Linux sandbox: Allow restricting sched_* on other processes.

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 
+#include <sched.h>
 #include <time.h>
 
+#include "base/bind.h"
 #include "base/sys_info.h"
+#include "base/threading/thread.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/tests/unit_tests.h"
 
@@ skipping 109 matching lines @@
   // and it might not work inside the sandbox anyway.
   const pid_t kInitPID = 1;
   const clockid_t kInitCPUClockID =
       MAKE_PROCESS_CPUCLOCK(kInitPID, CPUCLOCK_SCHED);
 
   struct timespec ts;
   clock_gettime(kInitCPUClockID, &ts);
 }
 #endif  // !defined(OS_ANDROID)
 
+class RestrictSchedPolicy : public SandboxBPFDSLPolicy {
+ public:
+  RestrictSchedPolicy() {}
+  virtual ~RestrictSchedPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+    switch (sysno) {
+      case __NR_sched_getaffinity:
+        return RestrictSchedTarget(getpid(), sysno);
+      default:
+        return Allow();
+    }
+  }
+};
+
+void CheckSchedGetAffinity(pid_t pid, cpu_set_t* mask) {
+  BPF_ASSERT_EQ(0, sched_getaffinity(pid, sizeof(*mask), mask));
+}
+
+void SchedGetAffinityThread() {
+  const pid_t pid = getpid();
+  const pid_t tid = syscall(__NR_gettid);
+  BPF_ASSERT_NE(pid, tid);
+
+  cpu_set_t current_pid_mask;
+  CheckSchedGetAffinity(pid, &current_pid_mask);
+
+  cpu_set_t zero_mask;
+  CheckSchedGetAffinity(0, &zero_mask);
+
+  cpu_set_t tid_mask;
+  CheckSchedGetAffinity(tid, &tid_mask);
+
+  BPF_ASSERT(CPU_EQUAL(&zero_mask, &tid_mask));

[jln (very slow on Chromium), 2014/09/22 21:56:44]

Could you add some testing of errno if you make some wrong call to
sched_getaffinity?

I would like a test that catches your current bug (of using Glibc's syscall())

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Done.

+}
+
+BPF_TEST_C(ParameterRestrictions,
+           sched_getaffinity_allowed,
+           RestrictClockIdPolicy) {
+  // Run the actual test in a new thread so that the current pid and tid are
+  // different.
+  base::Thread getaffinity_thread("getaffinity_thread");
+  BPF_ASSERT(getaffinity_thread.Start());
+  getaffinity_thread.message_loop()->PostTask(
+      FROM_HERE, base::Bind(&SchedGetAffinityThread));
+  getaffinity_thread.Stop();

[jln (very slow on Chromium), 2014/09/22 21:56:44]

You need synchronization here to make sure that your thread has executed the
task posted.

You can take a look at the SendRecvMsgAbortOnReplyFDClose test in base/ for an
example of how to do that.

[rickyz (no longer on Chrome), 2014/09/23 06:03:20]

Done.

+}
+
+BPF_DEATH_TEST_C(ParameterRestrictions,
+                 sched_getaffinity_crash_non_zero,
+                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
+                 RestrictSchedPolicy) {
+  const pid_t kInitPID = 1;
+  cpu_set_t mask;
+  sched_getaffinity(kInitPID, sizeof(mask), &mask);
+}
+
 }  // namespace
 
 }  // namespace sandbox