Add back io_uring tests

phylum-dev · Sep 13, 2023 · 62c3d31 · 62c3d31
1 parent 89d0f1b
commit 62c3d31
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/src/linux/mod.rs b/src/linux/mod.rs
@@ -1,6 +1,6 @@
 //! Linux sandboxing.
 //!
-//! This module implements sandboxing on Linux based on the Landlock LSM, Linux
+//! This module implements sandboxing on Linux based on the Landlock LSM,
 //! namespaces, and seccomp.
 
 use std::fs;

diff --git a/src/linux/seccomp.rs b/src/linux/seccomp.rs
@@ -458,3 +458,69 @@ const SYSCALL_WHITELIST: &[libc::c_long] = &[
     libc::SYS_futex_waitv,
     libc::SYS_set_mempolicy_home_node,
 ];
+
+#[cfg(test)]
+mod tests {
+    use std::io::{Error as IoError, ErrorKind as IoErrorKind};
+
+    use super::*;
+
+    #[test]
+    fn block_io_uring() {
+        NetworkFilter::apply().unwrap();
+
+        let mut io_uring_params =
+            vec![IoUringParams { flags: 1, sq_entries: 32, cq_entries: 32, ..Default::default() }];
+
+        let result = unsafe {
+            libc::syscall(
+                libc::SYS_io_uring_setup,
+                io_uring_params.len(),
+                io_uring_params.as_mut_ptr(),
+            )
+        };
+
+        assert_eq!(result, -1);
+        assert_eq!(IoError::last_os_error().kind(), IoErrorKind::PermissionDenied);
+    }
+
+    #[test]
+    fn allow_local_sockets() {
+        NetworkFilter::apply().unwrap();
+
+        let fd = unsafe { libc::socket(libc::AF_UNIX, libc::SOCK_STREAM, 0) };
+        if fd < 0 {
+            panic!("AF_UNIX socket creation failed: {}", IoError::last_os_error());
+        }
+
+        unsafe { libc::close(fd) };
+    }
+
+    #[repr(C)]
+    #[derive(Default)]
+    struct IoUringParams {
+        sq_entries: u32,
+        cq_entries: u32,
+        flags: u32,
+        sq_thread_cpu: u32,
+        sq_thread_idle: u32,
+        features: u32,
+        wq_fd: u32,
+        resv: [u32; 3],
+        sq_off: IoSqringOffsets,
+        cq_off: IoSqringOffsets,
+    }
+
+    #[repr(C)]
+    #[derive(Default)]
+    struct IoSqringOffsets {
+        head: u32,
+        tail: u32,
+        ring_mask: u32,
+        ring_entries: u32,
+        flags: u32,
+        dropped: u32,
+        array: u32,
+        resv: [u32; 3],
+    }
+}