Re: [PATCH] selftests/seccomp: add support for s390

From: Kees Cook
Date: Wed Sep 09 2015 - 12:40:12 EST


Re-ping. Can someone pull this into their tree?

-Kees

On Fri, Aug 21, 2015 at 11:22 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> This adds support for s390 to the seccomp selftests. Some improvements
> were made to enhance the accuracy of failure reporting, and additional
> tests were added to validate assumptions about the currently traced
> syscall. Also adds early asserts for running on older kernels to avoid
> noise when the seccomp syscall is not implemented.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> This applies on top of -next, following the addition of the powerpc tests.
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 37 +++++++++++++++++++++++++-
> tools/testing/selftests/seccomp/test_harness.h | 7 ++---
> 2 files changed, 38 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index a004b4cce99e..770f47adf295 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -1210,6 +1210,10 @@ TEST_F(TRACE_poke, getpid_runs_normally)
> # define ARCH_REGS struct pt_regs
> # define SYSCALL_NUM gpr[0]
> # define SYSCALL_RET gpr[3]
> +#elif defined(__s390__)
> +# define ARCH_REGS s390_regs
> +# define SYSCALL_NUM gprs[2]
> +# define SYSCALL_RET gprs[2]
> #else
> # error "Do not know how to find your architecture's registers and syscalls"
> #endif
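Review bot: In the new `__s390__` branch `SYSCALL_NUM` and `SYSCALL_RET` both expand to `gprs[2]`, and nothing in the hunk says this aliasing is intentional. Code that sets the syscall number and then a return value on the same `regs` copy would silently overwrite the first write. The second hunk enables `regs.SYSCALL_NUM = syscall;` for s390 and the tracer passes `-1` through it to skip a syscall, so check whether `change_syscall()` also writes `SYSCALL_RET` afterwards; its body is not fully visible here. At minimum I would add a comment above the defines: `/* s390: syscall number and return value share gprs[2]; writing one clobbers the other. */`.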
> @@ -1243,7 +1247,8 @@ void change_syscall(struct __test_metadata *_metadata,
> ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
> EXPECT_EQ(0, ret);
>
> -#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || defined(__powerpc__)
> +#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
> + defined(__powerpc__) || defined(__s390__)
> {
> regs.SYSCALL_NUM = syscall;
> }
> @@ -1281,17 +1286,21 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
> ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
> EXPECT_EQ(0, ret);
>
> + /* Validate and take action on expected syscalls. */
> switch (msg) {
> case 0x1002:
> /* change getpid to getppid. */
> + EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
> change_syscall(_metadata, tracee, __NR_getppid);
> break;
> case 0x1003:
> /* skip gettid. */
> + EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
> change_syscall(_metadata, tracee, -1);
> break;
> case 0x1004:
> /* do nothing (allow getppid) */
> + EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
> break;
> default:
> EXPECT_EQ(0, msg) {
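Review bot: The three added `EXPECT_EQ(__NR_..., get_syscall(_metadata, tracee))` checks are non-fatal, so when the trace event data does not match the syscall actually stopped on, the `0x1002` and `0x1003` cases still call `change_syscall()` and rewrite or skip a syscall the tracer did not expect. The mismatch is reported, but the tracee then continues in a state the later assertions were not written for, which makes the resulting failures harder to read. Consider keeping the `get_syscall()` result in a local (`nr`) and gating the rewrite on it, e.g. `if (nr == __NR_gettid) change_syscall(_metadata, tracee, -1);`. The body of `tracer_syscall()` starts before and continues after this hunk.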
> @@ -1409,6 +1418,8 @@ TEST_F(TRACE_syscall, syscall_dropped)
> # define __NR_seccomp 277
> # elif defined(__powerpc__)
> # define __NR_seccomp 358
> +# elif defined(__s390__)
> +# define __NR_seccomp 348
> # else
> # warning "seccomp syscall number unknown for this architecture"
> # define __NR_seccomp 0xffff
> @@ -1453,6 +1464,9 @@ TEST(seccomp_syscall)
>
> /* Reject insane operation. */
> ret = seccomp(-1, 0, &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> EXPECT_EQ(EINVAL, errno) {
> TH_LOG("Did not reject crazy op value!");
> }
> @@ -1501,6 +1515,9 @@ TEST(seccomp_syscall_mode_lock)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> EXPECT_EQ(0, ret) {
> TH_LOG("Could not install filter!");
> }
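Review bot: `ASSERT_NE(ENOSYS, errno)` is evaluated here without first checking that `seccomp()` failed, and this call is expected to succeed, in which case `errno` keeps whatever an earlier call left in it. If anything earlier in the test process left `errno == ENOSYS`, the assert aborts the test with "Kernel does not support seccomp syscall!" even though the filter was installed. The same pattern is added in the TSYNC_first, siblings_fail_prctl, two_siblings_with_ancestor, two_siblings_with_no_filter, two_siblings_with_one_divergence and two_siblings_not_under_filter hunks. The seccomp_syscall hunk is less exposed because that call is expected to fail. Adding `errno = 0;` immediately before each `ret = seccomp(...)` would make the check depend only on the call under test.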
> @@ -1535,6 +1552,9 @@ TEST(TSYNC_first)
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
> &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> EXPECT_EQ(0, ret) {
> TH_LOG("Could not install initial filter with TSYNC!");
> }
> @@ -1694,6 +1714,9 @@ TEST_F(TSYNC, siblings_fail_prctl)
>
> /* Check prctl failure detection by requesting sib 0 diverge. */
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("setting filter failed");
> }
> @@ -1731,6 +1754,9 @@ TEST_F(TSYNC, two_siblings_with_ancestor)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
> }
> @@ -1805,6 +1831,9 @@ TEST_F(TSYNC, two_siblings_with_no_filter)
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
> &self->apply_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Could install filter on all threads!");
> }
> @@ -1833,6 +1862,9 @@ TEST_F(TSYNC, two_siblings_with_one_divergence)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
> }
> @@ -1890,6 +1922,9 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
> }
>
> ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
> + ASSERT_NE(ENOSYS, errno) {
> + TH_LOG("Kernel does not support seccomp syscall!");
> + }
> ASSERT_EQ(0, ret) {
> TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
> }
> diff --git a/tools/testing/selftests/seccomp/test_harness.h b/tools/testing/selftests/seccomp/test_harness.h
> index 977a6afc4489..fb2841601f2f 100644
> --- a/tools/testing/selftests/seccomp/test_harness.h
> +++ b/tools/testing/selftests/seccomp/test_harness.h
> @@ -370,11 +370,8 @@
> __typeof__(_expected) __exp = (_expected); \
> __typeof__(_seen) __seen = (_seen); \
> if (!(__exp _t __seen)) { \
> - unsigned long long __exp_print = 0; \
> - unsigned long long __seen_print = 0; \
> - /* Avoid casting complaints the scariest way we can. */ \
> - memcpy(&__exp_print, &__exp, sizeof(__exp)); \
> - memcpy(&__seen_print, &__seen, sizeof(__seen)); \
> + unsigned long long __exp_print = (unsigned long long)__exp; \
> + unsigned long long __seen_print = (unsigned long long)__seen; \
> __TH_LOG("Expected %s (%llu) %s %s (%llu)", \
> #_expected, __exp_print, #_t, \
> #_seen, __seen_print); \
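Review bot: The removed comment ("Avoid casting complaints") was the only record of why `memcpy` was used, and the new `(unsigned long long)` casts carry no explanation of the trade-off. The cast prints narrower values correctly regardless of byte order, which is presumably the motivation given the big-endian target. However, negative operands are now sign-extended and logged by `%llu` as very large numbers, and pointer operands on 32-bit builds may trigger the cast warning the old code was avoiding. I would document that in the macro: `/* Cast, not memcpy: copying a narrower value into a zeroed 64-bit slot misreports it on big-endian. Negative values print sign-extended. */ \`. The macro body starts before and continues after this hunk.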
> --
> 1.9.1
>
>
> --
> Kees Cook
> Chrome OS Security



--
Kees Cook
Chrome OS Security