tests: add functional tests for seccomp

mauriciovasquezbernal · rata · commit 5ae831d9b3aa · 2021-09-07T13:04:24.000+02:00
Test KILL and ERRNO actions.

Signed-off-by: Mauricio Vásquez &lt;mauricio@kinvolk.io&gt;
diff --git a/tests/integration/seccomp.bats b/tests/integration/seccomp.bats
@@ -33,3 +33,69 @@ function teardown() {
 	runc run test_busybox
 	[ "$status" -eq 0 ]
 }
+
+# TODO:
+# - Test other actions like SCMP_ACT_TRAP, SCMP_ACT_TRACE, SCMP_ACT_LOG.
+# - Test args (index, value, valueTwo, etc).
+
+@test "runc run [seccomp] (SCMP_ACT_ERRNO default)" {
+	update_config '   .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+			| .process.noNewPrivileges = false
+			| .linux.seccomp = {
+				"defaultAction":"SCMP_ACT_ALLOW",
+				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO"}]
+			}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"mkdir:"*"/dev/shm/foo"*"Operation not permitted"* ]]
+}
+
+@test "runc run [seccomp] (SCMP_ACT_ERRNO explicit errno)" {
+	update_config '   .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+			| .process.noNewPrivileges = false
+			| .linux.seccomp = {
+				"defaultAction":"SCMP_ACT_ALLOW",
+				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_ERRNO", "errnoRet": 100}]
+			}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"Network is down"* ]]
+}
+
+@test "runc run [seccomp] (SCMP_ACT_KILL)" {
+	update_config '  .process.args = ["/bin/sh", "-c", "mkdir /dev/shm/foo"]
+			| .process.noNewPrivileges = false
+			| .linux.seccomp = {
+				"defaultAction":"SCMP_ACT_ALLOW",
+				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
+			}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+}
+
+# check that a startContainer hook is run with the seccomp filters applied
+@test "runc run [seccomp] (startContainer hook)" {
+	update_config '   .process.args = ["/bin/true"]
+			| .linux.seccomp = {
+				"defaultAction":"SCMP_ACT_ALLOW",
+				"architectures":["SCMP_ARCH_X86","SCMP_ARCH_X32"],
+				"syscalls":[{"names":["mkdir"], "action":"SCMP_ACT_KILL"}]
+			}
+			| .hooks = {
+				"startContainer": [ {
+						"path": "/bin/sh",
+						"args": ["sh", "-c", "mkdir /dev/shm/foo"]
+				} ]
+			}'
+
+	runc run test_busybox
+	[ "$status" -ne 0 ]
+	[[ "$output" == *"error running hook"* ]]
+	[[ "$output" == *"bad system call"* ]]
+}
