Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(76)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/bpf_dsl/bpf_dsl_unittest.cc

Issue 628233002: replace OVERRIDE and FINAL with override and final in sandbox/ (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <fcntl.h> 8 #include <fcntl.h>
9 #include <netinet/in.h> 9 #include <netinet/in.h>
10 #include <sys/socket.h> 10 #include <sys/socket.h>
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after
57 static int socketpair(int domain, int type, int protocol, int sv[2]) { 57 static int socketpair(int domain, int type, int protocol, int sv[2]) {
58 return Syscall::Call(__NR_socketpair, domain, type, protocol, sv); 58 return Syscall::Call(__NR_socketpair, domain, type, protocol, sv);
59 } 59 }
60 #endif 60 #endif
61 }; 61 };
62 62
63 class BasicPolicy : public SandboxBPFDSLPolicy { 63 class BasicPolicy : public SandboxBPFDSLPolicy {
64 public: 64 public:
65 BasicPolicy() {} 65 BasicPolicy() {}
66 virtual ~BasicPolicy() {} 66 virtual ~BasicPolicy() {}
67 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 67 virtual ResultExpr EvaluateSyscall(int sysno) const override {
68 if (sysno == __NR_getpgid) { 68 if (sysno == __NR_getpgid) {
69 const Arg<pid_t> pid(0); 69 const Arg<pid_t> pid(0);
70 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL)); 70 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
71 } 71 }
72 if (sysno == __NR_setuid) { 72 if (sysno == __NR_setuid) {
73 const Arg<uid_t> uid(0); 73 const Arg<uid_t> uid(0);
74 return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM)); 74 return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
75 } 75 }
76 return Allow(); 76 return Allow();
77 } 77 }
78 78
79 private: 79 private:
80 DISALLOW_COPY_AND_ASSIGN(BasicPolicy); 80 DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
81 }; 81 };
82 82
83 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) { 83 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
84 ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0); 84 ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0);
85 ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1); 85 ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1);
86 86
87 ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42); 87 ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42);
88 ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43); 88 ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43);
89 } 89 }
90 90
91 /* On IA-32, socketpair() is implemented via socketcall(). :-( */ 91 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
92 #if !defined(ARCH_CPU_X86) 92 #if !defined(ARCH_CPU_X86)
93 class BooleanLogicPolicy : public SandboxBPFDSLPolicy { 93 class BooleanLogicPolicy : public SandboxBPFDSLPolicy {
94 public: 94 public:
95 BooleanLogicPolicy() {} 95 BooleanLogicPolicy() {}
96 virtual ~BooleanLogicPolicy() {} 96 virtual ~BooleanLogicPolicy() {}
97 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 97 virtual ResultExpr EvaluateSyscall(int sysno) const override {
98 if (sysno == __NR_socketpair) { 98 if (sysno == __NR_socketpair) {
99 const Arg<int> domain(0), type(1), protocol(2); 99 const Arg<int> domain(0), type(1), protocol(2);
100 return If(domain == AF_UNIX && 100 return If(domain == AF_UNIX &&
101 (type == SOCK_STREAM || type == SOCK_DGRAM) && 101 (type == SOCK_STREAM || type == SOCK_DGRAM) &&
102 protocol == 0, 102 protocol == 0,
103 Error(EPERM)).Else(Error(EINVAL)); 103 Error(EPERM)).Else(Error(EINVAL));
104 } 104 }
105 return Allow(); 105 return Allow();
106 } 106 }
107 107
(...skipping 17 matching lines...) Expand all
125 // Completely unacceptable combination; should also return EINVAL. 125 // Completely unacceptable combination; should also return EINVAL.
