Update tests to reflect that applying STRICT after FILTER is now possible.
Signed-off-by: Jamie Hill-Daniel
---
 tools/testing/selftests/seccomp/seccomp_bpf.c | 68 ++++++++++++---------------
 1 file changed, 29 insertions(+), 39 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 874f17763536..f3b5e19b53a1 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -516,7 +516,7 @@ TEST(filter_chain_limits)
 	}
 }
 
-TEST(mode_filter_cannot_move_to_strict)
+TEST(mode_strict_upgrade)
 {
 	struct sock_filter filter[] = {
 		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
@@ -534,8 +534,34 @@ TEST(mode_filter_cannot_move_to_strict)
 	ASSERT_EQ(0, ret);
 
 	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
-	EXPECT_EQ(-1, ret);
-	EXPECT_EQ(EINVAL, errno);
+	ASSERT_EQ(0, ret);
+	syscall(__NR_exit, 0);
+}
+
+TEST_SIGNAL(mode_strict_upgrade_violation, SIGKILL)
+{
+	struct sock_filter filter[] = {
+		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+	};
+	struct sock_fprog prog = {
+		.len = (unsigned short)ARRAY_SIZE(filter),
+		.filter = filter,
+	};
+	long ret;
+
+	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+	ASSERT_EQ(0, ret);
+
+	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
+	ASSERT_EQ(0, ret);
+
+	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
+	ASSERT_EQ(0, ret);
+
+	syscall(__NR_getpid);
+	EXPECT_FALSE(true) {
+		TH_LOG("Unreachable!");
+	}
 }
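Review bot: The `syscall(__NR_exit, 0);` that now ends mode_strict_upgrade needs a comment, because it is the only safe way out once SECCOMP_MODE_STRICT is active — strict mode permits only read, write, _exit and sigreturn, so returning into the harness (whose teardown ends in glibc's _exit, i.e. exit_group) would get the child SIGKILLed and, as far as I can tell, reported as a failure rather than a pass; suggest `/* Strict mode allows exit() but not exit_group(): leave via the raw syscall. */` directly above it. Exiting this way also skips the harness's post-test bookkeeping, which is acceptable here only because nothing can fail between the strict prctl succeeding and the exit. Separately, the deleted seccomp_syscall_mode_lock covered `seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL)` as well as prctl, while both new tests drive only prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, ...), so the seccomp(2) entry point for the filter-to-strict upgrade is now untested; consider a second variant that installs strict via `ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);` with the ENOSYS guard the old test had. The body of mode_strict_upgrade starts outside the second hunk.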
@@ -2370,42 +2396,6 @@ TEST(seccomp_syscall)
 	}
 }
 
-TEST(seccomp_syscall_mode_lock)
-{
-	struct sock_filter filter[] = {
-		BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
-	};
-	struct sock_fprog prog = {
-		.len = (unsigned short)ARRAY_SIZE(filter),
-		.filter = filter,
-	};
-	long ret;
-
-	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
-	ASSERT_EQ(0, ret) {
-		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
-	}
-
-	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
-	ASSERT_NE(ENOSYS, errno) {
-		TH_LOG("Kernel does not support seccomp syscall!");
-	}
-	EXPECT_EQ(0, ret) {
-		TH_LOG("Could not install filter!");
-	}
-
-	/* Make sure neither entry point will switch to strict. */
-	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
-	EXPECT_EQ(EINVAL, errno) {
-		TH_LOG("Switched to mode strict!");
-	}
-
-	ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
-	EXPECT_EQ(EINVAL, errno) {
-		TH_LOG("Switched to mode strict!");
-	}
-}
-
 /*
  * Test detection of known and unknown filter flags. Userspace needs to be able
  * to check if a filter flag is supported by the current kernel and a good way
-- 
2.54.0