author | markus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-07 00:53:37 +0000 |
---|---|---|
committer | markus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-07 00:53:37 +0000 |
commit | 8d4dceb4813d388a84df222d67ac0750e7f5278a (patch) | |
tree | 6d1c635cef4f837448c851eb3861afc91b04274b /sandbox | |
parent | fc5eaf21ed4c7802786576825c999b5a0a4f699a (diff) | |
Added a unittest to check that we can restrict syscall(__NR_clone)
BUG=130662
TEST=sandbox_linux_unittests
Review URL: https://chromiumcodereview.appspot.com/12207029
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@181121 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index e9bbb34..3d15c77 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <pthread.h>
+#include <sched.h>
 #include <sys/syscall.h>
 #include <sys/utsname.h>
 
@@ -987,4 +989,57 @@ BPF_DEATH_TEST(SandboxBpf, EqualityWithNegative64bitArguments,
 }
 #endif
 
+intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void *aux) {
+ printf("Clone() was called with unexpected arguments\n"
+ " nr: %d\n"
+ " 0: 0x%llX\n"
+ " 1: 0x%llX\n"
+ " 2: 0x%llX\n"
+ " 3: 0x%llX\n"
+ " 4: 0x%llX\n"
+ " 5: 0x%llX\n",
+ args.nr,
+ (long long)args.args[0], (long long)args.args[1],
+ (long long)args.args[2], (long long)args.args[2],
+ (long long)args.args[4], (long long)args.args[5]);
+ return -EPERM;
+}
+
+ErrorCode PthreadPolicy(int sysno, void *aux) {
+ if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ // FIXME: we should really not have to do that in a trivial policy
+ return ErrorCode(ENOSYS);
+ } else if (sysno == __NR_clone) {
+ // We have seen two different valid combinations of flags. Glibc
+ // uses the more modern flags, sets the TLS from the call to clone(), and
+ // uses futexes to monitor threads. Android's C run-time library, doesn't
+ // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
+ return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
+ CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|
+ CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
+ CLONE_THREAD|CLONE_SYSVSEM|CLONE_DETACHED,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ Sandbox::Trap(PthreadTrapHandler, aux)));
+ } else {
+ return ErrorCode(ErrorCode::ERR_ALLOWED);
+ }
+}
+
+static void *ThreadFnc(void *arg) {
+ ++*reinterpret_cast<int *>(arg);
+ return NULL;
+}
+
+BPF_TEST(SandboxBpf, Pthread, PthreadPolicy) {
+ pthread_t thread;
+ int thread_ran = 0;
+ BPF_ASSERT(!pthread_create(&thread, NULL, ThreadFnc, &thread_ran));
+ BPF_ASSERT(!pthread_join(thread, NULL));
+ BPF_ASSERT(thread_ran);
+}
+
 } // namespace |
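Review bot: The diagnostic in PthreadTrapHandler passes args.args[2] twice and never passes args.args[3], so the ` 3:` field of the "unexpected arguments" message reports the wrong clone() argument; the line should read `(long long)args.args[2], (long long)args.args[3],`. The handler also calls printf(), which is not async-signal-safe; if Sandbox::Trap invokes the callback from the SIGSYS handler, as its name suggests, a comment such as `// Test-only: printf() is not async-signal-safe; do not copy into a production Trap handler.` would stop this pattern from migrating into real policies. Because PthreadPolicy is both the fixture and the thing under test, the comment above Sandbox::Cond should also state that the OP_EQUAL match on the whole flags word is what denies fork-style clone() calls (no CLONE_THREAD) and any extra flag such as CLONE_NEWUSER, so a later edit does not weaken it to a mask test. Whether TP_32BIT also constrains the upper half of the flags register on 64-bit targets is not visible here and is worth confirming before relying on the test as a security check. The closing `} // namespace` context line ends a namespace whose opening lies outside the hunk.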