sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc - Issue 530133003: bpf_dsl: support arbitrary (arg & mask) == val expressions

Side by Side Diff: sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

Issue 530133003: bpf_dsl: support arbitrary (arg & mask) == val expressions (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Add unit tests to sandbox_bpf_unittest.cc Created 6 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <errno.h>	5 #include <errno.h>

6 #include <pthread.h>	6 #include <pthread.h>

7 #include <sched.h>	7 #include <sched.h>

8 #include <signal.h>	8 #include <signal.h>

9 #include <sys/prctl.h>	9 #include <sys/prctl.h>

10 #include <sys/ptrace.h>	10 #include <sys/ptrace.h>

(...skipping 1715 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1726	1726

1727 // 64bit test: any of 0x100000001	1727 // 64bit test: any of 0x100000001

1728 BITMASK_TEST( 10, 0x000000000LL, ANYBITS64,0x100000001, EXPECT_FAILURE);	1728 BITMASK_TEST( 10, 0x000000000LL, ANYBITS64,0x100000001, EXPECT_FAILURE);

1729 BITMASK_TEST( 10, 0x000000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);	1729 BITMASK_TEST( 10, 0x000000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);

1730 BITMASK_TEST( 10, 0x100000000LL, ANYBITS64,0x100000001, EXPT64_SUCCESS);	1730 BITMASK_TEST( 10, 0x100000000LL, ANYBITS64,0x100000001, EXPT64_SUCCESS);

1731 BITMASK_TEST( 10, 0x100000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);	1731 BITMASK_TEST( 10, 0x100000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);

1732 BITMASK_TEST( 10, 0xFFFFFFFFU, ANYBITS64,0x100000001, EXPECT_SUCCESS);	1732 BITMASK_TEST( 10, 0xFFFFFFFFU, ANYBITS64,0x100000001, EXPECT_SUCCESS);

1733 BITMASK_TEST( 10, -1L, ANYBITS64,0x100000001, EXPECT_SUCCESS);	1733 BITMASK_TEST( 10, -1L, ANYBITS64,0x100000001, EXPECT_SUCCESS);

1734 }	1734 }

1735	1735

	1736 class MaskedEqualTestPolicy : public SandboxBPFPolicy {

	1737 public:

	1738 MaskedEqualTestPolicy() {}

	1739 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,

	1740 int sysno) const OVERRIDE;

	1741

	1742 private:

	1743 struct Rule {

	1744 ErrorCode::ArgType arg_type;

	1745 uint64_t mask;

	1746 uint64_t value;

	1747 };

	1748

	1749 static Rule rules[];

	1750

	1751 DISALLOW_COPY_AND_ASSIGN(MaskedEqualTestPolicy);

	1752 };

	1753

	1754 MaskedEqualTestPolicy::Rule MaskedEqualTestPolicy::rules[] = {

	1755 /* 0 = */ {ErrorCode::TP_32BIT, 0x0000000000ff00ff, 0x00000000005500aa},

	1756

	1757 #if __SIZEOF_POINTER__ > 4

	1758 /* 1 = */ {ErrorCode::TP_64BIT, 0x00ff00ff00000000, 0x005500aa00000000},

	1759 /* 2 = */ {ErrorCode::TP_64BIT, 0x00ff00ff00ff00ff, 0x005500aa005500aa},

	1760 #endif

	1761 };

	1762

	1763 ErrorCode MaskedEqualTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,

	1764 int sysno) const {

	1765 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));

	1766

	1767 if (sysno == __NR_uname) {

	1768 ErrorCode err = sandbox->Kill("Invalid test case number");

	1769 for (size_t i = 0; i < arraysize(rules); i++) {

	1770 err = sandbox->Cond(0,

	1771 ErrorCode::TP_32BIT,

	1772 ErrorCode::OP_EQUAL,

	1773 i,

	1774 sandbox->CondMaskedEqual(1,

	1775 rules[i].arg_type,

	1776 rules[i].mask,

	1777 rules[i].value,

	1778 ErrorCode(1),

	1779 ErrorCode(0)),

	1780 err);

	1781 }

	1782 return err;

	1783 }

	1784 return ErrorCode(ErrorCode::ERR_ALLOWED);

