sandbox/linux/seccomp-bpf/syscall_unittest.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <asm/unistd.h>
   6 #include <fcntl.h>
   7 #include <sys/mman.h>
   8 #include <sys/syscall.h>
   9 #include <unistd.h>
  10
  11 #include <vector>
  12
  13 #include "base/basictypes.h"
  14 #include "base/posix/eintr_wrapper.h"
  15 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
  16 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
  17 #include "sandbox/linux/seccomp-bpf/syscall.h"
  18 #include "sandbox/linux/tests/unit_tests.h"
  19 #include "testing/gtest/include/gtest/gtest.h"
  20
  21 using namespace playground2;
  22
  23 namespace {
  24
  25 // Different platforms use different symbols for the six-argument version
  26 // of the mmap() system call. Test for the correct symbol at compile time.
  27 #ifdef __NR_mmap2
  28 const int kMMapNr = __NR_mmap2;
  29 #else
  30 const int kMMapNr = __NR_mmap;
  31 #endif
  32
  33 TEST(Syscall, WellKnownEntryPoint) {
  34   // Test that SandboxSyscall(-1) is handled specially. Don't do this on ARM,
  35   // where syscall(-1) crashes with SIGILL. Not running the test is fine, as we
  36   // are still testing ARM code in the next set of tests.
  37 #if !defined(__arm__)
  38   EXPECT_NE(SandboxSyscall(-1), syscall(-1));
  39 #endif
  40
  41   // If possible, test that SandboxSyscall(-1) returns the address right after
  42   // a kernel entry point.
  43 #if defined(__i386__)
  44   EXPECT_EQ(0x80CDu, ((uint16_t *)SandboxSyscall(-1))[-1]);      // INT 0x80
  45 #elif defined(__x86_64__)
  46   EXPECT_EQ(0x050Fu, ((uint16_t *)SandboxSyscall(-1))[-1]);      // SYSCALL
  47 #elif defined(__arm__)
  48 #if defined(__thumb__)
  49   EXPECT_EQ(0xDF00u, ((uint16_t *)SandboxSyscall(-1))[-1]);      // SWI 0
  50 #else
  51   EXPECT_EQ(0xEF000000u, ((uint32_t *)SandboxSyscall(-1))[-1]);  // SVC 0
  52 #endif
  53 #else
  54   #warning Incomplete test case; need port for target platform
  55 #endif
  56 }
  57
  58 TEST(Syscall, TrivialSyscallNoArgs) {
  59   // Test that we can do basic system calls
  60   EXPECT_EQ(SandboxSyscall(__NR_getpid), syscall(__NR_getpid));
  61 }
  62
  63 TEST(Syscall, TrivialSyscallOneArg) {
  64   int new_fd;
  65   // Duplicate standard error and close it.
  66   ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0);
  67   int close_return_value = HANDLE_EINTR(SandboxSyscall(__NR_close, new_fd));
  68   ASSERT_EQ(close_return_value, 0);
  69 }
  70
  71 // SIGSYS trap handler that will be called on __NR_uname.
  72 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void *aux) {
  73   // |aux| is a pointer to our BPF_AUX.
  74   std::vector<uint64_t>* const seen_syscall_args =
  75       static_cast<std::vector<uint64_t>*>(aux);
  76   BPF_ASSERT(arraysize(args.args) == 6);
  77   seen_syscall_args->assign(args.args, args.args + arraysize(args.args));
  78   return -ENOMEM;
  79 }
  80
  81 ErrorCode CopyAllArgsOnUnamePolicy(Sandbox *sandbox, int sysno, void *aux) {
  82   if (!Sandbox::IsValidSyscallNumber(sysno)) {
  83     return ErrorCode(ENOSYS);
  84   }
  85   if (sysno == __NR_uname) {
  86     return sandbox->Trap(CopySyscallArgsToAux, aux);
  87   } else {
  88     return ErrorCode(ErrorCode::ERR_ALLOWED);
  89   }
  90 }
  91
  92 // We are testing SandboxSyscall() by making use of a BPF filter that allows us
  93 // to inspect the system call arguments that the kernel saw.
  94 BPF_TEST(Syscall, SyntheticSixArgs, CopyAllArgsOnUnamePolicy,
  95          std::vector<uint64_t> /* BPF_AUX */) {
  96   const int kExpectedValue = 42;
  97   // In this test we only pass integers to the kernel. We might want to make
  98   // additional tests to try other types. What we will see depends on
  99   // implementation details of kernel BPF filters and we will need to document
 100   // the expected behavior very clearly.
