OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
6 | 6 |
| 7 #include <errno.h> |
| 8 #include <sched.h> |
| 9 #include <sys/syscall.h> |
7 #include <time.h> | 10 #include <time.h> |
| 11 #include <unistd.h> |
8 | 12 |
| 13 #include "base/bind.h" |
| 14 #include "base/synchronization/waitable_event.h" |
9 #include "base/sys_info.h" | 15 #include "base/sys_info.h" |
| 16 #include "base/threading/thread.h" |
10 #include "base/time/time.h" | 17 #include "base/time/time.h" |
11 #include "build/build_config.h" | 18 #include "build/build_config.h" |
12 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 19 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
13 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 20 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
14 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 21 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
15 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
16 #include "sandbox/linux/seccomp-bpf/syscall.h" | 23 #include "sandbox/linux/seccomp-bpf/syscall.h" |
17 #include "sandbox/linux/services/linux_syscalls.h" | 24 #include "sandbox/linux/services/linux_syscalls.h" |
18 #include "sandbox/linux/tests/unit_tests.h" | 25 #include "sandbox/linux/tests/unit_tests.h" |
19 | 26 |
(...skipping 109 matching lines...)
129 // and it might not work inside the sandbox anyway. | 136 // and it might not work inside the sandbox anyway. |
130 const pid_t kInitPID = 1; | 137 const pid_t kInitPID = 1; |
131 const clockid_t kInitCPUClockID = | 138 const clockid_t kInitCPUClockID = |
132 MAKE_PROCESS_CPUCLOCK(kInitPID, CPUCLOCK_SCHED); | 139 MAKE_PROCESS_CPUCLOCK(kInitPID, CPUCLOCK_SCHED); |
133 | 140 |
134 struct timespec ts; | 141 struct timespec ts; |
135 clock_gettime(kInitCPUClockID, &ts); | 142 clock_gettime(kInitCPUClockID, &ts); |
136 } | 143 } |
137 #endif // !defined(OS_ANDROID) | 144 #endif // !defined(OS_ANDROID) |
138 | 145 |
| 146 class RestrictSchedPolicy : public SandboxBPFDSLPolicy { |
| 147 public: |
| 148 RestrictSchedPolicy() {} |
| 149 virtual ~RestrictSchedPolicy() {} |
| 150 |
| 151 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 152 switch (sysno) { |
| 153 case __NR_sched_getparam: |
| 154 return RestrictSchedTarget(getpid(), sysno); |
| 155 default: |
| 156 return Allow(); |
| 157 } |
| 158 } |
| 159 }; |
| 160 |
| 161 void CheckSchedGetParam(pid_t pid, struct sched_param* param) { |
| 162 BPF_ASSERT_EQ(0, sched_getparam(pid, param)); |
| 163 } |
| 164 |
| 165 void SchedGetParamThread(base::WaitableEvent* thread_run) { |
| 166 const pid_t pid = getpid(); |
| 167 const pid_t tid = syscall(__NR_gettid); |
| 168 BPF_ASSERT_NE(pid, tid); |
| 169 |
| 170 struct sched_param current_pid_param; |
| 171 CheckSchedGetParam(pid, ¤t_pid_param); |
| 172 |
| 173 struct sched_param zero_param; |
| 174 CheckSchedGetParam(0, &zero_param); |
| 175 |
| 176 struct sched_param tid_param; |
| 177 CheckSchedGetParam(tid, &tid_param); |
| 178 |
| 179 BPF_ASSERT_EQ(zero_param.sched_priority, tid_param.sched_priority); |
| 180 |
| 181 // Verify that the SIGSYS handler sets errno properly. |
| 182 errno = 0; |
| 183 BPF_ASSERT_EQ(-1, sched_getparam(tid, NULL)); |
| 184 BPF_ASSERT_EQ(EINVAL, errno); |
| 185 |
| 186 thread_run->Signal(); |
| 187 } |
| 188 |
| 189 BPF_TEST_C(ParameterRestrictions, |
| 190 sched_getparam_allowed, |
| 191 RestrictSchedPolicy) { |
| 192 base::WaitableEvent thread_run(true, false); |
| 193 // Run the actual test in a new thread so that the current pid and tid are |
| 194 // different. |
| 195 base::Thread getparam_thread("sched_getparam_thread"); |
| 196 BPF_ASSERT(getparam_thread.Start()); |
| 197 getparam_thread.message_loop()->PostTask( |
| 198 FROM_HERE, base::Bind(&SchedGetParamThread, &thread_run)); |
| 199 BPF_ASSERT(thread_run.TimedWait(base::TimeDelta::FromMilliseconds(5000))); |
| 200 getparam_thread.Stop(); |
| 201 } |
| 202 |
| 203 BPF_DEATH_TEST_C(ParameterRestrictions, |
| 204 sched_getparam_crash_non_zero, |
| 205 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), |
| 206 RestrictSchedPolicy) { |
| 207 const pid_t kInitPID = 1; |
| 208 struct sched_param param; |
| 209 sched_getparam(kInitPID, ¶m); |
| 210 } |
| 211 |
139 } // namespace | 212 } // namespace |
140 | 213 |
141 } // namespace sandbox | 214 } // namespace sandbox |
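Review bot: The death test `sched_getparam_crash_non_zero` (new lines 203-210) is named as if any non-zero pid must crash, but `SchedGetParamThread` (new lines 165-187) asserts that the non-zero values `getpid()` and the caller's tid both succeed. The rule under test is narrower: an id that is not 0, not our pid and not our tid. A name such as `sched_getparam_crash_other_pid` would say that, or a comment above the call, e.g. `// pid 1 is neither 0, getpid() nor our tid, so the policy must crash here.` The denied path is also exercised with pid 1 only, so a second death test using a different foreign id would show the restriction is not specific to init. `RestrictSchedTarget` itself is not visible on this page, so its exact allow-list is inferred from these tests.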