chromium/sandbox/linux/seccomp-bpf/bpf_tests.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
#define SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__

#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

#include "build/build_config.h"
#include "sandbox/linux/tests/unit_tests.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

namespace sandbox {

// A BPF_DEATH_TEST is just the same as a BPF_TEST, but it assumes that the
// test will fail with a particular known error condition. Use the DEATH_XXX()
// macros from unit_tests.h to specify the expected error condition.
// A BPF_DEATH_TEST is always disabled under ThreadSanitizer, see
// crbug.com/243968.
#define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \
  void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX);   \
  TEST(test_case_name, DISABLE_ON_TSAN(test_name)) {                     \
    sandbox::BPFTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy);  \
    sandbox::BPFTests<aux>::RunTestInProcess(                            \
        sandbox::BPFTests<aux>::TestWrapper, &arg, death);               \
  }                                                                      \
  void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX)

// BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op,
// if the host does not have kernel support for running BPF filters.
// Also, it takes advantage of the Die class to avoid calling LOG(FATAL), from
// inside our tests, as we don't need or even want all the error handling that
// LOG(FATAL) would do.
// BPF_TEST() takes a C++ data type as an optional fourth parameter. If
// present, this sets up a variable that can be accessed as "BPF_AUX". This
// variable will be passed as an argument to the "policy" function. Policies
// would typically use it as an argument to SandboxBPF::Trap(), if they want to
// communicate data between the BPF_TEST() and a Trap() function.
#define BPF_TEST(test_case_name, test_name, policy, aux...) \
  BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux)

// Assertions are handled exactly the same as with a normal SANDBOX_TEST()
#define BPF_ASSERT SANDBOX_ASSERT

// The "Aux" type is optional. We use an "empty" type by default, so that if
// the caller doesn't provide any type, all the BPF_AUX related data compiles
// to nothing.
template <class Aux = int[0]>
class BPFTests : public UnitTests {
 public:
  typedef Aux AuxType;

  class TestArgs {
   public:
    TestArgs(void (*t)(AuxType&), sandbox::SandboxBPF::EvaluateSyscall p)
        : test_(t), policy_(p), aux_() {}

    void (*test() const)(AuxType&) { return test_; }
    sandbox::SandboxBPF::EvaluateSyscall policy() const { return policy_; }

   private:
    friend class BPFTests;

    void (*test_)(AuxType&);
    sandbox::SandboxBPF::EvaluateSyscall policy_;
    AuxType aux_;
  };

  static void TestWrapper(void* void_arg) {
    TestArgs* arg = reinterpret_cast<TestArgs*>(void_arg);
    sandbox::Die::EnableSimpleExit();
    if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
        sandbox::SandboxBPF::STATUS_AVAILABLE) {
      // Ensure the the sandbox is actually available at this time
      int proc_fd;
      BPF_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0);
      BPF_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) ==
                 sandbox::SandboxBPF::STATUS_AVAILABLE);

      // Initialize and then start the sandbox with our custom policy
      sandbox::SandboxBPF sandbox;
      sandbox.set_proc_fd(proc_fd);
      sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
      sandbox.SandboxBPF::StartSandbox();

      arg->test()(arg->aux_);
    } else {
      printf("This BPF test is not fully running in this configuration!\n");
      // Android, ARM and Valgrind are the three only configurations where we
      // accept not having kernel BPF support.
      // TODO(jln): remote ARM from this list when possible (crbug.com/243478).
      if (!IsAndroid() && !IsRunningOnValgrind() && !IsArchitectureArm()) {
        const bool seccomp_bpf_is_supported = false;
        BPF_ASSERT(seccomp_bpf_is_supported);
      }
      // Call the compiler and verify the policy. That's the least we can do,
      // if we don't have kernel support.
      sandbox::SandboxBPF sandbox;
      sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
      sandbox::SandboxBPF::Program* program =
          sandbox.AssembleFilter(true /* force_verification */);
      delete program;
      sandbox::UnitTests::IgnoreThisTest();
    }
  }

 private:
  DISALLOW_IMPLICIT_CONSTRUCTORS(BPFTests);
};

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__