releases/5.0.14/selftests-seccomp-prepare-for-exclusive-seccomp-flags.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 4ee0776760af03f181e6b80baf5fb1cc1a980f50 Mon Sep 17 00:00:00 2001
 From: Kees Cook <keescook@chromium.org>
 Date: Wed, 24 Apr 2019 09:32:55 -0700
 Subject: selftests/seccomp: Prepare for exclusive seccomp flags

 From: Kees Cook <keescook@chromium.org>

 commit 4ee0776760af03f181e6b80baf5fb1cc1a980f50 upstream.

 Some seccomp flags will become exclusive, so the selftest needs to
 be adjusted to mask those out and test them individually for the "all
 flags" tests.

 Cc: stable@vger.kernel.org # v5.0+
 Signed-off-by: Kees Cook <keescook@chromium.org>
 Reviewed-by: Tycho Andersen <tycho@tycho.ws>
 Acked-by: James Morris <jamorris@linux.microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  tools/testing/selftests/seccomp/seccomp_bpf.c |   34 +++++++++++++++++++-------
  1 file changed, 25 insertions(+), 9 deletions(-)

 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c
 +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
 @@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags)
  				 SECCOMP_FILTER_FLAG_LOG,
  				 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
  				 SECCOMP_FILTER_FLAG_NEW_LISTENER };
 -	unsigned int flag, all_flags;
 +	unsigned int exclusive[] = {
 +				SECCOMP_FILTER_FLAG_TSYNC,
 +				SECCOMP_FILTER_FLAG_NEW_LISTENER };
 +	unsigned int flag, all_flags, exclusive_mask;
  	int i;
  	long ret;

 -	/* Test detection of known-good filter flags */
 +	/* Test detection of individual known-good filter flags */
  	for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
  		int bits = 0;

 @@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags)
  		all_flags |= flag;
  	}

 -	/* Test detection of all known-good filter flags */
 -	ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
 -	EXPECT_EQ(-1, ret);
 -	EXPECT_EQ(EFAULT, errno) {
 -		TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
 -		       all_flags);
 +	/*
 +	 * Test detection of all known-good filter flags combined. But
 +	 * for the exclusive flags we need to mask them out and try them
 +	 * individually for the "all flags" testing.
 +	 */
 +	exclusive_mask = 0;
 +	for (i = 0; i < ARRAY_SIZE(exclusive); i++)
 +		exclusive_mask |= exclusive[i];
 +	for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
 +		flag = all_flags & ~exclusive_mask;
 +		flag |= exclusive[i];
 +
 +		ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
 +		EXPECT_EQ(-1, ret);
 +		EXPECT_EQ(EFAULT, errno) {
 +			TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
 +			       flag);
 +		}
  	}

 -	/* Test detection of an unknown filter flag */
 +	/* Test detection of an unknown filter flags, without exclusives. */
  	flag = -1;
 +	flag &= ~exclusive_mask;
  	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
  	EXPECT_EQ(-1, ret);
  	EXPECT_EQ(EINVAL, errno) {
	From 4ee0776760af03f181e6b80baf5fb1cc1a980f50 Mon Sep 17 00:00:00 2001
	From: Kees Cook <keescook@chromium.org>
	Date: Wed, 24 Apr 2019 09:32:55 -0700
	Subject: selftests/seccomp: Prepare for exclusive seccomp flags

	From: Kees Cook <keescook@chromium.org>

	commit 4ee0776760af03f181e6b80baf5fb1cc1a980f50 upstream.

	Some seccomp flags will become exclusive, so the selftest needs to
	be adjusted to mask those out and test them individually for the "all
	flags" tests.

	Cc: stable@vger.kernel.org # v5.0+
	Signed-off-by: Kees Cook <keescook@chromium.org>
	Reviewed-by: Tycho Andersen <tycho@tycho.ws>
	Acked-by: James Morris <jamorris@linux.microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	tools/testing/selftests/seccomp/seccomp_bpf.c \| 34 +++++++++++++++++++-------
	1 file changed, 25 insertions(+), 9 deletions(-)

	--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
	+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
	@@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags)
	SECCOMP_FILTER_FLAG_LOG,
	SECCOMP_FILTER_FLAG_SPEC_ALLOW,
	SECCOMP_FILTER_FLAG_NEW_LISTENER };
	- unsigned int flag, all_flags;
	+ unsigned int exclusive[] = {
	+ SECCOMP_FILTER_FLAG_TSYNC,
	+ SECCOMP_FILTER_FLAG_NEW_LISTENER };
	+ unsigned int flag, all_flags, exclusive_mask;
	int i;
	long ret;

	- /* Test detection of known-good filter flags */
	+ /* Test detection of individual known-good filter flags */
	for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
	int bits = 0;

	@@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags)
	all_flags \|= flag;
	}

	- /* Test detection of all known-good filter flags */
	- ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
	- EXPECT_EQ(-1, ret);
	- EXPECT_EQ(EFAULT, errno) {
	- TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
	- all_flags);
	+ /*
	+ * Test detection of all known-good filter flags combined. But
	+ * for the exclusive flags we need to mask them out and try them
	+ * individually for the "all flags" testing.
	+ */
	+ exclusive_mask = 0;
	+ for (i = 0; i < ARRAY_SIZE(exclusive); i++)
	+ exclusive_mask \|= exclusive[i];
	+ for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
	+ flag = all_flags & ~exclusive_mask;
	+ flag \|= exclusive[i];
	+
	+ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
	+ EXPECT_EQ(-1, ret);
	+ EXPECT_EQ(EFAULT, errno) {
	+ TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
	+ flag);
	+ }
	}

	- /* Test detection of an unknown filter flag */
	+ /* Test detection of an unknown filter flags, without exclusives. */
	flag = -1;
	+ flag &= ~exclusive_mask;
	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
	EXPECT_EQ(-1, ret);
	EXPECT_EQ(EINVAL, errno) {