libseccomp 0.4.0

Rust Language Bindings for the libseccomp Library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

use libc::{dup3, O_CLOEXEC};
use libseccomp::*;
use std::thread;

macro_rules! skip_if_not_supported {
    () => {
        if !check_api(6, ScmpVersion::from((2, 5, 0))).unwrap() {
            println!("Skip tests for userspace notification");
            return;
        }
    };
}

#[derive(Debug)]
struct TestData {
    syscall: ScmpSyscall,
    args: Vec<u64>,
    arch: ScmpArch,
    resp_val: i64,
    resp_err: i32,
    resp_flags: u32,
    expected_val: i64,
}

#[test]
fn test_user_notification() {
    skip_if_not_supported!();

    let mut ctx = ScmpFilterContext::new(ScmpAction::Allow).unwrap();
    let syscall = ScmpSyscall::from_name("dup3").unwrap();
    let arch = ScmpArch::native();

    ctx.add_arch(arch).unwrap();
    ctx.add_rule(ScmpAction::Notify, syscall).unwrap();

    let tests = &[
        TestData {
            syscall,
            args: vec![0, 100, O_CLOEXEC as u64],
            arch,
            resp_val: 10,
            resp_err: 0,
            resp_flags: 0,
            expected_val: 10,
        },
        TestData {
            syscall,
            args: vec![0, 100, O_CLOEXEC as u64],
            arch,
            resp_val: 0,
            resp_err: -1,
            resp_flags: 0,
            expected_val: -1,
        },
        TestData {
            syscall,
            args: vec![0, 100, O_CLOEXEC as u64],
            arch,
            resp_val: 0,
            resp_err: 0,
            resp_flags: ScmpNotifRespFlags::CONTINUE.bits(),
            expected_val: 100,
        },
    ];

    ctx.load().unwrap();

    let fd = ctx.get_notify_fd().unwrap();

    let mut handlers = vec![];

    for test in tests.iter() {
        let args: (i32, i32, i32) = (
            test.args[0] as i32,
            test.args[1] as i32,
            test.args[2] as i32,
        );

        handlers.push(thread::spawn(move || unsafe {
            dup3(args.0, args.1, args.2)
        }));

        let req = ScmpNotifReq::receive(fd).unwrap();

        // Checks architecture
        assert_eq!(req.data.arch, test.arch);

        // Checks the number of syscall
        assert_eq!(req.data.syscall, test.syscall);

        // Checks syscall arguments
        for (i, test_val) in test.args.iter().enumerate() {
            assert_eq!(&req.data.args[i], test_val);
        }

        // Checks TOCTOU
        assert!(notify_id_valid(fd, req.id).is_ok());

        let resp = ScmpNotifResp::new(req.id, test.resp_val, test.resp_err, test.resp_flags);
        resp.respond(fd).unwrap();
    }

    // Checks return value
    for (i, handler) in handlers.into_iter().enumerate() {
        let ret_val = handler.join().unwrap();
        assert_eq!(tests[i].expected_val as i32, ret_val);
    }
}

#[test]
fn test_resp_new() {
    assert_eq!(
        ScmpNotifResp::new_val(1234, 1, ScmpNotifRespFlags::empty()),
        ScmpNotifResp::new(1234, 1, 0, 0),
    );
    assert_eq!(
        ScmpNotifResp::new_error(1234, -2, ScmpNotifRespFlags::empty()),
        ScmpNotifResp::new(1234, 0, -2, 0),
    );
    assert_eq!(
        ScmpNotifResp::new_continue(1234, ScmpNotifRespFlags::empty()),
        ScmpNotifResp::new(1234, 0, 0, ScmpNotifRespFlags::CONTINUE.bits()),
    );
}

#[test]
fn test_error() {
    skip_if_not_supported!();

    let ctx = ScmpFilterContext::new(ScmpAction::Allow).unwrap();
    let resp = ScmpNotifResp::new(0, 0, 0, 0);

    assert!(ctx.get_notify_fd().is_err());
    assert!(ScmpNotifReq::receive(0).is_err());
    assert!(resp.respond(0).is_err());
    assert!(notify_id_valid(0, 0).is_err());
}