qssb_append_group_syscall_policy(): Make QSSB_SYSCGROUP_NONE an invalid group

Classify syscalls into groups, for x86_64 only for now.
Up to date for 5.15, generate some #ifndef for syscalls
introduced since 5.10. Only support x86_64 therefore at this point.

Switch from blacklisting to a default whitelist.

Makefile

@@ -0,0 +1,17 @@
+prefix = /usr/local
+bindir = $(prefix)/bin
+CFLAGS = -std=c99 -Wall -Wextra -pedantic
+
+.DEFAULT_GOAL := test
+
+
+clean:
+	rm -f test
+
+test: test.c
+	$(CC) test.c -g $(CFLAGS) -o test
+
+check: test
+	./test.sh
+
+.PHONY: check

README.md

@@ -1,61 +1,57 @@
-qssb.h (quite simple sandbox)
-=============================
-qssb.h is a simple header only library that provides an interface
-to sandbox applications on Linux. Using Seccomp and Linux Namespaces for that
-purpose requires some knowledge of annoying details which this library
-aims to abstract away as much as possible.
+# qssb.h (quite simple sandbox)
+`qssb.h` is a simple header-only library that provides an interface to sandbox processes on Linux. Using Seccomp and Linux Namespaces for that purpose requires some knowledge of annoying details which this library aims to abstract away as much as possible, when reasonable. Hence, the goal is to provide a convenient way for processes to restrict themselves in order to mitigate the effect of exploits. Currently, it utilizes technologies like Seccomp, Namespaces and Landlock to this end. 
 
-Status
-======
-No release yet, API is unstable.
+## Status
+No release yet, expiremental, API is unstable, builds will break on updates of this library. 
 
-Features
-========
-  - Systemcall filtering
-  - restricting file system access
+Currently, it's mainly evolving according to the needs of my other projects. 
+
+## Features
+
+  - Systemcall filtering (using seccomp-bpf)
+  - restricting file system access (using Landlock and/or Namespaces)
   - dropping privileges 
   - isolating the application from the network, etc.
 
-Requirements
-============
+## Requirements
+
 Kernel >=3.17
-sys/capabilities.h header. Depending on your system, libcap
+
+``sys/capabilities.h`` header. Depending on your distribution, libcap
 might be needed for this.
 
+While mostly transparent to users of this API, kernel >= 5.13 is required to take advantage of Landlock.
 
 
-FAQ
-===
 
-Does the process need to be priviliged to utilize the library?
-----------------------------------------------------------------
-No.
+## FAQ
 
-It doesn't work on Debian!
---------------------------
-You can thank a Debian-specific patch for that. In the future,
+
+### Does the process need to be priviliged to utilize the library?
+
+No. 
+
+### It doesn't work on Debian!
+
+You can thank a Debian-specific kernel patch for that. In the future,
 the library may check against that. Execute
-echo 1 > /proc/sys/kernel/unprivileged_userns_clone to disable that
-patch for now.
+`echo 1 > /proc/sys/kernel/unprivileged_userns_clone` to disable that patch for now.
 
-Documentation
-=============
-To be written
-
-Examples
-========
+### Examples
+  - looqs: https://gitea.quitesimple.org/crtxcr/looqs
   - qswiki: https://gitea.quitesimple.org/crtxcr/qswiki
   - cgit sandboxed: https://gitea.quitesimple.org/crtxcr/cgitsb
   - qpdfviewsb sandboxed (quick and dirty): https://gitea.quitesimple.org/crtxcr/qpdfviewsb
 
 
-Contributing
-============
+### Contributing
+
 Contributions are very welcome. Options: 
-1) Pull-Request: github.com/quitesimpleorg/qssb 
-2) Mail to qssb at quitesimple.org with instructions
-on where to pull the changes.
-3) Mailing a classic patch.
+
+1. Pull-Request on [github](https://github.com/quitesimpleorg/qssb.h)
+2. Mail to `qssb at quitesimple.org` with instructions on where to pull the changes from.
+3. Mailing a classic patch/diff to the same address.
+
 
