1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include <asm/unistd.h>
6#include <fcntl.h>
7#include <sys/mman.h>
8#include <sys/syscall.h>
9#include <unistd.h>
10
11#include <vector>
12
13#include "base/basictypes.h"
14#include "base/posix/eintr_wrapper.h"
15#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
16#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
17#include "sandbox/linux/seccomp-bpf/syscall.h"
18#include "sandbox/linux/tests/unit_tests.h"
19#include "testing/gtest/include/gtest/gtest.h"
20
21namespace sandbox {
22
23namespace {
24
25// Different platforms use different symbols for the six-argument version
26// of the mmap() system call. Test for the correct symbol at compile time.
27#ifdef __NR_mmap2
28const int kMMapNr = __NR_mmap2;
29#else
30const int kMMapNr = __NR_mmap;
31#endif
32
33TEST(Syscall, WellKnownEntryPoint) {
34// Test that SandboxSyscall(-1) is handled specially. Don't do this on ARM,
35// where syscall(-1) crashes with SIGILL. Not running the test is fine, as we
36// are still testing ARM code in the next set of tests.
37#if !defined(__arm__)
38  EXPECT_NE(SandboxSyscall(-1), syscall(-1));
39#endif
40
41// If possible, test that SandboxSyscall(-1) returns the address right after
42// a kernel entry point.
43#if defined(__i386__)
44  EXPECT_EQ(0x80CDu, ((uint16_t*)SandboxSyscall(-1))[-1]);  // INT 0x80
45#elif defined(__x86_64__)
46  EXPECT_EQ(0x050Fu, ((uint16_t*)SandboxSyscall(-1))[-1]);  // SYSCALL
47#elif defined(__arm__)
48#if defined(__thumb__)
49  EXPECT_EQ(0xDF00u, ((uint16_t*)SandboxSyscall(-1))[-1]);  // SWI 0
50#else
51  EXPECT_EQ(0xEF000000u, ((uint32_t*)SandboxSyscall(-1))[-1]);  // SVC 0
52#endif
53#else
54#warning Incomplete test case; need port for target platform
55#endif
56}
57
58TEST(Syscall, TrivialSyscallNoArgs) {
59  // Test that we can do basic system calls
60  EXPECT_EQ(SandboxSyscall(__NR_getpid), syscall(__NR_getpid));
61}
62
63TEST(Syscall, TrivialSyscallOneArg) {
64  int new_fd;
65  // Duplicate standard error and close it.
66  ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0);
67  int close_return_value = IGNORE_EINTR(SandboxSyscall(__NR_close, new_fd));
68  ASSERT_EQ(close_return_value, 0);
69}
70
71// SIGSYS trap handler that will be called on __NR_uname.
72intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) {
73  // |aux| is a pointer to our BPF_AUX.
74  std::vector<uint64_t>* const seen_syscall_args =
75      static_cast<std::vector<uint64_t>*>(aux);
76  BPF_ASSERT(arraysize(args.args) == 6);
77  seen_syscall_args->assign(args.args, args.args + arraysize(args.args));
78  return -ENOMEM;
79}
80
81ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) {
82  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
83    return ErrorCode(ENOSYS);
84  }
85  if (sysno == __NR_uname) {
86    return sandbox->Trap(CopySyscallArgsToAux, aux);
87  } else {
88    return ErrorCode(ErrorCode::ERR_ALLOWED);
89  }
90}
91
92// We are testing SandboxSyscall() by making use of a BPF filter that allows us
93// to inspect the system call arguments that the kernel saw.
94BPF_TEST(Syscall,
95         SyntheticSixArgs,
96         CopyAllArgsOnUnamePolicy,
97         std::vector<uint64_t> /* BPF_AUX */) {
98  const int kExpectedValue = 42;
99  // In this test we only pass integers to the kernel. We might want to make
100  // additional tests to try other types. What we will see depends on
101  // implementation details of kernel BPF filters and we will need to document
102  // the expected behavior very clearly.
