1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <errno.h>
6 #include <pthread.h>
7 #include <sched.h>
8 #include <signal.h>
9 #include <sys/prctl.h>
10 #include <sys/ptrace.h>
11 #include <sys/syscall.h>
12 #include <sys/time.h>
13 #include <sys/types.h>
14 #include <sys/utsname.h>
15 #include <unistd.h>
16
17 #if defined(ANDROID)
18 // Work-around for buggy headers in Android's NDK
19 #define __user
20 #endif
21 #include <linux/futex.h>
22
23 #include <ostream>
24
25 #include "base/bind.h"
26 #include "base/logging.h"
27 #include "base/macros.h"
28 #include "base/memory/scoped_ptr.h"
29 #include "base/posix/eintr_wrapper.h"
30 #include "build/build_config.h"
31 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
32 #include "sandbox/linux/seccomp-bpf/syscall.h"
33 #include "sandbox/linux/seccomp-bpf/trap.h"
34 #include "sandbox/linux/seccomp-bpf/verifier.h"
35 #include "sandbox/linux/services/broker_process.h"
36 #include "sandbox/linux/services/linux_syscalls.h"
37 #include "sandbox/linux/tests/unit_tests.h"
38 #include "testing/gtest/include/gtest/gtest.h"
39
40 // Workaround for Android's prctl.h file.
41 #ifndef PR_GET_ENDIAN
42 #define PR_GET_ENDIAN 19
43 #endif
44 #ifndef PR_CAPBSET_READ
45 #define PR_CAPBSET_READ 23
46 #define PR_CAPBSET_DROP 24
47 #endif
48
49 namespace sandbox {
50
51 namespace {
52
53 const int kExpectedReturnValue = 42;
54 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING";
55
56 // This test should execute no matter whether we have kernel support. So,
57 // we make it a TEST() instead of a BPF_TEST().
TEST(SandboxBPF,DISABLE_ON_TSAN (CallSupports))58 TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupports)) {
59 // We check that we don't crash, but it's ok if the kernel doesn't
60 // support it.
61 bool seccomp_bpf_supported =
62 SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE;
63 // We want to log whether or not seccomp BPF is actually supported
64 // since actual test coverage depends on it.
65 RecordProperty("SeccompBPFSupported",
66 seccomp_bpf_supported ? "true." : "false.");
67 std::cout << "Seccomp BPF supported: "
68 << (seccomp_bpf_supported ? "true." : "false.") << "\n";
69 RecordProperty("PointerSize", sizeof(void*));
70 std::cout << "Pointer size: " << sizeof(void*) << "\n";
71 }
72
SANDBOX_TEST(SandboxBPF,DISABLE_ON_TSAN (CallSupportsTwice))73 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupportsTwice)) {
74 SandboxBPF::SupportsSeccompSandbox(-1);
75 SandboxBPF::SupportsSeccompSandbox(-1);
76 }
77
78 // BPF_TEST does a lot of the boiler-plate code around setting up a
79 // policy and optional passing data between the caller, the policy and
80 // any Trap() handlers. This is great for writing short and concise tests,
81 // and it helps us accidentally forgetting any of the crucial steps in
82 // setting up the sandbox. But it wouldn't hurt to have at least one test
83 // that explicitly walks through all these steps.
84
IncreaseCounter(const struct arch_seccomp_data & args,void * aux)85 intptr_t IncreaseCounter(const struct arch_seccomp_data& args, void* aux) {
86 BPF_ASSERT(aux);
87 int* counter = static_cast<int*>(aux);
88 return (*counter)++;
89 }
90
91 class VerboseAPITestingPolicy : public SandboxBPFPolicy {
92 public:
VerboseAPITestingPolicy(int * counter_ptr)93 VerboseAPITestingPolicy(int* counter_ptr) : counter_ptr_(counter_ptr) {}
94
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const95 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
96 int sysno) const OVERRIDE {
97 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
98 if (sysno == __NR_uname) {
99 return sandbox->Trap(IncreaseCounter, counter_ptr_);
100 }
101 return ErrorCode(ErrorCode::ERR_ALLOWED);
102 }
103
104 private:
105 int* counter_ptr_;
106 DISALLOW_COPY_AND_ASSIGN(VerboseAPITestingPolicy);
107 };
108
SANDBOX_TEST(SandboxBPF,DISABLE_ON_TSAN (VerboseAPITesting))109 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
110 if (SandboxBPF::SupportsSeccompSandbox(-1) ==
111 sandbox::SandboxBPF::STATUS_AVAILABLE) {
112 static int counter = 0;
113
114 SandboxBPF sandbox;
115 sandbox.SetSandboxPolicy(new VerboseAPITestingPolicy(&counter));
116 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
117
118 BPF_ASSERT_EQ(0, counter);
119 BPF_ASSERT_EQ(0, syscall(__NR_uname, 0));
120 BPF_ASSERT_EQ(1, counter);
121 BPF_ASSERT_EQ(1, syscall(__NR_uname, 0));
122 BPF_ASSERT_EQ(2, counter);
123 }
124 }
125
126 // A simple blacklist test
127
128 class BlacklistNanosleepPolicy : public SandboxBPFPolicy {
129 public:
BlacklistNanosleepPolicy()130 BlacklistNanosleepPolicy() {}
EvaluateSyscall(SandboxBPF *,int sysno) const131 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
132 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
133 switch (sysno) {
134 case __NR_nanosleep:
135 return ErrorCode(EACCES);
136 default:
137 return ErrorCode(ErrorCode::ERR_ALLOWED);
138 }
139 }
140
141 private:
142 DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy);
143 };
144
BPF_TEST_C(SandboxBPF,ApplyBasicBlacklistPolicy,BlacklistNanosleepPolicy)145 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
146 // nanosleep() should be denied
147 const struct timespec ts = {0, 0};
148 errno = 0;
149 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
150 BPF_ASSERT(errno == EACCES);
151 }
152
153 // Now do a simple whitelist test
154
155 class WhitelistGetpidPolicy : public SandboxBPFPolicy {
156 public:
WhitelistGetpidPolicy()157 WhitelistGetpidPolicy() {}
EvaluateSyscall(SandboxBPF *,int sysno) const158 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
159 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
160 switch (sysno) {
161 case __NR_getpid:
162 case __NR_exit_group:
163 return ErrorCode(ErrorCode::ERR_ALLOWED);
164 default:
165 return ErrorCode(ENOMEM);
166 }
167 }
168
169 private:
170 DISALLOW_COPY_AND_ASSIGN(WhitelistGetpidPolicy);
171 };
172
BPF_TEST_C(SandboxBPF,ApplyBasicWhitelistPolicy,WhitelistGetpidPolicy)173 BPF_TEST_C(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
174 // getpid() should be allowed
175 errno = 0;
176 BPF_ASSERT(syscall(__NR_getpid) > 0);
177 BPF_ASSERT(errno == 0);
178
179 // getpgid() should be denied
180 BPF_ASSERT(getpgid(0) == -1);
181 BPF_ASSERT(errno == ENOMEM);
182 }
183
184 // A simple blacklist policy, with a SIGSYS handler
EnomemHandler(const struct arch_seccomp_data & args,void * aux)185 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
186 // We also check that the auxiliary data is correct
187 SANDBOX_ASSERT(aux);
188 *(static_cast<int*>(aux)) = kExpectedReturnValue;
189 return -ENOMEM;
190 }
191
BlacklistNanosleepPolicySigsys(SandboxBPF * sandbox,int sysno,int * aux)192 ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
193 int sysno,
194 int* aux) {
195 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
196 switch (sysno) {
197 case __NR_nanosleep:
198 return sandbox->Trap(EnomemHandler, aux);
199 default:
200 return ErrorCode(ErrorCode::ERR_ALLOWED);
201 }
202 }
203
BPF_TEST(SandboxBPF,BasicBlacklistWithSigsys,BlacklistNanosleepPolicySigsys,int)204 BPF_TEST(SandboxBPF,
205 BasicBlacklistWithSigsys,
206 BlacklistNanosleepPolicySigsys,
207 int /* (*BPF_AUX) */) {
208 // getpid() should work properly
209 errno = 0;
210 BPF_ASSERT(syscall(__NR_getpid) > 0);
211 BPF_ASSERT(errno == 0);
212
213 // Our Auxiliary Data, should be reset by the signal handler
214 *BPF_AUX = -1;
215 const struct timespec ts = {0, 0};
216 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
217 BPF_ASSERT(errno == ENOMEM);
218
219 // We expect the signal handler to modify AuxData
220 BPF_ASSERT(*BPF_AUX == kExpectedReturnValue);
221 }
222
223 // A simple test that verifies we can return arbitrary errno values.
224
225 class ErrnoTestPolicy : public SandboxBPFPolicy {
226 public:
ErrnoTestPolicy()227 ErrnoTestPolicy() {}
228 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE;
229
230 private:
231 DISALLOW_COPY_AND_ASSIGN(ErrnoTestPolicy);
232 };
233
EvaluateSyscall(SandboxBPF *,int sysno) const234 ErrorCode ErrnoTestPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
235 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
236 switch (sysno) {
237 #if defined(ANDROID)
238 case __NR_dup3: // dup2 is a wrapper of dup3 in android
239 #else
240 case __NR_dup2:
241 #endif
242 // Pretend that dup2() worked, but don't actually do anything.
243 return ErrorCode(0);
244 case __NR_setuid:
245 #if defined(__NR_setuid32)
246 case __NR_setuid32:
247 #endif
248 // Return errno = 1.
249 return ErrorCode(1);
250 case __NR_setgid:
251 #if defined(__NR_setgid32)
252 case __NR_setgid32:
253 #endif
254 // Return maximum errno value (typically 4095).
255 return ErrorCode(ErrorCode::ERR_MAX_ERRNO);
256 case __NR_uname:
257 // Return errno = 42;
258 return ErrorCode(42);
259 default:
260 return ErrorCode(ErrorCode::ERR_ALLOWED);
261 }
262 }
263
BPF_TEST_C(SandboxBPF,ErrnoTest,ErrnoTestPolicy)264 BPF_TEST_C(SandboxBPF, ErrnoTest, ErrnoTestPolicy) {
265 // Verify that dup2() returns success, but doesn't actually run.
266 int fds[4];
267 BPF_ASSERT(pipe(fds) == 0);
268 BPF_ASSERT(pipe(fds + 2) == 0);
269 BPF_ASSERT(dup2(fds[2], fds[0]) == 0);
270 char buf[1] = {};
271 BPF_ASSERT(write(fds[1], "\x55", 1) == 1);
272 BPF_ASSERT(write(fds[3], "\xAA", 1) == 1);
273 BPF_ASSERT(read(fds[0], buf, 1) == 1);
274
275 // If dup2() executed, we will read \xAA, but it dup2() has been turned
276 // into a no-op by our policy, then we will read \x55.
277 BPF_ASSERT(buf[0] == '\x55');
278
279 // Verify that we can return the minimum and maximum errno values.
280 errno = 0;
281 BPF_ASSERT(setuid(0) == -1);
282 BPF_ASSERT(errno == 1);
283
284 // On Android, errno is only supported up to 255, otherwise errno
285 // processing is skipped.
286 // We work around this (crbug.com/181647).
287 if (sandbox::IsAndroid() && setgid(0) != -1) {
288 errno = 0;
289 BPF_ASSERT(setgid(0) == -ErrorCode::ERR_MAX_ERRNO);
290 BPF_ASSERT(errno == 0);
291 } else {
292 errno = 0;
293 BPF_ASSERT(setgid(0) == -1);
294 BPF_ASSERT(errno == ErrorCode::ERR_MAX_ERRNO);
295 }
296
297 // Finally, test an errno in between the minimum and maximum.
