1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
8 #include <netinet/in.h>
9 #include <sys/socket.h>
10 #include <sys/utsname.h>
12 #include "base/macros.h"
13 #include "build/build_config.h"
14 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
15 #include "sandbox/linux/seccomp-bpf/errorcode.h"
16 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
17 #include "sandbox/linux/seccomp-bpf/syscall.h"
19 using namespace sandbox::bpf_dsl;
21 // Helper macro to assert that invoking system call |sys| directly via
22 // Syscall::Call with arguments |...| returns |res|.
23 // Errors can be asserted by specifying a value like "-EINVAL".
24 #define ASSERT_SYSCALL_RESULT(res, sys, ...) \
25 BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__))
30 // Type safe stubs for tested system calls.
33 static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); }
34 static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); }
35 static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); }
37 static int uname(struct utsname* buf) {
38 return Syscall::Call(__NR_uname, buf);
41 static int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
42 return Syscall::Call(__NR_setresuid, ruid, euid, suid);
45 #if !defined(ARCH_CPU_X86)
46 static int socketpair(int domain, int type, int protocol, int sv[2]) {
47 return Syscall::Call(__NR_socketpair, domain, type, protocol, sv);
52 class BasicPolicy : public SandboxBPFDSLPolicy {
55 virtual ~BasicPolicy() {}
56 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
57 if (sysno == __NR_getpgid) {
58 const Arg<pid_t> pid(0);
59 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL));
65 DISALLOW_COPY_AND_ASSIGN(BasicPolicy);
68 BPF_TEST_C(BPFDSL, Basic, BasicPolicy) {
69 ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0);
70 ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1);
73 /* On IA-32, socketpair() is implemented via socketcall(). :-( */
74 #if !defined(ARCH_CPU_X86)
75 class BooleanLogicPolicy : public SandboxBPFDSLPolicy {
77 BooleanLogicPolicy() {}
78 virtual ~BooleanLogicPolicy() {}
79 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
80 if (sysno == __NR_socketpair) {
81 const Arg<int> domain(0), type(1), protocol(2);
82 return If(domain == AF_UNIX &&
83 (type == SOCK_STREAM || type == SOCK_DGRAM) &&
85 Error(EPERM)).Else(Error(EINVAL));
91 DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy);
94 BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) {
97 // Acceptable combinations that should return EPERM.
98 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv);
99 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv);
101 // Combinations that are invalid for only one reason; should return EINVAL.
102 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv);
103 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv);
104 ASSERT_SYSCALL_RESULT(
105 -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv);
107 // Completely unacceptable combination; should also return EINVAL.
108 ASSERT_SYSCALL_RESULT(
109 -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv);
111 #endif // !ARCH_CPU_X86
113 class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy {
115 MoreBooleanLogicPolicy() {}
116 virtual ~MoreBooleanLogicPolicy() {}
117 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
118 if (sysno == __NR_setresuid) {
119 const Arg<uid_t> ruid(0), euid(1), suid(2);
120 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM))
121 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN))
122 .Else(Error(EINVAL));
128 DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy);
131 BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) {
132 // Expect EPERM if any set to 0.
133 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5);
134 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5);
135 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0);
137 // Expect EAGAIN if all set to 1.
138 ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1);
140 // Expect EINVAL for anything else.
141 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1);
142 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1);
143 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5);
144 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5);
147 static const uintptr_t kDeadBeefAddr =
148 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL);
150 class ArgSizePolicy : public SandboxBPFDSLPolicy {
153 virtual ~ArgSizePolicy() {}
154 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
155 if (sysno == __NR_uname) {
156 const Arg<uintptr_t> addr(0);
157 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow());
163 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy);
166 BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) {
168 ASSERT_SYSCALL_RESULT(0, uname, &buf);
169 ASSERT_SYSCALL_RESULT(
170 -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr));
173 class TrappingPolicy : public SandboxBPFDSLPolicy {
176 virtual ~TrappingPolicy() {}
177 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
178 if (sysno == __NR_uname) {
179 return Trap(UnameTrap, &count_);
185 static intptr_t count_;
187 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) {
188 BPF_ASSERT_EQ(&count_, aux);
192 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy);
195 intptr_t TrappingPolicy::count_;
197 BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) {
198 ASSERT_SYSCALL_RESULT(1, uname, NULL);
199 ASSERT_SYSCALL_RESULT(2, uname, NULL);
200 ASSERT_SYSCALL_RESULT(3, uname, NULL);
203 class MaskingPolicy : public SandboxBPFDSLPolicy {
206 virtual ~MaskingPolicy() {}
207 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
208 if (sysno == __NR_setuid) {
209 const Arg<uid_t> uid(0);
210 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES));
212 if (sysno == __NR_setgid) {
213 const Arg<gid_t> gid(0);
214 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES));
220 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy);
223 BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) {
224 for (uid_t uid = 0; uid < 0x100; ++uid) {
225 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES;
226 ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid);
229 for (gid_t gid = 0; gid < 0x100; ++gid) {
230 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES;
231 ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid);
235 class ElseIfPolicy : public SandboxBPFDSLPolicy {
238 virtual ~ElseIfPolicy() {}
239 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
240 if (sysno == __NR_setuid) {
241 const Arg<uid_t> uid(0);
242 return If((uid & 0xfff) == 0, Error(0))
243 .ElseIf((uid & 0xff0) == 0, Error(EINVAL))
244 .ElseIf((uid & 0xf00) == 0, Error(EEXIST))
245 .Else(Error(EACCES));
251 DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy);
254 BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) {
255 ASSERT_SYSCALL_RESULT(0, setuid, 0);
257 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001);
258 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002);
260 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011);
261 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022);
263 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111);
264 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222);
268 } // namespace sandbox