From: sashiko-bot@kernel.org
To: "Jamie Hill-Daniel" <clubby789@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v2 3/3] selftest: seccomp: Adjust tests for using both STRICT and FILTER
Date: Mon, 15 Jun 2026 16:32:22 +0000 [thread overview]
Message-ID: <20260615163223.112F61F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260615-seccomp-combined-v2-3-41687a943ae0@hill-daniel.co.uk>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] The `mode_strict_upgrade_violation` test has a logic flaw that causes it to incorrectly pass even if the kernel mistakenly allows the forbidden syscall.
- [Medium] The patch drops test coverage for upgrading to strict mode via the `seccomp()` syscall.
--
commit 8c0b993065641d6398baa9878008c2ec51b13bef
Author: Jamie Hill-Daniel <clubby789@gmail.com>
selftest: seccomp: Adjust tests for using both STRICT and FILTER
Update tests to reflect that applying STRICT after FILTER is now possible.
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 358b6c65e120e..17232591be590 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
[ ... ]
> @@ -540,8 +540,34 @@ TEST(mode_filter_cannot_move_to_strict)
> ASSERT_EQ(0, ret);
>
> ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
> - EXPECT_EQ(-1, ret);
> - EXPECT_EQ(EINVAL, errno);
> + ASSERT_EQ(0, ret);
> + syscall(__NR_exit, 0);
> +}
> +
> +TEST_SIGNAL(mode_strict_upgrade_violation, SIGKILL)
> +{
> + struct sock_filter filter[] = {
> + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
> + };
> + struct sock_fprog prog = {
> + .len = (unsigned short)ARRAY_SIZE(filter),
> + .filter = filter,
> + };
> + long ret;
> +
> + ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
> + ASSERT_EQ(0, ret);
> +
> + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
> + ASSERT_EQ(0, ret);
> +
> + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
> + ASSERT_EQ(0, ret);
> +
> + syscall(__NR_getpid);
> + EXPECT_FALSE(true) {
> + TH_LOG("Unreachable!");
> + }
> }
[Severity: Medium]
If the kernel mistakenly allows __NR_getpid, will the implicit return from this
test function mask the failure?
Returning from a kselftest function invokes the harness wrapper which calls
the standard library's _exit(), invoking the __NR_exit_group syscall. Because
__NR_exit_group is also forbidden in strict seccomp mode (only __NR_exit is
allowed), the kernel kills the test process with SIGKILL.
Since the parent harness expects a SIGKILL (due to the TEST_SIGNAL macro), it
matches the expected signal and overrides the test state to PASSED, hiding the
EXPECT_FALSE failure.
Should we explicitly call syscall(__NR_exit, 1); after the assertion fails to
ensure the test exits normally and the harness correctly fails it?
[ ... ]
> @@ -2376,42 +2402,6 @@ TEST(seccomp_syscall)
> }
> }
>
> -TEST(seccomp_syscall_mode_lock)
> -{
> - struct sock_filter filter[] = {
> - BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
> - };
> - struct sock_fprog prog = {
> - .len = (unsigned short)ARRAY_SIZE(filter),
> - .filter = filter,
> - };
> - long ret;
> -
> - ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
> - ASSERT_EQ(0, ret) {
> - TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
> - }
> -
> - ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
> - ASSERT_NE(ENOSYS, errno) {
> - TH_LOG("Kernel does not support seccomp syscall!");
> - }
> - EXPECT_EQ(0, ret) {
> - TH_LOG("Could not install filter!");
> - }
> -
> - /* Make sure neither entry point will switch to strict. */
> - ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
> - EXPECT_EQ(EINVAL, errno) {
> - TH_LOG("Switched to mode strict!");
> - }
> -
> - ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
> - EXPECT_EQ(EINVAL, errno) {
> - TH_LOG("Switched to mode strict!");
> - }
> -}
[Severity: Medium]
Does dropping this test also drop test coverage for upgrading to strict mode
via the seccomp() syscall?
The new replacement tests (mode_strict_upgrade and
mode_strict_upgrade_violation) only validate the prctl() interface, leaving the
seccomp() syscall path untested for the newly allowed transition from
SECCOMP_MODE_FILTER to SECCOMP_MODE_STRICT.
Could we add tests to ensure the seccomp() syscall correctly enforces this ABI?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260615-seccomp-combined-v2-0-41687a943ae0@hill-daniel.co.uk?part=3
prev parent reply other threads:[~2026-06-15 16:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 16:20 [PATCH v2 0/3] seccomp: Allow using SECCOMP_MODE_STRICT with SECCOMP_MODE_FILTER Jamie Hill-Daniel
2026-06-15 16:20 ` [PATCH v2 1/3] seccomp: Store death as a separate field Jamie Hill-Daniel
2026-06-15 16:34 ` sashiko-bot
2026-06-15 16:20 ` [PATCH v2 2/3] seccomp: Allow upgrading to strict mode after enabling filters Jamie Hill-Daniel
2026-06-15 16:35 ` sashiko-bot
2026-06-15 16:20 ` [PATCH v2 3/3] selftest: seccomp: Adjust tests for using both STRICT and FILTER Jamie Hill-Daniel
2026-06-15 16:32 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260615163223.112F61F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clubby789@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox