예제 #1
def uffd_handler_paths(test_fc_session_root_path):
    """Build the UFFD handler binaries and yield where they are expected.

    Runs a release musl cargo build of ``host_tools/uffd`` under the session
    root, then yields a dict mapping ``valid_handler`` and
    ``malicious_handler`` to normalized paths inside the release binaries
    directory.
    """
    # pylint: disable=redefined-outer-name
    # The fixture pattern causes a pylint false positive for that rule.
    cargo_target_dir = os.path.join(test_fc_session_root_path,
                                    build_tools.CARGO_RELEASE_REL_PATH)

    # The target triple follows the architecture reported for this host.
    build_flags = '--release --target {}-unknown-linux-musl'.format(
        platform.machine())
    build_tools.cargo_build(cargo_target_dir,
                            extra_args=build_flags,
                            src_dir='host_tools/uffd')

    binaries_dir = os.path.join(test_fc_session_root_path,
                                build_tools.CARGO_RELEASE_REL_PATH,
                                build_tools.RELEASE_BINARIES_REL_PATH)

    # NOTE(review): 'malicious_handler' is presumably a deliberately
    # misbehaving handler for negative tests; the paths are only computed
    # here, their existence is not checked -- confirm callers handle that.
    yield {
        handler: os.path.normpath(os.path.join(binaries_dir, handler))
        for handler in ('valid_handler', 'malicious_handler')
    }
예제 #2
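def test_build(test_session_root_path, features, build_type, target):
    """
    Test different builds.

    This will generate build tests using the cartesian product of all
    features, build types (release/debug) and build targets (musl/gnu).

    The cargo arguments are accumulated, so a build with features still
    receives the requested ``--target`` and, for release builds,
    ``--release``.
    """
    extra_args = "--target {} ".format(target)
    if build_type == "release":
        extra_args += "--release "

    # The relative path of the binaries is computed using the build_type
    # (either release or debug) and if any features are provided also using
    # the features names.
    # For example, a default release build with no features will end up in
    # the relative directory "release", but for a vsock release build the
    # relative directory will be "release-vsock".
    rel_path = os.path.join(host.CARGO_BUILD_REL_PATH, build_type)
    if features:
        rel_path += "-{}".format(features)
        # Append instead of assigning: a plain assignment here dropped the
        # --target and --release flags built above, so a "release-<feature>"
        # directory could end up holding a debug build for the default
        # target and the matrix entry would not test what it claims.
        extra_args += "--features {} ".format(features)

    build_path = os.path.join(test_session_root_path, rel_path)

    # NOTE(review): extra_args is one flat string built from the test
    # parameters. How host.cargo_build runs it is not visible here; if it
    # goes through a shell, target/features must only ever come from the
    # fixed test parametrization -- confirm.
    host.cargo_build(build_path, extra_args=extra_args)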
예제 #3
def test_build_release(test_session_root_path):
    """Check that a release-mode cargo build succeeds."""
    # Release artifacts go to the release directory under the session root.
    release_dir = os.path.join(test_session_root_path,
                               host.CARGO_RELEASE_REL_PATH)
    host.cargo_build(release_dir, '--release')
예제 #4
def test_build(test_session_root_path, features, build_type, target):
    """
    Exercise one cell of the build matrix.

    The matrix is the cartesian product of all features, build types
    (release/debug) and build targets (musl/gnu).
    """
    cargo_env = ''
    cargo_args = "--target {} ".format(target)
    cargo_args += "--release " if build_type == "release" else ""

    # musl targets are built with musl-gcc as the target C compiler.
    if "musl" in target:
        cargo_env += "TARGET_CC=musl-gcc"

    # Output directory is named after the build type, with the feature name
    # appended when one is given; a plain release build lands in "release".
    out_rel_dir = os.path.join(host.CARGO_BUILD_REL_PATH, build_type)
    if features:
        out_rel_dir += "-{}".format(features)
        cargo_args += "--features {} ".format(features)

    host.cargo_build(
        os.path.join(test_session_root_path, out_rel_dir),
        extra_args=cargo_args,
        extra_env=cargo_env,
    )
예제 #5
def bin_seccomp_paths(test_session_root_path):
    """Build the seccomp demo jailers and jailed binaries; yield their paths.

    The yielded dict covers:

    * ``demo_basic_jailer``: a jailer with a simple syscall allowlist;
    * ``demo_advanced_jailer``: a jailer with a (syscall, arguments)
      advanced allowlist;
    * ``demo_harmless``: a jailed binary that follows the seccomp rules;
    * ``demo_malicious``: a jailed binary that breaks the seccomp rules.
    """
    # pylint: disable=redefined-outer-name
    # The fixture pattern causes a pylint false positive for that rule.
    cargo_target_dir = os.path.join(test_session_root_path,
                                    build_tools.CARGO_RELEASE_REL_PATH)

    # The target triple follows the architecture reported for this host.
    build_flags = '--release --target {}-unknown-linux-musl'.format(
        platform.machine())
    build_tools.cargo_build(cargo_target_dir,
                            extra_args=build_flags,
                            src_dir='integration_tests/security/demo_seccomp')

    binaries_dir = os.path.join(test_session_root_path,
                                build_tools.CARGO_RELEASE_REL_PATH,
                                build_tools.RELEASE_BINARIES_REL_PATH)

    demo_names = (
        'demo_basic_jailer',
        'demo_advanced_jailer',
        'demo_harmless',
        'demo_malicious',
    )
    # Paths are computed only; nothing here checks that the build produced
    # each binary.
    yield {
        name: os.path.normpath(os.path.join(binaries_dir, name))
        for name in demo_names
    }
예제 #6
def test_build_debug(test_session_root_path):
    """Check that a debug-mode cargo build succeeds."""
    # No extra flags are passed for the debug build.
    debug_dir = os.path.join(test_session_root_path, CARGO_DEBUG_REL_PATH)
    host.cargo_build(debug_dir)
예제 #7
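def test_build(test_session_root_path, features, build_type):
    """
    Test different builds.

    Test builds using a cartesian product of possible features and build
    types.

    The cargo arguments are accumulated, so a release build with features
    still receives ``--release``.
    """
    extra_args = ""

    if build_type == "release":
        extra_args += "--release "

    # The relative path of the binaries is computed using the build_type
    # (either release or debug) and if any features are provided also using
    # the features names.
    # For example, a default release build with no features will end up in
    # the relative directory "release", but for a vsock release build the
    # relative directory will be "release-vsock".
    rel_path = os.path.join(host.CARGO_BUILD_REL_PATH, build_type)
    if features:
        rel_path += "-{}".format(features)
        # Append instead of assigning: a plain assignment here dropped the
        # --release flag set above, so the "release-<feature>" directory
        # received a debug build and the release+feature combination was
        # never actually exercised.
        extra_args += "--features {} ".format(features)

    build_path = os.path.join(test_session_root_path, rel_path)

    # NOTE(review): extra_args is one flat string built from the test
    # parameters. How host.cargo_build runs it is not visible here; if it
    # goes through a shell, features must only ever come from the fixed
    # test parametrization -- confirm.
    host.cargo_build(build_path, extra_args=extra_args)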
예제 #8
def test_build_debug_with_features(test_session_root_path):
    """Check that a debug-mode build succeeds with the supported feature."""
    features_dir = os.path.join(test_session_root_path,
                                CARGO_DEBUG_REL_PATH_FEATURES)
    # cargo accepts several features in one quoted, space-separated list
    # (cargo build --features "feature1 feature2"); only vsock is built here.
    feature_flag = '--features "{}"'.format('vsock')
    host.cargo_build(features_dir, feature_flag)
예제 #9
def test_arm_build_release(test_session_root_path):
    """Check that a release build cross-compiles for the aarch64 musl target."""
    # Cross-compiled artifacts get their own directory under the session root.
    arm_target_dir = os.path.join(test_session_root_path, 'arm-build')
    cross_flags = '--target aarch64-unknown-linux-musl --release'
    host.cargo_build(arm_target_dir, cross_flags)
예제 #10
def test_build_debug_with_features(test_session_root_path):
    """Check that a debug-mode build succeeds with the supported feature."""
    # Several features could be passed as one quoted list, e.g.
    # cargo build --features "feature1 feature2"; vsock is the only one
    # built by this test.
    vsock_flag = '--features "{}"'.format('vsock')
    target_dir = os.path.join(test_session_root_path,
                              CARGO_DEBUG_REL_PATH_FEATURES)
    host.cargo_build(target_dir, vsock_flag)
예제 #11
def test_build_release_with_features(test_session_root_path):
    """Check that a release-mode build succeeds with the supported feature."""
    features_dir = os.path.join(test_session_root_path,
                                CARGO_RELEASE_REL_PATH_FEATURES)
    feature_flag = '--features "{}"'.format('vsock')
    # NOTE(review): '--release' is passed as the third positional argument;
    # which parameter of host.cargo_build that binds to is not visible
    # here -- confirm it is treated as a cargo flag.
    host.cargo_build(features_dir, feature_flag, '--release')
예제 #12
def aux_bin_paths(test_session_root_path):
    """Build the auxiliary test tools and yield their paths.

    The yielded dict covers:

    * ``cloner``: a binary that can properly use the `clone()` syscall;
    * ``test_vsock``: a very simple vsock client/server application;
    * ``demo_basic_jailer``: a jailer with a simple syscall allowlist;
    * ``demo_advanced_jailer``: a jailer with a (syscall, arguments)
      advanced allowlist;
    * ``demo_harmless``: a jailed binary that follows the seccomp rules;
    * ``demo_malicious``: a jailed binary that breaks the seccomp rules.
    """
    # pylint: disable=redefined-outer-name
    # The fixture pattern causes a pylint false positive for that rule.
    tool_paths = {}

    # C helpers are compiled straight into the session root.
    tool_paths['cloner'] = os.path.join(test_session_root_path,
                                        'newpid_cloner')
    _gcc_compile('host_tools/newpid_cloner.c', tool_paths['cloner'])
    tool_paths['test_vsock'] = os.path.join(test_session_root_path,
                                            'test_vsock')
    _gcc_compile("host_tools/test_vsock.c", tool_paths['test_vsock'])

    # The seccomp demo crate is built for the host architecture's musl target.
    cargo_target_dir = os.path.join(test_session_root_path,
                                    build_tools.CARGO_RELEASE_REL_PATH)
    build_flags = '--release --target {}-unknown-linux-musl'.format(
        platform.machine())
    build_tools.cargo_build(cargo_target_dir,
                            extra_args=build_flags,
                            src_dir='integration_tests/security/demo_seccomp')

    binaries_dir = os.path.join(test_session_root_path,
                                build_tools.CARGO_RELEASE_REL_PATH,
                                build_tools.RELEASE_BINARIES_REL_PATH)
    for demo in ('demo_basic_jailer', 'demo_advanced_jailer',
                 'demo_harmless', 'demo_malicious'):
        tool_paths[demo] = os.path.normpath(os.path.join(binaries_dir, demo))

    yield tool_paths
예제 #13
def bin_seccomp_paths(test_fc_session_root_path):
    """Build the seccomp demo jailer and jailed binaries; yield their paths.

    The yielded dict covers:

    * ``demo_jailer``: a jailer that receives a filter generated using
      seccompiler-bin;
    * ``demo_harmless``: a jailed binary that follows the seccomp rules;
    * ``demo_malicious``: a jailed binary that breaks the seccomp rules;
    * ``demo_panic``: presumably a jailed binary that panics (name-based
      guess; confirm against the demo_seccomp sources).
    """
    # pylint: disable=redefined-outer-name
    # The fixture pattern causes a pylint false positive for that rule.
    cargo_target_dir = os.path.join(
        test_fc_session_root_path, build_tools.CARGO_RELEASE_REL_PATH
    )

    # The target triple follows the architecture reported for this host.
    build_flags = "--release --target {}-unknown-linux-musl".format(
        platform.machine()
    )
    build_tools.cargo_build(
        cargo_target_dir,
        extra_args=build_flags,
        src_dir="integration_tests/security/demo_seccomp",
    )

    binaries_dir = os.path.join(
        test_fc_session_root_path,
        build_tools.CARGO_RELEASE_REL_PATH,
        build_tools.RELEASE_BINARIES_REL_PATH,
    )

    demo_names = ("demo_jailer", "demo_harmless", "demo_malicious", "demo_panic")
    # Paths are computed only; nothing here checks that the build produced
    # each binary.
    yield {
        name: os.path.normpath(os.path.join(binaries_dir, name))
        for name in demo_names
    }
예제 #14
def test_build(test_session_root_path, features, target):
    """
    Exercise one cell of the release build matrix.

    The matrix is the cartesian product of all features and build targets
    (musl/gnu); every build is a release build.
    """
    cargo_env = ''
    cargo_args = "--target {} --release ".format(target)

    # musl targets are built with musl-gcc as the target C compiler.
    if "musl" in target:
        cargo_env += "TARGET_CC=musl-gcc"

    # The output directory gets the feature name appended when one is given.
    out_rel_dir = host.CARGO_RELEASE_REL_PATH
    if features:
        out_rel_dir += "-{}".format(features)
        cargo_args += "--features {} ".format(features)

    host.cargo_build(
        os.path.join(test_session_root_path, out_rel_dir),
        extra_args=cargo_args,
        extra_env=cargo_env,
    )
예제 #15
def aux_bin_paths(test_session_root_path):
    """Build the auxiliary test tools and yield their paths.

    The yielded dict covers:

    * ``cloner``: a binary that can properly use the `clone()` syscall;
    * ``test_vsock``: a very simple vsock client/server application;
    * ``demo_basic_jailer``: a jailer with a simple syscall allowlist;
    * ``demo_advanced_jailer``: a jailer with a (syscall, arguments)
      advanced allowlist;
    * ``demo_harmless``: a jailed binary that follows the seccomp rules;
    * ``demo_malicious``: a jailed binary that breaks the seccomp rules.
    """
    # pylint: disable=redefined-outer-name
    # The fixture pattern causes a pylint false positive for that rule.
    tool_paths = {}

    # C helpers are compiled straight into the session root.
    tool_paths['cloner'] = os.path.join(test_session_root_path,
                                        'newpid_cloner')
    _gcc_compile('host_tools/newpid_cloner.c', tool_paths['cloner'])
    tool_paths['test_vsock'] = os.path.join(test_session_root_path,
                                            'test_vsock')
    _gcc_compile("host_tools/test_vsock.c", tool_paths['test_vsock'])

    # The seccomp demo crate is built in release mode with no explicit target.
    cargo_target_dir = os.path.join(test_session_root_path,
                                    build_tools.CARGO_RELEASE_REL_PATH)
    build_tools.cargo_build(cargo_target_dir,
                            extra_args='--release',
                            src_dir='integration_tests/security/demo_seccomp')

    binaries_dir = os.path.join(test_session_root_path,
                                build_tools.CARGO_RELEASE_REL_PATH,
                                build_tools.RELEASE_BINARIES_REL_PATH)
    for demo in ('demo_basic_jailer', 'demo_advanced_jailer',
                 'demo_harmless', 'demo_malicious'):
        tool_paths[demo] = os.path.normpath(os.path.join(binaries_dir, demo))

    yield tool_paths
예제 #16
def test_build_debug(test_session_root_path):
    """Check that a debug-mode cargo build succeeds."""
    # No extra flags are passed for the debug build.
    debug_dir = os.path.join(
        test_session_root_path,
        CARGO_DEBUG_REL_PATH
    )
    host.cargo_build(debug_dir)
예제 #17
def test_build_release(test_session_root_path):
    """Check that a release-mode cargo build succeeds."""
    release_dir = os.path.join(
        test_session_root_path,
        host.CARGO_RELEASE_REL_PATH
    )
    # The only flag passed selects the release profile.
    release_flag = '--release'
    host.cargo_build(release_dir, release_flag)
예제 #18
def test_build_release_with_features(test_session_root_path):
    """Check that a release-mode build succeeds with the supported feature."""
    target_dir = os.path.join(
        test_session_root_path,
        CARGO_RELEASE_REL_PATH_FEATURES
    )
    vsock_flag = '--features "{}"'.format('vsock')
    # NOTE(review): '--release' is passed as the third positional argument;
    # which parameter of host.cargo_build that binds to is not visible
    # here -- confirm it is treated as a cargo flag.
    host.cargo_build(target_dir, vsock_flag, '--release')
예제 #19
def test_arm_build_release(test_session_root_path):
    """Check that a release build cross-compiles for the aarch64 musl target."""
    cross_flags = '--target aarch64-unknown-linux-musl --release'
    # Cross-compiled artifacts get their own directory under the session root.
    arm_target_dir = os.path.join(
        test_session_root_path,
        'arm-build'
    )
    host.cargo_build(arm_target_dir, cross_flags)