Remove seccomp related tests

Signed-off-by: Doru Blânzeanu <dblnz@pm.me>

Author: dblnz

src/hyperlight_host/src/sandbox/initialized_multi_use.rs

@@ -655,163 +655,6 @@ mod tests {
         assert_eq!(res, 0);
     }
 
-    #[test]
-    // TODO: Investigate why this test fails with an incorrect error when run alongside other tests
-    #[ignore]
-    #[cfg(target_os = "linux")]
-    fn test_violate_seccomp_filters() -> Result<()> {
-        fn make_get_pid_syscall() -> Result<u64> {
-            let pid = unsafe { libc::syscall(libc::SYS_getpid) };
-            Ok(pid as u64)
-        }
-
-        // First, run  to make sure it fails.
-        {
-            let mut usbox = UninitializedSandbox::new(
-                GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
-                None,
-            )
-            .unwrap();
-
-            usbox.register("MakeGetpidSyscall", make_get_pid_syscall)?;
-
-            let mut sbox: MultiUseSandbox = usbox.evolve()?;
-
-            let res: Result<u64> = sbox.call("ViolateSeccompFilters", ());
-
-            #[cfg(seccomp)]
-            match res {
-                Ok(_) => panic!("Expected to fail due to seccomp violation"),
-                Err(e) => match e {
-                    HyperlightError::GuestError(t, msg)
-                        if t == ErrorCode::HostFunctionError
-                            && msg.contains("Seccomp filter trapped on disallowed syscall") => {}
-                    _ => panic!("Expected DisallowedSyscall error: {}", e),
-                },
-            }
-
-            #[cfg(not(seccomp))]
-            match res {
-                Ok(_) => (),
-                Err(e) => panic!("Expected to succeed without seccomp: {}", e),
-            }
-        }
-
-        // Second, run with allowing `SYS_getpid`
-        #[cfg(seccomp)]
-        {
-            let mut usbox = UninitializedSandbox::new(
-                GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
-                None,
-            )
-            .unwrap();
-
-            usbox.register_with_extra_allowed_syscalls(
-                "MakeGetpidSyscall",
-                make_get_pid_syscall,
-                vec![libc::SYS_getpid],
-            )?;
-            // ^^^ note, we are allowing SYS_getpid
-
-            let mut sbox: MultiUseSandbox = usbox.evolve()?;
-
-            let res: Result<u64> = sbox.call("ViolateSeccompFilters", ());
-
-            match res {
-                Ok(_) => {}
-                Err(e) => panic!("Expected to succeed due to seccomp violation: {}", e),
-            }
-        }
-
-        Ok(())
-    }
-
-    // We have a secomp specifically for `openat`, but we don't want to crash on `openat`, but rather make sure `openat` returns `EACCES`
-    #[test]
-    #[cfg(target_os = "linux")]
-    fn violate_seccomp_filters_openat() -> Result<()> {
-        // Hostcall to call `openat`.
-        fn make_openat_syscall() -> Result<i64> {
-            use std::ffi::CString;
-
-            let path = CString::new("/proc/sys/vm/overcommit_memory").unwrap();
-
-            let fd_or_err = unsafe {
-                libc::syscall(
-                    libc::SYS_openat,
-                    libc::AT_FDCWD,
-                    path.as_ptr(),
-                    libc::O_RDONLY,
-                )
-            };
-
-            if fd_or_err == -1 {
-                Ok((-std::io::Error::last_os_error().raw_os_error().unwrap()).into())
-            } else {
-                Ok(fd_or_err)
-            }
-        }
-        {
-            // First make sure a regular call to `openat` on /proc/sys/vm/overcommit_memory succeeds
-            let ret = make_openat_syscall()?;
-            assert!(
-                ret >= 0,
-                "Expected openat syscall to succeed, got: {:?}",
-                ret
-            );
-
-            let mut ubox = UninitializedSandbox::new(
-                GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
-                None,
-            )
-            .unwrap();
-            ubox.register("Openat_Hostfunc", make_openat_syscall)?;
-
-            let mut sbox = ubox.evolve().unwrap();
-            let host_func_result = sbox
-                .call::<i64>(
-                    "CallGivenParamlessHostFuncThatReturnsI64",
-                    "Openat_Hostfunc".to_string(),
-                )
-                .expect("Expected to call host function that returns i64");
-
-            if cfg!(seccomp) {
-                // If seccomp is enabled, we expect the syscall to return EACCES, as setup by our seccomp filter
-                assert_eq!(host_func_result, -libc::EACCES as i64);
-            } else {
-                // If seccomp is not enabled, we expect the syscall to succeed
-                assert!(host_func_result >= 0);
-            }
-        }
-
-        #[cfg(seccomp)]
-        {
-            // Now let's make sure if we register the `openat` syscall as an extra allowed syscall, it will succeed
-            let mut ubox = UninitializedSandbox::new(
-                GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
-                None,
-            )
-            .unwrap();
-            ubox.register_with_extra_allowed_syscalls(
-                "Openat_Hostfunc",
-                make_openat_syscall,
-                [libc::SYS_openat],
-            )?;
-            let mut sbox = ubox.evolve().unwrap();
-            let host_func_result: i64 = sbox
-                .call::<i64>(
-                    "CallGivenParamlessHostFuncThatReturnsI64",
-                    "Openat_Hostfunc".to_string(),
-                )
-                .expect("Expected to call host function that returns i64");
-
-            // should pass regardless of seccomp feature
-            assert!(host_func_result >= 0);
-        }
-
-        Ok(())
-    }
-
     #[test]
     fn test_trigger_exception_on_guest() {
         let usbox = UninitializedSandbox::new(

