[PATCH v2 3/3] selftest: seccomp: Adjust tests for using both STRICT and FILTER
From: Jamie Hill-Daniel
Date: Mon Jun 15 2026 - 12:28:27 EST
Update tests to reflect that applying STRICT after FILTER is now possible.
Signed-off-by: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 68 ++++++++++++---------------
1 file changed, 29 insertions(+), 39 deletions(-)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 874f17763536..f3b5e19b53a1 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -516,7 +516,7 @@ TEST(filter_chain_limits)
}
}
-TEST(mode_filter_cannot_move_to_strict)
+TEST(mode_strict_upgrade)
{
struct sock_filter filter[] = {
BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
@@ -534,8 +534,34 @@ TEST(mode_filter_cannot_move_to_strict)
ASSERT_EQ(0, ret);
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
- EXPECT_EQ(-1, ret);
- EXPECT_EQ(EINVAL, errno);
+ ASSERT_EQ(0, ret);
+ syscall(__NR_exit, 0);
+}
+
+TEST_SIGNAL(mode_strict_upgrade_violation, SIGKILL)
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+ };
+ struct sock_fprog prog = {
+ .len = (unsigned short)ARRAY_SIZE(filter),
+ .filter = filter,
+ };
+ long ret;
+
+ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ ASSERT_EQ(0, ret);
+
+ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
+ ASSERT_EQ(0, ret);
+
+ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, NULL, 0, 0);
+ ASSERT_EQ(0, ret);
+
+ syscall(__NR_getpid);
+ EXPECT_FALSE(true) {
+ TH_LOG("Unreachable!");
+ }
}
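Review bot: Both tests install an allow-everything filter (`SECCOMP_RET_ALLOW`), so neither `mode_strict_upgrade` nor `mode_strict_upgrade_violation` shows whether the earlier filter is still evaluated once the task is in strict mode. A filter that returns `SECCOMP_RET_ERRNO` for a call strict mode permits (for example `write`), followed by the switch, would pin that behaviour; the kernel side of the series is not visible here, so the intended result needs confirming against patches 1-2. The new tests also reach strict mode only through `prctl()`, while the `seccomp_syscall_mode_lock` test removed in the last hunk also checked `seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL)`; a seccomp()-based twin like the one below would keep that entry point covered, assuming the series changes both paths. `mode_strict_upgrade` starts in the previous hunk, and its bare `ASSERT_EQ(0, ret)` after the strict switch would be easier to triage with a `TH_LOG` message.

```c
TEST(seccomp_syscall_strict_upgrade)
{
	/* … unchanged: filter/prog setup and PR_SET_NO_NEW_PRIVS as in mode_strict_upgrade … */

	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
	ASSERT_EQ(0, ret) {
		TH_LOG("Could not install filter!");
	}

	/* The seccomp() entry point should accept the upgrade just as prctl() does. */
	ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
	ASSERT_EQ(0, ret) {
		TH_LOG("seccomp() refused FILTER -> STRICT!");
	}
	syscall(__NR_exit, 0);
}
```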
@@ -2370,42 +2396,6 @@ TEST(seccomp_syscall)
}
}
-TEST(seccomp_syscall_mode_lock)
-{
- struct sock_filter filter[] = {
- BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
- };
- struct sock_fprog prog = {
- .len = (unsigned short)ARRAY_SIZE(filter),
- .filter = filter,
- };
- long ret;
-
- ret = prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0);
- ASSERT_EQ(0, ret) {
- TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
- }
-
- ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
- ASSERT_NE(ENOSYS, errno) {
- TH_LOG("Kernel does not support seccomp syscall!");
- }
- EXPECT_EQ(0, ret) {
- TH_LOG("Could not install filter!");
- }
-
- /* Make sure neither entry point will switch to strict. */
- ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
- EXPECT_EQ(EINVAL, errno) {
- TH_LOG("Switched to mode strict!");
- }
-
- ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
- EXPECT_EQ(EINVAL, errno) {
- TH_LOG("Switched to mode strict!");
- }
-}
-
/*
* Test detection of known and unknown filter flags. Userspace needs to be able
* to check if a filter flag is supported by the current kernel and a good way
--
2.54.0