| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <fcntl.h> | 6 #include <fcntl.h> |
| 7 #include <sys/mman.h> | 7 #include <sys/mman.h> |
| 8 #include <sys/syscall.h> | 8 #include <sys/syscall.h> |
| 9 #include <unistd.h> | 9 #include <unistd.h> |
| 10 | 10 |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 43 #if defined(__i386__) | 43 #if defined(__i386__) |
| 44 EXPECT_EQ(0x80CDu, ((uint16_t*)SandboxSyscall(-1))[-1]); // INT 0x80 | 44 EXPECT_EQ(0x80CDu, ((uint16_t*)SandboxSyscall(-1))[-1]); // INT 0x80 |
| 45 #elif defined(__x86_64__) | 45 #elif defined(__x86_64__) |
| 46 EXPECT_EQ(0x050Fu, ((uint16_t*)SandboxSyscall(-1))[-1]); // SYSCALL | 46 EXPECT_EQ(0x050Fu, ((uint16_t*)SandboxSyscall(-1))[-1]); // SYSCALL |
| 47 #elif defined(__arm__) | 47 #elif defined(__arm__) |
| 48 #if defined(__thumb__) | 48 #if defined(__thumb__) |
| 49 EXPECT_EQ(0xDF00u, ((uint16_t*)SandboxSyscall(-1))[-1]); // SWI 0 | 49 EXPECT_EQ(0xDF00u, ((uint16_t*)SandboxSyscall(-1))[-1]); // SWI 0 |
| 50 #else | 50 #else |
| 51 EXPECT_EQ(0xEF000000u, ((uint32_t*)SandboxSyscall(-1))[-1]); // SVC 0 | 51 EXPECT_EQ(0xEF000000u, ((uint32_t*)SandboxSyscall(-1))[-1]); // SVC 0 |
| 52 #endif | 52 #endif |
| 53 #elif defined(__mips__) |
| 54 // Opcode for MIPS sycall is in the lower 16-bits |
| 55 EXPECT_EQ(0x0cu, (((uint32_t *)SandboxSyscall(-1))[-1])&0x0000FFFF); |
| 53 #else | 56 #else |
| 54 #warning Incomplete test case; need port for target platform | 57 #warning Incomplete test case; need port for target platform |
| 55 #endif | 58 #endif |
| 56 } | 59 } |
| 57 | 60 |
| 58 TEST(Syscall, TrivialSyscallNoArgs) { | 61 TEST(Syscall, TrivialSyscallNoArgs) { |
| 59 // Test that we can do basic system calls | 62 // Test that we can do basic system calls |
| 60 EXPECT_EQ(SandboxSyscall(__NR_getpid), syscall(__NR_getpid)); | 63 EXPECT_EQ(SandboxSyscall(__NR_getpid), syscall(__NR_getpid)); |
| 61 } | 64 } |
| 62 | 65 |
| 63 TEST(Syscall, TrivialSyscallOneArg) { | 66 TEST(Syscall, TrivialSyscallOneArg) { |
| 64 int new_fd; | 67 int new_fd; |
| 65 // Duplicate standard error and close it. | 68 // Duplicate standard error and close it. |
| 66 ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0); | 69 ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0); |
| 67 int close_return_value = IGNORE_EINTR(SandboxSyscall(__NR_close, new_fd)); | 70 int close_return_value = IGNORE_EINTR(SandboxSyscall(__NR_close, new_fd)); |
| 68 ASSERT_EQ(close_return_value, 0); | 71 ASSERT_EQ(close_return_value, 0); |
| 69 } | 72 } |
| 70 | 73 |
| 71 // SIGSYS trap handler that will be called on __NR_uname. | 74 // SIGSYS trap handler that will be called on __NR_uname. |
| 72 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) { | 75 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) { |
| 73 // |aux| is a pointer to our BPF_AUX. | 76 // |aux| is a pointer to our BPF_AUX. |
| 74 std::vector<uint64_t>* const seen_syscall_args = | 77 std::vector<uint64_t>* const seen_syscall_args = |
| 75 static_cast<std::vector<uint64_t>*>(aux); | 78 static_cast<std::vector<uint64_t>*>(aux); |
| 76 BPF_ASSERT(arraysize(args.args) == 6); | 79 BPF_ASSERT(arraysize(args.args) == 6); |
| 77 seen_syscall_args->assign(args.args, args.args + arraysize(args.args)); | 80 seen_syscall_args->assign(args.args, args.args + arraysize(args.args)); |
| 81 #if defined(__mips__) |
| 82 // On MIPS, kernel returns errno and not -errno |
| 83 return ENOMEM; |
| 84 #else |
| 78 return -ENOMEM; | 85 return -ENOMEM; |
| 86 #endif |
| 79 } | 87 } |
| 80 | 88 |
| 81 ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) { | 89 ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) { |
| 82 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | 90 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
| 83 return ErrorCode(ENOSYS); | 91 return ErrorCode(ENOSYS); |
