Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(127)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/services/yama_unittests.cc

Issue 1310773006: Update sandbox/linux from upstream (Closed) Base URL: ssh://ssh.github.com/domokit/mojo.git@master
Patch Set: Update to 3909ebfa69566f7374a6900e63cd4d3c73a35378 Created 5 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/services/thread_helpers_unittests.cc ('k') | sandbox/linux/syscall_broker/broker_host_unittests.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <errno.h> 5 #include <errno.h>
6 #include <fcntl.h> 6 #include <fcntl.h>
7 #include <sys/ptrace.h> 7 #include <sys/ptrace.h>
8 #include <sys/stat.h> 8 #include <sys/stat.h>
9 #include <sys/types.h> 9 #include <sys/types.h>
10 #include <unistd.h> 10 #include <unistd.h>
11 11
12 #include "base/bind.h" 12 #include "base/bind.h"
13 #include "base/bind_helpers.h"
13 #include "base/compiler_specific.h" 14 #include "base/compiler_specific.h"
14 #include "base/posix/eintr_wrapper.h" 15 #include "base/posix/eintr_wrapper.h"
15 #include "base/strings/string_util.h" 16 #include "base/strings/string_util.h"
16 #include "base/sys_info.h" 17 #include "base/sys_info.h"
17 #include "sandbox/linux/services/scoped_process.h" 18 #include "sandbox/linux/services/scoped_process.h"
18 #include "sandbox/linux/services/yama.h" 19 #include "sandbox/linux/services/yama.h"
19 #include "sandbox/linux/tests/unit_tests.h" 20 #include "sandbox/linux/tests/unit_tests.h"
20 #include "testing/gtest/include/gtest/gtest.h" 21 #include "testing/gtest/include/gtest/gtest.h"
21 22
22 namespace sandbox { 23 namespace sandbox {
23 24
24 namespace { 25 namespace {
25 26
26 bool HasLinux32Bug() { 27 bool HasLinux32Bug() {
27 #if defined(__i386__) 28 #if defined(__i386__)
28 // On 3.2 kernels, yama doesn't work for 32-bit binaries on 64-bit kernels. 29 // On 3.2 kernels, yama doesn't work for 32-bit binaries on 64-bit kernels.
29 // This is fixed in 3.4. 30 // This is fixed in 3.4.
30 bool is_kernel_64bit = 31 bool is_kernel_64bit =
31 base::SysInfo::OperatingSystemArchitecture() == "x86_64"; 32 base::SysInfo::OperatingSystemArchitecture() == "x86_64";
32 bool is_linux = base::SysInfo::OperatingSystemName() == "Linux"; 33 bool is_linux = base::SysInfo::OperatingSystemName() == "Linux";
33 bool is_3_dot_2 = StartsWithASCII( 34 bool is_3_dot_2 = base::StartsWith(
34 base::SysInfo::OperatingSystemVersion(), "3.2", /*case_sensitive=*/false); 35 base::SysInfo::OperatingSystemVersion(), "3.2",
36 base::CompareCase::INSENSITIVE_ASCII);
35 if (is_kernel_64bit && is_linux && is_3_dot_2) 37 if (is_kernel_64bit && is_linux && is_3_dot_2)
36 return true; 38 return true;
37 #endif // defined(__i386__) 39 #endif // defined(__i386__)
38 return false; 40 return false;
39 } 41 }
40 42
41 bool CanPtrace(pid_t pid) { 43 bool CanPtrace(pid_t pid) {
42 int ret; 44 int ret;
43 ret = ptrace(PTRACE_ATTACH, pid, NULL, NULL); 45 ret = ptrace(PTRACE_ATTACH, pid, NULL, NULL);
44 if (ret == -1) { 46 if (ret == -1) {
(...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after
144 // However, parent can ptrace process1. 146 // However, parent can ptrace process1.
145 ASSERT_TRUE(CanPtrace(process1.GetPid())); 147 ASSERT_TRUE(CanPtrace(process1.GetPid()));
146 148
147 // A sibling can ptrace process2 which disables any Yama protection. 149 // A sibling can ptrace process2 which disables any Yama protection.
148 ScopedProcess process2(base::Bind(&SetYamaRestrictions, false)); 150 ScopedProcess process2(base::Bind(&SetYamaRestrictions, false));
149 ASSERT_TRUE(process2.WaitForClosureToRun()); 151 ASSERT_TRUE(process2.WaitForClosureToRun());
150 ASSERT_TRUE(CanSubProcessPtrace(process2.GetPid())); 152 ASSERT_TRUE(CanSubProcessPtrace(process2.GetPid()));
151 } 153 }
152 } 154 }
153 155
154 void DoNothing() {}
155
156 SANDBOX_TEST(Yama, RestrictPtraceIsDefault) { 156 SANDBOX_TEST(Yama, RestrictPtraceIsDefault) {
157 if (!Yama::IsPresent() || HasLinux32Bug()) 157 if (!Yama::IsPresent() || HasLinux32Bug())
158 return; 158 return;
159 159
160 CHECK(Yama::DisableYamaRestrictions()); 160 CHECK(Yama::DisableYamaRestrictions());
161 ScopedProcess process1(base::Bind(&DoNothing)); 161 ScopedProcess process1(base::Bind(&base::DoNothing));
162 162
163 if (Yama::IsEnforcing()) { 163 if (Yama::IsEnforcing()) {
164 // Check that process1 is protected by Yama, even though it has 164 // Check that process1 is protected by Yama, even though it has
165 // been created from a process that disabled Yama. 165 // been created from a process that disabled Yama.
166 CHECK(!CanSubProcessPtrace(process1.GetPid())); 166 CHECK(!CanSubProcessPtrace(process1.GetPid()));
167 } 167 }
168 } 168 }
169 169
170 } // namespace 170 } // namespace
171 171
172 } // namespace sandbox 172 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/linux/services/thread_helpers_unittests.cc ('k') | sandbox/linux/syscall_broker/broker_host_unittests.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698