diff options
| author | jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-17 02:16:28 +0000 |
|---|---|---|
| committer | jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-17 02:16:28 +0000 |
| commit | 7682ae89e7fdc656b8c5499ceada4823d29f5f5a (patch) | |
| tree | d220953c64873a304f37d385b24bc8a9a9d313a5 | |
| parent | f918ba5c07ebdee7a9b3cfa3f30c13f8bb88dce8 (diff) | |
| download | chromium_src-7682ae89e7fdc656b8c5499ceada4823d29f5f5a.zip chromium_src-7682ae89e7fdc656b8c5499ceada4823d29f5f5a.tar.gz chromium_src-7682ae89e7fdc656b8c5499ceada4823d29f5f5a.tar.bz2 | |
Revert of Add seccomp sandbox for non-SFI NaCl (https://codereview.chromium.org/196793023/)
Reason for revert:
Broke ASAN on main WF.
/b/build/slave/Linux_ASan_LSan_Builder/build/src/third_party/binutils/Linux_x64/Release/bin/ld: error: obj/base/libsanitizer_options.a(obj/base/debug/sanitizer_options.sanitizer_options.o): multiple definition of '__asan_default_options'
/b/build/slave/Linux_ASan_LSan_Builder/build/src/third_party/binutils/Linux_x64/Release/bin/ld: obj/components/nacl/loader/nacl_helper.nacl_helper_linux.o: previous definition here
clang: error: linker command failed with exit code 1 (use -v to see invocation)
ninja: build stopped: subcommand failed.
Original issue's description:
> Add seccomp sandbox for non-SFI NaCl
>
> All syscalls except whitelisted ones will cause SIGSYS.
>
> We test the sandbox with BPF_TEST and BPF_TEST_DEATH, which appropriately fork the process so the main process of the test will never enable the sandbox.
>
> TEST=Our app works with this sandbox on i686 and ARM
> TEST=Build chrome and nacl_helper on i686, x86-64, and ARM
> TEST=./out/Release/components_unittests --gtest_filter='NaClNonSfi*'
> # on i686, x86-64, and ARM
> TEST=SFI NaCl apps still work
> TEST=trybots
> BUG=359285
>
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=264383
TBR=mseaborn@chromium.org,wad@chromium.org,jochen@chromium.org,hamaji@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=359285
Review URL: https://codereview.chromium.org/240613003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264384 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | components/components_tests.gyp | 10 | ||||
| -rw-r--r-- | components/nacl.gyp | 40 | ||||
| -rw-r--r-- | components/nacl/loader/nacl_helper_linux.cc | 3 | ||||
| -rw-r--r-- | components/nacl/loader/nonsfi/DEPS | 1 | ||||
| -rw-r--r-- | components/nacl/loader/nonsfi/nonsfi_sandbox.cc | 315 | ||||
| -rw-r--r-- | components/nacl/loader/nonsfi/nonsfi_sandbox.h | 39 | ||||
| -rw-r--r-- | components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc | 609 | ||||
| -rw-r--r-- | components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc | 461 | ||||
| -rw-r--r-- | sandbox/linux/sandbox_linux.gypi | 16 | ||||
| -rw-r--r-- | sandbox/linux/sandbox_linux_test_sources.gypi | 5 | ||||
| -rw-r--r-- | sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc | 29 | ||||
| -rw-r--r-- | sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h | 7 | ||||
| -rw-r--r-- | sandbox/linux/seccomp-bpf/bpf_tests.h | 6 |
13 files changed, 22 insertions, 1519 deletions
diff --git a/components/components_tests.gyp b/components/components_tests.gyp index d9d3a31..828c9abb 100644 --- a/components/components_tests.gyp +++ b/components/components_tests.gyp @@ -350,16 +350,6 @@ 'nacl.gyp:nacl_common', ], }], - ['disable_nacl==0 and OS=="linux"', { - 'sources': [ - 'nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc', - 'nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc', - ], - 'dependencies': [ - 'nacl.gyp:nacl_loader', - '../sandbox/sandbox.gyp:sandbox_linux_test_utils', - ], - }], ['OS == "mac"', { 'link_settings': { 'libraries': [ diff --git a/components/nacl.gyp b/components/nacl.gyp index fe95adf..ccf9db4 100644 --- a/components/nacl.gyp +++ b/components/nacl.gyp @@ -189,22 +189,15 @@ 'include_dirs': [ '..', ], - 'sources': [ - 'nacl/loader/nacl_helper_linux.cc', - 'nacl/loader/nacl_helper_linux.h', - ], 'dependencies': [ - 'nacl_loader', - ], - 'cflags': ['-fPIE'], - 'link_settings': { - 'ldflags': ['-pie'], - }, - }, { - 'target_name': 'nacl_loader', - 'type': 'static_library', - 'include_dirs': [ - '..', + 'nacl', + 'nacl_common', + 'nacl_switches', + '../components/tracing.gyp:tracing', + '../crypto/crypto.gyp:crypto', + '../sandbox/sandbox.gyp:libc_urandom_override', + '../sandbox/sandbox.gyp:sandbox', + '../ppapi/ppapi_internal.gyp:ppapi_proxy', ], 'ldflags!': [ # Do not pick the default ASan options from @@ -219,6 +212,8 @@ 'IN_NACL_HELPER=1', ], 'sources': [ + 'nacl/loader/nacl_helper_linux.cc', + 'nacl/loader/nacl_helper_linux.h', 'nacl/loader/nacl_sandbox_linux.cc', 'nacl/loader/nonsfi/abi_conversion.cc', 'nacl/loader/nonsfi/abi_conversion.h', @@ -237,8 +232,6 @@ 'nacl/loader/nonsfi/irt_util.h', 'nacl/loader/nonsfi/nonsfi_main.cc', 'nacl/loader/nonsfi/nonsfi_main.h', - 'nacl/loader/nonsfi/nonsfi_sandbox.cc', - 'nacl/loader/nonsfi/nonsfi_sandbox.h', '../ppapi/nacl_irt/plugin_main.cc', '../ppapi/nacl_irt/plugin_main.h', '../ppapi/nacl_irt/plugin_startup.cc', @@ -246,16 +239,6 @@ '../ppapi/nacl_irt/ppapi_dispatcher.cc', '../ppapi/nacl_irt/ppapi_dispatcher.h', ], - 'dependencies': [ - 'nacl', - 'nacl_common', - 'nacl_switches', - '../components/tracing.gyp:tracing', - '../crypto/crypto.gyp:crypto', - '../sandbox/sandbox.gyp:libc_urandom_override', - '../sandbox/sandbox.gyp:sandbox', - '../ppapi/ppapi_internal.gyp:ppapi_proxy', - ], 'conditions': [ ['toolkit_uses_gtk == 1', { 'dependencies': [ @@ -287,6 +270,9 @@ }], ], 'cflags': ['-fPIE'], + 'link_settings': { + 'ldflags': ['-pie'], + }, }, ], }], diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc index 1026feb..b03c885 100644 --- a/components/nacl/loader/nacl_helper_linux.cc +++ b/components/nacl/loader/nacl_helper_linux.cc @@ -32,7 +32,6 @@ #include "components/nacl/common/nacl_switches.h" #include "components/nacl/loader/nacl_listener.h" #include "components/nacl/loader/nacl_sandbox_linux.h" -#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" #include "content/public/common/zygote_fork_delegate_linux.h" #include "crypto/nss_util.h" #include "ipc/ipc_descriptors.h" @@ -93,7 +92,7 @@ void InitializeLayerTwoSandbox(bool uses_nonsfi_mode) { else LOG(FATAL) << "SUID sandbox is mandatory for non-SFI NaCl"; } - const bool bpf_sandbox_initialized = nacl::nonsfi::InitializeBPFSandbox(); + const bool bpf_sandbox_initialized = InitializeBPFSandbox(); if (!bpf_sandbox_initialized) { if (can_be_no_sandbox) { LOG(ERROR) diff --git a/components/nacl/loader/nonsfi/DEPS b/components/nacl/loader/nonsfi/DEPS index 18f97f5..fa6de5d 100644 --- a/components/nacl/loader/nonsfi/DEPS +++ b/components/nacl/loader/nonsfi/DEPS @@ -1,4 +1,3 @@ include_rules = [ "+ppapi/nacl_irt", - "+sandbox/linux/seccomp-bpf-helpers", ] diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc deleted file mode 100644 index a58ba84..0000000 --- a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc +++ /dev/null @@ -1,315 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" - -#include <errno.h> -#include <fcntl.h> -#include <linux/net.h> -#include <sys/prctl.h> -#include <sys/ptrace.h> -#include <sys/mman.h> -#include <sys/socket.h> -#include <sys/syscall.h> - -#include "base/basictypes.h" -#include "base/logging.h" -#include "build/build_config.h" -#include "content/public/common/sandbox_init.h" -#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" -#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" -#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" -#include "sandbox/linux/seccomp-bpf/trap.h" -#include "sandbox/linux/services/linux_syscalls.h" - -#if defined(__arm__) && !defined(MAP_STACK) -// Chrome OS Daisy (ARM) build environment has old headers. -#define MAP_STACK 0x20000 -#endif - -using sandbox::ErrorCode; -using sandbox::SandboxBPF; - -namespace nacl { -namespace nonsfi { -namespace { - -ErrorCode RestrictFcntlCommands(SandboxBPF* sb) { - ErrorCode::ArgType mask_long_type; - if (sizeof(long) == 8) { - mask_long_type = ErrorCode::TP_64BIT; - } else if (sizeof(long) == 4) { - mask_long_type = ErrorCode::TP_32BIT; - } else { - NOTREACHED(); - } - // We allow following cases: - // 1. F_SETFD + FD_CLOEXEC: libevent's epoll_init uses this. - // 2. F_GETFL: Used by SetNonBlocking in - // message_pump_libevent.cc and Channel::ChannelImpl::CreatePipe - // in ipc_channel_posix.cc. Note that the latter does not work - // with EPERM. - // 3. F_SETFL: Used by evutil_make_socket_nonblocking in - // libevent and SetNonBlocking. As the latter mix O_NONBLOCK to - // the return value of F_GETFL, so we need to allow O_ACCMODE in - // addition to O_NONBLOCK. - const unsigned long denied_mask = ~(O_ACCMODE | O_NONBLOCK); - return sb->Cond(1, ErrorCode::TP_32BIT, - ErrorCode::OP_EQUAL, F_SETFD, - sb->Cond(2, mask_long_type, - ErrorCode::OP_EQUAL, FD_CLOEXEC, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)), - sb->Cond(1, ErrorCode::TP_32BIT, - ErrorCode::OP_EQUAL, F_GETFL, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Cond(1, ErrorCode::TP_32BIT, - ErrorCode::OP_EQUAL, F_SETFL, - sb->Cond(2, mask_long_type, - ErrorCode::OP_HAS_ANY_BITS, denied_mask, - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), - ErrorCode(ErrorCode::ERR_ALLOWED)), - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))); -} - -ErrorCode RestrictClone(SandboxBPF* sb) { - // We allow clone only for new thread creation. - return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, - CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | - CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | - CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Trap(sandbox::SIGSYSCloneFailure, NULL)); -} - -ErrorCode RestrictPrctl(SandboxBPF* sb) { - // base::PlatformThread::SetName() uses PR_SET_NAME so we return - // EPERM for it. Otherwise, we will raise SIGSYS. - return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, - PR_SET_NAME, ErrorCode(EPERM), - sb->Trap(sandbox::SIGSYSPrctlFailure, NULL)); -} - -#if defined(__i386__) -ErrorCode RestrictSocketcall(SandboxBPF* sb) { - // We only allow socketpair, sendmsg, and recvmsg. - return sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, - SYS_SOCKETPAIR, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, - SYS_SENDMSG, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, - SYS_RECVMSG, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, - SYS_SHUTDOWN, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL))))); -} -#endif - -ErrorCode RestrictMemoryProtection(SandboxBPF* sb, int argno) { - // TODO(jln, keescook, drewry): Limit the use of mmap/mprotect by - // adding some features to linux kernel. - const uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC); - return sb->Cond(argno, ErrorCode::TP_32BIT, - ErrorCode::OP_HAS_ANY_BITS, - denied_mask, - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), - ErrorCode(ErrorCode::ERR_ALLOWED)); -} - -ErrorCode RestrictMmap(SandboxBPF* sb) { - const uint32_t denied_flag_mask = ~(MAP_SHARED | MAP_PRIVATE | - MAP_ANONYMOUS | MAP_STACK | MAP_FIXED); - // TODO(hamaji): Disallow RWX mmap. - return sb->Cond(3, ErrorCode::TP_32BIT, - ErrorCode::OP_HAS_ANY_BITS, - denied_flag_mask, - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL), - RestrictMemoryProtection(sb, 2)); -} - -ErrorCode RestrictSocketpair(SandboxBPF* sb) { - // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. - COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); - return sb->Cond(0, ErrorCode::TP_32BIT, - ErrorCode::OP_EQUAL, AF_UNIX, - ErrorCode(ErrorCode::ERR_ALLOWED), - sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)); -} - -bool IsGracefullyDenied(int sysno) { - switch (sysno) { - // third_party/libevent uses them, but we can just return -1 from - // them as it is just checking getuid() != geteuid() and - // getgid() != getegid() -#if defined(__i386__) || defined(__arm__) - case __NR_getegid32: - case __NR_geteuid32: - case __NR_getgid32: - case __NR_getuid32: -#elif defined(__x86_64__) - case __NR_getegid: - case __NR_geteuid: - case __NR_getgid: - case __NR_getuid: -#endif - // tcmalloc calls madvise in TCMalloc_SystemRelease. - case __NR_madvise: - // EPERM instead of SIGSYS as glibc tries to open files in /proc. - // TODO(hamaji): Remove this when we switch to newlib. - case __NR_open: - // For RunSandboxSanityChecks(). - case __NR_ptrace: - // glibc uses this for its pthread implementation. If we return - // EPERM for this, glibc will stop using this. - // TODO(hamaji): newlib does not use this. Make this SIGTRAP once - // we have switched to newlib. - case __NR_set_robust_list: - // This is obsolete in ARM EABI, but x86 glibc indirectly calls - // this in sysconf. -#if defined(__i386__) || defined(__x86_64__) - case __NR_time: -#endif - return true; - - default: - return false; - } -} - -void RunSandboxSanityChecks() { - errno = 0; - // Make a ptrace request with an invalid PID. - long ptrace_ret = ptrace(PTRACE_PEEKUSER, -1 /* pid */, NULL, NULL); - CHECK_EQ(-1, ptrace_ret); - // Without the sandbox on, this ptrace call would ESRCH instead. - CHECK_EQ(EPERM, errno); -} - -} // namespace - -ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscall( - SandboxBPF* sb, int sysno) const { - return EvaluateSyscallImpl(sb, sysno, NULL); -} - -ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl( - SandboxBPF* sb, int sysno, void*) { - switch (sysno) { - // Allowed syscalls. -#if defined(__i386__) || defined(__arm__) - case __NR__llseek: -#elif defined(__x86_64__) - case __NR_lseek: -#endif - // NaCl runtime exposes clock_gettime and clock_getres to untrusted code. - case __NR_clock_getres: - case __NR_clock_gettime: - case __NR_close: - case __NR_dup: - case __NR_dup2: - case __NR_epoll_create: - case __NR_epoll_ctl: - case __NR_epoll_wait: - case __NR_exit: - case __NR_exit_group: -#if defined(__i386__) || defined(__arm__) - case __NR_fstat64: -#elif defined(__x86_64__) - case __NR_fstat: -#endif - // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG. - case __NR_futex: - // TODO(hamaji): Remove the need of gettid. Currently, this is - // called from PlatformThread::CurrentId(). - case __NR_gettid: - case __NR_gettimeofday: - case __NR_munmap: - case __NR_nanosleep: - // TODO(hamaji): Remove the need of pipe. Currently, this is - // called from base::MessagePumpLibevent::Init(). - case __NR_pipe: - case __NR_pread64: - case __NR_pwrite64: - case __NR_read: - case __NR_restart_syscall: - case __NR_sched_yield: - // __NR_times needed as clock() is called by CommandBufferHelper, which is - // used by NaCl applications that use Pepper's 3D interfaces. - // See crbug.com/264856 for details. - case __NR_times: - case __NR_write: -#if defined(__arm__) - case __ARM_NR_cacheflush: -#endif - return ErrorCode(ErrorCode::ERR_ALLOWED); - - case __NR_clone: - return RestrictClone(sb); - -#if defined(__x86_64__) - case __NR_fcntl: -#endif -#if defined(__i386__) || defined(__arm__) - case __NR_fcntl64: -#endif - return RestrictFcntlCommands(sb); - -#if defined(__x86_64__) - case __NR_mmap: -#endif -#if defined(__i386__) || defined(__arm__) - case __NR_mmap2: -#endif - return RestrictMmap(sb); - case __NR_mprotect: - return RestrictMemoryProtection(sb, 2); - - case __NR_prctl: - return RestrictPrctl(sb); - -#if defined(__i386__) - case __NR_socketcall: - return RestrictSocketcall(sb); -#endif -#if defined(__x86_64__) || defined(__arm__) - case __NR_recvmsg: - case __NR_sendmsg: - case __NR_shutdown: - return ErrorCode(ErrorCode::ERR_ALLOWED); - case __NR_socketpair: - return RestrictSocketpair(sb); -#endif - - case __NR_brk: - // The behavior of brk on Linux is different from other system - // calls. It does not return errno but the current break on - // failure. glibc thinks brk failed if the return value of brk - // is less than the requested address (i.e., brk(addr) < addr). - // So, glibc thinks brk succeeded if we return -EPERM and we - // need to return zero instead. - return ErrorCode(0); - - default: - if (IsGracefullyDenied(sysno)) - return ErrorCode(EPERM); - return sb->Trap(sandbox::CrashSIGSYS_Handler, NULL); - } -} - -bool InitializeBPFSandbox() { - bool sandbox_is_initialized = content::InitializeSandbox( - scoped_ptr<sandbox::SandboxBPFPolicy>( - new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy())); - if (!sandbox_is_initialized) - return false; - RunSandboxSanityChecks(); - return true; -} - -} // namespace nonsfi -} // namespace nacl diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.h b/components/nacl/loader/nonsfi/nonsfi_sandbox.h deleted file mode 100644 index 28e9cff..0000000 --- a/components/nacl/loader/nonsfi/nonsfi_sandbox.h +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef COMPONENTS_NACL_LOADER_NONSFI_NONSFI_SANDBOX_H_ -#define COMPONENTS_NACL_LOADER_NONSFI_NONSFI_SANDBOX_H_ - -#include "base/basictypes.h" -#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" - -namespace nacl { -namespace nonsfi { - -// The seccomp sandbox policy for NaCl non-SFI mode. Note that this -// policy must be as strong as possible, as non-SFI mode heavily -// depends on seccomp sandbox. -class NaClNonSfiBPFSandboxPolicy : public sandbox::SandboxBPFPolicy { - public: - explicit NaClNonSfiBPFSandboxPolicy() {} - virtual ~NaClNonSfiBPFSandboxPolicy() {} - - virtual sandbox::ErrorCode EvaluateSyscall(sandbox::SandboxBPF* sb, - int sysno) const OVERRIDE; - - static sandbox::ErrorCode EvaluateSyscallImpl(sandbox::SandboxBPF* sb, - int sysno, void*); - - private: - DISALLOW_COPY_AND_ASSIGN(NaClNonSfiBPFSandboxPolicy); -}; - -// Initializes seccomp-bpf sandbox for non-SFI NaCl. Returns false on -// failure. -bool InitializeBPFSandbox(); - -} // namespace nonsfi -} // namespace nacl - -#endif // COMPONENTS_NACL_LOADER_NONSFI_NONSFI_SANDBOX_H_ diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc deleted file mode 100644 index ad31b89..0000000 --- a/components/nacl/loader/nonsfi/nonsfi_sandbox_sigsys_unittest.cc +++ /dev/null @@ -1,609 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" - -#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" -#include "sandbox/linux/seccomp-bpf/bpf_tests.h" - -namespace { - -// Test cases in this file just make sure not-whitelisted syscalls -// are appropriately disallowed. They should raise SIGSYS regardless -// of arguments. We always pass five zeros not to pass uninitialized -// values to syscalls. -#define RESTRICT_SYSCALL_DEATH_TEST_IMPL(name, sysno) \ - BPF_DEATH_TEST( \ - NaClNonSfiSandboxSIGSYSTest, name, \ - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), \ - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { \ - syscall(sysno, 0, 0, 0, 0, 0); \ - } - -#define RESTRICT_SYSCALL_DEATH_TEST(name) \ - RESTRICT_SYSCALL_DEATH_TEST_IMPL(name, __NR_ ## name) - -#define RESTRICT_ARM_SYSCALL_DEATH_TEST(name) \ - RESTRICT_SYSCALL_DEATH_TEST_IMPL(ARM_ ## name, __ARM_NR_ ## name) - -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(_newselect); -#endif -RESTRICT_SYSCALL_DEATH_TEST(_sysctl); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(accept); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(accept4); -#endif -RESTRICT_SYSCALL_DEATH_TEST(access); -RESTRICT_SYSCALL_DEATH_TEST(acct); -RESTRICT_SYSCALL_DEATH_TEST(add_key); -RESTRICT_SYSCALL_DEATH_TEST(adjtimex); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(afs_syscall); -#endif -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(alarm); -#endif -#if defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(arch_prctl); -#endif -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(arm_fadvise64_64); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(bdflush); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(bind); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(break); -#endif -RESTRICT_SYSCALL_DEATH_TEST(capget); -RESTRICT_SYSCALL_DEATH_TEST(capset); -RESTRICT_SYSCALL_DEATH_TEST(chdir); -RESTRICT_SYSCALL_DEATH_TEST(chmod); -RESTRICT_SYSCALL_DEATH_TEST(chown); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(chown32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(chroot); -RESTRICT_SYSCALL_DEATH_TEST(clock_adjtime); -RESTRICT_SYSCALL_DEATH_TEST(clock_nanosleep); -RESTRICT_SYSCALL_DEATH_TEST(clock_settime); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(connect); -#endif -RESTRICT_SYSCALL_DEATH_TEST(creat); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(create_module); -#endif -RESTRICT_SYSCALL_DEATH_TEST(delete_module); -RESTRICT_SYSCALL_DEATH_TEST(dup3); -RESTRICT_SYSCALL_DEATH_TEST(epoll_create1); -#if defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(epoll_ctl_old); -#endif -RESTRICT_SYSCALL_DEATH_TEST(epoll_pwait); -#if defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(epoll_wait_old); -#endif -RESTRICT_SYSCALL_DEATH_TEST(eventfd); -RESTRICT_SYSCALL_DEATH_TEST(eventfd2); -RESTRICT_SYSCALL_DEATH_TEST(execve); -RESTRICT_SYSCALL_DEATH_TEST(faccessat); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(fadvise64); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(fadvise64_64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(fallocate); -RESTRICT_SYSCALL_DEATH_TEST(fanotify_init); -RESTRICT_SYSCALL_DEATH_TEST(fanotify_mark); -RESTRICT_SYSCALL_DEATH_TEST(fchdir); -RESTRICT_SYSCALL_DEATH_TEST(fchmod); -RESTRICT_SYSCALL_DEATH_TEST(fchmodat); -RESTRICT_SYSCALL_DEATH_TEST(fchown); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(fchown32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(fchownat); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(fcntl); -#endif -RESTRICT_SYSCALL_DEATH_TEST(fdatasync); -RESTRICT_SYSCALL_DEATH_TEST(fgetxattr); -RESTRICT_SYSCALL_DEATH_TEST(flistxattr); -RESTRICT_SYSCALL_DEATH_TEST(flock); -RESTRICT_SYSCALL_DEATH_TEST(fork); -RESTRICT_SYSCALL_DEATH_TEST(fremovexattr); -RESTRICT_SYSCALL_DEATH_TEST(fsetxattr); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(fstat); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(fstatat64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(fstatfs); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(fstatfs64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(fsync); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(ftime); -#endif -RESTRICT_SYSCALL_DEATH_TEST(ftruncate); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(ftruncate64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(futimesat); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(get_kernel_syms); -#endif -RESTRICT_SYSCALL_DEATH_TEST(get_mempolicy); -RESTRICT_SYSCALL_DEATH_TEST(get_robust_list); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(get_thread_area); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getcpu); -RESTRICT_SYSCALL_DEATH_TEST(getcwd); -RESTRICT_SYSCALL_DEATH_TEST(getdents); -RESTRICT_SYSCALL_DEATH_TEST(getdents64); -RESTRICT_SYSCALL_DEATH_TEST(getgroups); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(getgroups32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getitimer); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(getpeername); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getpgid); -RESTRICT_SYSCALL_DEATH_TEST(getpgrp); -RESTRICT_SYSCALL_DEATH_TEST(getpid); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(getpmsg); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getppid); -RESTRICT_SYSCALL_DEATH_TEST(getpriority); -RESTRICT_SYSCALL_DEATH_TEST(getresgid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(getresgid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getresuid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(getresuid32); -#endif -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(getrlimit); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getrusage); -RESTRICT_SYSCALL_DEATH_TEST(getsid); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(getsockname); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(getsockopt); -#endif -RESTRICT_SYSCALL_DEATH_TEST(getxattr); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(gtty); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(idle); -#endif -RESTRICT_SYSCALL_DEATH_TEST(init_module); -RESTRICT_SYSCALL_DEATH_TEST(inotify_add_watch); -RESTRICT_SYSCALL_DEATH_TEST(inotify_init); -RESTRICT_SYSCALL_DEATH_TEST(inotify_init1); -RESTRICT_SYSCALL_DEATH_TEST(inotify_rm_watch); -RESTRICT_SYSCALL_DEATH_TEST(io_cancel); -RESTRICT_SYSCALL_DEATH_TEST(io_destroy); -RESTRICT_SYSCALL_DEATH_TEST(io_getevents); -RESTRICT_SYSCALL_DEATH_TEST(io_setup); -RESTRICT_SYSCALL_DEATH_TEST(io_submit); -RESTRICT_SYSCALL_DEATH_TEST(ioctl); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(ioperm); -#endif -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(iopl); -#endif -RESTRICT_SYSCALL_DEATH_TEST(ioprio_get); -RESTRICT_SYSCALL_DEATH_TEST(ioprio_set); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(ipc); -#endif -RESTRICT_SYSCALL_DEATH_TEST(kexec_load); -RESTRICT_SYSCALL_DEATH_TEST(keyctl); -RESTRICT_SYSCALL_DEATH_TEST(kill); -RESTRICT_SYSCALL_DEATH_TEST(lchown); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(lchown32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(lgetxattr); -RESTRICT_SYSCALL_DEATH_TEST(link); -RESTRICT_SYSCALL_DEATH_TEST(linkat); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(listen); -#endif -RESTRICT_SYSCALL_DEATH_TEST(listxattr); -RESTRICT_SYSCALL_DEATH_TEST(llistxattr); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(lock); -#endif -RESTRICT_SYSCALL_DEATH_TEST(lookup_dcookie); -RESTRICT_SYSCALL_DEATH_TEST(lremovexattr); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(lseek); -#endif -RESTRICT_SYSCALL_DEATH_TEST(lsetxattr); -RESTRICT_SYSCALL_DEATH_TEST(lstat); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(lstat64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(mbind); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(migrate_pages); -#endif -RESTRICT_SYSCALL_DEATH_TEST(mincore); -RESTRICT_SYSCALL_DEATH_TEST(mkdir); -RESTRICT_SYSCALL_DEATH_TEST(mkdirat); -RESTRICT_SYSCALL_DEATH_TEST(mknod); -RESTRICT_SYSCALL_DEATH_TEST(mknodat); -RESTRICT_SYSCALL_DEATH_TEST(mlock); -RESTRICT_SYSCALL_DEATH_TEST(mlockall); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(mmap); -#endif -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(modify_ldt); -#endif -RESTRICT_SYSCALL_DEATH_TEST(mount); -RESTRICT_SYSCALL_DEATH_TEST(move_pages); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(mpx); -#endif -RESTRICT_SYSCALL_DEATH_TEST(mq_getsetattr); -RESTRICT_SYSCALL_DEATH_TEST(mq_notify); -RESTRICT_SYSCALL_DEATH_TEST(mq_open); -RESTRICT_SYSCALL_DEATH_TEST(mq_timedreceive); -RESTRICT_SYSCALL_DEATH_TEST(mq_timedsend); -RESTRICT_SYSCALL_DEATH_TEST(mq_unlink); -RESTRICT_SYSCALL_DEATH_TEST(mremap); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(msgctl); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(msgget); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(msgrcv); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(msgsnd); -#endif -RESTRICT_SYSCALL_DEATH_TEST(msync); -RESTRICT_SYSCALL_DEATH_TEST(munlock); -RESTRICT_SYSCALL_DEATH_TEST(munlockall); -RESTRICT_SYSCALL_DEATH_TEST(name_to_handle_at); -#if defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(newfstatat); -#endif -RESTRICT_SYSCALL_DEATH_TEST(nfsservctl); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(nice); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(oldfstat); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(oldlstat); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(oldolduname); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(oldstat); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(olduname); -#endif -RESTRICT_SYSCALL_DEATH_TEST(open_by_handle_at); -RESTRICT_SYSCALL_DEATH_TEST(openat); -RESTRICT_SYSCALL_DEATH_TEST(pause); -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(pciconfig_iobase); -#endif -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(pciconfig_read); -#endif -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(pciconfig_write); -#endif -RESTRICT_SYSCALL_DEATH_TEST(perf_event_open); -RESTRICT_SYSCALL_DEATH_TEST(personality); -RESTRICT_SYSCALL_DEATH_TEST(pipe2); -RESTRICT_SYSCALL_DEATH_TEST(pivot_root); -RESTRICT_SYSCALL_DEATH_TEST(poll); -RESTRICT_SYSCALL_DEATH_TEST(ppoll); -RESTRICT_SYSCALL_DEATH_TEST(preadv); -RESTRICT_SYSCALL_DEATH_TEST(prlimit64); -RESTRICT_SYSCALL_DEATH_TEST(process_vm_readv); -RESTRICT_SYSCALL_DEATH_TEST(process_vm_writev); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(prof); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(profil); -#endif -RESTRICT_SYSCALL_DEATH_TEST(pselect6); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(putpmsg); -#endif -RESTRICT_SYSCALL_DEATH_TEST(pwritev); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(query_module); -#endif -RESTRICT_SYSCALL_DEATH_TEST(quotactl); -RESTRICT_SYSCALL_DEATH_TEST(readahead); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(readdir); -#endif -RESTRICT_SYSCALL_DEATH_TEST(readlink); -RESTRICT_SYSCALL_DEATH_TEST(readlinkat); -RESTRICT_SYSCALL_DEATH_TEST(readv); -RESTRICT_SYSCALL_DEATH_TEST(reboot); -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(recv); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(recvfrom); -#endif -RESTRICT_SYSCALL_DEATH_TEST(recvmmsg); -RESTRICT_SYSCALL_DEATH_TEST(remap_file_pages); -RESTRICT_SYSCALL_DEATH_TEST(removexattr); -RESTRICT_SYSCALL_DEATH_TEST(rename); -RESTRICT_SYSCALL_DEATH_TEST(renameat); -RESTRICT_SYSCALL_DEATH_TEST(request_key); -RESTRICT_SYSCALL_DEATH_TEST(rmdir); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigaction); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigpending); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigprocmask); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigqueueinfo); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigreturn); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigsuspend); -RESTRICT_SYSCALL_DEATH_TEST(rt_sigtimedwait); -RESTRICT_SYSCALL_DEATH_TEST(rt_tgsigqueueinfo); -RESTRICT_SYSCALL_DEATH_TEST(sched_get_priority_max); -RESTRICT_SYSCALL_DEATH_TEST(sched_get_priority_min); -RESTRICT_SYSCALL_DEATH_TEST(sched_getaffinity); -RESTRICT_SYSCALL_DEATH_TEST(sched_getparam); -RESTRICT_SYSCALL_DEATH_TEST(sched_getscheduler); -RESTRICT_SYSCALL_DEATH_TEST(sched_rr_get_interval); -RESTRICT_SYSCALL_DEATH_TEST(sched_setaffinity); -RESTRICT_SYSCALL_DEATH_TEST(sched_setparam); -RESTRICT_SYSCALL_DEATH_TEST(sched_setscheduler); -#if defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(security); -#endif -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(select); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(semctl); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(semget); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(semop); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(semtimedop); -#endif -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(send); -#endif -RESTRICT_SYSCALL_DEATH_TEST(sendfile); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sendfile64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(sendmmsg); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sendto); -#endif -RESTRICT_SYSCALL_DEATH_TEST(set_mempolicy); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(set_thread_area); -#endif -RESTRICT_SYSCALL_DEATH_TEST(set_tid_address); -RESTRICT_SYSCALL_DEATH_TEST(setdomainname); -RESTRICT_SYSCALL_DEATH_TEST(setfsgid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setfsgid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setfsuid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setfsuid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setgid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setgid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setgroups); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setgroups32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(sethostname); -RESTRICT_SYSCALL_DEATH_TEST(setitimer); -RESTRICT_SYSCALL_DEATH_TEST(setns); -RESTRICT_SYSCALL_DEATH_TEST(setpgid); -RESTRICT_SYSCALL_DEATH_TEST(setpriority); -RESTRICT_SYSCALL_DEATH_TEST(setregid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setregid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setresgid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setresgid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setresuid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setresuid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setreuid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setreuid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setrlimit); -RESTRICT_SYSCALL_DEATH_TEST(setsid); -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setsockopt); -#endif -RESTRICT_SYSCALL_DEATH_TEST(settimeofday); -RESTRICT_SYSCALL_DEATH_TEST(setuid); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(setuid32); -#endif -RESTRICT_SYSCALL_DEATH_TEST(setxattr); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(sgetmask); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(shmat); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(shmctl); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(shmdt); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(shmget); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sigaction); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(signal); -#endif -RESTRICT_SYSCALL_DEATH_TEST(signalfd); -RESTRICT_SYSCALL_DEATH_TEST(signalfd4); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sigpending); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sigprocmask); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sigreturn); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sigsuspend); -#endif -#if defined(__x86_64__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(socket); -#endif -RESTRICT_SYSCALL_DEATH_TEST(splice); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(ssetmask); -#endif -RESTRICT_SYSCALL_DEATH_TEST(stat); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(stat64); -#endif -RESTRICT_SYSCALL_DEATH_TEST(statfs); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(statfs64); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(stime); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(stty); -#endif -RESTRICT_SYSCALL_DEATH_TEST(swapoff); -RESTRICT_SYSCALL_DEATH_TEST(swapon); -RESTRICT_SYSCALL_DEATH_TEST(symlink); -RESTRICT_SYSCALL_DEATH_TEST(symlinkat); -RESTRICT_SYSCALL_DEATH_TEST(sync); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(sync_file_range); -#endif -#if defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(sync_file_range2); -#endif -RESTRICT_SYSCALL_DEATH_TEST(syncfs); -RESTRICT_SYSCALL_DEATH_TEST(sysfs); -RESTRICT_SYSCALL_DEATH_TEST(sysinfo); -RESTRICT_SYSCALL_DEATH_TEST(syslog); -RESTRICT_SYSCALL_DEATH_TEST(tee); -RESTRICT_SYSCALL_DEATH_TEST(tgkill); -RESTRICT_SYSCALL_DEATH_TEST(timer_create); -RESTRICT_SYSCALL_DEATH_TEST(timer_delete); -RESTRICT_SYSCALL_DEATH_TEST(timer_getoverrun); -RESTRICT_SYSCALL_DEATH_TEST(timer_gettime); -RESTRICT_SYSCALL_DEATH_TEST(timer_settime); -RESTRICT_SYSCALL_DEATH_TEST(timerfd_create); -RESTRICT_SYSCALL_DEATH_TEST(timerfd_gettime); -RESTRICT_SYSCALL_DEATH_TEST(timerfd_settime); -RESTRICT_SYSCALL_DEATH_TEST(tkill); -RESTRICT_SYSCALL_DEATH_TEST(truncate); -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(truncate64); -#endif -#if defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(tuxcall); -#endif -#if defined(__i386__) || defined(__arm__) -RESTRICT_SYSCALL_DEATH_TEST(ugetrlimit); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(ulimit); -#endif -RESTRICT_SYSCALL_DEATH_TEST(umask); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(umount); -#endif -RESTRICT_SYSCALL_DEATH_TEST(umount2); -RESTRICT_SYSCALL_DEATH_TEST(uname); -RESTRICT_SYSCALL_DEATH_TEST(unlink); -RESTRICT_SYSCALL_DEATH_TEST(unlinkat); -RESTRICT_SYSCALL_DEATH_TEST(unshare); -RESTRICT_SYSCALL_DEATH_TEST(uselib); -RESTRICT_SYSCALL_DEATH_TEST(ustat); -#if defined(__i386__) || defined(__x86_64__) -RESTRICT_SYSCALL_DEATH_TEST(utime); -#endif -RESTRICT_SYSCALL_DEATH_TEST(utimensat); -RESTRICT_SYSCALL_DEATH_TEST(utimes); -RESTRICT_SYSCALL_DEATH_TEST(vfork); -RESTRICT_SYSCALL_DEATH_TEST(vhangup); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(vm86); -#endif -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(vm86old); -#endif -RESTRICT_SYSCALL_DEATH_TEST(vmsplice); -RESTRICT_SYSCALL_DEATH_TEST(vserver); -RESTRICT_SYSCALL_DEATH_TEST(wait4); -RESTRICT_SYSCALL_DEATH_TEST(waitid); -#if defined(__i386__) -RESTRICT_SYSCALL_DEATH_TEST(waitpid); -#endif -RESTRICT_SYSCALL_DEATH_TEST(writev); - -// ARM specific syscalls. -#if defined(__arm__) -RESTRICT_ARM_SYSCALL_DEATH_TEST(breakpoint); -RESTRICT_ARM_SYSCALL_DEATH_TEST(usr26); -RESTRICT_ARM_SYSCALL_DEATH_TEST(usr32); -RESTRICT_ARM_SYSCALL_DEATH_TEST(set_tls); -#endif - -} // namespace diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc deleted file mode 100644 index 5b62ce6..0000000 --- a/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc +++ /dev/null @@ -1,461 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "components/nacl/loader/nonsfi/nonsfi_sandbox.h" - -#include <errno.h> -#include <fcntl.h> -#include <pthread.h> -#include <sched.h> -#include <signal.h> -#include <stdlib.h> -#include <string.h> -#include <sys/mman.h> -#include <sys/prctl.h> -#include <sys/ptrace.h> -#include <sys/socket.h> -#include <sys/syscall.h> -#include <sys/types.h> -#include <sys/wait.h> -#include <unistd.h> - -#include "base/bind.h" -#include "base/callback.h" -#include "base/compiler_specific.h" -#include "base/files/scoped_file.h" -#include "base/logging.h" -#include "base/posix/eintr_wrapper.h" -#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" -#include "sandbox/linux/seccomp-bpf/bpf_tests.h" - -namespace { - -void DoPipe(base::ScopedFD* fds) { - int tmp_fds[2]; - BPF_ASSERT_EQ(0, pipe(tmp_fds)); - fds[0].reset(tmp_fds[0]); - fds[1].reset(tmp_fds[1]); -} - -void DoSocketpair(base::ScopedFD* fds) { - int tmp_fds[2]; - BPF_ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_STREAM, 0, tmp_fds)); - fds[0].reset(tmp_fds[0]); - fds[1].reset(tmp_fds[1]); -} - -TEST(NaClNonSfiSandboxTest, BPFIsSupported) { - bool seccomp_bpf_supported = false; - // Seccomp-BPF tests die under TSAN v2. See http://crbug.com/356588 -#if !defined(THREAD_SANITIZER) - seccomp_bpf_supported = ( - sandbox::SandboxBPF::SupportsSeccompSandbox(-1) == - sandbox::SandboxBPF::STATUS_AVAILABLE); -#endif - - if (!seccomp_bpf_supported) { - LOG(ERROR) << "Seccomp BPF is not supported, these tests " - << "will pass without running"; - } -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, invalid_sysno, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - syscall(999); -} - -const int kExpectedValue = 123; - -void* SetValueInThread(void* test_val_ptr) { - *reinterpret_cast<int*>(test_val_ptr) = kExpectedValue; - return NULL; -} - -BPF_TEST(NaClNonSfiSandboxTest, clone_by_pthread_create, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - // clone call for thread creation is allowed. - pthread_t th; - int test_val = 42; - BPF_ASSERT_EQ(0, pthread_create(&th, NULL, &SetValueInThread, &test_val)); - BPF_ASSERT_EQ(0, pthread_join(th, NULL)); - BPF_ASSERT_EQ(kExpectedValue, test_val); -} - -int DoFork() { - // Call clone() to do a fork(). - const int pid = syscall(__NR_clone, SIGCHLD, NULL); - if (pid == 0) - _exit(0); - return pid; -} - -// The sanity check for DoFork without the sandbox. -TEST(NaClNonSfiSandboxTest, DoFork) { - const int pid = DoFork(); - ASSERT_LT(0, pid); - int status; - ASSERT_EQ(pid, HANDLE_EINTR(waitpid(pid, &status, 0))); - ASSERT_TRUE(WIFEXITED(status)); - ASSERT_EQ(0, WEXITSTATUS(status)); -} - -// Then, try this in the sandbox. -BPF_DEATH_TEST(NaClNonSfiSandboxTest, clone_for_fork, - DEATH_MESSAGE(sandbox::GetCloneErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - DoFork(); -} - -BPF_TEST(NaClNonSfiSandboxTest, prctl_SET_NAME, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_prctl, PR_SET_NAME, "foo")); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, prctl_SET_DUMPABLE, - DEATH_MESSAGE(sandbox::GetPrctlErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - syscall(__NR_prctl, PR_SET_DUMPABLE, 1UL); -} - -BPF_TEST(NaClNonSfiSandboxTest, socketcall_allowed, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - base::ScopedFD fds[2]; - struct msghdr msg = {}; - struct iovec iov; - std::string payload("foo"); - iov.iov_base = &payload[0]; - iov.iov_len = payload.size(); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - DoSocketpair(fds); - BPF_ASSERT_EQ(static_cast<int>(payload.size()), - HANDLE_EINTR(sendmsg(fds[1].get(), &msg, 