1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include <errno.h> 6 #include <pthread.h> 7 #include <sched.h> 8 #include <sys/prctl.h> 9 #include <sys/syscall.h> 10 #include <sys/time.h> 11 #include <sys/types.h> 12 #include <sys/utsname.h> 13 #include <unistd.h> 14 15 #if defined(ANDROID) 16 // Work-around for buggy headers in Android's NDK 17 #define __user 18 #endif 19 #include <linux/futex.h> 20 21 #include <ostream> 22 23 #include "base/memory/scoped_ptr.h" 24 #include "build/build_config.h" 25 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" 26 #include "sandbox/linux/seccomp-bpf/syscall.h" 27 #include "sandbox/linux/seccomp-bpf/trap.h" 28 #include "sandbox/linux/seccomp-bpf/verifier.h" 29 #include "sandbox/linux/services/broker_process.h" 30 #include "sandbox/linux/services/linux_syscalls.h" 31 #include "sandbox/linux/tests/unit_tests.h" 32 #include "testing/gtest/include/gtest/gtest.h" 33 34 // Workaround for Android's prctl.h file. 35 #ifndef PR_GET_ENDIAN 36 #define PR_GET_ENDIAN 19 37 #endif 38 #ifndef PR_CAPBSET_READ 39 #define PR_CAPBSET_READ 23 40 #define PR_CAPBSET_DROP 24 41 #endif 42 43 using namespace playground2; 44 using sandbox::BrokerProcess; 45 46 namespace { 47 48 const int kExpectedReturnValue = 42; 49 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING"; 50 51 // This test should execute no matter whether we have kernel support. So, 52 // we make it a TEST() instead of a BPF_TEST(). 53 TEST(SandboxBpf, CallSupports) { 54 // We check that we don't crash, but it's ok if the kernel doesn't 55 // support it. 56 bool seccomp_bpf_supported = 57 Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE; 58 // We want to log whether or not seccomp BPF is actually supported 59 // since actual test coverage depends on it. 60 RecordProperty("SeccompBPFSupported", 61 seccomp_bpf_supported ? "true." : "false."); 62 std::cout << "Seccomp BPF supported: " 63 << (seccomp_bpf_supported ? "true." : "false.") 64 << "\n"; 65 RecordProperty("PointerSize", sizeof(void*)); 66 std::cout << "Pointer size: " << sizeof(void*) << "\n"; 67 } 68 69 SANDBOX_TEST(SandboxBpf, CallSupportsTwice) { 70 Sandbox::SupportsSeccompSandbox(-1); 71 Sandbox::SupportsSeccompSandbox(-1); 72 } 73 74 // BPF_TEST does a lot of the boiler-plate code around setting up a 75 // policy and optional passing data between the caller, the policy and 76 // any Trap() handlers. This is great for writing short and concise tests, 77 // and it helps us accidentally forgetting any of the crucial steps in 78 // setting up the sandbox. But it wouldn't hurt to have at least one test 79 // that explicitly walks through all these steps. 80 81 intptr_t FakeGetPid(const struct arch_seccomp_data& args, void *aux) { 82 BPF_ASSERT(aux); 83 pid_t *pid_ptr = static_cast<pid_t *>(aux); 84 return (*pid_ptr)++; 85 } 86 87 ErrorCode VerboseAPITestingPolicy(Sandbox *sandbox, int sysno, void *aux) { 88 if (!Sandbox::IsValidSyscallNumber(sysno)) { 89 return ErrorCode(ENOSYS); 90 } else if (sysno == __NR_getpid) { 91 return sandbox->Trap(FakeGetPid, aux); 92 } else { 93 return ErrorCode(ErrorCode::ERR_ALLOWED); 94 } 95 } 96 97 SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) { 98 if (Sandbox::SupportsSeccompSandbox(-1) == 99 playground2::Sandbox::STATUS_AVAILABLE) { 100 pid_t test_var = 0; 101 Sandbox sandbox; 102 sandbox.SetSandboxPolicy(VerboseAPITestingPolicy, &test_var); 103 sandbox.StartSandbox(); 104 105 BPF_ASSERT(test_var == 0); 106 BPF_ASSERT(syscall(__NR_getpid) == 0); 107 BPF_ASSERT(test_var == 1); 108 BPF_ASSERT(syscall(__NR_getpid) == 1); 109 BPF_ASSERT(test_var == 2); 110 111 // N.B.: Any future call to getpid() would corrupt the stack. 112 // This is OK. The SANDBOX_TEST() macro is guaranteed to 113 // only ever call _exit() after the test completes. 114 } 115 } 116 117 // A simple blacklist test 118 119 ErrorCode BlacklistNanosleepPolicy(Sandbox *, int sysno, void *) { 120 if (!Sandbox::IsValidSyscallNumber(sysno)) { 121 // FIXME: we should really not have to do that in a trivial policy 122 return ErrorCode(ENOSYS); 123 } 124 125 switch (sysno) { 126 case __NR_nanosleep: 127 return ErrorCode(EACCES); 128 default: 129 return ErrorCode(ErrorCode::ERR_ALLOWED); 130 } 131 } 132 133 BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { 134 // nanosleep() should be denied 135 const struct timespec ts = {0, 0}; 136 errno = 0; 137 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1); 138 BPF_ASSERT(errno == EACCES); 139 } 140 141 // Now do a simple whitelist test 142 143 ErrorCode WhitelistGetpidPolicy(Sandbox *, int sysno, void *) { 144 switch (sysno) { 145 case __NR_getpid: 146 case __NR_exit_group: 147 return ErrorCode(ErrorCode::ERR_ALLOWED); 148 default: 149 return ErrorCode(ENOMEM); 150 } 151 } 152 153 BPF_TEST(SandboxBpf, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) { 154 // getpid() should be allowed 155 errno = 0; 156 BPF_ASSERT(syscall(__NR_getpid) > 0); 157 BPF_ASSERT(errno == 0); 158 159 // getpgid() should be denied 160 BPF_ASSERT(getpgid(0) == -1); 161 BPF_ASSERT(errno == ENOMEM); 162 } 163 164 // A simple blacklist policy, with a SIGSYS handler 165 166 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void *aux) { 167 // We also check that the auxiliary data is correct 168 SANDBOX_ASSERT(aux); 169 *(static_cast<int*>(aux)) = kExpectedReturnValue; 170 return -ENOMEM; 171 } 172 173 ErrorCode BlacklistNanosleepPolicySigsys(Sandbox *sandbox, int sysno, 174 void *aux) { 175 if (!Sandbox::IsValidSyscallNumber(sysno)) { 176 // FIXME: we should really not have to do that in a trivial policy 177 return ErrorCode(ENOSYS); 178 } 179 180 switch (sysno) { 181 case __NR_nanosleep: 182 return sandbox->Trap(EnomemHandler, aux); 183 default: 184 return ErrorCode(ErrorCode::ERR_ALLOWED); 185 } 186 } 187 188 BPF_TEST(SandboxBpf, BasicBlacklistWithSigsys, 189 BlacklistNanosleepPolicySigsys, int /* BPF_AUX */) { 190 // getpid() should work properly 191 errno = 0; 192 BPF_ASSERT(syscall(__NR_getpid) > 0); 193 BPF_ASSERT(errno == 0); 194 195 // Our Auxiliary Data, should be reset by the signal handler 196 BPF_AUX = -1; 197 const struct timespec ts = {0, 0}; 198 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1); 199 BPF_ASSERT(errno == ENOMEM); 200 201 // We expect the signal handler to modify AuxData 202 BPF_ASSERT(BPF_AUX == kExpectedReturnValue); 203 } 204 205 // A simple test that verifies we can return arbitrary errno values. 206 207 ErrorCode ErrnoTestPolicy(Sandbox *, int sysno, void *) { 208 if (!Sandbox::IsValidSyscallNumber(sysno)) { 209 // FIXME: we should really not have to do that in a trivial policy 210 return ErrorCode(ENOSYS); 211 } 212 213 switch (sysno) { 214 case __NR_dup2: 215 // Pretend that dup2() worked, but don't actually do anything. 216 return ErrorCode(0); 217 case __NR_setuid: 218 #if defined(__NR_setuid32) 219 case __NR_setuid32: 220 #endif 221 // Return errno = 1. 222 return ErrorCode(1); 223 case __NR_setgid: 224 #if defined(__NR_setgid32) 225 case __NR_setgid32: 226 #endif 227 // Return maximum errno value (typically 4095). 228 return ErrorCode(ErrorCode::ERR_MAX_ERRNO); 229 case __NR_uname: 230 // Return errno = 42; 231 return ErrorCode(42); 232 default: 233 return ErrorCode(ErrorCode::ERR_ALLOWED); 234 } 235 } 236 237 BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { 238 // Verify that dup2() returns success, but doesn't actually run. 239 int fds[4]; 240 BPF_ASSERT(pipe(fds) == 0); 241 BPF_ASSERT(pipe(fds+2) == 0); 242 BPF_ASSERT(dup2(fds[2], fds[0]) == 0); 243 char buf[1] = { }; 244 BPF_ASSERT(write(fds[1], "\x55", 1) == 1); 245 BPF_ASSERT(write(fds[3], "\xAA", 1) == 1); 246 BPF_ASSERT(read(fds[0], buf, 1) == 1); 247 248 // If dup2() executed, we will read \xAA, but it dup2() has been turned 249 // into a no-op by our policy, then we will read \x55. 250 BPF_ASSERT(buf[0] == '\x55'); 251 252 // Verify that we can return the minimum and maximum errno values. 253 errno = 0; 254 BPF_ASSERT(setuid(0) == -1); 255 BPF_ASSERT(errno == 1); 256 257 // On Android, errno is only supported up to 255, otherwise errno 258 // processing is skipped. 259 // We work around this (crbug.com/181647). 260 if (sandbox::IsAndroid() && setgid(0) != -1) { 261 errno = 0; 262 BPF_ASSERT(setgid(0) == -ErrorCode::ERR_MAX_ERRNO); 263 BPF_ASSERT(errno == 0); 264 } else { 265 errno = 0; 266 BPF_ASSERT(setgid(0) == -1); 267 BPF_ASSERT(errno == ErrorCode::ERR_MAX_ERRNO); 268 } 269 270 // Finally, test an errno in between the minimum and maximum. 