298 errno = 0;
299 struct utsname uts_buf;
300 BPF_ASSERT(uname(&uts_buf) == -1);
301 BPF_ASSERT(errno == 42);
302 }
303
304 // Testing the stacking of two sandboxes
305
306 class StackingPolicyPartOne : public SandboxBPFPolicy {
307 public:
StackingPolicyPartOne()308 StackingPolicyPartOne() {}
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const309 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
310 int sysno) const OVERRIDE {
311 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
312 switch (sysno) {
313 case __NR_getppid:
314 return sandbox->Cond(0,
315 ErrorCode::TP_32BIT,
316 ErrorCode::OP_EQUAL,
317 0,
318 ErrorCode(ErrorCode::ERR_ALLOWED),
319 ErrorCode(EPERM));
320 default:
321 return ErrorCode(ErrorCode::ERR_ALLOWED);
322 }
323 }
324
325 private:
326 DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartOne);
327 };
328
329 class StackingPolicyPartTwo : public SandboxBPFPolicy {
330 public:
StackingPolicyPartTwo()331 StackingPolicyPartTwo() {}
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const332 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
333 int sysno) const OVERRIDE {
334 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
335 switch (sysno) {
336 case __NR_getppid:
337 return sandbox->Cond(0,
338 ErrorCode::TP_32BIT,
339 ErrorCode::OP_EQUAL,
340 0,
341 ErrorCode(EINVAL),
342 ErrorCode(ErrorCode::ERR_ALLOWED));
343 default:
344 return ErrorCode(ErrorCode::ERR_ALLOWED);
345 }
346 }
347
348 private:
349 DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartTwo);
350 };
351
BPF_TEST_C(SandboxBPF,StackingPolicy,StackingPolicyPartOne)352 BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
353 errno = 0;
354 BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
355 BPF_ASSERT(errno == 0);
356
357 BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
358 BPF_ASSERT(errno == EPERM);
359
360 // Stack a second sandbox with its own policy. Verify that we can further
361 // restrict filters, but we cannot relax existing filters.
362 SandboxBPF sandbox;
363 sandbox.SetSandboxPolicy(new StackingPolicyPartTwo());
364 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
365
366 errno = 0;
367 BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
368 BPF_ASSERT(errno == EINVAL);
369
370 BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
371 BPF_ASSERT(errno == EPERM);
372 }
373
374 // A more complex, but synthetic policy. This tests the correctness of the BPF
375 // program by iterating through all syscalls and checking for an errno that
376 // depends on the syscall number. Unlike the Verifier, this exercises the BPF
377 // interpreter in the kernel.
378
379 // We try to make sure we exercise optimizations in the BPF compiler. We make
380 // sure that the compiler can have an opportunity to coalesce syscalls with
381 // contiguous numbers and we also make sure that disjoint sets can return the
382 // same errno.
SysnoToRandomErrno(int sysno)383 int SysnoToRandomErrno(int sysno) {
384 // Small contiguous sets of 3 system calls return an errno equal to the
385 // index of that set + 1 (so that we never return a NUL errno).
386 return ((sysno & ~3) >> 2) % 29 + 1;
387 }
388
389 class SyntheticPolicy : public SandboxBPFPolicy {
390 public:
SyntheticPolicy()391 SyntheticPolicy() {}
EvaluateSyscall(SandboxBPF *,int sysno) const392 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
393 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
394 if (sysno == __NR_exit_group || sysno == __NR_write) {
395 // exit_group() is special, we really need it to work.
396 // write() is needed for BPF_ASSERT() to report a useful error message.
397 return ErrorCode(ErrorCode::ERR_ALLOWED);
398 }
399 return ErrorCode(SysnoToRandomErrno(sysno));
400 }
401
402 private:
403 DISALLOW_COPY_AND_ASSIGN(SyntheticPolicy);
404 };
405
BPF_TEST_C(SandboxBPF,SyntheticPolicy,SyntheticPolicy)406 BPF_TEST_C(SandboxBPF, SyntheticPolicy, SyntheticPolicy) {
407 // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int
408 // overflow.
409 BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >=
410 static_cast<int>(MAX_PUBLIC_SYSCALL));
411
412 for (int syscall_number = static_cast<int>(MIN_SYSCALL);
413 syscall_number <= static_cast<int>(MAX_PUBLIC_SYSCALL);
414 ++syscall_number) {
415 if (syscall_number == __NR_exit_group || syscall_number == __NR_write) {
416 // exit_group() is special
417 continue;
418 }
419 errno = 0;
420 BPF_ASSERT(syscall(syscall_number) == -1);
421 BPF_ASSERT(errno == SysnoToRandomErrno(syscall_number));
422 }
423 }
424
425 #if defined(__arm__)
426 // A simple policy that tests whether ARM private system calls are supported
427 // by our BPF compiler and by the BPF interpreter in the kernel.
428
429 // For ARM private system calls, return an errno equal to their offset from
430 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno).
ArmPrivateSysnoToErrno(int sysno)431 int ArmPrivateSysnoToErrno(int sysno) {
432 if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
433 sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
434 return (sysno - MIN_PRIVATE_SYSCALL) + 1;
435 } else {
436 return ENOSYS;
437 }
438 }
439
440 class ArmPrivatePolicy : public SandboxBPFPolicy {
441 public:
ArmPrivatePolicy()442 ArmPrivatePolicy() {}
EvaluateSyscall(SandboxBPF *,int sysno) const443 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
444 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
445 // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual
446 // ARM private system calls.
447 if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) &&
448 sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
449 return ErrorCode(ArmPrivateSysnoToErrno(sysno));
450 }
451 return ErrorCode(ErrorCode::ERR_ALLOWED);
452 }
453
454 private:
455 DISALLOW_COPY_AND_ASSIGN(ArmPrivatePolicy);
456 };
457
BPF_TEST_C(SandboxBPF,ArmPrivatePolicy,ArmPrivatePolicy)458 BPF_TEST_C(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) {
459 for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1);
460 syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
461 ++syscall_number) {
462 errno = 0;
463 BPF_ASSERT(syscall(syscall_number) == -1);
464 BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number));
465 }
466 }
467 #endif // defined(__arm__)
468
CountSyscalls(const struct arch_seccomp_data & args,void * aux)469 intptr_t CountSyscalls(const struct arch_seccomp_data& args, void* aux) {
470 // Count all invocations of our callback function.
471 ++*reinterpret_cast<int*>(aux);
472
473 // Verify that within the callback function all filtering is temporarily
474 // disabled.
475 BPF_ASSERT(syscall(__NR_getpid) > 1);
476
477 // Verify that we can now call the underlying system call without causing
478 // infinite recursion.
479 return SandboxBPF::ForwardSyscall(args);
480 }
481
GreyListedPolicy(SandboxBPF * sandbox,int sysno,int * aux)482 ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, int* aux) {
483 // The use of UnsafeTrap() causes us to print a warning message. This is
484 // generally desirable, but it results in the unittest failing, as it doesn't
485 // expect any messages on "stderr". So, temporarily disable messages. The
486 // BPF_TEST() is guaranteed to turn messages back on, after the policy
487 // function has completed.
488 setenv(kSandboxDebuggingEnv, "t", 0);
489 Die::SuppressInfoMessages(true);
490
491 // Some system calls must always be allowed, if our policy wants to make
492 // use of UnsafeTrap()
493 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn
494 #if defined(__NR_sigprocmask)
495 ||
496 sysno == __NR_sigprocmask
497 #endif
498 #if defined(__NR_sigreturn)
499 ||
500 sysno == __NR_sigreturn
501 #endif
502 ) {
503 return ErrorCode(ErrorCode::ERR_ALLOWED);
504 } else if (sysno == __NR_getpid) {
505 // Disallow getpid()
506 return ErrorCode(EPERM);
507 } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
508 // Allow (and count) all other system calls.
509 return sandbox->UnsafeTrap(CountSyscalls, aux);
510 } else {
511 return ErrorCode(ENOSYS);
512 }
513 }
514
BPF_TEST(SandboxBPF,GreyListedPolicy,GreyListedPolicy,int)515 BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* (*BPF_AUX) */) {
516 BPF_ASSERT(syscall(__NR_getpid) == -1);
517 BPF_ASSERT(errno == EPERM);
518 BPF_ASSERT(*BPF_AUX == 0);
519 BPF_ASSERT(syscall(__NR_geteuid) == syscall(__NR_getuid));
520 BPF_ASSERT(*BPF_AUX == 2);
521 char name[17] = {};
522 BPF_ASSERT(!syscall(__NR_prctl,
523 PR_GET_NAME,
524 name,
525 (void*)NULL,
526 (void*)NULL,
527 (void*)NULL));
528 BPF_ASSERT(*BPF_AUX == 3);
529 BPF_ASSERT(*name);
530 }
531
SANDBOX_TEST(SandboxBPF,EnableUnsafeTrapsInSigSysHandler)532 SANDBOX_TEST(SandboxBPF, EnableUnsafeTrapsInSigSysHandler) {
533 // Disabling warning messages that could confuse our test framework.
534 setenv(kSandboxDebuggingEnv, "t", 0);
535 Die::SuppressInfoMessages(true);
536
537 unsetenv(kSandboxDebuggingEnv);
538 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == false);
539 setenv(kSandboxDebuggingEnv, "", 1);
540 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == false);
541 setenv(kSandboxDebuggingEnv, "t", 1);
542 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == true);
543 }
544
PrctlHandler(const struct arch_seccomp_data & args,void *)545 intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) {
546 if (args.args[0] == PR_CAPBSET_DROP && static_cast<int>(args.args[1]) == -1) {
547 // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always
548 // return an error. But our handler allows this call.
549 return 0;
550 } else {
551 return SandboxBPF::ForwardSyscall(args);
552 }
553 }
554
555 class PrctlPolicy : public SandboxBPFPolicy {
556 public:
PrctlPolicy()557 PrctlPolicy() {}
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const558 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
559 int sysno) const OVERRIDE {
560 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
561 setenv(kSandboxDebuggingEnv, "t", 0);
562 Die::SuppressInfoMessages(true);
563
564 if (sysno == __NR_prctl) {
565 // Handle prctl() inside an UnsafeTrap()
566 return sandbox->UnsafeTrap(PrctlHandler, NULL);
567 }
568
569 // Allow all other system calls.
570 return ErrorCode(ErrorCode::ERR_ALLOWED);
571 }
572
573 private:
574 DISALLOW_COPY_AND_ASSIGN(PrctlPolicy);
575 };
576
BPF_TEST_C(SandboxBPF,ForwardSyscall,PrctlPolicy)577 BPF_TEST_C(SandboxBPF, ForwardSyscall, PrctlPolicy) {
578 // This call should never be allowed. But our policy will intercept it and
579 // let it pass successfully.
580 BPF_ASSERT(
581 !prctl(PR_CAPBSET_DROP, -1, (void*)NULL, (void*)NULL, (void*)NULL));
582
583 // Verify that the call will fail, if it makes it all the way to the kernel.
584 BPF_ASSERT(
585 prctl(PR_CAPBSET_DROP, -2, (void*)NULL, (void*)NULL, (void*)NULL) == -1);
586
587 // And verify that other uses of prctl() work just fine.
588 char name[17] = {};
589 BPF_ASSERT(!syscall(__NR_prctl,
590 PR_GET_NAME,
591 name,
592 (void*)NULL,
593 (void*)NULL,
594 (void*)NULL));
595 BPF_ASSERT(*name);
596
597 // Finally, verify that system calls other than prctl() are completely
598 // unaffected by our policy.
