Chromium Code Reviews Chromium Code Reviews
Issue 330723003:
Clean-up the SandboxSyscall interface (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <asm/unistd.h> | 5 #include <asm/unistd.h> |
| 6 #include <fcntl.h> | 6 #include <fcntl.h> |
| 7 #include <sys/mman.h> | 7 #include <sys/mman.h> |
| 8 #include <sys/syscall.h> | 8 #include <sys/syscall.h> |
| 9 #include <unistd.h> | 9 #include <unistd.h> |
| 10 | 10 |
| 11 #include <vector> | 11 #include <vector> |
| 12 | 12 |
| 13 #include "base/basictypes.h" | 13 #include "base/basictypes.h" |
| 14 #include "base/posix/eintr_wrapper.h" | 14 #include "base/posix/eintr_wrapper.h" |
| 15 #include "build/build_config.h" | |
| 15 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" | 16 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" |
| 16 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 17 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 17 #include "sandbox/linux/seccomp-bpf/syscall.h" | 18 #include "sandbox/linux/seccomp-bpf/syscall.h" |
| 18 #include "sandbox/linux/tests/unit_tests.h" | 19 #include "sandbox/linux/tests/unit_tests.h" |
| 19 #include "testing/gtest/include/gtest/gtest.h" | 20 #include "testing/gtest/include/gtest/gtest.h" |
| 20 | 21 |
| 21 namespace sandbox { | 22 namespace sandbox { |
| 22 | 23 |
| 23 namespace { | 24 namespace { |
| 24 | 25 |
| 25 // Different platforms use different symbols for the six-argument version | 26 // Different platforms use different symbols for the six-argument version |
| 26 // of the mmap() system call. Test for the correct symbol at compile time. | 27 // of the mmap() system call. Test for the correct symbol at compile time. |
| 27 #ifdef __NR_mmap2 | 28 #ifdef __NR_mmap2 |
| 28 const int kMMapNr = __NR_mmap2; | 29 const int kMMapNr = __NR_mmap2; |
| 29 #else | 30 #else |
| 30 const int kMMapNr = __NR_mmap; | 31 const int kMMapNr = __NR_mmap; |
| 31 #endif | 32 #endif |
| 32 | 33 |
| 33 TEST(Syscall, WellKnownEntryPoint) { | 34 TEST(Syscall, WellKnownEntryPoint) { |
| 34 // Test that SandboxSyscall(-1) is handled specially. Don't do this on ARM, | 35 // Test that Syscall::Call(-1) is handled specially. Don't do this on ARM, |
| 35 // where syscall(-1) crashes with SIGILL. Not running the test is fine, as we | 36 // where syscall(-1) crashes with SIGILL. Not running the test is fine, as we |
| 36 // are still testing ARM code in the next set of tests. | 37 // are still testing ARM code in the next set of tests. |
| 37 #if !defined(__arm__) | 38 #if !defined(__arm__) |
| 38 EXPECT_NE(SandboxSyscall(-1), syscall(-1)); | 39 EXPECT_NE(Syscall::Call(-1), syscall(-1)); |
| 39 #endif | 40 #endif |
| 40 | 41 |
| 41 // If possible, test that SandboxSyscall(-1) returns the address right after | 42 // If possible, test that Syscall::Call(-1) returns the address right |
| 43 // after | |
| 42 // a kernel entry point. | 44 // a kernel entry point. |
| 43 #if defined(__i386__) | 45 #if defined(__i386__) |
| 44 EXPECT_EQ(0x80CDu, ((uint16_t*)SandboxSyscall(-1))[-1]); // INT 0x80 | 46 EXPECT_EQ(0x80CDu, ((uint16_t*)Syscall::Call(-1))[-1]); // INT 0x80 |
| 45 #elif defined(__x86_64__) | 47 #elif defined(__x86_64__) |
| 46 EXPECT_EQ(0x050Fu, ((uint16_t*)SandboxSyscall(-1))[-1]); // SYSCALL | 48 EXPECT_EQ(0x050Fu, ((uint16_t*)Syscall::Call(-1))[-1]); // SYSCALL |
| 47 #elif defined(__arm__) | 49 #elif defined(__arm__) |
| 48 #if defined(__thumb__) | 50 #if defined(__thumb__) |
| 49 EXPECT_EQ(0xDF00u, ((uint16_t*)SandboxSyscall(-1))[-1]); // SWI 0 | 51 EXPECT_EQ(0xDF00u, ((uint16_t*)Syscall::Call(-1))[-1]); // SWI 0 |
| 50 #else | 52 #else |
| 51 EXPECT_EQ(0xEF000000u, ((uint32_t*)SandboxSyscall(-1))[-1]); // SVC 0 | 53 EXPECT_EQ(0xEF000000u, ((uint32_t*)Syscall::Call(-1))[-1]); // SVC 0 |
| 52 #endif | 54 #endif |
| 53 #else | 55 #else |
| 54 #warning Incomplete test case; need port for target platform | 56 #warning Incomplete test case; need port for target platform |
| 55 #endif | 57 #endif |
| 56 } | 58 } |
| 57 | 59 |
| 58 TEST(Syscall, TrivialSyscallNoArgs) { | 60 TEST(Syscall, TrivialSyscallNoArgs) { |
| 59 // Test that we can do basic system calls | 61 // Test that we can do basic system calls |
| 60 EXPECT_EQ(SandboxSyscall(__NR_getpid), syscall(__NR_getpid)); | 62 EXPECT_EQ(Syscall::Call(__NR_getpid), syscall(__NR_getpid)); |
| 61 } | 63 } |
| 62 | 64 |
| 63 TEST(Syscall, TrivialSyscallOneArg) { | 65 TEST(Syscall, TrivialSyscallOneArg) { |
| 64 int new_fd; | 66 int new_fd; |
| 65 // Duplicate standard error and close it. | 67 // Duplicate standard error and close it. |
| 66 ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0); | 68 ASSERT_GE(new_fd = Syscall::Call(__NR_dup, 2), 0); |
| 67 int close_return_value = IGNORE_EINTR(SandboxSyscall(__NR_close, new_fd)); | 69 int close_return_value = IGNORE_EINTR(Syscall::Call(__NR_close, new_fd)); |
| 68 ASSERT_EQ(close_return_value, 0); | 70 ASSERT_EQ(close_return_value, 0); |
| 69 } | 71 } |
| 70 | 72 |
| 73 TEST(Syscall, TrivialFailingSyscall) { | |
| 74 errno = 42; | |
|
mdempsky
2014/06/13 03:01:46
Perhaps set this to a negative value instead? POS
jln (very slow on Chromium)
2014/06/13 06:39:58
Done.
| |
| 75 int ret = Syscall::Call(__NR_dup, -1); | |
| 76 ASSERT_EQ(-EBADF, ret); | |
| 77 // Verify that Syscall::Call does not touch errno. | |
| 78 ASSERT_EQ(42, errno); | |
| 79 } | |
| 80 | |
| 71 // SIGSYS trap handler that will be called on __NR_uname. | 81 // SIGSYS trap handler that will be called on __NR_uname. |
| 72 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) { | 82 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) { |
| 73 // |aux| is our BPF_AUX pointer. | 83 // |aux| is our BPF_AUX pointer. |
| 74 std::vector<uint64_t>* const seen_syscall_args = | 84 std::vector<uint64_t>* const seen_syscall_args = |
| 75 static_cast<std::vector<uint64_t>*>(aux); | 85 static_cast<std::vector<uint64_t>*>(aux); |
| 76 BPF_ASSERT(arraysize(args.args) == 6); | 86 BPF_ASSERT(arraysize(args.args) == 6); |
| 77 seen_syscall_args->assign(args.args, args.args + arraysize(args.args)); | 87 seen_syscall_args->assign(args.args, args.args + arraysize(args.args)); |