 License
 =======

gengroup.py

@@ -0,0 +1,55 @@
+#!/usr/bin/python
+import sys
+import re
+if len(sys.argv) < 2:
+	print("Usage: gengroup groupfile")
+	sys.exit(1)
+fd = open(sys.argv[1], "r")
+
+lines = fd.read().splitlines()
+
+groupnames = set()
+ifndef = dict()	
+
+def print_ifndefs():
+	for name in ifndef:
+		print("#ifndef __NR_%s" % name)
+		print("#define __NR_%s %s" % (name, ifndef[name]))
+		print("#endif")
+
+def print_defines(names):
+	names = sorted(names)
+	i = 0
+	for name in names:
+		define = "#define %s ((uint64_t)1<<%s)" % (name, i)
+		print(define)
+		i = i + 1
+
+for line in lines:
+	if line[0] == '#':
+		continue
+
+	splitted = line.split(' ')
+	if len(splitted) < 2:
+		print("Misformated line:", line)
+		sys.exit(1)
+
+	currentsyscall = splitted[0]
+	currentgroups = splitted[1].split(',')
+	
+	flags = splitted[2] if len(splitted) > 2 else ""
+	if any( not s or s.isspace() for s in currentgroups ):
+		print("Misformated line (empty values):", line)
+		sys.exit(1)
+	groupnames.update(currentgroups)
+	
+	genifndef = re.match(r"genifndef\((\d+)*\)", flags)
+	if genifndef:
+		ifndef[currentsyscall] = genifndef.groups(1)[0]
+	
+	array_line = "{QSSB_SYS(%s), %s}," % (currentsyscall, '|'.join(currentgroups))
+	print(array_line)
+
+print_ifndefs()
+print_defines(groupnames)
+

