add a test for SECCOMP_MODE_STRICT

Note that we don't add the test into the list of tests to run, because it will fail without the associated kernel patch. v2: spin lock until seccomp strict is set on the child Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
2025-08-31 06:15:24 +00:00 · 2015-06-18 11:59:17 -06:00
parent 0d8aec0c3a
commit c03df1ba2d
4 changed files with 86 additions and 0 deletions
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -333,6 +333,7 @@ netns-dev
 sockets00
 cow01
 apparmor
+seccomp_strict
 "

 CRIU_CPT=$CRIU
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -101,6 +101,7 @@
 /live/static/rtc
 /live/static/sched_policy00
 /live/static/sched_prio00
+/live/static/seccomp_strict
 /live/static/selfexe00
 /live/static/sem
 /live/static/session00
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -123,6 +123,7 @@ TST_NOFILE	=				\
 		aio00				\
 		fd				\
 		apparmor				\
+		seccomp_strict			\
 #		jobctl00			\

 TST_FILE	=				\
--- a/test/zdtm/live/static/seccomp_strict.c
+++ b/test/zdtm/live/static/seccomp_strict.c
@@ -0,0 +1,83 @@
+#include <unistd.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
+#include <linux/limits.h>
+#include "zdtmtst.h"
+
+const char *test_doc	= "Check that SECCOMP_MODE_STRICT is restored";
+const char *test_author	= "Tycho Andersen <tycho.andersen@canonical.com>";
+
+int get_seccomp_mode(pid_t pid, bool after_checkpoint)
+{
+	FILE *f;
+	char buf[PATH_MAX];
+
+	sprintf(buf, "/proc/%d/status", pid);
+	f = fopen(buf, "r+");
+	if (!f) {
+		err("fopen failed");
+		return -1;
+	}
+
+	while (NULL != fgets(buf, sizeof(buf), f)) {
+		int mode;
+		char state;
+
+		if (after_checkpoint && sscanf(buf, "State: %c %*s", &state) == 1 && state != 'R') {
+			fail("resumed but state is not R (%c), seccomp killed the process during resume\n", state);
+			break;
+		}
+
+		if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
+			continue;
+
+		fclose(f);
+		return mode;
+	}
+	fclose(f);
+
+	return -1;
+}
+
+int main(int argc, char ** argv)
+{
+	pid_t pid;
+	int ret = 1, mode;
+
+	test_init(argc, argv);
+
+	pid = fork();
+	if (pid < 0) {
+		err("fork");
+		return -1;
+	}
+
+	if (pid == 0) {
+		if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) < 0) {
+			err("prctl failed");
+			return -1;
+		}
+
+		while(1)
+			/* can't sleep() here, seccomp kills us */;
+	}
+
+	while(get_seccomp_mode(pid, false) != SECCOMP_MODE_STRICT)
+		sleep(1);
+
+	test_daemon();
+	test_waitsig();
+
+	mode = get_seccomp_mode(pid, true);
+	if (mode != SECCOMP_MODE_STRICT) {
+		fail("seccomp mode mismatch %d\n", mode);
+	} else {
+		pass();
+		ret = 0;
+	}
+
+	kill(pid, SIGKILL);
+	return ret;
+}