Hi,
This refactors the seccomp selftest macros used in change_syscall(), in an effort to remove special cases for mips, arm, arm64, and xtensa, which paves the way for powerpc fixes.
I'm not entirely done testing, but all-arch build tests and x86_64 selftests pass. I'll be doing arm, arm64, and i386 selftests shortly, but I currently don't have an easy way to check xtensa, mips, nor powerpc. Any help there would be appreciated!
(FWIW, I expect to take these via the seccomp tree.)
Thanks,
-Kees
Kees Cook (15): selftests/seccomp: Refactor arch register macros to avoid xtensa special case selftests/seccomp: Provide generic syscall setting macro selftests/seccomp: mips: Define SYSCALL_NUM_SET macro selftests/seccomp: arm: Define SYSCALL_NUM_SET macro selftests/seccomp: arm64: Define SYSCALL_NUM_SET macro selftests/seccomp: mips: Remove O32-specific macro selftests/seccomp: Remove syscall setting #ifdefs selftests/seccomp: Convert HAVE_GETREG into ARCH_GETREG/ARCH_SETREG selftests/seccomp: Convert REGSET calls into ARCH_GETREG/ARCH_SETREG selftests/seccomp: Avoid redundant register flushes selftests/seccomp: Remove SYSCALL_NUM_RET_SHARE_REG in favor of SYSCALL_RET_SET selftests/seccomp: powerpc: Fix seccomp return value testing selftests/seccomp: powerpc: Set syscall return during ptrace syscall exit selftests/clone3: Avoid OS-defined clone_args selftests/seccomp: Use __NR_mknodat instead of __NR_mknod
.../selftests/clone3/clone3_selftests.h | 16 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 313 ++++++++++-------- 2 files changed, 184 insertions(+), 145 deletions(-)
To avoid an xtensa special-case, refactor all arch register macros to take the register variable instead of depending on the macro expanding as a struct member name.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 97 +++++++++---------- 1 file changed, 47 insertions(+), 50 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index c5002fc25b00..fef15080b575 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1698,64 +1698,64 @@ TEST_F(TRACE_poke, getpid_runs_normally) }
#if defined(__x86_64__) -# define ARCH_REGS struct user_regs_struct -# define SYSCALL_NUM orig_rax -# define SYSCALL_RET rax +# define ARCH_REGS struct user_regs_struct +# define SYSCALL_NUM(_regs) (_regs).orig_rax +# define SYSCALL_RET(_regs) (_regs).rax #elif defined(__i386__) -# define ARCH_REGS struct user_regs_struct -# define SYSCALL_NUM orig_eax -# define SYSCALL_RET eax +# define ARCH_REGS struct user_regs_struct +# define SYSCALL_NUM(_regs) (_regs).orig_eax +# define SYSCALL_RET(_regs) (_regs).eax #elif defined(__arm__) -# define ARCH_REGS struct pt_regs -# define SYSCALL_NUM ARM_r7 -# define SYSCALL_RET ARM_r0 +# define ARCH_REGS struct pt_regs +# define SYSCALL_NUM(_regs) (_regs).ARM_r7 +# define SYSCALL_RET(_regs) (_regs).ARM_r0 #elif defined(__aarch64__) -# define ARCH_REGS struct user_pt_regs -# define SYSCALL_NUM regs[8] -# define SYSCALL_RET regs[0] +# define ARCH_REGS struct user_pt_regs +# define SYSCALL_NUM(_regs) (_regs).regs[8] +# define SYSCALL_RET(_regs) (_regs).regs[0] #elif defined(__riscv) && __riscv_xlen == 64 -# define ARCH_REGS struct user_regs_struct -# define SYSCALL_NUM a7 -# define SYSCALL_RET a0 +# define ARCH_REGS struct user_regs_struct +# define SYSCALL_NUM(_regs) (_regs).a7 +# define SYSCALL_RET(_regs) (_regs).a0 #elif defined(__csky__) -# define ARCH_REGS struct pt_regs -#if defined(__CSKYABIV2__) -# define SYSCALL_NUM regs[3] -#else -# define SYSCALL_NUM regs[9] -#endif -# define SYSCALL_RET a0 +# define ARCH_REGS struct pt_regs +# if defined(__CSKYABIV2__) +# define SYSCALL_NUM(_regs) (_regs).regs[3] +# else +# define SYSCALL_NUM(_regs) (_regs).regs[9] +# endif +# define SYSCALL_RET(_regs) (_regs).a0 #elif defined(__hppa__) -# define ARCH_REGS struct user_regs_struct -# define SYSCALL_NUM gr[20] -# define SYSCALL_RET gr[28] +# define ARCH_REGS struct user_regs_struct +# define SYSCALL_NUM(_regs) (_regs).gr[20] +# define SYSCALL_RET(_regs) (_regs).gr[28] #elif defined(__powerpc__) -# define ARCH_REGS struct pt_regs -# define SYSCALL_NUM gpr[0] -# define SYSCALL_RET gpr[3] +# define ARCH_REGS struct pt_regs +# define SYSCALL_NUM(_regs) (_regs).gpr[0] +# define SYSCALL_RET(_regs) (_regs).gpr[3] #elif defined(__s390__) -# define ARCH_REGS s390_regs -# define SYSCALL_NUM gprs[2] -# define SYSCALL_RET gprs[2] +# define ARCH_REGS s390_regs +# define SYSCALL_NUM(_regs) (_regs).gprs[2] +# define SYSCALL_RET(_regs) (_regs).gprs[2] # define SYSCALL_NUM_RET_SHARE_REG #elif defined(__mips__) -# define ARCH_REGS struct pt_regs -# define SYSCALL_NUM regs[2] -# define SYSCALL_SYSCALL_NUM regs[4] -# define SYSCALL_RET regs[2] +# define ARCH_REGS struct pt_regs +# define SYSCALL_NUM(_regs) (_regs).regs[2] +# define SYSCALL_SYSCALL_NUM regs[4] +# define SYSCALL_RET(_regs) (_regs).regs[2] # define SYSCALL_NUM_RET_SHARE_REG #elif defined(__xtensa__) -# define ARCH_REGS struct user_pt_regs -# define SYSCALL_NUM syscall +# define ARCH_REGS struct user_pt_regs +# define SYSCALL_NUM(_regs) (_regs).syscall /* * On xtensa syscall return value is in the register * a2 of the current window which is not fixed. */ -#define SYSCALL_RET(reg) a[(reg).windowbase * 4 + 2] +#define SYSCALL_RET(_regs) (_regs).a[(_regs).windowbase * 4 + 2] #elif defined(__sh__) -# define ARCH_REGS struct pt_regs -# define SYSCALL_NUM gpr[3] -# define SYSCALL_RET gpr[0] +# define ARCH_REGS struct pt_regs +# define SYSCALL_NUM(_regs) (_regs).gpr[3] +# define SYSCALL_RET(_regs) (_regs).gpr[0] #else # error "Do not know how to find your architecture's registers and syscalls" #endif @@ -1804,10 +1804,10 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) #endif
#if defined(__mips__) - if (regs.SYSCALL_NUM == __NR_O32_Linux) + if (SYSCALL_NUM(regs) == __NR_O32_Linux) return regs.SYSCALL_SYSCALL_NUM; #endif - return regs.SYSCALL_NUM; + return SYSCALL_NUM(regs); }
/* Architecture-specific syscall changing routine. */ @@ -1830,14 +1830,14 @@ void change_syscall(struct __test_metadata *_metadata, defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ defined(__xtensa__) || defined(__csky__) || defined(__sh__) { - regs.SYSCALL_NUM = syscall; + SYSCALL_NUM(regs) = syscall; } #elif defined(__mips__) { - if (regs.SYSCALL_NUM == __NR_O32_Linux) + if (SYSCALL_NUM(regs) == __NR_O32_Linux) regs.SYSCALL_SYSCALL_NUM = syscall; else - regs.SYSCALL_NUM = syscall; + SYSCALL_NUM(regs) = syscall; }
#elif defined(__arm__) @@ -1871,11 +1871,8 @@ void change_syscall(struct __test_metadata *_metadata, if (syscall == -1) #ifdef SYSCALL_NUM_RET_SHARE_REG TH_LOG("Can't modify syscall return on this architecture"); - -#elif defined(__xtensa__) - regs.SYSCALL_RET(regs) = result; #else - regs.SYSCALL_RET = result; + SYSCALL_RET(regs) = result; #endif
#ifdef HAVE_GETREGS
On Sat, Sep 12, 2020 at 04:08:06AM -0700, Kees Cook wrote:
To avoid an xtensa special-case, refactor all arch register macros to take the register variable instead of depending on the macro expanding as a struct member name.
