Add tests for net filter without seccomp/namespace

phylum-dev · Sep 14, 2023 · 4a9f20a · 4a9f20a
1 parent 949b894
commit 4a9f20a
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 0 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,6 +44,16 @@ name = "net"
 path = "tests/net.rs"
 harness = false
 
+[[test]]
+name = "net_without_seccomp"
+path = "tests/net_without_seccomp.rs"
+harness = false
+
+[[test]]
+name = "net_without_namespaces"
+path = "tests/net_without_namespaces.rs"
+harness = false
+
 [target.'cfg(target_os = "linux")'.dependencies]
 seccompiler = "0.2.0"
 landlock = "0.2.0"

diff --git a/tests/net_without_namespaces.rs b/tests/net_without_namespaces.rs
@@ -0,0 +1,41 @@
+#[cfg(target_os = "linux")]
+use std::collections::BTreeMap;
+#[cfg(target_os = "linux")]
+use std::net::TcpStream;
+
+#[cfg(target_os = "linux")]
+use birdcage::{Birdcage, Sandbox};
+#[cfg(target_os = "linux")]
+use seccompiler::{BpfProgram, SeccompAction, SeccompFilter, TargetArch};
+
+#[cfg(target_os = "linux")]
+#[cfg(target_arch = "x86_64")]
+const ARCH: TargetArch = TargetArch::x86_64;
+#[cfg(target_os = "linux")]
+#[cfg(target_arch = "aarch64")]
+const ARCH: TargetArch = TargetArch::aarch64;
+
+#[cfg(target_os = "linux")]
+fn main() {
+    // Create seccomp filter blocking `unshare` syscall.
+    let mut rules = BTreeMap::new();
+    rules.insert(libc::SYS_unshare, Vec::new());
+    let filter = SeccompFilter::new(
+        rules,
+        SeccompAction::Allow,
+        SeccompAction::Errno(libc::EACCES as u32),
+        ARCH,
+    )
+    .unwrap();
+    let program: BpfProgram = filter.try_into().unwrap();
+    seccompiler::apply_filter(&program).unwrap();
+
+    let birdcage = Birdcage::new().unwrap();
+    birdcage.lock().unwrap();
+
+    let result = TcpStream::connect("8.8.8.8:443");
+    assert!(result.is_err());
+}
+
+#[cfg(not(target_os = "linux"))]
+fn main() {}
diff --git a/tests/net_without_seccomp.rs b/tests/net_without_seccomp.rs
@@ -0,0 +1,52 @@
+#[cfg(target_os = "linux")]
+use std::collections::BTreeMap;
+#[cfg(target_os = "linux")]
+use std::net::TcpStream;
+
+#[cfg(target_os = "linux")]
+use birdcage::{Birdcage, Sandbox};
+#[cfg(target_os = "linux")]
+use seccompiler::{
+    BpfProgram, SeccompAction, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter,
+    SeccompRule, TargetArch,
+};
+
+#[cfg(target_os = "linux")]
+#[cfg(target_arch = "x86_64")]
+const ARCH: TargetArch = TargetArch::x86_64;
+#[cfg(target_os = "linux")]
+#[cfg(target_arch = "aarch64")]
+const ARCH: TargetArch = TargetArch::aarch64;
+
+#[cfg(target_os = "linux")]
+fn main() {
+    // Create seccomp filter blocking seccomp prctl syscall.
+    let mut rules = BTreeMap::new();
+    let seccomp_prctl = SeccompCondition::new(
+        0,
+        SeccompCmpArgLen::Dword,
+        SeccompCmpOp::Eq,
+        libc::PR_SET_SECCOMP as u64,
+    )
+    .unwrap();
+    let rule = SeccompRule::new(vec![seccomp_prctl]).unwrap();
+    rules.insert(libc::SYS_prctl, vec![rule]);
+    let filter = SeccompFilter::new(
+        rules,
+        SeccompAction::Allow,
+        SeccompAction::Errno(libc::EACCES as u32),
+        ARCH,
+    )
+    .unwrap();
+    let program: BpfProgram = filter.try_into().unwrap();
+    seccompiler::apply_filter(&program).unwrap();
+
+    let birdcage = Birdcage::new().unwrap();
+    birdcage.lock().unwrap();
+
+    let result = TcpStream::connect("8.8.8.8:443");
+    assert!(result.is_err());
+}
+
+#[cfg(not(target_os = "linux"))]
+fn main() {}