search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Updating XTBs based on .GRDs from branch master
[chromium-blink-merge.git] / sandbox / linux / bpf_dsl / bpf_dsl_unittest.cc
blob26675792fb0b63b0a6758a9c9a670fa87ee81618
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <netinet/in.h>
10 #include <sys/socket.h>
11 #include <sys/syscall.h>
12 #include <sys/utsname.h>
13 #include <unistd.h>
14
15 #include <map>
16 #include <utility>
17
18 #include "base/files/scoped_file.h"
19 #include "base/macros.h"
20 #include "build/build_config.h"
21 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
22 #include "sandbox/linux/bpf_dsl/codegen.h"
23 #include "sandbox/linux/bpf_dsl/policy.h"
24 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
25 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
26 #include "sandbox/linux/bpf_dsl/trap_registry.h"
27 #include "sandbox/linux/bpf_dsl/verifier.h"
28 #include "sandbox/linux/seccomp-bpf/errorcode.h"
29 #include "sandbox/linux/system_headers/linux_filter.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31
32 #define CASES SANDBOX_BPF_DSL_CASES
33
34 namespace sandbox {
35 namespace bpf_dsl {
36 namespace {
37
38 // Helper function to construct fake arch_seccomp_data objects.
39 struct arch_seccomp_data FakeSyscall(int nr,
40 uintptr_t p0 = 0,
41 uintptr_t p1 = 0,
42 uintptr_t p2 = 0,
43 uintptr_t p3 = 0,
44 uintptr_t p4 = 0,
45 uintptr_t p5 = 0) {
46 // Made up program counter for syscall address.
47 const uint64_t kFakePC = 0x543210;
48
49 struct arch_seccomp_data data = {
50 nr,
51 SECCOMP_ARCH,
52 kFakePC,
53 {
54 p0, p1, p2, p3, p4, p5,
55 },
56 };
57
58 return data;
59 }
60
61 class FakeTrapRegistry : public TrapRegistry {
62 public:
63 FakeTrapRegistry() : map_() {}
64 virtual ~FakeTrapRegistry() {}
65
66 uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override {
67 EXPECT_TRUE(safe);
68
69 const uint16_t next_id = map_.size() + 1;
70 return map_.insert(std::make_pair(Key(fnc, aux), next_id)).first->second;
71 }
72
73 bool EnableUnsafeTraps() override {
74 ADD_FAILURE() << "Unimplemented";
75 return false;
76 }
77
78 private:
79 using Key = std::pair<TrapFnc, const void*>;
80
81 std::map<Key, uint16_t> map_;
82
83 DISALLOW_COPY_AND_ASSIGN(FakeTrapRegistry);
84 };
85
86 intptr_t FakeTrapFuncOne(const arch_seccomp_data& data, void* aux) { return 1; }
87 intptr_t FakeTrapFuncTwo(const arch_seccomp_data& data, void* aux) { return 2; }
88
89 // Test that FakeTrapRegistry correctly assigns trap IDs to trap handlers.
90 TEST(FakeTrapRegistry, TrapIDs) {
91 struct {
92 TrapRegistry::TrapFnc fnc;
93 const void* aux;
94 } funcs[] = {
95 {FakeTrapFuncOne, nullptr},
96 {FakeTrapFuncTwo, nullptr},
97 {FakeTrapFuncOne, funcs},
98 {FakeTrapFuncTwo, funcs},
99 };
100
101 FakeTrapRegistry traps;
102
103 // Add traps twice to test that IDs are reused correctly.
104 for (int i = 0; i < 2; ++i) {
105 for (size_t j = 0; j < arraysize(funcs); ++j) {
106 // Trap IDs start at 1.
