authorLennart Poettering <lennart@poettering.net>2017-08-09 20:40:26 +0200
committerLennart Poettering <lennart@poettering.net>2017-08-29 15:56:57 +0200
commite8132d63fea6986cb6bcb2b78d95b1ada3ada708 (patch)
treec2ab745fa9c6cd35caab91fbac74c4009a5043c6 /src/test/test-seccomp.c
parent78e864e5b3cc11b72ae663f49f42f158cafbfedf (diff)
seccomp: default to something resembling the current personality when locking it
Let's lock the personality to the currently set one, if nothing is specifically specified. But do so with a grain of salt, and never default to any exotic personality here, but only PER_LINUX or PER_LINUX32.
Diffstat (limited to 'src/test/test-seccomp.c')
-rw-r--r--src/test/test-seccomp.c38
1 files changed, 34 insertions, 4 deletions
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 7ffbc4754e..262d0b712b 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -567,6 +567,7 @@ static void test_load_syscall_filter_set_raw(void) {
}
static void test_lock_personality(void) {
+ unsigned long current;
pid_t pid;
if (!is_seccomp_available())
@@ -574,26 +575,55 @@ static void test_lock_personality(void) {
if (geteuid() != 0)
return;
+ assert_se(opinionated_personality(&current) >= 0);
+
+ log_info("current personality=%lu", current);
+
pid = fork();
assert_se(pid >= 0);
if (pid == 0) {
- assert_se(seccomp_lock_personality(PER_LINUX) >= 0);
+ assert_se(seccomp_lock_personality(current) >= 0);
- assert_se(personality(PER_LINUX) == PER_LINUX);
+ assert_se((unsigned long) personality(current) == current);
+
+ errno = EUCLEAN;
assert_se(personality(PER_LINUX | ADDR_NO_RANDOMIZE) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_LINUX | MMAP_PAGE_ZERO) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_LINUX | ADDR_COMPAT_LAYOUT) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_LINUX | READ_IMPLIES_EXEC) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_LINUX_32BIT) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_SVR4) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_BSD) == -1 && errno == EPERM);
- assert_se(personality(PER_LINUX32) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
+ assert_se(personality(current == PER_LINUX ? PER_LINUX32 : PER_LINUX) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_LINUX32_3GB) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PER_UW7) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(0x42) == -1 && errno == EPERM);
+
+ errno = EUCLEAN;
assert_se(personality(PERSONALITY_INVALID) == -1 && errno == EPERM); /* maybe remove this later */
- assert_se(personality(PER_LINUX) == PER_LINUX);
+
+ assert_se((unsigned long) personality(current) == current);
_exit(EXIT_SUCCESS);
}
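Review bot: The four flag checks in the child (`PER_LINUX | ADDR_NO_RANDOMIZE`, `PER_LINUX | MMAP_PAGE_ZERO`, `PER_LINUX | ADDR_COMPAT_LAYOUT`, `PER_LINUX | READ_IMPLIES_EXEC`) still hard-code `PER_LINUX` as the base. When `current` is `PER_LINUX32` they differ from the locked value in the base personality as well, so they no longer show that a flag set on top of the locked personality is refused. A filter that compared only the base domain and ignored the flag bits would still pass on such a host, and those flag bits are the security-relevant part (ASLR off, READ_IMPLIES_EXEC, page-zero mapping). I would write the checks against the locked value, e.g. `assert_se(personality(current | ADDR_NO_RANDOMIZE) == -1 && errno == EPERM);`, and likewise for the other three flags. test_lock_personality continues past the end of this hunk, so the parent side of the fork is not visible here.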