From 10e48d54f13f9874bdc9168db911028c33de5c51 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 18 Aug 2017 17:30:36 -0400
Subject: seccomp testing
---
 src/fseccomp/seccomp_print.c | 64 +++++++++++++++++++++++++++++++++-----------
 test/filters/fseccomp.exp | 6 ++---
 2 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index e10585a15..19fe7a545 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -63,13 +63,14 @@ errexit:
 exit(1);
 }
 
-// debug filter
-void filter_print(const char *fname) {
- assert(fname);
- load_seccomp(fname);
+static int detect_filter_type(void) {
+ // the filter ishould already be load in filter variable
+ assert(filter);
 
- // start filter
- const struct sock_filter start[] = {
+ printf("SECCOMP Filter\n");
+
+ // testing for main seccomp filter, protocol, mdwe - platform architecture
+ const struct sock_filter start_main[] = {
 VALIDATE_ARCHITECTURE,
 #if defined(__x86_64__)
 EXAMINE_SYSCALL,
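Review bot: The new detect_filter_type() has no contract comment, and the one comment it does carry, `// the filter ishould already be load in filter variable`, is garbled; replace it with a header comment stating that the function expects load_seccomp() to have already populated the global `filter` (and, as the while loop in the next hunk suggests, `filter_cnt`), prints the recognized filter prologue, and returns the number of sock_filter entries that prologue occupies, or 0 when the prologue is not recognized. The `assert(filter)` is the only guard before the prologue comparisons and is compiled out under NDEBUG, so the comment should also say that a NULL or short `filter` is not handled here. The function body continues past the end of this hunk into the next one.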
@@ -78,25 +79,56 @@ void filter_print(const char *fname) {
 EXAMINE_SYSCALL
 #endif
 };
-
- // print sizes
- printf("SECCOMP Filter:\n");
-
- // test the start of the filter
- if (memcmp(&start[0], filter, sizeof(start)) == 0) {
+
+ if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) {
 printf(" VALIDATE_ARCHITECTURE\n");
 printf(" EXAMINE_SYSCALL\n");
 #if defined(__x86_64__)
 printf(" HANDLE_X32\n");
 #endif
+ return sizeof(start_main) / sizeof(struct sock_filter);
 }
- else {
+
+
+ // testing for secondare amd64 filter
+ const struct sock_filter start_secondary_64[] = {
+ VALIDATE_ARCHITECTURE,
+ EXAMINE_SYSCALL,
+ };
+
+ if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) {
+ printf(" VALIDATE_ARCHITECTURE_64\n");
+ printf(" EXAMINE_SYSCALL\n");
+ return sizeof(start_secondary_64) / sizeof(struct sock_filter);
+ }
+
+ // testing for secondare i386 filter
+ const struct sock_filter start_secondary_32[] = {
+ VALIDATE_ARCHITECTURE_32,
+ EXAMINE_SYSCALL,
+ };
+
+ if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) {
+ printf(" VALIDATE_ARCHITECTURE_32\n");
+ printf(" EXAMINE_SYSCALL\n");
+ return sizeof(start_secondary_32) / sizeof(struct sock_filter);
+ }
+
+ return 0; // filter unrecognized
+}
+
+// debug filter
+void filter_print(const char *fname) {
+ assert(fname);
+ load_seccomp(fname);
+
+ int i = detect_filter_type();
+ if (i == 0) {
 printf("Invalid seccomp filter %s\n", fname);
 return;
 }
-
- // loop trough blacklists
- int i = sizeof(start) / sizeof(struct sock_filter);
+
+ // loop trough the rest of commands
 while (i < filter_cnt) {
 // minimal parsing!
 struct sock_filter *s = (struct sock_filter *) &filter[i];
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
index 95b7bfadd..a71c35302 100755
--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
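Review bot: The three memcmp() prologue checks read `sizeof(start_main)`, `sizeof(start_secondary_64)` and `sizeof(start_secondary_32)` bytes from `filter` without first checking that `filter_cnt` covers that many entries, so a truncated filter file handed to load_seccomp() makes the comparison read past the loaded data; guard each one, e.g. `if (filter_cnt >= (int)(sizeof(start_main) / sizeof(struct sock_filter)) && memcmp(&start_main[0], filter, sizeof(start_main)) == 0) {` and likewise for the two secondary arrays (this assumes `filter_cnt` is the loaded entry count, as its use in the while loop suggests). On builds where `__x86_64__` is not defined, start_main appears to reduce to `VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL`, which is exactly the contents of start_secondary_64, so the secondary-64 branch is unreachable there and such a filter is reported with the main filter's labels; the `#else` side of start_main lies between the two hunks, so this is inferred rather than seen. The comments `// testing for secondare amd64 filter` and `// testing for secondare i386 filter` should read `secondary`, and the old `loop trough` typo is carried over into `// loop trough the rest of commands`.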
@@ -72,7 +72,7 @@ expect {
 }
 after 100
-send -- "fseccomp drop seccomp-test-file chmod,chown\r"
+send -- "fseccomp drop seccomp-test-file tmpfile chmod,chown\r"
 after 100
 send -- "fseccomp print seccomp-test-file\r"
 expect {
@@ -91,7 +91,7 @@ expect {
 }
 after 100
-send -- "fseccomp default drop seccomp-test-file chmod,chown\r"
+send -- "fseccomp default drop seccomp-test-file tmpfile chmod,chown\r"
 after 100
 send -- "fseccomp print seccomp-test-file\r"
 expect {
@@ -115,7 +115,7 @@ expect {
 "RETURN_ALLOW"
 }
 after 100
-send -- "fseccomp keep seccomp-test-file chmod,chown\r"
+send -- "fseccomp keep seccomp-test-file tmpfile chmod,chown\r"
 after 100
 send -- "fseccomp print seccomp-test-file\r"
 expect {
-- cgit v1.2.3-54-g00ecf
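Review bot: The three `send` lines gain a `tmpfile` argument, but the `expect` blocks that check the following `fseccomp print seccomp-test-file` output sit outside these hunks and are not touched, while the same commit changes that output (the header `SECCOMP Filter:` becomes `SECCOMP Filter`, and secondary filters now print `VALIDATE_ARCHITECTURE_64` or `VALIDATE_ARCHITECTURE_32`); if any of those expect patterns still match the old header text, the test will time out rather than pass. Each send/expect sequence here starts and ends outside its hunk, so this cannot be confirmed from the diff alone and should be checked against the full fseccomp.exp.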