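--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,52 +1,52 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 
 #include <errno.h>
 #include <sched.h>
 #include <sys/syscall.h>
 #include <time.h>
 #include <unistd.h>
 
 #include "base/bind.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/sys_info.h"
 #include "base/threading/thread.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/tests/unit_tests.h"
 
 #if !defined(OS_ANDROID)
 #include "third_party/lss/linux_syscall_support.h" // for MAKE_PROCESS_CPUCLOCK
 #endif
 
 namespace sandbox {
 
 namespace {
 
 // NOTE: most of the parameter restrictions are tested in
 // baseline_policy_unittest.cc as a more end-to-end test.
 
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::ResultExpr;
-using sandbox::bpf_dsl::SandboxBPFDSLPolicy;
 
-class RestrictClockIdPolicy : public SandboxBPFDSLPolicy {
+class RestrictClockIdPolicy : public bpf_dsl::Policy {
 public:
 RestrictClockIdPolicy() {}
 virtual ~RestrictClockIdPolicy() {}
 
 virtual ResultExpr EvaluateSyscall(int sysno) const override {
 switch (sysno) {
 case __NR_clock_gettime:
 case __NR_clock_getres:
 return RestrictClockID();
 default:
@@ -84,24 +84,22 @@
 
 // A custom BPF tester delegate to run IsRunningOnChromeOS() before
 // the sandbox is enabled because we cannot run it with non-SFI BPF
 // sandbox enabled.
 class ClockSystemTesterDelegate : public sandbox::BPFTesterDelegate {
 public:
 ClockSystemTesterDelegate()
 : is_running_on_chromeos_(base::SysInfo::IsRunningOnChromeOS()) {}
 virtual ~ClockSystemTesterDelegate() {}
 
-virtual scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy>
-GetSandboxBPFPolicy() override {
-return scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy>(
-new RestrictClockIdPolicy());
+virtual scoped_ptr<sandbox::bpf_dsl::Policy> GetSandboxBPFPolicy() override {
+return scoped_ptr<sandbox::bpf_dsl::Policy>(new RestrictClockIdPolicy());
 }
 virtual void RunTestFunction() override {
 if (is_running_on_chromeos_) {
 CheckClock(base::TimeTicks::kClockSystemTrace);
 } else {
 struct timespec ts;
 // kClockSystemTrace is 11, which is CLOCK_THREAD_CPUTIME_ID of
 // the init process (pid=1). If kernel supports this feature,
 // this may succeed even if this is not running on Chrome OS. We
 // just check this clock_gettime call does not crash.
@@ -137,21 +135,21 @@
 // and it might not work inside the sandbox anyway.
 const pid_t kInitPID = 1;
 const clockid_t kInitCPUClockID =
 MAKE_PROCESS_CPUCLOCK(kInitPID, CPUCLOCK_SCHED);
 
 struct timespec ts;
 clock_gettime(kInitCPUClockID, &ts);
 }
 #endif // !defined(OS_ANDROID)
 
-class RestrictSchedPolicy : public SandboxBPFDSLPolicy {
+class RestrictSchedPolicy : public bpf_dsl::Policy {
 public:
 RestrictSchedPolicy() {}
 virtual ~RestrictSchedPolicy() {}
 
 virtual ResultExpr EvaluateSyscall(int sysno) const override {
 switch (sysno) {
 case __NR_sched_getparam:
 return RestrictSchedTarget(getpid(), sysno);
 default:
 return Allow();
@@ -206,10 +204,10 @@
 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
 RestrictSchedPolicy) {
 const pid_t kInitPID = 1;
 struct sched_param param;
 sched_getparam(kInitPID, ¶m);
 }
 
 } // namespace
 
 } // namespace sandbox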
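Review bot: The rewritten `GetSandboxBPFPolicy` declaration at new line 94 keeps `virtual` next to `override`, which is redundant now that the line is being touched anyway; `scoped_ptr<sandbox::bpf_dsl::Policy> GetSandboxBPFPolicy() override {` says the same thing with less noise. On new line 95 the base type is spelled out a second time around a raw `new`; if the tree's scoped_ptr offers `make_scoped_ptr`, `return make_scoped_ptr(new RestrictClockIdPolicy());` avoids repeating it and relies on the derived-to-base conversion on return. The same `virtual ... override` pairing appears on the unchanged `EvaluateSyscall` overrides, so this is pre-existing style rather than something this change introduces, and the enclosing `ClockSystemTesterDelegate` class continues past the visible rows.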