107 EXPECT_EQ(j + 1, traps.Add(funcs[j].fnc, funcs[j].aux, true));
108 }
109 }
110 }
111
112 class PolicyEmulator {
113 public:
114 explicit PolicyEmulator(const Policy* policy) : program_(), traps_() {
115 program_ = *PolicyCompiler(policy, &traps_).Compile(true /* verify */);
116 }
117 ~PolicyEmulator() {}
118
119 uint32_t Emulate(const struct arch_seccomp_data& data) const {
120 const char* err = nullptr;
121 uint32_t res = Verifier::EvaluateBPF(program_, data, &err);
122 if (err) {
123 ADD_FAILURE() << err;
124 return 0;
125 }
126 return res;
127 }
128
129 void ExpectAllow(const struct arch_seccomp_data& data) const {
130 EXPECT_EQ(SECCOMP_RET_ALLOW, Emulate(data));
131 }
132
133 void ExpectErrno(uint16_t err, const struct arch_seccomp_data& data) const {
134 EXPECT_EQ(SECCOMP_RET_ERRNO | err, Emulate(data));
135 }
136
137 private:
138 CodeGen::Program program_;
139 FakeTrapRegistry traps_;
140
141 DISALLOW_COPY_AND_ASSIGN(PolicyEmulator);
142 };
143
144 class BasicPolicy : public Policy {
145 public:
146 BasicPolicy() {}
147 ~BasicPolicy() override {}
148 ResultExpr EvaluateSyscall(int sysno) const override {
149 if (sysno == __NR_getpgid) {
150 const Arg<pid_t> pid(0);
151 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
152 }
153 if (sysno == __NR_setuid) {
154 const Arg<uid_t> uid(0);
155 return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
156 }
157 return Allow();
158 }
159
160 private:
161 DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
162 };
163
164 TEST(BPFDSL, Basic) {
165 BasicPolicy policy;
166 PolicyEmulator emulator(&policy);
167
168 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_getpgid, 0));
169 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_getpgid, 1));
170
171 emulator.ExpectErrno(ENOMEM, FakeSyscall(__NR_setuid, 42));
172 emulator.ExpectErrno(ESRCH, FakeSyscall(__NR_setuid, 43));
173 }
174
175 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
176 #if !defined(ARCH_CPU_X86)
177 class BooleanLogicPolicy : public Policy {
178 public:
179 BooleanLogicPolicy() {}
180 ~BooleanLogicPolicy() override {}
181 ResultExpr EvaluateSyscall(int sysno) const override {
182 if (sysno == __NR_socketpair) {
183 const Arg<int> domain(0), type(1), protocol(2);
184 return If(domain == AF_UNIX &&
185 (type == SOCK_STREAM || type == SOCK_DGRAM) &&
186 protocol == 0,
187 Error(EPERM)).Else(Error(EINVAL));
188 }
189 return Allow();
190 }
191
192 private:
193 DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
194 };
195
196 TEST(BPFDSL, BooleanLogic) {
197 BooleanLogicPolicy policy;
198 PolicyEmulator emulator(&policy);
199
200 const intptr_t kFakeSV = 0x12345;
201
202 // Acceptable combinations that should return EPERM.
203 emulator.ExpectErrno(
204 EPERM, FakeSyscall(__NR_socketpair, AF_UNIX, SOCK_STREAM, 0, kFakeSV));
205 emulator.ExpectErrno(
206 EPERM, FakeSyscall(__NR_socketpair, AF_UNIX, SOCK_DGRAM, 0, kFakeSV));
207
208 // Combinations that are invalid for only one reason; should return EINVAL.
209 emulator.ExpectErrno(
210 EINVAL, FakeSyscall(__NR_socketpair, AF_INET, SOCK_STREAM, 0, kFakeSV));
211 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_socketpair, AF_UNIX,
212 SOCK_SEQPACKET, 0, kFakeSV));
213 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_socketpair, AF_UNIX,
214 SOCK_STREAM, IPPROTO_TCP, kFakeSV));
215
216 // Completely unacceptable combination; should also return EINVAL.
217 emulator.ExpectErrno(
218 EINVAL, FakeSyscall(__NR_socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP,
219 kFakeSV));
220 }
221 #endif // !ARCH_CPU_X86
222
223 class MoreBooleanLogicPolicy : public Policy {
224 public:
225 MoreBooleanLogicPolicy() {}
226 ~MoreBooleanLogicPolicy() override {}
227 ResultExpr EvaluateSyscall(int sysno) const override {
228 if (sysno == __NR_setresuid) {
229 const Arg<uid_t> ruid(0), euid(1), suid(2);
230 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
231 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
232 .Else(Error(EINVAL));
233 }
234 return Allow();
235 }
236
237 private:
238 DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
239 };
240
241 TEST(BPFDSL, MoreBooleanLogic) {
242 MoreBooleanLogicPolicy policy;
243 PolicyEmulator emulator(&policy);
244
245 // Expect EPERM if any set to 0.
246 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_setresuid, 0, 5, 5));
247 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_setresuid, 5, 0, 5));
248 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_setresuid, 5, 5, 0));
249
250 // Expect EAGAIN if all set to 1.
251 emulator.ExpectErrno(EAGAIN, FakeSyscall(__NR_setresuid, 1, 1, 1));
252
253 // Expect EINVAL for anything else.