271 errno = 0; 272 struct utsname uts_buf; 273 BPF_ASSERT(uname(&uts_buf) == -1); 274 BPF_ASSERT(errno == 42); 275 } 276 277 // Testing the stacking of two sandboxes 278 279 ErrorCode StackingPolicyPartOne(Sandbox *sandbox, int sysno, void *) { 280 if (!Sandbox::IsValidSyscallNumber(sysno)) { 281 return ErrorCode(ENOSYS); 282 } 283 284 switch (sysno) { 285 case __NR_getppid: 286 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 287 ErrorCode(ErrorCode::ERR_ALLOWED), 288 ErrorCode(EPERM)); 289 default: 290 return ErrorCode(ErrorCode::ERR_ALLOWED); 291 } 292 } 293 294 ErrorCode StackingPolicyPartTwo(Sandbox *sandbox, int sysno, void *) { 295 if (!Sandbox::IsValidSyscallNumber(sysno)) { 296 return ErrorCode(ENOSYS); 297 } 298 299 switch (sysno) { 300 case __NR_getppid: 301 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 302 ErrorCode(EINVAL), 303 ErrorCode(ErrorCode::ERR_ALLOWED)); 304 default: 305 return ErrorCode(ErrorCode::ERR_ALLOWED); 306 } 307 } 308 309 BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) { 310 errno = 0; 311 BPF_ASSERT(syscall(__NR_getppid, 0) > 0); 312 BPF_ASSERT(errno == 0); 313 314 BPF_ASSERT(syscall(__NR_getppid, 1) == -1); 315 BPF_ASSERT(errno == EPERM); 316 317 // Stack a second sandbox with its own policy. Verify that we can further 318 // restrict filters, but we cannot relax existing filters. 319 Sandbox sandbox; 320 sandbox.SetSandboxPolicy(StackingPolicyPartTwo, NULL); 321 sandbox.StartSandbox(); 322 323 errno = 0; 324 BPF_ASSERT(syscall(__NR_getppid, 0) == -1); 325 BPF_ASSERT(errno == EINVAL); 326 327 BPF_ASSERT(syscall(__NR_getppid, 1) == -1); 328 BPF_ASSERT(errno == EPERM); 329 } 330 331 // A more complex, but synthetic policy. This tests the correctness of the BPF 332 // program by iterating through all syscalls and checking for an errno that 333 // depends on the syscall number. Unlike the Verifier, this exercises the BPF 334 // interpreter in the kernel. 335 336 // We try to make sure we exercise optimizations in the BPF compiler. We make 337 // sure that the compiler can have an opportunity to coalesce syscalls with 338 // contiguous numbers and we also make sure that disjoint sets can return the 339 // same errno. 340 int SysnoToRandomErrno(int sysno) { 341 // Small contiguous sets of 3 system calls return an errno equal to the 342 // index of that set + 1 (so that we never return a NUL errno). 343 return ((sysno & ~3) >> 2) % 29 + 1; 344 } 345 346 ErrorCode SyntheticPolicy(Sandbox *, int sysno, void *) { 347 if (!Sandbox::IsValidSyscallNumber(sysno)) { 348 // FIXME: we should really not have to do that in a trivial policy 349 return ErrorCode(ENOSYS); 350 } 351 352 // TODO(jorgelo): remove this once the new code generator lands. 353 #if defined(__arm__) 354 if (sysno > static_cast<int>(MAX_PUBLIC_SYSCALL)) { 355 return ErrorCode(ENOSYS); 356 } 357 #endif 358 359 if (sysno == __NR_exit_group || sysno == __NR_write) { 360 // exit_group() is special, we really need it to work. 361 // write() is needed for BPF_ASSERT() to report a useful error message. 362 return ErrorCode(ErrorCode::ERR_ALLOWED); 363 } else { 364 return ErrorCode(SysnoToRandomErrno(sysno)); 365 } 366 } 367 368 BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) { 369 // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int 370 // overflow. 371 BPF_ASSERT( 372 std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >= 373 static_cast<int>(MAX_PUBLIC_SYSCALL)); 374 375 for (int syscall_number = static_cast<int>(MIN_SYSCALL); 376 syscall_number <= static_cast<int>(MAX_PUBLIC_SYSCALL); 377 ++syscall_number) { 378 if (syscall_number == __NR_exit_group || 379 syscall_number == __NR_write) { 380 // exit_group() is special 381 continue; 382 } 383 errno = 0; 384 BPF_ASSERT(syscall(syscall_number) == -1); 385 BPF_ASSERT(errno == SysnoToRandomErrno(syscall_number)); 386 } 387 } 388 389 #if defined(__arm__) 390 // A simple policy that tests whether ARM private system calls are supported 391 // by our BPF compiler and by the BPF interpreter in the kernel. 392 393 // For ARM private system calls, return an errno equal to their offset from 394 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno). 395 int ArmPrivateSysnoToErrno(int sysno) { 396 if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) && 397 sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) { 398 return (sysno - MIN_PRIVATE_SYSCALL) + 1; 399 } else { 400 return ENOSYS; 401 } 402 } 403 404 ErrorCode ArmPrivatePolicy(Sandbox *, int sysno, void *) { 405 if (!Sandbox::IsValidSyscallNumber(sysno)) { 406 // FIXME: we should really not have to do that in a trivial policy. 407 return ErrorCode(ENOSYS); 408 } 409 410 // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual 411 // ARM private system calls. 412 if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) && 413 sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) { 414 return ErrorCode(ArmPrivateSysnoToErrno(sysno)); 415 } else { 416 return ErrorCode(ErrorCode::ERR_ALLOWED); 417 } 418 } 419 420 BPF_TEST(SandboxBpf, ArmPrivatePolicy, ArmPrivatePolicy) { 421 for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1); 422 syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL); 423 ++syscall_number) { 424 errno = 0; 425 BPF_ASSERT(syscall(syscall_number) == -1); 426 BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number)); 427 } 428 } 429 #endif // defined(__arm__) 430 431 intptr_t CountSyscalls(const struct arch_seccomp_data& args, void *aux) { 432 // Count all invocations of our callback function. 433 ++*reinterpret_cast<int *>(aux); 434 435 // Verify that within the callback function all filtering is temporarily 436 // disabled. 437 BPF_ASSERT(syscall(__NR_getpid) > 1); 438 439 // Verify that we can now call the underlying system call without causing 440 // infinite recursion. 441 return Sandbox::ForwardSyscall(args); 442 } 443 444 ErrorCode GreyListedPolicy(Sandbox *sandbox, int sysno, void *aux) { 445 // The use of UnsafeTrap() causes us to print a warning message. This is 446 // generally desirable, but it results in the unittest failing, as it doesn't 447 // expect any messages on "stderr". So, temporarily disable messages. The 448 // BPF_TEST() is guaranteed to turn messages back on, after the policy 449 // function has completed. 450 setenv(kSandboxDebuggingEnv, "t", 0); 451 Die::SuppressInfoMessages(true); 452 453 // Some system calls must always be allowed, if our policy wants to make 454 // use of UnsafeTrap() 455 if (sysno == __NR_rt_sigprocmask || 456 sysno == __NR_rt_sigreturn 457 #if defined(__NR_sigprocmask) 458 || sysno == __NR_sigprocmask 459 #endif 460 #if defined(__NR_sigreturn) 461 || sysno == __NR_sigreturn 462 #endif 463 ) { 464 return ErrorCode(ErrorCode::ERR_ALLOWED); 465 } else if (sysno == __NR_getpid) { 466 // Disallow getpid() 467 return ErrorCode(EPERM); 468 } else if (Sandbox::IsValidSyscallNumber(sysno)) { 469 // Allow (and count) all other system calls. 470 return sandbox->UnsafeTrap(CountSyscalls, aux); 471 } else { 472 return ErrorCode(ENOSYS); 473 } 474 } 475 476 BPF_TEST(SandboxBpf, GreyListedPolicy, 477 GreyListedPolicy, int /* BPF_AUX */) { 478 BPF_ASSERT(syscall(__NR_getpid) == -1); 479 BPF_ASSERT(errno == EPERM); 480 BPF_ASSERT(BPF_AUX == 0); 481 BPF_ASSERT(syscall(__NR_geteuid) == syscall(__NR_getuid)); 482 BPF_ASSERT(BPF_AUX == 2); 483 char name[17] = { }; 484 BPF_ASSERT(!syscall(__NR_prctl, PR_GET_NAME, name, (void *)NULL, 485 (void *)NULL, (void *)NULL)); 486 BPF_ASSERT(BPF_AUX == 3); 487 BPF_ASSERT(*name); 488 } 489 490 SANDBOX_TEST(SandboxBpf, EnableUnsafeTrapsInSigSysHandler) { 491 // Disabling warning messages that could confuse our test framework. 492 setenv(kSandboxDebuggingEnv, "t", 0); 493 Die::SuppressInfoMessages(true); 494 495 unsetenv(kSandboxDebuggingEnv); 496 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == false); 497 setenv(kSandboxDebuggingEnv, "", 1); 498 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == false); 499 setenv(kSandboxDebuggingEnv, "t", 1); 500 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == true); 501 } 502 503 intptr_t PrctlHandler(const struct arch_seccomp_data& args, void *) { 504 if (args.args[0] == PR_CAPBSET_DROP && 505 static_cast<int>(args.args[1]) == -1) { 506 // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always 507 // return an error. But our handler allows this call. 508 return 0; 509 } else { 510 return Sandbox::ForwardSyscall(args); 511 } 512 } 513 514 ErrorCode PrctlPolicy(Sandbox *sandbox, int sysno, void *aux) { 515 setenv(kSandboxDebuggingEnv, "t", 0); 516 Die::SuppressInfoMessages(true); 517 518 if (sysno == __NR_prctl) { 519 // Handle prctl() inside an UnsafeTrap() 520 return sandbox->UnsafeTrap(PrctlHandler, NULL); 521 } else if (Sandbox::IsValidSyscallNumber(sysno)) { 522 // Allow all other system calls. 523 return ErrorCode(ErrorCode::ERR_ALLOWED); 524 } else { 525 return ErrorCode(ENOSYS); 526 } 527 } 528 529 BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) { 530 // This call should never be allowed. But our policy will intercept it and 531 // let it pass successfully. 