sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h"
   6
   7 #include <fcntl.h>
   8 #include <linux/filter.h>
   9
  10 #include "base/logging.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "sandbox/linux/bpf_dsl/policy.h"
  13 #include "sandbox/linux/seccomp-bpf/die.h"
  14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
  15 #include "sandbox/linux/tests/unit_tests.h"
  16
  17 namespace sandbox {
  18
  19 SandboxBPFTestRunner::SandboxBPFTestRunner(
  20     BPFTesterDelegate* bpf_tester_delegate)
  21     : bpf_tester_delegate_(bpf_tester_delegate) {
  22 }
  23
  24 SandboxBPFTestRunner::~SandboxBPFTestRunner() {
  25 }
  26
  27 void SandboxBPFTestRunner::Run() {
  28   DCHECK(bpf_tester_delegate_);
  29   sandbox::Die::EnableSimpleExit();
  30
  31   scoped_ptr<bpf_dsl::Policy> policy =
  32       bpf_tester_delegate_->GetSandboxBPFPolicy();
  33
  34   if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
  35       sandbox::SandboxBPF::STATUS_AVAILABLE) {
  36     // Ensure the the sandbox is actually available at this time
  37     int proc_fd;
  38     SANDBOX_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0);
  39     SANDBOX_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) ==
  40                    sandbox::SandboxBPF::STATUS_AVAILABLE);
  41
  42     // Initialize and then start the sandbox with our custom policy
  43     sandbox::SandboxBPF sandbox;
  44     sandbox.set_proc_fd(proc_fd);
  45     sandbox.SetSandboxPolicy(policy.release());
  46     SANDBOX_ASSERT(
  47         sandbox.StartSandbox(sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
  48
  49     // Run the actual test.
  50     bpf_tester_delegate_->RunTestFunction();
  51   } else {
  52     printf("This BPF test is not fully running in this configuration!\n");
  53     // Android and Valgrind are the only configurations where we accept not
  54     // having kernel BPF support.
  55     if (!IsAndroid() && !IsRunningOnValgrind()) {
  56       const bool seccomp_bpf_is_supported = false;
  57       SANDBOX_ASSERT(seccomp_bpf_is_supported);
  58     }
  59     // Call the compiler and verify the policy. That's the least we can do,
  60     // if we don't have kernel support.
  61     sandbox::SandboxBPF sandbox;
  62     sandbox.SetSandboxPolicy(policy.release());
  63     sandbox.AssembleFilter(true /* force_verification */);
  64     sandbox::UnitTests::IgnoreThisTest();
  65   }
  66 }
  67
  68 bool SandboxBPFTestRunner::ShouldCheckForLeaks() const {
  69   // LSAN requires being able to use ptrace() and other system calls that could
  70   // be denied.
  71   return false;
  72 }
  73
  74 }  // namespace sandbox