| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <errno.h> | 5 #include <errno.h> |
| 6 #include <pthread.h> | 6 #include <pthread.h> |
| 7 #include <sched.h> | 7 #include <sched.h> |
| 8 #include <sys/prctl.h> | 8 #include <sys/prctl.h> |
| 9 #include <sys/syscall.h> | 9 #include <sys/syscall.h> |
| 10 #include <sys/time.h> | 10 #include <sys/time.h> |
| 11 #include <sys/types.h> |
| 11 #include <sys/utsname.h> | 12 #include <sys/utsname.h> |
| 13 #include <unistd.h> |
| 12 | 14 |
| 13 #if defined(ANDROID) | 15 #if defined(ANDROID) |
| 14 // Work-around for buggy headers in Android's NDK | 16 // Work-around for buggy headers in Android's NDK |
| 15 #define __user | 17 #define __user |
| 16 #endif | 18 #endif |
| 17 #include <linux/futex.h> | 19 #include <linux/futex.h> |
| 18 | 20 |
| 19 #include <ostream> | 21 #include <ostream> |
| 20 | 22 |
| 21 #include "base/memory/scoped_ptr.h" | 23 #include "base/memory/scoped_ptr.h" |
| 24 #include "build/build_config.h" |
| 22 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 25 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 23 #include "sandbox/linux/seccomp-bpf/syscall.h" | 26 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 24 #include "sandbox/linux/seccomp-bpf/trap.h" | 27 #include "sandbox/linux/seccomp-bpf/trap.h" |
| 25 #include "sandbox/linux/seccomp-bpf/verifier.h" | 28 #include "sandbox/linux/seccomp-bpf/verifier.h" |
| 26 #include "sandbox/linux/services/broker_process.h" | 29 #include "sandbox/linux/services/broker_process.h" |
| 27 #include "sandbox/linux/services/linux_syscalls.h" | 30 #include "sandbox/linux/services/linux_syscalls.h" |
| 28 #include "testing/gtest/include/gtest/gtest.h" | 31 #include "testing/gtest/include/gtest/gtest.h" |
| 29 | 32 |
| 30 // Workaround for Android's prctl.h file. | 33 // Workaround for Android's prctl.h file. |
| 31 #ifndef PR_GET_ENDIAN | 34 #ifndef PR_GET_ENDIAN |
| 32 #define PR_GET_ENDIAN 19 | 35 #define PR_GET_ENDIAN 19 |
| 33 #endif | 36 #endif |
| 34 #ifndef PR_CAPBSET_READ | 37 #ifndef PR_CAPBSET_READ |
| 35 #define PR_CAPBSET_READ 23 | 38 #define PR_CAPBSET_READ 23 |
| 36 #define PR_CAPBSET_DROP 24 | 39 #define PR_CAPBSET_DROP 24 |
| 37 #endif | 40 #endif |
| 38 | 41 |
| 39 using namespace playground2; | 42 using namespace playground2; |
| 40 using sandbox::BrokerProcess; | 43 using sandbox::BrokerProcess; |
| 41 | 44 |
| 42 namespace { | 45 namespace { |
| 43 | 46 |
| 44 const int kExpectedReturnValue = 42; | 47 const int kExpectedReturnValue = 42; |
| 45 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING"; | 48 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING"; |
| 46 | 49 |
| 50 inline bool IsAndroid() { |
| 51 #if defined(OS_ANDROID) |
| 52 return true; |
| 53 #else |
| 54 return false; |
| 55 #endif |
| 56 } |
| 57 |
| 47 // This test should execute no matter whether we have kernel support. So, | 58 // This test should execute no matter whether we have kernel support. So, |
| 48 // we make it a TEST() instead of a BPF_TEST(). | 59 // we make it a TEST() instead of a BPF_TEST(). |
| 49 TEST(SandboxBpf, CallSupports) { | 60 TEST(SandboxBpf, CallSupports) { |
| 50 // We check that we don't crash, but it's ok if the kernel doesn't | 61 // We check that we don't crash, but it's ok if the kernel doesn't |
| 51 // support it. | 62 // support it. |
| 52 bool seccomp_bpf_supported = | 63 bool seccomp_bpf_supported = |
| 53 Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE; | 64 Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE; |
| 54 // We want to log whether or not seccomp BPF is actually supported | 65 // We want to log whether or not seccomp BPF is actually supported |
| 55 // since actual test coverage depends on it. | 66 // since actual test coverage depends on it. |
| 56 RecordProperty("SeccompBPFSupported", | 67 RecordProperty("SeccompBPFSupported", |
| (...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 207 } | 218 } |
| 208 | 219 |
| 209 switch (sysno) { | 220 switch (sysno) { |
| 210 case __NR_dup2: | 221 case __NR_dup2: |
| 211 // Pretend that dup2() worked, but don't actually do anything. | 222 // Pretend that dup2() worked, but don't actually do anything. |
| 212 return ErrorCode(0); | 223 return ErrorCode(0); |
| 213 case __NR_setuid: | 224 case __NR_setuid: |
| 214 #if defined(__NR_setuid32) | 225 #if defined(__NR_setuid32) |
| 215 case __NR_setuid32: | 226 case __NR_setuid32: |
