search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix link in German terms of service.
[chromium-blink-merge.git] / sandbox / linux / bpf_dsl / bpf_dsl_unittest.cc
blob398ec59ef1f1eb4e2d3e681ae2a02fa1ca43b284
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <netinet/in.h>
10 #include <sys/socket.h>
11 #include <sys/syscall.h>
12 #include <sys/utsname.h>
13 #include <unistd.h>
14
15 #include <map>
16 #include <utility>
17
18 #include "base/files/scoped_file.h"
19 #include "base/macros.h"
20 #include "build/build_config.h"
21 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
22 #include "sandbox/linux/bpf_dsl/codegen.h"
23 #include "sandbox/linux/bpf_dsl/policy.h"
24 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
25 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
26 #include "sandbox/linux/bpf_dsl/trap_registry.h"
27 #include "sandbox/linux/bpf_dsl/verifier.h"
28 #include "sandbox/linux/seccomp-bpf/errorcode.h"
29 #include "sandbox/linux/system_headers/linux_filter.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #define CASES SANDBOX_BPF_DSL_CASES
33
34 namespace sandbox {
35 namespace bpf_dsl {
36 namespace {
37
38 // Helper function to construct fake arch_seccomp_data objects.
39 struct arch_seccomp_data FakeSyscall(int nr,
40 uint64_t p0 = 0,
41 uint64_t p1 = 0,
42 uint64_t p2 = 0,
43 uint64_t p3 = 0,
44 uint64_t p4 = 0,
45 uint64_t p5 = 0) {
46 // Made up program counter for syscall address.
47 const uint64_t kFakePC = 0x543210;
48
49 struct arch_seccomp_data data = {
50 nr,
51 SECCOMP_ARCH,
52 kFakePC,
53 {
54 p0, p1, p2, p3, p4, p5,
55 },
56 };
57
58 return data;
59 }
60
61 class FakeTrapRegistry : public TrapRegistry {
62 public:
63 FakeTrapRegistry() : map_() {}
64 virtual ~FakeTrapRegistry() {}
65
66 uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override {
67 EXPECT_TRUE(safe);
68
69 const uint16_t next_id = map_.size() + 1;
70 return map_.insert(std::make_pair(Key(fnc, aux), next_id)).first->second;
71 }
72
73 bool EnableUnsafeTraps() override {
74 ADD_FAILURE() << "Unimplemented";
75 return false;
76 }
77
78 private:
79 using Key = std::pair<TrapFnc, const void*>;
80
81 std::map<Key, uint16_t> map_;
82
83 DISALLOW_COPY_AND_ASSIGN(FakeTrapRegistry);
84 };
85
86 intptr_t FakeTrapFuncOne(const arch_seccomp_data& data, void* aux) { return 1; }
87 intptr_t FakeTrapFuncTwo(const arch_seccomp_data& data, void* aux) { return 2; }
88
89 // Test that FakeTrapRegistry correctly assigns trap IDs to trap handlers.
90 TEST(FakeTrapRegistry, TrapIDs) {
91 struct {
92 TrapRegistry::TrapFnc fnc;
93 const void* aux;
94 } funcs[] = {
95 {FakeTrapFuncOne, nullptr},
96 {FakeTrapFuncTwo, nullptr},
97 {FakeTrapFuncOne, funcs},
98 {FakeTrapFuncTwo, funcs},
99 };
100
101 FakeTrapRegistry traps;
102
103 // Add traps twice to test that IDs are reused correctly.
104 for (int i = 0; i < 2; ++i) {
105 for (size_t j = 0; j < arraysize(funcs); ++j) {
106 // Trap IDs start at 1.
107 EXPECT_EQ(j + 1, traps.Add(funcs[j].fnc, funcs[j].aux, true));
108 }
109 }
110 }
111
112 class PolicyEmulator {
113 public:
114 explicit PolicyEmulator(const Policy* policy) : program_(), traps_() {
115 program_ = *PolicyCompiler(policy, &traps_).Compile(true /* verify */);
116 }
117 ~PolicyEmulator() {}
118
119 uint32_t Emulate(const struct arch_seccomp_data& data) const {
120 const char* err = nullptr;
121 uint32_t res = Verifier::EvaluateBPF(program_, data, &err);
122 if (err) {
123 ADD_FAILURE() << err;
124 return 0;
125 }
126 return res;
127 }
128
129 void ExpectAllow(const struct arch_seccomp_data& data) const {
130 EXPECT_EQ(SECCOMP_RET_ALLOW, Emulate(data));
131 }
132
133 void ExpectErrno(uint16_t err, const struct arch_seccomp_data& data) const {
134 EXPECT_EQ(SECCOMP_RET_ERRNO | err, Emulate(data));
135 }
136
137 private:
138 CodeGen::Program program_;
139 FakeTrapRegistry traps_;
140
141 DISALLOW_COPY_AND_ASSIGN(PolicyEmulator);
142 };
143
144 class BasicPolicy : public Policy {
145 public:
146 BasicPolicy() {}
147 ~BasicPolicy() override {}
148 ResultExpr EvaluateSyscall(int sysno) const override {
149 if (sysno == __NR_getpgid) {
150 const Arg<pid_t> pid(0);
151 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
152 }
153 if (sysno == __NR_setuid) {
154 const Arg<uid_t> uid(0);
155 return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
156 }
157 return Allow();
158 }
159
160 private:
161 DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
162 };
163
164 TEST(BPFDSL, Basic) {
165 BasicPolicy policy;
166 PolicyEmulator emulator(&policy);
167
168 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_getpgid, 0));
169 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_getpgid, 1));
170
171 emulator.ExpectErrno(ENOMEM, FakeSyscall(__NR_setuid, 42));
172 emulator.ExpectErrno(ESRCH, FakeSyscall(__NR_setuid, 43));
173 }
174
175 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
176 #if !defined(ARCH_CPU_X86)
177 class BooleanLogicPolicy : public Policy {
178 public:
179 BooleanLogicPolicy() {}
180 ~BooleanLogicPolicy() override {}
181 ResultExpr EvaluateSyscall(int sysno) const override {
182 if (sysno == __NR_socketpair) {
183 const Arg<int> domain(0), type(1), protocol(2);
184 return If(domain == AF_UNIX &&
185 (type == SOCK_STREAM || type == SOCK_DGRAM) &&
186 protocol == 0,
187 Error(EPERM)).Else(Error(EINVAL));
188 }
189 return Allow();
190 }
191
192 private:
193 DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
194 };
195
196 TEST(BPFDSL, BooleanLogic) {
197 BooleanLogicPolicy policy;
198 PolicyEmulator emulator(&policy);
199
200 const intptr_t kFakeSV = 0x12345;
201
202 // Acceptable combinations that should return EPERM.
203 emulator.ExpectErrno(
204 EPERM, FakeSyscall(__NR_socketpair, AF_UNIX, SOCK_STREAM, 0, kFakeSV));
205 emulator.ExpectErrno(
206 EPERM, FakeSyscall(__NR_socketpair, AF_UNIX, SOCK_DGRAM, 0, kFakeSV));
207
208 // Combinations that are invalid for only one reason; should return EINVAL.
209 emulator.ExpectErrno(
210 EINVAL, FakeSyscall(__NR_socketpair, AF_INET, SOCK_STREAM, 0, kFakeSV));
211 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_socketpair, AF_UNIX,
212 SOCK_SEQPACKET, 0, kFakeSV));
213 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_socketpair, AF_UNIX,
214 SOCK_STREAM, IPPROTO_TCP, kFakeSV));
215
216 // Completely unacceptable combination; should also return EINVAL.
217 emulator.ExpectErrno(
218 EINVAL, FakeSyscall(__NR_socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP,
219 kFakeSV));
220 }
221 #endif // !ARCH_CPU_X86
222
223 class MoreBooleanLogicPolicy : public Policy {
224 public:
225 MoreBooleanLogicPolicy() {}
226 ~MoreBooleanLogicPolicy() override {}
227 ResultExpr EvaluateSyscall(int sysno) const override {
228 if (sysno == __NR_setresuid) {
229 const Arg<uid_t> ruid(0), euid(1), suid(2);
230 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
231 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
232 .Else(Error(EINVAL));
233 }
234 return Allow();
235 }
236
237 private:
238 DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
239 };
240
241 TEST(BPFDSL, MoreBooleanLogic) {
242 MoreBooleanLogicPolicy policy;
243 PolicyEmulator emulator(&policy);
244
245 // Expect EPERM if any set to 0.
246 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_setresuid, 0, 5, 5));
247 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_setresuid, 5, 0, 5));
248 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_setresuid, 5, 5, 0));
249
250 // Expect EAGAIN if all set to 1.
251 emulator.ExpectErrno(EAGAIN, FakeSyscall(__NR_setresuid, 1, 1, 1));
252
253 // Expect EINVAL for anything else.
254 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 5, 1, 1));
255 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 1, 5, 1));
256 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 1, 1, 5));
257 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 3, 4, 5));
258 }
259
260 static const uintptr_t kDeadBeefAddr =
261 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
262
263 class ArgSizePolicy : public Policy {
264 public:
265 ArgSizePolicy() {}
266 ~ArgSizePolicy() override {}
267 ResultExpr EvaluateSyscall(int sysno) const override {
268 if (sysno == __NR_uname) {
269 const Arg<uintptr_t> addr(0);
270 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
271 }
272 return Allow();
273 }
274
275 private:
276 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
277 };
278
279 TEST(BPFDSL, ArgSizeTest) {
280 ArgSizePolicy policy;
281 PolicyEmulator emulator(&policy);
282
283 emulator.ExpectAllow(FakeSyscall(__NR_uname, 0));
284 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_uname, kDeadBeefAddr));
285 }
286
287 #if 0
288 // TODO(mdempsky): This is really an integration test.
289
290 class TrappingPolicy : public Policy {
291 public:
292 TrappingPolicy() {}
293 ~TrappingPolicy() override {}
294 ResultExpr EvaluateSyscall(int sysno) const override {
295 if (sysno == __NR_uname) {
296 return Trap(UnameTrap, &count_);
297 }
298 return Allow();
299 }
300
301 private:
302 static intptr_t count_;
303
304 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
305 BPF_ASSERT_EQ(&count_, aux);
306 return ++count_;
307 }
308
309 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
310 };
311
312 intptr_t TrappingPolicy::count_;
313
314 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
315 ASSERT_SYSCALL_RESULT(1, uname, NULL);
316 ASSERT_SYSCALL_RESULT(2, uname, NULL);
317 ASSERT_SYSCALL_RESULT(3, uname, NULL);
318 }
319 #endif
320
321 class MaskingPolicy : public Policy {
322 public:
323 MaskingPolicy() {}
324 ~MaskingPolicy() override {}
325 ResultExpr EvaluateSyscall(int sysno) const override {
326 if (sysno == __NR_setuid) {
327 const Arg<uid_t> uid(0);
328 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
329 }
330 if (sysno == __NR_setgid) {
331 const Arg<gid_t> gid(0);
332 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
333 }
334 if (sysno == __NR_setpgid) {
335 const Arg<pid_t> pid(0);
336 return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES));
337 }
338 return Allow();
339 }
340
341 private:
342 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
343 };
344
345 TEST(BPFDSL, MaskTest) {
346 MaskingPolicy policy;
347 PolicyEmulator emulator(&policy);
348
349 for (uid_t uid = 0; uid < 0x100; ++uid) {
350 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
351 emulator.ExpectErrno(expect_errno, FakeSyscall(__NR_setuid, uid));
352 }
353
354 for (gid_t gid = 0; gid < 0x100; ++gid) {
355 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
356 emulator.ExpectErrno(expect_errno, FakeSyscall(__NR_setgid, gid));
357 }
358
359 for (pid_t pid = 0; pid < 0x100; ++pid) {
360 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
361 emulator.ExpectErrno(expect_errno, FakeSyscall(__NR_setpgid, pid, 0));
362 }
363 }
364
