selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

commit ecaaa55c9fa5e8058445a8b891070b12208cdb6d upstream.

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PI

selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

commit ecaaa55c9fa5e8058445a8b891070b12208cdb6d upstream.

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PID_NS option enabled.

Add a check on these calls to skip the test if we receive EINVAL.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-2-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: Change the syscall used in KILL_THREAD test

commit 471dbc547612adeaa769e48498ef591c6c95a57a upstream.

The Bionic version of pthread_create used on Android calls the prctl
functio

selftests/seccomp: Change the syscall used in KILL_THREAD test

commit 471dbc547612adeaa769e48498ef591c6c95a57a upstream.

The Bionic version of pthread_create used on Android calls the prctl
function to give the stack and thread local storage a useful name. This
will cause the KILL_THREAD test to fail as it will kill the thread as
soon as it is created.

change the test to use getpid instead of prctl.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-3-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: user_notification_addfd check nextfd is available

commit 8e3c9f9f3a0742cd12b682a1766674253b33fcf0 upstream.

Currently the user_notification_addfd test checks what the next expect

selftests/seccomp: user_notification_addfd check nextfd is available

commit 8e3c9f9f3a0742cd12b682a1766674253b33fcf0 upstream.

Currently the user_notification_addfd test checks what the next expected
file descriptor will be by incrementing a variable nextfd. This does not
account for file descriptors that may already be open before the test is
started and will cause the test to fail if any exist.

Replace nextfd++ with a function get_next_fd which will check and return
the next available file descriptor.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-4-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

commit ecaaa55c9fa5e8058445a8b891070b12208cdb6d upstream.

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PI

selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

commit ecaaa55c9fa5e8058445a8b891070b12208cdb6d upstream.

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PID_NS option enabled.

Add a check on these calls to skip the test if we receive EINVAL.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-2-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: Change the syscall used in KILL_THREAD test

commit 471dbc547612adeaa769e48498ef591c6c95a57a upstream.

The Bionic version of pthread_create used on Android calls the prctl
functio

selftests/seccomp: Change the syscall used in KILL_THREAD test

commit 471dbc547612adeaa769e48498ef591c6c95a57a upstream.

The Bionic version of pthread_create used on Android calls the prctl
function to give the stack and thread local storage a useful name. This
will cause the KILL_THREAD test to fail as it will kill the thread as
soon as it is created.

change the test to use getpid instead of prctl.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-3-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: user_notification_addfd check nextfd is available

commit 8e3c9f9f3a0742cd12b682a1766674253b33fcf0 upstream.

Currently the user_notification_addfd test checks what the next expect

selftests/seccomp: user_notification_addfd check nextfd is available

commit 8e3c9f9f3a0742cd12b682a1766674253b33fcf0 upstream.

Currently the user_notification_addfd test checks what the next expected
file descriptor will be by incrementing a variable nextfd. This does not
account for file descriptors that may already be open before the test is
started and will cause the test to fail if any exist.

Replace nextfd++ with a function get_next_fd which will check and return
the next available file descriptor.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-4-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

commit ecaaa55c9fa5e8058445a8b891070b12208cdb6d upstream.

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PI

selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)

commit ecaaa55c9fa5e8058445a8b891070b12208cdb6d upstream.

unshare(CLONE_NEWPID) can return EINVAL if the kernel does not have the
CONFIG_PID_NS option enabled.

Add a check on these calls to skip the test if we receive EINVAL.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-2-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: Change the syscall used in KILL_THREAD test

commit 471dbc547612adeaa769e48498ef591c6c95a57a upstream.

The Bionic version of pthread_create used on Android calls the prctl
functio

selftests/seccomp: Change the syscall used in KILL_THREAD test

commit 471dbc547612adeaa769e48498ef591c6c95a57a upstream.

The Bionic version of pthread_create used on Android calls the prctl
function to give the stack and thread local storage a useful name. This
will cause the KILL_THREAD test to fail as it will kill the thread as
soon as it is created.

change the test to use getpid instead of prctl.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-3-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: user_notification_addfd check nextfd is available

commit 8e3c9f9f3a0742cd12b682a1766674253b33fcf0 upstream.

Currently the user_notification_addfd test checks what the next expect

selftests/seccomp: user_notification_addfd check nextfd is available

commit 8e3c9f9f3a0742cd12b682a1766674253b33fcf0 upstream.

Currently the user_notification_addfd test checks what the next expected
file descriptor will be by incrementing a variable nextfd. This does not
account for file descriptors that may already be open before the test is
started and will cause the test to fail if any exist.

Replace nextfd++ with a function get_next_fd which will check and return
the next available file descriptor.

