[LTP] [PATCH] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[LTP] [PATCH] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[Yang Xu]

Signed-off-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
---
 configure.ac                               |   1 +
 include/lapi/prctl.h                       |   5 +
 include/lapi/seccomp.h                     |  36 +++
 runtest/syscalls                           |   1 +
 testcases/kernel/syscalls/prctl/.gitignore |   1 +
 testcases/kernel/syscalls/prctl/prctl04.c  | 262 +++++++++++++++++++++
 6 files changed, 306 insertions(+)
 create mode 100644 include/lapi/seccomp.h
 create mode 100644 testcases/kernel/syscalls/prctl/prctl04.c

diff --git a/configure.ac b/configure.ac
index fad8f8396..c858aff42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,6 +46,7 @@ AC_CHECK_HEADERS([ \
     linux/mempolicy.h \
     linux/module.h \
     linux/netlink.h \
+    linux/seccomp.h \
     linux/userfaultfd.h \
     mm.h \
     netinet/sctp.h \
diff --git a/include/lapi/prctl.h b/include/lapi/prctl.h
index 6db8a6480..c3612e643 100644
--- a/include/lapi/prctl.h
+++ b/include/lapi/prctl.h
@@ -14,4 +14,9 @@
 # define PR_GET_CHILD_SUBREAPER	37
 #endif
 
+#ifndef PR_SET_SECCOMP
+# define PR_GET_SECCOMP  21
+# define PR_SET_SECCOMP  22
+#endif
+
 #endif /* LAPI_PRCTL_H__ */
diff --git a/include/lapi/seccomp.h b/include/lapi/seccomp.h
new file mode 100644
index 000000000..1e5bc3933
--- /dev/null
+++ b/include/lapi/seccomp.h
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ */
+#ifndef LAPI_SECCOMP_H__
+# define _LAPI_SECCOMP_H
+
+#include <linux/types.h>
+
+/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
+#define SECCOMP_MODE_DISABLED   0
+#define SECCOMP_MODE_STRICT     1
+#define SECCOMP_MODE_FILTER     2
+
+#define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
+#define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
+#define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
+
+/**
+ * struct seccomp_data - the format the BPF program executes over.
+ * @nr: the system call number
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ *        as defined in <linux/audit.h>.
+ * @instruction_pointer: at the time of the system call.
+ * @args: up to 6 system call arguments always stored as 64-bit values
+ * regardless of the architecture.
+ */
+struct seccomp_data {
+	int nr;
+	__u32 arch;
+	__u64 instruction_pointer;
+	__u64 args[6];
+};
+
+#endif /* _LAPI_SECCOMP_H */
diff --git a/runtest/syscalls b/runtest/syscalls
index 2b8ca719b..51bff2990 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -863,6 +863,7 @@ ppoll01 ppoll01
 prctl01 prctl01
 prctl02 prctl02
 prctl03 prctl03
+prctl04 prctl04
 
 pread01 pread01
 pread01_64 pread01_64
diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
index 2f46a9a12..1c3da3052 100644
--- a/testcases/kernel/syscalls/prctl/.gitignore
+++ b/testcases/kernel/syscalls/prctl/.gitignore
@@ -1,3 +1,4 @@
 /prctl01
 /prctl02
 /prctl03
+/prctl04
diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
new file mode 100644
index 000000000..e3ba69af3
--- /dev/null
+++ b/testcases/kernel/syscalls/prctl/prctl04.c
@@ -0,0 +1,262 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ *
+ * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
+ * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
+ *    the only system call that the thread is permitted to make are read(2),
+ *    write(2),_exit(2)(but not exit_group(2)), and sigreturn(2).  Other
+ *    system calls result in the delivery of a SIGKILL signal. This operation
+ *    is available only if the kernel is configured with CONFIG_SECCOMP enabled.
+ * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
+ *    the system calls allowed are defined by a pointer to a Berkeley Packet
+ *    Filter. Other system calls result int the delivery of a SIGSYS signal
+ *    with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
+ *    only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
+ * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
+ *    is inherited by children created by fork(2).
+ */
+
+#include <errno.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <linux/filter.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include "tst_test.h"
+#include "lapi/syscalls.h"
+#include "lapi/prctl.h"
+#include "config.h"
+#ifdef HAVE_LINUX_SECCOMP_H
+#include <linux/seccomp.h>
+#else
+#include <lapi/seccomp.h>
+#endif
+
+#define FNAME "filename"
+
+static const struct sock_filter  strict_filter[] = {
+	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
+
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
+
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+};
+
+static const struct sock_fprog  strict = {
+	.len = (unsigned short)ARRAY_SIZE(strict_filter),
+	.filter = (struct sock_filter *)strict_filter
+};
+
+static void check_strict_mode(int val)
+{
+	int fd;
+	char buf[2];
+
+	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
+
+	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
+	if (TST_RET == -1) {
+		if (TST_ERR == EINVAL) {
+			tst_res(TCONF,
+				"prctl(PR_SET_SECCOMP) doesn't support "
+				"SECCOMP_MODE_STRICT");
+		} else {
+			tst_res(TFAIL | TTERRNO,
+				"prctl(PR_SET_SECCOMP) sets "
+				"SECCOMP_MODE_STRICT failed");
+		}
+		return;
+	}
+	if (val == 1) {
+		tst_res(TPASS,
+			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT "
+			"succeed");
+		prctl(PR_GET_SECCOMP);
+		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
+	}
+	if (val == 2) {
+		SAFE_WRITE(1, fd, "a", 1);
+		SAFE_READ(0, fd, buf, 1);
+		tst_res(TPASS,
+			"SECCOMP_MODE_STRICT permits read(2) write(2) "
+			"and _exit(2)");
+	}
+	if (val == 3) {
+		close(fd);
+		tst_res(TFAIL,
+			"SECCOMP_MODE_STRICT permits close(2) unexpectdly");
+	}
+
+	tst_syscall(__NR_exit, 0);
+}
+
+static void check_filter_mode(int val)
+{
+	int childpid;
+	int childstatus;
+	int fd;
+
+	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
+
+	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
+	if (TST_RET == -1) {
+		if (TST_ERR == EFAULT)
+			tst_res(TFAIL, "the strict prog is an invalid address");
+		else
+			tst_res(TFAIL | TERRNO,
+				"prctl(PR_SET_SECCOMP) sets strict filter "
+				"failed");
+		return;
+	}
+	if (val == 1) {
+		tst_res(TPASS,
+			"prctl(PR_SET_SECCOMP) sets strict filter succeed");
+		prctl(PR_GET_SECCOMP);
+		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
+	}
+	if (val == 2) {
+		close(fd);
+		tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
+	}
+	if (val == 3)
+		exit(0);
+	if (val == 4) {
+		childpid = fork();
+		if (childpid == 0) {
+			tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
+			exit(0);
+		} else {
+			wait4(childpid, &childstatus, 0, NULL);
+			if (WIFSIGNALED(childstatus) &&
+					WTERMSIG(childstatus) == SIGSYS)
+				tst_res(TPASS,
+					"SECCOMP_MODE_FILTER has been "
+					"inherited by child");
+			else
+				tst_res(TFAIL,
+					"SECCOMP_MODE_FILTER isn't been "
+					"inherited by child");
+		}
+	}
+	tst_syscall(__NR_exit, 0);
+}
+
+static void verify_prctl(void)
+{
+	int pid;
+	int status;
+
+	TEST(prctl(PR_GET_SECCOMP));
+	if (TST_RET == -1) {
+		if (TST_ERR == EINVAL) {
+			tst_res(TCONF,
+				"prctl() doesn't support PR_GET_SECCOMP");
+		} else {
+			tst_res(TFAIL | TTERRNO,
+				"prctl(PR_GET_SECCOMP) failed");
+		}
+		return;
+	}
+	tst_res(TPASS, "prctl(PR_GET_SECCOMP) succeed");
+
+	/*call get_seccomp when in stric mode ,it should be killed*/
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_strict_mode(1);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
+			tst_res(TPASS,
+				"SECCOMP_MODE_STRICT doesn't permit "
+				"GET_SECCOMP call");
+	}
+
+	/*positive check in secure computing mode*/
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_strict_mode(2);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
+			tst_res(TFAIL,
+				"SECCOMP_MODE_STRICT doesn't permit "
+				"read(2) write(2) and _exit(2)");
+	}
+
+	/*negative check in secure computing mode*/
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_strict_mode(3);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
+			tst_res(TPASS,
+				"SECCOMP_MODE_STRICT doesn't permit close(2)");
+	}
+
+	/*call get_seccomp in filter mode should be killed by SIGSYS signal*/
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_filter_mode(1);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
+			tst_res(TPASS,
+				"SECCOMP_MODE_FILTER doestn't permit "
+				"GET_SECCOMP call");
+	}
+
+	/*positive check in SECCOMP_MODE_FILTER*/
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_filter_mode(2);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
+			tst_res(TFAIL,
+				"SECCOMP_MODE_FILTER doesn't permit close(2)");
+	}
+
+	/*negative check in SECCOMP_MODE_FILTER*/
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_filter_mode(3);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
+			tst_res(TPASS,
+				"SECCOMP_MODE_FILTER doesn't permit exit()");
+		else
+			tst_res(TFAIL,
+				"SECCOMP_MODE_FILTER permits exit() "
+				"unexpectdly");
+	}
+
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		check_filter_mode(4);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
+			tst_res(TFAIL,
+				"SECCOMP_MODE_FILTER fork failed "
+				"unexpectdly");
+	}
+}
+
+static struct tst_test test = {
+	.test_all = verify_prctl,
+	.forks_child = 1,
+	.needs_tmpdir = 1,
+	.needs_root = 1,
+};
-- 
2.18.1

