Update from https://crrev.com/306655

sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <pthread.h>
 #include <sched.h>
@@ skipping 24 matching lines @@
 #include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
+#include "sandbox/linux/syscall_broker/broker_file_permission.h"
 #include "sandbox/linux/syscall_broker/broker_process.h"
 #include "sandbox/linux/tests/scoped_temporary_file.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 // Workaround for Android's prctl.h file.
 #ifndef PR_GET_ENDIAN
 #define PR_GET_ENDIAN 19
 #endif
 #ifndef PR_CAPBSET_READ
@@ skipping 13 matching lines @@
 void EnableUnsafeTraps() {
   // The use of UnsafeTrap() causes us to print a warning message. This is
   // generally desirable, but it results in the unittest failing, as it doesn't
   // expect any messages on "stderr". So, temporarily disable messages. The
   // BPF_TEST() is guaranteed to turn messages back on, after the policy
   // function has completed.
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 }
 
-// This test should execute no matter whether we have kernel support. So,
-// we make it a TEST() instead of a BPF_TEST().
-TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupports)) {
-  // We check that we don't crash, but it's ok if the kernel doesn't
-  // support it.
-  bool seccomp_bpf_supported =
-      SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE;
-  // We want to log whether or not seccomp BPF is actually supported
-  // since actual test coverage depends on it.
-  RecordProperty("SeccompBPFSupported",
-                 seccomp_bpf_supported ? "true." : "false.");
-  std::cout << "Seccomp BPF supported: "
-            << (seccomp_bpf_supported ? "true." : "false.") << "\n";
-  RecordProperty("PointerSize", sizeof(void*));
-  std::cout << "Pointer size: " << sizeof(void*) << "\n";
-}
-
-SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupportsTwice)) {
-  SandboxBPF::SupportsSeccompSandbox(-1);
-  SandboxBPF::SupportsSeccompSandbox(-1);
-}
-
 // BPF_TEST does a lot of the boiler-plate code around setting up a
 // policy and optional passing data between the caller, the policy and
 // any Trap() handlers. This is great for writing short and concise tests,
 // and it helps us accidentally forgetting any of the crucial steps in
 // setting up the sandbox. But it wouldn't hurt to have at least one test
 // that explicitly walks through all these steps.
 
 intptr_t IncreaseCounter(const struct arch_seccomp_data& args, void* aux) {
   BPF_ASSERT(aux);
   int* counter = static_cast<int*>(aux);
@@ skipping 14 matching lines @@
     return Allow();
   }
 
  private:
   int* counter_ptr_;
 
   DISALLOW_COPY_AND_ASSIGN(VerboseAPITestingPolicy);
 };
 
 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
-  if (SandboxBPF::SupportsSeccompSandbox(-1) ==
-      sandbox::SandboxBPF::STATUS_AVAILABLE) {
+  if (SandboxBPF::SupportsSeccompSandbox(
+          SandboxBPF::SeccompLevel::SINGLE_THREADED)) {
     static int counter = 0;
 
-    SandboxBPF sandbox;
-    sandbox.SetSandboxPolicy(new VerboseAPITestingPolicy(&counter));
-    BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+    SandboxBPF sandbox(new VerboseAPITestingPolicy(&counter));
+    BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
 
     BPF_ASSERT_EQ(0, counter);
     BPF_ASSERT_EQ(0, syscall(__NR_uname, 0));
     BPF_ASSERT_EQ(1, counter);
     BPF_ASSERT_EQ(1, syscall(__NR_uname, 0));
     BPF_ASSERT_EQ(2, counter);
   }
 }
 
 // A simple blacklist test
@@ skipping 21 matching lines @@
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   BlacklistNanosleepPolicy::AssertNanosleepFails();
 }
 