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
In order to avoid "#ifdef"s in the main function bodies, create a new macro, SYSCALL_NUM_SET(), where arch-specific logic can live.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index fef15080b575..1c83e743bfb1 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1760,6 +1760,17 @@ TEST_F(TRACE_poke, getpid_runs_normally) # error "Do not know how to find your architecture's registers and syscalls" #endif
+/* + * Most architectures can change the syscall by just updating the + * associated register. This is the default if not defined above. + */ +#ifndef SYSCALL_NUM_SET +# define SYSCALL_NUM_SET(_regs, _nr) \ + do { \ + SYSCALL_NUM(_regs) = (_nr); \ + } while (0) +#endif + /* When the syscall return can't be changed, stub out the tests for it. */ #ifdef SYSCALL_NUM_RET_SHARE_REG # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action) @@ -1830,14 +1841,14 @@ void change_syscall(struct __test_metadata *_metadata, defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ defined(__xtensa__) || defined(__csky__) || defined(__sh__) { - SYSCALL_NUM(regs) = syscall; + SYSCALL_NUM_SET(regs, syscall); } #elif defined(__mips__) { if (SYSCALL_NUM(regs) == __NR_O32_Linux) regs.SYSCALL_SYSCALL_NUM = syscall; else - SYSCALL_NUM(regs) = syscall; + SYSCALL_NUM_SET(regs, syscall); }
#elif defined(__arm__)
On Sat, Sep 12, 2020 at 04:08:07AM -0700, Kees Cook wrote:
In order to avoid "#ifdef"s in the main function bodies, create a new macro, SYSCALL_NUM_SET(), where arch-specific logic can live.
Signed-off-by: Kees Cook keescook@chromium.org
SYSCALL_SWITCH(_regs, nr)?
But looks good either way! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Remove the mips special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 1c83e743bfb1..02a9a6599746 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1742,6 +1742,13 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define ARCH_REGS struct pt_regs # define SYSCALL_NUM(_regs) (_regs).regs[2] # define SYSCALL_SYSCALL_NUM regs[4] +# define SYSCALL_NUM_SET(_regs, _nr) \ + do { \ + if ((_regs).regs[2] == __NR_O32_Linux) \ + (_regs).regs[4] = _nr; \ + else \ + (_regs).regs[2] = _nr; \ + } while (0) # define SYSCALL_RET(_regs) (_regs).regs[2] # define SYSCALL_NUM_RET_SHARE_REG #elif defined(__xtensa__) @@ -1839,17 +1846,11 @@ void change_syscall(struct __test_metadata *_metadata,
#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ - defined(__xtensa__) || defined(__csky__) || defined(__sh__) + defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \ + defined(__mips__) { SYSCALL_NUM_SET(regs, syscall); } -#elif defined(__mips__) - { - if (SYSCALL_NUM(regs) == __NR_O32_Linux) - regs.SYSCALL_SYSCALL_NUM = syscall; - else - SYSCALL_NUM_SET(regs, syscall); - }
#elif defined(__arm__) # ifndef PTRACE_SET_SYSCALL
On Sat, Sep 12, 2020 at 04:08:08AM -0700, Kees Cook wrote:
Remove the mips special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org
tools/testing/selftests/seccomp/seccomp_bpf.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 1c83e743bfb1..02a9a6599746 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1742,6 +1742,13 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define ARCH_REGS struct pt_regs # define SYSCALL_NUM(_regs) (_regs).regs[2] # define SYSCALL_SYSCALL_NUM regs[4] +# define SYSCALL_NUM_SET(_regs, _nr) \
- do { \
if ((_regs).regs[2] == __NR_O32_Linux) \
(_regs).regs[4] = _nr; \
else \
(_regs).regs[2] = _nr; \
- } while (0)
I think that
# define SYSCALL_NUM_SET(_regs, _nr) \ do { \ if (SYSCALL_NUM(_regs) == __NR_O32_Linux) \ (_regs).regs[4] = _nr; \ else \ (_regs).regs[2] = _nr; \ } while (0)
would read better but that's just a matter of taste. :)
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
On Tue, Sep 15, 2020 at 05:55:46PM +0200, Christian Brauner wrote:
On Sat, Sep 12, 2020 at 04:08:08AM -0700, Kees Cook wrote:
Remove the mips special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org
tools/testing/selftests/seccomp/seccomp_bpf.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 1c83e743bfb1..02a9a6599746 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1742,6 +1742,13 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define ARCH_REGS struct pt_regs # define SYSCALL_NUM(_regs) (_regs).regs[2] # define SYSCALL_SYSCALL_NUM regs[4] +# define SYSCALL_NUM_SET(_regs, _nr) \
- do { \
if ((_regs).regs[2] == __NR_O32_Linux) \
(_regs).regs[4] = _nr; \
else \
(_regs).regs[2] = _nr; \
- } while (0)
I think that
# define SYSCALL_NUM_SET(_regs, _nr) \ do { \ if (SYSCALL_NUM(_regs) == __NR_O32_Linux) \ (_regs).regs[4] = _nr; \ else \ (_regs).regs[2] = _nr; \ } while (0)
would read better but that's just a matter of taste. :)
That's how I started originally, but when I realized that I'd have to reorganize SYSCALL_NUM() too, it seem best to have minimal churn, so I left it open coded here, since that's how it needs to be in the end.
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Thanks for the reviews!
Remove the arm special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 02a9a6599746..610fc036e374 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1708,6 +1708,11 @@ TEST_F(TRACE_poke, getpid_runs_normally) #elif defined(__arm__) # define ARCH_REGS struct pt_regs # define SYSCALL_NUM(_regs) (_regs).ARM_r7 +# ifndef PTRACE_SET_SYSCALL +# define PTRACE_SET_SYSCALL 23 +# endif +# define SYSCALL_NUM_SET(_regs, _nr) \ + EXPECT_EQ(0, ptrace(PTRACE_SET_SYSCALL, tracee, NULL, _nr)) # define SYSCALL_RET(_regs) (_regs).ARM_r0 #elif defined(__aarch64__) # define ARCH_REGS struct user_pt_regs @@ -1847,20 +1852,11 @@ void change_syscall(struct __test_metadata *_metadata, #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \ - defined(__mips__) + defined(__mips__) || defined(__arm__) { SYSCALL_NUM_SET(regs, syscall); }
-#elif defined(__arm__) -# ifndef PTRACE_SET_SYSCALL -# define PTRACE_SET_SYSCALL 23 -# endif - { - ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall); - EXPECT_EQ(0, ret); - } - #elif defined(__aarch64__) # ifndef NT_ARM_SYSTEM_CALL # define NT_ARM_SYSTEM_CALL 0x404
On Sat, Sep 12, 2020 at 04:08:09AM -0700, Kees Cook wrote:
Remove the arm special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Remove the arm64 special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 610fc036e374..cfa606d96086 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1717,6 +1717,18 @@ TEST_F(TRACE_poke, getpid_runs_normally) #elif defined(__aarch64__) # define ARCH_REGS struct user_pt_regs # define SYSCALL_NUM(_regs) (_regs).regs[8] +# ifndef NT_ARM_SYSTEM_CALL +# define NT_ARM_SYSTEM_CALL 0x404 +# endif +# define SYSCALL_NUM_SET(_regs, _nr) \ + do { \ + struct iovec __v; \ + typeof(_nr) __nr = (_nr); \ + __v.iov_base = &__nr; \ + __v.iov_len = sizeof(__nr); \ + EXPECT_EQ(0, ptrace(PTRACE_SETREGSET, tracee, \ + NT_ARM_SYSTEM_CALL, &__v)); \ + } while (0) # define SYSCALL_RET(_regs) (_regs).regs[0] #elif defined(__riscv) && __riscv_xlen == 64 # define ARCH_REGS struct user_regs_struct @@ -1852,23 +1864,10 @@ void change_syscall(struct __test_metadata *_metadata, #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \ - defined(__mips__) || defined(__arm__) + defined(__mips__) || defined(__arm__) || defined(__aarch64__) { SYSCALL_NUM_SET(regs, syscall); } - -#elif defined(__aarch64__) -# ifndef NT_ARM_SYSTEM_CALL -# define NT_ARM_SYSTEM_CALL 0x404 -# endif - { - iov.iov_base = &syscall; - iov.iov_len = sizeof(syscall); - ret = ptrace(PTRACE_SETREGSET, tracee, NT_ARM_SYSTEM_CALL, - &iov); - EXPECT_EQ(0, ret); - } - #else ASSERT_EQ(1, 0) { TH_LOG("How is the syscall changed on this architecture?");
On Sat, Sep 12, 2020 at 04:08:10AM -0700, Kees Cook wrote:
Remove the arm64 special-case in change_syscall().
Signed-off-by: Kees Cook keescook@chromium.org
We're using iovecs in ptrace()??
