Bug Summary

File:build-scan/../src/test/test-seccomp.c
Warning:line 784, column 17
Value stored to 'k' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name test-seccomp.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -menable-no-infs -menable-no-nans -menable-unsafe-fp-math -fno-signed-zeros -mreassociate -freciprocal-math -fdenormal-fp-math=preserve-sign,preserve-sign -ffp-contract=fast -fno-rounding-math -ffast-math -ffinite-math-only -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debugger-tuning=gdb -resource-dir /usr/lib64/clang/12.0.0 -include config.h -I test-seccomp.p -I . -I .. -I src/basic -I ../src/basic -I src/shared -I ../src/shared -I src/systemd -I ../src/systemd -I src/journal -I ../src/journal -I src/journal-remote -I ../src/journal-remote -I src/nspawn -I ../src/nspawn -I src/resolve -I ../src/resolve -I src/timesync -I ../src/timesync -I ../src/time-wait-sync -I src/login -I ../src/login -I src/udev -I ../src/udev -I src/libudev -I ../src/libudev -I src/core -I ../src/core -I ../src/libsystemd/sd-bus -I ../src/libsystemd/sd-device -I ../src/libsystemd/sd-hwdb -I ../src/libsystemd/sd-id128 -I ../src/libsystemd/sd-netlink -I ../src/libsystemd/sd-network -I src/libsystemd-network -I ../src/libsystemd-network -D _FILE_OFFSET_BITS=64 -internal-isystem /usr/local/include -internal-isystem /usr/lib64/clang/12.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wwrite-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wno-format-signedness -Wno-error=nonnull -std=gnu99 -fconst-strings -fdebug-compilation-dir /home/mrc0mmand/repos/@redhat-plumbers/systemd-rhel8/build-scan -ferror-limit 19 -fvisibility hidden -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -analyzer-output=html -faddrsig -o /tmp/scan-build-2021-07-16-221226-1465241-1 -x c ../src/test/test-seccomp.c
1/* SPDX-License-Identifier: LGPL-2.1+ */
2
3#include <poll.h>
4#include <sched.h>
5#include <stdlib.h>
6#include <sys/eventfd.h>
7#include <sys/mman.h>
8#include <sys/personality.h>
9#include <sys/shm.h>
10#include <sys/types.h>
11#include <unistd.h>
12
13#include "alloc-util.h"
14#include "fd-util.h"
15#include "macro.h"
16#include "missing.h"
17#include "nsflags.h"
18#include "process-util.h"
19#include "raw-clone.h"
20#include "rm-rf.h"
21#include "seccomp-util.h"
22#include "set.h"
23#include "string-util.h"
24#include "umask-util.h"
25#include "util.h"
26#include "virt.h"
27
28#if SCMP_SYS(socket)(41) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
29/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
30 * and we can't restrict it hence via seccomp. */
31# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN0 1
32#else
33# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN0 0
34#endif
35
36static void test_seccomp_arch_to_string(void) {
37 uint32_t a, b;
38 const char *name;
39
40 a = seccomp_arch_native();
41 assert_se(a > 0)do { if ((__builtin_expect(!!(!(a > 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("a > 0"), "../src/test/test-seccomp.c"
, 41, __PRETTY_FUNCTION__); } while (0);
42 name = seccomp_arch_to_string(a);
43 assert_se(name)do { if ((__builtin_expect(!!(!(name)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("name"), "../src/test/test-seccomp.c", 43
, __PRETTY_FUNCTION__); } while (0);
44 assert_se(seccomp_arch_from_string(name, &b) >= 0)do { if ((__builtin_expect(!!(!(seccomp_arch_from_string(name
, &b) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("seccomp_arch_from_string(name, &b) >= 0"), "../src/test/test-seccomp.c"
, 44, __PRETTY_FUNCTION__); } while (0);
45 assert_se(a == b)do { if ((__builtin_expect(!!(!(a == b)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("a == b"), "../src/test/test-seccomp.c",
45, __PRETTY_FUNCTION__); } while (0);
46}
47
48static void test_architecture_table(void) {
49 const char *n, *n2;
50
51 NULSTR_FOREACH(n,for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
52 "native\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
53 "x86\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
54 "x86-64\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
55 "x32\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
56 "arm\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
57 "arm64\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
58 "mips\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
59 "mips64\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
60 "mips64-n32\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
61 "mips-le\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
62 "mips64-le\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
63 "mips64-le-n32\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
64 "ppc\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
65 "ppc64\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
66 "ppc64-le\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
67 "s390\0"for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1)
68 "s390x\0")for ((n) = ("native\0" "x86\0" "x86-64\0" "x32\0" "arm\0" "arm64\0"
"mips\0" "mips64\0" "mips64-n32\0" "mips-le\0" "mips64-le\0"
"mips64-le-n32\0" "ppc\0" "ppc64\0" "ppc64-le\0" "s390\0" "s390x\0"
); (n) && *(n); (n) = strchr((n), 0)+1) {
69 uint32_t c;
70
71 assert_se(seccomp_arch_from_string(n, &c) >= 0)do { if ((__builtin_expect(!!(!(seccomp_arch_from_string(n, &
c) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"seccomp_arch_from_string(n, &c) >= 0"), "../src/test/test-seccomp.c"
, 71, __PRETTY_FUNCTION__); } while (0);
72 n2 = seccomp_arch_to_string(c);
73 log_info("seccomp-arch: %s → 0x%"PRIx32" → %s", n, c, n2)({ int _level = (((6))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/test/test-seccomp.c", 73, __func__, "seccomp-arch: %s → 0x%"
"x"" → %s", n, c, n2) : -abs(_e); });
74 assert_se(streq_ptr(n, n2))do { if ((__builtin_expect(!!(!(streq_ptr(n, n2))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("streq_ptr(n, n2)"), "../src/test/test-seccomp.c"
, 74, __PRETTY_FUNCTION__); } while (0);
75 }
76}
77
78static void test_syscall_filter_set_find(void) {
79 assert_se(!syscall_filter_set_find(NULL))do { if ((__builtin_expect(!!(!(!syscall_filter_set_find(((void
*)0)))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!syscall_filter_set_find(NULL)"
), "../src/test/test-seccomp.c", 79, __PRETTY_FUNCTION__); } while
(0);
80 assert_se(!syscall_filter_set_find(""))do { if ((__builtin_expect(!!(!(!syscall_filter_set_find(""))
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!syscall_filter_set_find(\"\")"
), "../src/test/test-seccomp.c", 80, __PRETTY_FUNCTION__); } while
(0);
81 assert_se(!syscall_filter_set_find("quux"))do { if ((__builtin_expect(!!(!(!syscall_filter_set_find("quux"
))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!syscall_filter_set_find(\"quux\")"
), "../src/test/test-seccomp.c", 81, __PRETTY_FUNCTION__); } while
(0);
82 assert_se(!syscall_filter_set_find("@quux"))do { if ((__builtin_expect(!!(!(!syscall_filter_set_find("@quux"
))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!syscall_filter_set_find(\"@quux\")"
), "../src/test/test-seccomp.c", 82, __PRETTY_FUNCTION__); } while
(0);
83
84 assert_se(syscall_filter_set_find("@clock") == syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK)do { if ((__builtin_expect(!!(!(syscall_filter_set_find("@clock"
) == syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("syscall_filter_set_find(\"@clock\") == syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK"
), "../src/test/test-seccomp.c", 84, __PRETTY_FUNCTION__); } while
(0);
85 assert_se(syscall_filter_set_find("@default") == syscall_filter_sets + SYSCALL_FILTER_SET_DEFAULT)do { if ((__builtin_expect(!!(!(syscall_filter_set_find("@default"
) == syscall_filter_sets + SYSCALL_FILTER_SET_DEFAULT)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("syscall_filter_set_find(\"@default\") == syscall_filter_sets + SYSCALL_FILTER_SET_DEFAULT"
), "../src/test/test-seccomp.c", 85, __PRETTY_FUNCTION__); } while
(0);
86 assert_se(syscall_filter_set_find("@raw-io") == syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO)do { if ((__builtin_expect(!!(!(syscall_filter_set_find("@raw-io"
) == syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("syscall_filter_set_find(\"@raw-io\") == syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO"
), "../src/test/test-seccomp.c", 86, __PRETTY_FUNCTION__); } while
(0);
87}
88
89static void test_filter_sets(void) {
90 unsigned i;
91 int r;
92
93 if (!is_seccomp_available())
94 return;
95 if (geteuid() != 0)
96 return;
97
98 for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
99 pid_t pid;
100
101 log_info("Testing %s", syscall_filter_sets[i].name)({ int _level = (((6))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/test/test-seccomp.c", 101, __func__, "Testing %s", syscall_filter_sets
[i].name) : -abs(_e); });
102
103 pid = fork();
104 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 104, __PRETTY_FUNCTION__); } while (0);
105
106 if (pid == 0) { /* Child? */
107 int fd;
108
109 /* If we look at the default set (or one that includes it), whitelist instead of blacklist */
110 if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE)({ _Bool _found = 0; static __attribute__ ((unused)) char _static_assert__macros_need_to_be_extended
[20 - sizeof((int[]){SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE
})/sizeof(int)]; switch(i) { case SYSCALL_FILTER_SET_DEFAULT:
case SYSCALL_FILTER_SET_SYSTEM_SERVICE: _found = 1; break; default
: break; } _found; }))
111 r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN)(0x00050000U | ((117) & 0x0000ffffU)), syscall_filter_sets + i, SCMP_ACT_ALLOW0x7fff0000U, true1);
112 else
113 r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW0x7fff0000U, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN)(0x00050000U | ((117) & 0x0000ffffU)), true1);
114 if (r < 0)
115 _exit(EXIT_FAILURE1);
116
117 /* Test the sycall filter with one random system call */
118 fd = eventfd(0, EFD_NONBLOCKEFD_NONBLOCK|EFD_CLOEXECEFD_CLOEXEC);
119 if (IN_SET(i, SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT)({ _Bool _found = 0; static __attribute__ ((unused)) char _static_assert__macros_need_to_be_extended
[20 - sizeof((int[]){SYSCALL_FILTER_SET_IO_EVENT, SYSCALL_FILTER_SET_DEFAULT
})/sizeof(int)]; switch(i) { case SYSCALL_FILTER_SET_IO_EVENT
: case SYSCALL_FILTER_SET_DEFAULT: _found = 1; break; default
: break; } _found; }))
120 assert_se(fd < 0 && errno == EUCLEAN)do { if ((__builtin_expect(!!(!(fd < 0 && (*__errno_location
()) == 117)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD,
("fd < 0 && errno == EUCLEAN"), "../src/test/test-seccomp.c"
, 120, __PRETTY_FUNCTION__); } while (0);
121 else {
122 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 122, __PRETTY_FUNCTION__); } while (0);
123 safe_close(fd);
124 }
125
126 _exit(EXIT_SUCCESS0);
127 }
128
