| Index: sandbox/linux/seccomp-bpf/bpf_tests.h
|
| diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h
|
| index 8da25f99a5f8b9f0617b51d9f7043d803465b02d..3ac631ca4bec8ba485b32e58315aaebe280d25bb 100644
|
| --- a/sandbox/linux/seccomp-bpf/bpf_tests.h
|
| +++ b/sandbox/linux/seccomp-bpf/bpf_tests.h
|
| @@ -11,6 +11,19 @@
|
|
|
| namespace sandbox {
|
|
|
| +// A BPF_DEATH_TEST is just the same as a BPF_TEST, but it assumes that the
|
| +// test will fail with a particular known error condition. Use the DEATH_XXX()
|
| +// macros from unit_tests.h to specify the expected error condition.
|
| +#define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \
|
| + void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX); \
|
| + TEST(test_case_name, test_name) { \
|
| + sandbox::BpfTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \
|
| + sandbox::BpfTests<aux>::RunTestInProcess( \
|
| + sandbox::BpfTests<aux>::TestWrapper, &arg, \
|
| + death); \
|
| + } \
|
| + void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX)
|
| +
|
| // BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op,
|
| // if the host does not have kernel support for running BPF filters.
|
| // Also, it takes advantage of the Die class to avoid calling LOG(FATAL), from
|
| @@ -22,13 +35,8 @@ namespace sandbox {
|
| // would typically use it as an argument to Sandbox::Trap(), if they want to
|
| // communicate data between the BPF_TEST() and a Trap() function.
|
| #define BPF_TEST(test_case_name, test_name, policy, aux...) \
|
| - void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX); \
|
| - TEST(test_case_name, test_name) { \
|
| - sandbox::BpfTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \
|
| - sandbox::BpfTests<aux>::RunTestInProcess( \
|
| - sandbox::BpfTests<aux>::TestWrapper, &arg);\
|
| - } \
|
| - void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX)
|
| + BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux)
|
| +
|
|
|
| // Assertions are handled exactly the same as with a normal SANDBOX_TEST()
|
| #define BPF_ASSERT SANDBOX_ASSERT
|
| @@ -64,24 +72,25 @@ class BpfTests : public UnitTests {
|
| static void TestWrapper(void *void_arg) {
|
| TestArgs *arg = reinterpret_cast<TestArgs *>(void_arg);
|
| playground2::Die::EnableSimpleExit();
|
| - if (playground2::Sandbox::supportsSeccompSandbox(-1) ==
|
| + if (playground2::Sandbox::SupportsSeccompSandbox(-1) ==
|
| playground2::Sandbox::STATUS_AVAILABLE) {
|
| // Ensure the the sandbox is actually available at this time
|
| int proc_fd;
|
| BPF_ASSERT((proc_fd = open("/proc", O_RDONLY|O_DIRECTORY)) >= 0);
|
| - BPF_ASSERT(playground2::Sandbox::supportsSeccompSandbox(proc_fd) ==
|
| + BPF_ASSERT(playground2::Sandbox::SupportsSeccompSandbox(proc_fd) ==
|
| playground2::Sandbox::STATUS_AVAILABLE);
|
|
|
| // Initialize and then start the sandbox with our custom policy
|
| - playground2::Sandbox::setProcFd(proc_fd);
|
| - playground2::Sandbox::setSandboxPolicy(arg->policy(), &arg->aux_);
|
| - playground2::Sandbox::startSandbox();
|
| + playground2::Sandbox::set_proc_fd(proc_fd);
|
| + playground2::Sandbox::SetSandboxPolicy(arg->policy(), &arg->aux_);
|
| + playground2::Sandbox::StartSandbox();
|
|
|
| arg->test()(arg->aux_);
|
| } else {
|
| // TODO(markus): (crbug.com/141545) Call the compiler and verify the
|
| // policy. That's the least we can do, if we don't have kernel support.
|
| - playground2::Sandbox::setSandboxPolicy(arg->policy(), NULL);
|
| + playground2::Sandbox::SetSandboxPolicy(arg->policy(), NULL);
|
| + sandbox::UnitTests::IgnoreThisTest();
|
| }
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 11411254:
SECCOMP-BPF: Added supported for inspection system call arguments from BPF filters. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src