1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include <errno.h> 6 #include <pthread.h> 7 #include <sched.h> 8 #include <signal.h> 9 #include <sys/prctl.h> 10 #include <sys/ptrace.h> 11 #include <sys/syscall.h> 12 #include <sys/time.h> 13 #include <sys/types.h> 14 #include <sys/utsname.h> 15 #include <unistd.h> 16 17 #if defined(ANDROID) 18 // Work-around for buggy headers in Android's NDK 19 #define __user 20 #endif 21 #include <linux/futex.h> 22 23 #include <ostream> 24 25 #include "base/bind.h" 26 #include "base/logging.h" 27 #include "base/macros.h" 28 #include "base/memory/scoped_ptr.h" 29 #include "base/posix/eintr_wrapper.h" 30 #include "build/build_config.h" 31 #include "sandbox/linux/seccomp-bpf/bpf_tests.h" 32 #include "sandbox/linux/seccomp-bpf/syscall.h" 33 #include "sandbox/linux/seccomp-bpf/trap.h" 34 #include "sandbox/linux/seccomp-bpf/verifier.h" 35 #include "sandbox/linux/services/broker_process.h" 36 #include "sandbox/linux/services/linux_syscalls.h" 37 #include "sandbox/linux/tests/unit_tests.h" 38 #include "testing/gtest/include/gtest/gtest.h" 39 40 // Workaround for Android's prctl.h file. 41 #ifndef PR_GET_ENDIAN 42 #define PR_GET_ENDIAN 19 43 #endif 44 #ifndef PR_CAPBSET_READ 45 #define PR_CAPBSET_READ 23 46 #define PR_CAPBSET_DROP 24 47 #endif 48 49 namespace sandbox { 50 51 namespace { 52 53 const int kExpectedReturnValue = 42; 54 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING"; 55 56 // This test should execute no matter whether we have kernel support. So, 57 // we make it a TEST() instead of a BPF_TEST(). 58 TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupports)) { 59 // We check that we don't crash, but it's ok if the kernel doesn't 60 // support it. 61 bool seccomp_bpf_supported = 62 SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE; 63 // We want to log whether or not seccomp BPF is actually supported 64 // since actual test coverage depends on it. 65 RecordProperty("SeccompBPFSupported", 66 seccomp_bpf_supported ? "true." : "false."); 67 std::cout << "Seccomp BPF supported: " 68 << (seccomp_bpf_supported ? "true." : "false.") << "\n"; 69 RecordProperty("PointerSize", sizeof(void*)); 70 std::cout << "Pointer size: " << sizeof(void*) << "\n"; 71 } 72 73 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupportsTwice)) { 74 SandboxBPF::SupportsSeccompSandbox(-1); 75 SandboxBPF::SupportsSeccompSandbox(-1); 76 } 77 78 // BPF_TEST does a lot of the boiler-plate code around setting up a 79 // policy and optional passing data between the caller, the policy and 80 // any Trap() handlers. This is great for writing short and concise tests, 81 // and it helps us accidentally forgetting any of the crucial steps in 82 // setting up the sandbox. But it wouldn't hurt to have at least one test 83 // that explicitly walks through all these steps. 84 85 intptr_t IncreaseCounter(const struct arch_seccomp_data& args, void* aux) { 86 BPF_ASSERT(aux); 87 int* counter = static_cast<int*>(aux); 88 return (*counter)++; 89 } 90 91 class VerboseAPITestingPolicy : public SandboxBPFPolicy { 92 public: 93 VerboseAPITestingPolicy(int* counter_ptr) : counter_ptr_(counter_ptr) {} 94 95 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 96 int sysno) const OVERRIDE { 97 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 98 if (sysno == __NR_uname) { 99 return sandbox->Trap(IncreaseCounter, counter_ptr_); 100 } 101 return ErrorCode(ErrorCode::ERR_ALLOWED); 102 } 103 104 private: 105 int* counter_ptr_; 106 DISALLOW_COPY_AND_ASSIGN(VerboseAPITestingPolicy); 107 }; 108 109 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) { 110 if (SandboxBPF::SupportsSeccompSandbox(-1) == 111 sandbox::SandboxBPF::STATUS_AVAILABLE) { 112 static int counter = 0; 113 114 SandboxBPF sandbox; 115 sandbox.SetSandboxPolicy(new VerboseAPITestingPolicy(&counter)); 116 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)); 117 118 BPF_ASSERT_EQ(0, counter); 119 BPF_ASSERT_EQ(0, syscall(__NR_uname, 0)); 120 BPF_ASSERT_EQ(1, counter); 121 BPF_ASSERT_EQ(1, syscall(__NR_uname, 0)); 122 BPF_ASSERT_EQ(2, counter); 123 } 124 } 125 126 // A simple blacklist test 127 128 class BlacklistNanosleepPolicy : public SandboxBPFPolicy { 129 public: 130 BlacklistNanosleepPolicy() {} 131 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { 132 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 133 switch (sysno) { 134 case __NR_nanosleep: 135 return ErrorCode(EACCES); 136 default: 137 return ErrorCode(ErrorCode::ERR_ALLOWED); 138 } 139 } 140 141 private: 142 DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy); 143 }; 144 145 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { 146 // nanosleep() should be denied 147 const struct timespec ts = {0, 0}; 148 errno = 0; 149 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1); 150 BPF_ASSERT(errno == EACCES); 151 } 152 153 // Now do a simple whitelist test 154 155 class WhitelistGetpidPolicy : public SandboxBPFPolicy { 156 public: 157 WhitelistGetpidPolicy() {} 158 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { 159 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 160 switch (sysno) { 161 case __NR_getpid: 162 case __NR_exit_group: 163 return ErrorCode(ErrorCode::ERR_ALLOWED); 164 default: 165 return ErrorCode(ENOMEM); 166 } 167 } 168 169 private: 170 DISALLOW_COPY_AND_ASSIGN(WhitelistGetpidPolicy); 171 }; 172 173 BPF_TEST_C(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) { 174 // getpid() should be allowed 175 errno = 0; 176 BPF_ASSERT(syscall(__NR_getpid) > 0); 177 BPF_ASSERT(errno == 0); 178 179 // getpgid() should be denied 180 BPF_ASSERT(getpgid(0) == -1); 181 BPF_ASSERT(errno == ENOMEM); 182 } 183 184 // A simple blacklist policy, with a SIGSYS handler 185 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) { 186 // We also check that the auxiliary data is correct 187 SANDBOX_ASSERT(aux); 188 *(static_cast<int*>(aux)) = kExpectedReturnValue; 189 return -ENOMEM; 190 } 191 192 ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox, 193 int sysno, 194 int* aux) { 195 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 196 switch (sysno) { 197 case __NR_nanosleep: 198 return sandbox->Trap(EnomemHandler, aux); 199 default: 200 return ErrorCode(ErrorCode::ERR_ALLOWED); 201 } 202 } 203 204 BPF_TEST(SandboxBPF, 205 BasicBlacklistWithSigsys, 206 BlacklistNanosleepPolicySigsys, 207 int /* (*BPF_AUX) */) { 208 // getpid() should work properly 209 errno = 0; 210 BPF_ASSERT(syscall(__NR_getpid) > 0); 211 BPF_ASSERT(errno == 0); 212 213 // Our Auxiliary Data, should be reset by the signal handler 214 *BPF_AUX = -1; 215 const struct timespec ts = {0, 0}; 216 BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1); 217 BPF_ASSERT(errno == ENOMEM); 218 219 // We expect the signal handler to modify AuxData 220 BPF_ASSERT(*BPF_AUX == kExpectedReturnValue); 221 } 222 223 // A simple test that verifies we can return arbitrary errno values. 224 225 class ErrnoTestPolicy : public SandboxBPFPolicy { 226 public: 227 ErrnoTestPolicy() {} 228 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE; 229 230 private: 231 DISALLOW_COPY_AND_ASSIGN(ErrnoTestPolicy); 232 }; 233 234 ErrorCode ErrnoTestPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const { 235 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 236 switch (sysno) { 237 #if defined(ANDROID) 238 case __NR_dup3: // dup2 is a wrapper of dup3 in android 239 #else 240 case __NR_dup2: 241 #endif 242 // Pretend that dup2() worked, but don't actually do anything. 243 return ErrorCode(0); 244 case __NR_setuid: 245 #if defined(__NR_setuid32) 246 case __NR_setuid32: 247 #endif 248 // Return errno = 1. 249 return ErrorCode(1); 250 case __NR_setgid: 251 #if defined(__NR_setgid32) 252 case __NR_setgid32: 253 #endif 254 // Return maximum errno value (typically 4095). 255 return ErrorCode(ErrorCode::ERR_MAX_ERRNO); 256 case __NR_uname: 257 // Return errno = 42; 258 return ErrorCode(42); 259 default: 260 return ErrorCode(ErrorCode::ERR_ALLOWED); 261 } 262 } 263 264 BPF_TEST_C(SandboxBPF, ErrnoTest, ErrnoTestPolicy) { 265 // Verify that dup2() returns success, but doesn't actually run. 266 int fds[4]; 267 BPF_ASSERT(pipe(fds) == 0); 268 BPF_ASSERT(pipe(fds + 2) == 0); 269 BPF_ASSERT(dup2(fds[2], fds[0]) == 0); 270 char buf[1] = {}; 271 BPF_ASSERT(write(fds[1], "\x55", 1) == 1); 272 BPF_ASSERT(write(fds[3], "\xAA", 1) == 1); 273 BPF_ASSERT(read(fds[0], buf, 1) == 1); 274 275 // If dup2() executed, we will read \xAA, but it dup2() has been turned 276 // into a no-op by our policy, then we will read \x55. 277 BPF_ASSERT(buf[0] == '\x55'); 278 279 // Verify that we can return the minimum and maximum errno values. 280 errno = 0; 281 BPF_ASSERT(setuid(0) == -1); 282 BPF_ASSERT(errno == 1); 283 284 // On Android, errno is only supported up to 255, otherwise errno 285 // processing is skipped. 286 // We work around this (crbug.com/181647). 287 if (sandbox::IsAndroid() && setgid(0) != -1) { 288 errno = 0; 289 BPF_ASSERT(setgid(0) == -ErrorCode::ERR_MAX_ERRNO); 290 BPF_ASSERT(errno == 0); 291 } else { 292 errno = 0; 293 BPF_ASSERT(setgid(0) == -1); 294 BPF_ASSERT(errno == ErrorCode::ERR_MAX_ERRNO); 295 } 296 297 // Finally, test an errno in between the minimum and maximum. 