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Instead of having the mips O32 macro special-cased, pull the logic into the SYSCALL_NUM() macro. Additionally include the ABI headers, since these appear to have been missing, leaving __NR_O32_Linux undefined.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index cfa606d96086..aa1c224371d1 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1756,9 +1756,19 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define SYSCALL_RET(_regs) (_regs).gprs[2] # define SYSCALL_NUM_RET_SHARE_REG #elif defined(__mips__) +# include <asm/unistd_nr_n32.h> +# include <asm/unistd_nr_n64.h> +# include <asm/unistd_nr_o32.h> # define ARCH_REGS struct pt_regs -# define SYSCALL_NUM(_regs) (_regs).regs[2] -# define SYSCALL_SYSCALL_NUM regs[4] +# define SYSCALL_NUM(_regs) \ + ({ \ + typeof((_regs).regs[2]) _nr; \ + if ((_regs).regs[2] == __NR_O32_Linux) \ + _nr = (_regs).regs[4]; \ + else \ + _nr = (_regs).regs[2]; \ + _nr; \ + }) # define SYSCALL_NUM_SET(_regs, _nr) \ do { \ if ((_regs).regs[2] == __NR_O32_Linux) \ @@ -1838,10 +1848,6 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) } #endif
-#if defined(__mips__) - if (SYSCALL_NUM(regs) == __NR_O32_Linux) - return regs.SYSCALL_SYSCALL_NUM; -#endif return SYSCALL_NUM(regs); }
On Sat, Sep 12, 2020 at 04:08:11AM -0700, Kees Cook wrote:
Instead of having the mips O32 macro special-cased, pull the logic into the SYSCALL_NUM() macro. Additionally include the ABI headers, since these appear to have been missing, leaving __NR_O32_Linux undefined.
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
With all architectures now using the common SYSCALL_NUM_SET() macro, the arch-specific #ifdef can be removed from change_syscall() itself.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index aa1c224371d1..3b77bdbe7125 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1865,20 +1865,9 @@ void change_syscall(struct __test_metadata *_metadata, iov.iov_len = sizeof(regs); ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov); #endif - EXPECT_EQ(0, ret) {} + EXPECT_EQ(0, ret);
-#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ - defined(__s390__) || defined(__hppa__) || defined(__riscv) || \ - defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \ - defined(__mips__) || defined(__arm__) || defined(__aarch64__) - { - SYSCALL_NUM_SET(regs, syscall); - } -#else - ASSERT_EQ(1, 0) { - TH_LOG("How is the syscall changed on this architecture?"); - } -#endif + SYSCALL_NUM_SET(regs, syscall);
/* If syscall is skipped, change return value. */ if (syscall == -1) @@ -1888,6 +1877,7 @@ void change_syscall(struct __test_metadata *_metadata, SYSCALL_RET(regs) = result; #endif
+ /* Flush any register changes made. */ #ifdef HAVE_GETREGS ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s); #else
On Sat, Sep 12, 2020 at 04:08:12AM -0700, Kees Cook wrote:
With all architectures now using the common SYSCALL_NUM_SET() macro, the arch-specific #ifdef can be removed from change_syscall() itself.
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Instead of special-casing the get/set-registers routines, move the HAVE_GETREG logic into the new ARCH_GETREG() and ARCH_SETREG() macros.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 3b77bdbe7125..a986f2332327 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1821,20 +1821,21 @@ TEST_F(TRACE_poke, getpid_runs_normally) } while (0) #endif
-/* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for +/* + * Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for * architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux). */ #if defined(__x86_64__) || defined(__i386__) || defined(__mips__) -#define HAVE_GETREGS +# define ARCH_GETREGS(_regs) ptrace(PTRACE_GETREGS, tracee, 0, &(_regs)) +# define ARCH_SETREGS(_regs) ptrace(PTRACE_SETREGS, tracee, 0, &(_regs)) #endif
/* Architecture-specific syscall fetching routine. */ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) { ARCH_REGS regs; -#ifdef HAVE_GETREGS - EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) { - TH_LOG("PTRACE_GETREGS failed"); +#ifdef ARCH_GETREGS + EXPECT_EQ(0, ARCH_GETREGS(regs)) { return -1; } #else @@ -1855,17 +1856,19 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) void change_syscall(struct __test_metadata *_metadata, pid_t tracee, int syscall, int result) { - int ret; ARCH_REGS regs; -#ifdef HAVE_GETREGS - ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s); +#ifdef ARCH_GETREGS + EXPECT_EQ(0, ARCH_GETREGS(regs)) { + return; + } #else + int ret; struct iovec iov; iov.iov_base = ®s; iov.iov_len = sizeof(regs); ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov); -#endif EXPECT_EQ(0, ret); +#endif
SYSCALL_NUM_SET(regs, syscall);
@@ -1878,14 +1881,14 @@ void change_syscall(struct __test_metadata *_metadata, #endif
/* Flush any register changes made. */ -#ifdef HAVE_GETREGS - ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s); +#ifdef ARCH_SETREGS + EXPECT_EQ(0, ARCH_SETREGS(regs)); #else iov.iov_base = ®s; iov.iov_len = sizeof(regs); ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov); -#endif EXPECT_EQ(0, ret); +#endif }
void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
On Sat, Sep 12, 2020 at 04:08:13AM -0700, Kees Cook wrote:
Instead of special-casing the get/set-registers routines, move the HAVE_GETREG logic into the new ARCH_GETREG() and ARCH_SETREG() macros.
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Consolidate the REGSET logic into the new ARCH_GETREG() and ARCH_SETREG() macros, avoiding more #ifdef code in function bodies.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 42 +++++++------------ 1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index a986f2332327..d9346121b89b 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1828,26 +1828,29 @@ TEST_F(TRACE_poke, getpid_runs_normally) #if defined(__x86_64__) || defined(__i386__) || defined(__mips__) # define ARCH_GETREGS(_regs) ptrace(PTRACE_GETREGS, tracee, 0, &(_regs)) # define ARCH_SETREGS(_regs) ptrace(PTRACE_SETREGS, tracee, 0, &(_regs)) +#else +# define ARCH_GETREGS(_regs) ({ \ + struct iovec __v; \ + __v.iov_base = &(_regs); \ + __v.iov_len = sizeof(_regs); \ + ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &__v); \ + }) +# define ARCH_SETREGS(_regs) ({ \ + struct iovec __v; \ + __v.iov_base = &(_regs); \ + __v.iov_len = sizeof(_regs); \ + ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &__v); \ + }) #endif
/* Architecture-specific syscall fetching routine. */ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) { ARCH_REGS regs; -#ifdef ARCH_GETREGS - EXPECT_EQ(0, ARCH_GETREGS(regs)) { - return -1; - } -#else - struct iovec iov;
- iov.iov_base = ®s; - iov.iov_len = sizeof(regs); - EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) { - TH_LOG("PTRACE_GETREGSET failed"); + EXPECT_EQ(0, ARCH_GETREGS(regs)) { return -1; } -#endif
return SYSCALL_NUM(regs); } @@ -1857,18 +1860,10 @@ void change_syscall(struct __test_metadata *_metadata, pid_t tracee, int syscall, int result) { ARCH_REGS regs; -#ifdef ARCH_GETREGS + EXPECT_EQ(0, ARCH_GETREGS(regs)) { return; } -#else - int ret; - struct iovec iov; - iov.iov_base = ®s; - iov.iov_len = sizeof(regs); - ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov); - EXPECT_EQ(0, ret); -#endif
SYSCALL_NUM_SET(regs, syscall);
@@ -1881,14 +1876,7 @@ void change_syscall(struct __test_metadata *_metadata, #endif
/* Flush any register changes made. */ -#ifdef ARCH_SETREGS EXPECT_EQ(0, ARCH_SETREGS(regs)); -#else - iov.iov_base = ®s; - iov.iov_len = sizeof(regs); - ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov); - EXPECT_EQ(0, ret); -#endif }
void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
On Sat, Sep 12, 2020 at 04:08:14AM -0700, Kees Cook wrote:
Consolidate the REGSET logic into the new ARCH_GETREG() and ARCH_SETREG() macros, avoiding more #ifdef code in function bodies.
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
When none of the registers have changed, don't flush them back. This can happen if the architecture uses a non-register way to change the syscall (e.g. arm64) , and a return value hasn't been written.
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index d9346121b89b..2790d9cd50f4 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1859,11 +1859,12 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee) void change_syscall(struct __test_metadata *_metadata, pid_t tracee, int syscall, int result) { - ARCH_REGS regs; + ARCH_REGS orig, regs;
EXPECT_EQ(0, ARCH_GETREGS(regs)) { return; } + orig = regs;
SYSCALL_NUM_SET(regs, syscall);
@@ -1876,7 +1877,8 @@ void change_syscall(struct __test_metadata *_metadata, #endif
/* Flush any register changes made. */ - EXPECT_EQ(0, ARCH_SETREGS(regs)); + if (memcmp(&orig, ®s, sizeof(orig)) != 0) + EXPECT_EQ(0, ARCH_SETREGS(regs)); }
void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
On Sat, Sep 12, 2020 at 04:08:15AM -0700, Kees Cook wrote:
When none of the registers have changed, don't flush them back. This can happen if the architecture uses a non-register way to change the syscall (e.g. arm64) , and a return value hasn't been written.