grouping_x86-64.txt

@@ -0,0 +1,363 @@
+# Assign system calls to groups. In the future, may also include simple arg filtering.
+read QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+write QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+open QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+close QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+stat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+lstat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+poll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+lseek QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+mmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+mprotect QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+munmap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+brk QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+rt_sigaction QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+rt_sigprocmask QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+rt_sigreturn QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+ioctl QSSB_SYSCGROUP_IOCTL,QSSB_SYSCGROUP_DEFAULT_ALLOW
+pread64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+pwrite64 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+readv QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+writev QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+access QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+pipe QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+select QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+sched_yield QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
+mremap QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+msync QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+mincore QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+madvise QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+shmget QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+shmat QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+shmctl QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+dup QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+dup2 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+pause QSSB_SYSCGROUP_PAUSE,QSSB_SYSCGROUP_DEFAULT_ALLOW
+nanosleep QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
+alarm QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setitimer QSSB_SYSCGROUP_TIMER,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getpid QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+sendfile QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+socket QSSB_SYSCGROUP_SOCKET
+connect QSSB_SYSCGROUP_SOCKET
+accept QSSB_SYSCGROUP_SOCKET
+sendto QSSB_SYSCGROUP_SOCKET
+recvfrom QSSB_SYSCGROUP_SOCKET
+sendmsg QSSB_SYSCGROUP_SOCKET
+recvmsg QSSB_SYSCGROUP_SOCKET
+shutdown QSSB_SYSCGROUP_SOCKET
+bind QSSB_SYSCGROUP_SOCKET
+listen QSSB_SYSCGROUP_SOCKET
+getsockname QSSB_SYSCGROUP_SOCKET
+getpeername QSSB_SYSCGROUP_SOCKET
+socketpair QSSB_SYSCGROUP_SOCKET,QSSB_SYSCGROUP_IPC
+setsockopt QSSB_SYSCGROUP_SOCKET
+getsockopt QSSB_SYSCGROUP_SOCKET
+clone QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
+fork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
+vfork QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW
+execve QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_EXEC
+exit QSSB_SYSCGROUP_PROCESS,QSSB_SYSCGROUP_DEFAULT_ALLOW
+wait4 QSSB_SYSCGROUP_EXEC
+kill QSSB_SYSCGROUP_KILL
+uname QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
+semget QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+semop QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+semctl QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+shmdt QSSB_SYSCGROUP_SHM,QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+msgget QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+msgsnd QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+msgrcv QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+msgctl QSSB_SYSCGROUP_IPC,QSSB_SYSCGROUP_DEFAULT_ALLOW
