On Mon, Oct 09, 2023 at 12:40:46PM +0000, Hengqi Chen wrote:
> Add a testcase to exercise the newly added SECCOMP_LOAD_FILTER
> and SECCOMP_ATTACH_FILTER operations.
>
> Signed-off-by: Hengqi Chen <hengqi.chen@xxxxxxxxx>
> ---
> tools/testing/selftests/seccomp/seccomp_bpf.c | 20 +++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
> index 38f651469968..8f7010482194 100644
> --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
> +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
> @@ -4735,6 +4735,26 @@ TEST(user_notification_wait_killable_fatal)
> EXPECT_EQ(SIGTERM, WTERMSIG(status));
> }
>
> +TEST(seccomp_filter_load_and_attach)
> +{
> + struct sock_filter filter[] = {
> + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
> + };
> + struct sock_fprog prog = {
> + .len = (unsigned short)ARRAY_SIZE(filter),
> + .filter = filter,
> + };
> + int fd, ret;
> +
> + fd = seccomp(SECCOMP_LOAD_FILTER, 0, &prog);
> + ASSERT_GT(fd, -1);
> +
> + ret = seccomp(SECCOMP_ATTACH_FILTER, 0, &fd);
> + ASSERT_EQ(ret, 0);
> +
> + close(fd);
> +}
This is a good start -- please check all the error paths as well.
Thanks for continuing to work on this!
--
Kees Cook
