Hi,
This refactors the seccomp selftest macros used in change_syscall(),
in an effort to remove special cases for mips, arm, arm64, and xtensa,
which paves the way for powerpc fixes.
I'm not entirely done testing, but all-arch build tests and x86_64
selftests pass. I'll be doing arm, arm64, and i386 selftests shortly,
but I currently don't have an easy way to check xtensa, mips, nor
powerpc. Any help there would be appreciated!
(FWIW, I expect to take these via the seccomp tree.)
Thanks,
-Kees
Kees Cook (15):
selftests/seccomp: Refactor arch register macros to avoid xtensa
special case
selftests/seccomp: Provide generic syscall setting macro
selftests/seccomp: mips: Define SYSCALL_NUM_SET macro
selftests/seccomp: arm: Define SYSCALL_NUM_SET macro
selftests/seccomp: arm64: Define SYSCALL_NUM_SET macro
selftests/seccomp: mips: Remove O32-specific macro
selftests/seccomp: Remove syscall setting #ifdefs
selftests/seccomp: Convert HAVE_GETREG into ARCH_GETREG/ARCH_SETREG
selftests/seccomp: Convert REGSET calls into ARCH_GETREG/ARCH_SETREG
selftests/seccomp: Avoid redundant register flushes
selftests/seccomp: Remove SYSCALL_NUM_RET_SHARE_REG in favor of
SYSCALL_RET_SET
selftests/seccomp: powerpc: Fix seccomp return value testing
selftests/seccomp: powerpc: Set syscall return during ptrace syscall
exit
selftests/clone3: Avoid OS-defined clone_args
selftests/seccomp: Use __NR_mknodat instead of __NR_mknod
.../selftests/clone3/clone3_selftests.h | 16 +-
tools/testing/selftests/seccomp/seccomp_bpf.c | 313 ++++++++++--------
2 files changed, 184 insertions(+), 145 deletions(-)
--
2.25.1
In order to avoid "#ifdef"s in the main function bodies, create a new
macro, SYSCALL_NUM_SET(), where arch-specific logic can live.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index fef15080b575..1c83e743bfb1 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1760,6 +1760,17 @@ TEST_F(TRACE_poke, getpid_runs_normally)
# error "Do not know how to find your architecture's registers and syscalls"
#endif
+/*
+ * Most architectures can change the syscall by just updating the
+ * associated register. This is the default if not defined above.
+ */
+#ifndef SYSCALL_NUM_SET
+# define SYSCALL_NUM_SET(_regs, _nr) \
+ do { \
+ SYSCALL_NUM(_regs) = (_nr); \
+ } while (0)
+#endif
+
/* When the syscall return can't be changed, stub out the tests for it. */
#ifdef SYSCALL_NUM_RET_SHARE_REG
# define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
@@ -1830,14 +1841,14 @@ void change_syscall(struct __test_metadata *_metadata,
defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
defined(__xtensa__) || defined(__csky__) || defined(__sh__)
{
- SYSCALL_NUM(regs) = syscall;
+ SYSCALL_NUM_SET(regs, syscall);
}
#elif defined(__mips__)
{
if (SYSCALL_NUM(regs) == __NR_O32_Linux)
regs.SYSCALL_SYSCALL_NUM = syscall;
else
- SYSCALL_NUM(regs) = syscall;
+ SYSCALL_NUM_SET(regs, syscall);
}
#elif defined(__arm__)
--
2.25.1
Instead of special-casing the get/set-registers routines, move the
HAVE_GETREG logic into the new ARCH_GETREG() and ARCH_SETREG() macros.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 27 ++++++++++---------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 3b77bdbe7125..a986f2332327 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1821,20 +1821,21 @@ TEST_F(TRACE_poke, getpid_runs_normally)
} while (0)
#endif
-/* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
+/*
+ * Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
* architectures without HAVE_ARCH_TRACEHOOK (e.g. User-mode Linux).
*/
#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
-#define HAVE_GETREGS
+# define ARCH_GETREGS(_regs) ptrace(PTRACE_GETREGS, tracee, 0, &(_regs))
+# define ARCH_SETREGS(_regs) ptrace(PTRACE_SETREGS, tracee, 0, &(_regs))
#endif
/* Architecture-specific syscall fetching routine. */
int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
{
ARCH_REGS regs;
-#ifdef HAVE_GETREGS
- EXPECT_EQ(0, ptrace(PTRACE_GETREGS, tracee, 0, ®s)) {
- TH_LOG("PTRACE_GETREGS failed");
+#ifdef ARCH_GETREGS
+ EXPECT_EQ(0, ARCH_GETREGS(regs)) {
return -1;
}
#else
@@ -1855,17 +1856,19 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
void change_syscall(struct __test_metadata *_metadata,
pid_t tracee, int syscall, int result)
{
- int ret;
ARCH_REGS regs;
-#ifdef HAVE_GETREGS
- ret = ptrace(PTRACE_GETREGS, tracee, 0, ®s);
+#ifdef ARCH_GETREGS
+ EXPECT_EQ(0, ARCH_GETREGS(regs)) {
+ return;
+ }
#else
+ int ret;
struct iovec iov;
iov.iov_base = ®s;
iov.iov_len = sizeof(regs);
ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
-#endif
EXPECT_EQ(0, ret);
+#endif
SYSCALL_NUM_SET(regs, syscall);
@@ -1878,14 +1881,14 @@ void change_syscall(struct __test_metadata *_metadata,
#endif
/* Flush any register changes made. */
-#ifdef HAVE_GETREGS
- ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s);
+#ifdef ARCH_SETREGS
+ EXPECT_EQ(0, ARCH_SETREGS(regs));
#else
iov.iov_base = ®s;
iov.iov_len = sizeof(regs);
ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
-#endif
EXPECT_EQ(0, ret);
+#endif
}
void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
--
2.25.1
On powerpc, the errno is not inverted, and depends on ccr.so being
set. Add this to a powerpc definition of SYSCALL_RET_SET().
Co-developed-by: Thadeu Lima de Souza Cascardo <[email protected]>
Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
Link: https://lore.kernel.org/linux-kselftest/[email protected]/
Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support")
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 623953a53032..bbab2420d708 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1750,6 +1750,21 @@ TEST_F(TRACE_poke, getpid_runs_normally)
# define ARCH_REGS struct pt_regs
# define SYSCALL_NUM(_regs) (_regs).gpr[0]
# define SYSCALL_RET(_regs) (_regs).gpr[3]
+# define SYSCALL_RET_SET(_regs, _val) \
+ do { \
+ typeof(_val) _result = (_val); \
+ /* \
+ * A syscall error is signaled by CR0 SO bit \
+ * and the code is stored as a positive value. \
+ */ \
+ if (_result < 0) { \
+ SYSCALL_RET(_regs) = -result; \
+ (_regs).ccr |= 0x10000000; \
+ } else { \
+ SYSCALL_RET(_regs) = result; \
+ (_regs).ccr &= ~0x10000000; \
+ } \
+ } while (0)
#elif defined(__s390__)
# define ARCH_REGS s390_regs
# define SYSCALL_NUM(_regs) (_regs).gprs[2]
--
2.25.1
When none of the registers have changed, don't flush them back. This can
happen if the architecture uses a non-register way to change the syscall
(e.g. arm64) , and a return value hasn't been written.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index d9346121b89b..2790d9cd50f4 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1859,11 +1859,12 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
void change_syscall(struct __test_metadata *_metadata,
pid_t tracee, int syscall, int result)
{
- ARCH_REGS regs;
+ ARCH_REGS orig, regs;
EXPECT_EQ(0, ARCH_GETREGS(regs)) {
return;
}
+ orig = regs;
SYSCALL_NUM_SET(regs, syscall);
@@ -1876,7 +1877,8 @@ void change_syscall(struct __test_metadata *_metadata,
#endif
/* Flush any register changes made. */
- EXPECT_EQ(0, ARCH_SETREGS(regs));
+ if (memcmp(&orig, ®s, sizeof(orig)) != 0)
+ EXPECT_EQ(0, ARCH_SETREGS(regs));
}
void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
--
2.25.1
Instead of special-casing the specific case of shared registers, create
a default SYSCALL_RET_SET() macro (mirroring SYSCALL_NUM_SET()), that
writes to the SYSCALL_RET register. For architectures that can't set the
return value (for whatever reason), they can define SYSCALL_RET_SET()
without an associated SYSCALL_RET() macro. This also paves the way for
architectures that need to do special things to set the return value
(e.g. powerpc).
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 33 +++++++++++++------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 2790d9cd50f4..623953a53032 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1753,8 +1753,8 @@ TEST_F(TRACE_poke, getpid_runs_normally)
#elif defined(__s390__)
# define ARCH_REGS s390_regs
# define SYSCALL_NUM(_regs) (_regs).gprs[2]
-# define SYSCALL_RET(_regs) (_regs).gprs[2]
-# define SYSCALL_NUM_RET_SHARE_REG
+# define SYSCALL_RET_SET(_regs, _val) \
+ TH_LOG("Can't modify syscall return on this architecture")
#elif defined(__mips__)
# include <asm/unistd_nr_n32.h>
# include <asm/unistd_nr_n64.h>
@@ -1776,8 +1776,8 @@ TEST_F(TRACE_poke, getpid_runs_normally)
else \
(_regs).regs[2] = _nr; \
} while (0)
-# define SYSCALL_RET(_regs) (_regs).regs[2]
-# define SYSCALL_NUM_RET_SHARE_REG
+# define SYSCALL_RET_SET(_regs, _val) \
+ TH_LOG("Can't modify syscall return on this architecture")
#elif defined(__xtensa__)
# define ARCH_REGS struct user_pt_regs
# define SYSCALL_NUM(_regs) (_regs).syscall
@@ -1804,9 +1804,26 @@ TEST_F(TRACE_poke, getpid_runs_normally)
SYSCALL_NUM(_regs) = (_nr); \
} while (0)
#endif
+/*
+ * Most architectures can change the syscall return value by just
+ * writing to the SYSCALL_RET register. This is the default if not
+ * defined above. If an architecture cannot set the return value
+ * (for example when the syscall and return value register is
+ * shared), report it with TH_LOG() in an arch-specific definition
+ * of SYSCALL_RET_SET() above, and leave SYSCALL_RET undefined.
