| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 6 |
| 7 #include <errno.h> |
| 8 #include <netinet/in.h> |
| 9 #include <sys/socket.h> |
| 10 #include <sys/utsname.h> |
| 11 |
| 12 #include "base/macros.h" |
| 13 #include "build/build_config.h" |
| 14 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 15 #include "sandbox/linux/seccomp-bpf/errorcode.h" |
| 16 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
| 17 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 18 |
| 19 using namespace sandbox::bpf_dsl; |
| 20 |
| 21 // Helper macro to assert that invoking system call |sys| directly via |
| 22 // Syscall::Call with arguments |...| returns |res|. |
| 23 // Errors can be asserted by specifying a value like "-EINVAL". |
| 24 #define ASSERT_SYSCALL_RESULT(res, sys, ...) \ |
| 25 BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__)) |
| 26 |
| 27 namespace sandbox { |
| 28 namespace { |
| 29 |
| 30 // Type safe stubs for tested system calls. |
| 31 class Stubs { |
| 32 public: |
| 33 static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); } |
| 34 static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); } |
| 35 static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); } |
| 36 |
| 37 static int uname(struct utsname* buf) { |
| 38 return Syscall::Call(__NR_uname, buf); |
| 39 } |
| 40 |
| 41 static int setresuid(uid_t ruid, uid_t euid, uid_t suid) { |
| 42 return Syscall::Call(__NR_setresuid, ruid, euid, suid); |
| 43 } |
| 44 |
| 45 #if !defined(ARCH_CPU_X86) |
| 46 static int socketpair(int domain, int type, int protocol, int sv[2]) { |
| 47 return Syscall::Call(__NR_socketpair, domain, type, protocol, sv); |
| 48 } |
| 49 #endif |
| 50 }; |
| 51 |
| 52 class BasicPolicy : public SandboxBPFDSLPolicy { |
| 53 public: |
| 54 BasicPolicy() {} |
| 55 virtual ~BasicPolicy() {} |
| 56 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 57 if (sysno == __NR_getpgid) { |
| 58 const Arg<pid_t> pid(0); |
| 59 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL)); |
| 60 } |
| 61 return Allow(); |
| 62 } |
| 63 |
| 64 private: |
| 65 DISALLOW_COPY_AND_ASSIGN(BasicPolicy); |
| 66 }; |
| 67 |
| 68 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) { |
| 69 ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0); |
| 70 ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1); |
| 71 } |
| 72 |
| 73 /* On IA-32, socketpair() is implemented via socketcall(). :-( */ |
| 74 #if !defined(ARCH_CPU_X86) |
| 75 class BooleanLogicPolicy : public SandboxBPFDSLPolicy { |
| 76 public: |
| 77 BooleanLogicPolicy() {} |
| 78 virtual ~BooleanLogicPolicy() {} |
| 79 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 80 if (sysno == __NR_socketpair) { |
| 81 const Arg<int> domain(0), type(1), protocol(2); |
| 82 return If(domain == AF_UNIX && |
| 83 (type == SOCK_STREAM || type == SOCK_DGRAM) && |
| 84 protocol == 0, |
| 85 Error(EPERM)).Else(Error(EINVAL)); |
| 86 } |
| 87 return Allow(); |
| 88 } |
| 89 |
| 90 private: |
| 91 DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy); |
| 92 }; |
| 93 |
| 94 BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) { |
| 95 int sv[2]; |
| 96 |
| 97 // Acceptable combinations that should return EPERM. |
| 98 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv); |
| 99 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv); |
| 100 |
| 101 // Combinations that are invalid for only one reason; should return EINVAL. |
| 102 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv); |
| 103 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv); |
| 104 ASSERT_SYSCALL_RESULT( |
| 105 -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv); |
| 106 |
| 107 // Completely unacceptable combination; should also return EINVAL. |
| 108 ASSERT_SYSCALL_RESULT( |
| 109 -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv); |
| 110 } |
| 111 #endif // !ARCH_CPU_X86 |
| 112 |
| 113 class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy { |
| 114 public: |
| 115 MoreBooleanLogicPolicy() {} |
| 116 virtual ~MoreBooleanLogicPolicy() {} |
| 117 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 118 if (sysno == __NR_setresuid) { |
| 119 const Arg<uid_t> ruid(0), euid(1), suid(2); |
| 120 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM)) |
| 121 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN)) |
| 122 .Else(Error(EINVAL)); |
| 123 } |
| 124 return Allow(); |
| 125 } |
| 126 |
| 127 private: |
| 128 DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy); |
| 129 }; |
| 130 |
| 131 BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) { |
| 132 // Expect EPERM if any set to 0. |
| 133 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5); |
| 134 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5); |
