| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <netinet/in.h> | 9 #include <netinet/in.h> |
| 10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
| 11 #include <sys/syscall.h> | 11 #include <sys/syscall.h> |
| 12 #include <sys/utsname.h> | 12 #include <sys/utsname.h> |
| 13 #include <unistd.h> | 13 #include <unistd.h> |
| 14 | 14 |
| 15 #include <map> | 15 #include <map> |
| 16 #include <utility> | 16 #include <utility> |
| 17 | 17 |
| 18 #include "base/files/scoped_file.h" | 18 #include "base/files/scoped_file.h" |
| 19 #include "base/macros.h" | 19 #include "base/macros.h" |
| 20 #include "build/build_config.h" | 20 #include "build/build_config.h" |
| 21 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h" | 21 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h" |
| 22 #include "sandbox/linux/bpf_dsl/codegen.h" | 22 #include "sandbox/linux/bpf_dsl/codegen.h" |
| 23 #include "sandbox/linux/bpf_dsl/policy.h" | 23 #include "sandbox/linux/bpf_dsl/policy.h" |
| 24 #include "sandbox/linux/bpf_dsl/policy_compiler.h" | 24 #include "sandbox/linux/bpf_dsl/policy_compiler.h" |
| 25 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" | 25 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" |
| 26 #include "sandbox/linux/bpf_dsl/trap_registry.h" | 26 #include "sandbox/linux/bpf_dsl/test_trap_registry.h" |
| 27 #include "sandbox/linux/bpf_dsl/verifier.h" | 27 #include "sandbox/linux/bpf_dsl/verifier.h" |
| 28 #include "sandbox/linux/seccomp-bpf/errorcode.h" | |
| 29 #include "sandbox/linux/system_headers/linux_filter.h" | 28 #include "sandbox/linux/system_headers/linux_filter.h" |
| 30 #include "testing/gtest/include/gtest/gtest.h" | 29 #include "testing/gtest/include/gtest/gtest.h" |
| 31 | 30 |
| 32 #define CASES SANDBOX_BPF_DSL_CASES | 31 #define CASES SANDBOX_BPF_DSL_CASES |
| 33 | 32 |
| 34 namespace sandbox { | 33 namespace sandbox { |
| 35 namespace bpf_dsl { | 34 namespace bpf_dsl { |
| 36 namespace { | 35 namespace { |
| 37 | 36 |
| 38 // Helper function to construct fake arch_seccomp_data objects. | 37 // Helper function to construct fake arch_seccomp_data objects. |
| (...skipping 12 matching lines...) Expand all Loading... |
| 51 SECCOMP_ARCH, | 50 SECCOMP_ARCH, |
| 52 kFakePC, | 51 kFakePC, |
| 53 { | 52 { |
| 54 p0, p1, p2, p3, p4, p5, | 53 p0, p1, p2, p3, p4, p5, |
| 55 }, | 54 }, |
| 56 }; | 55 }; |
| 57 | 56 |
| 58 return data; | 57 return data; |
| 59 } | 58 } |
| 60 | 59 |
| 61 class FakeTrapRegistry : public TrapRegistry { | |
| 62 public: | |
| 63 FakeTrapRegistry() : map_() {} | |
| 64 virtual ~FakeTrapRegistry() {} | |
| 65 | |
| 66 uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override { | |
| 67 EXPECT_TRUE(safe); | |
| 68 | |
| 69 const uint16_t next_id = map_.size() + 1; | |
| 70 return map_.insert(std::make_pair(Key(fnc, aux), next_id)).first->second; | |
| 71 } | |
| 72 | |
| 73 bool EnableUnsafeTraps() override { | |
| 74 ADD_FAILURE() << "Unimplemented"; | |
| 75 return false; | |
| 76 } | |
| 77 | |
| 78 private: | |
| 79 using Key = std::pair<TrapFnc, const void*>; | |
| 80 | |
| 81 std::map<Key, uint16_t> map_; | |
| 82 | |
| 83 DISALLOW_COPY_AND_ASSIGN(FakeTrapRegistry); | |
| 84 }; | |
| 85 | |
| 86 intptr_t FakeTrapFuncOne(const arch_seccomp_data& data, void* aux) { return 1; } | |
| 87 intptr_t FakeTrapFuncTwo(const arch_seccomp_data& data, void* aux) { return 2; } | |
| 88 | |
| 89 // Test that FakeTrapRegistry correctly assigns trap IDs to trap handlers. | |
| 90 TEST(FakeTrapRegistry, TrapIDs) { | |
| 91 struct { | |
| 92 TrapRegistry::TrapFnc fnc; | |
