Ophestra
123d7fbfd5
All checks were successful
Test / Create distribution (push) Successful in 34s
Test / Sandbox (push) Successful in 2m11s
Test / Sandbox (race detector) (push) Successful in 4m2s
Test / Hpkg (push) Successful in 4m19s
Test / Hakurei (race detector) (push) Successful in 4m47s
Test / Hakurei (push) Successful in 2m13s
Test / Flake checks (push) Successful in 1m32s
This was only useful when wrapping bwrap. Signed-off-by: Ophestra <cat@gensokyo.uk>
131 lines
3.2 KiB
Go
131 lines
3.2 KiB
Go
package seccomp_test
|
|
|
|
import (
|
|
"crypto/sha512"
|
|
"errors"
|
|
"syscall"
|
|
"testing"
|
|
|
|
. "hakurei.app/container/bits"
|
|
. "hakurei.app/container/seccomp"
|
|
)
|
|
|
|
func TestLibraryError(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testCases := []struct {
|
|
name string
|
|
sample *LibraryError
|
|
want string
|
|
wantIs bool
|
|
compare error
|
|
}{
|
|
{
|
|
"full",
|
|
&LibraryError{Prefix: "seccomp_export_bpf failed", Seccomp: syscall.ECANCELED, Errno: syscall.EBADF},
|
|
"seccomp_export_bpf failed: operation canceled (bad file descriptor)",
|
|
true,
|
|
&LibraryError{Prefix: "seccomp_export_bpf failed", Seccomp: syscall.ECANCELED, Errno: syscall.EBADF},
|
|
},
|
|
{
|
|
"errno only",
|
|
&LibraryError{Prefix: "seccomp_init failed", Errno: syscall.ENOMEM},
|
|
"seccomp_init failed: cannot allocate memory",
|
|
false,
|
|
nil,
|
|
},
|
|
{
|
|
"seccomp only",
|
|
&LibraryError{Prefix: "internal libseccomp failure", Seccomp: syscall.EFAULT},
|
|
"internal libseccomp failure: bad address",
|
|
true,
|
|
syscall.EFAULT,
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
if errors.Is(tc.sample, tc.compare) != tc.wantIs {
|
|
t.Errorf("errors.Is(%#v, %#v) did not return %v",
|
|
tc.sample, tc.compare, tc.wantIs)
|
|
}
|
|
|
|
if got := tc.sample.Error(); got != tc.want {
|
|
t.Errorf("Error: %q, want %q",
|
|
got, tc.want)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("invalid", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
wantPanic := "invalid libseccomp error"
|
|
defer func() {
|
|
if r := recover(); r != wantPanic {
|
|
t.Errorf("panic: %q, want %q", r, wantPanic)
|
|
}
|
|
}()
|
|
_ = new(LibraryError).Error()
|
|
})
|
|
}
|
|
|
|
func TestExport(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testCases := []struct {
|
|
name string
|
|
flags ExportFlag
|
|
presets FilterPreset
|
|
wantErr bool
|
|
}{
|
|
{"everything", AllowMultiarch | AllowCAN |
|
|
AllowBluetooth, PresetExt |
|
|
PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
|
|
PresetLinux32, false},
|
|
|
|
{"compat", 0, 0, false},
|
|
{"base", 0, PresetExt, false},
|
|
{"strict", 0, PresetStrict, false},
|
|
{"strict compat", 0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel, false},
|
|
{"hakurei default", 0, PresetExt | PresetDenyDevel, false},
|
|
{"hakurei tty", 0, PresetExt | PresetDenyNS | PresetDenyDevel, false},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
want := bpfExpected[bpfPreset{tc.flags, tc.presets}]
|
|
if data, err := Export(Preset(tc.presets, tc.flags), tc.flags); (err != nil) != tc.wantErr {
|
|
t.Errorf("Export: error = %v, wantErr %v", err, tc.wantErr)
|
|
return
|
|
} else if got := sha512.Sum512(data); got != want {
|
|
t.Fatalf("Export: hash = %x, want %x", got, want)
|
|
return
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func BenchmarkExport(b *testing.B) {
|
|
const exportFlags = AllowMultiarch | AllowCAN | AllowBluetooth
|
|
const presetFlags = PresetExt | PresetDenyNS | PresetDenyTTY | PresetDenyDevel | PresetLinux32
|
|
var want = bpfExpected[bpfPreset{exportFlags, presetFlags}]
|
|
|
|
for b.Loop() {
|
|
data, err := Export(Preset(presetFlags, exportFlags), exportFlags)
|
|
|
|
b.StopTimer()
|
|
if err != nil {
|
|
b.Fatalf("Export: error = %v", err)
|
|
}
|
|
if got := sha512.Sum512(data); got != want {
|
|
b.Fatalf("Export: hash = %x, want %x", got, want)
|
|
return
|
|
}
|
|
b.StartTimer()
|
|
}
|
|
}
|