On Thu, Sep 19, 2019 at 11:13:46AM -0600, shuah wrote: > On 9/19/19 3:59 AM, Christian Brauner wrote: > > Test whether a syscall can be performed after having been intercepted by > > the seccomp notifier. The test uses dup() and kcmp() since it allows us to > > nicely test whether the dup() syscall actually succeeded by comparing whether > > the fds refer to the same underlying struct file. > > > > Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx> > > Cc: Kees Cook <keescook@xxxxxxxxxxxx> > > Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx> > > Cc: Will Drewry <wad@xxxxxxxxxxxx> > > Cc: Shuah Khan <shuah@xxxxxxxxxx> > > Cc: Alexei Starovoitov <ast@xxxxxxxxxx> > > Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx> > > Cc: Martin KaFai Lau <kafai@xxxxxx> > > Cc: Song Liu <songliubraving@xxxxxx> > > Cc: Yonghong Song <yhs@xxxxxx> > > Cc: Tycho Andersen <tycho@xxxxxxxx> > > CC: Tyler Hicks <tyhicks@xxxxxxxxxxxxx> > > Cc: stable@xxxxxxxxxxxxxxx > > Cc: linux-kselftest@xxxxxxxxxxxxxxx > > Cc: netdev@xxxxxxxxxxxxxxx > > Cc: bpf@xxxxxxxxxxxxxxx > > --- > > /* v1 */ > > - Christian Brauner <christian.brauner@xxxxxxxxxx>: > > - adapt to new flag name SECCOMP_USER_NOTIF_FLAG_CONTINUE > > > > /* v0 */ > > Link: https://lore.kernel.org/r/20190918084833.9369-5-christian.brauner@xxxxxxxxxx > > --- > > tools/testing/selftests/seccomp/seccomp_bpf.c | 102 ++++++++++++++++++ > > 1 file changed, 102 insertions(+) > > > > diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c > > index e996d7b7fd6e..b0966599acb5 100644 > > --- a/tools/testing/selftests/seccomp/seccomp_bpf.c > > +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c > > @@ -44,6 +44,7 @@ > > #include <sys/times.h> > > #include <sys/socket.h> > > #include <sys/ioctl.h> > > +#include <linux/kcmp.h> > > #include <unistd.h> > > #include <sys/syscall.h> > > @@ -167,6 +168,10 @@ struct seccomp_metadata { > > #define SECCOMP_RET_USER_NOTIF 0x7fc00000U > > +#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE > > +#define SECCOMP_USER_NOTIF_FLAG_CONTINUE 0x00000001 > > +#endif > > + > > #define SECCOMP_IOC_MAGIC '!' > > #define SECCOMP_IO(nr) _IO(SECCOMP_IOC_MAGIC, nr) > > #define SECCOMP_IOR(nr, type) _IOR(SECCOMP_IOC_MAGIC, nr, type) > > @@ -3481,6 +3486,103 @@ TEST(seccomp_get_notif_sizes) > > EXPECT_EQ(sizes.seccomp_notif_resp, sizeof(struct seccomp_notif_resp)); > > } > > +static int filecmp(pid_t pid1, pid_t pid2, int fd1, int fd2) > > +{ > > +#ifdef __NR_kcmp > > + return syscall(__NR_kcmp, pid1, pid2, KCMP_FILE, fd1, fd2); > > +#else > > + errno = ENOSYS; > > + return -1; > > This should be SKIP for kselftest so this isn't counted a failure. > In this case test can't be run because of a missing dependency. Right, I can just ifdef the whole test and report a skip.