+ */
+#if !defined(SYSCALL_RET) && !defined(SYSCALL_RET_SET)
+# error "One of SYSCALL_RET or SYSCALL_RET_SET is needed for this arch"
+#endif
+#ifndef SYSCALL_RET_SET
+# define SYSCALL_RET_SET(_regs, _val) \
+ do { \
+ SYSCALL_RET(_regs) = (_val); \
+ } while (0)
+#endif
/* When the syscall return can't be changed, stub out the tests for it. */
-#ifdef SYSCALL_NUM_RET_SHARE_REG
+#ifndef SYSCALL_RET
# define EXPECT_SYSCALL_RETURN(val, action) EXPECT_EQ(-1, action)
#else
# define EXPECT_SYSCALL_RETURN(val, action) \
@@ -1870,11 +1887,7 @@ void change_syscall(struct __test_metadata *_metadata,
/* If syscall is skipped, change return value. */
if (syscall == -1)
-#ifdef SYSCALL_NUM_RET_SHARE_REG
- TH_LOG("Can't modify syscall return on this architecture");
-#else
- SYSCALL_RET(regs) = result;
-#endif
+ SYSCALL_RET_SET(regs, result);
/* Flush any register changes made. */
if (memcmp(&orig, ®s, sizeof(orig)) != 0)
--
2.25.1
The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat).
Switch to the modern syscall.
Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif")
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 26c712c6a575..b34ede28f314 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -3773,7 +3773,7 @@ TEST(user_notification_filter_empty)
if (pid == 0) {
int listener;
- listener = user_notif_syscall(__NR_mknod, SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ listener = user_notif_syscall(__NR_mknodat, SECCOMP_FILTER_FLAG_NEW_LISTENER);
if (listener < 0)
_exit(EXIT_FAILURE);
--
2.25.1
Some archs (like ppc) only support changing the return code during
syscall exit when ptrace is used. As the syscall number might not
be available anymore during syscall exit, it needs to be saved
during syscall enter. Adjust the ptrace tests to do this.
Reported-by: Thadeu Lima de Souza Cascardo <[email protected]>
Suggested-by: Thadeu Lima de Souza Cascardo <[email protected]>
Link: https://lore.kernel.org/linux-kselftest/[email protected]/
Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole")
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 34 +++++++++++--------
1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index bbab2420d708..26c712c6a575 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1949,12 +1949,19 @@ void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
}
+FIXTURE(TRACE_syscall) {
+ struct sock_fprog prog;
+ pid_t tracer, mytid, mypid, parent;
+ long syscall_nr;
+};
+
void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
int status, void *args)
{
- int ret, nr;
+ int ret;
unsigned long msg;
static bool entry;
+ FIXTURE_DATA(TRACE_syscall) *self = args;
/*
* The traditional way to tell PTRACE_SYSCALL entry/exit
@@ -1968,24 +1975,23 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
: PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
- if (!entry)
- return;
-
- nr = get_syscall(_metadata, tracee);
+ /*
+ * Some architectures only support setting return values during
+ * syscall exit under ptrace, and on exit the syscall number may
+ * no longer be available. Therefore, save it here, and call
+ * "change syscall and set return values" on both entry and exit.
+ */
+ if (entry)
+ self->syscall_nr = get_syscall(_metadata, tracee);
- if (nr == __NR_getpid)
+ if (self->syscall_nr == __NR_getpid)
change_syscall(_metadata, tracee, __NR_getppid, 0);
- if (nr == __NR_gettid)
+ if (self->syscall_nr == __NR_gettid)
change_syscall(_metadata, tracee, -1, 45000);
- if (nr == __NR_openat)
+ if (self->syscall_nr == __NR_openat)
change_syscall(_metadata, tracee, -1, -ESRCH);
}
-FIXTURE(TRACE_syscall) {
- struct sock_fprog prog;
- pid_t tracer, mytid, mypid, parent;
-};
-
FIXTURE_VARIANT(TRACE_syscall) {
/*
* All of the SECCOMP_RET_TRACE behaviors can be tested with either
@@ -2044,7 +2050,7 @@ FIXTURE_SETUP(TRACE_syscall)
self->tracer = setup_trace_fixture(_metadata,
variant->use_ptrace ? tracer_ptrace
: tracer_seccomp,
- NULL, variant->use_ptrace);
+ self, variant->use_ptrace);
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
ASSERT_EQ(0, ret);
--
2.25.1
With all architectures now using the common SYSCALL_NUM_SET() macro, the
arch-specific #ifdef can be removed from change_syscall() itself.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index aa1c224371d1..3b77bdbe7125 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1865,20 +1865,9 @@ void change_syscall(struct __test_metadata *_metadata,
iov.iov_len = sizeof(regs);
ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
#endif
- EXPECT_EQ(0, ret) {}
+ EXPECT_EQ(0, ret);
-#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
- defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
- defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \
- defined(__mips__) || defined(__arm__) || defined(__aarch64__)
- {
- SYSCALL_NUM_SET(regs, syscall);
- }
-#else
- ASSERT_EQ(1, 0) {
- TH_LOG("How is the syscall changed on this architecture?");
- }
-#endif
+ SYSCALL_NUM_SET(regs, syscall);
/* If syscall is skipped, change return value. */
if (syscall == -1)
@@ -1888,6 +1877,7 @@ void change_syscall(struct __test_metadata *_metadata,
SYSCALL_RET(regs) = result;
#endif
+ /* Flush any register changes made. */
#ifdef HAVE_GETREGS
ret = ptrace(PTRACE_SETREGS, tracee, 0, ®s);
#else
--
2.25.1
Remove the arm special-case in change_syscall().
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 02a9a6599746..610fc036e374 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1708,6 +1708,11 @@ TEST_F(TRACE_poke, getpid_runs_normally)
#elif defined(__arm__)
# define ARCH_REGS struct pt_regs
# define SYSCALL_NUM(_regs) (_regs).ARM_r7
+# ifndef PTRACE_SET_SYSCALL
+# define PTRACE_SET_SYSCALL 23
+# endif
+# define SYSCALL_NUM_SET(_regs, _nr) \
+ EXPECT_EQ(0, ptrace(PTRACE_SET_SYSCALL, tracee, NULL, _nr))
# define SYSCALL_RET(_regs) (_regs).ARM_r0
#elif defined(__aarch64__)
# define ARCH_REGS struct user_pt_regs
@@ -1847,20 +1852,11 @@ void change_syscall(struct __test_metadata *_metadata,
#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \
- defined(__mips__)
+ defined(__mips__) || defined(__arm__)
{
SYSCALL_NUM_SET(regs, syscall);
}
-#elif defined(__arm__)
-# ifndef PTRACE_SET_SYSCALL
-# define PTRACE_SET_SYSCALL 23
-# endif
- {
- ret = ptrace(PTRACE_SET_SYSCALL, tracee, NULL, syscall);
- EXPECT_EQ(0, ret);
- }
-
#elif defined(__aarch64__)
# ifndef NT_ARM_SYSTEM_CALL
# define NT_ARM_SYSTEM_CALL 0x404
--
2.25.1
Instead of having the mips O32 macro special-cased, pull the logic into
the SYSCALL_NUM() macro. Additionally include the ABI headers, since
these appear to have been missing, leaving __NR_O32_Linux undefined.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index cfa606d96086..aa1c224371d1 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1756,9 +1756,19 @@ TEST_F(TRACE_poke, getpid_runs_normally)
# define SYSCALL_RET(_regs) (_regs).gprs[2]
# define SYSCALL_NUM_RET_SHARE_REG
#elif defined(__mips__)
+# include <asm/unistd_nr_n32.h>
+# include <asm/unistd_nr_n64.h>
+# include <asm/unistd_nr_o32.h>
# define ARCH_REGS struct pt_regs
-# define SYSCALL_NUM(_regs) (_regs).regs[2]
-# define SYSCALL_SYSCALL_NUM regs[4]
+# define SYSCALL_NUM(_regs) \
+ ({ \
+ typeof((_regs).regs[2]) _nr; \
+ if ((_regs).regs[2] == __NR_O32_Linux) \
+ _nr = (_regs).regs[4]; \
+ else \
+ _nr = (_regs).regs[2]; \
+ _nr; \
+ })
# define SYSCALL_NUM_SET(_regs, _nr) \
do { \
if ((_regs).regs[2] == __NR_O32_Linux) \
@@ -1838,10 +1848,6 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
}
#endif
-#if defined(__mips__)
- if (SYSCALL_NUM(regs) == __NR_O32_Linux)
- return regs.SYSCALL_SYSCALL_NUM;
-#endif
return SYSCALL_NUM(regs);
}
--
2.25.1
To avoid an xtensa special-case, refactor all arch register macros to
take the register variable instead of depending on the macro expanding
as a struct member name.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 97 +++++++++----------
1 file changed, 47 insertions(+), 50 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index c5002fc25b00..fef15080b575 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1698,64 +1698,64 @@ TEST_F(TRACE_poke, getpid_runs_normally)
}
#if defined(__x86_64__)
-# define ARCH_REGS struct user_regs_struct
-# define SYSCALL_NUM orig_rax
-# define SYSCALL_RET rax
