tests: add test 63-live-notify_addfd

Add live test for seccomp_notify_addfd() that verifies fd injection capabilities by intercepting openat() syscalls and replacing the target's file descriptor for it's C and Python API.

Signed-off-by: Sudipta Pandit <sudpandit@microsoft.com>

Author: realsdx

tests/.gitignore

@@ -70,3 +70,4 @@ util.pyc
 60-sim-precompute
 61-sim-transactions
 62-sim-arch_transactions
+63-live-notify_addfd

tests/63-live-notify_addfd.c

@@ -0,0 +1,236 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2025 Microsoft Corporation <sudpandit@microsoft.com>
+ * Author: Sudipta Pandit <sudpandit@microsoft.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <seccomp.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+
+int send_fd(int sock, int fd)
+{
+	struct iovec iov = {.iov_base = "F", .iov_len = 1};
+	char buffer[CMSG_SPACE(sizeof(fd))];
+	memset(buffer, 0, sizeof(buffer));
+
+	struct msghdr msg = {
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+		.msg_control = buffer,
+		.msg_controllen = sizeof(buffer)
+	};
+
+	struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+	cmsg->cmsg_level = SOL_SOCKET;
+	cmsg->cmsg_type = SCM_RIGHTS;
+	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
+
+	memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
+
+	return sendmsg(sock, &msg, 0);
+}
+
+int recv_fd(int sock)
+{
+	char m_buffer[1];
+	struct iovec iov = {.iov_base = m_buffer, .iov_len = 1};
+
+	char buffer[CMSG_SPACE(sizeof(int))];
+	struct msghdr msg = {
+		.msg_iov = &iov,
+		.msg_iovlen = 1,
+		.msg_control = buffer,
+		.msg_controllen = sizeof(buffer)
+	};
+	struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+
+	if (recvmsg(sock, &msg, 0) < 0)
+		return -1;
+
+	int fd;
+	memcpy(&fd, CMSG_DATA(cmsg), sizeof(fd));
+	return fd;
+}
+
+void child_process(scmp_filter_ctx ctx, int sock_fd)
+{
+	int rc;
+	int ret = -1;
+	int notify_fd = -1;
+	char buf[128];
+	ssize_t bytes_read = -1;
+
+	rc = seccomp_load(ctx);
+	if (rc < 0)
+		goto out;
+
+	rc = seccomp_notify_fd(ctx);
+	if (rc < 0)
+		goto out;
+	notify_fd = rc;
+
+	rc = send_fd(sock_fd, notify_fd);
+	if (rc < 0) {
+		rc = -errno;
+		goto out;
+	}
+
+	ret = openat(AT_FDCWD, "/etc/hostname", O_RDONLY);
+	if (ret < 0) {
+		rc = -errno;
+		goto out;
+	}
+
+	bytes_read = read(ret, buf, sizeof(buf));
+	rc = bytes_read;
+
+out:
+	if (notify_fd >= 0)
+		close(notify_fd);
+	if (ret >= 0)
+		close(ret);
+	close(sock_fd);
+	exit(rc);
+}
+
+int parent_process(int sock_fd)
+{
+	int rc;
+	int notify_fd = -1;
+	int new_fd = -1;
+	int installed_fd = -1;
+	struct seccomp_notif *req = NULL;
+	struct seccomp_notif_resp *resp = NULL;
+	struct seccomp_notif_addfd addfd = {0};
+
+	rc = recv_fd(sock_fd);
+	if (rc < 0) {
+		rc = -errno;
+		goto out;
+	}
+	notify_fd = rc;
+
+	rc = seccomp_notify_alloc(&req, &resp);
+	if (rc)
+		goto out;
+
+	rc = seccomp_notify_receive(notify_fd, req);
+	if (rc)
+		goto out;
+	if (req->data.nr != __NR_openat) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+	new_fd = openat(AT_FDCWD, "/dev/null", O_RDONLY);
+	if (new_fd < 0) {
+		rc = -errno;
+		goto out;
+	}
+
+	memset(&addfd, 0, sizeof(addfd));
+	addfd.id = req->id;
+	addfd.srcfd = new_fd;
+	addfd.newfd = 0;
+	addfd.flags = 0;
+	rc = seccomp_notify_addfd(notify_fd, &addfd);
+	if (rc < 0)
+		goto out;
+	installed_fd = rc;
+
+	rc = seccomp_notify_id_valid(notify_fd, req->id);
+	if (rc)
+		goto out;
+
+	resp->id = req->id;
+	resp->val = installed_fd;
+	resp->error = 0;
+	resp->flags = 0;
+	rc = seccomp_notify_respond(notify_fd, resp);
+
+out:
+	if (notify_fd >= 0)
+		close(notify_fd);
+	if (new_fd >= 0)
+		close(new_fd);
+	close(sock_fd);
+	seccomp_notify_free(req, resp);
+	return rc;
+}
+
+int main(int argc, char *argv[])
+{
+	int rc, status;
+	int sock_pair[2];
+	scmp_filter_ctx ctx = NULL;
+	pid_t pid = 0;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(openat), 0, NULL);
+	if (rc)
+		goto out;
+
+	/* set up socket pair for sending notify_fd */
+	rc = socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sock_pair);
+	if (rc < 0) {
+		rc = -errno;
+		goto out;
+	}
+
+	pid = fork();
+	if (pid == 0) {
+		close(sock_pair[0]); /* close the parent's end */
+		child_process(ctx, sock_pair[1]);
+	} else {
+		close(sock_pair[1]); /* close the child's end */
+		rc = parent_process(sock_pair[0]);
+
+		if (waitpid(pid, &status, 0) != pid) {
+			rc = -EFAULT;
+			goto out;
+		}
+
+		if (!WIFEXITED(status)) {
+			rc = -EFAULT;
+			goto out;
+		}
+		if (WEXITSTATUS(status)) {
+			rc = -EFAULT;
+			goto out;
+		}
+	}
+
+out:
+	if (pid)
+		kill(pid, SIGKILL);
+	seccomp_release(ctx);
+
+	if (rc != 0)
+		return (rc < 0 ? -rc : rc);
+	return 160;
+}

tests/63-live-notify_addfd.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2025 Microsoft Corporation <sudpandit@microsoft.com>
+# Author: Sudipta Pandit <sudpandit@microsoft.com>
+
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import ctypes
+import ctypes.util
+import os
+import struct
+import socket
+
+import util
+
+from seccomp import *
+
+
+def send_fd(sock: socket.socket, fd: int):
+    sock.sendmsg([b' '], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, struct.pack('i', fd))])
+
+def recv_fd(sock: socket.socket):
+    _msg, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_LEN(struct.calcsize('i')))
+    for cmsg_level, cmsg_type, cmsg_data in ancdata:
+        if cmsg_level == socket.SOL_SOCKET and cmsg_type == socket.SCM_RIGHTS:
+            return struct.unpack('i', cmsg_data)[0]
+    return None
+
+def test():
+    f = SyscallFilter(ALLOW)
+    f.add_rule(NOTIFY, "openat")
+    
+    # Socketpair for sending file descriptors
+    p_socket, c_socket = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
+
+    pid = os.fork()
+    if pid == 0:
+        # load seccomp filter
+        f.load()
+        notify_fd = f.get_notify_fd()
+        send_fd(c_socket, notify_fd)
+
+        ret_fd = os.open("/etc/hostname", os.O_RDONLY)
+        if ret_fd < 0:
+            quit(ret_fd)
+
+        ret_bytes = os.read(ret_fd, 128)
+        os.close(ret_fd)
+        if len(ret_bytes) != 0:
+            # /dev/null should be empty
+            quit(1)
+
+        os.close(notify_fd)
+        c_socket.close()
+        quit(0)
+    else:
+        # get the notification fd from child
+        notify_fd = recv_fd(p_socket)
+        notify = f.receive_notify(fd=notify_fd)
+       
+        if notify.syscall != resolve_syscall(Arch(), "openat"):
+            raise RuntimeError("Notification failed")
+        
+        new_fd = os.open("/dev/null", os.O_RDONLY)
+        installed_fd = f.notify_addfd(NotificationAddfd(notify, 0, new_fd), fd=notify_fd)
+        f.respond_notify(NotificationResponse(notify, installed_fd, 0, 0), fd=notify_fd)
+
+        # No longer need the fds
+        os.close(new_fd)
+        os.close(notify_fd)
+        p_socket.close()
+
+        wpid, rc = os.waitpid(pid, 0)
+        if os.WIFEXITED(rc) == 0:
+            raise RuntimeError("Child process error")
+        if os.WEXITSTATUS(rc) != 0:
+            raise RuntimeError("Child process error")
+       
+        quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;

tests/63-live-notify_addfd.tests

@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2025 Microsoft Corporation <sudpandit@microsoft.com>
+# Author: Sudipta Pandit <sudpandit@microsoft.com>
+#
+
+test type: live
+
+# Testname		API Result
+63-live-notify_addfd	5	ALLOW

tests/Makefile.am

@@ -97,7 +97,8 @@ check_PROGRAMS = \
 	59-basic-empty_binary_tree \
 	60-sim-precompute \
 	61-sim-transactions \
-	62-sim-arch_transactions
+	62-sim-arch_transactions \
+	63-live-notify_addfd
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -160,7 +161,8 @@ EXTRA_DIST_TESTPYTHON = \
 	59-basic-empty_binary_tree.py \
 	60-sim-precompute.py \
 	61-sim-transactions.py \
-	62-sim-arch_transactions.py
+	62-sim-arch_transactions.py \
+	63-live-notify_addfd.py
 
 EXTRA_DIST_TESTCFGS = \
 	01-sim-allow.tests \
@@ -224,7 +226,8 @@ EXTRA_DIST_TESTCFGS = \
 	59-basic-empty_binary_tree.tests \
 	60-sim-precompute.tests \
 	61-sim-transactions.tests \
-	62-sim-arch_transactions.tests
+	62-sim-arch_transactions.tests \
+	63-live-notify_addfd.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \