security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 35 Wiki Activity

test/sandbox: separate check filter
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Fpkg (push) Successful in 34s
Details
Test / Fortify (push) Successful in 2m29s
Details
Test / Data race detector (push) Successful in 3m12s
Details
Test / Flake checks (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-03-29 22:34:51 +09:00
parent 8b62e08b44
commit 8886c40974
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 36 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
test/sandbox/assert.go
View File

@ -129,18 +129,43 @@ func (t *T) MustCheck(want *TestCase) {
} }
func MustCheckFilter(pid int, want string) { func MustCheckFilter(pid int, want string) {
if err := ptraceAttach(pid); err != nil { err := CheckFilter(pid, want)
if err == nil {
return
}
var perr *ptraceError
if !errors.As(err, &perr) {
fatalf("%s", err)
}
switch perr.op {
case "PTRACE_ATTACH":
fatalf("cannot attach to process %d: %v", pid, err) fatalf("cannot attach to process %d: %v", pid, err)
} case "PTRACE_SECCOMP_GET_FILTER":
buf, err := getFilter[[8]byte](pid, 0) if perr.errno == syscall.ENOENT {
if err0 := ptraceDetach(pid); err0 != nil {
printf("cannot detach from process %d: %v", pid, err0)
}
if err != nil {
if errors.Is(err, syscall.ENOENT) {
fatalf("seccomp filter not installed for process %d", pid) fatalf("seccomp filter not installed for process %d", pid)
} }
fatalf("cannot get filter: %v", err) fatalf("cannot get filter: %v", err)
default:
fatalf("cannot check filter: %v", err)
}
*(*int)(nil) = 0 // not reached
}
func CheckFilter(pid int, want string) error {
if err := ptraceAttach(pid); err != nil {
return err
}
defer func() {
if err := ptraceDetach(pid); err != nil {
printf("cannot detach from process %d: %v", pid, err)
}
}()
buf, err := getFilter[[8]byte](pid, 0)
if err != nil {
return err
} }
h := sha512.New() h := sha512.New()
@ -149,9 +174,11 @@ func MustCheckFilter(pid int, want string) {
} }
if got := hex.EncodeToString(h.Sum(nil)); got != want { if got := hex.EncodeToString(h.Sum(nil)); got != want {
fatalf("[FAIL] %s", got) printf("[FAIL] %s", got)
return syscall.ENOTRECOVERABLE
} else { } else {
printf("[ OK ] %s", got) printf("[ OK ] %s", got)
return nil
} }
} }