// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"

#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include "base/files/scoped_file.h"
#include "base/macros.h"
#include "base/posix/eintr_wrapper.h"
#include "base/threading/thread.h"
#include "build/build_config.h"
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/seccomp-bpf/syscall.h"
#include "sandbox/linux/services/syscall_wrappers.h"
#include "sandbox/linux/services/thread_helpers.h"
#include "sandbox/linux/system_headers/linux_futex.h"
#include "sandbox/linux/system_headers/linux_syscalls.h"
#include "sandbox/linux/tests/test_utils.h"
#include "sandbox/linux/tests/unit_tests.h"

// Fallback for system headers that do not define SO_PEEK_OFF; the socket
// option tests in this file use it as an option name.
// NOTE(review): 42 is presumably the value the target kernel headers use;
// confirm for every architecture this file is built on.
#if !defined(SO_PEEK_OFF)
#define SO_PEEK_OFF 42
#endif

namespace sandbox {

namespace {

// Sends a short message through the given descriptor pair and reads it back.
// Because it calls fstat(), write() and read(), it also checks that the
// policy under test allows those three calls.
void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
  BPF_ASSERT_LE(0, read_end.get());
  BPF_ASSERT_LE(0, write_end.get());

  // The read end must be either a FIFO (pipe) or a socket (socketpair).
  struct stat fd_info;
  const int stat_rc = fstat(read_end.get(), &fd_info);
  BPF_ASSERT_EQ(0, stat_rc);
  BPF_ASSERT(S_ISFIFO(fd_info.st_mode) || S_ISSOCK(fd_info.st_mode));

  const ssize_t kTestTransferSize = 4;
  static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'};

  const ssize_t written =
      HANDLE_EINTR(write(write_end.get(), kTestString, kTestTransferSize));
  BPF_ASSERT_EQ(kTestTransferSize, written);

  // The buffer is one byte larger than the message, so a read that returned
  // more than was written would fail the size check below.
  char read_buf[kTestTransferSize + 1] = {0};
  const ssize_t received =
      HANDLE_EINTR(read(read_end.get(), read_buf, sizeof(read_buf)));
  BPF_ASSERT_EQ(kTestTransferSize, received);
  BPF_ASSERT_EQ(0, memcmp(kTestString, read_buf, kTestTransferSize));
}

// Smoke test: a handful of system calls that are easy to exercise must keep
// working under the baseline policy.
BPF_TEST_C(BaselinePolicy, BaselinePolicyBasicAllowed, BaselinePolicy) {
  BPF_ASSERT_EQ(0, sched_yield());

  int pipe_fds[2];
  const int pipe_rc = pipe(pipe_fds);
  BPF_ASSERT_EQ(0, pipe_rc);
  TestPipeOrSocketPair(base::ScopedFD(pipe_fds[0]),
                       base::ScopedFD(pipe_fds[1]));

  BPF_ASSERT_LE(1, getpid());
  BPF_ASSERT_LE(0, getuid());
}

// fchmod() must fail with EPERM under the policy.
BPF_TEST_C(BaselinePolicy, FchmodErrno, BaselinePolicy) {
  const int rc = fchmod(-1, 07777);
  BPF_ASSERT_EQ(-1, rc);
  // Without the sandbox, fchmod() on fd -1 would fail with EBADF, so EPERM
  // here shows the denial comes from the policy.
  BPF_ASSERT_EQ(EPERM, errno);
}

// fork() must be refused with EPERM rather than crash the process.
BPF_TEST_C(BaselinePolicy, ForkErrno, BaselinePolicy) {
  errno = 0;
  pid_t child = fork();
  // Save errno right away; the helper call below could change it.
  const int saved_errno = errno;
  // NOTE(review): presumably handles the case where fork() unexpectedly
  // succeeded; see TestUtils for the exact contract.
  TestUtils::HandlePostForkReturn(child);

  BPF_ASSERT_EQ(-1, child);
  BPF_ASSERT_EQ(EPERM, saved_errno);
}

// Issues a raw clone() with CLONE_PARENT_SETTID | SIGCHLD. Going by the name,
// this mirrors the flags glibc's fork() uses on x86.
pid_t ForkX86Glibc() {
  static pid_t parent_tid;
  const int clone_flags = CLONE_PARENT_SETTID | SIGCHLD;
  return sys_clone(clone_flags, nullptr, &parent_tid, nullptr, nullptr);
}

// The x86-style fork emulation must also be refused with EPERM.
BPF_TEST_C(BaselinePolicy, ForkX86Eperm, BaselinePolicy) {
  errno = 0;
  pid_t child = ForkX86Glibc();
  const int saved_errno = errno;
  TestUtils::HandlePostForkReturn(child);

  BPF_ASSERT_EQ(-1, child);
  BPF_ASSERT_EQ(EPERM, saved_errno);
}

// Issues a raw clone() with CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID |
// SIGCHLD. Going by the name, this mirrors the flags glibc's fork() uses on
// ARM.
pid_t ForkARMGlibc() {
  static pid_t child_tid;
  const int clone_flags = CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD;
  return sys_clone(clone_flags, nullptr, nullptr, &child_tid, nullptr);
}

// The ARM-style fork emulation must also be refused with EPERM.
BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
  errno = 0;
  pid_t child = ForkARMGlibc();
  const int saved_errno = errno;
  TestUtils::HandlePostForkReturn(child);

  BPF_ASSERT_EQ(-1, child);
  BPF_ASSERT_EQ(EPERM, saved_errno);
}

// Process creation is refused above, but starting a thread must still work.
BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
  base::Thread worker("sandbox_tests");
  BPF_ASSERT(worker.Start());
}


// clone() with CLONE_THREAD | SIGCHLD is not answered with an errno: the test
// passes only if the process dies as DEATH_SEGV_MESSAGE describes, with the
// clone-specific message.
BPF_DEATH_TEST_C(BaselinePolicy,
                 DisallowedCloneFlagCrashes,
                 DEATH_SEGV_MESSAGE(GetCloneErrorMessageContentForTests()),
                 BaselinePolicy) {
  const pid_t clone_result = sys_clone(CLONE_THREAD | SIGCHLD);
  TestUtils::HandlePostForkReturn(clone_result);
}

// kill() aimed at another process (pid 1 here) must be fatal to the caller.
// Signal number 0 is used, so nothing would be delivered to pid 1 even if the
// call went through.
BPF_DEATH_TEST_C(BaselinePolicy,
                 DisallowedKillCrashes,
                 DEATH_SEGV_MESSAGE(GetKillErrorMessageContentForTests()),
                 BaselinePolicy) {
  // The target has to be a different process for the test to mean anything.
  BPF_ASSERT_NE(1, getpid());
  kill(1, 0);
  _exit(0);
}

// kill() directed at the calling process itself stays allowed.
BPF_TEST_C(BaselinePolicy, CanKillSelf, BaselinePolicy) {
  const int rc = kill(getpid(), 0);
  BPF_ASSERT_EQ(0, rc);
}

// AF_UNIX socket pairs of type SOCK_DGRAM and SOCK_SEQPACKET can be created
// and used for a round trip.
BPF_TEST_C(BaselinePolicy, Socketpair, BaselinePolicy) {
  int pair_fds[2];

  int rc = socketpair(AF_UNIX, SOCK_DGRAM, 0, pair_fds);
  BPF_ASSERT_EQ(0, rc);
  TestPipeOrSocketPair(base::ScopedFD(pair_fds[0]),
                       base::ScopedFD(pair_fds[1]));

  rc = socketpair(AF_UNIX, SOCK_SEQPACKET, 0, pair_fds);
  BPF_ASSERT_EQ(0, rc);
  TestPipeOrSocketPair(base::ScopedFD(pair_fds[0]),
                       base::ScopedFD(pair_fds[1]));
}

// Not all architectures can restrict the domain for socketpair().
#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
// Where the domain can be filtered, asking for an AF_INET pair must be fatal.
BPF_DEATH_TEST_C(BaselinePolicy,
                 SocketpairWrongDomain,
                 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  int pair_fds[2];
  ignore_result(socketpair(AF_INET, SOCK_STREAM, 0, pair_fds));
  // Reached only if the call was not blocked.
  _exit(1);
}
#endif  // defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)

// Opening a file must fail with EPERM instead of killing the process.
BPF_TEST_C(BaselinePolicy, EPERM_open, BaselinePolicy) {
  errno = 0;
  const int fd = open("/proc/cpuinfo", O_RDONLY);
  BPF_ASSERT_EQ(-1, fd);
  BPF_ASSERT_EQ(EPERM, errno);
}

// access() on a path must fail with EPERM.
BPF_TEST_C(BaselinePolicy, EPERM_access, BaselinePolicy) {
  errno = 0;
  const int rc = access("/proc/cpuinfo", R_OK);
  BPF_ASSERT_EQ(-1, rc);
  BPF_ASSERT_EQ(EPERM, errno);
}

// getcwd() must fail with EPERM and return no path.
BPF_TEST_C(BaselinePolicy, EPERM_getcwd, BaselinePolicy) {
  errno = 0;
  char path_buf[1024];
  char* result = getcwd(path_buf, sizeof(path_buf));
  BPF_ASSERT_EQ(NULL, result);
  BPF_ASSERT_EQ(EPERM, errno);
}

// Syscall::InvalidCall() must end in the death that DEATH_SEGV_MESSAGE
// describes.
BPF_DEATH_TEST_C(BaselinePolicy,
                 SIGSYS_InvalidSyscall,
                 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  Syscall::InvalidCall();
}

// A failing test using this macro could be problematic, since the system
// call is performed with "0" passed as every argument.
// The kernel could SIGSEGV the process, or the system call itself could
// reboot the machine. Some thought has been given, when hand-picking the
// system calls below, to limiting any potential side effects outside of the
// current process.
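// Expands to a death test named SIGSYS_<sysno> that invokes |sysno| with six
// zero arguments. If the call returns, the test exits with status 1.
#define TEST_BASELINE_SIGSYS(sysno)                                      \
  BPF_DEATH_TEST_C(BaselinePolicy,                                       \
                   SIGSYS_##sysno,                                       \
                   DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()), \
                   BaselinePolicy) {                                     \
    syscall(sysno, 0, 0, 0, 0, 0, 0);                                    \
    _exit(1);                                                            \
  }

// Each system call listed here gets its own death test.
TEST_BASELINE_SIGSYS(__NR_acct);
TEST_BASELINE_SIGSYS(__NR_chroot);
TEST_BASELINE_SIGSYS(__NR_fanotify_init);
TEST_BASELINE_SIGSYS(__NR_fgetxattr);
TEST_BASELINE_SIGSYS(__NR_getcpu);
TEST_BASELINE_SIGSYS(__NR_getitimer);
TEST_BASELINE_SIGSYS(__NR_init_module);
TEST_BASELINE_SIGSYS(__NR_io_cancel);
TEST_BASELINE_SIGSYS(__NR_keyctl);
TEST_BASELINE_SIGSYS(__NR_mq_open);
TEST_BASELINE_SIGSYS(__NR_ptrace);
TEST_BASELINE_SIGSYS(__NR_sched_setaffinity);
TEST_BASELINE_SIGSYS(__NR_setpgid);
TEST_BASELINE_SIGSYS(__NR_swapon);
TEST_BASELINE_SIGSYS(__NR_sysinfo);
TEST_BASELINE_SIGSYS(__NR_syslog);
TEST_BASELINE_SIGSYS(__NR_timer_create);

// These three are tested on every architecture except aarch64.
#if !defined(__aarch64__)
TEST_BASELINE_SIGSYS(__NR_eventfd);
TEST_BASELINE_SIGSYS(__NR_inotify_init);
TEST_BASELINE_SIGSYS(__NR_vserver);
#endif

// futex() with FUTEX_CMP_REQUEUE_PI must be fatal, with the futex-specific
// message.
BPF_DEATH_TEST_C(BaselinePolicy,
                 FutexWithRequeuePriorityInheritence,
                 DEATH_SEGV_MESSAGE(GetFutexErrorMessageContentForTests()),
                 BaselinePolicy) {
  syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI, 0, NULL, NULL, 0);
  _exit(1);
}

// The same check for the process-private variant of the operation.
BPF_DEATH_TEST_C(BaselinePolicy,
                 FutexWithRequeuePriorityInheritencePrivate,
                 DEATH_SEGV_MESSAGE(GetFutexErrorMessageContentForTests()),
                 BaselinePolicy) {
  syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI_PRIVATE, 0, NULL, NULL, 0);
  _exit(1);
}

// futex() with FUTEX_UNLOCK_PI_PRIVATE must be fatal as well.
BPF_DEATH_TEST_C(BaselinePolicy,
                 FutexWithUnlockPIPrivate,
                 DEATH_SEGV_MESSAGE(GetFutexErrorMessageContentForTests()),
                 BaselinePolicy) {
  syscall(__NR_futex, NULL, FUTEX_UNLOCK_PI_PRIVATE, 0, NULL, NULL, 0);
  _exit(1);
}

// Reading the dumpable flag and writing it back must both be allowed. The
// flag is set to the value just read, so the process state does not change.
BPF_TEST_C(BaselinePolicy, PrctlDumpable, BaselinePolicy) {
  const int is_dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
  BPF_ASSERT(is_dumpable == 1 || is_dumpable == 0);
  // The option plus four arguments, matching the other prctl() calls in this
  // file; a stray extra trailing zero was dropped.
  const int prctl_ret = prctl(PR_SET_DUMPABLE, is_dumpable, 0, 0, 0);
  BPF_ASSERT_EQ(0, prctl_ret);
}

// Work around incomplete Android headers.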
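#if !defined(PR_CAPBSET_READ)
#define PR_CAPBSET_READ 23
#endif

// prctl(PR_CAPBSET_READ) must be fatal, with the prctl-specific message.
BPF_DEATH_TEST_C(BaselinePolicy,
                 PrctlSigsys,
                 DEATH_SEGV_MESSAGE(GetPrctlErrorMessageContentForTests()),
                 BaselinePolicy) {
  prctl(PR_CAPBSET_READ, 0, 0, 0, 0);
  // Reached only if the call was not blocked.
  _exit(1);
}

// getpriority()/setpriority() with PRIO_PROCESS must work for the calling
// process, addressed either as 0 or by its own pid, and must fail with EPERM
// for a different pid.
BPF_TEST_C(BaselinePolicy, GetOrSetPriority, BaselinePolicy) {
  errno = 0;
  const int original_prio = getpriority(PRIO_PROCESS, 0);
  // Check errno instead of the return value since this system call can return
  // -1 as a valid value.
  BPF_ASSERT_EQ(0, errno);

  errno = 0;
  int rc = getpriority(PRIO_PROCESS, getpid());
  BPF_ASSERT_EQ(0, errno);

  // getpid() + 1 stands in for "some pid that is not ours".
  rc = getpriority(PRIO_PROCESS, getpid() + 1);
  BPF_ASSERT_EQ(-1, rc);
  BPF_ASSERT_EQ(EPERM, errno);

  // Writing back the priority that was just read leaves the process unchanged.
  rc = setpriority(PRIO_PROCESS, 0, original_prio);
  BPF_ASSERT_EQ(0, rc);

  rc = setpriority(PRIO_PROCESS, getpid(), original_prio);
  BPF_ASSERT_EQ(0, rc);

  errno = 0;
  rc = setpriority(PRIO_PROCESS, getpid() + 1, original_prio);
  BPF_ASSERT_EQ(-1, rc);
  BPF_ASSERT_EQ(EPERM, errno);
}

// getpriority() with PRIO_USER instead of PRIO_PROCESS must be fatal.
BPF_DEATH_TEST_C(BaselinePolicy,
                 GetPrioritySigsys,
                 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  getpriority(PRIO_USER, 0);
  _exit(1);
}

// clock_gettime() with CLOCK_MONOTONIC_RAW must be fatal.
// NOTE(review): unlike most death tests in this file, this test and the socket
// option tests below do not call _exit(1) after the system call; confirm the
// harness still reports a failure if the call returns.
BPF_DEATH_TEST_C(BaselinePolicy,
                 ClockGettimeWithDisallowedClockCrashes,
                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  struct timespec ts;
  clock_gettime(CLOCK_MONOTONIC_RAW, &ts);
}

// NOTE(review): presumably excluded on i386 for a reason similar to the
// architecture gate on the socketpair() domain test earlier in this file;
// confirm.
#if !defined(__i386__)
// getsockopt() at level IPPROTO_TCP must be fatal.
BPF_DEATH_TEST_C(BaselinePolicy,
                 GetSockOptWrongLevelSigsys,
                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  int fds[2];
  PCHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);
  int id;
  socklen_t peek_off_size = sizeof(id);
  getsockopt(fds[0], IPPROTO_TCP, SO_PEEK_OFF, &id, &peek_off_size);
}

// getsockopt() at SOL_SOCKET with the option SO_DEBUG must be fatal.
BPF_DEATH_TEST_C(BaselinePolicy,
                 GetSockOptWrongOptionSigsys,
                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  int fds[2];
  PCHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);
  int id;
  socklen_t peek_off_size = sizeof(id);
  getsockopt(fds[0], SOL_SOCKET, SO_DEBUG, &id, &peek_off_size);
}

// setsockopt() at level IPPROTO_TCP must be fatal.
BPF_DEATH_TEST_C(BaselinePolicy,
                 SetSockOptWrongLevelSigsys,
                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  int fds[2];
  PCHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);
  // setsockopt() takes |id| as its input value, so give it a defined value:
  // if the call is ever let through, it must not pass indeterminate data.
  int id = 0;
  setsockopt(fds[0], IPPROTO_TCP, SO_PEEK_OFF, &id, sizeof(id));
}


// setsockopt() at SOL_SOCKET with the option SO_DEBUG must be fatal.
BPF_DEATH_TEST_C(BaselinePolicy,
                 SetSockOptWrongOptionSigsys,
                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
                 BaselinePolicy) {
  int fds[2];
  PCHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == 0);
  // Initialized for the same reason as in SetSockOptWrongLevelSigsys.
  int id = 0;
  setsockopt(fds[0], SOL_SOCKET, SO_DEBUG, &id, sizeof(id));
}
#endif

}  // namespace

}  // namespace sandbox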