| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <sys/syscall.h> | 5 #include <sys/syscall.h> |
| 6 #include <sys/utsname.h> | 6 #include <sys/utsname.h> |
| 7 | 7 |
| 8 #include <ostream> | 8 #include <ostream> |
| 9 | 9 |
| 10 #include "base/memory/scoped_ptr.h" | 10 #include "base/memory/scoped_ptr.h" |
| 444 BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { | 444 BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { |
| 445 // Signal masks are potentially tricky to handle. For instance, if we | 445 // Signal masks are potentially tricky to handle. For instance, if we |
| 446 // ever tried to update them from inside a Trap() or UnsafeTrap() handler, | 446 // ever tried to update them from inside a Trap() or UnsafeTrap() handler, |
| 447 // the call to sigreturn() at the end of the signal handler would undo | 447 // the call to sigreturn() at the end of the signal handler would undo |
| 448 // all of our efforts. So, it makes sense to test that sigprocmask() | 448 // all of our efforts. So, it makes sense to test that sigprocmask() |
| 449 // works, even if we have a policy in place that makes use of UnsafeTrap(). | 449 // works, even if we have a policy in place that makes use of UnsafeTrap(). |
| 450 // In practice, this works because we force sigprocmask() to be handled | 450 // In practice, this works because we force sigprocmask() to be handled |
| 451 // entirely in the kernel. | 451 // entirely in the kernel. |
| 452 sigset_t mask0, mask1, mask2; | 452 sigset_t mask0, mask1, mask2; |
| 453 | 453 |
| 454 // Call sigprocmask() to verify that SIGUSR1 wasn't blocked, if we didn't | 454 // Call sigprocmask() to verify that SIGUSR2 wasn't blocked, if we didn't |
| 455 // change the mask (it shouldn't have been, as it isn't blocked by default | 455 // change the mask (it shouldn't have been, as it isn't blocked by default |
| 456 // in POSIX). | 456 // in POSIX). |
| 457 // |
| 458 // Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose. |
| 457 sigemptyset(&mask0); | 459 sigemptyset(&mask0); |
| 458 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1)); | 460 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1)); |
| 459 BPF_ASSERT(!sigismember(&mask1, SIGUSR1)); | 461 BPF_ASSERT(!sigismember(&mask1, SIGUSR2)); |
| 460 | 462 |
| 461 // Try again, and this time we verify that we can block it. This | 463 // Try again, and this time we verify that we can block it. This |
| 462 // requires a second call to sigprocmask(). | 464 // requires a second call to sigprocmask(). |
| 463 sigaddset(&mask0, SIGUSR1); | 465 sigaddset(&mask0, SIGUSR2); |
| 464 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL)); | 466 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL)); |
| 465 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2)); | 467 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2)); |
| 466 BPF_ASSERT( sigismember(&mask2, SIGUSR1)); | 468 BPF_ASSERT( sigismember(&mask2, SIGUSR2)); |
| 467 } | 469 } |
| 468 | 470 |
| 469 BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { | 471 BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { |
| 470 // An UnsafeTrap() (or for that matter, a Trap()) has to report error | 472 // An UnsafeTrap() (or for that matter, a Trap()) has to report error |
| 471 // conditions by returning an exit code in the range -1..-4096. This | 473 // conditions by returning an exit code in the range -1..-4096. This |
| 472 // should happen automatically if using ForwardSyscall(). If the TrapFnc() | 474 // should happen automatically if using ForwardSyscall(). If the TrapFnc() |
| 473 // uses some other method to make system calls, then it is responsible | 475 // uses some other method to make system calls, then it is responsible |
| 474 // for computing the correct return code. | 476 // for computing the correct return code. |
| 475 // This test verifies that ForwardSyscall() does the correct thing. | 477 // This test verifies that ForwardSyscall() does the correct thing. |
| 476 | 478 |
| 961 DEATH_MESSAGE("Unexpected 64bit argument detected"), | 963 DEATH_MESSAGE("Unexpected 64bit argument detected"), |
| 962 EqualityWithNegativeArgumentsPolicy) { | 964 EqualityWithNegativeArgumentsPolicy) { |
| 963 // When expecting a 32bit system call argument, we look at the MSB of the | 965 // When expecting a 32bit system call argument, we look at the MSB of the |
| 964 // 64bit value and allow both "0" and "-1". But the latter is allowed only | 966 // 64bit value and allow both "0" and "-1". But the latter is allowed only |
| 965 // iff the LSB was negative. So, this death test should error out. | 967 // iff the LSB was negative. So, this death test should error out. |
| 966 BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000ll) == -1); | 968 BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000ll) == -1); |
| 967 } | 969 } |
| 968 #endif | 970 #endif |
| 969 | 971 |
| 970 } // namespace | 972 } // namespace |
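Review bot: In the SigMask test, the first check `BPF_ASSERT(!sigismember(&mask1, SIGUSR2));` still depends on the signal mask the test process inherits, so switching from SIGUSR1 to SIGUSR2 only moves the environmental assumption to another signal. The signal mask is inherited across fork() and exec, so a runner that happens to block SIGUSR2 would fail this sandbox test for reasons unrelated to the BPF policy, and flaky sandbox tests tend to get disabled. Consider establishing a known state first, for example adding SIGUSR2 to a set and calling `sigprocmask(SIG_UNBLOCK, &set, NULL)` before the query, so the test checks only that sigprocmask() works under a policy that uses UnsafeTrap(). The new comment would also help more if it recorded the failure that was observed rather than "seems to use SIGUSR1 for some purpose". Separately, `BPF_ASSERT( sigismember(&mask2, SIGUSR2));` also passes on the -1 error return, so comparing with `== 1` would be stricter.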
| OLD | NEW |