* [LTP] [PATCH v4] syscalls/prctl04: Fix false positive report when SECCOMP_MODE_FILTER is not supported
@ 2022-11-24 6:17 He Zhe
2022-11-24 6:45 ` xuyang2018.jy
0 siblings, 1 reply; 2+ messages in thread
From: He Zhe @ 2022-11-24 6:17 UTC (permalink / raw)
To: ltp
The child process expectedly should not receive the expected siganl, SIGSYS,
when kernel does not support SECCOMP_MODE_FILTER. The original verify_prctl
does not realize it and gives a FAIL for not receiving the signal.
This patch tests if SECCOMP_MODE_FILTER is supported in setup and adds a
variable to record it and to inform verify_prctl later to skip the case.
Before this patch:
root@xilinx-zynq:~# /opt/ltp/testcases/bin/prctl04
tst_test.c:1431: TINFO: Timeout per run is 0h 05m 00s
prctl04.c:221: TINFO: kernel support PR_GET/SET_SECCOMP
prctl04.c:132: TPASS: prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed
prctl04.c:205: TPASS: SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call
prctl04.c:140: TPASS: SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)
prctl04.c:205: TPASS: SECCOMP_MODE_STRICT doesn't permit close(2)
prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
prctl04.c:212: TFAIL: SECCOMP_MODE_FILTER permits exit() unexpectedly
prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
After this patch:
root@xilinx-zynq:~# /opt/ltp/testcases/bin/prctl04
tst_test.c:1431: TINFO: Timeout per run is 0h 05m 00s
prctl04.c:225: TINFO: kernel supports PR_GET/SET_SECCOMP
prctl04.c:135: TPASS: prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed
prctl04.c:209: TPASS: SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call
prctl04.c:143: TPASS: SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)
prctl04.c:209: TPASS: SECCOMP_MODE_STRICT doesn't permit close(2)
prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
Fixes: 3ddc217d7 ("syscalls/prctl04.c: New test for prctl() with PR_{SET,GET}_SECCOMP:)
Signed-off-by: He Zhe <zhe.he@windriver.com>
Reviewed-by: Yang Xu <xuyang2018.jy@fujitsu.com>
---
v2: Add a variable to record the support status instead of exit(1)
v3: Move mode_filter_not_supported check a bit upper to save a prctl call
v4: Update commit log, judge mode_filter_not_supported first
testcases/kernel/syscalls/prctl/prctl04.c | 30 +++++++++++++++++------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
index b9f4c2a10..d3de4b0d6 100644
--- a/testcases/kernel/syscalls/prctl/prctl04.c
+++ b/testcases/kernel/syscalls/prctl/prctl04.c
@@ -93,6 +93,9 @@ static struct tcase {
"SECCOMP_MODE_FILTER doesn't permit exit()"}
};
+
+static int mode_filter_not_supported;
+
static void check_filter_mode_inherit(void)
{
int childpid;
@@ -154,16 +157,17 @@ static void check_filter_mode(int val)
{
int fd;
+ if (mode_filter_not_supported == 1) {
+ tst_res(TCONF, "kernel doesn't support SECCOMP_MODE_FILTER");
+ return;
+ }
+
fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
if (TST_RET == -1) {
- if (TST_ERR == EINVAL)
- tst_res(TCONF,
- "kernel doesn't support SECCOMP_MODE_FILTER");
- else
- tst_res(TFAIL | TERRNO,
- "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER failed");
+ tst_res(TFAIL | TERRNO,
+ "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER failed");
return;
}
@@ -208,7 +212,7 @@ static void verify_prctl(unsigned int n)
return;
}
- if (tc->pass_flag == 2)
+ if (tc->pass_flag == 2 && mode_filter_not_supported == 0)
tst_res(TFAIL,
"SECCOMP_MODE_FILTER permits exit() unexpectedly");
}
@@ -218,7 +222,17 @@ static void setup(void)
{
TEST(prctl(PR_GET_SECCOMP));
if (TST_RET == 0) {
- tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
+ tst_res(TINFO, "kernel supports PR_GET/SET_SECCOMP");
+
+ TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL));
+ if (TST_RET == -1)
+ if (TST_ERR == EINVAL) {
+ mode_filter_not_supported = 1;
+ return;
+ }
+
+ tst_res(TINFO, "kernel supports SECCOMP_MODE_FILTER");
+
return;
}
--
2.25.1
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [LTP] [PATCH v4] syscalls/prctl04: Fix false positive report when SECCOMP_MODE_FILTER is not supported
2022-11-24 6:17 [LTP] [PATCH v4] syscalls/prctl04: Fix false positive report when SECCOMP_MODE_FILTER is not supported He Zhe
@ 2022-11-24 6:45 ` xuyang2018.jy
0 siblings, 0 replies; 2+ messages in thread
From: xuyang2018.jy @ 2022-11-24 6:45 UTC (permalink / raw)
To: He Zhe, ltp@lists.linux.it
Hi He
> The child process expectedly should not receive the expected siganl, SIGSYS,
> when kernel does not support SECCOMP_MODE_FILTER. The original verify_prctl
> does not realize it and gives a FAIL for not receiving the signal.
