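def test_seccomp_level(test_microvm_with_api, level):
    """
    Compare Firecracker's --seccomp-level with the kernel-reported value.

    The microVM is spawned with ``--seccomp-level <level>`` (no flag at all
    when ``level`` is ``"default"``), booted, and then
    ``utils.assert_seccomp_level`` compares the seccomp mode the kernel
    reports for the Firecracker process against ``KERNEL_LEVEL[level]``.
    For an explicit level the deprecation warning Firecracker prints for
    ``--seccomp-level`` must also show up in the screen log.

    The jailer is kept non-daemonized so Firecracker's output lands in
    ``screen_log``, which is where the warning is read back from.

    Note that only the *mode* reported by the kernel is compared; the test
    does not exercise any syscall to prove what the installed filter
    actually blocks.

    @type: security
    """
    test_microvm = test_microvm_with_api
    # Keep Firecracker attached to the screen session: the warning check at
    # the end of this test reads its stdout/stderr back from screen_log.
    test_microvm.jailer.daemonize = False

    if level != "default":
        test_microvm.jailer.extra_args.update({"seccomp-level": level})

    test_microvm.spawn(create_logger=False)

    test_microvm.basic_config()

    test_microvm.start()

    utils.assert_seccomp_level(test_microvm.jailer_clone_pid,
                               KERNEL_LEVEL[level])

    # For an explicit seccomp-level, check that the deprecation warning was
    # printed.  The log is polled against a bounded deadline rather than
    # read once after a fixed sleep: a fixed wait is both racy (the line may
    # not have been flushed yet on a loaded host) and slower than needed
    # when the line is already there.
    if level != "default":
        expected_warning = (
            "You are using a deprecated parameter: --seccomp-level "
            f"{level}, that will be removed in a future version."
        )
        deadline = time.monotonic() + 5.0
        while True:
            # errors="replace" keeps a stray non-UTF-8 byte in the screen
            # log from turning a log-scrape into a decode error; the
            # warning itself is plain ASCII, so the match is unaffected.
            with open(test_microvm.screen_log, "r", encoding="utf-8",
                      errors="replace") as log_file:
                log_data = log_file.read()
            if expected_warning in log_data or time.monotonic() >= deadline:
                break
            time.sleep(0.1)
        assert expected_warning in log_data, (
            f"deprecation warning for --seccomp-level {level} not found in "
            f"{test_microvm.screen_log}"
        )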
def test_allow_all(test_microvm_with_api):
    """Test --seccomp-filter, allowing all syscalls.

    A custom filter file is written via ``_custom_filter_setup`` in which
    every thread category (Vmm, Api, Vcpu) has ``default_action: allow``
    and an empty ``filter`` list.  The microVM is then booted and the
    kernel-reported seccomp mode of the Firecracker process is compared
    against ``"0"`` with ``utils.assert_seccomp_level``.

    Security note: kernel seccomp mode 0 is SECCOMP_MODE_DISABLED, i.e. no
    BPF program is attached to the process at all.  This version of the
    test therefore encodes the expectation that an empty filter list
    results in *no* seccomp filtering, not an allow-everything filter.
    """
    vm = test_microvm_with_api

    # Same JSON for all three thread categories: allow by default, trap on
    # a match, but no rules to match.
    allow_everything = """{
        "Vmm": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Api": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Vcpu": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        }
    }"""
    _custom_filter_setup(vm, allow_everything.encode("utf-8"))

    vm.spawn()
    vm.basic_config()
    vm.start()

    # Firecracker received empty filters, so the kernel-reported seccomp
    # mode is expected to stay at 0 (disabled).
    utils.assert_seccomp_level(vm.jailer_clone_pid, "0")
def test_allow_all(test_microvm_with_api):
    """
    Test --seccomp-filter, allowing all syscalls.

    Writes, via ``_custom_filter_setup``, a filter in which every thread
    category (Vmm, Api, Vcpu) allows by default and carries an empty rule
    list, boots the microVM, and checks with ``utils.assert_seccomp_level``
    that the kernel reports seccomp mode ``"2"`` for the Firecracker
    process.

    Security note: mode 2 is SECCOMP_MODE_FILTER, meaning a BPF program is
    attached -- even though this particular program allows everything.
    The assertion therefore only proves that a filter is installed; it
    says nothing about what is blocked, and an allow-all filter blocks
    nothing.

    @type: security
    """
    vm = test_microvm_with_api

    # Identical allow-by-default, no-rules entry for each thread category.
    allow_everything = """{
        "Vmm": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Api": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        },
        "Vcpu": {
            "default_action": "allow",
            "filter_action": "trap",
            "filter": []
        }
    }"""
    _custom_filter_setup(vm, allow_everything.encode("utf-8"))

    vm.spawn()
    vm.basic_config()
    vm.start()

    # A filter is installed even when it has no rules, so the kernel reports
    # filter mode (2).
    utils.assert_seccomp_level(vm.jailer_clone_pid, "2")
def test_working_filter(test_microvm_with_api):
    """
    Test --seccomp-filter, rejecting some dangerous syscalls.

    Installs, via ``_custom_filter_setup``, a filter that allows by default
    but applies ``kill_process`` to ``clone`` and ``execve`` in all three
    thread categories (Vmm, Api, Vcpu).  The ``Vcpu`` ``execve`` rule also
    carries a ``"comment"`` key, which presumably exercises the filter
    parser's tolerance of annotation fields -- confirm against the parser.

    The microVM is then configured and started, and
    ``utils.assert_seccomp_level`` checks that the kernel reports seccomp
    mode ``"2"`` (SECCOMP_MODE_FILTER) for the Firecracker process.

    Security note: the test verifies that the filter is *installed* and
    that Firecracker still boots with it (``start()`` succeeding is the
    only evidence that the kill_process rules did not fire during normal
    startup).  It does not attempt a ``clone``/``execve`` from inside the
    process to confirm the deny rules actually kill it.

    @type: security
    """
    vm = test_microvm_with_api

    # clone/execve are the two syscalls a compromised VMM would need to
    # spawn or replace a process; denying them with kill_process is a
    # stronger response than trap.
    deny_clone_execve = """{
        "Vmm": {
            "default_action": "allow",
            "filter_action": "kill_process",
            "filter": [
                {
                    "syscall": "clone"
                },
                {
                    "syscall": "execve"
                }
            ]
        },
        "Api": {
            "default_action": "allow",
            "filter_action": "kill_process",
            "filter": [
                {
                    "syscall": "clone"
                },
                {
                    "syscall": "execve"
                }
            ]
        },
        "Vcpu": {
            "default_action": "allow",
            "filter_action": "kill_process",
            "filter": [
                {
                    "syscall": "clone"
                },
                {
                    "syscall": "execve",
                    "comment": "sample comment"
                }
            ]
        }
    }"""
    _custom_filter_setup(vm, deny_clone_execve.encode("utf-8"))

    vm.spawn()
    vm.basic_config()
    vm.start()

    # Reaching this point means startup was not killed by the filter; the
    # reported mode must be 2 (filter installed).
    utils.assert_seccomp_level(vm.jailer_clone_pid, "2")
def test_no_seccomp(test_microvm_with_api):
    """Test Firecracker --no-seccomp.

    Passes ``--no-seccomp`` to Firecracker through the jailer's extra args
    (the ``None`` value presumably marks a bare flag with no argument --
    verify against the jailer helper), boots the microVM, and checks with
    ``utils.assert_seccomp_level`` that the kernel reports seccomp mode
    ``"0"`` for the Firecracker process.

    Security note: mode 0 is SECCOMP_MODE_DISABLED -- no syscall filter is
    attached, so this configuration removes a sandboxing layer.  The test
    only confirms the flag is honoured; it is not a safe default.
    """
    vm = test_microvm_with_api
    vm.jailer.extra_args.update({"no-seccomp": None})

    vm.spawn()
    vm.basic_config()
    vm.start()

    # With --no-seccomp nothing is installed, so the kernel reports 0.
    utils.assert_seccomp_level(vm.jailer_clone_pid, "0")
def test_seccomp_level(test_microvm_with_api, level):
    """Test Firecracker --seccomp-level value.

    Passes ``--seccomp-level <level>`` to Firecracker through the jailer's
    extra args, boots the microVM, and uses ``utils.assert_seccomp_level``
    to compare the kernel-reported seccomp mode of the Firecracker process
    with ``KERNEL_LEVEL[level]``.

    Only the reported mode is compared; the test does not probe which
    syscalls the installed filter permits or denies.
    """
    vm = test_microvm_with_api
    vm.jailer.extra_args.update({"seccomp-level": level})

    vm.spawn()
    vm.basic_config()
    vm.start()

    # Map the Firecracker-level to the mode the kernel should report.
    expected_mode = KERNEL_LEVEL[level]
    utils.assert_seccomp_level(vm.jailer_clone_pid, expected_mode)
def test_default_seccomp_level(test_microvm_with_api):
    """
    Test that Firecracker installs a seccomp filter by default.

    Spawns and boots a microVM with no seccomp-related flags, then uses
    ``utils.assert_seccomp_level`` to check that the kernel reports
    seccomp mode ``"2"`` (SECCOMP_MODE_FILTER) for the Firecracker process.

    This is the secure-default regression check: if a filter stopped being
    installed without an explicit opt-out, this test is what catches it.
    It does not verify the contents of the default filter.

    @type: security
    """
    vm = test_microvm_with_api

    vm.spawn()
    vm.basic_config()
    vm.start()

    # No flags given, so the default filter must be in place (mode 2).
    utils.assert_seccomp_level(vm.jailer_clone_pid, "2")
def test_seccomp_applies_to_all_threads(test_microvm_with_api):
    """Test all Firecracker threads get default filters.

    Boots a microVM with the default configuration (``basic_config``: two
    vCPUs, 256 MiB of RAM and a read-write root filesystem, per the
    original comment) and then calls ``utils.assert_seccomp_level`` on the
    Firecracker PID expecting mode ``"2"``.

    Nothing in this function enumerates threads itself; the per-thread
    check is presumably done inside ``assert_seccomp_level`` (e.g. by
    walking the process's task entries) -- confirm against ``utils``.
    Multiple vCPUs matter here because each vCPU runs on its own thread,
    and seccomp filters are per-thread, so a thread spawned without the
    filter would be a sandbox escape path.
    """
    vm = test_microvm_with_api
    vm.spawn()

    # Two vCPUs so there is more than one thread to check.
    vm.basic_config()
    vm.start()

    # The PID of the Firecracker process as cloned by the jailer.
    firecracker_pid = vm.jailer_clone_pid
    utils.assert_seccomp_level(firecracker_pid, "2")