selftests/seccomp: Prepare for exclusive seccomp flags
authorKees Cook <keescook@chromium.org>
Wed, 24 Apr 2019 16:32:55 +0000 (09:32 -0700)
committerKees Cook <keescook@chromium.org>
Thu, 25 Apr 2019 22:55:48 +0000 (15:55 -0700)
Some seccomp flags will become exclusive, so the selftest needs to
be adjusted to mask those out and test them individually for the "all
flags" tests.

Cc: stable@vger.kernel.org # v5.0+
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Acked-by: James Morris <jamorris@linux.microsoft.com>
tools/testing/selftests/seccomp/seccomp_bpf.c

index f69d2ee29742808600d406c47f283d743b0aa7c8..5019cdae5d0b8ca8a47692c71956d9f824812466 100644 (file)
@@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags)
                                 SECCOMP_FILTER_FLAG_LOG,
                                 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
                                 SECCOMP_FILTER_FLAG_NEW_LISTENER };
-       unsigned int flag, all_flags;
+       unsigned int exclusive[] = {
+                               SECCOMP_FILTER_FLAG_TSYNC,
+                               SECCOMP_FILTER_FLAG_NEW_LISTENER };
+       unsigned int flag, all_flags, exclusive_mask;
        int i;
        long ret;
 
-       /* Test detection of known-good filter flags */
+       /* Test detection of individual known-good filter flags */
        for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
                int bits = 0;
 
@@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags)
                all_flags |= flag;
        }
 
-       /* Test detection of all known-good filter flags */
-       ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
-       EXPECT_EQ(-1, ret);
-       EXPECT_EQ(EFAULT, errno) {
-               TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
-                      all_flags);
+       /*
+        * Test detection of all known-good filter flags combined. But
+        * for the exclusive flags we need to mask them out and try them
+        * individually for the "all flags" testing.
+        */
+       exclusive_mask = 0;
+       for (i = 0; i < ARRAY_SIZE(exclusive); i++)
+               exclusive_mask |= exclusive[i];
+       for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
+               flag = all_flags & ~exclusive_mask;
+               flag |= exclusive[i];
+
+               ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+               EXPECT_EQ(-1, ret);
+               EXPECT_EQ(EFAULT, errno) {
+                       TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
+                              flag);
+               }
        }
 
-       /* Test detection of an unknown filter flag */
+       /* Test detection of an unknown filter flags, without exclusives. */
        flag = -1;
+       flag &= ~exclusive_mask;
        ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
        EXPECT_EQ(-1, ret);
        EXPECT_EQ(EINVAL, errno) {
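Review bot: After the second hunk, no call in the visible lines passes both entries of `exclusive[]` together, so the test no longer observes how the kernel treats `SECCOMP_FILTER_FLAG_TSYNC | SECCOMP_FILTER_FLAG_NEW_LISTENER`; the combined loop and the unknown-flag check both mask the pair out. The commit message says these flags will become exclusive, so the rejection presumably lands in a separate kernel change, and a negative check belongs with it: `ret = seccomp(SECCOMP_SET_MODE_FILTER, exclusive_mask, NULL);` followed by `EXPECT_EQ(-1, ret);` and `EXPECT_EQ(EINVAL, errno);`. Without it, a regression that accepts the combination again would still pass this selftest. The body of TEST(detect_seccomp_filter_flags) starts before the first hunk and continues past the second, so this may already be covered outside the lines shown.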