runtimetest: add validateSeccomp

[zhouhao3]

Signed-off-by: Zhou Hao zhouhao@cn.fujitsu.com

[wking]

I don't see any runtime-oriented RFC 2119 requirements for linux.seccomp, which means we only have the config-oriented SeccSyscallsNamesRequired in specerror, which means we have no grounds for making this a fatal error in compliance testing. I think the best we can do (at least for 1.0.x configs) is warn the caller that the runtime is skipping some not-strictly-required-but-probably-expected functionality.

[Mashimiao]

Before spec adds RFC requirements, we'd better just give a warn instead of error

[Mashimiao]

what are Index, Value used for in this case?

[zhouhao3]

According to the code in parse_action.go:

	action, _ := parseAction(arguments[0])
	if action == config.DefaultAction && args.argsAreEmpty() {
		// default already set, no need to make changes
		return nil
	}

If args is empty, you can't add syscall.

[Mashimiao]

If you really want to test the Action, you should change the defautAction not equal to the specified action.
Then, empty args will not be a problem.

[zhouhao3]

updated.

[Mashimiao]

I think the warning is not suitable, that's not what we really want to tell users.
We want to tell them even seccomp is configured but this runtime can not apply it or similar warning

[Mashimiao]

LGTM

[wking]

Can we write t.Skips for other names and actions? I don't want to give users the false impression that we're testing them by silently ignoring other values.

[wking]

Can we write t.Skips…

This is probably blocking on passing the TAP instance down into the validators, which I do in #308. I don't see a clean way to handle this case before #308 lands; if maintainers want a stub in the meantime that's fine, and I don't really care if/how this gets handled in the stub.

[zhouhao3]

Does that mean that all the action and name combinations will be exported as skipped information? Maybe I misunderstood.

[wking]

Does that mean that all the action and name combinations will be exported as skipped information?

Yes, but only if a configuration uses them. That would make it easy for folks writing tests in validation to see that runtimetest was ignoring something which the configuration had requested.

[wking]

This is a non-TAP warning that will be gobbled by RuntimeInsideValidate. I think you want something like:

t.Skip(1, fmt.Sprintf("%s syscall returns errno", sys.Name))
if err == nil {
  t.Diagnostic("did not return an error")
} else {
  t.Diagnosticf("returned %d (%s)", err.WhateverOtherErrno(), err.Error())
}

[zhouhao3]

I tried to modify it, what do you think?

[wking]

SCMP_ACT_ERRON → SCMP_ACT_ERRNO.

[wking]

This TAP-within-a-TAP approach is a bit strange, but I think it might work… We can drop this once #308 lands and the t instance is getting passed around.

[zhouhao3]

Some other modifications can wait until #308 land. Thank you for your advice.

[wking]

Maybe the diagnostic could be:

getcwd did not return an error

Once #308 lands with a local test, that test will be the %s syscall returns errno you have in the skip below, so the total output will be:

not ok … - getcwd syscall returns errno
# getcwd did not return an error

[wking]

This should be t.Skip(1, …), since we're only skipping one test.

[wking]

And here we want an else case saying that we're skipping the action:

} else {
    t.Skip(1, fmt.Sprintf("syscall action %s", sys.Action))
}

or similar.

[zhouhao3]

@liangchenye @Mashimiao PTAL

[Mashimiao]

LGTM

[zhouhao3]

ping @liangchenye

[liangchenye]

LGTM