532 BPF_ASSERT(!prctl(PR_CAPBSET_DROP, -1, (void *)NULL, (void *)NULL, 533 (void *)NULL)); 534 535 // Verify that the call will fail, if it makes it all the way to the kernel. 536 BPF_ASSERT(prctl(PR_CAPBSET_DROP, -2, (void *)NULL, (void *)NULL, 537 (void *)NULL) == -1); 538 539 // And verify that other uses of prctl() work just fine. 540 char name[17] = { }; 541 BPF_ASSERT(!syscall(__NR_prctl, PR_GET_NAME, name, (void *)NULL, 542 (void *)NULL, (void *)NULL)); 543 BPF_ASSERT(*name); 544 545 // Finally, verify that system calls other than prctl() are completely 546 // unaffected by our policy. 547 struct utsname uts = { }; 548 BPF_ASSERT(!uname(&uts)); 549 BPF_ASSERT(!strcmp(uts.sysname, "Linux")); 550 } 551 552 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void *) { 553 return Sandbox::ForwardSyscall(args); 554 } 555 556 ErrorCode RedirectAllSyscallsPolicy(Sandbox *sandbox, int sysno, void *aux) { 557 setenv(kSandboxDebuggingEnv, "t", 0); 558 Die::SuppressInfoMessages(true); 559 560 // Some system calls must always be allowed, if our policy wants to make 561 // use of UnsafeTrap() 562 if (sysno == __NR_rt_sigprocmask || 563 sysno == __NR_rt_sigreturn 564 #if defined(__NR_sigprocmask) 565 || sysno == __NR_sigprocmask 566 #endif 567 #if defined(__NR_sigreturn) 568 || sysno == __NR_sigreturn 569 #endif 570 ) { 571 return ErrorCode(ErrorCode::ERR_ALLOWED); 572 } else if (Sandbox::IsValidSyscallNumber(sysno)) { 573 return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux); 574 } else { 575 return ErrorCode(ENOSYS); 576 } 577 } 578 579 int bus_handler_fd_ = -1; 580 581 void SigBusHandler(int, siginfo_t *info, void *void_context) { 582 BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1); 583 } 584 585 BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) { 586 // We use the SIGBUS bit in the signal mask as a thread-local boolean 587 // value in the implementation of UnsafeTrap(). This is obviously a bit 588 // of a hack that could conceivably interfere with code that uses SIGBUS 589 // in more traditional ways. This test verifies that basic functionality 590 // of SIGBUS is not impacted, but it is certainly possibly to construe 591 // more complex uses of signals where our use of the SIGBUS mask is not 592 // 100% transparent. This is expected behavior. 593 int fds[2]; 594 BPF_ASSERT(pipe(fds) == 0); 595 bus_handler_fd_ = fds[1]; 596 struct sigaction sa = { }; 597 sa.sa_sigaction = SigBusHandler; 598 sa.sa_flags = SA_SIGINFO; 599 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0); 600 raise(SIGBUS); 601 char c = '\000'; 602 BPF_ASSERT(read(fds[0], &c, 1) == 1); 603 BPF_ASSERT(close(fds[0]) == 0); 604 BPF_ASSERT(close(fds[1]) == 0); 605 BPF_ASSERT(c == 0x55); 606 } 607 608 BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { 609 // Signal masks are potentially tricky to handle. For instance, if we 610 // ever tried to update them from inside a Trap() or UnsafeTrap() handler, 611 // the call to sigreturn() at the end of the signal handler would undo 612 // all of our efforts. So, it makes sense to test that sigprocmask() 613 // works, even if we have a policy in place that makes use of UnsafeTrap(). 614 // In practice, this works because we force sigprocmask() to be handled 615 // entirely in the kernel. 616 sigset_t mask0, mask1, mask2; 617 618 // Call sigprocmask() to verify that SIGUSR2 wasn't blocked, if we didn't 619 // change the mask (it shouldn't have been, as it isn't blocked by default 620 // in POSIX). 621 // 622 // Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose. 623 sigemptyset(&mask0); 624 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1)); 625 BPF_ASSERT(!sigismember(&mask1, SIGUSR2)); 626 627 // Try again, and this time we verify that we can block it. This 628 // requires a second call to sigprocmask(). 629 sigaddset(&mask0, SIGUSR2); 630 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL)); 631 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2)); 632 BPF_ASSERT( sigismember(&mask2, SIGUSR2)); 633 } 634 635 BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { 636 // An UnsafeTrap() (or for that matter, a Trap()) has to report error 637 // conditions by returning an exit code in the range -1..-4096. This 638 // should happen automatically if using ForwardSyscall(). If the TrapFnc() 639 // uses some other method to make system calls, then it is responsible 640 // for computing the correct return code. 641 // This test verifies that ForwardSyscall() does the correct thing. 642 643 // The glibc system wrapper will ultimately set errno for us. So, from normal 644 // userspace, all of this should be completely transparent. 645 errno = 0; 646 BPF_ASSERT(close(-1) == -1); 647 BPF_ASSERT(errno == EBADF); 648 649 // Explicitly avoid the glibc wrapper. This is not normally the way anybody 650 // would make system calls, but it allows us to verify that we don't 651 // accidentally mess with errno, when we shouldn't. 652 errno = 0; 653 struct arch_seccomp_data args = { }; 654 args.nr = __NR_close; 655 args.args[0] = -1; 656 BPF_ASSERT(Sandbox::ForwardSyscall(args) == -EBADF); 657 BPF_ASSERT(errno == 0); 658 } 659 660 // Test a trap handler that makes use of a broker process to open(). 661 662 class InitializedOpenBroker { 663 public: 664 InitializedOpenBroker() : initialized_(false) { 665 std::vector<std::string> allowed_files; 666 allowed_files.push_back("/proc/allowed"); 667 allowed_files.push_back("/proc/cpuinfo"); 668 669 broker_process_.reset(new BrokerProcess(allowed_files, 670 std::vector<std::string>())); 671 BPF_ASSERT(broker_process() != NULL); 672 BPF_ASSERT(broker_process_->Init(NULL)); 673 674 initialized_ = true; 675 } 676 bool initialized() { return initialized_; } 677 class BrokerProcess* broker_process() { return broker_process_.get(); } 678 private: 679 bool initialized_; 680 scoped_ptr<class BrokerProcess> broker_process_; 681 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker); 682 }; 683 684 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args, 685 void *aux) { 686 BPF_ASSERT(aux); 687 BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux); 688 switch(args.nr) { 689 case __NR_access: 690 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]), 691 static_cast<int>(args.args[1])); 692 case __NR_open: 693 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]), 694 static_cast<int>(args.args[1])); 695 case __NR_openat: 696 // We only call open() so if we arrive here, it's because glibc uses 697 // the openat() system call. 698 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD); 699 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]), 700 static_cast<int>(args.args[2])); 701 default: 702 BPF_ASSERT(false); 703 return -ENOSYS; 704 } 705 } 706 707 ErrorCode DenyOpenPolicy(Sandbox *sandbox, int sysno, void *aux) { 708 InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux); 709 if (!Sandbox::IsValidSyscallNumber(sysno)) { 710 return ErrorCode(ENOSYS); 711 } 712 713 switch (sysno) { 714 case __NR_access: 715 case __NR_open: 716 case __NR_openat: 717 // We get a InitializedOpenBroker class, but our trap handler wants 718 // the BrokerProcess object. 719 return ErrorCode(sandbox->Trap(BrokerOpenTrapHandler, 720 iob->broker_process())); 721 default: 722 return ErrorCode(ErrorCode::ERR_ALLOWED); 723 } 724 } 725 726 // We use a InitializedOpenBroker class, so that we can run unsandboxed 727 // code in its constructor, which is the only way to do so in a BPF_TEST. 728 BPF_TEST(SandboxBpf, UseOpenBroker, DenyOpenPolicy, 729 InitializedOpenBroker /* BPF_AUX */) { 730 BPF_ASSERT(BPF_AUX.initialized()); 731 BrokerProcess* broker_process = BPF_AUX.broker_process(); 732 BPF_ASSERT(broker_process != NULL); 733 734 // First, use the broker "manually" 735 BPF_ASSERT(broker_process->Open("/proc/denied", O_RDONLY) == -EPERM); 736 BPF_ASSERT(broker_process->Access("/proc/denied", R_OK) == -EPERM); 737 BPF_ASSERT(broker_process->Open("/proc/allowed", O_RDONLY) == -ENOENT); 738 BPF_ASSERT(broker_process->Access("/proc/allowed", R_OK) == -ENOENT); 739 740 // Now use glibc's open() as an external library would. 741 BPF_ASSERT(open("/proc/denied", O_RDONLY) == -1); 742 BPF_ASSERT(errno == EPERM); 743 744 BPF_ASSERT(open("/proc/allowed", O_RDONLY) == -1); 745 BPF_ASSERT(errno == ENOENT); 746 747 // Also test glibc's openat(), some versions of libc use it transparently 748 // instead of open(). 749 BPF_ASSERT(openat(AT_FDCWD, "/proc/denied", O_RDONLY) == -1); 750 BPF_ASSERT(errno == EPERM); 751 752 BPF_ASSERT(openat(AT_FDCWD, "/proc/allowed", O_RDONLY) == -1); 753 BPF_ASSERT(errno == ENOENT); 754 755 // And test glibc's access(). 756 BPF_ASSERT(access("/proc/denied", R_OK) == -1); 757 BPF_ASSERT(errno == EPERM); 758 759 BPF_ASSERT(access("/proc/allowed", R_OK) == -1); 760 BPF_ASSERT(errno == ENOENT); 761 762 // This is also white listed and does exist. 