1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <sys/syscall.h> | 5 #include <sys/syscall.h> |
6 #include <sys/utsname.h> | 6 #include <sys/utsname.h> |
7 | 7 |
8 #include <ostream> | 8 #include <ostream> |
9 | 9 |
10 #include "base/memory/scoped_ptr.h" | 10 #include "base/memory/scoped_ptr.h" |
444 BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { | 444 BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { |
445 // Signal masks are potentially tricky to handle. For instance, if we | 445 // Signal masks are potentially tricky to handle. For instance, if we |
446 // ever tried to update them from inside a Trap() or UnsafeTrap() handler, | 446 // ever tried to update them from inside a Trap() or UnsafeTrap() handler, |
447 // the call to sigreturn() at the end of the signal handler would undo | 447 // the call to sigreturn() at the end of the signal handler would undo |
448 // all of our efforts. So, it makes sense to test that sigprocmask() | 448 // all of our efforts. So, it makes sense to test that sigprocmask() |
449 // works, even if we have a policy in place that makes use of UnsafeTrap(). | 449 // works, even if we have a policy in place that makes use of UnsafeTrap(). |
450 // In practice, this works because we force sigprocmask() to be handled | 450 // In practice, this works because we force sigprocmask() to be handled |
451 // entirely in the kernel. | 451 // entirely in the kernel. |
452 sigset_t mask0, mask1, mask2; | 452 sigset_t mask0, mask1, mask2; |
453 | 453 |
454 // Call sigprocmask() to verify that SIGUSR1 wasn't blocked, if we didn't | 454 // Call sigprocmask() to verify that SIGUSR2 wasn't blocked, if we didn't |
455 // change the mask (it shouldn't have been, as it isn't blocked by default | 455 // change the mask (it shouldn't have been, as it isn't blocked by default |
456 // in POSIX). | 456 // in POSIX). |
| 457 // |
| 458 // Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose. |
457 sigemptyset(&mask0); | 459 sigemptyset(&mask0); |
458 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1)); | 460 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1)); |
459 BPF_ASSERT(!sigismember(&mask1, SIGUSR1)); | 461 BPF_ASSERT(!sigismember(&mask1, SIGUSR2)); |
460 | 462 |
461 // Try again, and this time we verify that we can block it. This | 463 // Try again, and this time we verify that we can block it. This |
462 // requires a second call to sigprocmask(). | 464 // requires a second call to sigprocmask(). |
463 sigaddset(&mask0, SIGUSR1); | 465 sigaddset(&mask0, SIGUSR2); |
464 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL)); | 466 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL)); |
465 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2)); | 467 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2)); |
466 BPF_ASSERT( sigismember(&mask2, SIGUSR1)); | 468 BPF_ASSERT( sigismember(&mask2, SIGUSR2)); |
467 } | 469 } |
468 | 470 |
469 BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { | 471 BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { |
470 // An UnsafeTrap() (or for that matter, a Trap()) has to report error | 472 // An UnsafeTrap() (or for that matter, a Trap()) has to report error |
471 // conditions by returning an exit code in the range -1..-4096. This | 473 // conditions by returning an exit code in the range -1..-4096. This |
472 // should happen automatically if using ForwardSyscall(). If the TrapFnc() | 474 // should happen automatically if using ForwardSyscall(). If the TrapFnc() |
473 // uses some other method to make system calls, then it is responsible | 475 // uses some other method to make system calls, then it is responsible |
474 // for computing the correct return code. | 476 // for computing the correct return code. |
475 // This test verifies that ForwardSyscall() does the correct thing. | 477 // This test verifies that ForwardSyscall() does the correct thing. |
476 | 478 |
961 DEATH_MESSAGE("Unexpected 64bit argument detected"), | 963 DEATH_MESSAGE("Unexpected 64bit argument detected"), |
962 EqualityWithNegativeArgumentsPolicy) { | 964 EqualityWithNegativeArgumentsPolicy) { |
963 // When expecting a 32bit system call argument, we look at the MSB of the | 965 // When expecting a 32bit system call argument, we look at the MSB of the |
964 // 64bit value and allow both "0" and "-1". But the latter is allowed only | 966 // 64bit value and allow both "0" and "-1". But the latter is allowed only |
965 // iff the LSB was negative. So, this death test should error out. | 967 // iff the LSB was negative. So, this death test should error out. |
966 BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000ll) == -1); | 968 BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000ll) == -1); |
967 } | 969 } |
968 #endif | 970 #endif |
969 | 971 |
970 } // namespace | 972 } // namespace |
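Review bot: The first assertion of SigMask (new lines 459–461, the sigemptyset/sigprocmask/sigismember trio) still checks a property of the signal mask inherited from the test process rather than of sigprocmask() itself, so swapping SIGUSR1 for SIGUSR2 only moves the environment dependency onto a different signal that another platform or harness may equally well have blocked. Since the test's stated goal (new 448–449) is that sigprocmask() works under a policy using UnsafeTrap(), it would be more robust to explicitly SIG_UNBLOCK the chosen signal first, read the mask back with a NULL set (the idiom the second half already uses at new 467), and only then assert it is not a member; the later `sigaddset(&mask0, SIGUSR2)` at new 465 then becomes redundant but harmless. The new comment `// Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose.` would also help a future reader more if it recorded the observed failure rather than a guess, e.g. `// Use SIGUSR2: on Android SIGUSR1 is apparently already in use by the platform, which broke the SIGUSR1 variant of this check.` — hedged, because the hunk does not show what Android does with it. Separately, the test exits with SIGUSR2 left blocked and never restores mask1; that is harmless if BPF_TEST runs each body in its own process (not visible here), otherwise a final `BPF_ASSERT(!sigprocmask(SIG_SETMASK, &mask1, NULL));` should restore it.
```cpp
  sigset_t mask0, mask1, mask2;

  // Make the baseline explicit instead of relying on the mask inherited from
  // the test harness: unblock SIGUSR2, then read the mask back and verify it
  // is not a member. (Android apparently has SIGUSR1 in use, so SIGUSR2 is used.)
  sigemptyset(&mask0);
  sigaddset(&mask0, SIGUSR2);
  BPF_ASSERT(!sigprocmask(SIG_UNBLOCK, &mask0, NULL));
  BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask1));
  BPF_ASSERT(!sigismember(&mask1, SIGUSR2));
  // … unchanged: second sigprocmask(SIG_BLOCK, ...) round-trip and the
  // sigismember(&mask2, SIGUSR2) check …
```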