seccomp-tools icon indicating copy to clipboard operation
seccomp-tools copied to clipboard

Published 20 hours ago verified publisher icon david942j

Print error message on empty BPF

Open qua3k opened this issue 3 years ago • 6 comments

Apologies in advance if this is unwanted/breaks API, but I just found it nice to know when no seccomp filters were installed. I am not a Ruby dev by profession so this may be wrong (but it works on my machine)

qua3k avatar Jun 17 '22 17:06 qua3k

Thanks for the contribution!

For unknown reasons the test seems hang on CI, will see what happened when the job aborts.

david942j avatar Jun 18 '22 17:06 david942j

It looks really broken :P

qua3k avatar Jun 18 '22 21:06 qua3k

Weird, it seems caused by this PR: https://github.com/david942j/seccomp-tools/runs/6949456039?check_suite_focus=true

Randomized with seed 27005
Error: ............................................[ERROR] No seccomp filters installed
Error: The operation was canceled.

The last message before hang was the log

@qua3k did you try running tests with your change locally? You need to do something like

sudo bundle install; sudo bundle exec rake spec (sudo is required as dump_by_pid needs CAP_SYS_ADMIN)

david942j avatar Jun 19 '22 15:06 david942j

I've found the issue; at dump_spec.rb#L37 there is a test with a limit of 2, but the program only has one filter installed. This worked fine previously, but the change breaks it and it fails. I'm not sure how you want to proceed with this -- do you want to modify the test?

++ additionally, we could separate ENOENT and EINVAL to print unique messages (no filter at this index/no filters installed for process)

here's the error:

Failures:

  1) SeccompTools::CLI::Dump by pid
  Failure/Error: expect { described_class.new(['-l', '2', '-p', pid.to_s]).handle }.to output(@bpf_disasm).to_stdout

    expected block to output " line  CODE  JT   JF      K\n=================================\n 0000: 0x20 0x00 0x00 0x00000000  A ...17\n 0016: 0x06 0x00 0x00 0x00000000  return KILL\n 0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n" to stdout, but output " line  CODE  JT   JF      K\n=================================\n 0000: 0x20 0x00 0x00 0x00000000  A ...return KILL\n 0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW\n[ERROR] No seccomp filters installed\n"

qua3k avatar Jun 19 '22 19:06 qua3k

Thanks for the investigation!

no filters installed for process

Yes I prefer to differentiate the two cases. Like the test case shows if there is only one filter installed but set limit to 2, the output would look weird. So let's handle the case properly.

david942j avatar Jun 20 '22 14:06 david942j

I fixed the test failures but am unsure how to stop it from printing the "no filter exists at this index" on test runs

qua3k avatar Jun 28 '22 01:06 qua3k