src/hyperlight_host/tests/integration_test.rs

@@ -49,14 +49,8 @@ fn interrupt_host_call() {
         Ok(())
     };
 
-    #[cfg(any(target_os = "windows", not(seccomp)))]
     usbox.register("Spin", spin).unwrap();
 
-    #[cfg(seccomp)]
-    usbox
-        .register_with_extra_allowed_syscalls("Spin", spin, vec![libc::SYS_clock_nanosleep])
-        .unwrap();
-
     let mut sandbox: MultiUseSandbox = usbox.evolve().unwrap();
     let interrupt_handle = sandbox.interrupt_handle();
     assert!(!interrupt_handle.dropped()); // not yet dropped

src/tests/rust_guests/simpleguest/src/main.rs

@@ -720,19 +720,6 @@ fn twenty_four_k_in_eight_k_out(function_call: &FunctionCall) -> Result<Vec<u8>>
     }
 }
 
-fn violate_seccomp_filters(function_call: &FunctionCall) -> Result<Vec<u8>> {
-    if function_call.parameters.is_none() {
-        let res = call_host_function::<u64>("MakeGetpidSyscall", None, ReturnType::ULong)?;
-
-        Ok(get_flatbuffer_result(res))
-    } else {
-        Err(HyperlightGuestError::new(
-            ErrorCode::GuestFunctionParameterTypeMismatch,
-            "Invalid parameters passed to violate_seccomp_filters".to_string(),
-        ))
-    }
-}
-
 fn call_given_paramless_hostfunc_that_returns_i64(function_call: &FunctionCall) -> Result<Vec<u8>> {
     if let ParameterValue::String(hostfuncname) =
         function_call.parameters.clone().unwrap()[0].clone()
@@ -1416,14 +1403,6 @@ pub extern "C" fn hyperlight_main() {
     );
     register_function(add_to_static_and_fail_def);
 
-    let violate_seccomp_filters_def = GuestFunctionDefinition::new(
-        "ViolateSeccompFilters".to_string(),
-        Vec::new(),
-        ReturnType::ULong,
-        violate_seccomp_filters as usize,
-    );
-    register_function(violate_seccomp_filters_def);
-
     let echo_float_def = GuestFunctionDefinition::new(
         "EchoFloat".to_string(),
         Vec::from(&[ParameterType::Float]),