298 errno = 0; 299 struct utsname uts_buf; 300 BPF_ASSERT(uname(&uts_buf) == -1); 301 BPF_ASSERT(errno == 42); 302 } 303 304 // Testing the stacking of two sandboxes 305 306 class StackingPolicyPartOne : public SandboxBPFPolicy { 307 public: 308 StackingPolicyPartOne() {} 309 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 310 int sysno) const OVERRIDE { 311 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 312 switch (sysno) { 313 case __NR_getppid: 314 return sandbox->Cond(0, 315 ErrorCode::TP_32BIT, 316 ErrorCode::OP_EQUAL, 317 0, 318 ErrorCode(ErrorCode::ERR_ALLOWED), 319 ErrorCode(EPERM)); 320 default: 321 return ErrorCode(ErrorCode::ERR_ALLOWED); 322 } 323 } 324 325 private: 326 DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartOne); 327 }; 328 329 class StackingPolicyPartTwo : public SandboxBPFPolicy { 330 public: 331 StackingPolicyPartTwo() {} 332 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 333 int sysno) const OVERRIDE { 334 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 335 switch (sysno) { 336 case __NR_getppid: 337 return sandbox->Cond(0, 338 ErrorCode::TP_32BIT, 339 ErrorCode::OP_EQUAL, 340 0, 341 ErrorCode(EINVAL), 342 ErrorCode(ErrorCode::ERR_ALLOWED)); 343 default: 344 return ErrorCode(ErrorCode::ERR_ALLOWED); 345 } 346 } 347 348 private: 349 DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartTwo); 350 }; 351 352 BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) { 353 errno = 0; 354 BPF_ASSERT(syscall(__NR_getppid, 0) > 0); 355 BPF_ASSERT(errno == 0); 356 357 BPF_ASSERT(syscall(__NR_getppid, 1) == -1); 358 BPF_ASSERT(errno == EPERM); 359 360 // Stack a second sandbox with its own policy. Verify that we can further 361 // restrict filters, but we cannot relax existing filters. 362 SandboxBPF sandbox; 363 sandbox.SetSandboxPolicy(new StackingPolicyPartTwo()); 364 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)); 365 366 errno = 0; 367 BPF_ASSERT(syscall(__NR_getppid, 0) == -1); 368 BPF_ASSERT(errno == EINVAL); 369 370 BPF_ASSERT(syscall(__NR_getppid, 1) == -1); 371 BPF_ASSERT(errno == EPERM); 372 } 373 374 // A more complex, but synthetic policy. This tests the correctness of the BPF 375 // program by iterating through all syscalls and checking for an errno that 376 // depends on the syscall number. Unlike the Verifier, this exercises the BPF 377 // interpreter in the kernel. 378 379 // We try to make sure we exercise optimizations in the BPF compiler. We make 380 // sure that the compiler can have an opportunity to coalesce syscalls with 381 // contiguous numbers and we also make sure that disjoint sets can return the 382 // same errno. 383 int SysnoToRandomErrno(int sysno) { 384 // Small contiguous sets of 3 system calls return an errno equal to the 385 // index of that set + 1 (so that we never return a NUL errno). 386 return ((sysno & ~3) >> 2) % 29 + 1; 387 } 388 389 class SyntheticPolicy : public SandboxBPFPolicy { 390 public: 391 SyntheticPolicy() {} 392 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { 393 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 394 if (sysno == __NR_exit_group || sysno == __NR_write) { 395 // exit_group() is special, we really need it to work. 396 // write() is needed for BPF_ASSERT() to report a useful error message. 397 return ErrorCode(ErrorCode::ERR_ALLOWED); 398 } 399 return ErrorCode(SysnoToRandomErrno(sysno)); 400 } 401 402 private: 403 DISALLOW_COPY_AND_ASSIGN(SyntheticPolicy); 404 }; 405 406 BPF_TEST_C(SandboxBPF, SyntheticPolicy, SyntheticPolicy) { 407 // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int 408 // overflow. 409 BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >= 410 static_cast<int>(MAX_PUBLIC_SYSCALL)); 411 412 for (int syscall_number = static_cast<int>(MIN_SYSCALL); 413 syscall_number <= static_cast<int>(MAX_PUBLIC_SYSCALL); 414 ++syscall_number) { 415 if (syscall_number == __NR_exit_group || syscall_number == __NR_write) { 416 // exit_group() is special 417 continue; 418 } 419 errno = 0; 420 BPF_ASSERT(syscall(syscall_number) == -1); 421 BPF_ASSERT(errno == SysnoToRandomErrno(syscall_number)); 422 } 423 } 424 425 #if defined(__arm__) 426 // A simple policy that tests whether ARM private system calls are supported 427 // by our BPF compiler and by the BPF interpreter in the kernel. 428 429 // For ARM private system calls, return an errno equal to their offset from 430 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno). 431 int ArmPrivateSysnoToErrno(int sysno) { 432 if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) && 433 sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) { 434 return (sysno - MIN_PRIVATE_SYSCALL) + 1; 435 } else { 436 return ENOSYS; 437 } 438 } 439 440 class ArmPrivatePolicy : public SandboxBPFPolicy { 441 public: 442 ArmPrivatePolicy() {} 443 virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE { 444 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 445 // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual 446 // ARM private system calls. 447 if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) && 448 sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) { 449 return ErrorCode(ArmPrivateSysnoToErrno(sysno)); 450 } 451 return ErrorCode(ErrorCode::ERR_ALLOWED); 452 } 453 454 private: 455 DISALLOW_COPY_AND_ASSIGN(ArmPrivatePolicy); 456 }; 457 458 BPF_TEST_C(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) { 459 for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1); 460 syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL); 461 ++syscall_number) { 462 errno = 0; 463 BPF_ASSERT(syscall(syscall_number) == -1); 464 BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number)); 465 } 466 } 467 #endif // defined(__arm__) 468 469 intptr_t CountSyscalls(const struct arch_seccomp_data& args, void* aux) { 470 // Count all invocations of our callback function. 471 ++*reinterpret_cast<int*>(aux); 472 473 // Verify that within the callback function all filtering is temporarily 474 // disabled. 475 BPF_ASSERT(syscall(__NR_getpid) > 1); 476 477 // Verify that we can now call the underlying system call without causing 478 // infinite recursion. 479 return SandboxBPF::ForwardSyscall(args); 480 } 481 482 ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, int* aux) { 483 // The use of UnsafeTrap() causes us to print a warning message. This is 484 // generally desirable, but it results in the unittest failing, as it doesn't 485 // expect any messages on "stderr". So, temporarily disable messages. The 486 // BPF_TEST() is guaranteed to turn messages back on, after the policy 487 // function has completed. 488 setenv(kSandboxDebuggingEnv, "t", 0); 489 Die::SuppressInfoMessages(true); 490 491 // Some system calls must always be allowed, if our policy wants to make 492 // use of UnsafeTrap() 493 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn 494 #if defined(__NR_sigprocmask) 495 || 496 sysno == __NR_sigprocmask 497 #endif 498 #if defined(__NR_sigreturn) 499 || 500 sysno == __NR_sigreturn 501 #endif 502 ) { 503 return ErrorCode(ErrorCode::ERR_ALLOWED); 504 } else if (sysno == __NR_getpid) { 505 // Disallow getpid() 506 return ErrorCode(EPERM); 507 } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { 508 // Allow (and count) all other system calls. 509 return sandbox->UnsafeTrap(CountSyscalls, aux); 510 } else { 511 return ErrorCode(ENOSYS); 512 } 513 } 514 515 BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* (*BPF_AUX) */) { 516 BPF_ASSERT(syscall(__NR_getpid) == -1); 517 BPF_ASSERT(errno == EPERM); 518 BPF_ASSERT(*BPF_AUX == 0); 519 BPF_ASSERT(syscall(__NR_geteuid) == syscall(__NR_getuid)); 520 BPF_ASSERT(*BPF_AUX == 2); 521 char name[17] = {}; 522 BPF_ASSERT(!syscall(__NR_prctl, 523 PR_GET_NAME, 524 name, 525 (void*)NULL, 526 (void*)NULL, 527 (void*)NULL)); 528 BPF_ASSERT(*BPF_AUX == 3); 529 BPF_ASSERT(*name); 530 } 531 532 SANDBOX_TEST(SandboxBPF, EnableUnsafeTrapsInSigSysHandler) { 533 // Disabling warning messages that could confuse our test framework. 534 setenv(kSandboxDebuggingEnv, "t", 0); 535 Die::SuppressInfoMessages(true); 536 537 unsetenv(kSandboxDebuggingEnv); 538 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == false); 539 setenv(kSandboxDebuggingEnv, "", 1); 540 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == false); 541 setenv(kSandboxDebuggingEnv, "t", 1); 542 SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == true); 543 } 544 545 intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) { 546 if (args.args[0] == PR_CAPBSET_DROP && static_cast<int>(args.args[1]) == -1) { 547 // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always 548 // return an error. But our handler allows this call. 549 return 0; 550 } else { 551 return SandboxBPF::ForwardSyscall(args); 552 } 553 } 554 555 class PrctlPolicy : public SandboxBPFPolicy { 556 public: 557 PrctlPolicy() {} 558 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 559 int sysno) const OVERRIDE { 560 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 561 setenv(kSandboxDebuggingEnv, "t", 0); 562 Die::SuppressInfoMessages(true); 563 564 if (sysno == __NR_prctl) { 565 // Handle prctl() inside an UnsafeTrap() 566 return sandbox->UnsafeTrap(PrctlHandler, NULL); 567 } 568 569 // Allow all other system calls. 570 return ErrorCode(ErrorCode::ERR_ALLOWED); 571 } 572 573 private: 574 DISALLOW_COPY_AND_ASSIGN(PrctlPolicy); 575 }; 576 577 BPF_TEST_C(SandboxBPF, ForwardSyscall, PrctlPolicy) { 578 // This call should never be allowed. But our policy will intercept it and 579 // let it pass successfully. 580 BPF_ASSERT( 581 !prctl(PR_CAPBSET_DROP, -1, (void*)NULL, (void*)NULL, (void*)NULL)); 582 583 // Verify that the call will fail, if it makes it all the way to the kernel. 584 BPF_ASSERT( 585 prctl(PR_CAPBSET_DROP, -2, (void*)NULL, (void*)NULL, (void*)NULL) == -1); 586 587 // And verify that other uses of prctl() work just fine. 588 char name[17] = {}; 589 BPF_ASSERT(!syscall(__NR_prctl, 590 PR_GET_NAME, 591 name, 592 (void*)NULL, 593 (void*)NULL, 594 (void*)NULL)); 595 BPF_ASSERT(*name); 596 597 // Finally, verify that system calls other than prctl() are completely 598 // unaffected by our policy. 