd addfd = {};
4170 struct seccomp_notif req = {};
4171 struct seccomp_notif_resp resp = {};
4172 const struct rlimit lim = {
4177 memfd = memfd_create("test", 0);
4178 ASSERT_GE(memfd, 0);
4180 ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
4182 TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
4185 /* Check that the basic notification machinery works */
4186 listener = user_notif_syscall(__NR_getppid,
4187 SECCOMP_FILTER_FLAG_NEW_LISTENER);
4188 ASSERT_GE(listener, 0);
4194 exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
4197 ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
4199 ASSERT_EQ(prlimit(pid, RLIMIT_NOFILE, &lim, NULL), 0);
4201 addfd.srcfd = memfd;
4202 addfd.newfd_flags = O_CLOEXEC;
4207 /* Should probably spot check /proc/sys/fs/file-nr */
4208 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4209 EXPECT_EQ(errno, EMFILE);
4211 addfd.flags = SECCOMP_ADDFD_FLAG_SEND;
4212 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4213 EXPECT_EQ(errno, EMFILE);
4216 addfd.flags = SECCOMP_ADDFD_FLAG_SETFD;
4217 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd), -1);
4218 EXPECT_EQ(errno, EBADF);
4222 resp.val = USER_NOTIF_MAGIC;
4224 EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), 0);
4226 /* Wait for child to finish. */
4227 EXPECT_EQ(waitpid(pid, &status, 0), pid);
4228 EXPECT_EQ(true, WIFEXITED(status));
4229 EXPECT_EQ(0, WEXITSTATUS(status));
4236 * - expand NNP testing
4237 * - better arch-specific TRACE and TRAP handlers.
4238 * - endianness checking when appropriate
4239 * - 64-bit arg prodding
4240 * - arch value testing (x86 modes especially)
4241 * - verify that FILTER_FLAG_LOG filters generate log messages
4242 * - verify that RET_LOG generates log messages