+BPF_TEST_C(SandboxBPF, UseVsyscall, BlacklistNanosleepPolicy) {
+  time_t current_time;
+  // time() is implemented as a vsyscall. With an older glibc, with
+  // vsyscall=emulate and some versions of the seccomp BPF patch
+  // we may get SIGKILL-ed. Detect this!
+  BPF_ASSERT_NE(static_cast<time_t>(-1), time(&current_time));
+}
+
 // Now do a simple whitelist test
 
 class WhitelistGetpidPolicy : public Policy {
  public:
   WhitelistGetpidPolicy() {}
   ~WhitelistGetpidPolicy() override {}
 
   ResultExpr EvaluateSyscall(int sysno) const override {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     switch (sysno) {
@@ skipping 197 matching lines @@
 BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
   errno = 0;
   BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
   BPF_ASSERT(errno == 0);
 
   BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
   BPF_ASSERT(errno == EPERM);
 
   // Stack a second sandbox with its own policy. Verify that we can further
   // restrict filters, but we cannot relax existing filters.
-  SandboxBPF sandbox;
-  sandbox.SetSandboxPolicy(new StackingPolicyPartTwo());
-  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+  SandboxBPF sandbox(new StackingPolicyPartTwo());
+  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
 
   errno = 0;
   BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
   BPF_ASSERT(errno == EINVAL);
 
   BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
   BPF_ASSERT(errno == EPERM);
 }
 
 // A more complex, but synthetic policy. This tests the correctness of the BPF
@@ skipping 337 matching lines @@
 
 bool NoOpCallback() {
   return true;
 }
 
 // Test a trap handler that makes use of a broker process to open().
 
 class InitializedOpenBroker {
  public:
   InitializedOpenBroker() : initialized_(false) {
-    std::vector<std::string> allowed_files;
-    allowed_files.push_back("/proc/allowed");
-    allowed_files.push_back("/proc/cpuinfo");
+    std::vector<syscall_broker::BrokerFilePermission> permissions;
+    permissions.push_back(
+        syscall_broker::BrokerFilePermission::ReadOnly("/proc/allowed"));
+    permissions.push_back(
+        syscall_broker::BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
 
-    broker_process_.reset(new syscall_broker::BrokerProcess(
-        EPERM, allowed_files, std::vector<std::string>()));
+    broker_process_.reset(
+        new syscall_broker::BrokerProcess(EPERM, permissions));
     BPF_ASSERT(broker_process() != NULL);
     BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));
 
     initialized_ = true;
   }
   bool initialized() { return initialized_; }
   class syscall_broker::BrokerProcess* broker_process() {
     return broker_process_.get();
   }
 
@@ skipping 1287 matching lines @@
 
   ResultExpr EvaluateSyscall(int system_call_number) const override {
     return Trace(kTraceData);
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(TraceAllPolicy);
 };
 
 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) {
-  if (SandboxBPF::SupportsSeccompSandbox(-1) !=
-      sandbox::SandboxBPF::STATUS_AVAILABLE) {
+  if (!SandboxBPF::SupportsSeccompSandbox(
+          SandboxBPF::SeccompLevel::SINGLE_THREADED)) {
     return;
   }
 
 // This test is disabled on arm due to a kernel bug.
 // See https://code.google.com/p/chromium/issues/detail?id=383977
 #if defined(__arm__) || defined(__aarch64__)
   printf("This test is currently disabled on ARM32/64 due to a kernel bug.");
   return;
 #endif
 
 #if defined(__mips__)
   // TODO: Figure out how to support specificity of handling indirect syscalls
   //        in this test and enable it.
   printf("This test is currently disabled on MIPS.");
   return;
 #endif
 
   pid_t pid = fork();
   BPF_ASSERT_NE(-1, pid);
   if (pid == 0) {
     pid_t my_pid = getpid();
     BPF_ASSERT_NE(-1, ptrace(PTRACE_TRACEME, -1, NULL, NULL));
     BPF_ASSERT_EQ(0, raise(SIGSTOP));
-    SandboxBPF sandbox;
-    sandbox.SetSandboxPolicy(new TraceAllPolicy);
-    BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+    SandboxBPF sandbox(new TraceAllPolicy);
+    BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
 
