diff options
author | Mike Frysinger <vapier@google.com> | 2018-08-16 17:29:12 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2018-08-16 17:29:12 -0700 |
commit | 5a22a4088bea4905855f5760c9090bb4299c6b6e (patch) | |
tree | 5ddd239a82d8ec58606255a0ad81514621be0153 | |
parent | 49f881b97d2e9b5649bb2733b9bfb33bcb65abf8 (diff) | |
parent | 68a1b3ba4fe2393cba932cc28a3e7c5aec188b84 (diff) | |
download | minijail-5a22a4088bea4905855f5760c9090bb4299c6b6e.tar.gz |
syscall_filter_unittest: rewrite in C++
am: 68a1b3ba4f
Change-Id: I207daac47b9ff48814ad65d9dd5d08cd5a3b4151
-rw-r--r-- | syscall_filter_unittest.cc | 409 | ||||
-rw-r--r-- | syscall_filter_unittest_macros.h | 6 |
2 files changed, 216 insertions, 199 deletions
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc index b73a8f4..c374d4d 100644 --- a/syscall_filter_unittest.cc +++ b/syscall_filter_unittest.cc @@ -17,6 +17,56 @@ #include "syscall_filter_unittest_macros.h" #include "util.h" +namespace { + +// Simple C++ -> C wrappers to simplify test code. + +enum ret_trap { + USE_RET_KILL = 0, + USE_RET_TRAP = 1, +}; + +enum use_logging { + NO_LOGGING = 0, + USE_LOGGING = 1, +}; + +int test_compile_filter( + std::string filename, + FILE* policy_file, + struct sock_fprog* prog, + enum ret_trap do_ret_trap = USE_RET_KILL, + enum use_logging add_logging_syscalls = NO_LOGGING) { + return compile_filter(filename.c_str(), policy_file, prog, do_ret_trap, + add_logging_syscalls); +} + +int test_compile_file( + std::string filename, + FILE* policy_file, + struct filter_block* head, + struct filter_block** arg_blocks, + struct bpf_labels* labels, + enum ret_trap use_ret_trap = USE_RET_KILL, + enum use_logging allow_logging = NO_LOGGING, + unsigned int include_level = 0) { + return compile_file(filename.c_str(), policy_file, head, arg_blocks, labels, + use_ret_trap, allow_logging, include_level); +} + +struct filter_block* test_compile_policy_line( + struct parser_state* state, + int nr, + std::string policy_line, + unsigned int label_id, + struct bpf_labels* labels, + enum ret_trap do_ret_trap = USE_RET_KILL) { + return compile_policy_line(state, nr, policy_line.c_str(), label_id, labels, + do_ret_trap); +} + +} // namespace + TEST(util, parse_constant_unsigned) { char *end; long int c = 0; @@ -236,7 +286,7 @@ class BpfLabelTest : public ::testing::Test { }; TEST_F(BpfLabelTest, zero_length_filter) { - int res = bpf_resolve_jumps(&labels_, NULL, 0); + int res = bpf_resolve_jumps(&labels_, nullptr, 0); EXPECT_EQ(res, 0); EXPECT_EQ(labels_.count, 0U); @@ -339,42 +389,42 @@ class ArgFilterTest : public ::testing::Test { }; TEST_F(ArgFilterTest, empty_atom) { - const char* fragment = ""; + std::string fragment = ""; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, whitespace_atom) { - const char* fragment = "\t "; + std::string fragment = "\t "; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, no_comparison) { - const char* fragment = "arg0"; + std::string fragment = "arg0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, no_constant) { - const char* fragment = "arg0 =="; + std::string fragment = "arg0 =="; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, arg0_equals) { - const char *fragment = "arg0 == 0"; + std::string fragment = "arg0 == 0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; @@ -411,11 +461,10 @@ TEST_F(ArgFilterTest, arg0_equals) { } TEST_F(ArgFilterTest, arg0_short_gt_ge_comparisons) { - for (const char* fragment : + for (std::string fragment : {"arg1 < 0xff", "arg1 <= 0xff", "arg1 > 0xff", "arg1 >= 0xff"}) { struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, - USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_SHORT_GT_GE_COMP_LEN + 1) + 2 + 1 + 2; @@ -454,12 +503,11 @@ TEST_F(ArgFilterTest, arg0_short_gt_ge_comparisons) { #if defined(BITS64) TEST_F(ArgFilterTest, arg0_long_gt_ge_comparisons) { - for (const char* fragment : + for (std::string fragment : {"arg1 < 0xbadc0ffee0ddf00d", "arg1 <= 0xbadc0ffee0ddf00d", "arg1 > 0xbadc0ffee0ddf00d", "arg1 >= 0xbadc0ffee0ddf00d"}) { struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, - USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_GT_GE_COMP_LEN + 1) + 2 + 1 + 2; @@ -498,10 +546,10 @@ TEST_F(ArgFilterTest, arg0_long_gt_ge_comparisons) { #endif TEST_F(ArgFilterTest, arg0_mask) { - const char *fragment = "arg1 & O_RDWR"; + std::string fragment = "arg1 & O_RDWR"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; @@ -538,10 +586,10 @@ TEST_F(ArgFilterTest, arg0_mask) { } TEST_F(ArgFilterTest, arg0_flag_set_inclusion) { - const char *fragment = "arg0 in O_RDONLY|O_CREAT"; + std::string fragment = "arg0 in O_RDONLY|O_CREAT"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; @@ -579,10 +627,10 @@ TEST_F(ArgFilterTest, arg0_flag_set_inclusion) { } TEST_F(ArgFilterTest, arg0_eq_mask) { - const char *fragment = "arg1 == O_WRONLY|O_CREAT"; + std::string fragment = "arg1 == O_WRONLY|O_CREAT"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; @@ -622,10 +670,10 @@ TEST_F(ArgFilterTest, arg0_eq_mask) { } TEST_F(ArgFilterTest, and_or) { - const char *fragment = "arg0 == 0 && arg1 == 0 || arg0 == 1"; + std::string fragment = "arg0 == 0 && arg1 == 0 || arg0 == 1"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + 3 * (BPF_ARG_COMP_LEN + 1) + 2 + 2 + 1 + 2; EXPECT_EQ(block->total_len, exp_total_len); @@ -677,10 +725,10 @@ TEST_F(ArgFilterTest, and_or) { } TEST_F(ArgFilterTest, ret_errno) { - const char *fragment = "arg0 == 0 || arg0 == 1; return 1"; + std::string fragment = "arg0 == 0 || arg0 == 1; return 1"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + 2 * (BPF_ARG_COMP_LEN + 1) + 2 + 2 + 1 + 2; EXPECT_EQ(block->total_len, exp_total_len); @@ -730,10 +778,10 @@ TEST_F(ArgFilterTest, ret_errno) { } TEST_F(ArgFilterTest, unconditional_errno) { - const char *fragment = "return 1"; + std::string fragment = "return 1"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 2; EXPECT_EQ(block->total_len, exp_total_len); @@ -758,66 +806,67 @@ TEST_F(ArgFilterTest, unconditional_errno) { } TEST_F(ArgFilterTest, invalid_arg_token) { - const char *fragment = "org0 == 0"; + std::string fragment = "org0 == 0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, invalid_arg_number) { - const char *fragment = "argnn == 0"; + std::string fragment = "argnn == 0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, extra_chars_in_arg_token) { - const char* fragment = "arg0n == 0"; + std::string fragment = "arg0n == 0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, invalid_operator) { - const char* fragment = "arg0 invalidop 0"; + std::string fragment = "arg0 invalidop 0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, invalid_constant) { - const char *fragment = "arg0 == INVALIDCONSTANT"; + std::string fragment = "arg0 == INVALIDCONSTANT"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, extra_tokens) { - const char* fragment = "arg0 == 0 EXTRATOKEN"; + std::string fragment = "arg0 == 0 EXTRATOKEN"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, invalid_errno) { - const char *fragment = "arg0 == 0 && arg1 == 1; return errno"; + std::string fragment = "arg0 == 0 && arg1 == 1; return errno"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_EQ(block, nullptr); } TEST_F(ArgFilterTest, log_no_ret_error) { - const char *fragment = "arg0 == 0"; + std::string fragment = "arg0 == 0"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_TRAP); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_, + USE_RET_TRAP); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; @@ -855,10 +904,10 @@ TEST_F(ArgFilterTest, log_no_ret_error) { } TEST_F(ArgFilterTest, log_bad_ret_error) { - const char *fragment = "arg0 == 0; return"; + std::string fragment = "arg0 == 0; return"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_KILL); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; EXPECT_EQ(block->total_len, exp_total_len); @@ -897,10 +946,11 @@ TEST_F(ArgFilterTest, log_bad_ret_error) { } TEST_F(ArgFilterTest, no_log_bad_ret_error) { - const char *fragment = "arg0 == 0; return"; + std::string fragment = "arg0 == 0; return"; struct filter_block* block = - compile_policy_line(&state_, nr_, fragment, id_, &labels_, USE_RET_TRAP); + test_compile_policy_line(&state_, nr_, fragment, id_, &labels_, + USE_RET_TRAP); ASSERT_NE(block, nullptr); size_t exp_total_len = 1 + (BPF_ARG_COMP_LEN + 1) + 2 + 1 + 2; EXPECT_EQ(block->total_len, exp_total_len); @@ -939,22 +989,25 @@ TEST_F(ArgFilterTest, no_log_bad_ret_error) { free_block_list(block); } -FILE *write_policy_to_pipe(const char *policy, size_t len) { +namespace { + +FILE* write_policy_to_pipe(std::string policy) { int