+# define ARCH_REGS struct user_regs_struct
+# define SYSCALL_NUM(_regs) (_regs).orig_rax
+# define SYSCALL_RET(_regs) (_regs).rax
#elif defined(__i386__)
-# define ARCH_REGS struct user_regs_struct
-# define SYSCALL_NUM orig_eax
-# define SYSCALL_RET eax
+# define ARCH_REGS struct user_regs_struct
+# define SYSCALL_NUM(_regs) (_regs).orig_eax
+# define SYSCALL_RET(_regs) (_regs).eax
#elif defined(__arm__)
-# define ARCH_REGS struct pt_regs
-# define SYSCALL_NUM ARM_r7
-# define SYSCALL_RET ARM_r0
+# define ARCH_REGS struct pt_regs
+# define SYSCALL_NUM(_regs) (_regs).ARM_r7
+# define SYSCALL_RET(_regs) (_regs).ARM_r0
#elif defined(__aarch64__)
-# define ARCH_REGS struct user_pt_regs
-# define SYSCALL_NUM regs[8]
-# define SYSCALL_RET regs[0]
+# define ARCH_REGS struct user_pt_regs
+# define SYSCALL_NUM(_regs) (_regs).regs[8]
+# define SYSCALL_RET(_regs) (_regs).regs[0]
#elif defined(__riscv) && __riscv_xlen == 64
-# define ARCH_REGS struct user_regs_struct
-# define SYSCALL_NUM a7
-# define SYSCALL_RET a0
+# define ARCH_REGS struct user_regs_struct
+# define SYSCALL_NUM(_regs) (_regs).a7
+# define SYSCALL_RET(_regs) (_regs).a0
#elif defined(__csky__)
-# define ARCH_REGS struct pt_regs
-#if defined(__CSKYABIV2__)
-# define SYSCALL_NUM regs[3]
-#else
-# define SYSCALL_NUM regs[9]
-#endif
-# define SYSCALL_RET a0
+# define ARCH_REGS struct pt_regs
+# if defined(__CSKYABIV2__)
+# define SYSCALL_NUM(_regs) (_regs).regs[3]
+# else
+# define SYSCALL_NUM(_regs) (_regs).regs[9]
+# endif
+# define SYSCALL_RET(_regs) (_regs).a0
#elif defined(__hppa__)
-# define ARCH_REGS struct user_regs_struct
-# define SYSCALL_NUM gr[20]
-# define SYSCALL_RET gr[28]
+# define ARCH_REGS struct user_regs_struct
+# define SYSCALL_NUM(_regs) (_regs).gr[20]
+# define SYSCALL_RET(_regs) (_regs).gr[28]
#elif defined(__powerpc__)
-# define ARCH_REGS struct pt_regs
-# define SYSCALL_NUM gpr[0]
-# define SYSCALL_RET gpr[3]
+# define ARCH_REGS struct pt_regs
+# define SYSCALL_NUM(_regs) (_regs).gpr[0]
+# define SYSCALL_RET(_regs) (_regs).gpr[3]
#elif defined(__s390__)
-# define ARCH_REGS s390_regs
-# define SYSCALL_NUM gprs[2]
-# define SYSCALL_RET gprs[2]
+# define ARCH_REGS s390_regs
+# define SYSCALL_NUM(_regs) (_regs).gprs[2]
+# define SYSCALL_RET(_regs) (_regs).gprs[2]
# define SYSCALL_NUM_RET_SHARE_REG
#elif defined(__mips__)
-# define ARCH_REGS struct pt_regs
-# define SYSCALL_NUM regs[2]
-# define SYSCALL_SYSCALL_NUM regs[4]
-# define SYSCALL_RET regs[2]
+# define ARCH_REGS struct pt_regs
+# define SYSCALL_NUM(_regs) (_regs).regs[2]
+# define SYSCALL_SYSCALL_NUM regs[4]
+# define SYSCALL_RET(_regs) (_regs).regs[2]
# define SYSCALL_NUM_RET_SHARE_REG
#elif defined(__xtensa__)
-# define ARCH_REGS struct user_pt_regs
-# define SYSCALL_NUM syscall
+# define ARCH_REGS struct user_pt_regs
+# define SYSCALL_NUM(_regs) (_regs).syscall
/*
* On xtensa syscall return value is in the register
* a2 of the current window which is not fixed.
*/
-#define SYSCALL_RET(reg) a[(reg).windowbase * 4 + 2]
+#define SYSCALL_RET(_regs) (_regs).a[(_regs).windowbase * 4 + 2]
#elif defined(__sh__)
-# define ARCH_REGS struct pt_regs
-# define SYSCALL_NUM gpr[3]
-# define SYSCALL_RET gpr[0]
+# define ARCH_REGS struct pt_regs
+# define SYSCALL_NUM(_regs) (_regs).gpr[3]
+# define SYSCALL_RET(_regs) (_regs).gpr[0]
#else
# error "Do not know how to find your architecture's registers and syscalls"
#endif
@@ -1804,10 +1804,10 @@ int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
#endif
#if defined(__mips__)
- if (regs.SYSCALL_NUM == __NR_O32_Linux)
+ if (SYSCALL_NUM(regs) == __NR_O32_Linux)
return regs.SYSCALL_SYSCALL_NUM;
#endif
- return regs.SYSCALL_NUM;
+ return SYSCALL_NUM(regs);
}
/* Architecture-specific syscall changing routine. */
@@ -1830,14 +1830,14 @@ void change_syscall(struct __test_metadata *_metadata,
defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
defined(__xtensa__) || defined(__csky__) || defined(__sh__)
{
- regs.SYSCALL_NUM = syscall;
+ SYSCALL_NUM(regs) = syscall;
}
#elif defined(__mips__)
{
- if (regs.SYSCALL_NUM == __NR_O32_Linux)
+ if (SYSCALL_NUM(regs) == __NR_O32_Linux)
regs.SYSCALL_SYSCALL_NUM = syscall;
else
- regs.SYSCALL_NUM = syscall;
+ SYSCALL_NUM(regs) = syscall;
}
#elif defined(__arm__)
@@ -1871,11 +1871,8 @@ void change_syscall(struct __test_metadata *_metadata,
if (syscall == -1)
#ifdef SYSCALL_NUM_RET_SHARE_REG
TH_LOG("Can't modify syscall return on this architecture");
-
-#elif defined(__xtensa__)
- regs.SYSCALL_RET(regs) = result;
#else
- regs.SYSCALL_RET = result;
+ SYSCALL_RET(regs) = result;
#endif
#ifdef HAVE_GETREGS
--
2.25.1
Remove the mips special-case in change_syscall().
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 1c83e743bfb1..02a9a6599746 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1742,6 +1742,13 @@ TEST_F(TRACE_poke, getpid_runs_normally)
# define ARCH_REGS struct pt_regs
# define SYSCALL_NUM(_regs) (_regs).regs[2]
# define SYSCALL_SYSCALL_NUM regs[4]
+# define SYSCALL_NUM_SET(_regs, _nr) \
+ do { \
+ if ((_regs).regs[2] == __NR_O32_Linux) \
+ (_regs).regs[4] = _nr; \
+ else \
+ (_regs).regs[2] = _nr; \
+ } while (0)
# define SYSCALL_RET(_regs) (_regs).regs[2]
# define SYSCALL_NUM_RET_SHARE_REG
#elif defined(__xtensa__)
@@ -1839,17 +1846,11 @@ void change_syscall(struct __test_metadata *_metadata,
#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
- defined(__xtensa__) || defined(__csky__) || defined(__sh__)
+ defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \
+ defined(__mips__)
{
SYSCALL_NUM_SET(regs, syscall);
}
-#elif defined(__mips__)
- {
- if (SYSCALL_NUM(regs) == __NR_O32_Linux)
- regs.SYSCALL_SYSCALL_NUM = syscall;
- else
- SYSCALL_NUM_SET(regs, syscall);
- }
#elif defined(__arm__)
# ifndef PTRACE_SET_SYSCALL
--
2.25.1
Consolidate the REGSET logic into the new ARCH_GETREG() and
ARCH_SETREG() macros, avoiding more #ifdef code in function bodies.
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 42 +++++++------------
1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index a986f2332327..d9346121b89b 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1828,26 +1828,29 @@ TEST_F(TRACE_poke, getpid_runs_normally)
#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
# define ARCH_GETREGS(_regs) ptrace(PTRACE_GETREGS, tracee, 0, &(_regs))
# define ARCH_SETREGS(_regs) ptrace(PTRACE_SETREGS, tracee, 0, &(_regs))
+#else
+# define ARCH_GETREGS(_regs) ({ \
+ struct iovec __v; \
+ __v.iov_base = &(_regs); \
+ __v.iov_len = sizeof(_regs); \
+ ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &__v); \
+ })
+# define ARCH_SETREGS(_regs) ({ \
+ struct iovec __v; \
+ __v.iov_base = &(_regs); \
+ __v.iov_len = sizeof(_regs); \
+ ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &__v); \
+ })
#endif
/* Architecture-specific syscall fetching routine. */
int get_syscall(struct __test_metadata *_metadata, pid_t tracee)
{
ARCH_REGS regs;
-#ifdef ARCH_GETREGS
- EXPECT_EQ(0, ARCH_GETREGS(regs)) {
- return -1;
- }
-#else
- struct iovec iov;
- iov.iov_base = ®s;
- iov.iov_len = sizeof(regs);
- EXPECT_EQ(0, ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov)) {
- TH_LOG("PTRACE_GETREGSET failed");
+ EXPECT_EQ(0, ARCH_GETREGS(regs)) {
return -1;
}
-#endif
return SYSCALL_NUM(regs);
}
@@ -1857,18 +1860,10 @@ void change_syscall(struct __test_metadata *_metadata,
pid_t tracee, int syscall, int result)
{
ARCH_REGS regs;
-#ifdef ARCH_GETREGS
+
EXPECT_EQ(0, ARCH_GETREGS(regs)) {
return;
}
-#else
- int ret;
- struct iovec iov;
- iov.iov_base = ®s;
- iov.iov_len = sizeof(regs);
- ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
- EXPECT_EQ(0, ret);
-#endif
SYSCALL_NUM_SET(regs, syscall);
@@ -1881,14 +1876,7 @@ void change_syscall(struct __test_metadata *_metadata,
#endif
/* Flush any register changes made. */
-#ifdef ARCH_SETREGS
EXPECT_EQ(0, ARCH_SETREGS(regs));
-#else
- iov.iov_base = ®s;
- iov.iov_len = sizeof(regs);
- ret = ptrace(PTRACE_SETREGSET, tracee, NT_PRSTATUS, &iov);
- EXPECT_EQ(0, ret);
-#endif
}
void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
--
2.25.1
As the UAPI headers start to appear in distros, we need to avoid
outdated versions of struct clone_args to be able to test modern
features. Additionally pull in the syscall numbers correctly.
