Start implementing tests

Makefile

@@ -0,0 +1,17 @@
+prefix = /usr/local
+bindir = $(prefix)/bin
+CFLAGS = -std=c99 -Wall -Wextra -pedantic
+
+.DEFAULT_GOAL := test
+
+
+clean:
+	rm -f test
+
+test: test.c
+	$(CC) test.c -g $(CFLAGS) -o test
+
+check: test
+	./test.sh
+
+.PHONY: check

test.c

@@ -0,0 +1,115 @@
+#include "qssb.h"
+#include <stdbool.h>
+int test_default_main(int argc, char *argv[])
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	int ret = qssb_enable_policy(policy);
+	return ret;
+}
+
+int test_both_syscalls(int argc, char *argv[])
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	int bla[] = { 1,2,3};
+	policy->blacklisted_syscalls = &bla;
+	policy->allowed_syscalls = &bla;
+	int ret = qssb_enable_policy(policy);
+	if(ret != 0)
+	{
+		return 0;
+	}
+	return 1;
+}
+
+int test_seccomp_blacklisted(int argc, char *argv[])
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	int blacklisted[] = { QSSB_SYS(getuid) };
+	policy->blacklisted_syscalls = blacklisted;
+	int ret = qssb_enable_policy(policy);
+	uid_t pid = geteuid();
+	pid = getuid();
+	return 0;
+}
+
+int test_seccomp_blacklisted_call_permitted(int argc, char *argv[])
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	int blacklisted[] = { QSSB_SYS(getuid) };
+	policy->blacklisted_syscalls = blacklisted;
+	int ret = qssb_enable_policy(policy);
+	//geteuid is not blacklisted, so must succeed
+	uid_t pid = geteuid();
+	return 0;
+}
+
+int test_landlock(int argc, char *argv[])
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/proc/self/fd");
+	int ret = qssb_enable_policy(policy);
+	int fd = open("/", O_RDONLY | O_CLOEXEC);
+	if(fd < 0)
+	{
+		return 0;
+	}
+	return 1;
+}
+
+int test_landlock_deny_write(int argc, char *argv[])
+{
+	struct qssb_policy *policy = qssb_init_policy();
+	qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ, "/tmp/");
+	int ret = qssb_enable_policy(policy);
+	int fd = open("/tmp/a", O_WRONLY | O_CLOEXEC);
+	if(fd < 0)
+	{
+		return 0;
+	}
+	return 1;
+}
+
+struct dispatcher
+{
+	char *name;
+	int (*f)(int, char **);
+	bool must_exit_zero;
+};
+
+struct dispatcher dispatchers[] = {
+	{ "default", &test_default_main, true },
+	{ "seccomp-blacklisted", &test_seccomp_blacklisted, false },
+	{ "seccomp-blacklisted-permitted", &test_seccomp_blacklisted_call_permitted, true },
+	{ "landlock", &test_landlock, true },
+	{ "landlock-deny-write", &test_landlock_deny_write, true }
+};
+
+int main(int argc, char *argv[])
+{
+
+	if(argc < 2)
+	{
+		fprintf(stderr, "Usage: %s [testname]\n", argv[0]);
+		return EXIT_FAILURE;
+	}
+	char *test = argv[1];
+	if(strcmp(test, "--dumptests") == 0)
+	{
+		for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
+		{
+			printf("%s:%i\n", dispatchers[i].name, dispatchers[i].must_exit_zero ? 1 : 0);
+		}
+		return EXIT_SUCCESS;
+	}
+
+	for(unsigned int i = 0; i < sizeof(dispatchers)/sizeof(dispatchers[0]); i++)
+	{
+		struct dispatcher *current = &dispatchers[i];
+		if(strcmp(current->name, test) == 0)
+		{
+			return current->f(argc, argv);
+		}
+	}
+	fprintf(stderr, "Unknown test\n");
+	return EXIT_FAILURE;
+}

test.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+function fail()
+{
+	echo -e "${RED}$@${NC}" 1>&2
+	#exit 1
+}
+
+function echogreen()
+{
+	echo -e "${GREEN}$@${NC}"
+}
+
+function runtest()
+{
+	must_exit_zero=$2
+	echo -n "Running $1... "
+	#exit 1 to suppress shell message like "./test.sh: line 18: pid Bad system call"
+	(./test $1 || exit 1) 2> /dev/null
+	ret=$?
+	if [ $must_exit_zero -eq 1 ] ; then
+		if [ $ret -eq 0 ] ; then
+			echogreen "ok"
+		else
+			fail "fail"
+		fi
+	else
+		if [ $ret -eq 0 ] ; then
+			fail "fail"
+		else
+			echogreen "ok"
+		fi
+	fi
+}
+
+for test in $( ./test --dumptests ) ; do
+	testname=$( echo $test | cut -d":" -f1 )
+	must_exit_zero=$( echo "$test" | cut -d":" -f2 )
+	runtest "$testname" $must_exit_zero
+done