Convert a bunch of BPF_TEST tests to use BPF_TEST_C

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
@@ skipping 106 matching lines @@
     BPF_ASSERT_EQ(2, pid);
 
     // N.B.: Any future call to getpid() would corrupt the stack.
     //       This is OK. The SANDBOX_TEST() macro is guaranteed to
     //       only ever call _exit() after the test completes.
   }
 }
 
 // A simple blacklist test
 
-ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void* aux) {
-  // Since no type was specified in BPF_TEST as a fourth argument,
-  // |aux| must be NULL here.
-  BPF_ASSERT(NULL == aux);
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
+class BlacklistNanosleepPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    switch (sysno) {
+      case __NR_nanosleep:
+        return ErrorCode(EACCES);
+      default:
+        return ErrorCode(ErrorCode::ERR_ALLOWED);
+    }
   }

[jln (very slow on Chromium), 2014/05/19 21:22:21]

It would be fine in C++11 to punt on DISALLOW_COPY_AND_ASSIGN() even though
strictly speaking the style guide requires it.
In C++03, the implicitly declared copy constructor has undefined behavior if the
base class has a private copy constructor, so it's a little more problematic.
Since we always build with Clang, our bots should catch this anyways.

I'm not sure what to do here. Maybe a question for chromium-dev?

+};
 
-  switch (sysno) {
-    case __NR_nanosleep:
-      return ErrorCode(EACCES);
-    default:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
-  }
-}
-
-BPF_TEST(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
+BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   // nanosleep() should be denied
   const struct timespec ts = {0, 0};
   errno = 0;
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == EACCES);
 }
+
 // Now do a simple whitelist test
 
-ErrorCode WhitelistGetpidPolicy(SandboxBPF*, int sysno, void*) {
-  switch (sysno) {
-    case __NR_getpid:
-    case __NR_exit_group:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
-    default:
-      return ErrorCode(ENOMEM);
+class WhitelistGetpidPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    switch (sysno) {
+      case __NR_getpid:
+      case __NR_exit_group:
+        return ErrorCode(ErrorCode::ERR_ALLOWED);
+      default:
+        return ErrorCode(ENOMEM);
+    }
   }
-}
+};
 
-BPF_TEST(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
+BPF_TEST_C(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
   // getpid() should be allowed
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // getpgid() should be denied
   BPF_ASSERT(getpgid(0) == -1);
   BPF_ASSERT(errno == ENOMEM);
 }
 
 // A simple blacklist policy, with a SIGSYS handler
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
   // We also check that the auxiliary data is correct
   SANDBOX_ASSERT(aux);
   *(static_cast<int*>(aux)) = kExpectedReturnValue;
   return -ENOMEM;
 }
 
 ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
                                          int sysno,
                                          int* aux) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  }
-
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   switch (sysno) {
     case __NR_nanosleep:
       return sandbox->Trap(EnomemHandler, aux);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBPF,
          BasicBlacklistWithSigsys,
          BlacklistNanosleepPolicySigsys,
          int /* (*BPF_AUX) */) {
   // getpid() should work properly
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // Our Auxiliary Data, should be reset by the signal handler
   *BPF_AUX = -1;
   const struct timespec ts = {0, 0};
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == ENOMEM);
 
   // We expect the signal handler to modify AuxData
   BPF_ASSERT(*BPF_AUX == kExpectedReturnValue);
 }
 
 // A simple test that verifies we can return arbitrary errno values.
 
-ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  }
+class ErrnoTestPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE;
+};
 
