sandbox: Add Arm64 support for seccomp-BPF

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ skipping 230 matching lines @@
   virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(ErrnoTestPolicy);
 };
 
 ErrorCode ErrnoTestPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   switch (sysno) {
     case __NR_dup3:    // dup2 is a wrapper of dup3 in android
+#if defined(__NR_dup2)
     case __NR_dup2:
+#endif
       // Pretend that dup2() worked, but don't actually do anything.
       return ErrorCode(0);
     case __NR_setuid:
 #if defined(__NR_setuid32)
     case __NR_setuid32:
 #endif
       // Return errno = 1.
       return ErrorCode(1);
     case __NR_setgid:
 #if defined(__NR_setgid32)
@@ skipping 493 matching lines @@
 
 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args,
                                void* aux) {
   BPF_ASSERT(aux);
   BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux);
   switch (args.nr) {
     case __NR_faccessat:    // access is a wrapper of faccessat in android
       BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
       return broker_process->Access(reinterpret_cast<const char*>(args.args[1]),
                                     static_cast<int>(args.args[2]));
+#if defined(__NR_access)
     case __NR_access:
       return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
                                     static_cast<int>(args.args[1]));
+#endif
+#if defined(__NR_open)
     case __NR_open:
       return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
                                   static_cast<int>(args.args[1]));
+#endif
     case __NR_openat:
       // We only call open() so if we arrive here, it's because glibc uses
       // the openat() system call.
       BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
       return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
                                   static_cast<int>(args.args[2]));
     default:
       BPF_ASSERT(false);
       return -ENOSYS;
   }
 }
 
 ErrorCode DenyOpenPolicy(SandboxBPF* sandbox,
                          int sysno,
                          InitializedOpenBroker* iob) {
   if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_faccessat:
+#if defined(__NR_access)
     case __NR_access:
+#endif
+#if defined(__NR_open)
     case __NR_open:
+#endif
     case __NR_openat:
       // We get a InitializedOpenBroker class, but our trap handler wants
       // the BrokerProcess object.
       return ErrorCode(
           sandbox->Trap(BrokerOpenTrapHandler, iob->broker_process()));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
@@ skipping 58 matching lines @@
 
 ErrorCode SimpleCondTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                 int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
 
   // We deliberately return unusual errno values upon failure, so that we
   // can uniquely test for these values. In a "real" policy, you would want
   // to return more traditional values.
   int flags_argument_position = -1;
   switch (sysno) {
+#if defined(__NR_open)
     case __NR_open:
+      flags_argument_position = 1;
+#endif
     case __NR_openat:  // open can be a wrapper for openat(2).
-      if (sysno == __NR_open) {
-        flags_argument_position = 1;
-      } else if (sysno == __NR_openat) {
+      if (sysno == __NR_openat)
         flags_argument_position = 2;
-      }
+
       // Allow opening files for reading, but don't allow writing.
       COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits);
       return sandbox->Cond(flags_argument_position,
                            ErrorCode::TP_32BIT,
                            ErrorCode::OP_HAS_ANY_BITS,
                            O_ACCMODE /* 0x3 */,
                            ErrorCode(EROFS),
                            ErrorCode(ErrorCode::ERR_ALLOWED));
     case __NR_prctl:
       // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but
@@ skipping 317 matching lines @@
         -err);
   }
 
   // Vector of ArgValue trees. These trees define all the possible boolean
   // expressions that we want to turn into a BPF filter program.
   std::vector<ArgValue*> arg_values_;
 
   // Don't increase these values. We are pushing the limits of the maximum
   // BPF program that the kernel will allow us to load. If the values are
   // increased too much, the test will start failing.
-  static const int kNumTestCases = 40;
+  static const int kNumTestCases = 30;

[jln (very slow on Chromium), 2014/08/21 19:04:53]

Maybe let's change it depending on architecture?

I wouldn't want to reduce test coverage on existing archs.

[leecam, 2014/08/22 10:44:17]

Done.

   static const int kMaxFanOut = 3;
   static const int kMaxArgs = 6;
 };
 
 ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox,
                                    int sysno,
                                    EqualityStressTest* aux) {
   DCHECK(aux);
   return aux->Policy(sandbox, sysno);
 }
@@ skipping 696 matching lines @@
 // values here.
 #define IS_SECCOMP_EVENT(status) ((status >> 16) == 7 || (status >> 16) == 8)
 #endif
 
 #if defined(__arm__)
 #ifndef PTRACE_SET_SYSCALL
 #define PTRACE_SET_SYSCALL 23
 #endif
 #endif
 
+#if defined(__aarch64__)
+#ifndef PTRACE_GETREGS
+#define PTRACE_GETREGS 12
+#endif
+#endif
+
+#if defined(__aarch64__)
+#ifndef PTRACE_SETREGS
+#define PTRACE_SETREGS 13
+#endif
+#endif
+
 // Changes the syscall to run for a child being sandboxed using seccomp-bpf with
 // PTRACE_O_TRACESECCOMP.  Should only be called when the child is stopped on
 // PTRACE_EVENT_SECCOMP.
 //
 // regs should contain the current set of registers of the child, obtained using
 // PTRACE_GETREGS.
 //
 // Depending on the architecture, this may modify regs, so the caller is
 // responsible for committing these changes using PTRACE_SETREGS.
 long SetSyscall(pid_t pid, regs_struct* regs, int syscall_number) {
@@ skipping 28 matching lines @@
   if (SandboxBPF::SupportsSeccompSandbox(-1) !=
       sandbox::SandboxBPF::STATUS_AVAILABLE) {
     return;
   }
 
 #if defined(__arm__)
   printf("This test is currently disabled on ARM due to a kernel bug.");
   return;
 #endif
 
+#if defined(__aarch64__)
+  printf("This test is currently disabled on ARM64..");

[jln (very slow on Chromium), 2014/08/21 19:04:53]

Could you add a link to the open bug about this? (and above as well).

[leecam, 2014/08/22 10:44:17]

Done.

+  return;
+#endif
+
 #if defined(__mips__)
   // TODO: Figure out how to support specificity of handling indirect syscalls
   //        in this test and enable it.
   printf("This test is currently disabled on MIPS.");
   return;
 #endif
 
   pid_t pid = fork();
   BPF_ASSERT_NE(-1, pid);
   if (pid == 0) {
@@ skipping 150 matching lines @@
                          kLargeOffset));
   BPF_ASSERT_EQ(0, memcmp(kTestString, read_test_string, sizeof(kTestString)));
   BPF_ASSERT(pread_64_was_forwarded);
 }
 
 #endif  // !defined(OS_ANDROID)
 
 }  // namespace
 
 }  // namespace sandbox