sandbox/linux/seccomp-bpf/syscall_unittest.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/seccomp-bpf/syscall.h"
   6
   7 #include <asm/unistd.h>
   8 #include <fcntl.h>
   9 #include <sys/mman.h>
  10 #include <sys/syscall.h>
  11 #include <sys/types.h>
  12 #include <unistd.h>
  13
  14 #include <vector>
  15
  16 #include "base/basictypes.h"
  17 #include "base/posix/eintr_wrapper.h"
  18 #include "build/build_config.h"
  19 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
  20 #include "sandbox/linux/bpf_dsl/policy.h"
  21 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
  22 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
  23 #include "sandbox/linux/tests/unit_tests.h"
  24 #include "testing/gtest/include/gtest/gtest.h"
  25
  26 using sandbox::bpf_dsl::Allow;
  27 using sandbox::bpf_dsl::ResultExpr;
  28 using sandbox::bpf_dsl::Trap;
  29
  30 namespace sandbox {
  31
  32 namespace {
  33
  34 // Different platforms use different symbols for the six-argument version
  35 // of the mmap() system call. Test for the correct symbol at compile time.
  36 #ifdef __NR_mmap2
  37 const int kMMapNr = __NR_mmap2;
  38 #else
  39 const int kMMapNr = __NR_mmap;
  40 #endif
  41
  42 TEST(Syscall, InvalidCallReturnsENOSYS) {
  43   EXPECT_EQ(-ENOSYS, Syscall::InvalidCall());
  44 }
  45
  46 TEST(Syscall, WellKnownEntryPoint) {
  47 // Test that Syscall::Call(-1) is handled specially. Don't do this on ARM,
  48 // where syscall(-1) crashes with SIGILL. Not running the test is fine, as we
  49 // are still testing ARM code in the next set of tests.
  50 #if !defined(__arm__) && !defined(__aarch64__)
  51   EXPECT_NE(Syscall::Call(-1), syscall(-1));
  52 #endif
  53
  54 // If possible, test that Syscall::Call(-1) returns the address right
  55 // after
  56 // a kernel entry point.
  57 #if defined(__i386__)
  58   EXPECT_EQ(0x80CDu, ((uint16_t*)Syscall::Call(-1))[-1]);  // INT 0x80
  59 #elif defined(__x86_64__)
  60   EXPECT_EQ(0x050Fu, ((uint16_t*)Syscall::Call(-1))[-1]);  // SYSCALL
  61 #elif defined(__arm__)
  62 #if defined(__thumb__)
  63   EXPECT_EQ(0xDF00u, ((uint16_t*)Syscall::Call(-1))[-1]);  // SWI 0
  64 #else
  65   EXPECT_EQ(0xEF000000u, ((uint32_t*)Syscall::Call(-1))[-1]);  // SVC 0
  66 #endif
  67 #elif defined(__mips__)
  68   // Opcode for MIPS sycall is in the lower 16-bits
  69   EXPECT_EQ(0x0cu, (((uint32_t*)Syscall::Call(-1))[-1]) & 0x0000FFFF);
  70 #elif defined(__aarch64__)
  71   EXPECT_EQ(0xD4000001u, ((uint32_t*)Syscall::Call(-1))[-1]);  // SVC 0
  72 #else
  73 #warning Incomplete test case; need port for target platform
  74 #endif
  75 }
  76
  77 TEST(Syscall, TrivialSyscallNoArgs) {
  78   // Test that we can do basic system calls
  79   EXPECT_EQ(Syscall::Call(__NR_getpid), syscall(__NR_getpid));
  80 }
  81
  82 TEST(Syscall, TrivialSyscallOneArg) {
  83   int new_fd;
  84   // Duplicate standard error and close it.
  85   ASSERT_GE(new_fd = Syscall::Call(__NR_dup, 2), 0);
  86   int close_return_value = IGNORE_EINTR(Syscall::Call(__NR_close, new_fd));
  87   ASSERT_EQ(close_return_value, 0);
  88 }
  89
  90 TEST(Syscall, TrivialFailingSyscall) {
  91   errno = -42;
  92   int ret = Syscall::Call(__NR_dup, -1);
  93   ASSERT_EQ(-EBADF, ret);
  94   // Verify that Syscall::Call does not touch errno.
  95   ASSERT_EQ(-42, errno);
  96 }
  97
  98 // SIGSYS trap handler that will be called on __NR_uname.
  99 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) {
 100   // |aux| is our BPF_AUX pointer.
 101   std::vector<uint64_t>* const seen_syscall_args =
 102       static_cast<std::vector<uint64_t>*>(aux);
 103   BPF_ASSERT(arraysize(args.args) == 6);
 104   seen_syscall_args->assign(args.args, args.args + arraysize(args.args));
 105   return -ENOMEM;
 106 }
 107
 108 class CopyAllArgsOnUnamePolicy : public bpf_dsl::Policy {
 109  public:
 110   explicit CopyAllArgsOnUnamePolicy(std::vector<uint64_t>* aux) : aux_(aux) {}
 111   ~CopyAllArgsOnUnamePolicy() override {}
 112
 113   ResultExpr EvaluateSyscall(int sysno) const override {
 114     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
 115     if (sysno == __NR_uname) {
 116       return Trap(CopySyscallArgsToAux, aux_);
 117     } else {
 118       return Allow();
 119     }
 120   }
 121
 122  private:
 123   std::vector<uint64_t>* aux_;
 124
 125   DISALLOW_COPY_AND_ASSIGN(CopyAllArgsOnUnamePolicy);
 126 };
 127
 128 // We are testing Syscall::Call() by making use of a BPF filter that
 129 // allows us
 130 // to inspect the system call arguments that the kernel saw.
