1// Copyright 2014 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "sandbox/linux/bpf_dsl/bpf_dsl.h" 6 7#include <errno.h> 8#include <fcntl.h> 9#include <netinet/in.h> 10#include <sys/socket.h> 11#include <sys/syscall.h> 12#include <sys/utsname.h> 13#include <unistd.h> 14 15#include "base/files/scoped_file.h" 16#include "base/macros.h" 17#include "build/build_config.h" 18#include "sandbox/linux/seccomp-bpf/bpf_tests.h" 19#include "sandbox/linux/seccomp-bpf/errorcode.h" 20#include "sandbox/linux/seccomp-bpf/syscall.h" 21 22#define CASES SANDBOX_BPF_DSL_CASES 23 24// Helper macro to assert that invoking system call |sys| directly via 25// Syscall::Call with arguments |...| returns |res|. 26// Errors can be asserted by specifying a value like "-EINVAL". 27#define ASSERT_SYSCALL_RESULT(res, sys, ...) \ 28 BPF_ASSERT_EQ(res, Stubs::sys(__VA_ARGS__)) 29 30namespace sandbox { 31namespace bpf_dsl { 32namespace { 33 34// Type safe stubs for tested system calls. 35class Stubs { 36 public: 37 static int getpgid(pid_t pid) { return Syscall::Call(__NR_getpgid, pid); } 38 static int setuid(uid_t uid) { return Syscall::Call(__NR_setuid, uid); } 39 static int setgid(gid_t gid) { return Syscall::Call(__NR_setgid, gid); } 40 static int setpgid(pid_t pid, pid_t pgid) { 41 return Syscall::Call(__NR_setpgid, pid, pgid); 42 } 43 44 static int fcntl(int fd, int cmd, unsigned long arg = 0) { 45 return Syscall::Call(__NR_fcntl, fd, cmd, arg); 46 } 47 48 static int uname(struct utsname* buf) { 49 return Syscall::Call(__NR_uname, buf); 50 } 51 52 static int setresuid(uid_t ruid, uid_t euid, uid_t suid) { 53 return Syscall::Call(__NR_setresuid, ruid, euid, suid); 54 } 55 56#if !defined(ARCH_CPU_X86) 57 static int socketpair(int domain, int type, int protocol, int sv[2]) { 58 return Syscall::Call(__NR_socketpair, domain, type, protocol, sv); 59 } 60#endif 61}; 62 63class BasicPolicy : public SandboxBPFDSLPolicy { 64 public: 65 BasicPolicy() {} 66 virtual ~BasicPolicy() {} 67 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 68 if (sysno == __NR_getpgid) { 69 const Arg<pid_t> pid(0); 70 return If(pid == 0, Error(EPERM)).Else(Error(EINVAL)); 71 } 72 if (sysno == __NR_setuid) { 73 const Arg<uid_t> uid(0); 74 return If(uid != 42, Error(ESRCH)).Else(Error(ENOMEM)); 75 } 76 return Allow(); 77 } 78 79 private: 80 DISALLOW_COPY_AND_ASSIGN(BasicPolicy); 81}; 82 83BPF_TEST_C(BPFDSL, Basic, BasicPolicy) { 84 ASSERT_SYSCALL_RESULT(-EPERM, getpgid, 0); 85 ASSERT_SYSCALL_RESULT(-EINVAL, getpgid, 1); 86 87 ASSERT_SYSCALL_RESULT(-ENOMEM, setuid, 42); 88 ASSERT_SYSCALL_RESULT(-ESRCH, setuid, 43); 89} 90 91/* On IA-32, socketpair() is implemented via socketcall(). :-( */ 92#if !defined(ARCH_CPU_X86) 93class BooleanLogicPolicy : public SandboxBPFDSLPolicy { 94 public: 95 BooleanLogicPolicy() {} 96 virtual ~BooleanLogicPolicy() {} 97 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 98 if (sysno == __NR_socketpair) { 99 const Arg<int> domain(0), type(1), protocol(2); 100 return If(domain == AF_UNIX && 101 (type == SOCK_STREAM || type == SOCK_DGRAM) && 102 protocol == 0, 103 Error(EPERM)).Else(Error(EINVAL)); 104 } 105 return Allow(); 106 } 107 108 private: 109 DISALLOW_COPY_AND_ASSIGN(BooleanLogicPolicy); 110}; 111 112BPF_TEST_C(BPFDSL, BooleanLogic, BooleanLogicPolicy) { 113 int sv[2]; 114 115 // Acceptable combinations that should return EPERM. 