
Side by Side Diff: sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

Issue 524603002: sandbox: Fix RedirectToUserSpacePolicyWrapper (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: better comments Created 6 years, 3 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <errno.h> 5 #include <errno.h>
6 #include <pthread.h> 6 #include <pthread.h>
7 #include <sched.h> 7 #include <sched.h>
8 #include <signal.h> 8 #include <signal.h>
9 #include <sys/prctl.h> 9 #include <sys/prctl.h>
10 #include <sys/ptrace.h> 10 #include <sys/ptrace.h>
(...skipping 2243 matching lines...) Expand 10 before | Expand all | Expand 10 after
2254 #if !defined(THREAD_SANITIZER) 2254 #if !defined(THREAD_SANITIZER)
2255 SANDBOX_DEATH_TEST(SandboxBPF, StartSingleThreadedAsMultiThreaded, 2255 SANDBOX_DEATH_TEST(SandboxBPF, StartSingleThreadedAsMultiThreaded,
2256 DEATH_MESSAGE("Cannot start sandbox; process may be single-threaded when " 2256 DEATH_MESSAGE("Cannot start sandbox; process may be single-threaded when "
2257 "reported as not")) { 2257 "reported as not")) {
2258 SandboxBPF sandbox; 2258 SandboxBPF sandbox;
2259 sandbox.SetSandboxPolicy(new AllowAllPolicy()); 2259 sandbox.SetSandboxPolicy(new AllowAllPolicy());
2260 BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED)); 2260 BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
2261 } 2261 }
2262 #endif // !defined(THREAD_SANITIZER) 2262 #endif // !defined(THREAD_SANITIZER)
2263 2263
2264 intptr_t NopHandler(const struct arch_seccomp_data& args, void*) {
jln (very slow on Chromium) 2014/08/29 20:40:05 Maybe NoOp rather than Nop? And/Or add a comment.
leecam 2014/08/29 22:56:31 Done.
2265 return -1;
2266 }
2267
2268 class UnsafeTrapWithCondPolicy : public SandboxBPFPolicy {
2269 public:
2270 UnsafeTrapWithCondPolicy() {}
2271 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
2272 int sysno) const OVERRIDE {
2273 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
2274 setenv(kSandboxDebuggingEnv, "t", 0);
2275 Die::SuppressInfoMessages(true);
2276
2277 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn
jln (very slow on Chromium) 2014/08/29 20:40:05 Should we export a "IsRequiredForUnsafeTrapsSyscal
leecam 2014/08/29 22:56:31 Done.
2278 #if defined(__NR_sigprocmask)
2279 ||
2280 sysno == __NR_sigprocmask
2281 #endif
2282 #if defined(__NR_sigreturn)
2283 ||
2284 sysno == __NR_sigreturn
2285 #endif
2286 ) {
2287 return ErrorCode(ErrorCode::ERR_ALLOWED);
2288 }
2289 switch (sysno) {
2290 case __NR_setuid:
2291 return sandbox->Cond(0,
2292 ErrorCode::TP_32BIT,
2293 ErrorCode::OP_EQUAL,
2294 100,
2295 ErrorCode(ErrorCode::ERR_ALLOWED),
2296 ErrorCode(EPERM));
2297 case __NR_setgid:
2298 return sandbox->Cond(0,
2299 ErrorCode::TP_32BIT,
2300 ErrorCode::OP_EQUAL,
2301 100,
2302 ErrorCode(ErrorCode::ERR_ALLOWED),
2303 sandbox->Cond(0,
2304 ErrorCode::TP_32BIT,
2305 ErrorCode::OP_EQUAL,
2306 200,
2307 ErrorCode(ENOSYS),
2308 ErrorCode(EPERM)));
2309 case __NR_exit_group:
2310 return ErrorCode(ErrorCode::ERR_ALLOWED);
2311 case __NR_getppid:
2312 return sandbox->UnsafeTrap(NopHandler, NULL);
2313 default:
2314 return ErrorCode(EPERM);
2315 }
2316 }
2317
2318 private:
2319 DISALLOW_COPY_AND_ASSIGN(UnsafeTrapWithCondPolicy);
2320 };
2321
2322 BPF_TEST_C(SandboxBPF, UnsafeTrapWithCond, UnsafeTrapWithCondPolicy) {
2323 // Nothing to do, just ensuring policy compiles and verifies.
jln (very slow on Chromium) 2014/08/29 20:40:05 It would be worth checking that the policy does wh
leecam 2014/08/29 22:56:31 Done.
2324 }
2325
2264 } // namespace 2326 } // namespace
2265 2327
2266 } // namespace sandbox 2328 } // namespace sandbox
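Review bot: In `UnsafeTrapWithCondPolicy::EvaluateSyscall`, the calls `setenv(kSandboxDebuggingEnv, "t", 0);` and `Die::SuppressInfoMessages(true);` change process-wide state from inside a `const` method, and nothing explains why the policy needs them. EvaluateSyscall is presumably invoked once per syscall number, so both calls would be repeated on every evaluation; moving them into the constructor would run them once and keep the method free of side effects. A comment such as `// UnsafeTrap() is presumably refused unless kSandboxDebuggingEnv is set; also silence the info message it logs.` would record the dependency, with the wording confirmed against sandbox_bpf.cc, which is not shown on this page. The return value of `setenv` is also ignored, so a failure there would only show up later as an unexplained death in `UnsafeTrap`.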