sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc - Issue 935333002: Update from https://crrev.com/316786

Side by Side Diff: sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc

Issue 935333002: Update from https://crrev.com/316786 (Closed) Base URL: git@github.com:domokit/mojo.git@master

Patch Set: Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include <sys/types.h>

	6 #include <sys/stat.h>

	7 #include <fcntl.h>

	8 #include <unistd.h>

	9

	10 #include <vector>

	11

	12 #include "base/bind.h"

	13 #include "base/memory/scoped_ptr.h"

	14 #include "base/posix/eintr_wrapper.h"

	15 #include "build/build_config.h"

	16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"

	17 #include "sandbox/linux/bpf_dsl/policy.h"

	18 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"

	19 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"

	20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

	21 #include "sandbox/linux/syscall_broker/broker_file_permission.h"

	22 #include "sandbox/linux/syscall_broker/broker_process.h"

	23 #include "sandbox/linux/system_headers/linux_syscalls.h"

	24 #include "sandbox/linux/tests/unit_tests.h"

	25 #include "testing/gtest/include/gtest/gtest.h"

	26

	27 namespace sandbox {

	28

	29 namespace {

	30

	31 using bpf_dsl::Allow;

	32 using bpf_dsl::ResultExpr;

	33 using bpf_dsl::Trap;

	34

	35 bool NoOpCallback() {

	36 return true;

	37 }

	38

	39 // Test a trap handler that makes use of a broker process to open().

	40

	41 class InitializedOpenBroker {

	42 public:

	43 InitializedOpenBroker() : initialized_(false) {

	44 std::vector<syscall_broker::BrokerFilePermission> permissions;

	45 permissions.push_back(

	46 syscall_broker::BrokerFilePermission::ReadOnly("/proc/allowed"));

	47 permissions.push_back(

	48 syscall_broker::BrokerFilePermission::ReadOnly("/proc/cpuinfo"));

	49

	50 broker_process_.reset(

	51 new syscall_broker::BrokerProcess(EPERM, permissions));

	52 BPF_ASSERT(broker_process() != NULL);

	53 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));

	54

	55 initialized_ = true;

	56 }

	57 bool initialized() { return initialized_; }

	58 class syscall_broker::BrokerProcess* broker_process() {

	59 return broker_process_.get();

	60 }

	61

	62 private:

	63 bool initialized_;

	64 scoped_ptr<class syscall_broker::BrokerProcess> broker_process_;

	65 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker);

	66 };

	67

	68 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args,

	69 void* aux) {

	70 BPF_ASSERT(aux);

	71 syscall_broker::BrokerProcess* broker_process =

	72 static_cast<syscall_broker::BrokerProcess*>(aux);

	73 switch (args.nr) {

	74 case __NR_faccessat: // access is a wrapper of faccessat in android

	75 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);

	76 return broker_process->Access(reinterpret_cast<const char*>(args.args[1]),

	77 static_cast<int>(args.args[2]));

	78 #if defined(__NR_access)

	79 case __NR_access:

	80 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),

	81 static_cast<int>(args.args[1]));

	82 #endif

	83 #if defined(__NR_open)

	84 case __NR_open:

	85 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),

	86 static_cast<int>(args.args[1]));

	87 #endif

	88 case __NR_openat:

	89 // We only call open() so if we arrive here, it's because glibc uses

	90 // the openat() system call.

	91 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);

	92 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),

	93 static_cast<int>(args.args[2]));

	94 default:

	95 BPF_ASSERT(false);

	96 return -ENOSYS;

	97 }

	98 }

	99

	100 class DenyOpenPolicy : public bpf_dsl::Policy {

	101 public:

	102 explicit DenyOpenPolicy(InitializedOpenBroker* iob) : iob_(iob) {}

	103 ~DenyOpenPolicy() override {}

	104

	105 ResultExpr EvaluateSyscall(int sysno) const override {

	106 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));

	107

	108 switch (sysno) {

	109 case __NR_faccessat:

	110 #if defined(__NR_access)

	111 case __NR_access:

	112 #endif

	113 #if defined(__NR_open)

	114 case __NR_open:

	115 #endif

	116 case __NR_openat:

	117 // We get a InitializedOpenBroker class, but our trap handler wants

	118 // the syscall_broker::BrokerProcess object.

	119 return Trap(BrokerOpenTrapHandler, iob_->broker_process());

	120 default:

	121 return Allow();

	122 }

	123 }

	124

	125 private:

	126 InitializedOpenBroker* iob_;

	127

	128 DISALLOW_COPY_AND_ASSIGN(DenyOpenPolicy);

	129 };

	130

	131 // We use a InitializedOpenBroker class, so that we can run unsandboxed

	132 // code in its constructor, which is the only way to do so in a BPF_TEST.

	133 BPF_TEST(SandboxBPF,

	134 UseOpenBroker,

	135 DenyOpenPolicy,

	136 InitializedOpenBroker /* (BPF_AUX) /) {

	137 BPF_ASSERT(BPF_AUX->initialized());

	138 syscall_broker::BrokerProcess* broker_process = BPF_AUX->broker_process();

	139 BPF_ASSERT(broker_process != NULL);

	140

	141 // First, use the broker "manually"

	142 BPF_ASSERT(broker_process->Open("/proc/denied", O_RDONLY) == -EPERM);

	143 BPF_ASSERT(broker_process->Access("/proc/denied", R_OK) == -EPERM);

	144 BPF_ASSERT(broker_process->Open("/proc/allowed", O_RDONLY) == -ENOENT);

	145 BPF_ASSERT(broker_process->Access("/proc/allowed", R_OK) == -ENOENT);

	146

	147 // Now use glibc's open() as an external library would.

	148 BPF_ASSERT(open("/proc/denied", O_RDONLY) == -1);

	149 BPF_ASSERT(errno == EPERM);

	150

	151 BPF_ASSERT(open("/proc/allowed", O_RDONLY) == -1);

	152 BPF_ASSERT(errno == ENOENT);

	153

	154 // Also test glibc's openat(), some versions of libc use it transparently

	155 // instead of open().

	156 BPF_ASSERT(openat(AT_FDCWD, "/proc/denied", O_RDONLY) == -1);

	157 BPF_ASSERT(errno == EPERM);

	158

	159 BPF_ASSERT(openat(AT_FDCWD, "/proc/allowed", O_RDONLY) == -1);

	160 BPF_ASSERT(errno == ENOENT);

	161

	162 // And test glibc's access().

	163 BPF_ASSERT(access("/proc/denied", R_OK) == -1);

	164 BPF_ASSERT(errno == EPERM);

	165

	166 BPF_ASSERT(access("/proc/allowed", R_OK) == -1);

	167 BPF_ASSERT(errno == ENOENT);

	168

	169 // This is also white listed and does exist.

	170 int cpu_info_access = access("/proc/cpuinfo", R_OK);

	171 BPF_ASSERT(cpu_info_access == 0);

	172 int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);

	173 BPF_ASSERT(cpu_info_fd >= 0);

	174 char buf[1024];

	175 BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);

	176 }

	177

	178 } // namespace

	179

	180 } // namespace sandbox

OLD	NEW

« no previous file with comments | « sandbox/linux/integration_tests/namespace_unix_domain_socket_unittest.cc ('k') | sandbox/linux/sandbox_linux.gypi » ('j') | no next file with comments »