diff options
Diffstat (limited to 'plugin/rpcplugin/sandbox/seccomp_linux_test.go')
| -rw-r--r-- | plugin/rpcplugin/sandbox/seccomp_linux_test.go | 210 |
1 files changed, 0 insertions, 210 deletions
diff --git a/plugin/rpcplugin/sandbox/seccomp_linux_test.go b/plugin/rpcplugin/sandbox/seccomp_linux_test.go deleted file mode 100644 index 46fe38fe0..000000000 --- a/plugin/rpcplugin/sandbox/seccomp_linux_test.go +++ /dev/null @@ -1,210 +0,0 @@ -// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved. -// See License.txt for license information. - -package sandbox - -import ( - "encoding/binary" - "syscall" - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - "golang.org/x/net/bpf" -) - -func seccompData(nr int32, arch uint32, ip uint64, args ...uint64) []byte { - var buf [64]byte - binary.BigEndian.PutUint32(buf[0:], uint32(nr)) - binary.BigEndian.PutUint32(buf[4:], arch) - binary.BigEndian.PutUint64(buf[8:], ip) - for i := 0; i < 6 && i < len(args); i++ { - binary.BigEndian.PutUint64(buf[16+i*8:], args[i]) - } - return buf[:] -} - -func TestSeccompFilter(t *testing.T) { - for name, tc := range map[string]struct { - Filter []bpf.Instruction - Data []byte - Expected bool - }{ - "Allowed": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - {Syscall: syscall.SYS_READ}, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_READ, 0xf00, 0), - Expected: true, - }, - "AllFail": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - { - Syscall: syscall.SYS_READ, - Any: []SeccompConditions{ - {All: []SeccompCondition{ - &SeccompArgHasAnyBit{Arg: 0, Mask: 2}, - &SeccompArgHasAnyBit{Arg: 1, Mask: 2}, - &SeccompArgHasAnyBit{Arg: 2, Mask: 2}, - &SeccompArgHasAnyBit{Arg: 3, Mask: 2}, - }}, - }, - }, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_READ, 0xf00, 0, 1, 2, 3, 4), - Expected: false, - }, - "AllPass": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - { - Syscall: syscall.SYS_READ, - Any: []SeccompConditions{ - {All: []SeccompCondition{ - &SeccompArgHasAnyBit{Arg: 0, Mask: 7}, - &SeccompArgHasAnyBit{Arg: 1, Mask: 7}, - &SeccompArgHasAnyBit{Arg: 2, Mask: 7}, - &SeccompArgHasAnyBit{Arg: 3, Mask: 7}, - }}, - }, - }, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_READ, 0xf00, 0, 1, 2, 3, 4), - Expected: true, - }, - "AnyFail": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - { - Syscall: syscall.SYS_READ, - Any: []SeccompConditions{ - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 0, Mask: 8}}}, - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 1, Mask: 8}}}, - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 2, Mask: 8}}}, - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 3, Mask: 8}}}, - }, - }, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_READ, 0xf00, 0, 1, 2, 3, 4), - Expected: false, - }, - "AnyPass": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - { - Syscall: syscall.SYS_READ, - Any: []SeccompConditions{ - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 0, Mask: 2}}}, - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 1, Mask: 2}}}, - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 2, Mask: 2}}}, - {All: []SeccompCondition{&SeccompArgHasAnyBit{Arg: 3, Mask: 2}}}, - }, - }, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_READ, 0xf00, 0, 1, 2, 3, 4), - Expected: true, - }, - "BadArch": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - {Syscall: syscall.SYS_READ}, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_MOUNT, 0xf01, 0), - Expected: false, - }, - "BadSyscall": { - Filter: SeccompFilter(0xf00, []SeccompSyscall{ - {Syscall: syscall.SYS_READ}, - {Syscall: syscall.SYS_WRITE}, - }), - Data: seccompData(syscall.SYS_MOUNT, 0xf00, 0), - Expected: false, - }, - } { - t.Run(name, func(t *testing.T) { - vm, err := bpf.NewVM(tc.Filter) - require.NoError(t, err) - result, err := vm.Run(tc.Data) - require.NoError(t, err) - if tc.Expected { - assert.Equal(t, SECCOMP_RET_ALLOW, result) - } else { - assert.Equal(t, int(SECCOMP_RET_ERRNO|syscall.EPERM), result) - } - }) - } -} - -func TestSeccompFilter_Conditions(t *testing.T) { - for name, tc := range map[string]struct { - Condition SeccompCondition - Args []uint64 - Expected bool - }{ - "ArgHasAnyBitFail": { - Condition: SeccompArgHasAnyBit{Arg: 0, Mask: 0x0004}, - Args: []uint64{0x0400008000}, - Expected: false, - }, - "ArgHasAnyBitPass1": { - Condition: SeccompArgHasAnyBit{Arg: 0, Mask: 0x400000004}, - Args: []uint64{0x8000008004}, - Expected: true, - }, - "ArgHasAnyBitPass2": { - Condition: SeccompArgHasAnyBit{Arg: 0, Mask: 0x400000004}, - Args: []uint64{0x8400008000}, - Expected: true, - }, - "ArgHasNoBitsFail1": { - Condition: SeccompArgHasNoBits{Arg: 0, Mask: 0x1100000011}, - Args: []uint64{0x0000008007}, - Expected: false, - }, - "ArgHasNoBitsFail2": { - Condition: SeccompArgHasNoBits{Arg: 0, Mask: 0x1100000011}, - Args: []uint64{0x0700008000}, - Expected: false, - }, - "ArgHasNoBitsPass": { - Condition: SeccompArgHasNoBits{Arg: 0, Mask: 0x400000004}, - Args: []uint64{0x8000008000}, - Expected: true, - }, - "ArgEqualsPass": { - Condition: SeccompArgEquals{Arg: 0, Value: 0x123456789ABCDEF}, - Args: []uint64{0x123456789ABCDEF}, - Expected: true, - }, - "ArgEqualsFail1": { - Condition: SeccompArgEquals{Arg: 0, Value: 0x123456789ABCDEF}, - Args: []uint64{0x023456789ABCDEF}, - Expected: false, - }, - "ArgEqualsFail2": { - Condition: SeccompArgEquals{Arg: 0, Value: 0x123456789ABCDEF}, - Args: []uint64{0x123456789ABCDE0}, - Expected: false, - }, - } { - t.Run(name, func(t *testing.T) { - filter := SeccompFilter(0xf00, []SeccompSyscall{ - { - Syscall: 1, - Any: []SeccompConditions{{All: []SeccompCondition{tc.Condition}}}, - }, - }) - vm, err := bpf.NewVM(filter) - require.NoError(t, err) - result, err := vm.Run(seccompData(1, 0xf00, 0, tc.Args...)) - require.NoError(t, err) - if tc.Expected { - assert.Equal(t, SECCOMP_RET_ALLOW, result) - } else { - assert.Equal(t, int(SECCOMP_RET_ERRNO|syscall.EPERM), result) - } - }) - } -} |