[systemd-devel] [PATCH 1/2] test: add basic seccomp tests

Ronny Chevalier chevalier.ronny at gmail.com
Thu Feb 13 00:58:53 PST 2014


2014-02-13 3:34 GMT+01:00 Dave Reisner <d at falconindy.com>:
> On Thu, Jan 23, 2014 at 01:34:57AM +0100, Ronny Chevalier wrote:
>> ---
>>  test/TEST-04-SECCOMP/Makefile               |  1 +
>>  test/TEST-04-SECCOMP/test-seccomp.sh        | 11 ++++
>>  test/TEST-04-SECCOMP/test.sh                | 79 +++++++++++++++++++++++++++++
>>  test/TEST-04-SECCOMP/will-fail.service      |  6 +++
>>  test/TEST-04-SECCOMP/will-not-fail.service  |  6 +++
>>  test/TEST-04-SECCOMP/will-not-fail2.service |  6 +++
>>  6 files changed, 109 insertions(+)
>>  create mode 120000 test/TEST-04-SECCOMP/Makefile
>>  create mode 100755 test/TEST-04-SECCOMP/test-seccomp.sh
>>  create mode 100755 test/TEST-04-SECCOMP/test.sh
>>  create mode 100644 test/TEST-04-SECCOMP/will-fail.service
>>  create mode 100644 test/TEST-04-SECCOMP/will-not-fail.service
>>  create mode 100644 test/TEST-04-SECCOMP/will-not-fail2.service
>>
>> diff --git a/test/TEST-04-SECCOMP/Makefile b/test/TEST-04-SECCOMP/Makefile
>> new file mode 120000
>> index 0000000..e9f93b1
>> --- /dev/null
>> +++ b/test/TEST-04-SECCOMP/Makefile
>> @@ -0,0 +1 @@
>> +../TEST-01-BASIC/Makefile
>> \ No newline at end of file
>> diff --git a/test/TEST-04-SECCOMP/test-seccomp.sh b/test/TEST-04-SECCOMP/test-seccomp.sh
>> new file mode 100755
>> index 0000000..fef334e
>> --- /dev/null
>> +++ b/test/TEST-04-SECCOMP/test-seccomp.sh
>> @@ -0,0 +1,11 @@
>> +#!/bin/bash -x
>> +
>> +systemctl start will-fail.service
>> +systemctl start will-not-fail.service
>> +systemctl start will-not-fail2.service
>> +systemctl is-failed will-fail.service | grep failed || exit 1
>> +systemctl is-failed will-not-fail.service | grep failed && exit 1
>> +systemctl is-failed will-not-fail2.service | grep failed && exit 1
>
> This is weird. You should be able to rely on the exit code rather than
> parsing the output, but it seems this was broken in e3e0314b.
>
Yes, this is why I did this.

>> +
>> +touch /testok
>> +exit 0
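Review bot: The three `is-failed` checks can observe a unit before its state is settled, because `systemctl start` on a service with no `Type=` returns once the main process is forked, while the seccomp kill only happens when `/bin/echo` makes its first filtered system call; the script could then see `active` for will-fail.service and exit 1 for the wrong reason. Giving the three units `Type=oneshot` makes `start` block until the process has exited, so the state is final when it is inspected; a comment above the checks such as `# the units are Type=oneshot, so 'start' has waited for exit and the state below is final` records that dependency. The `start` results are also discarded: if will-not-fail.service cannot be loaded at all, `is-failed` does not print `failed`, the `&& exit 1` does not fire, and `/testok` is still created; `systemctl start will-not-fail.service || exit 1` (and likewise for will-not-fail2) would catch that case.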
>> diff --git a/test/TEST-04-SECCOMP/test.sh b/test/TEST-04-SECCOMP/test.sh
>> new file mode 100755
>> index 0000000..c29192e
>> --- /dev/null
>> +++ b/test/TEST-04-SECCOMP/test.sh
>> @@ -0,0 +1,79 @@
>> +#!/bin/bash
>> +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
>> +# ex: ts=8 sw=4 sts=4 et filetype=sh
>> +TEST_DESCRIPTION="seccomp tests"
>> +
>> +. $TEST_BASE_DIR/test-functions
>> +
>> +check_result_qemu() {
>> +    ret=1
>> +    mkdir -p $TESTDIR/root
>> +    mount ${LOOPDEV}p1 $TESTDIR/root
>> +    [[ -e $TESTDIR/root/testok ]] && ret=0
>> +    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
>> +    cp -a $TESTDIR/root/var/log/journal $TESTDIR
>> +    umount $TESTDIR/root
>> +    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
>> +    ls -l $TESTDIR/journal/*/*.journal
>> +    test -s $TESTDIR/failed && ret=$(($ret+1))
>> +    return $ret
>> +}
>> +
>> +test_run() {
>> +    if run_qemu; then
>> +        check_result_qemu || return 1
>> +    else
>> +        dwarn "can't run QEMU, skipping"
>> +    fi
>> +    if check_nspawn; then
>> +        run_nspawn
>> +        check_result_nspawn || return 1
>> +    else
>> +        dwarn "can't run systemd-nspawn, skipping"
>> +    fi
>> +    return 0
>> +}
>> +
>> +test_setup() {
>> +    create_empty_image
>> +    mkdir -p $TESTDIR/root
>> +    mount ${LOOPDEV}p1 $TESTDIR/root
>> +
>> +    # Create what will eventually be our root filesystem onto an overlay
>> +    (
>> +        LOG_LEVEL=5
>> +        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
>> +
>> +        setup_basic_environment
>> +
>> +        # setup the testsuite service
>> +        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
>> +[Unit]
>> +Description=Testsuite service
>> +After=multi-user.target
>> +
>> +[Service]
>> +ExecStart=/test-seccomp.sh
>> +Type=oneshot
>> +EOF
>> +
>> +        # copy the units used by this test
>> +        cp {will-fail,will-not-fail,will-not-fail2}.service \
>> +            $initdir/etc/systemd/system
>> +        cp test-seccomp.sh $initdir/
>> +
>> +        setup_testsuite
>> +    )
>> +    setup_nspawn_root
>> +
>> +    ddebug "umount $TESTDIR/root"
>> +    umount $TESTDIR/root
>> +}
>> +
>> +test_cleanup() {
>> +    umount $TESTDIR/root 2>/dev/null
>> +    [[ $LOOPDEV ]] && losetup -d $LOOPDEV
>> +    return 0
>> +}
>> +
>> +do_test "$@"
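Review bot: In check_result_qemu the result of `mount ${LOOPDEV}p1 $TESTDIR/root` is not checked, so a failed mount still runs the copies and `umount` against an empty directory and the return value then depends on whatever `$TESTDIR/testok` or `$TESTDIR/failed` was left by an earlier run; `mount "${LOOPDEV}p1" "$TESTDIR/root" || return 1` stops it there. `ret` is assigned without `local` and so leaks into the caller's scope; `local ret=1` keeps it to the function. The same unchecked mount appears in test_setup before the overlay subshell, and the unquoted `$TESTDIR` expansions throughout both functions would be worth quoting since the directory comes from test-functions, which is outside this patch.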
>> diff --git a/test/TEST-04-SECCOMP/will-fail.service b/test/TEST-04-SECCOMP/will-fail.service
>> new file mode 100644
>> index 0000000..18e034e
>> --- /dev/null
>> +++ b/test/TEST-04-SECCOMP/will-fail.service
>> @@ -0,0 +1,6 @@
>> +[Unit]
>> +Description=Will fail
>> +
>> +[Service]
>> +ExecStart=/bin/echo "This should not be seen"
>> +SystemCallFilter=ioperm
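Review bot: The unit's expected failure is not documented anywhere in the file: `SystemCallFilter=ioperm` without `~` is an allow-list containing only ioperm, so `/bin/echo` is expected to be killed on its first other system call rather than to exit non-zero. A comment above the directive, `# Allow-list of only ioperm: echo is killed on its first denied syscall, so this unit must end up failed`, makes that intent readable without consulting test-seccomp.sh, and the same one-line explanation in will-not-fail.service (deny-list of ioctl) and will-not-fail2.service (empty value resets the filter) would document why those two must succeed.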
>> diff --git a/test/TEST-04-SECCOMP/will-not-fail.service b/test/TEST-04-SECCOMP/will-not-fail.service
>> new file mode 100644
>> index 0000000..c56797f
>> --- /dev/null
>> +++ b/test/TEST-04-SECCOMP/will-not-fail.service
>> @@ -0,0 +1,6 @@
>> +[Unit]
>> +Description=Will not fail
>> +
>> +[Service]
>> +ExecStart=/bin/echo "Foo bar"
>> +SystemCallFilter=~ioctl
>> diff --git a/test/TEST-04-SECCOMP/will-not-fail2.service b/test/TEST-04-SECCOMP/will-not-fail2.service
>> new file mode 100644
>> index 0000000..2df05e3
>> --- /dev/null
>> +++ b/test/TEST-04-SECCOMP/will-not-fail2.service
>> @@ -0,0 +1,6 @@
>> +[Unit]
>> +Description=Reset SystemCallFilter
>> +
>> +[Service]
>> +ExecStart=/bin/echo "Foo bar"
>> +SystemCallFilter=
>> --
>> 1.8.5.3
>>

