Seccomp_test.c 4.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. #include "benc/String.h"
  16. #include "util/log/FileWriterLog.h"
  17. #include "memory/Allocator.h"
  18. #include "memory/MallocAllocator.h"
  19. #include "util/Seccomp.h"
  20. #include "util/events/EventBase.h"
  21. #include "util/events/Process.h"
  22. #include "util/events/PipeServer.h"
  23. #include "util/events/Pipe.h"
  24. #include "util/events/Timeout.h"
  25. #include "util/CString.h"
  26. #include "crypto/random/Random.h"
  27. #include <unistd.h>
  28. struct Context
  29. {
  30. struct Iface iface;
  31. struct Allocator* alloc;
  32. struct EventBase* eventBase;
  33. Identity
  34. };
  35. static void childComplete(void* vEventBase)
  36. {
  37. EventBase_endLoop((struct EventBase*)vEventBase);
  38. }
  39. struct ChildCtx
  40. {
  41. struct EventBase* base;
  42. struct Log* log;
  43. struct Pipe* pipe;
  44. struct Allocator* alloc;
  45. Identity
  46. };
  47. static void onConnectionChild(struct Pipe* pipe, int status)
  48. {
  49. struct ChildCtx* child = Identity_check((struct ChildCtx*) pipe->userData);
  50. Er_assert(Seccomp_dropPermissions(child->alloc, child->log));
  51. Assert_true(Seccomp_isWorking());
  52. struct Message* ok = Message_new(0, 512, child->alloc);
  53. Er_assert(Message_epush(ok, "OK", 3));
  54. struct Iface iface = { .send = NULL };
  55. Iface_plumb(&pipe->iface, &iface);
  56. Iface_send(&iface, ok);
  57. // just set a timeout long enough that we're pretty sure the parent will get the message
  58. // before we quit.
  59. Timeout_setInterval(childComplete, child->base, 10, child->base, child->alloc);
  60. }
  61. static void timeout(void* vNULL)
  62. {
  63. Assert_true(!"timed out");
  64. }
  65. static void timeout2(void* vNULL)
  66. {
  67. Assert_true(!"time out 2");
  68. }
  69. static int child(char* pipeName, struct Allocator* alloc, struct Log* logger)
  70. {
  71. struct ChildCtx* ctx = Allocator_calloc(alloc, sizeof(struct ChildCtx), 1);
  72. ctx->base = EventBase_new(alloc);
  73. ctx->alloc = alloc;
  74. ctx->log = logger;
  75. ctx->pipe = Er_assert(Pipe_named(pipeName, ctx->base, logger, alloc));
  76. ctx->pipe->onConnection = onConnectionChild;
  77. ctx->pipe->userData = ctx;
  78. Identity_set(ctx);
  79. Timeout_setTimeout(timeout, ctx->base, 2000, ctx->base, alloc);
  80. EventBase_beginLoop(ctx->base);
  81. return 0;
  82. }
  83. static Iface_DEFUN receiveMessageParent(struct Message* msg, struct Iface* iface)
  84. {
  85. struct Context* ctx = Identity_check((struct Context*) iface);
  86. // PipeServer pushes a uint32 identifier of the client who sent the message
  87. Er_assert(AddrIface_popAddr(msg));
  88. Assert_true(Message_getLength(msg) == 3);
  89. Assert_true(!Bits_memcmp(msg->msgbytes, "OK", 3));
  90. EventBase_endLoop(ctx->eventBase);
  91. return NULL;
  92. }
  93. int main(int argc, char** argv)
  94. {
  95. struct Allocator* alloc = MallocAllocator_new(20000);
  96. struct Log* logger = FileWriterLog_new(stdout, alloc);
  97. if (!Seccomp_exists()) {
  98. Log_debug(logger, "Seccomp not supported on this system");
  99. return 0;
  100. }
  101. if (argc > 3 && !CString_strcmp("Seccomp_test", argv[1]) && !CString_strcmp("child", argv[2])) {
  102. child(argv[3], alloc, logger);
  103. Allocator_free(alloc);
  104. return 0;
  105. }
  106. struct EventBase* eb = EventBase_new(alloc);
  107. struct Random* rand = Random_new(alloc, logger, NULL);
  108. char randName[32] = {0};
  109. Random_base32(rand, (uint8_t*)randName, 31);
  110. String* name = String_printf(alloc, "%s%scjdns-test-%s", Pipe_PATH, Pipe_PATH_SEP, randName);
  111. struct Context* ctx = Allocator_calloc(alloc, sizeof(struct Context), 1);
  112. Identity_set(ctx);
  113. ctx->alloc = alloc;
  114. ctx->iface.send = receiveMessageParent;
  115. ctx->eventBase = eb;
  116. struct PipeServer* pipe = PipeServer_named(name->bytes, eb, NULL, logger, alloc);
  117. Iface_plumb(&ctx->iface, &pipe->iface.iface);
  118. char* path = Process_getPath(alloc);
  119. char* args[] = { "Seccomp_test", "child", name->bytes, NULL };
  120. Assert_true(!Process_spawn(path, args, alloc, NULL));
  121. Timeout_setTimeout(timeout2, NULL, 2000, eb, alloc);
  122. EventBase_beginLoop(eb);
  123. unlink(name->bytes);
  124. return 0;
  125. }