116 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_STREAM, 0, sv); 117 ASSERT_SYSCALL_RESULT(-EPERM, socketpair, AF_UNIX, SOCK_DGRAM, 0, sv); 118 119 // Combinations that are invalid for only one reason; should return EINVAL. 120 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_INET, SOCK_STREAM, 0, sv); 121 ASSERT_SYSCALL_RESULT(-EINVAL, socketpair, AF_UNIX, SOCK_SEQPACKET, 0, sv); 122 ASSERT_SYSCALL_RESULT( 123 -EINVAL, socketpair, AF_UNIX, SOCK_STREAM, IPPROTO_TCP, sv); 124 125 // Completely unacceptable combination; should also return EINVAL. 126 ASSERT_SYSCALL_RESULT( 127 -EINVAL, socketpair, AF_INET, SOCK_SEQPACKET, IPPROTO_UDP, sv); 128} 129#endif // !ARCH_CPU_X86 130 131class MoreBooleanLogicPolicy : public SandboxBPFDSLPolicy { 132 public: 133 MoreBooleanLogicPolicy() {} 134 virtual ~MoreBooleanLogicPolicy() {} 135 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 136 if (sysno == __NR_setresuid) { 137 const Arg<uid_t> ruid(0), euid(1), suid(2); 138 return If(ruid == 0 || euid == 0 || suid == 0, Error(EPERM)) 139 .ElseIf(ruid == 1 && euid == 1 && suid == 1, Error(EAGAIN)) 140 .Else(Error(EINVAL)); 141 } 142 return Allow(); 143 } 144 145 private: 146 DISALLOW_COPY_AND_ASSIGN(MoreBooleanLogicPolicy); 147}; 148 149BPF_TEST_C(BPFDSL, MoreBooleanLogic, MoreBooleanLogicPolicy) { 150 // Expect EPERM if any set to 0. 151 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 0, 5, 5); 152 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 0, 5); 153 ASSERT_SYSCALL_RESULT(-EPERM, setresuid, 5, 5, 0); 154 155 // Expect EAGAIN if all set to 1. 156 ASSERT_SYSCALL_RESULT(-EAGAIN, setresuid, 1, 1, 1); 157 158 // Expect EINVAL for anything else. 159 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 5, 1, 1); 160 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 5, 1); 161 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 1, 1, 5); 162 ASSERT_SYSCALL_RESULT(-EINVAL, setresuid, 3, 4, 5); 163} 164 165static const uintptr_t kDeadBeefAddr = 166 static_cast<uintptr_t>(0xdeadbeefdeadbeefULL); 167 168class ArgSizePolicy : public SandboxBPFDSLPolicy { 169 public: 170 ArgSizePolicy() {} 171 virtual ~ArgSizePolicy() {} 172 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 173 if (sysno == __NR_uname) { 174 const Arg<uintptr_t> addr(0); 175 return If(addr == kDeadBeefAddr, Error(EPERM)).Else(Allow()); 176 } 177 return Allow(); 178 } 179 180 private: 181 DISALLOW_COPY_AND_ASSIGN(ArgSizePolicy); 182}; 183 184BPF_TEST_C(BPFDSL, ArgSizeTest, ArgSizePolicy) { 185 struct utsname buf; 186 ASSERT_SYSCALL_RESULT(0, uname, &buf); 187 ASSERT_SYSCALL_RESULT( 188 -EPERM, uname, reinterpret_cast<struct utsname*>(kDeadBeefAddr)); 189} 190 191class TrappingPolicy : public SandboxBPFDSLPolicy { 192 public: 193 TrappingPolicy() {} 194 virtual ~TrappingPolicy() {} 195 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 196 if (sysno == __NR_uname) { 197 return Trap(UnameTrap, &count_); 198 } 199 return Allow(); 200 } 201 202 private: 203 static intptr_t count_; 204 205 static intptr_t UnameTrap(const struct arch_seccomp_data& data, void* aux) { 206 BPF_ASSERT_EQ(&count_, aux); 207 return ++count_; 208 } 209 210 DISALLOW_COPY_AND_ASSIGN(TrappingPolicy); 211}; 212 213intptr_t TrappingPolicy::count_; 214 215BPF_TEST_C(BPFDSL, TrapTest, TrappingPolicy) { 216 ASSERT_SYSCALL_RESULT(1, uname, NULL); 217 ASSERT_SYSCALL_RESULT(2, uname, NULL); 218 ASSERT_SYSCALL_RESULT(3, uname, NULL); 219} 220 221class MaskingPolicy : public SandboxBPFDSLPolicy { 222 