script_core 0.2.6 → 0.2.7

data/ext/enterprise_script_service/libseccomp/tests/34-sim-basic_denylist.tests

@@ -0,0 +1,32 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2013 Red Hat <pmoore@redhat.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: bpf-sim
+
+# Testname		Arch	Syscall		Arg0		Arg1		Arg2	Arg3	Arg4	Arg5	Result
+34-sim-basic_denylist	all	read		0		0x856B008	10	N	N	N	KILL
+34-sim-basic_denylist	all	read		1-10		0x856B008	10	N	N	N	ALLOW
+34-sim-basic_denylist	all	write		1-2		0x856B008	10	N	N	N	KILL
+34-sim-basic_denylist	all	write		3-10		0x856B008	10	N	N	N	ALLOW
+34-sim-basic_denylist	all	close		N		N		N	N	N	N	KILL
+34-sim-basic_denylist	all	rt_sigreturn	N		N		N	N	N	N	KILL
+34-sim-basic_denylist	all	open		0x856B008	4		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	0-2		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	7-172		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86	174-350		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86_64	4-14		N		N		N	N	N	N	ALLOW
+34-sim-basic_denylist	x86_64	16-350		N		N		N	N	N	N	ALLOW
+
+test type: bpf-sim-fuzz
+
+# Testname		StressCount
+34-sim-basic_denylist	50
+
+test type: bpf-valgrind
+
+# Testname
+34-sim-basic_denylist

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.c

@@ -51,6 +51,9 @@ int main(int argc, char *argv[])
 	if (rc != 0)
 		goto out;
 	rc = seccomp_arch_add(ctx, SCMP_ARCH_X32);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
 	if (rc != 0)
 		goto out;
 

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.py

@@ -34,6 +34,7 @@ def test(args):
     f.add_arch(Arch("x86"))
     f.add_arch(Arch("x86_64"))
     f.add_arch(Arch("x32"))
+    f.add_arch(Arch("ppc64le"))
     f.add_rule(ALLOW, "semop")
     f.add_rule(ALLOW, "semtimedop")
     f.add_rule(ALLOW, "semget")

data/ext/enterprise_script_service/libseccomp/tests/36-sim-ipc_syscalls.tests

@@ -7,31 +7,31 @@
 
 test type: bpf-sim
 
-# Testname		Arch	Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
-36-sim-ipc_syscalls	+x86	ipc		1	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		2	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		3	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		4	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		11	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		12	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		13	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		14	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		21	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		22	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		23	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86	ipc		24	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semop		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semctl		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	semtimedop	N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgsnd		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgrcv		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	msgctl		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmat		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmdt		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmget		N	N	N	N	N	N	ALLOW
-36-sim-ipc_syscalls	+x86_64	shmctl		N	N	N	N	N	N	ALLOW
+# Testname		Arch		Syscall		Arg0	Arg1	Arg2	Arg3	Arg4	Arg5	Result
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		1	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		2	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		3	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		4	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		11	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		12	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		13	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		14	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		21	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		22	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		23	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86,+ppc64le	ipc		24	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semop		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semctl		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		semtimedop	N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgsnd		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgrcv		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		msgctl		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmat		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmdt		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmget		N	N	N	N	N	N	ALLOW
+36-sim-ipc_syscalls	+x86_64		shmctl		N	N	N	N	N	N	ALLOW
 
 test type: bpf-valgrind
 

data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.c

@@ -54,14 +54,35 @@ int main(int argc, char *argv[])
 	if (api != 3)
 		return -7;
 
+	rc = seccomp_api_set(4);
+	if (rc != 0)
+		return -8;
+	api = seccomp_api_get();
+	if (api != 4)
+		return -9;
+
+	rc = seccomp_api_set(5);
+	if (rc != 0)
+		return -10;
+	api = seccomp_api_get();
+	if (api != 5)
+		return -11;
+
+	rc = seccomp_api_set(6);
+	if (rc != 0)
+		return -12;
+	api = seccomp_api_get();
+	if (api != 6)
+		return -13;
+
 	/* Attempt to set a high, invalid API level */
 	rc = seccomp_api_set(1024);
 	if (rc != -EINVAL)
-		return -8;
+		return -1001;
 	/* Ensure that the previously set API level didn't change */
 	api = seccomp_api_get();
-	if (api != 3)
-		return -9;
+	if (api != 6)
+		return -1002;
 
 	return 0;
 }

data/ext/enterprise_script_service/libseccomp/tests/39-basic-api_level.py

@@ -50,6 +50,21 @@ def test():
     if api != 3:
         raise RuntimeError("Failed getting API level 3")
 