| 93 const void* aux; | |
| 94 } funcs[] = { | |
| 95 {FakeTrapFuncOne, nullptr}, | |
| 96 {FakeTrapFuncTwo, nullptr}, | |
| 97 {FakeTrapFuncOne, funcs}, | |
| 98 {FakeTrapFuncTwo, funcs}, | |
| 99 }; | |
| 100 | |
| 101 FakeTrapRegistry traps; | |
| 102 | |
| 103 // Add traps twice to test that IDs are reused correctly. | |
| 104 for (int i = 0; i < 2; ++i) { | |
| 105 for (size_t j = 0; j < arraysize(funcs); ++j) { | |
| 106 // Trap IDs start at 1. | |
| 107 EXPECT_EQ(j + 1, traps.Add(funcs[j].fnc, funcs[j].aux, true)); | |
| 108 } | |
| 109 } | |
| 110 } | |
| 111 | |
| 112 class PolicyEmulator { | 60 class PolicyEmulator { |
| 113 public: | 61 public: |
| 114 explicit PolicyEmulator(const Policy* policy) : program_(), traps_() { | 62 explicit PolicyEmulator(const Policy* policy) : program_(), traps_() { |
| 115 program_ = *PolicyCompiler(policy, &traps_).Compile(true /* verify */); | 63 program_ = *PolicyCompiler(policy, &traps_).Compile(true /* verify */); |
| 116 } | 64 } |
| 117 ~PolicyEmulator() {} | 65 ~PolicyEmulator() {} |
| 118 | 66 |
| 119 uint32_t Emulate(const struct arch_seccomp_data& data) const { | 67 uint32_t Emulate(const struct arch_seccomp_data& data) const { |
| 120 const char* err = nullptr; | 68 const char* err = nullptr; |
| 121 uint32_t res = Verifier::EvaluateBPF(program_, data, &err); | 69 uint32_t res = Verifier::EvaluateBPF(program_, data, &err); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 133 void ExpectErrno(uint16_t err, const struct arch_seccomp_data& data) const { | 81 void ExpectErrno(uint16_t err, const struct arch_seccomp_data& data) const { |
| 134 EXPECT_EQ(SECCOMP_RET_ERRNO | err, Emulate(data)); | 82 EXPECT_EQ(SECCOMP_RET_ERRNO | err, Emulate(data)); |
| 135 } | 83 } |
| 136 | 84 |
| 137 void ExpectKill(const struct arch_seccomp_data& data) const { | 85 void ExpectKill(const struct arch_seccomp_data& data) const { |
| 138 EXPECT_EQ(SECCOMP_RET_KILL, Emulate(data)); | 86 EXPECT_EQ(SECCOMP_RET_KILL, Emulate(data)); |
| 139 } | 87 } |
| 140 | 88 |
| 141 private: | 89 private: |
| 142 CodeGen::Program program_; | 90 CodeGen::Program program_; |
| 143 FakeTrapRegistry traps_; | 91 TestTrapRegistry traps_; |
| 144 | 92 |
| 145 DISALLOW_COPY_AND_ASSIGN(PolicyEmulator); | 93 DISALLOW_COPY_AND_ASSIGN(PolicyEmulator); |
| 146 }; | 94 }; |
| 147 | 95 |
| 148 class BasicPolicy : public Policy { | 96 class BasicPolicy : public Policy { |
| 149 public: | 97 public: |
| 150 BasicPolicy() {} | 98 BasicPolicy() {} |
| 151 ~BasicPolicy() override {} | 99 ~BasicPolicy() override {} |
| 152 ResultExpr EvaluateSyscall(int sysno) const override { | 100 ResultExpr EvaluateSyscall(int sysno) const override { |
| 153 if (sysno == __NR_getpgid) { | 101 if (sysno == __NR_getpgid) { |
| (...skipping 352 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 506 EXPECT_TRUE(unsafe->HasUnsafeTraps()); | 454 EXPECT_TRUE(unsafe->HasUnsafeTraps()); |
| 507 | 455 |
| 508 const Arg<int> arg(0); | 456 const Arg<int> arg(0); |
| 509 ResultExpr maybe = If(arg == 0, allow).Else(unsafe); | 457 ResultExpr maybe = If(arg == 0, allow).Else(unsafe); |
| 510 EXPECT_TRUE(maybe->HasUnsafeTraps()); | 458 EXPECT_TRUE(maybe->HasUnsafeTraps()); |
| 511 } | 459 } |
| 512 | 460 |
| 513 } // namespace | 461 } // namespace |
| 514 } // namespace bpf_dsl | 462 } // namespace bpf_dsl |
| 515 } // namespace sandbox | 463 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1292753009:
sandbox/linux: move ErrorCode into bpf_dsl (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@bpf_dsl-deps