Home | History | Annotate | Download | only in seccomp-bpf 
      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h"
      6 
      7 #include <fcntl.h>
      8 #include <linux/filter.h>
      9 
     10 #include "base/logging.h"
     11 #include "base/memory/scoped_ptr.h"
     12 #include "sandbox/linux/seccomp-bpf/die.h"
     13 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
     14 #include "sandbox/linux/tests/unit_tests.h"
     15 
     16 namespace sandbox {
     17 
     18 SandboxBPFTestRunner::SandboxBPFTestRunner(
     19     BPFTesterDelegate* bpf_tester_delegate)
     20     : bpf_tester_delegate_(bpf_tester_delegate) {
     21 }
     22 
     23 SandboxBPFTestRunner::~SandboxBPFTestRunner() {
     24 }
     25 
     26 void SandboxBPFTestRunner::Run() {
     27   DCHECK(bpf_tester_delegate_);
     28   sandbox::Die::EnableSimpleExit();
     29 
     30   scoped_ptr<SandboxBPFPolicy> policy =
     31       bpf_tester_delegate_->GetSandboxBPFPolicy();
     32 
     33   if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
     34       sandbox::SandboxBPF::STATUS_AVAILABLE) {
     35     // Ensure the the sandbox is actually available at this time
     36     int proc_fd;
     37     SANDBOX_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0);
     38     SANDBOX_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) ==
     39                    sandbox::SandboxBPF::STATUS_AVAILABLE);
     40 
     41     // Initialize and then start the sandbox with our custom policy
     42     sandbox::SandboxBPF sandbox;
     43     sandbox.set_proc_fd(proc_fd);
     44     sandbox.SetSandboxPolicy(policy.release());
     45     SANDBOX_ASSERT(
     46         sandbox.StartSandbox(sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
     47 
     48     // Run the actual test.
     49     bpf_tester_delegate_->RunTestFunction();
     50   } else {
     51     printf("This BPF test is not fully running in this configuration!\n");
     52     // Android and Valgrind are the only configurations where we accept not
     53     // having kernel BPF support.
     54     if (!IsAndroid() && !IsRunningOnValgrind()) {
     55       const bool seccomp_bpf_is_supported = false;
     56       SANDBOX_ASSERT(seccomp_bpf_is_supported);
     57     }
     58     // Call the compiler and verify the policy. That's the least we can do,
     59     // if we don't have kernel support.
     60     sandbox::SandboxBPF sandbox;
     61     sandbox.SetSandboxPolicy(policy.release());
     62     sandbox::SandboxBPF::Program* program =
     63         sandbox.AssembleFilter(true /* force_verification */);
     64     delete program;
     65     sandbox::UnitTests::IgnoreThisTest();
     66   }
     67 }
     68 
     69 bool SandboxBPFTestRunner::ShouldCheckForLeaks() const {
     70   // LSAN requires being able to use ptrace() and other system calls that could
     71   // be denied.
     72   return false;
     73 }
     74 
     75 }  // namespace sandbox
     76