Simplified unit testing of sandboxing code.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <time.h>
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
 // The kernel gives us a sandbox, we turn it into a playground :-)
@@ skipping 42 matching lines @@
 }
 
 bool Sandbox::RunFunctionInPolicy(void (*CodeInSandbox)(),
                                   EvaluateSyscall syscallEvaluator,
                                   int proc_fd) {
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
   sigset_t oldMask, newMask;
   if (sigfillset(&newMask) ||
       sigprocmask(SIG_BLOCK, &newMask, &oldMask)) {
-    die("sigprocmask() failed");
+    SANDBOX_DIE("sigprocmask() failed");
   }
   int fds[2];
   if (pipe2(fds, O_NONBLOCK|O_CLOEXEC)) {
-    die("pipe() failed");
+    SANDBOX_DIE("pipe() failed");
   }
 
   pid_t pid = fork();
   if (pid < 0) {
     // Die if we cannot fork(). We would probably fail a little later
     // anyway, as the machine is likely very close to running out of
     // memory.
     // But what we don't want to do is return "false", as a crafty
     // attacker might cause fork() to fail at will and could trick us
     // into running without a sandbox.
     sigprocmask(SIG_SETMASK, &oldMask, NULL);  // OK, if it fails
-    die("fork() failed unexpectedly");
+    SANDBOX_DIE("fork() failed unexpectedly");
   }
 
   // In the child process
   if (!pid) {
     // Test a very simple sandbox policy to verify that we can
     // successfully turn on sandboxing.
-    dryRun_ = true;
+    Die::EnableSimpleExit();
     if (HANDLE_EINTR(close(fds[0])) ||
         dup2(fds[1], 2) != 2 ||
         HANDLE_EINTR(close(fds[1]))) {
       static const char msg[] = "Failed to set up stderr\n";
       if (HANDLE_EINTR(write(fds[1], msg, sizeof(msg)-1))) { }
     } else {
       evaluators_.clear();
       setSandboxPolicy(syscallEvaluator, NULL);
       setProcFd(proc_fd);
       startSandbox();
       // Run our code in the sandbox
       CodeInSandbox();
     }
-    die(NULL);
+    SANDBOX_DIE(NULL);
   }
 
   // In the parent process.
   if (HANDLE_EINTR(close(fds[1]))) {
-    die("close() failed");
+    SANDBOX_DIE("close() failed");
   }
   if (sigprocmask(SIG_SETMASK, &oldMask, NULL)) {
-    die("sigprocmask() failed");
+    SANDBOX_DIE("sigprocmask() failed");
   }
   int status;
   if (HANDLE_EINTR(waitpid(pid, &status, 0)) != pid) {
-    die("waitpid() failed unexpectedly");
+    SANDBOX_DIE("waitpid() failed unexpectedly");
   }
   bool rc = WIFEXITED(status) && WEXITSTATUS(status) == 100;
 
   // If we fail to support sandboxing, there might be an additional
   // error message. If so, this was an entirely unexpected and fatal
   // failure. We should report the failure and somebody most fix
   // things. This is probably a security-critical bug in the sandboxing
   // code.
   if (!rc) {
     char buf[4096];
     ssize_t len = HANDLE_EINTR(read(fds[0], buf, sizeof(buf) - 1));
     if (len > 0) {
       while (len > 1 && buf[len-1] == '\n') {
         --len;
       }
       buf[len] = '\000';
-      die(buf);
+      SANDBOX_DIE(buf);
     }
   }
   if (HANDLE_EINTR(close(fds[0]))) {
-    die("close() failed");
+    SANDBOX_DIE("close() failed");
   }
 
   return rc;
 