599 struct utsname uts = {};
600 BPF_ASSERT(!uname(&uts));
601 BPF_ASSERT(!strcmp(uts.sysname, "Linux"));
602 }
603
AllowRedirectedSyscall(const struct arch_seccomp_data & args,void *)604 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) {
605 return SandboxBPF::ForwardSyscall(args);
606 }
607
608 class RedirectAllSyscallsPolicy : public SandboxBPFPolicy {
609 public:
RedirectAllSyscallsPolicy()610 RedirectAllSyscallsPolicy() {}
611 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
612 int sysno) const OVERRIDE;
613
614 private:
615 DISALLOW_COPY_AND_ASSIGN(RedirectAllSyscallsPolicy);
616 };
617
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const618 ErrorCode RedirectAllSyscallsPolicy::EvaluateSyscall(SandboxBPF* sandbox,
619 int sysno) const {
620 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
621 setenv(kSandboxDebuggingEnv, "t", 0);
622 Die::SuppressInfoMessages(true);
623
624 // Some system calls must always be allowed, if our policy wants to make
625 // use of UnsafeTrap()
626 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn
627 #if defined(__NR_sigprocmask)
628 ||
629 sysno == __NR_sigprocmask
630 #endif
631 #if defined(__NR_sigreturn)
632 ||
633 sysno == __NR_sigreturn
634 #endif
635 ) {
636 return ErrorCode(ErrorCode::ERR_ALLOWED);
637 }
638 return sandbox->UnsafeTrap(AllowRedirectedSyscall, NULL);
639 }
640
641 int bus_handler_fd_ = -1;
642
SigBusHandler(int,siginfo_t * info,void * void_context)643 void SigBusHandler(int, siginfo_t* info, void* void_context) {
644 BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
645 }
646
BPF_TEST_C(SandboxBPF,SigBus,RedirectAllSyscallsPolicy)647 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) {
648 // We use the SIGBUS bit in the signal mask as a thread-local boolean
649 // value in the implementation of UnsafeTrap(). This is obviously a bit
650 // of a hack that could conceivably interfere with code that uses SIGBUS
651 // in more traditional ways. This test verifies that basic functionality
652 // of SIGBUS is not impacted, but it is certainly possibly to construe
653 // more complex uses of signals where our use of the SIGBUS mask is not
654 // 100% transparent. This is expected behavior.
655 int fds[2];
656 BPF_ASSERT(pipe(fds) == 0);
657 bus_handler_fd_ = fds[1];
658 struct sigaction sa = {};
659 sa.sa_sigaction = SigBusHandler;
660 sa.sa_flags = SA_SIGINFO;
661 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0);
662 raise(SIGBUS);
663 char c = '\000';
664 BPF_ASSERT(read(fds[0], &c, 1) == 1);
665 BPF_ASSERT(close(fds[0]) == 0);
666 BPF_ASSERT(close(fds[1]) == 0);
667 BPF_ASSERT(c == 0x55);
668 }
669
BPF_TEST_C(SandboxBPF,SigMask,RedirectAllSyscallsPolicy)670 BPF_TEST_C(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) {
671 // Signal masks are potentially tricky to handle. For instance, if we
672 // ever tried to update them from inside a Trap() or UnsafeTrap() handler,
673 // the call to sigreturn() at the end of the signal handler would undo
674 // all of our efforts. So, it makes sense to test that sigprocmask()
675 // works, even if we have a policy in place that makes use of UnsafeTrap().
676 // In practice, this works because we force sigprocmask() to be handled
677 // entirely in the kernel.
678 sigset_t mask0, mask1, mask2;
679
680 // Call sigprocmask() to verify that SIGUSR2 wasn't blocked, if we didn't
681 // change the mask (it shouldn't have been, as it isn't blocked by default
682 // in POSIX).
683 //
684 // Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose.
685 sigemptyset(&mask0);
686 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1));
687 BPF_ASSERT(!sigismember(&mask1, SIGUSR2));
688
689 // Try again, and this time we verify that we can block it. This
690 // requires a second call to sigprocmask().
691 sigaddset(&mask0, SIGUSR2);
692 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL));
693 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2));
694 BPF_ASSERT(sigismember(&mask2, SIGUSR2));
695 }
696
BPF_TEST_C(SandboxBPF,UnsafeTrapWithErrno,RedirectAllSyscallsPolicy)697 BPF_TEST_C(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) {
698 // An UnsafeTrap() (or for that matter, a Trap()) has to report error
699 // conditions by returning an exit code in the range -1..-4096. This
700 // should happen automatically if using ForwardSyscall(). If the TrapFnc()
701 // uses some other method to make system calls, then it is responsible
702 // for computing the correct return code.
703 // This test verifies that ForwardSyscall() does the correct thing.
704
705 // The glibc system wrapper will ultimately set errno for us. So, from normal
706 // userspace, all of this should be completely transparent.
707 errno = 0;
708 BPF_ASSERT(close(-1) == -1);
709 BPF_ASSERT(errno == EBADF);
710
711 // Explicitly avoid the glibc wrapper. This is not normally the way anybody
712 // would make system calls, but it allows us to verify that we don't
713 // accidentally mess with errno, when we shouldn't.
714 errno = 0;
715 struct arch_seccomp_data args = {};
716 args.nr = __NR_close;
717 args.args[0] = -1;
718 BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF);
719 BPF_ASSERT(errno == 0);
720 }
721
NoOpCallback()722 bool NoOpCallback() { return true; }
723
724 // Test a trap handler that makes use of a broker process to open().
725
726 class InitializedOpenBroker {
727 public:
InitializedOpenBroker()728 InitializedOpenBroker() : initialized_(false) {
729 std::vector<std::string> allowed_files;
730 allowed_files.push_back("/proc/allowed");
731 allowed_files.push_back("/proc/cpuinfo");
732
733 broker_process_.reset(
734 new BrokerProcess(EPERM, allowed_files, std::vector<std::string>()));
735 BPF_ASSERT(broker_process() != NULL);
736 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback)));
737
738 initialized_ = true;
739 }
initialized()740 bool initialized() { return initialized_; }
broker_process()741 class BrokerProcess* broker_process() { return broker_process_.get(); }
742
743 private:
744 bool initialized_;
745 scoped_ptr<class BrokerProcess> broker_process_;
746 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker);
747 };
748
BrokerOpenTrapHandler(const struct arch_seccomp_data & args,void * aux)749 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args,
750 void* aux) {
751 BPF_ASSERT(aux);
752 BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux);
753 switch (args.nr) {
754 #if defined(ANDROID)
755 case __NR_faccessat: // access is a wrapper of faccessat in android
756 return broker_process->Access(reinterpret_cast<const char*>(args.args[1]),
757 static_cast<int>(args.args[2]));
758 #else
759 case __NR_access:
760 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
761 static_cast<int>(args.args[1]));
762 #endif
763 case __NR_open:
764 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
765 static_cast<int>(args.args[1]));
766 case __NR_openat:
767 // We only call open() so if we arrive here, it's because glibc uses
768 // the openat() system call.
769 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
770 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
771 static_cast<int>(args.args[2]));
772 default:
773 BPF_ASSERT(false);
774 return -ENOSYS;
775 }
776 }
777
DenyOpenPolicy(SandboxBPF * sandbox,int sysno,InitializedOpenBroker * iob)778 ErrorCode DenyOpenPolicy(SandboxBPF* sandbox,
779 int sysno,
780 InitializedOpenBroker* iob) {
781 if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
782 return ErrorCode(ENOSYS);
783 }
784
785 switch (sysno) {
786 #if defined(ANDROID)
787 case __NR_faccessat:
788 #else
789 case __NR_access:
790 #endif
791 case __NR_open:
792 case __NR_openat:
793 // We get a InitializedOpenBroker class, but our trap handler wants
794 // the BrokerProcess object.
795 return ErrorCode(
796 sandbox->Trap(BrokerOpenTrapHandler, iob->broker_process()));
797 default:
798 return ErrorCode(ErrorCode::ERR_ALLOWED);
799 }
800 }
801
802 // We use a InitializedOpenBroker class, so that we can run unsandboxed
803 // code in its constructor, which is the only way to do so in a BPF_TEST.
BPF_TEST(SandboxBPF,UseOpenBroker,DenyOpenPolicy,InitializedOpenBroker)804 BPF_TEST(SandboxBPF,
805 UseOpenBroker,
806 DenyOpenPolicy,
807 InitializedOpenBroker /* (*BPF_AUX) */) {
808 BPF_ASSERT(BPF_AUX->initialized());
809 BrokerProcess* broker_process = BPF_AUX->broker_process();
810 BPF_ASSERT(broker_process != NULL);
811
812 // First, use the broker "manually"
813 BPF_ASSERT(broker_process->Open("/proc/denied", O_RDONLY) == -EPERM);
814 BPF_ASSERT(broker_process->Access("/proc/denied", R_OK) == -EPERM);
815 BPF_ASSERT(broker_process->Open("/proc/allowed", O_RDONLY) == -ENOENT);
816 BPF_ASSERT(broker_process->Access("/proc/allowed", R_OK) == -ENOENT);
817
818 // Now use glibc's open() as an external library would.
819 BPF_ASSERT(open("/proc/denied", O_RDONLY) == -1);
820 BPF_ASSERT(errno == EPERM);
821
822 BPF_ASSERT(open("/proc/allowed", O_RDONLY) == -1);
823 BPF_ASSERT(errno == ENOENT);
824
825 // Also test glibc's openat(), some versions of libc use it transparently
826 // instead of open().
827 BPF_ASSERT(openat(AT_FDCWD, "/proc/denied", O_RDONLY) == -1);
828 BPF_ASSERT(errno == EPERM);
829
830 BPF_ASSERT(openat(AT_FDCWD, "/proc/allowed", O_RDONLY) == -1);
831 BPF_ASSERT(errno == ENOENT);
832
833 // And test glibc's access().
834 BPF_ASSERT(access("/proc/denied", R_OK) == -1);
835 BPF_ASSERT(errno == EPERM);
836
837 BPF_ASSERT(access("/proc/allowed", R_OK) == -1);
838 BPF_ASSERT(errno == ENOENT);
839
840 // This is also white listed and does exist.
841 int cpu_info_access = access("/proc/cpuinfo", R_OK);
842 BPF_ASSERT(cpu_info_access == 0);
843 int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);
844 BPF_ASSERT(cpu_info_fd >= 0);
845 char buf[1024];
846 BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
847 }
848
849 // Simple test demonstrating how to use SandboxBPF::Cond()
850
851 class SimpleCondTestPolicy : public SandboxBPFPolicy {
852 public:
SimpleCondTestPolicy()853 SimpleCondTestPolicy() {}
854 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
855 int sysno) const OVERRIDE;
856
857 private:
858 DISALLOW_COPY_AND_ASSIGN(SimpleCondTestPolicy);
859 };
860
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const861 ErrorCode SimpleCondTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
862 int sysno) const {
863 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
864
865 // We deliberately return unusual errno values upon failure, so that we
866 // can uniquely test for these values. In a "real" policy, you would want
867 // to return more traditional values.
868 switch (sysno) {
869 #if defined(ANDROID)
870 case __NR_openat: // open is a wrapper of openat in android
871 // Allow opening files for reading, but don't allow writing.
872 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits);
873 return sandbox->Cond(2,
874 ErrorCode::TP_32BIT,
875 ErrorCode::OP_HAS_ANY_BITS,
876 O_ACCMODE /* 0x3 */,
877 ErrorCode(EROFS),
878 ErrorCode(ErrorCode::ERR_ALLOWED));
879 #else
880 case __NR_open:
881 // Allow opening files for reading, but don't allow writing.
882 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits);
883 return sandbox->Cond(1,
884 ErrorCode::TP_32BIT,
885 ErrorCode::OP_HAS_ANY_BITS,
886 O_ACCMODE /* 0x3 */,
887 ErrorCode(EROFS),
888 ErrorCode(ErrorCode::ERR_ALLOWED));
889 #endif
890 case __NR_prctl:
891 // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but
892 // disallow everything else.