+fcntl QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+flock QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+fsync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+fdatasync QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+truncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+ftruncate QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+getdents QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+getcwd QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+chdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fchdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+rename QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+mkdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+rmdir QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+creat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+link QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+unlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+symlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+readlink QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+chmod QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fchmod QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+chown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+lchown QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+umask QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW
+gettimeofday QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getrlimit QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getrusage QSSB_SYSCGROUP_RES,QSSB_SYSCGROUP_DEFAULT_ALLOW
+sysinfo QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_DEFAULT_ALLOW
+times QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_DEFAULT_ALLOW
+ptrace QSSB_SYSCGROUP_PTRACE,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+syslog QSSB_SYSCGROUP_SYS
+getgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setuid QSSB_SYSCGROUP_ID
+setgid QSSB_SYSCGROUP_ID
+geteuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getegid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setpgid QSSB_SYSCGROUP_ID
+getppid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getpgrp QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setsid QSSB_SYSCGROUP_ID
+setreuid QSSB_SYSCGROUP_ID
+setregid QSSB_SYSCGROUP_ID
+getgroups QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setgroups QSSB_SYSCGROUP_ID
+setresuid QSSB_SYSCGROUP_ID
+getresuid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setresgid QSSB_SYSCGROUP_ID
+getresgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+getpgid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+setfsuid QSSB_SYSCGROUP_ID
+setfsgid QSSB_SYSCGROUP_ID
+getsid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+capget QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_DEFAULT_ALLOW
+capset QSSB_SYSCGROUP_ID
+rt_sigpending QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+rt_sigtimedwait QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+rt_sigqueueinfo QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+rt_sigsuspend QSSB_SYSCGROUP_RT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+sigaltstack QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
+utime QSSB_SYSCGROUP_TIME,QSSB_SYSCGROUP_FS
+mknod QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_FS
+uselib QSSB_SYSCGROUP_LIB,QSSB_SYSCGROUP_DEFAULT_ALLOW
+personality QSSB_SYSCGROUP_PROCESS
+ustat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
+statfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
+fstatfs QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_FS
+sysfs QSSB_SYSCGROUP_SYS,QSSB_SYSCGROUP_FS
+getpriority QSSB_SYSCGROUP_SCHED
+setpriority QSSB_SYSCGROUP_SCHED
+sched_setparam QSSB_SYSCGROUP_SCHED
+sched_getparam QSSB_SYSCGROUP_SCHED
+sched_setscheduler QSSB_SYSCGROUP_SCHED
+sched_getscheduler QSSB_SYSCGROUP_SCHED
+sched_get_priority_max QSSB_SYSCGROUP_SCHED
+sched_get_priority_min QSSB_SYSCGROUP_SCHED
+sched_rr_get_interval QSSB_SYSCGROUP_SCHED
+mlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+munlock QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+mlockall QSSB_SYSCGROUP_MEMORY
+munlockall QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+vhangup QSSB_SYSCGROUP_TTY
+modify_ldt QSSB_SYSCGROUP_PROCESS
+pivot_root QSSB_SYSCGROUP_CHROOT
+_sysctl QSSB_SYSCGROUP_SYS
+prctl QSSB_SYSCGROUP_PROCESS
+arch_prctl QSSB_SYSCGROUP_PROCESS
+adjtimex QSSB_SYSCGROUP_CLOCK
+setrlimit QSSB_SYSCGROUP_RES
+chroot QSSB_SYSCGROUP_CHROOT,QSSB_SYSCGROUP_FS
+sync QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+acct QSSB_SYSCGROUP_PROCESS
+settimeofday QSSB_SYSCGROUP_TIME
+mount QSSB_SYSCGROUP_MOUNT,QSSB_SYSCGROUP_FS
+umount2 QSSB_SYSCGROUP_UMOUNT,QSSB_SYSCGROUP_FS
+swapon QSSB_SYSCGROUP_SWAP
+swapoff QSSB_SYSCGROUP_SWAP
+reboot QSSB_SYSCGROUP_POWER
+sethostname QSSB_SYSCGROUP_HOST
+setdomainname QSSB_SYSCGROUP_HOST
+iopl QSSB_SYSCGROUP_IOPL
+ioperm QSSB_SYSCGROUP_IOPL
+create_module QSSB_SYSCGROUP_KMOD
+init_module QSSB_SYSCGROUP_KMOD
+delete_module QSSB_SYSCGROUP_KMOD
+get_kernel_syms QSSB_SYSCGROUP_KMOD
+query_module QSSB_SYSCGROUP_KMOD
+quotactl QSSB_SYSCGROUP_QUOTA
+nfsservctl QSSB_SYSCGROUP_NONE
+getpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
+putpmsg QSSB_SYSCGROUP_UNIMPLEMENTED
+afs_syscall QSSB_SYSCGROUP_UNIMPLEMENTED
+tuxcall QSSB_SYSCGROUP_UNIMPLEMENTED
+security QSSB_SYSCGROUP_UNIMPLEMENTED
+gettid QSSB_SYSCGROUP_ID,QSSB_SYSCGROUP_THREAD
+readahead QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
+setxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+lsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+fsetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+getxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+lgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fgetxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+listxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+llistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+flistxattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+removexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+lremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+fremovexattr QSSB_SYSCGROUP_XATTR,QSSB_SYSCGROUP_FS
+tkill QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_SIGNAL
+time QSSB_SYSCGROUP_TIME
+futex QSSB_SYSCGROUP_THREAD,QSSB_SYSCGROUP_FUTEX
+sched_setaffinity QSSB_SYSCGROUP_SCHED
+sched_getaffinity QSSB_SYSCGROUP_SCHED
+set_thread_area QSSB_SYSCGROUP_THREAD
+io_setup QSSB_SYSCGROUP_IO
+io_destroy QSSB_SYSCGROUP_IO
+io_getevents QSSB_SYSCGROUP_IO
+io_submit QSSB_SYSCGROUP_IO
+io_cancel QSSB_SYSCGROUP_IO
+get_thread_area QSSB_SYSCGROUP_THREAD
+lookup_dcookie QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
+epoll_create QSSB_SYSCGROUP_STDIO
+epoll_ctl_old QSSB_SYSCGROUP_STDIO
+epoll_wait_old QSSB_SYSCGROUP_STDIO
+remap_file_pages QSSB_SYSCGROUP_NONE
+getdents64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FS
+set_tid_address QSSB_SYSCGROUP_THREAD
+restart_syscall QSSB_SYSCGROUP_SYSCALL
+semtimedop QSSB_SYSCGROUP_SEM
+fadvise64 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
+timer_create QSSB_SYSCGROUP_TIMER
+timer_settime QSSB_SYSCGROUP_TIMER
+timer_gettime QSSB_SYSCGROUP_TIMER
+timer_getoverrun QSSB_SYSCGROUP_TIMER
+timer_delete QSSB_SYSCGROUP_TIMER
+clock_settime QSSB_SYSCGROUP_TIME
+clock_gettime QSSB_SYSCGROUP_TIME
+clock_getres QSSB_SYSCGROUP_TIME
+clock_nanosleep QSSB_SYSCGROUP_TIME
+exit_group QSSB_SYSCGROUP_EXIT,QSSB_SYSCGROUP_DEFAULT_ALLOW
+epoll_wait QSSB_SYSCGROUP_FD
+epoll_ctl QSSB_SYSCGROUP_FD
+tgkill QSSB_SYSCGROUP_SIGNAL,QSSB_SYSCGROUP_THREAD
+utimes QSSB_SYSCGROUP_PATH
+vserver QSSB_SYSCGROUP_UNIMPLEMENTED
+mbind QSSB_SYSCGROUP_MEMORY
+set_mempolicy QSSB_SYSCGROUP_MEMORY
+get_mempolicy QSSB_SYSCGROUP_MEMORY
+mq_open QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
+mq_unlink QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
+mq_timedsend QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
+mq_timedreceive QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
+mq_notify QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
+mq_getsetattr QSSB_SYSCGROUP_MQ,QSSB_SYSCGROUP_IPC
+kexec_load QSSB_SYSCGROUP_KEXEC
+waitid QSSB_SYSCGROUP_SIGNAL
+add_key QSSB_SYSCGROUP_KEYS
+request_key QSSB_SYSCGROUP_KEYS
+keyctl QSSB_SYSCGROUP_KEYS
+ioprio_set QSSB_SYSCGROUP_PRIO
+ioprio_get QSSB_SYSCGROUP_PRIO
+inotify_init QSSB_SYSCGROUP_INOTIFY
+inotify_add_watch QSSB_SYSCGROUP_INOTIFY
+inotify_rm_watch QSSB_SYSCGROUP_INOTIFY
+migrate_pages QSSB_SYSCGROUP_PROCESS
+openat QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+mkdirat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+mknodat QSSB_SYSCGROUP_DEV,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fchownat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+futimesat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+newfstatat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+unlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+renameat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+linkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+symlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+readlinkat QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+fchmodat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+faccessat QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+pselect6 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+ppoll QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW,QSSB_SYSCGROUP_FS