365 class ElseIfPolicy : public Policy {
366 public:
367 ElseIfPolicy() {}
368 ~ElseIfPolicy() override {}
369 ResultExpr EvaluateSyscall(int sysno) const override {
370 if (sysno == __NR_setuid) {
371 const Arg<uid_t> uid(0);
372 return If((uid & 0xfff) == 0, Error(0))
373 .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
374 .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
375 .Else(Error(EACCES));
376 }
377 return Allow();
378 }
379
380 private:
381 DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
382 };
383
384 TEST(BPFDSL, ElseIfTest) {
385 ElseIfPolicy policy;
386 PolicyEmulator emulator(&policy);
387
388 emulator.ExpectErrno(0, FakeSyscall(__NR_setuid, 0));
389
390 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setuid, 0x0001));
391 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setuid, 0x0002));
392
393 emulator.ExpectErrno(EEXIST, FakeSyscall(__NR_setuid, 0x0011));
394 emulator.ExpectErrno(EEXIST, FakeSyscall(__NR_setuid, 0x0022));
395
396 emulator.ExpectErrno(EACCES, FakeSyscall(__NR_setuid, 0x0111));
397 emulator.ExpectErrno(EACCES, FakeSyscall(__NR_setuid, 0x0222));
398 }
399
400 class SwitchPolicy : public Policy {
401 public:
402 SwitchPolicy() {}
403 ~SwitchPolicy() override {}
404 ResultExpr EvaluateSyscall(int sysno) const override {
405 if (sysno == __NR_fcntl) {
406 const Arg<int> cmd(1);
407 const Arg<unsigned long> long_arg(2);
408 return Switch(cmd)
409 .CASES((F_GETFL, F_GETFD), Error(ENOENT))
410 .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
411 .Case(F_SETFL, Error(EPERM))
412 .Default(Error(EACCES));
413 }
414 return Allow();
415 }
416
417 private:
418 DISALLOW_COPY_AND_ASSIGN(SwitchPolicy);
419 };
420
421 TEST(BPFDSL, SwitchTest) {
422 SwitchPolicy policy;
423 PolicyEmulator emulator(&policy);
424
425 const int kFakeSockFD = 42;
426
427 emulator.ExpectErrno(ENOENT, FakeSyscall(__NR_fcntl, kFakeSockFD, F_GETFD));
428 emulator.ExpectErrno(ENOENT, FakeSyscall(__NR_fcntl, kFakeSockFD, F_GETFL));
429
430 emulator.ExpectAllow(
431 FakeSyscall(__NR_fcntl, kFakeSockFD, F_SETFD, O_CLOEXEC));
432 emulator.ExpectErrno(EINVAL,
433 FakeSyscall(__NR_fcntl, kFakeSockFD, F_SETFD, 0));
434
435 emulator.ExpectErrno(EPERM,
436 FakeSyscall(__NR_fcntl, kFakeSockFD, F_SETFL, O_RDONLY));
437
438 emulator.ExpectErrno(EACCES,
439 FakeSyscall(__NR_fcntl, kFakeSockFD, F_DUPFD, 0));
440 }
441
442 static intptr_t DummyTrap(const struct arch_seccomp_data& data, void* aux) {
443 return 0;
444 }
445
446 TEST(BPFDSL, IsAllowDeny) {
447 ResultExpr allow = Allow();
448 EXPECT_TRUE(allow->IsAllow());
449 EXPECT_FALSE(allow->IsDeny());
450
451 ResultExpr error = Error(ENOENT);
452 EXPECT_FALSE(error->IsAllow());
453 EXPECT_TRUE(error->IsDeny());
454
455 ResultExpr trace = Trace(42);
456 EXPECT_FALSE(trace->IsAllow());
457 EXPECT_FALSE(trace->IsDeny());
458
459 ResultExpr trap = Trap(DummyTrap, nullptr);
460 EXPECT_FALSE(trap->IsAllow());
461 EXPECT_TRUE(trap->IsDeny());
462
463 const Arg<int> arg(0);
464 ResultExpr maybe = If(arg == 0, Allow()).Else(Error(EPERM));
465 EXPECT_FALSE(maybe->IsAllow());
466 EXPECT_FALSE(maybe->IsDeny());
467 }
468
469 TEST(BPFDSL, HasUnsafeTraps) {
470 ResultExpr allow = Allow();
471 EXPECT_FALSE(allow->HasUnsafeTraps());
472
473 ResultExpr safe = Trap(DummyTrap, nullptr);
474 EXPECT_FALSE(safe->HasUnsafeTraps());
475
476 ResultExpr unsafe = UnsafeTrap(DummyTrap, nullptr);
477 EXPECT_TRUE(unsafe->HasUnsafeTraps());
478
479 const Arg<int> arg(0);
480 ResultExpr maybe = If(arg == 0, allow).Else(unsafe);
481 EXPECT_TRUE(maybe->HasUnsafeTraps());
482 }
483
484 } // namespace
485 } // namespace bpf_dsl
486 } // namespace sandbox