893 return sandbox->Cond(0,
894 ErrorCode::TP_32BIT,
895 ErrorCode::OP_EQUAL,
896 PR_SET_DUMPABLE,
897 ErrorCode(ErrorCode::ERR_ALLOWED),
898 sandbox->Cond(0,
899 ErrorCode::TP_32BIT,
900 ErrorCode::OP_EQUAL,
901 PR_GET_DUMPABLE,
902 ErrorCode(ErrorCode::ERR_ALLOWED),
903 ErrorCode(ENOMEM)));
904 default:
905 return ErrorCode(ErrorCode::ERR_ALLOWED);
906 }
907 }
908
BPF_TEST_C(SandboxBPF,SimpleCondTest,SimpleCondTestPolicy)909 BPF_TEST_C(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) {
910 int fd;
911 BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1);
912 BPF_ASSERT(errno == EROFS);
913 BPF_ASSERT((fd = open("/proc/self/comm", O_RDONLY)) >= 0);
914 close(fd);
915
916 int ret;
917 BPF_ASSERT((ret = prctl(PR_GET_DUMPABLE)) >= 0);
918 BPF_ASSERT(prctl(PR_SET_DUMPABLE, 1 - ret) == 0);
919 BPF_ASSERT(prctl(PR_GET_ENDIAN, &ret) == -1);
920 BPF_ASSERT(errno == ENOMEM);
921 }
922
923 // This test exercises the SandboxBPF::Cond() method by building a complex
924 // tree of conditional equality operations. It then makes system calls and
925 // verifies that they return the values that we expected from our BPF
926 // program.
927 class EqualityStressTest {
928 public:
EqualityStressTest()929 EqualityStressTest() {
930 // We want a deterministic test
931 srand(0);
932
933 // Iterates over system call numbers and builds a random tree of
934 // equality tests.
935 // We are actually constructing a graph of ArgValue objects. This
936 // graph will later be used to a) compute our sandbox policy, and
937 // b) drive the code that verifies the output from the BPF program.
938 COMPILE_ASSERT(
939 kNumTestCases < (int)(MAX_PUBLIC_SYSCALL - MIN_SYSCALL - 10),
940 num_test_cases_must_be_significantly_smaller_than_num_system_calls);
941 for (int sysno = MIN_SYSCALL, end = kNumTestCases; sysno < end; ++sysno) {
942 if (IsReservedSyscall(sysno)) {
943 // Skip reserved system calls. This ensures that our test frame
944 // work isn't impacted by the fact that we are overriding
945 // a lot of different system calls.
946 ++end;
947 arg_values_.push_back(NULL);
948 } else {
949 arg_values_.push_back(
950 RandomArgValue(rand() % kMaxArgs, 0, rand() % kMaxArgs));
951 }
952 }
953 }
954
~EqualityStressTest()955 ~EqualityStressTest() {
956 for (std::vector<ArgValue*>::iterator iter = arg_values_.begin();
957 iter != arg_values_.end();
958 ++iter) {
959 DeleteArgValue(*iter);
960 }
961 }
962
Policy(SandboxBPF * sandbox,int sysno)963 ErrorCode Policy(SandboxBPF* sandbox, int sysno) {
964 if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
965 // FIXME: we should really not have to do that in a trivial policy
966 return ErrorCode(ENOSYS);
967 } else if (sysno < 0 || sysno >= (int)arg_values_.size() ||
968 IsReservedSyscall(sysno)) {
969 // We only return ErrorCode values for the system calls that
970 // are part of our test data. Every other system call remains
971 // allowed.
972 return ErrorCode(ErrorCode::ERR_ALLOWED);
973 } else {
974 // ToErrorCode() turns an ArgValue object into an ErrorCode that is
975 // suitable for use by a sandbox policy.
976 return ToErrorCode(sandbox, arg_values_[sysno]);
977 }
978 }
979
VerifyFilter()980 void VerifyFilter() {
981 // Iterate over all system calls. Skip the system calls that have
982 // previously been determined as being reserved.
983 for (int sysno = 0; sysno < (int)arg_values_.size(); ++sysno) {
984 if (!arg_values_[sysno]) {
985 // Skip reserved system calls.
986 continue;
987 }
988 // Verify that system calls return the values that we expect them to
989 // return. This involves passing different combinations of system call
990 // parameters in order to exercise all possible code paths through the
991 // BPF filter program.
992 // We arbitrarily start by setting all six system call arguments to
993 // zero. And we then recursive traverse our tree of ArgValues to
994 // determine the necessary combinations of parameters.
995 intptr_t args[6] = {};
996 Verify(sysno, args, *arg_values_[sysno]);
997 }
998 }
999
1000 private:
1001 struct ArgValue {
1002 int argno; // Argument number to inspect.
1003 int size; // Number of test cases (must be > 0).
1004 struct Tests {
1005 uint32_t k_value; // Value to compare syscall arg against.
1006 int err; // If non-zero, errno value to return.
1007 struct ArgValue* arg_value; // Otherwise, more args needs inspecting.
1008 }* tests;
1009 int err; // If none of the tests passed, this is what
1010 struct ArgValue* arg_value; // we'll return (this is the "else" branch).
1011 };
1012
IsReservedSyscall(int sysno)1013 bool IsReservedSyscall(int sysno) {
1014 // There are a handful of system calls that we should never use in our
1015 // test cases. These system calls are needed to allow the test framework
1016 // to run properly.
1017 // If we wanted to write fully generic code, there are more system calls
1018 // that could be listed here, and it is quite difficult to come up with a
1019 // truly comprehensive list. After all, we are deliberately making system
1020 // calls unavailable. In practice, we have a pretty good idea of the system
1021 // calls that will be made by this particular test. So, this small list is
1022 // sufficient. But if anybody copy'n'pasted this code for other uses, they
1023 // would have to review that the list.
1024 return sysno == __NR_read || sysno == __NR_write || sysno == __NR_exit ||
1025 sysno == __NR_exit_group || sysno == __NR_restart_syscall;
1026 }
1027
RandomArgValue(int argno,int args_mask,int remaining_args)1028 ArgValue* RandomArgValue(int argno, int args_mask, int remaining_args) {
1029 // Create a new ArgValue and fill it with random data. We use as bit mask
1030 // to keep track of the system call parameters that have previously been
1031 // set; this ensures that we won't accidentally define a contradictory
1032 // set of equality tests.
1033 struct ArgValue* arg_value = new ArgValue();
1034 args_mask |= 1 << argno;
1035 arg_value->argno = argno;
1036
1037 // Apply some restrictions on just how complex our tests can be.
1038 // Otherwise, we end up with a BPF program that is too complicated for
1039 // the kernel to load.
1040 int fan_out = kMaxFanOut;
1041 if (remaining_args > 3) {
1042 fan_out = 1;
1043 } else if (remaining_args > 2) {
1044 fan_out = 2;
1045 }
1046
1047 // Create a couple of different test cases with randomized values that
1048 // we want to use when comparing system call parameter number "argno".
1049 arg_value->size = rand() % fan_out + 1;
1050 arg_value->tests = new ArgValue::Tests[arg_value->size];
1051
1052 uint32_t k_value = rand();
1053 for (int n = 0; n < arg_value->size; ++n) {
1054 // Ensure that we have unique values
1055 k_value += rand() % (RAND_MAX / (kMaxFanOut + 1)) + 1;
1056
1057 // There are two possible types of nodes. Either this is a leaf node;
1058 // in that case, we have completed all the equality tests that we
1059 // wanted to perform, and we can now compute a random "errno" value that
1060 // we should return. Or this is part of a more complex boolean
1061 // expression; in that case, we have to recursively add tests for some
1062 // of system call parameters that we have not yet included in our
1063 // tests.
1064 arg_value->tests[n].k_value = k_value;
1065 if (!remaining_args || (rand() & 1)) {
1066 arg_value->tests[n].err = (rand() % 1000) + 1;
1067 arg_value->tests[n].arg_value = NULL;
1068 } else {
1069 arg_value->tests[n].err = 0;
1070 arg_value->tests[n].arg_value =
1071 RandomArgValue(RandomArg(args_mask), args_mask, remaining_args - 1);
1072 }
1073 }
1074 // Finally, we have to define what we should return if none of the
1075 // previous equality tests pass. Again, we can either deal with a leaf
1076 // node, or we can randomly add another couple of tests.
1077 if (!remaining_args || (rand() & 1)) {
1078 arg_value->err = (rand() % 1000) + 1;
1079 arg_value->arg_value = NULL;
1080 } else {
1081 arg_value->err = 0;
1082 arg_value->arg_value =
1083 RandomArgValue(RandomArg(args_mask), args_mask, remaining_args - 1);
1084 }
1085 // We have now built a new (sub-)tree of ArgValues defining a set of
1086 // boolean expressions for testing random system call arguments against
1087 // random values. Return this tree to our caller.
1088 return arg_value;
1089 }
1090
RandomArg(int args_mask)1091 int RandomArg(int args_mask) {
1092 // Compute a random system call parameter number.
1093 int argno = rand() % kMaxArgs;
1094
1095 // Make sure that this same parameter number has not previously been
1096 // used. Otherwise, we could end up with a test that is impossible to
1097 // satisfy (e.g. args[0] == 1 && args[0] == 2).
1098 while (args_mask & (1 << argno)) {
1099 argno = (argno + 1) % kMaxArgs;
1100 }
1101 return argno;
1102 }
1103
DeleteArgValue(ArgValue * arg_value)1104 void DeleteArgValue(ArgValue* arg_value) {
1105 // Delete an ArgValue and all of its child nodes. This requires
1106 // recursively descending into the tree.
1107 if (arg_value) {
1108 if (arg_value->size) {
1109 for (int n = 0; n < arg_value->size; ++n) {
1110 if (!arg_value->tests[n].err) {
1111 DeleteArgValue(arg_value->tests[n].arg_value);
1112 }
1113 }
1114 delete[] arg_value->tests;
1115 }
1116 if (!arg_value->err) {
1117 DeleteArgValue(arg_value->arg_value);
1118 }
1119 delete arg_value;
1120 }
1121 }
1122
ToErrorCode(SandboxBPF * sandbox,ArgValue * arg_value)1123 ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) {
1124 // Compute the ErrorCode that should be returned, if none of our
1125 // tests succeed (i.e. the system call parameter doesn't match any
1126 // of the values in arg_value->tests[].k_value).
1127 ErrorCode err;
1128 if (arg_value->err) {
1129 // If this was a leaf node, return the errno value that we expect to
1130 // return from the BPF filter program.
1131 err = ErrorCode(arg_value->err);
1132 } else {
1133 // If this wasn't a leaf node yet, recursively descend into the rest
1134 // of the tree. This will end up adding a few more SandboxBPF::Cond()
1135 // tests to our ErrorCode.
1136 err = ToErrorCode(sandbox, arg_value->arg_value);
1137 }
1138
1139 // Now, iterate over all the test cases that we want to compare against.
1140 // This builds a chain of SandboxBPF::Cond() tests
1141 // (aka "if ... elif ... elif ... elif ... fi")
1142 for (int n = arg_value->size; n-- > 0;) {
1143 ErrorCode matched;
1144 // Again, we distinguish between leaf nodes and subtrees.
1145 if (arg_value->tests[n].err) {
1146 matched = ErrorCode(arg_value->tests[n].err);
1147 } else {
1148 matched = ToErrorCode(sandbox, arg_value->tests[n].arg_value);
1149 }
1150 // For now, all of our tests are limited to 32bit.
1151 // We have separate tests that check the behavior of 32bit vs. 64bit
1152 // conditional expressions.
1153 err = sandbox->Cond(arg_value->argno,
1154 ErrorCode::TP_32BIT,
1155 ErrorCode::OP_EQUAL,
1156 arg_value->tests[n].k_value,
1157 matched,
1158 err);
1159 }
1160 return err;
1161 }
1162
Verify(int sysno,intptr_t * args,const ArgValue & arg_value)1163 void Verify(int sysno, intptr_t* args, const ArgValue& arg_value) {
1164 uint32_t mismatched = 0;
1165 // Iterate over all the k_values in arg_value.tests[] and verify that
1166 // we see the expected return values from system calls, when we pass
1167 // the k_value as a parameter in a system call.