254 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 5, 1, 1));
255 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 1, 5, 1));
256 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 1, 1, 5));
257 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setresuid, 3, 4, 5));
258 }
259
260 static const uintptr_t kDeadBeefAddr =
261 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
262
263 class ArgSizePolicy : public Policy {
264 public:
265 ArgSizePolicy() {}
266 ~ArgSizePolicy() override {}
267 ResultExpr EvaluateSyscall(int sysno) const override {
268 if (sysno == __NR_uname) {
269 const Arg<uintptr_t> addr(0);
270 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
271 }
272 return Allow();
273 }
274
275 private:
276 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
277 };
278
279 TEST(BPFDSL, ArgSizeTest) {
280 ArgSizePolicy policy;
281 PolicyEmulator emulator(&policy);
282
283 emulator.ExpectAllow(FakeSyscall(__NR_uname, 0));
284 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_uname, kDeadBeefAddr));
285 }
286
287 class NegativeConstantsPolicy : public Policy {
288 public:
289 NegativeConstantsPolicy() {}
290 ~NegativeConstantsPolicy() override {}
291 ResultExpr EvaluateSyscall(int sysno) const override {
292 if (sysno == __NR_fcntl) {
293 const Arg<int> fd(0);
294 return If(fd == -314, Error(EPERM)).Else(Allow());
295 }
296 return Allow();
297 }
298
299 private:
300 DISALLOW_COPY_AND_ASSIGN(NegativeConstantsPolicy);
301 };
302
303 TEST(BPFDSL, NegativeConstantsTest) {
304 NegativeConstantsPolicy policy;
305 PolicyEmulator emulator(&policy);
306
307 emulator.ExpectAllow(FakeSyscall(__NR_fcntl, -5, F_DUPFD));
308 emulator.ExpectAllow(FakeSyscall(__NR_fcntl, 20, F_DUPFD));
309 emulator.ExpectErrno(EPERM, FakeSyscall(__NR_fcntl, -314, F_DUPFD));
310 }
311
312 #if 0
313 // TODO(mdempsky): This is really an integration test.
314
315 class TrappingPolicy : public Policy {
316 public:
317 TrappingPolicy() {}
318 ~TrappingPolicy() override {}
319 ResultExpr EvaluateSyscall(int sysno) const override {
320 if (sysno == __NR_uname) {
321 return Trap(UnameTrap, &count_);
322 }
323 return Allow();
324 }
325
326 private:
327 static intptr_t count_;
328
329 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
330 BPF_ASSERT_EQ(&count_, aux);
331 return ++count_;
332 }
333
334 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
335 };
336
337 intptr_t TrappingPolicy::count_;
338
339 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
340 ASSERT_SYSCALL_RESULT(1, uname, NULL);
341 ASSERT_SYSCALL_RESULT(2, uname, NULL);
342 ASSERT_SYSCALL_RESULT(3, uname, NULL);
343 }
344 #endif
345
346 class MaskingPolicy : public Policy {
347 public:
348 MaskingPolicy() {}
349 ~MaskingPolicy() override {}
350 ResultExpr EvaluateSyscall(int sysno) const override {
351 if (sysno == __NR_setuid) {
352 const Arg<uid_t> uid(0);
353 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
354 }
355 if (sysno == __NR_setgid) {
356 const Arg<gid_t> gid(0);
357 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
358 }
359 if (sysno == __NR_setpgid) {
360 const Arg<pid_t> pid(0);
361 return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES));
362 }
363 return Allow();
364 }
365
366 private:
367 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
368 };
369
370 TEST(BPFDSL, MaskTest) {
371 MaskingPolicy policy;
372 PolicyEmulator emulator(&policy);
373
374 for (uid_t uid = 0; uid < 0x100; ++uid) {
375 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
376 emulator.ExpectErrno(expect_errno, FakeSyscall(__NR_setuid, uid));
377 }
378
379 for (gid_t gid = 0; gid < 0x100; ++gid) {
380 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
381 emulator.ExpectErrno(expect_errno, FakeSyscall(__NR_setgid, gid));
382 }
383
384 for (pid_t pid = 0; pid < 0x100; ++pid) {