[LTP] [PATCH] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[Cyril Hrubis]

Hi!
> diff --git a/configure.ac b/configure.ac
> index fad8f8396..c858aff42 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -46,6 +46,7 @@ AC_CHECK_HEADERS([ \
>      linux/mempolicy.h \
>      linux/module.h \
>      linux/netlink.h \
> +    linux/seccomp.h \
>      linux/userfaultfd.h \
>      mm.h \
>      netinet/sctp.h \
> diff --git a/include/lapi/prctl.h b/include/lapi/prctl.h
> index 6db8a6480..c3612e643 100644
> --- a/include/lapi/prctl.h
> +++ b/include/lapi/prctl.h
> @@ -14,4 +14,9 @@
>  # define PR_GET_CHILD_SUBREAPER	37
>  #endif
>  
> +#ifndef PR_SET_SECCOMP
> +# define PR_GET_SECCOMP  21
> +# define PR_SET_SECCOMP  22
> +#endif
> +
>  #endif /* LAPI_PRCTL_H__ */
> diff --git a/include/lapi/seccomp.h b/include/lapi/seccomp.h
> new file mode 100644
> index 000000000..1e5bc3933
> --- /dev/null
> +++ b/include/lapi/seccomp.h
> @@ -0,0 +1,36 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
> + * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> + */
> +#ifndef LAPI_SECCOMP_H__
> +# define _LAPI_SECCOMP_H
> +
> +#include <linux/types.h>
> +
> +/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
> +#define SECCOMP_MODE_DISABLED   0
> +#define SECCOMP_MODE_STRICT     1
> +#define SECCOMP_MODE_FILTER     2
> +
> +#define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
> +#define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
> +#define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
> +
> +/**
> + * struct seccomp_data - the format the BPF program executes over.
> + * @nr: the system call number
> + * @arch: indicates system call convention as an AUDIT_ARCH_* value
> + *        as defined in <linux/audit.h>.
> + * @instruction_pointer: at the time of the system call.
> + * @args: up to 6 system call arguments always stored as 64-bit values
> + * regardless of the architecture.
> + */
> +struct seccomp_data {
> +	int nr;
> +	__u32 arch;
> +	__u64 instruction_pointer;
> +	__u64 args[6];
> +};
> +
> +#endif /* _LAPI_SECCOMP_H */
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 2b8ca719b..51bff2990 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -863,6 +863,7 @@ ppoll01 ppoll01
>  prctl01 prctl01
>  prctl02 prctl02
>  prctl03 prctl03
> +prctl04 prctl04
>  
>  pread01 pread01
>  pread01_64 pread01_64
> diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
> index 2f46a9a12..1c3da3052 100644
> --- a/testcases/kernel/syscalls/prctl/.gitignore
> +++ b/testcases/kernel/syscalls/prctl/.gitignore
> @@ -1,3 +1,4 @@
>  /prctl01
>  /prctl02
>  /prctl03
> +/prctl04
> diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
> new file mode 100644
> index 000000000..e3ba69af3
> --- /dev/null
> +++ b/testcases/kernel/syscalls/prctl/prctl04.c
> @@ -0,0 +1,262 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
> + * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> + *
> + * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
> + * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
> + *    the only system call that the thread is permitted to make are read(2),
> + *    write(2),_exit(2)(but not exit_group(2)), and sigreturn(2).  Other
> + *    system calls result in the delivery of a SIGKILL signal. This operation
> + *    is available only if the kernel is configured with CONFIG_SECCOMP enabled.
> + * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
> + *    the system calls allowed are defined by a pointer to a Berkeley Packet
> + *    Filter. Other system calls result int the delivery of a SIGSYS signal
> + *    with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
> + *    only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
> + * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
> + *    is inherited by children created by fork(2).
> + */
> +
> +#include <errno.h>
> +#include <signal.h>
> +#include <sys/prctl.h>
> +#include <sys/wait.h>
> +#include <sys/types.h>
> +#include <linux/filter.h>
> +#include <unistd.h>
> +#include <stdlib.h>
> +#include <stddef.h>
> +#include "tst_test.h"
> +#include "lapi/syscalls.h"
> +#include "lapi/prctl.h"
> +#include "config.h"
> +#ifdef HAVE_LINUX_SECCOMP_H
> +#include <linux/seccomp.h>
> +#else
> +#include <lapi/seccomp.h>
> +#endif

This ifdef should be in the lapi/seccomp.h instead.

I.e. the test should only include lapi/seccomp.h and should not care if
linux/seccomp.h is present or not.

> +#define FNAME "filename"
> +
> +static const struct sock_filter  strict_filter[] = {
> +	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
> +
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
> +
> +	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
> +	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
> +};
> +
> +static const struct sock_fprog  strict = {
> +	.len = (unsigned short)ARRAY_SIZE(strict_filter),
> +	.filter = (struct sock_filter *)strict_filter
> +};
> +
> +static void check_strict_mode(int val)
> +{
> +	int fd;
> +	char buf[2];
> +
> +	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
> +
> +	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
> +	if (TST_RET == -1) {
> +		if (TST_ERR == EINVAL) {
> +			tst_res(TCONF,
> +				"prctl(PR_SET_SECCOMP) doesn't support "
> +				"SECCOMP_MODE_STRICT");
> +		} else {
> +			tst_res(TFAIL | TTERRNO,
> +				"prctl(PR_SET_SECCOMP) sets "
> +				"SECCOMP_MODE_STRICT failed");
> +		}
> +		return;
> +	}
> +	if (val == 1) {
> +		tst_res(TPASS,
> +			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT "
> +			"succeed");
> +		prctl(PR_GET_SECCOMP);
> +		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
> +	}
> +	if (val == 2) {
> +		SAFE_WRITE(1, fd, "a", 1);
> +		SAFE_READ(0, fd, buf, 1);
> +		tst_res(TPASS,
> +			"SECCOMP_MODE_STRICT permits read(2) write(2) "
> +			"and _exit(2)");
> +	}
> +	if (val == 3) {
> +		close(fd);
> +		tst_res(TFAIL,
> +			"SECCOMP_MODE_STRICT permits close(2) unexpectdly");
> +	}

This is way too ugly, if nothing else we should use switch() here.


