Chromium Code Reviews Chromium Code Reviews
Issue 299743002:
Add domain-specific language for BPF policies (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc |
| diff --git a/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..6f27d1096a17d3c8a8bc0f15cb3d72d4b5be6115 |
| --- /dev/null |
| +++ b/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc |
| @@ -0,0 +1,212 @@ |
| +// Copyright 2014 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h" |
| + |
| +#include <errno.h> |
| +#include <netinet/in.h> |
| +#include <sys/socket.h> |
| +#include <sys/utsname.h> |
| + |
| +#include "base/macros.h" |
| +#include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| +#include "sandbox/linux/seccomp-bpf/errorcode.h" |
| +#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| + |
| +using namespace sandbox::bpf_dsl; |
| + |
| +// Helper macro to assert that expression |expr| returns -1 and sets |
| +// errno to |err|. |
| +#define BPF_ASSERT_ERROR(err, expr) \ |
| + do { \ |
| + errno = 0; \ |
| + BPF_ASSERT_EQ(-1, expr); \ |
| + BPF_ASSERT_EQ(err, errno); \ |
| + } while (0) |
| + |
| +namespace sandbox { |
| + |
| +namespace { |
| + |
| +class BasicPolicy : public SandboxBPFDSLPolicy { |
| + public: |
| + BasicPolicy() {} |
| + virtual ~BasicPolicy() {} |
| + virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| + if (sysno == __NR_getpgid) { |
| + const Arg<pid_t> pid(0); |
| + return If(pid == 0, Error(EPERM)).Else(Error(EINVAL)); |
| + } |
| + return Allow(); |
| + } |
| + |
| + private: |
| + DISALLOW_COPY_AND_ASSIGN(BasicPolicy); |
| +}; |
| + |
| +BPF_TEST_C(BPFDSL, Basic, BasicPolicy) { |
| + BPF_ASSERT_ERROR(EPERM, getpgid(0)); |
| + BPF_ASSERT_ERROR(EINVAL, getpgid(1)); |
| +} |
| + |
| +class BooleanLogicPolicy : public SandboxBPFDSLPolicy { |
| + public: |
| + BooleanLogicPolicy() {} |
| + virtual ~BooleanLogicPolicy() {} |
| + virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| + if (sysno == __NR_socketpair) { |
|
jln (very slow on Chromium)
2014/06/27 01:45:50
x86 32 bits is unhappy with this since it's multip
mdempsky
2014/06/28 00:36:42
Ah, right.
|
| + const Arg<int> domain(0), type(1), protocol(2); |
| + return If(domain == AF_UNIX && |
| + (type == SOCK_STREAM || type == SOCK_DGRAM) && |
| + protocol == 0, |
| + Error(EPERM)).Else(Error(EINVAL)); |
| + } |
| + return Allow(); |
| + } |
| + |
| + private: |
| + DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy); |
| +}; |
| + |
| +BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) { |
| + int sv[2]; |
| + |
| + // Acceptable combinations that should return EPERM. |
| + BPF_ASSERT_ERROR(EPERM, socketpair(AF_UNIX, SOCK_STREAM, 0, sv)); |
| + BPF_ASSERT_ERROR(EPERM, socketpair(AF_UNIX, SOCK_DGRAM, 0, sv)); |
| + |
| + // Combinations that are invalid for only one reason; should return EINVAL. |
| + BPF_ASSERT_ERROR(EINVAL, socketpair(AF_INET, SOCK_STREAM, 0, sv)); |
| + BPF_ASSERT_ERROR(EINVAL, socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv)); |
| + BPF_ASSERT_ERROR(EINVAL, socketpair(AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv)); |
| + |
| + // Completely unacceptable combination; should also return EINVAL. |
| + BPF_ASSERT_ERROR(EINVAL, |
| + socketpair(AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv)); |
| +} |
| + |
| +static const uintptr_t kDeadBeefAddr = |
| + static_cast<uintptr_t>(0xdeadbeefdeadbeefULL); |
| + |
| +class ArgSizePolicy : public SandboxBPFDSLPolicy { |
| + public: |
