| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include <sched.h> | |
| 6 #include <stdio.h> | |
| 7 #include <string.h> | |
| 8 #include <sys/socket.h> | |
| 9 #include <sys/syscall.h> | |
| 10 #include <sys/wait.h> | |
| 11 #include <unistd.h> | |
| 12 | |
| 13 #include <vector> | |
| 14 | |
| 15 #include "base/files/scoped_file.h" | |
| 16 #include "base/logging.h" | |
| 17 #include "base/memory/scoped_vector.h" | |
| 18 #include "base/posix/eintr_wrapper.h" | |
| 19 #include "base/posix/unix_domain_socket_linux.h" | |
| 20 #include "base/process/process.h" | |
| 21 #include "sandbox/linux/services/syscall_wrappers.h" | |
| 22 #include "sandbox/linux/tests/unit_tests.h" | |
| 23 | |
| 24 // Additional tests for base's UnixDomainSocket to make sure it behaves | |
| 25 // correctly in the presence of sandboxing functionality (e.g., receiving | |
| 26 // PIDs across namespaces). | |
| 27 | |
| 28 namespace sandbox { | |
| 29 | |
| 30 namespace { | |
| 31 | |
| 32 const char kHello[] = "hello"; | |
| 33 | |
| 34 // If the calling process isn't root, then try using unshare(CLONE_NEWUSER) | |
| 35 // to fake it. | |
| 36 void FakeRoot() { | |
| 37 // If we're already root, then allow test to proceed. | |
| 38 if (geteuid() == 0) | |
| 39 return; | |
| 40 | |
| 41 // Otherwise hope the kernel supports unprivileged namespaces. | |
| 42 if (unshare(CLONE_NEWUSER) == 0) | |
| 43 return; | |
| 44 | |
| 45 printf("Permission to use CLONE_NEWPID missing; skipping test.\n"); | |
| 46 UnitTests::IgnoreThisTest(); | |
| 47 } | |
| 48 | |
| 49 void WaitForExit(pid_t pid) { | |
| 50 int status; | |
| 51 CHECK_EQ(pid, HANDLE_EINTR(waitpid(pid, &status, 0))); | |
| 52 CHECK(WIFEXITED(status)); | |
| 53 CHECK_EQ(0, WEXITSTATUS(status)); | |
| 54 } | |
| 55 | |
| 56 base::ProcessId GetParentProcessId(base::ProcessId pid) { | |
| 57 // base::GetParentProcessId() is defined as taking a ProcessHandle instead of | |
| 58 // a ProcessId, even though it's a POSIX-only function and IDs and Handles | |
| 59 // are both simply pid_t on POSIX... :/ | |
| 60 base::Process process = base::Process::Open(pid); | |
| 61 CHECK(process.IsValid()); | |
| 62 base::ProcessId ret = base::GetParentProcessId(process.Handle()); | |
| 63 return ret; | |
| 64 } | |
| 65 | |
| 66 // SendHello sends a "hello" to socket fd, and then blocks until the recipient | |
| 67 // acknowledges it by calling RecvHello. | |
| 68 void SendHello(int fd) { | |
| 69 int pipe_fds[2]; | |
| 70 CHECK_EQ(0, pipe(pipe_fds)); | |
| 71 base::ScopedFD read_pipe(pipe_fds[0]); | |
| 72 base::ScopedFD write_pipe(pipe_fds[1]); | |
| 73 | |
| 74 std::vector<int> send_fds; | |
| 75 send_fds.push_back(write_pipe.get()); | |
| 76 CHECK(UnixDomainSocket::SendMsg(fd, kHello, sizeof(kHello), send_fds)); | |
| 77 | |
| 78 write_pipe.reset(); | |
| 79 | |
| 80 // Block until receiver closes their end of the pipe. | |
| 81 char ch; | |
| 82 CHECK_EQ(0, HANDLE_EINTR(read(read_pipe.get(), &ch, 1))); | |
| 83 } | |
| 84 | |
| 85 // RecvHello receives and acknowledges a "hello" on socket fd, and returns the | |
| 86 // process ID of the sender in sender_pid. Optionally, write_pipe can be used | |
| 87 // to return a file descriptor, and the acknowledgement will be delayed until | |
| 88 // the descriptor is closed. | |
| 89 // (Implementation details: SendHello allocates a new pipe, sends us the writing | |
| 90 // end alongside the "hello" message, and then blocks until we close the writing | |
| 91 // end of the pipe.) | |
| 92 void RecvHello(int fd, | |
| 93 base::ProcessId* sender_pid, | |
| 94 base::ScopedFD* write_pipe = NULL) { | |
| 95 // Extra receiving buffer space to make sure we really received only | |
| 96 // sizeof(kHello) bytes and it wasn't just truncated to fit the buffer. | |
| 97 char buf[sizeof(kHello) + 1]; | |
| 98 ScopedVector<base::ScopedFD> message_fds; | |
| 99 ssize_t n = UnixDomainSocket::RecvMsgWithPid( | |
| 100 fd, buf, sizeof(buf), &message_fds, sender_pid); | |
| 101 CHECK_EQ(sizeof(kHello), static_cast<size_t>(n)); | |
| 102 CHECK_EQ(0, memcmp(buf, kHello, sizeof(kHello))); | |
| 103 CHECK_EQ(1U, message_fds.size()); | |
| 104 if (write_pipe) | |
| 105 write_pipe->swap(*message_fds[0]); | |
| 106 } | |
| 107 | |
| 108 // Check that receiving PIDs works across a fork(). | |
| 109 SANDBOX_TEST(UnixDomainSocketTest, Fork) { | |
| 110 int fds[2]; | |
| 111 CHECK_EQ(0, socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds)); | |
| 112 base::ScopedFD recv_sock(fds[0]); | |
| 113 base::ScopedFD send_sock(fds[1]); | |
| 114 | |
| 115 CHECK(UnixDomainSocket::EnableReceiveProcessId(recv_sock.get())); | |
| 116 | |
| 117 const pid_t pid = fork(); | |
| 118 CHECK_NE(-1, pid); | |
| 119 if (pid == 0) { | |
| 120 // Child process. | |
| 121 recv_sock.reset(); | |
| 122 SendHello(send_sock.get()); | |
| 123 _exit(0); | |
| 124 } | |
| 125 | |
| 126 // Parent process. | |
| 127 send_sock.reset(); | |
| 128 | |
| 129 base::ProcessId sender_pid; | |
| 130 RecvHello(recv_sock.get(), &sender_pid); | |
| 131 CHECK_EQ(pid, sender_pid); | |
| 132 | |
| 133 WaitForExit(pid); | |
| 134 } | |
| 135 | |
| 136 // Similar to Fork above, but forking the child into a new pid namespace. | |
| 137 SANDBOX_TEST(UnixDomainSocketTest, Namespace) { | |
| 138 FakeRoot(); | |
| 139 | |
| 140 int fds[2]; | |
| 141 CHECK_EQ(0, socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds)); | |
| 142 base::ScopedFD recv_sock(fds[0]); | |
| 143 base::ScopedFD send_sock(fds[1]); | |
| 144 | |
| 145 CHECK(UnixDomainSocket::EnableReceiveProcessId(recv_sock.get())); | |
| 146 | |
| 147 const pid_t pid = sys_clone(CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0); | |
| 148 CHECK_NE(-1, pid); | |
| 149 if (pid == 0) { | |
| 150 // Child process. | |
| 151 recv_sock.reset(); | |
| 152 | |
| 153 // Check that we think we're pid 1 in our new namespace. | |
| 154 CHECK_EQ(1, sys_getpid()); | |
| 155 | |
| 156 SendHello(send_sock.get()); | |
| 157 _exit(0); | |
| 158 } | |
| 159 | |
| 160 // Parent process. | |
| 161 send_sock.reset(); | |
| 162 | |
| 163 base::ProcessId sender_pid; | |
| 164 RecvHello(recv_sock.get(), &sender_pid); | |
| 165 CHECK_EQ(pid, sender_pid); | |
| 166 | |
| 167 WaitForExit(pid); | |
| 168 } | |
| 169 | |
| 170 // Again similar to Fork, but now with nested PID namespaces. | |
| 171 SANDBOX_TEST(UnixDomainSocketTest, DoubleNamespace) { | |
| 172 FakeRoot(); | |
| 173 | |
| 174 int fds[2]; | |
| 175 CHECK_EQ(0, socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds)); | |
| 176 base::ScopedFD recv_sock(fds[0]); | |
| 177 base::ScopedFD send_sock(fds[1]); | |
| 178 | |
| 179 CHECK(UnixDomainSocket::EnableReceiveProcessId(recv_sock.get())); | |
| 180 | |
| 181 const pid_t pid = sys_clone(CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0); | |
| 182 CHECK_NE(-1, pid); | |
| 183 if (pid == 0) { | |
| 184 // Child process. | |
| 185 recv_sock.reset(); | |
| 186 | |
| 187 const pid_t pid2 = sys_clone(CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0); | |
| 188 CHECK_NE(-1, pid2); | |
| 189 | |
| 190 if (pid2 != 0) { | |
| 191 // Wait for grandchild to run to completion; see comments below. | |
| 192 WaitForExit(pid2); | |
| 193 | |
| 194 // Fallthrough once grandchild has sent its hello and exited. | |
| 195 } | |
| 196 | |
| 197 // Check that we think we're pid 1. | |
| 198 CHECK_EQ(1, sys_getpid()); | |
| 199 | |
| 200 SendHello(send_sock.get()); | |
| 201 _exit(0); | |
| 202 } | |
| 203 | |
| 204 // Parent process. | |
| 205 send_sock.reset(); | |
| 206 | |
| 207 // We have two messages to receive: first from the grand-child, | |
| 208 // then from the child. | |
| 209 for (unsigned iteration = 0; iteration < 2; ++iteration) { | |
| 210 base::ProcessId sender_pid; | |
| 211 base::ScopedFD pipe_fd; | |
| 212 RecvHello(recv_sock.get(), &sender_pid, &pipe_fd); | |
| 213 | |
| 214 // We need our child and grandchild processes to both be alive for | |
| 215 // GetParentProcessId() to return a valid pid, hence the pipe trickery. | |
| 216 // (On the first iteration, grandchild is blocked reading from the pipe | |
| 217 // until we close it, and child is blocked waiting for grandchild to exit.) | |
| 218 switch (iteration) { | |
| 219 case 0: // Grandchild's message | |
| 220 // Check that sender_pid refers to our grandchild by checking that pid | |
| 221 // (our child) is its parent. | |
| 222 CHECK_EQ(pid, GetParentProcessId(sender_pid)); | |
| 223 break; | |
| 224 case 1: // Child's message | |
| 225 CHECK_EQ(pid, sender_pid); | |
| 226 break; | |
| 227 default: | |
| 228 NOTREACHED(); | |
| 229 } | |
| 230 } | |
| 231 | |
| 232 WaitForExit(pid); | |
| 233 } | |
| 234 | |
| 235 // Tests that GetPeerPid() returns 0 if the peer does not exist in caller's | |
| 236 // namespace. | |
| 237 SANDBOX_TEST(UnixDomainSocketTest, ImpossiblePid) { | |
| 238 FakeRoot(); | |
| 239 | |
| 240 int fds[2]; | |
| 241 CHECK_EQ(0, socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds)); | |
| 242 base::ScopedFD send_sock(fds[0]); | |
| 243 base::ScopedFD recv_sock(fds[1]); | |
| 244 | |
| 245 CHECK(UnixDomainSocket::EnableReceiveProcessId(recv_sock.get())); | |
| 246 | |
| 247 const pid_t pid = sys_clone(CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0); | |
| 248 CHECK_NE(-1, pid); | |
| 249 if (pid == 0) { | |
| 250 // Child process. | |
| 251 send_sock.reset(); | |
| 252 | |
| 253 base::ProcessId sender_pid; | |
| 254 RecvHello(recv_sock.get(), &sender_pid); | |
| 255 CHECK_EQ(0, sender_pid); | |
| 256 _exit(0); | |
| 257 } | |
| 258 | |
| 259 // Parent process. | |
| 260 recv_sock.reset(); | |
| 261 SendHello(send_sock.get()); | |
| 262 WaitForExit(pid); | |
| 263 } | |
| 264 | |
| 265 } // namespace | |
| 266 | |
| 267 } // namespace sandbox | |
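Review bot: FakeRoot() only establishes that a user namespace can be entered, yet Namespace, DoubleNamespace and ImpossiblePid then hard-fail on `CHECK_NE(-1, pid)` after `sys_clone(CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0)`, so an environment that allows unprivileged CLONE_NEWUSER but refuses CLONE_NEWPID (EPERM/EINVAL), or a euid-0 process that presumably lacks CAP_SYS_ADMIN inside a container and is waved through by the `geteuid() == 0` early return, crashes the test instead of skipping it. The skip message is also misleading: it names CLONE_NEWPID while the call that actually failed is `unshare(CLONE_NEWUSER)`, so `printf("Unprivileged user namespaces (CLONE_NEWUSER) unavailable; skipping test.\n");` would state what was checked. A small helper that performs the clone and calls UnitTests::IgnoreThisTest() on EPERM/EINVAL, keeping the CHECK for any other failure, closes the gap; it needs `<errno.h>` in the include block. Separately, ImpossiblePid pins the security-relevant contract that a peer outside the receiver's PID namespace is reported as pid 0, and a comment on `CHECK_EQ(0, sender_pid)` such as `// 0 means "no pid visible in this namespace", never a real process; callers must not treat it as init.` would make that explicit for consumers of RecvMsgWithPid.
```cpp
// Clone into a fresh PID namespace, or skip the test when the kernel or
// sandbox refuses to create one (instead of crashing on the CHECK below).
pid_t CloneNewPidOrSkip() {
  const pid_t pid = sys_clone(CLONE_NEWPID | SIGCHLD, 0, 0, 0, 0);
  if (pid == -1 && (errno == EPERM || errno == EINVAL)) {
    printf("Permission to use CLONE_NEWPID missing; skipping test.\n");
    UnitTests::IgnoreThisTest();
  }
  CHECK_NE(-1, pid);
  return pid;
}
// … unchanged: each test replaces its direct sys_clone(CLONE_NEWPID | SIGCHLD, ...) call with CloneNewPidOrSkip() …
```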