Blame - libc/tools/test_genseccomp.py - android_bionic

2017-02-14 13:32:23 -0800

[diff] [blame]

1

#!/usr/bin/env python

2

# Unit tests for genseccomp.py

import cStringIO

import textwrap

import unittest

import genseccomp

class TestGenseccomp(unittest.TestCase):

def setUp(self):

genseccomp.set_dir()

def get_config(self, arch):

15

for i in genseccomp.POLICY_CONFIGS:

16

if i[0] == arch:

17

return i

18

self.fail("No such architecture")

19

20

def get_headers(self, arch):

21

return self.get_config(arch)[1]

22

Paul Lawrence

2017-02-17 10:22:03 -0800

[diff] [blame]

23

def get_switches(self, arch):

24

return self.get_config(arch)[2]

25

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

26

def test_get_names(self):

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

27

bionic = cStringIO.StringIO(textwrap.dedent("""\

Elliott Hughes

2020-02-13 14:21:55 -0800

[diff] [blame]

28

int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86

29

int fchown:fchown(int, uid_t, gid_t) arm64,x86_64

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

30

"""))

31

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

32

allowlist = cStringIO.StringIO(textwrap.dedent("""\

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

33

ssize_t read(int, void*, size_t) all

34

"""))

35

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

36

empty = cStringIO.StringIO(textwrap.dedent("""\

37

"""))

38

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

39

names = genseccomp.get_names([bionic, allowlist, empty], "arm")

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

40

bionic.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

41

allowlist.seek(0)

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

42

empty.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

43

names64 = genseccomp.get_names([bionic, allowlist, empty], "arm64")

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

44

bionic.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

45

allowlist.seek(0)

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

46

empty.seek(0)

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

47

48

self.assertIn("fchown", names64)

49

self.assertNotIn("fchown", names)

50

self.assertIn("_llseek", names)

51

self.assertNotIn("_llseek", names64)

52

self.assertIn("read", names)

53

self.assertIn("read", names64)

54

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

55

# Blocklist item must be in bionic

56

blocklist = cStringIO.StringIO(textwrap.dedent("""\

Elliott Hughes

2020-02-13 14:21:55 -0800

[diff] [blame]

57

int fchown2:fchown2(int, uid_t, gid_t) arm64,x86_64

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

58

"""))

59

with self.assertRaises(RuntimeError):

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

60

genseccomp.get_names([bionic, allowlist, blocklist], "arm")

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

61

bionic.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

62

allowlist.seek(0)

63

blocklist.seek(0)

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

64

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

65

# Test blocklist item is removed

66

blocklist = cStringIO.StringIO(textwrap.dedent("""\

Elliott Hughes

2020-02-13 14:21:55 -0800

[diff] [blame]

67

int fchown:fchown(int, uid_t, gid_t) arm64,x86_64

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

68

"""))

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

69

names = genseccomp.get_names([bionic, allowlist, blocklist], "arm64")

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

70

bionic.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

71

allowlist.seek(0)

72

blocklist.seek(0)

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

73

self.assertIn("read", names)

74

self.assertNotIn("fchown", names)

75

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

76

# Blocklist item must not be in allowlist

77

allowlist = cStringIO.StringIO(textwrap.dedent("""\

Elliott Hughes

2020-02-13 14:21:55 -0800

[diff] [blame]

78

int fchown:fchown(int, uid_t, gid_t) arm64,x86_64

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

79

"""))

80

with self.assertRaises(RuntimeError):

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

81

genseccomp.get_names([empty, allowlist, blocklist], "arm")

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

82

empty.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

83

allowlist.seek(0)

84

blocklist.seek(0)

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

85

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

86

# No dups in bionic and allowlist

87

allowlist = cStringIO.StringIO(textwrap.dedent("""\

Elliott Hughes

2020-02-13 14:21:55 -0800

[diff] [blame]

88

int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

89

"""))

90

with self.assertRaises(RuntimeError):

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

91

genseccomp.get_names([bionic, allowlist, empty], "arm")

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

92

bionic.seek(0)

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

93

allowlist.seek(0)

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

94

empty.seek(0)

95

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

96

def test_convert_names_to_NRs(self):

97

self.assertEquals(genseccomp.convert_names_to_NRs(["open"],

Paul Lawrence

2017-02-17 10:22:03 -0800

[diff] [blame]

98

self.get_headers("arm"),

99

self.get_switches("arm")),

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

100

[("open", 5)])

101

102

self.assertEquals(genseccomp.convert_names_to_NRs(["__ARM_NR_set_tls"],

Paul Lawrence

2017-02-17 10:22:03 -0800

[diff] [blame]

103

self.get_headers("arm"),

104

self.get_switches("arm")),

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

105

[('__ARM_NR_set_tls', 983045)])

106

107

self.assertEquals(genseccomp.convert_names_to_NRs(["openat"],

Paul Lawrence

2017-02-17 10:22:03 -0800

[diff] [blame]