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
Instead of special-casing the specific case of shared registers, create a default SYSCALL_RET_SET() macro (mirroring SYSCALL_NUM_SET()), that writes to the SYSCALL_RET register. For architectures that can't set the return value (for whatever reason), they can define SYSCALL_RET_SET() without an associated SYSCALL_RET() macro. This also paves the way for architectures that need to do special things to set the return value (e.g. powerpc).
Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 33 +++++++++++++------ 1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 2790d9cd50f4..623953a53032 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1753,8 +1753,8 @@ TEST_F(TRACE_poke, getpid_runs_normally) #elif defined(__s390__) # define ARCH_REGS s390_regs # define SYSCALL_NUM(_regs) (_regs).gprs[2] -# define SYSCALL_RET(_regs) (_regs).gprs[2] -# define SYSCALL_NUM_RET_SHARE_REG +# define SYSCALL_RET_SET(_regs, _val) \ + TH_LOG("Can't modify syscall return on this architecture") #elif defined(__mips__) # include <asm/unistd_nr_n32.h> # include <asm/unistd_nr_n64.h> @@ -1776,8 +1776,8 @@ TEST_F(TRACE_poke, getpid_runs_normally) else \ (_regs).regs[2] = _nr; \ } while (0) -# define SYSCALL_RET(_regs) (_regs).regs[2] -# define SYSCALL_NUM_RET_SHARE_REG +# define SYSCALL_RET_SET(_regs, _val) \ + TH_LOG("Can't modify syscall return on this architecture") #elif defined(__xtensa__) # define ARCH_REGS struct user_pt_regs # define SYSCALL_NUM(_regs) (_regs).syscall @@ -1804,9 +1804,26 @@ TEST_F(TRACE_poke, getpid_runs_normally) SYSCALL_NUM(_regs) = (_nr); \ } while (0) #endif +/* + * Most architectures can change the syscall return value by just + * writing to the SYSCALL_RET register. This is the default if not + * defined above. If an architecture cannot set the return value + * (for example when the syscall and return value register is + * shared), report it with TH_LOG() in an arch-specific definition + * of SYSCALL_RET_SET() above, and leave SYSCALL_RET undefined. + */ +#if !defined(SYSCALL_RET) && !defined(SYSCALL_RET_SET) +# error "One of SYSCALL_RET or SYSCALL_RET_SET is needed for this arch" +#endif +#ifndef SYSCALL_RET_SET +# define SYSCALL_RET_SET(_regs, _val) \ + do { \ + SYSCALL_RET(_regs) = (_val); \ + } while (0) +#endif
/* When the syscall return can't be changed, stub out the tests for it. */ -#ifdef SYSCALL_NUM_RET_SHARE_REG +#ifndef SYSCALL_RET # define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action) #else # define EXPECT_SYSCALL_RETURN(val, action) \ @@ -1870,11 +1887,7 @@ void change_syscall(struct __test_metadata *_metadata,
/* If syscall is skipped, change return value. */ if (syscall == -1) -#ifdef SYSCALL_NUM_RET_SHARE_REG - TH_LOG("Can't modify syscall return on this architecture"); -#else - SYSCALL_RET(regs) = result; -#endif + SYSCALL_RET_SET(regs, result);
/* Flush any register changes made. */ if (memcmp(&orig, ®s, sizeof(orig)) != 0)
On Sat, Sep 12, 2020 at 04:08:16AM -0700, Kees Cook wrote:
Instead of special-casing the specific case of shared registers, create a default SYSCALL_RET_SET() macro (mirroring SYSCALL_NUM_SET()), that writes to the SYSCALL_RET register. For architectures that can't set the return value (for whatever reason), they can define SYSCALL_RET_SET() without an associated SYSCALL_RET() macro. This also paves the way for architectures that need to do special things to set the return value (e.g. powerpc).
Signed-off-by: Kees Cook keescook@chromium.org
Looks good! Acked-by: Christian Brauner christian.brauner@ubuntu.com
On powerpc, the errno is not inverted, and depends on ccr.so being set. Add this to a powerpc definition of SYSCALL_RET_SET().
Co-developed-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Signed-off-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@can... Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support") Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 623953a53032..bbab2420d708 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1750,6 +1750,21 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define ARCH_REGS struct pt_regs # define SYSCALL_NUM(_regs) (_regs).gpr[0] # define SYSCALL_RET(_regs) (_regs).gpr[3] +# define SYSCALL_RET_SET(_regs, _val) \ + do { \ + typeof(_val) _result = (_val); \ + /* \ + * A syscall error is signaled by CR0 SO bit \ + * and the code is stored as a positive value. \ + */ \ + if (_result < 0) { \ + SYSCALL_RET(_regs) = -result; \ + (_regs).ccr |= 0x10000000; \ + } else { \ + SYSCALL_RET(_regs) = result; \ + (_regs).ccr &= ~0x10000000; \ + } \ + } while (0) #elif defined(__s390__) # define ARCH_REGS s390_regs # define SYSCALL_NUM(_regs) (_regs).gprs[2]
Kees Cook keescook@chromium.org writes:
On powerpc, the errno is not inverted, and depends on ccr.so being set. Add this to a powerpc definition of SYSCALL_RET_SET().
Co-developed-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Signed-off-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@can... Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support") Signed-off-by: Kees Cook keescook@chromium.org
tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
This looks right to me, and matches what strace does AFAICS.
Reviewed-by: Michael Ellerman mpe@ellerman.id.au
cheers
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 623953a53032..bbab2420d708 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1750,6 +1750,21 @@ TEST_F(TRACE_poke, getpid_runs_normally) # define ARCH_REGS struct pt_regs # define SYSCALL_NUM(_regs) (_regs).gpr[0] # define SYSCALL_RET(_regs) (_regs).gpr[3] +# define SYSCALL_RET_SET(_regs, _val) \
- do { \
typeof(_val) _result = (_val); \
/* \
* A syscall error is signaled by CR0 SO bit \
* and the code is stored as a positive value. \
*/ \
if (_result < 0) { \
SYSCALL_RET(_regs) = -result; \
(_regs).ccr |= 0x10000000; \
} else { \
SYSCALL_RET(_regs) = result; \
(_regs).ccr &= ~0x10000000; \
} \
- } while (0)
#elif defined(__s390__) # define ARCH_REGS s390_regs
# define SYSCALL_NUM(_regs) (_regs).gprs[2]
2.25.1
Some archs (like ppc) only support changing the return code during syscall exit when ptrace is used. As the syscall number might not be available anymore during syscall exit, it needs to be saved during syscall enter. Adjust the ptrace tests to do this.
Reported-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Suggested-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@can... Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole") Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 34 +++++++++++-------- 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index bbab2420d708..26c712c6a575 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1949,12 +1949,19 @@ void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
}
+FIXTURE(TRACE_syscall) { + struct sock_fprog prog; + pid_t tracer, mytid, mypid, parent; + long syscall_nr; +}; + void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, int status, void *args) { - int ret, nr; + int ret; unsigned long msg; static bool entry; + FIXTURE_DATA(TRACE_syscall) *self = args;
/* * The traditional way to tell PTRACE_SYSCALL entry/exit @@ -1968,24 +1975,23 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
- if (!entry) - return; - - nr = get_syscall(_metadata, tracee); + /* + * Some architectures only support setting return values during + * syscall exit under ptrace, and on exit the syscall number may + * no longer be available. Therefore, save it here, and call + * "change syscall and set return values" on both entry and exit. + */ + if (entry) + self->syscall_nr = get_syscall(_metadata, tracee);
- if (nr == __NR_getpid) + if (self->syscall_nr == __NR_getpid) change_syscall(_metadata, tracee, __NR_getppid, 0); - if (nr == __NR_gettid) + if (self->syscall_nr == __NR_gettid) change_syscall(_metadata, tracee, -1, 45000); - if (nr == __NR_openat) + if (self->syscall_nr == __NR_openat) change_syscall(_metadata, tracee, -1, -ESRCH); }
-FIXTURE(TRACE_syscall) { - struct sock_fprog prog; - pid_t tracer, mytid, mypid, parent; -}; - FIXTURE_VARIANT(TRACE_syscall) { /* * All of the SECCOMP_RET_TRACE behaviors can be tested with either @@ -2044,7 +2050,7 @@ FIXTURE_SETUP(TRACE_syscall) self->tracer = setup_trace_fixture(_metadata, variant->use_ptrace ? tracer_ptrace : tracer_seccomp, - NULL, variant->use_ptrace); + self, variant->use_ptrace);
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ASSERT_EQ(0, ret);
Kees Cook keescook@chromium.org writes:
Some archs (like ppc) only support changing the return code during syscall exit when ptrace is used. As the syscall number might not be available anymore during syscall exit, it needs to be saved during syscall enter. Adjust the ptrace tests to do this.
