Added support for greylisting of system calls.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <ostream>
 
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
+#include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using namespace playground2;
 
 namespace {
 
 const int kExpectedReturnValue = 42;
 
 // This test should execute no matter whether we have kernel support. So,
@@ skipping 239 matching lines @@
   for (int syscall_number =  static_cast<int>(__ARM_NR_set_tls + 1);
            syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
          ++syscall_number) {
     errno = 0;
     BPF_ASSERT(syscall(syscall_number) == -1);
     BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number));
   }
 }
 #endif  // defined(__arm__)
 
+intptr_t CountSyscalls(const struct arch_seccomp_data& args, void *aux) {
+  // Count all invocations of our callback function.
+  ++*reinterpret_cast<int *>(aux);
+
+  // Verify that within the callback function all filtering is temporarily
+  // disabled.
+  BPF_ASSERT(syscall(__NR_getpid) > 1);
+
+  // Verify that we can now call the underlying system call without causing
+  // infinite recursion.
+  return (intptr_t)(syscall(args.nr, args.args[0], args.args[1],
+                                     args.args[2], args.args[3],
+                                     args.args[4], args.args[5]));
+}
+
+ErrorCode GreyListedPolicy(int sysno, void *aux) {
+  // The use of UnsafeTrap() causes us to print a warning message. This is
+  // generally desirable, but it results in the unittest failing, as it doesn't
+  // expect any messages on "stderr". So, temporarily disable messages. The
+  // BPF_TEST() is guaranteed to turn messages back on, after the policy
+  // function has completed.
+  Die::SuppressInfoMessages(true);
+
+  // Some system calls must always be allowed, if our policy wants to make
+  // use of UnsafeTrap()
+  if (sysno == __NR_rt_sigprocmask ||
+      sysno == __NR_rt_sigreturn
+#if defined(__NR_sigprocmask)
+   || sysno == __NR_sigprocmask
+#endif
+#if defined(__NR_sigreturn)
+   || sysno == __NR_sigreturn
+#endif
+      ) {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  } else if (sysno == __NR_getpid) {
+    // Disallow getpid()
+    return ErrorCode(EPERM);
+  } else if (Sandbox::isValidSyscallNumber(sysno)) {
+    // Allow (and count) all other system calls.
+      return Sandbox::UnsafeTrap(CountSyscalls, aux);
+  } else {
+    return ErrorCode(ENOSYS);
+  }
+}
+
+BPF_TEST(SandboxBpf, GreyListedPolicy,
+         GreyListedPolicy, int /* BPF_AUX */) {
+  BPF_ASSERT(syscall(__NR_getpid) == -1);
+  BPF_ASSERT(errno == EPERM);
+  BPF_ASSERT(BPF_AUX == 0);
+  BPF_ASSERT(syscall(__NR_geteuid) == syscall(__NR_getuid));
+  BPF_ASSERT(BPF_AUX == 2);
+}
+
+intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void *) {
+  return (intptr_t)(syscall(args.nr,
+                            (void *)args.args[0], (void *)args.args[1],
+                            (void *)args.args[2], (void *)args.args[3],
+                            (void *)args.args[4], (void *)args.args[5]));
+}
+
+ErrorCode RedirectAllSyscallsPolicy(int sysno, void *aux) {
+  Die::SuppressInfoMessages(true);
+
+  // Some system calls must always be allowed, if our policy wants to make
+  // use of UnsafeTrap()
+  if (sysno == __NR_rt_sigprocmask ||
+      sysno == __NR_rt_sigreturn
+#if defined(__NR_sigprocmask)
+   || sysno == __NR_sigprocmask
+#endif
+#if defined(__NR_sigreturn)
+   || sysno == __NR_sigreturn
+#endif
+      ) {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  } else if (Sandbox::isValidSyscallNumber(sysno)) {
+    return Sandbox::UnsafeTrap(AllowRedirectedSyscall, aux);
+  } else {
+    return ErrorCode(ENOSYS);
+  }
+}
+
+int bus_handler_fd_ = -1;
+
+void SigBusHandler(int, siginfo_t *info, void *void_context) {
+  BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
+}
+

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Could you add a small explaination, saying that SIGBUS is used as a hack in the
implementation ?

+BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) {
+  int fds[2];
+  BPF_ASSERT(pipe(fds) == 0);
+  bus_handler_fd_ = fds[1];
+  struct sigaction sa = { };
+  sa.sa_sigaction = SigBusHandler;
+  sa.sa_flags = SA_SIGINFO;
+  BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0);
+  raise(SIGBUS);
+  char c = '\000';
+  BPF_ASSERT(read(fds[0], &c, 1) == 1);
+  BPF_ASSERT(close(fds[0]) == 0);
+  BPF_ASSERT(close(fds[1]) == 0);
+  BPF_ASSERT(c == 0x55);
+}
+

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Same thing, please add a small note about what this is testing.

+BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) {
+  sigset_t mask0, mask1, mask2;
+  sigemptyset(&mask0);

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Please add comments, to make this faster to read.

+  BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1));
+  BPF_ASSERT(!sigismember(&mask1, SIGUSR1));
+  sigaddset(&mask0, SIGUSR1);
+  BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL));
+  BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask2));
+  BPF_ASSERT( sigismember(&mask2, SIGUSR1));
+}
+
 } // namespace