| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Sep 2019 23:50:21 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: shuah <shuah@...nel.org>
Cc: keescook@...omium.org, luto@...capital.net, jannh@...gle.com,
wad@...omium.org, ast@...nel.org, daniel@...earbox.net,
kafai@...com, songliubraving@...com, yhs@...com,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
netdev@...r.kernel.org, bpf@...r.kernel.org,
Tycho Andersen <tycho@...ho.ws>,
Tyler Hicks <tyhicks@...onical.com>, stable@...r.kernel.org
Subject: Re: [PATCH v1 3/3] seccomp: test SECCOMP_USER_NOTIF_FLAG_CONTINUE
On Thu, Sep 19, 2019 at 11:13:46AM -0600, shuah wrote:
> On 9/19/19 3:59 AM, Christian Brauner wrote:
> > Test whether a syscall can be performed after having been intercepted by
> > the seccomp notifier. The test uses dup() and kcmp() since it allows us to
> > nicely test whether the dup() syscall actually succeeded by comparing whether
> > the fds refer to the same underlying struct file.
> >
> > Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
> > Cc: Kees Cook <keescook@...omium.org>
> > Cc: Andy Lutomirski <luto@...capital.net>
> > Cc: Will Drewry <wad@...omium.org>
> > Cc: Shuah Khan <shuah@...nel.org>
> > Cc: Alexei Starovoitov <ast@...nel.org>
> > Cc: Daniel Borkmann <daniel@...earbox.net>
> > Cc: Martin KaFai Lau <kafai@...com>
> > Cc: Song Liu <songliubraving@...com>
> > Cc: Yonghong Song <yhs@...com>
> > Cc: Tycho Andersen <tycho@...ho.ws>
> > CC: Tyler Hicks <tyhicks@...onical.com>
> > Cc: stable@...r.kernel.org
> > Cc: linux-kselftest@...r.kernel.org
> > Cc: netdev@...r.kernel.org
> > Cc: bpf@...r.kernel.org
> > ---
> > /* v1 */
> > - Christian Brauner <christian.brauner@...ntu.com>:
> > - adapt to new flag name SECCOMP_USER_NOTIF_FLAG_CONTINUE
> >
> > /* v0 */
> > Link: https://lore.kernel.org/r/20190918084833.9369-5-christian.brauner@ubuntu.com
> > ---
> > tools/testing/selftests/seccomp/seccomp_bpf.c | 102 ++++++++++++++++++
> > 1 file changed, 102 insertions(+)
> >
> > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> > index e996d7b7fd6e..b0966599acb5 100644
> > --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> > +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> > @@ -44,6 +44,7 @@
> > #include <sys/times.h>
> > #include <sys/socket.h>
> > #include <sys/ioctl.h>
> > +#include <linux/kcmp.h>
> > #include <unistd.h>
> > #include <sys/syscall.h>
> > @@ -167,6 +168,10 @@ struct seccomp_metadata {
> > #define SECCOMP_RET_USER_NOTIF 0x7fc00000U
> > +#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE
> > +#define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001
> > +#endif
> > +
> > #define SECCOMP_IOC_MAGIC '!'
> > #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr)
> > #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type)
> > @@ -3481,6 +3486,103 @@ TEST(seccomp_get_notif_sizes)
> > EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp));
> > }
> > +static int filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2)
> > +{
> > +#ifdef __NR_kcmp
> > + return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2);
> > +#else
> > + errno = ENOSYS;
> > + return -1;
>
> This should be SKIP for kselftest so this isn't counted a failure.
> In this case test can't be run because of a missing dependency.
Right, I can just ifdef the whole test and report a skip.
Powered by blists - more mailing lists