I'm not that across all the fixture stuff, but if I'm reading it right you're now calling change_syscall() on both entry and exit for all arches.
That should work, but it no longer tests changing the return code on entry on the arches that support it, which seems like a backward step?
cheers
Reported-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Suggested-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Link: https://lore.kernel.org/linux-kselftest/20200911181012.171027-1-cascardo@can... Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole") Signed-off-by: Kees Cook keescook@chromium.org
tools/testing/selftests/seccomp/seccomp_bpf.c | 34 +++++++++++-------- 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index bbab2420d708..26c712c6a575 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1949,12 +1949,19 @@ void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee, } +FIXTURE(TRACE_syscall) {
- struct sock_fprog prog;
- pid_t tracer, mytid, mypid, parent;
- long syscall_nr;
+};
void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, int status, void *args) {
- int ret, nr;
- int ret; unsigned long msg; static bool entry;
- FIXTURE_DATA(TRACE_syscall) *self = args;
/* * The traditional way to tell PTRACE_SYSCALL entry/exit @@ -1968,24 +1975,23 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
- if (!entry)
return;
- nr = get_syscall(_metadata, tracee);
- /*
* Some architectures only support setting return values during
* syscall exit under ptrace, and on exit the syscall number may
* no longer be available. Therefore, save it here, and call
* "change syscall and set return values" on both entry and exit.
*/
- if (entry)
self->syscall_nr = get_syscall(_metadata, tracee);
- if (nr == __NR_getpid)
- if (self->syscall_nr == __NR_getpid) change_syscall(_metadata, tracee, __NR_getppid, 0);
- if (nr == __NR_gettid)
- if (self->syscall_nr == __NR_gettid) change_syscall(_metadata, tracee, -1, 45000);
- if (nr == __NR_openat)
- if (self->syscall_nr == __NR_openat) change_syscall(_metadata, tracee, -1, -ESRCH);
} -FIXTURE(TRACE_syscall) {
- struct sock_fprog prog;
- pid_t tracer, mytid, mypid, parent;
-};
FIXTURE_VARIANT(TRACE_syscall) { /* * All of the SECCOMP_RET_TRACE behaviors can be tested with either @@ -2044,7 +2050,7 @@ FIXTURE_SETUP(TRACE_syscall) self->tracer = setup_trace_fixture(_metadata, variant->use_ptrace ? tracer_ptrace : tracer_seccomp,
NULL, variant->use_ptrace);
self, variant->use_ptrace);
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ASSERT_EQ(0, ret); -- 2.25.1
On Mon, Sep 14, 2020 at 03:47:13PM +1000, Michael Ellerman wrote:
Kees Cook keescook@chromium.org writes:
Some archs (like ppc) only support changing the return code during syscall exit when ptrace is used. As the syscall number might not be available anymore during syscall exit, it needs to be saved during syscall enter. Adjust the ptrace tests to do this.
I'm not that across all the fixture stuff, but if I'm reading it right you're now calling change_syscall() on both entry and exit for all arches.
Correct.
That should work, but it no longer tests changing the return code on entry on the arches that support it, which seems like a backward step?
That's a good point. I wouldn't be in a position to notice a regression for the other architectures. I will refactor this one...
As the UAPI headers start to appear in distros, we need to avoid outdated versions of struct clone_args to be able to test modern features. Additionally pull in the syscall numbers correctly.
Signed-off-by: Kees Cook keescook@chromium.org --- I needed to fix this to get MIPS to build the seccomp selftests. --- .../testing/selftests/clone3/clone3_selftests.h | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h b/tools/testing/selftests/clone3/clone3_selftests.h index 91c1a78ddb39..bc0f34e37ae1 100644 --- a/tools/testing/selftests/clone3/clone3_selftests.h +++ b/tools/testing/selftests/clone3/clone3_selftests.h @@ -4,11 +4,19 @@ #define _CLONE3_SELFTESTS_H
#define _GNU_SOURCE + +/* Pull in syscall numbers. */ +#include <unistd.h> +#include <sys/syscall.h> + +/* Avoid old OS versions of "struct clone_args". */ +#define clone_args old_clone_args #include <sched.h> #include <linux/sched.h> +#undef clone_args + #include <linux/types.h> #include <stdint.h> -#include <syscall.h> #include <sys/wait.h>
#include "../kselftest.h" @@ -25,6 +33,7 @@
#ifndef __NR_clone3 #define __NR_clone3 -1 +#endif struct clone_args { __aligned_u64 flags; __aligned_u64 pidfd; @@ -34,13 +43,16 @@ struct clone_args { __aligned_u64 stack; __aligned_u64 stack_size; __aligned_u64 tls; +#ifndef CLONE_ARGS_SIZE_VER1 #define CLONE_ARGS_SIZE_VER1 80 +#endif __aligned_u64 set_tid; __aligned_u64 set_tid_size; +#ifndef CLONE_ARGS_SIZE_VER2 #define CLONE_ARGS_SIZE_VER2 88 +#endif __aligned_u64 cgroup; }; -#endif /* __NR_clone3 */
static pid_t sys_clone3(struct clone_args *args, size_t size) {
On Sat, Sep 12, 2020 at 04:08:19AM -0700, Kees Cook wrote:
As the UAPI headers start to appear in distros, we need to avoid outdated versions of struct clone_args to be able to test modern features. Additionally pull in the syscall numbers correctly.
Signed-off-by: Kees Cook keescook@chromium.org
Hm, with this patch applied I'm getting:
gcc -g -I../../../../usr/include/ clone3_set_tid.c /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest_harness.h /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest.h -lcap -o /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid In file included from clone3_set_tid.c:24: clone3_selftests.h:37:8: error: redefinition of ‘struct clone_args’ 37 | struct clone_args { | ^~~~~~~~~~ In file included from clone3_set_tid.c:12: /usr/include/linux/sched.h:92:8: note: originally defined here 92 | struct clone_args { | ^~~~~~~~~~ make: *** [../lib.mk:140: /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid] Error 1
One trick to avoid this could be:
#ifndef CLONE_ARGS_SIZE_VER0 #define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */ #endif
#ifndef CLONE_ARGS_SIZE_VER1 #define CLONE_ARGS_SIZE_VER1 80 /* sizeof second published struct */ #endif
#ifndef CLONE_ARGS_SIZE_VER2 #define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */ #endif
struct __clone_args { __aligned_u64 flags; __aligned_u64 pidfd; __aligned_u64 child_tid; __aligned_u64 parent_tid; __aligned_u64 exit_signal; __aligned_u64 stack; __aligned_u64 stack_size; __aligned_u64 tls; __aligned_u64 set_tid; __aligned_u64 set_tid_size; __aligned_u64 cgroup; };
static pid_t sys_clone3(struct __clone_args *args, size_t size) { return syscall(__NR_clone3, args, size); }
Christian
On Tue, Sep 15, 2020 at 06:25:28PM +0200, Christian Brauner wrote:
On Sat, Sep 12, 2020 at 04:08:19AM -0700, Kees Cook wrote:
As the UAPI headers start to appear in distros, we need to avoid outdated versions of struct clone_args to be able to test modern features. Additionally pull in the syscall numbers correctly.
Signed-off-by: Kees Cook keescook@chromium.org
Hm, with this patch applied I'm getting:
gcc -g -I../../../../usr/include/ clone3_set_tid.c /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest_harness.h /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest.h -lcap -o /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid In file included from clone3_set_tid.c:24: clone3_selftests.h:37:8: error: redefinition of ‘struct clone_args’ 37 | struct clone_args { | ^~~~~~~~~~ In file included from clone3_set_tid.c:12: /usr/include/linux/sched.h:92:8: note: originally defined here 92 | struct clone_args { | ^~~~~~~~~~ make: *** [../lib.mk:140: /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid] Error 1
Hm, weird.
One trick to avoid this could be:
#ifndef CLONE_ARGS_SIZE_VER0 #define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */ #endif
#ifndef CLONE_ARGS_SIZE_VER1 #define CLONE_ARGS_SIZE_VER1 80 /* sizeof second published struct */ #endif
#ifndef CLONE_ARGS_SIZE_VER2 #define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */ #endif
struct __clone_args { __aligned_u64 flags; __aligned_u64 pidfd; __aligned_u64 child_tid; __aligned_u64 parent_tid; __aligned_u64 exit_signal; __aligned_u64 stack; __aligned_u64 stack_size; __aligned_u64 tls; __aligned_u64 set_tid; __aligned_u64 set_tid_size; __aligned_u64 cgroup; };
static pid_t sys_clone3(struct __clone_args *args, size_t size) { return syscall(__NR_clone3, args, size); }
Yeah, that has fewer down sides. I'll rework it.
