sandbox/linux/bpf_dsl/bpf_dsl_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
   6
   7 #include <errno.h>
   8 #include <fcntl.h>
   9 #include <netinet/in.h>
  10 #include <sys/socket.h>
  11 #include <sys/syscall.h>
  12 #include <sys/utsname.h>
  13 #include <unistd.h>
  14
  15 #include "base/files/scoped_file.h"
  16 #include "base/macros.h"
  17 #include "build/build_config.h"
  18 #include "sandbox/linux/bpf_dsl/policy.h"
  19 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
  20 #include "sandbox/linux/seccomp-bpf/errorcode.h"
  21 #include "sandbox/linux/seccomp-bpf/syscall.h"
  22
  23 #define CASES SANDBOX_BPF_DSL_CASES
  24
  25 // Helper macro to assert that invoking system call |sys| directly via
  26 // Syscall::Call with arguments |...| returns |res|.
  27 // Errors can be asserted by specifying a value like "-EINVAL".
  28 #define ASSERT_SYSCALL_RESULT(res, sys, ...) \
  29   BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__))
  30
  31 namespace sandbox {
  32 namespace bpf_dsl {
  33 namespace {
  34
  35 // Type safe stubs for tested system calls.
  36 class Stubs {
  37  public:
  38   static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); }
  39   static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); }
  40   static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); }
  41   static int setpgid(pid_t pid, pid_t pgid) {
  42     return Syscall::Call(__NR_setpgid, pid, pgid);
  43   }
  44
  45   static int fcntl(int fd, int cmd, unsigned long arg = 0) {
  46     return Syscall::Call(__NR_fcntl, fd, cmd, arg);
  47   }
  48
  49   static int uname(struct utsname* buf) {
  50     return Syscall::Call(__NR_uname, buf);
  51   }
  52
  53   static int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
  54     return Syscall::Call(__NR_setresuid, ruid, euid, suid);
  55   }
  56
  57 #if !defined(ARCH_CPU_X86)
  58   static int socketpair(int domain, int type, int protocol, int sv[2]) {
  59     return Syscall::Call(__NR_socketpair, domain, type, protocol, sv);
  60   }
  61 #endif
  62 };
  63
  64 class BasicPolicy : public Policy {
  65  public:
  66   BasicPolicy() {}
  67   ~BasicPolicy() override {}
  68   ResultExpr EvaluateSyscall(int sysno) const override {
  69     if (sysno == __NR_getpgid) {
  70       const Arg<pid_t> pid(0);
  71       return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
  72     }
  73     if (sysno == __NR_setuid) {
  74       const Arg<uid_t> uid(0);
  75       return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
  76     }
  77     return Allow();
  78   }
  79
  80  private:
  81   DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
  82 };
  83
  84 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
  85   ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0);
  86   ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1);
  87
  88   ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42);
  89   ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43);
  90 }
  91
  92 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
  93 #if !defined(ARCH_CPU_X86)
  94 class BooleanLogicPolicy : public Policy {
  95  public:
  96   BooleanLogicPolicy() {}
  97   ~BooleanLogicPolicy() override {}
  98   ResultExpr EvaluateSyscall(int sysno) const override {
  99     if (sysno == __NR_socketpair) {
 100       const Arg<int> domain(0), type(1), protocol(2);
 101       return If(domain == AF_UNIX &&
 102                     (type == SOCK_STREAM || type == SOCK_DGRAM) &&
 103                     protocol == 0,
 104                 Error(EPERM)).Else(Error(EINVAL));
 105     }
 106     return Allow();
 107   }
 108
 109  private:
 110   DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
 111 };
 112
 113 BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) {
 114   int sv[2];
 115
 116   // Acceptable combinations that should return EPERM.
 117   ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv);
 118   ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv);
 119
 120   // Combinations that are invalid for only one reason; should return EINVAL.
 121   ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv);
 122   ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv);
 123   ASSERT_SYSCALL_RESULT(
 124       -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv);
 125
 126   // Completely unacceptable combination; should also return EINVAL.
 127   ASSERT_SYSCALL_RESULT(
 128       -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv);
 129 }
 130 #endif  // !ARCH_CPU_X86
 131
 132 class MoreBooleanLogicPolicy : public Policy {
 133  public:
 134   MoreBooleanLogicPolicy() {}
 135   ~MoreBooleanLogicPolicy() override {}
 136   ResultExpr EvaluateSyscall(int sysno) const override {
 137     if (sysno == __NR_setresuid) {
 138       const Arg<uid_t> ruid(0), euid(1), suid(2);
 139       return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
 140           .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
 141           .Else(Error(EINVAL));
 142     }
 143     return Allow();
 144   }
 145
 146  private:
 147   DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
 148 };
 149
 150 BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) {
 151   // Expect EPERM if any set to 0.
 152   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5);
 153   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5);
 154   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0);
 155
 156   // Expect EAGAIN if all set to 1.
 157   ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1);
 158
 159   // Expect EINVAL for anything else.
