OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" | |
6 | |
7 #include <errno.h> | |
8 #include <sys/stat.h> | |
9 #include <sys/types.h> | |
10 #include <sys/wait.h> | |
11 #include <unistd.h> | |
12 | |
13 #include "base/posix/eintr_wrapper.h" | |
14 #include "base/threading/thread.h" | |
15 #include "build/build_config.h" | |
16 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" | |
17 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | |
18 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | |
19 #include "sandbox/linux/services/linux_syscalls.h" | |
20 #include "sandbox/linux/services/thread_helpers.h" | |
21 #include "sandbox/linux/tests/unit_tests.h" | |
22 | |
23 namespace sandbox { | |
24 | |
25 namespace { | |
26 | |
27 // |pid| is the return value of a fork()-like call. This | |
28 // makes sure that if fork() succeeded the child exits | |
29 // and the parent waits for it. | |
30 void HandlePostForkReturn(pid_t pid) { | |
31 if (pid > 0) { | |
32 int status = 0; | |
33 PCHECK(pid == HANDLE_EINTR(waitpid(pid, &status, 0))); | |
mdempsky
2014/05/08 21:42:42
Could additionally check
CHECK(WIFEXITED(status)
jln (very slow on Chromium)
2014/05/08 21:52:03
Done.
| |
34 } else if (pid == 0) { | |
35 _exit(1); | |
36 } | |
37 } | |
38 | |
39 // Check that HandlePostForkReturn works. | |
40 TEST(BaselinePolicy, HandlePostForkReturn) { | |
41 pid_t pid = fork(); | |
42 HandlePostForkReturn(pid); | |
43 } | |
44 | |
45 BPF_TEST_C(BaselinePolicy, FchmodErrno, BaselinePolicy) { | |
46 int ret = fchmod(-1, 07777); | |
47 BPF_ASSERT_EQ(-1, ret); | |
48 // Without the sandbox, this would EBADF instead. | |
49 BPF_ASSERT_EQ(EPERM, errno); | |
50 } | |
51 | |
52 // clone(2) is not restricted on ASAN. | |
53 #if !defined(ADDRESS_SANITIZER) | |
54 | |
55 BPF_TEST_C(BaselinePolicy, ForkErrno, BaselinePolicy) { | |
56 errno = 0; | |
57 pid_t pid = fork(); | |
58 const int fork_errno = errno; | |
59 HandlePostForkReturn(pid); | |
60 | |
61 BPF_ASSERT(-1 == pid); | |
mdempsky
2014/05/08 21:42:42
Use BPF_ASSERT_EQ (here and below) like in FchmodE
jln (very slow on Chromium)
2014/05/08 21:52:03
Done.
| |
62 BPF_ASSERT(EPERM == fork_errno); | |
63 } | |
64 | |
65 pid_t ForkX86Glibc() { | |
66 return syscall(__NR_clone, CLONE_PARENT_SETTID | SIGCHLD); | |
67 } | |
68 | |
69 BPF_TEST_C(BaselinePolicy, ForkX86Eperm, BaselinePolicy) { | |
70 errno = 0; | |
71 pid_t pid = ForkX86Glibc(); | |
72 const int fork_errno = errno; | |
73 HandlePostForkReturn(pid); | |
74 | |
75 BPF_ASSERT(-1 == pid); | |
76 BPF_ASSERT(EPERM == fork_errno); | |
77 } | |
78 | |
79 pid_t ForkARMGlibc() { | |
80 return syscall(__NR_clone, | |
81 CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD); | |
82 } | |
83 | |
84 BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) { | |
85 errno = 0; | |
86 pid_t pid = ForkARMGlibc(); | |
87 const int fork_errno = errno; | |
88 HandlePostForkReturn(pid); | |
89 | |
90 BPF_ASSERT(-1 == pid); | |
91 BPF_ASSERT(EPERM == fork_errno); | |
92 } | |
93 | |
94 BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) { | |
95 base::Thread thread("sandbox_tests"); | |
96 BPF_ASSERT(thread.Start()); | |
97 } | |
98 | |
99 BPF_DEATH_TEST_C(BaselinePolicy, | |
100 DisallowedFlagCrashes, | |
101 DEATH_MESSAGE(GetCloneErrorMessageContentForTests()), | |
102 BaselinePolicy) { | |
103 pid_t pid = syscall(__NR_clone, CLONE_THREAD | SIGCHLD); | |
104 HandlePostForkReturn(pid); | |
105 } | |
106 | |
107 #endif // !defined(ADDRESS_SANITIZER) | |
108 | |
109 } // namespace | |
110 | |
111 } // namespace sandbox | |
OLD | NEW |