Signed-off-by: Kees Cook <[email protected]>
---
I needed to fix this to get MIPS to build the seccomp selftests.
---
.../testing/selftests/clone3/clone3_selftests.h | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h b/tools/testing/selftests/clone3/clone3_selftests.h
index 91c1a78ddb39..bc0f34e37ae1 100644
--- a/tools/testing/selftests/clone3/clone3_selftests.h
+++ b/tools/testing/selftests/clone3/clone3_selftests.h
@@ -4,11 +4,19 @@
#define _CLONE3_SELFTESTS_H
#define _GNU_SOURCE
+
+/* Pull in syscall numbers. */
+#include <unistd.h>
+#include <sys/syscall.h>
+
+/* Avoid old OS versions of "struct clone_args". */
+#define clone_args old_clone_args
#include <sched.h>
#include <linux/sched.h>
+#undef clone_args
+
#include <linux/types.h>
#include <stdint.h>
-#include <syscall.h>
#include <sys/wait.h>
#include "../kselftest.h"
@@ -25,6 +33,7 @@
#ifndef __NR_clone3
#define __NR_clone3 -1
+#endif
struct clone_args {
__aligned_u64 flags;
__aligned_u64 pidfd;
@@ -34,13 +43,16 @@ struct clone_args {
__aligned_u64 stack;
__aligned_u64 stack_size;
__aligned_u64 tls;
+#ifndef CLONE_ARGS_SIZE_VER1
#define CLONE_ARGS_SIZE_VER1 80
+#endif
__aligned_u64 set_tid;
__aligned_u64 set_tid_size;
+#ifndef CLONE_ARGS_SIZE_VER2
#define CLONE_ARGS_SIZE_VER2 88
+#endif
__aligned_u64 cgroup;
};
-#endif /* __NR_clone3 */
static pid_t sys_clone3(struct clone_args *args, size_t size)
{
--
2.25.1
Remove the arm64 special-case in change_syscall().
Signed-off-by: Kees Cook <[email protected]>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 27 +++++++++----------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 610fc036e374..cfa606d96086 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1717,6 +1717,18 @@ TEST_F(TRACE_poke, getpid_runs_normally)
#elif defined(__aarch64__)
# define ARCH_REGS struct user_pt_regs
# define SYSCALL_NUM(_regs) (_regs).regs[8]
+# ifndef NT_ARM_SYSTEM_CALL
+# define NT_ARM_SYSTEM_CALL 0x404
+# endif
+# define SYSCALL_NUM_SET(_regs, _nr) \
+ do { \
+ struct iovec __v; \
+ typeof(_nr) __nr = (_nr); \
+ __v.iov_base = &__nr; \
+ __v.iov_len = sizeof(__nr); \
+ EXPECT_EQ(0, ptrace(PTRACE_SETREGSET, tracee, \
+ NT_ARM_SYSTEM_CALL, &__v)); \
+ } while (0)
# define SYSCALL_RET(_regs) (_regs).regs[0]
#elif defined(__riscv) && __riscv_xlen == 64
# define ARCH_REGS struct user_regs_struct
@@ -1852,23 +1864,10 @@ void change_syscall(struct __test_metadata *_metadata,
#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \
defined(__s390__) || defined(__hppa__) || defined(__riscv) || \
defined(__xtensa__) || defined(__csky__) || defined(__sh__) || \
- defined(__mips__) || defined(__arm__)
+ defined(__mips__) || defined(__arm__) || defined(__aarch64__)
{
SYSCALL_NUM_SET(regs, syscall);
}
-
-#elif defined(__aarch64__)
-# ifndef NT_ARM_SYSTEM_CALL
-# define NT_ARM_SYSTEM_CALL 0x404
-# endif
- {
- iov.iov_base = &syscall;
- iov.iov_len = sizeof(syscall);
- ret = ptrace(PTRACE_SETREGSET, tracee, NT_ARM_SYSTEM_CALL,
- &iov);
- EXPECT_EQ(0, ret);
- }
-
#else
ASSERT_EQ(1, 0) {
TH_LOG("How is the syscall changed on this architecture?");
--
2.25.1
Kees Cook <[email protected]> writes:
> On powerpc, the errno is not inverted, and depends on ccr.so being
> set. Add this to a powerpc definition of SYSCALL_RET_SET().
>
> Co-developed-by: Thadeu Lima de Souza Cascardo <[email protected]>
> Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
> Link: https://lore.kernel.org/linux-kselftest/[email protected]/
> Fixes: 5d83c2b37d43 ("selftests/seccomp: Add powerpc support")
> Signed-off-by: Kees Cook <[email protected]>
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
This looks right to me, and matches what strace does AFAICS.
Reviewed-by: Michael Ellerman <[email protected]>
cheers
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 623953a53032..bbab2420d708 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -1750,6 +1750,21 @@ TEST_F(TRACE_poke, getpid_runs_normally)
> # define ARCH_REGS struct pt_regs
> # define SYSCALL_NUM(_regs) (_regs).gpr[0]
> # define SYSCALL_RET(_regs) (_regs).gpr[3]
> +# define SYSCALL_RET_SET(_regs, _val) \
> + do { \
> + typeof(_val) _result = (_val); \
> + /* \
> + * A syscall error is signaled by CR0 SO bit \
> + * and the code is stored as a positive value. \
> + */ \
> + if (_result < 0) { \
> + SYSCALL_RET(_regs) = -result; \
> + (_regs).ccr |= 0x10000000; \
> + } else { \
> + SYSCALL_RET(_regs) = result; \
> + (_regs).ccr &= ~0x10000000; \
> + } \
> + } while (0)
> #elif defined(__s390__)
> # define ARCH_REGS s390_regs
> # define SYSCALL_NUM(_regs) (_regs).gprs[2]
> --
> 2.25.1
Kees Cook <[email protected]> writes:
> Some archs (like ppc) only support changing the return code during
> syscall exit when ptrace is used. As the syscall number might not
> be available anymore during syscall exit, it needs to be saved
> during syscall enter. Adjust the ptrace tests to do this.
I'm not that across all the fixture stuff, but if I'm reading it right
you're now calling change_syscall() on both entry and exit for all
arches.
That should work, but it no longer tests changing the return code on
entry on the arches that support it, which seems like a backward step?
cheers
> Reported-by: Thadeu Lima de Souza Cascardo <[email protected]>
> Suggested-by: Thadeu Lima de Souza Cascardo <[email protected]>
> Link: https://lore.kernel.org/linux-kselftest/[email protected]/
> Fixes: 58d0a862f573 ("seccomp: add tests for ptrace hole")
> Signed-off-by: Kees Cook <[email protected]>
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 34 +++++++++++--------
> 1 file changed, 20 insertions(+), 14 deletions(-)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index bbab2420d708..26c712c6a575 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -1949,12 +1949,19 @@ void tracer_seccomp(struct __test_metadata *_metadata, pid_t tracee,
>
> }
>
> +FIXTURE(TRACE_syscall) {
> + struct sock_fprog prog;
> + pid_t tracer, mytid, mypid, parent;
> + long syscall_nr;
> +};
> +
> void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
> int status, void *args)
> {
> - int ret, nr;
> + int ret;
> unsigned long msg;
> static bool entry;
> + FIXTURE_DATA(TRACE_syscall) *self = args;
>
> /*
> * The traditional way to tell PTRACE_SYSCALL entry/exit
> @@ -1968,24 +1975,23 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee,
> EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY
> : PTRACE_EVENTMSG_SYSCALL_EXIT, msg);
>
> - if (!entry)
> - return;
> -
> - nr = get_syscall(_metadata, tracee);
> + /*
> + * Some architectures only support setting return values during
> + * syscall exit under ptrace, and on exit the syscall number may
> + * no longer be available. Therefore, save it here, and call
> + * "change syscall and set return values" on both entry and exit.
> + */
> + if (entry)
> + self->syscall_nr = get_syscall(_metadata, tracee);
>
> - if (nr == __NR_getpid)
> + if (self->syscall_nr == __NR_getpid)
> change_syscall(_metadata, tracee, __NR_getppid, 0);
> - if (nr == __NR_gettid)
> + if (self->syscall_nr == __NR_gettid)
> change_syscall(_metadata, tracee, -1, 45000);
> - if (nr == __NR_openat)
> + if (self->syscall_nr == __NR_openat)
> change_syscall(_metadata, tracee, -1, -ESRCH);
> }
>
> -FIXTURE(TRACE_syscall) {
> - struct sock_fprog prog;
> - pid_t tracer, mytid, mypid, parent;
> -};
> -
> FIXTURE_VARIANT(TRACE_syscall) {
> /*
> * All of the SECCOMP_RET_TRACE behaviors can be tested with either
> @@ -2044,7 +2050,7 @@ FIXTURE_SETUP(TRACE_syscall)
> self->tracer = setup_trace_fixture(_metadata,
> variant->use_ptrace ? tracer_ptrace
> : tracer_seccomp,
> - NULL, variant->use_ptrace);
> + self, variant->use_ptrace);
>
> ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
> ASSERT_EQ(0, ret);
> --
> 2.25.1
Kees Cook <[email protected]> writes:
> Hi,
>
> This refactors the seccomp selftest macros used in change_syscall(),
> in an effort to remove special cases for mips, arm, arm64, and xtensa,
> which paves the way for powerpc fixes.