The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat). Switch to the modern syscall.
Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif") Signed-off-by: Kees Cook keescook@chromium.org --- tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 26c712c6a575..b34ede28f314 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -3773,7 +3773,7 @@ TEST(user_notification_filter_empty) if (pid == 0) { int listener;
- listener = user_notif_syscall(__NR_mknod, SECCOMP_FILTER_FLAG_NEW_LISTENER); + listener = user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LISTENER); if (listener < 0) _exit(EXIT_FAILURE);
On Sat, Sep 12, 2020 at 04:08:20AM -0700, Kees Cook wrote:
The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat). Switch to the modern syscall.
Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif") Signed-off-by: Kees Cook keescook@chromium.org
Thanks! Looks good. Acked-by: Christian Brauner christian.brauner@ubuntu.com
Kees Cook keescook@chromium.org writes:
Hi,
This refactors the seccomp selftest macros used in change_syscall(), in an effort to remove special cases for mips, arm, arm64, and xtensa, which paves the way for powerpc fixes.
I'm not entirely done testing, but all-arch build tests and x86_64 selftests pass. I'll be doing arm, arm64, and i386 selftests shortly, but I currently don't have an easy way to check xtensa, mips, nor powerpc. Any help there would be appreciated!
The series builds fine for me, and all the tests pass (see below).
Thanks for picking up those changes to deal with powerpc being oddball.
Tested-by: Michael Ellerman mpe@ellerman.id.au (powerpc)
cheers
./seccomp_bpf TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 43 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 44 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 43 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 44 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... # OK global.user_notification_continue ok 45 global.user_notification_continue # RUN global.user_notification_filter_empty ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 43 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 44 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... # OK global.user_notification_continue ok 45 global.user_notification_continue # RUN global.user_notification_filter_empty ... # OK global.user_notification_filter_empty ok 46 global.user_notification_filter_empty # RUN global.user_notification_filter_empty_threaded ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 43 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 44 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... # OK global.user_notification_continue ok 45 global.user_notification_continue # RUN global.user_notification_filter_empty ... # OK global.user_notification_filter_empty ok 46 global.user_notification_filter_empty # RUN global.user_notification_filter_empty_threaded ... # OK global.user_notification_filter_empty_threaded ok 47 global.user_notification_filter_empty_threaded # RUN global.user_notification_addfd ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 43 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 44 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... # OK global.user_notification_continue ok 45 global.user_notification_continue # RUN global.user_notification_filter_empty ... # OK global.user_notification_filter_empty ok 46 global.user_notification_filter_empty # RUN global.user_notification_filter_empty_threaded ... # OK global.user_notification_filter_empty_threaded ok 47 global.user_notification_filter_empty_threaded # RUN global.user_notification_addfd ... # OK global.user_notification_addfd ok 48 global.user_notification_addfd # RUN global.user_notification_addfd_rlimit ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 2 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 3 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 4 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 5 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 6 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 7 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 8 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 9 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 10 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 11 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 12 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 13 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 14 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 15 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 16 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 17 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 18 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 19 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 20 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 21 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 22 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 23 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 24 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 25 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 26 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 27 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 28 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 29 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 30 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 31 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 32 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 33 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 34 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 35 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 36 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 37 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 38 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 39 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 40 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 41 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 42 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 43 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 44 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... # OK global.user_notification_continue ok 45 global.user_notification_continue # RUN global.user_notification_filter_empty ... # OK global.user_notification_filter_empty ok 46 global.user_notification_filter_empty # RUN global.user_notification_filter_empty_threaded ... # OK global.user_notification_filter_empty_threaded ok 47 global.user_notification_filter_empty_threaded # RUN global.user_notification_addfd ... # OK global.user_notification_addfd ok 48 global.user_notification_addfd # RUN global.user_notification_addfd_rlimit ... # OK global.user_notification_addfd_rlimit ok 49 global.user_notification_addfd_rlimit # RUN TRAP.dfl ... # OK TRAP.dfl ok 50 TRAP.dfl # RUN TRAP.ign ... # OK TRAP.ign ok 51 TRAP.ign # RUN TRAP.handler ... # OK TRAP.handler ok 52 TRAP.handler # RUN precedence.allow_ok ... # OK precedence.allow_ok ok 53 precedence.allow_ok # RUN precedence.kill_is_highest ... # OK precedence.kill_is_highest ok 54 precedence.kill_is_highest # RUN precedence.kill_is_highest_in_any_order ... # OK precedence.kill_is_highest_in_any_order ok 55 precedence.kill_is_highest_in_any_order # RUN precedence.trap_is_second ... # OK precedence.trap_is_second ok 56 precedence.trap_is_second # RUN precedence.trap_is_second_in_any_order ... # OK precedence.trap_is_second_in_any_order ok 57 precedence.trap_is_second_in_any_order # RUN precedence.errno_is_third ... # OK precedence.errno_is_third ok 58 precedence.errno_is_third # RUN precedence.errno_is_third_in_any_order ... # OK precedence.errno_is_third_in_any_order ok 59 precedence.errno_is_third_in_any_order # RUN precedence.trace_is_fourth ... # OK precedence.trace_is_fourth ok 60 precedence.trace_is_fourth # RUN precedence.trace_is_fourth_in_any_order ... # OK precedence.trace_is_fourth_in_any_order ok 61 precedence.trace_is_fourth_in_any_order # RUN precedence.log_is_fifth ... # OK precedence.log_is_fifth ok 62 precedence.log_is_fifth # RUN precedence.log_is_fifth_in_any_order ... # OK precedence.log_is_fifth_in_any_order ok 63 precedence.log_is_fifth_in_any_order # RUN TRACE_poke.read_has_side_effects ... # OK TRACE_poke.read_has_side_effects ok 64 TRACE_poke.read_has_side_effects # RUN TRACE_poke.getpid_runs_normally ... # OK TRACE_poke.getpid_runs_normally ok 65 TRACE_poke.getpid_runs_normally # RUN TRACE_syscall.ptrace.negative_ENOSYS ... # OK TRACE_syscall.ptrace.negative_ENOSYS ok 66 TRACE_syscall.ptrace.negative_ENOSYS # RUN TRACE_syscall.ptrace.syscall_allowed ... # OK TRACE_syscall.ptrace.syscall_allowed ok 67 TRACE_syscall.ptrace.syscall_allowed # RUN TRACE_syscall.ptrace.syscall_redirected ... # OK TRACE_syscall.ptrace.syscall_redirected ok 68 TRACE_syscall.ptrace.syscall_redirected # RUN TRACE_syscall.ptrace.syscall_errno ... # OK TRACE_syscall.ptrace.syscall_errno ok 69 TRACE_syscall.ptrace.syscall_errno # RUN TRACE_syscall.ptrace.syscall_faked ... # OK TRACE_syscall.ptrace.syscall_faked ok 70 TRACE_syscall.ptrace.syscall_faked # RUN TRACE_syscall.ptrace.skip_after ... # OK TRACE_syscall.ptrace.skip_after ok 71 TRACE_syscall.ptrace.skip_after # RUN TRACE_syscall.ptrace.kill_after ... # OK TRACE_syscall.ptrace.kill_after ok 72 TRACE_syscall.ptrace.kill_after # RUN TRACE_syscall.seccomp.negative_ENOSYS ... # OK TRACE_syscall.seccomp.negative_ENOSYS ok 73 TRACE_syscall.seccomp.negative_ENOSYS # RUN TRACE_syscall.seccomp.syscall_allowed ... # OK TRACE_syscall.seccomp.syscall_allowed ok 74 TRACE_syscall.seccomp.syscall_allowed # RUN TRACE_syscall.seccomp.syscall_redirected ... # OK TRACE_syscall.seccomp.syscall_redirected ok 75 TRACE_syscall.seccomp.syscall_redirected # RUN TRACE_syscall.seccomp.syscall_errno ... # OK TRACE_syscall.seccomp.syscall_errno ok 76 TRACE_syscall.seccomp.syscall_errno # RUN TRACE_syscall.seccomp.syscall_faked ... # OK TRACE_syscall.seccomp.syscall_faked ok 77 TRACE_syscall.seccomp.syscall_faked # RUN TRACE_syscall.seccomp.skip_after ... # OK TRACE_syscall.seccomp.skip_after ok 78 TRACE_syscall.seccomp.skip_after # RUN TRACE_syscall.seccomp.kill_after ... # OK TRACE_syscall.seccomp.kill_after ok 79 TRACE_syscall.seccomp.kill_after # RUN TSYNC.siblings_fail_prctl ... # OK TSYNC.siblings_fail_prctl ok 80 TSYNC.siblings_fail_prctl # RUN TSYNC.two_siblings_with_ancestor ... # OK TSYNC.two_siblings_with_ancestor ok 81 TSYNC.two_siblings_with_ancestor # RUN TSYNC.two_sibling_want_nnp ... # OK TSYNC.two_sibling_want_nnp ok 82 TSYNC.two_sibling_want_nnp # RUN TSYNC.two_siblings_with_no_filter ... # OK TSYNC.two_siblings_with_no_filter ok 83 TSYNC.two_siblings_with_no_filter # RUN TSYNC.two_siblings_with_one_divergence ... # OK TSYNC.two_siblings_with_one_divergence ok 84 TSYNC.two_siblings_with_one_divergence # RUN TSYNC.two_siblings_with_one_divergence_no_tid_in_err ... # OK TSYNC.two_siblings_with_one_divergence_no_tid_in_err ok 85 TSYNC.two_siblings_with_one_divergence_no_tid_in_err # RUN TSYNC.two_siblings_not_under_filter ... # OK TSYNC.two_siblings_not_under_filter ok 86 TSYNC.two_siblings_not_under_filter # PASSED: 86 / 86 tests passed. # Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote:
Kees Cook keescook@chromium.org writes:
Hi,
This refactors the seccomp selftest macros used in change_syscall(), in an effort to remove special cases for mips, arm, arm64, and xtensa, which paves the way for powerpc fixes.
