tools/compile_seccomp_policy: Add support for syscall groups
This change adds support for the 'function@libc' and 'group@systemd' syntax to
make writing policy files much easier.
Bug: chromium:856315
Test: ./tools/parser_unittest.py
Change-Id: Ia1d51d30c68346b4390b0e5c23d0f7e929f08c70
diff --git a/tools/parser_unittest.py b/tools/parser_unittest.py
index 4fba590..f13a109 100755
--- a/tools/parser_unittest.py
+++ b/tools/parser_unittest.py
@@ -398,6 +398,24 @@
), [
parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()),
]))
+ self.assertEqual(
+ self.parser.parse_filter_statement(
+ self._tokenize('io@libc: arg0 == 0')),
+ parser.ParsedFilterStatement((
+ parser.Syscall('read', 0),
+ parser.Syscall('write', 1),
+ ), [
+ parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()),
+ ]))
+ self.assertEqual(
+ self.parser.parse_filter_statement(
+ self._tokenize('file-io@systemd: arg0 == 0')),
+ parser.ParsedFilterStatement((
+ parser.Syscall('read', 0),
+ parser.Syscall('write', 1),
+ ), [
+ parser.Filter([[parser.Atom(0, '==', 0)]], bpf.Allow()),
+ ]))
def test_parse_metadata(self):
"""Accept valid filter statements with metadata."""
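Review bot: The two added assertions expect the same tuple (`read` 0, `write` 1) for both `io@libc` and `file-io@systemd`, so a parser that resolved a group in the wrong namespace, or ignored the part after `@`, could still pass if the fixture exposes both names. A group expansion widens the seccomp allowlist with syscalls the policy author never spelled out, so the test should pin each namespace separately by giving the two fixture groups different members. A short comment such as `# Groups are defined by the test arch fixture, not read from the host.` would also help, assuming that is where they come from; the fixture is not visible in this hunk. The enclosing test method starts above the hunk.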
@@ -418,6 +436,11 @@
def test_parse_unclosed_brace(self):
"""Reject unclosed brace."""
with self.assertRaisesRegex(parser.ParseException, 'unclosed brace'):
+ self.parser.parse_filter(self._tokenize('{ allow'))
+
+ def test_parse_invalid_syscall_group(self):
+ """Reject invalid syscall groups."""
+ with self.assertRaisesRegex(parser.ParseException, 'unclosed brace'):
self.parser.parse_filter_statement(
self._tokenize('{ read, write: arg0 == 0'))
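Review bot: `test_parse_invalid_syscall_group` never exercises a group: it reuses the `'{ read, write: arg0 == 0'` input and the `'unclosed brace'` pattern, so the rejection path for an unknown group or namespace is untested. In a seccomp policy compiler a mistyped group name should fail compilation rather than expand to an empty or unintended syscall set, so the test should feed an undefined name, e.g. `self._tokenize('nonexistent@libc: arg0 == 0')` (constructed sample), and match the parser's real message with `assertRaisesRegex(parser.ParseException, '<group-error-message>')`. The same hunk also changes the body of `test_parse_unclosed_brace` to `parse_filter(self._tokenize('{ allow'))`, which appears to leave the unclosed-brace case of `parse_filter_statement` covered only under the misleading new name.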