snap-seccomp: add in-kernel bpf tests

[mvo5]

Based on #3431 - this adds extra tests by generating test binaries and run them against the in-kernel bpf VM.

[codecov-io]

Codecov Report

Merging #3502 into master will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3502      +/-   ##
==========================================
+ Coverage    75.7%   75.72%   +0.01%     
==========================================
  Files         409      409              
  Lines       35227    35227              
==========================================
+ Hits        26670    26677       +7     
+ Misses       6672     6667       -5     
+ Partials     1885     1883       -2

Impacted Files	Coverage Δ
overlord/snapstate/snapstate.go	80.7% <0%> (+0.25%)	⬆️
cmd/snap-seccomp/main.go	57.4% <0%> (+0.9%)	⬆️
cmd/snap/cmd_aliases.go	95% <0%> (+1.66%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 93c1d78...df89a28. Read the comment docs.

[jdstrand]

+1 assuming you agree with and address my comments

[jdstrand]

strtol() is best practice, but as test code this is ok since we control all the input.

[jdstrand]

This is racy and trying to pick a needle out of a potential kernel logging haystack. It might be better to use lastKmsg() only when you have an unexpected error and return something like:

Showing last 10 lines of dmesg:
show
your
last
10
lines
of
dmesg
output
right
here

[jdstrand]

Can you remove this newline?

[jdstrand]

You might need other on other architectures. If so, these can of easily be identified in the spread tests.

[zyga]

Yeah, I was about to write that this list is a great way to learn how linux userspace works across architectures. I don't mind having it but I bet this will bite us the first time this runs on s360 and you have to fix the tests.

[jdstrand]

That's ok, it's easy to fix. Note that this list is not very different from what was in the old snap-confine unit tests.

[jdstrand]

Looking at man syscall, it seems we may also want to skip on the following syscalls: fadvise64_64, ftruncate64, posix_fadvise, pread64, pwrite64, readahead, sync_file_range, and truncate64. Please add a comment here that we just skip syscalls with architecture-specific details and in seccompSyscallRunnerContent (right above the call to syscall()) indicating that there might be architecture-specific requirements and to see man syscall for details.

[jdstrand]

Now that you added this, can you adjust the comment above simulateBpf to have:

// simulateBpf first:
//  1. runs main.Compile() which will catch syntax errors and output to a file
//  2. takes the output file from main.Compile and loads it via
//     decodeBpfFromFile
//  3. parses the decoded bpf using the seccomp library and various
//     snapd functions
//  4. runs the parsed bpf through a bpf VM
//
// Then simulateBpf runs the policy through the kernel by calling
// runBpfInKernel() which:
//  1. runs main.Compile()
//  2. the program in seccompBpfLoaderContent with the output file as an
//     argument
//  3. the program in seccompBpfLoaderContent loads the output file BPF into
//     the kernel and executes the program in seccompBpfRunnerContent with the
//     syscall and arguments specified by the test
//
// In this manner, in addition to verifying policy syntax we are able to
// unit test the resulting bpf in several ways.
//
// Full testing of applied policy is done elsewhere via spread tests.

[mvo5]

Thanks @jdstrand ! I addressed all comments now.

[zyga]

A few comments, I probably missed the reason for some changes as this was done so long ago and some context is lost in my mind.

[zyga]

Does the -static matter here? I'm worried about another place that does static linking across the distro landscape.

[mvo5]

Yes, it explodes with: /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(libc-start.o): relocation R_X86_64_32 against undefined symbol _dl_starting_up' can not be used when making a shared object; recompile with -fPIC without that.

[zyga]

Aha, I don't know why this happens but it will be another thing that needs distro-patching as static linking to libseccomp is not a given. I'll investigate and see if I can make this nicer.

[jdstrand]

You might need other on other architectures. If so, these can of easily be identified in the spread tests.

[zyga]

Yeah, I was about to write that this list is a great way to learn how linux userspace works across architectures. I don't mind having it but I bet this will bite us the first time this runs on s360 and you have to fix the tests.

[jdstrand]

That's ok, it's easy to fix. Note that this list is not very different from what was in the old snap-confine unit tests.

[zyga]

The comment and the next code block seem unrelated. Am I missing anything?

[mvo5]

I updated it a bit to clarify it some more. It is essentially about that we cannot test some syscalls using the in-kernel VM because when we run them things explodes.

[zyga]

What's the point of this random value?

[mvo5]

Mostly to avoid that everything is set to "0" and we miss issues because we did not test other values.

[zyga]

Can you adjust the comment to explain this.

[zyga]

Why is this changed?

[mvo5]

Execve is now part of the common syscalls, i.e. it must be allowed so that we can actually run these tests here.

[zyga]

Why is this changed?

[niemeyer]

Thanks for adding the tests. I'm leaving the details for @zyga and @jdstrand. Only a trivial:

[niemeyer]

The indentation here is different from the one above. We have three spaces here and a tab above, apparently.

[niemeyer]

@zyga This is ready for another pass.

[jdstrand]

FYI, the changes since I approved this look fine (though I'm not sure we we chose 'webkit' for clang formatting, but not a blocker).

[mvo5]

@jdstrand I'm equally puzzled about the webkit formating but I agree its not a blocker.

[mvo5]

@jdstrand I'm equally puzzled about the webkit formating but I agree its not a blocker.

[niemeyer]

@jdstrand Can you please mark as an actual approval so it's more clear in the PR status?

[zyga]

:-)