pipefd[2]; if (pipe(pipefd) == -1) { pwarn("pipe(pipefd) failed"); - return NULL; + return nullptr; } + size_t len = policy.length(); size_t i = 0; unsigned int attempts = 0; ssize_t ret; while (i < len) { - ret = write(pipefd[1], &policy[i], len - i); + ret = write(pipefd[1], policy.c_str() + i, len - i); if (ret == -1) { close(pipefd[0]); close(pipefd[1]); - return NULL; + return nullptr; } /* If we write 0 bytes three times in a row, fail. */ @@ -963,7 +1016,7 @@ FILE *write_policy_to_pipe(const char *policy, size_t len) { close(pipefd[0]); close(pipefd[1]); warn("write() returned 0 three times in a row"); - return NULL; + return nullptr; } continue; } @@ -981,7 +1034,7 @@ class FileTest : public ::testing::Test { virtual void SetUp() { labels_.count = 0; head_ = new_filter_block(); - arg_blocks_ = NULL; + arg_blocks_ = nullptr; } virtual void TearDown() { free_label_strings(&labels_); @@ -993,14 +1046,16 @@ class FileTest : public ::testing::Test { struct filter_block *arg_blocks_; }; +} // namespace + TEST_F(FileTest, malformed_policy) { - const char *policy = + std::string policy = "malformed"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = compile_file("policy", policy_file, head_, &arg_blocks_, &labels_, - USE_RET_KILL, NO_LOGGING, 0); + int res = test_compile_file("policy", policy_file, head_, &arg_blocks_, + &labels_); fclose(policy_file); /* @@ -1010,14 +1065,14 @@ TEST_F(FileTest, malformed_policy) { } TEST_F(FileTest, double_free_on_compile_error) { - const char *policy = + std::string policy = "read:arg0 == 0\n" "write:0"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = compile_file("policy", policy_file, head_, &arg_blocks_, &labels_, - USE_RET_KILL, NO_LOGGING, 0); + int res = test_compile_file("policy", policy_file, head_, &arg_blocks_, + &labels_); fclose(policy_file); /* @@ -1027,13 +1082,13 @@ TEST_F(FileTest, double_free_on_compile_error) { } TEST_F(FileTest, invalid_return) { - const char *policy = + std::string policy = "read:arg0 == 0; ;"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = compile_file("policy", policy_file, head_, &arg_blocks_, &labels_, - USE_RET_KILL, NO_LOGGING, 0); + int res = test_compile_file("policy", policy_file, head_, &arg_blocks_, + &labels_); fclose(policy_file); /* @@ -1043,16 +1098,16 @@ TEST_F(FileTest, invalid_return) { } TEST_F(FileTest, seccomp_mode1) { - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = compile_file("policy", policy_file, head_, &arg_blocks_, &labels_, - USE_RET_KILL, NO_LOGGING, 0); + int res = test_compile_file("policy", policy_file, head_, &arg_blocks_, + &labels_); fclose(policy_file); /* @@ -1076,7 +1131,7 @@ TEST_F(FileTest, seccomp_mode1) { } TEST_F(FileTest, seccomp_read) { - const char *policy = + std::string policy = "read: arg0 == 0\n" "write: 1\n" "rt_sigreturn: 1\n" @@ -1084,10 +1139,10 @@ TEST_F(FileTest, seccomp_read) { const int LABEL_ID = 0; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = compile_file("policy", policy_file, head_, &arg_blocks_, &labels_, - USE_RET_KILL, NO_LOGGING, 0); + int res = test_compile_file("policy", policy_file, head_, &arg_blocks_, + &labels_); fclose(policy_file); /* @@ -1146,17 +1201,16 @@ TEST_F(FileTest, seccomp_read) { TEST(FilterTest, seccomp_mode1) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); /* @@ -1184,17 +1238,16 @@ TEST(FilterTest, seccomp_mode1) { TEST(FilterTest, seccomp_mode1_trap) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_TRAP, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual, USE_RET_TRAP); fclose(policy_file); /* @@ -1223,17 +1276,16 @@ TEST(FilterTest, seccomp_mode1_trap) { TEST(FilterTest, seccomp_read_write) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: arg0 == 0\n" "write: arg0 == 1 || arg0 == 2\n" "rt_sigreturn: 1\n" "exit: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); /* @@ -1269,13 +1321,12 @@ TEST(FilterTest, seccomp_read_write) { TEST(FilterTest, misplaced_whitespace) { struct sock_fprog actual; - const char *policy = "read :1\n"; + std::string policy = "read :1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); /* Checks return value and filter length. */ @@ -1288,88 +1339,83 @@ TEST(FilterTest, misplaced_whitespace) { TEST(FilterTest, missing_atom) { struct sock_fprog actual; - const char* policy = "open:\n"; + std::string policy = "open:\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); } TEST(FilterTest, whitespace_atom) { struct sock_fprog actual; - const char* policy = "open:\t \n"; + std::string policy = "open:\t \n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); } TEST(FilterTest, invalid_name) { struct sock_fprog actual; - const char *policy = "notasyscall: 1\n"; + std::string policy = "notasyscall: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); } TEST(FilterTest, invalid_arg) { struct sock_fprog actual; - const char *policy = "open: argnn ==\n"; + std::string policy = "open: argnn ==\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); } TEST(FilterTest, invalid_tokens) { struct sock_fprog actual; - const char *policy = "read: arg0 == 1 |||| arg0 == 2\n"; + std::string policy = "read: arg0 == 1 |||| arg0 == 2\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); } TEST(FilterTest, nonexistent) { struct sock_fprog actual; - int res = compile_filter("policy", NULL, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", nullptr, &actual); ASSERT_NE(res, 0); } TEST(FilterTest, log) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_TRAP, USE_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual, USE_RET_TRAP, + USE_LOGGING); fclose(policy_file); size_t i; @@ -1406,17 +1452,17 @@ TEST(FilterTest, log) { TEST(FilterTest, allow_log_but_kill) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, USE_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual, USE_RET_KILL, + USE_LOGGING); fclose(policy_file); size_t i; @@ -1453,115 +1499,100 @@ TEST(FilterTest, allow_log_but_kill) { TEST(FilterTest, include_invalid_token) { struct sock_fprog actual; - const char *invalid_token = "@unclude ./test/seccomp.policy\n"; + std::string invalid_token = "@unclude ./test/seccomp.policy\n"; - FILE *policy_file = - write_policy_to_pipe(invalid_token, strlen(invalid_token)); + FILE* policy_file = write_policy_to_pipe(invalid_token); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_no_space) { struct sock_fprog actual; - const char *no_space = "@includetest/seccomp.policy\n"; + std::string no_space = "@includetest/seccomp.policy\n"; - FILE *policy_file = write_policy_to_pipe(no_space, strlen(no_space)); + FILE* policy_file = write_policy_to_pipe(no_space); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_double_token) { struct sock_fprog actual; - const char *double_token = "@includeinclude ./test/seccomp.policy\n"; + std::string double_token = "@includeinclude ./test/seccomp.policy\n"; - FILE *policy_file = write_policy_to_pipe(double_token, strlen(double_token)); + FILE* policy_file = write_policy_to_pipe(double_token); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_no_file) { struct sock_fprog actual; - const char *no_file = "@include\n"; + std::string no_file = "@include\n"; - FILE *policy_file = write_policy_to_pipe(no_file, strlen(no_file)); + FILE* policy_file = write_policy_to_pipe(no_file); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_space_no_file) { struct sock_fprog actual; - const char *space_no_file = "@include \n"; + std::string space_no_file = "@include \n"; - FILE *policy_file = - write_policy_to_pipe(space_no_file, strlen(space_no_file)); + FILE* policy_file = write_policy_to_pipe(space_no_file); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_implicit_relative_path) { struct sock_fprog actual; - const char *implicit_relative_path = "@include test/seccomp.policy\n"; + std::string implicit_relative_path = "@include test/seccomp.policy\n"; - FILE *policy_file = write_policy_to_pipe(implicit_relative_path, - strlen(implicit_relative_path)); + FILE* policy_file = write_policy_to_pipe(implicit_relative_path); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_extra_text) { struct sock_fprog actual; - const char *extra_text = "@include /some/file: sneaky comment\n"; + std::string extra_text = "@include /some/file: sneaky comment\n"; - FILE *policy_file = - write_policy_to_pipe(extra_text, strlen(extra_text)); + FILE* policy_file = write_policy_to_pipe(extra_text); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_split_filename) { struct sock_fprog actual; - const char *split_filename = "@include /some/file:colon.policy\n"; + std::string split_filename = "@include /some/file:colon.policy\n"; - FILE *policy_file = - write_policy_to_pipe(split_filename, strlen(split_filename)); + FILE* policy_file = write_policy_to_pipe(split_filename); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); EXPECT_NE(res, 0); } TEST(FilterTest, include_nonexistent_file) { struct sock_fprog actual; - const char *include_policy = "@include ./nonexistent.policy\n"; + std::string include_policy = "@include ./nonexistent.policy\n"; - FILE *policy_file = - write_policy_to_pipe(include_policy, strlen(include_policy)); + FILE* policy_file = write_policy_to_pipe(include_policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); @@ -1575,26 +1606,25 @@ TEST(FilterTest, include) { struct sock_fprog compiled_plain; struct sock_fprog compiled_with_include; - const char *policy_plain = + std::string policy_plain = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n"; - const char *policy_with_include = "@include ./test/seccomp.policy\n"; - - FILE *file_plain = write_policy_to_pipe(policy_plain, strlen(policy_plain)); + FILE* file_plain = write_policy_to_pipe(policy_plain); ASSERT_NE(file_plain, nullptr); - int res_plain = compile_filter("policy", file_plain, &compiled_plain, - USE_RET_KILL, NO_LOGGING); + int res_plain = test_compile_filter("policy", file_plain, &compiled_plain, + USE_RET_KILL); fclose(file_plain); - FILE *file_with_include = - write_policy_to_pipe(policy_with_include, strlen(policy_with_include)); + std::string policy_with_include = "@include ./test/seccomp.policy\n"; + + FILE* file_with_include = write_policy_to_pipe(policy_with_include); ASSERT_NE(file_with_include, nullptr); int res_with_include = - compile_filter("policy", file_with_include, &compiled_with_include, - USE_RET_KILL, NO_LOGGING); + test_compile_filter("policy", file_with_include, &compiled_with_include, + USE_RET_KILL); fclose(file_with_include); /* @@ -1631,19 +1661,17 @@ TEST(FilterTest, include) { TEST(FilterTest, include_same_syscalls) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n" "@include ./test/seccomp.policy\n"; - FILE *policy_file = - write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_EQ(res, 0); @@ -1655,24 +1683,22 @@ TEST(FilterTest, include_same_syscalls) { TEST(FilterTest, include_invalid_policy) { struct sock_fprog actual; - const char *policy = + std::string policy = "read: 1\n" "write: 1\n" "rt_sigreturn: 1\n" "exit: 1\n" "@include ./test/invalid_syscall_name.policy\n"; - FILE *policy_file = - write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); /* Ensure the included (invalid) policy file exists. */ - FILE *included_file = fopen("./test/invalid_syscall_name.policy", "re"); + FILE* included_file = fopen("./test/invalid_syscall_name.policy", "re"); ASSERT_NE(included_file, nullptr); fclose(included_file); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); @@ -1680,19 +1706,17 @@ TEST(FilterTest, include_invalid_policy) { TEST(FilterTest, include_nested) { struct sock_fprog actual; - const char *policy = "@include ./test/nested.policy\n"; + std::string policy = "@include ./test/nested.policy\n"; - FILE *policy_file = - write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); /* Ensure the policy file exists. */ - FILE *included_file = fopen("./test/nested.policy", "re"); + FILE* included_file = fopen("./test/nested.policy", "re"); ASSERT_NE(included_file, nullptr); fclose(included_file); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); ASSERT_NE(res, 0); @@ -1700,14 +1724,13 @@ TEST(FilterTest, include_nested) { TEST(FilterTest, error_cleanup_leak) { struct sock_fprog actual; - const char *policy = + std::string policy = "read:&&\n" "read:&&"; - FILE *policy_file = write_policy_to_pipe(policy, strlen(policy)); + FILE* policy_file = write_policy_to_pipe(policy); ASSERT_NE(policy_file, nullptr); - int res = - compile_filter("policy", policy_file, &actual, USE_RET_KILL, NO_LOGGING); + int res = test_compile_filter("policy", policy_file, &actual); fclose(policy_file); /* diff --git a/syscall_filter_unittest_macros.h b/syscall_filter_unittest_macros.h index 85cedea..4923fc4 100644 --- a/syscall_filter_unittest_macros.h +++ b/syscall_filter_unittest_macros.h @@ -3,12 +3,6 @@ * found in the LICENSE file. */ -#define USE_RET_KILL 0 -#define USE_RET_TRAP 1 - -#define NO_LOGGING 0 -#define USE_LOGGING 1 - /* BPF testing macros. */ #define EXPECT_EQ_BLOCK(_block, _code, _k, _jt, _jf) \ do { \ |