sandbox: Add support for the new seccomp() system call in kernel 3.17.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

Index: sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index c25d6cf61141fceb8c933b0581cf2c57ac5d7dd6..30a1ffd7056f35589ecdaa4cc067072bd0d9e425 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -28,6 +28,7 @@
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
+#include "base/synchronization/waitable_event.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
@@ -151,16 +152,19 @@ class BlacklistNanosleepPolicy : public SandboxBPFPolicy {
     }
   }
 
+  static void AssertNanosleepFails() {
+    const struct timespec ts = {0, 0};
+    errno = 0;
+    BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);

[jln (very slow on Chromium), 2014/08/21 18:47:09]

In theory despite the 0 time you should still handle EINTR.

[Robert Sesek, 2014/08/21 20:26:41]

Done.

+    BPF_ASSERT(errno == EACCES);
+  }
+
  private:
   DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
-  // nanosleep() should be denied
-  const struct timespec ts = {0, 0};
-  errno = 0;
-  BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
-  BPF_ASSERT(errno == EACCES);
+  BlacklistNanosleepPolicy::AssertNanosleepFails();
 }
 
 // Now do a simple whitelist test
@@ -2145,6 +2149,49 @@ BPF_TEST_C(SandboxBPF, Pread64, TrapPread64Policy) {
 
 #endif  // !defined(OS_ANDROID)
 
+void* TsyncApplyToTwoThreadsFunc(void* cond_ptr) {
+  base::WaitableEvent* event = static_cast<base::WaitableEvent*>(cond_ptr);
+
+  // Wait for the main thread to signal that the filter has been applied.
+  if (!event->IsSignaled()) {
+    event->Wait();
+  }
+
+  BPF_ASSERT(event->IsSignaled());
+
+  BlacklistNanosleepPolicy::AssertNanosleepFails();
+
+  return NULL;
+}
+
+SANDBOX_TEST(SandboxBPF, Tsync) {
+  if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() !=
+          SandboxBPF::STATUS_AVAILABLE) {
+    return;
+  }
+
+  base::WaitableEvent event(true, false);
+
+  // Create a thread on which to invoke the blocked syscall.
+  pthread_t thread;
+  BPF_ASSERT_EQ(0,
+      pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event));
+
+  // Engage the sandbox.
+  SandboxBPF sandbox;
+  sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy());
+  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
+
+  // This thread should have the filter applied as well.
+  BlacklistNanosleepPolicy::AssertNanosleepFails();

[jln (very slow on Chromium), 2014/08/21 18:47:09]

What I was suggesting was to return a bool and run that function before engaging
the sandbox as well.

That way you can test the function itself: it returns true before the sandbox is
engaged, it returns false after the sandbox is engaged.

I've seen tests like this become no-op before because the function was always
failing due to invalid parameters.

It's a bit of a detail, so up to you.

[Robert Sesek, 2014/08/21 20:26:41]

I didn't turn it into a function, since I like being able to reuse
AssertNanosleepFails(), but I did add this piece of the test.

+
+  // Signal the condition to invoke the system call.
+  event.Signal();
+
+  // Wait for the thread to finish.
+  BPF_ASSERT_EQ(0, pthread_join(thread, NULL));
+}
+
 }  // namespace
 
 }  // namespace sandbox