Commit 815e402d authored by jln@chromium.org's avatar jln@chromium.org

Linux Sandbox: run all BaselinePolicy tests with sanitizers.

- Allow ioctls TCGETS and FIONREAD with sanitizers.
- Allow sched_getaffinity() with sanitizers.
- Enable all BaselinePolicy unit tests with sanitizers.

BUG=372445
R=mdempsky@chromium.org

Review URL: https://codereview.chromium.org/296703007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271854 0039d316-1c4b-4281-b951-d872f2087c98
parent 78df54f2
...@@ -86,13 +86,25 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, ...@@ -86,13 +86,25 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
pid_t current_pid, pid_t current_pid,
SandboxBPF* sandbox, SandboxBPF* sandbox,
int sysno) { int sysno) {
#if defined(ADDRESS_SANITIZER) #if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(MEMORY_SANITIZER)
// TCGETS is required by the sanitizers on failure.
if (sysno == __NR_ioctl) {
return RestrictIoctl(sandbox);
}
if (sysno == __NR_sched_getaffinity) {
return ErrorCode(ErrorCode::ERR_ALLOWED);
}
if (sysno == __NR_sigaltstack) { if (sysno == __NR_sigaltstack) {
// Required for better stack overflow detection in ASan. Disallowed in // Required for better stack overflow detection in ASan. Disallowed in
// non-ASan builds. // non-ASan builds.
return ErrorCode(ErrorCode::ERR_ALLOWED); return ErrorCode(ErrorCode::ERR_ALLOWED);
} }
#endif #endif // defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) ||
// defined(MEMORY_SANITIZER)
if (IsBaselinePolicyAllowed(sysno)) { if (IsBaselinePolicyAllowed(sysno)) {
return ErrorCode(ErrorCode::ERR_ALLOWED); return ErrorCode(ErrorCode::ERR_ALLOWED);
} }
...@@ -101,14 +113,12 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, ...@@ -101,14 +113,12 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
return RestrictCloneToThreadsAndEPERMFork(sandbox); return RestrictCloneToThreadsAndEPERMFork(sandbox);
} }
#if defined(__x86_64__) || defined(__arm__) if (sysno == __NR_fcntl)
if (sysno == __NR_socketpair) { return RestrictFcntlCommands(sandbox);
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different); #if defined(__i386__) || defined(__arm__)
return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX, if (sysno == __NR_fcntl64)
ErrorCode(ErrorCode::ERR_ALLOWED), return RestrictFcntlCommands(sandbox);
sandbox->Trap(CrashSIGSYS_Handler, NULL));
}
#endif #endif
if (sysno == __NR_madvise) { if (sysno == __NR_madvise) {
...@@ -132,12 +142,14 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, ...@@ -132,12 +142,14 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
if (sysno == __NR_mprotect) if (sysno == __NR_mprotect)
return RestrictMprotectFlags(sandbox); return RestrictMprotectFlags(sandbox);
if (sysno == __NR_fcntl) #if defined(__x86_64__) || defined(__arm__)
return RestrictFcntlCommands(sandbox); if (sysno == __NR_socketpair) {
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
#if defined(__i386__) || defined(__arm__) COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
if (sysno == __NR_fcntl64) return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
return RestrictFcntlCommands(sandbox); ErrorCode(ErrorCode::ERR_ALLOWED),
sandbox->Trap(CrashSIGSYS_Handler, NULL));
}
#endif #endif
if (SyscallSets::IsKill(sysno)) { if (SyscallSets::IsKill(sysno)) {
......
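Review bot: The new sanitizer-only `sched_getaffinity` case in the first hunk returns `ErrorCode(ErrorCode::ERR_ALLOWED)` without constraining the pid argument, so the sandboxed process may query the affinity of any pid, whereas the adjacent ioctl case goes through `RestrictIoctl()`; if the sanitizer runtimes only ever query their own process, gating on pid 0 with the same `sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0, ErrorCode(ErrorCode::ERR_ALLOWED), sandbox->Trap(CrashSIGSYS_Handler, NULL))` shape already used for `socketpair` would keep the allowance minimal (that the runtimes pass 0 needs confirming). The comment `// TCGETS is required by the sanitizers on failure.` names only one of the two requests the commit message says are allowed; `// The sanitizers need ioctl(TCGETS) and ioctl(FIONREAD) to report failures; RestrictIoctl() presumably limits the request argument to those two.` would match, once checked against RestrictIoctl(), which is not in the hunk. The visible test-file hunks only drop the sanitizer guards, so a sanitizer-build BaselinePolicy test asserting that an unrelated ioctl request still raises SIGSYS would pin the new restriction. The second and third hunks only reorder the `fcntl`/`fcntl64` and `socketpair` cases, and EvaluateSyscallImpl's body continues past the hunks.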
...@@ -94,10 +94,6 @@ BPF_TEST_C(BaselinePolicy, FchmodErrno, BaselinePolicy) { ...@@ -94,10 +94,6 @@ BPF_TEST_C(BaselinePolicy, FchmodErrno, BaselinePolicy) {
BPF_ASSERT_EQ(EPERM, errno); BPF_ASSERT_EQ(EPERM, errno);
} }
// TODO(jln): make this work with the sanitizers.
#if !defined(ADDRESS_SANITIZER) && !defined(THREAD_SANITIZER) && \
!defined(MEMORY_SANITIZER)
BPF_TEST_C(BaselinePolicy, ForkErrno, BaselinePolicy) { BPF_TEST_C(BaselinePolicy, ForkErrno, BaselinePolicy) {
errno = 0; errno = 0;
pid_t pid = fork(); pid_t pid = fork();
...@@ -245,9 +241,6 @@ TEST_BASELINE_SIGSYS(__NR_getcpu); ...@@ -245,9 +241,6 @@ TEST_BASELINE_SIGSYS(__NR_getcpu);
TEST_BASELINE_SIGSYS(__NR_setpgid); TEST_BASELINE_SIGSYS(__NR_setpgid);
TEST_BASELINE_SIGSYS(__NR_getitimer); TEST_BASELINE_SIGSYS(__NR_getitimer);
#endif // !defined(ADDRESS_SANITIZER) && !defined(THREAD_SANITIZER) &&
// !defined(MEMORY_SANITIZER)
} // namespace } // namespace
} // namespace sandbox } // namespace sandbox