tools/compile_seccomp_policy: Increase the code coverage to 93%
This change adds a few more tests to improve the code coverage.
Bug: chromium:856315
Test: ./tools/compiler_unittest.py
Test: ./tools/parser_unittest.py
Change-Id: I55e0f1f97790fbce76c1080de23ae8f37fe3a4fe
diff --git a/tools/compiler_unittest.py b/tools/compiler_unittest.py
index ae00d7f..3cc0e6a 100755
--- a/tools/compiler_unittest.py
+++ b/tools/compiler_unittest.py
@@ -233,6 +233,14 @@
block.simulate(self.arch.arch_nr, self.arch.syscalls['read'], 1,
1)[1], 'ALLOW')
+ def test_trap(self):
+ """Accept lines that trap unconditionally."""
+ block = self._compile('read: trap')
+
+ self.assertEqual(
+ block.simulate(self.arch.arch_nr, self.arch.syscalls['read'],
+ 0)[1], 'TRAP')
+
def test_ret_errno(self):
"""Accept lines that return errno."""
block = self._compile('read : arg0 == 0 || arg0 == 1 ; return 1')
@@ -255,6 +263,22 @@
block.simulate(self.arch.arch_nr, self.arch.syscalls['read'],
0)[1:], ('ERRNO', 1))
+ def test_trace(self):
+ """Accept lines that trace unconditionally."""
+ block = self._compile('read: trace')
+
+ self.assertEqual(
+ block.simulate(self.arch.arch_nr, self.arch.syscalls['read'],
+ 0)[1], 'TRACE')
+
+ def test_log(self):
+ """Accept lines that log unconditionally."""
+ block = self._compile('read: log')
+
+ self.assertEqual(
+ block.simulate(self.arch.arch_nr, self.arch.syscalls['read'],
+ 0)[1], 'LOG')
+
def test_mmap_write_xor_exec(self):
"""Accept the idiomatic filter for mmap."""
block = self._compile(
@@ -369,7 +393,7 @@
"""Ensure policy reflects script by testing some random scripts."""
iterations = 5
for i in range(iterations):
- num_entries = len(self.arch.syscalls) * (i + 1) // iterations
+ num_entries = 64 * (i + 1) // iterations
syscalls = dict(
zip(
random.sample(self.arch.syscalls.keys(), num_entries),
@@ -399,6 +423,43 @@
'strategy: %s, policy:\n%s') %
(name, number, strategy, policy_contents))
+ @unittest.skipIf(not int(os.getenv('SLOW_TESTS', '0')), 'slow')
+ def test_compile_huge_policy(self):
+ """Ensure jumps while compiling a huge policy are still valid."""
+ # Given that the BST strategy is O(n^3), don't choose a crazy large
+ # value, but it still needs to be around 128 so that we exercise the
+ # codegen paths that depend on the length of the jump.
+ #
+ # Immediate jump offsets in BPF comparison instructions are limited to
+ # 256 instructions, so given that every syscall filter consists of a
+ # load and jump instructions, with 128 syscalls there will be at least
+ # one jump that's further than 256 instructions.
+ num_entries = 128
+ syscalls = dict(random.sample(self.arch.syscalls.items(), num_entries))
+ # Here we force every single filter to be distinct. Otherwise the
+ # codegen layer will coalesce filters that compile to the same
+ # instructions.
+ policy_contents = '\n'.join(
+ '%s: arg0 == %d' % s for s in syscalls.items())
+
+ path = self._write_file('test.policy', policy_contents)
+
+ program = self.compiler.compile_file(
+ path,
+ optimization_strategy=compiler.OptimizationStrategy.BST,
+ kill_action=bpf.KillProcess())
+ for name, number in self.arch.syscalls.items():
+ expected_result = ('ALLOW'
+ if name in syscalls else 'KILL_PROCESS')
+ self.assertEqual(
+ bpf.simulate(program.instructions, self.arch.arch_nr,
+ self.arch.syscalls[name], number)[1],
+ expected_result)
+ self.assertEqual(
+ bpf.simulate(program.instructions, self.arch.arch_nr,
+ self.arch.syscalls[name], number + 1)[1],
+ 'KILL_PROCESS')
+
if __name__ == '__main__':
unittest.main()
