
Side by Side Diff: sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc

Issue 299743002: Add domain-specific language for BPF policies (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Simplify slightly by making Cond into a typedef Created 6 years, 7 months ago
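--- a/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc
@@ -0,0 +1,94 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h"
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "base/macros.h"
+#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+
+namespace sandbox {
+
+namespace {
+
+class BasicPolicy : public SandboxBPFPolicy {
+public:
+BasicPolicy() {}
+virtual ErrorCode EvaluateSyscall(SandboxBPF* sb, int sysno) const OVERRIDE {
+if (sysno == __NR_getpgid) {
+const Arg<pid_t> pid(0);
+return DSL(sb)
+.If(pid == 0).Then(
+ErrorCode(EPERM)
+).Else(
+ErrorCode(EINVAL)
+);
+}
+return ErrorCode(ErrorCode::ERR_ALLOWED);
+}
+
+private:
+DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
+};
+
+BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
+BPF_ASSERT_EQ(-1, getpgid(0));
+BPF_ASSERT_EQ(EPERM, errno);
+
+BPF_ASSERT_EQ(-1, getpgid(1));
+BPF_ASSERT_EQ(EINVAL, errno);
+}
+
+class FancyPolicy : public SandboxBPFPolicy {
+public:
+FancyPolicy() {}
+virtual ErrorCode EvaluateSyscall(SandboxBPF* sb, int sysno) const OVERRIDE {
+if (sysno == __NR_socketpair) {
+const Arg<int> domain(0), type(1), protocol(2);
+return DSL(sb)
+.If(domain == AF_UNIX &&
+(type == SOCK_STREAM || type == SOCK_DGRAM) &&
+protocol == 0).Then(
+ErrorCode(EPERM)
+).Else(
+ErrorCode(EINVAL)
+);
+}
+return ErrorCode(ErrorCode::ERR_ALLOWED);
+}
+
+private:
+DISALLOW_COPY_AND_ASSIGN(FancyPolicy);
+};
+
+void AssertSocketPairError(int expected_errno,
+int domain,
+int type,
+int protocol) {
+int sv[2];
+BPF_ASSERT_EQ(-1, socketpair(domain, type, protocol, sv));
+BPF_ASSERT_EQ(expected_errno, errno);
+}
+
+BPF_TEST_C(BPFDSL, Fancy, FancyPolicy) {
+// Acceptable combinations that should return EPERM.
+AssertSocketPairError(EPERM, AF_UNIX, SOCK_STREAM, 0);
+AssertSocketPairError(EPERM, AF_UNIX, SOCK_DGRAM, 0);
+
+// Combinations that are invalid for only one reason; should return EINVAL.
+AssertSocketPairError(EINVAL, AF_INET, SOCK_STREAM, 0);
+AssertSocketPairError(EINVAL, AF_UNIX, SOCK_SEQPACKET, 0);
+AssertSocketPairError(EINVAL, AF_UNIX, SOCK_STREAM, IPPROTO_TCP);
+
+// Completely unacceptable combination; should also return EINVAL.
+AssertSocketPairError(EINVAL, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP);
+}
+
+} // namespace
+
+} // namespace sandbox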
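Review bot: The Fancy test never passes a `type` argument with flag bits set, so the comparison `type == SOCK_STREAM` in FancyPolicy::EvaluateSyscall is only exercised with bare socket types. On Linux, callers commonly OR `SOCK_CLOEXEC` or `SOCK_NONBLOCK` into that argument, and a policy written in this style would presumably send such calls to the Else branch; because this test also serves as the usage example for the DSL, that behaviour is worth pinning down. I would add `AssertSocketPairError(EINVAL, AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);` to the "invalid for only one reason" group, with a comment that `==` matches the whole argument value (assuming that is what the DSL implements; bpf_dsl.cc is not visible on this page). A one-line comment above each policy class stating that both branches deliberately deny, so that errno identifies which branch the filter took, would also help readers who copy these policies as templates.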