1168 for (int n = arg_value.size; n-- > 0;) {
1169 mismatched += arg_value.tests[n].k_value;
1170 args[arg_value.argno] = arg_value.tests[n].k_value;
1171 if (arg_value.tests[n].err) {
1172 VerifyErrno(sysno, args, arg_value.tests[n].err);
1173 } else {
1174 Verify(sysno, args, *arg_value.tests[n].arg_value);
1175 }
1176 }
1177 // Find a k_value that doesn't match any of the k_values in
1178 // arg_value.tests[]. In most cases, the current value of "mismatched"
1179 // would fit this requirement. But on the off-chance that it happens
1180 // to collide, we double-check.
1181 try_again:
1182 for (int n = arg_value.size; n-- > 0;) {
1183 if (mismatched == arg_value.tests[n].k_value) {
1184 ++mismatched;
1185 goto try_again;
1186 }
1187 }
1188 // Now verify that we see the expected return value from system calls,
1189 // if we pass a value that doesn't match any of the conditions (i.e. this
1190 // is testing the "else" clause of the conditions).
1191 args[arg_value.argno] = mismatched;
1192 if (arg_value.err) {
1193 VerifyErrno(sysno, args, arg_value.err);
1194 } else {
1195 Verify(sysno, args, *arg_value.arg_value);
1196 }
1197 // Reset args[arg_value.argno]. This is not technically needed, but it
1198 // makes it easier to reason about the correctness of our tests.
1199 args[arg_value.argno] = 0;
1200 }
1201
VerifyErrno(int sysno,intptr_t * args,int err)1202 void VerifyErrno(int sysno, intptr_t* args, int err) {
1203 // We installed BPF filters that return different errno values
1204 // based on the system call number and the parameters that we decided
1205 // to pass in. Verify that this condition holds true.
1206 BPF_ASSERT(
1207 Syscall::Call(
1208 sysno, args[0], args[1], args[2], args[3], args[4], args[5]) ==
1209 -err);
1210 }
1211
1212 // Vector of ArgValue trees. These trees define all the possible boolean
1213 // expressions that we want to turn into a BPF filter program.
1214 std::vector<ArgValue*> arg_values_;
1215
1216 // Don't increase these values. We are pushing the limits of the maximum
1217 // BPF program that the kernel will allow us to load. If the values are
1218 // increased too much, the test will start failing.
1219 static const int kNumTestCases = 40;
1220 static const int kMaxFanOut = 3;
1221 static const int kMaxArgs = 6;
1222 };
1223
EqualityStressTestPolicy(SandboxBPF * sandbox,int sysno,EqualityStressTest * aux)1224 ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox,
1225 int sysno,
1226 EqualityStressTest* aux) {
1227 DCHECK(aux);
1228 return aux->Policy(sandbox, sysno);
1229 }
1230
BPF_TEST(SandboxBPF,EqualityTests,EqualityStressTestPolicy,EqualityStressTest)1231 BPF_TEST(SandboxBPF,
1232 EqualityTests,
1233 EqualityStressTestPolicy,
1234 EqualityStressTest /* (*BPF_AUX) */) {
1235 BPF_AUX->VerifyFilter();
1236 }
1237
1238 class EqualityArgumentWidthPolicy : public SandboxBPFPolicy {
1239 public:
EqualityArgumentWidthPolicy()1240 EqualityArgumentWidthPolicy() {}
1241 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
1242 int sysno) const OVERRIDE;
1243
1244 private:
1245 DISALLOW_COPY_AND_ASSIGN(EqualityArgumentWidthPolicy);
1246 };
1247
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const1248 ErrorCode EqualityArgumentWidthPolicy::EvaluateSyscall(SandboxBPF* sandbox,
1249 int sysno) const {
1250 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
1251 if (sysno == __NR_uname) {
1252 return sandbox->Cond(
1253 0,
1254 ErrorCode::TP_32BIT,
1255 ErrorCode::OP_EQUAL,
1256 0,
1257 sandbox->Cond(1,
1258 ErrorCode::TP_32BIT,
1259 ErrorCode::OP_EQUAL,
1260 0x55555555,
1261 ErrorCode(1),
1262 ErrorCode(2)),
1263 // The BPF compiler and the BPF interpreter in the kernel are
1264 // (mostly) agnostic of the host platform's word size. The compiler
1265 // will happily generate code that tests a 64bit value, and the
1266 // interpreter will happily perform this test.
1267 // But unless there is a kernel bug, there is no way for us to pass
1268 // in a 64bit quantity on a 32bit platform. The upper 32bits should
1269 // always be zero. So, this test should always evaluate as false on
1270 // 32bit systems.
1271 sandbox->Cond(1,
1272 ErrorCode::TP_64BIT,
1273 ErrorCode::OP_EQUAL,
1274 0x55555555AAAAAAAAULL,
1275 ErrorCode(1),
1276 ErrorCode(2)));
1277 }
1278 return ErrorCode(ErrorCode::ERR_ALLOWED);
1279 }
1280
BPF_TEST_C(SandboxBPF,EqualityArgumentWidth,EqualityArgumentWidthPolicy)1281 BPF_TEST_C(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
1282 BPF_ASSERT(Syscall::Call(__NR_uname, 0, 0x55555555) == -1);
1283 BPF_ASSERT(Syscall::Call(__NR_uname, 0, 0xAAAAAAAA) == -2);
1284 #if __SIZEOF_POINTER__ > 4
1285 // On 32bit machines, there is no way to pass a 64bit argument through the
1286 // syscall interface. So, we have to skip the part of the test that requires
1287 // 64bit arguments.
1288 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x55555555AAAAAAAAULL) == -1);
1289 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x5555555500000000ULL) == -2);
1290 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x5555555511111111ULL) == -2);
1291 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x11111111AAAAAAAAULL) == -2);
1292 #else
1293 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x55555555) == -2);
1294 #endif
1295 }
1296
1297 #if __SIZEOF_POINTER__ > 4
1298 // On 32bit machines, there is no way to pass a 64bit argument through the
1299 // syscall interface. So, we have to skip the part of the test that requires
1300 // 64bit arguments.
1301 BPF_DEATH_TEST_C(SandboxBPF,
1302 EqualityArgumentUnallowed64bit,
1303 DEATH_MESSAGE("Unexpected 64bit argument detected"),
1304 EqualityArgumentWidthPolicy) {
1305 Syscall::Call(__NR_uname, 0, 0x5555555555555555ULL);
1306 }
1307 #endif
1308
1309 class EqualityWithNegativeArgumentsPolicy : public SandboxBPFPolicy {
1310 public:
EqualityWithNegativeArgumentsPolicy()1311 EqualityWithNegativeArgumentsPolicy() {}
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const1312 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
1313 int sysno) const OVERRIDE {
1314 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
1315 if (sysno == __NR_uname) {
1316 return sandbox->Cond(0,
1317 ErrorCode::TP_32BIT,
1318 ErrorCode::OP_EQUAL,
1319 0xFFFFFFFF,
1320 ErrorCode(1),
1321 ErrorCode(2));
1322 }
1323 return ErrorCode(ErrorCode::ERR_ALLOWED);
1324 }
1325
1326 private:
1327 DISALLOW_COPY_AND_ASSIGN(EqualityWithNegativeArgumentsPolicy);
1328 };
1329
BPF_TEST_C(SandboxBPF,EqualityWithNegativeArguments,EqualityWithNegativeArgumentsPolicy)1330 BPF_TEST_C(SandboxBPF,
1331 EqualityWithNegativeArguments,
1332 EqualityWithNegativeArgumentsPolicy) {
1333 BPF_ASSERT(Syscall::Call(__NR_uname, 0xFFFFFFFF) == -1);
1334 BPF_ASSERT(Syscall::Call(__NR_uname, -1) == -1);
1335 BPF_ASSERT(Syscall::Call(__NR_uname, -1LL) == -1);
1336 }
1337
1338 #if __SIZEOF_POINTER__ > 4
1339 BPF_DEATH_TEST_C(SandboxBPF,
1340 EqualityWithNegative64bitArguments,
1341 DEATH_MESSAGE("Unexpected 64bit argument detected"),
1342 EqualityWithNegativeArgumentsPolicy) {
1343 // When expecting a 32bit system call argument, we look at the MSB of the
1344 // 64bit value and allow both "0" and "-1". But the latter is allowed only
1345 // iff the LSB was negative. So, this death test should error out.
1346 BPF_ASSERT(Syscall::Call(__NR_uname, 0xFFFFFFFF00000000LL) == -1);
1347 }
1348 #endif
1349 class AllBitTestPolicy : public SandboxBPFPolicy {
1350 public:
AllBitTestPolicy()1351 AllBitTestPolicy() {}
1352 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
1353 int sysno) const OVERRIDE;
1354
1355 private:
1356 DISALLOW_COPY_AND_ASSIGN(AllBitTestPolicy);
1357 };
1358
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const1359 ErrorCode AllBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
1360 int sysno) const {
1361 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
1362 // Test the OP_HAS_ALL_BITS conditional test operator with a couple of
1363 // different bitmasks. We try to find bitmasks that could conceivably
1364 // touch corner cases.
1365 // For all of these tests, we override the uname(). We can make use with
1366 // a single system call number, as we use the first system call argument to
1367 // select the different bit masks that we want to test against.
1368 if (sysno == __NR_uname) {
1369 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
1370 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
1371 0x0,
1372 ErrorCode(1), ErrorCode(0)),
1373
1374 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
1375 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
1376 0x1,
1377 ErrorCode(1), ErrorCode(0)),
1378
1379 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
1380 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
1381 0x3,
1382 ErrorCode(1), ErrorCode(0)),
1383
1384 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
1385 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
1386 0x80000000,
1387 ErrorCode(1), ErrorCode(0)),
1388 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
1389 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1390 0x0,
1391 ErrorCode(1), ErrorCode(0)),
1392
1393 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
1394 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1395 0x1,
1396 ErrorCode(1), ErrorCode(0)),
1397
1398 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
1399 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1400 0x3,
1401 ErrorCode(1), ErrorCode(0)),
1402
1403 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
1404 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1405 0x80000000,
1406 ErrorCode(1), ErrorCode(0)),
1407
1408 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
1409 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1410 0x100000000ULL,
1411 ErrorCode(1), ErrorCode(0)),
1412
1413 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
1414 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1415 0x300000000ULL,
1416 ErrorCode(1), ErrorCode(0)),
1417
1418 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
1419 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
1420 0x100000001ULL,
1421 ErrorCode(1), ErrorCode(0)),
1422
1423 sandbox->Kill("Invalid test case number"))))))))))));
1424 }
1425 return ErrorCode(ErrorCode::ERR_ALLOWED);
1426 }
1427
1428 // Define a macro that performs tests using our test policy.
1429 // NOTE: Not all of the arguments in this macro are actually used!
1430 // They are here just to serve as documentation of the conditions
1431 // implemented in the test policy.
1432 // Most notably, "op" and "mask" are unused by the macro. If you want
1433 // to make changes to these values, you will have to edit the
1434 // test policy instead.
1435 #define BITMASK_TEST(testcase, arg, op, mask, expected_value) \
1436 BPF_ASSERT(Syscall::Call(__NR_uname, (testcase), (arg)) == (expected_value))
1437
1438 // Our uname() system call returns ErrorCode(1) for success and
1439 // ErrorCode(0) for failure. Syscall::Call() turns this into an
1440 // exit code of -1 or 0.
1441 #define EXPECT_FAILURE 0
1442 #define EXPECT_SUCCESS -1
1443
1444 // A couple of our tests behave differently on 32bit and 64bit systems, as
1445 // there is no way for a 32bit system call to pass in a 64bit system call
1446 // argument "arg".