+ErrorCode ErrnoTestPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   switch (sysno) {
 #if defined(ANDROID)
     case __NR_dup3:    // dup2 is a wrapper of dup3 in android
 #else
     case __NR_dup2:
 #endif
       // Pretend that dup2() worked, but don't actually do anything.
       return ErrorCode(0);
     case __NR_setuid:
 #if defined(__NR_setuid32)
     case __NR_setuid32:
 #endif
       // Return errno = 1.
       return ErrorCode(1);
     case __NR_setgid:
 #if defined(__NR_setgid32)
     case __NR_setgid32:
 #endif
       // Return maximum errno value (typically 4095).
       return ErrorCode(ErrorCode::ERR_MAX_ERRNO);
     case __NR_uname:
       // Return errno = 42;
       return ErrorCode(42);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
-BPF_TEST(SandboxBPF, ErrnoTest, ErrnoTestPolicy) {
+BPF_TEST_C(SandboxBPF, ErrnoTest, ErrnoTestPolicy) {
   // Verify that dup2() returns success, but doesn't actually run.
   int fds[4];
   BPF_ASSERT(pipe(fds) == 0);
   BPF_ASSERT(pipe(fds + 2) == 0);
   BPF_ASSERT(dup2(fds[2], fds[0]) == 0);
   char buf[1] = {};
   BPF_ASSERT(write(fds[1], "\x55", 1) == 1);
   BPF_ASSERT(write(fds[3], "\xAA", 1) == 1);
   BPF_ASSERT(read(fds[0], buf, 1) == 1);
 
@@ skipping 96 matching lines @@
 // We try to make sure we exercise optimizations in the BPF compiler. We make
 // sure that the compiler can have an opportunity to coalesce syscalls with
 // contiguous numbers and we also make sure that disjoint sets can return the
 // same errno.
 int SysnoToRandomErrno(int sysno) {
   // Small contiguous sets of 3 system calls return an errno equal to the
   // index of that set + 1 (so that we never return a NUL errno).
   return ((sysno & ~3) >> 2) % 29 + 1;
 }
 
-ErrorCode SyntheticPolicy(SandboxBPF*, int sysno, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  }
-
-  if (sysno == __NR_exit_group || sysno == __NR_write) {
-    // exit_group() is special, we really need it to work.
-    // write() is needed for BPF_ASSERT() to report a useful error message.
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
-  } else {
+class SyntheticPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    if (sysno == __NR_exit_group || sysno == __NR_write) {
+      // exit_group() is special, we really need it to work.
+      // write() is needed for BPF_ASSERT() to report a useful error message.
+      return ErrorCode(ErrorCode::ERR_ALLOWED);
+    }
     return ErrorCode(SysnoToRandomErrno(sysno));
   }
-}
+};
 
-BPF_TEST(SandboxBPF, SyntheticPolicy, SyntheticPolicy) {
+BPF_TEST_C(SandboxBPF, SyntheticPolicy, SyntheticPolicy) {
   // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int
   // overflow.
   BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >=
              static_cast<int>(MAX_PUBLIC_SYSCALL));
 
   for (int syscall_number = static_cast<int>(MIN_SYSCALL);
        syscall_number <= static_cast<int>(MAX_PUBLIC_SYSCALL);
        ++syscall_number) {
     if (syscall_number == __NR_exit_group || syscall_number == __NR_write) {
       // exit_group() is special
@@ skipping 13 matching lines @@
 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno).
 int ArmPrivateSysnoToErrno(int sysno) {
   if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
       sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
     return (sysno - MIN_PRIVATE_SYSCALL) + 1;
   } else {
     return ENOSYS;
   }
 }
 
-ErrorCode ArmPrivatePolicy(SandboxBPF*, int sysno, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy.
-    return ErrorCode(ENOSYS);
-  }
-
-  // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual
-  // ARM private system calls.
-  if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) &&
-      sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
-    return ErrorCode(ArmPrivateSysnoToErrno(sysno));
-  } else {
+class ArmPrivatePolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual
+    // ARM private system calls.
+    if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) &&
+        sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
+      return ErrorCode(ArmPrivateSysnoToErrno(sysno));
+    }
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
-}
+};
 
-BPF_TEST(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) {
+BPF_TEST_C(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) {
   for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1);
        syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
        ++syscall_number) {
     errno = 0;
     BPF_ASSERT(syscall(syscall_number) == -1);
     BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number));
   }
 }
 #endif  // defined(__arm__)
 
