From cc30d58c18353905154173bab850d3610c7d01bc Mon Sep 17 00:00:00 2001
From: Zach Reizner
Date: Tue, 23 Jan 2018 21:16:42 -0800
Subject: crosvm: run plugin process in a jail by default
The plugin process is similar to a virtual device from the perspective of crosvm. Therefore, the plugin process should be run in a jail, similar to the other devices in crosvm.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I881d7b0f8a11e2626f69a5fa0eee0aa59bb6b6be
Reviewed-on: https://chromium-review.googlesource.com/882131
Commit-Ready: Zach Reizner
Tested-by: Zach Reizner
Reviewed-by: Dylan Reid
---
 tests/plugin.policy | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/plugins.rs | 48 +++++++++++++++++++++++++++++++++---------------
 2 files changed, 80 insertions(+), 15 deletions(-)
 create mode 100644 tests/plugin.policy
(limited to 'tests')
diff --git a/tests/plugin.policy b/tests/plugin.policy
new file mode 100644
index 0000000..960c8e5
--- /dev/null
+++ b/tests/plugin.policy
@@ -0,0 +1,47 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+execve: 1
+exit_group: 1
+futex: 1
+lseek: 1
+mprotect: 1
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+poll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+access: 1
+arch_prctl: 1
+brk: 1
+exit: 1
+fcntl: 1
+fstat: 1
+ftruncate: 1
+getcwd: 1
+getrlimit: 1
+madvise: 1
+memfd_create: 1
+mmap: 1
+open: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+sendmsg: 1
+set_tid_address: 1
+stat: 1
+writev: 1
diff --git a/tests/plugins.rs b/tests/plugins.rs
index 349634d..94b0767 100644
--- a/tests/plugins.rs
+++ b/tests/plugins.rs
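Review bot: `execve: 1`, `open: 1`, `mmap: 1` and `mprotect: 1` in the new plugin.policy are allowed without argument restriction and without the explanatory comment that the `clone` and `prctl` entries get, so a reader cannot tell which entries are needed only for the initial exec of the plugin binary and which are needed by the plugin at run time. If the filter is installed before the jail execs the plugin (the commit message implies a jail but the launch path is not in this diff), execve has to stay allowed, and the policy should say so, e.g. `# Needed for the initial exec of the plugin binary; the filter is installed before it.` Consider whether mmap and mprotect can be narrowed to non-executable mappings with the same argument-filter syntax already used for `clone` and `prctl`, since a test policy tends to get copied as a template. The copyright header also reads 2017 while the file is introduced in January 2018.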
@@ -26,8 +26,8 @@ impl Drop for RemovePath { } } -fn get_crosvm_path() -> PathBuf { - let mut crosvm_path = current_exe() +fn get_target_path() -> PathBuf { + current_exe() .ok() .map(|mut path| { path.pop(); @@ -36,24 +36,26 @@ fn get_crosvm_path() -> PathBuf { } path }) - .expect("failed to get crosvm binary directory"); - crosvm_path.push("crosvm"); - crosvm_path + .expect("failed to get crosvm binary directory") } fn build_plugin(src: &str) -> RemovePath { let mut out_bin = PathBuf::from("target"); - let mut libcrosvm_plugin = get_crosvm_path(); - libcrosvm_plugin.set_file_name("libcrosvm_plugin.so"); + let libcrosvm_plugin_dir = get_target_path(); out_bin.push(thread_rng() .gen_ascii_chars() .take(10) .collect::()); let mut child = Command::new(var_os("CC").unwrap_or(OsString::from("cc"))) - .args(&["-Icrosvm_plugin", "-pthread", "-o"]) + .args(&["-Icrosvm_plugin", "-pthread", "-o"]) // crosvm.h location and set output path. .arg(&out_bin) - .arg(libcrosvm_plugin) - .args(&["-xc", "-"]) + .arg("-L") // Path of shared object to link to. + .arg(&libcrosvm_plugin_dir) + .arg("-lcrosvm_plugin") + .arg("-Wl,-rpath") // Search for shared object in the same path when exec'd. + .arg(&libcrosvm_plugin_dir) + .args(&["-Wl,-rpath", "."]) // Also check current directory in case of sandboxing. + .args(&["-xc", "-"]) // Read source code from piped stdin. .stdin(Stdio::piped()) .spawn() .expect("failed to spawn compiler"); 
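Review bot: The `.args(&["-Wl,-rpath", "."])` line added to build_plugin makes the compiled plugin resolve libcrosvm_plugin.so from whatever the working directory is when it is exec'd, which is the insecure-rpath pattern and is only acceptable because this binary is a throwaway test fixture. The inline comment should state that limit so the snippet is not copied into a real build, e.g. `// Also check current directory in case of sandboxing. Test fixture only: a cwd-relative rpath is not safe for a shipped binary.` The sandboxed run presumably relies on the .so being visible from the jail's working directory, but where that directory is set up is not visible in this hunk. build_plugin's body continues past the end of the hunk.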
@@ -70,10 +72,24 @@ fn build_plugin(src: &str) -> RemovePath { RemovePath(PathBuf::from(out_bin)) } -fn run_plugin(bin_path: &Path) { - let mut child = Command::new(get_crosvm_path()) - .args(&["run", "-c", "1", "--plugin"]) - .arg(bin_path) +fn run_plugin(bin_path: &Path, with_sandbox: bool) { + let mut crosvm_path = get_target_path(); + crosvm_path.push("crosvm"); + let mut cmd = Command::new(crosvm_path); + cmd.args(&["run", + "-c", + "1", + "--seccomp-policy-dir", + "tests", + "--plugin"]) + .arg(bin_path + .canonicalize() + .expect("failed to canonicalize plugin path")); + if !with_sandbox { + cmd.arg("--disable-sandbox"); + } + + let mut child = cmd .spawn() .expect("failed to spawn crosvm"); for _ in 0..12 { @@ -91,7 +107,9 @@ fn run_plugin(bin_path: &Path) { fn test_plugin(src: &str) { let bin_path = build_plugin(src); - run_plugin(&bin_path.0); + // Run with and without the sandbox enabled. + run_plugin(&bin_path.0, false); + run_plugin(&bin_path.0, true); } #[test] -- cgit 1.4.1
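Review bot: In the new run_plugin, `"--seccomp-policy-dir", "tests"` is passed as a path relative to the test runner's working directory, while the plugin path on the next lines is canonicalized before being handed to crosvm, so the two arguments make different assumptions about cwd. If the policy directory is not found when the test is run from elsewhere, it is not visible here whether crosvm fails closed or starts the plugin with no filter, which would make the `with_sandbox == true` run pass vacuously; anchoring the directory to the crate avoids the question, e.g. `"--seccomp-policy-dir", concat!(env!("CARGO_MANIFEST_DIR"), "/tests"),`. run_plugin's body continues past the end of the hunk (the `for _ in 0..12` wait loop is outside it).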