Supervised users: Re-check ManagementPolicy when ProfileIsSupervised changes.
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / bpf_tests_unittest.cc
blob63e1814c90bf0603f636ca8940fa045b012ae2bb
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
7 #include <errno.h>
8 #include <sys/ptrace.h>
9 #include <sys/syscall.h>
10 #include <sys/types.h>
11 #include <unistd.h>
13 #include "base/logging.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "build/build_config.h"
16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
17 #include "sandbox/linux/bpf_dsl/policy.h"
18 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
19 #include "sandbox/linux/services/syscall_wrappers.h"
20 #include "sandbox/linux/system_headers/linux_syscalls.h"
21 #include "sandbox/linux/tests/unit_tests.h"
22 #include "testing/gtest/include/gtest/gtest.h"
24 using sandbox::bpf_dsl::Allow;
25 using sandbox::bpf_dsl::Error;
26 using sandbox::bpf_dsl::ResultExpr;
28 namespace sandbox {
30 namespace {
32 class FourtyTwo {
33 public:
34 static const int kMagicValue = 42;
35 FourtyTwo() : value_(kMagicValue) {}
36 int value() { return value_; }
38 private:
39 int value_;
40 DISALLOW_COPY_AND_ASSIGN(FourtyTwo);
43 class EmptyClassTakingPolicy : public bpf_dsl::Policy {
44 public:
45 explicit EmptyClassTakingPolicy(FourtyTwo* fourty_two) {
46 BPF_ASSERT(fourty_two);
47 BPF_ASSERT(FourtyTwo::kMagicValue == fourty_two->value());
49 ~EmptyClassTakingPolicy() override {}
51 ResultExpr EvaluateSyscall(int sysno) const override {
52 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
53 return Allow();
57 BPF_TEST(BPFTest,
58 BPFAUXPointsToClass,
59 EmptyClassTakingPolicy,
60 FourtyTwo /* *BPF_AUX */) {
61 // BPF_AUX should point to an instance of FourtyTwo.
62 BPF_ASSERT(BPF_AUX);
63 BPF_ASSERT(FourtyTwo::kMagicValue == BPF_AUX->value());
66 void DummyTestFunction(FourtyTwo *fourty_two) {
69 TEST(BPFTest, BPFTesterCompatibilityDelegateLeakTest) {
70 // Don't do anything, simply gives dynamic tools an opportunity to detect
71 // leaks.
73 BPFTesterCompatibilityDelegate<EmptyClassTakingPolicy, FourtyTwo>
74 simple_delegate(DummyTestFunction);
77 // Test polymorphism.
78 scoped_ptr<BPFTesterDelegate> simple_delegate(
79 new BPFTesterCompatibilityDelegate<EmptyClassTakingPolicy, FourtyTwo>(
80 DummyTestFunction));
84 class EnosysPtracePolicy : public bpf_dsl::Policy {
85 public:
86 EnosysPtracePolicy() { my_pid_ = sys_getpid(); }
87 ~EnosysPtracePolicy() override {
88 // Policies should be able to bind with the process on which they are
89 // created. They should never be created in a parent process.
90 BPF_ASSERT_EQ(my_pid_, sys_getpid());
93 ResultExpr EvaluateSyscall(int system_call_number) const override {
94 CHECK(SandboxBPF::IsValidSyscallNumber(system_call_number));
95 if (system_call_number == __NR_ptrace) {
96 // The EvaluateSyscall function should run in the process that created
97 // the current object.
98 BPF_ASSERT_EQ(my_pid_, sys_getpid());
99 return Error(ENOSYS);
100 } else {
101 return Allow();
105 private:
106 pid_t my_pid_;
107 DISALLOW_COPY_AND_ASSIGN(EnosysPtracePolicy);
110 class BasicBPFTesterDelegate : public BPFTesterDelegate {
111 public:
112 BasicBPFTesterDelegate() {}
113 ~BasicBPFTesterDelegate() override {}
115 scoped_ptr<bpf_dsl::Policy> GetSandboxBPFPolicy() override {
116 return scoped_ptr<bpf_dsl::Policy>(new EnosysPtracePolicy());
118 void RunTestFunction() override {
119 errno = 0;
120 int ret = ptrace(PTRACE_TRACEME, -1, NULL, NULL);
121 BPF_ASSERT(-1 == ret);
122 BPF_ASSERT(ENOSYS == errno);
125 private:
126 DISALLOW_COPY_AND_ASSIGN(BasicBPFTesterDelegate);
129 // This is the most powerful and complex way to create a BPF test, but it
130 // requires a full class definition (BasicBPFTesterDelegate).
131 BPF_TEST_D(BPFTest, BPFTestWithDelegateClass, BasicBPFTesterDelegate);
133 // This is the simplest form of BPF tests.
134 BPF_TEST_C(BPFTest, BPFTestWithInlineTest, EnosysPtracePolicy) {
135 errno = 0;
136 int ret = ptrace(PTRACE_TRACEME, -1, NULL, NULL);
137 BPF_ASSERT(-1 == ret);
138 BPF_ASSERT(ENOSYS == errno);
141 const char kHelloMessage[] = "Hello";
143 BPF_DEATH_TEST_C(BPFTest,
144 BPFDeathTestWithInlineTest,
145 DEATH_MESSAGE(kHelloMessage),
146 EnosysPtracePolicy) {
147 LOG(ERROR) << kHelloMessage;
148 _exit(1);
151 } // namespace
153 } // namespace sandbox