diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-18 17:30:36 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-18 17:30:36 -0400 |
| commit | 10e48d54f13f9874bdc9168db911028c33de5c51 (patch) | |
| tree | 21c75d466e75e47692bcb15950dae4969d5fa884 | |
| parent | testing: memwrexe runs only on x86_64 (diff) | |
| download | firejail-10e48d54f13f9874bdc9168db911028c33de5c51.tar.gz firejail-10e48d54f13f9874bdc9168db911028c33de5c51.tar.zst firejail-10e48d54f13f9874bdc9168db911028c33de5c51.zip | |
seccomp testing
| -rw-r--r-- | src/fseccomp/seccomp_print.c | 64 | ||||
| -rwxr-xr-x | test/filters/fseccomp.exp | 6 |
2 files changed, 51 insertions, 19 deletions
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index e10585a15..19fe7a545 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
| @@ -63,13 +63,14 @@ errexit: | |||
| 63 | exit(1); | 63 | exit(1); |
| 64 | } | 64 | } |
| 65 | 65 | ||
| 66 | // debug filter | 66 | static int detect_filter_type(void) { |
| 67 | void filter_print(const char *fname) { | 67 | // the filter ishould already be load in filter variable |
| 68 | assert(fname); | 68 | assert(filter); |
| 69 | load_seccomp(fname); | ||
| 70 | 69 | ||
| 71 | // start filter | 70 | printf("SECCOMP Filter\n"); |
| 72 | const struct sock_filter start[] = { | 71 | |
| 72 | // testing for main seccomp filter, protocol, mdwe - platform architecture | ||
| 73 | const struct sock_filter start_main[] = { | ||
| 73 | VALIDATE_ARCHITECTURE, | 74 | VALIDATE_ARCHITECTURE, |
| 74 | #if defined(__x86_64__) | 75 | #if defined(__x86_64__) |
| 75 | EXAMINE_SYSCALL, | 76 | EXAMINE_SYSCALL, |
| @@ -78,25 +79,56 @@ void filter_print(const char *fname) { | |||
| 78 | EXAMINE_SYSCALL | 79 | EXAMINE_SYSCALL |
| 79 | #endif | 80 | #endif |
| 80 | }; | 81 | }; |
| 81 | 82 | ||
| 82 | // print sizes | 83 | if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) { |
| 83 | printf("SECCOMP Filter:\n"); | ||
| 84 | |||
| 85 | // test the start of the filter | ||
| 86 | if (memcmp(&start[0], filter, sizeof(start)) == 0) { | ||
| 87 | printf(" VALIDATE_ARCHITECTURE\n"); | 84 | printf(" VALIDATE_ARCHITECTURE\n"); |
| 88 | printf(" EXAMINE_SYSCALL\n"); | 85 | printf(" EXAMINE_SYSCALL\n"); |
| 89 | #if defined(__x86_64__) | 86 | #if defined(__x86_64__) |
| 90 | printf(" HANDLE_X32\n"); | 87 | printf(" HANDLE_X32\n"); |
| 91 | #endif | 88 | #endif |
| 89 | return sizeof(start_main) / sizeof(struct sock_filter); | ||
| 92 | } | 90 | } |
| 93 | else { | 91 | |
| 92 | |||
| 93 | // testing for secondare amd64 filter | ||
| 94 | const struct sock_filter start_secondary_64[] = { | ||
| 95 | VALIDATE_ARCHITECTURE, | ||
| 96 | EXAMINE_SYSCALL, | ||
| 97 | }; | ||
| 98 | |||
| 99 | if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) { | ||
| 100 | printf(" VALIDATE_ARCHITECTURE_64\n"); | ||
| 101 | printf(" EXAMINE_SYSCALL\n"); | ||
| 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | ||
| 103 | } | ||
| 104 | |||
| 105 | // testing for secondare i386 filter | ||
| 106 | const struct sock_filter start_secondary_32[] = { | ||
| 107 | VALIDATE_ARCHITECTURE_32, | ||
| 108 | EXAMINE_SYSCALL, | ||
| 109 | }; | ||
| 110 | |||
| 111 | if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) { | ||
| 112 | printf(" VALIDATE_ARCHITECTURE_32\n"); | ||
| 113 | printf(" EXAMINE_SYSCALL\n"); | ||
| 114 | return sizeof(start_secondary_32) / sizeof(struct sock_filter); | ||
| 115 | } | ||
| 116 | |||
| 117 | return 0; // filter unrecognized | ||
| 118 | } | ||
| 119 | |||
| 120 | // debug filter | ||
| 121 | void filter_print(const char *fname) { | ||
| 122 | assert(fname); | ||
| 123 | load_seccomp(fname); | ||
| 124 | |||
| 125 | int i = detect_filter_type(); | ||
| 126 | if (i == 0) { | ||
| 94 | printf("Invalid seccomp filter %s\n", fname); | 127 | printf("Invalid seccomp filter %s\n", fname); |
| 95 | return; | 128 | return; |
| 96 | } | 129 | } |
| 97 | 130 | ||
| 98 | // loop trough blacklists | 131 | // loop trough the rest of commands |
| 99 | int i = sizeof(start) / sizeof(struct sock_filter); | ||
| 100 | while (i < filter_cnt) { | 132 | while (i < filter_cnt) { |
| 101 | // minimal parsing! | 133 | // minimal parsing! |
| 102 | struct sock_filter *s = (struct sock_filter *) &filter[i]; | 134 | struct sock_filter *s = (struct sock_filter *) &filter[i]; |
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 95b7bfadd..a71c35302 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp | |||
| @@ -72,7 +72,7 @@ expect { | |||
| 72 | } | 72 | } |
| 73 | 73 | ||
| 74 | after 100 | 74 | after 100 |
| 75 | send -- "fseccomp drop seccomp-test-file chmod,chown\r" | 75 | send -- "fseccomp drop seccomp-test-file tmpfile chmod,chown\r" |
| 76 | after 100 | 76 | after 100 |
| 77 | send -- "fseccomp print seccomp-test-file\r" | 77 | send -- "fseccomp print seccomp-test-file\r" |
| 78 | expect { | 78 | expect { |
| @@ -91,7 +91,7 @@ expect { | |||
| 91 | } | 91 | } |
| 92 | 92 | ||
| 93 | after 100 | 93 | after 100 |
| 94 | send -- "fseccomp default drop seccomp-test-file chmod,chown\r" | 94 | send -- "fseccomp default drop seccomp-test-file tmpfile chmod,chown\r" |
| 95 | after 100 | 95 | after 100 |
| 96 | send -- "fseccomp print seccomp-test-file\r" | 96 | send -- "fseccomp print seccomp-test-file\r" |
| 97 | expect { | 97 | expect { |
| @@ -115,7 +115,7 @@ expect { | |||
| 115 | "RETURN_ALLOW" | 115 | "RETURN_ALLOW" |
| 116 | } | 116 | } |
| 117 | after 100 | 117 | after 100 |
| 118 | send -- "fseccomp keep seccomp-test-file chmod,chown\r" | 118 | send -- "fseccomp keep seccomp-test-file tmpfile chmod,chown\r" |
| 119 | after 100 | 119 | after 100 |
| 120 | send -- "fseccomp print seccomp-test-file\r" | 120 | send -- "fseccomp print seccomp-test-file\r" |
| 121 | expect { | 121 | expect { |