Chromium Code Reviews Chromium Code Reviews
Issue 935743003:
bpf_dsl: move Verifier into PolicyCompiler (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <fcntl.h> | 8 #include <fcntl.h> |
| 9 #include <netinet/in.h> | 9 #include <netinet/in.h> |
| 10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
| 11 #include <sys/syscall.h> | 11 #include <sys/syscall.h> |
| 12 #include <sys/utsname.h> | 12 #include <sys/utsname.h> |
| 13 #include <unistd.h> | 13 #include <unistd.h> |
| 14 | 14 |
| 15 #include <map> | |
| 16 #include <utility> | |
| 17 | |
| 15 #include "base/files/scoped_file.h" | 18 #include "base/files/scoped_file.h" |
| 16 #include "base/macros.h" | 19 #include "base/macros.h" |
| 17 #include "build/build_config.h" | 20 #include "build/build_config.h" |
| 18 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h" | 21 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h" |
| 19 #include "sandbox/linux/bpf_dsl/codegen.h" | 22 #include "sandbox/linux/bpf_dsl/codegen.h" |
| 20 #include "sandbox/linux/bpf_dsl/policy.h" | 23 #include "sandbox/linux/bpf_dsl/policy.h" |
| 21 #include "sandbox/linux/bpf_dsl/policy_compiler.h" | 24 #include "sandbox/linux/bpf_dsl/policy_compiler.h" |
| 22 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" | 25 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" |
| 23 #include "sandbox/linux/bpf_dsl/trap_registry.h" | 26 #include "sandbox/linux/bpf_dsl/trap_registry.h" |
| 27 #include "sandbox/linux/bpf_dsl/verifier.h" | |
| 24 #include "sandbox/linux/seccomp-bpf/errorcode.h" | 28 #include "sandbox/linux/seccomp-bpf/errorcode.h" |
| 25 #include "sandbox/linux/seccomp-bpf/verifier.h" | |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 29 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 30 |
| 28 #define CASES SANDBOX_BPF_DSL_CASES | 31 #define CASES SANDBOX_BPF_DSL_CASES |
| 29 | 32 |
| 30 namespace sandbox { | 33 namespace sandbox { |
| 31 namespace bpf_dsl { | 34 namespace bpf_dsl { |
| 32 namespace { | 35 namespace { |
| 33 | 36 |
| 34 // Helper function to construct fake arch_seccomp_data objects. | 37 // Helper function to construct fake arch_seccomp_data objects. |
| 35 struct arch_seccomp_data FakeSyscall(int nr, | 38 struct arch_seccomp_data FakeSyscall(int nr, |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 49 { | 52 { |
| 50 p0, p1, p2, p3, p4, p5, | 53 p0, p1, p2, p3, p4, p5, |
| 51 }, | 54 }, |
| 52 }; | 55 }; |
| 53 | 56 |
| 54 return data; | 57 return data; |
| 55 } | 58 } |
| 56 | 59 |
| 57 class FakeTrapRegistry : public TrapRegistry { | 60 class FakeTrapRegistry : public TrapRegistry { |
| 58 public: | 61 public: |
| 59 FakeTrapRegistry() : next_id_(1) {} | 62 FakeTrapRegistry() : map_() {} |
| 60 virtual ~FakeTrapRegistry() {} | 63 virtual ~FakeTrapRegistry() {} |
| 61 | 64 |
| 62 uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override { | 65 uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override { |
| 63 EXPECT_NE(0U, next_id_); | 66 EXPECT_TRUE(safe); |
| 64 return next_id_++; | 67 |
| 68 const uint16_t next_id = map_.size() + 1; | |
| 69 return map_.insert(std::make_pair(Key(fnc, aux), next_id)).first->second; | |
