tests: workaround kernel bugs in seccomp-strict.test and prctl-seccomp-strict.test
If kernel implementation of strict seccomp mode is buggy, test programs
will be killed by SIGKILL. This is a known problem at least on
x32 and mips. Skip affected tests if this is the case.
This change partially reverts commit 9c1a72cd3f3d52d573876ce474b620a5f141fb1b.
* tests/seccomp-strict.c (main): Remove workaround for x32.
* tests/prctl-seccomp-strict.c: Likewise.
* tests/seccomp-strict.test: Skip the test if the test program
has been killed by SIGKILL.
* tests/prctl-seccomp-strict.test: Likewise.
diff --git a/tests/prctl-seccomp-strict.c b/tests/prctl-seccomp-strict.c
index 0a0d6a8..8d1fdfc 100644
--- a/tests/prctl-seccomp-strict.c
+++ b/tests/prctl-seccomp-strict.c
@@ -41,14 +41,6 @@
int
main(void)
{
-# if defined __x86_64__ && defined __ILP32__
- /*
- * Syscall numbers are hardcoded in
- * kernel/seccomp.c:__secure_computing_strict(),
- * but x32 syscall numbers are not supported.
- */
- error_msg_and_skip("SECCOMP_MODE_STRICT is not supported on x32");
-# else
static const char text1[] =
"prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) = 0\n";
static const char text2[] = "+++ exited with 0 +++\n";
@@ -64,12 +56,15 @@
ENOSYS == errno ? "ENOSYS" : "EINVAL");
fflush(stdout);
} else {
+ /*
+ * If kernel implementaton of SECCOMP_MODE_STRICT is buggy,
+ * the following syscall will result to SIGKILL.
+ */
rc += write(1, text1, LENGTH_OF(text1)) != LENGTH_OF(text1);
}
rc += write(1, text2, LENGTH_OF(text2)) != LENGTH_OF(text2);
return !!syscall(__NR_exit, rc);
-# endif
}
#else
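Review bot: The comment added above the first `write` drops the explanation that the removed x32 block carried (syscall numbers hardcoded in `kernel/seccomp.c:__secure_computing_strict()`), and it has a typo and awkward phrasing. It also does not name the call it refers to. Suggested wording: `If the kernel implementation of SECCOMP_MODE_STRICT is buggy (known on x32 and mips), the following write() will result in SIGKILL.` The same comment is added in the second hunk of tests/seccomp-strict.c and would take the same change. main's body starts outside this hunk.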
diff --git a/tests/prctl-seccomp-strict.test b/tests/prctl-seccomp-strict.test
index ff3c4f3..1f987df 100755
--- a/tests/prctl-seccomp-strict.test
+++ b/tests/prctl-seccomp-strict.test
@@ -5,9 +5,15 @@
. "${srcdir=.}/init.sh"
check_prog grep
-run_prog > /dev/null
-run_strace -eprctl $args > "$EXP"
+set -- "./$NAME"
+"$@" > /dev/null || {
+ case $? in
+ 77) skip_ "$* exited with code 77" ;;
+ 137) framework_skip_ "$* killed by SIGKILL, fix your kernel" ;;
+ *) fail_ "$args failed" ;;
+ esac
+}
+run_strace -eprctl "$@" > "$EXP"
grep -v '^prctl(PR_GET_' < "$LOG" > "$OUT"
match_diff "$OUT" "$EXP"
-
rm -f "$EXP" "$OUT"
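Review bot: The fallback branch `*) fail_ "$args failed" ;;` reports `$args`, but this hunk removes the `run_prog` call and switches to `"$@"`, so `$args` is probably unset here (it looks like `run_prog` in init.sh set it, which is not shown) and the message would read just " failed". Use `*) fail_ "$* failed" ;;` to match the other two branches; the same line appears in the tests/seccomp-strict.test hunk. Separately, mapping every exit status 137 to a kernel bug also covers the case where the test program itself issues a syscall outside the strict-mode allowlist, which is exactly the SIGKILL that strict mode is meant to deliver. A comment or a more neutral skip message would keep a skipped run from being read as confirmation that the kernel is at fault.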
diff --git a/tests/seccomp-strict.c b/tests/seccomp-strict.c
index f9fef96..f615aa1 100644
--- a/tests/seccomp-strict.c
+++ b/tests/seccomp-strict.c
@@ -40,14 +40,6 @@
int
main(void)
{
-# if defined __x86_64__ && defined __ILP32__
- /*
- * Syscall numbers are hardcoded in
- * kernel/seccomp.c:__secure_computing_strict(),
- * but x32 syscall numbers are not supported.
- */
- error_msg_and_skip("SECCOMP_SET_MODE_STRICT is not supported on x32");
-# else
static const char text1[] =
"seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL) = 0\n";
static const char text2[] = "+++ exited with 0 +++\n";
@@ -64,12 +56,15 @@
ENOSYS == errno ? "ENOSYS" : "EINVAL");
fflush(stdout);
} else {
+ /*
+ * If kernel implementaton of SECCOMP_MODE_STRICT is buggy,
+ * the following syscall will result to SIGKILL.
+ */
rc += write(1, text1, LENGTH_OF(text1)) != LENGTH_OF(text1);
}
rc += write(1, text2, LENGTH_OF(text2)) != LENGTH_OF(text2);
return !!syscall(__NR_exit, rc);
-# endif
}
#else
diff --git a/tests/seccomp-strict.test b/tests/seccomp-strict.test
index 62f66b8..b354c6a 100755
--- a/tests/seccomp-strict.test
+++ b/tests/seccomp-strict.test
@@ -3,4 +3,15 @@
# Check how seccomp SECCOMP_SET_MODE_STRICT is decoded.
. "${srcdir=.}/init.sh"
-run_strace_match_diff -e trace=seccomp
+
+set -- "./$NAME"
+"$@" > /dev/null || {
+ case $? in
+ 77) skip_ "$* exited with code 77" ;;
+ 137) framework_skip_ "$* killed by SIGKILL, fix your kernel" ;;
+ *) fail_ "$args failed" ;;
+ esac
+}
+run_strace -eseccomp "$@" > "$EXP"
+match_diff "$LOG" "$EXP"
+rm -f "$EXP"