def testMarkBytecode(self): family, addr = random.choice([(AF_INET, "127.0.0.1"), (AF_INET6, "::1"), (AF_INET6, "::ffff:127.0.0.1")]) s1, s2 = net_test.CreateSocketPair(family, SOCK_STREAM, addr) s1.setsockopt(SOL_SOCKET, net_test.SO_MARK, 0xfff1234) s2.setsockopt(SOL_SOCKET, net_test.SO_MARK, 0xf0f1235) infos = self.FilterEstablishedSockets(0x1234, 0xffff) self.assertFoundSockets(infos, [s1]) infos = self.FilterEstablishedSockets(0x1234, 0xfffe) self.assertFoundSockets(infos, [s1, s2]) infos = self.FilterEstablishedSockets(0x1235, 0xffff) self.assertFoundSockets(infos, [s2]) infos = self.FilterEstablishedSockets(0x0, 0x0) self.assertFoundSockets(infos, [s1, s2]) infos = self.FilterEstablishedSockets(0xfff0000, 0xf0fed00) self.assertEquals(0, len(infos)) with net_test.RunAsUid(12345): self.assertRaisesErrno(EPERM, self.FilterEstablishedSockets, 0xfff0000, 0xf0fed00)
def CheckTCPConnection(self, mode, listensocket, netid, version, myaddr, remoteaddr, packet, reply, msg): establishing_ack = packets.ACK(version, remoteaddr, myaddr, reply)[1] # Attempt to confuse the kernel. self.InvalidateDstCache(version, remoteaddr, netid) self.ReceivePacketOn(netid, establishing_ack) # If we're using UID routing, the accept() call has to be run as a UID that # is routed to the specified netid, because the UID of the socket returned # by accept() is the effective UID of the process that calls it. It doesn't # need to be the same UID; any UID that selects the same interface will do. with net_test.RunAsUid(self.UidForNetid(netid)): s, _ = listensocket.accept() try: # Check that data sent on the connection goes out on the right interface. desc, data = packets.ACK(version, myaddr, remoteaddr, establishing_ack, payload=UDP_PAYLOAD) s.send(UDP_PAYLOAD) self.ExpectPacketOn(netid, msg + ": expecting %s" % desc, data) self.InvalidateDstCache(version, remoteaddr, netid) # Keep up our end of the conversation. ack = packets.ACK(version, remoteaddr, myaddr, data)[1] self.InvalidateDstCache(version, remoteaddr, netid) self.ReceivePacketOn(netid, ack) mark = self.GetSocketMark(s) finally: self.InvalidateDstCache(version, remoteaddr, netid) s.close() self.InvalidateDstCache(version, remoteaddr, netid) if mode == self.MODE_INCOMING_MARK: self.assertEquals(netid, mark, msg + ": Accepted socket: Expected mark %d, got %d" % ( netid, mark)) elif mode != self.MODE_EXPLICIT_MARK: self.assertEquals(0, self.GetSocketMark(listensocket)) # Check the FIN was sent on the right interface, and ack it. We don't expect # this to fail because by the time the connection is established things are # likely working, but a) extra tests are always good and b) extra packets # like the FIN (and retransmitted FINs) could cause later tests that expect # no packets to fail. desc, fin = packets.FIN(version, myaddr, remoteaddr, ack) self.ExpectPacketOn(netid, msg + ": expecting %s after close" % desc, fin) desc, finack = packets.FIN(version, remoteaddr, myaddr, fin) self.ReceivePacketOn(netid, finack) # Since we called close() earlier, the userspace socket object is gone, so # the socket has no UID. If we're doing UID routing, the ack might be routed # incorrectly. Not much we can do here. desc, finackack = packets.ACK(version, myaddr, remoteaddr, finack) self.ExpectPacketOn(netid, msg + ": expecting final ack", finackack)
def BuildSocket(self, version, constructor, netid, routing_mode): uid = self.UidForNetid(netid) if routing_mode == "uid" else None with net_test.RunAsUid(uid): family = self.GetProtocolFamily(version) s = constructor(family) if routing_mode not in [None, "uid"]: self.SelectInterface(s, netid, routing_mode) return s
def CheckPermissions(self, socktype): s = socket(AF_INET6, socktype, 0) self.SelectInterface(s, random.choice(self.NETIDS), "mark") if socktype == SOCK_STREAM: s.listen(1) expectedstate = tcp_test.TCP_LISTEN else: s.connect((self.GetRemoteAddress(6), 53)) expectedstate = tcp_test.TCP_ESTABLISHED with net_test.RunAsUid(12345): self.assertRaisesErrno(EPERM, self.sock_diag.CloseSocketFromFd, s) self.sock_diag.CloseSocketFromFd(s) self.assertRaises(ValueError, self.sock_diag.CloseSocketFromFd, s)
def testGetSocketUid(self): self.map_fd = CreateMap(BPF_MAP_TYPE_HASH, KEY_SIZE, VALUE_SIZE, TOTAL_ENTRIES) # Set up the instruction with uid at BPF_REG_0. instructions = [ BpfMov64Reg(BPF_REG_6, BPF_REG_1), BpfFuncCall(BPF_FUNC_get_socket_uid) ] # Concatenate the generic packet count bpf program to it. instructions += (INS_BPF_PARAM_STORE + BpfFuncCountPacketInit(self.map_fd) + INS_SK_FILTER_ACCEPT + INS_PACK_COUNT_UPDATE + INS_SK_FILTER_ACCEPT) self.prog_fd = BpfProgLoad(BPF_PROG_TYPE_SOCKET_FILTER, instructions) packet_count = 10 uid = 12345 with net_test.RunAsUid(uid): self.assertRaisesErrno(errno.ENOENT, LookupMap, self.map_fd, uid) SocketUDPLoopBack(packet_count, 4, self.prog_fd) self.assertEquals(packet_count, LookupMap(self.map_fd, uid).value) DeleteMap(self.map_fd, uid) SocketUDPLoopBack(packet_count, 6, self.prog_fd) self.assertEquals(packet_count, LookupMap(self.map_fd, uid).value)
def assertSocketMarkIs(self, s, mark): diag_msg, attrs = self.sock_diag.FindSockInfoFromFd(s) self.assertMarkIs(mark, attrs) with net_test.RunAsUid(12345): diag_msg, attrs = self.sock_diag.FindSockInfoFromFd(s) self.assertMarkIs(None, attrs)