Signed-off-by: Terry Tritton <terry.tritton@linaro.org>
Link: https://lore.kernel.org/r/20240124141357.1243457-4-terry.tritton@linaro.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

selftests/seccomp: Handle arm32 corner cases better

It turns out arm32 doesn't handle syscall -1 gracefully, so skip testing
for that. Additionally skip tests that depend on clone3 when it is not
av

selftests/seccomp: Handle arm32 corner cases better

It turns out arm32 doesn't handle syscall -1 gracefully, so skip testing
for that. Additionally skip tests that depend on clone3 when it is not
available (for example when building the seccomp selftests on an old arm
image without clone3 headers). And improve error reporting for when
nanosleep fails, as seen on arm32 since v5.15.

Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
Signed-off-by: Kees Cook <keescook@chromium.org>

show more ...

selftest/seccomp: add a new test for the sync mode of seccomp_user_notify

Test output:
# RUN global.user_notification_sync ...
# OK global.user_notification_sync
ok 51 glob

selftest/seccomp: add a new test for the sync mode of seccomp_user_notify

Test output:
# RUN global.user_notification_sync ...
# OK global.user_notification_sync
ok 51 global.user_notification_sync

Signed-off-by: Andrei Vagin <avagin@google.com>
Acked-by: "Peter Zijlstra (Intel)" <peterz@infradead.org>
Link: https://lore.kernel.org/r/20230308073201.3102738-6-avagin@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>

show more ...

selftests/seccomp: Add LoongArch selftesting support

BPF for LoongArch is supported now, add the selftesting support in
seccomp_bpf.c.

Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off

selftests/seccomp: Add LoongArch selftesting support

BPF for LoongArch is supported now, add the selftesting support in
seccomp_bpf.c.

Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>

show more ...

selftests/seccomp: Add m68k support

Add m68k seccomp definitions to seccomp_bpf self test code.

Tested on ARAnyM.

Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Reviewed-by: Geert Uytterhoe

selftests/seccomp: Add m68k support

Add m68k seccomp definitions to seccomp_bpf self test code.

Tested on ARAnyM.

Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/r/20230112035529.13521-4-schmitzmic@gmail.com
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>

show more ...

selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp

In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently
a TODO which asks to check the capabili

selftests/seccomp: Check CAP_SYS_ADMIN capability in the test mode_filter_without_nnp

In the "mode_filter_without_nnp" test in seccomp_bpf, there is currently
a TODO which asks to check the capability CAP_SYS_ADMIN instead of euid.
This patch adds support to check if the calling process has the flag
CAP_SYS_ADMIN, and also if this flag has CAP_EFFECTIVE set.

Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220731092529.28760-1-gautammenghani201@gmail.com

show more ...

selftests/seccomp: Fix compile warning when CC=clang

clang has -Wconstant-conversion by default, and the constant 0xAAAAAAAAA
(9 As) being converted to an int, which is generally 32 bits, results
in

selftests/seccomp: Fix compile warning when CC=clang

clang has -Wconstant-conversion by default, and the constant 0xAAAAAAAAA
(9 As) being converted to an int, which is generally 32 bits, results
in the compile warning:

clang -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ -lpthread seccomp_bpf.c -lcap -o seccomp_bpf
seccomp_bpf.c:812:67: warning: implicit conversion from 'long' to 'int' changes value from 45812984490 to -1431655766 [-Wconstant-conversion]
int kill = kill_how == KILL_PROCESS ? SECCOMP_RET_KILL_PROCESS : 0xAAAAAAAAA;
~~~~ ^~~~~~~~~~~
1 warning generated.

-1431655766 is the expected truncation, 0xAAAAAAAA (8 As), so use
this directly in the code to avoid the warning.

Fixes: 3932fcecd962 ("selftests/seccomp: Add test for unknown SECCOMP_RET kill behavior")
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220526223407.1686936-1-zhuyifei@google.com

show more ...

selftests/seccomp: Fix spelling mistake "Coud" -> "Could"

There is a spelling mistake in an error message. Fix it.

Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Kees Cook <k

selftests/seccomp: Fix spelling mistake "Coud" -> "Could"

There is a spelling mistake in an error message. Fix it.

Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220504155535.239180-1-colin.i.king@gmail.com

show more ...

selftests/seccomp: Add test for wait killable notifier

This verifies that if a filter is set up with the wait killable feature
that it obeys the semantics that non-fatal signals are ignored during
a

selftests/seccomp: Add test for wait killable notifier

This verifies that if a filter is set up with the wait killable feature
that it obeys the semantics that non-fatal signals are ignored during
a notification after the notification is received.

Cases tested:
* Non-fatal signal prior to receive
* Non-fatal signal during receive
* Fatal signal after receive

The normal signal handling is tested in user_notification_signal. That
behaviour remains unchanged.

On an unsupported kernel, these tests will immediately bail as it relies
on a new seccomp flag.

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220503080958.20220-4-sargun@sargun.me

show more ...

selftests/seccomp: Refactor get_proc_stat to split out file reading code

This splits up the get_proc_stat function to make it so we can use it as a
generic helper to read the nth field from multiple

selftests/seccomp: Refactor get_proc_stat to split out file reading code

This splits up the get_proc_stat function to make it so we can use it as a
generic helper to read the nth field from multiple different files, versus
replicating the logic in multiple places.

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220503080958.20220-3-sargun@sargun.me

show more ...

selftests/seccomp: Ensure that notifications come in FIFO order

When multiple notifications are waiting, ensure they show up in order, as
defined by the (predictable) seccomp notification ID. This e

selftests/seccomp: Ensure that notifications come in FIFO order

When multiple notifications are waiting, ensure they show up in order, as
defined by the (predictable) seccomp notification ID. This ensures FIFO
ordering of notification delivery as notification ids are monitonic and
decided when the notification is generated (as opposed to received).

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Cc: linux-kselftest@vger.kernel.org
Acked-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220428015447.13661-2-sargun@sargun.me

show more ...

selftests/seccomp: Add SKIP for failed unshare()

Running the seccomp tests under the kernel with "defconfig"
shouldn't fail. Because the CONFIG_USER_NS is not supported
in "defconfig". Skipping this

selftests/seccomp: Add SKIP for failed unshare()

Running the seccomp tests under the kernel with "defconfig"
shouldn't fail. Because the CONFIG_USER_NS is not supported
in "defconfig". Skipping this case instead of failing it is
better.

Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
Signed-off-by: David Yang <davidcomponentone@gmail.com>
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/7f7687696a5c0a2d040a24474616e945c7cf2bb5.1648599460.git.yang.guang5@zte.com.cn

show more ...

selftests/seccomp: Test PTRACE_O_SUSPEND_SECCOMP without CAP_SYS_ADMIN

Add a test to check that PTRACE_O_SUSPEND_SECCOMP can't be set without
CAP_SYS_ADMIN through PTRACE_SEIZE or PTRACE_SETOPTIONS.

selftests/seccomp: Test PTRACE_O_SUSPEND_SECCOMP without CAP_SYS_ADMIN

Add a test to check that PTRACE_O_SUSPEND_SECCOMP can't be set without
CAP_SYS_ADMIN through PTRACE_SEIZE or PTRACE_SETOPTIONS.

Signed-off-by: Jann Horn <jannh@google.com>
Co-developed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

show more ...

selftests/seccomp: Don't call read() on TTY from background pgrp

Since commit 92d25637a3a4 ("kselftest: signal all child processes"), tests
are executed in background process groups. This means that

selftests/seccomp: Don't call read() on TTY from background pgrp

Since commit 92d25637a3a4 ("kselftest: signal all child processes"), tests
are executed in background process groups. This means that trying to read
from stdin now throws SIGTTIN when stdin is a TTY, which breaks some
seccomp selftests that try to use read(0, NULL, 0) as a dummy syscall.

The simplest way to fix that is probably to just use -1 instead of 0 as
the dummy read()'s FD.

Fixes: 92d25637a3a4 ("kselftest: signal all child processes")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220319010011.1374622-1-jannh@google.com

show more ...

selftests/seccomp: Report event mismatches more clearly

When running under tracer, more explicitly report the status and event
mismatches to help with debugging. Additionally add an "immediate kill"

selftests/seccomp: Report event mismatches more clearly

When running under tracer, more explicitly report the status and event
mismatches to help with debugging. Additionally add an "immediate kill"
test when under tracing to verify that fatal SIGSYS behaves the same
under ptrace or seccomp tracing.

Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Link: https://lore.kernel.org/r/20211103163039.2104830-3-keescook@chromium.org

show more ...

selftests/seccomp: Stop USER_NOTIF test if kcmp() fails

If kcmp() fails during the USER_NOTIF test, the test is likely to hang,
so switch from EXPECT to ASSERT.

Cc: Andy Lutomirski <luto@amacapital

selftests/seccomp: Stop USER_NOTIF test if kcmp() fails

If kcmp() fails during the USER_NOTIF test, the test is likely to hang,
so switch from EXPECT to ASSERT.

Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Link: https://lore.kernel.org/r/20211103163039.2104830-2-keescook@chromium.org

show more ...

selftests/seccomp: Use __BYTE_ORDER__

Use the compiler-defined __BYTE_ORDER__ instead of the libc-defined
__BYTE_ORDER for consistency.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-of

selftests/seccomp: Use __BYTE_ORDER__

Use the compiler-defined __BYTE_ORDER__ instead of the libc-defined
__BYTE_ORDER for consistency.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20211026010831.748682-6-iii@linux.ibm.com

show more ...