search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf-helpers / baseline_policy_unittest.cc
blob3d92af01e52c8e588a5e44c91b7db091d96d98fe
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
6
7 #include <errno.h>
8 #include <linux/futex.h>
9 #include <sched.h>
10 #include <signal.h>
11 #include <string.h>
12 #include <sys/prctl.h>
13 #include <sys/socket.h>
14 #include <sys/stat.h>
15 #include <sys/syscall.h>
16 #include <sys/time.h>
17 #include <sys/types.h>
18 #include <sys/wait.h>
19 #include <unistd.h>
20
21 #include "base/files/scoped_file.h"
22 #include "base/macros.h"
23 #include "base/posix/eintr_wrapper.h"
24 #include "base/threading/thread.h"
25 #include "build/build_config.h"
26 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
27 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
28 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
29 #include "sandbox/linux/seccomp-bpf/syscall.h"
30 #include "sandbox/linux/services/linux_syscalls.h"
31 #include "sandbox/linux/services/thread_helpers.h"
32 #include "sandbox/linux/tests/unit_tests.h"
33
34 namespace sandbox {
35
36 namespace {
37
38 // |pid| is the return value of a fork()-like call. This
39 // makes sure that if fork() succeeded the child exits
40 // and the parent waits for it.
41 void HandlePostForkReturn(pid_t pid) {
42 const int kChildExitCode = 1;
43 if (pid > 0) {
44 int status = 0;
45 PCHECK(pid == HANDLE_EINTR(waitpid(pid, &status, 0)));
46 CHECK(WIFEXITED(status));
47 CHECK_EQ(kChildExitCode, WEXITSTATUS(status));
48 } else if (pid == 0) {
49 _exit(kChildExitCode);
50 }
51 }
52
53 // Check that HandlePostForkReturn works.
54 TEST(BaselinePolicy, HandlePostForkReturn) {
55 pid_t pid = fork();
56 HandlePostForkReturn(pid);
57 }
58
59 // This also tests that read(), write() and fstat() are allowed.
60 void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
61 BPF_ASSERT_LE(0, read_end.get());
62 BPF_ASSERT_LE(0, write_end.get());
63 struct stat stat_buf;
64 int sys_ret = fstat(read_end.get(), &stat_buf);
65 BPF_ASSERT_EQ(0, sys_ret);
66 BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
67
68 const ssize_t kTestTransferSize = 4;
69 static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'};
70 ssize_t transfered = 0;
71
72 transfered =
73 HANDLE_EINTR(write(write_end.get(), kTestString, kTestTransferSize));
74 BPF_ASSERT_EQ(kTestTransferSize, transfered);
75 char read_buf[kTestTransferSize + 1] = {0};
76 transfered = HANDLE_EINTR(read(read_end.get(), read_buf, sizeof(read_buf)));
77 BPF_ASSERT_EQ(kTestTransferSize, transfered);
78 BPF_ASSERT_EQ(0, memcmp(kTestString, read_buf, kTestTransferSize));
79 }
80
81 // Test that a few easy-to-test system calls are allowed.
82 BPF_TEST_C(BaselinePolicy, BaselinePolicyBasicAllowed, BaselinePolicy) {
83 BPF_ASSERT_EQ(0, sched_yield());
84
85 int pipefd[2];
86 int sys_ret = pipe(pipefd);
87 BPF_ASSERT_EQ(0, sys_ret);
88 TestPipeOrSocketPair(base::ScopedFD(pipefd[0]), base::ScopedFD(pipefd[1]));
89
90 BPF_ASSERT_LE(1, getpid());
91 BPF_ASSERT_LE(0, getuid());
92 }
93
94 BPF_TEST_C(BaselinePolicy, FchmodErrno, BaselinePolicy) {
95 int ret = fchmod(-1, 07777);
96 BPF_ASSERT_EQ(-1, ret);
97 // Without the sandbox, this would EBADF instead.