public: 223 MaskingPolicy() {} 224 virtual ~MaskingPolicy() {} 225 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 226 if (sysno == __NR_setuid) { 227 const Arg<uid_t> uid(0); 228 return If((uid & 0xf) == 0, Error(EINVAL)).Else(Error(EACCES)); 229 } 230 if (sysno == __NR_setgid) { 231 const Arg<gid_t> gid(0); 232 return If((gid & 0xf0) == 0xf0, Error(EINVAL)).Else(Error(EACCES)); 233 } 234 if (sysno == __NR_setpgid) { 235 const Arg<pid_t> pid(0); 236 return If((pid & 0xa5) == 0xa0, Error(EINVAL)).Else(Error(EACCES)); 237 } 238 return Allow(); 239 } 240 241 private: 242 DISALLOW_COPY_AND_ASSIGN(MaskingPolicy); 243}; 244 245BPF_TEST_C(BPFDSL, MaskTest, MaskingPolicy) { 246 for (uid_t uid = 0; uid < 0x100; ++uid) { 247 const int expect_errno = (uid & 0xf) == 0 ? EINVAL : EACCES; 248 ASSERT_SYSCALL_RESULT(-expect_errno, setuid, uid); 249 } 250 251 for (gid_t gid = 0; gid < 0x100; ++gid) { 252 const int expect_errno = (gid & 0xf0) == 0xf0 ? EINVAL : EACCES; 253 ASSERT_SYSCALL_RESULT(-expect_errno, setgid, gid); 254 } 255 256 for (pid_t pid = 0; pid < 0x100; ++pid) { 257 const int expect_errno = (pid & 0xa5) == 0xa0 ? EINVAL : EACCES; 258 ASSERT_SYSCALL_RESULT(-expect_errno, setpgid, pid, 0); 259 } 260} 261 262class ElseIfPolicy : public SandboxBPFDSLPolicy { 263 public: 264 ElseIfPolicy() {} 265 virtual ~ElseIfPolicy() {} 266 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 267 if (sysno == __NR_setuid) { 268 const Arg<uid_t> uid(0); 269 return If((uid & 0xfff) == 0, Error(0)) 270 .ElseIf((uid & 0xff0) == 0, Error(EINVAL)) 271 .ElseIf((uid & 0xf00) == 0, Error(EEXIST)) 272 .Else(Error(EACCES)); 273 } 274 return Allow(); 275 } 276 277 private: 278 DISALLOW_COPY_AND_ASSIGN(ElseIfPolicy); 279}; 280 281BPF_TEST_C(BPFDSL, ElseIfTest, ElseIfPolicy) { 282 ASSERT_SYSCALL_RESULT(0, setuid, 0); 283 284 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0001); 285 ASSERT_SYSCALL_RESULT(-EINVAL, setuid, 0x0002); 286 287 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0011); 288 ASSERT_SYSCALL_RESULT(-EEXIST, setuid, 0x0022); 289 290 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0111); 291 ASSERT_SYSCALL_RESULT(-EACCES, setuid, 0x0222); 292} 293 294class SwitchPolicy : public SandboxBPFDSLPolicy { 295 public: 296 SwitchPolicy() {} 297 virtual ~SwitchPolicy() {} 298 virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE { 299 if (sysno == __NR_fcntl) { 300 const Arg<int> cmd(1); 301 const Arg<unsigned long> long_arg(2); 302 return Switch(cmd) 303 .CASES((F_GETFL, F_GETFD), Error(ENOENT)) 304 .Case(F_SETFD, If(long_arg == O_CLOEXEC, Allow()).Else(Error(EINVAL))) 305 .Case(F_SETFL, Error(EPERM)) 306 .Default(Error(EACCES)); 307 } 308 return Allow(); 309 } 310 311 private: 312 DISALLOW_COPY_AND_ASSIGN(SwitchPolicy); 313}; 314 315BPF_TEST_C(BPFDSL, SwitchTest, SwitchPolicy) { 316 base::ScopedFD sock_fd(socket(AF_UNIX, SOCK_STREAM, 0)); 317 BPF_ASSERT(sock_fd.is_valid()); 318 319 ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFD); 320 ASSERT_SYSCALL_RESULT(-ENOENT, fcntl, sock_fd.get(), F_GETFL); 321 322 ASSERT_SYSCALL_RESULT(0, fcntl, sock_fd.get(), F_SETFD, O_CLOEXEC); 323 ASSERT_SYSCALL_RESULT(-EINVAL, fcntl, sock_fd.get(), F_SETFD, 0); 324 325 ASSERT_SYSCALL_RESULT(-EPERM, fcntl, sock_fd.get(), F_SETFL, O_RDONLY); 326 327 ASSERT_SYSCALL_RESULT(-EACCES, fcntl, sock_fd.get(), F_DUPFD, 0); 328} 329 330} // namespace 331} // namespace bpf_dsl 332} // namespace sandbox 333