diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..f7e56b4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,17 @@
+prefix = /usr/local
+bindir = $(prefix)/bin
+CFLAGS = -std=c99 -Wall -Wextra -pedantic
+
+.DEFAULT_GOAL := test
+
+
+clean:
+ rm -f test
+
+test: test.c
+ $(CC) test.c -g $(CFLAGS) -o test
+
+check: test
+ ./test.sh
+
+.PHONY: check
diff --git a/test.c b/test.c
new file mode 100644
index 0000000..9dfad06
--- /dev/null
+++ b/test.c
@@ -0,0 +1,115 @@
+#include "qssb.h"
+#include
+int test_default_main(int argc, char *argv[])
+{
+ struct qssb_policy *policy = qssb_init_policy();
+ int ret = qssb_enable_policy(policy);
+ return ret;
+}
+
+int test_both_syscalls(int argc, char *argv[])
+{
+ struct qssb_policy *policy = qssb_init_policy();
+ int bla[] = { 1,2,3};
+ policy->blacklisted_syscalls = &bla;
+ policy->allowed_syscalls = &bla;
+ int ret = qssb_enable_policy(policy);
+ if(ret != 0)
+ {
+ return 0;
+ }
+ return 1;
+}
+
+int test_seccomp_blacklisted(int argc, char *argv[])
+{
+ struct qssb_policy *policy = qssb_init_policy();
+ int blacklisted[] = { QSSB_SYS(getuid) };
+ policy->blacklisted_syscalls = blacklisted;
+ int ret = qssb_enable_policy(policy);
+ uid_t pid = geteuid();
+ pid = getuid();
+ return 0;
+}
+
+int test_seccomp_blacklisted_call_permitted(int argc, char *argv[])
+{
+ struct qssb_policy *policy = qssb_init_policy();
+ int blacklisted[] = { QSSB_SYS(getuid) };
+ policy->blacklisted_syscalls = blacklisted;
+ int ret = qssb_enable_policy(policy);
+ //geteuid is not blacklisted, so must succeed
+ uid_t pid = geteuid();
+ return 0;
+}
+
+int test_landlock(int argc, char *argv[])
+{
+ struct qssb_policy *policy = qssb_init_policy();
+ qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd");
+ int ret = qssb_enable_policy(policy);
+ int fd = open("/", O_RDONLY | O_CLOEXEC);
+ if(fd < 0)
+ {
+ return 0;
+ }
+ return 1;
+}
+
+int test_landlock_deny_write(int argc, char *argv[])
+{
+ struct qssb_policy *policy = qssb_init_policy();
+ qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/");
+ int ret = qssb_enable_policy(policy);
+ int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
+ if(fd < 0)
+ {
+ return 0;
+ }
+ return 1;
+}
+
+struct dispatcher
+{
+ char *name;
+ int (*f)(int, char **);
+ bool must_exit_zero;
+};
+
+struct dispatcher dispatchers[] = {
+ { "default", &test_default_main, true },
+ { "seccomp-blacklisted", &test_seccomp_blacklisted, false },
+ { "seccomp-blacklisted-permitted", &test_seccomp_blacklisted_call_permitted, true },
+ { "landlock", &test_landlock, true },
+ { "landlock-deny-write", &test_landlock_deny_write, true }
+};
+
+int main(int argc, char *argv[])
+{
+
+ if(argc < 2)
+ {
+ fprintf(stderr, "Usage: %s [testname]\n", argv[0]);
+ return EXIT_FAILURE;
+ }
+ char *test = argv[1];
+ if(strcmp(test, "--dumptests") == 0)
+ {
+ for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
+ {
+ printf("%s:%i\n", dispatchers[i].name, dispatchers[i].must_exit_zero ? 1 : 0);
+ }
+ return EXIT_SUCCESS;
+ }
+
+ for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
+ {
+ struct dispatcher *current = &dispatchers[i];
+ if(strcmp(current->name, test) == 0)
+ {
+ return current->f(argc, argv);
+ }
+ }
+ fprintf(stderr, "Unknown test\n");
+ return EXIT_FAILURE;
+}
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..173faa0
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+function fail()
+{
+ echo -e "${RED}$@${NC}" 1>&2
+ #exit 1
+}
+
+function echogreen()
+{
+ echo -e "${GREEN}$@${NC}"
+}
+
+function runtest()
+{
+ must_exit_zero=$2
+ echo -n "Running $1... "
+ #exit 1 to suppress shell message like "./test.sh: line 18: pid Bad system call"
+ (./test $1 || exit 1) 2> /dev/null
+ ret=$?
+ if [ $must_exit_zero -eq 1 ] ; then
+ if [ $ret -eq 0 ] ; then
+ echogreen "ok"
+ else
+ fail "fail"
+ fi
+ else
+ if [ $ret -eq 0 ] ; then
+ fail "fail"
+ else
+ echogreen "ok"
+ fi
+ fi
+}
+
+for test in $( ./test --dumptests ) ; do
+ testname=$( echo $test | cut -d":" -f1 )
+ must_exit_zero=$( echo "$test" | cut -d":" -f2 )
+ runtest "$testname" $must_exit_zero
+done
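Review bot: `test: test.c` does not list `qssb.h` as a prerequisite even though the header is the code under test, so editing it leaves a stale `./test` binary for `make check`; change the rule to `test: test.c qssb.h`. `clean` should be declared phony alongside `check`, `.PHONY: check clean`, otherwise a stray file named clean silently disables the target. With `.DEFAULT_GOAL := test` a bare `make` only builds and never runs `./test.sh`; if this is meant as the CI entry point, `check` may be the better default goal.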