+    set_api(4)
+    api = get_api()
+    if api != 4:
+        raise RuntimeError("Failed getting API level 4")
+
+    set_api(5)
+    api = get_api()
+    if api != 5:
+        raise RuntimeError("Failed getting API level 5")
+
+    set_api(6)
+    api = get_api()
+    if api != 6:
+        raise RuntimeError("Failed getting API level 6")
+
     # Attempt to set a high, invalid API level
     try:
         set_api(1024)
@@ -59,7 +74,7 @@ def test():
         raise RuntimeError("Missing failure when setting invalid API level")
     # Ensure that the previously set API level didn't change
     api = get_api()
-    if api != 3:
+    if api != 6:
         raise RuntimeError("Failed getting old API level after setting an invalid API level")
 
 test()

data/ext/enterprise_script_service/libseccomp/tests/47-live-kill_process.c

@@ -31,7 +31,7 @@
 #include "util.h"
 
 
-static const unsigned int whitelist[] = {
+static const unsigned int allowlist[] = {
 	SCMP_SYS(clone),
 	SCMP_SYS(exit),
 	SCMP_SYS(exit_group),
@@ -75,8 +75,8 @@ int main(int argc, char *argv[])
 	if (ctx == NULL)
 		return ENOMEM;
 
-	for (i = 0; i < sizeof(whitelist) / sizeof(whitelist[0]); i++) {
-		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, whitelist[i], 0);
+	for (i = 0; i < sizeof(allowlist) / sizeof(allowlist[0]); i++) {
+		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowlist[i], 0);
 		if (rc != 0)
 			goto out;
 	}

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.c

@@ -0,0 +1,112 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <signal.h>
+#include <syscall.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include "util.h"
+
+#define MAGIC 0x1122334455667788UL
+
+int main(int argc, char *argv[])
+{
+	int rc, fd = -1, status;
+	struct seccomp_notif *req = NULL;
+	struct seccomp_notif_resp *resp = NULL;
+	scmp_filter_ctx ctx = NULL;
+	pid_t pid = 0;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+	if (rc)
+		goto out;
+
+	rc  = seccomp_load(ctx);
+	if (rc < 0)
+		goto out;
+
+	rc = seccomp_notify_fd(ctx);
+	if (rc < 0)
+		goto out;
+	fd = rc;
+
+	pid = fork();
+	if (pid == 0)
+		exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+
+	rc = seccomp_notify_alloc(&req, &resp);
+	if (rc)
+		goto out;
+
+	rc = seccomp_notify_receive(fd, req);
+	if (rc)
+		goto out;
+	if (req->data.nr != SCMP_SYS(getpid)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	rc = seccomp_notify_id_valid(fd, req->id);
+	if (rc)
+		goto out;
+
+	resp->id = req->id;
+	resp->val = MAGIC;
+	resp->error = 0;
+	resp->flags = 0;
+	rc = seccomp_notify_respond(fd, resp);
+	if (rc)
+		goto out;
+
+	if (waitpid(pid, &status, 0) != pid) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+	if (!WIFEXITED(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	if (WEXITSTATUS(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+out:
+	if (fd >= 0)
+		close(fd);
+	if (pid)
+		kill(pid, SIGKILL);
+	seccomp_notify_free(req, resp);
+	seccomp_release(ctx);
+
+	if (rc != 0)
+		return (rc < 0 ? -rc : rc);
+	return 160;
+}

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import signal
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+    magic = os.getuid() + 1
+    f = SyscallFilter(ALLOW)
+    f.add_rule(NOTIFY, "getuid")
+    f.load()
+    pid = os.fork()
+    if pid == 0:
+        val = os.getuid()
+        if val != magic:
+            raise RuntimeError("Response return value failed")
+            quit(1)
+        quit(0)
+    else:
+        notify = f.receive_notify()
+        if notify.syscall != resolve_syscall(Arch(), "getuid"):
+            raise RuntimeError("Notification failed")
+        f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+        wpid, rc = os.waitpid(pid, 0)
+        if os.WIFEXITED(rc) == 0:
+            raise RuntimeError("Child process error")
+        if os.WEXITSTATUS(rc) != 0:
+            raise RuntimeError("Child process error")
+        quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

data/ext/enterprise_script_service/libseccomp/tests/51-live-user_notification.tests