1447 // We expect these tests to succeed on 64bit systems, but to tail on 32bit
1448 // systems.
1449 #define EXPT64_SUCCESS (sizeof(void*) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE)
BPF_TEST_C(SandboxBPF,AllBitTests,AllBitTestPolicy)1450 BPF_TEST_C(SandboxBPF, AllBitTests, AllBitTestPolicy) {
1451 // 32bit test: all of 0x0 (should always be true)
1452 BITMASK_TEST( 0, 0, ALLBITS32, 0, EXPECT_SUCCESS);
1453 BITMASK_TEST( 0, 1, ALLBITS32, 0, EXPECT_SUCCESS);
1454 BITMASK_TEST( 0, 3, ALLBITS32, 0, EXPECT_SUCCESS);
1455 BITMASK_TEST( 0, 0xFFFFFFFFU, ALLBITS32, 0, EXPECT_SUCCESS);
1456 BITMASK_TEST( 0, -1LL, ALLBITS32, 0, EXPECT_SUCCESS);
1457
1458 // 32bit test: all of 0x1
1459 BITMASK_TEST( 1, 0, ALLBITS32, 0x1, EXPECT_FAILURE);
1460 BITMASK_TEST( 1, 1, ALLBITS32, 0x1, EXPECT_SUCCESS);
1461 BITMASK_TEST( 1, 2, ALLBITS32, 0x1, EXPECT_FAILURE);
1462 BITMASK_TEST( 1, 3, ALLBITS32, 0x1, EXPECT_SUCCESS);
1463
1464 // 32bit test: all of 0x3
1465 BITMASK_TEST( 2, 0, ALLBITS32, 0x3, EXPECT_FAILURE);
1466 BITMASK_TEST( 2, 1, ALLBITS32, 0x3, EXPECT_FAILURE);
1467 BITMASK_TEST( 2, 2, ALLBITS32, 0x3, EXPECT_FAILURE);
1468 BITMASK_TEST( 2, 3, ALLBITS32, 0x3, EXPECT_SUCCESS);
1469 BITMASK_TEST( 2, 7, ALLBITS32, 0x3, EXPECT_SUCCESS);
1470
1471 // 32bit test: all of 0x80000000
1472 BITMASK_TEST( 3, 0, ALLBITS32, 0x80000000, EXPECT_FAILURE);
1473 BITMASK_TEST( 3, 0x40000000U, ALLBITS32, 0x80000000, EXPECT_FAILURE);
1474 BITMASK_TEST( 3, 0x80000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS);
1475 BITMASK_TEST( 3, 0xC0000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS);
1476 BITMASK_TEST( 3, -0x80000000LL, ALLBITS32, 0x80000000, EXPECT_SUCCESS);
1477
1478 // 64bit test: all of 0x0 (should always be true)
1479 BITMASK_TEST( 4, 0, ALLBITS64, 0, EXPECT_SUCCESS);
1480 BITMASK_TEST( 4, 1, ALLBITS64, 0, EXPECT_SUCCESS);
1481 BITMASK_TEST( 4, 3, ALLBITS64, 0, EXPECT_SUCCESS);
1482 BITMASK_TEST( 4, 0xFFFFFFFFU, ALLBITS64, 0, EXPECT_SUCCESS);
1483 BITMASK_TEST( 4, 0x100000000LL, ALLBITS64, 0, EXPECT_SUCCESS);
1484 BITMASK_TEST( 4, 0x300000000LL, ALLBITS64, 0, EXPECT_SUCCESS);
1485 BITMASK_TEST( 4,0x8000000000000000LL, ALLBITS64, 0, EXPECT_SUCCESS);
1486 BITMASK_TEST( 4, -1LL, ALLBITS64, 0, EXPECT_SUCCESS);
1487
1488 // 64bit test: all of 0x1
1489 BITMASK_TEST( 5, 0, ALLBITS64, 1, EXPECT_FAILURE);
1490 BITMASK_TEST( 5, 1, ALLBITS64, 1, EXPECT_SUCCESS);
1491 BITMASK_TEST( 5, 2, ALLBITS64, 1, EXPECT_FAILURE);
1492 BITMASK_TEST( 5, 3, ALLBITS64, 1, EXPECT_SUCCESS);
1493 BITMASK_TEST( 5, 0x100000000LL, ALLBITS64, 1, EXPECT_FAILURE);
1494 BITMASK_TEST( 5, 0x100000001LL, ALLBITS64, 1, EXPECT_SUCCESS);
1495 BITMASK_TEST( 5, 0x100000002LL, ALLBITS64, 1, EXPECT_FAILURE);
1496 BITMASK_TEST( 5, 0x100000003LL, ALLBITS64, 1, EXPECT_SUCCESS);
1497
1498 // 64bit test: all of 0x3
1499 BITMASK_TEST( 6, 0, ALLBITS64, 3, EXPECT_FAILURE);
1500 BITMASK_TEST( 6, 1, ALLBITS64, 3, EXPECT_FAILURE);
1501 BITMASK_TEST( 6, 2, ALLBITS64, 3, EXPECT_FAILURE);
1502 BITMASK_TEST( 6, 3, ALLBITS64, 3, EXPECT_SUCCESS);
1503 BITMASK_TEST( 6, 7, ALLBITS64, 3, EXPECT_SUCCESS);
1504 BITMASK_TEST( 6, 0x100000000LL, ALLBITS64, 3, EXPECT_FAILURE);
1505 BITMASK_TEST( 6, 0x100000001LL, ALLBITS64, 3, EXPECT_FAILURE);
1506 BITMASK_TEST( 6, 0x100000002LL, ALLBITS64, 3, EXPECT_FAILURE);
1507 BITMASK_TEST( 6, 0x100000003LL, ALLBITS64, 3, EXPECT_SUCCESS);
1508 BITMASK_TEST( 6, 0x100000007LL, ALLBITS64, 3, EXPECT_SUCCESS);
1509
1510 // 64bit test: all of 0x80000000
1511 BITMASK_TEST( 7, 0, ALLBITS64, 0x80000000, EXPECT_FAILURE);
1512 BITMASK_TEST( 7, 0x40000000U, ALLBITS64, 0x80000000, EXPECT_FAILURE);
1513 BITMASK_TEST( 7, 0x80000000U, ALLBITS64, 0x80000000, EXPECT_SUCCESS);
1514 BITMASK_TEST( 7, 0xC0000000U, ALLBITS64, 0x80000000, EXPECT_SUCCESS);
1515 BITMASK_TEST( 7, -0x80000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS);
1516 BITMASK_TEST( 7, 0x100000000LL, ALLBITS64, 0x80000000, EXPECT_FAILURE);
1517 BITMASK_TEST( 7, 0x140000000LL, ALLBITS64, 0x80000000, EXPECT_FAILURE);
1518 BITMASK_TEST( 7, 0x180000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS);
1519 BITMASK_TEST( 7, 0x1C0000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS);
1520 BITMASK_TEST( 7, -0x180000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS);
1521
1522 // 64bit test: all of 0x100000000
1523 BITMASK_TEST( 8, 0x000000000LL, ALLBITS64,0x100000000, EXPECT_FAILURE);
1524 BITMASK_TEST( 8, 0x100000000LL, ALLBITS64,0x100000000, EXPT64_SUCCESS);
1525 BITMASK_TEST( 8, 0x200000000LL, ALLBITS64,0x100000000, EXPECT_FAILURE);
1526 BITMASK_TEST( 8, 0x300000000LL, ALLBITS64,0x100000000, EXPT64_SUCCESS);
1527 BITMASK_TEST( 8, 0x000000001LL, ALLBITS64,0x100000000, EXPECT_FAILURE);
1528 BITMASK_TEST( 8, 0x100000001LL, ALLBITS64,0x100000000, EXPT64_SUCCESS);
1529 BITMASK_TEST( 8, 0x200000001LL, ALLBITS64,0x100000000, EXPECT_FAILURE);
1530 BITMASK_TEST( 8, 0x300000001LL, ALLBITS64,0x100000000, EXPT64_SUCCESS);
1531
1532 // 64bit test: all of 0x300000000
1533 BITMASK_TEST( 9, 0x000000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE);
1534 BITMASK_TEST( 9, 0x100000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE);
1535 BITMASK_TEST( 9, 0x200000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE);
1536 BITMASK_TEST( 9, 0x300000000LL, ALLBITS64,0x300000000, EXPT64_SUCCESS);
1537 BITMASK_TEST( 9, 0x700000000LL, ALLBITS64,0x300000000, EXPT64_SUCCESS);
1538 BITMASK_TEST( 9, 0x000000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE);
1539 BITMASK_TEST( 9, 0x100000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE);
1540 BITMASK_TEST( 9, 0x200000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE);
1541 BITMASK_TEST( 9, 0x300000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS);
1542 BITMASK_TEST( 9, 0x700000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS);
1543
1544 // 64bit test: all of 0x100000001
1545 BITMASK_TEST(10, 0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
1546 BITMASK_TEST(10, 0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
1547 BITMASK_TEST(10, 0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
1548 BITMASK_TEST(10, 0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS);
1549 BITMASK_TEST(10, 0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE);
1550 BITMASK_TEST(10, -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS);
1551 }
1552
1553 class AnyBitTestPolicy : public SandboxBPFPolicy {
1554 public:
AnyBitTestPolicy()1555 AnyBitTestPolicy() {}
1556 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
1557 int sysno) const OVERRIDE;
1558
1559 private:
1560 DISALLOW_COPY_AND_ASSIGN(AnyBitTestPolicy);
1561 };
1562
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const1563 ErrorCode AnyBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
1564 int sysno) const {
1565 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
1566 // Test the OP_HAS_ANY_BITS conditional test operator with a couple of
1567 // different bitmasks. We try to find bitmasks that could conceivably
1568 // touch corner cases.
1569 // For all of these tests, we override the uname(). We can make use with
1570 // a single system call number, as we use the first system call argument to
1571 // select the different bit masks that we want to test against.
1572 if (sysno == __NR_uname) {
1573 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
1574 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
1575 0x0,
1576 ErrorCode(1), ErrorCode(0)),
1577
1578 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
1579 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
1580 0x1,
1581 ErrorCode(1), ErrorCode(0)),
1582
1583 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
1584 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
1585 0x3,
1586 ErrorCode(1), ErrorCode(0)),
1587
1588 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
1589 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
1590 0x80000000,
1591 ErrorCode(1), ErrorCode(0)),
1592
1593 // All the following tests don't really make much sense on 32bit
1594 // systems. They will always evaluate as false.
