Simplified unit testing of sandboxing code.

sandbox/linux/seccomp-bpf/die.cc

Index: sandbox/linux/seccomp-bpf/die.cc
diff --git a/sandbox/linux/seccomp-bpf/die.cc b/sandbox/linux/seccomp-bpf/die.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2d4b1d933583f8ad1647d8f3bb97906a572b1c73
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf/die.cc
@@ -0,0 +1,50 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+
+namespace playground2 {
+
+void Die::ExitGroup() {
+  // exit_group() should exit our program. After all, it is defined as a
+  // function that doesn't return. But things can theoretically go wrong.
+  // Especially, since we are dealing with system call filters. Continuing
+  // execution would be very bad in most cases where ExitGroup() gets called.
+  // So, we'll try a few other strategies too.
+  syscall(__NR_exit_group, 1);
+
+  // We have no idea what our run-time environment looks like. So, signal
+  // handlers might or might not do the right thing. Try to reset settings
+  // to a defined state; but we have not way to verify whether we actually
+  // succeeded in doing so. Nonetheless, triggering a fatal signal could help
+  // us terminate.
+  signal(SIGSEGV, SIG_DFL);

[jln (very slow on Chromium), 2012/08/23 22:53:09]

I think I would get rid of this complexity: realistically if we can't
exit_group, something is seriously wrong. I would just try to crash and then
spin.

+  syscall(__NR_prctl, PR_SET_DUMPABLE, (void *)0, (void *)0, (void *)0);
+  if (*(volatile char *)0) { }
+
+  // If there is no way for us to ask for the program to exit, the next
+  // best thing we can do is to loop indefinitely. Maybe, somebody will notice
+  // and file a bug...
+  // We in fact retry the system call inside of our loop so that it will
+  // stand out when somebody tries to diagnose the problem by using "strace".
+  for (;;) {
+    syscall(__NR_exit_group, 1);

[jln (very slow on Chromium), 2012/08/23 22:53:09]

I'm a bit worried this would really *flood* logs. For instance on Ubuntu, if
exit_group is set to return an errno, this would flood the audit logs by
default.

+  }
+}
+
+void Die::LogToStderr(const char *msg, const char *file, int line) {
+  if (msg) {
+    char buf[40];
+    sprintf(buf, "%d", line);

[jln (very slow on Chromium), 2012/08/23 22:53:09]

snprintf, please.

+    std::string s = std::string(file) + ":" + buf + ":" + msg + "\n";
+    if (HANDLE_EINTR(write(2, s.c_str(), s.length()))) { }

[jln (very slow on Chromium), 2012/08/23 22:53:09]

Depending on what stderr actually is, we may need a loop here since write could
return early. Is it overkill ? At least document it.

+  }
+}
+
+bool Die::simple_exit_ = false;
+
+}  // namespace