Add a platform-specific syscall number iterator.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <ostream>
 
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using namespace playground2;
 
 namespace {
 
 const int kExpectedReturnValue = 42;
 #if defined(__arm__)
 const int kArmPublicSysnoCeiling = __NR_SYSCALL_BASE + 1024;

[jln (very slow on Chromium), 2012/10/12 20:26:52]

I believe this can now be removed?

[Jorge Lucangeli Obes, 2012/10/13 01:39:30]

Done.

 #endif
 
 // This test should execute no matter whether we have kernel support. So,
 // we make it a TEST() instead of a BPF_TEST().
 TEST(SandboxBpf, CallSupports) {
   // We check that we don't crash, but it's ok if the kernel doesn't
   // support it.
   bool seccomp_bpf_supported =
       Sandbox::supportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE;
   // We want to log whether or not seccomp BPF is actually supported
   // since actual test coverage depends on it.
   RecordProperty("SeccompBPFSupported",
                  seccomp_bpf_supported ? "true." : "false.");
   std::cout << "Seccomp BPF supported: "
             << (seccomp_bpf_supported ? "true." : "false.")
             << "\n";
 }
 
 SANDBOX_TEST(SandboxBpf, CallSupportsTwice) {
   Sandbox::supportsSeccompSandbox(-1);
   Sandbox::supportsSeccompSandbox(-1);
 }
 
 // A simple blacklist test
 
 ErrorCode BlacklistNanosleepPolicy(int sysno) {
-  if (sysno < static_cast<int>(MIN_SYSCALL) ||
-      sysno > static_cast<int>(MAX_SYSCALL)) {
+  if (!Sandbox::isValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
+
   switch (sysno) {
     case __NR_nanosleep:
       return ErrorCode(EACCES);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   // nanosleep() should be denied
@@ skipping 34 matching lines @@
 static int BlacklistNanosleepPolicySigsysAuxData;
 
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void *aux) {
   // We also check that the auxiliary data is correct
   SANDBOX_ASSERT(aux);
   *(static_cast<int*>(aux)) = kExpectedReturnValue;
   return -ENOMEM;
 }
 
 ErrorCode BlacklistNanosleepPolicySigsys(int sysno) {
-  if (sysno < static_cast<int>(MIN_SYSCALL) ||
-      sysno > static_cast<int>(MAX_SYSCALL)) {
+  if (!Sandbox::isValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
+
   switch (sysno) {
     case __NR_nanosleep:
       return Sandbox::Trap(EnomemHandler,
                  static_cast<void *>(&BlacklistNanosleepPolicySigsysAuxData));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, BasicBlacklistWithSigsys,
@@ skipping 23 matching lines @@
 // sure that the compiler can have an opportunity to coalesce syscalls with
 // contiguous numbers and we also make sure that disjoint sets can return the
 // same errno.
 int SysnoToRandomErrno(int sysno) {
   // Small contiguous sets of 3 system calls return an errno equal to the
   // index of that set + 1 (so that we never return a NUL errno).
   return ((sysno & ~3) >> 2) % 29 + 1;
 }
 
 ErrorCode SyntheticPolicy(int sysno) {
-  if (sysno < static_cast<int>(MIN_SYSCALL) ||
-      sysno > static_cast<int>(MAX_SYSCALL)) {
-    // FIXME: we should really not have to do that in a trivial policy.
+  if (!Sandbox::isValidSyscallNumber(sysno)) {
+    // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
-  // TODO(jorgelo): remove this restriction once crbug.com/141694 is fixed.
+// TODO(jorgelo): remove this once the new code generator lands.
 #if defined(__arm__)
-  if (sysno > kArmPublicSysnoCeiling)
+  if (sysno > static_cast<int>(MAX_PUBLIC_SYSCALL)) {
     return ErrorCode(ENOSYS);
+  }
 #endif
 
   // TODO(markus): allow calls to write(). This should start working as soon
   //   as we switch to the new code generator. Currently we are blowing up,
   //   because our jumptable is getting too big.
   if (sysno == __NR_exit_group /* || sysno == __NR_write */) {
     // exit_group() is special, we really need it to work.
     // write() is needed for BPF_ASSERT() to report a useful error message.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   } else {
     return ErrorCode(SysnoToRandomErrno(sysno));
   }
 }
 
 BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) {
   // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int
   // overflow.
   BPF_ASSERT(
    std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >=
-   static_cast<int>(MAX_SYSCALL));
-
-  // TODO(jorgelo): remove this limit once crbug.com/141694 is fixed.
-#if defined(__arm__)
-  const int sysno_ceiling = kArmPublicSysnoCeiling;
-#else
-  const int sysno_ceiling = static_cast<int>(MAX_SYSCALL);
-#endif
+   static_cast<int>(MAX_PUBLIC_SYSCALL));
 
   for (int syscall_number =  static_cast<int>(MIN_SYSCALL);
-           syscall_number <= sysno_ceiling;
+           syscall_number <= static_cast<int>(MAX_PUBLIC_SYSCALL);
          ++syscall_number) {
     if (syscall_number == __NR_exit_group ||
         syscall_number == __NR_write) {
       // exit_group() is special
       continue;
     }
     errno = 0;
     BPF_ASSERT(syscall(syscall_number) == -1);
     BPF_ASSERT(errno == SysnoToRandomErrno(syscall_number));
   }
 }
 
+#if defined(__arm__)
+// A simple policy that tests whether ARM private system calls are supported
+// by our BPF compiler and by the BPF interpreter in the kernel.
+
+// For ARM private system calls, return an errno equal to their offset from
+// __ARM_NR_BASE plus 1 (to avoid NUL errno).

[jln (very slow on Chromium), 2012/10/12 20:26:52]

You mean offset from MIN_PRIVATE_SYSCALL, no ?

[Jorge Lucangeli Obes, 2012/10/13 01:39:30]

It's the same thing:
#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)

But I agree it's confusing.

Done.

+int ArmPrivateSysnoToErrno(int sysno) {
+  if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
+      sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
+    return (sysno - MIN_PRIVATE_SYSCALL) + 1;
+  } else {
+    return ENOSYS;
+  }
+}
+
+ErrorCode ArmPrivatePolicy(int sysno) {

[jln (very slow on Chromium), 2012/10/12 20:26:52]

I'm a bit worried that this wouldn't be a viable policy. Does it work if you
blow it up on purpose ?

On error, BPF_ASSERT etc could end-up needing something such as set_tls or
cacheflush().

Perhaps you could start doing that after the last known private syscall only
(for which we don't have a good symbolic name, but since this is a test,
NR_set_tls + 1 wouldn't be horrifying) ?

You could even try calling cacheflush(), it should never do any harm.

[Jorge Lucangeli Obes, 2012/10/13 01:39:30]

Done.

+  if (!Sandbox::isValidSyscallNumber(sysno)) {
+    // FIXME: we should really not have to do that in a trivial policy.
+    return ErrorCode(ENOSYS);
+  }
+
+  if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
+      sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
+    return ErrorCode(ArmPrivateSysnoToErrno(sysno));
+  } else {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+}
+
+BPF_TEST(SandboxBpf, ArmPrivatePolicy, ArmPrivatePolicy) {
+  for (int syscall_number =  static_cast<int>(MIN_PRIVATE_SYSCALL);
+           syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
+         ++syscall_number) {
+    errno = 0;
+    BPF_ASSERT(syscall(syscall_number) == -1);
+    BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number));
+  }
+}
+#endif  // defined(__arm__)
+
 } // namespace