> +	tst_syscall(__NR_exit, 0);
> +}
> +
> +static void check_filter_mode(int val)
> +{
> +	int childpid;
> +	int childstatus;
> +	int fd;
> +
> +	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
> +
> +	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
> +	if (TST_RET == -1) {
> +		if (TST_ERR == EFAULT)
> +			tst_res(TFAIL, "the strict prog is an invalid address");
> +		else
> +			tst_res(TFAIL | TERRNO,
> +				"prctl(PR_SET_SECCOMP) sets strict filter "
> +				"failed");
> +		return;
> +	}
> +	if (val == 1) {
> +		tst_res(TPASS,
> +			"prctl(PR_SET_SECCOMP) sets strict filter succeed");
> +		prctl(PR_GET_SECCOMP);
> +		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
> +	}
> +	if (val == 2) {
> +		close(fd);
> +		tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
> +	}
> +	if (val == 3)
> +		exit(0);
> +	if (val == 4) {
> +		childpid = fork();
> +		if (childpid == 0) {
> +			tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
> +			exit(0);
> +		} else {
> +			wait4(childpid, &childstatus, 0, NULL);
> +			if (WIFSIGNALED(childstatus) &&
> +					WTERMSIG(childstatus) == SIGSYS)
> +				tst_res(TPASS,
> +					"SECCOMP_MODE_FILTER has been "
> +					"inherited by child");
> +			else
> +				tst_res(TFAIL,
> +					"SECCOMP_MODE_FILTER isn't been "
> +					"inherited by child");
> +		}
> +	}

Here as well, use switch().

Also it would make sense to put the more complicated bodies, for
instance case val == 4 into a separate function.

> +	tst_syscall(__NR_exit, 0);
> +}
> +
> +static void verify_prctl(void)
> +{
> +	int pid;
> +	int status;
> +
> +	TEST(prctl(PR_GET_SECCOMP));
> +	if (TST_RET == -1) {
> +		if (TST_ERR == EINVAL) {
> +			tst_res(TCONF,
> +				"prctl() doesn't support PR_GET_SECCOMP");
> +		} else {
> +			tst_res(TFAIL | TTERRNO,
> +				"prctl(PR_GET_SECCOMP) failed");
> +		}
> +		return;
> +	}
> +	tst_res(TPASS, "prctl(PR_GET_SECCOMP) succeed");
> +
> +	/*call get_seccomp when in stric mode ,it should be killed*/
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_strict_mode(1);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
> +			tst_res(TPASS,
> +				"SECCOMP_MODE_STRICT doesn't permit "
> +				"GET_SECCOMP call");
> +	}
> +
> +	/*positive check in secure computing mode*/
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_strict_mode(2);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
> +			tst_res(TFAIL,
> +				"SECCOMP_MODE_STRICT doesn't permit "
> +				"read(2) write(2) and _exit(2)");
> +	}
> +
> +	/*negative check in secure computing mode*/
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_strict_mode(3);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
> +			tst_res(TPASS,
> +				"SECCOMP_MODE_STRICT doesn't permit close(2)");
> +	}
> +
> +	/*call get_seccomp in filter mode should be killed by SIGSYS signal*/
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_filter_mode(1);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
> +			tst_res(TPASS,
> +				"SECCOMP_MODE_FILTER doestn't permit "
> +				"GET_SECCOMP call");
> +	}
> +
> +	/*positive check in SECCOMP_MODE_FILTER*/
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_filter_mode(2);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
> +			tst_res(TFAIL,
> +				"SECCOMP_MODE_FILTER doesn't permit close(2)");
> +	}
> +
> +	/*negative check in SECCOMP_MODE_FILTER*/
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_filter_mode(3);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
> +			tst_res(TPASS,
> +				"SECCOMP_MODE_FILTER doesn't permit exit()");
> +		else
> +			tst_res(TFAIL,
> +				"SECCOMP_MODE_FILTER permits exit() "
> +				"unexpectdly");
> +	}
> +
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		check_filter_mode(4);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
> +			tst_res(TFAIL,
> +				"SECCOMP_MODE_FILTER fork failed "
> +				"unexpectdly");

This is a minor, but multiline statements should be enclosed in a curly
braces accodingly to LKML and also string constants shouldn't be split
into multiple lines, so this should be:

		if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) {
			tst_res(TFAIL,
			        "SECCOMP_MODE_FILTER fork failed unexpectdly");
		}

Also the else branch is useless since the function check_filter_mode()
calls exit.

So we can simply do:

	pid = SAFE_FORK();
	if (pid == 0)
		check_fitler_mode(4);

	SAFE_WAITPID(...);

> +	}
> +}

You are doing several different tests in this function, can we split
this and use .test and .tcnt instead of .test_all?

> +static struct tst_test test = {
> +	.test_all = verify_prctl,
> +	.forks_child = 1,
> +	.needs_tmpdir = 1,
> +	.needs_root = 1,
> +};

Otherwise it looks good.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v2] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[Yang Xu]

Signed-off-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
---
 configure.ac                               |   1 +
 include/lapi/prctl.h                       |   5 +
 include/lapi/seccomp.h                     |  40 ++++
 runtest/syscalls                           |   1 +
 testcases/kernel/syscalls/prctl/.gitignore |   1 +
 testcases/kernel/syscalls/prctl/prctl04.c  | 229 +++++++++++++++++++++
 6 files changed, 277 insertions(+)
 create mode 100644 include/lapi/seccomp.h
 create mode 100644 testcases/kernel/syscalls/prctl/prctl04.c

diff --git a/configure.ac b/configure.ac
index fad8f8396..c858aff42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,6 +46,7 @@ AC_CHECK_HEADERS([ \
     linux/mempolicy.h \
     linux/module.h \
     linux/netlink.h \
+    linux/seccomp.h \
     linux/userfaultfd.h \
     mm.h \
     netinet/sctp.h \
diff --git a/include/lapi/prctl.h b/include/lapi/prctl.h
index 6db8a6480..f42bd6459 100644
--- a/include/lapi/prctl.h
+++ b/include/lapi/prctl.h
@@ -9,6 +9,11 @@
 
 #include <sys/prctl.h>
 
+#ifndef PR_SET_SECCOMP
+# define PR_GET_SECCOMP  21
+# define PR_SET_SECCOMP  22
+#endif
+
 #ifndef PR_SET_CHILD_SUBREAPER
 # define PR_SET_CHILD_SUBREAPER	36
 # define PR_GET_CHILD_SUBREAPER	37
diff --git a/include/lapi/seccomp.h b/include/lapi/seccomp.h
new file mode 100644
index 000000000..eead53c48
--- /dev/null
+++ b/include/lapi/seccomp.h
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ */
+#ifndef LAPI_SECCOMP_H__
+# define _LAPI_SECCOMP_H
+
+#include <linux/types.h>
+
+#ifdef HAVE_LINUX_SECCOMP_H
+#include <linux/seccomp.h>
+#else
+/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
+#define SECCOMP_MODE_DISABLED   0
+#define SECCOMP_MODE_STRICT     1
+#define SECCOMP_MODE_FILTER     2
+
+#define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
+#define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
+#define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
+
+/**
+ * struct seccomp_data - the format the BPF program executes over.
+ * @nr: the system call number
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ *        as defined in <linux/audit.h>.
+ * @instruction_pointer: at the time of the system call.
+ * @args: up to 6 system call arguments always stored as 64-bit values
+ * regardless of the architecture.
+ */
+struct seccomp_data {
+	int nr;
+	__u32 arch;
+	__u64 instruction_pointer;
+	__u64 args[6];
+};
+
+#endif /* HAVE_LINUX_SECCOMP_H*/
+#endif /* _LAPI_SECCOMP_H */
diff --git a/runtest/syscalls b/runtest/syscalls
index 2b8ca719b..51bff2990 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -863,6 +863,7 @@ ppoll01 ppoll01
 prctl01 prctl01
 prctl02 prctl02
 prctl03 prctl03
+prctl04 prctl04
 
