def _custom_filter_setup(test_microvm):
    """Compile the default seccomp filter and attach it to ``test_microvm``'s jailer.

    The BPF output lands in ``<microvm path>/bpf.out``, is copied into the
    jail, and is handed to the jailer through the ``seccomp-filter``
    argument by its basename (presumably resolved against the jail root —
    confirm against the jailer's argument handling).

    Args:
        test_microvm: microVM fixture exposing ``path``,
            ``create_jailed_resource`` and ``jailer.extra_args``.
    """
    filter_name = 'bpf.out'
    compiled_filter = os.path.join(test_microvm.path, filter_name)
    run_seccompiler_bin(compiled_filter)
    test_microvm.create_jailed_resource(compiled_filter)
    test_microvm.jailer.extra_args.update({"seccomp-filter": filter_name})
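def _custom_filter_setup(test_microvm, json_filter):
    """Compile a custom seccomp filter and attach it to ``test_microvm``'s jailer.

    ``json_filter`` is written to a temporary file, compiled by
    seccompiler-bin into ``<microvm path>/bpf.out``, and that BPF file is
    copied into the jail and passed to the jailer via ``seccomp-filter``.
    The temporary JSON file is removed on every path, including a failed
    compilation (the original left it behind on error and never closed its
    handle).

    Args:
        test_microvm: microVM fixture exposing ``path``,
            ``create_jailed_resource`` and ``jailer.extra_args``.
        json_filter: the filter definition as a bytes-like object — the
            temporary file is opened in the default binary mode, so a
            ``str`` would raise ``TypeError`` on write.
    """
    # NOTE(review): this redefines the one-argument _custom_filter_setup
    # declared earlier in this file; after import only this version exists.
    bpf_path = os.path.join(test_microvm.path, 'bpf.out')
    # delete=False so the path remains valid for seccompiler-bin after the
    # handle is closed; the file is unlinked explicitly below.
    with tempfile.NamedTemporaryFile(delete=False) as json_temp:
        json_temp.write(json_filter)
        json_path = json_temp.name
    try:
        run_seccompiler_bin(bpf_path=bpf_path, json_path=json_path)
    finally:
        os.unlink(json_path)
    test_microvm.create_jailed_resource(bpf_path)
    test_microvm.jailer.extra_args.update({"seccomp-filter": 'bpf.out'})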
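def _run_seccompiler_bin(json_data, basic=False):
    """Compile ``json_data`` with seccompiler-bin and return the BPF output path.

    The JSON text is UTF-8 encoded into a temporary file that is removed
    once compilation finishes or fails. The BPF output is a second
    temporary file that is deliberately *not* removed on success: the
    caller owns it and must ``os.unlink`` it when done. If compilation
    raises, the output file is removed as well so nothing leaks.

    Args:
        json_data: seccomp filter definition as a ``str``.
        basic: forwarded unchanged to ``run_seccompiler_bin``.

    Returns:
        Path of the compiled BPF file.
    """
    with tempfile.NamedTemporaryFile(delete=False) as json_temp:
        json_temp.write(json_data.encode('utf-8'))
        json_path = json_temp.name
    # Only the name is needed; close the handle immediately so the compiler
    # is the sole writer of the output file.
    with tempfile.NamedTemporaryFile(delete=False) as bpf_temp:
        bpf_path = bpf_temp.name
    try:
        run_seccompiler_bin(bpf_path=bpf_path, json_path=json_path, basic=basic)
    except Exception:
        # Don't hand back (or leave behind) a half-written output on failure.
        os.unlink(bpf_path)
        raise
    finally:
        os.unlink(json_path)
    return bpf_path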
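def test_seccomp_rust_panic(bin_seccomp_paths):
    """
    Test seccompiler-bin with `demo_panic`.

    Test that the Firecracker filters allow a Rust panic to run its course
    without triggering a seccomp violation.

    @type: security
    """
    # pylint: disable=redefined-outer-name
    # pylint: disable=subprocess-run-check
    # The fixture pattern causes a pylint false positive for that rule.
    demo_panic = bin_seccomp_paths['demo_panic']
    assert os.path.exists(demo_panic)

    # The production filter set for this architecture. The path is relative
    # to the test working directory, as in the original.
    fc_filters_path = "../resources/seccomp/{}-unknown-linux-musl.json".format(
        platform.machine()
    )
    with open(fc_filters_path, "r", encoding='utf-8') as fc_filters:
        # list() over the decoded document yields its top-level keys, which
        # are presumably the per-thread filter names demo_panic expects.
        filter_threads = list(json_lib.load(fc_filters))

    # Only the path is needed; close the handle so seccompiler-bin is the
    # sole writer, and unlink it on every exit path below (the original
    # leaked the BPF file whenever an assertion failed).
    with tempfile.NamedTemporaryFile(delete=False) as bpf_temp:
        bpf_path = bpf_temp.name
    try:
        run_seccompiler_bin(bpf_path=bpf_path, json_path=fc_filters_path)

        # Run the panic binary once under each per-thread filter.
        for thread in filter_threads:
            code, _, _ = utils.run_cmd(
                [demo_panic, bpf_path, thread],
                no_shell=True,
                ignore_return_code=True
            )
            # The demo panic binary should have terminated with SIGABRT
            # and not with a seccomp violation.
            # On a seccomp violation, the program exits with code -31 for
            # SIGSYS. Here, we make sure the program exits with -6, which
            # is for SIGABRT.
            assert code == -6, \
                "Panic binary failed with exit code {} on {} " \
                "filters.".format(code, thread)
    finally:
        os.unlink(bpf_path)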