| + ArgSizePolicy() {} |
| + virtual ~ArgSizePolicy() {} |
| + virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| + if (sysno == __NR_uname) { |
| + const Arg<uintptr_t> addr(0); |
| + return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow()); |
| + } |
| + return Allow(); |
| + } |
| + |
| + private: |
| + DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy); |
| +}; |
| + |
| +BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) { |
| + struct utsname buf; |
| + BPF_ASSERT_EQ(0, uname(&buf)); |
| + |
| + BPF_ASSERT_ERROR(EPERM, |
| + uname(reinterpret_cast<struct utsname*>(kDeadBeefAddr))); |
| +} |
| + |
| +class TrappingPolicy : public SandboxBPFDSLPolicy { |
| + public: |
| + TrappingPolicy() {} |
| + virtual ~TrappingPolicy() {} |
| + virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| + if (sysno == __NR_uname) { |
| + return Trap(UnameTrap, &count_); |
| + } |
| + return Allow(); |
| + } |
| + |
| + private: |
| + static intptr_t count_; |
| + |
| + static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) { |
| + BPF_ASSERT_EQ(&count_, aux); |
| + return ++count_; |
| + } |
| + |
| + DISALLOW_COPY_AND_ASSIGN(TrappingPolicy); |
| +}; |
| + |
| +intptr_t TrappingPolicy::count_; |
| + |
| +BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) { |
| + BPF_ASSERT_EQ(1, uname(NULL)); |
| + BPF_ASSERT_EQ(2, uname(NULL)); |
| + BPF_ASSERT_EQ(3, uname(NULL)); |
| +} |
| + |
| +class MaskingPolicy : public SandboxBPFDSLPolicy { |
| + public: |
| + MaskingPolicy() {} |
| + virtual ~MaskingPolicy() {} |
| + virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| + if (sysno == __NR_setuid) { |
| + const Arg<uid_t> uid(0); |
| + return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES)); |
| + } |
| + if (sysno == __NR_setgid) { |
| + const Arg<gid_t> gid(0); |
| + return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES)); |
| + } |
| + return Allow(); |
| + } |
| + |
| + private: |
| + DISALLOW_COPY_AND_ASSIGN(MaskingPolicy); |
| +}; |
| + |
| +BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) { |
| + for (uid_t uid = 0; uid < 0x100; ++uid) { |
| + const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES; |
| + BPF_ASSERT_ERROR(expect_errno, setuid(uid)); |
| + } |
| + |
| + for (gid_t gid = 0; gid < 0x100; ++gid) { |
| + const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES; |
| + BPF_ASSERT_ERROR(expect_errno, setgid(gid)); |
| + } |
| +} |
| + |
| +class ElseIfPolicy : public SandboxBPFDSLPolicy { |
| + public: |
| + ElseIfPolicy() {} |
| + virtual ~ElseIfPolicy() {} |
| + virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| + if (sysno == __NR_setuid) { |
| + const Arg<uid_t> uid(0); |
| + return If((uid & 0xfff) == 0, Error(0)) |
| + .ElseIf((uid & 0xff0) == 0, Error(EINVAL)) |
| + .ElseIf((uid & 0xf00) == 0, Error(EEXIST)) |
| + .Else(Error(EACCES)); |
| + } |
| + return Allow(); |
| + } |
| + |
| + private: |
| + DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy); |
| +}; |
| + |
| +BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) { |
| + BPF_ASSERT_EQ(0, setuid(0)); |
| + |
| + BPF_ASSERT_ERROR(EINVAL, setuid(0x0001)); |
| + BPF_ASSERT_ERROR(EINVAL, setuid(0x0002)); |
| + |
| + BPF_ASSERT_ERROR(EEXIST, setuid(0x0011)); |
| + BPF_ASSERT_ERROR(EEXIST, setuid(0x0022)); |
| + |
| + BPF_ASSERT_ERROR(EACCES, setuid(0x0111)); |
| + BPF_ASSERT_ERROR(EACCES, setuid(0x0222)); |
| +} |
| + |
| +} // namespace |
| + |
| +} // namespace sandbox |