763 int cpu_info_access = access("/proc/cpuinfo", R_OK); 764 BPF_ASSERT(cpu_info_access == 0); 765 int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY); 766 BPF_ASSERT(cpu_info_fd >= 0); 767 char buf[1024]; 768 BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0); 769 } 770 771 // Simple test demonstrating how to use Sandbox::Cond() 772 773 ErrorCode SimpleCondTestPolicy(Sandbox *sandbox, int sysno, void *) { 774 if (!Sandbox::IsValidSyscallNumber(sysno)) { 775 // FIXME: we should really not have to do that in a trivial policy 776 return ErrorCode(ENOSYS); 777 } 778 779 // We deliberately return unusual errno values upon failure, so that we 780 // can uniquely test for these values. In a "real" policy, you would want 781 // to return more traditional values. 782 switch (sysno) { 783 case __NR_open: 784 // Allow opening files for reading, but don't allow writing. 785 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits); 786 return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 787 O_ACCMODE /* 0x3 */, 788 ErrorCode(EROFS), 789 ErrorCode(ErrorCode::ERR_ALLOWED)); 790 case __NR_prctl: 791 // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but 792 // disallow everything else. 793 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 794 PR_SET_DUMPABLE, 795 ErrorCode(ErrorCode::ERR_ALLOWED), 796 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 797 PR_GET_DUMPABLE, 798 ErrorCode(ErrorCode::ERR_ALLOWED), 799 ErrorCode(ENOMEM))); 800 default: 801 return ErrorCode(ErrorCode::ERR_ALLOWED); 802 } 803 } 804 805 BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) { 806 int fd; 807 BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1); 808 BPF_ASSERT(errno == EROFS); 809 BPF_ASSERT((fd = open("/proc/self/comm", O_RDONLY)) >= 0); 810 close(fd); 811 812 int ret; 813 BPF_ASSERT((ret = prctl(PR_GET_DUMPABLE)) >= 0); 814 BPF_ASSERT(prctl(PR_SET_DUMPABLE, 1-ret) == 0); 815 BPF_ASSERT(prctl(PR_GET_ENDIAN, &ret) == -1); 816 BPF_ASSERT(errno == ENOMEM); 817 } 818 819 // This test exercises the Sandbox::Cond() method by building a complex 820 // tree of conditional equality operations. It then makes system calls and 821 // verifies that they return the values that we expected from our BPF 822 // program. 823 class EqualityStressTest { 824 public: 825 EqualityStressTest() { 826 // We want a deterministic test 827 srand(0); 828 829 // Iterates over system call numbers and builds a random tree of 830 // equality tests. 831 // We are actually constructing a graph of ArgValue objects. This 832 // graph will later be used to a) compute our sandbox policy, and 833 // b) drive the code that verifies the output from the BPF program. 834 COMPILE_ASSERT(kNumTestCases < (int)(MAX_PUBLIC_SYSCALL-MIN_SYSCALL-10), 835 num_test_cases_must_be_significantly_smaller_than_num_system_calls); 836 for (int sysno = MIN_SYSCALL, end = kNumTestCases; sysno < end; ++sysno) { 837 if (IsReservedSyscall(sysno)) { 838 // Skip reserved system calls. This ensures that our test frame 839 // work isn't impacted by the fact that we are overriding 840 // a lot of different system calls. 841 ++end; 842 arg_values_.push_back(NULL); 843 } else { 844 arg_values_.push_back(RandomArgValue(rand() % kMaxArgs, 0, 845 rand() % kMaxArgs)); 846 } 847 } 848 } 849 850 ~EqualityStressTest() { 851 for (std::vector<ArgValue *>::iterator iter = arg_values_.begin(); 852 iter != arg_values_.end(); 853 ++iter) { 854 DeleteArgValue(*iter); 855 } 856 } 857 858 ErrorCode Policy(Sandbox *sandbox, int sysno) { 859 if (!Sandbox::IsValidSyscallNumber(sysno)) { 860 // FIXME: we should really not have to do that in a trivial policy 861 return ErrorCode(ENOSYS); 862 } else if (sysno < 0 || sysno >= (int)arg_values_.size() || 863 IsReservedSyscall(sysno)) { 864 // We only return ErrorCode values for the system calls that 865 // are part of our test data. Every other system call remains 866 // allowed. 867 return ErrorCode(ErrorCode::ERR_ALLOWED); 868 } else { 869 // ToErrorCode() turns an ArgValue object into an ErrorCode that is 870 // suitable for use by a sandbox policy. 871 return ToErrorCode(sandbox, arg_values_[sysno]); 872 } 873 } 874 875 void VerifyFilter() { 876 // Iterate over all system calls. Skip the system calls that have 877 // previously been determined as being reserved. 878 for (int sysno = 0; sysno < (int)arg_values_.size(); ++sysno) { 879 if (!arg_values_[sysno]) { 880 // Skip reserved system calls. 881 continue; 882 } 883 // Verify that system calls return the values that we expect them to 884 // return. This involves passing different combinations of system call 885 // parameters in order to exercise all possible code paths through the 886 // BPF filter program. 887 // We arbitrarily start by setting all six system call arguments to 888 // zero. And we then recursive traverse our tree of ArgValues to 889 // determine the necessary combinations of parameters. 890 intptr_t args[6] = { }; 891 Verify(sysno, args, *arg_values_[sysno]); 892 } 893 } 894 895 private: 896 struct ArgValue { 897 int argno; // Argument number to inspect. 898 int size; // Number of test cases (must be > 0). 899 struct Tests { 900 uint32_t k_value; // Value to compare syscall arg against. 901 int err; // If non-zero, errno value to return. 902 struct ArgValue *arg_value; // Otherwise, more args needs inspecting. 903 } *tests; 904 int err; // If none of the tests passed, this is what 905 struct ArgValue *arg_value; // we'll return (this is the "else" branch). 906 }; 907 908 bool IsReservedSyscall(int sysno) { 909 // There are a handful of system calls that we should never use in our 910 // test cases. These system calls are needed to allow the test framework 911 // to run properly. 912 // If we wanted to write fully generic code, there are more system calls 913 // that could be listed here, and it is quite difficult to come up with a 914 // truly comprehensive list. After all, we are deliberately making system 915 // calls unavailable. In practice, we have a pretty good idea of the system 916 // calls that will be made by this particular test. So, this small list is 917 // sufficient. But if anybody copy'n'pasted this code for other uses, they 918 // would have to review that the list. 919 return sysno == __NR_read || 920 sysno == __NR_write || 921 sysno == __NR_exit || 922 sysno == __NR_exit_group || 923 sysno == __NR_restart_syscall; 924 } 925 926 ArgValue *RandomArgValue(int argno, int args_mask, int remaining_args) { 927 // Create a new ArgValue and fill it with random data. We use as bit mask 928 // to keep track of the system call parameters that have previously been 929 // set; this ensures that we won't accidentally define a contradictory 930 // set of equality tests. 931 struct ArgValue *arg_value = new ArgValue(); 932 args_mask |= 1 << argno; 933 arg_value->argno = argno; 934 935 // Apply some restrictions on just how complex our tests can be. 936 // Otherwise, we end up with a BPF program that is too complicated for 937 // the kernel to load. 938 int fan_out = kMaxFanOut; 939 if (remaining_args > 3) { 940 fan_out = 1; 941 } else if (remaining_args > 2) { 942 fan_out = 2; 943 } 944 945 // Create a couple of different test cases with randomized values that 946 // we want to use when comparing system call parameter number "argno". 947 arg_value->size = rand() % fan_out + 1; 948 arg_value->tests = new ArgValue::Tests[arg_value->size]; 949 950 uint32_t k_value = rand(); 951 for (int n = 0; n < arg_value->size; ++n) { 952 // Ensure that we have unique values 953 k_value += rand() % (RAND_MAX/(kMaxFanOut+1)) + 1; 954 955 // There are two possible types of nodes. Either this is a leaf node; 956 // in that case, we have completed all the equality tests that we 957 // wanted to perform, and we can now compute a random "errno" value that 958 // we should return. Or this is part of a more complex boolean 959 // expression; in that case, we have to recursively add tests for some 960 // of system call parameters that we have not yet included in our 961 // tests. 962 arg_value->tests[n].k_value = k_value; 963 if (!remaining_args || (rand() & 1)) { 964 arg_value->tests[n].err = (rand() % 1000) + 1; 965 arg_value->tests[n].arg_value = NULL; 966 } else { 967 arg_value->tests[n].err = 0; 968 arg_value->tests[n].arg_value = 969 RandomArgValue(RandomArg(args_mask), args_mask, remaining_args - 1); 970 } 971 } 972 // Finally, we have to define what we should return if none of the 973 // previous equality tests pass. Again, we can either deal with a leaf 974 // node, or we can randomly add another couple of tests. 975 if (!remaining_args || (rand() & 1)) { 976 arg_value->err = (rand() % 1000) + 1; 977 arg_value->arg_value = NULL; 978 } else { 979 arg_value->err = 0; 980 arg_value->arg_value = 981 RandomArgValue(RandomArg(args_mask), args_mask, remaining_args - 1); 982 } 983 // We have now built a new (sub-)tree of ArgValues defining a set of 984 // boolean expressions for testing random system call arguments against 985 // random values. Return this tree to our caller. 