98 BPF_ASSERT_EQ(EPERM, errno);
99 }
100
101 BPF_TEST_C(BaselinePolicy, ForkErrno, BaselinePolicy) {
102 errno = 0;
103 pid_t pid = fork();
104 const int fork_errno = errno;
105 HandlePostForkReturn(pid);
106
107 BPF_ASSERT_EQ(-1, pid);
108 BPF_ASSERT_EQ(EPERM, fork_errno);
109 }
110
111 pid_t ForkX86Glibc() {
112 return syscall(__NR_clone, CLONE_PARENT_SETTID | SIGCHLD);
113 }
114
115 BPF_TEST_C(BaselinePolicy, ForkX86Eperm, BaselinePolicy) {
116 errno = 0;
117 pid_t pid = ForkX86Glibc();
118 const int fork_errno = errno;
119 HandlePostForkReturn(pid);
120
121 BPF_ASSERT_EQ(-1, pid);
122 BPF_ASSERT_EQ(EPERM, fork_errno);
123 }
124
125 pid_t ForkARMGlibc() {
126 return syscall(__NR_clone,
127 CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD);
128 }
129
130 BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
131 errno = 0;
132 pid_t pid = ForkARMGlibc();
133 const int fork_errno = errno;
134 HandlePostForkReturn(pid);
135
136 BPF_ASSERT_EQ(-1, pid);
137 BPF_ASSERT_EQ(EPERM, fork_errno);
138 }
139
140 BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
141 base::Thread thread("sandbox_tests");
142 BPF_ASSERT(thread.Start());
143 }
144
145 BPF_DEATH_TEST_C(BaselinePolicy,
146 DisallowedCloneFlagCrashes,
147 DEATH_SEGV_MESSAGE(GetCloneErrorMessageContentForTests()),
148 BaselinePolicy) {
149 pid_t pid = syscall(__NR_clone, CLONE_THREAD | SIGCHLD);
150 HandlePostForkReturn(pid);
151 }
152
153 BPF_DEATH_TEST_C(BaselinePolicy,
154 DisallowedKillCrashes,
155 DEATH_SEGV_MESSAGE(GetKillErrorMessageContentForTests()),
156 BaselinePolicy) {
157 BPF_ASSERT_NE(1, getpid());
158 kill(1, 0);
159 _exit(0);
160 }
161
162 BPF_TEST_C(BaselinePolicy, CanKillSelf, BaselinePolicy) {
163 int sys_ret = kill(getpid(), 0);
164 BPF_ASSERT_EQ(0, sys_ret);
165 }
166
167 BPF_TEST_C(BaselinePolicy, Socketpair, BaselinePolicy) {
168 int sv[2];
169 int sys_ret = socketpair(AF_UNIX, SOCK_DGRAM, 0, sv);
170 BPF_ASSERT_EQ(0, sys_ret);
171 TestPipeOrSocketPair(base::ScopedFD(sv[0]), base::ScopedFD(sv[1]));
172
173 sys_ret = socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv);
174 BPF_ASSERT_EQ(0, sys_ret);
175 TestPipeOrSocketPair(base::ScopedFD(sv[0]), base::ScopedFD(sv[1]));
176 }
177
178 // Not all architectures can restrict the domain for socketpair().
179 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
180 BPF_DEATH_TEST_C(BaselinePolicy,
181 SocketpairWrongDomain,
182 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()),
183 BaselinePolicy) {
184 int sv[2];
185 ignore_result(socketpair(AF_INET, SOCK_STREAM, 0, sv));
186 _exit(1);
187 }
188 #endif // defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
189
190 BPF_TEST_C(BaselinePolicy, EPERM_open, BaselinePolicy) {
191 errno = 0;
192 int sys_ret = open("/proc/cpuinfo", O_RDONLY);
193 BPF_ASSERT_EQ(-1, sys_ret);
194 BPF_ASSERT_EQ(EPERM, errno);
195 }
196
197 BPF_TEST_C(BaselinePolicy, EPERM_access, BaselinePolicy) {
198 errno = 0;
199 int sys_ret = access("/proc/cpuinfo", R_OK);
200 BPF_ASSERT_EQ(-1, sys_ret);
201 BPF_ASSERT_EQ(EPERM, errno);
202 }
203
204 BPF_TEST_C(BaselinePolicy, EPERM_getcwd, BaselinePolicy) {
205 errno = 0;
206 char buf[1024];
207 char* cwd = getcwd(buf, sizeof(buf));
208 BPF_ASSERT_EQ(NULL, cwd);
209 BPF_ASSERT_EQ(EPERM, errno);
210 }
211
212 BPF_DEATH_TEST_C(BaselinePolicy,
213 SIGSYS_InvalidSyscall,
214 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()),
215 BaselinePolicy) {
216 Syscall::InvalidCall();
217 }
218
219 // A failing test using this macro could be problematic since we perform
220 // system calls by passing "0" as every argument.