 160   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1);
 161   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1);
 162   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5);
 163   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5);
 164 }
 165
 166 static const uintptr_t kDeadBeefAddr =
 167     static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
 168
 169 class ArgSizePolicy : public Policy {
 170  public:
 171   ArgSizePolicy() {}
 172   ~ArgSizePolicy() override {}
 173   ResultExpr EvaluateSyscall(int sysno) const override {
 174     if (sysno == __NR_uname) {
 175       const Arg<uintptr_t> addr(0);
 176       return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
 177     }
 178     return Allow();
 179   }
 180
 181  private:
 182   DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
 183 };
 184
 185 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) {
 186   struct utsname buf;
 187   ASSERT_SYSCALL_RESULT(0, uname, &buf);
 188   ASSERT_SYSCALL_RESULT(
 189       -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
 190 }
 191
 192 class TrappingPolicy : public Policy {
 193  public:
 194   TrappingPolicy() {}
 195   ~TrappingPolicy() override {}
 196   ResultExpr EvaluateSyscall(int sysno) const override {
 197     if (sysno == __NR_uname) {
 198       return Trap(UnameTrap, &count_);
 199     }
 200     return Allow();
 201   }
 202
 203  private:
 204   static intptr_t count_;
 205
 206   static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
 207     BPF_ASSERT_EQ(&count_, aux);
 208     return ++count_;
 209   }
 210
 211   DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
 212 };
 213
 214 intptr_t TrappingPolicy::count_;
 215
 216 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
 217   ASSERT_SYSCALL_RESULT(1, uname, NULL);
 218   ASSERT_SYSCALL_RESULT(2, uname, NULL);
 219   ASSERT_SYSCALL_RESULT(3, uname, NULL);
 220 }
 221
 222 class MaskingPolicy : public Policy {
 223  public:
 224   MaskingPolicy() {}
 225   ~MaskingPolicy() override {}
 226   ResultExpr EvaluateSyscall(int sysno) const override {
 227     if (sysno == __NR_setuid) {
 228       const Arg<uid_t> uid(0);
 229       return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
 230     }
 231     if (sysno == __NR_setgid) {
 232       const Arg<gid_t> gid(0);
 233       return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
 234     }
 235     if (sysno == __NR_setpgid) {
 236       const Arg<pid_t> pid(0);
 237       return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES));
 238     }
 239     return Allow();
 240   }
 241
 242  private:
 243   DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
 244 };
 245
 246 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) {
 247   for (uid_t uid = 0; uid < 0x100; ++uid) {
 248     const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
 249     ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid);
 250   }
 251
 252   for (gid_t gid = 0; gid < 0x100; ++gid) {
 253     const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
 254     ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid);
 255   }
 256
 257   for (pid_t pid = 0; pid < 0x100; ++pid) {
 258     const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
 259     ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0);
 260   }
 261 }
 262
 263 class ElseIfPolicy : public Policy {
 264  public:
 265   ElseIfPolicy() {}
 266   ~ElseIfPolicy() override {}
 267   ResultExpr EvaluateSyscall(int sysno) const override {
 268     if (sysno == __NR_setuid) {
 269       const Arg<uid_t> uid(0);
 270       return If((uid & 0xfff) == 0, Error(0))
 271           .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
 272           .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
 273           .Else(Error(EACCES));
 274     }
 275     return Allow();
 276   }
 277
 278  private:
 279   DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
 280 };
 281
 282 BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) {
 283   ASSERT_SYSCALL_RESULT(0, setuid, 0);
 284
 285   ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001);
 286   ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002);
 287
 288   ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011);
 289   ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022);
 290
 291   ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111);
 292   ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
 293 }
 294
 295 class SwitchPolicy : public Policy {
 296  public:
 297   SwitchPolicy() {}
 298   ~SwitchPolicy() override {}
 299   ResultExpr EvaluateSyscall(int sysno) const override {
 300     if (sysno == __NR_fcntl) {
 301       const Arg<int> cmd(1);
 302       const Arg<unsigned long> long_arg(2);
 303       return Switch(cmd)
 304           .CASES((F_GETFL, F_GETFD), Error(ENOENT))
 305           .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
 306           .Case(F_SETFL, Error(EPERM))
 307           .Default(Error(EACCES));
 308     }
 309     return Allow();
 310   }
 311
 312  private:
 313   DISALLOW_COPY_AND_ASSIGN(SwitchPolicy);
 314 };
 315
 316 BPF_TEST_C(BPFDSL, SwitchTest, SwitchPolicy) {
 317   base::ScopedFD sock_fd(socket(AF_UNIX, SOCK_STREAM, 0));
 318   BPF_ASSERT(sock_fd.is_valid());
 319
 320   ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFD);
 321   ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFL);
 322
 323   ASSERT_SYSCALL_RESULT(0, fcntl, sock_fd.get(), F_SETFD, O_CLOEXEC);
 324   ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0);
 325
 326   ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY);
 327
 328   ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0);
 329 }
 330
 331 }  // namespace
 332 }  // namespace bpf_dsl
 333 }  // namespace sandbox