>
> I'm not entirely done testing, but all-arch build tests and x86_64
> selftests pass. I'll be doing arm, arm64, and i386 selftests shortly,
> but I currently don't have an easy way to check xtensa, mips, nor
> powerpc. Any help there would be appreciated!
The series builds fine for me, and all the tests pass (see below).
Thanks for picking up those changes to deal with powerpc being oddball.
Tested-by: Michael Ellerman <[email protected]> (powerpc)
cheers
./seccomp_bpf
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 43 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 44 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 43 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 44 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
# OK global.user_notification_continue
ok 45 global.user_notification_continue
# RUN global.user_notification_filter_empty ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 43 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 44 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
# OK global.user_notification_continue
ok 45 global.user_notification_continue
# RUN global.user_notification_filter_empty ...
# OK global.user_notification_filter_empty
ok 46 global.user_notification_filter_empty
# RUN global.user_notification_filter_empty_threaded ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 43 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 44 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
# OK global.user_notification_continue
ok 45 global.user_notification_continue
# RUN global.user_notification_filter_empty ...
# OK global.user_notification_filter_empty
ok 46 global.user_notification_filter_empty
# RUN global.user_notification_filter_empty_threaded ...
# OK global.user_notification_filter_empty_threaded
ok 47 global.user_notification_filter_empty_threaded
# RUN global.user_notification_addfd ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 43 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 44 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
# OK global.user_notification_continue
ok 45 global.user_notification_continue
# RUN global.user_notification_filter_empty ...
# OK global.user_notification_filter_empty
ok 46 global.user_notification_filter_empty
# RUN global.user_notification_filter_empty_threaded ...
# OK global.user_notification_filter_empty_threaded
ok 47 global.user_notification_filter_empty_threaded
# RUN global.user_notification_addfd ...
# OK global.user_notification_addfd
ok 48 global.user_notification_addfd
# RUN global.user_notification_addfd_rlimit ...
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN global.kcmp ...
# OK global.kcmp
ok 1 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 2 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 3 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 4 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 5 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 6 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 7 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 8 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 9 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 10 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 11 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 12 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 13 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 14 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 15 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 16 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 17 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 18 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 19 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 20 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 21 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 22 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 23 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 24 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 25 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 26 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 27 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 28 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 29 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 30 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 31 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 32 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 33 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 34 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 35 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 36 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 37 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 38 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 39 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 40 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 41 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 42 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 43 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 44 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
# OK global.user_notification_continue
ok 45 global.user_notification_continue
# RUN global.user_notification_filter_empty ...
# OK global.user_notification_filter_empty
ok 46 global.user_notification_filter_empty
# RUN global.user_notification_filter_empty_threaded ...
# OK global.user_notification_filter_empty_threaded
ok 47 global.user_notification_filter_empty_threaded
# RUN global.user_notification_addfd ...
# OK global.user_notification_addfd
ok 48 global.user_notification_addfd
# RUN global.user_notification_addfd_rlimit ...
# OK global.user_notification_addfd_rlimit
ok 49 global.user_notification_addfd_rlimit
# RUN TRAP.dfl ...
# OK TRAP.dfl
ok 50 TRAP.dfl
# RUN TRAP.ign ...
# OK TRAP.ign
ok 51 TRAP.ign
# RUN TRAP.handler ...
# OK TRAP.handler
ok 52 TRAP.handler
# RUN precedence.allow_ok ...
# OK precedence.allow_ok
ok 53 precedence.allow_ok
# RUN precedence.kill_is_highest ...
# OK precedence.kill_is_highest
ok 54 precedence.kill_is_highest
# RUN precedence.kill_is_highest_in_any_order ...
# OK precedence.kill_is_highest_in_any_order
ok 55 precedence.kill_is_highest_in_any_order
# RUN precedence.trap_is_second ...
# OK precedence.trap_is_second
ok 56 precedence.trap_is_second
# RUN precedence.trap_is_second_in_any_order ...
# OK precedence.trap_is_second_in_any_order
ok 57 precedence.trap_is_second_in_any_order
# RUN precedence.errno_is_third ...
# OK precedence.errno_is_third
ok 58 precedence.errno_is_third
# RUN precedence.errno_is_third_in_any_order ...
# OK precedence.errno_is_third_in_any_order
ok 59 precedence.errno_is_third_in_any_order
# RUN precedence.trace_is_fourth ...
# OK precedence.trace_is_fourth
ok 60 precedence.trace_is_fourth
# RUN precedence.trace_is_fourth_in_any_order ...
# OK precedence.trace_is_fourth_in_any_order
ok 61 precedence.trace_is_fourth_in_any_order
# RUN precedence.log_is_fifth ...
# OK precedence.log_is_fifth
ok 62 precedence.log_is_fifth
# RUN precedence.log_is_fifth_in_any_order ...
# OK precedence.log_is_fifth_in_any_order
ok 63 precedence.log_is_fifth_in_any_order
# RUN TRACE_poke.read_has_side_effects ...
# OK TRACE_poke.read_has_side_effects
ok 64 TRACE_poke.read_has_side_effects
# RUN TRACE_poke.getpid_runs_normally ...
# OK TRACE_poke.getpid_runs_normally
ok 65 TRACE_poke.getpid_runs_normally
# RUN TRACE_syscall.ptrace.negative_ENOSYS ...
# OK TRACE_syscall.ptrace.negative_ENOSYS
ok 66 TRACE_syscall.ptrace.negative_ENOSYS
# RUN TRACE_syscall.ptrace.syscall_allowed ...
# OK TRACE_syscall.ptrace.syscall_allowed
ok 67 TRACE_syscall.ptrace.syscall_allowed
# RUN TRACE_syscall.ptrace.syscall_redirected ...
# OK TRACE_syscall.ptrace.syscall_redirected
ok 68 TRACE_syscall.ptrace.syscall_redirected
# RUN TRACE_syscall.ptrace.syscall_errno ...
# OK TRACE_syscall.ptrace.syscall_errno
ok 69 TRACE_syscall.ptrace.syscall_errno
# RUN TRACE_syscall.ptrace.syscall_faked ...
# OK TRACE_syscall.ptrace.syscall_faked
ok 70 TRACE_syscall.ptrace.syscall_faked
# RUN TRACE_syscall.ptrace.skip_after ...
# OK TRACE_syscall.ptrace.skip_after
ok 71 TRACE_syscall.ptrace.skip_after
# RUN TRACE_syscall.ptrace.kill_after ...
# OK TRACE_syscall.ptrace.kill_after
ok 72 TRACE_syscall.ptrace.kill_after
# RUN TRACE_syscall.seccomp.negative_ENOSYS ...
# OK TRACE_syscall.seccomp.negative_ENOSYS
ok 73 TRACE_syscall.seccomp.negative_ENOSYS
# RUN TRACE_syscall.seccomp.syscall_allowed ...
# OK TRACE_syscall.seccomp.syscall_allowed
ok 74 TRACE_syscall.seccomp.syscall_allowed
# RUN TRACE_syscall.seccomp.syscall_redirected ...
# OK TRACE_syscall.seccomp.syscall_redirected
ok 75 TRACE_syscall.seccomp.syscall_redirected
# RUN TRACE_syscall.seccomp.syscall_errno ...
# OK TRACE_syscall.seccomp.syscall_errno
ok 76 TRACE_syscall.seccomp.syscall_errno
# RUN TRACE_syscall.seccomp.syscall_faked ...
# OK TRACE_syscall.seccomp.syscall_faked
ok 77 TRACE_syscall.seccomp.syscall_faked
# RUN TRACE_syscall.seccomp.skip_after ...
# OK TRACE_syscall.seccomp.skip_after
ok 78 TRACE_syscall.seccomp.skip_after
# RUN TRACE_syscall.seccomp.kill_after ...
# OK TRACE_syscall.seccomp.kill_after
ok 79 TRACE_syscall.seccomp.kill_after
# RUN TSYNC.siblings_fail_prctl ...
# OK TSYNC.siblings_fail_prctl
ok 80 TSYNC.siblings_fail_prctl
# RUN TSYNC.two_siblings_with_ancestor ...
# OK TSYNC.two_siblings_with_ancestor
ok 81 TSYNC.two_siblings_with_ancestor
# RUN TSYNC.two_sibling_want_nnp ...
# OK TSYNC.two_sibling_want_nnp
ok 82 TSYNC.two_sibling_want_nnp
# RUN TSYNC.two_siblings_with_no_filter ...
# OK TSYNC.two_siblings_with_no_filter
ok 83 TSYNC.two_siblings_with_no_filter
# RUN TSYNC.two_siblings_with_one_divergence ...
# OK TSYNC.two_siblings_with_one_divergence
ok 84 TSYNC.two_siblings_with_one_divergence
# RUN TSYNC.two_siblings_with_one_divergence_no_tid_in_err ...
# OK TSYNC.two_siblings_with_one_divergence_no_tid_in_err
ok 85 TSYNC.two_siblings_with_one_divergence_no_tid_in_err
# RUN TSYNC.two_siblings_not_under_filter ...
# OK TSYNC.two_siblings_not_under_filter
ok 86 TSYNC.two_siblings_not_under_filter
# PASSED: 86 / 86 tests passed.
# Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
On Mon, Sep 14, 2020 at 03:47:13PM +1000, Michael Ellerman wrote:
> Kees Cook <[email protected]> writes:
> > Some archs (like ppc) only support changing the return code during
> > syscall exit when ptrace is used. As the syscall number might not
> > be available anymore during syscall exit, it needs to be saved
> > during syscall enter. Adjust the ptrace tests to do this.