 pread01 pread01
 pread01_64 pread01_64
diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
index 2f46a9a12..1c3da3052 100644
--- a/testcases/kernel/syscalls/prctl/.gitignore
+++ b/testcases/kernel/syscalls/prctl/.gitignore
@@ -1,3 +1,4 @@
 /prctl01
 /prctl02
 /prctl03
+/prctl04
diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
new file mode 100644
index 000000000..9acd2c6fb
--- /dev/null
+++ b/testcases/kernel/syscalls/prctl/prctl04.c
@@ -0,0 +1,229 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ *
+ * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
+ * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
+ *    the only system call that the thread is permitted to make are read(2),
+ *    write(2),_exit(2)(but not exit_group(2)), and sigreturn(2).  Other
+ *    system calls result in the delivery of a SIGKILL signal. This operation
+ *    is available only if the kernel is configured with CONFIG_SECCOMP enabled.
+ * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
+ *    the system calls allowed are defined by a pointer to a Berkeley Packet
+ *    Filter. Other system calls result int the delivery of a SIGSYS signal
+ *    with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
+ *    only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
+ * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
+ *    is inherited by children created by fork(2).
+ */
+
+#include <errno.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <linux/filter.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include "tst_test.h"
+#include "lapi/syscalls.h"
+#include "lapi/prctl.h"
+#include "config.h"
+#include "lapi/seccomp.h"
+
+#define FNAME "filename"
+
+static const struct sock_filter  strict_filter[] = {
+	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
+
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
+
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+};
+
+static const struct sock_fprog  strict = {
+	.len = (unsigned short)ARRAY_SIZE(strict_filter),
+	.filter = (struct sock_filter *)strict_filter
+};
+
+static void check_strict_mode(int);
+static void check_filter_mode(int);
+
+static struct tcase {
+	void (*func_check)();
+	int pass_flag;
+	int val;
+	int exp_signal;
+	char *message;
+} tcases[] = {
+	{check_strict_mode, 1, 1, SIGKILL,
+	"SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call"},
+
+	{check_strict_mode, 0, 2, SIGKILL,
+	"SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)"},
+
+	{check_strict_mode, 1, 3, SIGKILL,
+	"SECCOMP_MODE_STRICT doesn't permit close(2)"},
+
+	{check_filter_mode, 1, 1, SIGSYS,
+	"SECCOMP_MODE_FILTER doestn't permit GET_SECCOMP call"},
+
+	{check_filter_mode, 0, 2, SIGSYS,
+	"SECCOMP_MODE_FILTER doesn't permit close(2)"},
+
+	{check_filter_mode, 1, 3, SIGSYS,
+	"SECCOMP_MODE_FILTER doesn't permit exit()"},
+
+	{check_filter_mode, 0, 4, SIGSYS,
+	"SECCOMP_MODE_FILTER doesn't permit exit()"}
+};
+
+static void check_filter_mode_inherit(void)
+{
+	int childpid;
+	int childstatus;
+
+	childpid = fork();
+	if (childpid == 0) {
+		tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
+		exit(0);
+	}
+
+	wait4(childpid, &childstatus, 0, NULL);
+	if (WIFSIGNALED(childstatus) && WTERMSIG(childstatus) == SIGSYS)
+		tst_res(TPASS,
+			"SECCOMP_MODE_FILTER has been inherited by child");
+	else
+		tst_res(TFAIL,
+			"SECCOMP_MODE_FILTER isn't been inherited by child");
+}
+
+static void check_strict_mode(int val)
+{
+	int fd;
+	char buf[2];
+
+	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
+
+	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
+	if (TST_RET == -1) {
+		tst_res(TFAIL | TTERRNO,
+			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT failed");
+		return;
+	}
+
+	switch (val) {
+	case 1:	{
+		tst_res(TPASS,
+			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed");
+		prctl(PR_GET_SECCOMP);
+		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
+	break;
+	}
+	case 2: {
+		SAFE_WRITE(1, fd, "a", 1);
+		SAFE_READ(0, fd, buf, 1);
+		tst_res(TPASS,
+			"SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)");
+	break;
+	}
+	case 3: {
+		close(fd);
+		tst_res(TFAIL,
+			"SECCOMP_MODE_STRICT permits close(2) unexpectdly");
+	break;
+	}
+	}
+
+	tst_syscall(__NR_exit, 0);
+}
+
+static void check_filter_mode(int val)
+{
+	int fd;
+
+	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
+
+	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
+	if (TST_RET == -1) {
+		if (TST_ERR == EINVAL)
+			tst_res(TCONF,
+				"kernel doesn't support SECCOMP_MODE_FILTER");
+		else
+			tst_res(TFAIL | TERRNO,
+				"prctl(PR_SET_SECCOMP) sets strict filter failed");
+		return;
+	}
+
+	switch (val) {
+	case 1: {
+		tst_res(TPASS,
+			"prctl(PR_SET_SECCOMP) sets strict filter succeed");
+		prctl(PR_GET_SECCOMP);
+		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
+	break;
+	}
+	case 2: {
+		close(fd);
+		tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
+	break;
+	}
+	case 3:
+		exit(0);
+	break;
+	case 4:
+		check_filter_mode_inherit();
+	break;
+	}
+	tst_syscall(__NR_exit, 0);
+}
+
+static void verify_prctl(unsigned int n)
+{
+	int pid;
+	int status;
+	struct tcase *tc = &tcases[n];
+
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		tc->func_check(tc->val);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == tc->exp_signal) {
+			if (tc->pass_flag)
+				tst_res(TPASS, "%s", tc->message);
+			else
+				tst_res(TFAIL, "%s", tc->message);
+			return;
+		}
+
+		if (n == 5)
+			tst_res(TFAIL,
+				"SECCOMP_MODE_FILTER permits exit() unexpectdly");
+	}
+}
+
+static void setup(void)
+{
+	TEST(prctl(PR_GET_SECCOMP));
+	if (TST_RET == 0)
+		tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
+	if (TST_ERR == EINVAL)
+		tst_brk(TBROK, "kernel doesn't support PR_GET/SET_SECCOMP");
+}
+
+static struct tst_test test = {
+	.setup = setup,
+	.test = verify_prctl,
+	.tcnt = ARRAY_SIZE(tcases),
+	.forks_child = 1,
+	.needs_tmpdir = 1,
+	.needs_root = 1,
+};
-- 
2.18.1

[LTP] [PATCH v2] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[Cyril Hrubis]

Hi!
> diff --git a/include/lapi/seccomp.h b/include/lapi/seccomp.h
> new file mode 100644
> index 000000000..eead53c48
> --- /dev/null
> +++ b/include/lapi/seccomp.h
> @@ -0,0 +1,40 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
> + * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> + */
> +#ifndef LAPI_SECCOMP_H__
> +# define _LAPI_SECCOMP_H
> +
> +#include <linux/types.h>
> +
> +#ifdef HAVE_LINUX_SECCOMP_H
> +#include <linux/seccomp.h>
> +#else
> +/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
> +#define SECCOMP_MODE_DISABLED   0
> +#define SECCOMP_MODE_STRICT     1
> +#define SECCOMP_MODE_FILTER     2
> +
> +#define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
> +#define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
> +#define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
> +
> +/**
> + * struct seccomp_data - the format the BPF program executes over.
> + * @nr: the system call number
> + * @arch: indicates system call convention as an AUDIT_ARCH_* value
> + *        as defined in <linux/audit.h>.
> + * @instruction_pointer: at the time of the system call.
> + * @args: up to 6 system call arguments always stored as 64-bit values
> + * regardless of the architecture.
> + */
> +struct seccomp_data {
> +	int nr;
> +	__u32 arch;
> +	__u64 instruction_pointer;
> +	__u64 args[6];
> +};
> +
> +#endif /* HAVE_LINUX_SECCOMP_H*/
> +#endif /* _LAPI_SECCOMP_H */

The ifdefs could be made a bit more readable by proper indentation as:

#ifndef FOO_H__
#define FOO_H__

# include <header.h>

# ifdef HAVE_BAR
#  include <bar.h>
# else
#  define BAR1
#  define BAR2

# endif
#endif /* FOO_H__ */

But that is very minor.

