| Index: sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc
|
| diff --git a/sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc b/sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc
|
| index 66669e796c69dbba717395c2a4772c96f5716aa3..df5dbd508f1892530a36c9896de280a6723618e2 100644
|
| --- a/sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc
|
| +++ b/sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc
|
| @@ -42,6 +42,7 @@
|
| #include "sandbox/linux/seccomp-bpf/trap.h"
|
| #include "sandbox/linux/services/linux_syscalls.h"
|
| #include "sandbox/linux/services/syscall_wrappers.h"
|
| +#include "sandbox/linux/syscall_broker/broker_file_permission.h"
|
| #include "sandbox/linux/syscall_broker/broker_process.h"
|
| #include "sandbox/linux/tests/scoped_temporary_file.h"
|
| #include "sandbox/linux/tests/unit_tests.h"
|
| @@ -75,28 +76,6 @@ void EnableUnsafeTraps() {
|
| Die::SuppressInfoMessages(true);
|
| }
|
|
|
| -// This test should execute no matter whether we have kernel support. So,
|
| -// we make it a TEST() instead of a BPF_TEST().
|
| -TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupports)) {
|
| - // We check that we don't crash, but it's ok if the kernel doesn't
|
| - // support it.
|
| - bool seccomp_bpf_supported =
|
| - SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE;
|
| - // We want to log whether or not seccomp BPF is actually supported
|
| - // since actual test coverage depends on it.
|
| - RecordProperty("SeccompBPFSupported",
|
| - seccomp_bpf_supported ? "true." : "false.");
|
| - std::cout << "Seccomp BPF supported: "
|
| - << (seccomp_bpf_supported ? "true." : "false.") << "\n";
|
| - RecordProperty("PointerSize", sizeof(void*));
|
| - std::cout << "Pointer size: " << sizeof(void*) << "\n";
|
| -}
|
| -
|
| -SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupportsTwice)) {
|
| - SandboxBPF::SupportsSeccompSandbox(-1);
|
| - SandboxBPF::SupportsSeccompSandbox(-1);
|
| -}
|
| -
|
| // BPF_TEST does a lot of the boiler-plate code around setting up a
|
| // policy and optional passing data between the caller, the policy and
|
| // any Trap() handlers. This is great for writing short and concise tests,
|
| @@ -131,13 +110,12 @@ class VerboseAPITestingPolicy : public Policy {
|
| };
|
|
|
| SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
|
| - if (SandboxBPF::SupportsSeccompSandbox(-1) ==
|
| - sandbox::SandboxBPF::STATUS_AVAILABLE) {
|
| + if (SandboxBPF::SupportsSeccompSandbox(
|
| + SandboxBPF::SeccompLevel::SINGLE_THREADED)) {
|
| static int counter = 0;
|
|
|
| - SandboxBPF sandbox;
|
| - sandbox.SetSandboxPolicy(new VerboseAPITestingPolicy(&counter));
|
| - BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
|
| + SandboxBPF sandbox(new VerboseAPITestingPolicy(&counter));
|
| + BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
|
|
|
| BPF_ASSERT_EQ(0, counter);
|
| BPF_ASSERT_EQ(0, syscall(__NR_uname, 0));
|
| @@ -179,6 +157,14 @@ BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
|
| BlacklistNanosleepPolicy::AssertNanosleepFails();
|
| }
|
|
|
| +BPF_TEST_C(SandboxBPF, UseVsyscall, BlacklistNanosleepPolicy) {
|
| + time_t current_time;
|
| + // time() is implemented as a vsyscall. With an older glibc, with
|
| + // vsyscall=emulate and some versions of the seccomp BPF patch
|
| + // we may get SIGKILL-ed. Detect this!
|
| + BPF_ASSERT_NE(static_cast<time_t>(-1), time(¤t_time));
|
| +}
|
| +
|
| // Now do a simple whitelist test
|
|
|
| class WhitelistGetpidPolicy : public Policy {
|
| @@ -396,9 +382,8 @@ BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
|
|
|
| // Stack a second sandbox with its own policy. Verify that we can further
|
| // restrict filters, but we cannot relax existing filters.