+unshare QSSB_SYSCGROUP_NS,QSSB_SYSCGROUP_FS
+set_robust_list QSSB_SYSCGROUP_FUTEX
+get_robust_list QSSB_SYSCGROUP_FUTEX
+splice QSSB_SYSCGROUP_FD
+tee QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+sync_file_range QSSB_SYSCGROUP_FD
+vmsplice QSSB_SYSCGROUP_FD
+move_pages QSSB_SYSCGROUP_PROCESS
+utimensat QSSB_SYSCGROUP_PATH
+epoll_pwait QSSB_SYSCGROUP_STDIO
+signalfd QSSB_SYSCGROUP_SIGNAL
+timerfd_create QSSB_SYSCGROUP_TIMER
+eventfd QSSB_SYSCGROUP_FD
+fallocate QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_FD
+timerfd_settime QSSB_SYSCGROUP_TIMER
+timerfd_gettime QSSB_SYSCGROUP_TIMER
+accept4 QSSB_SYSCGROUP_SOCKET
+signalfd4 QSSB_SYSCGROUP_FD
+eventfd2 QSSB_SYSCGROUP_FD
+epoll_create1 QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW
+dup3 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+pipe2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+inotify_init1 QSSB_SYSCGROUP_INOTIFY
+preadv QSSB_SYSCGROUP_STDIO
+pwritev QSSB_SYSCGROUP_STDIO
+rt_tgsigqueueinfo QSSB_SYSCGROUP_RT
+perf_event_open QSSB_SYSCGROUP_PERF
+recvmmsg QSSB_SYSCGROUP_SOCKET
+fanotify_init QSSB_SYSCGROUP_FANOTIFY
+fanotify_mark QSSB_SYSCGROUP_FANOTIFY
+prlimit64 QSSB_SYSCGROUP_RES
+name_to_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
+open_by_handle_at QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_FS
+clock_adjtime QSSB_SYSCGROUP_CLOCK
+syncfs QSSB_SYSCGROUP_FD
+sendmmsg QSSB_SYSCGROUP_SOCKET
+setns QSSB_SYSCGROUP_NS
+getcpu QSSB_SYSCGROUP_SCHED
+#maybe IPC, but feels wrong
+process_vm_readv QSSB_SYSCGROUP_NONE
+process_vm_writev QSSB_SYSCGROUP_NONE
+kcmp QSSB_SYSCGROUP_NONE
+finit_module QSSB_SYSCGROUP_KMOD
+sched_setattr QSSB_SYSCGROUP_SCHED
+sched_getattr QSSB_SYSCGROUP_SCHED,QSSB_SYSCGROUP_DEFAULT_ALLOW
+renameat2 QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW
+seccomp QSSB_SYSCGROUP_NONE
+getrandom QSSB_SYSCGROUP_DEFAULT_ALLOW
+memfd_create QSSB_SYSCGROUP_MEMORY,QSSB_SYSCGROUP_DEFAULT_ALLOW
+kexec_file_load QSSB_SYSCGROUP_KEXEC
+bpf QSSB_SYSCGROUP_NONE
+execveat QSSB_SYSCGROUP_EXEC
+userfaultfd QSSB_SYSCGROUP_NONE
+membarrier QSSB_SYSCGROUP_NONE
+mlock2 QSSB_SYSCGROUP_MEMORY
+copy_file_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_DEFAULT_ALLOW
+preadv2 QSSB_SYSCGROUP_STDIO
+pwritev2 QSSB_SYSCGROUP_STDIO
+#Those are newer than 5.10, wrap them in ifndef so we can compile on old systems
+pkey_mprotect QSSB_SYSCGROUP_PKEY genifndef(329)
+pkey_alloc QSSB_SYSCGROUP_PKEY genifndef(330)
+pkey_free QSSB_SYSCGROUP_PKEY genifndef(331)
+statx QSSB_SYSCGROUP_STAT,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(332)
+io_pgetevents QSSB_SYSCGROUP_NONE genifndef(333)
+rseq QSSB_SYSCGROUP_THREAD genifndef(334)
+pidfd_send_signal QSSB_SYSCGROUP_PIDFD genifndef(424)
+io_uring_setup QSSB_SYSCGROUP_IOURING genifndef(425)
+io_uring_enter QSSB_SYSCGROUP_IOURING genifndef(426)
+io_uring_register QSSB_SYSCGROUP_IOURING genifndef(427)
+open_tree QSSB_SYSCGROUP_NEWMOUNT genifndef(428)
+move_mount QSSB_SYSCGROUP_NEWMOUNT genifndef(429)
+fsopen QSSB_SYSCGROUP_NEWMOUNT genifndef(430)
+fsconfig QSSB_SYSCGROUP_NEWMOUNT genifndef(431)
+fsmount QSSB_SYSCGROUP_NEWMOUNT genifndef(432)
+fspick QSSB_SYSCGROUP_NEWMOUNT genifndef(433)
+pidfd_open QSSB_SYSCGROUP_PIDFD genifndef(434)
+clone3 QSSB_SYSCGROUP_CLONE,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(435)
+close_range QSSB_SYSCGROUP_STDIO,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(436)
+openat2 QSSB_SYSCGROUP_FD,QSSB_SYSCGROUP_PATH,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(437)
+pidfd_getfd QSSB_SYSCGROUP_PIDFD genifndef(438)
+faccessat2 QSSB_SYSCGROUP_PERMS,QSSB_SYSCGROUP_DEFAULT_ALLOW genifndef(439)
+process_madvise QSSB_SYSCGROUP_MEMORY genifndef(440)
+epoll_pwait2 QSSB_SYSCGROUP_STDIO genifndef(441)
+mount_setattr QSSB_SYSCGROUP_NONE genifndef(442)
+quotactl_fd QSSB_SYSCGROUP_QUOTA genifndef(443)
+landlock_create_ruleset QSSB_SYSCGROUP_LANDLOCK genifndef(444)
+landlock_add_rule QSSB_SYSCGROUP_LANDLOCK genifndef(445)
+landlock_restrict_self QSSB_SYSCGROUP_LANDLOCK genifndef(446)
+memfd_secret QSSB_SYSCGROUP_NONE genifndef(447)
+process_mrelease QSSB_SYSCGROUP_NONE genifndef(448)