>
> I'm not that across all the fixture stuff, but if I'm reading it right
> you're now calling change_syscall() on both entry and exit for all
> arches.
Correct.
> That should work, but it no longer tests changing the return code on
> entry on the arches that support it, which seems like a backward step?
That's a good point. I wouldn't be in a position to notice a regression
for the other architectures. I will refactor this one...
--
Kees Cook
On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote:
> Kees Cook <[email protected]> writes:
> > Hi,
> >
> > This refactors the seccomp selftest macros used in change_syscall(),
> > in an effort to remove special cases for mips, arm, arm64, and xtensa,
> > which paves the way for powerpc fixes.
> >
> > I'm not entirely done testing, but all-arch build tests and x86_64
> > selftests pass. I'll be doing arm, arm64, and i386 selftests shortly,
> > but I currently don't have an easy way to check xtensa, mips, nor
> > powerpc. Any help there would be appreciated!
>
> The series builds fine for me, and all the tests pass (see below).
>
> Thanks for picking up those changes to deal with powerpc being oddball.
>
> Tested-by: Michael Ellerman <[email protected]> (powerpc)
Awesome; thanks!
However...
>
> cheers
>
>
> ./seccomp_bpf
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> # RUN global.kcmp ...
> # OK global.kcmp
> ok 1 global.kcmp
> [...]
> # RUN global.KILL_thread ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
Was this a mis-paste, or has something very very bad happened here in
global.KILL_one_arg_six finishes?
> # RUN global.kcmp ...
> # OK global.kcmp
> ok 1 global.kcmp
> [...]
> # RUN global.user_notification_basic ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_basic ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_signal ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_closed_listener ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_child_pid_ns ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_sibling_pid_ns ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_sibling_pid_ns ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_sibling_pid_ns ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_fault_recv ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_continue ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_filter_empty ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_filter_empty_threaded ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_addfd ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # RUN global.user_notification_addfd_rlimit ...
> TAP version 13
> 1..86
> # Starting 86 tests from 7 test cases.
> [...]
> # PASSED: 86 / 86 tests passed.
> # Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
And after every user_notification test? O_O
--
Kees Cook
Hello,
On Sat, Sep 12, 2020 at 4:08 AM Kees Cook <[email protected]> wrote:
> This refactors the seccomp selftest macros used in change_syscall(),
> in an effort to remove special cases for mips, arm, arm64, and xtensa,
> which paves the way for powerpc fixes.
>
> I'm not entirely done testing, but all-arch build tests and x86_64
> selftests pass. I'll be doing arm, arm64, and i386 selftests shortly,
> but I currently don't have an easy way to check xtensa, mips, nor
> powerpc. Any help there would be appreciated!
I've built and tested this series on xtensa. I had to disable two tests:
user_notification_addfd and user_notification_addfd_rlimit because
they use memfd_create and prlimit which are not available in uClibc.
With this change I've got all 86 tests passing with the following log:
