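def _wait_for_log_text(path, needle, timeout=5.0, interval=0.1):
    """
    Poll the text file at ``path`` until ``needle`` appears in it.

    Returns the last contents read. Gives up after ``timeout`` seconds and
    returns whatever was read then, so the caller's assertion still fails
    with the real log contents in the failure message instead of a bare
    timeout. Used in place of a fixed ``time.sleep`` so a slow host does
    not turn a late log line into a false failure.
    """
    deadline = time.monotonic() + timeout
    while True:
        # Re-open on every iteration: the writer may append between polls.
        with open(path, "r", encoding="utf-8", errors="replace") as log_file:
            contents = log_file.read()
        if needle in contents or time.monotonic() >= deadline:
            return contents
        time.sleep(interval)


def test_seccomp_level(test_microvm_with_api, level):
    """
    Compare Firecracker's --seccomp-level with the kernel-reported value.

    @type: security

    ``level`` is either the string ``"default"`` (no flag passed) or one of
    the keys of ``KERNEL_LEVEL``, which maps the CLI value to the seccomp
    mode the kernel is expected to report for the jailed process. For any
    explicit level the test also requires that Firecracker has logged the
    ``--seccomp-level`` deprecation warning.
    """
    test_microvm = test_microvm_with_api
    # Not daemonized — presumably so Firecracker's output reaches the
    # screen log that the deprecation check below reads; confirm in jailer.
    test_microvm.jailer.daemonize = False

    if level != "default":
        test_microvm.jailer.extra_args.update({"seccomp-level": level})

    test_microvm.spawn(create_logger=False)
    test_microvm.basic_config()
    test_microvm.start()

    # The security property under test: the kernel-visible seccomp mode of
    # the Firecracker process must match what the CLI flag promised.
    utils.assert_seccomp_level(test_microvm.jailer_clone_pid,
                               KERNEL_LEVEL[level])

    # For seccomp-level, check that we output the deprecation warnings.
    if level != "default":
        expected = "You are using a deprecated parameter: --seccomp-level " \
            f"{level}, that will be removed in a future version."
        # Bounded poll instead of a fixed 0.5 s sleep: the warning is
        # written asynchronously by the child process.
        log_data = _wait_for_log_text(test_microvm.screen_log, expected)
        assert expected in log_data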
def test_allow_all(test_microvm_with_api):
    """Test --seccomp-filter, allowing all syscalls."""
    vm = test_microvm_with_api

    # The same "allow everything, trap nothing" policy for all three
    # Firecracker thread categories; the per-thread filter lists are empty.
    allow_everything = """{
        "Vmm": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Api": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Vcpu": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        }
    }"""
    _custom_filter_setup(vm, allow_everything.encode('utf-8'))

    vm.spawn()
    vm.basic_config()
    vm.start()

    # With empty filter lists Firecracker leaves the seccomp level at 0,
    # i.e. the kernel reports no seccomp mode at all for the process. This
    # pins that behaviour rather than claiming any syscall protection.
    utils.assert_seccomp_level(vm.jailer_clone_pid, "0")
def test_allow_all(test_microvm_with_api):
    """
    Test --seccomp-filter, allowing all syscalls.

    @type: security

    Every thread category gets ``default_action: allow`` with an empty
    filter list. The expected kernel-reported level is 2 (seccomp filter
    mode): the filter is installed even though it permits everything.
    """
    microvm = test_microvm_with_api

    permissive_policy = """{
        "Vmm": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Api": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Vcpu": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        }
    }"""
    _custom_filter_setup(microvm, permissive_policy.encode('utf-8'))

    microvm.spawn()
    microvm.basic_config()
    microvm.start()

    # Level 2 == filter mode; only the mode is checked here, not that any
    # particular syscall is allowed or denied.
    utils.assert_seccomp_level(microvm.jailer_clone_pid, "2")
def test_working_filter(test_microvm_with_api):
    """
    Test --seccomp-filter, rejecting some dangerous syscalls.

    @type: security

    Installs a policy that allows everything except ``clone`` and
    ``execve``, which are set to ``kill_process``, for all three thread
    categories. NOTE(review): the only assertion is on the kernel-reported
    seccomp level; the test does not exercise the denied syscalls, so it
    shows the filter loads and the microVM boots under it, not that
    ``clone``/``execve`` are actually killed.
    """
    microvm = test_microvm_with_api

    # "comment" on the last Vcpu rule doubles as a check that the filter
    # parser tolerates the optional comment field.
    deny_clone_execve = """{
        "Vmm": {
            "default_action": "allow",
            "filter_action": "kill_process",
            "filter": [
                {
                    "syscall": "clone"
                },
                {
                    "syscall": "execve"
                }
            ]
        },
        "Api": {
            "default_action": "allow",
            "filter_action": "kill_process",
            "filter": [
                {
                    "syscall": "clone"
                },
                {
                    "syscall": "execve"
                }
            ]
        },
        "Vcpu": {
            "default_action": "allow",
            "filter_action": "kill_process",
            "filter": [
                {
                    "syscall": "clone"
                },
                {
                    "syscall": "execve",
                    "comment": "sample comment"
                }
            ]
        }
    }"""
    _custom_filter_setup(microvm, deny_clone_execve.encode("utf-8"))

    microvm.spawn()
    microvm.basic_config()
    microvm.start()

    # Boot must succeed under the filter and the kernel must report
    # seccomp filter mode (2).
    utils.assert_seccomp_level(microvm.jailer_clone_pid, "2")
def test_no_seccomp(test_microvm_with_api):
    """
    Test Firecracker --no-seccomp.

    Passes the bare ``--no-seccomp`` flag (value ``None`` means no
    argument) through the jailer and checks that the kernel reports
    seccomp mode 0, i.e. the process runs without any syscall filter.
    """
    microvm = test_microvm_with_api
    microvm.jailer.extra_args.update({"no-seccomp": None})

    microvm.spawn()
    microvm.basic_config()
    microvm.start()

    # Mode 0: explicitly opting out must leave no filter installed.
    utils.assert_seccomp_level(microvm.jailer_clone_pid, "0")
def test_seccomp_level(test_microvm_with_api, level):
    """
    Test Firecracker --seccomp-level value.

    ``level`` is passed straight through as the ``--seccomp-level`` CLI
    value; ``KERNEL_LEVEL[level]`` gives the seccomp mode the kernel is
    expected to report for the jailed Firecracker process.
    """
    microvm = test_microvm_with_api
    microvm.jailer.extra_args.update({"seccomp-level": level})

    microvm.spawn()
    microvm.basic_config()
    microvm.start()

    expected_mode = KERNEL_LEVEL[level]
    # The kernel-visible mode must match what the CLI flag promised.
    utils.assert_seccomp_level(microvm.jailer_clone_pid, expected_mode)
def test_default_seccomp_level(test_microvm_with_api):
    """
    Test that Firecracker installs a seccomp filter by default.

    @type: security

    No seccomp-related flag is passed at all; the kernel must still report
    seccomp filter mode (2) for the process, so the secure configuration is
    the default rather than opt-in.
    """
    microvm = test_microvm_with_api

    microvm.spawn()
    microvm.basic_config()
    microvm.start()

    utils.assert_seccomp_level(microvm.jailer_clone_pid, "2")
def test_seccomp_applies_to_all_threads(test_microvm_with_api):
    """
    Test all Firecracker threads get default filters.

    Boots a microVM with the default configuration and checks the seccomp
    level of the Firecracker process. NOTE(review): this function itself
    performs a single ``assert_seccomp_level`` call on the process PID and
    does no per-thread enumeration; any check that every thread (vCPUs,
    API, VMM) carries the filter has to live inside
    ``utils.assert_seccomp_level`` — confirm there before relying on the
    test name.
    """
    microvm = test_microvm_with_api
    microvm.spawn()

    # Default basic_config(); the original comment describes it as 2 vCPUs,
    # 256 MiB RAM and a read-write rootfs, which is not visible here.
    microvm.basic_config()
    microvm.start()

    firecracker_pid = microvm.jailer_clone_pid
    # Seccomp filter mode (2) expected for the process.
    utils.assert_seccomp_level(firecracker_pid, "2")