986 return arg_value; 987 } 988 989 int RandomArg(int args_mask) { 990 // Compute a random system call parameter number. 991 int argno = rand() % kMaxArgs; 992 993 // Make sure that this same parameter number has not previously been 994 // used. Otherwise, we could end up with a test that is impossible to 995 // satisfy (e.g. args[0] == 1 && args[0] == 2). 996 while (args_mask & (1 << argno)) { 997 argno = (argno + 1) % kMaxArgs; 998 } 999 return argno; 1000 } 1001 1002 void DeleteArgValue(ArgValue *arg_value) { 1003 // Delete an ArgValue and all of its child nodes. This requires 1004 // recursively descending into the tree. 1005 if (arg_value) { 1006 if (arg_value->size) { 1007 for (int n = 0; n < arg_value->size; ++n) { 1008 if (!arg_value->tests[n].err) { 1009 DeleteArgValue(arg_value->tests[n].arg_value); 1010 } 1011 } 1012 delete[] arg_value->tests; 1013 } 1014 if (!arg_value->err) { 1015 DeleteArgValue(arg_value->arg_value); 1016 } 1017 delete arg_value; 1018 } 1019 } 1020 1021 ErrorCode ToErrorCode(Sandbox *sandbox, ArgValue *arg_value) { 1022 // Compute the ErrorCode that should be returned, if none of our 1023 // tests succeed (i.e. the system call parameter doesn't match any 1024 // of the values in arg_value->tests[].k_value). 1025 ErrorCode err; 1026 if (arg_value->err) { 1027 // If this was a leaf node, return the errno value that we expect to 1028 // return from the BPF filter program. 1029 err = ErrorCode(arg_value->err); 1030 } else { 1031 // If this wasn't a leaf node yet, recursively descend into the rest 1032 // of the tree. This will end up adding a few more Sandbox::Cond() 1033 // tests to our ErrorCode. 1034 err = ToErrorCode(sandbox, arg_value->arg_value); 1035 } 1036 1037 // Now, iterate over all the test cases that we want to compare against. 1038 // This builds a chain of Sandbox::Cond() tests 1039 // (aka "if ... elif ... elif ... elif ... fi") 1040 for (int n = arg_value->size; n-- > 0; ) { 1041 ErrorCode matched; 1042 // Again, we distinguish between leaf nodes and subtrees. 1043 if (arg_value->tests[n].err) { 1044 matched = ErrorCode(arg_value->tests[n].err); 1045 } else { 1046 matched = ToErrorCode(sandbox, arg_value->tests[n].arg_value); 1047 } 1048 // For now, all of our tests are limited to 32bit. 1049 // We have separate tests that check the behavior of 32bit vs. 64bit 1050 // conditional expressions. 1051 err = sandbox->Cond(arg_value->argno, ErrorCode::TP_32BIT, 1052 ErrorCode::OP_EQUAL, arg_value->tests[n].k_value, 1053 matched, err); 1054 } 1055 return err; 1056 } 1057 1058 void Verify(int sysno, intptr_t *args, const ArgValue& arg_value) { 1059 uint32_t mismatched = 0; 1060 // Iterate over all the k_values in arg_value.tests[] and verify that 1061 // we see the expected return values from system calls, when we pass 1062 // the k_value as a parameter in a system call. 1063 for (int n = arg_value.size; n-- > 0; ) { 1064 mismatched += arg_value.tests[n].k_value; 1065 args[arg_value.argno] = arg_value.tests[n].k_value; 1066 if (arg_value.tests[n].err) { 1067 VerifyErrno(sysno, args, arg_value.tests[n].err); 1068 } else { 1069 Verify(sysno, args, *arg_value.tests[n].arg_value); 1070 } 1071 } 1072 // Find a k_value that doesn't match any of the k_values in 1073 // arg_value.tests[]. In most cases, the current value of "mismatched" 1074 // would fit this requirement. But on the off-chance that it happens 1075 // to collide, we double-check. 1076 try_again: 1077 for (int n = arg_value.size; n-- > 0; ) { 1078 if (mismatched == arg_value.tests[n].k_value) { 1079 ++mismatched; 1080 goto try_again; 1081 } 1082 } 1083 // Now verify that we see the expected return value from system calls, 1084 // if we pass a value that doesn't match any of the conditions (i.e. this 1085 // is testing the "else" clause of the conditions). 1086 args[arg_value.argno] = mismatched; 1087 if (arg_value.err) { 1088 VerifyErrno(sysno, args, arg_value.err); 1089 } else { 1090 Verify(sysno, args, *arg_value.arg_value); 1091 } 1092 // Reset args[arg_value.argno]. This is not technically needed, but it 1093 // makes it easier to reason about the correctness of our tests. 1094 args[arg_value.argno] = 0; 1095 } 1096 1097 void VerifyErrno(int sysno, intptr_t *args, int err) { 1098 // We installed BPF filters that return different errno values 1099 // based on the system call number and the parameters that we decided 1100 // to pass in. Verify that this condition holds true. 1101 BPF_ASSERT(SandboxSyscall(sysno, 1102 args[0], args[1], args[2], 1103 args[3], args[4], args[5]) == -err); 1104 } 1105 1106 // Vector of ArgValue trees. These trees define all the possible boolean 1107 // expressions that we want to turn into a BPF filter program. 1108 std::vector<ArgValue *> arg_values_; 1109 1110 // Don't increase these values. We are pushing the limits of the maximum 1111 // BPF program that the kernel will allow us to load. If the values are 1112 // increased too much, the test will start failing. 1113 static const int kNumIterations = 3; 1114 static const int kNumTestCases = 40; 1115 static const int kMaxFanOut = 3; 1116 static const int kMaxArgs = 6; 1117 }; 1118 1119 ErrorCode EqualityStressTestPolicy(Sandbox *sandbox, int sysno, void *aux) { 1120 return reinterpret_cast<EqualityStressTest *>(aux)->Policy(sandbox, sysno); 1121 } 1122 1123 BPF_TEST(SandboxBpf, EqualityTests, EqualityStressTestPolicy, 1124 EqualityStressTest /* BPF_AUX */) { 1125 BPF_AUX.VerifyFilter(); 1126 } 1127 1128 ErrorCode EqualityArgumentWidthPolicy(Sandbox *sandbox, int sysno, void *) { 1129 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1130 // FIXME: we should really not have to do that in a trivial policy 1131 return ErrorCode(ENOSYS); 1132 } else if (sysno == __NR_uname) { 1133 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 1134 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1135 0x55555555, ErrorCode(1), ErrorCode(2)), 1136 // The BPF compiler and the BPF interpreter in the kernel are 1137 // (mostly) agnostic of the host platform's word size. The compiler 1138 // will happily generate code that tests a 64bit value, and the 1139 // interpreter will happily perform this test. 1140 // But unless there is a kernel bug, there is no way for us to pass 1141 // in a 64bit quantity on a 32bit platform. The upper 32bits should 1142 // always be zero. So, this test should always evaluate as false on 1143 // 32bit systems. 1144 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_EQUAL, 1145 0x55555555AAAAAAAAULL, ErrorCode(1), ErrorCode(2))); 1146 } else { 1147 return ErrorCode(ErrorCode::ERR_ALLOWED); 1148 } 1149 } 1150 1151 BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { 1152 BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0x55555555) == -1); 1153 BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0xAAAAAAAA) == -2); 1154 #if __SIZEOF_POINTER__ > 4 1155 // On 32bit machines, there is no way to pass a 64bit argument through the 1156 // syscall interface. So, we have to skip the part of the test that requires 1157 // 64bit arguments. 1158 BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x55555555AAAAAAAAULL) == -1); 1159 BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x5555555500000000ULL) == -2); 1160 BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x5555555511111111ULL) == -2); 1161 BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x11111111AAAAAAAAULL) == -2); 1162 #else 1163 BPF_ASSERT(SandboxSyscall(__NR_uname, 1, 0x55555555) == -2); 1164 #endif 1165 } 1166 1167 #if __SIZEOF_POINTER__ > 4 1168 // On 32bit machines, there is no way to pass a 64bit argument through the 1169 // syscall interface. So, we have to skip the part of the test that requires 1170 // 64bit arguments. 1171 BPF_DEATH_TEST(SandboxBpf, EqualityArgumentUnallowed64bit, 1172 DEATH_MESSAGE("Unexpected 64bit argument detected"), 1173 EqualityArgumentWidthPolicy) { 1174 SandboxSyscall(__NR_uname, 0, 0x5555555555555555ULL); 1175 } 1176 #endif 1177 1178 ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox *sandbox, int sysno, 1179 void *) { 1180 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1181 // FIXME: we should really not have to do that in a trivial policy 1182 return ErrorCode(ENOSYS); 1183 } else if (sysno == __NR_uname) { 1184 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1185 0xFFFFFFFF, ErrorCode(1), ErrorCode(2)); 1186 } else { 1187 return ErrorCode(ErrorCode::ERR_ALLOWED); 1188 } 1189 } 1190 1191 BPF_TEST(SandboxBpf, EqualityWithNegativeArguments, 1192 EqualityWithNegativeArgumentsPolicy) { 1193 BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF) == -1); 1194 BPF_ASSERT(SandboxSyscall(__NR_uname, -1) == -1); 1195 BPF_ASSERT(SandboxSyscall(__NR_uname, -1LL) == -1); 1196 } 1197 1198 #if __SIZEOF_POINTER__ > 4 1199 BPF_DEATH_TEST(SandboxBpf, EqualityWithNegative64bitArguments, 1200 DEATH_MESSAGE("Unexpected 64bit argument detected"), 1201 EqualityWithNegativeArgumentsPolicy) { 1202 // When expecting a 32bit system call argument, we look at the MSB of the 1203 // 64bit value and allow both "0" and "-1". But the latter is allowed only 1204 // iff the LSB was negative. So, this death test should error out. 1205 BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1); 1206 } 1207 #endif 1208 1209 ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) { 1210 // Test the OP_HAS_ALL_BITS conditional test operator with a couple of 1211 // different bitmasks. We try to find bitmasks that could conceivably 1212 // touch corner cases. 