[systemd-devel] [PATCH 1/2] test: add basic seccomp tests

Dave Reisner d at falconindy.com
Wed Feb 12 18:34:38 PST 2014


On Thu, Jan 23, 2014 at 01:34:57AM +0100, Ronny Chevalier wrote:
> ---
>  test/TEST-04-SECCOMP/Makefile               |  1 +
>  test/TEST-04-SECCOMP/test-seccomp.sh        | 11 ++++
>  test/TEST-04-SECCOMP/test.sh                | 79 +++++++++++++++++++++++++++++
>  test/TEST-04-SECCOMP/will-fail.service      |  6 +++
>  test/TEST-04-SECCOMP/will-not-fail.service  |  6 +++
>  test/TEST-04-SECCOMP/will-not-fail2.service |  6 +++
>  6 files changed, 109 insertions(+)
>  create mode 120000 test/TEST-04-SECCOMP/Makefile
>  create mode 100755 test/TEST-04-SECCOMP/test-seccomp.sh
>  create mode 100755 test/TEST-04-SECCOMP/test.sh
>  create mode 100644 test/TEST-04-SECCOMP/will-fail.service
>  create mode 100644 test/TEST-04-SECCOMP/will-not-fail.service
>  create mode 100644 test/TEST-04-SECCOMP/will-not-fail2.service
> 
> diff --git a/test/TEST-04-SECCOMP/Makefile b/test/TEST-04-SECCOMP/Makefile
> new file mode 120000
> index 0000000..e9f93b1
> --- /dev/null
> +++ b/test/TEST-04-SECCOMP/Makefile
> @@ -0,0 +1 @@
> +../TEST-01-BASIC/Makefile
> \ No newline at end of file
> diff --git a/test/TEST-04-SECCOMP/test-seccomp.sh b/test/TEST-04-SECCOMP/test-seccomp.sh
> new file mode 100755
> index 0000000..fef334e
> --- /dev/null
> +++ b/test/TEST-04-SECCOMP/test-seccomp.sh
> @@ -0,0 +1,11 @@
> +#!/bin/bash -x
> +
> +systemctl start will-fail.service
> +systemctl start will-not-fail.service
> +systemctl start will-not-fail2.service
> +systemctl is-failed will-fail.service | grep failed || exit 1
> +systemctl is-failed will-not-fail.service | grep failed && exit 1
> +systemctl is-failed will-not-fail2.service | grep failed && exit 1

This is weird. You should be able to rely on the exit code rather than
parsing the output, but it seems this was broken in e3e0314b.

> +
> +touch /testok
> +exit 0
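Review bot: The `failed` state checked on line 42 does not show that the seccomp filter is what stopped the service; will-fail.service ends up failed just as well if /bin/echo could not be executed in the image at all, so a broken test root passes this check. Pinning the cause with the unit's result and its journal output would tighten it: `systemctl show -p Result will-fail.service | grep -q 'Result=signal' || exit 1` and `journalctl -u will-fail.service | grep -q 'This should not be seen' && exit 1`. The second line assumes the unit's stdout is routed to the journal, which is the default but is not set explicitly anywhere in this patch, and the `Result` property name should be confirmed against the systemd version in this tree.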
> diff --git a/test/TEST-04-SECCOMP/test.sh b/test/TEST-04-SECCOMP/test.sh
> new file mode 100755
> index 0000000..c29192e
> --- /dev/null
> +++ b/test/TEST-04-SECCOMP/test.sh
> @@ -0,0 +1,79 @@
> +#!/bin/bash
> +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> +# ex: ts=8 sw=4 sts=4 et filetype=sh
> +TEST_DESCRIPTION="seccomp tests"
> +
> +. $TEST_BASE_DIR/test-functions
> +
> +check_result_qemu() {
> +    ret=1
> +    mkdir -p $TESTDIR/root
> +    mount ${LOOPDEV}p1 $TESTDIR/root
> +    [[ -e $TESTDIR/root/testok ]] && ret=0
> +    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
> +    cp -a $TESTDIR/root/var/log/journal $TESTDIR
> +    umount $TESTDIR/root
> +    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
> +    ls -l $TESTDIR/journal/*/*.journal
> +    test -s $TESTDIR/failed && ret=$(($ret+1))
> +    return $ret
> +}
> +
> +test_run() {
> +    if run_qemu; then
> +        check_result_qemu || return 1
> +    else
> +        dwarn "can't run QEMU, skipping"
> +    fi
> +    if check_nspawn; then
> +        run_nspawn
> +        check_result_nspawn || return 1
> +    else
> +        dwarn "can't run systemd-nspawn, skipping"
> +    fi
> +    return 0
> +}
> +
> +test_setup() {
> +    create_empty_image
> +    mkdir -p $TESTDIR/root
> +    mount ${LOOPDEV}p1 $TESTDIR/root
> +
> +    # Create what will eventually be our root filesystem onto an overlay
> +    (
> +        LOG_LEVEL=5
> +        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
> +
> +        setup_basic_environment
> +
> +        # setup the testsuite service
> +        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
> +[Unit]
> +Description=Testsuite service
> +After=multi-user.target
> +
> +[Service]
> +ExecStart=/test-seccomp.sh
> +Type=oneshot
> +EOF
> +
> +        # copy the units used by this test
> +        cp {will-fail,will-not-fail,will-not-fail2}.service \
> +            $initdir/etc/systemd/system
> +        cp test-seccomp.sh $initdir/
> +
> +        setup_testsuite
> +    )
> +    setup_nspawn_root
> +
> +    ddebug "umount $TESTDIR/root"
> +    umount $TESTDIR/root
> +}
> +
> +test_cleanup() {
> +    umount $TESTDIR/root 2>/dev/null
> +    [[ $LOOPDEV ]] && losetup -d $LOOPDEV
> +    return 0
> +}
> +
> +do_test "$@"
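Review bot: In check_result_qemu the `mount ${LOOPDEV}p1 $TESTDIR/root` on line 68 is not checked, so if the mount fails the function goes on to look for `testok`, `failed` and the journal in an empty host directory, then runs `umount` on something that was never mounted, and the test's verdict is decided by the host filesystem rather than the guest's. A guard such as `mount "${LOOPDEV}p1" "$TESTDIR/root" || return 1` makes the failure visible at its source. The `$TESTDIR` and `$LOOPDEV` expansions throughout the file are unquoted; the test harness presumably never puts whitespace in them, but quoting costs nothing. If this helper is a copy of the one in TEST-01-BASIC, as the shared Makefile suggests, the same fix belongs there.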
> diff --git a/test/TEST-04-SECCOMP/will-fail.service b/test/TEST-04-SECCOMP/will-fail.service
> new file mode 100644
> index 0000000..18e034e
> --- /dev/null
> +++ b/test/TEST-04-SECCOMP/will-fail.service
> @@ -0,0 +1,6 @@
> +[Unit]
> +Description=Will fail
> +
> +[Service]
> +ExecStart=/bin/echo "This should not be seen"
> +SystemCallFilter=ioperm
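Review bot: Nothing in the unit says why `ioperm` was picked on line 148, and the test's correctness rests on that choice: the filter is a whitelist holding a single syscall that /bin/echo does not need, so the first other syscall echo makes is expected to trip the filter and leave the unit failed. A one-line comment would keep the next editor from "fixing" it: `# Whitelist containing only ioperm: /bin/echo's first syscall that is not ioperm trips the filter, so this unit must fail.`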
> diff --git a/test/TEST-04-SECCOMP/will-not-fail.service b/test/TEST-04-SECCOMP/will-not-fail.service
> new file mode 100644
> index 0000000..c56797f
> --- /dev/null
> +++ b/test/TEST-04-SECCOMP/will-not-fail.service
> @@ -0,0 +1,6 @@
> +[Unit]
> +Description=Will not fail
> +
> +[Service]
> +ExecStart=/bin/echo "Foo bar"
> +SystemCallFilter=~ioctl
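Review bot: Blacklisting `ioctl` on line 160 ties this unit's outcome to where its stdout is connected: as far as I know glibc's stdio probes the output with isatty(), i.e. an ioctl(TCGETS), before the first write when the fd is a character device, so with stdout on a terminal /bin/echo would hit the filter and the "will not fail" unit would fail. It passes here presumably because the journal hands the service a socket, an assumption that is stated nowhere in the unit. A syscall echo never issues regardless of its stdout, e.g. `SystemCallFilter=~ioperm`, removes that dependency; failing that, a comment recording the stdout assumption would do.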
> diff --git a/test/TEST-04-SECCOMP/will-not-fail2.service b/test/TEST-04-SECCOMP/will-not-fail2.service
> new file mode 100644
> index 0000000..2df05e3
> --- /dev/null
> +++ b/test/TEST-04-SECCOMP/will-not-fail2.service
> @@ -0,0 +1,6 @@
> +[Unit]
> +Description=Reset SystemCallFilter
> +
> +[Service]
> +ExecStart=/bin/echo "Foo bar"
> +SystemCallFilter=
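Review bot: The empty `SystemCallFilter=` on line 172 resets a list that nothing has populated, so the unit behaves identically with that line deleted and the test cannot distinguish a working reset from an ignored one. Placing a filter that would otherwise kill /bin/echo ahead of it exercises the reset: `SystemCallFilter=ioperm` followed by `SystemCallFilter=`, with the expectation on line 44 of test-seccomp.sh unchanged. The unit's Description, "Reset SystemCallFilter", already states that intent.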
> -- 
> 1.8.5.3
> 