126 ASSERT_SYSCALL_RESULT( 126 ASSERT_SYSCALL_RESULT(
127 -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv); 127 -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv);
128 } 128 }
129 #endif // !ARCH_CPU_X86 129 #endif // !ARCH_CPU_X86
130 130
131 class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy { 131 class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy {
132 public: 132 public:
133 MoreBooleanLogicPolicy() {} 133 MoreBooleanLogicPolicy() {}
134 virtual ~MoreBooleanLogicPolicy() {} 134 virtual ~MoreBooleanLogicPolicy() {}
135 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 135 virtual ResultExpr EvaluateSyscall(int sysno) const override {
136 if (sysno == __NR_setresuid) { 136 if (sysno == __NR_setresuid) {
137 const Arg<uid_t> ruid(0), euid(1), suid(2); 137 const Arg<uid_t> ruid(0), euid(1), suid(2);
138 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM)) 138 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
139 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN)) 139 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
140 .Else(Error(EINVAL)); 140 .Else(Error(EINVAL));
141 } 141 }
142 return Allow(); 142 return Allow();
143 } 143 }
144 144
145 private: 145 private:
(...skipping 16 matching lines...) Expand all
162 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5); 162 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5);
163 } 163 }
164 164
165 static const uintptr_t kDeadBeefAddr = 165 static const uintptr_t kDeadBeefAddr =
166 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL); 166 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
167 167
168 class ArgSizePolicy : public SandboxBPFDSLPolicy { 168 class ArgSizePolicy : public SandboxBPFDSLPolicy {
169 public: 169 public:
170 ArgSizePolicy() {} 170 ArgSizePolicy() {}
171 virtual ~ArgSizePolicy() {} 171 virtual ~ArgSizePolicy() {}
172 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 172 virtual ResultExpr EvaluateSyscall(int sysno) const override {
173 if (sysno == __NR_uname) { 173 if (sysno == __NR_uname) {
174 const Arg<uintptr_t> addr(0); 174 const Arg<uintptr_t> addr(0);
175 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow()); 175 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
176 } 176 }
177 return Allow(); 177 return Allow();
178 } 178 }
179 179
180 private: 180 private:
181 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy); 181 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
182 }; 182 };
183 183
184 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) { 184 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) {
185 struct utsname buf; 185 struct utsname buf;
186 ASSERT_SYSCALL_RESULT(0, uname, &buf); 186 ASSERT_SYSCALL_RESULT(0, uname, &buf);
187 ASSERT_SYSCALL_RESULT( 187 ASSERT_SYSCALL_RESULT(
188 -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr)); 188 -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
189 } 189 }
190 190
191 class TrappingPolicy : public SandboxBPFDSLPolicy { 191 class TrappingPolicy : public SandboxBPFDSLPolicy {
192 public: 192 public:
193 TrappingPolicy() {} 193 TrappingPolicy() {}
194 virtual ~TrappingPolicy() {} 194 virtual ~TrappingPolicy() {}
195 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 195 virtual ResultExpr EvaluateSyscall(int sysno) const override {
196 if (sysno == __NR_uname) { 196 if (sysno == __NR_uname) {
197 return Trap(UnameTrap, &count_); 197 return Trap(UnameTrap, &count_);
198 } 198 }
199 return Allow(); 199 return Allow();
200 } 200 }
201 201
202 private: 202 private:
203 static intptr_t count_; 203 static intptr_t count_;
204 204
205 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) { 205 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
206 BPF_ASSERT_EQ(&count_, aux); 206 BPF_ASSERT_EQ(&count_, aux);
207 return ++count_; 207 return ++count_;
208 } 208 }
209 209
210 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy); 210 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
211 }; 211 };
212 212
213 intptr_t TrappingPolicy::count_; 213 intptr_t TrappingPolicy::count_;
214 214
215 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) { 215 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
216 ASSERT_SYSCALL_RESULT(1, uname, NULL); 216 ASSERT_SYSCALL_RESULT(1, uname, NULL);
217 ASSERT_SYSCALL_RESULT(2, uname, NULL); 217 ASSERT_SYSCALL_RESULT(2, uname, NULL);
218 ASSERT_SYSCALL_RESULT(3, uname, NULL); 218 ASSERT_SYSCALL_RESULT(3, uname, NULL);
219 } 219 }
220 220