 101   int syscall_args[6];
 102   for (size_t i = 0; i < arraysize(syscall_args); ++i) {
 103     syscall_args[i] = kExpectedValue + i;
 104   }
 105
 106   // We could use pretty much any system call we don't need here. uname() is
 107   // nice because it doesn't have any dangerous side effects.
 108   BPF_ASSERT(SandboxSyscall(__NR_uname, syscall_args[0],
 109                                         syscall_args[1],
 110                                         syscall_args[2],
 111                                         syscall_args[3],
 112                                         syscall_args[4],
 113                                         syscall_args[5]) == -ENOMEM);
 114
 115   // We expect the trap handler to have copied the 6 arguments.
 116   BPF_ASSERT(BPF_AUX.size() == 6);
 117
 118   // Don't loop here so that we can see which argument does cause the failure
 119   // easily from the failing line.
 120   // uint64_t is the type passed to our SIGSYS handler.
 121   BPF_ASSERT(BPF_AUX[0] == static_cast<uint64_t>(syscall_args[0]));
 122   BPF_ASSERT(BPF_AUX[1] == static_cast<uint64_t>(syscall_args[1]));
 123   BPF_ASSERT(BPF_AUX[2] == static_cast<uint64_t>(syscall_args[2]));
 124   BPF_ASSERT(BPF_AUX[3] == static_cast<uint64_t>(syscall_args[3]));
 125   BPF_ASSERT(BPF_AUX[4] == static_cast<uint64_t>(syscall_args[4]));
 126   BPF_ASSERT(BPF_AUX[5] == static_cast<uint64_t>(syscall_args[5]));
 127 }
 128
 129 TEST(Syscall, ComplexSyscallSixArgs) {
 130   int fd;
 131   ASSERT_LE(0, fd = SandboxSyscall(__NR_open, "/dev/null", O_RDWR, 0L));
 132
 133   // Use mmap() to allocate some read-only memory
 134   char *addr0;
 135   ASSERT_NE((char *)NULL,
 136             addr0 = reinterpret_cast<char *>(
 137               SandboxSyscall(kMMapNr, (void *)NULL, 4096, PROT_READ,
 138                              MAP_PRIVATE|MAP_ANONYMOUS, fd, 0L)));
 139
 140   // Try to replace the existing mapping with a read-write mapping
 141   char *addr1;
 142   ASSERT_EQ(addr0,
 143             addr1 = reinterpret_cast<char *>(
 144               SandboxSyscall(kMMapNr, addr0, 4096L, PROT_READ|PROT_WRITE,
 145                              MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,
 146                              fd, 0L)));
 147   ++*addr1; // This should not seg fault
 148
 149   // Clean up
 150   EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr1, 4096L));
 151   EXPECT_EQ(0, HANDLE_EINTR(SandboxSyscall(__NR_close, fd)));
 152
 153   // Check that the offset argument (i.e. the sixth argument) is processed
 154   // correctly.
 155   ASSERT_GE(fd = SandboxSyscall(__NR_open, "/proc/self/exe", O_RDONLY, 0L), 0);
 156   char *addr2, *addr3;
 157   ASSERT_NE((char *)NULL,
 158             addr2 = reinterpret_cast<char *>(
 159               SandboxSyscall(kMMapNr, (void *)NULL, 8192L, PROT_READ,
 160                              MAP_PRIVATE, fd, 0L)));
 161   ASSERT_NE((char *)NULL,
 162             addr3 = reinterpret_cast<char *>(
 163               SandboxSyscall(kMMapNr, (void *)NULL, 4096L, PROT_READ,
 164                              MAP_PRIVATE, fd,
 165 #if defined(__NR_mmap2)
 166                       1L
 167 #else
 168                       4096L
 169 #endif
 170                       )));
 171   EXPECT_EQ(0, memcmp(addr2 + 4096, addr3, 4096));
 172
 173   // Just to be absolutely on the safe side, also verify that the file
 174   // contents matches what we are getting from a read() operation.
 175   char buf[8192];
 176   EXPECT_EQ(8192, SandboxSyscall(__NR_read, fd, buf, 8192L));
 177   EXPECT_EQ(0, memcmp(addr2, buf, 8192));
 178
 179   // Clean up
 180   EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L));
 181   EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L));
 182   EXPECT_EQ(0, HANDLE_EINTR(SandboxSyscall(__NR_close, fd)));
 183 }
 184
 185 } // namespace