| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <linux/futex.h> | 9 #include <linux/futex.h> |
| 10 #include <sched.h> | 10 #include <sched.h> |
| (...skipping 14 matching lines...) Expand all Loading... |
| 25 #include "base/macros.h" | 25 #include "base/macros.h" |
| 26 #include "base/posix/eintr_wrapper.h" | 26 #include "base/posix/eintr_wrapper.h" |
| 27 #include "base/threading/thread.h" | 27 #include "base/threading/thread.h" |
| 28 #include "build/build_config.h" | 28 #include "build/build_config.h" |
| 29 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 29 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 30 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 30 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 31 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 31 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 32 #include "sandbox/linux/seccomp-bpf/syscall.h" | 32 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 33 #include "sandbox/linux/services/android_futex.h" | 33 #include "sandbox/linux/services/android_futex.h" |
| 34 #include "sandbox/linux/services/linux_syscalls.h" | 34 #include "sandbox/linux/services/linux_syscalls.h" |
| 35 #include "sandbox/linux/services/syscall_wrappers.h" |
| 35 #include "sandbox/linux/services/thread_helpers.h" | 36 #include "sandbox/linux/services/thread_helpers.h" |
| 36 #include "sandbox/linux/tests/unit_tests.h" | 37 #include "sandbox/linux/tests/unit_tests.h" |
| 37 | 38 |
| 38 namespace sandbox { | 39 namespace sandbox { |
| 39 | 40 |
| 40 namespace { | 41 namespace { |
| 41 | 42 |
| 42 // |pid| is the return value of a fork()-like call. This | 43 // |pid| is the return value of a fork()-like call. This |
| 43 // makes sure that if fork() succeeded the child exits | 44 // makes sure that if fork() succeeded the child exits |
| 44 // and the parent waits for it. | 45 // and the parent waits for it. |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 106 errno = 0; | 107 errno = 0; |
| 107 pid_t pid = fork(); | 108 pid_t pid = fork(); |
| 108 const int fork_errno = errno; | 109 const int fork_errno = errno; |
| 109 HandlePostForkReturn(pid); | 110 HandlePostForkReturn(pid); |
| 110 | 111 |
| 111 BPF_ASSERT_EQ(-1, pid); | 112 BPF_ASSERT_EQ(-1, pid); |
| 112 BPF_ASSERT_EQ(EPERM, fork_errno); | 113 BPF_ASSERT_EQ(EPERM, fork_errno); |
| 113 } | 114 } |
| 114 | 115 |
| 115 pid_t ForkX86Glibc() { | 116 pid_t ForkX86Glibc() { |
| 116 return syscall(__NR_clone, CLONE_PARENT_SETTID | SIGCHLD); | 117 return sys_clone(CLONE_PARENT_SETTID | SIGCHLD, 0, 0, 0, 0); |
| 117 } | 118 } |
| 118 | 119 |
| 119 BPF_TEST_C(BaselinePolicy, ForkX86Eperm, BaselinePolicy) { | 120 BPF_TEST_C(BaselinePolicy, ForkX86Eperm, BaselinePolicy) { |
| 120 errno = 0; | 121 errno = 0; |
| 121 pid_t pid = ForkX86Glibc(); | 122 pid_t pid = ForkX86Glibc(); |
| 122 const int fork_errno = errno; | 123 const int fork_errno = errno; |
| 123 HandlePostForkReturn(pid); | 124 HandlePostForkReturn(pid); |
| 124 | 125 |
| 125 BPF_ASSERT_EQ(-1, pid); | 126 BPF_ASSERT_EQ(-1, pid); |
| 126 BPF_ASSERT_EQ(EPERM, fork_errno); | 127 BPF_ASSERT_EQ(EPERM, fork_errno); |
| 127 } | 128 } |
| 128 | 129 |
| 129 pid_t ForkARMGlibc() { | 130 pid_t ForkARMGlibc() { |
| 130 return syscall(__NR_clone, | 131 return sys_clone(CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, 0, 0, 0, |
| 131 CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD); | 132 0); |
| 132 } | 133 } |
| 133 | 134 |
| 134 BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) { | 135 BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) { |
| 135 errno = 0; | 136 errno = 0; |
| 136 pid_t pid = ForkARMGlibc(); | 137 pid_t pid = ForkARMGlibc(); |
| 137 const int fork_errno = errno; | 138 const int fork_errno = errno; |
| 138 HandlePostForkReturn(pid); | 139 HandlePostForkReturn(pid); |
| 139 | 140 |
| 140 BPF_ASSERT_EQ(-1, pid); | 141 BPF_ASSERT_EQ(-1, pid); |
| 141 BPF_ASSERT_EQ(EPERM, fork_errno); | 142 BPF_ASSERT_EQ(EPERM, fork_errno); |
| 142 } | 143 } |
| 143 | 144 |
| 144 BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) { | 145 BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) { |
| 145 base::Thread thread("sandbox_tests"); | 146 base::Thread thread("sandbox_tests"); |
| 146 BPF_ASSERT(thread.Start()); | 147 BPF_ASSERT(thread.Start()); |
| 147 } | 148 } |
| 148 | 149 |
| 149 BPF_DEATH_TEST_C(BaselinePolicy, | 150 BPF_DEATH_TEST_C(BaselinePolicy, |
| 150 DisallowedCloneFlagCrashes, | 151 DisallowedCloneFlagCrashes, |
| 151 DEATH_SEGV_MESSAGE(GetCloneErrorMessageContentForTests()), | 152 DEATH_SEGV_MESSAGE(GetCloneErrorMessageContentForTests()), |
| 152 BaselinePolicy) { | 153 BaselinePolicy) { |
| 153 pid_t pid = syscall(__NR_clone, CLONE_THREAD | SIGCHLD); | 154 pid_t pid = sys_clone(CLONE_THREAD | SIGCHLD, 0, 0, 0, 0); |
| 154 HandlePostForkReturn(pid); | 155 HandlePostForkReturn(pid); |
| 155 } | 156 } |
| 156 | 157 |
| 157 BPF_DEATH_TEST_C(BaselinePolicy, | 158 BPF_DEATH_TEST_C(BaselinePolicy, |
| 158 DisallowedKillCrashes, | 159 DisallowedKillCrashes, |
| 159 DEATH_SEGV_MESSAGE(GetKillErrorMessageContentForTests()), | 160 DEATH_SEGV_MESSAGE(GetKillErrorMessageContentForTests()), |
| 160 BaselinePolicy) { | 161 BaselinePolicy) { |
| 161 BPF_ASSERT_NE(1, getpid()); | 162 BPF_ASSERT_NE(1, getpid()); |
| 162 kill(1, 0); | 163 kill(1, 0); |
| 163 _exit(0); | 164 _exit(0); |
| (...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 342 ClockGettimeWithDisallowedClockCrashes, | 343 ClockGettimeWithDisallowedClockCrashes, |
| 343 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), | 344 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), |
| 344 BaselinePolicy) { | 345 BaselinePolicy) { |
| 345 struct timespec ts; | 346 struct timespec ts; |
| 346 clock_gettime(CLOCK_MONOTONIC_RAW, &ts); | 347 clock_gettime(CLOCK_MONOTONIC_RAW, &ts); |
| 347 } | 348 } |
| 348 | 349 |
| 349 } // namespace | 350 } // namespace |
| 350 | 351 |
| 351 } // namespace sandbox | 352 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 684993005:
Linux sandbox: start adding syscall wrappers (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master