@@ skipping 76 matching lines @@
 intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) {
   if (args.args[0] == PR_CAPBSET_DROP && static_cast<int>(args.args[1]) == -1) {
     // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always
     // return an error. But our handler allows this call.
     return 0;
   } else {
     return SandboxBPF::ForwardSyscall(args);
   }
 }
 
-ErrorCode PrctlPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
-  setenv(kSandboxDebuggingEnv, "t", 0);
-  Die::SuppressInfoMessages(true);
+class PrctlPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    setenv(kSandboxDebuggingEnv, "t", 0);
+    Die::SuppressInfoMessages(true);
 
-  if (sysno == __NR_prctl) {
-    // Handle prctl() inside an UnsafeTrap()
-    return sandbox->UnsafeTrap(PrctlHandler, NULL);
-  } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
+    if (sysno == __NR_prctl) {
+      // Handle prctl() inside an UnsafeTrap()
+      return sandbox->UnsafeTrap(PrctlHandler, NULL);
+    }
+
     // Allow all other system calls.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
-  } else {
-    return ErrorCode(ENOSYS);
   }
-}
+};
 
-BPF_TEST(SandboxBPF, ForwardSyscall, PrctlPolicy) {
+BPF_TEST_C(SandboxBPF, ForwardSyscall, PrctlPolicy) {
   // This call should never be allowed. But our policy will intercept it and
   // let it pass successfully.
   BPF_ASSERT(
       !prctl(PR_CAPBSET_DROP, -1, (void*)NULL, (void*)NULL, (void*)NULL));
 
   // Verify that the call will fail, if it makes it all the way to the kernel.
   BPF_ASSERT(
       prctl(PR_CAPBSET_DROP, -2, (void*)NULL, (void*)NULL, (void*)NULL) == -1);
 
   // And verify that other uses of prctl() work just fine.
@@ skipping 10 matching lines @@
   // unaffected by our policy.
   struct utsname uts = {};
   BPF_ASSERT(!uname(&uts));
   BPF_ASSERT(!strcmp(uts.sysname, "Linux"));
 }
 
 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) {
   return SandboxBPF::ForwardSyscall(args);
 }
 
-ErrorCode RedirectAllSyscallsPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+class RedirectAllSyscallsPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode RedirectAllSyscallsPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                                     int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   // Some system calls must always be allowed, if our policy wants to make
   // use of UnsafeTrap()
   if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn
 #if defined(__NR_sigprocmask)
       ||
       sysno == __NR_sigprocmask
 #endif
 #if defined(__NR_sigreturn)
       ||
       sysno == __NR_sigreturn
 #endif
       ) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
-  } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
-    return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux);
-  } else {
-    return ErrorCode(ENOSYS);
   }
+  return sandbox->UnsafeTrap(AllowRedirectedSyscall, NULL);
 }
 
 int bus_handler_fd_ = -1;
 
 void SigBusHandler(int, siginfo_t* info, void* void_context) {
   BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
 }
 
-BPF_TEST(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) {
+BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) {
   // We use the SIGBUS bit in the signal mask as a thread-local boolean
   // value in the implementation of UnsafeTrap(). This is obviously a bit
   // of a hack that could conceivably interfere with code that uses SIGBUS
   // in more traditional ways. This test verifies that basic functionality
   // of SIGBUS is not impacted, but it is certainly possibly to construe
   // more complex uses of signals where our use of the SIGBUS mask is not
   // 100% transparent. This is expected behavior.
   int fds[2];
   BPF_ASSERT(pipe(fds) == 0);
   bus_handler_fd_ = fds[1];
   struct sigaction sa = {};
   sa.sa_sigaction = SigBusHandler;
   sa.sa_flags = SA_SIGINFO;
   BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0);
   raise(SIGBUS);
   char c = '\000';
   BPF_ASSERT(read(fds[0], &c, 1) == 1);
   BPF_ASSERT(close(fds[0]) == 0);
   BPF_ASSERT(close(fds[1]) == 0);
   BPF_ASSERT(c == 0x55);
 }
 