 }
 
 bool Sandbox::kernelSupportSeccompBPF(int proc_fd) {
   return RunFunctionInPolicy(probeProcess, Sandbox::probeEvaluator, proc_fd) &&
          RunFunctionInPolicy(tryVsyscallProcess, Sandbox::allowAllEvaluator,
                              proc_fd);
@@ skipping 42 matching lines @@
       status_ = STATUS_UNAVAILABLE;
     }
   }
   return status_;
 }
 
 void Sandbox::setProcFd(int proc_fd) {
   proc_fd_ = proc_fd;
 }
 
-void Sandbox::startSandbox() {
+void Sandbox::startSandboxInternal(bool quiet) {
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
-    die("Trying to start sandbox, even though it is known to be unavailable");
+    SANDBOX_DIE("Trying to start sandbox, even though it is known to be "
+                "unavailable");
   } else if (status_ == STATUS_ENABLED) {
-    die("Cannot start sandbox recursively. Use multiple calls to "
-        "setSandboxPolicy() to stack policies instead");
+    SANDBOX_DIE("Cannot start sandbox recursively. Use multiple calls to "
+                "setSandboxPolicy() to stack policies instead");
   }
   if (proc_fd_ < 0) {
     proc_fd_ = open("/proc", O_RDONLY|O_DIRECTORY);
   }
   if (proc_fd_ < 0) {
     // For now, continue in degraded mode, if we can't access /proc.
     // In the future, we might want to tighten this requirement.
   }
   if (!isSingleThreaded(proc_fd_)) {
-    die("Cannot start sandbox, if process is already multi-threaded");
+    SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
   }
 
   // We no longer need access to any files in /proc. We want to do this
   // before installing the filters, just in case that our policy denies
   // close().
   if (proc_fd_ >= 0) {
     if (HANDLE_EINTR(close(proc_fd_))) {
-      die("Failed to close file descriptor for /proc");
+      SANDBOX_DIE("Failed to close file descriptor for /proc");
     }
     proc_fd_ = -1;
   }
 
   // Install the filters.
-  installFilter();
+  installFilter(quiet);
 
   // We are now inside the sandbox.
   status_ = STATUS_ENABLED;
 }
 
 bool Sandbox::isSingleThreaded(int proc_fd) {
   if (proc_fd < 0) {
     // Cannot determine whether program is single-threaded. Hope for
     // the best...
     return true;
@@ skipping 19 matching lines @@
           code <= (SECCOMP_RET_ERRNO + 4095));
 }
 
 void Sandbox::policySanityChecks(EvaluateSyscall syscallEvaluator,
                                  EvaluateArguments) {
   // Do some sanity checks on the policy. This will warn users if they do
   // things that are likely unsafe and unintended.
   // We also have similar checks later, when we actually compile the BPF
   // program. That catches problems with incorrectly stacked evaluators.
   if (!isDenied(syscallEvaluator(-1))) {
-    die("Negative system calls should always be disallowed by policy");
+    SANDBOX_DIE("Negative system calls should always be disallowed by policy");
   }
 #ifndef NDEBUG
 #if defined(__i386__) || defined(__x86_64__)
 #if defined(__x86_64__) && defined(__ILP32__)
   for (unsigned int sysnum = MIN_SYSCALL & ~0x40000000u;
        sysnum <= (MAX_SYSCALL & ~0x40000000u);
        ++sysnum) {
     if (!isDenied(syscallEvaluator(sysnum))) {
-      die("In x32 mode, you should not allow any non-x32 system calls");
+      SANDBOX_DIE("In x32 mode, you should not allow any non-x32 system calls");
     }
   }
 #else
   for (unsigned int sysnum = MIN_SYSCALL | 0x40000000u;
        sysnum <= (MAX_SYSCALL | 0x40000000u);
        ++sysnum) {
     if (!isDenied(syscallEvaluator(sysnum))) {
-      die("x32 system calls should be explicitly disallowed");
+      SANDBOX_DIE("x32 system calls should be explicitly disallowed");
     }
   }
 #endif
 #endif
 #endif
   // Check interesting boundary values just outside of the valid system call
   // range: 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF, MIN_SYSCALL-1, MAX_SYSCALL+1.
   // They all should be denied.
   if (!isDenied(syscallEvaluator(std::numeric_limits<int>::max())) ||
       !isDenied(syscallEvaluator(std::numeric_limits<int>::min())) ||
       !isDenied(syscallEvaluator(-1)) ||
       !isDenied(syscallEvaluator(static_cast<int>(MIN_SYSCALL) - 1)) ||
       !isDenied(syscallEvaluator(static_cast<int>(MAX_SYSCALL) + 1))) {
-    die("Even for default-allow policies, you must never allow system calls "
-        "outside of the standard system call range");
+    SANDBOX_DIE("Even for default-allow policies, you must never allow system "
+                "calls outside of the standard system call range");
   }
   return;
 }
 
