From e264c9f83a7888db60f1bb157de047569c928acc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?=
Date: Thu, 12 Dec 2024 19:04:00 +0100
Subject: [PATCH] tests: test_seccomp_validate: check for syscalls not in the filter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For each filter, we track which syscalls we have already seen, and at the end we check for the ones we haven't seen.

Signed-off-by: Pablo Barbáchano
---
 .../security/test_seccomp_validate.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tests/integration_tests/security/test_seccomp_validate.py b/tests/integration_tests/security/test_seccomp_validate.py
index b91c7590a2b..401f342cd32 100644
--- a/tests/integration_tests/security/test_seccomp_validate.py
+++ b/tests/integration_tests/security/test_seccomp_validate.py
@@ -94,6 +94,9 @@ def test_validate_filter(seccompiler, bin_test_syscall, monkeypatch, tmp_path):
 fc_filter_path = Path(f"../resources/seccomp/{ARCH}-unknown-linux-musl.json")
 fc_filter = json.loads(fc_filter_path.read_text(encoding="ascii"))
 
+ # As of linux v6.12 both x786_64 and aarch64 are below this number
+ syscall_id_max = 512
+
 # cd to a tmp dir because we may generate a bunch of intermediate files
 monkeypatch.chdir(tmp_path)
 # prevent coredumps 
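Review bot: The comment above the added `syscall_id_max = 512` line misspells the architecture as `x786_64`, and it does not say what the number is a bound on, which matters because the value is a hard-coded ceiling that the unseen-syscall sweep later in this function relies on. `# As of linux v6.12 the highest syscall number on both x86_64 and aarch64 is below 512; bump this when the kernel adds more` states the intent and tells the next person who updates the kernel what to revisit. test_validate_filter starts before this hunk.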
@@ -105,14 +108,16 @@ def test_validate_filter(seccompiler, bin_test_syscall, monkeypatch, tmp_path):
 for thread, filter_data in fc_filter.items():
 filter_path = Path(f"{thread}.bpf")
 filter_path.write_bytes(filters[thread])
+ seen_syscalls = set()
 # for each rule, run the helper program and execute a syscall
 for rule in filter_data["filter"]:
 print(filter_path, rule)
 syscall = rule["syscall"]
+ syscall_id = seccomp.resolve_syscall(arch, syscall)
+ seen_syscalls.add(syscall_id)
 # this one cannot be called directly
 if syscall in ["rt_sigreturn"]:
 continue
- syscall_id = seccomp.resolve_syscall(arch, syscall)
 cmd = f"{bin_test_syscall} {filter_path} {syscall_id}"
 if "args" not in rule:
 # syscall should be allowed with any arguments and exit 0
@@ -136,3 +141,11 @@ def test_validate_filter(seccompiler, bin_test_syscall, monkeypatch, tmp_path):
 # if we call it with unallowed args, it should exit 159
 # 159 = 128 (abnormal termination) + 31 (SIGSYS)
 assert outcome.returncode == 159
+ print("now we test syscalls we didn't see in the filter")
+ for syscall_id in range(syscall_id_max):
+ if syscall_id in seen_syscalls:
+ continue
+ cmd = f"{bin_test_syscall} {filter_path} {syscall_id}"
+ print(cmd)
+ # and they should all exit 159
+ assert utils.run_cmd(cmd).returncode == 159
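Review bot: The unseen-syscall sweep in the third hunk never checks that `syscall_id_max` is actually above every id collected in `seen_syscalls`, so a filter entry that resolves to 512 or higher would fall outside `range(syscall_id_max)` and simply never be exercised, and the final assertion does not say which syscall id escaped the filter's default action when it fails. A bound check before the loop, `assert max(seen_syscalls) < syscall_id_max`, closes the first gap, and splitting the last line into `outcome = utils.run_cmd(cmd)` and `assert outcome.returncode == 159, f"syscall {syscall_id} was not blocked by {filter_path}"` gives a failure that names the syscall and the filter. With that message in place the per-iteration `print(cmd)`, which adds up to 512 lines per filter to the log, can go. This presumes `utils.run_cmd` returns a result with `returncode` rather than raising on non-zero exit, as the existing `outcome.returncode == 159` assertion in the same hunk already relies on. test_validate_filter begins before the second hunk, and the `if "args" not in rule:` branch opened there continues outside it.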