221 class MaskingPolicy : public SandboxBPFDSLPolicy { 221 class MaskingPolicy : public SandboxBPFDSLPolicy {
222 public: 222 public:
223 MaskingPolicy() {} 223 MaskingPolicy() {}
224 virtual ~MaskingPolicy() {} 224 virtual ~MaskingPolicy() {}
225 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 225 virtual ResultExpr EvaluateSyscall(int sysno) const override {
226 if (sysno == __NR_setuid) { 226 if (sysno == __NR_setuid) {
227 const Arg<uid_t> uid(0); 227 const Arg<uid_t> uid(0);
228 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES)); 228 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
229 } 229 }
230 if (sysno == __NR_setgid) { 230 if (sysno == __NR_setgid) {
231 const Arg<gid_t> gid(0); 231 const Arg<gid_t> gid(0);
232 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES)); 232 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
233 } 233 }
234 if (sysno == __NR_setpgid) { 234 if (sysno == __NR_setpgid) {
235 const Arg<pid_t> pid(0); 235 const Arg<pid_t> pid(0);
(...skipping 20 matching lines...) Expand all
256 for (pid_t pid = 0; pid < 0x100; ++pid) { 256 for (pid_t pid = 0; pid < 0x100; ++pid) {
257 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES; 257 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
258 ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0); 258 ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0);
259 } 259 }
260 } 260 }
261 261
262 class ElseIfPolicy : public SandboxBPFDSLPolicy { 262 class ElseIfPolicy : public SandboxBPFDSLPolicy {
263 public: 263 public:
264 ElseIfPolicy() {} 264 ElseIfPolicy() {}
265 virtual ~ElseIfPolicy() {} 265 virtual ~ElseIfPolicy() {}
266 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 266 virtual ResultExpr EvaluateSyscall(int sysno) const override {
267 if (sysno == __NR_setuid) { 267 if (sysno == __NR_setuid) {
268 const Arg<uid_t> uid(0); 268 const Arg<uid_t> uid(0);
269 return If((uid & 0xfff) == 0, Error(0)) 269 return If((uid & 0xfff) == 0, Error(0))
270 .ElseIf((uid & 0xff0) == 0, Error(EINVAL)) 270 .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
271 .ElseIf((uid & 0xf00) == 0, Error(EEXIST)) 271 .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
272 .Else(Error(EACCES)); 272 .Else(Error(EACCES));
273 } 273 }
274 return Allow(); 274 return Allow();
275 } 275 }
276 276
(...skipping 11 matching lines...) Expand all
288 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022); 288 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022);
289 289
290 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111); 290 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111);
291 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222); 291 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
292 } 292 }
293 293
294 class SwitchPolicy : public SandboxBPFDSLPolicy { 294 class SwitchPolicy : public SandboxBPFDSLPolicy {
295 public: 295 public:
296 SwitchPolicy() {} 296 SwitchPolicy() {}
297 virtual ~SwitchPolicy() {} 297 virtual ~SwitchPolicy() {}
298 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 298 virtual ResultExpr EvaluateSyscall(int sysno) const override {
299 if (sysno == __NR_fcntl) { 299 if (sysno == __NR_fcntl) {
300 const Arg<int> cmd(1); 300 const Arg<int> cmd(1);
301 const Arg<unsigned long> long_arg(2); 301 const Arg<unsigned long> long_arg(2);
302 return Switch(cmd) 302 return Switch(cmd)
303 .CASES((F_GETFL, F_GETFD), Error(ENOENT)) 303 .CASES((F_GETFL, F_GETFD), Error(ENOENT))
304 .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL))) 304 .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
305 .Case(F_SETFL, Error(EPERM)) 305 .Case(F_SETFL, Error(EPERM))
306 .Default(Error(EACCES)); 306 .Default(Error(EACCES));
307 } 307 }
308 return Allow(); 308 return Allow();
(...skipping 14 matching lines...) Expand all
323 ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0); 323 ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0);
324 324
325 ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY); 325 ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY);
326 326
327 ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0); 327 ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0);
328 } 328 }
329 329
330 } // namespace 330 } // namespace
331 } // namespace bpf_dsl 331 } // namespace bpf_dsl
332 } // namespace sandbox 332 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc ('k') | sandbox/linux/seccomp-bpf-helpers/baseline_policy.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698