599 struct utsname uts = {}; 600 BPF_ASSERT(!uname(&uts)); 601 BPF_ASSERT(!strcmp(uts.sysname, "Linux")); 602 } 603 604 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) { 605 return SandboxBPF::ForwardSyscall(args); 606 } 607 608 class RedirectAllSyscallsPolicy : public SandboxBPFPolicy { 609 public: 610 RedirectAllSyscallsPolicy() {} 611 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 612 int sysno) const OVERRIDE; 613 614 private: 615 DISALLOW_COPY_AND_ASSIGN(RedirectAllSyscallsPolicy); 616 }; 617 618 ErrorCode RedirectAllSyscallsPolicy::EvaluateSyscall(SandboxBPF* sandbox, 619 int sysno) const { 620 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 621 setenv(kSandboxDebuggingEnv, "t", 0); 622 Die::SuppressInfoMessages(true); 623 624 // Some system calls must always be allowed, if our policy wants to make 625 // use of UnsafeTrap() 626 if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn 627 #if defined(__NR_sigprocmask) 628 || 629 sysno == __NR_sigprocmask 630 #endif 631 #if defined(__NR_sigreturn) 632 || 633 sysno == __NR_sigreturn 634 #endif 635 ) { 636 return ErrorCode(ErrorCode::ERR_ALLOWED); 637 } 638 return sandbox->UnsafeTrap(AllowRedirectedSyscall, NULL); 639 } 640 641 int bus_handler_fd_ = -1; 642 643 void SigBusHandler(int, siginfo_t* info, void* void_context) { 644 BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1); 645 } 646 647 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { 648 // We use the SIGBUS bit in the signal mask as a thread-local boolean 649 // value in the implementation of UnsafeTrap(). This is obviously a bit 650 // of a hack that could conceivably interfere with code that uses SIGBUS 651 // in more traditional ways. This test verifies that basic functionality 652 // of SIGBUS is not impacted, but it is certainly possibly to construe 653 // more complex uses of signals where our use of the SIGBUS mask is not 654 // 100% transparent. This is expected behavior. 655 int fds[2]; 656 BPF_ASSERT(pipe(fds) == 0); 657 bus_handler_fd_ = fds[1]; 658 struct sigaction sa = {}; 659 sa.sa_sigaction = SigBusHandler; 660 sa.sa_flags = SA_SIGINFO; 661 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0); 662 raise(SIGBUS); 663 char c = '\000'; 664 BPF_ASSERT(read(fds[0], &c, 1) == 1); 665 BPF_ASSERT(close(fds[0]) == 0); 666 BPF_ASSERT(close(fds[1]) == 0); 667 BPF_ASSERT(c == 0x55); 668 } 669 670 BPF_TEST_C(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) { 671 // Signal masks are potentially tricky to handle. For instance, if we 672 // ever tried to update them from inside a Trap() or UnsafeTrap() handler, 673 // the call to sigreturn() at the end of the signal handler would undo 674 // all of our efforts. So, it makes sense to test that sigprocmask() 675 // works, even if we have a policy in place that makes use of UnsafeTrap(). 676 // In practice, this works because we force sigprocmask() to be handled 677 // entirely in the kernel. 678 sigset_t mask0, mask1, mask2; 679 680 // Call sigprocmask() to verify that SIGUSR2 wasn't blocked, if we didn't 681 // change the mask (it shouldn't have been, as it isn't blocked by default 682 // in POSIX). 683 // 684 // Use SIGUSR2 because Android seems to use SIGUSR1 for some purpose. 685 sigemptyset(&mask0); 686 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, &mask1)); 687 BPF_ASSERT(!sigismember(&mask1, SIGUSR2)); 688 689 // Try again, and this time we verify that we can block it. This 690 // requires a second call to sigprocmask(). 691 sigaddset(&mask0, SIGUSR2); 692 BPF_ASSERT(!sigprocmask(SIG_BLOCK, &mask0, NULL)); 693 BPF_ASSERT(!sigprocmask(SIG_BLOCK, NULL, &mask2)); 694 BPF_ASSERT(sigismember(&mask2, SIGUSR2)); 695 } 696 697 BPF_TEST_C(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { 698 // An UnsafeTrap() (or for that matter, a Trap()) has to report error 699 // conditions by returning an exit code in the range -1..-4096. This 700 // should happen automatically if using ForwardSyscall(). If the TrapFnc() 701 // uses some other method to make system calls, then it is responsible 702 // for computing the correct return code. 703 // This test verifies that ForwardSyscall() does the correct thing. 704 705 // The glibc system wrapper will ultimately set errno for us. So, from normal 706 // userspace, all of this should be completely transparent. 707 errno = 0; 708 BPF_ASSERT(close(-1) == -1); 709 BPF_ASSERT(errno == EBADF); 710 711 // Explicitly avoid the glibc wrapper. This is not normally the way anybody 712 // would make system calls, but it allows us to verify that we don't 713 // accidentally mess with errno, when we shouldn't. 714 errno = 0; 715 struct arch_seccomp_data args = {}; 716 args.nr = __NR_close; 717 args.args[0] = -1; 718 BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF); 719 BPF_ASSERT(errno == 0); 720 } 721 722 bool NoOpCallback() { return true; } 723 724 // Test a trap handler that makes use of a broker process to open(). 725 726 class InitializedOpenBroker { 727 public: 728 InitializedOpenBroker() : initialized_(false) { 729 std::vector<std::string> allowed_files; 730 allowed_files.push_back("/proc/allowed"); 731 allowed_files.push_back("/proc/cpuinfo"); 732 733 broker_process_.reset( 734 new BrokerProcess(EPERM, allowed_files, std::vector<std::string>())); 735 BPF_ASSERT(broker_process() != NULL); 736 BPF_ASSERT(broker_process_->Init(base::Bind(&NoOpCallback))); 737 738 initialized_ = true; 739 } 740 bool initialized() { return initialized_; } 741 class BrokerProcess* broker_process() { return broker_process_.get(); } 742 743 private: 744 bool initialized_; 745 scoped_ptr<class BrokerProcess> broker_process_; 746 DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker); 747 }; 748 749 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args, 750 void* aux) { 751 BPF_ASSERT(aux); 752 BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux); 753 switch (args.nr) { 754 #if defined(ANDROID) 755 case __NR_faccessat: // access is a wrapper of faccessat in android 756 return broker_process->Access(reinterpret_cast<const char*>(args.args[1]), 757 static_cast<int>(args.args[2])); 758 #else 759 case __NR_access: 760 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]), 761 static_cast<int>(args.args[1])); 762 #endif 763 case __NR_open: 764 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]), 765 static_cast<int>(args.args[1])); 766 case __NR_openat: 767 // We only call open() so if we arrive here, it's because glibc uses 768 // the openat() system call. 769 BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD); 770 return broker_process->Open(reinterpret_cast<const char*>(args.args[1]), 771 static_cast<int>(args.args[2])); 772 default: 773 BPF_ASSERT(false); 774 return -ENOSYS; 775 } 776 } 777 778 ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, 779 int sysno, 780 InitializedOpenBroker* iob) { 781 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { 782 return ErrorCode(ENOSYS); 783 } 784 785 switch (sysno) { 786 #if defined(ANDROID) 787 case __NR_faccessat: 788 #else 789 case __NR_access: 790 #endif 791 case __NR_open: 792 case __NR_openat: 793 // We get a InitializedOpenBroker class, but our trap handler wants 794 // the BrokerProcess object. 795 return ErrorCode( 796 sandbox->Trap(BrokerOpenTrapHandler, iob->broker_process())); 797 default: 798 return ErrorCode(ErrorCode::ERR_ALLOWED); 799 } 800 } 801 802 // We use a InitializedOpenBroker class, so that we can run unsandboxed 803 // code in its constructor, which is the only way to do so in a BPF_TEST. 804 BPF_TEST(SandboxBPF, 805 UseOpenBroker, 806 DenyOpenPolicy, 807 InitializedOpenBroker /* (*BPF_AUX) */) { 808 BPF_ASSERT(BPF_AUX->initialized()); 809 BrokerProcess* broker_process = BPF_AUX->broker_process(); 810 BPF_ASSERT(broker_process != NULL); 811 812 // First, use the broker "manually" 813 BPF_ASSERT(broker_process->Open("/proc/denied", O_RDONLY) == -EPERM); 814 BPF_ASSERT(broker_process->Access("/proc/denied", R_OK) == -EPERM); 815 BPF_ASSERT(broker_process->Open("/proc/allowed", O_RDONLY) == -ENOENT); 816 BPF_ASSERT(broker_process->Access("/proc/allowed", R_OK) == -ENOENT); 817 818 // Now use glibc's open() as an external library would. 819 BPF_ASSERT(open("/proc/denied", O_RDONLY) == -1); 820 BPF_ASSERT(errno == EPERM); 821 822 BPF_ASSERT(open("/proc/allowed", O_RDONLY) == -1); 823 BPF_ASSERT(errno == ENOENT); 824 825 // Also test glibc's openat(), some versions of libc use it transparently 826 // instead of open(). 827 BPF_ASSERT(openat(AT_FDCWD, "/proc/denied", O_RDONLY) == -1); 828 BPF_ASSERT(errno == EPERM); 829 830 BPF_ASSERT(openat(AT_FDCWD, "/proc/allowed", O_RDONLY) == -1); 831 BPF_ASSERT(errno == ENOENT); 832 833 // And test glibc's access(). 834 BPF_ASSERT(access("/proc/denied", R_OK) == -1); 835 BPF_ASSERT(errno == EPERM); 836 837 BPF_ASSERT(access("/proc/allowed", R_OK) == -1); 838 BPF_ASSERT(errno == ENOENT); 839 840 // This is also white listed and does exist. 841 int cpu_info_access = access("/proc/cpuinfo", R_OK); 842 BPF_ASSERT(cpu_info_access == 0); 843 int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY); 844 BPF_ASSERT(cpu_info_fd >= 0); 845 char buf[1024]; 846 BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0); 847 } 848 849 // Simple test demonstrating how to use SandboxBPF::Cond() 850 851 class SimpleCondTestPolicy : public SandboxBPFPolicy { 852 public: 853 SimpleCondTestPolicy() {} 854 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 855 int sysno) const OVERRIDE; 856 857 private: 858 DISALLOW_COPY_AND_ASSIGN(SimpleCondTestPolicy); 859 }; 860 861 ErrorCode SimpleCondTestPolicy::EvaluateSyscall(SandboxBPF* sandbox, 862 int sysno) const { 863 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 864 865 // We deliberately return unusual errno values upon failure, so that we 866 // can uniquely test for these values. In a "real" policy, you would want 867 // to return more traditional values. 868 switch (sysno) { 869 #if defined(ANDROID) 870 case __NR_openat: // open is a wrapper of openat in android 871 // Allow opening files for reading, but don't allow writing. 872 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits); 873 return sandbox->Cond(2, 874 ErrorCode::TP_32BIT, 875 ErrorCode::OP_HAS_ANY_BITS, 876 O_ACCMODE /* 0x3 */, 877 ErrorCode(EROFS), 878 ErrorCode(ErrorCode::ERR_ALLOWED)); 879 #else 880 case __NR_open: 881 // Allow opening files for reading, but don't allow writing. 