129 assert_se(wait_for_terminate_and_check(syscall_filter_sets[i].name, pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
syscall_filter_sets[i].name, pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(syscall_filter_sets[i].name, pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 129, __PRETTY_FUNCTION__); }
while (0);
130 }
131}
132
133static void test_restrict_namespace(void) {
134 char *s = NULL((void*)0);
135 unsigned long ul;
136 pid_t pid;
137
138 assert_se(namespace_flags_to_string(0, &s) == 0 && streq(s, ""))do { if ((__builtin_expect(!!(!(namespace_flags_to_string(0, &
s) == 0 && (strcmp((s),("")) == 0))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(0, &s) == 0 && streq(s, \"\")"
), "../src/test/test-seccomp.c", 138, __PRETTY_FUNCTION__); }
while (0);
139 s = mfree(s);
140 assert_se(namespace_flags_to_string(CLONE_NEWNS, &s) == 0 && streq(s, "mnt"))do { if ((__builtin_expect(!!(!(namespace_flags_to_string(0x00020000
, &s) == 0 && (strcmp((s),("mnt")) == 0))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(CLONE_NEWNS, &s) == 0 && streq(s, \"mnt\")"
), "../src/test/test-seccomp.c", 140, __PRETTY_FUNCTION__); }
while (0);
141 s = mfree(s);
142 assert_se(namespace_flags_to_string(CLONE_NEWNS|CLONE_NEWIPC, &s) == 0 && streq(s, "ipc mnt"))do { if ((__builtin_expect(!!(!(namespace_flags_to_string(0x00020000
|0x08000000, &s) == 0 && (strcmp((s),("ipc mnt"))
== 0))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(CLONE_NEWNS|CLONE_NEWIPC, &s) == 0 && streq(s, \"ipc mnt\")"
), "../src/test/test-seccomp.c", 142, __PRETTY_FUNCTION__); }
while (0);
143 s = mfree(s);
144 assert_se(namespace_flags_to_string(CLONE_NEWCGROUP, &s) == 0 && streq(s, "cgroup"))do { if ((__builtin_expect(!!(!(namespace_flags_to_string(0x02000000
, &s) == 0 && (strcmp((s),("cgroup")) == 0))),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(CLONE_NEWCGROUP, &s) == 0 && streq(s, \"cgroup\")"
), "../src/test/test-seccomp.c", 144, __PRETTY_FUNCTION__); }
while (0);
145 s = mfree(s);
146
147 assert_se(namespace_flags_from_string("mnt", &ul) == 0 && ul == CLONE_NEWNS)do { if ((__builtin_expect(!!(!(namespace_flags_from_string("mnt"
, &ul) == 0 && ul == 0x00020000)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(\"mnt\", &ul) == 0 && ul == CLONE_NEWNS"
), "../src/test/test-seccomp.c", 147, __PRETTY_FUNCTION__); }
while (0);
148 assert_se(namespace_flags_from_string(NULL, &ul) == 0 && ul == 0)do { if ((__builtin_expect(!!(!(namespace_flags_from_string((
(void*)0), &ul) == 0 && ul == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(NULL, &ul) == 0 && ul == 0"
), "../src/test/test-seccomp.c", 148, __PRETTY_FUNCTION__); }
while (0);
149 assert_se(namespace_flags_from_string("", &ul) == 0 && ul == 0)do { if ((__builtin_expect(!!(!(namespace_flags_from_string(""
, &ul) == 0 && ul == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(\"\", &ul) == 0 && ul == 0"
), "../src/test/test-seccomp.c", 149, __PRETTY_FUNCTION__); }
while (0);
150 assert_se(namespace_flags_from_string("uts", &ul) == 0 && ul == CLONE_NEWUTS)do { if ((__builtin_expect(!!(!(namespace_flags_from_string("uts"
, &ul) == 0 && ul == 0x04000000)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(\"uts\", &ul) == 0 && ul == CLONE_NEWUTS"
), "../src/test/test-seccomp.c", 150, __PRETTY_FUNCTION__); }
while (0);
151 assert_se(namespace_flags_from_string("mnt uts ipc", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC))do { if ((__builtin_expect(!!(!(namespace_flags_from_string("mnt uts ipc"
, &ul) == 0 && ul == (0x00020000|0x04000000|0x08000000
))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(\"mnt uts ipc\", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC)"
), "../src/test/test-seccomp.c", 151, __PRETTY_FUNCTION__); }
while (0);
152
153 assert_se(namespace_flags_to_string(CLONE_NEWUTS, &s) == 0 && streq(s, "uts"))do { if ((__builtin_expect(!!(!(namespace_flags_to_string(0x04000000
, &s) == 0 && (strcmp((s),("uts")) == 0))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(CLONE_NEWUTS, &s) == 0 && streq(s, \"uts\")"
), "../src/test/test-seccomp.c", 153, __PRETTY_FUNCTION__); }
while (0);
154 assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == CLONE_NEWUTS)do { if ((__builtin_expect(!!(!(namespace_flags_from_string(s
, &ul) == 0 && ul == 0x04000000)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(s, &ul) == 0 && ul == CLONE_NEWUTS"
), "../src/test/test-seccomp.c", 154, __PRETTY_FUNCTION__); }
while (0);
155 s = mfree(s);
156 assert_se(namespace_flags_from_string("ipc", &ul) == 0 && ul == CLONE_NEWIPC)do { if ((__builtin_expect(!!(!(namespace_flags_from_string("ipc"
, &ul) == 0 && ul == 0x08000000)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_from_string(\"ipc\", &ul) == 0 && ul == CLONE_NEWIPC"
), "../src/test/test-seccomp.c", 156, __PRETTY_FUNCTION__); }
while (0);
157 assert_se(namespace_flags_to_string(ul, &s) == 0 && streq(s, "ipc"))do { if ((__builtin_expect(!!(!(namespace_flags_to_string(ul,
&s) == 0 && (strcmp((s),("ipc")) == 0))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(ul, &s) == 0 && streq(s, \"ipc\")"
), "../src/test/test-seccomp.c", 157, __PRETTY_FUNCTION__); }
while (0);
158 s = mfree(s);
159
160 assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0)do { if ((__builtin_expect(!!(!(namespace_flags_to_string(((unsigned
long) (0x02000000| 0x08000000| 0x40000000| 0x00020000| 0x20000000
| 0x10000000| 0x04000000)), &s) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0"
), "../src/test/test-seccomp.c", 160, __PRETTY_FUNCTION__); }
while (0);
161 assert_se(streq(s, "cgroup ipc net mnt pid user uts"))do { if ((__builtin_expect(!!(!((strcmp((s),("cgroup ipc net mnt pid user uts"
)) == 0))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("streq(s, \"cgroup ipc net mnt pid user uts\")"
), "../src/test/test-seccomp.c", 161, __PRETTY_FUNCTION__); }
while (0);
162 assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL)do { if ((__builtin_expect(!!(!(namespace_flags_from_string(s
, &ul) == 0 && ul == ((unsigned long) (0x02000000
| 0x08000000| 0x40000000| 0x00020000| 0x20000000| 0x10000000|
0x04000000)))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL"
), "../src/test/test-seccomp.c", 162, __PRETTY_FUNCTION__); }
while (0);
163 s = mfree(s);
164
165 if (!is_seccomp_available())
166 return;
167 if (geteuid() != 0)
168 return;
169
170 pid = fork();
171 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 171, __PRETTY_FUNCTION__); } while (0);
172
173 if (pid == 0) {
174
175 assert_se(seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_namespaces(0x00020000
|0x40000000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0"
), "../src/test/test-seccomp.c", 175, __PRETTY_FUNCTION__); }
while (0);
176
177 assert_se(unshare(CLONE_NEWNS) == 0)do { if ((__builtin_expect(!!(!(unshare(0x00020000) == 0)),0)
)) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("unshare(CLONE_NEWNS) == 0"
), "../src/test/test-seccomp.c", 177, __PRETTY_FUNCTION__); }
while (0);
178 assert_se(unshare(CLONE_NEWNET) == 0)do { if ((__builtin_expect(!!(!(unshare(0x40000000) == 0)),0)
)) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("unshare(CLONE_NEWNET) == 0"
), "../src/test/test-seccomp.c", 178, __PRETTY_FUNCTION__); }
while (0);
179 assert_se(unshare(CLONE_NEWUTS) == -1)do { if ((__builtin_expect(!!(!(unshare(0x04000000) == -1)),0
))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("unshare(CLONE_NEWUTS) == -1"
), "../src/test/test-seccomp.c", 179, __PRETTY_FUNCTION__); }
while (0);
180 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 180, __PRETTY_FUNCTION__); }
while (0);
181 assert_se(unshare(CLONE_NEWIPC) == -1)do { if ((__builtin_expect(!!(!(unshare(0x08000000) == -1)),0
))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("unshare(CLONE_NEWIPC) == -1"
), "../src/test/test-seccomp.c", 181, __PRETTY_FUNCTION__); }
while (0);
182 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 182, __PRETTY_FUNCTION__); }
while (0);
183 assert_se(unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1)do { if ((__builtin_expect(!!(!(unshare(0x40000000|0x04000000
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1"
), "../src/test/test-seccomp.c", 183, __PRETTY_FUNCTION__); }
while (0);
184 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 184, __PRETTY_FUNCTION__); }
while (0);
185
186 /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our
187 * seccomp filter worked, and hits first and makes it return EPERM */
188 assert_se(setns(0, CLONE_NEWNS) == -1)do { if ((__builtin_expect(!!(!(setns(0, 0x00020000) == -1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("setns(0, CLONE_NEWNS) == -1"
), "../src/test/test-seccomp.c", 188, __PRETTY_FUNCTION__); }
while (0);
189 assert_se(errno == EINVAL)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 22)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EINVAL"
), "../src/test/test-seccomp.c", 189, __PRETTY_FUNCTION__); }
while (0);
190 assert_se(setns(0, CLONE_NEWNET) == -1)do { if ((__builtin_expect(!!(!(setns(0, 0x40000000) == -1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("setns(0, CLONE_NEWNET) == -1"
), "../src/test/test-seccomp.c", 190, __PRETTY_FUNCTION__); }
while (0);
191 assert_se(errno == EINVAL)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 22)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EINVAL"
), "../src/test/test-seccomp.c", 191, __PRETTY_FUNCTION__); }
while (0);
192 assert_se(setns(0, CLONE_NEWUTS) == -1)do { if ((__builtin_expect(!!(!(setns(0, 0x04000000) == -1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("setns(0, CLONE_NEWUTS) == -1"
), "../src/test/test-seccomp.c", 192, __PRETTY_FUNCTION__); }
while (0);
193 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 193, __PRETTY_FUNCTION__); }
while (0);
194 assert_se(setns(0, CLONE_NEWIPC) == -1)do { if ((__builtin_expect(!!(!(setns(0, 0x08000000) == -1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("setns(0, CLONE_NEWIPC) == -1"
), "../src/test/test-seccomp.c", 194, __PRETTY_FUNCTION__); }
while (0);
195 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 195, __PRETTY_FUNCTION__); }
while (0);
196 assert_se(setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1)do { if ((__builtin_expect(!!(!(setns(0, 0x40000000|0x04000000
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1"
), "../src/test/test-seccomp.c", 196, __PRETTY_FUNCTION__); }
while (0);
197 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 197, __PRETTY_FUNCTION__); }
while (0);
198 assert_se(setns(0, 0) == -1)do { if ((__builtin_expect(!!(!(setns(0, 0) == -1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("setns(0, 0) == -1"), "../src/test/test-seccomp.c"
, 198, __PRETTY_FUNCTION__); } while (0);
199 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 199, __PRETTY_FUNCTION__); }
while (0);
200
201 pid = raw_clone(CLONE_NEWNS0x00020000);
