Start implementing tests
Dieser Commit ist enthalten in:
Ursprung
0b13f551f4
Commit
85c01899a9
17
Makefile
Normale Datei
17
Makefile
Normale Datei
@ -0,0 +1,17 @@
|
||||
prefix = /usr/local
|
||||
bindir = $(prefix)/bin
|
||||
CFLAGS = -std=c99 -Wall -Wextra -pedantic
|
||||
|
||||
.DEFAULT_GOAL := test
|
||||
|
||||
|
||||
clean:
|
||||
rm -f test
|
||||
|
||||
test: test.c
|
||||
$(CC) test.c -g $(CFLAGS) -o test
|
||||
|
||||
check: test
|
||||
./test.sh
|
||||
|
||||
.PHONY: check
|
115
test.c
Normale Datei
115
test.c
Normale Datei
@ -0,0 +1,115 @@
|
||||
#include "qssb.h"
|
||||
#include <stdbool.h>
|
||||
int test_default_main(int argc, char *argv[])
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
int ret = qssb_enable_policy(policy);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int test_both_syscalls(int argc, char *argv[])
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
int bla[] = { 1,2,3};
|
||||
policy->blacklisted_syscalls = &bla;
|
||||
policy->allowed_syscalls = &bla;
|
||||
int ret = qssb_enable_policy(policy);
|
||||
if(ret != 0)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int test_seccomp_blacklisted(int argc, char *argv[])
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
int blacklisted[] = { QSSB_SYS(getuid) };
|
||||
policy->blacklisted_syscalls = blacklisted;
|
||||
int ret = qssb_enable_policy(policy);
|
||||
uid_t pid = geteuid();
|
||||
pid = getuid();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int test_seccomp_blacklisted_call_permitted(int argc, char *argv[])
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
int blacklisted[] = { QSSB_SYS(getuid) };
|
||||
policy->blacklisted_syscalls = blacklisted;
|
||||
int ret = qssb_enable_policy(policy);
|
||||
//geteuid is not blacklisted, so must succeed
|
||||
uid_t pid = geteuid();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int test_landlock(int argc, char *argv[])
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd");
|
||||
int ret = qssb_enable_policy(policy);
|
||||
int fd = open("/", O_RDONLY | O_CLOEXEC);
|
||||
if(fd < 0)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int test_landlock_deny_write(int argc, char *argv[])
|
||||
{
|
||||
struct qssb_policy *policy = qssb_init_policy();
|
||||
qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/");
|
||||
int ret = qssb_enable_policy(policy);
|
||||
int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
|
||||
if(fd < 0)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct dispatcher
|
||||
{
|
||||
char *name;
|
||||
int (*f)(int, char **);
|
||||
bool must_exit_zero;
|
||||
};
|
||||
|
||||
struct dispatcher dispatchers[] = {
|
||||
{ "default", &test_default_main, true },
|
||||
{ "seccomp-blacklisted", &test_seccomp_blacklisted, false },
|
||||
{ "seccomp-blacklisted-permitted", &test_seccomp_blacklisted_call_permitted, true },
|
||||
{ "landlock", &test_landlock, true },
|
||||
{ "landlock-deny-write", &test_landlock_deny_write, true }
|
||||
};
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
|
||||
if(argc < 2)
|
||||
{
|
||||
fprintf(stderr, "Usage: %s [testname]\n", argv[0]);
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
char *test = argv[1];
|
||||
if(strcmp(test, "--dumptests") == 0)
|
||||
{
|
||||
for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
|
||||
{
|
||||
printf("%s:%i\n", dispatchers[i].name, dispatchers[i].must_exit_zero ? 1 : 0);
|
||||
}
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
|
||||
for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
|
||||
{
|
||||
struct dispatcher *current = &dispatchers[i];
|
||||
if(strcmp(current->name, test) == 0)
|
||||
{
|
||||
return current->f(argc, argv);
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "Unknown test\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
43
test.sh
Ausführbare Datei
43
test.sh
Ausführbare Datei
@ -0,0 +1,43 @@
|
||||
#!/bin/sh
|
||||
GREEN='\033[0;32m'
|
||||
RED='\033[0;31m'
|
||||
NC='\033[0m'
|
||||
|
||||
function fail()
|
||||
{
|
||||
echo -e "${RED}$@${NC}" 1>&2
|
||||
#exit 1
|
||||
}
|
||||
|
||||
function echogreen()
|
||||
{
|
||||
echo -e "${GREEN}$@${NC}"
|
||||
}
|
||||
|
||||
function runtest()
|
||||
{
|
||||
must_exit_zero=$2
|
||||
echo -n "Running $1... "
|
||||
#exit 1 to suppress shell message like "./test.sh: line 18: pid Bad system call"
|
||||
(./test $1 || exit 1) 2> /dev/null
|
||||
ret=$?
|
||||
if [ $must_exit_zero -eq 1 ] ; then
|
||||
if [ $ret -eq 0 ] ; then
|
||||
echogreen "ok"
|
||||
else
|
||||
fail "fail"
|
||||
fi
|
||||
else
|
||||
if [ $ret -eq 0 ] ; then
|
||||
fail "fail"
|
||||
else
|
||||
echogreen "ok"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
for test in $( ./test --dumptests ) ; do
|
||||
testname=$( echo $test | cut -d":" -f1 )
|
||||
must_exit_zero=$( echo "$test" | cut -d":" -f2 )
|
||||
runtest "$testname" $must_exit_zero
|
||||
done
|
Laden…
In neuem Issue referenzieren
Einen Benutzer sperren