NonSFI sandbox: restrict futex(2) operations.

components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Sanitizers internally use some syscalls which non-SFI NaCl disallows.
 #if !defined(ADDRESS_SANITIZER) && !defined(THREAD_SANITIZER) && \
     !defined(MEMORY_SANITIZER) && !defined(LEAK_SANITIZER)
 
 #include "components/nacl/loader/nonsfi/nonsfi_sandbox.h"
 
 #include <errno.h>
 #include <fcntl.h>
+#include <linux/futex.h>
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <time.h>
 #include <unistd.h>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/compiler_specific.h"
 #include "base/files/scoped_file.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/sys_info.h"
+#include "base/threading/thread.h"
 #include "base/time/time.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "third_party/lss/linux_syscall_support.h"  // for MAKE_PROCESS_CPUCLOCK
 
 namespace {
 
 void DoPipe(base::ScopedFD* fds) {
@@ skipping 254 matching lines @@
   fcntl(0, F_DUPFD);
 }
 
 BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
                  fcntl_DUPFD_CLOEXEC,
                  DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()),
                  nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
   fcntl(0, F_DUPFD_CLOEXEC);
 }
 
+BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
+                 FutexWithRequeuePriorityInheritence,
+                 DEATH_MESSAGE(sandbox::GetFutexErrorMessageContentForTests()),
+                 nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+  syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI, 0, NULL, NULL, 0);
+  _exit(1);
+}
+
+BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
+                 FutexWithRequeuePriorityInheritencePrivate,
+                 DEATH_MESSAGE(sandbox::GetFutexErrorMessageContentForTests()),
+                 nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+  syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI_PRIVATE, 0, NULL, NULL, 0);
+  _exit(1);
+}
+
+BPF_TEST_C(NaClNonSfiSandboxTest,
+           StartingAndJoiningThreadWorks,
+           nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+    base::Thread thread("sandbox_tests");

[Mark Seaborn, 2014/09/06 00:36:47]

Nit: fix indentation.

You might want to comment that the dtor joins the thread.  It's not obvious.

[jln (very slow on Chromium), 2014/09/06 00:45:37]

Done.

+  BPF_ASSERT(thread.Start());
+}
+
+BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
+                 FutexWithUnlockPIPrivate,
+                 DEATH_MESSAGE(sandbox::GetFutexErrorMessageContentForTests()),
+                 nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
+  syscall(__NR_futex, NULL, FUTEX_UNLOCK_PI_PRIVATE, 0, NULL, NULL, 0);
+  _exit(1);
+}
+
 void* DoAllowedAnonymousMmap() {
   return mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE,
               MAP_ANONYMOUS | MAP_SHARED, -1, 0);
 }
 
 BPF_TEST_C(NaClNonSfiSandboxTest,
            mmap_allowed,
            nacl::nonsfi::NaClNonSfiBPFSandboxPolicy) {
   void* ptr = DoAllowedAnonymousMmap();
   BPF_ASSERT_NE(MAP_FAILED, ptr);
@@ skipping 199 matching lines @@
 RESTRICT_SYSCALL_EPERM_TEST(ptrace);
 RESTRICT_SYSCALL_EPERM_TEST(set_robust_list);
 #if defined(__i386__) || defined(__x86_64__)
 RESTRICT_SYSCALL_EPERM_TEST(time);
 #endif
 
 }  // namespace
 
 #endif  // !ADDRESS_SANITIZER && !THREAD_SANITIZER &&
         // !MEMORY_SANITIZER && !LEAK_SANITIZER