1595 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
1596 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1597 0x0,
1598 ErrorCode(1), ErrorCode(0)),
1599
1600 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
1601 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1602 0x1,
1603 ErrorCode(1), ErrorCode(0)),
1604
1605 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
1606 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1607 0x3,
1608 ErrorCode(1), ErrorCode(0)),
1609
1610 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
1611 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1612 0x80000000,
1613 ErrorCode(1), ErrorCode(0)),
1614
1615 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
1616 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1617 0x100000000ULL,
1618 ErrorCode(1), ErrorCode(0)),
1619
1620 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
1621 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1622 0x300000000ULL,
1623 ErrorCode(1), ErrorCode(0)),
1624
1625 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
1626 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
1627 0x100000001ULL,
1628 ErrorCode(1), ErrorCode(0)),
1629
1630 sandbox->Kill("Invalid test case number"))))))))))));
1631 }
1632 return ErrorCode(ErrorCode::ERR_ALLOWED);
1633 }
1634
BPF_TEST_C(SandboxBPF,AnyBitTests,AnyBitTestPolicy)1635 BPF_TEST_C(SandboxBPF, AnyBitTests, AnyBitTestPolicy) {
1636 // 32bit test: any of 0x0 (should always be false)
1637 BITMASK_TEST( 0, 0, ANYBITS32, 0x0, EXPECT_FAILURE);
1638 BITMASK_TEST( 0, 1, ANYBITS32, 0x0, EXPECT_FAILURE);
1639 BITMASK_TEST( 0, 3, ANYBITS32, 0x0, EXPECT_FAILURE);
1640 BITMASK_TEST( 0, 0xFFFFFFFFU, ANYBITS32, 0x0, EXPECT_FAILURE);
1641 BITMASK_TEST( 0, -1LL, ANYBITS32, 0x0, EXPECT_FAILURE);
1642
1643 // 32bit test: any of 0x1
1644 BITMASK_TEST( 1, 0, ANYBITS32, 0x1, EXPECT_FAILURE);
1645 BITMASK_TEST( 1, 1, ANYBITS32, 0x1, EXPECT_SUCCESS);
1646 BITMASK_TEST( 1, 2, ANYBITS32, 0x1, EXPECT_FAILURE);
1647 BITMASK_TEST( 1, 3, ANYBITS32, 0x1, EXPECT_SUCCESS);
1648
1649 // 32bit test: any of 0x3
1650 BITMASK_TEST( 2, 0, ANYBITS32, 0x3, EXPECT_FAILURE);
1651 BITMASK_TEST( 2, 1, ANYBITS32, 0x3, EXPECT_SUCCESS);
1652 BITMASK_TEST( 2, 2, ANYBITS32, 0x3, EXPECT_SUCCESS);
1653 BITMASK_TEST( 2, 3, ANYBITS32, 0x3, EXPECT_SUCCESS);
1654 BITMASK_TEST( 2, 7, ANYBITS32, 0x3, EXPECT_SUCCESS);
1655
1656 // 32bit test: any of 0x80000000
1657 BITMASK_TEST( 3, 0, ANYBITS32, 0x80000000, EXPECT_FAILURE);
1658 BITMASK_TEST( 3, 0x40000000U, ANYBITS32, 0x80000000, EXPECT_FAILURE);
1659 BITMASK_TEST( 3, 0x80000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS);
1660 BITMASK_TEST( 3, 0xC0000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS);
1661 BITMASK_TEST( 3, -0x80000000LL, ANYBITS32, 0x80000000, EXPECT_SUCCESS);
1662
1663 // 64bit test: any of 0x0 (should always be false)
1664 BITMASK_TEST( 4, 0, ANYBITS64, 0x0, EXPECT_FAILURE);
1665 BITMASK_TEST( 4, 1, ANYBITS64, 0x0, EXPECT_FAILURE);
1666 BITMASK_TEST( 4, 3, ANYBITS64, 0x0, EXPECT_FAILURE);
1667 BITMASK_TEST( 4, 0xFFFFFFFFU, ANYBITS64, 0x0, EXPECT_FAILURE);
1668 BITMASK_TEST( 4, 0x100000000LL, ANYBITS64, 0x0, EXPECT_FAILURE);
1669 BITMASK_TEST( 4, 0x300000000LL, ANYBITS64, 0x0, EXPECT_FAILURE);
1670 BITMASK_TEST( 4,0x8000000000000000LL, ANYBITS64, 0x0, EXPECT_FAILURE);
1671 BITMASK_TEST( 4, -1LL, ANYBITS64, 0x0, EXPECT_FAILURE);
1672
1673 // 64bit test: any of 0x1
1674 BITMASK_TEST( 5, 0, ANYBITS64, 0x1, EXPECT_FAILURE);
1675 BITMASK_TEST( 5, 1, ANYBITS64, 0x1, EXPECT_SUCCESS);
1676 BITMASK_TEST( 5, 2, ANYBITS64, 0x1, EXPECT_FAILURE);
1677 BITMASK_TEST( 5, 3, ANYBITS64, 0x1, EXPECT_SUCCESS);
1678 BITMASK_TEST( 5, 0x100000001LL, ANYBITS64, 0x1, EXPECT_SUCCESS);
1679 BITMASK_TEST( 5, 0x100000000LL, ANYBITS64, 0x1, EXPECT_FAILURE);
1680 BITMASK_TEST( 5, 0x100000002LL, ANYBITS64, 0x1, EXPECT_FAILURE);
1681 BITMASK_TEST( 5, 0x100000003LL, ANYBITS64, 0x1, EXPECT_SUCCESS);
1682
1683 // 64bit test: any of 0x3
1684 BITMASK_TEST( 6, 0, ANYBITS64, 0x3, EXPECT_FAILURE);
1685 BITMASK_TEST( 6, 1, ANYBITS64, 0x3, EXPECT_SUCCESS);
1686 BITMASK_TEST( 6, 2, ANYBITS64, 0x3, EXPECT_SUCCESS);
1687 BITMASK_TEST( 6, 3, ANYBITS64, 0x3, EXPECT_SUCCESS);
1688 BITMASK_TEST( 6, 7, ANYBITS64, 0x3, EXPECT_SUCCESS);
1689 BITMASK_TEST( 6, 0x100000000LL, ANYBITS64, 0x3, EXPECT_FAILURE);
1690 BITMASK_TEST( 6, 0x100000001LL, ANYBITS64, 0x3, EXPECT_SUCCESS);
1691 BITMASK_TEST( 6, 0x100000002LL, ANYBITS64, 0x3, EXPECT_SUCCESS);
1692 BITMASK_TEST( 6, 0x100000003LL, ANYBITS64, 0x3, EXPECT_SUCCESS);
1693 BITMASK_TEST( 6, 0x100000007LL, ANYBITS64, 0x3, EXPECT_SUCCESS);
1694
1695 // 64bit test: any of 0x80000000
1696 BITMASK_TEST( 7, 0, ANYBITS64, 0x80000000, EXPECT_FAILURE);
1697 BITMASK_TEST( 7, 0x40000000U, ANYBITS64, 0x80000000, EXPECT_FAILURE);
1698 BITMASK_TEST( 7, 0x80000000U, ANYBITS64, 0x80000000, EXPECT_SUCCESS);
1699 BITMASK_TEST( 7, 0xC0000000U, ANYBITS64, 0x80000000, EXPECT_SUCCESS);
1700 BITMASK_TEST( 7, -0x80000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS);
1701 BITMASK_TEST( 7, 0x100000000LL, ANYBITS64, 0x80000000, EXPECT_FAILURE);
1702 BITMASK_TEST( 7, 0x140000000LL, ANYBITS64, 0x80000000, EXPECT_FAILURE);
1703 BITMASK_TEST( 7, 0x180000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS);
1704 BITMASK_TEST( 7, 0x1C0000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS);
1705 BITMASK_TEST( 7, -0x180000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS);
1706
1707 // 64bit test: any of 0x100000000
1708 BITMASK_TEST( 8, 0x000000000LL, ANYBITS64,0x100000000, EXPECT_FAILURE);
1709 BITMASK_TEST( 8, 0x100000000LL, ANYBITS64,0x100000000, EXPT64_SUCCESS);
1710 BITMASK_TEST( 8, 0x200000000LL, ANYBITS64,0x100000000, EXPECT_FAILURE);
1711 BITMASK_TEST( 8, 0x300000000LL, ANYBITS64,0x100000000, EXPT64_SUCCESS);
1712 BITMASK_TEST( 8, 0x000000001LL, ANYBITS64,0x100000000, EXPECT_FAILURE);
1713 BITMASK_TEST( 8, 0x100000001LL, ANYBITS64,0x100000000, EXPT64_SUCCESS);
1714 BITMASK_TEST( 8, 0x200000001LL, ANYBITS64,0x100000000, EXPECT_FAILURE);
1715 BITMASK_TEST( 8, 0x300000001LL, ANYBITS64,0x100000000, EXPT64_SUCCESS);
1716
1717 // 64bit test: any of 0x300000000
1718 BITMASK_TEST( 9, 0x000000000LL, ANYBITS64,0x300000000, EXPECT_FAILURE);
1719 BITMASK_TEST( 9, 0x100000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1720 BITMASK_TEST( 9, 0x200000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1721 BITMASK_TEST( 9, 0x300000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1722 BITMASK_TEST( 9, 0x700000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1723 BITMASK_TEST( 9, 0x000000001LL, ANYBITS64,0x300000000, EXPECT_FAILURE);
1724 BITMASK_TEST( 9, 0x100000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1725 BITMASK_TEST( 9, 0x200000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1726 BITMASK_TEST( 9, 0x300000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1727 BITMASK_TEST( 9, 0x700000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
1728
1729 // 64bit test: any of 0x100000001
1730 BITMASK_TEST( 10, 0x000000000LL, ANYBITS64,0x100000001, EXPECT_FAILURE);
1731 BITMASK_TEST( 10, 0x000000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);
1732 BITMASK_TEST( 10, 0x100000000LL, ANYBITS64,0x100000001, EXPT64_SUCCESS);
1733 BITMASK_TEST( 10, 0x100000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);
1734 BITMASK_TEST( 10, 0xFFFFFFFFU, ANYBITS64,0x100000001, EXPECT_SUCCESS);
1735 BITMASK_TEST( 10, -1L, ANYBITS64,0x100000001, EXPECT_SUCCESS);
1736 }
1737
PthreadTrapHandler(const struct arch_seccomp_data & args,void * aux)1738 intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void* aux) {
1739 if (args.args[0] != (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD)) {
1740 // We expect to get called for an attempt to fork(). No need to log that
1741 // call. But if we ever get called for anything else, we want to verbosely
1742 // print as much information as possible.
1743 const char* msg = (const char*)aux;
1744 printf(
1745 "Clone() was called with unexpected arguments\n"
1746 " nr: %d\n"
1747 " 1: 0x%llX\n"
1748 " 2: 0x%llX\n"
1749 " 3: 0x%llX\n"
1750 " 4: 0x%llX\n"
1751 " 5: 0x%llX\n"
1752 " 6: 0x%llX\n"
1753 "%s\n",
1754 args.nr,
1755 (long long)args.args[0],
1756 (long long)args.args[1],
1757 (long long)args.args[2],
1758 (long long)args.args[3],
1759 (long long)args.args[4],
1760 (long long)args.args[5],
1761 msg);
1762 }
1763 return -EPERM;
1764 }
1765
1766 class PthreadPolicyEquality : public SandboxBPFPolicy {
1767 public:
PthreadPolicyEquality()1768 PthreadPolicyEquality() {}
1769 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
1770 int sysno) const OVERRIDE;
1771
1772 private:
1773 DISALLOW_COPY_AND_ASSIGN(PthreadPolicyEquality);
1774 };
1775
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const1776 ErrorCode PthreadPolicyEquality::EvaluateSyscall(SandboxBPF* sandbox,
1777 int sysno) const {
1778 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
1779 // This policy allows creating threads with pthread_create(). But it
1780 // doesn't allow any other uses of clone(). Most notably, it does not
1781 // allow callers to implement fork() or vfork() by passing suitable flags
1782 // to the clone() system call.
1783 if (sysno == __NR_clone) {
1784 // We have seen two different valid combinations of flags. Glibc
1785 // uses the more modern flags, sets the TLS from the call to clone(), and
1786 // uses futexes to monitor threads. Android's C run-time library, doesn't
1787 // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
1788 // More recent versions of Android don't set CLONE_DETACHED anymore, so
1789 // the last case accounts for that.
1790 // The following policy is very strict. It only allows the exact masks
1791 // that we have seen in known implementations. It is probably somewhat
1792 // stricter than what we would want to do.