I'm not entirely done testing, but all-arch build tests and x86_64 selftests pass. I'll be doing arm, arm64, and i386 selftests shortly, but I currently don't have an easy way to check xtensa, mips, nor powerpc. Any help there would be appreciated!
The series builds fine for me, and all the tests pass (see below).
Thanks for picking up those changes to deal with powerpc being oddball.
Tested-by: Michael Ellerman mpe@ellerman.id.au (powerpc)
Awesome; thanks!
However...
cheers
./seccomp_bpf TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp [...] # RUN global.KILL_thread ... TAP version 13 1..86 # Starting 86 tests from 7 test cases.
Was this a mis-paste, or has something very very bad happened here in global.KILL_one_arg_six finishes?
# RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp [...] # RUN global.user_notification_basic ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_basic ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_signal ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_closed_listener ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_child_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_sibling_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_sibling_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_sibling_pid_ns ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_fault_recv ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_continue ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_filter_empty ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_filter_empty_threaded ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_addfd ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # RUN global.user_notification_addfd_rlimit ... TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # PASSED: 86 / 86 tests passed. # Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
And after every user_notification test? O_O
On Mon, Sep 14, 2020 at 1:32 PM Kees Cook keescook@chromium.org wrote:
On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote:
Kees Cook keescook@chromium.org writes:
However...
cheers
./seccomp_bpf TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp [...] # RUN global.KILL_thread ... TAP version 13 1..86 # Starting 86 tests from 7 test cases.
Was this a mis-paste, or has something very very bad happened here in global.KILL_one_arg_six finishes?
I observe similar output corruption on xtensa when I redirect test output into a file or pipe it to 'cat'. When it goes to the terminal it looks normal.
Kees Cook keescook@chromium.org writes:
On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote:
Kees Cook keescook@chromium.org writes:
Hi,
This refactors the seccomp selftest macros used in change_syscall(), in an effort to remove special cases for mips, arm, arm64, and xtensa, which paves the way for powerpc fixes.
I'm not entirely done testing, but all-arch build tests and x86_64 selftests pass. I'll be doing arm, arm64, and i386 selftests shortly, but I currently don't have an easy way to check xtensa, mips, nor powerpc. Any help there would be appreciated!
The series builds fine for me, and all the tests pass (see below).
Thanks for picking up those changes to deal with powerpc being oddball.
Tested-by: Michael Ellerman mpe@ellerman.id.au (powerpc)
Awesome; thanks!
However...
./seccomp_bpf TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN global.kcmp ... # OK global.kcmp ok 1 global.kcmp [...] # RUN global.KILL_thread ... TAP version 13 1..86 # Starting 86 tests from 7 test cases.
Was this a mis-paste, or has something very very bad happened here in global.KILL_one_arg_six finishes?
...
TAP version 13 1..86 # Starting 86 tests from 7 test cases. [...] # PASSED: 86 / 86 tests passed. # Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
And after every user_notification test? O_O
Haha, I thought that was normal :)
It's because of redirection, I run the tests with:
find . -executable -type f -print -execdir '{}' ';' | tee test.log
If I just run it directly on the terminal everything is normal.
It'll be fork() vs libc buffering.
I can fix it with:
$ stdbuf -oL ./seccomp_bpf | tee test.log
Or the patch below.
I can send a proper patch for that tomorrow, I don't know that harness code, but I think that's the right fix.
cheers
diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h index 4f78e4805633..b1bd00ff3d94 100644 --- a/tools/testing/selftests/kselftest_harness.h +++ b/tools/testing/selftests/kselftest_harness.h @@ -971,6 +971,7 @@ void __run_test(struct __fixture_metadata *f,
ksft_print_msg(" RUN %s%s%s.%s ...\n", f->name, variant->name[0] ? "." : "", variant->name, t->name); + fflush(stdout); t->pid = fork(); if (t->pid < 0) { ksft_print_msg("ERROR SPAWNING TEST CHILD\n");
Hello,
On Sat, Sep 12, 2020 at 4:08 AM Kees Cook keescook@chromium.org wrote:
This refactors the seccomp selftest macros used in change_syscall(), in an effort to remove special cases for mips, arm, arm64, and xtensa, which paves the way for powerpc fixes.
I'm not entirely done testing, but all-arch build tests and x86_64 selftests pass. I'll be doing arm, arm64, and i386 selftests shortly, but I currently don't have an easy way to check xtensa, mips, nor powerpc. Any help there would be appreciated!
I've built and tested this series on xtensa. I had to disable two tests: user_notification_addfd and user_notification_addfd_rlimit because they use memfd_create and prlimit which are not available in uClibc. With this change I've got all 86 tests passing with the following log:
./seccomp_bpf TAP version 13 1..86 # Starting 86 tests from 7 test cases. # RUN TRAP.dfl ... # OK TRAP.dfl ok 1 TRAP.dfl # RUN TRAP.ign ... # OK TRAP.ign ok 2 TRAP.ign # RUN TRAP.handler ... # OK TRAP.handler ok 3 TRAP.handler # RUN precedence.allow_ok ... # OK precedence.allow_ok ok 4 precedence.allow_ok # RUN precedence.kill_is_highest ... # OK precedence.kill_is_highest ok 5 precedence.kill_is_highest # RUN precedence.kill_is_highest_in_any_order ... # OK precedence.kill_is_highest_in_any_order ok 6 precedence.kill_is_highest_in_any_order # RUN precedence.trap_is_second ... # OK precedence.trap_is_second ok 7 precedence.trap_is_second # RUN precedence.trap_is_second_in_any_order ... # OK precedence.trap_is_second_in_any_order ok 8 precedence.trap_is_second_in_any_order # RUN precedence.errno_is_third ... # OK precedence.errno_is_third ok 9 precedence.errno_is_third # RUN precedence.errno_is_third_in_any_order ... # OK precedence.errno_is_third_in_any_order ok 10 precedence.errno_is_third_in_any_order # RUN precedence.trace_is_fourth ... # OK precedence.trace_is_fourth ok 11 precedence.trace_is_fourth # RUN precedence.trace_is_fourth_in_any_order ... # OK precedence.trace_is_fourth_in_any_order ok 12 precedence.trace_is_fourth_in_any_order # RUN precedence.log_is_fifth ... # OK precedence.log_is_fifth ok 13 precedence.log_is_fifth # RUN precedence.log_is_fifth_in_any_order ... # OK precedence.log_is_fifth_in_any_order ok 14 precedence.log_is_fifth_in_any_order # RUN TRACE_poke.read_has_side_effects ... # OK TRACE_poke.read_has_side_effects ok 15 TRACE_poke.read_has_side_effects # RUN TRACE_poke.getpid_runs_normally ... # OK TRACE_poke.getpid_runs_normally ok 16 TRACE_poke.getpid_runs_normally # RUN TRACE_syscall.ptrace.negative_ENOSYS ... # OK TRACE_syscall.ptrace.negative_ENOSYS ok 17 TRACE_syscall.ptrace.negative_ENOSYS # RUN TRACE_syscall.ptrace.syscall_allowed ... # OK TRACE_syscall.ptrace.syscall_allowed ok 18 TRACE_syscall.ptrace.syscall_allowed # RUN TRACE_syscall.ptrace.syscall_redirected ... # OK TRACE_syscall.ptrace.syscall_redirected