| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <netinet/in.h> | 8 #include <netinet/in.h> |
| 9 #include <sys/socket.h> | 9 #include <sys/socket.h> |
| 10 #include <sys/utsname.h> | 10 #include <sys/utsname.h> |
| (...skipping 14 matching lines...) Expand all Loading... |
| 25 namespace sandbox { | 25 namespace sandbox { |
| 26 namespace bpf_dsl { | 26 namespace bpf_dsl { |
| 27 namespace { | 27 namespace { |
| 28 | 28 |
| 29 // Type safe stubs for tested system calls. | 29 // Type safe stubs for tested system calls. |
| 30 class Stubs { | 30 class Stubs { |
| 31 public: | 31 public: |
| 32 static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); } | 32 static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); } |
| 33 static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); } | 33 static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); } |
| 34 static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); } | 34 static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); } |
| 35 static int setpgid(pid_t pid, pid_t pgid) { |
| 36 return Syscall::Call(__NR_setpgid, pid, pgid); |
| 37 } |
| 35 | 38 |
| 36 static int uname(struct utsname* buf) { | 39 static int uname(struct utsname* buf) { |
| 37 return Syscall::Call(__NR_uname, buf); | 40 return Syscall::Call(__NR_uname, buf); |
| 38 } | 41 } |
| 39 | 42 |
| 40 static int setresuid(uid_t ruid, uid_t euid, uid_t suid) { | 43 static int setresuid(uid_t ruid, uid_t euid, uid_t suid) { |
| 41 return Syscall::Call(__NR_setresuid, ruid, euid, suid); | 44 return Syscall::Call(__NR_setresuid, ruid, euid, suid); |
| 42 } | 45 } |
| 43 | 46 |
| 44 #if !defined(ARCH_CPU_X86) | 47 #if !defined(ARCH_CPU_X86) |
| (...skipping 160 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 205 virtual ~MaskingPolicy() {} | 208 virtual ~MaskingPolicy() {} |
| 206 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { | 209 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 207 if (sysno == __NR_setuid) { | 210 if (sysno == __NR_setuid) { |
| 208 const Arg<uid_t> uid(0); | 211 const Arg<uid_t> uid(0); |
| 209 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES)); | 212 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES)); |
| 210 } | 213 } |
| 211 if (sysno == __NR_setgid) { | 214 if (sysno == __NR_setgid) { |
| 212 const Arg<gid_t> gid(0); | 215 const Arg<gid_t> gid(0); |
| 213 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES)); | 216 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES)); |
| 214 } | 217 } |
| 218 if (sysno == __NR_setpgid) { |
| 219 const Arg<pid_t> pid(0); |
| 220 return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES)); |
| 221 } |
| 215 return Allow(); | 222 return Allow(); |
| 216 } | 223 } |
| 217 | 224 |
| 218 private: | 225 private: |
| 219 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy); | 226 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy); |
| 220 }; | 227 }; |
| 221 | 228 |
| 222 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) { | 229 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) { |
| 223 for (uid_t uid = 0; uid < 0x100; ++uid) { | 230 for (uid_t uid = 0; uid < 0x100; ++uid) { |
| 224 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES; | 231 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES; |
| 225 ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid); | 232 ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid); |
| 226 } | 233 } |
| 227 | 234 |
| 228 for (gid_t gid = 0; gid < 0x100; ++gid) { | 235 for (gid_t gid = 0; gid < 0x100; ++gid) { |
| 229 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES; | 236 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES; |
| 230 ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid); | 237 ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid); |
| 231 } | 238 } |
| 239 |
| 240 for (pid_t pid = 0; pid < 0x100; ++pid) { |
| 241 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES; |
| 242 ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0); |
| 243 } |
| 232 } | 244 } |
| 233 | 245 |
| 234 class ElseIfPolicy : public SandboxBPFDSLPolicy { | 246 class ElseIfPolicy : public SandboxBPFDSLPolicy { |
| 235 public: | 247 public: |
| 236 ElseIfPolicy() {} | 248 ElseIfPolicy() {} |
| 237 virtual ~ElseIfPolicy() {} | 249 virtual ~ElseIfPolicy() {} |
| 238 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { | 250 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { |
| 239 if (sysno == __NR_setuid) { | 251 if (sysno == __NR_setuid) { |
| 240 const Arg<uid_t> uid(0); | 252 const Arg<uid_t> uid(0); |
| 241 return If((uid & 0xfff) == 0, Error(0)) | 253 return If((uid & 0xfff) == 0, Error(0)) |
| (...skipping 17 matching lines...) Expand all Loading... |
| 259 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011); | 271 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011); |
| 260 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022); | 272 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022); |
| 261 | 273 |
| 262 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111); | 274 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111); |
| 263 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222); | 275 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222); |
| 264 } | 276 } |
| 265 | 277 |
| 266 } // namespace | 278 } // namespace |
| 267 } // namespace bpf_dsl | 279 } // namespace bpf_dsl |
| 268 } // namespace sandbox | 280 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 530133003:
bpf_dsl: support arbitrary (arg & mask) == val expressions (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master