> diff --git a/runtest/syscalls b/runtest/syscalls
> index 2b8ca719b..51bff2990 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -863,6 +863,7 @@ ppoll01 ppoll01
>  prctl01 prctl01
>  prctl02 prctl02
>  prctl03 prctl03
> +prctl04 prctl04
>  
>  pread01 pread01
>  pread01_64 pread01_64
> diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
> index 2f46a9a12..1c3da3052 100644
> --- a/testcases/kernel/syscalls/prctl/.gitignore
> +++ b/testcases/kernel/syscalls/prctl/.gitignore
> @@ -1,3 +1,4 @@
>  /prctl01
>  /prctl02
>  /prctl03
> +/prctl04
> diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
> new file mode 100644
> index 000000000..9acd2c6fb
> --- /dev/null
> +++ b/testcases/kernel/syscalls/prctl/prctl04.c
> @@ -0,0 +1,229 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
> + * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
> + *
> + * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
> + * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
> + *    the only system call that the thread is permitted to make are read(2),
> + *    write(2),_exit(2)(but not exit_group(2)), and sigreturn(2).  Other
> + *    system calls result in the delivery of a SIGKILL signal. This operation
> + *    is available only if the kernel is configured with CONFIG_SECCOMP enabled.
> + * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
> + *    the system calls allowed are defined by a pointer to a Berkeley Packet
> + *    Filter. Other system calls result int the delivery of a SIGSYS signal
> + *    with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
> + *    only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
> + * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
> + *    is inherited by children created by fork(2).
> + */
> +
> +#include <errno.h>
> +#include <signal.h>
> +#include <sys/prctl.h>
> +#include <sys/wait.h>
> +#include <sys/types.h>
> +#include <linux/filter.h>
> +#include <unistd.h>
> +#include <stdlib.h>
> +#include <stddef.h>
> +#include "tst_test.h"
> +#include "lapi/syscalls.h"
> +#include "lapi/prctl.h"
> +#include "config.h"
> +#include "lapi/seccomp.h"
> +
> +#define FNAME "filename"
> +
> +static const struct sock_filter  strict_filter[] = {
> +	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
> +
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
> +
> +	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
> +	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
> +};
> +
> +static const struct sock_fprog  strict = {
> +	.len = (unsigned short)ARRAY_SIZE(strict_filter),
> +	.filter = (struct sock_filter *)strict_filter
> +};
> +
> +static void check_strict_mode(int);
> +static void check_filter_mode(int);
> +
> +static struct tcase {
> +	void (*func_check)();
> +	int pass_flag;
> +	int val;
> +	int exp_signal;
> +	char *message;
> +} tcases[] = {
> +	{check_strict_mode, 1, 1, SIGKILL,
> +	"SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call"},
> +
> +	{check_strict_mode, 0, 2, SIGKILL,
> +	"SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)"},
> +
> +	{check_strict_mode, 1, 3, SIGKILL,
> +	"SECCOMP_MODE_STRICT doesn't permit close(2)"},
> +
> +	{check_filter_mode, 1, 1, SIGSYS,
> +	"SECCOMP_MODE_FILTER doestn't permit GET_SECCOMP call"},
> +
> +	{check_filter_mode, 0, 2, SIGSYS,
> +	"SECCOMP_MODE_FILTER doesn't permit close(2)"},
> +
> +	{check_filter_mode, 1, 3, SIGSYS,
> +	"SECCOMP_MODE_FILTER doesn't permit exit()"},
> +
> +	{check_filter_mode, 0, 4, SIGSYS,
> +	"SECCOMP_MODE_FILTER doesn't permit exit()"}
> +};
> +
> +static void check_filter_mode_inherit(void)
> +{
> +	int childpid;
> +	int childstatus;
> +
> +	childpid = fork();
> +	if (childpid == 0) {
> +		tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
> +		exit(0);
> +	}
> +
> +	wait4(childpid, &childstatus, 0, NULL);
> +	if (WIFSIGNALED(childstatus) && WTERMSIG(childstatus) == SIGSYS)
> +		tst_res(TPASS,
> +			"SECCOMP_MODE_FILTER has been inherited by child");
> +	else
> +		tst_res(TFAIL,
> +			"SECCOMP_MODE_FILTER isn't been inherited by child");
> +}
> +
> +static void check_strict_mode(int val)
> +{
> +	int fd;
> +	char buf[2];
> +
> +	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
> +
> +	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
> +	if (TST_RET == -1) {
> +		tst_res(TFAIL | TTERRNO,
> +			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT failed");
> +		return;
> +	}
> +
> +	switch (val) {
> +	case 1:	{
> +		tst_res(TPASS,
> +			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed");
> +		prctl(PR_GET_SECCOMP);
> +		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
> +	break;
> +	}

There is no need to enclose the case switches between curly braces
unless you need to declare variables there.

> +	case 2: {
> +		SAFE_WRITE(1, fd, "a", 1);
> +		SAFE_READ(0, fd, buf, 1);
> +		tst_res(TPASS,
> +			"SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)");
> +	break;
> +	}
> +	case 3: {
> +		close(fd);
> +		tst_res(TFAIL,
> +			"SECCOMP_MODE_STRICT permits close(2) unexpectdly");
> +	break;
> +	}
> +	}
> +
> +	tst_syscall(__NR_exit, 0);
> +}
> +
> +static void check_filter_mode(int val)
> +{
> +	int fd;
> +
> +	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
> +
> +	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
> +	if (TST_RET == -1) {
> +		if (TST_ERR == EINVAL)
> +			tst_res(TCONF,
> +				"kernel doesn't support SECCOMP_MODE_FILTER");
> +		else
> +			tst_res(TFAIL | TERRNO,
> +				"prctl(PR_SET_SECCOMP) sets strict filter failed");
> +		return;
> +	}
> +
> +	switch (val) {
> +	case 1: {
> +		tst_res(TPASS,
> +			"prctl(PR_SET_SECCOMP) sets strict filter succeed");
> +		prctl(PR_GET_SECCOMP);
> +		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
> +	break;
> +	}
> +	case 2: {
> +		close(fd);
> +		tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
> +	break;
> +	}
> +	case 3:
> +		exit(0);
> +	break;
> +	case 4:
> +		check_filter_mode_inherit();
> +	break;
> +	}
> +	tst_syscall(__NR_exit, 0);
> +}
> +
> +static void verify_prctl(unsigned int n)
> +{
> +	int pid;
> +	int status;
> +	struct tcase *tc = &tcases[n];
> +
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		tc->func_check(tc->val);
> +	} else {
> +		SAFE_WAITPID(pid, &status, 0);
> +		if (WIFSIGNALED(status) && WTERMSIG(status) == tc->exp_signal) {
> +			if (tc->pass_flag)
> +				tst_res(TPASS, "%s", tc->message);
> +			else
> +				tst_res(TFAIL, "%s", tc->message);
> +			return;
> +		}
> +
> +		if (n == 5)
> +			tst_res(TFAIL,
> +				"SECCOMP_MODE_FILTER permits exit() unexpectdly");
                                                                            ^
									   Typo

Depending on the value of n here is wrong, this code will unexpectedly
fail to work if someone adds testcases to the tcases array.

You can at least reuse the pass_flag and set it to 2 for this case, then
you can do if (tc->pass_flag == 2) here instead.

> +	}
> +}
> +
> +static void setup(void)
> +{
> +	TEST(prctl(PR_GET_SECCOMP));
> +	if (TST_RET == 0)
> +		tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
> +	if (TST_ERR == EINVAL)
> +		tst_brk(TBROK, "kernel doesn't support PR_GET/SET_SECCOMP");
                          ^
			  Shouldn't this be TCONF?

