seccomp: allow to filter syscalls by instruction pointer

PiperOrigin-RevId: 293029446
author: Andrei Vagin <avagin@google.com> 2020-02-03 16:15:16 -0800
committer: gVisor bot <gvisor-bot@google.com> 2020-02-03 16:16:18 -0800
commit: f37e913a358820ea98013772dd2880cc8a3c9218 (patch)
tree: 2183d87c138de6d200c38cfc0ad6702828e11e3f /pkg/seccomp/seccomp_test.go
parent: 6cd7901d7d5f9639e95fff3d8927ba8856a83f91 (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp_test.go b/pkg/seccomp/seccomp_test.go
index abbee7051..da5a5e4b2 100644
--- a/pkg/seccomp/seccomp_test.go
+++ b/pkg/seccomp/seccomp_test.go
@@ -388,6 +388,33 @@ func TestBasic(t *testing.T) {
 				},
 			},
 		},
+		{
+			ruleSets: []RuleSet{
+				{
+					Rules: SyscallRules{
+						1: []Rule{
+							{
+								RuleIP: AllowValue(0x7aabbccdd),
+							},
+						},
+					},
+					Action: linux.SECCOMP_RET_ALLOW,
+				},
+			},
+			defaultAction: linux.SECCOMP_RET_TRAP,
+			specs: []spec{
+				{
+					desc: "IP: Syscall instruction pointer allowed",
+					data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{}, instructionPointer: 0x7aabbccdd},
+					want: linux.SECCOMP_RET_ALLOW,
+				},
+				{
+					desc: "IP: Syscall instruction pointer disallowed",
+					data: seccompData{nr: 1, arch: linux.AUDIT_ARCH_X86_64, args: [6]uint64{}, instructionPointer: 0x711223344},
+					want: linux.SECCOMP_RET_TRAP,
+				},
+			},
+		},
 	} {
 		instrs, err := BuildProgram(test.ruleSets, test.defaultAction)
 		if err != nil {
author	Andrei Vagin <avagin@google.com>	2020-02-03 16:15:16 -0800
committer	gVisor bot <gvisor-bot@google.com>	2020-02-03 16:16:18 -0800
commit	f37e913a358820ea98013772dd2880cc8a3c9218 (patch)
tree	2183d87c138de6d200c38cfc0ad6702828e11e3f /pkg/seccomp/seccomp_test.go
parent	6cd7901d7d5f9639e95fff3d8927ba8856a83f91 (diff)