| 216 #endif | 227 #endif |
| 217 // Return errno = 1 | 228 // Return errno = 1. |
| 218 return ErrorCode(1); | 229 return ErrorCode(1); |
| 219 case __NR_setgid: | 230 case __NR_setgid: |
| 220 #if defined(__NR_setgid32) | 231 #if defined(__NR_setgid32) |
| 221 case __NR_setgid32: | 232 case __NR_setgid32: |
| 222 #endif | 233 #endif |
| 223 // Return maximum errno value (typically 4095). | 234 // Return maximum errno value (typically 4095). |
| 224 return ErrorCode(ErrorCode::ERR_MAX_ERRNO); | 235 return ErrorCode(ErrorCode::ERR_MAX_ERRNO); |
| 236 case __NR_uname: |
| 237 // Return errno = 42; |
| 238 return ErrorCode(42); |
| 225 default: | 239 default: |
| 226 return ErrorCode(ErrorCode::ERR_ALLOWED); | 240 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 227 } | 241 } |
| 228 } | 242 } |
| 229 | 243 |
| 230 BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { | 244 BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { |
| 231 // Verify that dup2() returns success, but doesn't actually run. | 245 // Verify that dup2() returns success, but doesn't actually run. |
| 232 int fds[4]; | 246 int fds[4]; |
| 233 BPF_ASSERT(pipe(fds) == 0); | 247 BPF_ASSERT(pipe(fds) == 0); |
| 234 BPF_ASSERT(pipe(fds+2) == 0); | 248 BPF_ASSERT(pipe(fds+2) == 0); |
| 235 BPF_ASSERT(dup2(fds[2], fds[0]) == 0); | 249 BPF_ASSERT(dup2(fds[2], fds[0]) == 0); |
| 236 char buf[1] = { }; | 250 char buf[1] = { }; |
| 237 BPF_ASSERT(write(fds[1], "\x55", 1) == 1); | 251 BPF_ASSERT(write(fds[1], "\x55", 1) == 1); |
| 238 BPF_ASSERT(write(fds[3], "\xAA", 1) == 1); | 252 BPF_ASSERT(write(fds[3], "\xAA", 1) == 1); |
| 239 BPF_ASSERT(read(fds[0], buf, 1) == 1); | 253 BPF_ASSERT(read(fds[0], buf, 1) == 1); |
| 240 | 254 |
| 241 // If dup2() executed, we will read \xAA, but it dup2() has been turned | 255 // If dup2() executed, we will read \xAA, but it dup2() has been turned |
| 242 // into a no-op by our policy, then we will read \x55. | 256 // into a no-op by our policy, then we will read \x55. |
| 243 BPF_ASSERT(buf[0] == '\x55'); | 257 BPF_ASSERT(buf[0] == '\x55'); |
| 244 | 258 |
| 245 // Verify that we can return the minimum and maximum errno values. | 259 // Verify that we can return the minimum and maximum errno values. |
| 260 errno = 0; |
| 246 BPF_ASSERT(setuid(0) == -1); | 261 BPF_ASSERT(setuid(0) == -1); |
| 247 BPF_ASSERT(errno == 1); | 262 BPF_ASSERT(errno == 1); |
| 248 BPF_ASSERT(setgid(0) == -1); | 263 |
| 249 BPF_ASSERT(errno == ErrorCode::ERR_MAX_ERRNO); | 264 // On Android, errno is only supported up to 255, otherwise errno |
| 265 // processing is skipped. |
| 266 // We work around this (crbug.com/181647). |
| 267 if (IsAndroid() && setgid(0) != -1) { |
| 268 errno = 0; |
| 269 BPF_ASSERT(setgid(0) == -ErrorCode::ERR_MAX_ERRNO); |
| 270 BPF_ASSERT(errno == 0); |
| 271 } else { |
| 272 errno = 0; |
| 273 BPF_ASSERT(setgid(0) == -1); |
| 274 BPF_ASSERT(errno == ErrorCode::ERR_MAX_ERRNO); |
| 275 } |
| 276 |
| 277 // Finally, test an errno in between the minimum and maximum. |
| 278 errno = 0; |
| 279 struct utsname uts_buf; |
| 280 BPF_ASSERT(uname(&uts_buf) == -1); |
| 281 BPF_ASSERT(errno == 42); |
| 250 } | 282 } |
| 251 | 283 |
| 252 // Testing the stacking of two sandboxes | 284 // Testing the stacking of two sandboxes |
| 253 | 285 |
| 254 ErrorCode StackingPolicyPartOne(Sandbox *sandbox, int sysno, void *) { | 286 ErrorCode StackingPolicyPartOne(Sandbox *sandbox, int sysno, void *) { |
| 255 if (!Sandbox::IsValidSyscallNumber(sysno)) { | 287 if (!Sandbox::IsValidSyscallNumber(sysno)) { |
| 256 return ErrorCode(ENOSYS); | 288 return ErrorCode(ENOSYS); |
| 257 } | 289 } |
| 258 | 290 |
| 259 switch (sysno) { | 291 switch (sysno) { |
| (...skipping 1421 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1681 | 1713 |
| 1682 BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { | 1714 BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { |
| 1683 PthreadTest(); | 1715 PthreadTest(); |
| 1684 } | 1716 } |
| 1685 | 1717 |
| 1686 BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { | 1718 BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { |
| 1687 PthreadTest(); | 1719 PthreadTest(); |
| 1688 } | 1720 } |
| 1689 | 1721 |
| 1690 } // namespace | 1722 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12638015:
Android sandbox: workaround for restricted errno values. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src