5  * Test code for seccomp bpf.
30 #include <linux/seccomp.h>
146 #  warning "seccomp syscall number unknown for this architecture"
201 /* Flags for seccomp notification fd ioctl. */
282 #ifndef seccomp
283 int seccomp(unsigned int op, unsigned int flags, void *args)
781 /* This is a thread task to die via seccomp filter violation. */
835 	ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0,
844 		ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread));
996  * 580c57f10768 ("seccomp: cap SECCOMP_RET_ERRNO data to MAX_ERRNO").
2123 FIXTURE_VARIANT_ADD(TRACE_syscall, seccomp) {
2172 	/* Do not install seccomp rewrite filters, as we'll use ptrace instead. */
2322 	ret = seccomp(-1, 0, &prog);
2324 		TH_LOG("Kernel does not support seccomp syscall!");
2331 	ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL);
2335 	ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog);
2341 	ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog);
2345 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL);
2350 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2373 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2375 		TH_LOG("Kernel does not support seccomp syscall!");
2387 	ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
2428 		ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2430 			TH_LOG("Kernel does not support seccomp syscall!");
2453 		ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2464 	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2476 	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
2500 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2503 		TH_LOG("Kernel does not support seccomp syscall!");
2680 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
2682 		TH_LOG("Kernel does not support seccomp syscall!");
2720 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2722 		TH_LOG("Kernel does not support seccomp syscall!");
2735 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2796 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2799 		TH_LOG("Kernel does not support seccomp syscall!");
2828 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2830 		TH_LOG("Kernel does not support seccomp syscall!");
2844 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2873 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2875 		TH_LOG("Kernel does not support seccomp syscall!");
2891 	ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &self->apply_prog);
2924 	 * Sibling 0 will have its own seccomp policy
2925 	 * and Sibling 1 will not be under seccomp at
2926 	 * all. Sibling 1 will enter seccomp and 0
2938 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
2940 		TH_LOG("Kernel does not support seccomp syscall!");
2946 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2975 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
2998 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
3119 	/* Verify signal delivery came from child (seccomp-triggered). */
3206 	ret = seccomp(SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_LOG,
3209 		TH_LOG("Kernel does not support seccomp syscall!");
3219 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &allow_prog);
3223 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3231 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG,
3249 	ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[0]);
3251 		TH_LOG("Kernel does not support seccomp syscall!");
3259 		ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &actions[i]);
3267 	ret = seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &unknown_action);
3300 		EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
3302 		EXPECT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
3356 	return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog);
3398 	EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3399 	EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3400 	EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3401 	EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
3814 	ASSERT_EQ(seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes), 0);
3947 	 * The seccomp filter has become unused so we should be notified once
4036 	 * The seccomp filter has become unused so we should be notified once
4611 	 * Make sure we've gotten to the seccomp user notification wait

Indexes created Sat May 11 20:17:00 MDT 2024