0))); - BPF_ASSERT_EQ(static_cast<int>(payload.size()), - HANDLE_EINTR(recvmsg(fds[0].get(), &msg, 0))); - BPF_ASSERT_EQ(0, shutdown(fds[0].get(), SHUT_RDWR)); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, accept, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - accept(0, NULL, NULL); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, bind, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - bind(0, NULL, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, connect, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - connect(0, NULL, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, getpeername, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - getpeername(0, NULL, NULL); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, getsockname, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - getsockname(0, NULL, NULL); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, getsockopt, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - getsockopt(0, 0, 0, NULL, NULL); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, listen, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - listen(0, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, recv, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - recv(0, NULL, 0, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, recvfrom, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - recvfrom(0, NULL, 0, 0, NULL, NULL); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, send, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - send(0, NULL, 0, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, sendto, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - sendto(0, NULL, 0, 0, NULL, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, setsockopt, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - setsockopt(0, 0, 0, NULL, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, socket, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - socket(0, 0, 0); -} - -#if defined(__x86_64__) || defined(__arm__) -BPF_DEATH_TEST(NaClNonSfiSandboxTest, socketpair, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - int fds[2]; - socketpair(AF_INET, SOCK_STREAM, 0, fds); -} -#endif - -BPF_TEST(NaClNonSfiSandboxTest, fcntl_SETFD_allowed, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - base::ScopedFD fds[2]; - DoSocketpair(fds); - BPF_ASSERT_EQ(0, fcntl(fds[0].get(), F_SETFD, FD_CLOEXEC)); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, fcntl_SETFD, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - base::ScopedFD fds[2]; - DoSocketpair(fds); - fcntl(fds[0].get(), F_SETFD, 99); -} - -BPF_TEST(NaClNonSfiSandboxTest, fcntl_GETFL_SETFL_allowed, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - base::ScopedFD fds[2]; - DoPipe(fds); - const int fd = fds[0].get(); - BPF_ASSERT_EQ(0, fcntl(fd, F_GETFL)); - BPF_ASSERT_EQ(0, fcntl(fd, F_SETFL, O_RDWR | O_NONBLOCK)); - BPF_ASSERT_EQ(O_NONBLOCK, fcntl(fd, F_GETFL)); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, fcntl_GETFL_SETFL, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - base::ScopedFD fds[2]; - DoSocketpair(fds); - fcntl(fds[0].get(), F_SETFL, O_APPEND); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, fcntl_DUPFD, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - fcntl(0, F_DUPFD); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, fcntl_DUPFD_CLOEXEC, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - fcntl(0, F_DUPFD_CLOEXEC); -} - -void* DoAllowedAnonymousMmap() { - return mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE, - MAP_ANONYMOUS | MAP_SHARED, -1, 0); -} - -BPF_TEST(NaClNonSfiSandboxTest, mmap_allowed, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - void* ptr = DoAllowedAnonymousMmap(); - BPF_ASSERT_NE(MAP_FAILED, ptr); - BPF_ASSERT_EQ(0, munmap(ptr, getpagesize())); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, mmap_unallowed_flag, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE, - MAP_ANONYMOUS | MAP_POPULATE, -1, 0); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, mmap_unallowed_prot, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - mmap(NULL, getpagesize(), PROT_READ | PROT_GROWSDOWN, - MAP_ANONYMOUS, -1, 0); -} - -// TODO(hamaji): Disallow RWX mmap. -#if 0 -BPF_DEATH_TEST(NaClNonSfiSandboxTest, mmap_rwx, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - mmap(NULL, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC, - MAP_ANONYMOUS, -1, 0); -} -#endif - -BPF_TEST(NaClNonSfiSandboxTest, mprotect_allowed, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - void* ptr = DoAllowedAnonymousMmap(); - BPF_ASSERT_NE(MAP_FAILED, ptr); - BPF_ASSERT_EQ(0, mprotect(ptr, getpagesize(), PROT_READ)); - BPF_ASSERT_EQ(0, munmap(ptr, getpagesize())); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, mprotect_unallowed_prot, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - // We have tested DoAllowedAnonymousMmap is allowed in - // mmap_allowed, so we can make sure the following mprotect call - // kills the process. - void* ptr = DoAllowedAnonymousMmap(); - BPF_ASSERT_NE(MAP_FAILED, ptr); - mprotect(ptr, getpagesize(), PROT_READ | PROT_GROWSDOWN); -} - -BPF_TEST(NaClNonSfiSandboxTest, brk, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - char* next_brk = static_cast<char*>(sbrk(0)) + getpagesize(); - // The kernel interface must return zero for brk. - BPF_ASSERT_EQ(0, syscall(__NR_brk, next_brk)); - // The libc wrapper translates it to ENOMEM. - errno = 0; - BPF_ASSERT_EQ(-1, brk(next_brk)); - BPF_ASSERT_EQ(ENOMEM, errno); -} - -#if defined(__i386__) || defined(__arm__) -BPF_TEST(NaClNonSfiSandboxTest, getegid32_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_getegid32)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, geteuid32_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_geteuid32)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, getgid32_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_getgid32)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, getuid32_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_getuid32)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, getegid_SIGSYS, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - syscall(__NR_getegid); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, geteuid_SIGSYS, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - syscall(__NR_geteuid); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, getgid_SIGSYS, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - syscall(__NR_getgid); -} - -BPF_DEATH_TEST(NaClNonSfiSandboxTest, getuid_SIGSYS, - DEATH_MESSAGE(sandbox::GetErrorMessageContentForTests()), - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - syscall(__NR_getuid); -} -#endif - -#if