./seccomp_bpf
TAP version 13
1..86
# Starting 86 tests from 7 test cases.
# RUN TRAP.dfl ...
# OK TRAP.dfl
ok 1 TRAP.dfl
# RUN TRAP.ign ...
# OK TRAP.ign
ok 2 TRAP.ign
# RUN TRAP.handler ...
# OK TRAP.handler
ok 3 TRAP.handler
# RUN precedence.allow_ok ...
# OK precedence.allow_ok
ok 4 precedence.allow_ok
# RUN precedence.kill_is_highest ...
# OK precedence.kill_is_highest
ok 5 precedence.kill_is_highest
# RUN precedence.kill_is_highest_in_any_order ...
# OK precedence.kill_is_highest_in_any_order
ok 6 precedence.kill_is_highest_in_any_order
# RUN precedence.trap_is_second ...
# OK precedence.trap_is_second
ok 7 precedence.trap_is_second
# RUN precedence.trap_is_second_in_any_order ...
# OK precedence.trap_is_second_in_any_order
ok 8 precedence.trap_is_second_in_any_order
# RUN precedence.errno_is_third ...
# OK precedence.errno_is_third
ok 9 precedence.errno_is_third
# RUN precedence.errno_is_third_in_any_order ...
# OK precedence.errno_is_third_in_any_order
ok 10 precedence.errno_is_third_in_any_order
# RUN precedence.trace_is_fourth ...
# OK precedence.trace_is_fourth
ok 11 precedence.trace_is_fourth
# RUN precedence.trace_is_fourth_in_any_order ...
# OK precedence.trace_is_fourth_in_any_order
ok 12 precedence.trace_is_fourth_in_any_order
# RUN precedence.log_is_fifth ...
# OK precedence.log_is_fifth
ok 13 precedence.log_is_fifth
# RUN precedence.log_is_fifth_in_any_order ...
# OK precedence.log_is_fifth_in_any_order
ok 14 precedence.log_is_fifth_in_any_order
# RUN TRACE_poke.read_has_side_effects ...
# OK TRACE_poke.read_has_side_effects
ok 15 TRACE_poke.read_has_side_effects
# RUN TRACE_poke.getpid_runs_normally ...
# OK TRACE_poke.getpid_runs_normally
ok 16 TRACE_poke.getpid_runs_normally
# RUN TRACE_syscall.ptrace.negative_ENOSYS ...
# OK TRACE_syscall.ptrace.negative_ENOSYS
ok 17 TRACE_syscall.ptrace.negative_ENOSYS
# RUN TRACE_syscall.ptrace.syscall_allowed ...
# OK TRACE_syscall.ptrace.syscall_allowed
ok 18 TRACE_syscall.ptrace.syscall_allowed
# RUN TRACE_syscall.ptrace.syscall_redirected ...
# OK TRACE_syscall.ptrace.syscall_redirected
ok 19 TRACE_syscall.ptrace.syscall_redirected
# RUN TRACE_syscall.ptrace.syscall_errno ...
# OK TRACE_syscall.ptrace.syscall_errno
ok 20 TRACE_syscall.ptrace.syscall_errno
# RUN TRACE_syscall.ptrace.syscall_faked ...
# OK TRACE_syscall.ptrace.syscall_faked
ok 21 TRACE_syscall.ptrace.syscall_faked
# RUN TRACE_syscall.ptrace.skip_after ...
# OK TRACE_syscall.ptrace.skip_after
ok 22 TRACE_syscall.ptrace.skip_after
# RUN TRACE_syscall.ptrace.kill_after ...
# OK TRACE_syscall.ptrace.kill_after
ok 23 TRACE_syscall.ptrace.kill_after
# RUN TRACE_syscall.seccomp.negative_ENOSYS ...
# OK TRACE_syscall.seccomp.negative_ENOSYS
ok 24 TRACE_syscall.seccomp.negative_ENOSYS
# RUN TRACE_syscall.seccomp.syscall_allowed ...
# OK TRACE_syscall.seccomp.syscall_allowed
ok 25 TRACE_syscall.seccomp.syscall_allowed
# RUN TRACE_syscall.seccomp.syscall_redirected ...
# OK TRACE_syscall.seccomp.syscall_redirected
ok 26 TRACE_syscall.seccomp.syscall_redirected
# RUN TRACE_syscall.seccomp.syscall_errno ...
# OK TRACE_syscall.seccomp.syscall_errno
ok 27 TRACE_syscall.seccomp.syscall_errno
# RUN TRACE_syscall.seccomp.syscall_faked ...
# OK TRACE_syscall.seccomp.syscall_faked
ok 28 TRACE_syscall.seccomp.syscall_faked
# RUN TRACE_syscall.seccomp.skip_after ...
# OK TRACE_syscall.seccomp.skip_after
ok 29 TRACE_syscall.seccomp.skip_after
# RUN TRACE_syscall.seccomp.kill_after ...
# OK TRACE_syscall.seccomp.kill_after
ok 30 TRACE_syscall.seccomp.kill_after
# RUN TSYNC.siblings_fail_prctl ...
# OK TSYNC.siblings_fail_prctl
ok 31 TSYNC.siblings_fail_prctl
# RUN TSYNC.two_siblings_with_ancestor ...
# OK TSYNC.two_siblings_with_ancestor
ok 32 TSYNC.two_siblings_with_ancestor
# RUN TSYNC.two_sibling_want_nnp ...
# OK TSYNC.two_sibling_want_nnp
ok 33 TSYNC.two_sibling_want_nnp
# RUN TSYNC.two_siblings_with_no_filter ...
# OK TSYNC.two_siblings_with_no_filter
ok 34 TSYNC.two_siblings_with_no_filter
# RUN TSYNC.two_siblings_with_one_divergence ...
# OK TSYNC.two_siblings_with_one_divergence
ok 35 TSYNC.two_siblings_with_one_divergence
# RUN TSYNC.two_siblings_with_one_divergence_no_tid_in_err ...
# OK TSYNC.two_siblings_with_one_divergence_no_tid_in_err
ok 36 TSYNC.two_siblings_with_one_divergence_no_tid_in_err
# RUN TSYNC.two_siblings_not_under_filter ...
# OK TSYNC.two_siblings_not_under_filter
ok 37 TSYNC.two_siblings_not_under_filter
# RUN global.kcmp ...
# OK global.kcmp
ok 38 global.kcmp
# RUN global.mode_strict_support ...
# OK global.mode_strict_support
ok 39 global.mode_strict_support
# RUN global.mode_strict_cannot_call_prctl ...
# OK global.mode_strict_cannot_call_prctl
ok 40 global.mode_strict_cannot_call_prctl
# RUN global.no_new_privs_support ...
# OK global.no_new_privs_support
ok 41 global.no_new_privs_support
# RUN global.mode_filter_support ...
# OK global.mode_filter_support
ok 42 global.mode_filter_support
# RUN global.mode_filter_without_nnp ...
# OK global.mode_filter_without_nnp
ok 43 global.mode_filter_without_nnp
# RUN global.filter_size_limits ...
# OK global.filter_size_limits
ok 44 global.filter_size_limits
# RUN global.filter_chain_limits ...
# OK global.filter_chain_limits
ok 45 global.filter_chain_limits
# RUN global.mode_filter_cannot_move_to_strict ...
# OK global.mode_filter_cannot_move_to_strict
ok 46 global.mode_filter_cannot_move_to_strict
# RUN global.mode_filter_get_seccomp ...
# OK global.mode_filter_get_seccomp
ok 47 global.mode_filter_get_seccomp
# RUN global.ALLOW_all ...
# OK global.ALLOW_all
ok 48 global.ALLOW_all
# RUN global.empty_prog ...
# OK global.empty_prog
ok 49 global.empty_prog
# RUN global.log_all ...
# OK global.log_all
ok 50 global.log_all
# RUN global.unknown_ret_is_kill_inside ...
# OK global.unknown_ret_is_kill_inside
ok 51 global.unknown_ret_is_kill_inside
# RUN global.unknown_ret_is_kill_above_allow ...
# OK global.unknown_ret_is_kill_above_allow
ok 52 global.unknown_ret_is_kill_above_allow
# RUN global.KILL_all ...
# OK global.KILL_all
ok 53 global.KILL_all
# RUN global.KILL_one ...
# OK global.KILL_one
ok 54 global.KILL_one
# RUN global.KILL_one_arg_one ...
# OK global.KILL_one_arg_one
ok 55 global.KILL_one_arg_one
# RUN global.KILL_one_arg_six ...
# OK global.KILL_one_arg_six
ok 56 global.KILL_one_arg_six
# RUN global.KILL_thread ...
# OK global.KILL_thread
ok 57 global.KILL_thread
# RUN global.KILL_process ...
# OK global.KILL_process
ok 58 global.KILL_process
# RUN global.arg_out_of_range ...
# OK global.arg_out_of_range
ok 59 global.arg_out_of_range
# RUN global.ERRNO_valid ...
# OK global.ERRNO_valid
ok 60 global.ERRNO_valid
# RUN global.ERRNO_zero ...
# OK global.ERRNO_zero
ok 61 global.ERRNO_zero
# RUN global.ERRNO_capped ...
# OK global.ERRNO_capped
ok 62 global.ERRNO_capped
# RUN global.ERRNO_order ...
# OK global.ERRNO_order
ok 63 global.ERRNO_order
# RUN global.negative_ENOSYS ...
# OK global.negative_ENOSYS
ok 64 global.negative_ENOSYS
# RUN global.seccomp_syscall ...
# OK global.seccomp_syscall
ok 65 global.seccomp_syscall
# RUN global.seccomp_syscall_mode_lock ...
# OK global.seccomp_syscall_mode_lock
ok 66 global.seccomp_syscall_mode_lock
# RUN global.detect_seccomp_filter_flags ...
# OK global.detect_seccomp_filter_flags
ok 67 global.detect_seccomp_filter_flags
# RUN global.TSYNC_first ...
# OK global.TSYNC_first
ok 68 global.TSYNC_first
# RUN global.syscall_restart ...
# OK global.syscall_restart
ok 69 global.syscall_restart
# RUN global.filter_flag_log ...
# OK global.filter_flag_log
ok 70 global.filter_flag_log
# RUN global.get_action_avail ...
# OK global.get_action_avail
ok 71 global.get_action_avail
# RUN global.get_metadata ...
# OK global.get_metadata
ok 72 global.get_metadata
# RUN global.user_notification_basic ...
# OK global.user_notification_basic
ok 73 global.user_notification_basic
# RUN global.user_notification_with_tsync ...
# OK global.user_notification_with_tsync
ok 74 global.user_notification_with_tsync
# RUN global.user_notification_kill_in_middle ...
# OK global.user_notification_kill_in_middle
ok 75 global.user_notification_kill_in_middle
# RUN global.user_notification_signal ...
# OK global.user_notification_signal
ok 76 global.user_notification_signal
# RUN global.user_notification_closed_listener ...
# OK global.user_notification_closed_listener
ok 77 global.user_notification_closed_listener
# RUN global.user_notification_child_pid_ns ...
# OK global.user_notification_child_pid_ns
ok 78 global.user_notification_child_pid_ns
# RUN global.user_notification_sibling_pid_ns ...
# OK global.user_notification_sibling_pid_ns
ok 79 global.user_notification_sibling_pid_ns
# RUN global.user_notification_fault_recv ...
# OK global.user_notification_fault_recv
ok 80 global.user_notification_fault_recv
# RUN global.seccomp_get_notif_sizes ...
# OK global.seccomp_get_notif_sizes
ok 81 global.seccomp_get_notif_sizes
# RUN global.user_notification_continue ...
# OK global.user_notification_continue
ok 82 global.user_notification_continue
# RUN global.user_notification_filter_empty ...
# OK global.user_notification_filter_empty
ok 83 global.user_notification_filter_empty
# RUN global.user_notification_filter_empty_threaded ...
# OK global.user_notification_filter_empty_threaded
ok 84 global.user_notification_filter_empty_threaded
# RUN global.user_notification_addfd ...
# OK global.user_notification_addfd
ok 85 global.user_notification_addfd
# RUN global.user_notification_addfd_rlimit ...
# OK global.user_notification_addfd_rlimit
ok 86 global.user_notification_addfd_rlimit
# PASSED: 86 / 86 tests passed.
# Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
--
Thanks.
-- Max
On Mon, Sep 14, 2020 at 1:32 PM Kees Cook <[email protected]> wrote:
> On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote:
> > Kees Cook <[email protected]> writes:
> However...
>
> >
> > cheers
> >
> >
> > ./seccomp_bpf
> > TAP version 13
> > 1..86
> > # Starting 86 tests from 7 test cases.
> > # RUN global.kcmp ...
> > # OK global.kcmp
> > ok 1 global.kcmp
> > [...]
> > # RUN global.KILL_thread ...
> > TAP version 13
> > 1..86
> > # Starting 86 tests from 7 test cases.
>
> Was this a mis-paste, or has something very very bad happened here in
> global.KILL_one_arg_six finishes?
I observe similar output corruption on xtensa when I redirect test output
into a file or pipe it to 'cat'. When it goes to the terminal it looks normal.
--
Thanks.
-- Max
Kees Cook <[email protected]> writes:
> On Mon, Sep 14, 2020 at 10:15:18PM +1000, Michael Ellerman wrote:
>> Kees Cook <[email protected]> writes:
>> > Hi,
>> >
>> > This refactors the seccomp selftest macros used in change_syscall(),
>> > in an effort to remove special cases for mips, arm, arm64, and xtensa,
>> > which paves the way for powerpc fixes.
>> >
>> > I'm not entirely done testing, but all-arch build tests and x86_64
>> > selftests pass. I'll be doing arm, arm64, and i386 selftests shortly,
>> > but I currently don't have an easy way to check xtensa, mips, nor
>> > powerpc. Any help there would be appreciated!
>>
>> The series builds fine for me, and all the tests pass (see below).
>>
>> Thanks for picking up those changes to deal with powerpc being oddball.
>>
>> Tested-by: Michael Ellerman <[email protected]> (powerpc)
>
> Awesome; thanks!
>
> However...
>
>> ./seccomp_bpf
>> TAP version 13
>> 1..86
>> # Starting 86 tests from 7 test cases.
>> # RUN global.kcmp ...
>> # OK global.kcmp
>> ok 1 global.kcmp
>> [...]
>> # RUN global.KILL_thread ...
>> TAP version 13
>> 1..86
>> # Starting 86 tests from 7 test cases.
>
> Was this a mis-paste, or has something very very bad happened here in
> global.KILL_one_arg_six finishes?
>
...
>> TAP version 13
>> 1..86
>> # Starting 86 tests from 7 test cases.
>> [...]
>> # PASSED: 86 / 86 tests passed.
>> # Totals: pass:86 fail:0 xfail:0 xpass:0 skip:0 error:0
>
> And after every user_notification test? O_O
Haha, I thought that was normal :)
It's because of redirection, I run the tests with:
find . -executable -type f -print -execdir '{}' ';' | tee test.log
If I just run it directly on the terminal everything is normal.
It'll be fork() vs libc buffering.
I can fix it with:
$ stdbuf -oL ./seccomp_bpf | tee test.log
Or the patch below.
I can send a proper patch for that tomorrow, I don't know that harness
code, but I think that's the right fix.
cheers
diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
index 4f78e4805633..b1bd00ff3d94 100644
--- a/tools/testing/selftests/kselftest_harness.h
+++ b/tools/testing/selftests/kselftest_harness.h
@@ -971,6 +971,7 @@ void __run_test(struct __fixture_metadata *f,
ksft_print_msg(" RUN %s%s%s.%s ...\n",
f->name, variant->name[0] ? "." : "", variant->name, t->name);
+ fflush(stdout);
t->pid = fork();
if (t->pid < 0) {
ksft_print_msg("ERROR SPAWNING TEST CHILD\n");
On Sat, Sep 12, 2020 at 04:08:10AM -0700, Kees Cook wrote:
> Remove the arm64 special-case in change_syscall().