 void Sandbox::setSandboxPolicy(EvaluateSyscall syscallEvaluator,
                                EvaluateArguments argumentEvaluator) {
   if (status_ == STATUS_ENABLED) {
-    die("Cannot change policy after sandbox has started");
+    SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   policySanityChecks(syscallEvaluator, argumentEvaluator);
   evaluators_.push_back(std::make_pair(syscallEvaluator, argumentEvaluator));
 }
 
-void Sandbox::installFilter() {
+void Sandbox::installFilter(bool quiet) {
   // Verify that the user pushed a policy.
   if (evaluators_.empty()) {
   filter_failed:
-    die("Failed to configure system call filters");
+    SANDBOX_DIE("Failed to configure system call filters");
   }
 
   // Set new SIGSYS handler
   struct sigaction sa;
   memset(&sa, 0, sizeof(sa));
   sa.sa_sigaction = &sigSys;
   sa.sa_flags = SA_SIGINFO;
   if (sigaction(SIGSYS, &sa, NULL) < 0) {
     goto filter_failed;
   }
 
   // Unmask SIGSYS
   sigset_t mask;
   if (sigemptyset(&mask) ||
       sigaddset(&mask, SIGSYS) ||
       sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
     goto filter_failed;
   }
 
   // We can't handle stacked evaluators, yet. We'll get there eventually
   // though. Hang tight.
   if (evaluators_.size() != 1) {
-    die("Not implemented");
+    SANDBOX_DIE("Not implemented");
   }
 
   // Assemble the BPF filter program.
   Program *program = new Program();
   if (!program) {
-    die("Out of memory");
+    SANDBOX_DIE("Out of memory");
   }
 
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   program->push_back((struct sock_filter)
     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct arch_seccomp_data, arch)));
   program->push_back((struct sock_filter)
     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0));
 
   program->push_back((struct sock_filter)
@@ skipping 34 matching lines @@
     emitJumpStatements(program, &rets, ranges.begin(), ranges.end());
     emitReturnStatements(program, rets);
   }
 
   // Make sure compilation resulted in BPF program that executes
   // correctly. Otherwise, there is an internal error in our BPF compiler.
   // There is really nothing the caller can do until the bug is fixed.
 #ifndef NDEBUG
   const char *err = NULL;
   if (!Verifier::verifyBPF(*program, evaluators_, &err)) {
-    die(err);
+    SANDBOX_DIE(err);
   }
 #endif
 
   // We want to be very careful in not imposing any requirements on the
   // policies that are set with setSandboxPolicy(). This means, as soon as
   // the sandbox is active, we shouldn't be relying on libraries that could
   // be making system calls. This, for example, means we should avoid
   // using the heap and we should avoid using STL functions.
   // Temporarily copy the contents of the "program" vector into a
   // stack-allocated array; and then explicitly destroy that object.
   // This makes sure we don't ex- or implicitly call new/delete after we
   // installed the BPF filter program in the kernel. Depending on the
   // system memory allocator that is in effect, these operators can result
   // in system calls to things like munmap() or brk().
   struct sock_filter bpf[program->size()];
   const struct sock_fprog prog = {
     static_cast<unsigned short>(program->size()), bpf };
   memcpy(bpf, &(*program)[0], sizeof(bpf));
   delete program;
 
   // Release memory that is no longer needed
   evaluators_.clear();
 
