seccomp: fix flag test to actually check the value

Add a debug print of seccomp flags value, so the test can check those (without using something like strace, that is). Amend the flags setting test with the numeric values expected, and the logic to check those. Signed-off-by: Kir Kolyshkin <[email protected]>
opencontainers · Aug 30, 2022 · edb41fc · edb41fc
1 parent c7dc8b1
commit edb41fc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 22 deletions.
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -665,6 +665,7 @@ func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (flags
 }
 
 func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err error) {
+ logrus.Debugf("seccomp filter flags: %d", flags)
  fprog := unix.SockFprog{
  Len: uint16(len(filter)),
  Filter: &filter[0],

diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
@@ -70,31 +70,47 @@ function teardown() {
  # Linux 4.14: SECCOMP_FILTER_FLAG_LOG
  # Linux 4.17: SECCOMP_FILTER_FLAG_SPEC_ALLOW
  requires_kernel 4.17
- SECCOMP_FILTER_FLAGS=(
- '' # no flag
- '"SECCOMP_FILTER_FLAG_LOG"'
- '"SECCOMP_FILTER_FLAG_SPEC_ALLOW"'
- '"SECCOMP_FILTER_FLAG_TSYNC"'
- '"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW"'
- '"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_TSYNC"'
- '"SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"'
- '"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"'
+
+ update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+ | .process.noNewPrivileges = false
+ | .linux.seccomp = {
+ "defaultAction":"SCMP_ACT_ALLOW",
+ "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"],
+ "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+ }'
+
+ declare -A FLAGS=(
+ ['REMOVE']=0 # No setting, use built-in default.
+ ['EMPTY']=0 # Empty set of flags.
+ ['"SECCOMP_FILTER_FLAG_LOG"']=2
+ ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=4
+ ['"SECCOMP_FILTER_FLAG_TSYNC"']=0 # tsync flag is ignored.
+ ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW"']=6
+ ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_TSYNC"']=2
+ ['"SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"']=4
+ ['"SECCOMP_FILTER_FLAG_LOG","SECCOMP_FILTER_FLAG_SPEC_ALLOW","SECCOMP_FILTER_FLAG_TSYNC"']=6
  )
- for flags in "${SECCOMP_FILTER_FLAGS[@]}"; do
- update_config ' .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
- | .process.noNewPrivileges = false
- | .linux.seccomp = {
- "defaultAction":"SCMP_ACT_ALLOW",
- "architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32","SCMP_ARCH_X86_64","SCMP_ARCH_AARCH64","SCMP_ARCH_ARM"],
- "flags":['"${flags}"'],
- "syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
- }'
-
- # This test checks that the flags are accepted without errors but does
- # not check they are effectively applied
- runc run test_busybox
+ for key in "${!FLAGS[@]}"; do
+ case "$key" in
+ 'REMOVE')
+ update_config ' del(.linux.seccomp.flags)'
+ ;;
+ 'EMPTY')
+ update_config ' .linux.seccomp.flags = []'
+ ;;
+ *)
+ update_config ' .linux.seccomp.flags = [ '"${key}"' ]'
+ ;;
+ esac
+
+ runc --debug run test_busybox
  [ "$status" -ne 0 ]
  [[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
+
+ # Check the numeric flags value is as expected.
+ exp="\"seccomp filter flags: ${FLAGS[$key]}\""
+ echo "flags $key, expecting $exp"
+ [[ "$output" == *"$exp"* ]]
  done
 }