Include shell-based tests in OSS builds

These were previously dependent on an internal-only testing target.

For now, this only works with Bazel, but it should give us better test coverage in GitHub Actions.
Eventually, all of these shell-based tests should be converted to `cc_test`s.

PiperOrigin-RevId: 400713615
Change-Id: I1cabb5b72977987ef4a1803480f699b58c4d56e9
Christian Blichmann 2021-10-04 07:17:36 -07:00 committed by Copybara-Service
parent 98e590463b
commit 221e929018
15 changed files with 193 additions and 15 deletions


@ -32,3 +32,10 @@ cc_binary(
"@com_google_absl//absl/strings", "@com_google_absl//absl/strings",
], ],
) )
# For now we only test exit status from the binary
sh_test(
name = "main_sum_test",
srcs = ["main_sum_test.sh"],
data = [":main_sum"],
)


@ -1,7 +1,20 @@
#!/bin/bash #!/bin/bash
# Unit test for main_sum example. #
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
source googletest.sh || exit 1 # Unit test for main_sum example.
[[ -n "$COVERAGE" ]] && exit 0 [[ -n "$COVERAGE" ]] && exit 0
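Review bot: This script drops `source googletest.sh` without defining a replacement `die()`, unlike the other test scripts in this commit, which add one at the same spot. The body of the script lies outside the hunk; if it still calls `die` on a failed check, bash will print "command not found" and carry on, so the test could finish successfully after a failure. Either add the same helper here, `die() { echo "$1" 1>&2; exit 1; }`, or confirm that no `die` call remains in the script.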


@ -46,3 +46,13 @@ cc_binary(
"@com_google_absl//absl/status:statusor", "@com_google_absl//absl/status:statusor",
], ],
) )
# Tests input/output conversion of zlib and compares with golden files
sh_test(
name = "main_zlib_test",
srcs = ["main_zlib_test.sh"],
data = [
":main_zlib",
],
tags = ["notsan"],
)
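Review bot: The comment on `main_zlib_test` says the test "compares with golden files", but `data` lists only `:main_zlib`, so no golden file is staged for the script at run time. If the script now checks the output against an inline digest, the comment should say so, for example `# Tests zlib input/output conversion against a known SHA256 digest`. The `tags = ["notsan"]` entry also deserves a one-line why-comment, since the reason for excluding this test from sanitizer runs is not visible here.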


@ -1,7 +1,25 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Unit test for main_zlib example. # Unit test for main_zlib example.
source googletest.sh || exit 1 die() {
echo "$1" 1>&2
exit 1
}
[[ -n "$COVERAGE" ]] && exit 0 [[ -n "$COVERAGE" ]] && exit 0
@ -10,12 +28,9 @@ TESTDATA="$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/examples/zlib/test
echo "aaaa" | "$BIN" || die 'FAILED: it should have exited with 0' echo "aaaa" | "$BIN" || die 'FAILED: it should have exited with 0'
capture_test_stdout echo "This is a test string" | "$BIN" | \
echo "This is a test string" | "$BIN" sha256sum --status -c \
diff_test_stdout "$TESTDATA/simple.out" <(echo 'fce569e9578b5aa56d9543866fea0beaed83c4959c898dbe4c31a543cd3ffe2b -') || \
die 'FAILED: it should match the golden SHA256'
capture_test_stdout
cat "$TESTDATA/zlib_main" | "$BIN"
diff_test_stdout "$TESTDATA/complex.out"
echo 'PASS' echo 'PASS'
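Review bot: In the new SHA256 check only the exit status of `sha256sum` reaches `|| die`; a non-zero exit from `"$BIN"` in the middle of the pipeline is ignored as long as the bytes it wrote hash to the expected value. Adding `set -o pipefail` near the top of the script would make the pipeline fail when the sandboxed binary does. The hard-coded digest would also be easier to maintain with a comment stating which input and expected output it was computed from. The second, larger-input comparison appears to have been dropped rather than replaced, so coverage of that case is presumably gone; the lines between the two hunks are not shown.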


@ -49,3 +49,10 @@ cc_binary(
"//sandboxed_api/util:raw_logging", "//sandboxed_api/util:raw_logging",
], ],
) )
# Test
sh_test(
name = "custom_fork_sandbox_test",
srcs = ["custom_fork_sandbox_test.sh"],
data = [":custom_fork_sandbox"],
)


@ -1,7 +1,25 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Unit test for the custom_fork_sandbox example. # Unit test for the custom_fork_sandbox example.
source googletest.sh || exit 1 die() {
echo "$1" 1>&2
exit 1
}
[[ -n "$COVERAGE" ]] && exit 0 [[ -n "$COVERAGE" ]] && exit 0


@ -52,3 +52,10 @@ cc_binary(
"@com_google_absl//absl/strings:str_format", "@com_google_absl//absl/strings:str_format",
], ],
) )
# Test
sh_test(
name = "network_sandbox_test",
srcs = ["network_sandbox_test.sh"],
data = [":network_sandbox"],
)


@ -1,6 +1,23 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
source googletest.sh || exit 1 die() {
echo "$1" 1>&2
exit 1
}
# Find input files # Find input files
BINDIR=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2 BINDIR=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2


@ -55,3 +55,10 @@ cc_binary(
"@com_google_absl//absl/strings:str_format", "@com_google_absl//absl/strings:str_format",
], ],
) )
# Test
sh_test(
name = "networkproxy_sandbox_test",
srcs = ["networkproxy_sandbox_test.sh"],
data = [":networkproxy_sandbox"],
)


@ -1,6 +1,23 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
source googletest.sh || exit 1 die() {
echo "$1" 1>&2
exit 1
}
# Find input files # Find input files
BINDIR=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2 BINDIR=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2


@ -51,3 +51,9 @@ cc_binary(
], ],
linkstatic = 1, linkstatic = 1,
) )
sh_test(
name = "static_sandbox_test",
srcs = ["static_sandbox_test.sh"],
data = [":static_sandbox"],
)


@ -16,6 +16,7 @@
// Use: static_sandbox --logtostderr // Use: static_sandbox --logtostderr
#include <fcntl.h> #include <fcntl.h>
#include <sys/mman.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <syscall.h> #include <syscall.h>
#include <unistd.h> #include <unistd.h>
@ -73,6 +74,16 @@ std::unique_ptr<sandbox2::Policy> GetPolicy() {
// write() calls with fd not in (1, 2) will continue evaluating the // write() calls with fd not in (1, 2) will continue evaluating the
// policy. This means that other rules might still allow them. // policy. This means that other rules might still allow them.
// Allow the dynamic loader to mark pages to never allow read-write-exec.
.AddPolicyOnSyscall(__NR_mprotect,
{
ARG_32(2),
JEQ32(PROT_READ, ALLOW),
JEQ32(PROT_NONE, ALLOW),
JEQ32(PROT_READ | PROT_WRITE, ALLOW),
JEQ32(PROT_READ | PROT_EXEC, ALLOW),
})
// Allow exit() only with an exit_code of 0. // Allow exit() only with an exit_code of 0.
// Explicitly jumping to KILL, thus the following rules can not // Explicitly jumping to KILL, thus the following rules can not
// override this rule. // override this rule.
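Review bot: The comment above the new `__NR_mprotect` rule does not state what the rule actually guarantees, and its wording ("to never allow read-write-exec") is hard to parse. The four `JEQ32` lines allow `PROT_READ`, `PROT_NONE`, `PROT_READ | PROT_WRITE` and `PROT_READ | PROT_EXEC`; any other value is not denied here but presumably continues through the policy, as the comment on the preceding `write()` rule describes, so whether a write+exec request is rejected depends on rules and the default action outside this hunk. The rule also only constrains a single call: a region can still be made writable and later switched to read+exec, which is worth saying so readers do not take it for a full W^X guarantee. I would reword the comment along the lines of `// Allow mprotect() only with PROT_NONE, R, RW or RX; other values fall through to later rules.` and confirm the fall-through behaviour against the rest of `GetPolicy()`, which starts and ends outside the hunk.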


@ -1,7 +1,25 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Unit test for static_sandbox example. # Unit test for static_sandbox example.
source googletest.sh || exit 1 die() {
echo "$1" 1>&2
exit 1
}
[[ -n "$COVERAGE" ]] && exit 0 [[ -n "$COVERAGE" ]] && exit 0


@ -40,3 +40,10 @@ cc_binary(
"@com_google_absl//absl/strings:str_format", "@com_google_absl//absl/strings:str_format",
], ],
) )
# Test
sh_test(
name = "sandbox2tool_test",
srcs = ["sandbox2tool_test.sh"],
data = [":sandbox2tool"],
)


@ -1,7 +1,25 @@
#!/bin/bash #!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Unit test for sandbox2tool example. # Unit test for sandbox2tool example.
source googletest.sh || exit 1 die() {
echo "$1" 1>&2
exit 1
}
BIN=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2/examples/tool/sandbox2tool BIN=$TEST_SRCDIR/com_google_sandboxed_api/sandboxed_api/sandbox2/examples/tool/sandbox2tool