Non-SFI mode: Sandbox support for NaCl async-signals.

components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc

Index: components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
index 4338fb6fe295555f5f63aa4014aa9b78124f87bc..a95a6d016c5dd5e0f207058ad59992c326862429 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox_unittest.cc
@@ -641,6 +641,70 @@ BPF_DEATH_TEST_C(NaClNonSfiSandboxTest,
   sandbox::Syscall::InvalidCall();
 }
 
+// The following tests check for several restrictions in tgkill(). A delegate is
+// needed to be able to call getpid() from inside the process that will be
+// sandboxed, but before the sandbox is installed.
+template<void(*callback)(int pid, int tid)>
+class TgkillDelegate : public sandbox::BPFTesterDelegate {
+ public:
+  TgkillDelegate() {}
+  ~TgkillDelegate() override {}
+
+  scoped_ptr<sandbox::bpf_dsl::Policy> GetSandboxBPFPolicy() override {
+    // These two values must be obtained when running in the sandboxed process.
+    // They cannot be set in the constructor and are also not available from
+    // within |RunTestFunction|.
+    pid_ = getpid();
+    tid_ = syscall(__NR_gettid);
+
+    return scoped_ptr<sandbox::bpf_dsl::Policy>(
+        new nacl::nonsfi::NaClNonSfiBPFSandboxPolicy());
+  }
+
+  void RunTestFunction() override {
+    callback(pid_, tid_);
+  }
+
+  int pid_;
+  int tid_;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(TgkillDelegate);
+};
+
+#define BPF_TGKILL_TEST(name)                                        \
+  void BPF_TEST_D_##name(int pid, int tid);                          \
+  BPF_TEST_D(NaClNonSfiSandboxTest,                                  \
+             name,                                                   \
+             TgkillDelegate<BPF_TEST_D_##name>);                     \
+  void BPF_TEST_D_##name(int pid, int tid)                           \
+
+#define BPF_TGKILL_DEATH_TEST(name)                                  \
+  void BPF_TEST_D_##name(int pid, int tid);                          \
+  BPF_DEATH_TEST_D(                                                  \
+      NaClNonSfiSandboxTest,                                         \
+      name,                                                          \
+      DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()), \
+      TgkillDelegate<BPF_TEST_D_##name>);                            \
+  void BPF_TEST_D_##name(int pid, int tid)                           \
+
+BPF_TGKILL_DEATH_TEST(tgkill_with_invalid_signum) {

[jln (very slow on Chromium), 2015/08/17 21:21:11]

The complexity of BPF test is already considerable, and this is pushing it even
farther.

You should be able to do this with just a normal BPF_DEATH_TEST_D / BPF_TEST_D
taking a templated class at the |bpf_tester_delegate_class| argument, no?

Slightly more verbosity for improved readability and simplicity would be the
right choice here.

[Luis Héctor Chávez, 2015/08/17 22:13:07]

Done.

+  syscall(__NR_tgkill, pid, tid, SIGKILL);
+}
+
+BPF_TGKILL_DEATH_TEST(tgkill_with_invalid_tgid) {
+  syscall(__NR_tgkill, 1, tid, LINUX_SIGUSR1);
+}
+
+BPF_TGKILL_DEATH_TEST(tgkill_with_negative_tid) {
+  syscall(__NR_tgkill, pid, -1, LINUX_SIGUSR1);
+}
+
+BPF_TGKILL_TEST(tgkill_with_invalid_tid) {
+  BPF_ASSERT_EQ(-1, syscall(__NR_tgkill, pid, 1, LINUX_SIGUSR1));
+  BPF_ASSERT_EQ(ESRCH, errno);
+}
+
 // The following test cases check if syscalls return EPERM regardless
 // of arguments.
 #define RESTRICT_SYSCALL_EPERM_TEST(name)                      \