sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc - Issue 721553002: sandbox: Extend BrokerPolicy to support file creation

Side by Side Diff: sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc

Issue 721553002: sandbox: Extend BrokerPolicy to support file creation (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: lame Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"	5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"

6	6

7 #include <errno.h>	7 #include <errno.h>

8 #include <fcntl.h>	8 #include <fcntl.h>

9 #include <pthread.h>	9 #include <pthread.h>

10 #include <sched.h>	10 #include <sched.h>

(...skipping 23 matching lines...) Expand all Loading...
34 #include "build/build_config.h"	34 #include "build/build_config.h"

35 #include "sandbox/linux/bpf_dsl/policy.h"	35 #include "sandbox/linux/bpf_dsl/policy.h"

36 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"	36 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"

37 #include "sandbox/linux/seccomp-bpf/die.h"	37 #include "sandbox/linux/seccomp-bpf/die.h"

38 #include "sandbox/linux/seccomp-bpf/errorcode.h"	38 #include "sandbox/linux/seccomp-bpf/errorcode.h"

39 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"	39 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"

40 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"	40 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

41 #include "sandbox/linux/seccomp-bpf/syscall.h"	41 #include "sandbox/linux/seccomp-bpf/syscall.h"

42 #include "sandbox/linux/seccomp-bpf/trap.h"	42 #include "sandbox/linux/seccomp-bpf/trap.h"

43 #include "sandbox/linux/services/linux_syscalls.h"	43 #include "sandbox/linux/services/linux_syscalls.h"

	44 #include "sandbox/linux/syscall_broker/broker_file_permission.h"

44 #include "sandbox/linux/syscall_broker/broker_process.h"	45 #include "sandbox/linux/syscall_broker/broker_process.h"

45 #include "sandbox/linux/tests/scoped_temporary_file.h"	46 #include "sandbox/linux/tests/scoped_temporary_file.h"

46 #include "sandbox/linux/tests/unit_tests.h"	47 #include "sandbox/linux/tests/unit_tests.h"

47 #include "testing/gtest/include/gtest/gtest.h"	48 #include "testing/gtest/include/gtest/gtest.h"

48	49

49 // Workaround for Android's prctl.h file.	50 // Workaround for Android's prctl.h file.

50 #ifndef PR_GET_ENDIAN	51 #ifndef PR_GET_ENDIAN

51 #define PR_GET_ENDIAN 19	52 #define PR_GET_ENDIAN 19

52 #endif	53 #endif

53 #ifndef PR_CAPBSET_READ	54 #ifndef PR_CAPBSET_READ

(...skipping 694 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
748	749

749 bool NoOpCallback() {	750 bool NoOpCallback() {

750 return true;	751 return true;

751 }	752 }

752	753

753 // Test a trap handler that makes use of a broker process to open().	754 // Test a trap handler that makes use of a broker process to open().

754	755

755 class InitializedOpenBroker {	756 class InitializedOpenBroker {

756 public:	757 public:

757 InitializedOpenBroker() : initialized_(false) {	758 InitializedOpenBroker() : initialized_(false) {

758 std::vector<std::string> allowed_files;	759 std::vector<syscall_broker::BrokerFilePermission> permissions;

759 allowed_files.push_back("/proc/allowed");	760 permissions.push_back(

760 allowed_files.push_back("/proc/cpuinfo");	761 syscall_broker::BrokerFilePermission::ReadOnly("/proc/allowed"));

	762 permissions.push_back(

	763 syscall_broker::BrokerFilePermission::ReadOnly("/proc/cpuinfo"));

761	764

762 broker_process_.reset(new syscall_broker::BrokerProcess(	765 broker_process_.reset(

763 EPERM, allowed_files, std::vector<std::string>()));	766 new syscall_broker::BrokerProcess(EPERM, permissions));

764 BPF_ASSERT(broker_process() != NULL);	767 BPF_ASSERT(broker_process() != NULL);

765 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));	768 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));

766	769

767 initialized_ = true;	770 initialized_ = true;

768 }	771 }

769 bool initialized() { return initialized_; }	772 bool initialized() { return initialized_; }

770 class syscall_broker::BrokerProcess* broker_process() {	773 class syscall_broker::BrokerProcess* broker_process() {

771 return broker_process_.get();	774 return broker_process_.get();

772 }	775 }

773	776

(...skipping 1619 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2393 BPF_ASSERT_EQ(ENOSYS, errno);	2396 BPF_ASSERT_EQ(ENOSYS, errno);

2394	2397

2395 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));	2398 BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));

2396 BPF_ASSERT_EQ(EPERM, errno);	2399 BPF_ASSERT_EQ(EPERM, errno);

2397 }	2400 }

2398	2401

2399 } // namespace	2402 } // namespace

2400	2403

2401 } // namespace bpf_dsl	2404 } // namespace bpf_dsl

2402 } // namespace sandbox	2405 } // namespace sandbox

OLD	NEW

« no previous file with comments | « sandbox/linux/BUILD.gn ('k') | sandbox/linux/sandbox_linux.gypi » ('j') | sandbox/linux/syscall_broker/broker_file_permission.h » ('J')