From a389925e44b5561383f5158722e6eec5c1cb0ebf Mon Sep 17 00:00:00 2001
From: sat0ken <15720506+sat0ken@users.noreply.github.com>
Date: Thu, 17 Oct 2024 09:02:12 +0900
Subject: [PATCH 1/3] add test code
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
---
 experiment/seccomp/src/instruction/arch.rs | 19 +++++++++
 experiment/seccomp/src/instruction/consts.rs | 2 +-
 experiment/seccomp/src/seccomp.rs | 44 ++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/experiment/seccomp/src/instruction/arch.rs b/experiment/seccomp/src/instruction/arch.rs
index 2883f5daa..8971cf066 100644
--- a/experiment/seccomp/src/instruction/arch.rs
+++ b/experiment/seccomp/src/instruction/arch.rs
@@ -18,3 +18,22 @@ pub fn gen_validate(arc: &Arch) -> Vec {
 Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
 ]
 }
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_gen_validate() {
+ let bpf_prog = gen_validate(&Arch::X86);
+ if cfg!(target_arch = "x86_64") {
+ assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
+ assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64));
+ assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+ } else if cfg!(target_arch = "aarch64"){
+ assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
+ assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_AARCH64));
+ assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+ }
+ }
+}
\ No newline at end of file
diff --git a/experiment/seccomp/src/instruction/consts.rs b/experiment/seccomp/src/instruction/consts.rs
index 4bd199363..da37651f2 100644
--- a/experiment/seccomp/src/instruction/consts.rs
+++ b/experiment/seccomp/src/instruction/consts.rs
@@ -95,7 +95,7 @@ mod tests {
 #[test]
 fn test_seccomp_data_arg_size_offset() {
 if cfg!(target_arch = "x86_64") {
- assert_eq!(seccomp_data_arg_size_offset(), 8);
+ assert_eq!(seccomp_data_arg_size(), 8);
 }
 }
diff --git a/experiment/seccomp/src/seccomp.rs b/experiment/seccomp/src/seccomp.rs
index f5a83cf45..345748238 100644
--- a/experiment/seccomp/src/seccomp.rs
+++ b/experiment/seccomp/src/seccomp.rs
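Review bot: The test is still named `test_seccomp_data_arg_size_offset` although it now checks `seccomp_data_arg_size()`, so a failure report points at a helper the test no longer exercises; renaming it to `test_seccomp_data_arg_size` keeps the name and the assertion in step. The assertion also sits inside `if cfg!(target_arch = "x86_64")`, so on any other target the test passes without checking anything. If the size is meant to be the same on every target, drop the guard; otherwise gate the whole test with `#[cfg(target_arch = "x86_64")]` so that a skipped check shows up as an absent test rather than a green one.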
@@ -274,3 +274,47 @@ impl Rule {
 bpf_prog
 }
 }
+
+#[cfg(test)]
+mod tests {
+ use syscalls::syscall_args;
+ use super::*;
+
+ #[test]
+ fn test_get_syscall_number() {
+ if cfg!(target_arch = "x86_64") {
+ let sys_num = get_syscall_number(&Arch::X86, "read");
+ assert_eq!(sys_num.unwrap(), 0);
+ } else if cfg!(target_arch = "aarch64"){
+ let sys_num = get_syscall_number(&Arch::AArch64, "read");
+ assert_eq!(sys_num.unwrap(), 63);
+ }
+ }
+
+ #[test]
+ fn test_to_instruction() {
+ if cfg!(target_arch = "x86_64") {
+ let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false);
+ let inst = Rule::to_instruction(&Arch::X86, SECCOMP_RET_KILL_PROCESS, &rule);
+ let bpf_prog = gen_validate(&Arch::X86);
+ assert_eq!(inst[0], bpf_prog[0]);
+ assert_eq!(inst[1], bpf_prog[1]);
+ assert_eq!(inst[2], bpf_prog[2]);
+ assert_eq!(inst[3], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0));
+ assert_eq!(inst[4], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1,
+ get_syscall_number(&Arch::X86, "getcwd").unwrap() as c_uint));
+ assert_eq!(inst[5], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+ } else if cfg!(target_arch = "aarch64"){
+ let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false);
+ let inst = Rule::to_instruction(&Arch::AArch64, SECCOMP_RET_KILL_PROCESS, &rule);
+ let bpf_prog = gen_validate(&Arch::AArch64);
+ assert_eq!(inst[0], bpf_prog[0]);
+ assert_eq!(inst[1], bpf_prog[1]);
+ assert_eq!(inst[2], bpf_prog[2]);
+ assert_eq!(inst[3], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0));
+ assert_eq!(inst[4], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1,
+ get_syscall_number(&Arch::AArch64, "getcwd").unwrap() as c_uint));
+ assert_eq!(inst[5], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+ }
+ }
+}
\ No newline at end of file
From c496be7686512378b06043a83b5abe8e4f4caf87 Mon Sep 17 00:00:00 2001
From: sat0ken <15720506+sat0ken@users.noreply.github.com>
Date: Fri, 18 Oct 2024 22:39:54 +0900
Subject: [PATCH 2/3] separate unittest code by arch
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
---
 experiment/seccomp/src/instruction/arch.rs | 22 +++----
 experiment/seccomp/src/seccomp.rs | 67 +++++++++++-----------
 2 files changed, 47 insertions(+), 42 deletions(-)
diff --git a/experiment/seccomp/src/instruction/arch.rs b/experiment/seccomp/src/instruction/arch.rs
index 8971cf066..f19d56499 100644
--- a/experiment/seccomp/src/instruction/arch.rs
+++ b/experiment/seccomp/src/instruction/arch.rs
@@ -24,16 +24,18 @@ mod tests {
 use super::*;
 #[test]
- fn test_gen_validate() {
+ fn test_gen_validate_x86() {
 let bpf_prog = gen_validate(&Arch::X86);
- if cfg!(target_arch = "x86_64") {
- assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
- assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64));
- assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
- } else if cfg!(target_arch = "aarch64"){
- assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
- assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_AARCH64));
- assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
- }
+ assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
+ assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64));
+ assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+ }
+
+ #[test]
+ fn test_gen_validate_aarch64() {
+ let bpf_prog = gen_validate(&Arch::AArch64);
+ assert_eq!(bpf_prog[0], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, seccomp_data_arch_offset() as u32));
+ assert_eq!(bpf_prog[1], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_AARCH64));
+ assert_eq!(bpf_prog[2], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
 }
 }
\ No newline at end of file
diff --git a/experiment/seccomp/src/seccomp.rs b/experiment/seccomp/src/seccomp.rs
index 345748238..02e44368e 100644
--- a/experiment/seccomp/src/seccomp.rs
+++ b/experiment/seccomp/src/seccomp.rs
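Review bot: `test_gen_validate_x86` and `test_gen_validate_aarch64` index `bpf_prog[0]` to `bpf_prog[2]` but never check the length, so an instruction added after the architecture check would go unnoticed. This prologue is what kills the process when the audit architecture does not match, so it is worth pinning exactly: add `assert_eq!(bpf_prog.len(), 3);` to each test, or compare the whole vector in a single `assert_eq!`. The count of three is inferred from the entries asserted here and should be confirmed against `gen_validate`, whose body lies outside the hunk. A short comment on the jump, for example `// equal arch skips the kill; anything else falls through to it`, would make the `1, 0` offsets reviewable, assuming the arguments are jt then jf.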
@@ -281,40 +281,43 @@ mod tests {
 use super::*;
 #[test]
- fn test_get_syscall_number() {
- if cfg!(target_arch = "x86_64") {
- let sys_num = get_syscall_number(&Arch::X86, "read");
- assert_eq!(sys_num.unwrap(), 0);
- } else if cfg!(target_arch = "aarch64"){
- let sys_num = get_syscall_number(&Arch::AArch64, "read");
- assert_eq!(sys_num.unwrap(), 63);
- }
+ fn test_get_syscall_number_x86() {
+ let sys_num = get_syscall_number(&Arch::X86, "read");
+ assert_eq!(sys_num.unwrap(), 0);
 }
 #[test]
- fn test_to_instruction() {
- if cfg!(target_arch = "x86_64") {
- let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false);
- let inst = Rule::to_instruction(&Arch::X86, SECCOMP_RET_KILL_PROCESS, &rule);
- let bpf_prog = gen_validate(&Arch::X86);
- assert_eq!(inst[0], bpf_prog[0]);
- assert_eq!(inst[1], bpf_prog[1]);
- assert_eq!(inst[2], bpf_prog[2]);
- assert_eq!(inst[3], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0));
- assert_eq!(inst[4], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1,
- get_syscall_number(&Arch::X86, "getcwd").unwrap() as c_uint));
- assert_eq!(inst[5], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
- } else if cfg!(target_arch = "aarch64"){
- let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false);
- let inst = Rule::to_instruction(&Arch::AArch64, SECCOMP_RET_KILL_PROCESS, &rule);
- let bpf_prog = gen_validate(&Arch::AArch64);
- assert_eq!(inst[0], bpf_prog[0]);
- assert_eq!(inst[1], bpf_prog[1]);
- assert_eq!(inst[2], bpf_prog[2]);
- assert_eq!(inst[3], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0));
- assert_eq!(inst[4], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1,
- get_syscall_number(&Arch::AArch64, "getcwd").unwrap() as c_uint));
- assert_eq!(inst[5], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
- }
+ fn test_get_syscall_number_aarch64() {
+ let sys_num = get_syscall_number(&Arch::AArch64, "read");
+ assert_eq!(sys_num.unwrap(), 63);
+ }
+
+ #[test]
+ fn test_to_instruction_x86() {
+ let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false);
+ let inst = Rule::to_instruction(&Arch::X86, SECCOMP_RET_KILL_PROCESS, &rule);
+ let bpf_prog = gen_validate(&Arch::X86);
+ assert_eq!(inst[0], bpf_prog[0]);
+ assert_eq!(inst[1], bpf_prog[1]);
+ assert_eq!(inst[2], bpf_prog[2]);
+ assert_eq!(inst[3], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0));
+ assert_eq!(inst[4], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1,
+ get_syscall_number(&Arch::X86, "getcwd").unwrap() as c_uint));
+ assert_eq!(inst[5], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
+ }
+
+ #[test]
+ fn test_to_instruction_aarch64() {
+
+ let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false);
+ let inst = Rule::to_instruction(&Arch::AArch64, SECCOMP_RET_KILL_PROCESS, &rule);
+ let bpf_prog = gen_validate(&Arch::AArch64);
+ assert_eq!(inst[0], bpf_prog[0]);
+ assert_eq!(inst[1], bpf_prog[1]);
+ assert_eq!(inst[2], bpf_prog[2]);
+ assert_eq!(inst[3], Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0));
+ assert_eq!(inst[4], Instruction::jump(BPF_JMP | BPF_JEQ | BPF_K, 0, 1,
+ get_syscall_number(&Arch::AArch64, "getcwd").unwrap() as c_uint));
+ assert_eq!(inst[5], Instruction::stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
 }
 }
\ No newline at end of file
From a9c80a30836314867024ac7b7c1f2187e99979cf Mon Sep 17 00:00:00 2001
From: sat0ken <15720506+sat0ken@users.noreply.github.com>
Date: Fri, 18 Oct 2024 22:44:09 +0900
Subject: [PATCH 3/3] rm blank line
Signed-off-by: sat0ken <15720506+sat0ken@users.noreply.github.com>
---
 experiment/seccomp/src/seccomp.rs | 1 -
 1 file changed, 1 deletion(-)
diff --git a/experiment/seccomp/src/seccomp.rs b/experiment/seccomp/src/seccomp.rs
index 02e44368e..0ac2a871b 100644
--- a/experiment/seccomp/src/seccomp.rs
+++ b/experiment/seccomp/src/seccomp.rs
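Review bot: In the `@@ -281,40 +281,43 @@` hunk of PATCH 2/3, `test_to_instruction_x86` and `test_to_instruction_aarch64` stop at `inst[5]`, so they pin the kill path for `getcwd` but not the instruction a non-matching syscall jumps to, and they never check `inst.len()`. With `0, 1` on the syscall compare (assuming the jump arguments are jt then jf), a non-match skips `inst[5]` and lands on an instruction the tests do not examine, so a regression that changed or dropped that trailing return would alter the filter's default action and still pass. Assert the remaining instruction(s) and the total length as well, for example `assert_eq!(inst.len(), EXPECTED_LEN);`, where `EXPECTED_LEN` is a placeholder to be taken from `Rule::to_instruction`, whose body is outside this hunk. The bare `0` in `Instruction::stmt(BPF_LD | BPF_W | BPF_ABS, 0)` would read better with a comment such as `// offset of seccomp_data.nr`.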
@@ -308,7 +308,6 @@ mod tests { #[test] fn test_to_instruction_aarch64() { - let rule = Rule::new("getcwd".parse().unwrap(), 0, syscall_args!(), false); let inst = Rule::to_instruction(&Arch::AArch64, SECCOMP_RET_KILL_PROCESS, &rule); let bpf_prog = gen_validate(&Arch::AArch64);