-BPF_TEST(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) {
+BPF_TEST_C(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) {
   // Signal masks are potentially tricky to handle. For instance, if we
   // ever tried to update them from inside a Trap() or UnsafeTrap() handler,
   // the call to sigreturn() at the end of the signal handler would undo
   // all of our efforts. So, it makes sense to test that sigprocmask()
   // works, even if we have a policy in place that makes use of UnsafeTrap().
   // In practice, this works because we force sigprocmask() to be handled
   // entirely in the kernel.
   sigset_t mask0, mask1, mask2;
 
   // Call sigprocmask() to verify that SIGUSR2 wasn't blocked, if we didn't
   // change the mask (it shouldn't have been, as it isn't blocked by default
   // in POSIX).
   //
   // Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose.
   sigemptyset(&mask0);
   BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1));
   BPF_ASSERT(!sigismember(&mask1, SIGUSR2));
 
   // Try again, and this time we verify that we can block it. This
   // requires a second call to sigprocmask().
   sigaddset(&mask0, SIGUSR2);
   BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL));
   BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2));
   BPF_ASSERT(sigismember(&mask2, SIGUSR2));
 }
 
-BPF_TEST(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) {
+BPF_TEST_C(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) {
   // An UnsafeTrap() (or for that matter, a Trap()) has to report error
   // conditions by returning an exit code in the range -1..-4096. This
   // should happen automatically if using ForwardSyscall(). If the TrapFnc()
   // uses some other method to make system calls, then it is responsible
   // for computing the correct return code.
   // This test verifies that ForwardSyscall() does the correct thing.
 
   // The glibc system wrapper will ultimately set errno for us. So, from normal
   // userspace, all of this should be completely transparent.
   errno = 0;
@@ skipping 133 matching lines @@
   int cpu_info_access = access("/proc/cpuinfo", R_OK);
   BPF_ASSERT(cpu_info_access == 0);
   int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);
   BPF_ASSERT(cpu_info_fd >= 0);
   char buf[1024];
   BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
 }
 
 // Simple test demonstrating how to use SandboxBPF::Cond()
 
-ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  }
+class SimpleCondTestPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode SimpleCondTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                                int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
 
   // We deliberately return unusual errno values upon failure, so that we
   // can uniquely test for these values. In a "real" policy, you would want
   // to return more traditional values.
   switch (sysno) {
 #if defined(ANDROID)
     case __NR_openat:    // open is a wrapper of openat in android
       // Allow opening files for reading, but don't allow writing.
       COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits);
       return sandbox->Cond(2,
@@ skipping 25 matching lines @@
                                          ErrorCode::TP_32BIT,
                                          ErrorCode::OP_EQUAL,
                                          PR_GET_DUMPABLE,
                                          ErrorCode(ErrorCode::ERR_ALLOWED),
                                          ErrorCode(ENOMEM)));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
-BPF_TEST(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) {
+BPF_TEST_C(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) {
   int fd;
   BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1);
   BPF_ASSERT(errno == EROFS);
   BPF_ASSERT((fd = open("/proc/self/comm", O_RDONLY)) >= 0);
   close(fd);
 
   int ret;
   BPF_ASSERT((ret = prctl(PR_GET_DUMPABLE)) >= 0);
   BPF_ASSERT(prctl(PR_SET_DUMPABLE, 1 - ret) == 0);
   BPF_ASSERT(prctl(PR_GET_ENDIAN, &ret) == -1);
@@ skipping 308 matching lines @@
   return aux->Policy(sandbox, sysno);
 }
 
 BPF_TEST(SandboxBPF,
          EqualityTests,
          EqualityStressTestPolicy,
          EqualityStressTest /* (*BPF_AUX) */) {
   BPF_AUX->VerifyFilter();
 }
 