   // Install BPF filter program
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-    die(dryRun_ ? NULL : "Kernel refuses to enable no-new-privs");
+    SANDBOX_DIE(quiet
+                ? NULL : "Kernel refuses to enable no-new-privs");
   } else {
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-      die(dryRun_ ? NULL : "Kernel refuses to turn on BPF filters");
+      SANDBOX_DIE(quiet
+                  ? NULL : "Kernel refuses to turn on BPF filters");
     }
   }
 
   return;
 }
 
 void Sandbox::findRanges(Ranges *ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
@@ skipping 17 matching lines @@
   // "oldErr" should at this point be the "default" policy for all system  call
   // numbers that don't have an explicit handler in the system call evaluator.
   // But as we are quite paranoid, we perform some more sanity checks to verify
   // that there actually is a consistent "default" policy in the first place.
   // We don't actually iterate over all possible 2^32 values, though. We just
   // perform spot checks at the boundaries.
   // The cases that we test are:  0x7FFFFFFF, 0x80000000, 0xFFFFFFFF.
   if (oldErr != evaluateSyscall(std::numeric_limits<int>::max()) ||
       oldErr != evaluateSyscall(std::numeric_limits<int>::min()) ||
       oldErr != evaluateSyscall(-1)) {
-    die("Invalid seccomp policy");
+    SANDBOX_DIE("Invalid seccomp policy");
   }
   ranges->push_back(
     Range(oldSysnum, std::numeric_limits<unsigned>::max(), oldErr));
 }
 
 void Sandbox::emitJumpStatements(Program *program, RetInsns *rets,
                                  Ranges::const_iterator start,
                                  Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least two distinct ranges for us
   // to be able to build a jump table.
   if (stop - start <= 1) {
-    die("Invalid set of system call ranges");
+    SANDBOX_DIE("Invalid set of system call ranges");
   }
 
   // Pick the range object that is located at the mid point of our list.
   // We compare our system call number against the lowest valid system call
   // number in this range object. If our number is lower, it is outside of
   // this range object. If it is greater or equal, it might be inside.
   Ranges::const_iterator mid = start + (stop - start)/2;
   Program::size_type jmp = program->size();
   if (jmp >= SECCOMP_MAX_PROGRAM_SIZE) {
   compiler_err:
-    die("Internal compiler error; failed to compile jump table");
+    SANDBOX_DIE("Internal compiler error; failed to compile jump table");
   }
   program->push_back((struct sock_filter)
     BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, mid->from,
              // Jump targets are place-holders that will be fixed up later.
              0, 0));
 
   // The comparison turned out to be false; i.e. our system call number is
   // less than the range object at the mid point of the list.
   if (mid - start == 1) {
     // If we have narrowed things down to a single range object, we can
@@ skipping 33 matching lines @@
 }
 
 void Sandbox::emitReturnStatements(Program *program, const RetInsns& rets) {
   // Iterate over the list of distinct exit codes from our BPF filter
   // program and emit the BPF_RET statements.
   for (RetInsns::const_iterator ret_iter = rets.begin();
        ret_iter != rets.end();
        ++ret_iter) {
     Program::size_type ip = program->size();
     if (ip >= SECCOMP_MAX_PROGRAM_SIZE) {
-      die("Internal compiler error; failed to compile jump table");
+      SANDBOX_DIE("Internal compiler error; failed to compile jump table");
     }
     program->push_back((struct sock_filter)
       BPF_STMT(BPF_RET+BPF_K, ret_iter->first));
 
     // Iterate over the instruction pointers for the BPF_JMP instructions
     // that need to be patched up.
     for (std::vector<FixUp>::const_iterator insn_iter=ret_iter->second.begin();
          insn_iter != ret_iter->second.end();
          ++insn_iter) {
       // Jumps are always relative and they are always forward.
       int distance = ip - insn_iter->addr - 1;
       if (distance < 0 || distance > 255) {
-        die("Internal compiler error; failed to compile jump table");
+        SANDBOX_DIE("Internal compiler error; failed to compile jump table");
       }
 
