File: | build-scan/../src/test/test-seccomp.c |
Warning: | line 760, column 17 Value stored to 'k' is never read |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | |
3 | #include <poll.h> |
4 | #include <sched.h> |
5 | #include <stdlib.h> |
6 | #include <sys/eventfd.h> |
7 | #include <sys/mman.h> |
8 | #include <sys/personality.h> |
9 | #include <sys/shm.h> |
10 | #include <sys/types.h> |
11 | #include <unistd.h> |
12 | |
13 | #include "alloc-util.h" |
14 | #include "fd-util.h" |
15 | #include "macro.h" |
16 | #include "missing.h" |
17 | #include "nsflags.h" |
18 | #include "process-util.h" |
19 | #include "raw-clone.h" |
20 | #include "rm-rf.h" |
21 | #include "seccomp-util.h" |
22 | #include "set.h" |
23 | #include "string-util.h" |
24 | #include "umask-util.h" |
25 | #include "util.h" |
26 | #include "virt.h" |
27 | |
#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
 * and we can't restrict it hence via seccomp. The address-family test checks this flag and, when
 * it is set, expects socket() to keep succeeding after the restriction was requested. */
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
#else
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
#endif
35 | |
/* Round-trips the native seccomp architecture: id -> name -> id must give back the same id. */
static void test_seccomp_arch_to_string(void) {
        uint32_t a = seccomp_arch_native(), b;
        const char *name;

        /* The asserted expressions are kept verbatim, because assert_se() logs their text on failure. */
        assert_se(a > 0);

        name = seccomp_arch_to_string(a);
        assert_se(name);

        /* Parsing the name again has to succeed and land on the id we started from. */
        assert_se(seccomp_arch_from_string(name, &b) >= 0);
        assert_se(a == b);
}
47 | |
/* Checks that every architecture name listed here parses to a seccomp architecture id and that
 * the id maps back to the very same name. */
static void test_architecture_table(void) {
        static const char *const names[] = {
                "native",
                "x86",
                "x86-64",
                "x32",
                "arm",
                "arm64",
                "mips",
                "mips64",
                "mips64-n32",
                "mips-le",
                "mips64-le",
                "mips64-le-n32",
                "ppc",
                "ppc64",
                "ppc64-le",
                "s390",
                "s390x",
                NULL, /* sentinel that ends the walk below */
        };
        const char *const *p;

        for (p = names; *p; p++) {
                const char *n = *p, *n2;
                uint32_t c;

                /* name -> id */
                assert_se(seccomp_arch_from_string(n, &c) >= 0);

                /* id -> name, logged so a mismatch is easy to spot in the test output */
                n2 = seccomp_arch_to_string(c);
                log_info("seccomp-arch: %s → 0x%"PRIx32" → %s", n, c, n2);
                assert_se(streq_ptr(n, n2));
        }
}
77 | |
/* Exercises syscall_filter_set_find(): NULL, the empty string and unknown names must yield no
 * set, while known "@" group names must resolve to the matching syscall_filter_sets[] entry. */
static void test_syscall_filter_set_find(void) {
        /* Lookups that must fail, including an unknown name that carries the "@" prefix */
        assert_se(!syscall_filter_set_find(NULL));
        assert_se(!syscall_filter_set_find(""));
        assert_se(!syscall_filter_set_find("quux"));
        assert_se(!syscall_filter_set_find("@quux"));

        /* Known groups must resolve to the table slot indexed by their SYSCALL_FILTER_SET_* constant */
        assert_se(syscall_filter_set_find("@clock") == syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK);
        assert_se(syscall_filter_set_find("@default") == syscall_filter_sets + SYSCALL_FILTER_SET_DEFAULT);
        assert_se(syscall_filter_set_find("@raw-io") == syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO);
}
88 | |
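/* Loads every predefined syscall filter set in a forked child and probes the result with
 * eventfd(). The filter is configured to answer denied calls with EUCLEAN, so seeing that errno
 * on eventfd() shows the denial came from the filter. Needs seccomp support and root; otherwise
 * the test is skipped, and the skip is logged. */
static void test_filter_sets(void) {
        unsigned i;
        int r;

        /* Log the skip: a silent return would make a run without seccomp or root look like
         * the filters had been verified. */
        if (!is_seccomp_available()) {
                log_notice("Seccomp not available, skipping %s", __func__);
                return;
        }
        if (geteuid() != 0) {
                log_notice("Not root, skipping %s", __func__);
                return;
        }

        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
                pid_t pid;

                log_info("Testing %s", syscall_filter_sets[i].name);

                /* One child per set: the filter is loaded inside the child only, so the parent
                 * and the following iterations keep running unfiltered. */
                pid = fork();
                assert_se(pid >= 0);

                if (pid == 0) { /* Child? */
                        int fd;

                        /* If we look at the default set (or one that includes it), whitelist instead of blacklist */
                        if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE))
                                r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
                        else
                                r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
                        if (r < 0)
                                _exit(EXIT_FAILURE);

                        /* Test the syscall filter with one random system call */
                        fd = eventfd(0, EFD_NONBLOCK|EFD_CLOEXEC);

                        /* eventfd() is expected to be denied in exactly two cases: when the I/O event
                         * set is blacklisted, and when only the default set is whitelisted. */
                        if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT))
                                assert_se(fd < 0 && errno == EUCLEAN);
                        else {
                                assert_se(fd >= 0);
                                safe_close(fd);
                        }

                        _exit(EXIT_SUCCESS);
                }

                /* A failed assertion or a failed filter load in the child surfaces here as a non-zero status. */
                assert_se(wait_for_terminate_and_check(syscall_filter_sets[i].name, pid, WAIT_LOG) == EXIT_SUCCESS);
        }
}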
132 | |
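/* Two parts. First, namespace_flags_to_string() and namespace_flags_from_string() are checked
 * against each other; this part needs no privileges. Second, in a forked child,
 * seccomp_restrict_namespaces() is applied with only the mount and network namespaces left
 * permitted, and unshare(), setns() and raw_clone() are checked to fail with EPERM for every
 * other namespace type. The second part needs seccomp support and root; otherwise it is skipped,
 * and the skip is logged. */
static void test_restrict_namespace(void) {
        char *s = NULL;
        unsigned long ul;
        pid_t pid;

        /* Flags -> string. mfree() frees the string and returns NULL, so s is reset for the next call. */
        assert_se(namespace_flags_to_string(0, &s) == 0 && streq(s, ""));
        s = mfree(s);
        assert_se(namespace_flags_to_string(CLONE_NEWNS, &s) == 0 && streq(s, "mnt"));
        s = mfree(s);
        assert_se(namespace_flags_to_string(CLONE_NEWNS|CLONE_NEWIPC, &s) == 0 && streq(s, "ipc mnt"));
        s = mfree(s);
        assert_se(namespace_flags_to_string(CLONE_NEWCGROUP, &s) == 0 && streq(s, "cgroup"));
        s = mfree(s);

        /* String -> flags; NULL and the empty string both mean "no namespaces" */
        assert_se(namespace_flags_from_string("mnt", &ul) == 0 && ul == CLONE_NEWNS);
        assert_se(namespace_flags_from_string(NULL, &ul) == 0 && ul == 0);
        assert_se(namespace_flags_from_string("", &ul) == 0 && ul == 0);
        assert_se(namespace_flags_from_string("uts", &ul) == 0 && ul == CLONE_NEWUTS);
        assert_se(namespace_flags_from_string("mnt uts ipc", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC));

        /* Round trips in both directions */
        assert_se(namespace_flags_to_string(CLONE_NEWUTS, &s) == 0 && streq(s, "uts"));
        assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == CLONE_NEWUTS);
        s = mfree(s);
        assert_se(namespace_flags_from_string("ipc", &ul) == 0 && ul == CLONE_NEWIPC);
        assert_se(namespace_flags_to_string(ul, &s) == 0 && streq(s, "ipc"));
        s = mfree(s);

        assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0);
        assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
        assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
        s = mfree(s);

        /* Log the skip: a silent return would make a run without seccomp or root look like
         * the namespace restriction had been verified. */
        if (!is_seccomp_available()) {
                log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
                return;
        }
        if (geteuid() != 0) {
                log_notice("Not root, skipping remaining tests in %s", __func__);
                return;
        }

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {

                /* From here on only the mount and network namespaces remain permitted */
                assert_se(seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0);

                /* unshare(): a request naming any non-permitted type is refused, also when it is
                 * combined with a permitted one. errno is checked right after each failing call. */
                assert_se(unshare(CLONE_NEWNS) == 0);
                assert_se(unshare(CLONE_NEWNET) == 0);
                assert_se(unshare(CLONE_NEWUTS) == -1);
                assert_se(errno == EPERM);
                assert_se(unshare(CLONE_NEWIPC) == -1);
                assert_se(errno == EPERM);
                assert_se(unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1);
                assert_se(errno == EPERM);

                /* We use fd 0 (stdin) here, which is not a namespace fd. For the permitted types the call
                 * therefore reaches the kernel and fails with EINVAL. For every other type the seccomp
                 * filter hits first and makes the call return EPERM. */
                assert_se(setns(0, CLONE_NEWNS) == -1);
                assert_se(errno == EINVAL);
                assert_se(setns(0, CLONE_NEWNET) == -1);
                assert_se(errno == EINVAL);
                assert_se(setns(0, CLONE_NEWUTS) == -1);
                assert_se(errno == EPERM);
                assert_se(setns(0, CLONE_NEWIPC) == -1);
                assert_se(errno == EPERM);
                assert_se(setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1);
                assert_se(errno == EPERM);
                /* nstype 0 places no constraint on the namespace type, and is asserted to be refused too */
                assert_se(setns(0, 0) == -1);
                assert_se(errno == EPERM);

                /* raw_clone(): same expectations. For the permitted types a grandchild is created
                 * and exits right away; it is not waited for here. */
                pid = raw_clone(CLONE_NEWNS);
                assert_se(pid >= 0);
                if (pid == 0)
                        _exit(EXIT_SUCCESS);
                pid = raw_clone(CLONE_NEWNET);
                assert_se(pid >= 0);
                if (pid == 0)
                        _exit(EXIT_SUCCESS);
                pid = raw_clone(CLONE_NEWUTS);
                assert_se(pid < 0);
                assert_se(errno == EPERM);
                pid = raw_clone(CLONE_NEWIPC);
                assert_se(pid < 0);
                assert_se(errno == EPERM);
                pid = raw_clone(CLONE_NEWNET|CLONE_NEWUTS);
                assert_se(pid < 0);
                assert_se(errno == EPERM);

                _exit(EXIT_SUCCESS);
        }

        /* A failed assertion in the child surfaces here as a non-zero status. */
        assert_se(wait_for_terminate_and_check("nsseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
}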
224 | |
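/* Verifies in a forked child that seccomp_protect_sysctl() makes the legacy _sysctl() syscall
 * fail with EPERM. Needs seccomp support and root and is not run inside a container; every skip
 * is logged. On builds where __NR__sysctl is not defined, only the filter installation itself
 * is checked. */
static void test_protect_sysctl(void) {
        pid_t pid;

        /* Log the skip: a silent return would make a run without seccomp or root look like
         * the sysctl protection had been verified. */
        if (!is_seccomp_available()) {
                log_notice("Seccomp not available, skipping %s", __func__);
                return;
        }
        if (geteuid() != 0) {
                log_notice("Not root, skipping %s", __func__);
                return;
        }

        if (detect_container() > 0) { /* in containers _sysctl() is likely missing anyway */
                log_notice("Testing in container, skipping %s", __func__);
                return;
        }

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
#if defined __NR__sysctl && __NR__sysctl >= 0
                /* Baseline before the filter is installed: the call must fail for a reason other than
                 * EPERM. A NULL argument gives EFAULT where the kernel implements _sysctl(); a kernel
                 * built without the syscall answers ENOSYS, which is accepted as well. */
                assert_se(syscall(__NR__sysctl, NULL) < 0);
                assert_se(IN_SET(errno, EFAULT, ENOSYS));
#endif

                assert_se(seccomp_protect_sysctl() >= 0);

#if defined __NR__sysctl && __NR__sysctl >= 0
                /* With the filter in place the call must be refused with EPERM */
                assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
                assert_se(errno == EPERM);
#endif

                _exit(EXIT_SUCCESS);
        }

        /* A failed assertion in the child surfaces here as a non-zero status. */
        assert_se(wait_for_terminate_and_check("sysctlseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
}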
257 | |
/* Exercises seccomp_restrict_address_families() in a forked child, so the
 * filters never affect the test runner itself. Two filters are loaded one
 * after the other: { AF_UNIX } with "false" as second argument, then
 * { AF_INET } with "true". The assertions expect the first call to block
 * AF_UNIX only and the second to leave AF_INET as the only usable family.
 *
 * On architectures where SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN is set
 * (socket() goes through the socketcall() multiplexer) the test expects every
 * socket() call to keep succeeding, i.e. it records that the restriction
 * provides no confinement there. */
static void test_restrict_address_families(void) {
        pid_t pid;

        /* Skipped without seccomp support or when not running as root. */
        if (!is_seccomp_available() || geteuid() != 0)
                return;

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                static const int baseline[] = { AF_INET, AF_UNIX, AF_NETLINK };
                Set *s;
                int fd;

                /* Baseline: before any filter is loaded all three families work. */
                for (size_t i = 0; i < sizeof(baseline) / sizeof(baseline[0]); i++) {
                        fd = socket(baseline[i], SOCK_DGRAM, 0);
                        assert_se(fd >= 0);
                        safe_close(fd);
                }

                /* s is not freed explicitly; the child leaves through _exit(). */
                assert_se(s = set_new(NULL));
                assert_se(set_put(s, INT_TO_PTR(AF_UNIX)) >= 0);

                /* First filter: AF_UNIX is the only family expected to be refused. */
                assert_se(seccomp_restrict_address_families(s, false) >= 0);

                fd = socket(AF_INET, SOCK_DGRAM, 0);
                assert_se(fd >= 0);
                safe_close(fd);

                fd = socket(AF_UNIX, SOCK_DGRAM, 0);
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
                assert_se(fd >= 0);
                safe_close(fd);
#else
                assert_se(fd < 0);
                assert_se(errno == EAFNOSUPPORT);
#endif

                fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
                assert_se(fd >= 0);
                safe_close(fd);

                set_clear(s);

                assert_se(set_put(s, INT_TO_PTR(AF_INET)) >= 0);

                /* Second filter, loaded on top of the first: only AF_INET is
                 * expected to remain usable. */
                assert_se(seccomp_restrict_address_families(s, true) >= 0);

                fd = socket(AF_INET, SOCK_DGRAM, 0);
                assert_se(fd >= 0);
                safe_close(fd);

                fd = socket(AF_UNIX, SOCK_DGRAM, 0);
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
                assert_se(fd >= 0);
                safe_close(fd);
#else
                assert_se(fd < 0);
                assert_se(errno == EAFNOSUPPORT);
#endif

                fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
                assert_se(fd >= 0);
                safe_close(fd);
#else
                assert_se(fd < 0);
                assert_se(errno == EAFNOSUPPORT);
#endif

                _exit(EXIT_SUCCESS);
        }

        /* A failed assertion in the child surfaces here as a non-zero status. */
        assert_se(wait_for_terminate_and_check("socketseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
}
340 | |
/* Exercises seccomp_restrict_realtime() in a forked child. Before the filter
 * is loaded every scheduling policy tried here can be selected; afterwards
 * SCHED_IDLE, SCHED_BATCH and SCHED_OTHER must still work, while SCHED_FIFO
 * and SCHED_RR must fail with EPERM. */
static void test_restrict_realtime(void) {
        pid_t pid;

        /* Skipped without seccomp support or when not running as root. */
        if (!is_seccomp_available() || geteuid() != 0)
                return;

        /* in containers RT privs are likely missing anyway */
        if (detect_container() > 0)
                return;

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                /* Baseline: the realtime policies are reachable without the filter,
                 * so a later EPERM can be attributed to seccomp. */
                assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) >= 0);
                assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) >= 0);
                assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0);
                assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0);
                assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0);

                assert_se(seccomp_restrict_realtime() >= 0);

                /* The non-realtime policies stay available ... */
                assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0);
                assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0);
                assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0);

                /* ... and the realtime ones are refused. */
                assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) < 0);
                assert_se(errno == EPERM);
                assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) < 0);
                assert_se(errno == EPERM);

                _exit(EXIT_SUCCESS);
        }

        /* A failed assertion in the child surfaces here as a non-zero status. */
        assert_se(wait_for_terminate_and_check("realtimeseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
}
378 | |
/* Exercises seccomp_memory_deny_write_execute() against mmap() in a forked
 * child. A writable+executable anonymous mapping must succeed before the
 * filter is loaded and fail with EPERM afterwards on the architectures listed
 * in the #if below; a writable+readable mapping must keep working throughout.
 *
 * On every other architecture the test expects the W+X mapping to still
 * succeed, so there it records that this path is not blocked rather than
 * checking enforcement. */
static void test_memory_deny_write_execute_mmap(void) {
        pid_t pid;

        /* Skipped without seccomp support or when not running as root. */
        if (!is_seccomp_available() || geteuid() != 0)
                return;

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                void *p;

                /* Baseline: both kinds of mapping work without the filter. */
                p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
                assert_se(p != MAP_FAILED);
                assert_se(munmap(p, page_size()) >= 0);

                p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
                assert_se(p != MAP_FAILED);
                assert_se(munmap(p, page_size()) >= 0);

                assert_se(seccomp_memory_deny_write_execute() >= 0);

                p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
                assert_se(p == MAP_FAILED);
                assert_se(errno == EPERM);
#else /* unknown architectures */
                assert_se(p != MAP_FAILED);
                assert_se(munmap(p, page_size()) >= 0);
#endif

                /* Mappings that are not executable must be unaffected by the filter. */
                p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
                assert_se(p != MAP_FAILED);
                assert_se(munmap(p, page_size()) >= 0);

                _exit(EXIT_SUCCESS);
        }

        /* A failed assertion in the child surfaces here as a non-zero status. */
        assert_se(wait_for_terminate_and_check("memoryseccomp-mmap", pid, WAIT_LOG) == EXIT_SUCCESS);
}
421 | |
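/* Exercises seccomp_memory_deny_write_execute() against shmat() in a forked
 * child. Attaching the segment with SHM_EXEC must succeed before the filter is
 * loaded and fail with EPERM afterwards on the architectures listed in the #if
 * below; a plain attach must keep working throughout.
 *
 * On the remaining architectures (the #else comment names __i386__ and
 * __powerpc64__) the test expects the SHM_EXEC attach to still succeed, so
 * there it records that this path is not blocked rather than checking
 * enforcement. */
static void test_memory_deny_write_execute_shmat(void) {
        int shmid, r, k;
        pid_t pid;

        /* Skipped without seccomp support or when not running as root. */
        if (!is_seccomp_available())
                return;
        if (geteuid() != 0)
                return;

        /* Created in the parent, before fork(), so the child inherits the id. */
        shmid = shmget(IPC_PRIVATE, page_size(), 0);
        assert_se(shmid >= 0);

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                void *p;

                /* Baseline: plain and SHM_EXEC attaches both work without the filter. */
                p = shmat(shmid, NULL, 0);
                assert_se(p != MAP_FAILED);
                assert_se(shmdt(p) == 0);

                p = shmat(shmid, NULL, SHM_EXEC);
                assert_se(p != MAP_FAILED);
                assert_se(shmdt(p) == 0);

                assert_se(seccomp_memory_deny_write_execute() >= 0);

                p = shmat(shmid, NULL, SHM_EXEC);
#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
                assert_se(p == MAP_FAILED);
                assert_se(errno == EPERM);
#else /* __i386__, __powerpc64__, and "unknown" architectures */
                assert_se(p != MAP_FAILED);
                assert_se(shmdt(p) == 0);
#endif

                /* Non-executable attaches must be unaffected by the filter. */
                p = shmat(shmid, NULL, 0);
                assert_se(p != MAP_FAILED);
                assert_se(shmdt(p) == 0);

                _exit(EXIT_SUCCESS);
        }

        r = wait_for_terminate_and_check("memoryseccomp-shmat", pid, WAIT_LOG);

        /* System V segments outlive the processes that created them, so without an
         * explicit IPC_RMID every run of this test would leave one behind. Remove
         * it before checking the child's status, so that a failing child does not
         * skip the cleanup. */
        k = shmctl(shmid, IPC_RMID, NULL);

        assert_se(r == EXIT_SUCCESS);
        assert_se(k >= 0);
}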
468 | |
/* Exercises seccomp_restrict_archs() in a forked child: once with a set that,
 * on x86-64, holds SCMP_ARCH_X86 (and is empty elsewhere), and once with NULL.
 * After each call access("/") must still succeed.
 *
 * NOTE(review): only the positive path is asserted here; nothing in this test
 * checks that a system call made through a non-permitted ABI is refused. */
static void test_restrict_archs(void) {
        pid_t pid;

        /* Skipped without seccomp support or when not running as root. */
        if (!is_seccomp_available() || geteuid() != 0)
                return;

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                _cleanup_set_free_ Set *s = NULL;

                /* Baseline: the probe system call works before any filter. */
                assert_se(access("/", F_OK) >= 0);

                assert_se(s = set_new(NULL));

#ifdef __x86_64__
                /* The architecture is stored with an offset of one; presumably so that
                 * an architecture value of 0 is not stored as a NULL entry - confirm
                 * against seccomp_restrict_archs(). */
                assert_se(set_put(s, UINT32_TO_PTR(SCMP_ARCH_X86+1)) >= 0);
#endif
                assert_se(seccomp_restrict_archs(s) >= 0);

                assert_se(access("/", F_OK) >= 0);
                assert_se(seccomp_restrict_archs(NULL) >= 0);

                assert_se(access("/", F_OK) >= 0);

                _exit(EXIT_SUCCESS);
        }

        /* A failed assertion in the child surfaces here as a non-zero status. */
        assert_se(wait_for_terminate_and_check("archseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
}
502 | |
503 | static void test_load_syscall_filter_set_raw(void) { |
504 | pid_t pid; |
505 | |
506 | if (!is_seccomp_available()) |
507 | return; |
508 | if (geteuid() != 0) |
509 | return; |
510 | |
511 | pid = fork(); |
512 | assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c" , 512, __PRETTY_FUNCTION__); } while (0); |
513 | |
514 | if (pid == 0) { |
515 | _cleanup_hashmap_free___attribute__((cleanup(hashmap_freep))) Hashmap *s = NULL((void*)0); |
516 | |
517 | assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0" ), "../src/test/test-seccomp.c", 517, __PRETTY_FUNCTION__); } while (0); |
518 | assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0)) ,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0" ), "../src/test/test-seccomp.c", 518, __PRETTY_FUNCTION__); } while (0); |
519 | |
520 | assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL, true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw (0x7fff0000U, ((void*)0), 0x00000000U, 1) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL, true) >= 0" ), "../src/test/test-seccomp.c", 520, __PRETTY_FUNCTION__); } while (0); |
521 | assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0" ), "../src/test/test-seccomp.c", 521, __PRETTY_FUNCTION__); } while (0); |
522 | assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0)) ,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0" ), "../src/test/test-seccomp.c", 522, __PRETTY_FUNCTION__); } while (0); |
523 | |
524 | assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void *)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)" ), "../src/test/test-seccomp.c", 524, __PRETTY_FUNCTION__); } while (0); |
525 | #if SCMP_SYS(access)(21) >= 0 |
526 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (21 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0" ), "../src/test/test-seccomp.c", 526, __PRETTY_FUNCTION__); } while (0); |
527 | #else |
528 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (269 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0" ), "../src/test/test-seccomp.c", 528, __PRETTY_FUNCTION__); } while (0); |
529 | #endif |
530 | |
531 | assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw (0x7fff0000U, s, (0x00050000U | ((117) & 0x0000ffffU)), 1 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0" ), "../src/test/test-seccomp.c", 531, __PRETTY_FUNCTION__); } while (0); |
532 | |
533 | assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c" , 533, __PRETTY_FUNCTION__); } while (0); |
534 | assert_se(errno == EUCLEAN)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 117 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EUCLEAN" ), "../src/test/test-seccomp.c", 534, __PRETTY_FUNCTION__); } while (0); |
535 | |
536 | assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0)) ,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0" ), "../src/test/test-seccomp.c", 536, __PRETTY_FUNCTION__); } while (0); |
537 | |
538 | s = hashmap_free(s); |
539 | |
540 | assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void *)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)" ), "../src/test/test-seccomp.c", 540, __PRETTY_FUNCTION__); } while (0); |
541 | #if SCMP_SYS(access)(21) >= 0 |
542 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (21 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0" ), "../src/test/test-seccomp.c", 542, __PRETTY_FUNCTION__); } while (0); |
543 | #else |
544 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (269 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0" ), "../src/test/test-seccomp.c", 544, __PRETTY_FUNCTION__); } while (0); |
545 | #endif |
546 | |
547 | assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw (0x7fff0000U, s, (0x00050000U | ((117) & 0x0000ffffU)), 1 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0" ), "../src/test/test-seccomp.c", 547, __PRETTY_FUNCTION__); } while (0); |
548 | |
549 | assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c" , 549, __PRETTY_FUNCTION__); } while (0); |
550 | assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84) ),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ" ), "../src/test/test-seccomp.c", 550, __PRETTY_FUNCTION__); } while (0); |
551 | |
552 | assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0)) ,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0" ), "../src/test/test-seccomp.c", 552, __PRETTY_FUNCTION__); } while (0); |
553 | |
554 | s = hashmap_free(s); |
555 | |
556 | assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void *)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)" ), "../src/test/test-seccomp.c", 556, __PRETTY_FUNCTION__); } while (0); |
557 | #if SCMP_SYS(poll)(7) >= 0 |
558 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (7 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0" ), "../src/test/test-seccomp.c", 558, __PRETTY_FUNCTION__); } while (0); |
559 | #else |
560 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (271 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0" ), "../src/test/test-seccomp.c", 560, __PRETTY_FUNCTION__); } while (0); |
561 | #endif |
562 | |
563 | assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw (0x7fff0000U, s, (0x00050000U | ((49) & 0x0000ffffU)), 1) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0" ), "../src/test/test-seccomp.c", 563, __PRETTY_FUNCTION__); } while (0); |
564 | |
565 | assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c" , 565, __PRETTY_FUNCTION__); } while (0); |
566 | assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84) ),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ" ), "../src/test/test-seccomp.c", 566, __PRETTY_FUNCTION__); } while (0); |
567 | |
568 | assert_se(poll(NULL, 0, 0) < 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) < 0 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) < 0" ), "../src/test/test-seccomp.c", 568, __PRETTY_FUNCTION__); } while (0); |
569 | assert_se(errno == EUNATCH)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 49) ),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EUNATCH" ), "../src/test/test-seccomp.c", 569, __PRETTY_FUNCTION__); } while (0); |
570 | |
571 | s = hashmap_free(s); |
572 | |
573 | assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void *)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)" ), "../src/test/test-seccomp.c", 573, __PRETTY_FUNCTION__); } while (0); |
574 | #if SCMP_SYS(poll)(7) >= 0 |
575 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (7 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0" ), "../src/test/test-seccomp.c", 575, __PRETTY_FUNCTION__); } while (0); |
576 | #else |
577 | assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t ) (271 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0" ), "../src/test/test-seccomp.c", 577, __PRETTY_FUNCTION__); } while (0); |
578 | #endif |
579 | |
580 | assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw (0x7fff0000U, s, (0x00050000U | ((49) & 0x0000ffffU)), 1) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0" ), "../src/test/test-seccomp.c", 580, __PRETTY_FUNCTION__); } while (0); |
581 | |
582 | assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c" , 582, __PRETTY_FUNCTION__); } while (0); |
583 | assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84) ),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ" ), "../src/test/test-seccomp.c", 583, __PRETTY_FUNCTION__); } while (0); |
584 | |
585 | assert_se(poll(NULL, 0, 0) < 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) < 0 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) < 0" ), "../src/test/test-seccomp.c", 585, __PRETTY_FUNCTION__); } while (0); |
586 | assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84) ),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ" ), "../src/test/test-seccomp.c", 586, __PRETTY_FUNCTION__); } while (0); |
587 | |
588 | _exit(EXIT_SUCCESS0); |
589 | } |
590 | |
591 | assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check( "syscallrawseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"syscallrawseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS" ), "../src/test/test-seccomp.c", 591, __PRETTY_FUNCTION__); } while (0); |
592 | } |
593 | |
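/* Verifies that seccomp_lock_personality() pins a process to its current personality: in a forked
 * child, re-selecting the current personality must still succeed after the lock is applied, while
 * every other execution domain or flag combination tried below must be refused with EPERM. */
static void test_lock_personality(void) {
        unsigned long current;
        pid_t pid;

        log_info("/* %s */", __func__);

        /* Say why the test is skipped, so that a green run without seccomp or without root is not
         * mistaken for evidence that the personality lock was exercised. */
        if (!is_seccomp_available()) {
                log_notice("Seccomp not available, skipping %s", __func__);
                return;
        }
        if (geteuid() != 0) {
                log_notice("Not root, skipping %s", __func__);
                return;
        }

        assert_se(opinionated_personality(&current) >= 0);

        log_info("current personality=%lu", current);

        pid = fork();
        assert_se(pid >= 0);

        if (pid == 0) {
                /* Child: apply the lock here; the parent only inspects the exit status. */
                assert_se(seccomp_lock_personality(current) >= 0);

                /* Setting the personality that is already in effect must remain possible. */
                assert_se((unsigned long) safe_personality(current) == current);

                /* Note, we also test that safe_personality() works correctly, by checking whether errno is properly
                 * set, in addition to the return value */
                errno = 0;
                assert_se(safe_personality(PER_LINUX | ADDR_NO_RANDOMIZE) == -EPERM);
                assert_se(errno == EPERM);

                /* Flags that weaken memory-layout protections, and foreign execution domains, must all
                 * be rejected. */
                assert_se(safe_personality(PER_LINUX | MMAP_PAGE_ZERO) == -EPERM);
                assert_se(safe_personality(PER_LINUX | ADDR_COMPAT_LAYOUT) == -EPERM);
                assert_se(safe_personality(PER_LINUX | READ_IMPLIES_EXEC) == -EPERM);
                assert_se(safe_personality(PER_LINUX_32BIT) == -EPERM);
                assert_se(safe_personality(PER_SVR4) == -EPERM);
                assert_se(safe_personality(PER_BSD) == -EPERM);
                /* Pick whichever of PER_LINUX/PER_LINUX32 is not the current one. */
                assert_se(safe_personality(current == PER_LINUX ? PER_LINUX32 : PER_LINUX) == -EPERM);
                assert_se(safe_personality(PER_LINUX32_3GB) == -EPERM);
                assert_se(safe_personality(PER_UW7) == -EPERM);
                assert_se(safe_personality(0x42) == -EPERM);

                assert_se(safe_personality(PERSONALITY_INVALID) == -EPERM); /* maybe remove this later */

                /* The raw libc call with the current value must still work at the end. */
                assert_se((unsigned long) personality(current) == current);
                _exit(EXIT_SUCCESS);
        }

        assert_se(wait_for_terminate_and_check("lockpersonalityseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
}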
640 | |
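/* Checks the layout of the syscall_filter_sets[] table: "@default" comes first, every set carries a
 * non-empty help text, the sets after the first are sorted by name, and within each set's value list
 * the entries are sorted with "@"-prefixed group references ahead of plain names. */
static void test_filter_sets_ordered(void) {
        size_t i;

        /* Ensure "@default" always remains at the beginning of the list */
        assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
        assert_se(streq(syscall_filter_sets[0].name, "@default"));

        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
                const char *k, *p = NULL;

                /* Make sure each group has a description; indexed by i so that every set is
                 * checked, not just the first one. */
                assert_se(!isempty(syscall_filter_sets[i].help));

                /* Make sure the groups are ordered alphabetically, except for the first entry */
                assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);

                NULSTR_FOREACH(k, syscall_filter_sets[i].value) {

                        /* Ensure each syscall list is in itself ordered, but groups before names */
                        assert_se(!p ||
                                  (*p == '@' && *k != '@') ||
                                  (((*p == '@' && *k == '@') ||
                                    (*p != '@' && *k != '@')) &&
                                   strcmp(p, k) < 0));

                        /* Remember the previous entry for the next comparison. */
                        p = k;
                }
        }
}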
670 | |
/* Creates a temporary file from the given template with a 0077 creation mask in effect.
 * Returns the new file descriptor (opened with O_CLOEXEC), or a negative errno value if
 * mkostemp() fails. The template buffer is passed to mkostemp() as is. */
static int mkostemp_safe(char *pattern) {
        /* The variable exists only for its cleanup handler (umaskp), which runs when it goes out of
         * scope; presumably it puts the previous mask back. */
        _unused_ _cleanup_umask_ mode_t u = umask(0077);
        int fd;

        assert(pattern);

        fd = mkostemp(pattern, O_CLOEXEC);

        /* errno is read right after the failing call, before anything else can overwrite it. */
        return fd < 0 ? -errno : fd;
}
683 | |
/* Issues an actual open() system call where the architecture defines SYS_open. glibc implements
 * open() on top of openat(), so a test that wants to exercise the open() syscall itself has to go
 * through syscall(). Where SYS_open is not defined, the glibc open() wrapper is used instead.
 * Returns whatever the underlying call returns. */
static int real_open(const char *path, int flags, mode_t mode) {
        int fd;

#ifdef SYS_open
        fd = (int) syscall(SYS_open, path, flags, mode);
#else
        fd = open(path, flags, mode);
#endif

        return fd;
}
695 | |
696 | static void test_restrict_suid_sgid(void) { |
697 | pid_t pid; |
698 | |
699 | log_info("/* %s */", __func__)({ int _level = (((6))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD ); (log_get_max_level_realm(_realm) >= ((_level) & 0x07 )) ? log_internal_realm(((_realm) << 10 | (_level)), _e , "../src/test/test-seccomp.c", 699, __func__, "/* %s */", __func__ ) : -abs(_e); }); |
700 | |
701 | if (!is_seccomp_available()) { |
702 | log_notice("Seccomp not available, skipping %s", __func__)({ int _level = (((5))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD ); (log_get_max_level_realm(_realm) >= ((_level) & 0x07 )) ? log_internal_realm(((_realm) << 10 | (_level)), _e , "../src/test/test-seccomp.c", 702, __func__, "Seccomp not available, skipping %s" , __func__) : -abs(_e); }); |
703 | return; |
704 | } |
705 | if (geteuid() != 0) { |
706 | log_notice("Not root, skipping %s", __func__)({ int _level = (((5))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD ); (log_get_max_level_realm(_realm) >= ((_level) & 0x07 )) ? log_internal_realm(((_realm) << 10 | (_level)), _e , "../src/test/test-seccomp.c", 706, __func__, "Not root, skipping %s" , __func__) : -abs(_e); }); |
707 | return; |
708 | } |
709 | |
710 | pid = fork(); |
711 | assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c" , 711, __PRETTY_FUNCTION__); } while (0); |
712 | |
713 | if (pid == 0) { |
714 | char path[] = "/tmp/suidsgidXXXXXX", dir[] = "/tmp/suidsgiddirXXXXXX"; |
715 | int fd = -1, k = -1; |
716 | const char *z; |
717 | |
718 | fd = mkostemp_safe(path); |
719 | assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c" , 719, __PRETTY_FUNCTION__); } while (0); |
720 | |
721 | assert_se(mkdtemp(dir))do { if ((__builtin_expect(!!(!(mkdtemp(dir))),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mkdtemp(dir)"), "../src/test/test-seccomp.c" , 721, __PRETTY_FUNCTION__); } while (0); |
722 | z = strjoina(dir, "/test")({ const char *_appendees_[] = { dir, "/test" }; char *_d_, * _p_; size_t _len_ = 0; size_t _i_; for (_i_ = 0; _i_ < __extension__ (__builtin_choose_expr( !__builtin_types_compatible_p(typeof (_appendees_), typeof(&*(_appendees_))), sizeof(_appendees_ )/sizeof((_appendees_)[0]), ((void)0))) && _appendees_ [_i_]; _i_++) _len_ += strlen(_appendees_[_i_]); _p_ = _d_ = __builtin_alloca (_len_ + 1); for (_i_ = 0; _i_ < __extension__ (__builtin_choose_expr ( !__builtin_types_compatible_p(typeof(_appendees_), typeof(& *(_appendees_))), sizeof(_appendees_)/sizeof((_appendees_)[0] ), ((void)0))) && _appendees_[_i_]; _i_++) _p_ = stpcpy (_p_, _appendees_[_i_]); *_p_ = 0; _d_; }); |
723 | |
724 | assert_se(chmod(path, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755 | 04000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0755 | S_ISUID) >= 0" ), "../src/test/test-seccomp.c", 724, __PRETTY_FUNCTION__); } while (0); |
725 | assert_se(chmod(path, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755 | 02000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0755 | S_ISGID) >= 0" ), "../src/test/test-seccomp.c", 725, __PRETTY_FUNCTION__); } while (0); |
726 | assert_se(chmod(path, 0755 | S_ISGID | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755 | 02000 | 04000 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "chmod(path, 0755 | S_ISGID | S_ISUID) >= 0"), "../src/test/test-seccomp.c" , 726, __PRETTY_FUNCTION__); } while (0); |
727 | assert_se(chmod(path, 0755) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755) >= 0)),0 ))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0755) >= 0" ), "../src/test/test-seccomp.c", 727, __PRETTY_FUNCTION__); } while (0); |
728 | |
729 | assert_se(fchmod(fd, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755 | 04000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0755 | S_ISUID) >= 0" ), "../src/test/test-seccomp.c", 729, __PRETTY_FUNCTION__); } while (0); |
730 | assert_se(fchmod(fd, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755 | 02000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0755 | S_ISGID) >= 0" ), "../src/test/test-seccomp.c", 730, __PRETTY_FUNCTION__); } while (0); |
731 | assert_se(fchmod(fd, 0755 | S_ISGID | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755 | 02000 | 04000 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "fchmod(fd, 0755 | S_ISGID | S_ISUID) >= 0"), "../src/test/test-seccomp.c" , 731, __PRETTY_FUNCTION__); } while (0); |
732 | assert_se(fchmod(fd, 0755) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755) >= 0)),0) )) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0755) >= 0" ), "../src/test/test-seccomp.c", 732, __PRETTY_FUNCTION__); } while (0); |
733 | |
734 | assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 04000 , 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) >= 0"), "../src/test/test-seccomp.c" , 734, __PRETTY_FUNCTION__); } while (0); |
735 | assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000 , 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) >= 0"), "../src/test/test-seccomp.c" , 735, __PRETTY_FUNCTION__); } while (0); |
736 | assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000 | 04000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0" ), "../src/test/test-seccomp.c", 736, __PRETTY_FUNCTION__); } while (0); |
737 | assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755, 0) >= 0" ), "../src/test/test-seccomp.c", 737, __PRETTY_FUNCTION__); } while (0); |
738 | |
739 | k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000); |
740 | k = safe_close(k); |
741 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 741, __PRETTY_FUNCTION__); } while (0); |
742 | |
743 | k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISGID02000); |
744 | k = safe_close(k); |
745 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 745, __PRETTY_FUNCTION__); } while (0); |
746 | |
747 | k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000 | S_ISGID02000); |
748 | k = safe_close(k); |
749 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 749, __PRETTY_FUNCTION__); } while (0); |
750 | |
751 | k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644); |
752 | k = safe_close(k); |
753 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 753, __PRETTY_FUNCTION__); } while (0); |
754 | |
755 | k = creat(z, 0644 | S_ISUID04000); |
756 | k = safe_close(k); |
757 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 757, __PRETTY_FUNCTION__); } while (0); |
758 | |
759 | k = creat(z, 0644 | S_ISGID02000); |
760 | k = safe_close(k); |
Value stored to 'k' is never read | |
761 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 761, __PRETTY_FUNCTION__); } while (0); |
762 | |
763 | k = creat(z, 0644 | S_ISUID04000 | S_ISGID02000); |
764 | k = safe_close(k); |
765 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 765, __PRETTY_FUNCTION__); } while (0); |
766 | |
767 | k = creat(z, 0644); |
768 | k = safe_close(k); |
769 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 769, __PRETTY_FUNCTION__); } while (0); |
770 | |
771 | k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000); |
772 | k = safe_close(k); |
773 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 773, __PRETTY_FUNCTION__); } while (0); |
774 | |
775 | k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISGID02000); |
776 | k = safe_close(k); |
777 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 777, __PRETTY_FUNCTION__); } while (0); |
778 | |
779 | k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000 | S_ISGID02000); |
780 | k = safe_close(k); |
781 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 781, __PRETTY_FUNCTION__); } while (0); |
782 | |
783 | k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644); |
784 | k = safe_close(k); |
785 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 785, __PRETTY_FUNCTION__); } while (0); |
786 | |
787 | assert_se(mkdir(z, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000) >= 0 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISUID) >= 0" ), "../src/test/test-seccomp.c", 787, __PRETTY_FUNCTION__); } while (0); |
788 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 788, __PRETTY_FUNCTION__); } while (0); |
789 | assert_se(mkdir(z, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 02000) >= 0 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISGID) >= 0" ), "../src/test/test-seccomp.c", 789, __PRETTY_FUNCTION__); } while (0); |
790 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 790, __PRETTY_FUNCTION__); } while (0); |
791 | assert_se(mkdir(z, 0755 | S_ISUID | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000 | 02000 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "mkdir(z, 0755 | S_ISUID | S_ISGID) >= 0"), "../src/test/test-seccomp.c" , 791, __PRETTY_FUNCTION__); } while (0); |
792 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 792, __PRETTY_FUNCTION__); } while (0); |
793 | assert_se(mkdir(z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755) >= 0" ), "../src/test/test-seccomp.c", 793, __PRETTY_FUNCTION__); } while (0); |
794 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 794, __PRETTY_FUNCTION__); } while (0); |
795 | |
796 | assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "mkdirat(AT_FDCWD, z, 0755 | S_ISUID) >= 0"), "../src/test/test-seccomp.c" , 796, __PRETTY_FUNCTION__); } while (0); |
797 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 797, __PRETTY_FUNCTION__); } while (0); |
798 | assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 02000 ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "mkdirat(AT_FDCWD, z, 0755 | S_ISGID) >= 0"), "../src/test/test-seccomp.c" , 798, __PRETTY_FUNCTION__); } while (0); |
799 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 799, __PRETTY_FUNCTION__); } while (0); |
800 | assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000 | 02000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) >= 0"), "../src/test/test-seccomp.c", 800, __PRETTY_FUNCTION__); } while (0); |
801 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 801, __PRETTY_FUNCTION__); } while (0); |
802 | assert_se(mkdirat(AT_FDCWD, z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755) >= 0 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755) >= 0" ), "../src/test/test-seccomp.c", 802, __PRETTY_FUNCTION__); } while (0); |
803 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 803, __PRETTY_FUNCTION__); } while (0); |
804 | |
805 | assert_se(mknod(z, S_IFREG | 0755 | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000 , 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknod(z, S_IFREG | 0755 | S_ISUID, 0) >= 0"), "../src/test/test-seccomp.c" , 805, __PRETTY_FUNCTION__); } while (0); |
806 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 806, __PRETTY_FUNCTION__); } while (0); |
807 | assert_se(mknod(z, S_IFREG | 0755 | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 02000 , 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknod(z, S_IFREG | 0755 | S_ISGID, 0) >= 0"), "../src/test/test-seccomp.c" , 807, __PRETTY_FUNCTION__); } while (0); |
808 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 808, __PRETTY_FUNCTION__); } while (0); |
809 | assert_se(mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000 | 02000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0") , "../src/test/test-seccomp.c", 809, __PRETTY_FUNCTION__); } while (0); |
810 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 810, __PRETTY_FUNCTION__); } while (0); |
811 | assert_se(mknod(z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755, 0) >= 0" ), "../src/test/test-seccomp.c", 811, __PRETTY_FUNCTION__); } while (0); |
812 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 812, __PRETTY_FUNCTION__); } while (0); |
813 | |
814 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 | 04000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) >= 0" ), "../src/test/test-seccomp.c", 814, __PRETTY_FUNCTION__); } while (0); |
815 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 815, __PRETTY_FUNCTION__); } while (0); |
816 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 | 02000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) >= 0" ), "../src/test/test-seccomp.c", 816, __PRETTY_FUNCTION__); } while (0); |
817 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 817, __PRETTY_FUNCTION__); } while (0); |
818 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 | 04000 | 02000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0" ), "../src/test/test-seccomp.c", 818, __PRETTY_FUNCTION__); } while (0); |
819 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 819, __PRETTY_FUNCTION__); } while (0); |
820 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 , 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0"), "../src/test/test-seccomp.c" , 820, __PRETTY_FUNCTION__); } while (0); |
821 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 821, __PRETTY_FUNCTION__); } while (0); |
822 | |
823 | assert_se(seccomp_restrict_suid_sgid() >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_suid_sgid() >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_restrict_suid_sgid() >= 0" ), "../src/test/test-seccomp.c", 823, __PRETTY_FUNCTION__); } while (0); |
824 | |
825 | assert_se(chmod(path, 0775 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(chmod(path, 0775 | 04000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("chmod(path, 0775 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 825, __PRETTY_FUNCTION__); } while (0); |
826 | assert_se(chmod(path, 0775 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(chmod(path, 0775 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("chmod(path, 0775 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 826, __PRETTY_FUNCTION__); } while (0); |
827 | assert_se(chmod(path, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(chmod(path, 0775 | 02000 | 04000 ) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("chmod(path, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 827, __PRETTY_FUNCTION__); } while (0); |
828 | assert_se(chmod(path, 0775) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0775) >= 0)),0 ))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0775) >= 0" ), "../src/test/test-seccomp.c", 828, __PRETTY_FUNCTION__); } while (0); |
829 | |
830 | assert_se(fchmod(fd, 0775 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775 | 04000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("fchmod(fd, 0775 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 830, __PRETTY_FUNCTION__); } while (0); |
831 | assert_se(fchmod(fd, 0775 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("fchmod(fd, 0775 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 831, __PRETTY_FUNCTION__); } while (0); |
832 | assert_se(fchmod(fd, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775 | 02000 | 04000 ) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("fchmod(fd, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 832, __PRETTY_FUNCTION__); } while (0); |
833 | assert_se(fchmod(fd, 0775) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775) >= 0)),0) )) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0775) >= 0" ), "../src/test/test-seccomp.c", 833, __PRETTY_FUNCTION__); } while (0); |
834 | |
835 | assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 04000 , 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 835, __PRETTY_FUNCTION__); } while (0); |
836 | assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000 , 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 836, __PRETTY_FUNCTION__); } while (0); |
837 | assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000 | 04000, 0) < 0 && (*__errno_location ()) == 1)), 0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 837, __PRETTY_FUNCTION__); } while (0); |
838 | assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755, 0) >= 0" ), "../src/test/test-seccomp.c", 838, __PRETTY_FUNCTION__); } while (0); |
839 | |
840 | assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(real_open(z, 0100|02|02000000 |0200, 0644 | 04000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 840, __PRETTY_FUNCTION__); } while (0); |
841 | assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(real_open(z, 0100|02|02000000 |0200, 0644 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 841, __PRETTY_FUNCTION__); } while (0); |
842 | assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(real_open(z, 0100|02|02000000 |0200, 0644 | 04000 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 842, __PRETTY_FUNCTION__); } while (0); |
843 | k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644); |
844 | k = safe_close(k); |
845 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 845, __PRETTY_FUNCTION__); } while (0); |
846 | |
847 | assert_se(creat(z, 0644 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(creat(z, 0644 | 04000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("creat(z, 0644 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 847, __PRETTY_FUNCTION__); } while (0); |
848 | assert_se(creat(z, 0644 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(creat(z, 0644 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("creat(z, 0644 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 848, __PRETTY_FUNCTION__); } while (0); |
849 | assert_se(creat(z, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(creat(z, 0644 | 04000 | 02000 ) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("creat(z, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 849, __PRETTY_FUNCTION__); } while (0); |
850 | k = creat(z, 0644); |
851 | k = safe_close(k); |
852 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 852, __PRETTY_FUNCTION__); } while (0); |
853 | |
854 | assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(openat(-100, z, 0100|02|02000000 |0200, 0644 | 04000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 854, __PRETTY_FUNCTION__); } while (0); |
855 | assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(openat(-100, z, 0100|02|02000000 |0200, 0644 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 855, __PRETTY_FUNCTION__); } while (0); |
856 | assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(openat(-100, z, 0100|02|02000000 |0200, 0644 | 04000 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 856, __PRETTY_FUNCTION__); } while (0); |
857 | k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644); |
858 | k = safe_close(k); |
859 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 859, __PRETTY_FUNCTION__); } while (0); |
860 | |
861 | assert_se(mkdir(z, 0755 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 861, __PRETTY_FUNCTION__); } while (0); |
862 | assert_se(mkdir(z, 0755 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 02000) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 862, __PRETTY_FUNCTION__); } while (0); |
863 | assert_se(mkdir(z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000 | 02000 ) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 863, __PRETTY_FUNCTION__); } while (0); |
864 | assert_se(mkdir(z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755) >= 0" ), "../src/test/test-seccomp.c", 864, __PRETTY_FUNCTION__); } while (0); |
865 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 865, __PRETTY_FUNCTION__); } while (0); |
866 | |
867 | assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000 ) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755 | S_ISUID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 867, __PRETTY_FUNCTION__); } while (0); |
868 | assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 02000 ) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755 | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 868, __PRETTY_FUNCTION__); } while (0); |
869 | assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000 | 02000) < 0 && (*__errno_location ()) == 1)),0)) ) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 869, __PRETTY_FUNCTION__); } while (0); |
870 | assert_se(mkdirat(AT_FDCWD, z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755) >= 0 )),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755) >= 0" ), "../src/test/test-seccomp.c", 870, __PRETTY_FUNCTION__); } while (0); |
871 | assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c" , 871, __PRETTY_FUNCTION__); } while (0); |
872 | |
873 | assert_se(mknod(z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000 , 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 873, __PRETTY_FUNCTION__); } while (0); |
874 | assert_se(mknod(z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 02000 , 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 874, __PRETTY_FUNCTION__); } while (0); |
875 | assert_se(mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000 | 02000, 0) < 0 && (*__errno_location ()) == 1)), 0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 875, __PRETTY_FUNCTION__); } while (0); |
876 | assert_se(mknod(z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755, 0) >= 0" ), "../src/test/test-seccomp.c", 876, __PRETTY_FUNCTION__); } while (0); |
877 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 877, __PRETTY_FUNCTION__); } while (0); |
878 | |
879 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 | 04000, 0) < 0 && (*__errno_location ()) == 1)), 0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 879, __PRETTY_FUNCTION__); } while (0); |
880 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 | 02000, 0) < 0 && (*__errno_location ()) == 1)), 0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 880, __PRETTY_FUNCTION__); } while (0); |
881 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 | 04000 | 02000, 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM" ), "../src/test/test-seccomp.c", 881, __PRETTY_FUNCTION__); } while (0); |
882 | assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755 , 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD , ("mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0"), "../src/test/test-seccomp.c" , 882, __PRETTY_FUNCTION__); } while (0); |
883 | assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c" , 883, __PRETTY_FUNCTION__); } while (0); |
884 | |
885 | assert_se(unlink(path) >= 0)do { if ((__builtin_expect(!!(!(unlink(path) >= 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("unlink(path) >= 0"), "../src/test/test-seccomp.c" , 885, __PRETTY_FUNCTION__); } while (0); |
886 | assert_se(rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0)do { if ((__builtin_expect(!!(!(rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL ) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ( "rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0"), "../src/test/test-seccomp.c" , 886, __PRETTY_FUNCTION__); } while (0); |
887 | |
888 | _exit(EXIT_SUCCESS0); |
889 | } |
890 | |
891 | assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check( "suidsgidseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm (LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"suidsgidseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS" ), "../src/test/test-seccomp.c", 891, __PRETTY_FUNCTION__); } while (0); |
892 | } |
893 | |
/* Test entry point: raises the log level to LOG_DEBUG and then runs every
 * seccomp test case once, in a fixed order. argc and argv are not used. */
int main(int argc, char *argv[]) {

        /* Log everything up to debug level while the cases run. */
        log_set_max_level(LOG_DEBUG);

        /* The cases are plain sequential calls in this process; nothing here
         * inspects a return value, so a failure has to be reported by the
         * case itself (the visible ones do so through assert_se()). */
        test_seccomp_arch_to_string();
        test_architecture_table();
        test_syscall_filter_set_find();
        test_filter_sets();

        test_restrict_namespace();
        test_protect_sysctl();
        test_restrict_address_families();
        test_restrict_realtime();

        test_memory_deny_write_execute_mmap();
        test_memory_deny_write_execute_shmat();

        test_restrict_archs();
        test_load_syscall_filter_set_raw();
        test_lock_personality();
        test_filter_sets_ordered();

        /* This case ends by waiting for its "suidsgidseccomp" helper process
         * and asserting that it exited with EXIT_SUCCESS; the
         * seccomp_restrict_suid_sgid() filter appears to be installed in that
         * helper rather than in this process (confirm against the full
         * function). */
        test_restrict_suid_sgid();

        return EXIT_SUCCESS;
}