sandbox/linux/bpf_dsl/bpf_dsl_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
   6
   7 #include <errno.h>
   8 #include <fcntl.h>
   9 #include <netinet/in.h>
  10 #include <sys/socket.h>
  11 #include <sys/syscall.h>
  12 #include <sys/utsname.h>
  13 #include <unistd.h>
  14
  15 #include "base/files/scoped_file.h"
  16 #include "base/macros.h"
  17 #include "build/build_config.h"
  18 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
  19 #include "sandbox/linux/seccomp-bpf/errorcode.h"
  20 #include "sandbox/linux/seccomp-bpf/syscall.h"
  21
  22 #define CASES SANDBOX_BPF_DSL_CASES
  23
  24 // Helper macro to assert that invoking system call |sys| directly via
  25 // Syscall::Call with arguments |...| returns |res|.
  26 // Errors can be asserted by specifying a value like "-EINVAL".
  27 #define ASSERT_SYSCALL_RESULT(res, sys, ...) \
  28   BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__))
  29
  30 namespace sandbox {
  31 namespace bpf_dsl {
  32 namespace {
  33
  34 // Type safe stubs for tested system calls.
  35 class Stubs {
  36  public:
  37   static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); }
  38   static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); }
  39   static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); }
  40   static int setpgid(pid_t pid, pid_t pgid) {
  41     return Syscall::Call(__NR_setpgid, pid, pgid);
  42   }
  43
  44   static int fcntl(int fd, int cmd, unsigned long arg = 0) {
  45     return Syscall::Call(__NR_fcntl, fd, cmd, arg);
  46   }
  47
  48   static int uname(struct utsname* buf) {
  49     return Syscall::Call(__NR_uname, buf);
  50   }
  51
  52   static int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
  53     return Syscall::Call(__NR_setresuid, ruid, euid, suid);
  54   }
  55
  56 #if !defined(ARCH_CPU_X86)
  57   static int socketpair(int domain, int type, int protocol, int sv[2]) {
  58     return Syscall::Call(__NR_socketpair, domain, type, protocol, sv);
  59   }
  60 #endif
  61 };
  62
  63 class BasicPolicy : public SandboxBPFDSLPolicy {
  64  public:
  65   BasicPolicy() {}
  66   virtual ~BasicPolicy() {}
  67   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
  68     if (sysno == __NR_getpgid) {
  69       const Arg<pid_t> pid(0);
  70       return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
  71     }
  72     if (sysno == __NR_setuid) {
  73       const Arg<uid_t> uid(0);
  74       return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
  75     }
  76     return Allow();
  77   }
  78
  79  private:
  80   DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
  81 };
  82
  83 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
  84   ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0);
  85   ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1);
  86
  87   ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42);
  88   ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43);
  89 }
  90
  91 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
  92 #if !defined(ARCH_CPU_X86)
  93 class BooleanLogicPolicy : public SandboxBPFDSLPolicy {
  94  public:
  95   BooleanLogicPolicy() {}
  96   virtual ~BooleanLogicPolicy() {}
  97   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
  98     if (sysno == __NR_socketpair) {
  99       const Arg<int> domain(0), type(1), protocol(2);
 100       return If(domain == AF_UNIX &&
 101                     (type == SOCK_STREAM || type == SOCK_DGRAM) &&
 102                     protocol == 0,
 103                 Error(EPERM)).Else(Error(EINVAL));
 104     }
 105     return Allow();
 106   }
 107
 108  private:
 109   DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
 110 };
 111
 112 BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) {
 113   int sv[2];
 114
 115   // Acceptable combinations that should return EPERM.
 116   ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv);
 117   ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv);
 118
 119   // Combinations that are invalid for only one reason; should return EINVAL.
 120   ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv);
 121   ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv);
 122   ASSERT_SYSCALL_RESULT(
 123       -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv);
 124
 125   // Completely unacceptable combination; should also return EINVAL.
 126   ASSERT_SYSCALL_RESULT(
 127       -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv);
 128 }
 129 #endif  // !ARCH_CPU_X86
 130
 131 class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy {
 132  public:
 133   MoreBooleanLogicPolicy() {}
 134   virtual ~MoreBooleanLogicPolicy() {}
 135   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 136     if (sysno == __NR_setresuid) {
 137       const Arg<uid_t> ruid(0), euid(1), suid(2);
 138       return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
 139           .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
 140           .Else(Error(EINVAL));
 141     }
 142     return Allow();
 143   }
 144
 145  private:
 146   DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
 147 };
 148
 149 BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) {
 150   // Expect EPERM if any set to 0.
 151   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5);
 152   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5);
 153   ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0);
 154
 155   // Expect EAGAIN if all set to 1.
 156   ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1);
 157
 158   // Expect EINVAL for anything else.
