From: Kees Cook Date: Sun, 3 Oct 2021 21:26:59 +0000 (+0100) Subject: revert_various_additions_to_improve_code_coverage X-Git-Tag: archive/raspbian/2.5.2-2+rpi1^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a0e7b68480b427d5dd91aea19d965d3439598f3e;p=libseccomp.git revert_various_additions_to_improve_code_coverage REVERTS From aa0f858aa58d51c93a176c60a4c83a4a303bcffd Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 3 Aug 2021 14:12:50 -0400 Subject: [PATCH] tests: various additions to improve code coverage Acked-by: Tom Hromatka Signed-off-by: Paul Moore (imported from commit fcc601279004a7f4c2f6ebf766acb4556b0f5e65) Gbp-Pq: Name revert_various_additions_to_improve_code_coverage.patch
---
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
index 49d9eef..da059df 100644
--- a/tests/11-basic-basic_errors.c
+++ b/tests/11-basic-basic_errors.c
@@ -29,8 +29,6 @@ int main(int argc, char *argv[])
 int rc;
 scmp_filter_ctx ctx;
 uint32_t attr;
- struct seccomp_notif *req = NULL;
- struct seccomp_notif_resp *resp = NULL;
 /* seccomp_init errors */
 ctx = seccomp_init(SCMP_ACT_ALLOW + 1);
@@ -125,9 +123,6 @@ int main(int argc, char *argv[])
 return -1;
 rc = seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, 2));
- if (rc != -EINVAL)
- return -1;
- rc = seccomp_rule_add_exact(ctx, 0xdeadbeef, SCMP_SYS(open), 0);
 if (rc != -EINVAL)
 return -1;
 seccomp_release(ctx);
@@ -185,53 +180,6 @@ int main(int argc, char *argv[])
 rc = seccomp_attr_set(ctx, 1000, 1);
 if (rc != -EINVAL)
 return -1;
- seccomp_release(ctx);
- ctx = NULL;
-
- /* seccomp_merge() errors */
- ctx = seccomp_init(SCMP_ACT_ALLOW);
- if (ctx == NULL)
- return -1;
- rc = seccomp_merge(ctx, NULL);
- if (rc == 0)
- return -1;
- seccomp_release(ctx);
- ctx = NULL;
-
- /* seccomp notify errors */
- ctx = seccomp_init(SCMP_ACT_ALLOW);
- if (ctx == NULL)
- return -1;
- rc = seccomp_notify_alloc(NULL, NULL);
- if (rc != 0)
- return -1;
- rc = seccomp_notify_alloc(&req, NULL);
- if (rc != 0)
- return -1;
- rc = seccomp_notify_alloc(NULL, &resp);
- if (rc != 0)
- return -1;
- seccomp_notify_free(NULL, NULL);
- seccomp_notify_free(req, resp);
- req = NULL;
- resp = NULL;
- rc = seccomp_notify_receive(-1, NULL);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_respond(-1, NULL);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_id_valid(-1, 0);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_fd(NULL);
- if (rc == 0)
- return -1;
- rc = seccomp_notify_fd(ctx);
- if (rc == 0)
- return -1;
- seccomp_release(ctx);
- ctx = NULL;
 return 0;
 }
diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
index 6db69e8..2679270 100644
--- a/tests/15-basic-resolver.c
+++ b/tests/15-basic-resolver.c
@@ -68,7 +68,6 @@ int main(int argc, char *argv[])
 goto fail;
 while ((arch = arch_list[iter++]) != -1) {
- int sys;
 int nr_open;
 int nr_read;
 int nr_socket;
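Review bot: The revert also drops the `seccomp_release(ctx);` that ran after the `seccomp_attr_set(ctx, 1000, 1)` check, so on the new side the success path reaches `return 0;` with that filter context still allocated. Only the merge and notify error cases needed to go; the first two removed lines of this hunk, `seccomp_release(ctx);` and `ctx = NULL;`, could stay ahead of `return 0;`. The context's allocation is above the hunk, so this assumes `ctx` is live here, which the attr_set call on it suggests. It is harmless for a process about to exit but will show up if this test is ever run under a leak checker.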
@@ -120,45 +119,6 @@ int main(int argc, char *argv[])
 goto fail;
 free(name);
 name = NULL;
-
- /* socket pseudo-syscalls */
- if (seccomp_syscall_resolve_name_arch(arch, "socketcall") > 0) {
- for (sys = -101; sys >= -120; sys--) {
- name = seccomp_syscall_resolve_num_arch(arch,
- sys);
- if (name == NULL)
- goto fail;
- free(name);
- name = NULL;
- }
- }
- /* ipc pseudo-syscalls */
- if (seccomp_syscall_resolve_name_arch(arch, "ipc") > 0) {
- for (sys = -201; sys >= -204; sys--) {
- name = seccomp_syscall_resolve_num_arch(arch,
- sys);
- if (name == NULL)
- goto fail;
- free(name);
- name = NULL;
- }
- for (sys = -211; sys >= -214; sys--) {
- name = seccomp_syscall_resolve_num_arch(arch,
- sys);
- if (name == NULL)
- goto fail;
- free(name);
- name = NULL;
- }
- for (sys = -221; sys >= -224; sys--) {
- name = seccomp_syscall_resolve_num_arch(arch,
- sys);
- if (name == NULL)
- goto fail;
- free(name);
- name = NULL;
- }
- }
 }
 return 0;
diff --git a/tests/30-sim-socket_syscalls.c b/tests/30-sim-socket_syscalls.c
index 900f0a3..7a193b2 100644
--- a/tests/30-sim-socket_syscalls.c
+++ b/tests/30-sim-socket_syscalls.c
@@ -61,79 +61,19 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(bind), 0);
- if (rc != 0)
- goto out;
-
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0);
 if (rc != 0)
 goto out;
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(listen), 0);
- if (rc != 0)
- goto out;
-
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept), 0);
 if (rc != 0)
 goto out;
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockname), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpeername), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(send), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recv), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendto), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvfrom), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmsg), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmsg), 0);
- if (rc != 0)
- goto out;
-
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 0);
 if (rc != 0)
 goto out;
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendmmsg), 0);
- if (rc != 0)
- goto out;
-
- rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(recvmmsg), 0);
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0);
 if (rc != 0)
 goto out;
diff --git a/tests/33-sim-socket_syscalls_be.c b/tests/33-sim-socket_syscalls_be.c
index e770771..7c4d788 100644
--- a/tests/33-sim-socket_syscalls_be.c
+++ b/tests/33-sim-socket_syscalls_be.c
@@ -48,9 +48,6 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
- if (rc != 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
 if (rc != 0)
 goto out;
diff --git a/tests/33-sim-socket_syscalls_be.py b/tests/33-sim-socket_syscalls_be.py
index c3cd628..416fb33 100755
--- a/tests/33-sim-socket_syscalls_be.py
+++ b/tests/33-sim-socket_syscalls_be.py
@@ -33,7 +33,6 @@ def test(args):
 f.remove_arch(Arch())
 f.add_arch(Arch("s390"))
 f.add_arch(Arch("s390x"))
- f.add_arch(Arch("ppc"))
 f.add_rule(ALLOW, "socket")
 f.add_rule(ALLOW, "connect")
 f.add_rule(ALLOW, "accept")
diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests
index 11e2552..b2523af 100644
--- a/tests/33-sim-socket_syscalls_be.tests
+++ b/tests/33-sim-socket_syscalls_be.tests
@@ -7,23 +7,31 @@ test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 1 N N N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 3 N N N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 5 N N N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x,+ppc socketcall 13 N N N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x 359 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +ppc 326 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x 362 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +ppc 328 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x 364 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +ppc 344 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x 373 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +ppc 338 0 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 5 N N N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept 0 1 2 N N N KILL
-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 18 1 2 N N N ALLOW
-33-sim-socket_syscalls_be +s390,+s390x,+ppc accept4 0 1 2 N N N KILL
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+33-sim-socket_syscalls_be +s390 socketcall 1 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390 socketcall 3 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390 socketcall 5 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390 socketcall 13 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390 359 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390 362 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390 364 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390 373 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390 accept 5 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390 accept 0 1 2 N N N KILL
+33-sim-socket_syscalls_be +s390 accept4 18 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390 accept4 0 1 2 N N N KILL
+33-sim-socket_syscalls_be +s390x socketcall 1 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390x socketcall 3 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390x socketcall 5 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390x socketcall 13 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390x 359 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390x 362 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390x 364 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390x 373 0 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390x accept 5 N N N N N ALLOW
+33-sim-socket_syscalls_be +s390x accept 0 1 2 N N N KILL
+33-sim-socket_syscalls_be +s390x accept4 18 1 2 N N N ALLOW
+33-sim-socket_syscalls_be +s390x accept4 0 1 2 N N N KILL
 test type: bpf-valgrind
diff --git a/tests/36-sim-ipc_syscalls.c b/tests/36-sim-ipc_syscalls.c
index c9b575e..1437e43 100644
--- a/tests/36-sim-ipc_syscalls.c
+++ b/tests/36-sim-ipc_syscalls.c
@@ -54,9 +54,6 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
- if (rc != 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
 if (rc != 0)
 goto out;
diff --git a/tests/36-sim-ipc_syscalls.py b/tests/36-sim-ipc_syscalls.py
index 90a8e9f..2e223ff 100755
--- a/tests/36-sim-ipc_syscalls.py
+++ b/tests/36-sim-ipc_syscalls.py
@@ -35,7 +35,6 @@ def test(args):
 f.add_arch(Arch("x86_64"))
 f.add_arch(Arch("x32"))
 f.add_arch(Arch("ppc64le"))
- f.add_arch(Arch("mipsel"))
 f.add_rule(ALLOW, "semop")
 f.add_rule(ALLOW, "semtimedop")
 f.add_rule(ALLOW, "semget")
diff --git a/tests/36-sim-ipc_syscalls.tests b/tests/36-sim-ipc_syscalls.tests
index 90e5445..8d83af7 100644
--- a/tests/36-sim-ipc_syscalls.tests
+++ b/tests/36-sim-ipc_syscalls.tests
@@ -7,31 +7,31 @@ test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 1 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 2 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 3 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 4 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 11 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 12 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 13 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 14 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 21 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 22 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 23 N N N N N ALLOW
-36-sim-ipc_syscalls +x86,+ppc64le,+mipsel ipc 24 N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW
-36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+36-sim-ipc_syscalls +x86,+ppc64le ipc 1 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 2 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 3 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 4 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 11 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 12 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 13 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 14 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 21 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 22 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 23 N N N N N ALLOW
+36-sim-ipc_syscalls +x86,+ppc64le ipc 24 N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semop N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semget N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semctl N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 semtimedop N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgsnd N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgrcv N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgget N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 msgctl N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmat N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmdt N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmget N N N N N N ALLOW
+36-sim-ipc_syscalls +x86_64 shmctl N N N N N N ALLOW
 test type: bpf-valgrind
diff --git a/tests/37-sim-ipc_syscalls_be.c b/tests/37-sim-ipc_syscalls_be.c
index d1bd57e..e82a2aa 100644
--- a/tests/37-sim-ipc_syscalls_be.c
+++ b/tests/37-sim-ipc_syscalls_be.c
@@ -48,9 +48,6 @@ int main(int argc, char *argv[])
 if (rc != 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_S390X);
- if (rc != 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC);
 if (rc != 0)
 goto out;
diff --git a/tests/37-sim-ipc_syscalls_be.py b/tests/37-sim-ipc_syscalls_be.py
index 18a09d0..40ae279 100755
--- a/tests/37-sim-ipc_syscalls_be.py
+++ b/tests/37-sim-ipc_syscalls_be.py
@@ -33,7 +33,6 @@ def test(args):
 f.remove_arch(Arch())
 f.add_arch(Arch("s390"))
 f.add_arch(Arch("s390x"))
- f.add_arch(Arch("ppc"))
 f.add_rule(ALLOW, "semop")
 f.add_rule(ALLOW, "semtimedop")
 f.add_rule(ALLOW, "semget")
diff --git a/tests/37-sim-ipc_syscalls_be.tests b/tests/37-sim-ipc_syscalls_be.tests
index 96a5c81..ff98cec 100644
--- a/tests/37-sim-ipc_syscalls_be.tests
+++ b/tests/37-sim-ipc_syscalls_be.tests
@@ -7,19 +7,19 @@ test type: bpf-sim
-# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 1 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 2 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 3 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 4 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 11 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 12 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 13 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 14 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 21 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 22 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 23 N N N N N ALLOW
-37-sim-ipc_syscalls_be +s390,+s390x,+ppc ipc 24 N N N N N ALLOW
+# Testname Arch Syscall Arg0 Arg1 Arg2 Arg3 Arg4 Arg5 Result
+37-sim-ipc_syscalls_be +s390,+s390x ipc 1 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 2 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 3 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 4 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 11 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 12 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 13 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 14 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 21 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 22 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 23 N N N N N ALLOW
+37-sim-ipc_syscalls_be +s390,+s390x ipc 24 N N N N N ALLOW
 test type: bpf-valgrind
diff --git a/tests/38-basic-pfc_coverage.c b/tests/38-basic-pfc_coverage.c
index c6829ac..e680afc 100644
--- a/tests/38-basic-pfc_coverage.c
+++ b/tests/38-basic-pfc_coverage.c
@@ -55,30 +55,6 @@ int main(int argc, char *argv[])
 if (rc < 0)
 goto out;
 rc = seccomp_arch_add(ctx, SCMP_ARCH_X86);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_ARM);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_MIPSEL64N32);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
- if (rc < 0)
- goto out;
- rc = seccomp_arch_add(ctx, SCMP_ARCH_RISCV64);
 if (rc < 0)
 goto out;
@@ -109,9 +85,6 @@ int main(int argc, char *argv[])
 if (rc < 0)
 goto out;
 rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
- if (rc < 0)
- goto out;
- rc = seccomp_rule_add(ctx, SCMP_ACT_LOG, SCMP_SYS(exit_group), 0);
 if (rc < 0)
 goto out;
diff --git a/tests/38-basic-pfc_coverage.pfc b/tests/38-basic-pfc_coverage.pfc
index 3fb181b..8d3c53b 100644
--- a/tests/38-basic-pfc_coverage.pfc
+++ b/tests/38-basic-pfc_coverage.pfc
@@ -3,9 +3,6 @@ # # filter for arch x86_64 (3221225534) if ($arch == 3221225534) - # filter for syscall "exit_group" (231) [priority: 65535] - if ($syscall == 231) - action LOG; # filter for syscall "exit" (60) [priority: 65535] if ($syscall == 60) action TRACE(1);
@@ -100,9 +97,6 @@ if ($arch == 3221225534) action ALLOW; # filter for arch x86 (1073741827) if ($arch == 1073741827) - # filter for syscall "exit_group" (252) [priority: 65535] - if ($syscall == 252) - action LOG; # filter for syscall "fstat" (108) [priority: 65535] if ($syscall == 108) action KILL_PROCESS;
@@ -133,534 +127,6 @@ if ($arch == 1073741827) action KILL; # default action action ALLOW; -# filter for arch x32 (3221225534) -if ($arch == 3221225534) - # filter for syscall "exit_group" (1073742055) [priority: 65535] - if ($syscall == 1073742055) - action LOG; - # filter for syscall "exit" (1073741884) [priority: 65535] - if ($syscall == 1073741884) - action TRACE(1); - # filter for syscall "fstat" (1073741829) [priority: 65535] - if ($syscall == 1073741829) - action KILL_PROCESS; - # filter for syscall "close" (1073741827) [priority: 65535] - if ($syscall == 1073741827) - action ERRNO(1); - # filter for syscall "open" (1073741826) [priority: 65535] - if ($syscall == 1073741826) - action KILL; - # filter for syscall "write" (1073741825) [priority: 65532] - if ($syscall == 1073741825) - if ($a0 == 0) - else - if ($a1 > 1) - else - if ($a2 >= 2) - else - action TRAP; - # filter for syscall "read" (1073741824) [priority: 65531] - if ($syscall == 1073741824) - if ($a0 == 0) - if ($a1 >= 1) - if ($a2 > 2) - if ($a3 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter for arch arm (1073741864) -if ($arch == 1073741864) - # filter for syscall "exit_group" (248) [priority: 65535] - if ($syscall == 248) - action LOG; - # filter for syscall "fstat" (108) [priority: 65535] - if ($syscall == 108) - action KILL_PROCESS; - # filter for syscall "close" (6) [priority: 65535] - if ($syscall == 6) - action ERRNO(1); - # filter for syscall "open" (5) [priority: 65535] - if ($syscall == 5) - action KILL; - # filter for syscall "exit" (1) [priority: 65535] - if ($syscall == 1) - action TRACE(1); - # filter for syscall "write" (4) [priority: 65532] - if ($syscall == 4) - if ($a0 == 0) - else - if ($a1 > 1) - else - if ($a2 >= 2) - else - action TRAP; - # filter for syscall "read" (3) [priority: 65531] - if ($syscall == 3) - if ($a0 == 0) - if ($a1 >= 1) - if ($a2 > 2) - if ($a3 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter 
for arch aarch64 (3221225655) -if ($arch == 3221225655) - # filter for syscall "open" (4294957130) [priority: 65535] - if ($syscall == 4294957130) - action KILL; - # filter for syscall "exit_group" (94) [priority: 65535] - if ($syscall == 94) - action LOG; - # filter for syscall "exit" (93) [priority: 65535] - if ($syscall == 93) - action TRACE(1); - # filter for syscall "fstat" (80) [priority: 65535] - if ($syscall == 80) - action KILL_PROCESS; - # filter for syscall "close" (57) [priority: 65535] - if ($syscall == 57) - action ERRNO(1); - # filter for syscall "write" (64) [priority: 65527] - if ($syscall == 64) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - # filter for syscall "read" (63) [priority: 65525] - if ($syscall == 63) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - if ($a1.hi32 > 0) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a1.hi32 == 0) - if ($a1.lo32 >= 1) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter for 
arch mipsel (1073741832) -if ($arch == 1073741832) - # filter for syscall "exit_group" (246) [priority: 65535] - if ($syscall == 246) - action LOG; - # filter for syscall "fstat" (108) [priority: 65535] - if ($syscall == 108) - action KILL_PROCESS; - # filter for syscall "close" (6) [priority: 65535] - if ($syscall == 6) - action ERRNO(1); - # filter for syscall "open" (5) [priority: 65535] - if ($syscall == 5) - action KILL; - # filter for syscall "exit" (1) [priority: 65535] - if ($syscall == 1) - action TRACE(1); - # filter for syscall "write" (4) [priority: 65532] - if ($syscall == 4) - if ($a0 == 0) - else - if ($a1 > 1) - else - if ($a2 >= 2) - else - action TRAP; - # filter for syscall "read" (3) [priority: 65531] - if ($syscall == 3) - if ($a0 == 0) - if ($a1 >= 1) - if ($a2 > 2) - if ($a3 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter for arch mipsel64 (3221225480) -if ($arch == 3221225480) - # filter for syscall "exit_group" (5205) [priority: 65535] - if ($syscall == 5205) - action LOG; - # filter for syscall "exit" (5058) [priority: 65535] - if ($syscall == 5058) - action TRACE(1); - # filter for syscall "fstat" (5005) [priority: 65535] - if ($syscall == 5005) - action KILL_PROCESS; - # filter for syscall "close" (5003) [priority: 65535] - if ($syscall == 5003) - action ERRNO(1); - # filter for syscall "open" (5002) [priority: 65535] - if ($syscall == 5002) - action KILL; - # filter for syscall "write" (5001) [priority: 65527] - if ($syscall == 5001) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 
== 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - # filter for syscall "read" (5000) [priority: 65525] - if ($syscall == 5000) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - if ($a1.hi32 > 0) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a1.hi32 == 0) - if ($a1.lo32 >= 1) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter for arch mipsel64n32 (3758096392) -if ($arch == 3758096392) - # filter for syscall "exit_group" (6205) [priority: 65535] - if ($syscall == 6205) - action LOG; - # filter for syscall "exit" (6058) [priority: 65535] - if ($syscall == 6058) - action TRACE(1); - # filter for syscall "fstat" (6005) [priority: 65535] - if ($syscall == 6005) - action KILL_PROCESS; - # filter for syscall "close" (6003) [priority: 65535] - if ($syscall == 6003) - action ERRNO(1); - # filter for syscall "open" (6002) [priority: 65535] - if ($syscall == 6002) - action KILL; - # filter for syscall "write" (6001) [priority: 65532] - if ($syscall == 6001) - if ($a0 == 0) - else - if ($a1 > 1) - else - if ($a2 >= 2) - else - action TRAP; - # filter for syscall "read" (6000) [priority: 65531] - if ($syscall == 6000) - if ($a0 == 0) - if ($a1 >= 1) - if ($a2 > 2) - if ($a3 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter for arch ppc64le (3221225493) -if ($arch == 3221225493) - # filter for syscall "exit_group" (234) [priority: 65535] - if ($syscall == 234) - action LOG; - # filter for 
syscall "fstat" (108) [priority: 65535] - if ($syscall == 108) - action KILL_PROCESS; - # filter for syscall "close" (6) [priority: 65535] - if ($syscall == 6) - action ERRNO(1); - # filter for syscall "open" (5) [priority: 65535] - if ($syscall == 5) - action KILL; - # filter for syscall "exit" (1) [priority: 65535] - if ($syscall == 1) - action TRACE(1); - # filter for syscall "write" (4) [priority: 65527] - if ($syscall == 4) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - # filter for syscall "read" (3) [priority: 65525] - if ($syscall == 3) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - if ($a1.hi32 > 0) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a1.hi32 == 0) - if ($a1.lo32 >= 1) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; -# filter for arch riscv64 (3221225715) -if ($arch == 3221225715) - # filter for syscall "open" (4294957130) [priority: 65535] - if ($syscall == 4294957130) - action KILL; - # filter for syscall "exit_group" 
(94) [priority: 65535] - if ($syscall == 94) - action LOG; - # filter for syscall "exit" (93) [priority: 65535] - if ($syscall == 93) - action TRACE(1); - # filter for syscall "fstat" (80) [priority: 65535] - if ($syscall == 80) - action KILL_PROCESS; - # filter for syscall "close" (57) [priority: 65535] - if ($syscall == 57) - action ERRNO(1); - # filter for syscall "write" (64) [priority: 65527] - if ($syscall == 64) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a1.hi32 > 0) - else - if ($a1.hi32 == 0) - if ($a1.lo32 > 1) - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - else - if ($a2.hi32 > 0) - else - if ($a2.hi32 == 0) - if ($a2.lo32 >= 2) - else - action TRAP; - else - action TRAP; - # filter for syscall "read" (63) [priority: 65525] - if ($syscall == 63) - if ($a0.hi32 == 0) - if ($a0.lo32 == 0) - if ($a1.hi32 > 0) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a1.hi32 == 0) - if ($a1.lo32 >= 1) - if ($a2.hi32 > 0) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - else - if ($a2.hi32 == 0) - if ($a2.lo32 > 2) - if ($a3.hi32 & 0x00000000 == 0) - if ($a3.lo32 & 0x0000000f == 3) - action KILL; - # default action - action ALLOW; # invalid architecture action action KILL; # diff --git a/tests/52-basic-load.c b/tests/52-basic-load.c index de3cb8f..2f2b516 100644 --- a/tests/52-basic-load.c +++ b/tests/52-basic-load.c 
@@ -31,38 +31,15 @@ int main(int argc, char *argv[])
 int rc;
 struct util_options opts;
 scmp_filter_ctx ctx = NULL;
- unsigned int api;
 rc = util_getopt(argc, argv, &opts);
 if (rc < 0)
 goto out;
- api = seccomp_api_get();
- if (api == 0) {
- rc = -EFAULT;
- goto out;
- }
-
 ctx = seccomp_init(SCMP_ACT_ALLOW);
 if (ctx == NULL)
 return ENOMEM;
- if (api >= 2) {
- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
- if (rc != 0)
- goto out;
- }
- if (api >= 3) {
- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_LOG, 1);
- if (rc != 0)
- goto out;
- }
- if (api >= 4) {
- rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_SSB, 1);
- if (rc != 0)
- goto out;
- }
-
 rc = seccomp_load(ctx);
 out: