runtimetest: add validateSeccomp

Signed-off-by: Zhou Hao <zhouhao@cn.fujitsu.com>

Author: Zhou Hao

cmd/runtimetest/main.go

@@ -493,6 +493,25 @@ func validateMaskedPaths(spec *rspec.Spec) error {
 	return nil
 }
 
+func validateSeccomp(spec *rspec.Spec) error {
+	if spec.Linux == nil || spec.Linux.Seccomp == nil {
+		return nil
+	}
+	for _, sys := range spec.Linux.Seccomp.Syscalls {
+		if sys.Action == "SCMP_ACT_ERRON" {
+			for _, name := range sys.Names {
+				if name == "getcwd" {
+					_, err := os.Getwd()
+					if err == nil {
+						return fmt.Errorf("when action is %v, return value should being passed to user space as the errno value without executing the system call", sys.Action)
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func validateROPaths(spec *rspec.Spec) error {
 	if spec.Linux == nil {
 		return nil
@@ -772,6 +791,10 @@ func run(context *cli.Context) error {
 			test:        validateOOMScoreAdj,
 			description: "oom score adj",
 		},
+		{
+			test:        validateSeccomp,
+			description: "seccomp",
+		},
 		{
 			test:        validateROPaths,
 			description: "read only paths",

validation/validation_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/opencontainers/runtime-tools/generate"
+	"github.com/opencontainers/runtime-tools/generate/seccomp"
 	"github.com/opencontainers/runtime-tools/specerror"
 )
 
@@ -88,6 +89,18 @@ func TestValidateBasic(t *testing.T) {
 	assert.Nil(t, runtimeInsideValidate(g))
 }
 
+func TestValidateSeccomp(t *testing.T) {
+	g := getDefaultGenerator()
+	syscallArgs := seccomp.SyscallOpts{
+		Action:  "errno",
+		Syscall: "getcwd",
+	}
+	g.SetDefaultSeccompAction("allow")
+	g.SetSyscallAction(syscallArgs)
+
+	assert.Nil(t, runtimeInsideValidate(g))
+}
+
 func TestValidateSysctls(t *testing.T) {
 	g := getDefaultGenerator()
 	g.AddLinuxSysctl("net.ipv4.ip_forward", "1")