 159   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1);
 160   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1);
 161   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5);
 162   ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5);
 163 }
 164
 165 static const uintptr_t kDeadBeefAddr =
 166     static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
 167
 168 class ArgSizePolicy : public SandboxBPFDSLPolicy {
 169  public:
 170   ArgSizePolicy() {}
 171   virtual ~ArgSizePolicy() {}
 172   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 173     if (sysno == __NR_uname) {
 174       const Arg<uintptr_t> addr(0);
 175       return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
 176     }
 177     return Allow();
 178   }
 179
 180  private:
 181   DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
 182 };
 183
 184 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) {
 185   struct utsname buf;
 186   ASSERT_SYSCALL_RESULT(0, uname, &buf);
 187   ASSERT_SYSCALL_RESULT(
 188       -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
 189 }
 190
 191 class TrappingPolicy : public SandboxBPFDSLPolicy {
 192  public:
 193   TrappingPolicy() {}
 194   virtual ~TrappingPolicy() {}
 195   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 196     if (sysno == __NR_uname) {
 197       return Trap(UnameTrap, &count_);
 198     }
 199     return Allow();
 200   }
 201
 202  private:
 203   static intptr_t count_;
 204
 205   static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
 206     BPF_ASSERT_EQ(&count_, aux);
 207     return ++count_;
 208   }
 209
 210   DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
 211 };
 212
 213 intptr_t TrappingPolicy::count_;
 214
 215 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
 216   ASSERT_SYSCALL_RESULT(1, uname, NULL);
 217   ASSERT_SYSCALL_RESULT(2, uname, NULL);
 218   ASSERT_SYSCALL_RESULT(3, uname, NULL);
 219 }
 220
 221 class MaskingPolicy : public SandboxBPFDSLPolicy {
 222  public:
 223   MaskingPolicy() {}
 224   virtual ~MaskingPolicy() {}
 225   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 226     if (sysno == __NR_setuid) {
 227       const Arg<uid_t> uid(0);
 228       return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
 229     }
 230     if (sysno == __NR_setgid) {
 231       const Arg<gid_t> gid(0);
 232       return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
 233     }
 234     if (sysno == __NR_setpgid) {
 235       const Arg<pid_t> pid(0);
 236       return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES));
 237     }
 238     return Allow();
 239   }
 240
 241  private:
 242   DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
 243 };
 244
 245 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) {
 246   for (uid_t uid = 0; uid < 0x100; ++uid) {
 247     const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
 248     ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid);
 249   }
 250
 251   for (gid_t gid = 0; gid < 0x100; ++gid) {
 252     const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
 253     ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid);
 254   }
 255
 256   for (pid_t pid = 0; pid < 0x100; ++pid) {
 257     const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
 258     ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0);
 259   }
 260 }
 261
 262 class ElseIfPolicy : public SandboxBPFDSLPolicy {
 263  public:
 264   ElseIfPolicy() {}
 265   virtual ~ElseIfPolicy() {}
 266   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 267     if (sysno == __NR_setuid) {
 268       const Arg<uid_t> uid(0);
 269       return If((uid & 0xfff) == 0, Error(0))
 270           .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
 271           .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
 272           .Else(Error(EACCES));
 273     }
 274     return Allow();
 275   }
 276
 277  private:
 278   DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
 279 };
 280
 281 BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) {
 282   ASSERT_SYSCALL_RESULT(0, setuid, 0);
 283
 284   ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001);
 285   ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002);
 286
 287   ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011);
 288   ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022);
 289
 290   ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111);
 291   ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
 292 }
 293
 294 class SwitchPolicy : public SandboxBPFDSLPolicy {
 295  public:
 296   SwitchPolicy() {}
 297   virtual ~SwitchPolicy() {}
 298   virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 299     if (sysno == __NR_fcntl) {
 300       const Arg<int> cmd(1);
 301       const Arg<unsigned long> long_arg(2);
 302       return Switch(cmd)
 303           .CASES((F_GETFL, F_GETFD), Error(ENOENT))
 304           .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
 305           .Case(F_SETFL, Error(EPERM))
 306           .Default(Error(EACCES));
 307     }
 308     return Allow();
 309   }
 310
 311  private:
 312   DISALLOW_COPY_AND_ASSIGN(SwitchPolicy);
 313 };
 314
 315 BPF_TEST_C(BPFDSL, SwitchTest, SwitchPolicy) {
 316   base::ScopedFD sock_fd(socket(AF_UNIX, SOCK_STREAM, 0));
 317   BPF_ASSERT(sock_fd.is_valid());
 318
 319   ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFD);
 320   ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFL);
 321
 322   ASSERT_SYSCALL_RESULT(0, fcntl, sock_fd.get(), F_SETFD, O_CLOEXEC);
 323   ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0);
 324
 325   ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY);
 326
 327   ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0);
 328 }
 329
 330 }  // namespace
 331 }  // namespace bpf_dsl
 332 }  // namespace sandbox