-ErrorCode EqualityArgumentWidthPolicy(SandboxBPF* sandbox, int sysno, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  } else if (sysno == __NR_uname) {
+class EqualityArgumentWidthPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode EqualityArgumentWidthPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                                       int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+  if (sysno == __NR_uname) {
     return sandbox->Cond(
         0,
         ErrorCode::TP_32BIT,
         ErrorCode::OP_EQUAL,
         0,
         sandbox->Cond(1,
                       ErrorCode::TP_32BIT,
                       ErrorCode::OP_EQUAL,
                       0x55555555,
                       ErrorCode(1),
                       ErrorCode(2)),
         // The BPF compiler and the BPF interpreter in the kernel are
         // (mostly) agnostic of the host platform's word size. The compiler
         // will happily generate code that tests a 64bit value, and the
         // interpreter will happily perform this test.
         // But unless there is a kernel bug, there is no way for us to pass
         // in a 64bit quantity on a 32bit platform. The upper 32bits should
         // always be zero. So, this test should always evaluate as false on
         // 32bit systems.
         sandbox->Cond(1,
                       ErrorCode::TP_64BIT,
                       ErrorCode::OP_EQUAL,
                       0x55555555AAAAAAAAULL,
                       ErrorCode(1),
                       ErrorCode(2)));
-  } else {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
+  return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
-BPF_TEST(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
+BPF_TEST_C(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0x55555555) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0xAAAAAAAA) == -2);
 #if __SIZEOF_POINTER__ > 4
   // On 32bit machines, there is no way to pass a 64bit argument through the
   // syscall interface. So, we have to skip the part of the test that requires
   // 64bit arguments.
   BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x55555555AAAAAAAAULL) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x5555555500000000ULL) == -2);
   BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x5555555511111111ULL) == -2);
   BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x11111111AAAAAAAAULL) == -2);
 #else
   BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x55555555) == -2);
 #endif
 }
 
 #if __SIZEOF_POINTER__ > 4
 // On 32bit machines, there is no way to pass a 64bit argument through the
 // syscall interface. So, we have to skip the part of the test that requires
 // 64bit arguments.
-BPF_DEATH_TEST(SandboxBPF,
-               EqualityArgumentUnallowed64bit,
-               DEATH_MESSAGE("Unexpected 64bit argument detected"),
-               EqualityArgumentWidthPolicy) {
+BPF_DEATH_TEST_C(SandboxBPF,
+                 EqualityArgumentUnallowed64bit,
+                 DEATH_MESSAGE("Unexpected 64bit argument detected"),
+                 EqualityArgumentWidthPolicy) {
   SandboxSyscall(__NR_uname, 0, 0x5555555555555555ULL);
 }
 #endif
 
-ErrorCode EqualityWithNegativeArgumentsPolicy(SandboxBPF* sandbox,
-                                              int sysno,
-                                              void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  } else if (sysno == __NR_uname) {
-    return sandbox->Cond(0,
-                         ErrorCode::TP_32BIT,
-                         ErrorCode::OP_EQUAL,
-                         0xFFFFFFFF,
-                         ErrorCode(1),
-                         ErrorCode(2));
-  } else {
+class EqualityWithNegativeArgumentsPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    if (sysno == __NR_uname) {
+      return sandbox->Cond(0,
+                           ErrorCode::TP_32BIT,
+                           ErrorCode::OP_EQUAL,
+                           0xFFFFFFFF,
+                           ErrorCode(1),
+                           ErrorCode(2));
+    }
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
-}
+};
 
-BPF_TEST(SandboxBPF,
-         EqualityWithNegativeArguments,
-         EqualityWithNegativeArgumentsPolicy) {
+BPF_TEST_C(SandboxBPF,
+           EqualityWithNegativeArguments,
+           EqualityWithNegativeArgumentsPolicy) {
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, -1) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, -1LL) == -1);
 }
 