1213 // For all of these tests, we override the uname(). We can make use with 1214 // a single system call number, as we use the first system call argument to 1215 // select the different bit masks that we want to test against. 1216 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1217 // FIXME: we should really not have to do that in a trivial policy 1218 return ErrorCode(ENOSYS); 1219 } else if (sysno == __NR_uname) { 1220 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 1221 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1222 0x0, 1223 ErrorCode(1), ErrorCode(0)), 1224 1225 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1, 1226 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1227 0x1, 1228 ErrorCode(1), ErrorCode(0)), 1229 1230 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2, 1231 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1232 0x3, 1233 ErrorCode(1), ErrorCode(0)), 1234 1235 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3, 1236 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1237 0x80000000, 1238 ErrorCode(1), ErrorCode(0)), 1239 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4, 1240 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1241 0x0, 1242 ErrorCode(1), ErrorCode(0)), 1243 1244 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5, 1245 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1246 0x1, 1247 ErrorCode(1), ErrorCode(0)), 1248 1249 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6, 1250 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1251 0x3, 1252 ErrorCode(1), ErrorCode(0)), 1253 1254 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7, 1255 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1256 0x80000000, 1257 ErrorCode(1), ErrorCode(0)), 1258 1259 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8, 1260 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1261 0x100000000ULL, 1262 ErrorCode(1), ErrorCode(0)), 1263 1264 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9, 1265 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1266 0x300000000ULL, 1267 ErrorCode(1), ErrorCode(0)), 1268 1269 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10, 1270 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1271 0x100000001ULL, 1272 ErrorCode(1), ErrorCode(0)), 1273 1274 sandbox->Kill("Invalid test case number")))))))))))); 1275 } else { 1276 return ErrorCode(ErrorCode::ERR_ALLOWED); 1277 } 1278 } 1279 1280 // Define a macro that performs tests using our test policy. 1281 // NOTE: Not all of the arguments in this macro are actually used! 1282 // They are here just to serve as documentation of the conditions 1283 // implemented in the test policy. 1284 // Most notably, "op" and "mask" are unused by the macro. If you want 1285 // to make changes to these values, you will have to edit the 1286 // test policy instead. 1287 #define BITMASK_TEST(testcase, arg, op, mask, expected_value) \ 1288 BPF_ASSERT(SandboxSyscall(__NR_uname, (testcase), (arg)) == (expected_value)) 1289 1290 // Our uname() system call returns ErrorCode(1) for success and 1291 // ErrorCode(0) for failure. SandboxSyscall() turns this into an 1292 // exit code of -1 or 0. 1293 #define EXPECT_FAILURE 0 1294 #define EXPECT_SUCCESS -1 1295 1296 // A couple of our tests behave differently on 32bit and 64bit systems, as 1297 // there is no way for a 32bit system call to pass in a 64bit system call 1298 // argument "arg". 1299 // We expect these tests to succeed on 64bit systems, but to tail on 32bit 1300 // systems. 1301 #define EXPT64_SUCCESS \ 1302 (sizeof(void *) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE) 1303 1304 BPF_TEST(SandboxBpf, AllBitTests, AllBitTestPolicy) { 1305 // 32bit test: all of 0x0 (should always be true) 1306 BITMASK_TEST( 0, 0, ALLBITS32, 0, EXPECT_SUCCESS); 1307 BITMASK_TEST( 0, 1, ALLBITS32, 0, EXPECT_SUCCESS); 1308 BITMASK_TEST( 0, 3, ALLBITS32, 0, EXPECT_SUCCESS); 1309 BITMASK_TEST( 0, 0xFFFFFFFFU, ALLBITS32, 0, EXPECT_SUCCESS); 1310 BITMASK_TEST( 0, -1LL, ALLBITS32, 0, EXPECT_SUCCESS); 1311 1312 // 32bit test: all of 0x1 1313 BITMASK_TEST( 1, 0, ALLBITS32, 0x1, EXPECT_FAILURE); 1314 BITMASK_TEST( 1, 1, ALLBITS32, 0x1, EXPECT_SUCCESS); 1315 BITMASK_TEST( 1, 2, ALLBITS32, 0x1, EXPECT_FAILURE); 1316 BITMASK_TEST( 1, 3, ALLBITS32, 0x1, EXPECT_SUCCESS); 1317 1318 // 32bit test: all of 0x3 1319 BITMASK_TEST( 2, 0, ALLBITS32, 0x3, EXPECT_FAILURE); 1320 BITMASK_TEST( 2, 1, ALLBITS32, 0x3, EXPECT_FAILURE); 1321 BITMASK_TEST( 2, 2, ALLBITS32, 0x3, EXPECT_FAILURE); 1322 BITMASK_TEST( 2, 3, ALLBITS32, 0x3, EXPECT_SUCCESS); 1323 BITMASK_TEST( 2, 7, ALLBITS32, 0x3, EXPECT_SUCCESS); 1324 1325 // 32bit test: all of 0x80000000 1326 BITMASK_TEST( 3, 0, ALLBITS32, 0x80000000, EXPECT_FAILURE); 1327 BITMASK_TEST( 3, 0x40000000U, ALLBITS32, 0x80000000, EXPECT_FAILURE); 1328 BITMASK_TEST( 3, 0x80000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS); 1329 BITMASK_TEST( 3, 0xC0000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS); 1330 BITMASK_TEST( 3, -0x80000000LL, ALLBITS32, 0x80000000, EXPECT_SUCCESS); 1331 1332 // 64bit test: all of 0x0 (should always be true) 1333 BITMASK_TEST( 4, 0, ALLBITS64, 0, EXPECT_SUCCESS); 1334 BITMASK_TEST( 4, 1, ALLBITS64, 0, EXPECT_SUCCESS); 1335 BITMASK_TEST( 4, 3, ALLBITS64, 0, EXPECT_SUCCESS); 1336 BITMASK_TEST( 4, 0xFFFFFFFFU, ALLBITS64, 0, EXPECT_SUCCESS); 1337 BITMASK_TEST( 4, 0x100000000LL, ALLBITS64, 0, EXPECT_SUCCESS); 1338 BITMASK_TEST( 4, 0x300000000LL, ALLBITS64, 0, EXPECT_SUCCESS); 1339 BITMASK_TEST( 4,0x8000000000000000LL, ALLBITS64, 0, EXPECT_SUCCESS); 1340 BITMASK_TEST( 4, -1LL, ALLBITS64, 0, EXPECT_SUCCESS); 1341 1342 // 64bit test: all of 0x1 1343 BITMASK_TEST( 5, 0, ALLBITS64, 1, EXPECT_FAILURE); 1344 BITMASK_TEST( 5, 1, ALLBITS64, 1, EXPECT_SUCCESS); 1345 BITMASK_TEST( 5, 2, ALLBITS64, 1, EXPECT_FAILURE); 1346 BITMASK_TEST( 5, 3, ALLBITS64, 1, EXPECT_SUCCESS); 1347 BITMASK_TEST( 5, 0x100000000LL, ALLBITS64, 1, EXPECT_FAILURE); 1348 BITMASK_TEST( 5, 0x100000001LL, ALLBITS64, 1, EXPECT_SUCCESS); 1349 BITMASK_TEST( 5, 0x100000002LL, ALLBITS64, 1, EXPECT_FAILURE); 1350 BITMASK_TEST( 5, 0x100000003LL, ALLBITS64, 1, EXPECT_SUCCESS); 1351 1352 // 64bit test: all of 0x3 1353 BITMASK_TEST( 6, 0, ALLBITS64, 3, EXPECT_FAILURE); 1354 BITMASK_TEST( 6, 1, ALLBITS64, 3, EXPECT_FAILURE); 1355 BITMASK_TEST( 6, 2, ALLBITS64, 3, EXPECT_FAILURE); 1356 BITMASK_TEST( 6, 3, ALLBITS64, 3, EXPECT_SUCCESS); 1357 BITMASK_TEST( 6, 7, ALLBITS64, 3, EXPECT_SUCCESS); 1358 BITMASK_TEST( 6, 0x100000000LL, ALLBITS64, 3, EXPECT_FAILURE); 1359 BITMASK_TEST( 6, 0x100000001LL, ALLBITS64, 3, EXPECT_FAILURE); 1360 BITMASK_TEST( 6, 0x100000002LL, ALLBITS64, 3, EXPECT_FAILURE); 1361 BITMASK_TEST( 6, 0x100000003LL, ALLBITS64, 3, EXPECT_SUCCESS); 1362 BITMASK_TEST( 6, 0x100000007LL, ALLBITS64, 3, EXPECT_SUCCESS); 1363 1364 // 64bit test: all of 0x80000000 1365 BITMASK_TEST( 7, 0, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1366 BITMASK_TEST( 7, 0x40000000U, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1367 BITMASK_TEST( 7, 0x80000000U, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1368 BITMASK_TEST( 7, 0xC0000000U, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1369 BITMASK_TEST( 7, -0x80000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1370 BITMASK_TEST( 7, 0x100000000LL, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1371 BITMASK_TEST( 7, 0x140000000LL, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1372 BITMASK_TEST( 7, 0x180000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1373 BITMASK_TEST( 7, 0x1C0000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1374 BITMASK_TEST( 7, -0x180000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1375 1376 // 64bit test: all of 0x100000000 1377 BITMASK_TEST( 8, 0x000000000LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1378 BITMASK_TEST( 8, 0x100000000LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1379 