#!/usr/bin/env python # Unit tests for genseccomp.py import cStringIO import textwrap import unittest import genseccomp class TestGenseccomp(unittest.TestCase): def setUp(self): genseccomp.set_dir() def get_config(self, arch): for i in genseccomp.POLICY_CONFIGS: if i[0] == arch: return i self.fail("No such architecture") def get_headers(self, arch): return self.get_config(arch)[1] def get_switches(self, arch): return self.get_config(arch)[2] def test_get_names(self): bionic = cStringIO.StringIO(textwrap.dedent("""\ int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,mips,x86 int fchown:fchown(int, uid_t, gid_t) arm64,mips,mips64,x86_64 """)) whitelist = cStringIO.StringIO(textwrap.dedent("""\ ssize_t read(int, void*, size_t) all """)) empty = cStringIO.StringIO(textwrap.dedent("""\ """)) names = genseccomp.get_names([bionic, whitelist, empty], "arm") bionic.seek(0) whitelist.seek(0) empty.seek(0) names64 = genseccomp.get_names([bionic, whitelist, empty], "arm64") bionic.seek(0) whitelist.seek(0) empty.seek(0) self.assertIn("fchown", names64) self.assertNotIn("fchown", names) self.assertIn("_llseek", names) self.assertNotIn("_llseek", names64) self.assertIn("read", names) self.assertIn("read", names64) # Blacklist item must be in bionic blacklist = cStringIO.StringIO(textwrap.dedent("""\ int fchown2:fchown2(int, uid_t, gid_t) arm64,mips,mips64,x86_64 """)) with self.assertRaises(RuntimeError): genseccomp.get_names([bionic, whitelist, blacklist], "arm") bionic.seek(0) whitelist.seek(0) blacklist.seek(0) # Test blacklist item is removed blacklist = cStringIO.StringIO(textwrap.dedent("""\ int fchown:fchown(int, uid_t, gid_t) arm64,mips,mips64,x86_64 """)) names = genseccomp.get_names([bionic, whitelist, blacklist], "arm64") bionic.seek(0) whitelist.seek(0) blacklist.seek(0) self.assertIn("read", names) self.assertNotIn("fchown", names) # Blacklist item must not be in whitelist whitelist = cStringIO.StringIO(textwrap.dedent("""\ int fchown:fchown(int, uid_t, gid_t) arm64,mips,mips64,x86_64 """)) with self.assertRaises(RuntimeError): genseccomp.get_names([empty, whitelist, blacklist], "arm") empty.seek(0) whitelist.seek(0) blacklist.seek(0) # No dups in bionic and whitelist whitelist = cStringIO.StringIO(textwrap.dedent("""\ int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,mips,x86 """)) with self.assertRaises(RuntimeError): genseccomp.get_names([bionic, whitelist, empty], "arm") bionic.seek(0) whitelist.seek(0) empty.seek(0) def test_convert_names_to_NRs(self): self.assertEquals(genseccomp.convert_names_to_NRs(["open"], self.get_headers("arm"), self.get_switches("arm")), [("open", 5)]) self.assertEquals(genseccomp.convert_names_to_NRs(["__ARM_NR_set_tls"], self.get_headers("arm"), self.get_switches("arm")), [('__ARM_NR_set_tls', 983045)]) self.assertEquals(genseccomp.convert_names_to_NRs(["openat"], self.get_headers("arm64"), self.get_switches("arm64")), [("openat", 56)]) self.assertEquals(genseccomp.convert_names_to_NRs(["openat"], self.get_headers("x86"), self.get_switches("x86")), [("openat", 295)]) self.assertEquals(genseccomp.convert_names_to_NRs(["openat"], self.get_headers("x86_64"), self.get_switches("x86_64")), [("openat", 257)]) self.assertEquals(genseccomp.convert_names_to_NRs(["openat"], self.get_headers("mips"), self.get_switches("mips")), [("openat", 4288)]) self.assertEquals(genseccomp.convert_names_to_NRs(["openat"], self.get_headers("mips64"), self.get_switches("mips64")), [("openat", 5247)]) def test_convert_NRs_to_ranges(self): ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)]) self.assertEquals(len(ranges), 1) self.assertEquals(ranges[0].begin, 1) self.assertEquals(ranges[0].end, 3) self.assertItemsEqual(ranges[0].names, ["a", "b"]) ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)]) self.assertEquals(len(ranges), 2) self.assertEquals(ranges[0].begin, 1) self.assertEquals(ranges[0].end, 2) self.assertItemsEqual(ranges[0].names, ["a"]) self.assertEquals(ranges[1].begin, 3) self.assertEquals(ranges[1].end, 4) self.assertItemsEqual(ranges[1].names, ["b"]) def test_convert_to_intermediate_bpf(self): ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)]) bpf = genseccomp.convert_to_intermediate_bpf(ranges) self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, {fail}, {allow}), //a|b']) ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)]) bpf = genseccomp.convert_to_intermediate_bpf(ranges) self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),', 'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, {fail}, {allow}), //a', 'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, {fail}, {allow}), //b']) def test_convert_ranges_to_bpf(self): ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)]) bpf = genseccomp.convert_ranges_to_bpf(ranges) self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),', 'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b', 'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),']) ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)]) bpf = genseccomp.convert_ranges_to_bpf(ranges) self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),', 'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),', 'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a', 'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b', 'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),']) def test_convert_bpf_to_output(self): output = genseccomp.convert_bpf_to_output(["line1", "line2"], "arm") expected_output = textwrap.dedent("""\ // Autogenerated file - edit at your peril!! #include #include #include "seccomp_bpfs.h" const sock_filter arm_filter[] = { line1 line2 }; const size_t arm_filter_size = sizeof(arm_filter) / sizeof(struct sock_filter); """) self.assertEquals(output, expected_output) def test_construct_bpf(self): syscalls = cStringIO.StringIO(textwrap.dedent("""\ int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,mips,x86 int fchown:fchown(int, uid_t, gid_t) arm64,mips,mips64,x86_64 """)) whitelist = cStringIO.StringIO(textwrap.dedent("""\ ssize_t read(int, void*, size_t) all """)) blacklist = cStringIO.StringIO(textwrap.dedent("""\ """)) syscall_files = [syscalls, whitelist, blacklist] output = genseccomp.construct_bpf(syscall_files, "arm", self.get_headers("arm"), self.get_switches("arm")) expected_output = textwrap.dedent("""\ // Autogenerated file - edit at your peril!! #include #include #include "seccomp_bpfs.h" const sock_filter arm_filter[] = { BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 4), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0), BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 1, 0), //_llseek BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), }; const size_t arm_filter_size = sizeof(arm_filter) / sizeof(struct sock_filter); """) self.assertEquals(output, expected_output) if __name__ == '__main__': unittest.main()