@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright Cisco Systems 2019
+# Author: Tycho Andersen <tycho@tycho.ws>
+#
+
+test type: live
+
+# Testname			API	Result
+51-live-user_notification	5	ALLOW

data/ext/enterprise_script_service/libseccomp/tests/53-sim-binary_tree.c

@@ -0,0 +1,156 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2018-2020 Oracle and/or its affiliates.
+ * Author: Tom Hromatka <tom.hromatka@oracle.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+#define ARG_COUNT_MAX 2
+
+struct syscall_errno {
+	int syscall;
+	int error;
+	int arg_cnt;
+	/* To make the test more interesting, arguments are added to several
+	 * syscalls.  To keep the test simple, the arguments always use
+	 * SCMP_CMP_EQ.
+	 */
+	int args[ARG_COUNT_MAX];
+};
+
+struct syscall_errno table[] = {
+	{ SCMP_SYS(read), 0, 0, { 0, 0 } },
+	{ SCMP_SYS(write), 1, 0, { 0, 0 } },
+	{ SCMP_SYS(open), 2, 0, { 0, 0 } },
+	{ SCMP_SYS(close), 3, 2, { 100, 101 } },
+	{ SCMP_SYS(stat), 4, 0, { 0, 0 } },
+	{ SCMP_SYS(fstat), 5, 0, { 0, 0 } },
+	{ SCMP_SYS(lstat), 6, 0, { 0, 0 } },
+	{ SCMP_SYS(poll), 7, 1, { 102, 0 } },
+	{ SCMP_SYS(lseek), 8, 2, { 103, 104 } },
+	{ SCMP_SYS(mmap), 9, 0, { 0, 0 } },
+	{ SCMP_SYS(mprotect), 10, 0, { 0, 0 } },
+	{ SCMP_SYS(munmap), 11, 0, { 0, 0 } },
+	{ SCMP_SYS(brk), 12, 0, { 0, 0 } },
+	{ SCMP_SYS(rt_sigaction), 13, 0, { 0, 0 } },
+	{ SCMP_SYS(rt_sigprocmask), 14, 0, { 0, 0 } },
+	{ SCMP_SYS(rt_sigreturn), 15, 0, { 0, 0 } },
+	{ SCMP_SYS(ioctl), 16, 0, { 0, 0 } },
+	{ SCMP_SYS(pread64), 17, 1, { 105, 0 } },
+	{ SCMP_SYS(pwrite64), 18, 0, { 0, 0 } },
+	{ SCMP_SYS(readv), 19, 0, { 0, 0 } },
+	{ SCMP_SYS(writev), 20, 0, { 0, 0 } },
+	{ SCMP_SYS(access), 21, 0, { 0, 0 } },
+	{ SCMP_SYS(pipe), 22, 0, { 0, 0 } },
+	{ SCMP_SYS(select), 23, 2, { 106, 107 } },
+	{ SCMP_SYS(sched_yield), 24, 0, { 0, 0 } },
+	{ SCMP_SYS(mremap), 25, 2, { 108, 109 } },
+	{ SCMP_SYS(msync), 26, 0, { 0, 0 } },
+	{ SCMP_SYS(mincore), 27, 0, { 0, 0 } },
+	{ SCMP_SYS(madvise), 28, 0, { 0, 0 } },
+	{ SCMP_SYS(dup), 32, 1, { 112, 0 } },
+	{ SCMP_SYS(dup2), 33, 0, { 0, 0 } },
+	{ SCMP_SYS(pause), 34, 0, { 0, 0 } },
+	{ SCMP_SYS(nanosleep), 35, 0, { 0, 0 } },
+	{ SCMP_SYS(getitimer), 36, 0, { 0, 0 } },
+	{ SCMP_SYS(alarm), 37, 0, { 0, 0 } },
+};
+
+const int table_size = sizeof(table) / sizeof(table[0]);
+
+int main(int argc, char *argv[])
+{
+	int rc, i;
+	struct util_options opts;
+	scmp_filter_ctx ctx = NULL;
+
+	rc = util_getopt(argc, argv, &opts);
+	if (rc < 0)
+		goto out;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL) {
+		rc = ENOMEM;
+		goto out;
+	}
+
+	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_AARCH64);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_PPC64LE);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
+	if (rc != 0)
+		goto out;
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+	if (rc < 0)
+		goto out;
+
+	for (i = 0; i < table_size; i++) {
+		switch (table[i].arg_cnt) {
+		case 2:
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 2,
+					      SCMP_A0(SCMP_CMP_EQ,
+						      table[i].args[0]),
+					      SCMP_A1(SCMP_CMP_EQ,
+						      table[i].args[1]));
+			break;
+		case 1:
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 1,
+					      SCMP_A0(SCMP_CMP_EQ,
+						      table[i].args[0]));
+			break;
+		case 0:
+		default:
+			rc = seccomp_rule_add(ctx,
+					      SCMP_ACT_ERRNO(table[i].error),
+					      table[i].syscall, 0);
+			break;
+		}
+
+		if (rc < 0)
+			goto out;
+	}
+
+	rc = util_filter_output(&opts, ctx);
+	if (rc)
+		goto out;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}