search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ozone: evdev: Sync caps lock LED state to evdev
[chromium-blink-merge.git] / sandbox / linux / bpf_dsl / bpf_dsl_unittest.cc
blobcffadc5035e05fd42275cecfbf0384ffe1221235
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <netinet/in.h>
10 #include <sys/socket.h>
11 #include <sys/syscall.h>
12 #include <sys/utsname.h>
13 #include <unistd.h>
14
15 #include "base/files/scoped_file.h"
16 #include "base/macros.h"
17 #include "build/build_config.h"
18 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
19 #include "sandbox/linux/bpf_dsl/policy.h"
20 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
21 #include "sandbox/linux/seccomp-bpf/errorcode.h"
22 #include "sandbox/linux/seccomp-bpf/syscall.h"
23 #include "testing/gtest/include/gtest/gtest.h"
24
25 #define CASES SANDBOX_BPF_DSL_CASES
26
27 // Helper macro to assert that invoking system call |sys| directly via
28 // Syscall::Call with arguments |...| returns |res|.
29 // Errors can be asserted by specifying a value like "-EINVAL".
30 #define ASSERT_SYSCALL_RESULT(res, sys, ...) \
31 BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__))
32
33 namespace sandbox {
34 namespace bpf_dsl {
35 namespace {
36
37 // Type safe stubs for tested system calls.
38 class Stubs {
39 public:
40 static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); }
41 static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); }
42 static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); }
43 static int setpgid(pid_t pid, pid_t pgid) {
44 return Syscall::Call(__NR_setpgid, pid, pgid);
45 }
46
47 static int fcntl(int fd, int cmd, unsigned long arg = 0) {
48 return Syscall::Call(__NR_fcntl, fd, cmd, arg);
49 }
50
51 static int uname(struct utsname* buf) {
52 return Syscall::Call(__NR_uname, buf);
53 }
54
55 static int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
56 return Syscall::Call(__NR_setresuid, ruid, euid, suid);
57 }
58
59 #if !defined(ARCH_CPU_X86)
60 static int socketpair(int domain, int type, int protocol, int sv[2]) {
61 return Syscall::Call(__NR_socketpair, domain, type, protocol, sv);
62 }
63 #endif
64 };
65
66 class BasicPolicy : public Policy {
67 public:
68 BasicPolicy() {}
69 ~BasicPolicy() override {}
70 ResultExpr EvaluateSyscall(int sysno) const override {
71 if (sysno == __NR_getpgid) {
72 const Arg<pid_t> pid(0);
73 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
74 }
75 if (sysno == __NR_setuid) {
76 const Arg<uid_t> uid(0);
77 return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM));
78 }
79 return Allow();
80 }
81
82 private:
83 DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
84 };
85
86 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
87 ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0);
88 ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1);
89
90 ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42);
91 ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43);
92 }
93
94 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
95 #if !defined(ARCH_CPU_X86)
96 class BooleanLogicPolicy : public Policy {
97 public:
98 BooleanLogicPolicy() {}
99 ~BooleanLogicPolicy() override {}
100 ResultExpr EvaluateSyscall(int sysno) const override {
101 if (sysno == __NR_socketpair) {
102 const Arg<int> domain(0), type(1), protocol(2);
103 return If(domain == AF_UNIX &&
104 (type == SOCK_STREAM || type == SOCK_DGRAM) &&
105 protocol == 0,
106 Error(EPERM)).Else(Error(EINVAL));
107 }
108 return Allow();
109 }
110
111 private:
112 DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
113 };
114
115 BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) {
116 int sv[2];
117
118 // Acceptable combinations that should return EPERM.
119 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv);
120 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv);
121
122 // Combinations that are invalid for only one reason; should return EINVAL.
123 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv);
124 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv);
125 ASSERT_SYSCALL_RESULT(
126 -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv);
127
128 // Completely unacceptable combination; should also return EINVAL.
129 ASSERT_SYSCALL_RESULT(
130 -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv);
131 }
132 #endif // !ARCH_CPU_X86
133
134 class MoreBooleanLogicPolicy : public Policy {
135 public:
136 MoreBooleanLogicPolicy() {}
137 ~MoreBooleanLogicPolicy() override {}
138 ResultExpr EvaluateSyscall(int sysno) const override {
139 if (sysno == __NR_setresuid) {
140 const Arg<uid_t> ruid(0), euid(1), suid(2);
141 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
142 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
143 .Else(Error(EINVAL));
144 }
145 return Allow();
146 }
147
148 private:
149 DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
150 };
151
152 BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) {
153 // Expect EPERM if any set to 0.
154 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5);
155 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5);
156 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0);
157
158 // Expect EAGAIN if all set to 1.
159 ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1);
160
161 // Expect EINVAL for anything else.
