sandbox: Add support for the new seccomp() system call in kernel 3.17.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ skipping 10 matching lines @@
 #endif
 #include <linux/futex.h>
 
 #include <ostream>
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
+#include "base/synchronization/waitable_event.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "sandbox/linux/services/broker_process.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/tests/scoped_temporary_file.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ skipping 2097 matching lines @@
   BPF_ASSERT(FullPread64(temp_file.fd(),
                          read_test_string,
                          sizeof(read_test_string),
                          kLargeOffset));
   BPF_ASSERT_EQ(0, memcmp(kTestString, read_test_string, sizeof(kTestString)));
   BPF_ASSERT(pread_64_was_forwarded);
 }
 
 #endif  // !defined(OS_ANDROID)
 
+void* TsyncApplyToTwoThreadsFunc(void* cond_ptr) {
+  base::WaitableEvent* event = static_cast<base::WaitableEvent*>(cond_ptr);
+
+  // Wait for the main thread to signal that the filter has been applied.
+  if (!event->IsSignaled()) {
+    event->Wait();
+  }
+
+  BPF_ASSERT(event->IsSignaled());
+
+  // Nanosleep is now blacklisted, so this should fail.

[jln (very slow on Chromium), 2014/08/20 21:34:20]

I would split that into a separate NanoSleepFails() function. You can call it on
the main thread (before the policy is applied) and check that it's false (to
test the function itself) and re-use it here and check that it returns true.

It's a detail, so up to you.

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+  const struct timespec ts = {0, 0};
+  errno = 0;
+  BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
+  BPF_ASSERT(errno == EACCES);
+
+  return NULL;
+}
+
+TEST(SandboxBPF, Tsync) {

[jln (very slow on Chromium), 2014/08/20 21:34:21]

We should not write tests that affects the current process (which can then run
other tests). Please, make this a SANDBOX_TEST instead
(sandbox/linux/tests/unit_tests.h).

Also using BPF_ASSERT would terminate the whole test suite if you're not inside
a SANDBOX_TEST.

[Robert Sesek, 2014/08/21 16:50:18]

Done.

+  if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() !=
+          SandboxBPF::STATUS_AVAILABLE) {
+    LOG(INFO) << "Skipping test: tsync unavailable";
+    return;
+  }
+
+  base::WaitableEvent event(true, false);
+
+  // Create a thread on which to invoke the blocked syscall.
+  pthread_t thread;
+  BPF_ASSERT_EQ(0,
+      pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event));
+
+  // Engage the sandbox.
+  SandboxBPF sandbox;
+  sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy());
+  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
+
+  // Signal the condition to invoke the system call.
+  event.Signal();
+
+  // Wait for the thread to finish.
+  BPF_ASSERT_EQ(0, pthread_join(thread, NULL));
+}
+

[jln (very slow on Chromium), 2014/08/20 21:34:20]

If you feel like writing more tests, I think a death test checking that we crash
when passing PROCESS_SINGLE_THREADED on a multithreaded process could be useful.

[Robert Sesek, 2014/08/21 16:50:18]

Depending on the discussion around the other comment regarding
SandboxThreadState, I'll do this.

 }  // namespace
 
 }  // namespace sandbox