Exemple #1
/*
 * Map a syscall name to the numeric id stored in the lookup table.
 *
 * name must be a non-NULL, NUL-terminated string. This is enforced only by
 * assert(), so a build with NDEBUG would pass a NULL pointer on to strlen().
 *
 * Returns the id field of the entry found by lookup_syscall(), or -1 when
 * there is no entry for name. Callers have to test for -1 before using the
 * result as a syscall number.
 */
int syscall_from_name(const char *name) {
        const struct syscall_name *entry;

        assert(name);

        entry = lookup_syscall(name, strlen(name));
        if (entry)
                return entry->id;

        /* Unknown name: report failure with the -1 sentinel. */
        return -1;
}
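/*
 * Compiles test/seccomp.policy with USE_LOGGING and checks the layout of the
 * resulting BPF program instruction by instruction.
 *
 * With logging requested, the entries in log_syscalls are expected as allow
 * rules ahead of the policy's own syscalls, so the effective allow-list is
 * wider than the policy file alone.
 */
TEST_F(filter, log) {
	struct sock_fprog actual;
	FILE *policy;
	int res;
	size_t i;
	size_t index = 0;

	policy = fopen("test/seccomp.policy", "r");
	/*
	 * Stop here if the policy file cannot be opened, so that a missing
	 * file is reported as a test failure instead of passing a NULL
	 * stream to compile_filter().
	 */
	ASSERT_NE(policy, NULL);

	res = compile_filter(policy, &actual, USE_LOGGING, LOG_INFO);

	/*
	 * Checks return value, filter length, and that the filter
	 * validates arch, loads syscall number, only allows expected syscalls,
	 * and returns TRAP on failure.
	 * NOTE(jorgelo): the filter is longer since we add the syscalls needed
	 * for logging.
	 */
	ASSERT_EQ(res, 0);
	/*
	 * Each allowed syscall takes two instructions, hence the
	 * 2 * log_syscalls_len on top of the 13 expected without logging.
	 */
	EXPECT_EQ(actual.len, 13 + 2 * log_syscalls_len);
	/* The arch check has to come first, before the syscall number is read. */
	EXPECT_ARCH_VALIDATION(actual.filter);
	EXPECT_EQ_STMT(actual.filter + ARCH_VALIDATION_LEN,
			BPF_LD+BPF_W+BPF_ABS, syscall_nr);

	/* Skip the arch validation and the load of the syscall number. */
	index = ARCH_VALIDATION_LEN + 1;
	for (i = 0; i < log_syscalls_len; i++)
		EXPECT_ALLOW_SYSCALL(actual.filter + (index + 2 * i),
				     lookup_syscall(log_syscalls[i]));

	index += 2 * log_syscalls_len;

	/* The syscalls expected from the policy file, in this order. */
	EXPECT_ALLOW_SYSCALL(actual.filter + index, __NR_read);
	EXPECT_ALLOW_SYSCALL(actual.filter + index + 2, __NR_write);
	EXPECT_ALLOW_SYSCALL(actual.filter + index + 4, __NR_rt_sigreturn);
	EXPECT_ALLOW_SYSCALL(actual.filter + index + 6, __NR_exit);
	/* The last instruction is the default action: anything not allowed above traps. */
	EXPECT_EQ_STMT(actual.filter + index + 8, BPF_RET+BPF_K,
			SECCOMP_RET_TRAP);

	free(actual.filter);
	fclose(policy);
}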