sandboxed-api/sandboxed_api/sandbox2/testcases/policy.cc
Wiktor Garbacz 47c868e6b1 Merge block bpf/ptrace tests
PiperOrigin-RevId: 561338563
Change-Id: If2704835c75ca0ae367375212c2104289e7b5cb0
2023-08-30 07:47:15 -07:00

151 lines
3.6 KiB
C++

// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// A binary that tries x86_64 compat syscalls, ptrace and clone untraced.
#include <sched.h>
#include <sys/ptrace.h>
#include <syscall.h>
#include <unistd.h>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include "absl/base/attributes.h"
#include "sandboxed_api/config.h"
#ifdef SAPI_X86_64
void TestAMD64SyscallMismatch() {
int64_t result;
// exit() is allowed, but not if called via 32-bit syscall.
asm("movq $1, %%rax\n" // __NR_exit: 1 in 32-bit (60 in 64-bit)
"movq $42, %%rbx\n" // int error_code: 42
"int $0x80\n"
"movq %%rax, %0\n"
: "=r"(result)
:
: "rax", "rbx");
exit(-result);
}
void TestAMD64SyscallMismatchFs() {
int64_t result;
char filename[] = "/etc/passwd";
// access("/etc/passwd") is allowed, but not if called via 32-bit syscall.
asm("movq $33, %%rax\n" // __NR_access: 33 in 32-bit (21 in 64-bit)
"movq %1, %%rbx\n" // const char* filename: /etc/passwd
"movq $0, %%rcx\n" // int mode: F_OK (0), test for existence
"int $0x80\n"
"movq %%rax, %0\n"
: "=r"(result)
: "g"(filename)
: "rax", "rbx", "rcx");
exit(-result);
}
#endif
void TestPtraceDenied() {
ptrace(PTRACE_SEIZE, getppid(), 0, 0);
printf("Syscall violation should have been discovered by now\n");
exit(EXIT_FAILURE);
}
void TestPtraceBlocked() {
int result = ptrace(PTRACE_SEIZE, getppid(), 0, 0);
if (result != -1 || errno != EPERM) {
printf("System call should have been blocked\n");
exit(EXIT_FAILURE);
}
}
void TestBpfBlocked() {
int result = syscall(__NR_bpf, 0, nullptr, 0);
if (result != -1 || errno != EPERM) {
printf("System call should have been blocked\n");
exit(EXIT_FAILURE);
}
}
void TestCloneUntraced() {
syscall(__NR_clone, static_cast<uintptr_t>(CLONE_UNTRACED), nullptr, nullptr,
nullptr, static_cast<uintptr_t>(0));
printf("Syscall violation should have been discovered by now\n");
exit(EXIT_FAILURE);
}
void TestBpf() {
syscall(__NR_bpf, 0, nullptr, 0);
printf("Syscall violation should have been discovered by now\n");
exit(EXIT_FAILURE);
}
void TestIsatty() { isatty(0); }
int main(int argc, char* argv[]) {
// Disable buffering.
setbuf(stdin, nullptr);
setbuf(stdout, nullptr);
setbuf(stderr, nullptr);
if (argc < 2) {
printf("argc < 3\n");
return EXIT_FAILURE;
}
int testno = atoi(argv[1]); // NOLINT
switch (testno) {
#ifdef SAPI_X86_64
case 1:
TestAMD64SyscallMismatch();
break;
case 2:
TestAMD64SyscallMismatchFs();
break;
#endif
case 3:
TestPtraceDenied();
break;
case 4:
TestCloneUntraced();
break;
case 5:
TestBpf();
break;
case 6:
TestIsatty();
break;
case 7:
TestPtraceBlocked();
ABSL_FALLTHROUGH_INTENDED;
case 8:
TestBpfBlocked();
break;
default:
printf("Unknown test: %d\n", testno);
return EXIT_FAILURE;
}
printf("OK: All tests went OK\n");
return EXIT_SUCCESS;
}