| 78 return -ENOMEM; | 88 return -ENOMEM; |
| 79 } | 89 } |
| 80 | 90 |
| 81 ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, | 91 ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, |
| 82 int sysno, | 92 int sysno, |
| 83 std::vector<uint64_t>* aux) { | 93 std::vector<uint64_t>* aux) { |
| 84 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { | 94 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { |
| 85 return ErrorCode(ENOSYS); | 95 return ErrorCode(ENOSYS); |
| 86 } | 96 } |
| 87 if (sysno == __NR_uname) { | 97 if (sysno == __NR_uname) { |
| 88 return sandbox->Trap(CopySyscallArgsToAux, aux); | 98 return sandbox->Trap(CopySyscallArgsToAux, aux); |
| 89 } else { | 99 } else { |
| 90 return ErrorCode(ErrorCode::ERR_ALLOWED); | 100 return ErrorCode(ErrorCode::ERR_ALLOWED); |
| 91 } | 101 } |
| 92 } | 102 } |
| 93 | 103 |
| 94 // We are testing SandboxSyscall() by making use of a BPF filter that allows us | 104 // We are testing Syscall::Call() by making use of a BPF filter that |
| 105 // allows us | |
| 95 // to inspect the system call arguments that the kernel saw. | 106 // to inspect the system call arguments that the kernel saw. |
| 96 BPF_TEST(Syscall, | 107 BPF_TEST(Syscall, |
| 97 SyntheticSixArgs, | 108 SyntheticSixArgs, |
| 98 CopyAllArgsOnUnamePolicy, | 109 CopyAllArgsOnUnamePolicy, |
| 99 std::vector<uint64_t> /* (*BPF_AUX) */) { | 110 std::vector<uint64_t> /* (*BPF_AUX) */) { |
| 100 const int kExpectedValue = 42; | 111 const int kExpectedValue = 42; |
| 101 // In this test we only pass integers to the kernel. We might want to make | 112 // In this test we only pass integers to the kernel. We might want to make |
| 102 // additional tests to try other types. What we will see depends on | 113 // additional tests to try other types. What we will see depends on |
| 103 // implementation details of kernel BPF filters and we will need to document | 114 // implementation details of kernel BPF filters and we will need to document |
| 104 // the expected behavior very clearly. | 115 // the expected behavior very clearly. |
| 105 int syscall_args[6]; | 116 int syscall_args[6]; |
| 106 for (size_t i = 0; i < arraysize(syscall_args); ++i) { | 117 for (size_t i = 0; i < arraysize(syscall_args); ++i) { |
| 107 syscall_args[i] = kExpectedValue + i; | 118 syscall_args[i] = kExpectedValue + i; |
| 108 } | 119 } |
| 109 | 120 |
| 110 // We could use pretty much any system call we don't need here. uname() is | 121 // We could use pretty much any system call we don't need here. uname() is |
| 111 // nice because it doesn't have any dangerous side effects. | 122 // nice because it doesn't have any dangerous side effects. |
| 112 BPF_ASSERT(SandboxSyscall(__NR_uname, | 123 BPF_ASSERT(Syscall::Call(__NR_uname, |
| 113 syscall_args[0], | 124 syscall_args[0], |
| 114 syscall_args[1], | 125 syscall_args[1], |
| 115 syscall_args[2], | 126 syscall_args[2], |
| 116 syscall_args[3], | 127 syscall_args[3], |
| 117 syscall_args[4], | 128 syscall_args[4], |
| 118 syscall_args[5]) == -ENOMEM); | 129 syscall_args[5]) == -ENOMEM); |
