Extend seccomp tests
cd-work committed Oct 6, 2023
1 parent 14c369b commit ad628fc
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions tests/seccomp.rs
@@ -1,13 +1,32 @@
#[cfg(target_os = "linux")]
use birdcage::{Birdcage, Sandbox};
#[cfg(target_os = "linux")]
use std::ffi::CString;

#[cfg(target_os = "linux")]
fn main() {
// Activate our sandbox.
Birdcage::new().lock().unwrap();

// Ensure `chdir` is allowed.
let root_path = CString::new("/").unwrap();
let result = unsafe { libc::chdir(root_path.as_ptr()) };
assert_eq!(result, 0);

// Ensure `unshare` is always blocked.
let result = unsafe { libc::unshare(libc::CLONE_NEWUSER) };
assert_eq!(result, -1);

// Ensure `clone` is blocked with `CLONE_NEWUSER`.
let stack = unsafe { libc::malloc(4096) };
let flags = libc::CLONE_NEWUSER as libc::c_ulong;
let result = unsafe { libc::syscall(libc::SYS_clone, flags, stack) };
assert_eq!(result, -1);

// Ensure `clone` is allowed without flags.
let flags = 0;
let result = unsafe { libc::syscall(libc::SYS_clone, flags, stack) };
assert!(result > 0);
}

#[cfg(not(target_os = "linux"))]
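Review bot: The final `clone` check creates a real child that is never handled: with `flags = 0` the raw `SYS_clone` returns 0 in the child, which then resumes on `stack`, the low end of an uninitialised 4096-byte `malloc` buffer (never checked for null), so it will most likely crash, and would otherwise fail `assert!(result > 0)` itself. Passing a null stack makes the raw syscall behave like `fork`, and the child should leave through `libc::_exit(0)` before any assertion runs; the parent could then reap it, assuming the filter permits the wait call. Separately, the two "blocked" assertions accept any `-1`, so an unrelated failure (for example user namespaces being disabled on the host) would pass the test without the filter doing anything; asserting on the errno the filter is expected to return, via `std::io::Error::last_os_error().raw_os_error()`, would tie the result to the sandbox. The page does not show which lines are additions, so this assumes the `clone` checks are part of the new code.

```rust
    // … unchanged: sandbox activation, `chdir`, `unshare` and blocked-`clone` checks …

    // Ensure `clone` is allowed without flags.
    let flags: libc::c_ulong = 0;
    // A null stack lets the child continue on its own copy of the parent's stack.
    let result =
        unsafe { libc::syscall(libc::SYS_clone, flags, std::ptr::null_mut::<libc::c_void>()) };
    if result == 0 {
        // Child: exit immediately so it never runs the parent's assertions.
        unsafe { libc::_exit(0) };
    }
    assert!(result > 0);
```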