author | hamaji@chromium.org <hamaji@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-17 01:55:08 +0000 |
committer | hamaji@chromium.org <hamaji@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-17 01:55:08 +0000 |
commit | f918ba5c07ebdee7a9b3cfa3f30c13f8bb88dce8 (patch) | |
tree | 4cb0e4a24cf889eceec7d8fe0ed5155753c67858 /sandbox | |
parent | 0460b695737beaa0a7bd98bfc191a257aa5e1fda (diff) | |
Add seccomp sandbox for non-SFI NaCl
All syscalls except whitelisted ones will cause SIGSYS.
We test the sandbox with BPF_TEST and BPF_TEST_DEATH, which appropriately fork the process so the main process of the test will never enable the sandbox.
TEST=Our app works with this sandbox on i686 and ARM
TEST=Build chrome and nacl_helper on i686, x86-64, and ARM
TEST=./out/Release/components_unittests --gtest_filter='NaClNonSfi*'
# on i686, x86-64, and ARM
TEST=SFI NaCl apps still work
TEST=trybots
BUG=359285
Review URL: https://codereview.chromium.org/196793023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@264383 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/linux/sandbox_linux.gypi | 16 | ||||
-rw-r--r-- | sandbox/linux/sandbox_linux_test_sources.gypi | 5 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc | 29 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h | 7 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf/bpf_tests.h | 6 |
5 files changed, 55 insertions, 8 deletions
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi
index 75f37c9..7b516f7 100644
--- a/sandbox/linux/sandbox_linux.gypi
+++ b/sandbox/linux/sandbox_linux.gypi
@@ -57,6 +57,22 @@
 ],
 },
 {
+ 'target_name': 'sandbox_linux_test_utils',
+ 'type': 'static_library',
+ 'dependencies': [
+ '../testing/gtest.gyp:gtest',
+ ],
+ 'include_dirs': [
+ '../..',
+ ],
+ 'sources': [
+ 'tests/test_utils.cc',
+ 'tests/test_utils.h',
+ 'tests/unit_tests.cc',
+ 'tests/unit_tests.h',
+ ],
+ },
+ {
 # The main sandboxing test target.
 'target_name': 'sandbox_linux_unittests',
 'includes': [
diff --git a/sandbox/linux/sandbox_linux_test_sources.gypi b/sandbox/linux/sandbox_linux_test_sources.gypi
index 01db0e9..ffbf9c6 100644
--- a/sandbox/linux/sandbox_linux_test_sources.gypi
+++ b/sandbox/linux/sandbox_linux_test_sources.gypi
@@ -7,6 +7,7 @@
 {
 'dependencies': [
 'sandbox',
+ 'sandbox_linux_test_utils',
 '../base/base.gyp:base',
 '../base/base.gyp:test_support_base',
 '../testing/gtest.gyp:gtest',
@@ -16,10 +17,6 @@
 ],
 'sources': [
 'tests/main.cc',
- 'tests/test_utils.cc',
- 'tests/test_utils.h',
- 'tests/unit_tests.cc',
- 'tests/unit_tests.h',
 'tests/unit_tests_unittest.cc',
 'services/broker_process_unittest.cc',
 'services/scoped_process_unittest.cc',
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
index 4cefa4c..47c9989 100644
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
@@ -13,6 +13,11 @@
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
+#define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure"
+#define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure"
+#define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure"
+#define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure"
+
 namespace {
 
 inline bool IsArchitectureX86_64() {
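Review bot: The four SECCOMP_MESSAGE_*_CONTENT macros added at file scope in sigsys_handlers.cc carry no comment saying why they are macros when the rest of the file expresses its messages as `static const char k...[]` arrays; the reason only becomes visible in the later hunks, where they are pasted into string literals next to `__FILE__`. A one-line comment above the group would keep the next maintainer from converting them to constants and breaking that concatenation: `// Macros rather than const char[] so they can be concatenated with __FILE__ in the string literals below and echoed verbatim by the *ForTests() accessors.` The same note makes it explicit that the death tests match on exactly these substrings, so the text is part of the test contract.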
@@ -54,7 +59,7 @@ void PrintSyscallError(uint32_t sysno) {
 sysno_base10[i] = '0' + mod;
 }
 static const char kSeccompErrorPrefix[] =
- __FILE__":**CRASHING**:seccomp-bpf failure in syscall ";
+ __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall ";
 static const char kSeccompErrorPostfix[] = "\n";
 WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
 WriteToStdErr(sysno_base10, sizeof(sysno_base10));
@@ -95,7 +100,7 @@ intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
 
 intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
 static const char kSeccompCloneError[] =
- __FILE__":**CRASHING**:clone() failure\n";
+ __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n";
 WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1);
 // "flags" is the first argument in the kernel's clone().
 // Mark as volatile to be able to find the value on the stack in a minidump.
@@ -115,7 +120,7 @@ intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
 intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
 void* /* aux */) {
 static const char kSeccompPrctlError[] =
- __FILE__":**CRASHING**:prctl() failure\n";
+ __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n";
 WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1);
 // Mark as volatile to be able to find the value on the stack in a minidump.
 volatile uint64_t option = args.args[0];
@@ -129,7 +134,7 @@ intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
 intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
 void* /* aux */) {
 static const char kSeccompIoctlError[] =
- __FILE__":**CRASHING**:ioctl() failure\n";
+ __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n";
 WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1);
 // Make "request" volatile so that we can see it on the stack in a minidump.
 volatile uint64_t request = args.args[1];
@@ -142,4 +147,20 @@ intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
 _exit(1);
 }
 
+const char* GetErrorMessageContentForTests() {
+ return SECCOMP_MESSAGE_COMMON_CONTENT;
+}
+
+const char* GetCloneErrorMessageContentForTests() {
+ return SECCOMP_MESSAGE_CLONE_CONTENT;
+}
+
+const char* GetPrctlErrorMessageContentForTests() {
+ return SECCOMP_MESSAGE_PRCTL_CONTENT;
+}
+
+const char* GetIoctlErrorMessageContentForTests() {
+ return SECCOMP_MESSAGE_IOCTL_CONTENT;
+}
+
 } // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
index 0bada37..b8f626a 100644
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -39,6 +39,13 @@ SANDBOX_EXPORT intptr_t
 SANDBOX_EXPORT intptr_t
 SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux);
 
+// Following four functions return substrings of error messages used
+// in the above four functions. They are useful in death tests.
+SANDBOX_EXPORT const char* GetErrorMessageContentForTests();
+SANDBOX_EXPORT const char* GetCloneErrorMessageContentForTests();
+SANDBOX_EXPORT const char* GetPrctlErrorMessageContentForTests();
+SANDBOX_EXPORT const char* GetIoctlErrorMessageContentForTests();
+
 } // namespace sandbox.
 
 #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h
index cc3fc25..357e29c 100644
--- a/sandbox/linux/seccomp-bpf/bpf_tests.h
+++ b/sandbox/linux/seccomp-bpf/bpf_tests.h
@@ -44,6 +44,12 @@ namespace sandbox {
 
 // Assertions are handled exactly the same as with a normal SANDBOX_TEST()
 #define BPF_ASSERT SANDBOX_ASSERT
+#define BPF_ASSERT_EQ(x, y) BPF_ASSERT((x) == (y))
+#define BPF_ASSERT_NE(x, y) BPF_ASSERT((x) != (y))
+#define BPF_ASSERT_LT(x, y) BPF_ASSERT((x) < (y))
+#define BPF_ASSERT_GT(x, y) BPF_ASSERT((x) > (y))
+#define BPF_ASSERT_LE(x, y) BPF_ASSERT((x) <= (y))
+#define BPF_ASSERT_GE(x, y) BPF_ASSERT((x) >= (y))
 
 // The "Aux" type is optional. We use an "empty" type by default, so that if
 // the caller doesn't provide any type, all the BPF_AUX related data compiles |
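Review bot: The new BPF_ASSERT_EQ/NE/LT/GT/LE/GE macros in bpf_tests.h are undocumented, and because each expands to a single boolean `BPF_ASSERT((x) op (y))`, a failure can only report that the comparison was false, never the two operand values the way gtest's EXPECT_EQ does; anyone porting gtest-style checks into a BPF_TEST body may expect that. A short comment above the group would set expectations: `// Comparison helpers for BPF_TEST bodies. Each operand is evaluated exactly once, but on failure only the comparison is reported, not the operand values.` What `SANDBOX_ASSERT` itself prints is not visible in this hunk, so the wording may need adjusting to match it.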