script_core 0.2.2 → 0.2.7

data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests

@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname		Arch	Syscall		Arg0		Arg1		Arg2	Arg3	Arg4	Arg5	Result
+34-sim-basic_denylist	all	read		0		0x856B008	10	N	N	N	KILL
+34-sim-basic_denylist	all	read		1-10		0x856B008	10	N	N	N	ALLOW
+34-sim-basic_denylist	all	write		1-2		0x856B008	10	N	N	N	KILL
+34-sim-basic_denylist	all	write		3-10		0x856B008	10	N	N	N	ALLOW
+34-sim-basic_denylist	all	close		N		N		N	N	N	N	KILL
+34-sim-basic_denylist	all	rt_sigreturn	N		N		N	N	N	N	KILL
+34-sim-basic_denylist	all	open		0x856B008	4		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	0-2		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	7-172		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	174-350		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86_64	4-14		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86_64	16-350		N		N		N	N	N	N	ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname		StressCount
+34-sim-basic_denylist	50
+
+test type: bpf-valgrind
+
+# Testname
+34-sim-basic_denylist

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c

@@ -51,6 +51,9 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 	rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
 	if (rc != 0)
 		goto out;
 

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py

@@ -34,6 +34,7 @@ def test(args):
     f.add_arch(Arch("x86"))
     f.add_arch(Arch("x86_64"))
     f.add_arch(Arch("x32"))
+    f.add_arch(Arch("ppc64le"))
     f.add_rule(ALLOW, "semop")
     f.add_rule(ALLOW, "semtimedop")
     f.add_rule(ALLOW, "semget")

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests

@@ -7,31 +7,31 @@
 
 test type: bpf-sim
 
-# Testname		Arch	Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
-36-sim-ipc_syscalls	+x86	ipc		1	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		2	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		3	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		4	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		11	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		12	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		13	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		14	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		21	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		22	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		23	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		24	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semop		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semctl		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semtimedop	N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgsnd		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgrcv		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgctl		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmat		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmdt		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmctl		N	N	N	N	N	N	ALLOW
+# Testname		Arch		Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		1	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		2	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		3	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		4	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		11	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		12	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		13	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		14	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		21	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		22	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		23	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		24	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semop		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semctl		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semtimedop	N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgsnd		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgrcv		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgctl		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmat		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmdt		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmctl		N	N	N	N	N	N	ALLOW
 
 test type: bpf-valgrind
 

data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c

@@ -54,14 +54,35 @@ int main(int argc, char *argv[])
 	if (api != 3)
 		return -7;
 
+	rc = seccomp_api_set(4);
+	if (rc != 0)
+		return -8;
+	api = seccomp_api_get();
+	if (api != 4)
+		return -9;
+
+	rc = seccomp_api_set(5);
+	if (rc != 0)
+		return -10;
+	api = seccomp_api_get();
+	if (api != 5)
+		return -11;
+
+	rc = seccomp_api_set(6);
+	if (rc != 0)
+		return -12;
+	api = seccomp_api_get();
+	if (api != 6)
+		return -13;
+
 	/* Attempt to set a high, invalid API level */
 	rc = seccomp_api_set(1024);
 	if (rc != -EINVAL)
-		return -8;
+		return -1001;
 	/* Ensure that the previously set API level didn't change */
 	api = seccomp_api_get();
-	if (api != 3)
-		return -9;
+	if (api != 6)
+		return -1002;
 
 	return 0;
 }

data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py

@@ -50,6 +50,21 @@ def test():
     if api != 3:
         raise RuntimeError("Failed getting API level 3")
 
+    set_api(4)
+    api = get_api()
+    if api != 4:
+        raise RuntimeError("Failed getting API level 4")
+
+    set_api(5)
+    api = get_api()
+    if api != 5:
+        raise RuntimeError("Failed getting API level 5")
+
+    set_api(6)
+    api = get_api()
+    if api != 6:
+        raise RuntimeError("Failed getting API level 6")
+
     # Attempt to set a high, invalid API level
     try:
         set_api(1024)
@@ -59,7 +74,7 @@ def test():
         raise RuntimeError("Missing failure when setting invalid API level")
     # Ensure that the previously set API level didn't change
     api = get_api()
-    if api != 3:
+    if api != 6:
         raise RuntimeError("Failed getting old API level after setting an invalid API level")
 
 test()

data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c

@@ -31,7 +31,7 @@
 #include "util.h"
 
 
-static const unsigned int whitelist[] = {
+static const unsigned int allowlist[] = {
 	SCMP_SYS(clone),
 	SCMP_SYS(exit),
 	SCMP_SYS(exit_group),
@@ -75,8 +75,8 @@ int main(int argc, char *argv[])
 	if (ctx == NULL)
 		return ENOMEM;
 
-	for (i = 0; i < sizeof(whitelist) / sizeof(whitelist[0]); i++) {
-		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, whitelist[i], 0);
+	for (i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++) {
+		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowlist[i], 0);
 		if (rc != 0)
 			goto out;
 	}

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c

@@ -0,0 +1,112 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <signal.h>
+#include <syscall.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include "util.h"
+
+#define MAGIC 0x1122334455667788UL
+
+int main(int argc, char *argv[])
+{
+	int rc, fd = -1, status;
+	struct seccomp_notif *req = NULL;
+	struct seccomp_notif_resp *resp = NULL;
+	scmp_filter_ctx ctx = NULL;
+	pid_t pid = 0;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+	if (rc)
+		goto out;
+
+	rc  = seccomp_load(ctx);
+	if (rc < 0)
+		goto out;
+
+	rc = seccomp_notify_fd(ctx);
+	if (rc < 0)
+		goto out;
+	fd = rc;
+
+	pid = fork();
+	if (pid == 0)
+		exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+
+	rc = seccomp_notify_alloc(&req, &resp);
+	if (rc)
+		goto out;
+
+	rc = seccomp_notify_receive(fd, req);
+	if (rc)
+		goto out;
+	if (req->data.nr != SCMP_SYS(getpid)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	rc = seccomp_notify_id_valid(fd, req->id);
+	if (rc)
+		goto out;
+
+	resp->id = req->id;
+	resp->val = MAGIC;
+	resp->error = 0;
+	resp->flags = 0;
+	rc = seccomp_notify_respond(fd, resp);
+	if (rc)
+		goto out;
+
+	if (waitpid(pid, &status, 0) != pid) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+	if (!WIFEXITED(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	if (WEXITSTATUS(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+out:
+	if (fd >= 0)
+		close(fd);
+	if (pid)
+		kill(pid, SIGKILL);
+	seccomp_notify_free(req, resp);
+	seccomp_release(ctx);
+
+	if (rc != 0)
+		return (rc < 0 ? -rc : rc);
+	return 160;
+}

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import signal
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+    magic = os.getuid() + 1
+    f = SyscallFilter(ALLOW)
+    f.add_rule(NOTIFY, "getuid")
+    f.load()
+    pid = os.fork()
+    if pid == 0:
+        val = os.getuid()
+        if val != magic:
+            raise RuntimeError("Response return value failed")
+            quit(1)
+        quit(0)
+    else:
+        notify = f.receive_notify()
+        if notify.syscall != resolve_syscall(Arch(), "getuid"):
+            raise RuntimeError("Notification failed")
+        f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+        wpid, rc = os.waitpid(pid, 0)
+        if os.WIFEXITED(rc) == 0:
+            raise RuntimeError("Child process error")
+        if os.WEXITSTATUS(rc) != 0:
+            raise RuntimeError("Child process error")
+        quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests

@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Cisco Systems 2019
+# Author: Tycho Andersen <tycho@tycho.ws>
+#
+
+test type: live
+
+# Testname			API	Result
+51-live-user_notification	5	ALLOW

data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c

@@ -0,0 +1,48 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	struct util_options opts;
+	scmp_filter_ctx ctx = NULL;
+
+	rc = util_getopt(argc, argv, &opts);
+	if (rc < 0)
+		goto out;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_load(ctx);
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}

data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+    f = SyscallFilter(ALLOW)
+    f.load()
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;