882 COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits); 883 return sandbox->Cond(1, 884 ErrorCode::TP_32BIT, 885 ErrorCode::OP_HAS_ANY_BITS, 886 O_ACCMODE /* 0x3 */, 887 ErrorCode(EROFS), 888 ErrorCode(ErrorCode::ERR_ALLOWED)); 889 #endif 890 case __NR_prctl: 891 // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but 892 // disallow everything else. 893 return sandbox->Cond(0, 894 ErrorCode::TP_32BIT, 895 ErrorCode::OP_EQUAL, 896 PR_SET_DUMPABLE, 897 ErrorCode(ErrorCode::ERR_ALLOWED), 898 sandbox->Cond(0, 899 ErrorCode::TP_32BIT, 900 ErrorCode::OP_EQUAL, 901 PR_GET_DUMPABLE, 902 ErrorCode(ErrorCode::ERR_ALLOWED), 903 ErrorCode(ENOMEM))); 904 default: 905 return ErrorCode(ErrorCode::ERR_ALLOWED); 906 } 907 } 908 909 BPF_TEST_C(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) { 910 int fd; 911 BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1); 912 BPF_ASSERT(errno == EROFS); 913 BPF_ASSERT((fd = open("/proc/self/comm", O_RDONLY)) >= 0); 914 close(fd); 915 916 int ret; 917 BPF_ASSERT((ret = prctl(PR_GET_DUMPABLE)) >= 0); 918 BPF_ASSERT(prctl(PR_SET_DUMPABLE, 1 - ret) == 0); 919 BPF_ASSERT(prctl(PR_GET_ENDIAN, &ret) == -1); 920 BPF_ASSERT(errno == ENOMEM); 921 } 922 923 // This test exercises the SandboxBPF::Cond() method by building a complex 924 // tree of conditional equality operations. It then makes system calls and 925 // verifies that they return the values that we expected from our BPF 926 // program. 927 class EqualityStressTest { 928 public: 929 EqualityStressTest() { 930 // We want a deterministic test 931 srand(0); 932 933 // Iterates over system call numbers and builds a random tree of 934 // equality tests. 935 // We are actually constructing a graph of ArgValue objects. This 936 // graph will later be used to a) compute our sandbox policy, and 937 // b) drive the code that verifies the output from the BPF program. 938 COMPILE_ASSERT( 939 kNumTestCases < (int)(MAX_PUBLIC_SYSCALL - MIN_SYSCALL - 10), 940 num_test_cases_must_be_significantly_smaller_than_num_system_calls); 941 for (int sysno = MIN_SYSCALL, end = kNumTestCases; sysno < end; ++sysno) { 942 if (IsReservedSyscall(sysno)) { 943 // Skip reserved system calls. This ensures that our test frame 944 // work isn't impacted by the fact that we are overriding 945 // a lot of different system calls. 946 ++end; 947 arg_values_.push_back(NULL); 948 } else { 949 arg_values_.push_back( 950 RandomArgValue(rand() % kMaxArgs, 0, rand() % kMaxArgs)); 951 } 952 } 953 } 954 955 ~EqualityStressTest() { 956 for (std::vector<ArgValue*>::iterator iter = arg_values_.begin(); 957 iter != arg_values_.end(); 958 ++iter) { 959 DeleteArgValue(*iter); 960 } 961 } 962 963 ErrorCode Policy(SandboxBPF* sandbox, int sysno) { 964 if (!SandboxBPF::IsValidSyscallNumber(sysno)) { 965 // FIXME: we should really not have to do that in a trivial policy 966 return ErrorCode(ENOSYS); 967 } else if (sysno < 0 || sysno >= (int)arg_values_.size() || 968 IsReservedSyscall(sysno)) { 969 // We only return ErrorCode values for the system calls that 970 // are part of our test data. Every other system call remains 971 // allowed. 972 return ErrorCode(ErrorCode::ERR_ALLOWED); 973 } else { 974 // ToErrorCode() turns an ArgValue object into an ErrorCode that is 975 // suitable for use by a sandbox policy. 976 return ToErrorCode(sandbox, arg_values_[sysno]); 977 } 978 } 979 980 void VerifyFilter() { 981 // Iterate over all system calls. Skip the system calls that have 982 // previously been determined as being reserved. 983 for (int sysno = 0; sysno < (int)arg_values_.size(); ++sysno) { 984 if (!arg_values_[sysno]) { 985 // Skip reserved system calls. 986 continue; 987 } 988 // Verify that system calls return the values that we expect them to 989 // return. This involves passing different combinations of system call 990 // parameters in order to exercise all possible code paths through the 991 // BPF filter program. 992 // We arbitrarily start by setting all six system call arguments to 993 // zero. And we then recursive traverse our tree of ArgValues to 994 // determine the necessary combinations of parameters. 995 intptr_t args[6] = {}; 996 Verify(sysno, args, *arg_values_[sysno]); 997 } 998 } 999 1000 private: 1001 struct ArgValue { 1002 int argno; // Argument number to inspect. 1003 int size; // Number of test cases (must be > 0). 1004 struct Tests { 1005 uint32_t k_value; // Value to compare syscall arg against. 1006 int err; // If non-zero, errno value to return. 1007 struct ArgValue* arg_value; // Otherwise, more args needs inspecting. 1008 }* tests; 1009 int err; // If none of the tests passed, this is what 1010 struct ArgValue* arg_value; // we'll return (this is the "else" branch). 1011 }; 1012 1013 bool IsReservedSyscall(int sysno) { 1014 // There are a handful of system calls that we should never use in our 1015 // test cases. These system calls are needed to allow the test framework 1016 // to run properly. 1017 // If we wanted to write fully generic code, there are more system calls 1018 // that could be listed here, and it is quite difficult to come up with a 1019 // truly comprehensive list. After all, we are deliberately making system 1020 // calls unavailable. In practice, we have a pretty good idea of the system 1021 // calls that will be made by this particular test. So, this small list is 1022 // sufficient. But if anybody copy'n'pasted this code for other uses, they 1023 // would have to review that the list. 1024 return sysno == __NR_read || sysno == __NR_write || sysno == __NR_exit || 1025 sysno == __NR_exit_group || sysno == __NR_restart_syscall; 1026 } 1027 1028 ArgValue* RandomArgValue(int argno, int args_mask, int remaining_args) { 1029 // Create a new ArgValue and fill it with random data. We use as bit mask 1030 // to keep track of the system call parameters that have previously been 1031 // set; this ensures that we won't accidentally define a contradictory 1032 // set of equality tests. 1033 struct ArgValue* arg_value = new ArgValue(); 1034 args_mask |= 1 << argno; 1035 arg_value->argno = argno; 1036 1037 // Apply some restrictions on just how complex our tests can be. 1038 // Otherwise, we end up with a BPF program that is too complicated for 1039 // the kernel to load. 1040 int fan_out = kMaxFanOut; 1041 if (remaining_args > 3) { 1042 fan_out = 1; 1043 } else if (remaining_args > 2) { 1044 fan_out = 2; 1045 } 1046 1047 // Create a couple of different test cases with randomized values that 1048 // we want to use when comparing system call parameter number "argno". 1049 arg_value->size = rand() % fan_out + 1; 1050 arg_value->tests = new ArgValue::Tests[arg_value->size]; 1051 1052 uint32_t k_value = rand(); 1053 for (int n = 0; n < arg_value->size; ++n) { 1054 // Ensure that we have unique values 1055 k_value += rand() % (RAND_MAX / (kMaxFanOut + 1)) + 1; 1056 1057 // There are two possible types of nodes. Either this is a leaf node; 1058 // in that case, we have completed all the equality tests that we 1059 // wanted to perform, and we can now compute a random "errno" value that 1060 // we should return. Or this is part of a more complex boolean 1061 // expression; in that case, we have to recursively add tests for some 1062 // of system call parameters that we have not yet included in our 1063 // tests. 1064 arg_value->tests[n].k_value = k_value; 1065 if (!remaining_args || (rand() & 1)) { 1066 arg_value->tests[n].err = (rand() % 1000) + 1; 1067 arg_value->tests[n].arg_value = NULL; 1068 } else { 1069 arg_value->tests[n].err = 0; 1070 arg_value->tests[n].arg_value = 1071 RandomArgValue(RandomArg(args_mask), args_mask, remaining_args - 1); 1072 } 1073 } 1074 // Finally, we have to define what we should return if none of the 1075 // previous equality tests pass. Again, we can either deal with a leaf 1076 // node, or we can randomly add another couple of tests. 1077 if (!remaining_args || (rand() & 1)) { 1078 arg_value->err = (rand() % 1000) + 1; 1079 arg_value->arg_value = NULL; 1080 } else { 1081 arg_value->err = 0; 1082 arg_value->arg_value = 1083 RandomArgValue(RandomArg(args_mask), args_mask, remaining_args - 1); 1084 } 1085 // We have now built a new (sub-)tree of ArgValues defining a set of 1086 // boolean expressions for testing random system call arguments against 1087 // random values. Return this tree to our caller. 1088 return arg_value; 1089 } 1090 1091 int RandomArg(int args_mask) { 1092 // Compute a random system call parameter number. 1093 int argno = rand() % kMaxArgs; 1094 1095 // Make sure that this same parameter number has not previously been 1096 // used. Otherwise, we could end up with a test that is impossible to 1097 // satisfy (e.g. args[0] == 1 && args[0] == 2). 1098 while (args_mask & (1 << argno)) { 1099 argno = (argno + 1) % kMaxArgs; 1100 } 1101 return argno; 1102 } 1103 1104 void DeleteArgValue(ArgValue* arg_value) { 1105 // Delete an ArgValue and all of its child nodes. This requires 1106 // recursively descending into the tree. 1107 if (arg_value) { 1108 if (arg_value->size) { 1109 for (int n = 0; n < arg_value->size; ++n) { 1110 if (!arg_value->tests[n].err) { 1111 DeleteArgValue(arg_value->tests[n].arg_value); 1112 } 1113 } 1114 delete[] arg_value->tests; 1115 } 1116 if (!arg_value->err) { 1117 DeleteArgValue(arg_value->arg_value); 1118 } 1119 delete arg_value; 1120 } 1121 } 1122 1123 ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) { 1124 // Compute the ErrorCode that should be returned, if none of our 1125 // tests succeed (i.e. the system call parameter doesn't match any 1126 // of the values in arg_value->tests[].k_value). 1127 ErrorCode err; 1128 if (arg_value->err) { 1129 // If this was a leaf node, return the errno value that we expect to 1130 // return from the BPF filter program. 1131 err = ErrorCode(arg_value->err); 1132 } else { 1133 // If this wasn't a leaf node yet, recursively descend into the rest 1134 // of the tree. This will end up adding a few more SandboxBPF::Cond() 1135 // tests to our ErrorCode. 1136 err = ToErrorCode(sandbox, arg_value->arg_value); 1137 } 1138 1139 // Now, iterate over all the test cases that we want to compare against. 