Simplified unit testing of sandboxing code.

sandbox/linux/seccomp-bpf/sandbox_bpf.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_BPF_H__
 #define SANDBOX_BPF_H__
 
 #include <endian.h>
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 126 matching lines @@
 #define SECCOMP_PARM3(_ctx)      SECCOMP_REG(_ctx, r2)
 #define SECCOMP_PARM4(_ctx)      SECCOMP_REG(_ctx, r3)
 #define SECCOMP_PARM5(_ctx)      SECCOMP_REG(_ctx, r4)
 #define SECCOMP_PARM6(_ctx)      SECCOMP_REG(_ctx, r5)
 
 #else
 #error Unsupported target platform
 
 #endif
 
+#include "sandbox/linux/seccomp-bpf/die.h"
+
+
 struct arch_seccomp_data {
   int      nr;
   uint32_t arch;
   uint64_t instruction_pointer;
   uint64_t args[6];
 };
 
 struct arch_sigsys {
   void         *ip;
   int          nr;
@@ skipping 59 matching lines @@
           fnc_(NULL),
           aux_(NULL) {
       switch (err) {
       case SB_INVALID:
         err_ = SECCOMP_RET_INVALID;
         break;
       case SB_ALLOWED:
         err_ = SECCOMP_RET_ALLOW;
         break;
       case SB_INSPECT_ARG_1...SB_INSPECT_ARG_6:
-        die("Not implemented");
+        SANDBOX_DIE("Not implemented");
         break;
       case 1 ... 4095:
         err_ = SECCOMP_RET_ERRNO + err;
         break;
       default:
-        die("Invalid use of ErrorCode object");
+        SANDBOX_DIE("Invalid use of ErrorCode object");
       }
     }
 
     // If we are wrapping a callback, we must assign a unique id. This id is
     // how the kernel tells us which one of our different SECCOMP_RET_TRAP
     // cases has been triggered.
     // The getTrapId() function assigns one unique id (starting at 1) for
     // each distinct pair of TrapFnc and auxiliary data.
     ErrorCode(TrapFnc fnc, const void *aux, int id = 0) :
       id_(id ? id : getTrapId(fnc, aux)),
@@ skipping 61 matching lines @@
   // constraints for the system call arguments. In the vast majority of
   // cases, it will set a "Constraint" that forces a new "errno" value.
   // But for more complex filters, it is possible to return another mask
   // of SB_INSPECT_ARG_x bits.
   static void setSandboxPolicy(EvaluateSyscall syscallEvaluator,
                                EvaluateArguments argumentEvaluator);
 
   // This is the main public entry point. It finds all system calls that
   // need rewriting, sets up the resources needed by the sandbox, and
   // enters Seccomp mode.
-  static void startSandbox();
+  static void startSandbox() { startSandboxInternal(false); }
 
  protected:
-  // Print an error message and terminate the program. Used for fatal errors.
-  static void die(const char *msg) __attribute__((noreturn)) {
-    if (msg) {
-#ifndef SECCOMP_BPF_STANDALONE
-      if (!dryRun_) {
-        // LOG(FATAL) is not neccessarily async-signal safe. It would be
-        // better to always use the code for the SECCOMP_BPF_STANDALONE case.
-        // But that prevents the logging and reporting infrastructure from
-        // picking up sandbox related crashes.
-        // For now, in picking between two evils, we decided in favor of
-        // LOG(FATAL). In the long run, we probably want to rewrite this code
-        // to be async-signal safe.
-        LOG(FATAL) << msg;
-      } else
-#endif
-      {
-        // If there is no logging infrastructure in place, we just write error
-        // messages to stderr.
-        // We also write to stderr, if we are called in a child process from
-        // supportsSeccompSandbox(). This makes sure we can actually do the
-        // correct logging from the parent process, which is more likely to
-        // have access to logging infrastructure.
-        if (HANDLE_EINTR(write(2, msg, strlen(msg)))) { }
-        if (HANDLE_EINTR(write(2, "\n", 1))) { }
-      }
-    }
-    for (;;) {
-      // exit_group() should exit our program. After all, it is defined as a
-      // function that doesn't return. But things can theoretically go wrong.
-      // Especially, since we are dealing with system call filters. Continuing
-      // execution would be very bad in most cases where die() gets called.
-      // So, if there is no way for us to ask for the program to exit, the next
-      // best thing we can do is to loop indefinitely. Maybe, somebody will
-      // notice and file a bug...
-      syscall(__NR_exit_group, 1);
-      _exit(1);
-    }
-  }
-
   // Get a file descriptor pointing to "/proc", if currently available.
   static int getProcFd() { return proc_fd_; }
 
  private:
   friend class Util;
   friend class Verifier;
   struct Range {
     Range(uint32_t f, uint32_t t, const ErrorCode& e) :
       from(f),
       to(t),
@@ skipping 15 matching lines @@
   typedef std::map<std::pair<TrapFnc, const void *>, int> TrapIds;
 
   static ErrorCode probeEvaluator(int signo) __attribute__((const));
   static void      probeProcess(void);
   static ErrorCode allowAllEvaluator(int signo);
   static void      tryVsyscallProcess(void);
   static bool      kernelSupportSeccompBPF(int proc_fd);
   static bool      RunFunctionInPolicy(void (*function)(),
                                        EvaluateSyscall syscallEvaluator,
                                        int proc_fd);
+  static void      startSandboxInternal(bool quiet);
   static bool      isSingleThreaded(int proc_fd);
   static bool      disableFilesystem();
   static void      policySanityChecks(EvaluateSyscall syscallEvaluator,
                                       EvaluateArguments argumentEvaluator);
-  static void      installFilter();
+  static void      installFilter(bool quiet);
   static void      findRanges(Ranges *ranges);
   static void      emitJumpStatements(Program *program, RetInsns *rets,
                                       Ranges::const_iterator start,
                                       Ranges::const_iterator stop);
   static void      emitReturnStatements(Program *prog, const RetInsns& rets);
   static void      sigSys(int nr, siginfo_t *info, void *void_context);
   static intptr_t  bpfFailure(const struct arch_seccomp_data& data, void *aux);
   static int       getTrapId(TrapFnc fnc, const void *aux);
 
-  static bool          dryRun_;
   static SandboxStatus status_;
   static int           proc_fd_;
   static Evaluators    evaluators_;
   static Traps         *traps_;
   static TrapIds       trapIds_;
   static ErrorCode     *trapArray_;
   static size_t        trapArraySize_;
   DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
 };
 
 }  // namespace
 
 #endif  // SANDBOX_BPF_H__