202 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 202, __PRETTY_FUNCTION__); } while (0);
203 if (pid == 0)
204 _exit(EXIT_SUCCESS0);
205 pid = raw_clone(CLONE_NEWNET0x40000000);
206 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 206, __PRETTY_FUNCTION__); } while (0);
207 if (pid == 0)
208 _exit(EXIT_SUCCESS0);
209 pid = raw_clone(CLONE_NEWUTS0x04000000);
210 assert_se(pid < 0)do { if ((__builtin_expect(!!(!(pid < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid < 0"), "../src/test/test-seccomp.c"
, 210, __PRETTY_FUNCTION__); } while (0);
211 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 211, __PRETTY_FUNCTION__); }
while (0);
212 pid = raw_clone(CLONE_NEWIPC0x08000000);
213 assert_se(pid < 0)do { if ((__builtin_expect(!!(!(pid < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid < 0"), "../src/test/test-seccomp.c"
, 213, __PRETTY_FUNCTION__); } while (0);
214 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 214, __PRETTY_FUNCTION__); }
while (0);
215 pid = raw_clone(CLONE_NEWNET0x40000000|CLONE_NEWUTS0x04000000);
216 assert_se(pid < 0)do { if ((__builtin_expect(!!(!(pid < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid < 0"), "../src/test/test-seccomp.c"
, 216, __PRETTY_FUNCTION__); } while (0);
217 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 217, __PRETTY_FUNCTION__); }
while (0);
218
219 _exit(EXIT_SUCCESS0);
220 }
221
222 assert_se(wait_for_terminate_and_check("nsseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"nsseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"nsseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 222, __PRETTY_FUNCTION__); }
while (0);
223}
224
225static void test_protect_sysctl(void) {
226 pid_t pid;
227
228 if (!is_seccomp_available())
229 return;
230 if (geteuid() != 0)
231 return;
232
233 if (detect_container() > 0) /* in containers _sysctl() is likely missing anyway */
234 return;
235
236 pid = fork();
237 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 237, __PRETTY_FUNCTION__); } while (0);
238
239 if (pid == 0) {
240#if defined __NR__sysctl156 && __NR__sysctl156 >= 0
241 assert_se(syscall(__NR__sysctl, NULL) < 0)do { if ((__builtin_expect(!!(!(syscall(156, ((void*)0)) <
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("syscall(__NR__sysctl, NULL) < 0"
), "../src/test/test-seccomp.c", 241, __PRETTY_FUNCTION__); }
while (0);
242 assert_se(errno == EFAULT)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 14)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EFAULT"
), "../src/test/test-seccomp.c", 242, __PRETTY_FUNCTION__); }
while (0);
243#endif
244
245 assert_se(seccomp_protect_sysctl() >= 0)do { if ((__builtin_expect(!!(!(seccomp_protect_sysctl() >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_protect_sysctl() >= 0"
), "../src/test/test-seccomp.c", 245, __PRETTY_FUNCTION__); }
while (0);
246
247#if defined __NR__sysctl156 && __NR__sysctl156 >= 0
248 assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0)do { if ((__builtin_expect(!!(!(syscall(156, 0, 0, 0) < 0)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("syscall(__NR__sysctl, 0, 0, 0) < 0"
), "../src/test/test-seccomp.c", 248, __PRETTY_FUNCTION__); }
while (0);
249 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 249, __PRETTY_FUNCTION__); }
while (0);
250#endif
251
252 _exit(EXIT_SUCCESS0);
253 }
254
255 assert_se(wait_for_terminate_and_check("sysctlseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"sysctlseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"sysctlseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 255, __PRETTY_FUNCTION__); }
while (0);
256}
257
258static void test_restrict_address_families(void) {
259 pid_t pid;
260
261 if (!is_seccomp_available())
262 return;
263 if (geteuid() != 0)
264 return;
265
266 pid = fork();
267 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 267, __PRETTY_FUNCTION__); } while (0);
268
269 if (pid == 0) {
270 int fd;
271 Set *s;
272
273 fd = socket(AF_INET2, SOCK_DGRAMSOCK_DGRAM, 0);
274 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 274, __PRETTY_FUNCTION__); } while (0);
275 safe_close(fd);
276
277 fd = socket(AF_UNIX1, SOCK_DGRAMSOCK_DGRAM, 0);
278 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 278, __PRETTY_FUNCTION__); } while (0);
279 safe_close(fd);
280
281 fd = socket(AF_NETLINK16, SOCK_DGRAMSOCK_DGRAM, 0);
282 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 282, __PRETTY_FUNCTION__); } while (0);
283 safe_close(fd);
284
285 assert_se(s = set_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_set_new(((void*)
0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = set_new(NULL)"
), "../src/test/test-seccomp.c", 285, __PRETTY_FUNCTION__); }
while (0);
286 assert_se(set_put(s, INT_TO_PTR(AF_UNIX)) >= 0)do { if ((__builtin_expect(!!(!(set_put(s, ((void *) ((intptr_t
) (1)))) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("set_put(s, INT_TO_PTR(AF_UNIX)) >= 0"), "../src/test/test-seccomp.c"
, 286, __PRETTY_FUNCTION__); } while (0);
287
288 assert_se(seccomp_restrict_address_families(s, false) >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_address_families
(s, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("seccomp_restrict_address_families(s, false) >= 0"), "../src/test/test-seccomp.c"
, 288, __PRETTY_FUNCTION__); } while (0);
289
290 fd = socket(AF_INET2, SOCK_DGRAMSOCK_DGRAM, 0);
291 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 291, __PRETTY_FUNCTION__); } while (0);
292 safe_close(fd);
293
294 fd = socket(AF_UNIX1, SOCK_DGRAMSOCK_DGRAM, 0);
295#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN0
296 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 296, __PRETTY_FUNCTION__); } while (0);
297 safe_close(fd);
298#else
299 assert_se(fd < 0)do { if ((__builtin_expect(!!(!(fd < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd < 0"), "../src/test/test-seccomp.c"
, 299, __PRETTY_FUNCTION__); } while (0);
300 assert_se(errno == EAFNOSUPPORT)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 97)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EAFNOSUPPORT"
), "../src/test/test-seccomp.c", 300, __PRETTY_FUNCTION__); }
while (0);
301#endif
302
303 fd = socket(AF_NETLINK16, SOCK_DGRAMSOCK_DGRAM, 0);
304 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 304, __PRETTY_FUNCTION__); } while (0);
305 safe_close(fd);
306
307 set_clear(s);
308
309 assert_se(set_put(s, INT_TO_PTR(AF_INET)) >= 0)do { if ((__builtin_expect(!!(!(set_put(s, ((void *) ((intptr_t
) (2)))) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("set_put(s, INT_TO_PTR(AF_INET)) >= 0"), "../src/test/test-seccomp.c"
, 309, __PRETTY_FUNCTION__); } while (0);
310
311 assert_se(seccomp_restrict_address_families(s, true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_address_families
(s, 1) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("seccomp_restrict_address_families(s, true) >= 0"), "../src/test/test-seccomp.c"
, 311, __PRETTY_FUNCTION__); } while (0);
312
313 fd = socket(AF_INET2, SOCK_DGRAMSOCK_DGRAM, 0);
314 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 314, __PRETTY_FUNCTION__); } while (0);
315 safe_close(fd);
316
317 fd = socket(AF_UNIX1, SOCK_DGRAMSOCK_DGRAM, 0);
318#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN0
319 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 319, __PRETTY_FUNCTION__); } while (0);
320 safe_close(fd);
321#else
322 assert_se(fd < 0)do { if ((__builtin_expect(!!(!(fd < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd < 0"), "../src/test/test-seccomp.c"
, 322, __PRETTY_FUNCTION__); } while (0);
323 assert_se(errno == EAFNOSUPPORT)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 97)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EAFNOSUPPORT"
), "../src/test/test-seccomp.c", 323, __PRETTY_FUNCTION__); }
while (0);
324#endif
325
326 fd = socket(AF_NETLINK16, SOCK_DGRAMSOCK_DGRAM, 0);
327#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN0
328 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 328, __PRETTY_FUNCTION__); } while (0);
329 safe_close(fd);
330#else
331 assert_se(fd < 0)do { if ((__builtin_expect(!!(!(fd < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd < 0"), "../src/test/test-seccomp.c"
, 331, __PRETTY_FUNCTION__); } while (0);
332 assert_se(errno == EAFNOSUPPORT)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 97)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EAFNOSUPPORT"
), "../src/test/test-seccomp.c", 332, __PRETTY_FUNCTION__); }
while (0);
333#endif
334
335 _exit(EXIT_SUCCESS0);
336 }
337
338 assert_se(wait_for_terminate_and_check("socketseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"socketseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"socketseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 338, __PRETTY_FUNCTION__); }
while (0);
339}
340
341static void test_restrict_realtime(void) {
342 pid_t pid;
343
344 if (!is_seccomp_available())
345 return;
346 if (geteuid() != 0)
347 return;
348
349 if (detect_container() > 0) /* in containers RT privs are likely missing anyway */
350 return;
351
352 pid = fork();
353 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 353, __PRETTY_FUNCTION__); } while (0);
354
355 if (pid == 0) {
356 assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 1, &
(struct sched_param) { .sched_priority = 1 }) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) >= 0"
), "../src/test/test-seccomp.c", 356, __PRETTY_FUNCTION__); }
while (0);
357 assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 2, &
(struct sched_param) { .sched_priority = 1 }) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) >= 0"
), "../src/test/test-seccomp.c", 357, __PRETTY_FUNCTION__); }
while (0);
358 assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 5, &
(struct sched_param) { .sched_priority = 0 }) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0"
), "../src/test/test-seccomp.c", 358, __PRETTY_FUNCTION__); }
while (0);
359 assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 3, &
(struct sched_param) { .sched_priority = 0 }) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0"
), "../src/test/test-seccomp.c", 359, __PRETTY_FUNCTION__); }
while (0);
360 assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 0, &
(struct sched_param) {}) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0"
), "../src/test/test-seccomp.c", 360, __PRETTY_FUNCTION__); }
while (0);
361
362 assert_se(seccomp_restrict_realtime() >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_realtime() >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_restrict_realtime() >= 0"
), "../src/test/test-seccomp.c", 362, __PRETTY_FUNCTION__); }
while (0);
363
364 assert_se(sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 5, &
(struct sched_param) { .sched_priority = 0 }) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_IDLE, &(struct sched_param) { .sched_priority = 0 }) >= 0"
