Non-SFI NaCl: Disallow fancy clock IDs

components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // ASan internally uses some syscalls which non-SFI NaCl disallows.
 // Seccomp-BPF tests die under TSan v2. See http://crbug.com/356588
 #if !defined(ADDRESS_SANITIZER) && !defined(THREAD_SANITIZER)
 
 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <time.h>
 #include <unistd.h>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
+#include "third_party/lss/linux_syscall_support.h"  // for MAKE_PROCESS_CPUCLOCK
 
 namespace {
 
 void DoPipe(base::ScopedFD* fds) {
   int tmp_fds[2];
   BPF_ASSERT_EQ(0, pipe(tmp_fds));
   fds[0].reset(tmp_fds[0]);
   fds[1].reset(tmp_fds[1]);
 }
 
@@ skipping 339 matching lines @@
            nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
   char* next_brk = static_cast<char*>(sbrk(0)) + getpagesize();
   // The kernel interface must return zero for brk.
   BPF_ASSERT_EQ(0, syscall(__NR_brk, next_brk));
   // The libc wrapper translates it to ENOMEM.
   errno = 0;
   BPF_ASSERT_EQ(-1, brk(next_brk));
   BPF_ASSERT_EQ(ENOMEM, errno);
 }
 
+void CheckClock(clockid_t clockid) {
+  struct timespec ts;
+  ts.tv_sec = ts.tv_nsec = -1;
+  BPF_ASSERT_EQ(0, clock_gettime(clockid, &ts));
+  BPF_ASSERT_LE(0, ts.tv_sec);
+  BPF_ASSERT_LE(0, ts.tv_nsec);
+}
+
+BPF_TEST_C(NaClNonSfiSandboxTest,
+           clock_gettime_allowed,
+           nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+  CheckClock(CLOCK_MONOTONIC);
+  CheckClock(CLOCK_PROCESS_CPUTIME_ID);
+  CheckClock(CLOCK_REALTIME);
+  CheckClock(CLOCK_THREAD_CPUTIME_ID);
+}
+
+BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
+                 clock_gettime_crash_monotonic_raw,
+                 DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()),
+                 nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+  struct timespec ts;
+  clock_gettime(CLOCK_MONOTONIC_RAW, &ts);
+}
+
+BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
+                 clock_gettime_crash_cpu_clock,
+                 DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()),
+                 nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+  // We can't use clock_getcpuclockid() because it's not implemented in newlib,
+  // and it might not work inside the sandbox anyway.
+  const pid_t kInitPID = 1;
+  const clockid_t kInitCPUClockID =
+      MAKE_PROCESS_CPUCLOCK(kInitPID, CPUCLOCK_SCHED);
+
+  struct timespec ts;
+  clock_gettime(kInitCPUClockID, &ts);
+}
+
 // The following test cases check if syscalls return EPERM regardless
 // of arguments.
 #define RESTRICT_SYSCALL_EPERM_TEST(name)                      \
   BPF_TEST_C(NaClNonSfiSandboxTest,                            \
              name##_EPERM,                                     \
              nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {       \
     errno = 0;                                                 \
     BPF_ASSERT_EQ(-1, syscall(__NR_##name, 0, 0, 0, 0, 0, 0)); \
     BPF_ASSERT_EQ(EPERM, errno);                               \
   }
@@ skipping 13 matching lines @@
 RESTRICT_SYSCALL_EPERM_TEST(open);
 RESTRICT_SYSCALL_EPERM_TEST(ptrace);
 RESTRICT_SYSCALL_EPERM_TEST(set_robust_list);
 #if defined(__i386__) || defined(__x86_64__)
 RESTRICT_SYSCALL_EPERM_TEST(time);
 #endif
 
 }  // namespace
 
 #endif  // !ADDRESS_SANITIZER && !THREAD_SANITIZER