Organize test code better
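--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,76 @@
+use super::*;
+
+#[test]
+fn builds_on_supported_arch() {
+let bytes = build_program_bytes().expect("seccomp program should build");
+assert!(!bytes.is_empty(), "serialized BPF program is empty");
+assert_eq!(bytes.len() % 8, 0, "BPF byte stream must be 8-byte aligned");
+}
+
+#[test]
+fn allowlist_contains_essential_syscalls() {
+for needed in &[
+"read",
+"write",
+"openat",
+"close",
+"execve",
+"exit_group",
+"mmap",
+"brk",
+"clone",
+] {
+assert!(
+ALLOWED_SYSCALLS.contains(needed),
+"allowlist missing essential syscall: {needed}"
+);
+}
+}
+
+#[test]
+fn allowlist_excludes_dangerous_syscalls() {
+for denied in &[
+"bpf",
+"perf_event_open",
+"userfaultfd",
+"kexec_load",
+"kexec_file_load",
+"init_module",
+"finit_module",
+"delete_module",
+"mount",
+"umount",
+"umount2",
+"unshare",
+"setns",
+"pivot_root",
+"ptrace",
+"process_vm_readv",
+"process_vm_writev",
+"keyctl",
+"personality",
+"clone3",
+"io_uring_setup",
+"io_uring_register",
+"io_uring_enter",
+"fanotify_init",
+"fanotify_mark",
+"open_by_handle_at",
+"name_to_handle_at",
+"fsopen",
+"fsconfig",
+"fsmount",
+"fspick",
+"open_tree",
+"move_mount",
+"mount_setattr",
+"reboot",
+"swapon",
+"swapoff",
+] {
+assert!(
+!ALLOWED_SYSCALLS.contains(denied),
+"allowlist must not contain dangerous syscall: {denied}"
+);
+}
+}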
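Review bot: All three tests assert on the name list and the byte count only, so they cannot catch a filter whose default action is wrong or whose allowlisted names were silently dropped during compilation; `builds_on_supported_arch` passes for any non-empty multiple of 8 bytes, and the two allowlist tests never touch the output of `build_program_bytes()` at all. A check that decodes the serialized stream back into 8-byte instructions and asserts that the last instruction is a return of the intended deny action would pin the part that actually protects the process, though how `build_program_bytes` encodes its default action is not visible here and needs confirming against the source module. The contrast between `"clone"` in the essential list and `"clone3"` in the denied list also deserves a comment, since a name-level test says nothing about whether the `clone` flags are inspected; I would add above the first loop `// Name-level check only: argument filtering (e.g. on clone flags) is not covered here.` Consider also a test that every entry of `ALLOWED_SYSCALLS` resolves to a syscall number on the target arch, so a typo in the allowlist fails loudly instead of quietly narrowing the sandbox, assuming the resolver used by `build_program_bytes` is reachable from `super::*`.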