sandbox/linux/bpf_dsl/bpf_dsl_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
   6
   7 #include <errno.h>
   8 #include <netinet/in.h>
   9 #include <sys/socket.h>
  10 #include <sys/utsname.h>
  11
  12 #include "base/files/scoped_file.h"
  13 #include "base/macros.h"
  14 #include "build/build_config.h"
  15 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
  16 #include "sandbox/linux/seccomp-bpf/errorcode.h"
  17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
  18 #include "sandbox/linux/seccomp-bpf/syscall.h"
  19
  20 #define CASES SANDBOX_BPF_DSL_CASES
  21
  22 // Helper macro to assert that invoking system call |sys| directly via
  23 // Syscall::Call with arguments |...| returns |res|.
  24 // Errors can be asserted by specifying a value like "-EINVAL".
  25 #define ASSERT_SYSCALL_RESULT(res, sys, ...) \
  26   BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__))
  27
  28 namespace sandbox {
  29 namespace bpf_dsl {
  30 namespace {
  31
  32 // Type safe stubs for tested system calls.
  33 class Stubs {
  34  public:
  35   static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); }
  36   static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); }
  37   static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); }
  38   static int setpgid(pid_t pid, pid_t pgid) {
  39     return Syscall::Call(__NR_setpgid, pid, pgid);
  40   }
  41
  42   static int fcntl(int fd, int cmd, unsigned long arg = 0) {
  43     return Syscall::Call(__NR_fcntl, fd, cmd, arg);
  44   }
  45
  46   static int uname(struct utsname* buf) {
  47     return Syscall::Call(__NR_uname, buf);
  48   }
  49
  50   static int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
  51     return Syscall::Call(__NR_setresuid, ruid, euid, suid);
  52   }
  53
  54 #if !defined(ARCH_CPU_X86)
  55   static int socketpair(int domain, int type, int protocol, int sv[2]) {
  56     return Syscall::Call(__NR_socketpair, domain, type, protocol, sv);
  57   }
  58 #endif
  59 };
  60
  61 class BasicPolicy : public SandboxBPFDSLPolicy {
  62  public:
  63   BasicPolicy() {}
  64   virtual ~BasicPolicy() {}
  65   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
  66     if (sysno == __NR_getpgid) {
  67       const Arg<pid_t> pid(0);
  68       return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
  69     }
  70     if (sysno == __NR_setuid) {
  71       const Arg<uid_t> uid(0);
  72       return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
  73     }
  74     return Allow();
  75   }
  76
  77  private:
  78   DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
  79 };
  80
  81 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
  82   ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0);
  83   ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1);
  84
  85   ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42);
  86   ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43);
  87 }
  88
  89 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
  90 #if !defined(ARCH_CPU_X86)
  91 class BooleanLogicPolicy : public SandboxBPFDSLPolicy {
  92  public:
  93   BooleanLogicPolicy() {}
  94   virtual ~BooleanLogicPolicy() {}
  95   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
  96     if (sysno == __NR_socketpair) {
  97       const Arg<int> domain(0), type(1), protocol(2);
  98       return If(domain == AF_UNIX &&
  99                     (type == SOCK_STREAM || type == SOCK_DGRAM) &&
 100                     protocol == 0,
 101                 Error(EPERM)).Else(Error(EINVAL));
 102     }
 103     return Allow();
 104   }
 105
 106  private:
 107   DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
 108 };
 109
 110 BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) {
 111   int sv[2];
 112
 113   // Acceptable combinations that should return EPERM.
 114   ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv);
 115   ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv);
 116
 117   // Combinations that are invalid for only one reason; should return EINVAL.
 118   ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv);
 119   ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv);
 120   ASSERT_SYSCALL_RESULT(
 121       -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv);
 122
 123   // Completely unacceptable combination; should also return EINVAL.
 124   ASSERT_SYSCALL_RESULT(
 125       -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv);
 126 }
 127 #endif  // !ARCH_CPU_X86
 128
 129 class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy {
 130  public:
 131   MoreBooleanLogicPolicy() {}
 132   virtual ~MoreBooleanLogicPolicy() {}
 133   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 134     if (sysno == __NR_setresuid) {
 135       const Arg<uid_t> ruid(0), euid(1), suid(2);
 136       return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
 137           .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
 138           .Else(Error(EINVAL));
 139     }
 140     return Allow();
 141   }
 142
 143  private:
 144   DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
 145 };
 146
 147 BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) {
 148   // Expect EPERM if any set to 0.
 149   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5);
 150   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5);
 151   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0);
 152
 153   // Expect EAGAIN if all set to 1.
 154   ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1);
 155
 156   // Expect EINVAL for anything else.