| 135 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0); |
| 136 |
| 137 // Expect EAGAIN if all set to 1. |
| 138 ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1); |
| 139 |
| 140 // Expect EINVAL for anything else. |
| 141 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1); |
| 142 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1); |
| 143 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5); |
| 144 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5); |
| 145 } |
| 146 |
| 147 static const uintptr_t kDeadBeefAddr = |
| 148 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL); |
| 149 |
| 150 class ArgSizePolicy : public SandboxBPFDSLPolicy { |
| 151 public: |
| 152 ArgSizePolicy() {} |
| 153 virtual ~ArgSizePolicy() {} |
| 154 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 155 if (sysno == __NR_uname) { |
| 156 const Arg<uintptr_t> addr(0); |
| 157 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow()); |
| 158 } |
| 159 return Allow(); |
| 160 } |
| 161 |
| 162 private: |
| 163 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy); |
| 164 }; |
| 165 |
| 166 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) { |
| 167 struct utsname buf; |
| 168 ASSERT_SYSCALL_RESULT(0, uname, &buf); |
| 169 ASSERT_SYSCALL_RESULT( |
| 170 -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr)); |
| 171 } |
| 172 |
| 173 class TrappingPolicy : public SandboxBPFDSLPolicy { |
| 174 public: |
| 175 TrappingPolicy() {} |
| 176 virtual ~TrappingPolicy() {} |
| 177 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 178 if (sysno == __NR_uname) { |
| 179 return Trap(UnameTrap, &count_); |
| 180 } |
| 181 return Allow(); |
| 182 } |
| 183 |
| 184 private: |
| 185 static intptr_t count_; |
| 186 |
| 187 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) { |
| 188 BPF_ASSERT_EQ(&count_, aux); |
| 189 return ++count_; |
| 190 } |
| 191 |
| 192 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy); |
| 193 }; |
| 194 |
| 195 intptr_t TrappingPolicy::count_; |
| 196 |
| 197 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) { |
| 198 ASSERT_SYSCALL_RESULT(1, uname, NULL); |
| 199 ASSERT_SYSCALL_RESULT(2, uname, NULL); |
| 200 ASSERT_SYSCALL_RESULT(3, uname, NULL); |
| 201 } |
| 202 |
| 203 class MaskingPolicy : public SandboxBPFDSLPolicy { |
| 204 public: |
| 205 MaskingPolicy() {} |
| 206 virtual ~MaskingPolicy() {} |
| 207 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 208 if (sysno == __NR_setuid) { |
| 209 const Arg<uid_t> uid(0); |
| 210 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES)); |
| 211 } |
| 212 if (sysno == __NR_setgid) { |
| 213 const Arg<gid_t> gid(0); |
| 214 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES)); |
| 215 } |
| 216 return Allow(); |
| 217 } |
| 218 |
| 219 private: |
| 220 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy); |
| 221 }; |
| 222 |
| 223 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) { |
| 224 for (uid_t uid = 0; uid < 0x100; ++uid) { |
| 225 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES; |
| 226 ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid); |
| 227 } |
| 228 |
| 229 for (gid_t gid = 0; gid < 0x100; ++gid) { |
| 230 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES; |
| 231 ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid); |
| 232 } |
| 233 } |
| 234 |
| 235 class ElseIfPolicy : public SandboxBPFDSLPolicy { |
| 236 public: |
| 237 ElseIfPolicy() {} |
| 238 virtual ~ElseIfPolicy() {} |
| 239 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 240 if (sysno == __NR_setuid) { |
| 241 const Arg<uid_t> uid(0); |
| 242 return If((uid & 0xfff) == 0, Error(0)) |
| 243 .ElseIf((uid & 0xff0) == 0, Error(EINVAL)) |
| 244 .ElseIf((uid & 0xf00) == 0, Error(EEXIST)) |
| 245 .Else(Error(EACCES)); |
| 246 } |
| 247 return Allow(); |
| 248 } |
| 249 |
| 250 private: |
| 251 DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy); |
| 252 }; |
| 253 |
| 254 BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) { |
| 255 ASSERT_SYSCALL_RESULT(0, setuid, 0); |
| 256 |
| 257 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001); |
| 258 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002); |
| 259 |
| 260 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011); |
| 261 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022); |
| 262 |
| 263 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111); |
| 264 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222); |
| 265 } |
| 266 |
| 267 } // namespace |
| 268 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 396323002:
Add domain-specific language for BPF policies (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src