Add a testcase to exercise BPF_PROG_TYPE_SECCOMP.
# ./test_progs -n 194
#194 seccomp:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Hengqi Chen <hengqi.chen@xxxxxxxxx>
---
tools/include/uapi/linux/bpf.h | 1 +
tools/include/uapi/linux/seccomp.h | 2 +
.../selftests/bpf/prog_tests/seccomp.c | 40 +++++++++++++++++++
.../selftests/bpf/progs/test_seccomp.c | 24 +++++++++++
4 files changed, 67 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/seccomp.c
create mode 100644 tools/testing/selftests/bpf/progs/test_seccomp.c
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 0f6cdf52b1da..f0fcfe0ccb2e 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -995,6 +995,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_SK_LOOKUP,
BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */
BPF_PROG_TYPE_NETFILTER,
+ BPF_PROG_TYPE_SECCOMP,
};
enum bpf_attach_type {
diff --git a/tools/include/uapi/linux/seccomp.h b/tools/include/uapi/linux/seccomp.h
index dbfc9b37fcae..db792dc96b5a 100644
--- a/tools/include/uapi/linux/seccomp.h
+++ b/tools/include/uapi/linux/seccomp.h
@@ -25,6 +25,8 @@
#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
/* Received notifications wait in killable state (only respond to fatal signals) */
#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV (1UL << 5)
+/* Indicates that the filter is in form of bpf prog fd */
+#define SECCOMP_FILTER_FLAG_BPF_PROG_FD (1UL << 6)
/*
* All BPF programs must return a 32-bit value.
diff --git a/tools/testing/selftests/bpf/prog_tests/seccomp.c b/tools/testing/selftests/bpf/prog_tests/seccomp.c
new file mode 100644
index 000000000000..fc7db6af7d64
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/seccomp.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2023 Hengqi Chen */
+
+#include <test_progs.h>
+#include <linux/seccomp.h>
+#include "test_seccomp.skel.h"
+
+static int seccomp(unsigned int op, unsigned int flags, void *args)
+{
+ errno = 0;
+ return syscall(__NR_seccomp, op, flags, args);
+}
+
+void test_seccomp(void)
+{
+ struct test_seccomp *skel;
+ int fd, flags, ret;
+
+ skel = test_seccomp__open();
+ if (!ASSERT_OK_PTR(skel, "skel_open"))
+ return;
+
+ skel->rodata->seccomp_syscall_nr = __NR_seccomp;
+ skel->rodata->seccomp_errno = 99;
+
+ ret = test_seccomp__load(skel);
+ if (!ASSERT_OK(ret, "skel_load"))
+ goto cleanup;
+
+ fd = bpf_program__fd(skel->progs.seccomp_prog);
+ flags = SECCOMP_FILTER_FLAG_BPF_PROG_FD;
+ ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+ ASSERT_OK(ret, "seccomp_set_bpf_prog");
+ ret = seccomp(SECCOMP_SET_MODE_FILTER, flags, &fd);
+ ASSERT_EQ(ret, -1, "seccomp should fail");
+ ASSERT_EQ(errno, 99, "errno not equal to 99");
+
+cleanup:
+ test_seccomp__destroy(skel);
+}
diff --git a/tools/testing/selftests/bpf/progs/test_seccomp.c b/tools/testing/selftests/bpf/progs/test_seccomp.c
new file mode 100644
index 000000000000..c53e75b8c0ec
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/test_seccomp.c
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2023 Hengqi Chen */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+#define SECCOMP_RET_ERRNO 0x00050000U
+#define SECCOMP_RET_ALLOW 0x7fff0000U
+#define SECCOMP_RET_DATA 0x0000ffffU
+
+const volatile int seccomp_syscall_nr = 0;
+const volatile __u32 seccomp_errno = 0;
+
+SEC("seccomp")
+int seccomp_prog(struct seccomp_data *ctx)
+{
+ if (ctx->nr != seccomp_syscall_nr)
+ return SECCOMP_RET_ALLOW;
+
+ return SECCOMP_RET_ERRNO | (seccomp_errno & SECCOMP_RET_DATA);
+}
+
+char _license[] SEC("license") = "GPL";
--
2.34.1