162 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1);
163 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1);
164 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5);
165 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5);
166 }
167
168 static const uintptr_t kDeadBeefAddr =
169 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
170
171 class ArgSizePolicy : public Policy {
172 public:
173 ArgSizePolicy() {}
174 ~ArgSizePolicy() override {}
175 ResultExpr EvaluateSyscall(int sysno) const override {
176 if (sysno == __NR_uname) {
177 const Arg<uintptr_t> addr(0);
178 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
179 }
180 return Allow();
181 }
182
183 private:
184 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
185 };
186
187 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) {
188 struct utsname buf;
189 ASSERT_SYSCALL_RESULT(0, uname, &buf);
190 ASSERT_SYSCALL_RESULT(
191 -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
192 }
193
194 class TrappingPolicy : public Policy {
195 public:
196 TrappingPolicy() {}
197 ~TrappingPolicy() override {}
198 ResultExpr EvaluateSyscall(int sysno) const override {
199 if (sysno == __NR_uname) {
200 return Trap(UnameTrap, &count_);
201 }
202 return Allow();
203 }
204
205 private:
206 static intptr_t count_;
207
208 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
209 BPF_ASSERT_EQ(&count_, aux);
210 return ++count_;
211 }
212
213 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
214 };
215
216 intptr_t TrappingPolicy::count_;
217
218 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
219 ASSERT_SYSCALL_RESULT(1, uname, NULL);
220 ASSERT_SYSCALL_RESULT(2, uname, NULL);
221 ASSERT_SYSCALL_RESULT(3, uname, NULL);
222 }
223
224 class MaskingPolicy : public Policy {
225 public:
226 MaskingPolicy() {}
227 ~MaskingPolicy() override {}
228 ResultExpr EvaluateSyscall(int sysno) const override {
229 if (sysno == __NR_setuid) {
230 const Arg<uid_t> uid(0);
231 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
232 }
233 if (sysno == __NR_setgid) {
234 const Arg<gid_t> gid(0);
235 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
236 }
237 if (sysno == __NR_setpgid) {
238 const Arg<pid_t> pid(0);
239 return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES));
240 }
241 return Allow();
242 }
243
244 private:
245 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
246 };
247
248 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) {
249 for (uid_t uid = 0; uid < 0x100; ++uid) {
250 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
251 ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid);
252 }
253
254 for (gid_t gid = 0; gid < 0x100; ++gid) {
255 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
256 ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid);
257 }
258
259 for (pid_t pid = 0; pid < 0x100; ++pid) {
260 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES;
261 ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0);
262 }
263 }
264
265 class ElseIfPolicy : public Policy {
266 public:
267 ElseIfPolicy() {}
268 ~ElseIfPolicy() override {}
269 ResultExpr EvaluateSyscall(int sysno) const override {
270 if (sysno == __NR_setuid) {
271 const Arg<uid_t> uid(0);
272 return If((uid & 0xfff) == 0, Error(0))
273 .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
274 .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
275 .Else(Error(EACCES));
276 }
277 return Allow();
278 }
279
280 private:
281 DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
282 };
283
284 BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) {
285 ASSERT_SYSCALL_RESULT(0, setuid, 0);
286
287 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001);
288 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002);
289
290 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011);
291 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022);
292
293 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111);
294 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
295 }
296
297 class SwitchPolicy : public Policy {
298 public:
299 SwitchPolicy() {}
300 ~SwitchPolicy() override {}
301 ResultExpr EvaluateSyscall(int sysno) const override {
302 if (sysno == __NR_fcntl) {
303 const Arg<int> cmd(1);
304 const Arg<unsigned long> long_arg(2);
305 return Switch(cmd)
306 .CASES((F_GETFL, F_GETFD), Error(ENOENT))
307 .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL)))
308 .Case(F_SETFL, Error(EPERM))
309 .Default(Error(EACCES));
310 }
311 return Allow();
312 }
313
314 private:
315 DISALLOW_COPY_AND_ASSIGN(SwitchPolicy);
316 };
317
318 BPF_TEST_C(BPFDSL, SwitchTest, SwitchPolicy) {
319 base::ScopedFD sock_fd(socket(AF_UNIX, SOCK_STREAM, 0));
320 BPF_ASSERT(sock_fd.is_valid());
321
322 ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFD);
323 ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFL);
324
325 ASSERT_SYSCALL_RESULT(0, fcntl, sock_fd.get(), F_SETFD, O_CLOEXEC);
326 ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0);
327
328 ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY);
329
330 ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0);
331 }
332
333 static intptr_t DummyTrap(const struct arch_seccomp_data& data, void* aux) {
334 return 0;
335 }
336
337 TEST(BPFDSL, IsAllowDeny) {
338 ResultExpr allow = Allow();
339 EXPECT_TRUE(allow->IsAllow());
340 EXPECT_FALSE(allow->IsDeny());
341
342 ResultExpr error = Error(ENOENT);
343 EXPECT_FALSE(error->IsAllow());
344 EXPECT_TRUE(error->IsDeny());
345
346 ResultExpr trace = Trace(42);
347 EXPECT_FALSE(trace->IsAllow());
348 EXPECT_FALSE(trace->IsDeny());
349
350 ResultExpr trap = Trap(DummyTrap, nullptr);
351 EXPECT_FALSE(trap->IsAllow());
352 EXPECT_TRUE(trap->IsDeny());
353
354 const Arg<int> arg(0);
355 ResultExpr maybe = If(arg == 0, Allow()).Else(Error(EPERM));
356 EXPECT_FALSE(maybe->IsAllow());
357 EXPECT_FALSE(maybe->IsDeny());
358 }
359
360 TEST(BPFDSL, HasUnsafeTraps) {
361 ResultExpr allow = Allow();
362 EXPECT_FALSE(allow->HasUnsafeTraps());
363
364 ResultExpr safe = Trap(DummyTrap, nullptr);
365 EXPECT_FALSE(safe->HasUnsafeTraps());
366
367 ResultExpr unsafe = UnsafeTrap(DummyTrap, nullptr);
368 EXPECT_TRUE(unsafe->HasUnsafeTraps());
369
370 const Arg<int> arg(0);
371 ResultExpr maybe = If(arg == 0, allow).Else(unsafe);
372 EXPECT_TRUE(maybe->HasUnsafeTraps());
373 }
374
375 } // namespace
376 } // namespace bpf_dsl
377 } // namespace sandbox