108

self.get_headers("arm64"),

109

self.get_switches("arm64")),

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

110

[("openat", 56)])

111

Paul Lawrence

2017-02-17 10:22:03 -0800

[diff] [blame]

112

self.assertEquals(genseccomp.convert_names_to_NRs(["openat"],

113

self.get_headers("x86"),

114

self.get_switches("x86")),

115

[("openat", 295)])

116

117

self.assertEquals(genseccomp.convert_names_to_NRs(["openat"],

118

self.get_headers("x86_64"),

119

self.get_switches("x86_64")),

120

[("openat", 257)])

121

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

122

123

def test_convert_NRs_to_ranges(self):

124

ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])

125

self.assertEquals(len(ranges), 1)

126

self.assertEquals(ranges[0].begin, 1)

127

self.assertEquals(ranges[0].end, 3)

128

self.assertItemsEqual(ranges[0].names, ["a", "b"])

129

130

ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])

131

self.assertEquals(len(ranges), 2)

132

self.assertEquals(ranges[0].begin, 1)

133

self.assertEquals(ranges[0].end, 2)

134

self.assertItemsEqual(ranges[0].names, ["a"])

135

self.assertEquals(ranges[1].begin, 3)

136

self.assertEquals(ranges[1].end, 4)

137

self.assertItemsEqual(ranges[1].names, ["b"])

138

139

def test_convert_to_intermediate_bpf(self):

140

ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])

141

bpf = genseccomp.convert_to_intermediate_bpf(ranges)

142

self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, {fail}, {allow}), //a|b'])

143

144

ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])

145

bpf = genseccomp.convert_to_intermediate_bpf(ranges)

146

self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',

147

'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, {fail}, {allow}), //a',

148

'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, {fail}, {allow}), //b'])

149

150

def test_convert_ranges_to_bpf(self):

151

ranges = genseccomp.convert_NRs_to_ranges([("b", 2), ("a", 1)])

152

bpf = genseccomp.convert_ranges_to_bpf(ranges)

Paul Lawrence

65b47c9

2017-03-22 08:03:51 -0700

[diff] [blame]

153

self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 2),',

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

154

'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0), //a|b',

155

'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])

156

157

ranges = genseccomp.convert_NRs_to_ranges([("b", 3), ("a", 1)])

158

bpf = genseccomp.convert_ranges_to_bpf(ranges)

Paul Lawrence

65b47c9

2017-03-22 08:03:51 -0700

[diff] [blame]

159

self.assertEquals(bpf, ['BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 4),',

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

160

'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),',

161

'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 2, 1), //a',

162

'BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 1, 0), //b',

163

'BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),'])

164

165

def test_convert_bpf_to_output(self):

166

output = genseccomp.convert_bpf_to_output(["line1", "line2"], "arm")

167

expected_output = textwrap.dedent("""\

168

// Autogenerated file - edit at your peril!!

169

170

#include <linux/filter.h>

171

#include <errno.h>

172

Paul Lawrence

dfe8434

2017-02-16 09:24:39 -0800

[diff] [blame]

173

#include "seccomp_bpfs.h"

174

const sock_filter arm_filter[] = {

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

line1

line2

};

const size_t arm_filter_size = sizeof(arm_filter) / sizeof(struct sock_filter);

180

""")

181

self.assertEquals(output, expected_output)

182

183

def test_construct_bpf(self):

184

syscalls = cStringIO.StringIO(textwrap.dedent("""\

Elliott Hughes

2020-02-13 14:21:55 -0800

[diff] [blame]

185

int __llseek:_llseek(int, unsigned long, unsigned long, off64_t*, int) arm,x86

186

int fchown:fchown(int, uid_t, gid_t) arm64,x86_64

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

187

"""))

188

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

189

allowlist = cStringIO.StringIO(textwrap.dedent("""\

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

190

ssize_t read(int, void*, size_t) all

191

"""))

192

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

193

blocklist = cStringIO.StringIO(textwrap.dedent("""\

Paul Lawrence

2017-04-12 10:02:54 -0700

[diff] [blame]

194

"""))

195

Victor Hsieh

2020-06-15 09:29:07 -0700

[diff] [blame]

196

syscall_files = [syscalls, allowlist, blocklist]

Paul Lawrence

2017-02-17 10:22:03 -0800

[diff] [blame]

197

output = genseccomp.construct_bpf(syscall_files, "arm", self.get_headers("arm"),

198

self.get_switches("arm"))

Paul Lawrence

2017-02-14 13:32:23 -0800

[diff] [blame]

199

200

expected_output = textwrap.dedent("""\

201

// Autogenerated file - edit at your peril!!

202

203

#include <linux/filter.h>

204

#include <errno.h>

205

Paul Lawrence

dfe8434

2017-02-16 09:24:39 -0800

[diff] [blame]

206

#include "seccomp_bpfs.h"

207

const sock_filter arm_filter[] = {

Paul Lawrence

65b47c9

2017-03-22 08:03:51 -0700

[diff] [blame]

208

BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 4),

Paul Lawrence