| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 5 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <sched.h> | 8 #include <sched.h> |
| 9 #include <sys/resource.h> |
| 9 #include <sys/syscall.h> | 10 #include <sys/syscall.h> |
| 11 #include <sys/types.h> |
| 10 #include <time.h> | 12 #include <time.h> |
| 11 #include <unistd.h> | 13 #include <unistd.h> |
| 12 | 14 |
| 13 #include "base/bind.h" | 15 #include "base/bind.h" |
| 14 #include "base/synchronization/waitable_event.h" | 16 #include "base/synchronization/waitable_event.h" |
| 15 #include "base/sys_info.h" | 17 #include "base/sys_info.h" |
| 16 #include "base/threading/thread.h" | 18 #include "base/threading/thread.h" |
| 17 #include "base/time/time.h" | 19 #include "base/time/time.h" |
| 18 #include "build/build_config.h" | 20 #include "build/build_config.h" |
| 19 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 21 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 20 #include "sandbox/linux/bpf_dsl/policy.h" | 22 #include "sandbox/linux/bpf_dsl/policy.h" |
| 21 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | 23 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" |
| 22 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 24 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 23 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 25 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 24 #include "sandbox/linux/seccomp-bpf/syscall.h" | 26 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 25 #include "sandbox/linux/services/linux_syscalls.h" | 27 #include "sandbox/linux/services/linux_syscalls.h" |
| 28 #include "sandbox/linux/services/syscall_wrappers.h" |
| 26 #include "sandbox/linux/tests/unit_tests.h" | 29 #include "sandbox/linux/tests/unit_tests.h" |
| 27 | 30 |
| 28 #if !defined(OS_ANDROID) | 31 #if !defined(OS_ANDROID) |
| 29 #include "third_party/lss/linux_syscall_support.h" // for MAKE_PROCESS_CPUCLOCK | 32 #include "third_party/lss/linux_syscall_support.h" // for MAKE_PROCESS_CPUCLOCK |
| 30 #endif | 33 #endif |
| 31 | 34 |
| 32 namespace sandbox { | 35 namespace sandbox { |
| 33 | 36 |
| 34 namespace { | 37 namespace { |
| 35 | 38 |
| (...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 156 } | 159 } |
| 157 } | 160 } |
| 158 }; | 161 }; |
| 159 | 162 |
| 160 void CheckSchedGetParam(pid_t pid, struct sched_param* param) { | 163 void CheckSchedGetParam(pid_t pid, struct sched_param* param) { |
| 161 BPF_ASSERT_EQ(0, sched_getparam(pid, param)); | 164 BPF_ASSERT_EQ(0, sched_getparam(pid, param)); |
| 162 } | 165 } |
| 163 | 166 |
| 164 void SchedGetParamThread(base::WaitableEvent* thread_run) { | 167 void SchedGetParamThread(base::WaitableEvent* thread_run) { |
| 165 const pid_t pid = getpid(); | 168 const pid_t pid = getpid(); |
| 166 const pid_t tid = syscall(__NR_gettid); | 169 const pid_t tid = sys_gettid(); |
| 167 BPF_ASSERT_NE(pid, tid); | 170 BPF_ASSERT_NE(pid, tid); |
| 168 | 171 |
| 169 struct sched_param current_pid_param; | 172 struct sched_param current_pid_param; |
| 170 CheckSchedGetParam(pid, ¤t_pid_param); | 173 CheckSchedGetParam(pid, ¤t_pid_param); |
| 171 | 174 |
| 172 struct sched_param zero_param; | 175 struct sched_param zero_param; |
| 173 CheckSchedGetParam(0, &zero_param); | 176 CheckSchedGetParam(0, &zero_param); |
| 174 | 177 |
| 175 struct sched_param tid_param; | 178 struct sched_param tid_param; |
| 176 CheckSchedGetParam(tid, &tid_param); | 179 CheckSchedGetParam(tid, &tid_param); |
| (...skipping 24 matching lines...) Expand all Loading... |
| 201 | 204 |
| 202 BPF_DEATH_TEST_C(ParameterRestrictions, | 205 BPF_DEATH_TEST_C(ParameterRestrictions, |
| 203 sched_getparam_crash_non_zero, | 206 sched_getparam_crash_non_zero, |
| 204 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), | 207 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), |
| 205 RestrictSchedPolicy) { | 208 RestrictSchedPolicy) { |
| 206 const pid_t kInitPID = 1; | 209 const pid_t kInitPID = 1; |
| 207 struct sched_param param; | 210 struct sched_param param; |
| 208 sched_getparam(kInitPID, ¶m); | 211 sched_getparam(kInitPID, ¶m); |
| 209 } | 212 } |
| 210 | 213 |
| 214 class RestrictPrlimit64Policy : public bpf_dsl::Policy { |
| 215 public: |
| 216 RestrictPrlimit64Policy() {} |
| 217 ~RestrictPrlimit64Policy() override {} |
| 218 |
| 219 ResultExpr EvaluateSyscall(int sysno) const override { |
| 220 switch (sysno) { |
| 221 case __NR_prlimit64: |
| 222 return RestrictPrlimit64(getpid()); |
| 223 default: |
| 224 return Allow(); |
| 225 } |
| 226 } |
| 227 }; |
| 228 |
| 229 BPF_TEST_C(ParameterRestrictions, prlimit64_allowed, RestrictPrlimit64Policy) { |
| 230 BPF_ASSERT_EQ(0, syscall(__NR_prlimit64, 0, RLIMIT_AS, NULL, NULL)); |
| 231 BPF_ASSERT_EQ(0, syscall(__NR_prlimit64, getpid(), RLIMIT_AS, NULL, NULL)); |
| 232 } |
| 233 |
| 234 BPF_DEATH_TEST_C(ParameterRestrictions, |
| 235 prlimit64_crash_not_self, |
| 236 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), |
| 237 RestrictPrlimit64Policy) { |
| 238 const pid_t kInitPID = 1; |
| 239 BPF_ASSERT_NE(kInitPID, getpid()); |
| 240 syscall(__NR_prlimit64, kInitPID, RLIMIT_AS, NULL, NULL); |
| 241 } |
| 242 |
| 211 } // namespace | 243 } // namespace |
| 212 | 244 |
| 213 } // namespace sandbox | 245 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 754433003:
Update from https://crrev.com/305340 (Closed)
Base URL: git@github.com:domokit/mojo.git@master