| 119 | 130 |
| 120 // We expect the trap handler to have copied the 6 arguments. | 131 // We expect the trap handler to have copied the 6 arguments. |
| 121 BPF_ASSERT(BPF_AUX->size() == 6); | 132 BPF_ASSERT(BPF_AUX->size() == 6); |
| 122 | 133 |
| 123 // Don't loop here so that we can see which argument does cause the failure | 134 // Don't loop here so that we can see which argument does cause the failure |
| 124 // easily from the failing line. | 135 // easily from the failing line. |
| 125 // uint64_t is the type passed to our SIGSYS handler. | 136 // uint64_t is the type passed to our SIGSYS handler. |
| 126 BPF_ASSERT((*BPF_AUX)[0] == static_cast<uint64_t>(syscall_args[0])); | 137 BPF_ASSERT((*BPF_AUX)[0] == static_cast<uint64_t>(syscall_args[0])); |
| 127 BPF_ASSERT((*BPF_AUX)[1] == static_cast<uint64_t>(syscall_args[1])); | 138 BPF_ASSERT((*BPF_AUX)[1] == static_cast<uint64_t>(syscall_args[1])); |
| 128 BPF_ASSERT((*BPF_AUX)[2] == static_cast<uint64_t>(syscall_args[2])); | 139 BPF_ASSERT((*BPF_AUX)[2] == static_cast<uint64_t>(syscall_args[2])); |
| 129 BPF_ASSERT((*BPF_AUX)[3] == static_cast<uint64_t>(syscall_args[3])); | 140 BPF_ASSERT((*BPF_AUX)[3] == static_cast<uint64_t>(syscall_args[3])); |
| 130 BPF_ASSERT((*BPF_AUX)[4] == static_cast<uint64_t>(syscall_args[4])); | 141 BPF_ASSERT((*BPF_AUX)[4] == static_cast<uint64_t>(syscall_args[4])); |
| 131 BPF_ASSERT((*BPF_AUX)[5] == static_cast<uint64_t>(syscall_args[5])); | 142 BPF_ASSERT((*BPF_AUX)[5] == static_cast<uint64_t>(syscall_args[5])); |
| 132 } | 143 } |
| 133 | 144 |
| 134 TEST(Syscall, ComplexSyscallSixArgs) { | 145 TEST(Syscall, ComplexSyscallSixArgs) { |
| 135 int fd; | 146 int fd; |
| 136 ASSERT_LE(0, fd = SandboxSyscall(__NR_open, "/dev/null", O_RDWR, 0L)); | 147 ASSERT_LE(0, fd = Syscall::Call(__NR_open, "/dev/null", O_RDWR, 0L)); |
| 137 | 148 |
| 138 // Use mmap() to allocate some read-only memory | 149 // Use mmap() to allocate some read-only memory |
| 139 char* addr0; | 150 char* addr0; |
| 140 ASSERT_NE((char*)NULL, | 151 ASSERT_NE( |
| 141 addr0 = reinterpret_cast<char*>( | 152 (char*)NULL, |
| 142 SandboxSyscall(kMMapNr, | 153 addr0 = reinterpret_cast<char*>(Syscall::Call(kMMapNr, |
| 143 (void*)NULL, | 154 (void*)NULL, |
| 144 4096, | 155 4096, |
| 145 PROT_READ, | 156 PROT_READ, |
| 146 MAP_PRIVATE | MAP_ANONYMOUS, | 157 MAP_PRIVATE | MAP_ANONYMOUS, |
| 147 fd, | 158 fd, |
| 148 0L))); | 159 0L))); |
| 149 | 160 |
| 150 // Try to replace the existing mapping with a read-write mapping | 161 // Try to replace the existing mapping with a read-write mapping |
| 151 char* addr1; | 162 char* addr1; |
| 152 ASSERT_EQ(addr0, | 163 ASSERT_EQ(addr0, |
| 153 addr1 = reinterpret_cast<char*>( | 164 addr1 = reinterpret_cast<char*>( |
| 154 SandboxSyscall(kMMapNr, | 165 Syscall::Call(kMMapNr, |
| 155 addr0, | 166 addr0, |
| 156 4096L, | 167 4096L, |
| 157 PROT_READ | PROT_WRITE, | 168 PROT_READ | PROT_WRITE, |
| 158 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, | 169 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, |
| 159 fd, | 170 fd, |