1793 const uint64_t kGlibcCloneMask =
1794 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
1795 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
1796 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
1797 const uint64_t kBaseAndroidCloneMask =
1798 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
1799 CLONE_THREAD | CLONE_SYSVSEM;
1800 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
1801 kGlibcCloneMask,
1802 ErrorCode(ErrorCode::ERR_ALLOWED),
1803 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
1804 kBaseAndroidCloneMask | CLONE_DETACHED,
1805 ErrorCode(ErrorCode::ERR_ALLOWED),
1806 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
1807 kBaseAndroidCloneMask,
1808 ErrorCode(ErrorCode::ERR_ALLOWED),
1809 sandbox->Trap(PthreadTrapHandler, "Unknown mask"))));
1810 }
1811 return ErrorCode(ErrorCode::ERR_ALLOWED);
1812 }
1813
1814 class PthreadPolicyBitMask : public SandboxBPFPolicy {
1815 public:
PthreadPolicyBitMask()1816 PthreadPolicyBitMask() {}
1817 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
1818 int sysno) const OVERRIDE;
1819
1820 private:
1821 DISALLOW_COPY_AND_ASSIGN(PthreadPolicyBitMask);
1822 };
1823
EvaluateSyscall(SandboxBPF * sandbox,int sysno) const1824 ErrorCode PthreadPolicyBitMask::EvaluateSyscall(SandboxBPF* sandbox,
1825 int sysno) const {
1826 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
1827 // This policy allows creating threads with pthread_create(). But it
1828 // doesn't allow any other uses of clone(). Most notably, it does not
1829 // allow callers to implement fork() or vfork() by passing suitable flags
1830 // to the clone() system call.
1831 if (sysno == __NR_clone) {
1832 // We have seen two different valid combinations of flags. Glibc
1833 // uses the more modern flags, sets the TLS from the call to clone(), and
1834 // uses futexes to monitor threads. Android's C run-time library, doesn't
1835 // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
1836 // The following policy allows for either combination of flags, but it
1837 // is generally a little more conservative than strictly necessary. We
1838 // err on the side of rather safe than sorry.
1839 // Very noticeably though, we disallow fork() (which is often just a
1840 // wrapper around clone()).
1841 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
1842 ~uint32(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
1843 CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|
1844 CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|
1845 CLONE_DETACHED),
1846 sandbox->Trap(PthreadTrapHandler,
1847 "Unexpected CLONE_XXX flag found"),
1848 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
1849 CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
1850 CLONE_THREAD|CLONE_SYSVSEM,
1851 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
1852 CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
1853 ErrorCode(ErrorCode::ERR_ALLOWED),
1854 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
1855 CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
1856 sandbox->Trap(PthreadTrapHandler,
1857 "Must set either all or none of the TLS"
1858 " and futex bits in call to clone()"),
1859 ErrorCode(ErrorCode::ERR_ALLOWED))),
1860 sandbox->Trap(PthreadTrapHandler,
1861 "Missing mandatory CLONE_XXX flags "
1862 "when creating new thread")));
1863 }
1864 return ErrorCode(ErrorCode::ERR_ALLOWED);
1865 }
1866
ThreadFnc(void * arg)1867 static void* ThreadFnc(void* arg) {
1868 ++*reinterpret_cast<int*>(arg);
1869 Syscall::Call(__NR_futex, arg, FUTEX_WAKE, 1, 0, 0, 0);
1870 return NULL;
1871 }
1872
PthreadTest()1873 static void PthreadTest() {
1874 // Attempt to start a joinable thread. This should succeed.
1875 pthread_t thread;
1876 int thread_ran = 0;
1877 BPF_ASSERT(!pthread_create(&thread, NULL, ThreadFnc, &thread_ran));
1878 BPF_ASSERT(!pthread_join(thread, NULL));
1879 BPF_ASSERT(thread_ran);
1880
1881 // Attempt to start a detached thread. This should succeed.
1882 thread_ran = 0;
1883 pthread_attr_t attr;
1884 BPF_ASSERT(!pthread_attr_init(&attr));
1885 BPF_ASSERT(!pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED));
1886 BPF_ASSERT(!pthread_create(&thread, &attr, ThreadFnc, &thread_ran));
1887 BPF_ASSERT(!pthread_attr_destroy(&attr));
1888 while (Syscall::Call(__NR_futex, &thread_ran, FUTEX_WAIT, 0, 0, 0, 0) ==
1889 -EINTR) {
1890 }
1891 BPF_ASSERT(thread_ran);
1892
1893 // Attempt to fork() a process using clone(). This should fail. We use the
1894 // same flags that glibc uses when calling fork(). But we don't actually
1895 // try calling the fork() implementation in the C run-time library, as
1896 // run-time libraries other than glibc might call __NR_fork instead of
1897 // __NR_clone, and that would introduce a bogus test failure.
1898 int pid;
1899 BPF_ASSERT(Syscall::Call(__NR_clone,
1900 CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD,
1901 0,
1902 0,
1903 &pid) == -EPERM);
1904 }
1905
BPF_TEST_C(SandboxBPF,PthreadEquality,PthreadPolicyEquality)1906 BPF_TEST_C(SandboxBPF, PthreadEquality, PthreadPolicyEquality) {
1907 PthreadTest();
1908 }
1909
BPF_TEST_C(SandboxBPF,PthreadBitMask,PthreadPolicyBitMask)1910 BPF_TEST_C(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) {
1911 PthreadTest();
1912 }
1913
1914 // libc might not define these even though the kernel supports it.
1915 #ifndef PTRACE_O_TRACESECCOMP
1916 #define PTRACE_O_TRACESECCOMP 0x00000080
1917 #endif
1918
1919 #ifdef PTRACE_EVENT_SECCOMP
1920 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP)
1921 #else
1922 // When Debian/Ubuntu backported seccomp-bpf support into earlier kernels, they
1923 // changed the value of PTRACE_EVENT_SECCOMP from 7 to 8, since 7 was taken by
1924 // PTRACE_EVENT_STOP (upstream chose to renumber PTRACE_EVENT_STOP to 128). If
1925 // PTRACE_EVENT_SECCOMP isn't defined, we have no choice but to consider both
1926 // values here.
1927 #define IS_SECCOMP_EVENT(status) ((status >> 16) == 7 || (status >> 16) == 8)
1928 #endif
1929
1930 #if defined(__arm__)
1931 #ifndef PTRACE_SET_SYSCALL
1932 #define PTRACE_SET_SYSCALL 23
1933 #endif
1934 #endif
1935
1936 // Changes the syscall to run for a child being sandboxed using seccomp-bpf with
1937 // PTRACE_O_TRACESECCOMP. Should only be called when the child is stopped on
1938 // PTRACE_EVENT_SECCOMP.
1939 //
1940 // regs should contain the current set of registers of the child, obtained using
1941 // PTRACE_GETREGS.
1942 //
1943 // Depending on the architecture, this may modify regs, so the caller is
1944 // responsible for committing these changes using PTRACE_SETREGS.
SetSyscall(pid_t pid,regs_struct * regs,int syscall_number)1945 long SetSyscall(pid_t pid, regs_struct* regs, int syscall_number) {
1946 #if defined(__arm__)
1947 // On ARM, the syscall is changed using PTRACE_SET_SYSCALL. We cannot use the
1948 // libc ptrace call as the request parameter is an enum, and
1949 // PTRACE_SET_SYSCALL may not be in the enum.
1950 return syscall(__NR_ptrace, PTRACE_SET_SYSCALL, pid, NULL, syscall_number);
1951 #endif
1952
1953 SECCOMP_PT_SYSCALL(*regs) = syscall_number;
1954 return 0;
1955 }
1956
1957 const uint16_t kTraceData = 0xcc;
1958
1959 class TraceAllPolicy : public SandboxBPFPolicy {
1960 public:
TraceAllPolicy()1961 TraceAllPolicy() {}
~TraceAllPolicy()1962 virtual ~TraceAllPolicy() {}
1963
EvaluateSyscall(SandboxBPF * sandbox_compiler,int system_call_number) const1964 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
1965 int system_call_number) const OVERRIDE {
1966 return ErrorCode(ErrorCode::ERR_TRACE + kTraceData);
1967 }
1968
1969 private:
1970 DISALLOW_COPY_AND_ASSIGN(TraceAllPolicy);
1971 };
1972
SANDBOX_TEST(SandboxBPF,DISABLE_ON_TSAN (SeccompRetTrace))1973 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) {
1974 if (SandboxBPF::SupportsSeccompSandbox(-1) !=
1975 sandbox::SandboxBPF::STATUS_AVAILABLE) {
1976 return;
1977 }
1978
1979 #if defined(__arm__)
1980 printf("This test is currently disabled on ARM due to a kernel bug.");
1981 return;
1982 #endif
1983
1984 pid_t pid = fork();
1985 BPF_ASSERT_NE(-1, pid);
1986 if (pid == 0) {
1987 pid_t my_pid = getpid();
1988 BPF_ASSERT_NE(-1, ptrace(PTRACE_TRACEME, -1, NULL, NULL));
1989 BPF_ASSERT_EQ(0, raise(SIGSTOP));
1990 SandboxBPF sandbox;
1991 sandbox.SetSandboxPolicy(new TraceAllPolicy);
1992 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
1993
1994 // getpid is allowed.
1995 BPF_ASSERT_EQ(my_pid, syscall(__NR_getpid));
1996
1997 // write to stdout is skipped and returns a fake value.
1998 BPF_ASSERT_EQ(kExpectedReturnValue,
1999 syscall(__NR_write, STDOUT_FILENO, "A", 1));
2000
2001 // kill is rewritten to exit(kExpectedReturnValue).
2002 syscall(__NR_kill, my_pid, SIGKILL);
2003
2004 // Should not be reached.
2005 BPF_ASSERT(false);
2006 }
2007
2008 int status;
2009 BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, WUNTRACED)) != -1);
2010 BPF_ASSERT(WIFSTOPPED(status));
2011
2012 BPF_ASSERT_NE(-1, ptrace(PTRACE_SETOPTIONS, pid, NULL,
2013 reinterpret_cast<void*>(PTRACE_O_TRACESECCOMP)));
2014 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL));
2015 while (true) {
2016 BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, 0)) != -1);
2017 if (WIFEXITED(status) || WIFSIGNALED(status)) {
2018 BPF_ASSERT(WIFEXITED(status));
2019 BPF_ASSERT_EQ(kExpectedReturnValue, WEXITSTATUS(status));
2020 break;
2021 }
2022
2023 if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP ||
2024 !IS_SECCOMP_EVENT(status)) {
2025 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL));
2026 continue;
2027 }
2028
2029 unsigned long data;
2030 BPF_ASSERT_NE(-1, ptrace(PTRACE_GETEVENTMSG, pid, NULL, &data));
2031 BPF_ASSERT_EQ(kTraceData, data);
2032
2033 regs_struct regs;
2034 BPF_ASSERT_NE(-1, ptrace(PTRACE_GETREGS, pid, NULL, ®s));
2035 switch (SECCOMP_PT_SYSCALL(regs)) {
2036 case __NR_write:
2037 // Skip writes to stdout, make it return kExpectedReturnValue. Allow
2038 // writes to stderr so that BPF_ASSERT messages show up.
2039 if (SECCOMP_PT_PARM1(regs) == STDOUT_FILENO) {
2040 BPF_ASSERT_NE(-1, SetSyscall(pid, ®s, -1));
2041 SECCOMP_PT_RESULT(regs) = kExpectedReturnValue;
2042 BPF_ASSERT_NE(-1, ptrace(PTRACE_SETREGS, pid, NULL, ®s));
2043 }
2044 break;
2045
2046 case __NR_kill:
2047 // Rewrite to exit(kExpectedReturnValue).
2048 BPF_ASSERT_NE(-1, SetSyscall(pid, ®s, __NR_exit));
2049 SECCOMP_PT_PARM1(regs) = kExpectedReturnValue;
2050 BPF_ASSERT_NE(-1, ptrace(PTRACE_SETREGS, pid, NULL, ®s));
2051 break;
2052
2053 default:
2054 // Allow all other syscalls.
2055 break;
2056 }
2057
2058 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL));
2059 }
2060 }
2061
2062 } // namespace
2063
2064 } // namespace sandbox
2065