221 // The kernel could SIGSEGV the process or the system call itself could reboot
222 // the machine. Some thoughts have been given when hand-picking the system
223 // calls below to limit any potential side effects outside of the current
224 // process.
225 #define TEST_BASELINE_SIGSYS(sysno) \
226 BPF_DEATH_TEST_C(BaselinePolicy, \
227 SIGSYS_##sysno, \
228 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()), \
229 BaselinePolicy) { \
230 syscall(sysno, 0, 0, 0, 0, 0, 0); \
231 _exit(1); \
232 }
233
234 TEST_BASELINE_SIGSYS(__NR_acct);
235 TEST_BASELINE_SIGSYS(__NR_chroot);
236 TEST_BASELINE_SIGSYS(__NR_fanotify_init);
237 TEST_BASELINE_SIGSYS(__NR_fgetxattr);
238 TEST_BASELINE_SIGSYS(__NR_getcpu);
239 TEST_BASELINE_SIGSYS(__NR_getitimer);
240 TEST_BASELINE_SIGSYS(__NR_init_module);
241 TEST_BASELINE_SIGSYS(__NR_io_cancel);
242 TEST_BASELINE_SIGSYS(__NR_keyctl);
243 TEST_BASELINE_SIGSYS(__NR_mq_open);
244 TEST_BASELINE_SIGSYS(__NR_ptrace);
245 TEST_BASELINE_SIGSYS(__NR_sched_setaffinity);
246 TEST_BASELINE_SIGSYS(__NR_setpgid);
247 TEST_BASELINE_SIGSYS(__NR_swapon);
248 TEST_BASELINE_SIGSYS(__NR_sysinfo);
249 TEST_BASELINE_SIGSYS(__NR_syslog);
250 TEST_BASELINE_SIGSYS(__NR_timer_create);
251
252 #if !defined(__aarch64__)
253 TEST_BASELINE_SIGSYS(__NR_eventfd);
254 TEST_BASELINE_SIGSYS(__NR_inotify_init);
255 TEST_BASELINE_SIGSYS(__NR_vserver);
256 #endif
257
258 #if !defined(OS_ANDROID)
259 BPF_DEATH_TEST_C(BaselinePolicy,
260 FutexWithRequeuePriorityInheritence,
261 DEATH_MESSAGE(GetFutexErrorMessageContentForTests()),
262 BaselinePolicy) {
263 syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI, 0, NULL, NULL, 0);
264 _exit(1);
265 }
266
267 BPF_DEATH_TEST_C(BaselinePolicy,
268 FutexWithRequeuePriorityInheritencePrivate,
269 DEATH_MESSAGE(GetFutexErrorMessageContentForTests()),
270 BaselinePolicy) {
271 syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI_PRIVATE, 0, NULL, NULL, 0);
272 _exit(1);
273 }
274 #endif // !defined(OS_ANDROID)
275
276 BPF_TEST_C(BaselinePolicy, PrctlDumpable, BaselinePolicy) {
277 const int is_dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
278 BPF_ASSERT(is_dumpable == 1 || is_dumpable == 0);
279 const int prctl_ret = prctl(PR_SET_DUMPABLE, is_dumpable, 0, 0, 0, 0);
280 BPF_ASSERT_EQ(0, prctl_ret);
281 }
282
283 // Workaround incomplete Android headers.
284 #if !defined(PR_CAPBSET_READ)
285 #define PR_CAPBSET_READ 23
286 #endif
287
288 BPF_DEATH_TEST_C(BaselinePolicy,
289 PrctlSigsys,
290 DEATH_SEGV_MESSAGE(GetPrctlErrorMessageContentForTests()),
291 BaselinePolicy) {
292 prctl(PR_CAPBSET_READ, 0, 0, 0, 0);
293 _exit(1);
294 }
295
296 } // namespace
297
298 } // namespace sandbox