	1785 }

	1786

	1787 #define MASKEQ_TEST(rulenum, arg, expected_result) \

	1788 BPF_ASSERT(Syscall::Call(__NR_uname, (rulenum), (arg)) == (expected_result))

	1789

	1790 BPF_TEST_C(SandboxBPF, MaskedEqualTests, MaskedEqualTestPolicy) {

	1791 // Allowed: 0x__55__aa

	1792 MASKEQ_TEST(0, 0x00000000, EXPECT_FAILURE);

	1793 MASKEQ_TEST(0, 0x00000001, EXPECT_FAILURE);

	1794 MASKEQ_TEST(0, 0x00000003, EXPECT_FAILURE);

	1795 MASKEQ_TEST(0, 0x00000100, EXPECT_FAILURE);

	1796 MASKEQ_TEST(0, 0x00000300, EXPECT_FAILURE);

	1797 MASKEQ_TEST(0, 0x005500aa, EXPECT_SUCCESS);

	1798 MASKEQ_TEST(0, 0x005500ab, EXPECT_FAILURE);

	1799 MASKEQ_TEST(0, 0x005600aa, EXPECT_FAILURE);

	1800 MASKEQ_TEST(0, 0x005501aa, EXPECT_SUCCESS);

	1801 MASKEQ_TEST(0, 0x005503aa, EXPECT_SUCCESS);

	1802 MASKEQ_TEST(0, 0x555500aa, EXPECT_SUCCESS);

	1803 MASKEQ_TEST(0, 0xaa5500aa, EXPECT_SUCCESS);

	1804

	1805 #if __SIZEOF_POINTER__ > 4

	1806 // Allowed: 0x__55__aa________

	1807 MASKEQ_TEST(1, 0x0000000000000000, EXPECT_FAILURE);

	1808 MASKEQ_TEST(1, 0x0000000000000010, EXPECT_FAILURE);

	1809 MASKEQ_TEST(1, 0x0000000000000050, EXPECT_FAILURE);

	1810 MASKEQ_TEST(1, 0x0000000100000000, EXPECT_FAILURE);

	1811 MASKEQ_TEST(1, 0x0000000300000000, EXPECT_FAILURE);

	1812 MASKEQ_TEST(1, 0x0000010000000000, EXPECT_FAILURE);

	1813 MASKEQ_TEST(1, 0x0000030000000000, EXPECT_FAILURE);

	1814 MASKEQ_TEST(1, 0x005500aa00000000, EXPECT_SUCCESS);

	1815 MASKEQ_TEST(1, 0x005500ab00000000, EXPECT_FAILURE);

	1816 MASKEQ_TEST(1, 0x005600aa00000000, EXPECT_FAILURE);

	1817 MASKEQ_TEST(1, 0x005501aa00000000, EXPECT_SUCCESS);

	1818 MASKEQ_TEST(1, 0x005503aa00000000, EXPECT_SUCCESS);

	1819 MASKEQ_TEST(1, 0x555500aa00000000, EXPECT_SUCCESS);

	1820 MASKEQ_TEST(1, 0xaa5500aa00000000, EXPECT_SUCCESS);

	1821 MASKEQ_TEST(1, 0xaa5500aa00000000, EXPECT_SUCCESS);

	1822 MASKEQ_TEST(1, 0xaa5500aa0000cafe, EXPECT_SUCCESS);

	1823

	1824 // Allowed: 0x__55__aa__55__aa

	1825 MASKEQ_TEST(2, 0x0000000000000000, EXPECT_FAILURE);

	1826 MASKEQ_TEST(2, 0x0000000000000010, EXPECT_FAILURE);

	1827 MASKEQ_TEST(2, 0x0000000000000050, EXPECT_FAILURE);

	1828 MASKEQ_TEST(2, 0x0000000100000000, EXPECT_FAILURE);

	1829 MASKEQ_TEST(2, 0x0000000300000000, EXPECT_FAILURE);

	1830 MASKEQ_TEST(2, 0x0000010000000000, EXPECT_FAILURE);

	1831 MASKEQ_TEST(2, 0x0000030000000000, EXPECT_FAILURE);

	1832 MASKEQ_TEST(2, 0x00000000005500aa, EXPECT_FAILURE);

	1833 MASKEQ_TEST(2, 0x005500aa00000000, EXPECT_FAILURE);

	1834 MASKEQ_TEST(2, 0x005500aa005500aa, EXPECT_SUCCESS);

	1835 MASKEQ_TEST(2, 0x005500aa005700aa, EXPECT_FAILURE);

	1836 MASKEQ_TEST(2, 0x005700aa005500aa, EXPECT_FAILURE);

	1837 MASKEQ_TEST(2, 0x005500aa004500aa, EXPECT_FAILURE);

	1838 MASKEQ_TEST(2, 0x004500aa005500aa, EXPECT_FAILURE);

	1839 MASKEQ_TEST(2, 0x005512aa005500aa, EXPECT_SUCCESS);

	1840 MASKEQ_TEST(2, 0x005500aa005534aa, EXPECT_SUCCESS);

	1841 MASKEQ_TEST(2, 0xff5500aa0055ffaa, EXPECT_SUCCESS);

	1842 #endif

	1843 }

	1844

1736 intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void* aux) {	1845 intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void* aux) {

1737 if (args.args[0] != (CLONE_CHILD_CLEARTID \| CLONE_CHILD_SETTID \| SIGCHLD)) {	1846 if (args.args[0] != (CLONE_CHILD_CLEARTID \| CLONE_CHILD_SETTID \| SIGCHLD)) {

1738 // We expect to get called for an attempt to fork(). No need to log that	1847 // We expect to get called for an attempt to fork(). No need to log that

1739 // call. But if we ever get called for anything else, we want to verbosely	1848 // call. But if we ever get called for anything else, we want to verbosely

1740 // print as much information as possible.	1849 // print as much information as possible.

1741 const char* msg = (const char*)aux;	1850 const char* msg = (const char*)aux;

1742 printf(	1851 printf(

1743 "Clone() was called with unexpected arguments\n"	1852 "Clone() was called with unexpected arguments\n"

1744 " nr: %d\n"	1853 " nr: %d\n"

1745 " 1: 0x%llX\n"	1854 " 1: 0x%llX\n"

(...skipping 561 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2307 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 200));	2416 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 200));

2308 BPF_ASSERT_EQ(ENOSYS, errno);	2417 BPF_ASSERT_EQ(ENOSYS, errno);

2309	2418

2310 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));	2419 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));

2311 BPF_ASSERT_EQ(EPERM, errno);	2420 BPF_ASSERT_EQ(EPERM, errno);

2312 }	2421 }

2313	2422

2314 } // namespace	2423 } // namespace

2315	2424

2316 } // namespace sandbox	2425 } // namespace sandbox

OLD	NEW

« sandbox/linux/seccomp-bpf/sandbox_bpf.cc ('K') | « sandbox/linux/seccomp-bpf/sandbox_bpf.cc ('k') | sandbox/linux/seccomp-bpf/verifier.cc » ('j') | no next file with comments »