), "../src/test/test-seccomp.c", 364, __PRETTY_FUNCTION__); }
while (0);
365 assert_se(sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 3, &
(struct sched_param) { .sched_priority = 0 }) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_BATCH, &(struct sched_param) { .sched_priority = 0 }) >= 0"
), "../src/test/test-seccomp.c", 365, __PRETTY_FUNCTION__); }
while (0);
366 assert_se(sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 0, &
(struct sched_param) {}) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_OTHER, &(struct sched_param) {}) >= 0"
), "../src/test/test-seccomp.c", 366, __PRETTY_FUNCTION__); }
while (0);
367
368 assert_se(sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) < 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 1, &
(struct sched_param) { .sched_priority = 1 }) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_FIFO, &(struct sched_param) { .sched_priority = 1 }) < 0"
), "../src/test/test-seccomp.c", 368, __PRETTY_FUNCTION__); }
while (0);
369 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 369, __PRETTY_FUNCTION__); }
while (0);
370 assert_se(sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) < 0)do { if ((__builtin_expect(!!(!(sched_setscheduler(0, 2, &
(struct sched_param) { .sched_priority = 1 }) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("sched_setscheduler(0, SCHED_RR, &(struct sched_param) { .sched_priority = 1 }) < 0"
), "../src/test/test-seccomp.c", 370, __PRETTY_FUNCTION__); }
while (0);
371 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 371, __PRETTY_FUNCTION__); }
while (0);
372
373 _exit(EXIT_SUCCESS0);
374 }
375
376 assert_se(wait_for_terminate_and_check("realtimeseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"realtimeseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"realtimeseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 376, __PRETTY_FUNCTION__); }
while (0);
377}
378
379static void test_memory_deny_write_execute_mmap(void) {
380 pid_t pid;
381
382 if (!is_seccomp_available())
383 return;
384 if (geteuid() != 0)
385 return;
386
387 pid = fork();
388 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 388, __PRETTY_FUNCTION__); } while (0);
389
390 if (pid == 0) {
391 void *p;
392
393 p = mmap(NULL((void*)0), page_size(), PROT_WRITE0x2|PROT_EXEC0x4, MAP_PRIVATE0x02|MAP_ANONYMOUS0x20, -1,0);
394 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 394, __PRETTY_FUNCTION__); } while (0);
395 assert_se(munmap(p, page_size()) >= 0)do { if ((__builtin_expect(!!(!(munmap(p, page_size()) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("munmap(p, page_size()) >= 0"
), "../src/test/test-seccomp.c", 395, __PRETTY_FUNCTION__); }
while (0);
396
397 p = mmap(NULL((void*)0), page_size(), PROT_WRITE0x2|PROT_READ0x1, MAP_PRIVATE0x02|MAP_ANONYMOUS0x20, -1,0);
398 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 398, __PRETTY_FUNCTION__); } while (0);
399 assert_se(munmap(p, page_size()) >= 0)do { if ((__builtin_expect(!!(!(munmap(p, page_size()) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("munmap(p, page_size()) >= 0"
), "../src/test/test-seccomp.c", 399, __PRETTY_FUNCTION__); }
while (0);
400
401 assert_se(seccomp_memory_deny_write_execute() >= 0)do { if ((__builtin_expect(!!(!(seccomp_memory_deny_write_execute
() >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"seccomp_memory_deny_write_execute() >= 0"), "../src/test/test-seccomp.c"
, 401, __PRETTY_FUNCTION__); } while (0);
402
403 p = mmap(NULL((void*)0), page_size(), PROT_WRITE0x2|PROT_EXEC0x4, MAP_PRIVATE0x02|MAP_ANONYMOUS0x20, -1,0);
404#if defined(__x86_64__1) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
405 assert_se(p == MAP_FAILED)do { if ((__builtin_expect(!!(!(p == ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p == MAP_FAILED"), "../src/test/test-seccomp.c"
, 405, __PRETTY_FUNCTION__); } while (0);
406 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 406, __PRETTY_FUNCTION__); }
while (0);
407#else /* unknown architectures */
408 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 408, __PRETTY_FUNCTION__); } while (0);
409 assert_se(munmap(p, page_size()) >= 0)do { if ((__builtin_expect(!!(!(munmap(p, page_size()) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("munmap(p, page_size()) >= 0"
), "../src/test/test-seccomp.c", 409, __PRETTY_FUNCTION__); }
while (0);
410#endif
411
412 p = mmap(NULL((void*)0), page_size(), PROT_WRITE0x2|PROT_READ0x1, MAP_PRIVATE0x02|MAP_ANONYMOUS0x20, -1,0);
413 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 413, __PRETTY_FUNCTION__); } while (0);
414 assert_se(munmap(p, page_size()) >= 0)do { if ((__builtin_expect(!!(!(munmap(p, page_size()) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("munmap(p, page_size()) >= 0"
), "../src/test/test-seccomp.c", 414, __PRETTY_FUNCTION__); }
while (0);
415
416 _exit(EXIT_SUCCESS0);
417 }
418
419 assert_se(wait_for_terminate_and_check("memoryseccomp-mmap", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"memoryseccomp-mmap", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"memoryseccomp-mmap\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 419, __PRETTY_FUNCTION__); }
while (0);
420}
421
422static void test_memory_deny_write_execute_shmat(void) {
423 int shmid;
424 pid_t pid;
425
426 if (!is_seccomp_available())
427 return;
428 if (geteuid() != 0)
429 return;
430
431 shmid = shmget(IPC_PRIVATE((__key_t) 0), page_size(), 0);
432 assert_se(shmid >= 0)do { if ((__builtin_expect(!!(!(shmid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("shmid >= 0"), "../src/test/test-seccomp.c"
, 432, __PRETTY_FUNCTION__); } while (0);
433
434 pid = fork();
435 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 435, __PRETTY_FUNCTION__); } while (0);
436
437 if (pid == 0) {
438 void *p;
439
440 p = shmat(shmid, NULL((void*)0), 0);
441 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 441, __PRETTY_FUNCTION__); } while (0);
442 assert_se(shmdt(p) == 0)do { if ((__builtin_expect(!!(!(shmdt(p) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("shmdt(p) == 0"), "../src/test/test-seccomp.c"
, 442, __PRETTY_FUNCTION__); } while (0);
443
444 p = shmat(shmid, NULL((void*)0), SHM_EXEC0100000);
445 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 445, __PRETTY_FUNCTION__); } while (0);
446 assert_se(shmdt(p) == 0)do { if ((__builtin_expect(!!(!(shmdt(p) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("shmdt(p) == 0"), "../src/test/test-seccomp.c"
, 446, __PRETTY_FUNCTION__); } while (0);
447
448 assert_se(seccomp_memory_deny_write_execute() >= 0)do { if ((__builtin_expect(!!(!(seccomp_memory_deny_write_execute
() >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"seccomp_memory_deny_write_execute() >= 0"), "../src/test/test-seccomp.c"
, 448, __PRETTY_FUNCTION__); } while (0);
449
450 p = shmat(shmid, NULL((void*)0), SHM_EXEC0100000);
451#if defined(__x86_64__1) || defined(__arm__) || defined(__aarch64__)
452 assert_se(p == MAP_FAILED)do { if ((__builtin_expect(!!(!(p == ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p == MAP_FAILED"), "../src/test/test-seccomp.c"
, 452, __PRETTY_FUNCTION__); } while (0);
453 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 453, __PRETTY_FUNCTION__); }
while (0);
454#else /* __i386__, __powerpc64__, and "unknown" architectures */
455 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 455, __PRETTY_FUNCTION__); } while (0);
456 assert_se(shmdt(p) == 0)do { if ((__builtin_expect(!!(!(shmdt(p) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("shmdt(p) == 0"), "../src/test/test-seccomp.c"
, 456, __PRETTY_FUNCTION__); } while (0);
457#endif
458
459 p = shmat(shmid, NULL((void*)0), 0);
460 assert_se(p != MAP_FAILED)do { if ((__builtin_expect(!!(!(p != ((void *) -1))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p != MAP_FAILED"), "../src/test/test-seccomp.c"
, 460, __PRETTY_FUNCTION__); } while (0);
461 assert_se(shmdt(p) == 0)do { if ((__builtin_expect(!!(!(shmdt(p) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("shmdt(p) == 0"), "../src/test/test-seccomp.c"
, 461, __PRETTY_FUNCTION__); } while (0);
462
463 _exit(EXIT_SUCCESS0);
464 }
465
466 assert_se(wait_for_terminate_and_check("memoryseccomp-shmat", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"memoryseccomp-shmat", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"memoryseccomp-shmat\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 466, __PRETTY_FUNCTION__); }
while (0);
467}
468
469static void test_restrict_archs(void) {
470 pid_t pid;
471
472 if (!is_seccomp_available())
473 return;
474 if (geteuid() != 0)
475 return;
476
477 pid = fork();
478 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 478, __PRETTY_FUNCTION__); } while (0);
479
480 if (pid == 0) {
481 _cleanup_set_free___attribute__((cleanup(set_freep))) Set *s = NULL((void*)0);
482
483 assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0"
), "../src/test/test-seccomp.c", 483, __PRETTY_FUNCTION__); }
while (0);
484
485 assert_se(s = set_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_set_new(((void*)
0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = set_new(NULL)"
), "../src/test/test-seccomp.c", 485, __PRETTY_FUNCTION__); }
while (0);
486
487#ifdef __x86_64__1
488 assert_se(set_put(s, UINT32_TO_PTR(SCMP_ARCH_X86+1)) >= 0)do { if ((__builtin_expect(!!(!(set_put(s, ((void *) ((uintptr_t
) ((3|0x40000000)+1)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("set_put(s, UINT32_TO_PTR(SCMP_ARCH_X86+1)) >= 0"
), "../src/test/test-seccomp.c", 488, __PRETTY_FUNCTION__); }
while (0);
489#endif
490 assert_se(seccomp_restrict_archs(s) >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_archs(s) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_restrict_archs(s) >= 0"
), "../src/test/test-seccomp.c", 490, __PRETTY_FUNCTION__); }
while (0);
491
492 assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0"
), "../src/test/test-seccomp.c", 492, __PRETTY_FUNCTION__); }
while (0);
493 assert_se(seccomp_restrict_archs(NULL) >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_archs(((void
*)0)) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("seccomp_restrict_archs(NULL) >= 0"), "../src/test/test-seccomp.c"
, 493, __PRETTY_FUNCTION__); } while (0);
494
495 assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0"
), "../src/test/test-seccomp.c", 495, __PRETTY_FUNCTION__); }
while (0);
496
497 _exit(EXIT_SUCCESS0);
498 }
499
500 assert_se(wait_for_terminate_and_check("archseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"archseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"archseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 500, __PRETTY_FUNCTION__); }
while (0);
501}
502
503static void test_load_syscall_filter_set_raw(void) {
504 pid_t pid;
505
506 if (!is_seccomp_available())
507 return;
508 if (geteuid() != 0)
509 return;
510
511 pid = fork();