 #if __SIZEOF_POINTER__ > 4
-BPF_DEATH_TEST(SandboxBPF,
-               EqualityWithNegative64bitArguments,
-               DEATH_MESSAGE("Unexpected 64bit argument detected"),
-               EqualityWithNegativeArgumentsPolicy) {
+BPF_DEATH_TEST_C(SandboxBPF,
+                 EqualityWithNegative64bitArguments,
+                 DEATH_MESSAGE("Unexpected 64bit argument detected"),
+                 EqualityWithNegativeArgumentsPolicy) {
   // When expecting a 32bit system call argument, we look at the MSB of the
   // 64bit value and allow both "0" and "-1". But the latter is allowed only
   // iff the LSB was negative. So, this death test should error out.
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1);
 }
 #endif
-ErrorCode AllBitTestPolicy(SandboxBPF* sandbox, int sysno, void *) {
+class AllBitTestPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode AllBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                            int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   // Test the OP_HAS_ALL_BITS conditional test operator with a couple of
   // different bitmasks. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  } else if (sysno == __NR_uname) {
+  if (sysno == __NR_uname) {
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x1,
                          ErrorCode(1), ErrorCode(0)),
 
@@ skipping 35 matching lines @@
            sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x300000000ULL,
                          ErrorCode(1), ErrorCode(0)),
 
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
            sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x100000001ULL,
                          ErrorCode(1), ErrorCode(0)),
 
                          sandbox->Kill("Invalid test case number"))))))))))));
-  } else {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
+  return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 // Define a macro that performs tests using our test policy.
 // NOTE: Not all of the arguments in this macro are actually used!
 //       They are here just to serve as documentation of the conditions
 //       implemented in the test policy.
 //       Most notably, "op" and "mask" are unused by the macro. If you want
 //       to make changes to these values, you will have to edit the
 //       test policy instead.
 #define BITMASK_TEST(testcase, arg, op, mask, expected_value) \
   BPF_ASSERT(SandboxSyscall(__NR_uname, (testcase), (arg)) == (expected_value))
 
 // Our uname() system call returns ErrorCode(1) for success and
 // ErrorCode(0) for failure. SandboxSyscall() turns this into an
 // exit code of -1 or 0.
 #define EXPECT_FAILURE 0
 #define EXPECT_SUCCESS -1
 
 // A couple of our tests behave differently on 32bit and 64bit systems, as
 // there is no way for a 32bit system call to pass in a 64bit system call
 // argument "arg".
 // We expect these tests to succeed on 64bit systems, but to tail on 32bit
 // systems.
 #define EXPT64_SUCCESS (sizeof(void*) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE)
-BPF_TEST(SandboxBPF, AllBitTests, AllBitTestPolicy) {
+BPF_TEST_C(SandboxBPF, AllBitTests, AllBitTestPolicy) {
   // 32bit test: all of 0x0 (should always be true)
   BITMASK_TEST( 0,                   0, ALLBITS32,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 0,                   1, ALLBITS32,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 0,                   3, ALLBITS32,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 0,         0xFFFFFFFFU, ALLBITS32,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 0,                -1LL, ALLBITS32,          0, EXPECT_SUCCESS);
 
   // 32bit test: all of 0x1
   BITMASK_TEST( 1,                   0, ALLBITS32,        0x1, EXPECT_FAILURE);
   BITMASK_TEST( 1,                   1, ALLBITS32,        0x1, EXPECT_SUCCESS);
@@ skipping 82 matching lines @@
 
   // 64bit test: all of 0x100000001
   BITMASK_TEST(10,       0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS);
   BITMASK_TEST(10,         0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,                 -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS);
 }
 
-ErrorCode AnyBitTestPolicy(SandboxBPF* sandbox, int sysno, void*) {
+class AnyBitTestPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode AnyBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                            int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   // Test the OP_HAS_ANY_BITS conditional test operator with a couple of
   // different bitmasks. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  } else if (sysno == __NR_uname) {
+  if (sysno == __NR_uname) {
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x1,
                          ErrorCode(1), ErrorCode(0)),
 
@@ skipping 38 matching lines @@
            sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x300000000ULL,
                          ErrorCode(1), ErrorCode(0)),
 
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
            sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x100000001ULL,
                          ErrorCode(1), ErrorCode(0)),
 