 131 BPF_TEST(Syscall,
 132          SyntheticSixArgs,
 133          CopyAllArgsOnUnamePolicy,
 134          std::vector<uint64_t> /* (*BPF_AUX) */) {
 135   const int kExpectedValue = 42;
 136   // In this test we only pass integers to the kernel. We might want to make
 137   // additional tests to try other types. What we will see depends on
 138   // implementation details of kernel BPF filters and we will need to document
 139   // the expected behavior very clearly.
 140   int syscall_args[6];
 141   for (size_t i = 0; i < arraysize(syscall_args); ++i) {
 142     syscall_args[i] = kExpectedValue + i;
 143   }
 144
 145   // We could use pretty much any system call we don't need here. uname() is
 146   // nice because it doesn't have any dangerous side effects.
 147   BPF_ASSERT(Syscall::Call(__NR_uname,
 148                            syscall_args[0],
 149                            syscall_args[1],
 150                            syscall_args[2],
 151                            syscall_args[3],
 152                            syscall_args[4],
 153                            syscall_args[5]) == -ENOMEM);
 154
 155   // We expect the trap handler to have copied the 6 arguments.
 156   BPF_ASSERT(BPF_AUX->size() == 6);
 157
 158   // Don't loop here so that we can see which argument does cause the failure
 159   // easily from the failing line.
 160   // uint64_t is the type passed to our SIGSYS handler.
 161   BPF_ASSERT((*BPF_AUX)[0] == static_cast<uint64_t>(syscall_args[0]));
 162   BPF_ASSERT((*BPF_AUX)[1] == static_cast<uint64_t>(syscall_args[1]));
 163   BPF_ASSERT((*BPF_AUX)[2] == static_cast<uint64_t>(syscall_args[2]));
 164   BPF_ASSERT((*BPF_AUX)[3] == static_cast<uint64_t>(syscall_args[3]));
 165   BPF_ASSERT((*BPF_AUX)[4] == static_cast<uint64_t>(syscall_args[4]));
 166   BPF_ASSERT((*BPF_AUX)[5] == static_cast<uint64_t>(syscall_args[5]));
 167 }
 168
 169 TEST(Syscall, ComplexSyscallSixArgs) {
 170   int fd;
 171   ASSERT_LE(0,
 172             fd = Syscall::Call(__NR_openat, AT_FDCWD, "/dev/null", O_RDWR, 0L));
 173
 174   // Use mmap() to allocate some read-only memory
 175   char* addr0;
 176   ASSERT_NE(
 177       (char*)NULL,
 178       addr0 = reinterpret_cast<char*>(Syscall::Call(kMMapNr,
 179                                                     (void*)NULL,
 180                                                     4096,
 181                                                     PROT_READ,
 182                                                     MAP_PRIVATE | MAP_ANONYMOUS,
 183                                                     fd,
 184                                                     0L)));
 185
 186   // Try to replace the existing mapping with a read-write mapping
 187   char* addr1;
 188   ASSERT_EQ(addr0,
 189             addr1 = reinterpret_cast<char*>(
 190                 Syscall::Call(kMMapNr,
 191                               addr0,
 192                               4096L,
 193                               PROT_READ | PROT_WRITE,
 194                               MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
 195                               fd,
 196                               0L)));
 197   ++*addr1;  // This should not seg fault
 198
 199   // Clean up
 200   EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr1, 4096L));
 201   EXPECT_EQ(0, IGNORE_EINTR(Syscall::Call(__NR_close, fd)));
 202
 203   // Check that the offset argument (i.e. the sixth argument) is processed
 204   // correctly.
 205   ASSERT_GE(
 206       fd = Syscall::Call(__NR_openat, AT_FDCWD, "/proc/self/exe", O_RDONLY, 0L),
 207       0);
 208   char* addr2, *addr3;
 209   ASSERT_NE((char*)NULL,
 210             addr2 = reinterpret_cast<char*>(Syscall::Call(
 211                 kMMapNr, (void*)NULL, 8192L, PROT_READ, MAP_PRIVATE, fd, 0L)));
 212   ASSERT_NE((char*)NULL,
 213             addr3 = reinterpret_cast<char*>(Syscall::Call(kMMapNr,
 214                                                           (void*)NULL,
 215                                                           4096L,
 216                                                           PROT_READ,
 217                                                           MAP_PRIVATE,
 218                                                           fd,
 219 #if defined(__NR_mmap2)
 220                                                           1L
 221 #else
 222                                                           4096L
 223 #endif
 224                                                           )));
 225   EXPECT_EQ(0, memcmp(addr2 + 4096, addr3, 4096));
 226
 227   // Just to be absolutely on the safe side, also verify that the file
 228   // contents matches what we are getting from a read() operation.
 229   char buf[8192];
 230   EXPECT_EQ(8192, Syscall::Call(__NR_read, fd, buf, 8192L));
 231   EXPECT_EQ(0, memcmp(addr2, buf, 8192));
 232
 233   // Clean up
 234   EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr2, 8192L));
 235   EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr3, 4096L));
 236   EXPECT_EQ(0, IGNORE_EINTR(Syscall::Call(__NR_close, fd)));
 237 }
 238
 239 }  // namespace
 240
 241 }  // namespace sandbox