512 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 512, __PRETTY_FUNCTION__); } while (0);
513
514 if (pid == 0) {
515 _cleanup_hashmap_free___attribute__((cleanup(hashmap_freep))) Hashmap *s = NULL((void*)0);
516
517 assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0"
), "../src/test/test-seccomp.c", 517, __PRETTY_FUNCTION__); }
while (0);
518 assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0"
), "../src/test/test-seccomp.c", 518, __PRETTY_FUNCTION__); }
while (0);
519
520 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL, true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw
(0x7fff0000U, ((void*)0), 0x00000000U, 1) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, SCMP_ACT_KILL, true) >= 0"
), "../src/test/test-seccomp.c", 520, __PRETTY_FUNCTION__); }
while (0);
521 assert_se(access("/", F_OK) >= 0)do { if ((__builtin_expect(!!(!(access("/", 0) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) >= 0"
), "../src/test/test-seccomp.c", 521, __PRETTY_FUNCTION__); }
while (0);
522 assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0"
), "../src/test/test-seccomp.c", 522, __PRETTY_FUNCTION__); }
while (0);
523
524 assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void
*)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)"
), "../src/test/test-seccomp.c", 524, __PRETTY_FUNCTION__); }
while (0);
525#if SCMP_SYS(access)(21) >= 0
526 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (21 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0"
), "../src/test/test-seccomp.c", 526, __PRETTY_FUNCTION__); }
while (0);
527#else
528 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (269 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0"
), "../src/test/test-seccomp.c", 528, __PRETTY_FUNCTION__); }
while (0);
529#endif
530
531 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw
(0x7fff0000U, s, (0x00050000U | ((117) & 0x0000ffffU)), 1
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0"
), "../src/test/test-seccomp.c", 531, __PRETTY_FUNCTION__); }
while (0);
532
533 assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c"
, 533, __PRETTY_FUNCTION__); } while (0);
534 assert_se(errno == EUCLEAN)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 117
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EUCLEAN"
), "../src/test/test-seccomp.c", 534, __PRETTY_FUNCTION__); }
while (0);
535
536 assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0"
), "../src/test/test-seccomp.c", 536, __PRETTY_FUNCTION__); }
while (0);
537
538 s = hashmap_free(s);
539
540 assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void
*)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)"
), "../src/test/test-seccomp.c", 540, __PRETTY_FUNCTION__); }
while (0);
541#if SCMP_SYS(access)(21) >= 0
542 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (21 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0"
), "../src/test/test-seccomp.c", 542, __PRETTY_FUNCTION__); }
while (0);
543#else
544 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (269 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0"
), "../src/test/test-seccomp.c", 544, __PRETTY_FUNCTION__); }
while (0);
545#endif
546
547 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw
(0x7fff0000U, s, (0x00050000U | ((117) & 0x0000ffffU)), 1
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0"
), "../src/test/test-seccomp.c", 547, __PRETTY_FUNCTION__); }
while (0);
548
549 assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c"
, 549, __PRETTY_FUNCTION__); } while (0);
550 assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ"
), "../src/test/test-seccomp.c", 550, __PRETTY_FUNCTION__); }
while (0);
551
552 assert_se(poll(NULL, 0, 0) == 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) == 0))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) == 0"
), "../src/test/test-seccomp.c", 552, __PRETTY_FUNCTION__); }
while (0);
553
554 s = hashmap_free(s);
555
556 assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void
*)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)"
), "../src/test/test-seccomp.c", 556, __PRETTY_FUNCTION__); }
while (0);
557#if SCMP_SYS(poll)(7) >= 0
558 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (7 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0"
), "../src/test/test-seccomp.c", 558, __PRETTY_FUNCTION__); }
while (0);
559#else
560 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (271 + 1))), ((void *) ((intptr_t) (-1)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0"
), "../src/test/test-seccomp.c", 560, __PRETTY_FUNCTION__); }
while (0);
561#endif
562
563 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw
(0x7fff0000U, s, (0x00050000U | ((49) & 0x0000ffffU)), 1)
>= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0"
), "../src/test/test-seccomp.c", 563, __PRETTY_FUNCTION__); }
while (0);
564
565 assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c"
, 565, __PRETTY_FUNCTION__); } while (0);
566 assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ"
), "../src/test/test-seccomp.c", 566, __PRETTY_FUNCTION__); }
while (0);
567
568 assert_se(poll(NULL, 0, 0) < 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) < 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) < 0"
), "../src/test/test-seccomp.c", 568, __PRETTY_FUNCTION__); }
while (0);
569 assert_se(errno == EUNATCH)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 49)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EUNATCH"
), "../src/test/test-seccomp.c", 569, __PRETTY_FUNCTION__); }
while (0);
570
571 s = hashmap_free(s);
572
573 assert_se(s = hashmap_new(NULL))do { if ((__builtin_expect(!!(!(s = internal_hashmap_new(((void
*)0) ))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("s = hashmap_new(NULL)"
), "../src/test/test-seccomp.c", 573, __PRETTY_FUNCTION__); }
while (0);
574#if SCMP_SYS(poll)(7) >= 0
575 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (7 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0"
), "../src/test/test-seccomp.c", 575, __PRETTY_FUNCTION__); }
while (0);
576#else
577 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0)do { if ((__builtin_expect(!!(!(hashmap_put(s, ((void *) ((uintptr_t
) (271 + 1))), ((void *) ((intptr_t) (84)))) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0"
), "../src/test/test-seccomp.c", 577, __PRETTY_FUNCTION__); }
while (0);
578#endif
579
580 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0)do { if ((__builtin_expect(!!(!(seccomp_load_syscall_filter_set_raw
(0x7fff0000U, s, (0x00050000U | ((49) & 0x0000ffffU)), 1)
>= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH), true) >= 0"
), "../src/test/test-seccomp.c", 580, __PRETTY_FUNCTION__); }
while (0);
581
582 assert_se(access("/", F_OK) < 0)do { if ((__builtin_expect(!!(!(access("/", 0) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("access(\"/\", F_OK) < 0"), "../src/test/test-seccomp.c"
, 582, __PRETTY_FUNCTION__); } while (0);
583 assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ"
), "../src/test/test-seccomp.c", 583, __PRETTY_FUNCTION__); }
while (0);
584
585 assert_se(poll(NULL, 0, 0) < 0)do { if ((__builtin_expect(!!(!(poll(((void*)0), 0, 0) < 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("poll(NULL, 0, 0) < 0"
), "../src/test/test-seccomp.c", 585, __PRETTY_FUNCTION__); }
while (0);
586 assert_se(errno == EILSEQ)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 84)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EILSEQ"
), "../src/test/test-seccomp.c", 586, __PRETTY_FUNCTION__); }
while (0);
587
588 _exit(EXIT_SUCCESS0);
589 }
590
591 assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"syscallrawseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"syscallrawseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 591, __PRETTY_FUNCTION__); }
while (0);
592}
593
594static void test_lock_personality(void) {
595 unsigned long current;
596 pid_t pid;
597
598 if (!is_seccomp_available())
599 return;
600 if (geteuid() != 0)
601 return;
602
603 assert_se(opinionated_personality(&current) >= 0)do { if ((__builtin_expect(!!(!(opinionated_personality(&
current) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("opinionated_personality(&current) >= 0"), "../src/test/test-seccomp.c"
, 603, __PRETTY_FUNCTION__); } while (0);
604
605 log_info("current personality=%lu", current)({ int _level = (((6))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/test/test-seccomp.c", 605, __func__, "current personality=%lu"
, current) : -abs(_e); });
606
607 pid = fork();
608 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 608, __PRETTY_FUNCTION__); } while (0);
609
610 if (pid == 0) {
611 assert_se(seccomp_lock_personality(current) >= 0)do { if ((__builtin_expect(!!(!(seccomp_lock_personality(current
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"seccomp_lock_personality(current) >= 0"), "../src/test/test-seccomp.c"
, 611, __PRETTY_FUNCTION__); } while (0);
612
613 assert_se((unsigned long) safe_personality(current) == current)do { if ((__builtin_expect(!!(!((unsigned long) safe_personality
(current) == current)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("(unsigned long) safe_personality(current) == current"), "../src/test/test-seccomp.c"
, 613, __PRETTY_FUNCTION__); } while (0);
614
615 /* Note, we also test that safe_personality() works correctly, by checkig whether errno is properly
616 * set, in addition to the return value */
617 errno(*__errno_location ()) = 0;
618 assert_se(safe_personality(PER_LINUX | ADDR_NO_RANDOMIZE) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_LINUX | ADDR_NO_RANDOMIZE
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_LINUX | ADDR_NO_RANDOMIZE) == -EPERM"
), "../src/test/test-seccomp.c", 618, __PRETTY_FUNCTION__); }
while (0);
619 assert_se(errno == EPERM)do { if ((__builtin_expect(!!(!((*__errno_location ()) == 1))
,0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("errno == EPERM"
), "../src/test/test-seccomp.c", 619, __PRETTY_FUNCTION__); }
while (0);
620
621 assert_se(safe_personality(PER_LINUX | MMAP_PAGE_ZERO) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_LINUX | MMAP_PAGE_ZERO
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_LINUX | MMAP_PAGE_ZERO) == -EPERM"
), "../src/test/test-seccomp.c", 621, __PRETTY_FUNCTION__); }
while (0);
622 assert_se(safe_personality(PER_LINUX | ADDR_COMPAT_LAYOUT) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_LINUX | ADDR_COMPAT_LAYOUT
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_LINUX | ADDR_COMPAT_LAYOUT) == -EPERM"
), "../src/test/test-seccomp.c", 622, __PRETTY_FUNCTION__); }
while (0);
623 assert_se(safe_personality(PER_LINUX | READ_IMPLIES_EXEC) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_LINUX | READ_IMPLIES_EXEC
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_LINUX | READ_IMPLIES_EXEC) == -EPERM"
), "../src/test/test-seccomp.c", 623, __PRETTY_FUNCTION__); }