     // getpid is allowed.
     BPF_ASSERT_EQ(my_pid, sys_getpid());
 
     // write to stdout is skipped and returns a fake value.
     BPF_ASSERT_EQ(kExpectedReturnValue,
                   syscall(__NR_write, STDOUT_FILENO, "A", 1));
 
     // kill is rewritten to exit(kExpectedReturnValue).
     syscall(__NR_kill, my_pid, SIGKILL);
@@ skipping 150 matching lines @@
   }
 
   BPF_ASSERT(event->IsSignaled());
 
   BlacklistNanosleepPolicy::AssertNanosleepFails();
 
   return NULL;
 }
 
 SANDBOX_TEST(SandboxBPF, Tsync) {
-  if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() !=
-      SandboxBPF::STATUS_AVAILABLE) {
+  if (!(SandboxBPF::SupportsSeccompSandbox(
+          SandboxBPF::SeccompLevel::MULTI_THREADED))) {
     return;
   }
 
   base::WaitableEvent event(true, false);
 
   // Create a thread on which to invoke the blocked syscall.
   pthread_t thread;
   BPF_ASSERT_EQ(
       0, pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event));
 
   // Test that nanoseelp success.
   const struct timespec ts = {0, 0};
   BPF_ASSERT_EQ(0, HANDLE_EINTR(syscall(__NR_nanosleep, &ts, NULL)));
 
   // Engage the sandbox.
-  SandboxBPF sandbox;
-  sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy());
-  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
+  SandboxBPF sandbox(new BlacklistNanosleepPolicy());
+  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::MULTI_THREADED));
 
   // This thread should have the filter applied as well.
   BlacklistNanosleepPolicy::AssertNanosleepFails();
 
   // Signal the condition to invoke the system call.
   event.Signal();
 
   // Wait for the thread to finish.
   BPF_ASSERT_EQ(0, pthread_join(thread, NULL));
 }
 
 class AllowAllPolicy : public Policy {
  public:
   AllowAllPolicy() {}
   ~AllowAllPolicy() override {}
 
   ResultExpr EvaluateSyscall(int sysno) const override { return Allow(); }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
 };
 
 SANDBOX_DEATH_TEST(
     SandboxBPF,
     StartMultiThreadedAsSingleThreaded,
     DEATH_MESSAGE("Cannot start sandbox; process is already multi-threaded")) {
   base::Thread thread("sandbox.linux.StartMultiThreadedAsSingleThreaded");
   BPF_ASSERT(thread.Start());
 
-  SandboxBPF sandbox;
-  sandbox.SetSandboxPolicy(new AllowAllPolicy());
-  BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+  SandboxBPF sandbox(new AllowAllPolicy());
+  BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
 }
 
 // http://crbug.com/407357
 #if !defined(THREAD_SANITIZER)
 SANDBOX_DEATH_TEST(
     SandboxBPF,
     StartSingleThreadedAsMultiThreaded,
     DEATH_MESSAGE(
         "Cannot start sandbox; process may be single-threaded when "
         "reported as not")) {
-  SandboxBPF sandbox;
-  sandbox.SetSandboxPolicy(new AllowAllPolicy());
-  BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
+  SandboxBPF sandbox(new AllowAllPolicy());
+  BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::SeccompLevel::MULTI_THREADED));
 }
 #endif  // !defined(THREAD_SANITIZER)
 
 // A stub handler for the UnsafeTrap. Never called.
 intptr_t NoOpHandler(const struct arch_seccomp_data& args, void*) {
   return -1;
 }
 
 class UnsafeTrapWithCondPolicy : public Policy {
  public:
@@ skipping 49 matching lines @@
   BPF_ASSERT_EQ(ENOSYS, errno);
 
   BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));
   BPF_ASSERT_EQ(EPERM, errno);
 }
 
 }  // namespace
 
 }  // namespace bpf_dsl
 }  // namespace sandbox