 157   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1);
 158   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1);
 159   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5);
 160   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5);
 161 }
 162
 163 static const uintptr_t kDeadBeefAddr =
 164     static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
 165
 166 class ArgSizePolicy : public SandboxBPFDSLPolicy {
 167  public:
 168   ArgSizePolicy() {}
 169   virtual ~ArgSizePolicy() {}
 170   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 171     if (sysno == __NR_uname) {
 172       const Arg<uintptr_t> addr(0);
 173       return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
 174     }
 175     return Allow();
 176   }
 177
 178  private:
 179   DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
 180 };
 181
 182 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) {
 183   struct utsname buf;
 184   ASSERT_SYSCALL_RESULT(0, uname, &buf);
 185   ASSERT_SYSCALL_RESULT(
 186       -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
 187 }
 188
 189 class TrappingPolicy : public SandboxBPFDSLPolicy {
 190  public:
 191   TrappingPolicy() {}
 192   virtual ~TrappingPolicy() {}
 193   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 194     if (sysno == __NR_uname) {
 195       return Trap(UnameTrap, &count_);
 196     }
 197     return Allow();
 198   }
 199
 200  private:
 201   static intptr_t count_;
 202
 203   static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
 204     BPF_ASSERT_EQ(&count_, aux);
 205     return ++count_;
 206   }
 207
 208   DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
 209 };
 210
 211 intptr_t TrappingPolicy::count_;
 212
 213 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
 214   ASSERT_SYSCALL_RESULT(1, uname, NULL);
 215   ASSERT_SYSCALL_RESULT(2, uname, NULL);
 216   ASSERT_SYSCALL_RESULT(3, uname, NULL);
 217 }
 218
 219 class MaskingPolicy : public SandboxBPFDSLPolicy {
 220  public:
 221   MaskingPolicy() {}
 222   virtual ~MaskingPolicy() {}
 223   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 224     if (sysno == __NR_setuid) {
 225       const Arg<uid_t> uid(0);
 226       return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
 227     }
 228     if (sysno == __NR_setgid) {
 229       const Arg<gid_t> gid(0);
 230       return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
 231     }
 232     if (sysno == __NR_setpgid) {
 233       const Arg<pid_t> pid(0);
 234       return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES));
 235     }
 236     return Allow();
 237   }
 238
 239  private:
 240   DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
 241 };
 242
 243 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) {
 244   for (uid_t uid = 0; uid < 0x100; ++uid) {
 245     const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
 246     ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid);
 247   }
 248
 249   for (gid_t gid = 0; gid < 0x100; ++gid) {
 250     const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
 251     ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid);
 252   }
 253
 254   for (pid_t pid = 0; pid < 0x100; ++pid) {
 255     const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
 256     ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0);
 257   }
 258 }
 259
 260 class ElseIfPolicy : public SandboxBPFDSLPolicy {
 261  public:
 262   ElseIfPolicy() {}
 263   virtual ~ElseIfPolicy() {}
 264   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 265     if (sysno == __NR_setuid) {
 266       const Arg<uid_t> uid(0);
 267       return If((uid & 0xfff) == 0, Error(0))
 268           .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
 269           .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
 270           .Else(Error(EACCES));
 271     }
 272     return Allow();
 273   }
 274
 275  private:
 276   DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
 277 };
 278
 279 BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) {
 280   ASSERT_SYSCALL_RESULT(0, setuid, 0);
 281
 282   ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001);
 283   ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002);
 284
 285   ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011);
 286   ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022);
 287
 288   ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111);
 289   ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
 290 }
 291
 292 class SwitchPolicy : public SandboxBPFDSLPolicy {
 293  public:
 294   SwitchPolicy() {}
 295   virtual ~SwitchPolicy() {}
 296   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 297     if (sysno == __NR_fcntl) {
 298       const Arg<int> cmd(1);
 299       const Arg<unsigned long> long_arg(2);
 300       return Switch(cmd)
 301           .CASES((F_GETFL, F_GETFD), Error(ENOENT))
 302           .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
 303           .Case(F_SETFL, Error(EPERM))
 304           .Default(Error(EACCES));
 305     }
 306     return Allow();
 307   }
 308
 309  private:
 310   DISALLOW_COPY_AND_ASSIGN(SwitchPolicy);
 311 };
 312
 313 BPF_TEST_C(BPFDSL, SwitchTest, SwitchPolicy) {
 314   base::ScopedFD sock_fd(socket(AF_UNIX, SOCK_STREAM, 0));
 315   BPF_ASSERT(sock_fd.is_valid());
 316
 317   ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFD);
 318   ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFL);
 319
 320   ASSERT_SYSCALL_RESULT(0, fcntl, sock_fd.get(), F_SETFD, O_CLOEXEC);
 321   ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0);
 322
 323   ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY);
 324
 325   ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0);
 326 }
 327
 328 }  // namespace
 329 }  // namespace bpf_dsl
 330 }  // namespace sandbox