test: Add tests for exile_pledge()

This commit is contained in:
Albert S. 2021-12-27 12:00:31 +01:00
parent bcab0377f1
commit 77adf09d34

49
test.c
Vedi File

@ -347,6 +347,54 @@ int test_seccomp_pledge()
return 0;
}
int test_seccomp_exile_pledge_multiple()
{
int ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_UNIX | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR);
if(ret != 0)
{
printf("Failed: exile_pledge() call 1 failed\n");
return 1;
}
int s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s == -1)
{
printf("Failed: socket was expected to succeed, but returned %i\n", s);
return 1;
}
/* Let's take away unix sockets, so it should not be possible anymore */
ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR);
if(ret != 0)
{
printf("Failed: exile_pledge() call 2 failed\n");
return 1;
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s != -1)
{
printf("Failed: socket was expected to fail, but returned %i\n", s);
return 1;
}
/* Let's try to regain unix sockets again */
ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_UNIX | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR);
if(ret != 0)
{
printf("Failed: exile_pledge() call 3 failed\n");
return 1;
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if(s != -1)
{
printf("Failed: socket was still expected to fail, but returned %i\n", s);
return 1;
}
return 0;
}
#if HAVE_LANDLOCK == 1
int test_landlock()
{
@ -451,6 +499,7 @@ struct dispatcher dispatchers[] = {
{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered},
{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed},
{ "seccomp-pledge", &test_seccomp_pledge},
{ "seccomp-pledge-exile_pledge-multi", &test_seccomp_exile_pledge_multiple},
{ "landlock", &test_landlock},
{ "landlock-deny-write", &test_landlock_deny_write },
{ "no_fs", &test_nofs},