ok 19 TRACE_syscall.ptrace.syscall_redirected # RUN TRACE_syscall.ptrace.syscall_errno ... # OK TRACE_syscall.ptrace.syscall_errno ok 20 TRACE_syscall.ptrace.syscall_errno # RUN TRACE_syscall.ptrace.syscall_faked ... # OK TRACE_syscall.ptrace.syscall_faked ok 21 TRACE_syscall.ptrace.syscall_faked # RUN TRACE_syscall.ptrace.skip_after ... # OK TRACE_syscall.ptrace.skip_after ok 22 TRACE_syscall.ptrace.skip_after # RUN TRACE_syscall.ptrace.kill_after ... # OK TRACE_syscall.ptrace.kill_after ok 23 TRACE_syscall.ptrace.kill_after # RUN TRACE_syscall.seccomp.negative_ENOSYS ... # OK TRACE_syscall.seccomp.negative_ENOSYS ok 24 TRACE_syscall.seccomp.negative_ENOSYS # RUN TRACE_syscall.seccomp.syscall_allowed ... # OK TRACE_syscall.seccomp.syscall_allowed ok 25 TRACE_syscall.seccomp.syscall_allowed # RUN TRACE_syscall.seccomp.syscall_redirected ... # OK TRACE_syscall.seccomp.syscall_redirected ok 26 TRACE_syscall.seccomp.syscall_redirected # RUN TRACE_syscall.seccomp.syscall_errno ... # OK TRACE_syscall.seccomp.syscall_errno ok 27 TRACE_syscall.seccomp.syscall_errno # RUN TRACE_syscall.seccomp.syscall_faked ... # OK TRACE_syscall.seccomp.syscall_faked ok 28 TRACE_syscall.seccomp.syscall_faked # RUN TRACE_syscall.seccomp.skip_after ... # OK TRACE_syscall.seccomp.skip_after ok 29 TRACE_syscall.seccomp.skip_after # RUN TRACE_syscall.seccomp.kill_after ... # OK TRACE_syscall.seccomp.kill_after ok 30 TRACE_syscall.seccomp.kill_after # RUN TSYNC.siblings_fail_prctl ... # OK TSYNC.siblings_fail_prctl ok 31 TSYNC.siblings_fail_prctl # RUN TSYNC.two_siblings_with_ancestor ... # OK TSYNC.two_siblings_with_ancestor ok 32 TSYNC.two_siblings_with_ancestor # RUN TSYNC.two_sibling_want_nnp ... # OK TSYNC.two_sibling_want_nnp ok 33 TSYNC.two_sibling_want_nnp # RUN TSYNC.two_siblings_with_no_filter ... # OK TSYNC.two_siblings_with_no_filter ok 34 TSYNC.two_siblings_with_no_filter # RUN TSYNC.two_siblings_with_one_divergence ... # OK TSYNC.two_siblings_with_one_divergence ok 35 TSYNC.two_siblings_with_one_divergence # RUN TSYNC.two_siblings_with_one_divergence_no_tid_in_err ... # OK TSYNC.two_siblings_with_one_divergence_no_tid_in_err ok 36 TSYNC.two_siblings_with_one_divergence_no_tid_in_err # RUN TSYNC.two_siblings_not_under_filter ... # OK TSYNC.two_siblings_not_under_filter ok 37 TSYNC.two_siblings_not_under_filter # RUN global.kcmp ... # OK global.kcmp ok 38 global.kcmp # RUN global.mode_strict_support ... # OK global.mode_strict_support ok 39 global.mode_strict_support # RUN global.mode_strict_cannot_call_prctl ... # OK global.mode_strict_cannot_call_prctl ok 40 global.mode_strict_cannot_call_prctl # RUN global.no_new_privs_support ... # OK global.no_new_privs_support ok 41 global.no_new_privs_support # RUN global.mode_filter_support ... # OK global.mode_filter_support ok 42 global.mode_filter_support # RUN global.mode_filter_without_nnp ... # OK global.mode_filter_without_nnp ok 43 global.mode_filter_without_nnp # RUN global.filter_size_limits ... # OK global.filter_size_limits ok 44 global.filter_size_limits # RUN global.filter_chain_limits ... # OK global.filter_chain_limits ok 45 global.filter_chain_limits # RUN global.mode_filter_cannot_move_to_strict ... # OK global.mode_filter_cannot_move_to_strict ok 46 global.mode_filter_cannot_move_to_strict # RUN global.mode_filter_get_seccomp ... # OK global.mode_filter_get_seccomp ok 47 global.mode_filter_get_seccomp # RUN global.ALLOW_all ... # OK global.ALLOW_all ok 48 global.ALLOW_all # RUN global.empty_prog ... # OK global.empty_prog ok 49 global.empty_prog # RUN global.log_all ... # OK global.log_all ok 50 global.log_all # RUN global.unknown_ret_is_kill_inside ... # OK global.unknown_ret_is_kill_inside ok 51 global.unknown_ret_is_kill_inside # RUN global.unknown_ret_is_kill_above_allow ... # OK global.unknown_ret_is_kill_above_allow ok 52 global.unknown_ret_is_kill_above_allow # RUN global.KILL_all ... # OK global.KILL_all ok 53 global.KILL_all # RUN global.KILL_one ... # OK global.KILL_one ok 54 global.KILL_one # RUN global.KILL_one_arg_one ... # OK global.KILL_one_arg_one ok 55 global.KILL_one_arg_one # RUN global.KILL_one_arg_six ... # OK global.KILL_one_arg_six ok 56 global.KILL_one_arg_six # RUN global.KILL_thread ... # OK global.KILL_thread ok 57 global.KILL_thread # RUN global.KILL_process ... # OK global.KILL_process ok 58 global.KILL_process # RUN global.arg_out_of_range ... # OK global.arg_out_of_range ok 59 global.arg_out_of_range # RUN global.ERRNO_valid ... # OK global.ERRNO_valid ok 60 global.ERRNO_valid # RUN global.ERRNO_zero ... # OK global.ERRNO_zero ok 61 global.ERRNO_zero # RUN global.ERRNO_capped ... # OK global.ERRNO_capped ok 62 global.ERRNO_capped # RUN global.ERRNO_order ... # OK global.ERRNO_order ok 63 global.ERRNO_order # RUN global.negative_ENOSYS ... # OK global.negative_ENOSYS ok 64 global.negative_ENOSYS # RUN global.seccomp_syscall ... # OK global.seccomp_syscall ok 65 global.seccomp_syscall # RUN global.seccomp_syscall_mode_lock ... # OK global.seccomp_syscall_mode_lock ok 66 global.seccomp_syscall_mode_lock # RUN global.detect_seccomp_filter_flags ... # OK global.detect_seccomp_filter_flags ok 67 global.detect_seccomp_filter_flags # RUN global.TSYNC_first ... # OK global.TSYNC_first ok 68 global.TSYNC_first # RUN global.syscall_restart ... # OK global.syscall_restart ok 69 global.syscall_restart # RUN global.filter_flag_log ... # OK global.filter_flag_log ok 70 global.filter_flag_log # RUN global.get_action_avail ... # OK global.get_action_avail ok 71 global.get_action_avail # RUN global.get_metadata ... # OK global.get_metadata ok 72 global.get_metadata # RUN global.user_notification_basic ... # OK global.user_notification_basic ok 73 global.user_notification_basic # RUN global.user_notification_with_tsync ... # OK global.user_notification_with_tsync ok 74 global.user_notification_with_tsync # RUN global.user_notification_kill_in_middle ... # OK global.user_notification_kill_in_middle ok 75 global.user_notification_kill_in_middle # RUN global.user_notification_signal ... # OK global.user_notification_signal ok 76 global.user_notification_signal # RUN global.user_notification_closed_listener ... # OK global.user_notification_closed_listener ok 77 global.user_notification_closed_listener # RUN global.user_notification_child_pid_ns ... # OK global.user_notification_child_pid_ns ok 78 global.user_notification_child_pid_ns # RUN global.user_notification_sibling_pid_ns ... # OK global.user_notification_sibling_pid_ns ok 79 global.user_notification_sibling_pid_ns # RUN global.user_notification_fault_recv ... # OK global.user_notification_fault_recv ok 80 global.user_notification_fault_recv # RUN global.seccomp_get_notif_sizes ... # OK global.seccomp_get_notif_sizes ok 81 global.seccomp_get_notif_sizes # RUN global.user_notification_continue ... # OK global.user_notification_continue ok 82 global.user_notification_continue # RUN global.user_notification_filter_empty ... # OK global.user_notification_filter_empty ok 83 global.user_notification_filter_empty # RUN global.user_notification_filter_empty_threaded ... # OK global.user_notification_filter_empty_threaded ok 84 global.user_notification_filter_empty_threaded # RUN global.user_notification_addfd ... # OK global.user_notification_addfd ok 85 global.user_notification_addfd # RUN global.user_notification_addfd_rlimit ... # OK global.user_notification_addfd_rlimit ok 86 global.user_notification_addfd_rlimit # PASSED: 86 / 86 tests passed. # Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
linux-kselftest-mirror@lists.linaro.org