• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h"
6 
7 #include <fcntl.h>
8 #include <linux/filter.h>
9 
10 #include "base/logging.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "sandbox/linux/seccomp-bpf/die.h"
13 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
14 #include "sandbox/linux/tests/unit_tests.h"
15 
16 namespace sandbox {
17 
SandboxBPFTestRunner(BPFTesterDelegate * bpf_tester_delegate)18 SandboxBPFTestRunner::SandboxBPFTestRunner(
19     BPFTesterDelegate* bpf_tester_delegate)
20     : bpf_tester_delegate_(bpf_tester_delegate) {
21 }
22 
~SandboxBPFTestRunner()23 SandboxBPFTestRunner::~SandboxBPFTestRunner() {
24 }
25 
Run()26 void SandboxBPFTestRunner::Run() {
27   DCHECK(bpf_tester_delegate_);
28   sandbox::Die::EnableSimpleExit();
29 
30   scoped_ptr<SandboxBPFPolicy> policy =
31       bpf_tester_delegate_->GetSandboxBPFPolicy();
32 
33   if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
34       sandbox::SandboxBPF::STATUS_AVAILABLE) {
35     // Ensure the the sandbox is actually available at this time
36     int proc_fd;
37     SANDBOX_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0);
38     SANDBOX_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) ==
39                    sandbox::SandboxBPF::STATUS_AVAILABLE);
40 
41     // Initialize and then start the sandbox with our custom policy
42     sandbox::SandboxBPF sandbox;
43     sandbox.set_proc_fd(proc_fd);
44     sandbox.SetSandboxPolicy(policy.release());
45     SANDBOX_ASSERT(
46         sandbox.StartSandbox(sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
47 
48     // Run the actual test.
49     bpf_tester_delegate_->RunTestFunction();
50   } else {
51     printf("This BPF test is not fully running in this configuration!\n");
52     // Android and Valgrind are the only configurations where we accept not
53     // having kernel BPF support.
54     if (!IsAndroid() && !IsRunningOnValgrind()) {
55       const bool seccomp_bpf_is_supported = false;
56       SANDBOX_ASSERT(seccomp_bpf_is_supported);
57     }
58     // Call the compiler and verify the policy. That's the least we can do,
59     // if we don't have kernel support.
60     sandbox::SandboxBPF sandbox;
61     sandbox.SetSandboxPolicy(policy.release());
62     sandbox::SandboxBPF::Program* program =
63         sandbox.AssembleFilter(true /* force_verification */);
64     delete program;
65     sandbox::UnitTests::IgnoreThisTest();
66   }
67 }
68 
ShouldCheckForLeaks() const69 bool SandboxBPFTestRunner::ShouldCheckForLeaks() const {
70   // LSAN requires being able to use ptrace() and other system calls that could
71   // be denied.
72   return false;
73 }
74 
75 }  // namespace sandbox
76