                          sandbox->Kill("Invalid test case number"))))))))))));
-  } else {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
+  return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
-BPF_TEST(SandboxBPF, AnyBitTests, AnyBitTestPolicy) {
+BPF_TEST_C(SandboxBPF, AnyBitTests, AnyBitTestPolicy) {
   // 32bit test: any of 0x0 (should always be false)
   BITMASK_TEST( 0,                   0, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                   1, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                   3, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,         0xFFFFFFFFU, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                -1LL, ANYBITS32,        0x0, EXPECT_FAILURE);
 
   // 32bit test: any of 0x1
   BITMASK_TEST( 1,                   0, ANYBITS32,        0x1, EXPECT_FAILURE);
   BITMASK_TEST( 1,                   1, ANYBITS32,        0x1, EXPECT_SUCCESS);
@@ skipping 109 matching lines @@
         (long long)args.args[0],
         (long long)args.args[1],
         (long long)args.args[2],
         (long long)args.args[3],
         (long long)args.args[4],
         (long long)args.args[5],
         msg);
   }
   return -EPERM;
 }
-ErrorCode PthreadPolicyEquality(SandboxBPF* sandbox, int sysno, void* aux) {
+
+class PthreadPolicyEquality : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode PthreadPolicyEquality::EvaluateSyscall(SandboxBPF* sandbox,
+                                                 int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  } else if (sysno == __NR_clone) {
+  if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // More recent versions of Android don't set CLONE_DETACHED anymore, so
     // the last case accounts for that.
     // The following policy is very strict. It only allows the exact masks
     // that we have seen in known implementations. It is probably somewhat
     // stricter than what we would want to do.
     const uint64_t kGlibcCloneMask =
         CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
         CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
         CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
     const uint64_t kBaseAndroidCloneMask =
         CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
         CLONE_THREAD | CLONE_SYSVSEM;
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          kGlibcCloneMask,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          kBaseAndroidCloneMask | CLONE_DETACHED,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          kBaseAndroidCloneMask,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          sandbox->Trap(PthreadTrapHandler, "Unknown mask"))));
-  } else {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
+  return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
-ErrorCode PthreadPolicyBitMask(SandboxBPF* sandbox, int sysno, void* aux) {
+class PthreadPolicyBitMask : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+};
+
+ErrorCode PthreadPolicyBitMask::EvaluateSyscall(SandboxBPF* sandbox,
+                                                int sysno) const {
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // FIXME: we should really not have to do that in a trivial policy
-    return ErrorCode(ENOSYS);
-  } else if (sysno == __NR_clone) {
+  if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // The following policy allows for either combination of flags, but it
     // is generally a little more conservative than strictly necessary. We
     // err on the side of rather safe than sorry.
     // Very noticeably though, we disallow fork() (which is often just a
     // wrapper around clone()).
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
@@ skipping 11 matching lines @@
                          ErrorCode(ErrorCode::ERR_ALLOWED),
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
                          sandbox->Trap(PthreadTrapHandler,
                                        "Must set either all or none of the TLS"
                                        " and futex bits in call to clone()"),
                          ErrorCode(ErrorCode::ERR_ALLOWED))),
                          sandbox->Trap(PthreadTrapHandler,
                                        "Missing mandatory CLONE_XXX flags "
                                        "when creating new thread")));
-  } else {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
+  return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 static void* ThreadFnc(void* arg) {
   ++*reinterpret_cast<int*>(arg);
   SandboxSyscall(__NR_futex, arg, FUTEX_WAKE, 1, 0, 0, 0);
   return NULL;
 }
 
 static void PthreadTest() {
   // Attempt to start a joinable thread. This should succeed.
@@ skipping 21 matching lines @@
   // run-time libraries other than glibc might call __NR_fork instead of
   // __NR_clone, and that would introduce a bogus test failure.
   int pid;
   BPF_ASSERT(SandboxSyscall(__NR_clone,
                             CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD,
                             0,
                             0,
                             &pid) == -EPERM);
 }
 
-BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); }
+BPF_TEST_C(SandboxBPF, PthreadEquality, PthreadPolicyEquality) {
+  PthreadTest();
+}
 
-BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); }
+BPF_TEST_C(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) {
+  PthreadTest();
+}
 
 }  // namespace
 
 }  // namespace sandbox