test.c

@@ -0,0 +1,335 @@
+#include "qssb.h"
+#include <stdbool.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+
+int xqssb_enable_policy(struct qssb_policy *policy)
+{
+	int ret = qssb_enable_policy(policy);
+	if(ret != 0)
+	{
+		fprintf(stderr, "qssb_enable_policy() failed: %i\n", ret);
+		exit(EXIT_FAILURE);
+	}
+	return 0;
+}
+
+int test_default_main()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	int ret = qssb_enable_policy(policy);
+	return ret;
+}
+
+static int test_expected_kill(int (*f)())
+{
+	pid_t pid = fork();
+	if(pid == 0)
+	{
+		return f();
+	}
+	int status = 0;
+	waitpid(pid, &status, 0);
+
+	if(WIFSIGNALED(status))
+	{
+		int c = WTERMSIG(status);
+		if(c == SIGSYS)
+		{
+			printf("Got expected signal\n");
+			return 0;
+		}
+		printf("Unexpected status code: %i\n", c);
+		return 1;
+	}
+	else
+	{
+		int c = WEXITSTATUS(status);
+		printf("Process was not killed, test fails. Status code of exit: %i\n", c);
+		return 1;
+	}
+	return 0;
+}
+
+
+static int test_successful_exit(int (*f)())
+{
+	pid_t pid = fork();
+	if(pid == 0)
+	{
+		return f();
+	}
+	int status = 0;
+	waitpid(pid, &status, 0);
+
+	if(WIFSIGNALED(status))
+	{
+		int c = WTERMSIG(status);
+		printf("Received signal, which was not expected. Signal was: %i\n", c);
+		return 1;
+	}
+	else
+	{
+		int c = WEXITSTATUS(status);
+		if(c != 0)
+		{
+			printf("Process failed to exit properly. Status code is: %i\n", c);
+		}
+		return c;
+	}
+	printf("Process exited sucessfully as expected");
+	return 0;
+}
+
+
+static int do_test_seccomp_blacklisted()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
+	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+	xqssb_enable_policy(policy);
+
+	uid_t pid = geteuid();
+	pid = getuid();
+	return 0;
+
+
+}
+int test_seccomp_blacklisted()
+{
+	return test_expected_kill(&do_test_seccomp_blacklisted);
+}
+
+
+static int do_test_seccomp_blacklisted_call_permitted()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+
+	qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
+	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+	int ret = qssb_enable_policy(policy);
+	//geteuid is not blacklisted, so must succeed
+	uid_t pid = geteuid();
+	return 0;
+}
+
+
+int test_seccomp_blacklisted_call_permitted()
+{
+	return test_successful_exit(&do_test_seccomp_blacklisted_call_permitted);
+}
+
+static int do_test_seccomp_x32_kill()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+
+	qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
+	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+	xqssb_enable_policy(policy);
+
+	/* Attempt to bypass by falling back to x32 should be blocked */
+	syscall(QSSB_SYS(getuid)+__X32_SYSCALL_BIT);
+
+	return 0;
+}
+
+int test_seccomp_x32_kill()
+{
+	return test_expected_kill(&do_test_seccomp_x32_kill);
+}
+
+/* Tests whether seccomp rules end with a policy matching all syscalls */
+int test_seccomp_require_last_matchall()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+
+	qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, QSSB_SYS(getuid));
+
+	int status = qssb_enable_policy(policy);
+	if(status == 0)
+	{
+		printf("Failed. Should not have been enabled!");
+		return 1;
+	}
+	return 0;
+}
+
+static int do_test_seccomp_errno()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+
+	qssb_append_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYS(close));
+	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+	xqssb_enable_policy(policy);
+	uid_t id = getuid();
+
+	int fd = close(0);
+	printf("close() return code: %i, errno: %s\n", fd, strerror(errno));
+	return fd == -1 ? 0 : 1;
+}
+
+
+
+int test_seccomp_errno()
+{
+	return test_successful_exit(&do_test_seccomp_errno);
+}
+
+static int test_seccomp_group()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+
+	qssb_append_group_syscall_policy(policy, QSSB_SYSCALL_DENY_RET_ERROR, QSSB_SYSCGROUP_SOCKET);
+	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+	xqssb_enable_policy(policy);
+
+	int s = socket(AF_INET,SOCK_STREAM,0);
+	if(s != -1)
+	{
+		printf("Failed: socket was expected to return error\n");
+		return 1;
+	}
+	return 0;
+}
+
+int test_landlock()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd");
+	int ret = qssb_enable_policy(policy);
+	int fd = open("/", O_RDONLY | O_CLOEXEC);
+	if(fd < 0)
+	{
+		return 0;
+	}
+	return 1;
+}
+
+int test_landlock_deny_write()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/");
+	int ret = qssb_enable_policy(policy);
+	int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
+	if(fd < 0)
+	{
+		return 0;
+	}
+	return 1;
+}
+
+int test_nofs()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	policy->no_fs = 1;
+
+	int ret = qssb_enable_policy(policy);
+	if(ret != 0)
+	{
+		fprintf(stderr, "Failed to activate nofs sandbox\n");
+		return -1;
+	}
+
+	int s = socket(AF_INET,SOCK_STREAM,0);
+	if(s == -1)
+	{
+		fprintf(stderr, "Failed to open socket but this was not requested by policy\n");
+		return 1;
+	}
+
+	/* Expect seccomp to take care of this */
+	if(open("/test", O_CREAT | O_WRONLY) >= 0)
+	{
+		fprintf(stderr, "Failed: We do not expect write access\n");
+		return 1;
+	}
+
+	return 0;
+}
+
+
+int test_no_new_fds()
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	policy->no_new_fds = 1;
+
+	int ret = qssb_enable_policy(policy);
+	if(ret != 0)
+	{
+		fprintf(stderr, "Failed to activate no_new_fd sandbox\n");
+		return -1;
+	}
+
+	if(open("/tmp/test", O_CREAT | O_WRONLY) >= 0)
+	{
+		fprintf(stderr, "Failed: Could open new file descriptor\n");
+		return -1;
+	}
+
+	int s = socket(AF_INET,SOCK_STREAM,0);
+	if(s >= 0)
+	{
+		fprintf(stderr, "Failed: socket got opened but policy denied\n");
+		return -1;
+	}
+
+	return 0;
+
+}
+
+struct dispatcher
+{
+	char *name;
+	int (*f)();
+};
+
+struct dispatcher dispatchers[] = {
+	{ "default", &test_default_main },
+	{ "seccomp-blacklisted", &test_seccomp_blacklisted},
+	{ "seccomp-blacklisted-permitted", &test_seccomp_blacklisted_call_permitted},
+	{ "seccomp-x32-kill", &test_seccomp_x32_kill},
+	{ "seccomp-require-last-matchall", &test_seccomp_require_last_matchall},
+	{ "seccomp-errno", &test_seccomp_errno},
+	{ "seccomp-group", &test_seccomp_group},
+	{ "landlock", &test_landlock},
+	{ "landlock-deny-write", &test_landlock_deny_write },
+	{ "no_fs", &test_nofs},
+	{ "no_new_fds", &test_no_new_fds}
+};
+
+int main(int argc, char *argv[])
+{
+	if(argc < 2)
+	{
+		fprintf(stderr, "Usage: %s [testname]\n", argv[0]);
+		return EXIT_FAILURE;
+	}
+	char *test = argv[1];
+	if(strcmp(test, "--dumptests") == 0)
+	{
+		for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
+		{
+			printf("%s\n", dispatchers[i].name);
+		}
+		return EXIT_SUCCESS;
+	}
+
+	for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
+	{
+		struct dispatcher *current = &dispatchers[i];
+		if(strcmp(current->name, test) == 0)
+		{
+			return current->f();
+		}
+	}
+	fprintf(stderr, "Unknown test\n");
+	return EXIT_FAILURE;
+}

