author | Ronny Chevalier <chevalier.ronny@gmail.com> | 2014-02-14 17:21:41 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-02-14 19:00:32 -0500 |
commit | f928d3263d788da8dec64f06c792988b6076e600 (patch) | |
tree | f8b7f989cc2315259b02a9556da7db08d381e931 /test/TEST-04-SECCOMP | |
parent | 8f9c6fe5ff1d59001aecbf3fbf9ca0ed7ff28ba7 (diff) |
test: add basic seccomp tests
Diffstat (limited to 'test/TEST-04-SECCOMP')
l--------- | test/TEST-04-SECCOMP/Makefile | 1 | ||||
-rwxr-xr-x | test/TEST-04-SECCOMP/test-seccomp.sh | 13 | ||||
-rwxr-xr-x | test/TEST-04-SECCOMP/test.sh | 79 | ||||
-rw-r--r-- | test/TEST-04-SECCOMP/will-fail.service | 8 | ||||
-rw-r--r-- | test/TEST-04-SECCOMP/will-fail2.service | 6 | ||||
-rw-r--r-- | test/TEST-04-SECCOMP/will-not-fail.service | 9 | ||||
-rw-r--r-- | test/TEST-04-SECCOMP/will-not-fail2.service | 6 |
7 files changed, 122 insertions, 0 deletions
diff --git a/test/TEST-04-SECCOMP/Makefile b/test/TEST-04-SECCOMP/Makefile
new file mode 120000
index 0000000000..e9f93b1104
--- /dev/null
+++ b/test/TEST-04-SECCOMP/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-04-SECCOMP/test-seccomp.sh b/test/TEST-04-SECCOMP/test-seccomp.sh
new file mode 100755
index 0000000000..2496190445
--- /dev/null
+++ b/test/TEST-04-SECCOMP/test-seccomp.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -x
+
+systemctl start will-fail.service
+systemctl start will-fail2.service
+systemctl start will-not-fail.service
+systemctl start will-not-fail2.service
+systemctl is-failed will-fail.service || exit 1
+systemctl is-failed will-fail2.service || exit 1
+systemctl is-failed will-not-fail.service && exit 1
+systemctl is-failed will-not-fail2.service && exit 1
+
+touch /testok
+exit 0
diff --git a/test/TEST-04-SECCOMP/test.sh b/test/TEST-04-SECCOMP/test.sh
new file mode 100755
index 0000000000..a85b50cca2
--- /dev/null
+++ b/test/TEST-04-SECCOMP/test.sh
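Review bot: The `systemctl is-failed will-fail.service || exit 1` check (and the matching one for will-fail2) accepts any kind of failure, so the test also passes when the unit fails for a reason unrelated to the syscall filter, such as a missing or non-executable binary. Since the point of the test is to prove the filter is enforced, also assert how the main process ended, for example `systemctl show -p Result will-fail.service | grep -qE '^Result=(signal|core-dump)$' || exit 1`; which of the two values appears presumably depends on whether the kill leaves a core, so confirm on the test image. The units also appear to be started without waiting for the main process to exit, so it is worth confirming that `is-failed` cannot run before `/bin/echo` has been killed or has finished, otherwise the two `&& exit 1` checks could pass too early.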
@@ -0,0 +1,79 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+TEST_DESCRIPTION="seccomp tests"
+
+. $TEST_BASE_DIR/test-functions
+
+check_result_qemu() {
+ ret=1
+ mkdir -p $TESTDIR/root
+ mount ${LOOPDEV}p1 $TESTDIR/root
+ [[ -e $TESTDIR/root/testok ]] && ret=0
+ [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
+ cp -a $TESTDIR/root/var/log/journal $TESTDIR
+ umount $TESTDIR/root
+ [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
+ ls -l $TESTDIR/journal/*/*.journal
+ test -s $TESTDIR/failed && ret=$(($ret+1))
+ return $ret
+}
+
+test_run() {
+ if run_qemu; then
+ check_result_qemu || return 1
+ else
+ dwarn "can't run QEMU, skipping"
+ fi
+ if check_nspawn; then
+ run_nspawn
+ check_result_nspawn || return 1
+ else
+ dwarn "can't run systemd-nspawn, skipping"
+ fi
+ return 0
+}
+
+test_setup() {
+ create_empty_image
+ mkdir -p $TESTDIR/root
+ mount ${LOOPDEV}p1 $TESTDIR/root
+
+ # Create what will eventually be our root filesystem onto an overlay
+ (
+ LOG_LEVEL=5
+ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+ setup_basic_environment
+
+ # setup the testsuite service
+ cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+After=multi-user.target
+
+[Service]
+ExecStart=/test-seccomp.sh
+Type=oneshot
+EOF
+
+ # copy the units used by this test
+ cp {will-fail,will-fail2,will-not-fail,will-not-fail2}.service \
+ $initdir/etc/systemd/system
+ cp test-seccomp.sh $initdir/
+
+ setup_testsuite
+ )
+ setup_nspawn_root
+
+ ddebug "umount $TESTDIR/root"
+ umount $TESTDIR/root
+}
+
+test_cleanup() {
+ umount $TESTDIR/root 2>/dev/null
+ [[ $LOOPDEV ]] && losetup -d $LOOPDEV
+ return 0
+}
+
+do_test "$@"
diff --git a/test/TEST-04-SECCOMP/will-fail.service b/test/TEST-04-SECCOMP/will-fail.service
new file mode 100644
index 0000000000..c4e0be90f2
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-fail.service
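Review bot: Every `$TESTDIR`, `$LOOPDEV` and `$initdir` expansion in `check_result_qemu`, `test_setup` and `test_cleanup` is unquoted and unguarded, and these functions run `mount`, `umount`, `cp -a` and `losetup -d` on them. If `TESTDIR` were ever empty, `mount ${LOOPDEV}p1 $TESTDIR/root` would target `/root` on the host; whether test-functions guarantees the variable is set is not visible from this hunk. Quoting with a guard, e.g. `mount "${LOOPDEV:?}p1" "${TESTDIR:?}/root"`, makes the script stop instead of acting on the wrong path. The `eval $(udevadm info ...)` line in `test_setup` is likewise safer quoted, as `eval "$(udevadm info --export --query=env --name="${LOOPDEV}p2")"`.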
@@ -0,0 +1,8 @@
+[Unit]
+Description=Will fail
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=ioperm
+SystemCallFilter=~ioperm
+SystemCallFilter=ioperm
diff --git a/test/TEST-04-SECCOMP/will-fail2.service b/test/TEST-04-SECCOMP/will-fail2.service
new file mode 100644
index 0000000000..f7f1ae9077
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-fail2.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Will fail 2
+
+[Service]
+ExecStart=/bin/echo "This should not be seen"
+SystemCallFilter=~write open execve exit_group close mmap munmap fstat DONOTEXIST
diff --git a/test/TEST-04-SECCOMP/will-not-fail.service b/test/TEST-04-SECCOMP/will-not-fail.service
new file mode 100644
index 0000000000..5c1b59456e
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-not-fail.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Will not fail
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter=~read write open execve ioperm
+SystemCallFilter=ioctl
+SystemCallFilter=read write open execve
+SystemCallFilter=~ioperm
diff --git a/test/TEST-04-SECCOMP/will-not-fail2.service b/test/TEST-04-SECCOMP/will-not-fail2.service
new file mode 100644
index 0000000000..2df05e33e8
--- /dev/null
+++ b/test/TEST-04-SECCOMP/will-not-fail2.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Reset SystemCallFilter
+
+[Service]
+ExecStart=/bin/echo "Foo bar"
+SystemCallFilter= |
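Review bot: Nothing in will-fail.service says what filter the three stacked `SystemCallFilter=` lines are expected to produce, so a reader cannot tell which merge rule the test pins down. As I read it the list ends as an allow-list holding only `ioperm`, which is why `/bin/echo` must be killed; a comment such as `# allow-list {ioperm}, removed, then added again: only ioperm is permitted, so echo cannot run` above the lines would record that, if that reading is right. will-not-fail.service has the same gap for its four lines, and will-fail2.service could state that `DONOTEXIST` is there to check that an unknown name does not void the rest of the deny-list.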
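Review bot: will-not-fail2.service is described as resetting `SystemCallFilter`, but its only filter line is the empty assignment, so there is no earlier filter for it to clear. The unit would pass just the same if the empty assignment were a no-op. Putting a restrictive line first, e.g. `SystemCallFilter=ioperm` followed by `SystemCallFilter=`, would make the test fail when the reset does not happen.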