use super::*;
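/// Smoke-tests that the seccomp filter builds and serializes to a loadable-looking byte stream.
///
/// Only the shape of the output is checked: non-empty, a whole number of 8-byte
/// units, and no longer than the kernel accepts. The instructions are not decoded,
/// so this test says nothing about which syscalls the filter actually permits.
#[test]
fn builds_on_supported_arch() {
    // One classic-BPF instruction (`struct sock_filter`) is 8 bytes.
    // NOTE(review): assumes `build_program_bytes` returns a bare instruction array
    // with no header or trailer; confirm against its definition.
    const INSN_SIZE: usize = 8;
    // Linux refuses classic-BPF programs longer than BPF_MAXINSNS (4096) instructions.
    // A filter that grows past that would build here but fail to install at runtime,
    // leaving the process unsandboxed unless the caller treats that failure as fatal.
    const MAX_INSNS: usize = 4096;

    let bytes = build_program_bytes().expect("seccomp program should build");

    assert!(!bytes.is_empty(), "serialized BPF program is empty");
    assert_eq!(
        bytes.len() % INSN_SIZE,
        0,
        "BPF byte stream must be 8-byte aligned"
    );

    let insn_count = bytes.len() / INSN_SIZE;
    assert!(
        insn_count <= MAX_INSNS,
        "BPF program has {insn_count} instructions, above the kernel limit of {MAX_INSNS}"
    );
}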
/// Guards against the allowlist being trimmed so far that it drops one of the
/// baseline syscalls listed below.
///
/// The check is by syscall name only. It does not look at any argument filtering
/// the generated program may apply.
#[test]
fn allowlist_contains_essential_syscalls() {
    // NOTE(review): `clone` is required here by name. Whether the filter restricts
    // its flags (for example the namespace-creating CLONE_NEW* flags) is not visible
    // from this test. Confirm in the filter builder, since an unrestricted `clone`
    // can do much of what `unshare` would.
    const ESSENTIAL: &[&str] = &[
        "read",
        "write",
        "openat",
        "close",
        "execve",
        "exit_group",
        "mmap",
        "brk",
        "clone",
    ];

    for needed in ESSENTIAL {
        assert!(
            ALLOWED_SYSCALLS.contains(needed),
            "allowlist missing essential syscall: {needed}"
        );
    }
}
/// Regression guard: none of the high-risk syscalls below may appear in the allowlist.
///
/// This is a name-level check against `ALLOWED_SYSCALLS`. It catches someone adding
/// one of these entries later, but it does not prove the compiled filter denies them.
/// NOTE(review): presumably the filter is default-deny for anything not on the
/// allowlist; confirm in the filter builder.
#[test]
fn allowlist_excludes_dangerous_syscalls() {
    let forbidden: &[&str] = &[
        // Large in-kernel attack surface reachable from unprivileged code.
        "bpf",
        "perf_event_open",
        "userfaultfd",
        // Replacing or extending the running kernel.
        "kexec_load",
        "kexec_file_load",
        "init_module",
        "finit_module",
        "delete_module",
        // Mount table and namespace manipulation.
        "mount",
        "umount",
        "umount2",
        "unshare",
        "setns",
        "pivot_root",
        // Inspecting or modifying other processes.
        "ptrace",
        "process_vm_readv",
        "process_vm_writev",
        // Kernel keyring and execution-domain changes.
        "keyctl",
        "personality",
        // clone3 passes its flags through a pointer to a struct, which a seccomp
        // BPF filter cannot dereference, so its flags cannot be filtered.
        "clone3",
        // io_uring can perform I/O without going through the filtered syscalls.
        "io_uring_setup",
        "io_uring_register",
        "io_uring_enter",
        // Filesystem-wide event monitoring.
        "fanotify_init",
        "fanotify_mark",
        // File-handle based opens that sidestep path resolution.
        "open_by_handle_at",
        "name_to_handle_at",
        // The newer mount API.
        "fsopen",
        "fsconfig",
        "fsmount",
        "fspick",
        "open_tree",
        "move_mount",
        "mount_setattr",
        // Host-wide state changes.
        "reboot",
        "swapon",
        "swapoff",
    ];

    for denied in forbidden {
        assert!(
            !ALLOWED_SYSCALLS.contains(denied),
            "allowlist must not contain dangerous syscall: {denied}"
        );
    }
}