while (0);
624 assert_se(safe_personality(PER_LINUX_32BIT) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_LINUX_32BIT
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_LINUX_32BIT) == -EPERM"
), "../src/test/test-seccomp.c", 624, __PRETTY_FUNCTION__); }
while (0);
625 assert_se(safe_personality(PER_SVR4) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_SVR4) ==
-1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_SVR4) == -EPERM"
), "../src/test/test-seccomp.c", 625, __PRETTY_FUNCTION__); }
while (0);
626 assert_se(safe_personality(PER_BSD) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_BSD) == -
1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_BSD) == -EPERM"
), "../src/test/test-seccomp.c", 626, __PRETTY_FUNCTION__); }
while (0);
627 assert_se(safe_personality(current == PER_LINUX ? PER_LINUX32 : PER_LINUX) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(current == PER_LINUX
? PER_LINUX32 : PER_LINUX) == -1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("safe_personality(current == PER_LINUX ? PER_LINUX32 : PER_LINUX) == -EPERM"
), "../src/test/test-seccomp.c", 627, __PRETTY_FUNCTION__); }
while (0);
628 assert_se(safe_personality(PER_LINUX32_3GB) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_LINUX32_3GB
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_LINUX32_3GB) == -EPERM"
), "../src/test/test-seccomp.c", 628, __PRETTY_FUNCTION__); }
while (0);
629 assert_se(safe_personality(PER_UW7) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(PER_UW7) == -
1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PER_UW7) == -EPERM"
), "../src/test/test-seccomp.c", 629, __PRETTY_FUNCTION__); }
while (0);
630 assert_se(safe_personality(0x42) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(0x42) == -1)
),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(0x42) == -EPERM"
), "../src/test/test-seccomp.c", 630, __PRETTY_FUNCTION__); }
while (0);
631
632 assert_se(safe_personality(PERSONALITY_INVALID) == -EPERM)do { if ((__builtin_expect(!!(!(safe_personality(0xffffffffLU
) == -1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("safe_personality(PERSONALITY_INVALID) == -EPERM"
), "../src/test/test-seccomp.c", 632, __PRETTY_FUNCTION__); }
while (0); /* maybe remove this later */
633
634 assert_se((unsigned long) personality(current) == current)do { if ((__builtin_expect(!!(!((unsigned long) personality(current
) == current)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("(unsigned long) personality(current) == current"), "../src/test/test-seccomp.c"
, 634, __PRETTY_FUNCTION__); } while (0);
635 _exit(EXIT_SUCCESS0);
636 }
637
638 assert_se(wait_for_terminate_and_check("lockpersonalityseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"lockpersonalityseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"lockpersonalityseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 638, __PRETTY_FUNCTION__); }
while (0);
639}
640
641static void test_filter_sets_ordered(void) {
642 size_t i;
643
644 /* Ensure "@default" always remains at the beginning of the list */
645 assert_se(SYSCALL_FILTER_SET_DEFAULT == 0)do { if ((__builtin_expect(!!(!(SYSCALL_FILTER_SET_DEFAULT ==
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("SYSCALL_FILTER_SET_DEFAULT == 0"
), "../src/test/test-seccomp.c", 645, __PRETTY_FUNCTION__); }
while (0);
646 assert_se(streq(syscall_filter_sets[0].name, "@default"))do { if ((__builtin_expect(!!(!((strcmp((syscall_filter_sets[
0].name),("@default")) == 0))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("streq(syscall_filter_sets[0].name, \"@default\")"), "../src/test/test-seccomp.c"
, 646, __PRETTY_FUNCTION__); } while (0);
647
648 for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
649 const char *k, *p = NULL((void*)0);
650
651 /* Make sure each group has a description */
652 assert_se(!isempty(syscall_filter_sets[0].help))do { if ((__builtin_expect(!!(!(!isempty(syscall_filter_sets[
0].help))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!isempty(syscall_filter_sets[0].help)"
), "../src/test/test-seccomp.c", 652, __PRETTY_FUNCTION__); }
while (0);
653
654 /* Make sure the groups are ordered alphabetically, except for the first entry */
655 assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0)do { if ((__builtin_expect(!!(!(i < 2 || strcmp(syscall_filter_sets
[i-1].name, syscall_filter_sets[i].name) < 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0"
), "../src/test/test-seccomp.c", 655, __PRETTY_FUNCTION__); }
while (0);
656
657 NULSTR_FOREACH(k, syscall_filter_sets[i].value)for ((k) = (syscall_filter_sets[i].value); (k) && *(k
); (k) = strchr((k), 0)+1) {
658
659 /* Ensure each syscall list is in itself ordered, but groups before names */
660 assert_se(!p ||do { if ((__builtin_expect(!!(!(!p || (*p == '@' && *
k != '@') || (((*p == '@' && *k == '@') || (*p != '@'
&& *k != '@')) && strcmp(p, k) < 0))),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!p || (*p == '@' && *k != '@') || (((*p == '@' && *k == '@') || (*p != '@' && *k != '@')) && strcmp(p, k) < 0)"
), "../src/test/test-seccomp.c", 664, __PRETTY_FUNCTION__); }
while (0)
661 (*p == '@' && *k != '@') ||do { if ((__builtin_expect(!!(!(!p || (*p == '@' && *
k != '@') || (((*p == '@' && *k == '@') || (*p != '@'
&& *k != '@')) && strcmp(p, k) < 0))),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!p || (*p == '@' && *k != '@') || (((*p == '@' && *k == '@') || (*p != '@' && *k != '@')) && strcmp(p, k) < 0)"
), "../src/test/test-seccomp.c", 664, __PRETTY_FUNCTION__); }
while (0)
662 (((*p == '@' && *k == '@') ||do { if ((__builtin_expect(!!(!(!p || (*p == '@' && *
k != '@') || (((*p == '@' && *k == '@') || (*p != '@'
&& *k != '@')) && strcmp(p, k) < 0))),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!p || (*p == '@' && *k != '@') || (((*p == '@' && *k == '@') || (*p != '@' && *k != '@')) && strcmp(p, k) < 0)"
), "../src/test/test-seccomp.c", 664, __PRETTY_FUNCTION__); }
while (0)
663 (*p != '@' && *k != '@')) &&do { if ((__builtin_expect(!!(!(!p || (*p == '@' && *
k != '@') || (((*p == '@' && *k == '@') || (*p != '@'
&& *k != '@')) && strcmp(p, k) < 0))),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!p || (*p == '@' && *k != '@') || (((*p == '@' && *k == '@') || (*p != '@' && *k != '@')) && strcmp(p, k) < 0)"
), "../src/test/test-seccomp.c", 664, __PRETTY_FUNCTION__); }
while (0)
664 strcmp(p, k) < 0))do { if ((__builtin_expect(!!(!(!p || (*p == '@' && *
k != '@') || (((*p == '@' && *k == '@') || (*p != '@'
&& *k != '@')) && strcmp(p, k) < 0))),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!p || (*p == '@' && *k != '@') || (((*p == '@' && *k == '@') || (*p != '@' && *k != '@')) && strcmp(p, k) < 0)"
), "../src/test/test-seccomp.c", 664, __PRETTY_FUNCTION__); }
while (0);
665
666 p = k;
667 }
668 }
669}
670
671static int mkostemp_safe(char *pattern) {
672 _unused___attribute__ ((unused)) _cleanup_umask___attribute__((cleanup(umaskp))) mode_t u = umask(0077);
673 int fd;
674
675 assert(pattern)do { if ((__builtin_expect(!!(!(pattern)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pattern"), "../src/test/test-seccomp.c"
, 675, __PRETTY_FUNCTION__); } while (0);
676
677 fd = mkostemp(pattern, O_CLOEXEC02000000);
678 if (fd < 0)
679 return -errno(*__errno_location ());
680
681 return fd;
682}
683
684static int real_open(const char *path, int flags, mode_t mode) {
685 /* glibc internally calls openat() when open() is requested. Let's hence define our own wrapper for
686 * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
687 * other architectures, let's just fall back to the glibc call. */
688
689#ifdef SYS_open2
690 return (int) syscall(SYS_open2, path, flags, mode);
691#else
692 return open(path, flags, mode);
693#endif
694}
695
696static void test_restrict_suid_sgid(void) {
697 pid_t pid;
698
699 log_info("/* %s */", __func__)({ int _level = (((6))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/test/test-seccomp.c", 699, __func__, "/* %s */", __func__
) : -abs(_e); });
700
701 if (!is_seccomp_available()) {
702 log_notice("Seccomp not available, skipping %s", __func__)({ int _level = (((5))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/test/test-seccomp.c", 702, __func__, "Seccomp not available, skipping %s"
, __func__) : -abs(_e); });
703 return;
704 }
705 if (geteuid() != 0) {
706 log_notice("Not root, skipping %s", __func__)({ int _level = (((5))), _e = ((0)), _realm = (LOG_REALM_SYSTEMD
); (log_get_max_level_realm(_realm) >= ((_level) & 0x07
)) ? log_internal_realm(((_realm) << 10 | (_level)), _e
, "../src/test/test-seccomp.c", 706, __func__, "Not root, skipping %s"
, __func__) : -abs(_e); });
707 return;
708 }
709
710 pid = fork();
711 assert_se(pid >= 0)do { if ((__builtin_expect(!!(!(pid >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("pid >= 0"), "../src/test/test-seccomp.c"
, 711, __PRETTY_FUNCTION__); } while (0);
712
713 if (pid == 0) {
714 char path[] = "/tmp/suidsgidXXXXXX", dir[] = "/tmp/suidsgiddirXXXXXX";
715 int fd = -1, k = -1;
716 const char *z;
717
718 fd = mkostemp_safe(path);
719 assert_se(fd >= 0)do { if ((__builtin_expect(!!(!(fd >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fd >= 0"), "../src/test/test-seccomp.c"
, 719, __PRETTY_FUNCTION__); } while (0);
720
721 assert_se(mkdtemp(dir))do { if ((__builtin_expect(!!(!(mkdtemp(dir))),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mkdtemp(dir)"), "../src/test/test-seccomp.c"
, 721, __PRETTY_FUNCTION__); } while (0);
722 z = strjoina(dir, "/test")({ const char *_appendees_[] = { dir, "/test" }; char *_d_, *
_p_; size_t _len_ = 0; size_t _i_; for (_i_ = 0; _i_ < __extension__
(__builtin_choose_expr( !__builtin_types_compatible_p(typeof
(_appendees_), typeof(&*(_appendees_))), sizeof(_appendees_
)/sizeof((_appendees_)[0]), ((void)0))) && _appendees_
[_i_]; _i_++) _len_ += strlen(_appendees_[_i_]); _p_ = _d_ = __builtin_alloca
(_len_ + 1); for (_i_ = 0; _i_ < __extension__ (__builtin_choose_expr
( !__builtin_types_compatible_p(typeof(_appendees_), typeof(&
*(_appendees_))), sizeof(_appendees_)/sizeof((_appendees_)[0]
), ((void)0))) && _appendees_[_i_]; _i_++) _p_ = stpcpy
(_p_, _appendees_[_i_]); *_p_ = 0; _d_; });
723
724 assert_se(chmod(path, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755 | 04000) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0755 | S_ISUID) >= 0"
), "../src/test/test-seccomp.c", 724, __PRETTY_FUNCTION__); }
while (0);
725 assert_se(chmod(path, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755 | 02000) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0755 | S_ISGID) >= 0"
), "../src/test/test-seccomp.c", 725, __PRETTY_FUNCTION__); }
while (0);
726 assert_se(chmod(path, 0755 | S_ISGID | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755 | 02000 | 04000
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"chmod(path, 0755 | S_ISGID | S_ISUID) >= 0"), "../src/test/test-seccomp.c"
