Home | History | Annotate | Download | only in seccomp-bpf 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
      6 #define SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
      7 
      8 #include <fcntl.h>
      9 #include <sys/stat.h>
     10 #include <sys/types.h>
     11 
     12 #include "build/build_config.h"
     13 #include "sandbox/linux/tests/unit_tests.h"
     14 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
     15 
     16 namespace sandbox {
     17 
     18 // A BPF_DEATH_TEST is just the same as a BPF_TEST, but it assumes that the
     19 // test will fail with a particular known error condition. Use the DEATH_XXX()
     20 // macros from unit_tests.h to specify the expected error condition.
     21 // A BPF_DEATH_TEST is always disabled under ThreadSanitizer, see
     22 // crbug.com/243968.
     23 #define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \
     24   void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX);   \
     25   TEST(test_case_name, DISABLE_ON_TSAN(test_name)) {                     \
     26     sandbox::BPFTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy);  \
     27     sandbox::BPFTests<aux>::RunTestInProcess(                            \
     28         sandbox::BPFTests<aux>::TestWrapper, &arg, death);               \
     29   }                                                                      \
     30   void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX)
     31 
     32 // BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op,
     33 // if the host does not have kernel support for running BPF filters.
     34 // Also, it takes advantage of the Die class to avoid calling LOG(FATAL), from
     35 // inside our tests, as we don't need or even want all the error handling that
     36 // LOG(FATAL) would do.
     37 // BPF_TEST() takes a C++ data type as an optional fourth parameter. If
     38 // present, this sets up a variable that can be accessed as "BPF_AUX". This
     39 // variable will be passed as an argument to the "policy" function. Policies
     40 // would typically use it as an argument to SandboxBPF::Trap(), if they want to
     41 // communicate data between the BPF_TEST() and a Trap() function.
     42 #define BPF_TEST(test_case_name, test_name, policy, aux...) \
     43   BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux)
     44 
     45 // Assertions are handled exactly the same as with a normal SANDBOX_TEST()
     46 #define BPF_ASSERT SANDBOX_ASSERT
     47 
     48 // The "Aux" type is optional. We use an "empty" type by default, so that if
     49 // the caller doesn't provide any type, all the BPF_AUX related data compiles
     50 // to nothing.
     51 template <class Aux = int[0]>
     52 class BPFTests : public UnitTests {
     53  public:
     54   typedef Aux AuxType;
     55 
     56   class TestArgs {
     57    public:
     58     TestArgs(void (*t)(AuxType&), sandbox::SandboxBPF::EvaluateSyscall p)
     59         : test_(t), policy_(p), aux_() {}
     60 
     61     void (*test() const)(AuxType&) { return test_; }
     62     sandbox::SandboxBPF::EvaluateSyscall policy() const { return policy_; }
     63 
     64    private:
     65     friend class BPFTests;
     66 
     67     void (*test_)(AuxType&);
     68     sandbox::SandboxBPF::EvaluateSyscall policy_;
     69     AuxType aux_;
     70   };
     71 
     72   static void TestWrapper(void* void_arg) {
     73     TestArgs* arg = reinterpret_cast<TestArgs*>(void_arg);
     74     sandbox::Die::EnableSimpleExit();
     75     if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
     76         sandbox::SandboxBPF::STATUS_AVAILABLE) {
     77       // Ensure the the sandbox is actually available at this time
     78       int proc_fd;
     79       BPF_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0);
     80       BPF_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) ==
     81                  sandbox::SandboxBPF::STATUS_AVAILABLE);
     82 
     83       // Initialize and then start the sandbox with our custom policy
     84       sandbox::SandboxBPF sandbox;
     85       sandbox.set_proc_fd(proc_fd);
     86       sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
     87       sandbox.SandboxBPF::StartSandbox();
     88 
     89       arg->test()(arg->aux_);
     90     } else {
     91       printf("This BPF test is not fully running in this configuration!\n");
     92       // Android, ARM and Valgrind are the three only configurations where we
     93       // accept not having kernel BPF support.
     94       // TODO(jln): remote ARM from this list when possible (crbug.com/243478).
     95       if (!IsAndroid() && !IsRunningOnValgrind() && !IsArchitectureArm()) {
     96         const bool seccomp_bpf_is_supported = false;
     97         BPF_ASSERT(seccomp_bpf_is_supported);
     98       }
     99       // Call the compiler and verify the policy. That's the least we can do,
    100       // if we don't have kernel support.
    101       sandbox::SandboxBPF sandbox;
    102       sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
    103       sandbox::SandboxBPF::Program* program =
    104           sandbox.AssembleFilter(true /* force_verification */);
    105       delete program;
    106       sandbox::UnitTests::IgnoreThisTest();
    107     }
    108   }
    109 
    110  private:
    111   DISALLOW_IMPLICIT_CONSTRUCTORS(BPFTests);
    112 };
    113 
    114 }  // namespace sandbox
    115 
    116 #endif  // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
    117