385 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
386 emulator.ExpectErrno(expect_errno, FakeSyscall(__NR_setpgid, pid, 0));
387 }
388 }
389
390 class ElseIfPolicy : public Policy {
391 public:
392 ElseIfPolicy() {}
393 ~ElseIfPolicy() override {}
394 ResultExpr EvaluateSyscall(int sysno) const override {
395 if (sysno == __NR_setuid) {
396 const Arg<uid_t> uid(0);
397 return If((uid & 0xfff) == 0, Error(0))
398 .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
399 .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
400 .Else(Error(EACCES));
401 }
402 return Allow();
403 }
404
405 private:
406 DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
407 };
408
409 TEST(BPFDSL, ElseIfTest) {
410 ElseIfPolicy policy;
411 PolicyEmulator emulator(&policy);
412
413 emulator.ExpectErrno(0, FakeSyscall(__NR_setuid, 0));
414
415 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setuid, 0x0001));
416 emulator.ExpectErrno(EINVAL, FakeSyscall(__NR_setuid, 0x0002));
417
418 emulator.ExpectErrno(EEXIST, FakeSyscall(__NR_setuid, 0x0011));
419 emulator.ExpectErrno(EEXIST, FakeSyscall(__NR_setuid, 0x0022));
420
421 emulator.ExpectErrno(EACCES, FakeSyscall(__NR_setuid, 0x0111));
422 emulator.ExpectErrno(EACCES, FakeSyscall(__NR_setuid, 0x0222));
423 }
424
425 class SwitchPolicy : public Policy {
426 public:
427 SwitchPolicy() {}
428 ~SwitchPolicy() override {}
429 ResultExpr EvaluateSyscall(int sysno) const override {
430 if (sysno == __NR_fcntl) {
431 const Arg<int> cmd(1);
432 const Arg<unsigned long> long_arg(2);
433 return Switch(cmd)
434 .CASES((F_GETFL, F_GETFD), Error(ENOENT))
435 .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
436 .Case(F_SETFL, Error(EPERM))
437 .Default(Error(EACCES));
438 }
439 return Allow();
440 }
441
442 private:
443 DISALLOW_COPY_AND_ASSIGN(SwitchPolicy);
444 };
445
446 TEST(BPFDSL, SwitchTest) {
447 SwitchPolicy policy;
448 PolicyEmulator emulator(&policy);
449
450 const int kFakeSockFD = 42;
451
452 emulator.ExpectErrno(ENOENT, FakeSyscall(__NR_fcntl, kFakeSockFD, F_GETFD));
453 emulator.ExpectErrno(ENOENT, FakeSyscall(__NR_fcntl, kFakeSockFD, F_GETFL));
454
455 emulator.ExpectAllow(
456 FakeSyscall(__NR_fcntl, kFakeSockFD, F_SETFD, O_CLOEXEC));
457 emulator.ExpectErrno(EINVAL,
458 FakeSyscall(__NR_fcntl, kFakeSockFD, F_SETFD, 0));
459
460 emulator.ExpectErrno(EPERM,
461 FakeSyscall(__NR_fcntl, kFakeSockFD, F_SETFL, O_RDONLY));
462
463 emulator.ExpectErrno(EACCES,
464 FakeSyscall(__NR_fcntl, kFakeSockFD, F_DUPFD, 0));
465 }
466
467 static intptr_t DummyTrap(const struct arch_seccomp_data& data, void* aux) {
468 return 0;
469 }
470
471 TEST(BPFDSL, IsAllowDeny) {
472 ResultExpr allow = Allow();
473 EXPECT_TRUE(allow->IsAllow());
474 EXPECT_FALSE(allow->IsDeny());
475
476 ResultExpr error = Error(ENOENT);
477 EXPECT_FALSE(error->IsAllow());
478 EXPECT_TRUE(error->IsDeny());
479
480 ResultExpr trace = Trace(42);
481 EXPECT_FALSE(trace->IsAllow());
482 EXPECT_FALSE(trace->IsDeny());
483
484 ResultExpr trap = Trap(DummyTrap, nullptr);
485 EXPECT_FALSE(trap->IsAllow());
486 EXPECT_TRUE(trap->IsDeny());
487
488 const Arg<int> arg(0);
489 ResultExpr maybe = If(arg == 0, Allow()).Else(Error(EPERM));
490 EXPECT_FALSE(maybe->IsAllow());
491 EXPECT_FALSE(maybe->IsDeny());
492 }
493
494 TEST(BPFDSL, HasUnsafeTraps) {
495 ResultExpr allow = Allow();
496 EXPECT_FALSE(allow->HasUnsafeTraps());
497
498 ResultExpr safe = Trap(DummyTrap, nullptr);
499 EXPECT_FALSE(safe->HasUnsafeTraps());
500
501 ResultExpr unsafe = UnsafeTrap(DummyTrap, nullptr);
502 EXPECT_TRUE(unsafe->HasUnsafeTraps());
503
504 const Arg<int> arg(0);
505 ResultExpr maybe = If(arg == 0, allow).Else(unsafe);
506 EXPECT_TRUE(maybe->HasUnsafeTraps());
507 }
508
509 } // namespace
510 } // namespace bpf_dsl
511 } // namespace sandbox