Also we should handle other error cases, so maybe:

	if (TST_RET == 0) {
		tst_res(TINFO, ...);
		return;
	}

	if (TST_ERR == EINVAL)
		tst_brk(TCONF, ...);

	tst_brk(TBROK | TTERRNO, ...);

> +}
> +
> +static struct tst_test test = {
> +	.setup = setup,
> +	.test = verify_prctl,
> +	.tcnt = ARRAY_SIZE(tcases),
> +	.forks_child = 1,
> +	.needs_tmpdir = 1,
> +	.needs_root = 1,
> +};

Other than these minor nits the test looks good to me.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v2] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[xuyang]

Hi cyril
   I will send a v3 patch for this.  Thanks for your review.

Kind Regards
Yang Xu

> Hi!
>> diff --git a/include/lapi/seccomp.h b/include/lapi/seccomp.h
>> new file mode 100644
>> index 000000000..eead53c48
>> --- /dev/null
>> +++ b/include/lapi/seccomp.h
>> @@ -0,0 +1,40 @@
>> +// SPDX-License-Identifier: GPL-2.0-or-later
>> +/*
>> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
>> + * Author: Yang Xu<xuyang2018.jy@cn.fujitsu.com>
>> + */
>> +#ifndef LAPI_SECCOMP_H__
>> +# define _LAPI_SECCOMP_H
>> +
>> +#include<linux/types.h>
>> +
>> +#ifdef HAVE_LINUX_SECCOMP_H
>> +#include<linux/seccomp.h>
>> +#else
>> +/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP,<mode>) */
>> +#define SECCOMP_MODE_DISABLED   0
>> +#define SECCOMP_MODE_STRICT     1
>> +#define SECCOMP_MODE_FILTER     2
>> +
>> +#define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
>> +#define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
>> +#define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
>> +
>> +/**
>> + * struct seccomp_data - the format the BPF program executes over.
>> + * @nr: the system call number
>> + * @arch: indicates system call convention as an AUDIT_ARCH_* value
>> + *        as defined in<linux/audit.h>.
>> + * @instruction_pointer: at the time of the system call.
>> + * @args: up to 6 system call arguments always stored as 64-bit values
>> + * regardless of the architecture.
>> + */
>> +struct seccomp_data {
>> +	int nr;
>> +	__u32 arch;
>> +	__u64 instruction_pointer;
>> +	__u64 args[6];
>> +};
>> +
>> +#endif /* HAVE_LINUX_SECCOMP_H*/
>> +#endif /* _LAPI_SECCOMP_H */
> The ifdefs could be made a bit more readable by proper indentation as:
>
> #ifndef FOO_H__
> #define FOO_H__
>
> # include<header.h>
>
> # ifdef HAVE_BAR
> #  include<bar.h>
> # else
> #  define BAR1
> #  define BAR2
>
> # endif
> #endif /* FOO_H__ */
>
> But that is very minor.
>
>> diff --git a/runtest/syscalls b/runtest/syscalls
>> index 2b8ca719b..51bff2990 100644
>> --- a/runtest/syscalls
>> +++ b/runtest/syscalls
>> @@ -863,6 +863,7 @@ ppoll01 ppoll01
>>   prctl01 prctl01
>>   prctl02 prctl02
>>   prctl03 prctl03
>> +prctl04 prctl04
>>
>>   pread01 pread01
>>   pread01_64 pread01_64
>> diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
>> index 2f46a9a12..1c3da3052 100644
>> --- a/testcases/kernel/syscalls/prctl/.gitignore
>> +++ b/testcases/kernel/syscalls/prctl/.gitignore
>> @@ -1,3 +1,4 @@
>>   /prctl01
>>   /prctl02
>>   /prctl03
>> +/prctl04
>> diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
>> new file mode 100644
>> index 000000000..9acd2c6fb
>> --- /dev/null
>> +++ b/testcases/kernel/syscalls/prctl/prctl04.c
>> @@ -0,0 +1,229 @@
>> +// SPDX-License-Identifier: GPL-2.0-or-later
>> +/*
>> + * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
>> + * Author: Yang Xu<xuyang2018.jy@cn.fujitsu.com>
>> + *
>> + * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
>> + * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
>> + *    the only system call that the thread is permitted to make are read(2),
>> + *    write(2),_exit(2)(but not exit_group(2)), and sigreturn(2).  Other
>> + *    system calls result in the delivery of a SIGKILL signal. This operation
>> + *    is available only if the kernel is configured with CONFIG_SECCOMP enabled.
>> + * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
>> + *    the system calls allowed are defined by a pointer to a Berkeley Packet
>> + *    Filter. Other system calls result int the delivery of a SIGSYS signal
>> + *    with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
>> + *    only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
>> + * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
>> + *    is inherited by children created by fork(2).
>> + */
>> +
>> +#include<errno.h>
>> +#include<signal.h>
>> +#include<sys/prctl.h>
>> +#include<sys/wait.h>
>> +#include<sys/types.h>
>> +#include<linux/filter.h>
>> +#include<unistd.h>
>> +#include<stdlib.h>
>> +#include<stddef.h>
>> +#include "tst_test.h"
>> +#include "lapi/syscalls.h"
>> +#include "lapi/prctl.h"
>> +#include "config.h"
>> +#include "lapi/seccomp.h"
>> +
>> +#define FNAME "filename"
>> +
>> +static const struct sock_filter  strict_filter[] = {
>> +	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
>> +
>> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
>> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
>> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
>> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
>> +	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
>> +
>> +	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
>> +	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
>> +};
>> +
>> +static const struct sock_fprog  strict = {
>> +	.len = (unsigned short)ARRAY_SIZE(strict_filter),
>> +	.filter = (struct sock_filter *)strict_filter
>> +};
>> +
>> +static void check_strict_mode(int);
>> +static void check_filter_mode(int);
>> +
>> +static struct tcase {
>> +	void (*func_check)();
>> +	int pass_flag;
>> +	int val;
>> +	int exp_signal;
>> +	char *message;
>> +} tcases[] = {
>> +	{check_strict_mode, 1, 1, SIGKILL,
>> +	"SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call"},
>> +
>> +	{check_strict_mode, 0, 2, SIGKILL,
>> +	"SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)"},
>> +
>> +	{check_strict_mode, 1, 3, SIGKILL,
>> +	"SECCOMP_MODE_STRICT doesn't permit close(2)"},
>> +
>> +	{check_filter_mode, 1, 1, SIGSYS,
>> +	"SECCOMP_MODE_FILTER doestn't permit GET_SECCOMP call"},
>> +
>> +	{check_filter_mode, 0, 2, SIGSYS,
>> +	"SECCOMP_MODE_FILTER doesn't permit close(2)"},
>> +
>> +	{check_filter_mode, 1, 3, SIGSYS,
>> +	"SECCOMP_MODE_FILTER doesn't permit exit()"},
>> +
>> +	{check_filter_mode, 0, 4, SIGSYS,
>> +	"SECCOMP_MODE_FILTER doesn't permit exit()"}
>> +};
>> +
>> +static void check_filter_mode_inherit(void)
>> +{
>> +	int childpid;
>> +	int childstatus;
>> +
>> +	childpid = fork();
>> +	if (childpid == 0) {
>> +		tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
>> +		exit(0);
>> +	}
>> +
>> +	wait4(childpid,&childstatus, 0, NULL);
>> +	if (WIFSIGNALED(childstatus)&&  WTERMSIG(childstatus) == SIGSYS)
>> +		tst_res(TPASS,
>> +			"SECCOMP_MODE_FILTER has been inherited by child");
>> +	else
>> +		tst_res(TFAIL,
>> +			"SECCOMP_MODE_FILTER isn't been inherited by child");
>> +}
>> +
>> +static void check_strict_mode(int val)
>> +{
>> +	int fd;
>> +	char buf[2];
>> +
>> +	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
>> +
>> +	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
>> +	if (TST_RET == -1) {
>> +		tst_res(TFAIL | TTERRNO,
>> +			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT failed");
>> +		return;
>> +	}
>> +
>> +	switch (val) {
>> +	case 1:	{
>> +		tst_res(TPASS,
>> +			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed");
>> +		prctl(PR_GET_SECCOMP);
>> +		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
>> +	break;
>> +	}
> There is no need to enclose the case switches between curly braces
> unless you need to declare variables there.
>
>> +	case 2: {
>> +		SAFE_WRITE(1, fd, "a", 1);
>> +		SAFE_READ(0, fd, buf, 1);
>> +		tst_res(TPASS,
>> +			"SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)");
>> +	break;
>> +	}
>> +	case 3: {
>> +		close(fd);
>> +		tst_res(TFAIL,
>> +			"SECCOMP_MODE_STRICT permits close(2) unexpectdly");
>> +	break;
>> +	}
>> +	}
>> +
>> +	tst_syscall(__NR_exit, 0);
>> +}
>> +
>> +static void check_filter_mode(int val)
>> +{
>> +	int fd;
>> +
>> +	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
>> +
>> +	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,&strict));
>> +	if (TST_RET == -1) {
>> +		if (TST_ERR == EINVAL)
>> +			tst_res(TCONF,
>> +				"kernel doesn't support SECCOMP_MODE_FILTER");
>> +		else
>> +			tst_res(TFAIL | TERRNO,
>> +				"prctl(PR_SET_SECCOMP) sets strict filter failed");
>> +		return;
>> +	}
>> +
>> +	switch (val) {
>> +	case 1: {
>> +		tst_res(TPASS,
>> +			"prctl(PR_SET_SECCOMP) sets strict filter succeed");
>> +		prctl(PR_GET_SECCOMP);
>> +		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
>> +	break;
>> +	}
>> +	case 2: {
>> +		close(fd);
>> +		tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
>> +	break;
>> +	}
>> +	case 3:
>> +		exit(0);
>> +	break;
>> +	case 4:
>> +		check_filter_mode_inherit();
>> +	break;
>> +	}
>> +	tst_syscall(__NR_exit, 0);
>> +}
>> +
>> +static void verify_prctl(unsigned int n)
>> +{
>> +	int pid;
>> +	int status;
>> +	struct tcase *tc =&tcases[n];
>> +
>> +	pid = SAFE_FORK();
>> +	if (pid == 0) {
>> +		tc->func_check(tc->val);
>> +	} else {
>> +		SAFE_WAITPID(pid,&status, 0);
>> +		if (WIFSIGNALED(status)&&  WTERMSIG(status) == tc->exp_signal) {
>> +			if (tc->pass_flag)
>> +				tst_res(TPASS, "%s", tc->message);
>> +			else
>> +				tst_res(TFAIL, "%s", tc->message);
>> +			return;
>> +		}
>> +
>> +		if (n == 5)
>> +			tst_res(TFAIL,
>> +				"SECCOMP_MODE_FILTER permits exit() unexpectdly");
>                                                                              ^
> 									   Typo
>
> Depending on the value of n here is wrong, this code will unexpectedly
> fail to work if someone adds testcases to the tcases array.
>
> You can at least reuse the pass_flag and set it to 2 for this case, then
> you can do if (tc->pass_flag == 2) here instead.
>
>> +	}
>> +}
>> +
>> +static void setup(void)
>> +{
>> +	TEST(prctl(PR_GET_SECCOMP));
>> +	if (TST_RET == 0)
>> +		tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
>> +	if (TST_ERR == EINVAL)
>> +		tst_brk(TBROK, "kernel doesn't support PR_GET/SET_SECCOMP");
>                            ^
> 			  Shouldn't this be TCONF?
>
> Also we should handle other error cases, so maybe:
>
> 	if (TST_RET == 0) {
> 		tst_res(TINFO, ...);
> 		return;
> 	}
>
> 	if (TST_ERR == EINVAL)
> 		tst_brk(TCONF, ...);
>
> 	tst_brk(TBROK | TTERRNO, ...);
>
>> +}
>> +
>> +static struct tst_test test = {
>> +	.setup = setup,
>> +	.test = verify_prctl,
>> +	.tcnt = ARRAY_SIZE(tcases),
>> +	.forks_child = 1,
>> +	.needs_tmpdir = 1,
>> +	.needs_root = 1,
>> +};
> Other than these minor nits the test looks good to me.
>

