[systemd-devel] [PATCH v2 1/2] test: add basic seccomp tests

Ronny Chevalier chevalier.ronny at gmail.com
Wed Feb 12 08:28:52 PST 2014


---
 test/TEST-04-SECCOMP/Makefile               |  1 +
 test/TEST-04-SECCOMP/test-seccomp.sh        | 13 +++++
 test/TEST-04-SECCOMP/test.sh                | 79 +++++++++++++++++++++++++++++
 test/TEST-04-SECCOMP/will-fail.service      |  8 +++
 test/TEST-04-SECCOMP/will-fail2.service     |  6 +++
 test/TEST-04-SECCOMP/will-not-fail.service  |  9 ++++
 test/TEST-04-SECCOMP/will-not-fail2.service |  6 +++
 7 files changed, 122 insertions(+)
 create mode 120000 test/TEST-04-SECCOMP/Makefile
 create mode 100755 test/TEST-04-SECCOMP/test-seccomp.sh
 create mode 100755 test/TEST-04-SECCOMP/test.sh
 create mode 100644 test/TEST-04-SECCOMP/will-fail.service
 create mode 100644 test/TEST-04-SECCOMP/will-fail2.service
 create mode 100644 test/TEST-04-SECCOMP/will-not-fail.service
 create mode 100644 test/TEST-04-SECCOMP/will-not-fail2.service

diff --git a/test/TEST-04-SECCOMP/Makefile b/test/TEST-04-SECCOMP/Makefile
new file mode 120000
index 0000000..e9f93b1
--- /dev/null
+++ b/test/TEST-04-SECCOMP/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-04-SECCOMP/test-seccomp.sh b/test/TEST-04-SECCOMP/test-seccomp.sh
new file mode 100755
index 0000000..efe5c11
--- /dev/null
+++ b/test/TEST-04-SECCOMP/test-seccomp.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -x
+
+systemctl start will-fail.service
+systemctl start will-fail2.service
+systemctl start will-not-fail.service
+systemctl start will-not-fail2.service
+systemctl is-failed will-fail.service | grep failed || exit 1
+systemctl is-failed will-fail2.service | grep failed || exit 1
+systemctl is-failed will-not-fail.service | grep failed && exit 1
+systemctl is-failed will-not-fail2.service | grep failed && exit 1
+
+touch /testok
+exit 0
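Review bot: The `| grep failed` pipelines on the four is-failed lines discard the exit status of `systemctl is-failed` and substring-match its output, so the script decides on wording rather than on unit state; `is-failed` already exits 0 only when the unit is failed, so `systemctl is-failed will-fail.service || exit 1` and `systemctl is-failed will-not-fail.service && exit 1` express the same checks directly. The assertions also only establish that the will-fail units ended up failed, not that the seccomp filter killed them: a unit that failed for an unrelated reason (say a filter line that did not parse) satisfies the same check, so I would also confirm the failure cause, e.g. `systemctl show -p Result -p ExecMainStatus will-fail.service` or a journal search for SIGSYS, whichever property the systemd under test exposes. Since none of the units set Type=, they presumably run as Type=simple, so `systemctl start` may return before the child is killed on exec and the state query could race; if the test turns out flaky, Type=oneshot on the test units would remove that window.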
diff --git a/test/TEST-04-SECCOMP/test.sh b/test/TEST-04-SECCOMP/test.sh
new file mode 100755
index 0000000..a85b50c
--- /dev/null
+++ b/test/TEST-04-SECCOMP/test.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+TEST_DESCRIPTION="seccomp tests"
+
+. $TEST_BASE_DIR/test-functions
+
+check_result_qemu() {
+    ret=1
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+    [[ -e $TESTDIR/root/testok ]] && ret=0
+    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
+    cp -a $TESTDIR/root/var/log/journal $TESTDIR
+    umount $TESTDIR/root
+    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
+    ls -l $TESTDIR/journal/*/*.journal
+    test -s $TESTDIR/failed && ret=$(($ret+1))
+    return $ret
+}
+
+test_run() {
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
+    if check_nspawn; then
+        run_nspawn
+        check_result_nspawn || return 1
+    else
+        dwarn "can't run systemd-nspawn, skipping"
+    fi
+    return 0
+}
+
+test_setup() {
+    create_empty_image
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+
+    # Create what will eventually be our root filesystem onto an overlay
+    (
+        LOG_LEVEL=5
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+        setup_basic_environment
+
+        # setup the testsuite service
+        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+After=multi-user.target
+
+[Service]
+ExecStart=/test-seccomp.sh
+Type=oneshot
+EOF
+
+        # copy the units used by this test
+        cp {will-fail,will-fail2,will-not-fail,will-not-fail2}.service \
+            $initdir/etc/systemd/system
+        cp test-seccomp.sh $initdir/
+
+        setup_testsuite
+    )
+    setup_nspawn_root
+
+    ddebug "umount $TESTDIR/root"
+    umount $TESTDIR/root
+}
+
+test_cleanup() {
+    umount $TESTDIR/root 2>/dev/null
+    [[ $LOOPDEV ]] && losetup -d $LOOPDEV
+    return 0
+}
+
+do_test "$@"
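Review bot: test_run returns 0 when neither QEMU nor systemd-nspawn is available, so on a host lacking both the seccomp test reports success without having run anything, which for a test of kernel-enforced filtering is exactly the wrong default. I would record whether either environment actually ran and fail (or signal a skip, if do_test in test-functions distinguishes one; it is outside this patch) when none did. The status of `run_nspawn` is also not checked on the line before check_result_nspawn, unlike run_qemu. Separately, check_result_qemu and test_setup mount `${LOOPDEV}p1` while the udevadm query uses `${LOOPDEV}p2`; this looks copied from TEST-01-BASIC, so please confirm the partition numbers match what create_empty_image produces.
```shell
test_run() {
    local ran=0
    if run_qemu; then
        check_result_qemu || return 1
        ran=1
    else
        dwarn "can't run QEMU, skipping"
    fi
    if check_nspawn; then
        run_nspawn || return 1
        check_result_nspawn || return 1
        ran=1
    else
        dwarn "can't run systemd-nspawn, skipping"
    fi
    # A seccomp test that never ran must not be reported as a pass.
    [[ $ran -eq 1 ]] || { dwarn "no environment available to run the seccomp test"; return 1; }
    return 0
}
```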
diff --git a/test/TEST-04-SECCOMP/will-fail.service b/test/TEST-04-SECCOMP/will-fail.service
new file mode 100644
index 0000000..c4e0be9
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-fail.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Will fail
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=ioperm
+SystemCallFilter=~ioperm
+SystemCallFilter=ioperm
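Review bot: The three stacked SystemCallFilter= lines (whitelist, blacklist, whitelist of the same call) encode a non-obvious merge behaviour and nothing in the unit states what final filter is expected or why /bin/echo should then die, so the expectation is not reviewable from the file; a comment such as `# Stacking whitelist/blacklist of one call: the resulting whitelist must not cover what /bin/echo needs, so exec is expected to be killed by SIGSYS` would fix that. I am inferring the intended semantics from the unit name rather than from parser code visible here, so please confirm the wording against the implementation. Note also that ioperm is an x86 port-I/O call and is not present on every architecture; on a port where the name cannot be resolved the line may be ignored rather than enforced, and this unit may then not fail as expected.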
diff --git a/test/TEST-04-SECCOMP/will-fail2.service b/test/TEST-04-SECCOMP/will-fail2.service
new file mode 100644
index 0000000..1bfaeaa
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-fail2.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Will fail 2
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=~write open execve exit_group close mmap munmap fstat DONOTEXIST
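Review bot: The blacklist on the SystemCallFilter= line already contains execve and write, so /bin/echo cannot run no matter how `DONOTEXIST` is treated; the unit therefore does not show whether an unknown syscall name is rejected, ignored with a warning, or silently accepted. If the unknown-name handling is what this unit is meant to test, a unit whose only entry is the bogus name, `SystemCallFilter=~DONOTEXIST`, isolates it (and the test would then have to assert the load/failure outcome actually expected); if it is not, dropping the token avoids the ambiguity. Either way a one-line comment stating what this unit is expected to prove would help the next reader.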
diff --git a/test/TEST-04-SECCOMP/will-not-fail.service b/test/TEST-04-SECCOMP/will-not-fail.service
new file mode 100644
index 0000000..5c1b594
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-not-fail.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Will not fail
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
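Review bot: This unit stacks four SystemCallFilter= lines, but the only thing the test checks is that /bin/echo was not killed, which passes just as well if every filter were dropped; nothing shows that the intended net filter (presumably a blacklist of ioperm alone) is actually in place. A positive check would need either a companion unit that invokes the one call left blacklisted and is expected to die, or an inspection of the unit's effective filter property after loading. At minimum a comment recording the expected net result, e.g. `# Net effect: only ioperm should remain blacklisted`, would document the intent; I am inferring that from the unit name, so confirm it against the parser.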
diff --git a/test/TEST-04-SECCOMP/will-not-fail2.service b/test/TEST-04-SECCOMP/will-not-fail2.service
new file mode 100644
index 0000000..2df05e3
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-not-fail2.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Reset SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=
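Review bot: Description= says this unit tests a reset, but the empty `SystemCallFilter=` is the only filter line, so there is nothing to reset and the unit only shows that an empty assignment does not break loading. To exercise the reset, precede it with a filter that would otherwise kill /bin/echo, `SystemCallFilter=~write execve` followed by `SystemCallFilter=`, so the unit fails if the empty assignment is ignored instead of clearing the earlier list.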
-- 
1.8.5.4


