github.com/criyle/go-sandbox@v0.10.3/pkg/seccomp/libseccomp/seccomp_linux_test.go (about)

     1  package libseccomp
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/criyle/go-sandbox/pkg/seccomp"
     7  )
     8  
// defaultSyscallAllows is the allow-list passed to Builder.Allow by
// BenchmarkBuildDefaultFilter. Entries are plain syscall names; no argument
// constraints are expressed in this file, so broad calls such as ioctl,
// fcntl and mprotect are listed unconditionally.
var defaultSyscallAllows = []string{
	// File descriptor I/O.
	"read", "write", "readv", "writev", "close", "fstat", "lseek",
	"dup", "dup2", "dup3", "ioctl", "fcntl", "fadvise64",
	// Memory management.
	"mmap", "mprotect", "munmap", "brk", "mremap", "msync", "mincore", "madvise",
	// Signal handling.
	"rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "rt_sigpending", "sigaltstack",
	// Working directory, process exit and architecture setup.
	"getcwd", "exit", "exit_group", "arch_prctl",
	// Clocks, resource usage and syscall restart.
	"gettimeofday", "getrlimit", "getrusage", "times", "time", "clock_gettime", "restart_syscall",
}

// defaultSyscallTraces is the list passed to Builder.Trace by
// BenchmarkBuildDefaultFilter: process execution plus path-based file
// operations.
var defaultSyscallTraces = []string{
	"execve",
	"open", "openat",
	"unlink", "unlinkat",
	"readlink", "readlinkat",
	"lstat", "stat",
	"access", "faccessat",
}
    22  
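// TestBuildFilter checks that the minimal Builder returned by buildFilterMock
// compiles into a seccomp filter without error and that the result is not
// empty.
func TestBuildFilter(t *testing.T) {
	filter, err := buildFilterMock()
	if err != nil {
		// Include the underlying error so a failure (for example an
		// unresolvable syscall name) can be diagnosed from the test log.
		t.Fatalf("BuildFilter failed: %v", err)
	}
	// A zero-length filter carries no rules, so a nil error alone is not
	// enough to show that a policy was produced.
	if len(filter) == 0 {
		t.Error("BuildFilter returned an empty filter")
	}
}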
    29  
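// BenchmarkBuildDefaultFilter measures Builder.Build with the default allow
// and trace lists and ActionTrace as the default action. The original author
// recorded about 0.2ms/op.
func BenchmarkBuildDefaultFilter(b *testing.B) {
	for i := 0; i < b.N; i++ {
		builder := Builder{
			Allow:   defaultSyscallAllows,
			Trace:   defaultSyscallTraces,
			Default: ActionTrace,
		}
		// Stop on error: otherwise a Build that fails early (for instance
		// on a syscall name that cannot be resolved) would be timed as if
		// it had produced a filter.
		if _, err := builder.Build(); err != nil {
			b.Fatalf("Build failed: %v", err)
		}
	}
}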
    41  
// buildFilterMock builds a small filter for TestBuildFilter: "fork" is on the
// allow list, "execve" is on the trace list, and every other syscall falls
// through to the default action, ActionTrace.
// NOTE(review): with ActionTrace as the default, unlisted syscalls are
// presumably handed to a tracer rather than rejected by the filter itself, so
// the policy relies on that tracer being attached. Confirm against the
// Builder documentation.
func buildFilterMock() (seccomp.Filter, error) {
	mock := Builder{
		Default: ActionTrace,
		Trace:   []string{"execve"},
		Allow:   []string{"fork"},
	}
	filter, err := mock.Build()
	return filter, err
}