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
We're using iovecs in ptrace()??
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:16AM -0700, Kees Cook wrote:
> Instead of special-casing the specific case of shared registers, create
> a default SYSCALL_RET_SET() macro (mirroring SYSCALL_NUM_SET()), that
> writes to the SYSCALL_RET register. For architectures that can't set the
> return value (for whatever reason), they can define SYSCALL_RET_SET()
> without an associated SYSCALL_RET() macro. This also paves the way for
> architectures that need to do special things to set the return value
> (e.g. powerpc).
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:13AM -0700, Kees Cook wrote:
> Instead of special-casing the get/set-registers routines, move the
> HAVE_GETREG logic into the new ARCH_GETREG() and ARCH_SETREG() macros.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:11AM -0700, Kees Cook wrote:
> Instead of having the mips O32 macro special-cased, pull the logic into
> the SYSCALL_NUM() macro. Additionally include the ABI headers, since
> these appear to have been missing, leaving __NR_O32_Linux undefined.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:19AM -0700, Kees Cook wrote:
> As the UAPI headers start to appear in distros, we need to avoid
> outdated versions of struct clone_args to be able to test modern
> features. Additionally pull in the syscall numbers correctly.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Hm, with this patch applied I'm getting:
gcc -g -I../../../../usr/include/ clone3_set_tid.c /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest_harness.h /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest.h -lcap -o /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid
In file included from clone3_set_tid.c:24:
clone3_selftests.h:37:8: error: redefinition of ‘struct clone_args’
37 | struct clone_args {
| ^~~~~~~~~~
In file included from clone3_set_tid.c:12:
/usr/include/linux/sched.h:92:8: note: originally defined here
92 | struct clone_args {
| ^~~~~~~~~~
make: *** [../lib.mk:140: /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid] Error 1
One trick to avoid this could be:
#ifndef CLONE_ARGS_SIZE_VER0
#define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */
#endif
#ifndef CLONE_ARGS_SIZE_VER1
#define CLONE_ARGS_SIZE_VER1 80 /* sizeof second published struct */
#endif
#ifndef CLONE_ARGS_SIZE_VER2
#define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */
#endif
struct __clone_args {
__aligned_u64 flags;
__aligned_u64 pidfd;
__aligned_u64 child_tid;
__aligned_u64 parent_tid;
__aligned_u64 exit_signal;
__aligned_u64 stack;
__aligned_u64 stack_size;
__aligned_u64 tls;
__aligned_u64 set_tid;
__aligned_u64 set_tid_size;
__aligned_u64 cgroup;
};
static pid_t sys_clone3(struct __clone_args *args, size_t size)
{
return syscall(__NR_clone3, args, size);
}
Christian
On Sat, Sep 12, 2020 at 04:08:14AM -0700, Kees Cook wrote:
> Consolidate the REGSET logic into the new ARCH_GETREG() and
> ARCH_SETREG() macros, avoiding more #ifdef code in function bodies.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:12AM -0700, Kees Cook wrote:
> With all architectures now using the common SYSCALL_NUM_SET() macro, the
> arch-specific #ifdef can be removed from change_syscall() itself.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:15AM -0700, Kees Cook wrote:
> When none of the registers have changed, don't flush them back. This can
> happen if the architecture uses a non-register way to change the syscall
> (e.g. arm64) , and a return value hasn't been written.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:20AM -0700, Kees Cook wrote:
> The __NR_mknod syscall doesn't exist on arm64 (only __NR_mknodat).
> Switch to the modern syscall.
>
> Fixes: ad5682184a81 ("selftests/seccomp: Check for EPOLLHUP for user_notif")
> Signed-off-by: Kees Cook <[email protected]>
> ---
Thanks! Looks good.
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:09AM -0700, Kees Cook wrote:
> Remove the arm special-case in change_syscall().
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:08AM -0700, Kees Cook wrote:
> Remove the mips special-case in change_syscall().
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 1c83e743bfb1..02a9a6599746 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -1742,6 +1742,13 @@ TEST_F(TRACE_poke, getpid_runs_normally)
> # define ARCH_REGS struct pt_regs
> # define SYSCALL_NUM(_regs) (_regs).regs[2]
> # define SYSCALL_SYSCALL_NUM regs[4]
> +# define SYSCALL_NUM_SET(_regs, _nr) \
> + do { \
> + if ((_regs).regs[2] == __NR_O32_Linux) \
> + (_regs).regs[4] = _nr; \
> + else \
> + (_regs).regs[2] = _nr; \
> + } while (0)
I think that
# define SYSCALL_NUM_SET(_regs, _nr) \
do { \
if (SYSCALL_NUM(_regs) == __NR_O32_Linux) \
(_regs).regs[4] = _nr; \
else \
(_regs).regs[2] = _nr; \
} while (0)
would read better but that's just a matter of taste. :)
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:07AM -0700, Kees Cook wrote:
> In order to avoid "#ifdef"s in the main function bodies, create a new
> macro, SYSCALL_NUM_SET(), where arch-specific logic can live.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
SYSCALL_SWITCH(_regs, nr)?
But looks good either way!
Acked-by: Christian Brauner <[email protected]>
On Sat, Sep 12, 2020 at 04:08:06AM -0700, Kees Cook wrote:
> To avoid an xtensa special-case, refactor all arch register macros to
> take the register variable instead of depending on the macro expanding
> as a struct member name.
>
> Signed-off-by: Kees Cook <[email protected]>
> ---
Looks good!
Acked-by: Christian Brauner <[email protected]>
On Tue, Sep 15, 2020 at 05:55:46PM +0200, Christian Brauner wrote:
> On Sat, Sep 12, 2020 at 04:08:08AM -0700, Kees Cook wrote:
> > Remove the mips special-case in change_syscall().
> >
> > Signed-off-by: Kees Cook <[email protected]>
> > ---
> > tools/testing/selftests/seccomp/seccomp_bpf.c | 17 +++++++++--------
> > 1 file changed, 9 insertions(+), 8 deletions(-)
> >
> > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> > index 1c83e743bfb1..02a9a6599746 100644
> > --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> > +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> > @@ -1742,6 +1742,13 @@ TEST_F(TRACE_poke, getpid_runs_normally)
> > # define ARCH_REGS struct pt_regs
> > # define SYSCALL_NUM(_regs) (_regs).regs[2]
> > # define SYSCALL_SYSCALL_NUM regs[4]
> > +# define SYSCALL_NUM_SET(_regs, _nr) \
> > + do { \
> > + if ((_regs).regs[2] == __NR_O32_Linux) \
> > + (_regs).regs[4] = _nr; \
> > + else \
> > + (_regs).regs[2] = _nr; \
> > + } while (0)
>
> I think that
>
> # define SYSCALL_NUM_SET(_regs, _nr) \
> do { \
> if (SYSCALL_NUM(_regs) == __NR_O32_Linux) \
> (_regs).regs[4] = _nr; \
> else \
> (_regs).regs[2] = _nr; \
> } while (0)
>
> would read better but that's just a matter of taste. :)
That's how I started originally, but when I realized that I'd have to
reorganize SYSCALL_NUM() too, it seem best to have minimal churn, so I
left it open coded here, since that's how it needs to be in the end.
> Looks good!
> Acked-by: Christian Brauner <[email protected]>
Thanks for the reviews!
--
Kees Cook
On Tue, Sep 15, 2020 at 06:25:28PM +0200, Christian Brauner wrote:
> On Sat, Sep 12, 2020 at 04:08:19AM -0700, Kees Cook wrote:
> > As the UAPI headers start to appear in distros, we need to avoid
> > outdated versions of struct clone_args to be able to test modern
> > features. Additionally pull in the syscall numbers correctly.
> >
> > Signed-off-by: Kees Cook <[email protected]>
> > ---
>
> Hm, with this patch applied I'm getting:
>
> gcc -g -I../../../../usr/include/ clone3_set_tid.c /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest_harness.h /home/brauner/src/git/linux/linux/tools/testing/selftests/kselftest.h -lcap -o /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid
> In file included from clone3_set_tid.c:24:
> clone3_selftests.h:37:8: error: redefinition of ‘struct clone_args’
> 37 | struct clone_args {
> | ^~~~~~~~~~
> In file included from clone3_set_tid.c:12:
> /usr/include/linux/sched.h:92:8: note: originally defined here
> 92 | struct clone_args {
> | ^~~~~~~~~~
> make: *** [../lib.mk:140: /home/brauner/src/git/linux/linux/tools/testing/selftests/clone3/clone3_set_tid] Error 1
Hm, weird.
> One trick to avoid this could be:
>
> #ifndef CLONE_ARGS_SIZE_VER0
> #define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */
> #endif
>
> #ifndef CLONE_ARGS_SIZE_VER1
> #define CLONE_ARGS_SIZE_VER1 80 /* sizeof second published struct */
> #endif
>
> #ifndef CLONE_ARGS_SIZE_VER2
> #define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */
> #endif
>
> struct __clone_args {
> __aligned_u64 flags;
> __aligned_u64 pidfd;
> __aligned_u64 child_tid;
> __aligned_u64 parent_tid;
> __aligned_u64 exit_signal;
> __aligned_u64 stack;
> __aligned_u64 stack_size;
> __aligned_u64 tls;
> __aligned_u64 set_tid;
> __aligned_u64 set_tid_size;
> __aligned_u64 cgroup;
> };
>
> static pid_t sys_clone3(struct __clone_args *args, size_t size)
> {
> return syscall(__NR_clone3, args, size);
> }
Yeah, that has fewer down sides. I'll rework it.
--
Kees Cook