, 726, __PRETTY_FUNCTION__); } while (0);
727 assert_se(chmod(path, 0755) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0755) >= 0)),0
))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0755) >= 0"
), "../src/test/test-seccomp.c", 727, __PRETTY_FUNCTION__); }
while (0);
728
729 assert_se(fchmod(fd, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755 | 04000) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0755 | S_ISUID) >= 0"
), "../src/test/test-seccomp.c", 729, __PRETTY_FUNCTION__); }
while (0);
730 assert_se(fchmod(fd, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755 | 02000) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0755 | S_ISGID) >= 0"
), "../src/test/test-seccomp.c", 730, __PRETTY_FUNCTION__); }
while (0);
731 assert_se(fchmod(fd, 0755 | S_ISGID | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755 | 02000 | 04000
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"fchmod(fd, 0755 | S_ISGID | S_ISUID) >= 0"), "../src/test/test-seccomp.c"
, 731, __PRETTY_FUNCTION__); } while (0);
732 assert_se(fchmod(fd, 0755) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0755) >= 0)),0)
)) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0755) >= 0"
), "../src/test/test-seccomp.c", 732, __PRETTY_FUNCTION__); }
while (0);
733
734 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 04000
, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) >= 0"), "../src/test/test-seccomp.c"
, 734, __PRETTY_FUNCTION__); } while (0);
735 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000
, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) >= 0"), "../src/test/test-seccomp.c"
, 735, __PRETTY_FUNCTION__); } while (0);
736 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000
| 04000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) >= 0"
), "../src/test/test-seccomp.c", 736, __PRETTY_FUNCTION__); }
while (0);
737 assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755, 0)
>= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755, 0) >= 0"
), "../src/test/test-seccomp.c", 737, __PRETTY_FUNCTION__); }
while (0);
738
739 k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000);
740 k = safe_close(k);
741 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 741, __PRETTY_FUNCTION__); } while (0);
742
743 k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISGID02000);
744 k = safe_close(k);
745 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 745, __PRETTY_FUNCTION__); } while (0);
746
747 k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000 | S_ISGID02000);
748 k = safe_close(k);
749 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 749, __PRETTY_FUNCTION__); } while (0);
750
751 k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644);
752 k = safe_close(k);
753 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 753, __PRETTY_FUNCTION__); } while (0);
754
755 k = creat(z, 0644 | S_ISUID04000);
756 k = safe_close(k);
757 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 757, __PRETTY_FUNCTION__); } while (0);
758
759 k = creat(z, 0644 | S_ISGID02000);
760 k = safe_close(k);
761 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 761, __PRETTY_FUNCTION__); } while (0);
762
763 k = creat(z, 0644 | S_ISUID04000 | S_ISGID02000);
764 k = safe_close(k);
765 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 765, __PRETTY_FUNCTION__); } while (0);
766
767 k = creat(z, 0644);
768 k = safe_close(k);
769 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 769, __PRETTY_FUNCTION__); } while (0);
770
771 k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000);
772 k = safe_close(k);
773 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 773, __PRETTY_FUNCTION__); } while (0);
774
775 k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISGID02000);
776 k = safe_close(k);
777 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 777, __PRETTY_FUNCTION__); } while (0);
778
779 k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644 | S_ISUID04000 | S_ISGID02000);
780 k = safe_close(k);
781 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 781, __PRETTY_FUNCTION__); } while (0);
782
783 k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644);
784 k = safe_close(k);
Value stored to 'k' is never read
785 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 785, __PRETTY_FUNCTION__); } while (0);
786
787 assert_se(mkdir(z, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISUID) >= 0"
), "../src/test/test-seccomp.c", 787, __PRETTY_FUNCTION__); }
while (0);
788 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 788, __PRETTY_FUNCTION__); } while (0);
789 assert_se(mkdir(z, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 02000) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISGID) >= 0"
), "../src/test/test-seccomp.c", 789, __PRETTY_FUNCTION__); }
while (0);
790 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 790, __PRETTY_FUNCTION__); } while (0);
791 assert_se(mkdir(z, 0755 | S_ISUID | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000 | 02000
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"mkdir(z, 0755 | S_ISUID | S_ISGID) >= 0"), "../src/test/test-seccomp.c"
, 791, __PRETTY_FUNCTION__); } while (0);
792 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 792, __PRETTY_FUNCTION__); } while (0);
793 assert_se(mkdir(z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755) >= 0"
), "../src/test/test-seccomp.c", 793, __PRETTY_FUNCTION__); }
while (0);
794 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 794, __PRETTY_FUNCTION__); } while (0);
795
796 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"mkdirat(AT_FDCWD, z, 0755 | S_ISUID) >= 0"), "../src/test/test-seccomp.c"
, 796, __PRETTY_FUNCTION__); } while (0);
797 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 797, __PRETTY_FUNCTION__); } while (0);
798 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 02000
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"mkdirat(AT_FDCWD, z, 0755 | S_ISGID) >= 0"), "../src/test/test-seccomp.c"
, 798, __PRETTY_FUNCTION__); } while (0);
799 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 799, __PRETTY_FUNCTION__); } while (0);
800 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000
| 02000) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) >= 0"),
"../src/test/test-seccomp.c", 800, __PRETTY_FUNCTION__); } while
(0);
801 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 801, __PRETTY_FUNCTION__); } while (0);
802 assert_se(mkdirat(AT_FDCWD, z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755) >= 0"
), "../src/test/test-seccomp.c", 802, __PRETTY_FUNCTION__); }
while (0);
803 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 803, __PRETTY_FUNCTION__); } while (0);
804
805 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000
, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknod(z, S_IFREG | 0755 | S_ISUID, 0) >= 0"), "../src/test/test-seccomp.c"
, 805, __PRETTY_FUNCTION__); } while (0);
806 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 806, __PRETTY_FUNCTION__); } while (0);
807 assert_se(mknod(z, S_IFREG | 0755 | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 02000
, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknod(z, S_IFREG | 0755 | S_ISGID, 0) >= 0"), "../src/test/test-seccomp.c"
, 807, __PRETTY_FUNCTION__); } while (0);
808 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 808, __PRETTY_FUNCTION__); } while (0);
809 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000
| 02000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0")
, "../src/test/test-seccomp.c", 809, __PRETTY_FUNCTION__); } while
(0);
810 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 810, __PRETTY_FUNCTION__); } while (0);
811 assert_se(mknod(z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755, 0) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755, 0) >= 0"
), "../src/test/test-seccomp.c", 811, __PRETTY_FUNCTION__); }
while (0);
812 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 812, __PRETTY_FUNCTION__); } while (0);
813
814 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
| 04000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) >= 0"
), "../src/test/test-seccomp.c", 814, __PRETTY_FUNCTION__); }
while (0);
815 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 815, __PRETTY_FUNCTION__); } while (0);
816 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
| 02000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) >= 0"
), "../src/test/test-seccomp.c", 816, __PRETTY_FUNCTION__); }
while (0);
817 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 817, __PRETTY_FUNCTION__); } while (0);
818 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
| 04000 | 02000, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) >= 0"
), "../src/test/test-seccomp.c", 818, __PRETTY_FUNCTION__); }
while (0);
819 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 819, __PRETTY_FUNCTION__); } while (0);
820 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0"), "../src/test/test-seccomp.c"
, 820, __PRETTY_FUNCTION__); } while (0);
821 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 821, __PRETTY_FUNCTION__); } while (0);
822
823 assert_se(seccomp_restrict_suid_sgid() >= 0)do { if ((__builtin_expect(!!(!(seccomp_restrict_suid_sgid() >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("seccomp_restrict_suid_sgid() >= 0"
), "../src/test/test-seccomp.c", 823, __PRETTY_FUNCTION__); }
while (0);
824
825 assert_se(chmod(path, 0775 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(chmod(path, 0775 | 04000) <
0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("chmod(path, 0775 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 825, __PRETTY_FUNCTION__); }
while (0);
826 assert_se(chmod(path, 0775 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(chmod(path, 0775 | 02000) <
0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("chmod(path, 0775 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 826, __PRETTY_FUNCTION__); }
while (0);
827 assert_se(chmod(path, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(chmod(path, 0775 | 02000 | 04000
) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("chmod(path, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 827, __PRETTY_FUNCTION__); }
while (0);
828 assert_se(chmod(path, 0775) >= 0)do { if ((__builtin_expect(!!(!(chmod(path, 0775) >= 0)),0
))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("chmod(path, 0775) >= 0"
), "../src/test/test-seccomp.c", 828, __PRETTY_FUNCTION__); }
while (0);
829
830 assert_se(fchmod(fd, 0775 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775 | 04000) <
0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fchmod(fd, 0775 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 830, __PRETTY_FUNCTION__); }
while (0);
