From 18bcddaf925b366de86813ddf15131a2d132906e Mon Sep 17 00:00:00 2001
From: Tyler Hicks
Date: Mon, 9 Oct 2017 04:55:15 +0000
Subject: [PATCH 1/2] tests: Improve seccomp_api_set() test coverage

Test setting all of the valid API levels and then test an invalid API level to ensure that seccomp_api_set() fails.

Signed-off-by: Tyler Hicks
---
 tests/39-basic-api_level.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/39-basic-api_level.c b/tests/39-basic-api_level.c
index f36a9377..18c082a9 100644
--- a/tests/39-basic-api_level.c
+++ b/tests/39-basic-api_level.c
@@ -40,5 +40,21 @@ int main(int argc, char *argv[])
 if (api != 1)
 return -3;
 
+ rc = seccomp_api_set(2);
+ if (rc != 0)
+ return -4;
+ api = seccomp_api_get();
+ if (api != 2)
+ return -5;
+
+ /* Attempt to set a high, invalid API level */
+ rc = seccomp_api_set(1024);
+ if (rc != -EINVAL)
+ return -6;
+ /* Ensure that the previously set API level didn't change */
+ api = seccomp_api_get();
+ if (api != 2)
+ return -7;
+
 return 0;
 }

From a54a57cb9065525e635cd6397e99a49b6f372815 Mon Sep 17 00:00:00 2001
From: Tyler Hicks
Date: Tue, 10 Oct 2017 05:01:57 +0000
Subject: [PATCH 2/2] python: Expose API level functionality

Allow Python applications to get and set the API level using global functions.

Signed-off-by: Tyler Hicks
---
 src/python/seccomp.pyx | 29 +++++++++++++++++++++++++++++
 tests/39-basic-api_level.py | 34 +++++++++++++++++++++++++++++++---
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index 275019a0..27e374f5 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
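Review bot: In tests/39-basic-api_level.c the new negative test probes only an out-of-range high value (`seccomp_api_set(1024)`), so the lower boundary is never exercised; the Python test added later in this series has the same gap. If level 0 is meant to be rejected (the existing checks start at level 1, but the library's accepted range is not shown here), add `rc = seccomp_api_set(0);` / `if (rc != -EINVAL)` / `return -8;` ahead of `return 0;`. main() begins above the hunk, so the earlier return codes are not all visible and -8 is only a suggested value.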
@@ -150,6 +150,35 @@ def resolve_syscall(arch, syscall):
 else:
 raise TypeError("Syscall must either be an int or str type")
 
+def get_api():
+ """ Query the level of API support
+
+ Description:
+ Returns the API level value indicating the current supported
+ functionality.
+ """
+ level = libseccomp.seccomp_api_get()
+ if level < 0:
+ raise RuntimeError(str.format("Library error (errno = {0})", level))
+
+ return level
+
+def set_api(unsigned int level):
+ """ Set the level of API support
+
+ Arguments:
+ level - the API level
+
+ Description:
+ This function forcibly sets the API level at runtime. General use
+ of this function is strongly discouraged.
+ """
+ rc = libseccomp.seccomp_api_set(level)
+ if rc == -errno.EINVAL:
+ raise ValueError("Invalid level")
+ elif rc != 0:
+ raise RuntimeError(str.format("Library error (errno = {0})", rc))
+
 cdef class Arch:
 """ Python object representing the SyscallFilter architecture values.
 
diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
index e958bf1e..49d23f2a 100755
--- a/tests/39-basic-api_level.py
+++ b/tests/39-basic-api_level.py
@@ -4,7 +4,9 @@
 # Seccomp Library test program
 #
 # Copyright (c) 2016 Red Hat
-# Author: Paul Moore
+# Copyright (c) 2017 Canonical Ltd.
+# Authors: Paul Moore
+# Tyler Hicks
 #
 #
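Review bot: set_api() types its argument as `unsigned int level`, so a negative Python integer (or one that does not fit) is rejected by Cython's argument conversion, normally with OverflowError, before seccomp_api_set() runs; a caller that follows the new test's pattern of catching ValueError for a bad level will not catch it. Either document that in the docstring, or accept a plain `level` and guard it with `if level < 0: raise ValueError("Invalid level")` before the call. In get_api(), the `if level < 0:` branch looks unreachable if the binding declares seccomp_api_get() as returning an unsigned value; that declaration is outside this patch, so confirm it and either drop the check or keep it with a comment. The set_api() docstring would also be more useful if it said why forcing the level is discouraged, presumably because it overrides whatever the library determined at runtime.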
@@ -28,8 +30,34 @@ from seccomp import *
-# NOTE: this is a NULL test since we don't support the seccomp_version() API
-# via the libseccomp python bindings
+def test():
+ api = get_api()
+ if (api < 1):
+ raise RuntimeError("Failed getting initial API level")
+
+ set_api(1)
+ api = get_api()
+ if api != 1:
+ raise RuntimeError("Failed getting API level 1")
+
+ set_api(2)
+ api = get_api()
+ if api != 2:
+ raise RuntimeError("Failed getting API level 2")
+
+ # Attempt to set a high, invalid API level
+ try:
+ set_api(1024)
+ except ValueError:
+ pass
+ else:
+ raise RuntimeError("Missing failure when setting invalid API level")
+ # Ensure that the previously set API level didn't change
+ api = get_api()
+ if api != 2:
+ raise RuntimeError("Failed getting old API level after setting an invalid API level")
+
+test()
 # kate: syntax python;
 # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
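Review bot: `if (api < 1):` in test() is the only parenthesised condition in the new function; the later checks use the bare form, so write `if api < 1:` for consistency. The RuntimeError messages would also be easier to act on if they reported the level that get_api() actually returned, since a failure currently says only which step failed.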