From patchwork Wed Apr 24 16:37:55 2019
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10915207
From: Kees Cook
To: Tycho Andersen
Cc: Kees Cook, stable@vger.kernel.org, James Morris, Andy Lutomirski, Will Drewry, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] selftests/seccomp: Prepare for exclusive seccomp flags
Date: Wed, 24 Apr 2019 09:37:55 -0700
Message-Id: <20190424163756.40001-2-keescook@chromium.org>
In-Reply-To: <20190424163756.40001-1-keescook@chromium.org>
References: <20190424163756.40001-1-keescook@chromium.org>

Some seccomp flags will become exclusive, so the selftest needs to be
adjusted to mask those out and test them individually for the "all flags"
tests.

Cc: stable@vger.kernel.org # v5.0+
Signed-off-by: Kees Cook
Reviewed-by: Tycho Andersen
Acked-by: James Morris
---
 tools/testing/selftests/seccomp/seccomp_bpf.c | 34 ++++++++++++++-----
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index f69d2ee29742..5019cdae5d0b 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags) SECCOMP_FILTER_FLAG_LOG, SECCOMP_FILTER_FLAG_SPEC_ALLOW, SECCOMP_FILTER_FLAG_NEW_LISTENER }; - unsigned int flag, all_flags; + unsigned int exclusive[] = { + SECCOMP_FILTER_FLAG_TSYNC, + SECCOMP_FILTER_FLAG_NEW_LISTENER }; + unsigned int flag, all_flags, exclusive_mask; int i; long ret; - /* Test detection of known-good filter flags */ + /* Test detection of individual known-good filter flags */ for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) { int bits = 0; 
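Review bot: the new `exclusive[]` array at the top of TEST(detect_seccomp_filter_flags) carries no comment saying what "exclusive" means here or why SECCOMP_FILTER_FLAG_TSYNC and SECCOMP_FILTER_FLAG_NEW_LISTENER are its two entries. It also repeats SECCOMP_FILTER_FLAG_NEW_LISTENER from the flag list that closes just above it, and nothing links the two lists, so someone adding a flag to one has no cue to look at the other. A one-line comment above `exclusive[]` stating that these flags must not be passed together, and that the list is kept in step with the kernel's own check, would cover both.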
@@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags) all_flags |= flag; } - /* Test detection of all known-good filter flags */ - ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL); - EXPECT_EQ(-1, ret); - EXPECT_EQ(EFAULT, errno) { - TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", - all_flags); + /* + * Test detection of all known-good filter flags combined. But + * for the exclusive flags we need to mask them out and try them + * individually for the "all flags" testing. + */ + exclusive_mask = 0; + for (i = 0; i < ARRAY_SIZE(exclusive); i++) + exclusive_mask |= exclusive[i]; + for (i = 0; i < ARRAY_SIZE(exclusive); i++) { + flag = all_flags & ~exclusive_mask; + flag |= exclusive[i]; + + ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); + EXPECT_EQ(-1, ret); + EXPECT_EQ(EFAULT, errno) { + TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", + flag); + } } - /* Test detection of an unknown filter flag */ + /* Test detection of an unknown filter flags, without exclusives. */ flag = -1; + flag &= ~exclusive_mask; ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); EXPECT_EQ(-1, ret); EXPECT_EQ(EINVAL, errno) {
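Review bot: the TH_LOG message inside the new `for (i = 0; i < ARRAY_SIZE(exclusive); i++)` loop still reads "Failed to detect that all known-good filter flags (0x%X) are supported!", but `flag` at that point is `all_flags & ~exclusive_mask` with a single exclusive entry added back, so a failure report does not say which exclusive flag was under test. Rewording it to describe the combined non-exclusive flags plus one exclusive flag, and printing `exclusive[i]` next to `flag`, would make a failing run readable without decoding the mask by hand. As a style point at the end of the hunk, the comment "Test detection of an unknown filter flags, without exclusives." mixes singular and plural; "Test detection of unknown filter flags, without exclusives." reads cleanly.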