BITMASK_TEST( 8, 0x200000000LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1380 BITMASK_TEST( 8, 0x300000000LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1381 BITMASK_TEST( 8, 0x000000001LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1382 BITMASK_TEST( 8, 0x100000001LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1383 BITMASK_TEST( 8, 0x200000001LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1384 BITMASK_TEST( 8, 0x300000001LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1385 1386 // 64bit test: all of 0x300000000 1387 BITMASK_TEST( 9, 0x000000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1388 BITMASK_TEST( 9, 0x100000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1389 BITMASK_TEST( 9, 0x200000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1390 BITMASK_TEST( 9, 0x300000000LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1391 BITMASK_TEST( 9, 0x700000000LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1392 BITMASK_TEST( 9, 0x000000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1393 BITMASK_TEST( 9, 0x100000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1394 BITMASK_TEST( 9, 0x200000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1395 BITMASK_TEST( 9, 0x300000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1396 BITMASK_TEST( 9, 0x700000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1397 1398 // 64bit test: all of 0x100000001 1399 BITMASK_TEST(10, 0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE); 1400 BITMASK_TEST(10, 0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE); 1401 BITMASK_TEST(10, 0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE); 1402 BITMASK_TEST(10, 0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS); 1403 BITMASK_TEST(10, 0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE); 1404 BITMASK_TEST(10, -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS); 1405 } 1406 1407 ErrorCode AnyBitTestPolicy(Sandbox *sandbox, int sysno, void *) { 1408 // Test the OP_HAS_ANY_BITS conditional test operator with a couple of 1409 // different bitmasks. We try to find bitmasks that could conceivably 1410 // touch corner cases. 1411 // For all of these tests, we override the uname(). We can make use with 1412 // a single system call number, as we use the first system call argument to 1413 // select the different bit masks that we want to test against. 1414 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1415 // FIXME: we should really not have to do that in a trivial policy 1416 return ErrorCode(ENOSYS); 1417 } else if (sysno == __NR_uname) { 1418 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 1419 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1420 0x0, 1421 ErrorCode(1), ErrorCode(0)), 1422 1423 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1, 1424 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1425 0x1, 1426 ErrorCode(1), ErrorCode(0)), 1427 1428 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2, 1429 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1430 0x3, 1431 ErrorCode(1), ErrorCode(0)), 1432 1433 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3, 1434 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1435 0x80000000, 1436 ErrorCode(1), ErrorCode(0)), 1437 1438 // All the following tests don't really make much sense on 32bit 1439 // systems. They will always evaluate as false. 1440 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4, 1441 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1442 0x0, 1443 ErrorCode(1), ErrorCode(0)), 1444 1445 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5, 1446 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1447 0x1, 1448 ErrorCode(1), ErrorCode(0)), 1449 1450 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6, 1451 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1452 0x3, 1453 ErrorCode(1), ErrorCode(0)), 1454 1455 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7, 1456 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1457 0x80000000, 1458 ErrorCode(1), ErrorCode(0)), 1459 1460 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8, 1461 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1462 0x100000000ULL, 1463 ErrorCode(1), ErrorCode(0)), 1464 1465 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9, 1466 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1467 0x300000000ULL, 1468 ErrorCode(1), ErrorCode(0)), 1469 1470 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10, 1471 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1472 0x100000001ULL, 1473 ErrorCode(1), ErrorCode(0)), 1474 1475 sandbox->Kill("Invalid test case number")))))))))))); 1476 } else { 1477 return ErrorCode(ErrorCode::ERR_ALLOWED); 1478 } 1479 } 1480 1481 BPF_TEST(SandboxBpf, AnyBitTests, AnyBitTestPolicy) { 1482 // 32bit test: any of 0x0 (should always be false) 1483 BITMASK_TEST( 0, 0, ANYBITS32, 0x0, EXPECT_FAILURE); 1484 BITMASK_TEST( 0, 1, ANYBITS32, 0x0, EXPECT_FAILURE); 1485 BITMASK_TEST( 0, 3, ANYBITS32, 0x0, EXPECT_FAILURE); 1486 BITMASK_TEST( 0, 0xFFFFFFFFU, ANYBITS32, 0x0, EXPECT_FAILURE); 1487 BITMASK_TEST( 0, -1LL, ANYBITS32, 0x0, EXPECT_FAILURE); 1488 1489 // 32bit test: any of 0x1 1490 BITMASK_TEST( 1, 0, ANYBITS32, 0x1, EXPECT_FAILURE); 1491 BITMASK_TEST( 1, 1, ANYBITS32, 0x1, EXPECT_SUCCESS); 1492 BITMASK_TEST( 1, 2, ANYBITS32, 0x1, EXPECT_FAILURE); 1493 BITMASK_TEST( 1, 3, ANYBITS32, 0x1, EXPECT_SUCCESS); 1494 1495 // 32bit test: any of 0x3 1496 BITMASK_TEST( 2, 0, ANYBITS32, 0x3, EXPECT_FAILURE); 1497 BITMASK_TEST( 2, 1, ANYBITS32, 0x3, EXPECT_SUCCESS); 1498 BITMASK_TEST( 2, 2, ANYBITS32, 0x3, EXPECT_SUCCESS); 1499 BITMASK_TEST( 2, 3, ANYBITS32, 0x3, EXPECT_SUCCESS); 1500 BITMASK_TEST( 2, 7, ANYBITS32, 0x3, EXPECT_SUCCESS); 1501 1502 // 32bit test: any of 0x80000000 1503 BITMASK_TEST( 3, 0, ANYBITS32, 0x80000000, EXPECT_FAILURE); 1504 BITMASK_TEST( 3, 0x40000000U, ANYBITS32, 0x80000000, EXPECT_FAILURE); 1505 BITMASK_TEST( 3, 0x80000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS); 1506 BITMASK_TEST( 3, 0xC0000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS); 1507 BITMASK_TEST( 3, -0x80000000LL, ANYBITS32, 0x80000000, EXPECT_SUCCESS); 1508 1509 // 64bit test: any of 0x0 (should always be false) 1510 BITMASK_TEST( 4, 0, ANYBITS64, 0x0, EXPECT_FAILURE); 1511 BITMASK_TEST( 4, 1, ANYBITS64, 0x0, EXPECT_FAILURE); 1512 BITMASK_TEST( 4, 3, ANYBITS64, 0x0, EXPECT_FAILURE); 1513 BITMASK_TEST( 4, 0xFFFFFFFFU, ANYBITS64, 0x0, EXPECT_FAILURE); 1514 BITMASK_TEST( 4, 0x100000000LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1515 BITMASK_TEST( 4, 0x300000000LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1516 BITMASK_TEST( 4,0x8000000000000000LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1517 BITMASK_TEST( 4, -1LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1518 1519 // 64bit test: any of 0x1 1520 BITMASK_TEST( 5, 0, ANYBITS64, 0x1, EXPECT_FAILURE); 1521 BITMASK_TEST( 5, 1, ANYBITS64, 0x1, EXPECT_SUCCESS); 1522 BITMASK_TEST( 5, 2, ANYBITS64, 0x1, EXPECT_FAILURE); 1523 BITMASK_TEST( 5, 3, ANYBITS64, 0x1, EXPECT_SUCCESS); 1524 BITMASK_TEST( 5, 0x100000001LL, ANYBITS64, 0x1, EXPECT_SUCCESS); 1525 BITMASK_TEST( 5, 0x100000000LL, ANYBITS64, 0x1, EXPECT_FAILURE); 1526 BITMASK_TEST( 5, 0x100000002LL, ANYBITS64, 0x1, EXPECT_FAILURE); 1527 BITMASK_TEST( 5, 0x100000003LL, ANYBITS64, 0x1, EXPECT_SUCCESS); 1528 1529 // 64bit test: any of 0x3 1530 BITMASK_TEST( 6, 0, ANYBITS64, 0x3, EXPECT_FAILURE); 1531 BITMASK_TEST( 6, 1, ANYBITS64, 0x3, EXPECT_SUCCESS); 1532 BITMASK_TEST( 6, 2, ANYBITS64, 0x3, EXPECT_SUCCESS); 1533 BITMASK_TEST( 6, 3, ANYBITS64, 0x3, EXPECT_SUCCESS); 1534 BITMASK_TEST( 6, 7, ANYBITS64, 0x3, EXPECT_SUCCESS); 1535 BITMASK_TEST( 6, 0x100000000LL, ANYBITS64, 0x3, EXPECT_FAILURE); 1536 BITMASK_TEST( 6, 0x100000001LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1537 BITMASK_TEST( 6, 0x100000002LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1538 BITMASK_TEST( 6, 0x100000003LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1539 BITMASK_TEST( 6, 0x100000007LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1540 1541 // 64bit test: any of 0x80000000 1542 BITMASK_TEST( 7, 0, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1543 BITMASK_TEST( 7, 0x40000000U, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1544 BITMASK_TEST( 7, 0x80000000U, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1545 BITMASK_TEST( 7, 0xC0000000U, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1546 BITMASK_TEST( 7, -0x80000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1547 BITMASK_TEST( 7, 0x100000000LL, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1548 BITMASK_TEST( 7, 0x140000000LL, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1549 BITMASK_TEST( 7, 