Include shell-based tests in OSS builds

These were previously dependent on an internal-only testing target.

For now, this only works with Bazel, but should enable us to have better test coverage in GitHub actions.
Eventually, all of these shell-based tests should be converted to `cc_test`s.

PiperOrigin-RevId: 400713615
Change-Id: I1cabb5b72977987ef4a1803480f699b58c4d56e9

sandboxed_api/examples/sum/BUILD.bazel

@@ -32,3 +32,10 @@ cc_binary(
         "@com_google_absl//absl/strings",
     ],
 )
+
+# For now we only test exit status from the binary
+sh_test(
+    name = "main_sum_test",
+    srcs = ["main_sum_test.sh"],
+    data = [":main_sum"],
+)

sandboxed_api/examples/sum/main_sum_test.sh

@@ -1,7 +1,20 @@
 #!/bin/bash
-# Unit test for main_sum example.
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
-source googletest.sh || exit 1
+# Unit test for main_sum example.
 
 [[ -n "$COVERAGE" ]] && exit 0
 

sandboxed_api/examples/zlib/BUILD.bazel

@@ -46,3 +46,13 @@ cc_binary(
         "@com_google_absl//absl/status:statusor",
     ],
 )
+
+# Tests input/output conversion of zlib and compares with golden files
+sh_test(
+    name = "main_zlib_test",
+    srcs = ["main_zlib_test.sh"],
+    data = [
+        ":main_zlib",
+    ],
+    tags = ["notsan"],
+)

sandboxed_api/examples/zlib/main_zlib_test.sh

@@ -1,7 +1,25 @@
 #!/bin/bash
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Unit test for main_zlib example.
 
-source googletest.sh || exit 1
+die() {
+  echo "$1" 1>&2
+  exit 1
+}
 
 [[ -n "$COVERAGE" ]] && exit 0
 
@@ -10,12 +28,9 @@ TESTDATA="$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/examples/zlib/test
 
 echo "aaaa" | "$BIN" || die 'FAILED: it should have exited with 0'
 
-capture_test_stdout
-echo "This is a test string" | "$BIN"
-diff_test_stdout "$TESTDATA/simple.out"
-
-capture_test_stdout
-cat "$TESTDATA/zlib_main" | "$BIN"
-diff_test_stdout "$TESTDATA/complex.out"
+echo "This is a test string" | "$BIN" | \
+  sha256sum --status -c \
+  <(echo 'fce569e9578b5aa56d9543866fea0beaed83c4959c898dbe4c31a543cd3ffe2b  -') || \
+  die 'FAILED: it should match the golden SHA256'
 
 echo 'PASS'

sandboxed_api/sandbox2/examples/custom_fork/BUILD.bazel

@@ -49,3 +49,10 @@ cc_binary(
         "//sandboxed_api/util:raw_logging",
     ],
 )
+
+# Test
+sh_test(
+    name = "custom_fork_sandbox_test",
+    srcs = ["custom_fork_sandbox_test.sh"],
+    data = [":custom_fork_sandbox"],
+)

sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox_test.sh

@@ -1,7 +1,25 @@
 #!/bin/bash
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Unit test for the custom_fork_sandbox example.
 
-source googletest.sh || exit 1
+die() {
+  echo "$1" 1>&2
+  exit 1
+}
 
 [[ -n "$COVERAGE" ]] && exit 0
 

sandboxed_api/sandbox2/examples/network/BUILD.bazel

@@ -52,3 +52,10 @@ cc_binary(
         "@com_google_absl//absl/strings:str_format",
     ],
 )
+
+# Test
+sh_test(
+    name = "network_sandbox_test",
+    srcs = ["network_sandbox_test.sh"],
+    data = [":network_sandbox"],
+)

sandboxed_api/sandbox2/examples/network/network_sandbox_test.sh

@@ -1,6 +1,23 @@
 #!/bin/bash
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
-source googletest.sh || exit 1
+die() {
+  echo "$1" 1>&2
+  exit 1
+}
 
 # Find input files
 BINDIR=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2

sandboxed_api/sandbox2/examples/network_proxy/BUILD.bazel

@@ -55,3 +55,10 @@ cc_binary(
         "@com_google_absl//absl/strings:str_format",
     ],
 )
+
+# Test
+sh_test(
+    name = "networkproxy_sandbox_test",
+    srcs = ["networkproxy_sandbox_test.sh"],
+    data = [":networkproxy_sandbox"],
+)

sandboxed_api/sandbox2/examples/network_proxy/networkproxy_sandbox_test.sh

@@ -1,6 +1,23 @@
 #!/bin/bash
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
-source googletest.sh || exit 1
+die() {
+  echo "$1" 1>&2
+  exit 1
+}
 
 # Find input files
 BINDIR=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2

sandboxed_api/sandbox2/examples/static/BUILD.bazel

@@ -51,3 +51,9 @@ cc_binary(
     ],
     linkstatic = 1,
 )
+
+sh_test(
+    name = "static_sandbox_test",
+    srcs = ["static_sandbox_test.sh"],
+    data = [":static_sandbox"],
+)

sandboxed_api/sandbox2/examples/static/static_sandbox.cc

@@ -16,6 +16,7 @@
 // Use: static_sandbox --logtostderr
 
 #include <fcntl.h>
+#include <sys/mman.h>
 #include <sys/resource.h>
 #include <syscall.h>
 #include <unistd.h>
@@ -73,6 +74,16 @@ std::unique_ptr<sandbox2::Policy> GetPolicy() {
       // write() calls with fd not in (1, 2) will continue evaluating the
       // policy. This means that other rules might still allow them.
 
+      // Allow the dynamic loader to mark pages to never allow read-write-exec.
+      .AddPolicyOnSyscall(__NR_mprotect,
+                          {
+                              ARG_32(2),
+                              JEQ32(PROT_READ, ALLOW),
+                              JEQ32(PROT_NONE, ALLOW),
+                              JEQ32(PROT_READ | PROT_WRITE, ALLOW),
+                              JEQ32(PROT_READ | PROT_EXEC, ALLOW),
+                          })
+
       // Allow exit() only with an exit_code of 0.
       // Explicitly jumping to KILL, thus the following rules can not
       // override this rule.

sandboxed_api/sandbox2/examples/static/static_sandbox_test.sh

@@ -1,7 +1,25 @@
 #!/bin/bash
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Unit test for static_sandbox example.
 
-source googletest.sh || exit 1
+die() {
+  echo "$1" 1>&2
+  exit 1
+}
 
 [[ -n "$COVERAGE" ]] && exit 0
 

sandboxed_api/sandbox2/examples/tool/BUILD.bazel

@@ -40,3 +40,10 @@ cc_binary(
         "@com_google_absl//absl/strings:str_format",
     ],
 )
+
+# Test
+sh_test(
+    name = "sandbox2tool_test",
+    srcs = ["sandbox2tool_test.sh"],
+    data = [":sandbox2tool"],
+)

sandboxed_api/sandbox2/examples/tool/sandbox2tool_test.sh

@@ -1,7 +1,25 @@
 #!/bin/bash
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Unit test for sandbox2tool example.
 
-source googletest.sh || exit 1
+die() {
+  echo "$1" 1>&2
+  exit 1
+}
 
 BIN=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2/examples/tool/sandbox2tool