Merge 8f38116 into e89d182

seccomp · Oct 10, 2017 · e56671f · e56671f
2 parents e89d182 + 8f38116
commit e56671f
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 4 deletions.
diff --git a/src/api.c b/src/api.c
@@ -99,7 +99,7 @@ static unsigned int _seccomp_api_update(void)
 
 	/* level 2 */
 	if (sys_chk_seccomp_syscall() &&
-	    sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC))
+	    sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC) == 1)
 		level = 2;
 
 	/* update the stored api level and return */

diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
@@ -150,6 +150,35 @@ def resolve_syscall(arch, syscall):
     else:
         raise TypeError("Syscall must either be an int or str type")
 
+def get_api():
+    """ Query the level of API support
+
+    Description:
+    Returns the API level value indicating the current supported
+    functionality.
+    """
+    level = libseccomp.seccomp_api_get()
+    if level < 0:
+        raise RuntimeError(str.format("Library error (errno = {0})", level))
+
+    return level
+
+def set_api(unsigned int level):
+    """ Set the level of API support
+
+    Arguments:
+    level - the API level
+
+    Description:
+    This function forcibly sets the API level at runtime.  General use
+    of this function is strongly discouraged.
+    """
+    rc = libseccomp.seccomp_api_set(level)
+    if rc == -errno.EINVAL:
+        raise ValueError("Invalid level")
+    elif rc != 0:
+        raise RuntimeError(str.format("Library error (errno = {0})", rc))
+
 cdef class Arch:
     """ Python object representing the SyscallFilter architecture values.
 

diff --git a/src/system.c b/src/system.c
@@ -138,6 +138,7 @@ int sys_chk_seccomp_flag(int flag)
 
 /**
  * Force a seccomp() syscall flag support setting
+ * @param flag the seccomp() flag
  * @param enable the intended support state
  *
  * This function overrides the current seccomp() syscall support setting for a

diff --git a/tests/.gitignore b/tests/.gitignore
@@ -44,3 +44,4 @@ util.pyc
 36-sim-ipc_syscalls
 37-sim-ipc_syscalls_be
 38-basic-pfc_coverage
+39-basic-api_level
diff --git a/tests/39-basic-api_level.c b/tests/39-basic-api_level.c
@@ -28,6 +28,7 @@ int main(int argc, char *argv[])
 {
 	int rc;
 	unsigned int api;
+	const unsigned int max_api = 2;
 
 	api = seccomp_api_get();
 	if (api < 1)
@@ -40,5 +41,20 @@ int main(int argc, char *argv[])
 	if (api != 1)
 		return -3;
 
+	rc = seccomp_api_set(max_api);
+	if (rc != 0)
+		return -4;
+	api = seccomp_api_get();
+	if (api != max_api)
+		return -5;
+
+	/* One higher than the currently supported max API level should fail */
+	rc = seccomp_api_set(max_api + 1);
+	if (rc != -EINVAL)
+		return -6;
+	api = seccomp_api_get();
+	if (api != max_api)
+		return -7;
+
 	return 0;
 }
diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
@@ -4,7 +4,9 @@
 # Seccomp Library test program
 #
 # Copyright (c) 2016 Red Hat <pmoore@redhat.com>
-# Author: Paul Moore <paul@paul-moore.com>
+# Copyright (c) 2017 Canonical Ltd.
+# Authors: Paul Moore <paul@paul-moore.com>
+#          Tyler Hicks <tyhicks@canonical.com>
 #
 
 #
@@ -28,8 +30,32 @@
 
 from seccomp import *
 
-# NOTE: this is a NULL test since we don't support the seccomp_version() API
-#       via the libseccomp python bindings
+def test():
+    api = get_api()
+    if (api < 1):
+        raise RuntimeError("Failed getting initial API level")
+
+    set_api(1)
+    api = get_api()
+    if api != 1:
+        raise RuntimeError("Failed getting API level 1")
+
+    set_api(2)
+    api = get_api()
+    if api != 2:
+        raise RuntimeError("Failed getting API level 2")
+
+    try:
+        set_api(3)
+    except ValueError:
+        pass
+    else:
+        raise RuntimeError("Missing failure when setting invalid API level")
+    api = get_api()
+    if api != 2:
+        raise RuntimeError("Failed getting API level 2 after setting an invalid API level")
+
+test()
 
 # kate: syntax python;
 # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;