       // Decide whether we need to patch up the "true" or the "false" jump
       // target.
       if (insn_iter->jt) {
         (*program)[insn_iter->addr].jt = distance;
       } else {
         (*program)[insn_iter->addr].jf = distance;
       }
     }
   }
 }
 
 void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) {
   // Various sanity checks to make sure we actually received a signal
   // triggered by a BPF filter. If something else triggered SIGSYS
   // (e.g. kill()), there is really nothing we can do with this signal.
   if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context ||
       info->si_errno <= 0 ||
       static_cast<size_t>(info->si_errno) > trapArraySize_) {
-    // die() can call LOG(FATAL). This is not normally async-signal safe
+    // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal safe
     // and can lead to bugs. We should eventually implement a different
     // logging and reporting mechanism that is safe to be called from
     // the sigSys() handler.
     // TODO: If we feel confident that our code otherwise works correctly, we
     //       could actually make an argument that spurious SIGSYS should
     //       just get silently ignored. TBD
   sigsys_err:
-    die("Unexpected SIGSYS received");
+    SANDBOX_DIE("Unexpected SIGSYS received");
   }
 
   // Signal handlers should always preserve "errno". Otherwise, we could
   // trigger really subtle bugs.
   int old_errno   = errno;
 
   // Obtain the signal context. This, most notably, gives us access to
   // all CPU registers at the time of the signal.
   ucontext_t *ctx = reinterpret_cast<ucontext_t *>(void_context);
 
@@ skipping 35 matching lines @@
   // Update the CPU register that stores the return code of the system call
   // that we just handled, and restore "errno" to the value that it had
   // before entering the signal handler.
   SECCOMP_RESULT(ctx) = static_cast<greg_t>(rc);
   errno               = old_errno;
 
   return;
 }
 
 intptr_t Sandbox::bpfFailure(const struct arch_seccomp_data&, void *aux) {
-  die(static_cast<char *>(aux));
+  SANDBOX_DIE(static_cast<char *>(aux));
 }
 
 int Sandbox::getTrapId(Sandbox::TrapFnc fnc, const void *aux) {
   // Each unique pair of TrapFnc and auxiliary data make up a distinct instance
   // of a SECCOMP_RET_TRAP.
   std::pair<TrapFnc, const void *> key(fnc, aux);
   TrapIds::const_iterator iter = trapIds_.find(key);
   if (iter != trapIds_.end()) {
     // We have seen this pair before. Return the same id that we assigned
     // earlier.
     return iter->second;
   } else {
     // This is a new pair. Remember it and assign a new id.
     // Please note that we have to store traps in memory that doesn't get
     // deallocated when the program is shutting down. A memory leak is
     // intentional, because we might otherwise not be able to execute
     // system calls part way through the program shutting down
     if (!traps_) {
       traps_ = new Traps();
     }
     Traps::size_type id = traps_->size() + 1;
     if (id > SECCOMP_RET_DATA) {
       // In practice, this is pretty much impossible to trigger, as there
       // are other kernel limitations that restrict overall BPF program sizes.
-      die("Too many SECCOMP_RET_TRAP callback instances");
+      SANDBOX_DIE("Too many SECCOMP_RET_TRAP callback instances");
     }
 
     traps_->push_back(ErrorCode(fnc, aux, id));
     trapIds_[key] = id;
 
     // We want to access the traps_ vector from our signal handler. But
     // we are not assured that doing so is async-signal safe. On the other
     // hand, C++ guarantees that the contents of a vector is stored in a
     // contiguous C-style array.
     // So, we look up the address and size of this array outside of the
     // signal handler, where we can safely do so.
     trapArray_     = &(*traps_)[0];
     trapArraySize_ = id;
     return id;
   }
 }
 
-bool Sandbox::dryRun_                   = false;
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
 int    Sandbox::proc_fd_                = -1;
 Sandbox::Evaluators Sandbox::evaluators_;
 Sandbox::Traps *Sandbox::traps_         = NULL;
 Sandbox::TrapIds Sandbox::trapIds_;
 Sandbox::ErrorCode *Sandbox::trapArray_ = NULL;
 size_t Sandbox::trapArraySize_          = 0;
 
 }  // namespace