103  int syscall_args[6];
104  for (size_t i = 0; i < arraysize(syscall_args); ++i) {
105    syscall_args[i] = kExpectedValue + i;
106  }
107
108  // We could use pretty much any system call we don't need here. uname() is
109  // nice because it doesn't have any dangerous side effects.
110  BPF_ASSERT(SandboxSyscall(__NR_uname,
111                            syscall_args[0],
112                            syscall_args[1],
113                            syscall_args[2],
114                            syscall_args[3],
115                            syscall_args[4],
116                            syscall_args[5]) == -ENOMEM);
117
118  // We expect the trap handler to have copied the 6 arguments.
119  BPF_ASSERT(BPF_AUX.size() == 6);
120
121  // Don't loop here so that we can see which argument does cause the failure
122  // easily from the failing line.
123  // uint64_t is the type passed to our SIGSYS handler.
124  BPF_ASSERT(BPF_AUX[0] == static_cast<uint64_t>(syscall_args[0]));
125  BPF_ASSERT(BPF_AUX[1] == static_cast<uint64_t>(syscall_args[1]));
126  BPF_ASSERT(BPF_AUX[2] == static_cast<uint64_t>(syscall_args[2]));
127  BPF_ASSERT(BPF_AUX[3] == static_cast<uint64_t>(syscall_args[3]));
128  BPF_ASSERT(BPF_AUX[4] == static_cast<uint64_t>(syscall_args[4]));
129  BPF_ASSERT(BPF_AUX[5] == static_cast<uint64_t>(syscall_args[5]));
130}
131
132TEST(Syscall, ComplexSyscallSixArgs) {
133  int fd;
134  ASSERT_LE(0, fd = SandboxSyscall(__NR_open, "/dev/null", O_RDWR, 0L));
135
136  // Use mmap() to allocate some read-only memory
137  char* addr0;
138  ASSERT_NE((char*)NULL,
139            addr0 = reinterpret_cast<char*>(
140                SandboxSyscall(kMMapNr,
141                               (void*)NULL,
142                               4096,
143                               PROT_READ,
144                               MAP_PRIVATE | MAP_ANONYMOUS,
145                               fd,
146                               0L)));
147
148  // Try to replace the existing mapping with a read-write mapping
149  char* addr1;
150  ASSERT_EQ(addr0,
151            addr1 = reinterpret_cast<char*>(
152                SandboxSyscall(kMMapNr,
153                               addr0,
154                               4096L,
155                               PROT_READ | PROT_WRITE,
156                               MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
157                               fd,
158                               0L)));
159  ++*addr1;  // This should not seg fault
160
161  // Clean up
162  EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr1, 4096L));
163  EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd)));
164
165  // Check that the offset argument (i.e. the sixth argument) is processed
166  // correctly.
167  ASSERT_GE(fd = SandboxSyscall(__NR_open, "/proc/self/exe", O_RDONLY, 0L), 0);
168  char* addr2, *addr3;
169  ASSERT_NE((char*)NULL,
170            addr2 = reinterpret_cast<char*>(SandboxSyscall(
171                kMMapNr, (void*)NULL, 8192L, PROT_READ, MAP_PRIVATE, fd, 0L)));
172  ASSERT_NE((char*)NULL,
173            addr3 = reinterpret_cast<char*>(SandboxSyscall(kMMapNr,
174                                                           (void*)NULL,
175                                                           4096L,
176                                                           PROT_READ,
177                                                           MAP_PRIVATE,
178                                                           fd,
179#if defined(__NR_mmap2)
180                                                           1L
181#else
182                                                           4096L
183#endif
184                                                           )));
185  EXPECT_EQ(0, memcmp(addr2 + 4096, addr3, 4096));
186
187  // Just to be absolutely on the safe side, also verify that the file
188  // contents matches what we are getting from a read() operation.
189  char buf[8192];
190  EXPECT_EQ(8192, SandboxSyscall(__NR_read, fd, buf, 8192L));
191  EXPECT_EQ(0, memcmp(addr2, buf, 8192));
192
193  // Clean up
194  EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L));
195  EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L));
196  EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd)));
197}
198
199}  // namespace
200
201}  // namespace sandbox
202