sandbox: Convert remaining legacy tests to use policy classes

sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 
 #include <errno.h>
+#include <fcntl.h>
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/utsname.h>
 #include <unistd.h>
 #include <sys/socket.h>
 
 #if defined(ANDROID)
 // Work-around for buggy headers in Android's NDK
 #define __user
 #endif
 #include <linux/futex.h>
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/services/broker_process.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/tests/scoped_temporary_file.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 // Workaround for Android's prctl.h file.
 #ifndef PR_GET_ENDIAN
@@ skipping 160 matching lines @@
 }
 
 // A simple blacklist policy, with a SIGSYS handler
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
   // We also check that the auxiliary data is correct
   SANDBOX_ASSERT(aux);
   *(static_cast<int*>(aux)) = kExpectedReturnValue;
   return -ENOMEM;
 }
 
-ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
-                                         int sysno,
-                                         int* aux) {
-  DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
-  switch (sysno) {
-    case __NR_nanosleep:
-      return sandbox->Trap(EnomemHandler, aux);
-    default:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+class BlacklistNanosleepTrapPolicy : public SandboxBPFDSLPolicy {
+ public:
+  BlacklistNanosleepTrapPolicy(int* aux) : aux_(aux) {}

[jln (very slow on Chromium), 2014/09/23 18:42:06]

nit: explicit

[mdempsky, 2014/09/23 18:50:20]

Done.

+  virtual ~BlacklistNanosleepTrapPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    switch (sysno) {
+      case __NR_nanosleep:
+        return Trap(EnomemHandler, aux_);
+      default:
+        return Allow();
+    }
   }
-}
+
+ private:
+  int* aux_;
+
+  DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepTrapPolicy);
+};
 
 BPF_TEST(SandboxBPF,
          BasicBlacklistWithSigsys,
-         BlacklistNanosleepPolicySigsys,
+         BlacklistNanosleepTrapPolicy,
          int /* (*BPF_AUX) */) {
   // getpid() should work properly
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // Our Auxiliary Data, should be reset by the signal handler
   *BPF_AUX = -1;
   const struct timespec ts = {0, 0};
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
@@ skipping 256 matching lines @@
 
   // Verify that within the callback function all filtering is temporarily
   // disabled.
   BPF_ASSERT(syscall(__NR_getpid) > 1);
 
   // Verify that we can now call the underlying system call without causing
   // infinite recursion.
   return SandboxBPF::ForwardSyscall(args);
 }
 
-ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, int* aux) {
-  // Set the global environment for unsafe traps once.
-  if (sysno == MIN_SYSCALL) {
+class GreyListedPolicy : public SandboxBPFDSLPolicy {
+ public:
+  GreyListedPolicy(int* aux) : aux_(aux) {

[jln (very slow on Chromium), 2014/09/23 18:42:06]

Nit: explicit

[mdempsky, 2014/09/23 18:50:19]

Done.

+    // Set the global environment for unsafe traps once.
     EnableUnsafeTraps();
   }
+  virtual ~GreyListedPolicy() {}
 
-  // Some system calls must always be allowed, if our policy wants to make
-  // use of UnsafeTrap()
-  if (SandboxBPF::IsRequiredForUnsafeTrap(sysno)) {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
-  } else if (sysno == __NR_getpid) {
-    // Disallow getpid()
-    return ErrorCode(EPERM);
-  } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // Allow (and count) all other system calls.
-    return sandbox->UnsafeTrap(CountSyscalls, aux);
-  } else {
-    return ErrorCode(ENOSYS);
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    // Some system calls must always be allowed, if our policy wants to make
+    // use of UnsafeTrap()
+    if (SandboxBPF::IsRequiredForUnsafeTrap(sysno)) {
+      return Allow();
+    } else if (sysno == __NR_getpid) {
+      // Disallow getpid()
+      return Error(EPERM);
+    } else {
+      // Allow (and count) all other system calls.
+      return UnsafeTrap(CountSyscalls, aux_);
+    }
   }
-}
+
+ private:
+  int* aux_;
+
+  DISALLOW_COPY_AND_ASSIGN(GreyListedPolicy);
+};
 
 BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* (*BPF_AUX) */) {
   BPF_ASSERT(syscall(__NR_getpid) == -1);
   BPF_ASSERT(errno == EPERM);
   BPF_ASSERT(*BPF_AUX == 0);
   BPF_ASSERT(syscall(__NR_geteuid) == syscall(__NR_getuid));
   BPF_ASSERT(*BPF_AUX == 2);
   char name[17] = {};
   BPF_ASSERT(!syscall(__NR_prctl,
                       PR_GET_NAME,
@@ skipping 239 matching lines @@
       // the openat() system call.
       BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
       return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
                                   static_cast<int>(args.args[2]));
     default:
       BPF_ASSERT(false);
       return -ENOSYS;
   }
 }
 
-ErrorCode DenyOpenPolicy(SandboxBPF* sandbox,
-                         int sysno,
-                         InitializedOpenBroker* iob) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    return ErrorCode(ENOSYS);
+class DenyOpenPolicy : public SandboxBPFDSLPolicy {
+ public:
+  DenyOpenPolicy(InitializedOpenBroker* iob) : iob_(iob) {}

[jln (very slow on Chromium), 2014/09/23 18:42:06]

nit: explicit

[mdempsky, 2014/09/23 18:50:19]

Done.

+  virtual ~DenyOpenPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+
+    switch (sysno) {
+      case __NR_faccessat:
+#if defined(__NR_access)
+      case __NR_access:
+#endif
+#if defined(__NR_open)
+      case __NR_open:
+#endif
+      case __NR_openat:
+        // We get a InitializedOpenBroker class, but our trap handler wants
+        // the BrokerProcess object.
+        return Trap(BrokerOpenTrapHandler, iob_->broker_process());
+      default:
+        return Allow();
+    }
   }
 
-  switch (sysno) {
-    case __NR_faccessat:
-#if defined(__NR_access)
-    case __NR_access:
-#endif
-#if defined(__NR_open)
-    case __NR_open:
-#endif
-    case __NR_openat:
-      // We get a InitializedOpenBroker class, but our trap handler wants
-      // the BrokerProcess object.
-      return ErrorCode(
-          sandbox->Trap(BrokerOpenTrapHandler, iob->broker_process()));
-    default:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
-  }
-}
+ private:
+  InitializedOpenBroker* iob_;
+
+  DISALLOW_COPY_AND_ASSIGN(DenyOpenPolicy);
+};
 
 // We use a InitializedOpenBroker class, so that we can run unsandboxed
 // code in its constructor, which is the only way to do so in a BPF_TEST.
 BPF_TEST(SandboxBPF,
          UseOpenBroker,
          DenyOpenPolicy,
          InitializedOpenBroker /* (*BPF_AUX) */) {
   BPF_ASSERT(BPF_AUX->initialized());
   BrokerProcess* broker_process = BPF_AUX->broker_process();
   BPF_ASSERT(broker_process != NULL);
@@ skipping 128 matching lines @@
   }
 
   ~EqualityStressTest() {
     for (std::vector<ArgValue*>::iterator iter = arg_values_.begin();
          iter != arg_values_.end();
          ++iter) {
       DeleteArgValue(*iter);
     }
   }
 
-  ErrorCode Policy(SandboxBPF* sandbox, int sysno) {
-    if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-      // FIXME: we should really not have to do that in a trivial policy
-      return ErrorCode(ENOSYS);
-    } else if (sysno < 0 || sysno >= (int)arg_values_.size() ||
-               IsReservedSyscall(sysno)) {
+  ResultExpr Policy(int sysno) {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    if (sysno < 0 || sysno >= (int)arg_values_.size() ||
+        IsReservedSyscall(sysno)) {
       // We only return ErrorCode values for the system calls that
       // are part of our test data. Every other system call remains
       // allowed.
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
     } else {
       // ToErrorCode() turns an ArgValue object into an ErrorCode that is
       // suitable for use by a sandbox policy.
-      return ToErrorCode(sandbox, arg_values_[sysno]);
+      return ToErrorCode(arg_values_[sysno]);
     }
   }
 
   void VerifyFilter() {
     // Iterate over all system calls. Skip the system calls that have
     // previously been determined as being reserved.
     for (int sysno = 0; sysno < (int)arg_values_.size(); ++sysno) {
       if (!arg_values_[sysno]) {
         // Skip reserved system calls.
         continue;
@@ skipping 126 matching lines @@
         }
         delete[] arg_value->tests;
       }
       if (!arg_value->err) {
         DeleteArgValue(arg_value->arg_value);
       }
       delete arg_value;
     }
   }
 