[LTP] [PATCH v3] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[Yang Xu]

Signed-off-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
---
 configure.ac                               |   1 +
 include/lapi/prctl.h                       |   5 +
 include/lapi/seccomp.h                     |  40 ++++
 runtest/syscalls                           |   1 +
 testcases/kernel/syscalls/prctl/.gitignore |   1 +
 testcases/kernel/syscalls/prctl/prctl04.c  | 231 +++++++++++++++++++++
 6 files changed, 279 insertions(+)
 create mode 100644 include/lapi/seccomp.h
 create mode 100644 testcases/kernel/syscalls/prctl/prctl04.c

diff --git a/configure.ac b/configure.ac
index 5dc85728a..5a3dc5b62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,6 +46,7 @@ AC_CHECK_HEADERS([ \
     linux/mempolicy.h \
     linux/module.h \
     linux/netlink.h \
+    linux/seccomp.h \
     linux/userfaultfd.h \
     mm.h \
     netinet/sctp.h \
diff --git a/include/lapi/prctl.h b/include/lapi/prctl.h
index 6db8a6480..f42bd6459 100644
--- a/include/lapi/prctl.h
+++ b/include/lapi/prctl.h
@@ -9,6 +9,11 @@
 
 #include <sys/prctl.h>
 
+#ifndef PR_SET_SECCOMP
+# define PR_GET_SECCOMP  21
+# define PR_SET_SECCOMP  22
+#endif
+
 #ifndef PR_SET_CHILD_SUBREAPER
 # define PR_SET_CHILD_SUBREAPER	36
 # define PR_GET_CHILD_SUBREAPER	37
diff --git a/include/lapi/seccomp.h b/include/lapi/seccomp.h
new file mode 100644
index 000000000..a80d3d8cd
--- /dev/null
+++ b/include/lapi/seccomp.h
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ */
+#ifndef LAPI_SECCOMP_H
+#define LAPI_SECCOMP_H
+
+# include <linux/types.h>
+
+# ifdef HAVE_LINUX_SECCOMP_H
+#  include <linux/seccomp.h>
+# else
+/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
+#  define SECCOMP_MODE_DISABLED   0
+#  define SECCOMP_MODE_STRICT     1
+#  define SECCOMP_MODE_FILTER     2
+
+#  define SECCOMP_RET_KILL_THREAD  0x00000000U /* kill the thread */
+#  define SECCOMP_RET_KILL         SECCOMP_RET_KILL_THREAD
+#  define SECCOMP_RET_ALLOW        0x7fff0000U /* allow */
+
+/**
+ * struct seccomp_data - the format the BPF program executes over.
+ * @nr: the system call number
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ *        as defined in <linux/audit.h>.
+ * @instruction_pointer: at the time of the system call.
+ * @args: up to 6 system call arguments always stored as 64-bit values
+ * regardless of the architecture.
+ */
+struct seccomp_data {
+	int nr;
+	__u32 arch;
+	__u64 instruction_pointer;
+	__u64 args[6];
+};
+
+# endif /* HAVE_LINUX_SECCOMP_H*/
+#endif /* LAPI_SECCOMP_H */
diff --git a/runtest/syscalls b/runtest/syscalls
index 30c132751..04558a580 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -861,6 +861,7 @@ ppoll01 ppoll01
 prctl01 prctl01
 prctl02 prctl02
 prctl03 prctl03
+prctl04 prctl04
 
