Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / sandbox / linux / integration_tests / seccomp_broker_process_unittest.cc
blob9aa320997b3b43d0d33ccc077d496fe48ab1404f
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <sys/types.h>
6 #include <sys/stat.h>
7 #include <fcntl.h>
8 #include <unistd.h>
10 #include <vector>
12 #include "base/bind.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/posix/eintr_wrapper.h"
15 #include "build/build_config.h"
16 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
17 #include "sandbox/linux/bpf_dsl/policy.h"
18 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
19 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
20 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
21 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
22 #include "sandbox/linux/syscall_broker/broker_process.h"
23 #include "sandbox/linux/system_headers/linux_syscalls.h"
24 #include "sandbox/linux/tests/unit_tests.h"
25 #include "testing/gtest/include/gtest/gtest.h"
27 namespace sandbox {
29 namespace {
31 using bpf_dsl::Allow;
32 using bpf_dsl::ResultExpr;
33 using bpf_dsl::Trap;
35 bool NoOpCallback() {
36 return true;
39 // Test a trap handler that makes use of a broker process to open().
41 class InitializedOpenBroker {
42 public:
43 InitializedOpenBroker() : initialized_(false) {
44 std::vector<syscall_broker::BrokerFilePermission> permissions;
45 permissions.push_back(
46 syscall_broker::BrokerFilePermission::ReadOnly("/proc/allowed"));
47 permissions.push_back(
48 syscall_broker::BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
50 broker_process_.reset(
51 new syscall_broker::BrokerProcess(EPERM, permissions));
52 BPF_ASSERT(broker_process() != NULL);
53 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));
55 initialized_ = true;
57 bool initialized() { return initialized_; }
58 class syscall_broker::BrokerProcess* broker_process() {
59 return broker_process_.get();
62 private:
63 bool initialized_;
64 scoped_ptr<class syscall_broker::BrokerProcess> broker_process_;
65 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker);
68 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args,
69 void* aux) {
70 BPF_ASSERT(aux);
71 syscall_broker::BrokerProcess* broker_process =
72 static_cast<syscall_broker::BrokerProcess*>(aux);
73 switch (args.nr) {
74 case __NR_faccessat: // access is a wrapper of faccessat in android
75 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
76 return broker_process->Access(reinterpret_cast<const char*>(args.args[1]),
77 static_cast<int>(args.args[2]));
78 #if defined(__NR_access)
79 case __NR_access:
80 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
81 static_cast<int>(args.args[1]));
82 #endif
83 #if defined(__NR_open)
84 case __NR_open:
85 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
86 static_cast<int>(args.args[1]));
87 #endif
88 case __NR_openat:
89 // We only call open() so if we arrive here, it's because glibc uses
90 // the openat() system call.
91 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
92 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
93 static_cast<int>(args.args[2]));
94 default:
95 BPF_ASSERT(false);
96 return -ENOSYS;
100 class DenyOpenPolicy : public bpf_dsl::Policy {
101 public:
102 explicit DenyOpenPolicy(InitializedOpenBroker* iob) : iob_(iob) {}
103 ~DenyOpenPolicy() override {}
105 ResultExpr EvaluateSyscall(int sysno) const override {
106 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
108 switch (sysno) {
109 case __NR_faccessat:
110 #if defined(__NR_access)
111 case __NR_access:
112 #endif
113 #if defined(__NR_open)
114 case __NR_open:
115 #endif
116 case __NR_openat:
117 // We get a InitializedOpenBroker class, but our trap handler wants
118 // the syscall_broker::BrokerProcess object.
119 return Trap(BrokerOpenTrapHandler, iob_->broker_process());
120 default:
121 return Allow();
125 private:
126 InitializedOpenBroker* iob_;
128 DISALLOW_COPY_AND_ASSIGN(DenyOpenPolicy);
131 // We use a InitializedOpenBroker class, so that we can run unsandboxed
132 // code in its constructor, which is the only way to do so in a BPF_TEST.
133 BPF_TEST(SandboxBPF,
134 UseOpenBroker,
135 DenyOpenPolicy,
136 InitializedOpenBroker /* (*BPF_AUX) */) {
137 BPF_ASSERT(BPF_AUX->initialized());
138 syscall_broker::BrokerProcess* broker_process = BPF_AUX->broker_process();
139 BPF_ASSERT(broker_process != NULL);
141 // First, use the broker "manually"
142 BPF_ASSERT(broker_process->Open("/proc/denied", O_RDONLY) == -EPERM);
143 BPF_ASSERT(broker_process->Access("/proc/denied", R_OK) == -EPERM);
144 BPF_ASSERT(broker_process->Open("/proc/allowed", O_RDONLY) == -ENOENT);
145 BPF_ASSERT(broker_process->Access("/proc/allowed", R_OK) == -ENOENT);
147 // Now use glibc's open() as an external library would.
148 BPF_ASSERT(open("/proc/denied", O_RDONLY) == -1);
149 BPF_ASSERT(errno == EPERM);
151 BPF_ASSERT(open("/proc/allowed", O_RDONLY) == -1);
152 BPF_ASSERT(errno == ENOENT);
154 // Also test glibc's openat(), some versions of libc use it transparently
155 // instead of open().
156 BPF_ASSERT(openat(AT_FDCWD, "/proc/denied", O_RDONLY) == -1);
157 BPF_ASSERT(errno == EPERM);
159 BPF_ASSERT(openat(AT_FDCWD, "/proc/allowed", O_RDONLY) == -1);
160 BPF_ASSERT(errno == ENOENT);
162 // And test glibc's access().
163 BPF_ASSERT(access("/proc/denied", R_OK) == -1);
164 BPF_ASSERT(errno == EPERM);
166 BPF_ASSERT(access("/proc/allowed", R_OK) == -1);
167 BPF_ASSERT(errno == ENOENT);
169 // This is also white listed and does exist.
170 int cpu_info_access = access("/proc/cpuinfo", R_OK);
171 BPF_ASSERT(cpu_info_access == 0);
172 int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);
173 BPF_ASSERT(cpu_info_fd >= 0);
174 char buf[1024];
175 BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
178 } // namespace
180 } // namespace sandbox