831 assert_se(fchmod(fd, 0775 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775 | 02000) <
0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fchmod(fd, 0775 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 831, __PRETTY_FUNCTION__); }
while (0);
832 assert_se(fchmod(fd, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775 | 02000 | 04000
) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fchmod(fd, 0775 | S_ISGID | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 832, __PRETTY_FUNCTION__); }
while (0);
833 assert_se(fchmod(fd, 0775) >= 0)do { if ((__builtin_expect(!!(!(fchmod(fd, 0775) >= 0)),0)
)) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmod(fd, 0775) >= 0"
), "../src/test/test-seccomp.c", 833, __PRETTY_FUNCTION__); }
while (0);
834
835 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 04000
, 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755 | S_ISUID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 835, __PRETTY_FUNCTION__); }
while (0);
836 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000
, 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 836, __PRETTY_FUNCTION__); }
while (0);
837 assert_se(fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755 | 02000
| 04000, 0) < 0 && (*__errno_location ()) == 1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755 | S_ISGID | S_ISUID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 837, __PRETTY_FUNCTION__); }
while (0);
838 assert_se(fchmodat(AT_FDCWD, path, 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(fchmodat(-100, path, 0755, 0)
>= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("fchmodat(AT_FDCWD, path, 0755, 0) >= 0"
), "../src/test/test-seccomp.c", 838, __PRETTY_FUNCTION__); }
while (0);
839
840 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(real_open(z, 0100|02|02000000
|0200, 0644 | 04000) < 0 && (*__errno_location ())
== 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 840, __PRETTY_FUNCTION__); }
while (0);
841 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(real_open(z, 0100|02|02000000
|0200, 0644 | 02000) < 0 && (*__errno_location ())
== 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 841, __PRETTY_FUNCTION__); }
while (0);
842 assert_se(real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(real_open(z, 0100|02|02000000
|0200, 0644 | 04000 | 02000) < 0 && (*__errno_location
()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"real_open(z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 842, __PRETTY_FUNCTION__); }
while (0);
843 k = real_open(z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644);
844 k = safe_close(k);
845 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 845, __PRETTY_FUNCTION__); } while (0);
846
847 assert_se(creat(z, 0644 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(creat(z, 0644 | 04000) < 0
&& (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("creat(z, 0644 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 847, __PRETTY_FUNCTION__); }
while (0);
848 assert_se(creat(z, 0644 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(creat(z, 0644 | 02000) < 0
&& (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("creat(z, 0644 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 848, __PRETTY_FUNCTION__); }
while (0);
849 assert_se(creat(z, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(creat(z, 0644 | 04000 | 02000
) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("creat(z, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 849, __PRETTY_FUNCTION__); }
while (0);
850 k = creat(z, 0644);
851 k = safe_close(k);
852 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 852, __PRETTY_FUNCTION__); } while (0);
853
854 assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(openat(-100, z, 0100|02|02000000
|0200, 0644 | 04000) < 0 && (*__errno_location ())
== 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 854, __PRETTY_FUNCTION__); }
while (0);
855 assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(openat(-100, z, 0100|02|02000000
|0200, 0644 | 02000) < 0 && (*__errno_location ())
== 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 855, __PRETTY_FUNCTION__); }
while (0);
856 assert_se(openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(openat(-100, z, 0100|02|02000000
|0200, 0644 | 04000 | 02000) < 0 && (*__errno_location
()) == 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"openat(AT_FDCWD, z, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL, 0644 | S_ISUID | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 856, __PRETTY_FUNCTION__); }
while (0);
857 k = openat(AT_FDCWD-100, z, O_CREAT0100|O_RDWR02|O_CLOEXEC02000000|O_EXCL0200, 0644);
858 k = safe_close(k);
859 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 859, __PRETTY_FUNCTION__); } while (0);
860
861 assert_se(mkdir(z, 0755 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000) < 0
&& (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 861, __PRETTY_FUNCTION__); }
while (0);
862 assert_se(mkdir(z, 0755 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 02000) < 0
&& (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 862, __PRETTY_FUNCTION__); }
while (0);
863 assert_se(mkdir(z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdir(z, 0755 | 04000 | 02000
) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mkdir(z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 863, __PRETTY_FUNCTION__); }
while (0);
864 assert_se(mkdir(z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdir(z, 0755) >= 0)),0)))
log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdir(z, 0755) >= 0"
), "../src/test/test-seccomp.c", 864, __PRETTY_FUNCTION__); }
while (0);
865 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 865, __PRETTY_FUNCTION__); } while (0);
866
867 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000
) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755 | S_ISUID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 867, __PRETTY_FUNCTION__); }
while (0);
868 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 02000
) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755 | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 868, __PRETTY_FUNCTION__); }
while (0);
869 assert_se(mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755 | 04000
| 02000) < 0 && (*__errno_location ()) == 1)),0))
) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755 | S_ISUID | S_ISGID) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 869, __PRETTY_FUNCTION__); }
while (0);
870 assert_se(mkdirat(AT_FDCWD, z, 0755) >= 0)do { if ((__builtin_expect(!!(!(mkdirat(-100, z, 0755) >= 0
)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mkdirat(AT_FDCWD, z, 0755) >= 0"
), "../src/test/test-seccomp.c", 870, __PRETTY_FUNCTION__); }
while (0);
871 assert_se(rmdir(z) >= 0)do { if ((__builtin_expect(!!(!(rmdir(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("rmdir(z) >= 0"), "../src/test/test-seccomp.c"
, 871, __PRETTY_FUNCTION__); } while (0);
872
873 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000
, 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 873, __PRETTY_FUNCTION__); }
while (0);
874 assert_se(mknod(z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 02000
, 0) < 0 && (*__errno_location ()) == 1)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 874, __PRETTY_FUNCTION__); }
while (0);
875 assert_se(mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755 | 04000
| 02000, 0) < 0 && (*__errno_location ()) == 1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 875, __PRETTY_FUNCTION__); }
while (0);
876 assert_se(mknod(z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknod(z, 0100000 | 0755, 0) >=
0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknod(z, S_IFREG | 0755, 0) >= 0"
), "../src/test/test-seccomp.c", 876, __PRETTY_FUNCTION__); }
while (0);
877 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 877, __PRETTY_FUNCTION__); } while (0);
878
879 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
| 04000, 0) < 0 && (*__errno_location ()) == 1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 879, __PRETTY_FUNCTION__); }
while (0);
880 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
| 02000, 0) < 0 && (*__errno_location ()) == 1)),
0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISGID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 880, __PRETTY_FUNCTION__); }
while (0);
881 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
| 04000 | 02000, 0) < 0 && (*__errno_location ())
== 1)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("mknodat(AT_FDCWD, z, S_IFREG | 0755 | S_ISUID | S_ISGID, 0) < 0 && errno == EPERM"
), "../src/test/test-seccomp.c", 881, __PRETTY_FUNCTION__); }
while (0);
882 assert_se(mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0)do { if ((__builtin_expect(!!(!(mknodat(-100, z, 0100000 | 0755
, 0) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD
, ("mknodat(AT_FDCWD, z, S_IFREG | 0755, 0) >= 0"), "../src/test/test-seccomp.c"
, 882, __PRETTY_FUNCTION__); } while (0);
883 assert_se(unlink(z) >= 0)do { if ((__builtin_expect(!!(!(unlink(z) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(z) >= 0"), "../src/test/test-seccomp.c"
, 883, __PRETTY_FUNCTION__); } while (0);
884
885 assert_se(unlink(path) >= 0)do { if ((__builtin_expect(!!(!(unlink(path) >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("unlink(path) >= 0"), "../src/test/test-seccomp.c"
, 885, __PRETTY_FUNCTION__); } while (0);
886 assert_se(rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0)do { if ((__builtin_expect(!!(!(rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL
) >= 0)),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, (
"rm_rf(dir, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0"), "../src/test/test-seccomp.c"
, 886, __PRETTY_FUNCTION__); } while (0);
887
888 _exit(EXIT_SUCCESS0);
889 }
890
891 assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS)do { if ((__builtin_expect(!!(!(wait_for_terminate_and_check(
"suidsgidseccomp", pid, WAIT_LOG) == 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("wait_for_terminate_and_check(\"suidsgidseccomp\", pid, WAIT_LOG) == EXIT_SUCCESS"
), "../src/test/test-seccomp.c", 891, __PRETTY_FUNCTION__); }
while (0);
892}
893
894int main(int argc, char *argv[]) {
895
896 log_set_max_level(LOG_DEBUG)log_set_max_level_realm(LOG_REALM_SYSTEMD, (7));
897
898 test_seccomp_arch_to_string();
899 test_architecture_table();
900 test_syscall_filter_set_find();
901 test_filter_sets();
902 test_restrict_namespace();
903 test_protect_sysctl();
904 test_restrict_address_families();
905 test_restrict_realtime();
906 test_memory_deny_write_execute_mmap();
907 test_memory_deny_write_execute_shmat();
908 test_restrict_archs();
909 test_load_syscall_filter_set_raw();
910 test_lock_personality();
911 test_filter_sets_ordered();
912 test_restrict_suid_sgid();
913
914 return 0;
915}