| 84 } | 92 } |
| 85 if (sysno == __NR_uname) { | 93 if (sysno == __NR_uname) { |
| 86 return sandbox->Trap(CopySyscallArgsToAux, aux); | 94 return sandbox->Trap(CopySyscallArgsToAux, aux); |
| 87 } else { | 95 } else { |
| 88 return ErrorCode(ErrorCode::ERR_ALLOWED); | 96 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 100 // additional tests to try other types. What we will see depends on | 108 // additional tests to try other types. What we will see depends on |
| 101 // implementation details of kernel BPF filters and we will need to document | 109 // implementation details of kernel BPF filters and we will need to document |
| 102 // the expected behavior very clearly. | 110 // the expected behavior very clearly. |
| 103 int syscall_args[6]; | 111 int syscall_args[6]; |
| 104 for (size_t i = 0; i < arraysize(syscall_args); ++i) { | 112 for (size_t i = 0; i < arraysize(syscall_args); ++i) { |
| 105 syscall_args[i] = kExpectedValue + i; | 113 syscall_args[i] = kExpectedValue + i; |
| 106 } | 114 } |
| 107 | 115 |
| 108 // We could use pretty much any system call we don't need here. uname() is | 116 // We could use pretty much any system call we don't need here. uname() is |
| 109 // nice because it doesn't have any dangerous side effects. | 117 // nice because it doesn't have any dangerous side effects. |
| 118 #if defined(__mips__) |
| 110 BPF_ASSERT(SandboxSyscall(__NR_uname, | 119 BPF_ASSERT(SandboxSyscall(__NR_uname, |
| 111 syscall_args[0], | 120 syscall_args[0], |
| 112 syscall_args[1], | 121 syscall_args[1], |
| 122 syscall_args[2], |
| 123 syscall_args[3], |
| 124 syscall_args[4], |
| 125 syscall_args[5]) == ENOMEM); |
| 126 #else |
| 127 BPF_ASSERT(SandboxSyscall(__NR_uname, |
| 128 syscall_args[0], |
| 129 syscall_args[1], |
| 113 syscall_args[2], | 130 syscall_args[2], |
| 114 syscall_args[3], | 131 syscall_args[3], |
| 115 syscall_args[4], | 132 syscall_args[4], |
| 116 syscall_args[5]) == -ENOMEM); | 133 syscall_args[5]) == -ENOMEM); |
| 134 #endif |
| 117 | 135 |
| 118 // We expect the trap handler to have copied the 6 arguments. | 136 // We expect the trap handler to have copied the 6 arguments. |
| 119 BPF_ASSERT(BPF_AUX.size() == 6); | 137 BPF_ASSERT(BPF_AUX.size() == 6); |
| 120 | 138 |
| 121 // Don't loop here so that we can see which argument does cause the failure | 139 // Don't loop here so that we can see which argument does cause the failure |
| 122 // easily from the failing line. | 140 // easily from the failing line. |
| 123 // uint64_t is the type passed to our SIGSYS handler. | 141 // uint64_t is the type passed to our SIGSYS handler. |
| 124 BPF_ASSERT(BPF_AUX[0] == static_cast<uint64_t>(syscall_args[0])); | 142 BPF_ASSERT(BPF_AUX[0] == static_cast<uint64_t>(syscall_args[0])); |
| 125 BPF_ASSERT(BPF_AUX[1] == static_cast<uint64_t>(syscall_args[1])); | 143 BPF_ASSERT(BPF_AUX[1] == static_cast<uint64_t>(syscall_args[1])); |
| 126 BPF_ASSERT(BPF_AUX[2] == static_cast<uint64_t>(syscall_args[2])); | 144 BPF_ASSERT(BPF_AUX[2] == static_cast<uint64_t>(syscall_args[2])); |
| (...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 192 | 210 |
| 193 // Clean up | 211 // Clean up |
| 194 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L)); | 212 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L)); |
| 195 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L)); | 213 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L)); |
| 196 EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd))); | 214 EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd))); |
| 197 } | 215 } |
| 198 | 216 |
| 199 } // namespace | 217 } // namespace |
| 200 | 218 |
| 201 } // namespace sandbox | 219 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 260793003:
[MIPS] Add seccomp bpf support (Closed)
Base URL: https://git.chromium.org/git/chromium/src.git@master