| 160 0L))); | 171 0L))); |
| 161 ++*addr1; // This should not seg fault | 172 ++*addr1; // This should not seg fault |
| 162 | 173 |
| 163 // Clean up | 174 // Clean up |
| 164 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr1, 4096L)); | 175 EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr1, 4096L)); |
| 165 EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd))); | 176 EXPECT_EQ(0, IGNORE_EINTR(Syscall::Call(__NR_close, fd))); |
| 166 | 177 |
| 167 // Check that the offset argument (i.e. the sixth argument) is processed | 178 // Check that the offset argument (i.e. the sixth argument) is processed |
| 168 // correctly. | 179 // correctly. |
| 169 ASSERT_GE(fd = SandboxSyscall(__NR_open, "/proc/self/exe", O_RDONLY, 0L), 0); | 180 ASSERT_GE(fd = Syscall::Call(__NR_open, "/proc/self/exe", O_RDONLY, 0L), 0); |
| 170 char* addr2, *addr3; | 181 char* addr2, *addr3; |
| 171 ASSERT_NE((char*)NULL, | 182 ASSERT_NE((char*)NULL, |
| 172 addr2 = reinterpret_cast<char*>(SandboxSyscall( | 183 addr2 = reinterpret_cast<char*>(Syscall::Call( |
| 173 kMMapNr, (void*)NULL, 8192L, PROT_READ, MAP_PRIVATE, fd, 0L))); | 184 kMMapNr, (void*)NULL, 8192L, PROT_READ, MAP_PRIVATE, fd, 0L))); |
| 174 ASSERT_NE((char*)NULL, | 185 ASSERT_NE((char*)NULL, |
| 175 addr3 = reinterpret_cast<char*>(SandboxSyscall(kMMapNr, | 186 addr3 = reinterpret_cast<char*>(Syscall::Call(kMMapNr, |
| 176 (void*)NULL, | 187 (void*)NULL, |
| 177 4096L, | 188 4096L, |
| 178 PROT_READ, | 189 PROT_READ, |
| 179 MAP_PRIVATE, | 190 MAP_PRIVATE, |
| 180 fd, | 191 fd, |
| 181 #if defined(__NR_mmap2) | 192 #if defined(__NR_mmap2) |
| 182 1L | 193 1L |
| 183 #else | 194 #else |
| 184 4096L | 195 4096L |
| 185 #endif | 196 #endif |
| 186 ))); | 197 ))); |
| 187 EXPECT_EQ(0, memcmp(addr2 + 4096, addr3, 4096)); | 198 EXPECT_EQ(0, memcmp(addr2 + 4096, addr3, 4096)); |
| 188 | 199 |
| 189 // Just to be absolutely on the safe side, also verify that the file | 200 // Just to be absolutely on the safe side, also verify that the file |
| 190 // contents matches what we are getting from a read() operation. | 201 // contents matches what we are getting from a read() operation. |
| 191 char buf[8192]; | 202 char buf[8192]; |
| 192 EXPECT_EQ(8192, SandboxSyscall(__NR_read, fd, buf, 8192L)); | 203 EXPECT_EQ(8192, Syscall::Call(__NR_read, fd, buf, 8192L)); |
| 193 EXPECT_EQ(0, memcmp(addr2, buf, 8192)); | 204 EXPECT_EQ(0, memcmp(addr2, buf, 8192)); |
| 194 | 205 |
| 195 // Clean up | 206 // Clean up |
| 196 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L)); | 207 EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr2, 8192L)); |
| 197 EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L)); | 208 EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr3, 4096L)); |
| 198 EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd))); | 209 EXPECT_EQ(0, IGNORE_EINTR(Syscall::Call(__NR_close, fd))); |
| 199 } | 210 } |
| 200 | 211 |
| 201 } // namespace | 212 } // namespace |
| 202 | 213 |
| 203 } // namespace sandbox | 214 } // namespace sandbox |
| OLD | NEW |
