mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
127176d72f
PiperOrigin-RevId: 559733768 Change-Id: Ia38f4c176e9f0abbfdb3a8f1109f482d8870eb0f
102 lines
3.1 KiB
C++
102 lines
3.1 KiB
C++
#include "sandboxed_api/sandbox2/regs.h"
|
|
|
|
#include <linux/filter.h>
|
|
#include <linux/seccomp.h>
|
|
#include <sys/prctl.h>
|
|
#include <sys/ptrace.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <sys/wait.h>
|
|
#include <syscall.h>
|
|
#include <unistd.h>
|
|
|
|
#include <cerrno>
|
|
#include <cstdint>
|
|
#include <cstdlib>
|
|
#include <vector>
|
|
|
|
#include "gmock/gmock.h"
|
|
#include "gtest/gtest.h"
|
|
#include "absl/log/check.h"
|
|
#include "sandboxed_api/sandbox2/sanitizer.h"
|
|
#include "sandboxed_api/sandbox2/util.h"
|
|
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
|
#include "sandboxed_api/util/status_matchers.h"
|
|
|
|
namespace sandbox2 {
|
|
namespace {
|
|
|
|
using ::sapi::IsOk;
|
|
|
|
#define __WPTRACEEVENT(x) ((x & 0xff0000) >> 16)
|
|
|
|
TEST(RegsTest, SkipSyscallWorks) {
|
|
std::vector<sock_filter> policy = {
|
|
LOAD_SYSCALL_NR,
|
|
JEQ32(__NR_getpid, TRACE(0)),
|
|
ALLOW,
|
|
};
|
|
sock_fprog prog = {
|
|
.len = static_cast<uint8_t>(policy.size()),
|
|
.filter = policy.data(),
|
|
};
|
|
// Create socketpair for synchronization
|
|
int sv[2];
|
|
ASSERT_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
|
|
// Fork a child process to run the syscalls in.
|
|
pid_t ppid = util::Syscall(__NR_gettid);
|
|
pid_t pid = fork();
|
|
ASSERT_NE(pid, -1);
|
|
char c = 'C';
|
|
if (pid == 0) {
|
|
// Get ready for being ptraced.
|
|
sanitizer::WaitForSanitizer();
|
|
CHECK_EQ(prctl(PR_SET_DUMPABLE, 1), 0);
|
|
prctl(PR_SET_PTRACER, ppid);
|
|
CHECK_EQ(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), 0);
|
|
CHECK_EQ(prctl(PR_SET_KEEPCAPS, 0), 0);
|
|
// Notify parent that we're ready for ptrace.
|
|
CHECK_EQ(write(sv[0], &c, 1), 1);
|
|
// Apply seccomp policy
|
|
CHECK_EQ(util::Syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0,
|
|
reinterpret_cast<uintptr_t>(&prog)),
|
|
0);
|
|
// Wait for tracer to be attached.
|
|
CHECK_EQ(read(sv[0], &c, 1), 1);
|
|
// Run the test syscall
|
|
errno = 0;
|
|
util::Syscall(__NR_getpid, 123, reinterpret_cast<uintptr_t>(&c), 1);
|
|
_Exit(errno == ENOENT ? 0 : 1);
|
|
}
|
|
// Wait for child to be ready for ptrace
|
|
ASSERT_EQ(read(sv[1], &c, 1), 1);
|
|
ASSERT_EQ(ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_TRACESECCOMP), 0);
|
|
// Notify child it has been ptraced.
|
|
ASSERT_EQ(write(sv[1], &c, 1), 1);
|
|
// Wait for seccomp TRACE stop
|
|
int status;
|
|
ASSERT_EQ(waitpid(pid, &status, __WNOTHREAD | __WALL | WUNTRACED), pid);
|
|
ASSERT_TRUE(WIFSTOPPED(status));
|
|
ASSERT_EQ(__WPTRACEEVENT(status), PTRACE_EVENT_SECCOMP);
|
|
// Fetch the registers
|
|
Regs regs(pid);
|
|
ASSERT_THAT(regs.Fetch(), IsOk());
|
|
// Check syscall arguments
|
|
Syscall syscall = regs.ToSyscall(sapi::host_cpu::Architecture());
|
|
EXPECT_EQ(syscall.nr(), __NR_getpid);
|
|
EXPECT_EQ(syscall.args()[0], 123);
|
|
EXPECT_EQ(syscall.args()[1], reinterpret_cast<uintptr_t>(&c));
|
|
EXPECT_EQ(syscall.args()[2], 1);
|
|
// Skip syscall
|
|
ASSERT_THAT(regs.SkipSyscallReturnValue(-ENOENT), IsOk());
|
|
// Continue&detach the child process
|
|
ASSERT_EQ(ptrace(PTRACE_DETACH, pid, 0, 0), 0);
|
|
// Wait for the child to exit
|
|
ASSERT_EQ(waitpid(pid, &status, __WNOTHREAD | __WALL | WUNTRACED), pid);
|
|
ASSERT_TRUE(WIFEXITED(status));
|
|
EXPECT_EQ(WEXITSTATUS(status), 0);
|
|
}
|
|
|
|
} // namespace
|
|
} // namespace sandbox2
|