seccomp tools #8
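# CI workflow: cross-compiles the crate's unit tests for two Android targets
# with cargo-ndk, then pushes the test binaries to an Android emulator over
# adb and runs them there.
name: CI
on:
  push:
  pull_request:
  merge_group:
  schedule:
    - cron: "21 3 * * 5"
# Least privilege for GITHUB_TOKEN: no step below writes to the repository,
# so the token is limited to reading its contents.
permissions:
  contents: read
jobs:
  test-android:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - target: x86_64-linux-android
            emulator-arch: x86_64
          - target: i686-linux-android
            emulator-arch: x86
    steps:
      # NOTE(review): every action below is referenced by a mutable tag or
      # branch. Pinning each third-party action to a reviewed full commit SHA
      # (uses: owner/action@<full-commit-sha>) keeps a retagged release from
      # changing what runs in this job.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install JDK
        uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: '21'
      - name: Install Android SDK
        uses: android-actions/setup-android@v2
      - name: Install Android NDK
        run: sdkmanager --install "ndk;25.2.9519653"
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          target: ${{ matrix.target }}
      - uses: Swatinem/rust-cache@v2
      - name: Install cargo-ndk
        # --locked builds with the Cargo.lock published with cargo-ndk instead
        # of re-resolving its dependencies on every run.
        run: cargo install --locked cargo-ndk
      - name: Build unit tests for Android
        run: cargo ndk -t ${{ matrix.target }} test --no-run
      - name: Enable KVM group perms
        # MODE="0666" makes /dev/kvm read/write for every local user. That is
        # a convenience for a throwaway hosted runner; do not carry this rule
        # over to a shared or long-lived host.
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
      - name: Install seccomp-tools
        # NOTE(review): confirm the runner image's apt sources provide a
        # `seccomp-tools` package; upstream distributes the tool as a Ruby gem.
        run: sudo apt-get update && sudo apt-get install -y seccomp-tools
      - name: Check for recvmmsg syscall
        # Diagnostic only: this step reports what it finds and never fails
        # the job.
        run: |
          # The emulator is launched by the last step of this job, so no
          # process is expected to match at this point. An empty PID or a
          # tool failure is reported as such instead of being logged as
          # "not allowed".
          emulator_pid="$(pgrep -x emulator | head -n 1)"
          # NOTE(review): confirm `inspect` is a valid subcommand of the
          # installed seccomp-tools; the upstream README documents asm,
          # disasm, dump and emu.
          # A grep match only shows that the name appears in the tool output;
          # it does not by itself show whether the filter allows the call.
          if [ -z "$emulator_pid" ]; then
            echo "no emulator process found; seccomp filter not inspected"
          elif ! filter_dump="$(seccomp-tools inspect "$emulator_pid")"; then
            echo "seccomp-tools failed; seccomp filter not inspected"
          elif printf '%s\n' "$filter_dump" | grep recvmmsg; then
            echo "recvmmsg syscall is allowed"
          else
            echo "recvmmsg syscall is not allowed"
          fi
      - name: Create emulator script
        # The script is written through a quoted heredoc so that its text
        # reaches the file verbatim. Wrapped in echo '...', the inner quotes
        # around \r closed the outer string and the generated script ended up
        # with `tr -d r`. The matrix.target expression is substituted by
        # Actions before the shell runs, so it is still expanded.
        run: |
          cat > run_tests_on_emulator.sh <<'EOF'
          #!/bin/bash
          set -e
          adb wait-for-device
          while [[ -z "$(adb shell getprop sys.boot_completed | tr -d '\r')" ]]; do sleep 1; done
          adb shell su 0 getenforce
          adb shell su 0 setenforce 1
          adb wait-for-device
          while [[ -z "$(adb shell getprop sys.boot_completed | tr -d '\r')" ]]; do sleep 1; done
          any_failures=0
          for test in $(find target/${{ matrix.target }}/debug/deps/ -type f -executable ! -name "*.so" -name "*-*"); do
              adb push "$test" /data/local/tmp/
              adb shell chmod +x /data/local/tmp/$(basename "$test")
              adb shell /data/local/tmp/$(basename "$test") || any_failures=1
          done
          exit $any_failures
          EOF
          chmod +x run_tests_on_emulator.sh
      - name: Set up Android Emulator and run tests
        uses: reactivecircus/android-emulator-runner@v2
        with:
          api-level: 29
          target: google_apis
          arch: ${{ matrix.emulator-arch }}
          script: ./run_tests_on_emulator.sh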