0x180000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1550 BITMASK_TEST( 7, 0x1C0000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1551 BITMASK_TEST( 7, -0x180000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1552 1553 // 64bit test: any of 0x100000000 1554 BITMASK_TEST( 8, 0x000000000LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1555 BITMASK_TEST( 8, 0x100000000LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1556 BITMASK_TEST( 8, 0x200000000LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1557 BITMASK_TEST( 8, 0x300000000LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1558 BITMASK_TEST( 8, 0x000000001LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1559 BITMASK_TEST( 8, 0x100000001LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1560 BITMASK_TEST( 8, 0x200000001LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1561 BITMASK_TEST( 8, 0x300000001LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1562 1563 // 64bit test: any of 0x300000000 1564 BITMASK_TEST( 9, 0x000000000LL, ANYBITS64,0x300000000, EXPECT_FAILURE); 1565 BITMASK_TEST( 9, 0x100000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1566 BITMASK_TEST( 9, 0x200000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1567 BITMASK_TEST( 9, 0x300000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1568 BITMASK_TEST( 9, 0x700000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1569 BITMASK_TEST( 9, 0x000000001LL, ANYBITS64,0x300000000, EXPECT_FAILURE); 1570 BITMASK_TEST( 9, 0x100000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1571 BITMASK_TEST( 9, 0x200000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1572 BITMASK_TEST( 9, 0x300000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1573 BITMASK_TEST( 9, 0x700000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1574 1575 // 64bit test: any of 0x100000001 1576 BITMASK_TEST( 10, 0x000000000LL, ANYBITS64,0x100000001, EXPECT_FAILURE); 1577 BITMASK_TEST( 10, 0x000000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1578 BITMASK_TEST( 10, 0x100000000LL, ANYBITS64,0x100000001, EXPT64_SUCCESS); 1579 BITMASK_TEST( 10, 0x100000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1580 BITMASK_TEST( 10, 0xFFFFFFFFU, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1581 BITMASK_TEST( 10, -1L, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1582 } 1583 1584 intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void *aux) { 1585 if (args.args[0] != (CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD)) { 1586 // We expect to get called for an attempt to fork(). No need to log that 1587 // call. But if we ever get called for anything else, we want to verbosely 1588 // print as much information as possible. 1589 const char *msg = (const char *)aux; 1590 printf("Clone() was called with unexpected arguments\n" 1591 " nr: %d\n" 1592 " 1: 0x%llX\n" 1593 " 2: 0x%llX\n" 1594 " 3: 0x%llX\n" 1595 " 4: 0x%llX\n" 1596 " 5: 0x%llX\n" 1597 " 6: 0x%llX\n" 1598 "%s\n", 1599 args.nr, 1600 (long long)args.args[0], (long long)args.args[1], 1601 (long long)args.args[2], (long long)args.args[3], 1602 (long long)args.args[4], (long long)args.args[5], 1603 msg); 1604 } 1605 return -EPERM; 1606 } 1607 1608 ErrorCode PthreadPolicyEquality(Sandbox *sandbox, int sysno, void *aux) { 1609 // This policy allows creating threads with pthread_create(). But it 1610 // doesn't allow any other uses of clone(). Most notably, it does not 1611 // allow callers to implement fork() or vfork() by passing suitable flags 1612 // to the clone() system call. 1613 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1614 // FIXME: we should really not have to do that in a trivial policy 1615 return ErrorCode(ENOSYS); 1616 } else if (sysno == __NR_clone) { 1617 // We have seen two different valid combinations of flags. Glibc 1618 // uses the more modern flags, sets the TLS from the call to clone(), and 1619 // uses futexes to monitor threads. Android's C run-time library, doesn't 1620 // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED. 1621 // The following policy is very strict. It only allows the exact masks 1622 // that we have seen in known implementations. It is probably somewhat 1623 // stricter than what we would want to do. 1624 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1625 CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND| 1626 CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS| 1627 CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, 1628 ErrorCode(ErrorCode::ERR_ALLOWED), 1629 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1630 CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND| 1631 CLONE_THREAD|CLONE_SYSVSEM|CLONE_DETACHED, 1632 ErrorCode(ErrorCode::ERR_ALLOWED), 1633 sandbox->Trap(PthreadTrapHandler, aux))); 1634 } else { 1635 return ErrorCode(ErrorCode::ERR_ALLOWED); 1636 } 1637 } 1638 1639 ErrorCode PthreadPolicyBitMask(Sandbox *sandbox, int sysno, void *aux) { 1640 // This policy allows creating threads with pthread_create(). But it 1641 // doesn't allow any other uses of clone(). Most notably, it does not 1642 // allow callers to implement fork() or vfork() by passing suitable flags 1643 // to the clone() system call. 1644 if (!Sandbox::IsValidSyscallNumber(sysno)) { 1645 // FIXME: we should really not have to do that in a trivial policy 1646 return ErrorCode(ENOSYS); 1647 } else if (sysno == __NR_clone) { 1648 // We have seen two different valid combinations of flags. Glibc 1649 // uses the more modern flags, sets the TLS from the call to clone(), and 1650 // uses futexes to monitor threads. Android's C run-time library, doesn't 1651 // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED. 1652 // The following policy allows for either combination of flags, but it 1653 // is generally a little more conservative than strictly necessary. We 1654 // err on the side of rather safe than sorry. 1655 // Very noticeably though, we disallow fork() (which is often just a 1656 // wrapper around clone()). 1657 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1658 ~uint32(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND| 1659 CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS| 1660 CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID| 1661 CLONE_DETACHED), 1662 sandbox->Trap(PthreadTrapHandler, 1663 "Unexpected CLONE_XXX flag found"), 1664 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1665 CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND| 1666 CLONE_THREAD|CLONE_SYSVSEM, 1667 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1668 CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, 1669 ErrorCode(ErrorCode::ERR_ALLOWED), 1670 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1671 CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, 1672 sandbox->Trap(PthreadTrapHandler, 1673 "Must set either all or none of the TLS" 1674 " and futex bits in call to clone()"), 1675 ErrorCode(ErrorCode::ERR_ALLOWED))), 1676 sandbox->Trap(PthreadTrapHandler, 1677 "Missing mandatory CLONE_XXX flags " 1678 "when creating new thread"))); 1679 } else { 1680 return ErrorCode(ErrorCode::ERR_ALLOWED); 1681 } 1682 } 1683 1684 static void *ThreadFnc(void *arg) { 1685 ++*reinterpret_cast<int *>(arg); 1686 SandboxSyscall(__NR_futex, arg, FUTEX_WAKE, 1, 0, 0, 0); 1687 return NULL; 1688 } 1689 1690 static void PthreadTest() { 1691 // Attempt to start a joinable thread. This should succeed. 1692 pthread_t thread; 1693 int thread_ran = 0; 1694 BPF_ASSERT(!pthread_create(&thread, NULL, ThreadFnc, &thread_ran)); 1695 BPF_ASSERT(!pthread_join(thread, NULL)); 1696 BPF_ASSERT(thread_ran); 1697 1698 // Attempt to start a detached thread. This should succeed. 1699 thread_ran = 0; 1700 pthread_attr_t attr; 1701 BPF_ASSERT(!pthread_attr_init(&attr)); 1702 BPF_ASSERT(!pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED)); 1703 BPF_ASSERT(!pthread_create(&thread, &attr, ThreadFnc, &thread_ran)); 1704 BPF_ASSERT(!pthread_attr_destroy(&attr)); 1705 while (SandboxSyscall(__NR_futex, &thread_ran, FUTEX_WAIT, 1706 0, 0, 0, 0) == -EINTR) { 1707 } 1708 BPF_ASSERT(thread_ran); 1709 1710 // Attempt to fork() a process using clone(). This should fail. We use the 1711 // same flags that glibc uses when calling fork(). But we don't actually 1712 // try calling the fork() implementation in the C run-time library, as 1713 // run-time libraries other than glibc might call __NR_fork instead of 1714 // __NR_clone, and that would introduce a bogus test failure. 1715 int pid; 1716 BPF_ASSERT(SandboxSyscall(__NR_clone, 1717 CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 1718 0, 0, &pid) == -EPERM); 1719 } 1720 1721 BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { 1722 PthreadTest(); 1723 } 1724 1725 BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { 1726 PthreadTest(); 1727 } 1728 1729 } // namespace 1730