>
> This patch tests if SECCOMP_MODE_FILTER is supported in setup and adds a
> variable to record it and to inform verify_prctl later to skip the case.
>
> Before this patch:
> root@xilinx-zynq:~# /opt/ltp/testcases/bin/prctl04
> tst_test.c:1431: TINFO: Timeout per run is 0h 05m 00s
> prctl04.c:221: TINFO: kernel support PR_GET/SET_SECCOMP
> prctl04.c:132: TPASS: prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed
> prctl04.c:205: TPASS: SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call
> prctl04.c:140: TPASS: SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)
> prctl04.c:205: TPASS: SECCOMP_MODE_STRICT doesn't permit close(2)
> prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
> prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
> prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
> prctl04.c:212: TFAIL: SECCOMP_MODE_FILTER permits exit() unexpectedly
> prctl04.c:162: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
>
> After this patch:
> root@xilinx-zynq:~# /opt/ltp/testcases/bin/prctl04
> tst_test.c:1431: TINFO: Timeout per run is 0h 05m 00s
> prctl04.c:225: TINFO: kernel supports PR_GET/SET_SECCOMP
> prctl04.c:135: TPASS: prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed
> prctl04.c:209: TPASS: SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call
> prctl04.c:143: TPASS: SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)
> prctl04.c:209: TPASS: SECCOMP_MODE_STRICT doesn't permit close(2)
> prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
> prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
> prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
> prctl04.c:161: TCONF: kernel doesn't support SECCOMP_MODE_FILTER
>
> Fixes: 3ddc217d7 ("syscalls/prctl04.c: New test for prctl() with PR_{SET,GET}_SECCOMP:)
>
> Signed-off-by: He Zhe <zhe.he@windriver.com>
> Reviewed-by: Yang Xu <xuyang2018.jy@fujitsu.com>
> ---
> v2: Add a variable to record the support status instead of exit(1)
> v3: Move mode_filter_not_supported check a bit upper to save a prctl call
> v4: Update commit log, judge mode_filter_not_supported first
>
> testcases/kernel/syscalls/prctl/prctl04.c | 30 +++++++++++++++++------
> 1 file changed, 22 insertions(+), 8 deletions(-)
>
> diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
> index b9f4c2a10..d3de4b0d6 100644
> --- a/testcases/kernel/syscalls/prctl/prctl04.c
> +++ b/testcases/kernel/syscalls/prctl/prctl04.c
> @@ -93,6 +93,9 @@ static struct tcase {
> "SECCOMP_MODE_FILTER doesn't permit exit()"}
> };
>
> +
> +static int mode_filter_not_supported;
> +
> static void check_filter_mode_inherit(void)
> {
> int childpid;
> @@ -154,16 +157,17 @@ static void check_filter_mode(int val)
> {
> int fd;
>
> + if (mode_filter_not_supported == 1) {
> + tst_res(TCONF, "kernel doesn't support SECCOMP_MODE_FILTER");
> + return;
> + }
> +
> fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
>
> TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
> if (TST_RET == -1) {
> - if (TST_ERR == EINVAL)
> - tst_res(TCONF,
> - "kernel doesn't support SECCOMP_MODE_FILTER");
> - else
> - tst_res(TFAIL | TERRNO,
> - "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER failed");
> + tst_res(TFAIL | TERRNO,
> + "prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER failed");
> return;
> }
>
> @@ -208,7 +212,7 @@ static void verify_prctl(unsigned int n)
> return;
> }
>
> - if (tc->pass_flag == 2)
> + if (tc->pass_flag == 2 && mode_filter_not_supported == 0)
> tst_res(TFAIL,
> "SECCOMP_MODE_FILTER permits exit() unexpectedly");
> }
> @@ -218,7 +222,17 @@ static void setup(void)
> {
> TEST(prctl(PR_GET_SECCOMP));
> if (TST_RET == 0) {
> - tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
> + tst_res(TINFO, "kernel supports PR_GET/SET_SECCOMP");
> +
> + TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL));
> + if (TST_RET == -1)
> + if (TST_ERR == EINVAL) {
> + mode_filter_not_supported = 1;
> + return;
> + }
I use "TST_RET == -1 && TST_ERR == EINVAL" instead, then merged.
Thanks for this fix.
Best Regards
Yang Xu
> +
> + tst_res(TINFO, "kernel supports SECCOMP_MODE_FILTER");
> +
> return;
> }
>
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-11-24 6:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-24 6:17 [LTP] [PATCH v4] syscalls/prctl04: Fix false positive report when SECCOMP_MODE_FILTER is not supported He Zhe
2022-11-24 6:45 ` xuyang2018.jy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox