8000 rkt_seccomp_test: Fix arm64 stat tests by glevand · Pull Request #3804 · rkt/rkt · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
This repository was archived by the owner on Feb 24, 2020. It is now read-only.

rkt_seccomp_test: Fix arm64 stat tests #3804

Merged
merged 1 commit into from
Sep 21, 2017
Merged

rkt_seccomp_test: Fix arm64 stat tests #3804

merged 1 commit into from
Sep 21, 2017

Conversation

glevand
Copy link
Contributor
@glevand glevand commented Sep 20, 2017
edited
Loading

The -stat-file option of rkt's inspect program uses the standard go
os.Stat() routine, which uses the syscall.Stat() routine for its
operation. For amd64 syscall.Stat() uses the SYS_STAT system call,
and so setting actool's --seccomp-set option to 'stat' works with
inspect's -stat-file option.

The arm64 linux kernel does not implement a SYS_STAT syscall, so for
arm64 syscall.Stat() is implemented as a wrapper around the
syscall.Fstatat() routine. Because of this actool's --seccomp-set
option needs to be set to 'newfstatat' for the '-stat-file' option
to work correctly on arm64 machines.

I put a small program that tests for valid seccomp syscall names here:
https://gist.github.com/glevand/4625adcef2c5d25c457eb308f76e5148 (seccomp-name-test.c)

See:
https://github.com/rkt/rkt/blob/master/tests/inspect/inspect.go
https://golang.org/src/syscall/syscall_linux_arm64.go

@glevand
rkt_seccomp_test: Fix arm64 stat tests
22bc4ba 
The -stat-file option of rkt's inspect program uses the standard go
os.Stat() routine, which uses the syscall.Stat() routine for its
operation.  For amd64 syscall.Stat() uses the SYS_STAT system call,
and so setting actool's --seccomp-set option to 'stat' works with
inspect's -stat-file option.

The arm64 linux kernel does not implement a SYS_STAT syscall, so for
arm64 syscall.Stat() is implemented as a wrapper around the
syscall.Fstatat() routine.  Because of this actool's --seccomp-set
option needs to be set to 'newfstatat' for the '-stat-file' option
to work correctly on arm64 machines.

Signed-off-by: Geoff Levand <geoff@infradead.org>
@lucab
Copy link
Member
lucab commented Sep 20, 2017

@glevand thanks for the detailed writeup! I like your PR, but I'm just wondering if we can make this architecture-independent by simply expanding the test-set to all stat-related syscalls (stat, fstatat64 and newfstatat)? I'm unsure if libseccomp/systemd rejects architecture-specific syscalls where they don't exist.

@lucab lucab added this to the 1.29.0 milestone Sep 20, 2017
@glevand
Copy link
Contributor Author
glevand commented Sep 21, 2017

@lucab I don't think it possible to test all stat related syscalls in a architecture-independent way since we either need to filter the tests to run (not include SYS_STAT tests on arm64), or vary the expected output (look for the error string on amd64 and success on arm64). I think the second better, but that seems like it will need seccompTestCases.expectedOutput to be a map with arch as the key. I'll look into setting that up. Any thoughts?

@lucab
Copy link
Member
lucab commented Sep 21, 2017

@glevand no worries, mine was just a wish item. In order to keep the test simple, I'm fine with your PR as it currently is. I've just re-triggered semaphoreci.

lucab
lucab approved these changes Sep 21, 2017
View reviewed changes
Copy link
Member
@lucab lucab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lucab lucab merged commit cee9119 into rkt:master Sep 21, 2017
@glevand glevand deleted the for-merge-seccomp branch September 21, 2017 16:03
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lucab lucab lucab approved these changes

Assignees
No one assigned
Labels
area/testing reviewed/merge-on-green
Projects
None yet
Milestone
1.29.0
Development

Successfully merging this pull request may close these issues.
2 participants
@glevand @lucab
0