| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <errno.h> | 5 #include <errno.h> |
| 6 #include <pthread.h> | 6 #include <pthread.h> |
| 7 #include <sched.h> | 7 #include <sched.h> |
| 8 #include <signal.h> | 8 #include <signal.h> |
| 9 #include <sys/prctl.h> | 9 #include <sys/prctl.h> |
| 10 #include <sys/ptrace.h> | 10 #include <sys/ptrace.h> |
| 11 #include <sys/syscall.h> | 11 #include <sys/syscall.h> |
| 12 #include <sys/time.h> | 12 #include <sys/time.h> |
| 13 #include <sys/types.h> | 13 #include <sys/types.h> |
| 14 #include <sys/utsname.h> | 14 #include <sys/utsname.h> |
| 15 #include <unistd.h> | 15 #include <unistd.h> |
| 16 #include <sys/socket.h> |
| 16 | 17 |
| 17 #if defined(ANDROID) | 18 #if defined(ANDROID) |
| 18 // Work-around for buggy headers in Android's NDK | 19 // Work-around for buggy headers in Android's NDK |
| 19 #define __user | 20 #define __user |
| 20 #endif | 21 #endif |
| 21 #include <linux/futex.h> | 22 #include <linux/futex.h> |
| 22 | 23 |
| 23 #include <ostream> | 24 #include <ostream> |
| 24 | 25 |
| 25 #include "base/bind.h" | 26 #include "base/bind.h" |
| (...skipping 620 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 646 | 647 |
| 647 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { | 648 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { |
| 648 // We use the SIGBUS bit in the signal mask as a thread-local boolean | 649 // We use the SIGBUS bit in the signal mask as a thread-local boolean |
| 649 // value in the implementation of UnsafeTrap(). This is obviously a bit | 650 // value in the implementation of UnsafeTrap(). This is obviously a bit |
| 650 // of a hack that could conceivably interfere with code that uses SIGBUS | 651 // of a hack that could conceivably interfere with code that uses SIGBUS |
| 651 // in more traditional ways. This test verifies that basic functionality | 652 // in more traditional ways. This test verifies that basic functionality |
| 652 // of SIGBUS is not impacted, but it is certainly possibly to construe | 653 // of SIGBUS is not impacted, but it is certainly possibly to construe |
| 653 // more complex uses of signals where our use of the SIGBUS mask is not | 654 // more complex uses of signals where our use of the SIGBUS mask is not |
| 654 // 100% transparent. This is expected behavior. | 655 // 100% transparent. This is expected behavior. |
| 655 int fds[2]; | 656 int fds[2]; |
| 656 BPF_ASSERT(pipe(fds) == 0); | 657 BPF_ASSERT(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0); |
| 657 bus_handler_fd_ = fds[1]; | 658 bus_handler_fd_ = fds[1]; |
| 658 struct sigaction sa = {}; | 659 struct sigaction sa = {}; |
| 659 sa.sa_sigaction = SigBusHandler; | 660 sa.sa_sigaction = SigBusHandler; |
| 660 sa.sa_flags = SA_SIGINFO; | 661 sa.sa_flags = SA_SIGINFO; |
| 661 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0); | 662 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0); |
| 662 raise(SIGBUS); | 663 raise(SIGBUS); |
| 663 char c = '\000'; | 664 char c = '\000'; |
| 664 BPF_ASSERT(read(fds[0], &c, 1) == 1); | 665 BPF_ASSERT(read(fds[0], &c, 1) == 1); |
| 665 BPF_ASSERT(close(fds[0]) == 0); | 666 BPF_ASSERT(close(fds[0]) == 0); |
| 666 BPF_ASSERT(close(fds[1]) == 0); | 667 BPF_ASSERT(close(fds[1]) == 0); |
| (...skipping 1307 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1974 if (SandboxBPF::SupportsSeccompSandbox(-1) != | 1975 if (SandboxBPF::SupportsSeccompSandbox(-1) != |
| 1975 sandbox::SandboxBPF::STATUS_AVAILABLE) { | 1976 sandbox::SandboxBPF::STATUS_AVAILABLE) { |
| 1976 return; | 1977 return; |
| 1977 } | 1978 } |
| 1978 | 1979 |
| 1979 #if defined(__arm__) | 1980 #if defined(__arm__) |
| 1980 printf("This test is currently disabled on ARM due to a kernel bug."); | 1981 printf("This test is currently disabled on ARM due to a kernel bug."); |
| 1981 return; | 1982 return; |
| 1982 #endif | 1983 #endif |
| 1983 | 1984 |
| 1985 #if defined(__mips__) |
| 1986 // TODO: Figure out how to support specificity of handeling indirect syscalls |
| 1987 // in this test and enable it. |
| 1988 printf("This test is currently disabled on MIPS."); |
| 1989 return; |
| 1990 #endif |
| 1991 |
| 1984 pid_t pid = fork(); | 1992 pid_t pid = fork(); |
| 1985 BPF_ASSERT_NE(-1, pid); | 1993 BPF_ASSERT_NE(-1, pid); |
| 1986 if (pid == 0) { | 1994 if (pid == 0) { |
| 1987 pid_t my_pid = getpid(); | 1995 pid_t my_pid = getpid(); |
| 1988 BPF_ASSERT_NE(-1, ptrace(PTRACE_TRACEME, -1, NULL, NULL)); | 1996 BPF_ASSERT_NE(-1, ptrace(PTRACE_TRACEME, -1, NULL, NULL)); |
| 1989 BPF_ASSERT_EQ(0, raise(SIGSTOP)); | 1997 BPF_ASSERT_EQ(0, raise(SIGSTOP)); |
| 1990 SandboxBPF sandbox; | 1998 SandboxBPF sandbox; |
| 1991 sandbox.SetSandboxPolicy(new TraceAllPolicy); | 1999 sandbox.SetSandboxPolicy(new TraceAllPolicy); |
| 1992 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)); | 2000 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)); |
| 1993 | 2001 |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2055 break; | 2063 break; |
| 2056 } | 2064 } |
| 2057 | 2065 |
| 2058 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL)); | 2066 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL)); |
| 2059 } | 2067 } |
| 2060 } | 2068 } |
| 2061 | 2069 |
| 2062 } // namespace | 2070 } // namespace |
| 2063 | 2071 |
| 2064 } // namespace sandbox | 2072 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 260793003:
[MIPS] Add seccomp bpf support (Closed)
Base URL: https://git.chromium.org/git/chromium/src.git@master