| 65 } | 70 } |
| 66 | 71 |
| 67 bool EnableUnsafeTraps() override { | 72 bool EnableUnsafeTraps() override { |
| 68 ADD_FAILURE() << "Unimplemented"; | 73 ADD_FAILURE() << "Unimplemented"; |
| 69 return false; | 74 return false; |
| 70 } | 75 } |
| 71 | 76 |
| 72 private: | 77 private: |
| 73 uint16_t next_id_; | 78 using Key = std::pair<TrapFnc, const void*>; |
| 79 | |
| 80 std::map<Key, uint16_t> map_; | |
| 74 | 81 |
| 75 DISALLOW_COPY_AND_ASSIGN(FakeTrapRegistry); | 82 DISALLOW_COPY_AND_ASSIGN(FakeTrapRegistry); |
| 76 }; | 83 }; |
| 77 | 84 |
| 85 intptr_t FakeTrapFuncOne(const arch_seccomp_data& data, void* aux) { return 1; } | |
| 86 intptr_t FakeTrapFuncTwo(const arch_seccomp_data& data, void* aux) { return 2; } | |
| 87 | |
| 88 // Test that FakeTrapRegistry correctly assigns trap IDs to trap handlers. | |
| 89 TEST(FakeTrapRegistry, TrapIDs) { | |
| 90 struct { | |
| 91 TrapRegistry::TrapFnc fnc; | |
| 92 const void* aux; | |
| 93 } funcs[] = { | |
| 94 {FakeTrapFuncOne, nullptr}, | |
| 95 {FakeTrapFuncTwo, nullptr}, | |
| 96 {FakeTrapFuncOne, funcs}, | |
| 97 {FakeTrapFuncTwo, funcs}, | |
| 98 }; | |
| 99 | |
| 100 FakeTrapRegistry traps; | |
|
jln (very slow on Chromium)
2015/02/21 01:48:48
Maybe add a comment: run twice to check that Trap
mdempsky
2015/02/23 03:54:24
Done.
| |
| 101 for (int i = 0; i < 2; ++i) { | |
| 102 for (size_t j = 0; j < arraysize(funcs); ++j) { | |
| 103 // Trap IDs start at 1. | |
| 104 EXPECT_EQ(j + 1, traps.Add(funcs[j].fnc, funcs[j].aux, true)); | |
| 105 } | |
| 106 } | |
| 107 } | |
| 108 | |
| 78 class PolicyEmulator { | 109 class PolicyEmulator { |
| 79 public: | 110 public: |
| 80 explicit PolicyEmulator(const Policy* policy) : program_(), traps_() { | 111 explicit PolicyEmulator(const Policy* policy) : program_(), traps_() { |
| 81 program_ = *PolicyCompiler(policy, &traps_).Compile(); | 112 program_ = *PolicyCompiler(policy, &traps_).Compile(true /* verify */); |
| 82 } | 113 } |
| 83 ~PolicyEmulator() {} | 114 ~PolicyEmulator() {} |
| 84 | 115 |
| 85 uint32_t Emulate(const struct arch_seccomp_data& data) const { | 116 uint32_t Emulate(const struct arch_seccomp_data& data) const { |
| 86 const char* err = nullptr; | 117 const char* err = nullptr; |
| 87 uint32_t res = Verifier::EvaluateBPF(program_, data, &err); | 118 uint32_t res = Verifier::EvaluateBPF(program_, data, &err); |
| 88 if (err) { | 119 if (err) { |
| 89 ADD_FAILURE() << err; | 120 ADD_FAILURE() << err; |
| 90 return 0; | 121 return 0; |
| 91 } | 122 } |
| (...skipping 351 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 443 EXPECT_TRUE(unsafe->HasUnsafeTraps()); | 474 EXPECT_TRUE(unsafe->HasUnsafeTraps()); |
| 444 | 475 |
| 445 const Arg<int> arg(0); | 476 const Arg<int> arg(0); |
| 446 ResultExpr maybe = If(arg == 0, allow).Else(unsafe); | 477 ResultExpr maybe = If(arg == 0, allow).Else(unsafe); |
| 447 EXPECT_TRUE(maybe->HasUnsafeTraps()); | 478 EXPECT_TRUE(maybe->HasUnsafeTraps()); |
| 448 } | 479 } |
| 449 | 480 |
| 450 } // namespace | 481 } // namespace |
| 451 } // namespace bpf_dsl | 482 } // namespace bpf_dsl |
| 452 } // namespace sandbox | 483 } // namespace sandbox |
| OLD | NEW |
