selftests/seccomp: add support for s390

This adds support for s390 to the seccomp selftests. Some improvements
were made to enhance the accuracy of failure reporting, and additional
tests were added to validate assumptions about the currently traced
syscall. Also adds early asserts for running on older kernels to avoid
noise when the seccomp syscall is not implemented.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>

tools/testing/selftests/seccomp/seccomp_bpf.c

@@ -1210,6 +1210,10 @@ TEST_F(TRACE_poke, getpid_runs_normally)
 # define ARCH_REGS	struct pt_regs
 # define SYSCALL_NUM	gpr[0]
 # define SYSCALL_RET	gpr[3]
+#elif defined(__s390__)
+# define ARCH_REGS     s390_regs
+# define SYSCALL_NUM   gprs[2]
+# define SYSCALL_RET   gprs[2]
 #else
 # error "Do not know how to find your architecture's registers and syscalls"
 #endif
@@ -1243,7 +1247,8 @@ void change_syscall(struct __test_metadata *_metadata,
 	ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov);
 	EXPECT_EQ(0, ret);
 
-#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || defined(__powerpc__)
+#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
+    defined(__powerpc__) || defined(__s390__)
 	{
 		regs.SYSCALL_NUM = syscall;
 	}
@@ -1281,17 +1286,21 @@ void tracer_syscall(struct __test_metadata *_metadata, pid_t tracee,
 	ret = ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg);
 	EXPECT_EQ(0, ret);
 
+	/* Validate and take action on expected syscalls. */
 	switch (msg) {
 	case 0x1002:
 		/* change getpid to getppid. */
+		EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
 		change_syscall(_metadata, tracee, __NR_getppid);
 		break;
 	case 0x1003:
 		/* skip gettid. */
+		EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
 		change_syscall(_metadata, tracee, -1);
 		break;
 	case 0x1004:
 		/* do nothing (allow getppid) */
+		EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
 		break;
 	default:
 		EXPECT_EQ(0, msg) {
@@ -1409,6 +1418,8 @@ TEST_F(TRACE_syscall, syscall_dropped)
 #  define __NR_seccomp 277
 # elif defined(__powerpc__)
 #  define __NR_seccomp 358
+# elif defined(__s390__)
+#  define __NR_seccomp 348
 # else
 #  warning "seccomp syscall number unknown for this architecture"
 #  define __NR_seccomp 0xffff
@@ -1453,6 +1464,9 @@ TEST(seccomp_syscall)
 
 	/* Reject insane operation. */
 	ret = seccomp(-1, 0, &prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	EXPECT_EQ(EINVAL, errno) {
 		TH_LOG("Did not reject crazy op value!");
 	}
@@ -1501,6 +1515,9 @@ TEST(seccomp_syscall_mode_lock)
 	}
 
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	EXPECT_EQ(0, ret) {
 		TH_LOG("Could not install filter!");
 	}
@@ -1535,6 +1552,9 @@ TEST(TSYNC_first)
 
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
 		      &prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	EXPECT_EQ(0, ret) {
 		TH_LOG("Could not install initial filter with TSYNC!");
 	}
@@ -1694,6 +1714,9 @@ TEST_F(TSYNC, siblings_fail_prctl)
 
 	/* Check prctl failure detection by requesting sib 0 diverge. */
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	ASSERT_EQ(0, ret) {
 		TH_LOG("setting filter failed");
 	}
@@ -1731,6 +1754,9 @@ TEST_F(TSYNC, two_siblings_with_ancestor)
 	}
 
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	ASSERT_EQ(0, ret) {
 		TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
 	}
@@ -1805,6 +1831,9 @@ TEST_F(TSYNC, two_siblings_with_no_filter)
 
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
 		      &self->apply_prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	ASSERT_EQ(0, ret) {
 		TH_LOG("Could install filter on all threads!");
 	}
@@ -1833,6 +1862,9 @@ TEST_F(TSYNC, two_siblings_with_one_divergence)
 	}
 
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	ASSERT_EQ(0, ret) {
 		TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
 	}
@@ -1890,6 +1922,9 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
 	}
 
 	ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &self->root_prog);
+	ASSERT_NE(ENOSYS, errno) {
+		TH_LOG("Kernel does not support seccomp syscall!");
+	}
 	ASSERT_EQ(0, ret) {
 		TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
 	}

tools/testing/selftests/seccomp/test_harness.h

@@ -370,11 +370,8 @@
 	__typeof__(_expected) __exp = (_expected); \
 	__typeof__(_seen) __seen = (_seen); \
 	if (!(__exp _t __seen)) { \
-		unsigned long long __exp_print = 0; \
-		unsigned long long __seen_print = 0; \
-		/* Avoid casting complaints the scariest way we can. */ \
-		memcpy(&__exp_print, &__exp, sizeof(__exp)); \
-		memcpy(&__seen_print, &__seen, sizeof(__seen)); \
+		unsigned long long __exp_print = (unsigned long long)__exp; \
+		unsigned long long __seen_print = (unsigned long long)__seen; \
 		__TH_LOG("Expected %s (%llu) %s %s (%llu)", \
 			 #_expected, __exp_print, #_t, \
 			 #_seen, __seen_print); \