-  ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) {
-    // Compute the ErrorCode that should be returned, if none of our
+  ResultExpr ToErrorCode(ArgValue* arg_value) {
+    // Compute the ResultExpr that should be returned, if none of our
     // tests succeed (i.e. the system call parameter doesn't match any
     // of the values in arg_value->tests[].k_value).
-    ErrorCode err;
+    ResultExpr err;
     if (arg_value->err) {
       // If this was a leaf node, return the errno value that we expect to
       // return from the BPF filter program.
-      err = ErrorCode(arg_value->err);
+      err = Error(arg_value->err);
     } else {
       // If this wasn't a leaf node yet, recursively descend into the rest
       // of the tree. This will end up adding a few more SandboxBPF::Cond()
       // tests to our ErrorCode.
-      err = ToErrorCode(sandbox, arg_value->arg_value);
+      err = ToErrorCode(arg_value->arg_value);
     }
 
     // Now, iterate over all the test cases that we want to compare against.
     // This builds a chain of SandboxBPF::Cond() tests
     // (aka "if ... elif ... elif ... elif ... fi")
     for (int n = arg_value->size; n-- > 0;) {
-      ErrorCode matched;
+      ResultExpr matched;
       // Again, we distinguish between leaf nodes and subtrees.
       if (arg_value->tests[n].err) {
-        matched = ErrorCode(arg_value->tests[n].err);
+        matched = Error(arg_value->tests[n].err);
       } else {
-        matched = ToErrorCode(sandbox, arg_value->tests[n].arg_value);
+        matched = ToErrorCode(arg_value->tests[n].arg_value);
       }
       // For now, all of our tests are limited to 32bit.
       // We have separate tests that check the behavior of 32bit vs. 64bit
       // conditional expressions.
-      err = sandbox->Cond(arg_value->argno,
-                          ErrorCode::TP_32BIT,
-                          ErrorCode::OP_EQUAL,
-                          arg_value->tests[n].k_value,
-                          matched,
-                          err);
+      const Arg<uint32_t> arg(arg_value->argno);
+      err = If(arg == arg_value->tests[n].k_value, matched).Else(err);
     }
     return err;
   }
 
   void Verify(int sysno, intptr_t* args, const ArgValue& arg_value) {
     uint32_t mismatched = 0;
     // Iterate over all the k_values in arg_value.tests[] and verify that
     // we see the expected return values from system calls, when we pass
     // the k_value as a parameter in a system call.
     for (int n = arg_value.size; n-- > 0;) {
@@ skipping 49 matching lines @@
   // increased too much, the test will start failing.
 #if defined(__aarch64__)
   static const int kNumTestCases = 30;
 #else
   static const int kNumTestCases = 40;
 #endif
   static const int kMaxFanOut = 3;
   static const int kMaxArgs = 6;
 };
 
-ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox,
-                                   int sysno,
-                                   EqualityStressTest* aux) {
-  DCHECK(aux);
-  return aux->Policy(sandbox, sysno);
-}
+class EqualityStressTestPolicy : public SandboxBPFDSLPolicy {
+ public:
+  EqualityStressTestPolicy(EqualityStressTest* aux) : aux_(aux) {}

[jln (very slow on Chromium), 2014/09/23 18:42:06]

nit: explicit

[mdempsky, 2014/09/23 18:50:19]

Done.

+  virtual ~EqualityStressTestPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+    return aux_->Policy(sysno);
+  }
+
+ private:
+  EqualityStressTest* aux_;
+
+  DISALLOW_COPY_AND_ASSIGN(EqualityStressTestPolicy);
+};
 
 BPF_TEST(SandboxBPF,
          EqualityTests,
          EqualityStressTestPolicy,
          EqualityStressTest /* (*BPF_AUX) */) {
   BPF_AUX->VerifyFilter();
 }
 
 class EqualityArgumentWidthPolicy : public SandboxBPFDSLPolicy {
  public:
@@ skipping 1122 matching lines @@
   BPF_ASSERT_EQ(ENOSYS, errno);
 
   BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));
   BPF_ASSERT_EQ(EPERM, errno);
 }
 
 }  // namespace
 
 }  // namespace bpf_dsl
 }  // namespace sandbox