
Linux Sandbox: run all BaselinePolicy tests with sanitizers.

- Allow ioctls TCGETS and FIONREAD with sanitizers.
- Allow sched_getaffinity() with sanitizers.
- Enable all BaselinePolicy unit tests with sanitizers.

BUG=372445
R=mdempsky@chromium.org

Review URL: https://codereview.chromium.org/296703007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271854 0039d316-1c4b-4281-b951-d872f2087c98
jln@chromium.org
2014-05-21 03:54:51 +00:00
parent 78df54f292
commit 815e402d3a
2 changed files with 28 additions and 23 deletions
sandbox/linux/seccomp-bpf-helpers

@ -86,13 +86,25 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
pid_t current_pid,
SandboxBPF* sandbox,
int sysno) {
#if defined(ADDRESS_SANITIZER)
#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(MEMORY_SANITIZER)
// TCGETS is required by the sanitizers on failure.
if (sysno == __NR_ioctl) {
return RestrictIoctl(sandbox);
}
if (sysno == __NR_sched_getaffinity) {
return ErrorCode(ErrorCode::ERR_ALLOWED);
}
if (sysno == __NR_sigaltstack) {
// Required for better stack overflow detection in ASan. Disallowed in
// non-ASan builds.
return ErrorCode(ErrorCode::ERR_ALLOWED);
}
#endif
#endif // defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) ||
// defined(MEMORY_SANITIZER)
if (IsBaselinePolicyAllowed(sysno)) {
return ErrorCode(ErrorCode::ERR_ALLOWED);
}
@ -101,14 +113,12 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
return RestrictCloneToThreadsAndEPERMFork(sandbox);
}
#if defined(__x86_64__) || defined(__arm__)
if (sysno == __NR_socketpair) {
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
ErrorCode(ErrorCode::ERR_ALLOWED),
sandbox->Trap(CrashSIGSYS_Handler, NULL));
}
if (sysno == __NR_fcntl)
return RestrictFcntlCommands(sandbox);
#if defined(__i386__) || defined(__arm__)
if (sysno == __NR_fcntl64)
return RestrictFcntlCommands(sandbox);
#endif
if (sysno == __NR_madvise) {
@ -132,12 +142,14 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno,
if (sysno == __NR_mprotect)
return RestrictMprotectFlags(sandbox);
if (sysno == __NR_fcntl)
return RestrictFcntlCommands(sandbox);
#if defined(__i386__) || defined(__arm__)
if (sysno == __NR_fcntl64)
return RestrictFcntlCommands(sandbox);
#if defined(__x86_64__) || defined(__arm__)
if (sysno == __NR_socketpair) {
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
ErrorCode(ErrorCode::ERR_ALLOWED),
sandbox->Trap(CrashSIGSYS_Handler, NULL));
}
#endif
if (SyscallSets::IsKill(sysno)) {
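Review bot: The comment inside the `__NR_sigaltstack` branch still reads "Disallowed in non-ASan builds", but the enclosing guard now also covers THREAD_SANITIZER and MEMORY_SANITIZER, so the call is allowed in those builds as well; I would reword it to `// Required for better stack overflow detection in ASan. Only allowed in sanitizer builds.` The `__NR_sched_getaffinity` branch is allowed unconditionally with no comment saying which sanitizer needs it, and the ioctl comment names only TCGETS while the description also lists FIONREAD (RestrictIoctl's body is not visible here, so I cannot confirm what it permits); a one-line comment such as `// Needed by the sanitizer runtimes; never allowed in non-sanitizer builds.` would document why the policy is wider here. Because these branches return before `IsBaselinePolicyAllowed`, the newly enabled sanitizer test runs exercise a slightly more permissive policy than release builds for these three syscalls, which is worth stating next to the guard. EvaluateSyscallImpl starts and ends outside the hunks shown.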

@ -94,10 +94,6 @@ BPF_TEST_C(BaselinePolicy, FchmodErrno, BaselinePolicy) {
BPF_ASSERT_EQ(EPERM, errno);
}
// TODO(jln): make this work with the sanitizers.
#if !defined(ADDRESS_SANITIZER) && !defined(THREAD_SANITIZER) && \
!defined(MEMORY_SANITIZER)
BPF_TEST_C(BaselinePolicy, ForkErrno, BaselinePolicy) {
errno = 0;
pid_t pid = fork();
@ -245,9 +241,6 @@ TEST_BASELINE_SIGSYS(__NR_getcpu);
TEST_BASELINE_SIGSYS(__NR_setpgid);
TEST_BASELINE_SIGSYS(__NR_getitimer);
#endif // !defined(ADDRESS_SANITIZER) && !defined(THREAD_SANITIZER) &&
// !defined(MEMORY_SANITIZER)
} // namespace
} // namespace sandbox