mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-09-01 14:55:39 +00:00
Code Issues Releases Wiki Activity

add a test for SECCOMP_MODE_STRICT

Browse Source 
Note that we don't add the test into the list of tests to run, because it will
fail without the associated kernel patch.

v2: spin lock until seccomp strict is set on the child

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This commit is contained in:
Tycho Andersen
2015-06-18 11:59:17 -06:00
committed by Pavel Emelyanov
parent 0d8aec0c3a
commit c03df1ba2d
4 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
test/zdtm.sh
View File

@@ -333,6 +333,7 @@ netns-dev
sockets00 sockets00
cow01 cow01
apparmor apparmor
seccomp_strict
" "
CRIU_CPT=$CRIU CRIU_CPT=$CRIU

1
test/zdtm/.gitignore vendored
View File

@@ -101,6 +101,7 @@
/live/static/rtc /live/static/rtc
/live/static/sched_policy00 /live/static/sched_policy00
/live/static/sched_prio00 /live/static/sched_prio00
/live/static/seccomp_strict
/live/static/selfexe00 /live/static/selfexe00
/live/static/sem /live/static/sem
/live/static/session00 /live/static/session00

1
test/zdtm/live/static/Makefile
View File

@@ -123,6 +123,7 @@ TST_NOFILE = \
aio00 \ aio00 \
fd \ fd \
apparmor \ apparmor \
seccomp_strict \
# jobctl00 \ # jobctl00 \
TST_FILE = \ TST_FILE = \

83
test/zdtm/live/static/seccomp_strict.c Normal file
View File

@@ -0,0 +1,83 @@
#include <unistd.h>
#include <stdbool.h>
#include <signal.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/limits.h>
#include "zdtmtst.h"
const char *test_doc = "Check that SECCOMP_MODE_STRICT is restored";
const char *test_author = "Tycho Andersen <tycho.andersen@canonical.com>";
int get_seccomp_mode(pid_t pid, bool after_checkpoint)
{
FILE *f;
char buf[PATH_MAX];
sprintf(buf, "/proc/%d/status", pid);
f = fopen(buf, "r+");
if (!f) {
err("fopen failed");
return -1;
}
while (NULL != fgets(buf, sizeof(buf), f)) {
int mode;
char state;
if (after_checkpoint && sscanf(buf, "State: %c %*s", &state) == 1 && state != 'R') {
fail("resumed but state is not R (%c), seccomp killed the process during resume\n", state);
break;
}
if (sscanf(buf, "Seccomp:\t%d", &mode) != 1)
continue;
fclose(f);
return mode;
}
fclose(f);
return -1;
}
int main(int argc, char ** argv)
{
pid_t pid;
int ret = 1, mode;
test_init(argc, argv);
pid = fork();
if (pid < 0) {
err("fork");
return -1;
}
if (pid == 0) {
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) < 0) {
err("prctl failed");
return -1;
}
while(1)
/* can't sleep() here, seccomp kills us */;
}
while(get_seccomp_mode(pid, false) != SECCOMP_MODE_STRICT)
sleep(1);
test_daemon();
test_waitsig();
mode = get_seccomp_mode(pid, true);
if (mode != SECCOMP_MODE_STRICT) {
fail("seccomp mode mismatch %d\n", mode);
} else {
pass();
ret = 0;
}
kill(pid, SIGKILL);
return ret;
}