|
| - SandboxBPF sandbox;
|
| - sandbox.SetSandboxPolicy(new StackingPolicyPartTwo());
|
| - BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
|
| + SandboxBPF sandbox(new StackingPolicyPartTwo());
|
| + BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
|
|
|
| errno = 0;
|
| BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
|
| @@ -756,12 +741,14 @@ bool NoOpCallback() {
|
| class InitializedOpenBroker {
|
| public:
|
| InitializedOpenBroker() : initialized_(false) {
|
| - std::vector<std::string> allowed_files;
|
| - allowed_files.push_back("/proc/allowed");
|
| - allowed_files.push_back("/proc/cpuinfo");
|
| -
|
| - broker_process_.reset(new syscall_broker::BrokerProcess(
|
| - EPERM, allowed_files, std::vector<std::string>()));
|
| + std::vector<syscall_broker::BrokerFilePermission> permissions;
|
| + permissions.push_back(
|
| + syscall_broker::BrokerFilePermission::ReadOnly("/proc/allowed"));
|
| + permissions.push_back(
|
| + syscall_broker::BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
|
| +
|
| + broker_process_.reset(
|
| + new syscall_broker::BrokerProcess(EPERM, permissions));
|
| BPF_ASSERT(broker_process() != NULL);
|
| BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));
|
|
|
| @@ -2069,8 +2056,8 @@ class TraceAllPolicy : public Policy {
|
| };
|
|
|
| SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) {
|
| - if (SandboxBPF::SupportsSeccompSandbox(-1) !=
|
| - sandbox::SandboxBPF::STATUS_AVAILABLE) {
|
| + if (!SandboxBPF::SupportsSeccompSandbox(
|
| + SandboxBPF::SeccompLevel::SINGLE_THREADED)) {
|
| return;
|
| }
|
|
|
| @@ -2094,9 +2081,8 @@ SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) {
|
| pid_t my_pid = getpid();
|
| BPF_ASSERT_NE(-1, ptrace(PTRACE_TRACEME, -1, NULL, NULL));
|
| BPF_ASSERT_EQ(0, raise(SIGSTOP));
|
| - SandboxBPF sandbox;
|
| - sandbox.SetSandboxPolicy(new TraceAllPolicy);
|
| - BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
|
| + SandboxBPF sandbox(new TraceAllPolicy);
|
| + BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
|
|
|
| // getpid is allowed.
|
| BPF_ASSERT_EQ(my_pid, sys_getpid());
|
| @@ -2267,8 +2253,8 @@ void* TsyncApplyToTwoThreadsFunc(void* cond_ptr) {
|
| }
|
|
|
| SANDBOX_TEST(SandboxBPF, Tsync) {
|
| - if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() !=
|
| - SandboxBPF::STATUS_AVAILABLE) {
|
| + if (!(SandboxBPF::SupportsSeccompSandbox(
|
| + SandboxBPF::SeccompLevel::MULTI_THREADED))) {
|
| return;
|
| }
|
|
|
| @@ -2284,9 +2270,8 @@ SANDBOX_TEST(SandboxBPF, Tsync) {
|
| BPF_ASSERT_EQ(0, HANDLE_EINTR(syscall(__NR_nanosleep, &ts, NULL)));
|
|
|
| // Engage the sandbox.
|
| - SandboxBPF sandbox;
|
| - sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy());
|
| - BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
|
| + SandboxBPF sandbox(new BlacklistNanosleepPolicy());
|
| + BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::MULTI_THREADED));
|
|
|
| // This thread should have the filter applied as well.
|
| BlacklistNanosleepPolicy::AssertNanosleepFails();
|
| @@ -2316,9 +2301,8 @@ SANDBOX_DEATH_TEST(
|
| base::Thread thread("sandbox.linux.StartMultiThreadedAsSingleThreaded");
|
| BPF_ASSERT(thread.Start());
|
|
|
| - SandboxBPF sandbox;
|
| - sandbox.SetSandboxPolicy(new AllowAllPolicy());
|
| - BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
|
| + SandboxBPF sandbox(new AllowAllPolicy());
|
| + BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::SeccompLevel::SINGLE_THREADED));
|
| }
|
|
|
| // http://crbug.com/407357
|
| @@ -2329,9 +2313,8 @@ SANDBOX_DEATH_TEST(
|
| DEATH_MESSAGE(
|
| "Cannot start sandbox; process may be single-threaded when "
|
| "reported as not")) {
|
| - SandboxBPF sandbox;
|
| - sandbox.SetSandboxPolicy(new AllowAllPolicy());
|
| - BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
|
| + SandboxBPF sandbox(new AllowAllPolicy());
|
| + BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::SeccompLevel::MULTI_THREADED));
|
| }
|
| #endif // !defined(THREAD_SANITIZER)
|
|
|
|
|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master