1140 // This builds a chain of SandboxBPF::Cond() tests 1141 // (aka "if ... elif ... elif ... elif ... fi") 1142 for (int n = arg_value->size; n-- > 0;) { 1143 ErrorCode matched; 1144 // Again, we distinguish between leaf nodes and subtrees. 1145 if (arg_value->tests[n].err) { 1146 matched = ErrorCode(arg_value->tests[n].err); 1147 } else { 1148 matched = ToErrorCode(sandbox, arg_value->tests[n].arg_value); 1149 } 1150 // For now, all of our tests are limited to 32bit. 1151 // We have separate tests that check the behavior of 32bit vs. 64bit 1152 // conditional expressions. 1153 err = sandbox->Cond(arg_value->argno, 1154 ErrorCode::TP_32BIT, 1155 ErrorCode::OP_EQUAL, 1156 arg_value->tests[n].k_value, 1157 matched, 1158 err); 1159 } 1160 return err; 1161 } 1162 1163 void Verify(int sysno, intptr_t* args, const ArgValue& arg_value) { 1164 uint32_t mismatched = 0; 1165 // Iterate over all the k_values in arg_value.tests[] and verify that 1166 // we see the expected return values from system calls, when we pass 1167 // the k_value as a parameter in a system call. 1168 for (int n = arg_value.size; n-- > 0;) { 1169 mismatched += arg_value.tests[n].k_value; 1170 args[arg_value.argno] = arg_value.tests[n].k_value; 1171 if (arg_value.tests[n].err) { 1172 VerifyErrno(sysno, args, arg_value.tests[n].err); 1173 } else { 1174 Verify(sysno, args, *arg_value.tests[n].arg_value); 1175 } 1176 } 1177 // Find a k_value that doesn't match any of the k_values in 1178 // arg_value.tests[]. In most cases, the current value of "mismatched" 1179 // would fit this requirement. But on the off-chance that it happens 1180 // to collide, we double-check. 1181 try_again: 1182 for (int n = arg_value.size; n-- > 0;) { 1183 if (mismatched == arg_value.tests[n].k_value) { 1184 ++mismatched; 1185 goto try_again; 1186 } 1187 } 1188 // Now verify that we see the expected return value from system calls, 1189 // if we pass a value that doesn't match any of the conditions (i.e. this 1190 // is testing the "else" clause of the conditions). 1191 args[arg_value.argno] = mismatched; 1192 if (arg_value.err) { 1193 VerifyErrno(sysno, args, arg_value.err); 1194 } else { 1195 Verify(sysno, args, *arg_value.arg_value); 1196 } 1197 // Reset args[arg_value.argno]. This is not technically needed, but it 1198 // makes it easier to reason about the correctness of our tests. 1199 args[arg_value.argno] = 0; 1200 } 1201 1202 void VerifyErrno(int sysno, intptr_t* args, int err) { 1203 // We installed BPF filters that return different errno values 1204 // based on the system call number and the parameters that we decided 1205 // to pass in. Verify that this condition holds true. 1206 BPF_ASSERT( 1207 Syscall::Call( 1208 sysno, args[0], args[1], args[2], args[3], args[4], args[5]) == 1209 -err); 1210 } 1211 1212 // Vector of ArgValue trees. These trees define all the possible boolean 1213 // expressions that we want to turn into a BPF filter program. 1214 std::vector<ArgValue*> arg_values_; 1215 1216 // Don't increase these values. We are pushing the limits of the maximum 1217 // BPF program that the kernel will allow us to load. If the values are 1218 // increased too much, the test will start failing. 1219 static const int kNumTestCases = 40; 1220 static const int kMaxFanOut = 3; 1221 static const int kMaxArgs = 6; 1222 }; 1223 1224 ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox, 1225 int sysno, 1226 EqualityStressTest* aux) { 1227 DCHECK(aux); 1228 return aux->Policy(sandbox, sysno); 1229 } 1230 1231 BPF_TEST(SandboxBPF, 1232 EqualityTests, 1233 EqualityStressTestPolicy, 1234 EqualityStressTest /* (*BPF_AUX) */) { 1235 BPF_AUX->VerifyFilter(); 1236 } 1237 1238 class EqualityArgumentWidthPolicy : public SandboxBPFPolicy { 1239 public: 1240 EqualityArgumentWidthPolicy() {} 1241 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 1242 int sysno) const OVERRIDE; 1243 1244 private: 1245 DISALLOW_COPY_AND_ASSIGN(EqualityArgumentWidthPolicy); 1246 }; 1247 1248 ErrorCode EqualityArgumentWidthPolicy::EvaluateSyscall(SandboxBPF* sandbox, 1249 int sysno) const { 1250 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 1251 if (sysno == __NR_uname) { 1252 return sandbox->Cond( 1253 0, 1254 ErrorCode::TP_32BIT, 1255 ErrorCode::OP_EQUAL, 1256 0, 1257 sandbox->Cond(1, 1258 ErrorCode::TP_32BIT, 1259 ErrorCode::OP_EQUAL, 1260 0x55555555, 1261 ErrorCode(1), 1262 ErrorCode(2)), 1263 // The BPF compiler and the BPF interpreter in the kernel are 1264 // (mostly) agnostic of the host platform's word size. The compiler 1265 // will happily generate code that tests a 64bit value, and the 1266 // interpreter will happily perform this test. 1267 // But unless there is a kernel bug, there is no way for us to pass 1268 // in a 64bit quantity on a 32bit platform. The upper 32bits should 1269 // always be zero. So, this test should always evaluate as false on 1270 // 32bit systems. 1271 sandbox->Cond(1, 1272 ErrorCode::TP_64BIT, 1273 ErrorCode::OP_EQUAL, 1274 0x55555555AAAAAAAAULL, 1275 ErrorCode(1), 1276 ErrorCode(2))); 1277 } 1278 return ErrorCode(ErrorCode::ERR_ALLOWED); 1279 } 1280 1281 BPF_TEST_C(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { 1282 BPF_ASSERT(Syscall::Call(__NR_uname, 0, 0x55555555) == -1); 1283 BPF_ASSERT(Syscall::Call(__NR_uname, 0, 0xAAAAAAAA) == -2); 1284 #if __SIZEOF_POINTER__ > 4 1285 // On 32bit machines, there is no way to pass a 64bit argument through the 1286 // syscall interface. So, we have to skip the part of the test that requires 1287 // 64bit arguments. 1288 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x55555555AAAAAAAAULL) == -1); 1289 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x5555555500000000ULL) == -2); 1290 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x5555555511111111ULL) == -2); 1291 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x11111111AAAAAAAAULL) == -2); 1292 #else 1293 BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x55555555) == -2); 1294 #endif 1295 } 1296 1297 #if __SIZEOF_POINTER__ > 4 1298 // On 32bit machines, there is no way to pass a 64bit argument through the 1299 // syscall interface. So, we have to skip the part of the test that requires 1300 // 64bit arguments. 1301 BPF_DEATH_TEST_C(SandboxBPF, 1302 EqualityArgumentUnallowed64bit, 1303 DEATH_MESSAGE("Unexpected 64bit argument detected"), 1304 EqualityArgumentWidthPolicy) { 1305 Syscall::Call(__NR_uname, 0, 0x5555555555555555ULL); 1306 } 1307 #endif 1308 1309 class EqualityWithNegativeArgumentsPolicy : public SandboxBPFPolicy { 1310 public: 1311 EqualityWithNegativeArgumentsPolicy() {} 1312 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 1313 int sysno) const OVERRIDE { 1314 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 1315 if (sysno == __NR_uname) { 1316 return sandbox->Cond(0, 1317 ErrorCode::TP_32BIT, 1318 ErrorCode::OP_EQUAL, 1319 0xFFFFFFFF, 1320 ErrorCode(1), 1321 ErrorCode(2)); 1322 } 1323 return ErrorCode(ErrorCode::ERR_ALLOWED); 1324 } 1325 1326 private: 1327 DISALLOW_COPY_AND_ASSIGN(EqualityWithNegativeArgumentsPolicy); 1328 }; 1329 1330 BPF_TEST_C(SandboxBPF, 1331 EqualityWithNegativeArguments, 1332 EqualityWithNegativeArgumentsPolicy) { 1333 BPF_ASSERT(Syscall::Call(__NR_uname, 0xFFFFFFFF) == -1); 1334 BPF_ASSERT(Syscall::Call(__NR_uname, -1) == -1); 1335 BPF_ASSERT(Syscall::Call(__NR_uname, -1LL) == -1); 1336 } 1337 1338 #if __SIZEOF_POINTER__ > 4 1339 BPF_DEATH_TEST_C(SandboxBPF, 1340 EqualityWithNegative64bitArguments, 1341 DEATH_MESSAGE("Unexpected 64bit argument detected"), 1342 EqualityWithNegativeArgumentsPolicy) { 1343 // When expecting a 32bit system call argument, we look at the MSB of the 1344 // 64bit value and allow both "0" and "-1". But the latter is allowed only 1345 // iff the LSB was negative. So, this death test should error out. 1346 BPF_ASSERT(Syscall::Call(__NR_uname, 0xFFFFFFFF00000000LL) == -1); 1347 } 1348 #endif 1349 class AllBitTestPolicy : public SandboxBPFPolicy { 1350 public: 1351 AllBitTestPolicy() {} 1352 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 1353 int sysno) const OVERRIDE; 1354 1355 private: 1356 DISALLOW_COPY_AND_ASSIGN(AllBitTestPolicy); 1357 }; 1358 1359 ErrorCode AllBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox, 1360 int sysno) const { 1361 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 1362 // Test the OP_HAS_ALL_BITS conditional test operator with a couple of 1363 // different bitmasks. We try to find bitmasks that could conceivably 1364 // touch corner cases. 1365 // For all of these tests, we override the uname(). We can make use with 1366 // a single system call number, as we use the first system call argument to 1367 // select the different bit masks that we want to test against. 1368 if (sysno == __NR_uname) { 1369 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 1370 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1371 0x0, 1372 ErrorCode(1), ErrorCode(0)), 1373 1374 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1, 1375 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1376 0x1, 1377 ErrorCode(1), ErrorCode(0)), 1378 1379 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2, 1380 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1381 0x3, 1382 ErrorCode(1), ErrorCode(0)), 1383 1384 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3, 1385 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1386 0x80000000, 1387 ErrorCode(1), ErrorCode(0)), 1388 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4, 1389 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1390 0x0, 1391 ErrorCode(1), ErrorCode(0)), 1392 1393 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5, 1394 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1395 0x1, 1396 ErrorCode(1), ErrorCode(0)), 1397 1398 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6, 1399 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1400 0x3, 1401 ErrorCode(1), ErrorCode(0)), 1402 1403 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7, 1404 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1405 0x80000000, 1406 ErrorCode(1), ErrorCode(0)), 1407 1408 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8, 1409 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1410 0x100000000ULL, 1411 ErrorCode(1), ErrorCode(0)), 1412 1413 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9, 1414 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1415 0x300000000ULL, 1416 ErrorCode(1), ErrorCode(0)), 1417 1418 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10, 1419 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS, 1420 0x100000001ULL, 1421 ErrorCode(1), ErrorCode(0)), 1422 1423 sandbox->Kill("Invalid test case number")))))))))))); 1424 } 1425 return ErrorCode(ErrorCode::ERR_ALLOWED); 1426 } 1427 1428 // Define a macro that performs tests using our test policy. 