test.sh

@@ -0,0 +1,77 @@
+#!/bin/sh
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+COUNT_SUCCEEDED=0
+COUNT_FAILED=0
+
+function print_fail()
+{
+	echo -e "${RED}$@${NC}" 1>&2
+}
+
+function print_success()
+{
+	echo -e "${GREEN}$@${NC}"
+}
+
+function runtest_fail()
+{
+	print_fail "failed"
+	COUNT_FAILED=$(($COUNT_FAILED+1))
+}
+
+function runtest_success()
+{
+	print_success "ok"
+	COUNT_SUCCEEDED=$((COUNT_SUCCEEDED+1))
+}
+
+
+function runtest()
+{
+	testname="$1"
+	test_log_file="$2"
+
+	echo "Running: $testname. Date: $(date)" > "${test_log_file}"
+
+	echo -n "Running $1... "
+	#exit $? to suppress shell message like "./test.sh: line 18: pid Bad system call"
+	(./test $1 || exit $?) &>> "${test_log_file}"
+	ret=$?
+	SUCCESS="no"
+	if [ $ret -eq 0 ] ; then
+		runtest_success
+		SUCCESS="yes"
+	else
+		runtest_fail
+	fi
+
+	echo "Finished: ${testname}. Date: $(date). Success: $SUCCESS" >> "${test_log_file}"
+}
+
+GIT_ID=$( git log --pretty="format:%h" -n1 )
+TIMESTAMP=$(date +%s)
+LOG_OUTPUT_DIR=$1
+if [ -z "$LOG_OUTPUT_DIR" ] ; then
+LOG_OUTPUT_DIR="./logs/"
+fi
+
+LOG_OUTPUT_DIR_PATH="${LOG_OUTPUT_DIR}/qssb_test_${GIT_ID}_${TIMESTAMP}"
+[ -d "$LOG_OUTPUT_DIR_PATH" ] || mkdir -p "$LOG_OUTPUT_DIR_PATH"
+
+for test in $( ./test --dumptests ) ; do
+	testname=$( echo $test )
+	runtest "$testname" "${LOG_OUTPUT_DIR_PATH}/log.${testname}"
+done
+echo
+echo "Tests finished. Logs in $(realpath ${LOG_OUTPUT_DIR_PATH})"
+echo "Succeeded: $COUNT_SUCCEEDED"
+echo "Failed: $COUNT_FAILED"
+
+
+if [ $COUNT_FAILED -gt 0 ] ; then
+	exit 1
+fi
+exit 0