Add domain-specific language for BPF policies

sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc

Index: sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..31d9549b8bdb33a1d8ce9647247905f4849f8322
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc
@@ -0,0 +1,94 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h"
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "base/macros.h"
+#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+
+namespace sandbox {
+
+namespace {
+
+class BasicPolicy : public SandboxBPFPolicy {
+ public:
+  BasicPolicy() {}
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sb, int sysno) const OVERRIDE {
+    if (sysno == __NR_getpgid) {
+      const Arg<pid_t> pid(0);
+      return DSL(sb)
+          .If(pid == 0).Then(
+            ErrorCode(EPERM)
+          ).Else(
+            ErrorCode(EINVAL)
+          );
+    }
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
+};
+
+BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
+  BPF_ASSERT_EQ(-1, getpgid(0));
+  BPF_ASSERT_EQ(EPERM, errno);
+
+  BPF_ASSERT_EQ(-1, getpgid(1));
+  BPF_ASSERT_EQ(EINVAL, errno);
+}
+
+class FancyPolicy : public SandboxBPFPolicy {
+ public:
+  FancyPolicy() {}
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sb, int sysno) const OVERRIDE {
+    if (sysno == __NR_socketpair) {
+      const Arg<int> domain(0), type(1), protocol(2);
+      return DSL(sb)
+          .If(domain == AF_UNIX &&
+              (type == SOCK_STREAM || type == SOCK_DGRAM) &&
+              protocol == 0).Then(
+            ErrorCode(EPERM)
+          ).Else(
+            ErrorCode(EINVAL)
+          );
+    }
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(FancyPolicy);
+};
+
+void AssertSocketPairError(int expected_errno,
+                           int domain,
+                           int type,
+                           int protocol) {
+  int sv[2];
+  BPF_ASSERT_EQ(-1, socketpair(domain, type, protocol, sv));
+  BPF_ASSERT_EQ(expected_errno, errno);
+}
+
+BPF_TEST_C(BPFDSL, Fancy, FancyPolicy) {
+  // Acceptable combinations that should return EPERM.
+  AssertSocketPairError(EPERM, AF_UNIX, SOCK_STREAM, 0);
+  AssertSocketPairError(EPERM, AF_UNIX, SOCK_DGRAM, 0);
+
+  // Combinations that are invalid for only one reason; should return EINVAL.
+  AssertSocketPairError(EINVAL, AF_INET, SOCK_STREAM, 0);
+  AssertSocketPairError(EINVAL, AF_UNIX, SOCK_SEQPACKET, 0);
+  AssertSocketPairError(EINVAL, AF_UNIX, SOCK_STREAM, IPPROTO_TCP);
+
+  // Completely unacceptable combination; should also return EINVAL.
+  AssertSocketPairError(EINVAL, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP);
+}
+
+}  // namespace
+
+}  // namespace sandbox