1429 // NOTE: Not all of the arguments in this macro are actually used! 1430 // They are here just to serve as documentation of the conditions 1431 // implemented in the test policy. 1432 // Most notably, "op" and "mask" are unused by the macro. If you want 1433 // to make changes to these values, you will have to edit the 1434 // test policy instead. 1435 #define BITMASK_TEST(testcase, arg, op, mask, expected_value) \ 1436 BPF_ASSERT(Syscall::Call(__NR_uname, (testcase), (arg)) == (expected_value)) 1437 1438 // Our uname() system call returns ErrorCode(1) for success and 1439 // ErrorCode(0) for failure. Syscall::Call() turns this into an 1440 // exit code of -1 or 0. 1441 #define EXPECT_FAILURE 0 1442 #define EXPECT_SUCCESS -1 1443 1444 // A couple of our tests behave differently on 32bit and 64bit systems, as 1445 // there is no way for a 32bit system call to pass in a 64bit system call 1446 // argument "arg". 1447 // We expect these tests to succeed on 64bit systems, but to tail on 32bit 1448 // systems. 1449 #define EXPT64_SUCCESS (sizeof(void*) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE) 1450 BPF_TEST_C(SandboxBPF, AllBitTests, AllBitTestPolicy) { 1451 // 32bit test: all of 0x0 (should always be true) 1452 BITMASK_TEST( 0, 0, ALLBITS32, 0, EXPECT_SUCCESS); 1453 BITMASK_TEST( 0, 1, ALLBITS32, 0, EXPECT_SUCCESS); 1454 BITMASK_TEST( 0, 3, ALLBITS32, 0, EXPECT_SUCCESS); 1455 BITMASK_TEST( 0, 0xFFFFFFFFU, ALLBITS32, 0, EXPECT_SUCCESS); 1456 BITMASK_TEST( 0, -1LL, ALLBITS32, 0, EXPECT_SUCCESS); 1457 1458 // 32bit test: all of 0x1 1459 BITMASK_TEST( 1, 0, ALLBITS32, 0x1, EXPECT_FAILURE); 1460 BITMASK_TEST( 1, 1, ALLBITS32, 0x1, EXPECT_SUCCESS); 1461 BITMASK_TEST( 1, 2, ALLBITS32, 0x1, EXPECT_FAILURE); 1462 BITMASK_TEST( 1, 3, ALLBITS32, 0x1, EXPECT_SUCCESS); 1463 1464 // 32bit test: all of 0x3 1465 BITMASK_TEST( 2, 0, ALLBITS32, 0x3, EXPECT_FAILURE); 1466 BITMASK_TEST( 2, 1, ALLBITS32, 0x3, EXPECT_FAILURE); 1467 BITMASK_TEST( 2, 2, ALLBITS32, 0x3, EXPECT_FAILURE); 1468 BITMASK_TEST( 2, 3, ALLBITS32, 0x3, EXPECT_SUCCESS); 1469 BITMASK_TEST( 2, 7, ALLBITS32, 0x3, EXPECT_SUCCESS); 1470 1471 // 32bit test: all of 0x80000000 1472 BITMASK_TEST( 3, 0, ALLBITS32, 0x80000000, EXPECT_FAILURE); 1473 BITMASK_TEST( 3, 0x40000000U, ALLBITS32, 0x80000000, EXPECT_FAILURE); 1474 BITMASK_TEST( 3, 0x80000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS); 1475 BITMASK_TEST( 3, 0xC0000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS); 1476 BITMASK_TEST( 3, -0x80000000LL, ALLBITS32, 0x80000000, EXPECT_SUCCESS); 1477 1478 // 64bit test: all of 0x0 (should always be true) 1479 BITMASK_TEST( 4, 0, ALLBITS64, 0, EXPECT_SUCCESS); 1480 BITMASK_TEST( 4, 1, ALLBITS64, 0, EXPECT_SUCCESS); 1481 BITMASK_TEST( 4, 3, ALLBITS64, 0, EXPECT_SUCCESS); 1482 BITMASK_TEST( 4, 0xFFFFFFFFU, ALLBITS64, 0, EXPECT_SUCCESS); 1483 BITMASK_TEST( 4, 0x100000000LL, ALLBITS64, 0, EXPECT_SUCCESS); 1484 BITMASK_TEST( 4, 0x300000000LL, ALLBITS64, 0, EXPECT_SUCCESS); 1485 BITMASK_TEST( 4,0x8000000000000000LL, ALLBITS64, 0, EXPECT_SUCCESS); 1486 BITMASK_TEST( 4, -1LL, ALLBITS64, 0, EXPECT_SUCCESS); 1487 1488 // 64bit test: all of 0x1 1489 BITMASK_TEST( 5, 0, ALLBITS64, 1, EXPECT_FAILURE); 1490 BITMASK_TEST( 5, 1, ALLBITS64, 1, EXPECT_SUCCESS); 1491 BITMASK_TEST( 5, 2, ALLBITS64, 1, EXPECT_FAILURE); 1492 BITMASK_TEST( 5, 3, ALLBITS64, 1, EXPECT_SUCCESS); 1493 BITMASK_TEST( 5, 0x100000000LL, ALLBITS64, 1, EXPECT_FAILURE); 1494 BITMASK_TEST( 5, 0x100000001LL, ALLBITS64, 1, EXPECT_SUCCESS); 1495 BITMASK_TEST( 5, 0x100000002LL, ALLBITS64, 1, EXPECT_FAILURE); 1496 BITMASK_TEST( 5, 0x100000003LL, ALLBITS64, 1, EXPECT_SUCCESS); 1497 1498 // 64bit test: all of 0x3 1499 BITMASK_TEST( 6, 0, ALLBITS64, 3, EXPECT_FAILURE); 1500 BITMASK_TEST( 6, 1, ALLBITS64, 3, EXPECT_FAILURE); 1501 BITMASK_TEST( 6, 2, ALLBITS64, 3, EXPECT_FAILURE); 1502 BITMASK_TEST( 6, 3, ALLBITS64, 3, EXPECT_SUCCESS); 1503 BITMASK_TEST( 6, 7, ALLBITS64, 3, EXPECT_SUCCESS); 1504 BITMASK_TEST( 6, 0x100000000LL, ALLBITS64, 3, EXPECT_FAILURE); 1505 BITMASK_TEST( 6, 0x100000001LL, ALLBITS64, 3, EXPECT_FAILURE); 1506 BITMASK_TEST( 6, 0x100000002LL, ALLBITS64, 3, EXPECT_FAILURE); 1507 BITMASK_TEST( 6, 0x100000003LL, ALLBITS64, 3, EXPECT_SUCCESS); 1508 BITMASK_TEST( 6, 0x100000007LL, ALLBITS64, 3, EXPECT_SUCCESS); 1509 1510 // 64bit test: all of 0x80000000 1511 BITMASK_TEST( 7, 0, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1512 BITMASK_TEST( 7, 0x40000000U, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1513 BITMASK_TEST( 7, 0x80000000U, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1514 BITMASK_TEST( 7, 0xC0000000U, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1515 BITMASK_TEST( 7, -0x80000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1516 BITMASK_TEST( 7, 0x100000000LL, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1517 BITMASK_TEST( 7, 0x140000000LL, ALLBITS64, 0x80000000, EXPECT_FAILURE); 1518 BITMASK_TEST( 7, 0x180000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1519 BITMASK_TEST( 7, 0x1C0000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1520 BITMASK_TEST( 7, -0x180000000LL, ALLBITS64, 0x80000000, EXPECT_SUCCESS); 1521 1522 // 64bit test: all of 0x100000000 1523 BITMASK_TEST( 8, 0x000000000LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1524 BITMASK_TEST( 8, 0x100000000LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1525 BITMASK_TEST( 8, 0x200000000LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1526 BITMASK_TEST( 8, 0x300000000LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1527 BITMASK_TEST( 8, 0x000000001LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1528 BITMASK_TEST( 8, 0x100000001LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1529 BITMASK_TEST( 8, 0x200000001LL, ALLBITS64,0x100000000, EXPECT_FAILURE); 1530 BITMASK_TEST( 8, 0x300000001LL, ALLBITS64,0x100000000, EXPT64_SUCCESS); 1531 1532 // 64bit test: all of 0x300000000 1533 BITMASK_TEST( 9, 0x000000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1534 BITMASK_TEST( 9, 0x100000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1535 BITMASK_TEST( 9, 0x200000000LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1536 BITMASK_TEST( 9, 0x300000000LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1537 BITMASK_TEST( 9, 0x700000000LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1538 BITMASK_TEST( 9, 0x000000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1539 BITMASK_TEST( 9, 0x100000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1540 BITMASK_TEST( 9, 0x200000001LL, ALLBITS64,0x300000000, EXPECT_FAILURE); 1541 BITMASK_TEST( 9, 0x300000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1542 BITMASK_TEST( 9, 0x700000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS); 1543 1544 // 64bit test: all of 0x100000001 1545 BITMASK_TEST(10, 0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE); 1546 BITMASK_TEST(10, 0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE); 1547 BITMASK_TEST(10, 0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE); 1548 BITMASK_TEST(10, 0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS); 1549 BITMASK_TEST(10, 0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE); 1550 BITMASK_TEST(10, -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS); 1551 } 1552 1553 class AnyBitTestPolicy : public SandboxBPFPolicy { 1554 public: 1555 AnyBitTestPolicy() {} 1556 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 1557 int sysno) const OVERRIDE; 1558 1559 private: 1560 DISALLOW_COPY_AND_ASSIGN(AnyBitTestPolicy); 1561 }; 1562 1563 ErrorCode AnyBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox, 1564 int sysno) const { 1565 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 1566 // Test the OP_HAS_ANY_BITS conditional test operator with a couple of 1567 // different bitmasks. We try to find bitmasks that could conceivably 1568 // touch corner cases. 1569 // For all of these tests, we override the uname(). We can make use with 1570 // a single system call number, as we use the first system call argument to 1571 // select the different bit masks that we want to test against. 1572 if (sysno == __NR_uname) { 1573 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, 1574 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1575 0x0, 1576 ErrorCode(1), ErrorCode(0)), 1577 1578 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1, 1579 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1580 0x1, 1581 ErrorCode(1), ErrorCode(0)), 1582 1583 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2, 1584 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1585 0x3, 1586 ErrorCode(1), ErrorCode(0)), 1587 1588 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3, 1589 sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1590 0x80000000, 1591 ErrorCode(1), ErrorCode(0)), 1592 1593 // All the following tests don't really make much sense on 32bit 1594 // systems. They will always evaluate as false. 