Linux Sandbox: Add support for SECCOMP_RET_TRACE.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
+#include <signal.h>
 #include <sys/prctl.h>
+#include <sys/ptrace.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/utsname.h>
 #include <unistd.h>
 
 #if defined(ANDROID)
 // Work-around for buggy headers in Android's NDK
 #define __user
 #endif
 #include <linux/futex.h>
 
 #include <ostream>
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/posix/eintr_wrapper.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "sandbox/linux/services/broker_process.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ skipping 1763 matching lines @@
                             CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD,
                             0,
                             0,
                             &pid) == -EPERM);
 }
 
 BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); }
 
 BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); }
 
+// It is possible that libc does not define these, but the kernel supports this.
+// We define them here anyway.  The test will give up silently if it gets an
+// EINVAL as a result of these not being supported.
+#ifndef PTRACE_O_TRACESECCOMP
+#define PTRACE_O_TRACESECCOMP 0x00000080
+#endif
+#ifndef PTRACE_EVENT_SECCOMP
+#define PTRACE_EVENT_SECCOMP 8
+#endif
+
+const uint16_t kTraceData = 0xcc;
+
+class TraceAllPolicy : public SandboxBPFPolicy {
+ public:
+  TraceAllPolicy() {}
+  virtual ~TraceAllPolicy() {}
+
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
+                                    int system_call_number) const OVERRIDE {
+    if (!SandboxBPF::IsValidSyscallNumber(system_call_number)) {

[jln (very slow on Chromium), 2014/05/20 03:02:10]

This if is not needed anymore (due to a recent CL).

[rickyz (Google), 2014/05/20 22:34:01]

Done.

+      return ErrorCode(ENOSYS);
+    }
+    return ErrorCode(ErrorCode::ERR_TRACE + kTraceData);
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(TraceAllPolicy);
+};
+
+SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) {
+  if (SandboxBPF::SupportsSeccompSandbox(-1) !=
+      sandbox::SandboxBPF::STATUS_AVAILABLE) {
+    return;
+  }
+
+  pid_t pid = fork();
+  BPF_ASSERT(pid != -1);

[jln (very slow on Chromium), 2014/05/20 03:02:10]

BPF_ASSERT_NE()

[rickyz (Google), 2014/05/20 22:34:01]

Done.

+  if (pid == 0) {
+    pid_t my_pid = getpid();
+    BPF_ASSERT(ptrace(PTRACE_TRACEME, -1, NULL, NULL) != -1);
+    BPF_ASSERT(raise(SIGSTOP) == 0);

[jln (very slow on Chromium), 2014/05/20 03:02:10]

BPF_ASSERT_EQ() (etc. for the rest of the test).

[rickyz (Google), 2014/05/20 22:34:01]

Done.

+    SandboxBPF sandbox;
+    sandbox.SetSandboxPolicy(new TraceAllPolicy);
+    BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+
+    // getpid is allowed.
+    BPF_ASSERT(syscall(__NR_getpid) == my_pid);
+
+    // write is skipped and returns a fake value.
+    BPF_ASSERT(write(STDERR_FILENO, "A", 1) == kExpectedReturnValue);
+
+    // kill is rewritten to exit(kExpectedReturnValue).
+    syscall(__NR_kill, my_pid, SIGKILL);
+
+    // Should not be reached.
+    BPF_ASSERT(0);

[jln (very slow on Chromium), 2014/05/20 03:02:10]

s/0/false/

[rickyz (Google), 2014/05/20 22:34:01]

Done.

+  }
+
+  int status;
+  BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, WUNTRACED)) != -1);
+  BPF_ASSERT(WIFSTOPPED(status));
+
+  errno = 0;
+  if (ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_TRACESECCOMP) == -1) {
+    // Give up (but don't fail) if PTRACE_O_TRACESECCOMP is not supported.

[jln (very slow on Chromium), 2014/05/20 03:02:10]

It should now be supported anywhere seccomp-bpf is supported. I think it's ok to
not give up here. Did you notice anywhere where it's not true?

[rickyz (Google), 2014/05/20 22:34:01]

Yeah, I don't see any release with seccomp-bpf and without
PTRACE_O_TRACESECCOMP, so removing this.

+    BPF_ASSERT(errno == EINVAL);
+    BPF_ASSERT(ptrace(PTRACE_CONT, pid, NULL, SIGKILL) != -1);
+    return;
+  }
+
+  BPF_ASSERT(ptrace(PTRACE_CONT, pid, NULL, NULL) != -1);
+  while (true) {
+    BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, 0)) != -1);
+    if (WIFEXITED(status) || WIFSIGNALED(status)) {
+      BPF_ASSERT(WIFEXITED(status) &&
+                 WEXITSTATUS(status) == kExpectedReturnValue);
+      break;
+    }
+
+    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP ||
+        (status >> 16) != PTRACE_EVENT_SECCOMP) {
+      BPF_ASSERT(ptrace(PTRACE_CONT, pid, NULL, NULL) != -1);
+      continue;
+    }
+
+    unsigned long data;
+    BPF_ASSERT(ptrace(PTRACE_GETEVENTMSG, pid, NULL, &data) != -1);
+    BPF_ASSERT(data == kTraceData);
+
+    struct pt_regs regs;
+    BPF_ASSERT(ptrace(PTRACE_GETREGS, pid, NULL, &regs) != -1);
+    switch (SECCOMP_PT_SYSCALL(regs)) {
+      case __NR_write:
+        // Skip write, make it return kExpectedReturnValue.
+        SECCOMP_PT_SYSCALL(regs) = -1;
+        SECCOMP_PT_RESULT(regs) = kExpectedReturnValue;
+        BPF_ASSERT(ptrace(PTRACE_SETREGS, pid, NULL, &regs) != -1);
+        break;
+
+      case __NR_kill:
+        // Rewrite to exit(kExpectedReturnValue).
+        SECCOMP_PT_SYSCALL(regs) = __NR_exit;
+        SECCOMP_PT_PARM1(regs) = kExpectedReturnValue;
+        BPF_ASSERT(ptrace(PTRACE_SETREGS, pid, NULL, &regs) != -1);
+        break;
+
+      default:
+        // Allow all other syscalls.
+        break;
+    }
+
+    BPF_ASSERT(ptrace(PTRACE_CONT, pid, NULL, NULL) != -1);
+  }
+}
+
 }  // namespace
 
 }  // namespace sandbox