prtcl04 failed

[Martins3]

tst_test.c:1313: TINFO: Timeout per run is 0h 05m 00s
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:213: TINFO: kernel support PR_GET/SET_SECCOMP
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:197: TPASS: SECCOMP_MODE_STRICT doesn't permit GET_SECCOMP call
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:199: TFAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:197: TPASS: SECCOMP_MODE_STRICT doesn't permit close(2)
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:197: TPASS: SECCOMP_MODE_FILTER doestn't permit GET_SECCOMP call
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:199: TFAIL: SECCOMP_MODE_FILTER doesn't permit close(2)
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:197: TPASS: SECCOMP_MODE_FILTER doesn't permit exit()
  Info: KVM_CREATE_VM
  Info: KVM_CREATE_VCPU
prctl04.c:199: TFAIL: SECCOMP_MODE_FILTER doesn't permit exit()

[Martins3]

不知道为什么上一次测试可以通过，很恐怖。

失败的原因都是因为 doesn't permit, 因为这些系统调用都是首先模拟，然后 ioctl 进入虚拟机，这些 ioctl 不能被满足

[Martins3]

static const struct sock_filter  strict_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (offsetof (struct seccomp_data, nr))),

    BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_ioctl, 6, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_close, 5, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_exit,  4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_wait4, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_write, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ, __NR_clone, 1, 0),

    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
};

如果让 ioctl 在 FILTER 模式下可以被运行，那么就只有下面的失败了:

prctl04.c:199: TFAIL: SECCOMP_MODE_STRICT doesn't permit read(2) write(2) and _exit(2)