defined(__x86_64__) -BPF_TEST(NaClNonSfiSandboxTest, getegid_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_getegid)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, geteuid_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_geteuid)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, getgid_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_getgid)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, getuid_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_getuid)); - BPF_ASSERT_EQ(EPERM, errno); -} -#endif - -BPF_TEST(NaClNonSfiSandboxTest, madvise_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_madvise)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, open_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_open)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, ptrace_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_ptrace)); - BPF_ASSERT_EQ(EPERM, errno); -} - -BPF_TEST(NaClNonSfiSandboxTest, set_robust_list_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_set_robust_list)); - BPF_ASSERT_EQ(EPERM, errno); -} - -#if defined(__i386__) || defined(__x86_64__) -BPF_TEST(NaClNonSfiSandboxTest, time_EPERM, - nacl::nonsfi::NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl) { - errno = 0; - BPF_ASSERT_EQ(-1, syscall(__NR_time)); - BPF_ASSERT_EQ(EPERM, errno); -} -#endif - -} // namespace diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi index 7b516f7..75f37c9 100644 --- a/sandbox/linux/sandbox_linux.gypi +++ b/sandbox/linux/sandbox_linux.gypi @@ -57,22 +57,6 @@ ], }, { - 'target_name': 'sandbox_linux_test_utils', - 'type': 'static_library', - 'dependencies': [ - '../testing/gtest.gyp:gtest', - ], - 'include_dirs': [ - '../..', - ], - 'sources': [ - 'tests/test_utils.cc', - 'tests/test_utils.h', - 'tests/unit_tests.cc', - 'tests/unit_tests.h', - ], - }, - { # The main sandboxing test target. 'target_name': 'sandbox_linux_unittests', 'includes': [ diff --git a/sandbox/linux/sandbox_linux_test_sources.gypi b/sandbox/linux/sandbox_linux_test_sources.gypi index ffbf9c6..01db0e9 100644 --- a/sandbox/linux/sandbox_linux_test_sources.gypi +++ b/sandbox/linux/sandbox_linux_test_sources.gypi @@ -7,7 +7,6 @@ { 'dependencies': [ 'sandbox', - 'sandbox_linux_test_utils', '../base/base.gyp:base', '../base/base.gyp:test_support_base', '../testing/gtest.gyp:gtest', @@ -17,6 +16,10 @@ ], 'sources': [ 'tests/main.cc', + 'tests/test_utils.cc', + 'tests/test_utils.h', + 'tests/unit_tests.cc', + 'tests/unit_tests.h', 'tests/unit_tests_unittest.cc', 'services/broker_process_unittest.cc', 'services/scoped_process_unittest.cc', diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc index 47c9989..4cefa4c 100644 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc @@ -13,11 +13,6 @@ #include "build/build_config.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" -#define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure" -#define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure" -#define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure" -#define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure" - namespace { inline bool IsArchitectureX86_64() { @@ -59,7 +54,7 @@ void PrintSyscallError(uint32_t sysno) { sysno_base10[i] = '0' + mod; } static const char kSeccompErrorPrefix[] = - __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall "; + __FILE__":**CRASHING**:seccomp-bpf failure in syscall "; static const char kSeccompErrorPostfix[] = "\n"; WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1); WriteToStdErr(sysno_base10, sizeof(sysno_base10)); @@ -100,7 +95,7 @@ intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { static const char kSeccompCloneError[] = - __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n"; + __FILE__":**CRASHING**:clone() failure\n"; WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1); // "flags" is the first argument in the kernel's clone(). // Mark as volatile to be able to find the value on the stack in a minidump. @@ -120,7 +115,7 @@ intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* /* aux */) { static const char kSeccompPrctlError[] = - __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n"; + __FILE__":**CRASHING**:prctl() failure\n"; WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1); // Mark as volatile to be able to find the value on the stack in a minidump. volatile uint64_t option = args.args[0]; @@ -134,7 +129,7 @@ intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* /* aux */) { static const char kSeccompIoctlError[] = - __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n"; + __FILE__":**CRASHING**:ioctl() failure\n"; WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1); // Make "request" volatile so that we can see it on the stack in a minidump. volatile uint64_t request = args.args[1]; @@ -147,20 +142,4 @@ intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, _exit(1); } -const char* GetErrorMessageContentForTests() { - return SECCOMP_MESSAGE_COMMON_CONTENT; -} - -const char* GetCloneErrorMessageContentForTests() { - return SECCOMP_MESSAGE_CLONE_CONTENT; -} - -const char* GetPrctlErrorMessageContentForTests() { - return SECCOMP_MESSAGE_PRCTL_CONTENT; -} - -const char* GetIoctlErrorMessageContentForTests() { - return SECCOMP_MESSAGE_IOCTL_CONTENT; -} - } // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h index b8f626a..0bada37 100644 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h @@ -39,13 +39,6 @@ SANDBOX_EXPORT intptr_t SANDBOX_EXPORT intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux); -// Following four functions return substrings of error messages used -// in the above four functions. They are useful in death tests. -SANDBOX_EXPORT const char* GetErrorMessageContentForTests(); -SANDBOX_EXPORT const char* GetCloneErrorMessageContentForTests(); -SANDBOX_EXPORT const char* GetPrctlErrorMessageContentForTests(); -SANDBOX_EXPORT const char* GetIoctlErrorMessageContentForTests(); - } // namespace sandbox. #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_ diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h index 357e29c..cc3fc25 100644 --- a/sandbox/linux/seccomp-bpf/bpf_tests.h +++ b/sandbox/linux/seccomp-bpf/bpf_tests.h @@ -44,12 +44,6 @@ namespace sandbox { // Assertions are handled exactly the same as with a normal SANDBOX_TEST() #define BPF_ASSERT SANDBOX_ASSERT -#define BPF_ASSERT_EQ(x, y) BPF_ASSERT((x) == (y)) -#define BPF_ASSERT_NE(x, y) BPF_ASSERT((x) != (y)) -#define BPF_ASSERT_LT(x, y) BPF_ASSERT((x) < (y)) -#define BPF_ASSERT_GT(x, y) BPF_ASSERT((x) > (y)) -#define BPF_ASSERT_LE(x, y) BPF_ASSERT((x) <= (y)) -#define BPF_ASSERT_GE(x, y) BPF_ASSERT((x) >= (y)) // The "Aux" type is optional. We use an "empty" type by default, so that if // the caller doesn't provide any type, all the BPF_AUX related data compiles |