CI: add mprotect to the whitelist syscalls

dianpopa · luminitavoicu · commit 8553d64a0fa1 · 2020-12-09T16:48:19.000+02:00
Upon exec, a mprotect call is triggered. Since
this syscall is not whitelisted the CI would fail
with "Bad System Call". This is needed only in the CI.

Signed-off-by: Diana Popa &lt;dpopa@amazon.com&gt;
diff --git a/tests/integration_tests/security/demo_seccomp/src/bin/demo_malicious.rs b/tests/integration_tests/security/demo_seccomp/src/bin/demo_malicious.rs
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 fn main() {
     unsafe {
-        // In this example, the malicious component is outputing to standard input.
+        // In this example, the malicious component is outputting to standard input.
         libc::syscall(libc::SYS_write, libc::STDIN_FILENO, "Hello, world!\n", 14);
     }
 }
diff --git a/tests/integration_tests/security/demo_seccomp/src/bin/seccomp_rules/mod.rs b/tests/integration_tests/security/demo_seccomp/src/bin/seccomp_rules/mod.rs
@@ -18,6 +18,7 @@ pub fn jailer_required_rules() -> Vec<SyscallRuleSet> {
         allow_syscall(libc::SYS_rt_sigaction),
         allow_syscall(libc::SYS_execve),
         allow_syscall(libc::SYS_mmap),
+        allow_syscall(libc::SYS_mprotect),
         #[cfg(target_arch = "x86_64")]
         allow_syscall(libc::SYS_arch_prctl),
         allow_syscall(libc::SYS_set_tid_address),

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`// SPDX-License-Identifier: Apache-2.0`
`3`	`3`	`fn main() {`
`4`	`4`	`unsafe {`
`5`		`- // In this example, the malicious component is outputing to standard input.`
	`5`	`+ // In this example, the malicious component is outputting to standard input.`
`6`	`6`	`libc::syscall(libc::SYS_write, libc::STDIN_FILENO, "Hello, world!\n", 14);`
`7`	`7`	`}`
`8`	`8`	`}`