// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h" #include #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "sandbox/linux/bpf_dsl/policy.h" #include "sandbox/linux/seccomp-bpf/die.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/system_headers/linux_filter.h" #include "sandbox/linux/tests/unit_tests.h" namespace sandbox { SandboxBPFTestRunner::SandboxBPFTestRunner( BPFTesterDelegate* bpf_tester_delegate) : bpf_tester_delegate_(bpf_tester_delegate) { } SandboxBPFTestRunner::~SandboxBPFTestRunner() { } void SandboxBPFTestRunner::Run() { DCHECK(bpf_tester_delegate_); sandbox::Die::EnableSimpleExit(); scoped_ptr policy = bpf_tester_delegate_->GetSandboxBPFPolicy(); if (sandbox::SandboxBPF::SupportsSeccompSandbox( SandboxBPF::SeccompLevel::SINGLE_THREADED)) { // Initialize and then start the sandbox with our custom policy sandbox::SandboxBPF sandbox(policy.release()); SANDBOX_ASSERT(sandbox.StartSandbox( sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED)); // Run the actual test. bpf_tester_delegate_->RunTestFunction(); } else { printf("This BPF test is not fully running in this configuration!\n"); // Android and Valgrind are the only configurations where we accept not // having kernel BPF support. if (!IsAndroid() && !IsRunningOnValgrind()) { const bool seccomp_bpf_is_supported = false; SANDBOX_ASSERT(seccomp_bpf_is_supported); } // Call the compiler and verify the policy. That's the least we can do, // if we don't have kernel support. sandbox::SandboxBPF sandbox(policy.release()); sandbox.AssembleFilter(true /* force_verification */); sandbox::UnitTests::IgnoreThisTest(); } } bool SandboxBPFTestRunner::ShouldCheckForLeaks() const { // LSAN requires being able to use ptrace() and other system calls that could // be denied. return false; } } // namespace sandbox