 pread01 pread01
 pread01_64 pread01_64
diff --git a/testcases/kernel/syscalls/prctl/.gitignore b/testcases/kernel/syscalls/prctl/.gitignore
index 2f46a9a12..1c3da3052 100644
--- a/testcases/kernel/syscalls/prctl/.gitignore
+++ b/testcases/kernel/syscalls/prctl/.gitignore
@@ -1,3 +1,4 @@
 /prctl01
 /prctl02
 /prctl03
+/prctl04
diff --git a/testcases/kernel/syscalls/prctl/prctl04.c b/testcases/kernel/syscalls/prctl/prctl04.c
new file mode 100644
index 000000000..585274a8a
--- /dev/null
+++ b/testcases/kernel/syscalls/prctl/prctl04.c
@@ -0,0 +1,231 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 FUJITSU LIMITED. All rights reserved.
+ * Author: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+ *
+ * Test PR_GET_SECCOMP and PR_SET_SECCOMP of prctl(2).
+ * 1) If PR_SET_SECCOMP sets the SECCOMP_MODE_STRICT for the calling thread,
+ *    the only system call that the thread is permitted to make are read(2),
+ *    write(2),_exit(2)(but not exit_group(2)), and sigreturn(2).  Other
+ *    system calls result in the delivery of a SIGKILL signal. This operation
+ *    is available only if the kernel is configured with CONFIG_SECCOMP enabled.
+ * 2) If PR_SET_SECCOMP sets the SECCOMP_MODE_FILTER for the calling thread,
+ *    the system calls allowed are defined by a pointer to a Berkeley Packet
+ *    Filter. Other system calls result int the delivery of a SIGSYS signal
+ *    with SECCOMP_RET_KILL. The SECCOMP_SET_MODE_FILTER operation is available
+ *    only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
+ * 3) If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode
+ *    is inherited by children created by fork(2).
+ */
+
+#include <errno.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <linux/filter.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include "tst_test.h"
+#include "lapi/syscalls.h"
+#include "lapi/prctl.h"
+#include "config.h"
+#include "lapi/seccomp.h"
+
+#define FNAME "filename"
+
+static const struct sock_filter  strict_filter[] = {
+	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),
+
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
+	BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),
+
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
+	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
+};
+
+static const struct sock_fprog  strict = {
+	.len = (unsigned short)ARRAY_SIZE(strict_filter),
+	.filter = (struct sock_filter *)strict_filter
+};
+
+static void check_strict_mode(int);
+static void check_filter_mode(int);
+
+static struct tcase {
+	void (*func_check)();
+	int pass_flag;
+	int val;
+	int exp_signal;
+	char *message;
+} tcases[] = {
+	{check_strict_mode, 1, 1, SIGKILL,
+	"SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call"},
+
+	{check_strict_mode, 0, 2, SIGKILL,
+	"SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)"},
+
+	{check_strict_mode, 1, 3, SIGKILL,
+	"SECCOMP_MODE_STRICT doesn't permit close(2)"},
+
+	{check_filter_mode, 1, 1, SIGSYS,
+	"SECCOMP_MODE_FILTER doestn't permit GET_SECCOMP call"},
+
+	{check_filter_mode, 0, 2, SIGSYS,
+	"SECCOMP_MODE_FILTER doesn't permit close(2)"},
+
+	{check_filter_mode, 2, 3, SIGSYS,
+	"SECCOMP_MODE_FILTER doesn't permit exit()"},
+
+	{check_filter_mode, 0, 4, SIGSYS,
+	"SECCOMP_MODE_FILTER doesn't permit exit()"}
+};
+
+static void check_filter_mode_inherit(void)
+{
+	int childpid;
+	int childstatus;
+
+	childpid = SAFE_FORK();
+	if (childpid == 0) {
+		tst_res(TPASS, "SECCOMP_MODE_FILTER permits fork(2)");
+		exit(0);
+	}
+
+	wait4(childpid, &childstatus, 0, NULL);
+	if (WIFSIGNALED(childstatus) && WTERMSIG(childstatus) == SIGSYS)
+		tst_res(TPASS,
+			"SECCOMP_MODE_FILTER has been inherited by child");
+	else
+		tst_res(TFAIL,
+			"SECCOMP_MODE_FILTER isn't been inherited by child");
+}
+
+static void check_strict_mode(int val)
+{
+	int fd;
+	char buf[2];
+
+	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
+
+	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT));
+	if (TST_RET == -1) {
+		tst_res(TFAIL | TTERRNO,
+			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT failed");
+		return;
+	}
+
+	switch (val) {
+	case 1:
+		tst_res(TPASS,
+			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_STRICT succeed");
+		prctl(PR_GET_SECCOMP);
+		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
+	break;
+	case 2:
+		SAFE_WRITE(1, fd, "a", 1);
+		SAFE_READ(0, fd, buf, 1);
+		tst_res(TPASS,
+			"SECCOMP_MODE_STRICT permits read(2) write(2) and _exit(2)");
+	break;
+	case 3:
+		close(fd);
+		tst_res(TFAIL,
+			"SECCOMP_MODE_STRICT permits close(2) unexpectdly");
+	break;
+	}
+
+	tst_syscall(__NR_exit, 0);
+}
+
+static void check_filter_mode(int val)
+{
+	int fd;
+
+	fd = SAFE_OPEN(FNAME, O_RDWR | O_CREAT, 0666);
+
+	TEST(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &strict));
+	if (TST_RET == -1) {
+		if (TST_ERR == EINVAL)
+			tst_res(TCONF,
+				"kernel doesn't support SECCOMP_MODE_FILTER");
+		else
+			tst_res(TFAIL | TERRNO,
+				"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER failed");
+		return;
+	}
+
+	switch (val) {
+	case 1:
+		tst_res(TPASS,
+			"prctl(PR_SET_SECCOMP) sets SECCOMP_MODE_FILTER succeed");
+		prctl(PR_GET_SECCOMP);
+		tst_res(TFAIL, "prctl(PR_GET_SECCOMP) succeed unexpectedly");
+	break;
+	case 2:
+		close(fd);
+		tst_res(TPASS, "SECCOMP_MODE_FILTER permits close(2)");
+	break;
+	case 3:
+		exit(0);
+	break;
+	case 4:
+		check_filter_mode_inherit();
+	break;
+	}
+
+	tst_syscall(__NR_exit, 0);
+}
+
+static void verify_prctl(unsigned int n)
+{
+	int pid;
+	int status;
+	struct tcase *tc = &tcases[n];
+
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		tc->func_check(tc->val);
+	} else {
+		SAFE_WAITPID(pid, &status, 0);
+		if (WIFSIGNALED(status) && WTERMSIG(status) == tc->exp_signal) {
+			if (tc->pass_flag)
+				tst_res(TPASS, "%s", tc->message);
+			else
+				tst_res(TFAIL, "%s", tc->message);
+			return;
+		}
+
+		if (tc->pass_flag == 2)
+			tst_res(TFAIL,
+				"SECCOMP_MODE_FILTER permits exit() unexpectedly");
+	}
+}
+
+static void setup(void)
+{
+	TEST(prctl(PR_GET_SECCOMP));
+	if (TST_RET == 0) {
+		tst_res(TINFO, "kernel support PR_GET/SET_SECCOMP");
+		return;
+	}
+
+	if (TST_ERR == EINVAL)
+		tst_brk(TCONF, "kernel doesn't support PR_GET/SET_SECCOMP");
+
+	tst_brk(TBROK | TTERRNO,
+		"current environment doesn't permit PR_GET/SET_SECCOMP");
+}
+
+static struct tst_test test = {
+	.setup = setup,
+	.test = verify_prctl,
+	.tcnt = ARRAY_SIZE(tcases),
+	.forks_child = 1,
+	.needs_tmpdir = 1,
+	.needs_root = 1,
+};
-- 
2.18.1

[LTP] [PATCH v3] syscalls/prctl04.c: New test for prctl() with PR_{SET, GET}_SECCOMP

[Cyril Hrubis]

Hi!
Pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz