RubyGems - script_core - Versions diffs - 0.2.2 → 0.2.7 - Mend

script_core 0.2.2 → 0.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (376) hide show

data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.c → 34-sim-basic_denylist.c} RENAMED

File without changes

data/ext/enterprise_script_service/libseccomp/tests/{34-sim-basic_blacklist.py → 34-sim-basic_denylist.py} RENAMED

File without changes

data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests ADDED

@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+test type: bpf-sim
+# Testname		Arch	Syscall		Arg0		Arg1		Arg2	Arg3	Arg4	Arg5	Result
+34-sim-basic_denylist	all	read		0		0x856B008	10	N	N	N	KILL
+34-sim-basic_denylist	all	read		1-10		0x856B008	10	N	N	N	ALLOW
+34-sim-basic_denylist	all	write		1-2		0x856B008	10	N	N	N	KILL
+34-sim-basic_denylist	all	write		3-10		0x856B008	10	N	N	N	ALLOW
+34-sim-basic_denylist	all	close		N		N		N	N	N	N	KILL
+34-sim-basic_denylist	all	rt_sigreturn	N		N		N	N	N	N	KILL
+34-sim-basic_denylist	all	open		0x856B008	4		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	0-2		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	7-172		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	174-350		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86_64	4-14		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86_64	16-350		N		N		N	N	N	N	ALLOW
+test type: bpf-sim-fuzz
+# Testname		StressCount
+34-sim-basic_denylist	50
+test type: bpf-valgrind
+# Testname
+34-sim-basic_denylist

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c CHANGED

@@ -51,6 +51,9 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 	rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
 	if (rc != 0)
 		goto out;

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py CHANGED

@@ -34,6 +34,7 @@ def test(args):
     f.add_arch(Arch("x86"))
     f.add_arch(Arch("x86_64"))
     f.add_arch(Arch("x32"))
+    f.add_arch(Arch("ppc64le"))
     f.add_rule(ALLOW, "semop")
     f.add_rule(ALLOW, "semtimedop")
     f.add_rule(ALLOW, "semget")

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests CHANGED

@@ -7,31 +7,31 @@
 test type: bpf-sim
-# Testname		Arch	Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
-36-sim-ipc_syscalls	+x86	ipc		1	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		2	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		3	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		4	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		11	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		12	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		13	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		14	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		21	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		22	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		23	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		24	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semop		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semctl		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semtimedop	N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgsnd		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgrcv		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgctl		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmat		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmdt		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmctl		N	N	N	N	N	N	ALLOW
+# Testname		Arch		Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		1	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		2	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		3	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		4	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		11	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		12	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		13	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		14	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		21	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		22	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		23	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		24	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semop		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semctl		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semtimedop	N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgsnd		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgrcv		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgctl		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmat		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmdt		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmctl		N	N	N	N	N	N	ALLOW
 test type: bpf-valgrind

data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c CHANGED

@@ -54,14 +54,35 @@ int main(int argc, char *argv[])
 	if (api != 3)
 		return -7;
+	rc = seccomp_api_set(4);
+	if (rc != 0)
+		return -8;
+	api = seccomp_api_get();
+	if (api != 4)
+		return -9;
+	rc = seccomp_api_set(5);
+	if (rc != 0)
+		return -10;
+	api = seccomp_api_get();
+	if (api != 5)
+		return -11;
+	rc = seccomp_api_set(6);
+	if (rc != 0)
+		return -12;
+	api = seccomp_api_get();
+	if (api != 6)
+		return -13;
 	/* Attempt to set a high, invalid API level */
 	rc = seccomp_api_set(1024);
 	if (rc != -EINVAL)
-		return -8;
+		return -1001;
 	/* Ensure that the previously set API level didn't change */
 	api = seccomp_api_get();
-	if (api != 3)
-		return -9;
+	if (api != 6)
+		return -1002;
 	return 0;
 }

data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py CHANGED

@@ -50,6 +50,21 @@ def test():
     if api != 3:
         raise RuntimeError("Failed getting API level 3")
+    set_api(4)
+    api = get_api()
+    if api != 4:
+        raise RuntimeError("Failed getting API level 4")
+    set_api(5)
+    api = get_api()
+    if api != 5:
+        raise RuntimeError("Failed getting API level 5")
+    set_api(6)
+    api = get_api()
+    if api != 6:
+        raise RuntimeError("Failed getting API level 6")
     # Attempt to set a high, invalid API level
     try:
         set_api(1024)
@@ -59,7 +74,7 @@ def test():
         raise RuntimeError("Missing failure when setting invalid API level")
     # Ensure that the previously set API level didn't change
     api = get_api()
-    if api != 3:
+    if api != 6:
         raise RuntimeError("Failed getting old API level after setting an invalid API level")
 test()

data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c CHANGED

@@ -31,7 +31,7 @@
 #include "util.h"
-static const unsigned int whitelist[] = {
+static const unsigned int allowlist[] = {
 	SCMP_SYS(clone),
 	SCMP_SYS(exit),
 	SCMP_SYS(exit_group),
@@ -75,8 +75,8 @@ int main(int argc, char *argv[])
 	if (ctx == NULL)
 		return ENOMEM;
-	for (i = 0; i < sizeof(whitelist) / sizeof(whitelist[0]); i++) {
-		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, whitelist[i], 0);
+	for (i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++) {
+		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowlist[i], 0);
 		if (rc != 0)
 			goto out;
 	}

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c ADDED

@@ -0,0 +1,112 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <signal.h>
+#include <syscall.h>
+#include <errno.h>
+#include <stdlib.h>
+#include "util.h"
+#define MAGIC 0x1122334455667788UL
+int main(int argc, char *argv[])
+{
+	int rc, fd = -1, status;
+	struct seccomp_notif *req = NULL;
+	struct seccomp_notif_resp *resp = NULL;
+	scmp_filter_ctx ctx = NULL;
+	pid_t pid = 0;
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+	rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+	if (rc)
+		goto out;
+	rc  = seccomp_load(ctx);
+	if (rc < 0)
+		goto out;
+	rc = seccomp_notify_fd(ctx);
+	if (rc < 0)
+		goto out;
+	fd = rc;
+	pid = fork();
+	if (pid == 0)
+		exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+	rc = seccomp_notify_alloc(&req, &resp);
+	if (rc)
+		goto out;
+	rc = seccomp_notify_receive(fd, req);
+	if (rc)
+		goto out;
+	if (req->data.nr != SCMP_SYS(getpid)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	rc = seccomp_notify_id_valid(fd, req->id);
+	if (rc)
+		goto out;
+	resp->id = req->id;
+	resp->val = MAGIC;
+	resp->error = 0;
+	resp->flags = 0;
+	rc = seccomp_notify_respond(fd, resp);
+	if (rc)
+		goto out;
+	if (waitpid(pid, &status, 0) != pid) {
+		rc = -EFAULT;
+		goto out;
+	}
+	if (!WIFEXITED(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	if (WEXITSTATUS(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+out:
+	if (fd >= 0)
+		close(fd);
+	if (pid)
+		kill(pid, SIGKILL);
+	seccomp_notify_free(req, resp);
+	seccomp_release(ctx);
+	if (rc != 0)
+		return (rc < 0 ? -rc : rc);
+	return 160;
+}

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py ADDED

@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+import argparse
+import os
+import signal
+import sys
+import util
+from seccomp import *
+def test():
+    magic = os.getuid() + 1
+    f = SyscallFilter(ALLOW)
+    f.add_rule(NOTIFY, "getuid")
+    f.load()
+    pid = os.fork()
+    if pid == 0:
+        val = os.getuid()
+        if val != magic:
+            raise RuntimeError("Response return value failed")
+            quit(1)
+        quit(0)
+    else:
+        notify = f.receive_notify()
+        if notify.syscall != resolve_syscall(Arch(), "getuid"):
+            raise RuntimeError("Notification failed")
+        f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+        wpid, rc = os.waitpid(pid, 0)
+        if os.WIFEXITED(rc) == 0:
+            raise RuntimeError("Child process error")
+        if os.WEXITSTATUS(rc) != 0:
+            raise RuntimeError("Child process error")
+        quit(160)
+test()
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests ADDED

@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Cisco Systems 2019
+# Author: Tycho Andersen <tycho@tycho.ws>
+#
+test type: live
+# Testname			API	Result
+51-live-user_notification	5	ALLOW

data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.c ADDED

@@ -0,0 +1,48 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+#include <errno.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include "util.h"
+int main(int argc, char *argv[])
+{
+	int rc;
+	struct util_options opts;
+	scmp_filter_ctx ctx = NULL;
+	rc = util_getopt(argc, argv, &opts);
+	if (rc < 0)
+		goto out;
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+	rc = seccomp_load(ctx);
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}

data/ext/enterprise_script_service/libseccomp/tests/52-basic-load.py ADDED

@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+import argparse
+import sys
+import util
+from seccomp import *
+def test():
+    f = SyscallFilter(ALLOW)
+    f.load()
+test()
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;