test: Add tests for exile_pledge()
このコミットが含まれているのは:
		
							
								
								
									
										49
									
								
								test.c
									
									
									
									
									
								
							
							
						
						
									
										49
									
								
								test.c
									
									
									
									
									
								
							| @@ -347,6 +347,54 @@ int test_seccomp_pledge() | ||||
| 	return 0; | ||||
| } | ||||
|  | ||||
| int test_seccomp_exile_pledge_multiple() | ||||
| { | ||||
|  | ||||
| 	int ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_UNIX | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR); | ||||
| 	if(ret != 0) | ||||
| 	{ | ||||
| 		printf("Failed: exile_pledge() call 1 failed\n"); | ||||
| 		return 1; | ||||
| 	} | ||||
| 	int s = socket(AF_UNIX, SOCK_STREAM, 0); | ||||
| 	if(s == -1) | ||||
| 	{ | ||||
| 		printf("Failed: socket was expected to succeed, but returned %i\n", s); | ||||
| 		return 1; | ||||
| 	} | ||||
|  | ||||
| 	/* Let's take away unix sockets, so it should not be possible anymore */ | ||||
| 	ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR); | ||||
| 	if(ret != 0) | ||||
| 	{ | ||||
| 		printf("Failed: exile_pledge() call 2 failed\n"); | ||||
| 		return 1; | ||||
| 	} | ||||
| 	s = socket(AF_UNIX, SOCK_STREAM, 0); | ||||
| 	if(s != -1) | ||||
| 	{ | ||||
| 		printf("Failed: socket was expected to fail, but returned %i\n", s); | ||||
| 		return 1; | ||||
| 	} | ||||
|  | ||||
| 	/* Let's try to regain unix sockets again */ | ||||
| 	ret = exile_pledge(EXILE_SYSCALL_PLEDGE_STDIO | EXILE_SYSCALL_PLEDGE_UNIX | EXILE_SYSCALL_PLEDGE_SECCOMP_INSTALL | EXILE_SYSCALL_PLEDGE_DENY_ERROR); | ||||
| 	if(ret != 0) | ||||
| 	{ | ||||
| 		printf("Failed: exile_pledge() call 3 failed\n"); | ||||
| 		return 1; | ||||
| 	} | ||||
| 	s = socket(AF_UNIX, SOCK_STREAM, 0); | ||||
| 	if(s != -1) | ||||
| 	{ | ||||
| 		printf("Failed: socket was still expected to fail, but returned %i\n", s); | ||||
| 		return 1; | ||||
| 	} | ||||
|  | ||||
| 	return 0; | ||||
| } | ||||
|  | ||||
|  | ||||
| #if HAVE_LANDLOCK == 1 | ||||
| int test_landlock() | ||||
| { | ||||
| @@ -451,6 +499,7 @@ struct dispatcher dispatchers[] = { | ||||
| 	{ "seccomp-argfilter-filtered", &test_seccomp_argfilter_filtered}, | ||||
| 	{ "seccomp-argfilter-mixed", &test_seccomp_argfilter_mixed}, | ||||
| 	{ "seccomp-pledge", &test_seccomp_pledge}, | ||||
| 	{ "seccomp-pledge-exile_pledge-multi", &test_seccomp_exile_pledge_multiple}, | ||||
| 	{ "landlock", &test_landlock}, | ||||
| 	{ "landlock-deny-write", &test_landlock_deny_write }, | ||||
| 	{ "no_fs", &test_nofs}, | ||||
|   | ||||
		新しいイシューから参照
	
	ユーザーをブロックする