1595 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4, 1596 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1597 0x0, 1598 ErrorCode(1), ErrorCode(0)), 1599 1600 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5, 1601 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1602 0x1, 1603 ErrorCode(1), ErrorCode(0)), 1604 1605 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6, 1606 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1607 0x3, 1608 ErrorCode(1), ErrorCode(0)), 1609 1610 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7, 1611 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1612 0x80000000, 1613 ErrorCode(1), ErrorCode(0)), 1614 1615 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8, 1616 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1617 0x100000000ULL, 1618 ErrorCode(1), ErrorCode(0)), 1619 1620 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9, 1621 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1622 0x300000000ULL, 1623 ErrorCode(1), ErrorCode(0)), 1624 1625 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10, 1626 sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS, 1627 0x100000001ULL, 1628 ErrorCode(1), ErrorCode(0)), 1629 1630 sandbox->Kill("Invalid test case number")))))))))))); 1631 } 1632 return ErrorCode(ErrorCode::ERR_ALLOWED); 1633 } 1634 1635 BPF_TEST_C(SandboxBPF, AnyBitTests, AnyBitTestPolicy) { 1636 // 32bit test: any of 0x0 (should always be false) 1637 BITMASK_TEST( 0, 0, ANYBITS32, 0x0, EXPECT_FAILURE); 1638 BITMASK_TEST( 0, 1, ANYBITS32, 0x0, EXPECT_FAILURE); 1639 BITMASK_TEST( 0, 3, ANYBITS32, 0x0, EXPECT_FAILURE); 1640 BITMASK_TEST( 0, 0xFFFFFFFFU, ANYBITS32, 0x0, EXPECT_FAILURE); 1641 BITMASK_TEST( 0, -1LL, ANYBITS32, 0x0, EXPECT_FAILURE); 1642 1643 // 32bit test: any of 0x1 1644 BITMASK_TEST( 1, 0, ANYBITS32, 0x1, EXPECT_FAILURE); 1645 BITMASK_TEST( 1, 1, ANYBITS32, 0x1, EXPECT_SUCCESS); 1646 BITMASK_TEST( 1, 2, ANYBITS32, 0x1, EXPECT_FAILURE); 1647 BITMASK_TEST( 1, 3, ANYBITS32, 0x1, EXPECT_SUCCESS); 1648 1649 // 32bit test: any of 0x3 1650 BITMASK_TEST( 2, 0, ANYBITS32, 0x3, EXPECT_FAILURE); 1651 BITMASK_TEST( 2, 1, ANYBITS32, 0x3, EXPECT_SUCCESS); 1652 BITMASK_TEST( 2, 2, ANYBITS32, 0x3, EXPECT_SUCCESS); 1653 BITMASK_TEST( 2, 3, ANYBITS32, 0x3, EXPECT_SUCCESS); 1654 BITMASK_TEST( 2, 7, ANYBITS32, 0x3, EXPECT_SUCCESS); 1655 1656 // 32bit test: any of 0x80000000 1657 BITMASK_TEST( 3, 0, ANYBITS32, 0x80000000, EXPECT_FAILURE); 1658 BITMASK_TEST( 3, 0x40000000U, ANYBITS32, 0x80000000, EXPECT_FAILURE); 1659 BITMASK_TEST( 3, 0x80000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS); 1660 BITMASK_TEST( 3, 0xC0000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS); 1661 BITMASK_TEST( 3, -0x80000000LL, ANYBITS32, 0x80000000, EXPECT_SUCCESS); 1662 1663 // 64bit test: any of 0x0 (should always be false) 1664 BITMASK_TEST( 4, 0, ANYBITS64, 0x0, EXPECT_FAILURE); 1665 BITMASK_TEST( 4, 1, ANYBITS64, 0x0, EXPECT_FAILURE); 1666 BITMASK_TEST( 4, 3, ANYBITS64, 0x0, EXPECT_FAILURE); 1667 BITMASK_TEST( 4, 0xFFFFFFFFU, ANYBITS64, 0x0, EXPECT_FAILURE); 1668 BITMASK_TEST( 4, 0x100000000LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1669 BITMASK_TEST( 4, 0x300000000LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1670 BITMASK_TEST( 4,0x8000000000000000LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1671 BITMASK_TEST( 4, -1LL, ANYBITS64, 0x0, EXPECT_FAILURE); 1672 1673 // 64bit test: any of 0x1 1674 BITMASK_TEST( 5, 0, ANYBITS64, 0x1, EXPECT_FAILURE); 1675 BITMASK_TEST( 5, 1, ANYBITS64, 0x1, EXPECT_SUCCESS); 1676 BITMASK_TEST( 5, 2, ANYBITS64, 0x1, EXPECT_FAILURE); 1677 BITMASK_TEST( 5, 3, ANYBITS64, 0x1, EXPECT_SUCCESS); 1678 BITMASK_TEST( 5, 0x100000001LL, ANYBITS64, 0x1, EXPECT_SUCCESS); 1679 BITMASK_TEST( 5, 0x100000000LL, ANYBITS64, 0x1, EXPECT_FAILURE); 1680 BITMASK_TEST( 5, 0x100000002LL, ANYBITS64, 0x1, EXPECT_FAILURE); 1681 BITMASK_TEST( 5, 0x100000003LL, ANYBITS64, 0x1, EXPECT_SUCCESS); 1682 1683 // 64bit test: any of 0x3 1684 BITMASK_TEST( 6, 0, ANYBITS64, 0x3, EXPECT_FAILURE); 1685 BITMASK_TEST( 6, 1, ANYBITS64, 0x3, EXPECT_SUCCESS); 1686 BITMASK_TEST( 6, 2, ANYBITS64, 0x3, EXPECT_SUCCESS); 1687 BITMASK_TEST( 6, 3, ANYBITS64, 0x3, EXPECT_SUCCESS); 1688 BITMASK_TEST( 6, 7, ANYBITS64, 0x3, EXPECT_SUCCESS); 1689 BITMASK_TEST( 6, 0x100000000LL, ANYBITS64, 0x3, EXPECT_FAILURE); 1690 BITMASK_TEST( 6, 0x100000001LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1691 BITMASK_TEST( 6, 0x100000002LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1692 BITMASK_TEST( 6, 0x100000003LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1693 BITMASK_TEST( 6, 0x100000007LL, ANYBITS64, 0x3, EXPECT_SUCCESS); 1694 1695 // 64bit test: any of 0x80000000 1696 BITMASK_TEST( 7, 0, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1697 BITMASK_TEST( 7, 0x40000000U, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1698 BITMASK_TEST( 7, 0x80000000U, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1699 BITMASK_TEST( 7, 0xC0000000U, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1700 BITMASK_TEST( 7, -0x80000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1701 BITMASK_TEST( 7, 0x100000000LL, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1702 BITMASK_TEST( 7, 0x140000000LL, ANYBITS64, 0x80000000, EXPECT_FAILURE); 1703 BITMASK_TEST( 7, 0x180000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1704 BITMASK_TEST( 7, 0x1C0000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1705 BITMASK_TEST( 7, -0x180000000LL, ANYBITS64, 0x80000000, EXPECT_SUCCESS); 1706 1707 // 64bit test: any of 0x100000000 1708 BITMASK_TEST( 8, 0x000000000LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1709 BITMASK_TEST( 8, 0x100000000LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1710 BITMASK_TEST( 8, 0x200000000LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1711 BITMASK_TEST( 8, 0x300000000LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1712 BITMASK_TEST( 8, 0x000000001LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1713 BITMASK_TEST( 8, 0x100000001LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1714 BITMASK_TEST( 8, 0x200000001LL, ANYBITS64,0x100000000, EXPECT_FAILURE); 1715 BITMASK_TEST( 8, 0x300000001LL, ANYBITS64,0x100000000, EXPT64_SUCCESS); 1716 1717 // 64bit test: any of 0x300000000 1718 BITMASK_TEST( 9, 0x000000000LL, ANYBITS64,0x300000000, EXPECT_FAILURE); 1719 BITMASK_TEST( 9, 0x100000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1720 BITMASK_TEST( 9, 0x200000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1721 BITMASK_TEST( 9, 0x300000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1722 BITMASK_TEST( 9, 0x700000000LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1723 BITMASK_TEST( 9, 0x000000001LL, ANYBITS64,0x300000000, EXPECT_FAILURE); 1724 BITMASK_TEST( 9, 0x100000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1725 BITMASK_TEST( 9, 0x200000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1726 BITMASK_TEST( 9, 0x300000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1727 BITMASK_TEST( 9, 0x700000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS); 1728 1729 // 64bit test: any of 0x100000001 1730 BITMASK_TEST( 10, 0x000000000LL, ANYBITS64,0x100000001, EXPECT_FAILURE); 1731 BITMASK_TEST( 10, 0x000000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1732 BITMASK_TEST( 10, 0x100000000LL, ANYBITS64,0x100000001, EXPT64_SUCCESS); 1733 BITMASK_TEST( 10, 0x100000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1734 BITMASK_TEST( 10, 0xFFFFFFFFU, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1735 BITMASK_TEST( 10, -1L, ANYBITS64,0x100000001, EXPECT_SUCCESS); 1736 } 1737 1738 intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void* aux) { 1739 if (args.args[0] != (CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD)) { 1740 // We expect to get called for an attempt to fork(). No need to log that 1741 // call. But if we ever get called for anything else, we want to verbosely 1742 // print as much information as possible. 1743 const char* msg = (const char*)aux; 1744 printf( 1745 "Clone() was called with unexpected arguments\n" 1746 " nr: %d\n" 1747 " 1: 0x%llX\n" 1748 " 2: 0x%llX\n" 1749 " 3: 0x%llX\n" 1750 " 4: 0x%llX\n" 1751 " 5: 0x%llX\n" 1752 " 6: 0x%llX\n" 1753 "%s\n", 1754 args.nr, 1755 (long long)args.args[0], 1756 (long long)args.args[1], 1757 (long long)args.args[2], 1758 (long long)args.args[3], 1759 (long long)args.args[4], 1760 (long long)args.args[5], 1761 msg); 1762 } 1763 return -EPERM; 1764 } 1765 1766 class PthreadPolicyEquality : public SandboxBPFPolicy { 1767 public: 1768 PthreadPolicyEquality() {} 1769 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 1770 int sysno) const OVERRIDE; 1771 1772 private: 1773 DISALLOW_COPY_AND_ASSIGN(PthreadPolicyEquality); 1774 }; 1775 1776 ErrorCode PthreadPolicyEquality::EvaluateSyscall(SandboxBPF* sandbox, 1777 int sysno) const { 1778 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 1779 // This policy allows creating threads with pthread_create(). But it 1780 // doesn't allow any other uses of clone(). Most notably, it does not 1781 // allow callers to implement fork() or vfork() by passing suitable flags 1782 // to the clone() system call. 1783 if (sysno == __NR_clone) { 1784 // We have seen two different valid combinations of flags. Glibc 1785 // uses the more modern flags, sets the TLS from the call to clone(), and 1786 // uses futexes to monitor threads. Android's C run-time library, doesn't 1787 // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED. 1788 // More recent versions of Android don't set CLONE_DETACHED anymore, so 1789 // the last case accounts for that. 1790 // The following policy is very strict. It only allows the exact masks 1791 // that we have seen in known implementations. It is probably somewhat 1792 // stricter than what we would want to do. 1793 const uint64_t kGlibcCloneMask = 1794 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | 1795 CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS | 1796 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID; 1797 const uint64_t kBaseAndroidCloneMask = 1798 CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | 1799 CLONE_THREAD | CLONE_SYSVSEM; 1800 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1801 kGlibcCloneMask, 1802 ErrorCode(ErrorCode::ERR_ALLOWED), 1803 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1804 kBaseAndroidCloneMask | CLONE_DETACHED, 1805 ErrorCode(ErrorCode::ERR_ALLOWED), 1806 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1807 kBaseAndroidCloneMask, 1808 ErrorCode(ErrorCode::ERR_ALLOWED), 1809 sandbox->Trap(PthreadTrapHandler, "Unknown mask")))); 1810 } 1811 return ErrorCode(ErrorCode::ERR_ALLOWED); 1812 } 1813 1814 class PthreadPolicyBitMask : public SandboxBPFPolicy { 1815 public: 1816 PthreadPolicyBitMask() {} 1817 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox, 1818 int sysno) const OVERRIDE; 1819 1820 private: 1821 DISALLOW_COPY_AND_ASSIGN(PthreadPolicyBitMask); 1822 }; 1823 1824 ErrorCode PthreadPolicyBitMask::EvaluateSyscall(SandboxBPF* sandbox, 1825 int sysno) const { 1826 DCHECK(SandboxBPF::IsValidSyscallNumber(sysno)); 1827 // This policy allows creating threads with pthread_create(). But it 1828 // doesn't allow any other uses of clone(). Most notably, it does not 1829 // allow callers to implement fork() or vfork() by passing suitable flags 1830 // to the clone() system call. 1831 if (sysno == __NR_clone) { 1832 // We have seen two different valid combinations of flags. Glibc 1833 // uses the more modern flags, sets the TLS from the call to clone(), and 1834 // uses futexes to monitor threads. Android's C run-time library, doesn't 1835 // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED. 1836 // The following policy allows for either combination of flags, but it 1837 // is generally a little more conservative than strictly necessary. We 1838 // err on the side of rather safe than sorry. 1839 // Very noticeably though, we disallow fork() (which is often just a 1840 // wrapper around clone()). 1841 return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1842 ~uint32(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND| 1843 CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS| 1844 CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID| 1845 CLONE_DETACHED), 1846 sandbox->Trap(PthreadTrapHandler, 1847 "Unexpected CLONE_XXX flag found"), 1848 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1849 CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND| 1850 CLONE_THREAD|CLONE_SYSVSEM, 1851 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS, 1852 CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, 1853 ErrorCode(ErrorCode::ERR_ALLOWED), 1854 sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS, 1855 CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, 1856 sandbox->Trap(PthreadTrapHandler, 1857 "Must set either all or none of the TLS" 1858 " and futex bits in call to clone()"), 1859 ErrorCode(ErrorCode::ERR_ALLOWED))), 1860 sandbox->Trap(PthreadTrapHandler, 1861 "Missing mandatory CLONE_XXX flags " 1862 "when creating new thread"))); 1863 } 1864 return ErrorCode(ErrorCode::ERR_ALLOWED); 1865 } 1866 1867 static void* ThreadFnc(void* arg) { 1868 ++*reinterpret_cast<int*>(arg); 1869 Syscall::Call(__NR_futex, arg, FUTEX_WAKE, 1, 0, 0, 0); 1870 return NULL; 1871 } 1872 1873 static void PthreadTest() { 1874 // Attempt to start a joinable thread. This should succeed. 1875 pthread_t thread; 1876 int thread_ran = 0; 1877 BPF_ASSERT(!pthread_create(&thread, NULL, ThreadFnc, &thread_ran)); 1878 BPF_ASSERT(!pthread_join(thread, NULL)); 1879 BPF_ASSERT(thread_ran); 1880 1881 // Attempt to start a detached thread. This should succeed. 1882 thread_ran = 0; 1883 pthread_attr_t attr; 1884 BPF_ASSERT(!pthread_attr_init(&attr)); 1885 BPF_ASSERT(!pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED)); 1886 BPF_ASSERT(!pthread_create(&thread, &attr, ThreadFnc, &thread_ran)); 1887 BPF_ASSERT(!pthread_attr_destroy(&attr)); 1888 while (Syscall::Call(__NR_futex, &thread_ran, FUTEX_WAIT, 0, 0, 0, 0) == 1889 -EINTR) { 1890 } 1891 BPF_ASSERT(thread_ran); 1892 1893 // Attempt to fork() a process using clone(). This should fail. We use the 1894 // same flags that glibc uses when calling fork(). But we don't actually 1895 // try calling the fork() implementation in the C run-time library, as 1896 // run-time libraries other than glibc might call __NR_fork instead of 1897 // __NR_clone, and that would introduce a bogus test failure. 1898 int pid; 1899 BPF_ASSERT(Syscall::Call(__NR_clone, 1900 CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD, 1901 0, 1902 0, 1903 &pid) == -EPERM); 1904 } 1905 1906 BPF_TEST_C(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { 1907 PthreadTest(); 1908 } 1909 1910 BPF_TEST_C(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { 1911 PthreadTest(); 1912 } 1913 1914 // libc might not define these even though the kernel supports it. 1915 #ifndef PTRACE_O_TRACESECCOMP 1916 #define PTRACE_O_TRACESECCOMP 0x00000080 1917 #endif 1918 1919 #ifdef PTRACE_EVENT_SECCOMP 1920 #define IS_SECCOMP_EVENT(status) ((status >> 16) == PTRACE_EVENT_SECCOMP) 1921 #else 1922 // When Debian/Ubuntu backported seccomp-bpf support into earlier kernels, they 1923 // changed the value of PTRACE_EVENT_SECCOMP from 7 to 8, since 7 was taken by 1924 // PTRACE_EVENT_STOP (upstream chose to renumber PTRACE_EVENT_STOP to 128). If 1925 // PTRACE_EVENT_SECCOMP isn't defined, we have no choice but to consider both 1926 // values here. 1927 #define IS_SECCOMP_EVENT(status) ((status >> 16) == 7 || (status >> 16) == 8) 1928 #endif 1929 1930 #if defined(__arm__) 1931 #ifndef PTRACE_SET_SYSCALL 1932 #define PTRACE_SET_SYSCALL 23 1933 #endif 1934 #endif 1935 1936 // Changes the syscall to run for a child being sandboxed using seccomp-bpf with 1937 // PTRACE_O_TRACESECCOMP. Should only be called when the child is stopped on 1938 // PTRACE_EVENT_SECCOMP. 1939 // 1940 // regs should contain the current set of registers of the child, obtained using 1941 // PTRACE_GETREGS. 1942 // 1943 // Depending on the architecture, this may modify regs, so the caller is 1944 // responsible for committing these changes using PTRACE_SETREGS. 1945 long SetSyscall(pid_t pid, regs_struct* regs, int syscall_number) { 1946 #if defined(__arm__) 1947 // On ARM, the syscall is changed using PTRACE_SET_SYSCALL. We cannot use the 1948 // libc ptrace call as the request parameter is an enum, and 1949 // PTRACE_SET_SYSCALL may not be in the enum. 1950 return syscall(__NR_ptrace, PTRACE_SET_SYSCALL, pid, NULL, syscall_number); 1951 #endif 1952 1953 SECCOMP_PT_SYSCALL(*regs) = syscall_number; 1954 return 0; 1955 } 1956 1957 const uint16_t kTraceData = 0xcc; 1958 1959 class TraceAllPolicy : public SandboxBPFPolicy { 1960 public: 1961 TraceAllPolicy() {} 1962 virtual ~TraceAllPolicy() {} 1963 1964 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, 1965 int system_call_number) const OVERRIDE { 1966 return ErrorCode(ErrorCode::ERR_TRACE + kTraceData); 1967 } 1968 1969 private: 1970 DISALLOW_COPY_AND_ASSIGN(TraceAllPolicy); 1971 }; 1972 1973 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) { 1974 if (SandboxBPF::SupportsSeccompSandbox(-1) != 1975 sandbox::SandboxBPF::STATUS_AVAILABLE) { 1976 return; 1977 } 1978 1979 #if defined(__arm__) 1980 printf("This test is currently disabled on ARM due to a kernel bug."); 1981 return; 1982 #endif 1983 1984 pid_t pid = fork(); 1985 BPF_ASSERT_NE(-1, pid); 1986 if (pid == 0) { 1987 pid_t my_pid = getpid(); 1988 BPF_ASSERT_NE(-1, ptrace(PTRACE_TRACEME, -1, NULL, NULL)); 1989 BPF_ASSERT_EQ(0, raise(SIGSTOP)); 1990 SandboxBPF sandbox; 1991 sandbox.SetSandboxPolicy(new TraceAllPolicy); 1992 BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)); 1993 1994 // getpid is allowed. 1995 BPF_ASSERT_EQ(my_pid, syscall(__NR_getpid)); 1996 1997 // write to stdout is skipped and returns a fake value. 1998 BPF_ASSERT_EQ(kExpectedReturnValue, 1999 syscall(__NR_write, STDOUT_FILENO, "A", 1)); 2000 2001 // kill is rewritten to exit(kExpectedReturnValue). 2002 syscall(__NR_kill, my_pid, SIGKILL); 2003 2004 // Should not be reached. 2005 BPF_ASSERT(false); 2006 } 2007 2008 int status; 2009 BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, WUNTRACED)) != -1); 2010 BPF_ASSERT(WIFSTOPPED(status)); 2011 2012 BPF_ASSERT_NE(-1, ptrace(PTRACE_SETOPTIONS, pid, NULL, 2013 reinterpret_cast<void*>(PTRACE_O_TRACESECCOMP))); 2014 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL)); 2015 while (true) { 2016 BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, 0)) != -1); 2017 if (WIFEXITED(status) || WIFSIGNALED(status)) { 2018 BPF_ASSERT(WIFEXITED(status)); 2019 BPF_ASSERT_EQ(kExpectedReturnValue, WEXITSTATUS(status)); 2020 break; 2021 } 2022 2023 if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP || 2024 !IS_SECCOMP_EVENT(status)) { 2025 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL)); 2026 continue; 2027 } 2028 2029 unsigned long data; 2030 BPF_ASSERT_NE(-1, ptrace(PTRACE_GETEVENTMSG, pid, NULL, &data)); 2031 BPF_ASSERT_EQ(kTraceData, data); 2032 2033 regs_struct regs; 2034 BPF_ASSERT_NE(-1, ptrace(PTRACE_GETREGS, pid, NULL, ®s)); 2035 switch (SECCOMP_PT_SYSCALL(regs)) { 2036 case __NR_write: 2037 // Skip writes to stdout, make it return kExpectedReturnValue. Allow 2038 // writes to stderr so that BPF_ASSERT messages show up. 2039 if (SECCOMP_PT_PARM1(regs) == STDOUT_FILENO) { 2040 BPF_ASSERT_NE(-1, SetSyscall(pid, ®s, -1)); 2041 SECCOMP_PT_RESULT(regs) = kExpectedReturnValue; 2042 BPF_ASSERT_NE(-1, ptrace(PTRACE_SETREGS, pid, NULL, ®s)); 2043 } 2044 break; 2045 2046 case __NR_kill: 2047 // Rewrite to exit(kExpectedReturnValue). 2048 BPF_ASSERT_NE(-1, SetSyscall(pid, ®s, __NR_exit)); 2049 SECCOMP_PT_PARM1(regs) = kExpectedReturnValue; 2050 BPF_ASSERT_NE(-1, ptrace(PTRACE_SETREGS, pid, NULL, ®s)); 2051 break; 2052 2053 default: 2054 // Allow all other syscalls. 2055 break; 2056 } 2057 2058 BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL)); 2059 } 2060 } 2061 2062 } // namespace 2063 2064 } // namespace sandbox 2065