mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Merge block bpf/ptrace tests
PiperOrigin-RevId: 561338563 Change-Id: If2704835c75ca0ae367375212c2104289e7b5cb0
This commit is contained in:
parent
5802d5b681
commit
47c868e6b1
|
@ -92,21 +92,6 @@ TEST(PolicyTest, PtraceDisallowed) {
|
|||
EXPECT_THAT(result.reason_code(), Eq(__NR_ptrace));
|
||||
}
|
||||
|
||||
TEST(PolicyTest, PtraceBlocked) {
|
||||
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
|
||||
std::vector<std::string> args = {path, "8"};
|
||||
|
||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
CreateDefaultPermissiveTestPolicy(path)
|
||||
.BlockSyscallWithErrno(__NR_ptrace, EPERM)
|
||||
.TryBuild());
|
||||
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
||||
// The policy binary fails with an error if the system call is *not* blocked.
|
||||
ASSERT_THAT(result.final_status(), Eq(Result::OK));
|
||||
}
|
||||
|
||||
// Test that clone(2) with flag CLONE_UNTRACED is disallowed.
|
||||
TEST(PolicyTest, CloneUntracedDisallowed) {
|
||||
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
|
||||
|
@ -133,21 +118,21 @@ TEST(PolicyTest, BpfDisallowed) {
|
|||
EXPECT_THAT(result.reason_code(), Eq(__NR_bpf));
|
||||
}
|
||||
|
||||
// Test that bpf(2) can return EPERM.
|
||||
TEST(PolicyTest, BpfPermissionDenied) {
|
||||
// Test that ptrace/bpf can return EPERM.
|
||||
TEST(PolicyTest, BpfPtracePermissionDenied) {
|
||||
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
|
||||
std::vector<std::string> args = {path, "7"};
|
||||
|
||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
CreateDefaultPermissiveTestPolicy(path)
|
||||
.BlockSyscallWithErrno(__NR_bpf, EPERM)
|
||||
.TryBuild());
|
||||
SAPI_ASSERT_OK_AND_ASSIGN(
|
||||
auto policy, CreateDefaultPermissiveTestPolicy(path)
|
||||
.BlockSyscallsWithErrno({__NR_ptrace, __NR_bpf}, EPERM)
|
||||
.TryBuild());
|
||||
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
||||
// bpf(2) is not a violation due to explicit policy. EPERM is expected.
|
||||
// ptrace/bpf is not a violation due to explicit policy. EPERM is expected.
|
||||
ASSERT_THAT(result.final_status(), Eq(Result::OK));
|
||||
EXPECT_THAT(result.reason_code(), Eq(EPERM));
|
||||
EXPECT_THAT(result.reason_code(), Eq(0));
|
||||
}
|
||||
|
||||
TEST(PolicyTest, IsattyAllowed) {
|
||||
|
|
|
@ -129,6 +129,7 @@ cc_binary(
|
|||
features = ["fully_static_link"],
|
||||
deps = [
|
||||
"//sandboxed_api:config",
|
||||
"@com_google_absl//absl/base:core_headers",
|
||||
],
|
||||
)
|
||||
|
||||
|
|
|
@ -150,6 +150,7 @@ set_target_properties(sandbox2_testcase_policy PROPERTIES
|
|||
)
|
||||
target_link_libraries(sandbox2_testcase_policy PRIVATE
|
||||
-static
|
||||
absl::core_headers
|
||||
sapi::base
|
||||
sapi::config
|
||||
)
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
#include <cstdio>
|
||||
#include <cstdlib>
|
||||
|
||||
#include "absl/base/attributes.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
|
||||
#ifdef SAPI_X86_64
|
||||
|
@ -74,6 +75,15 @@ void TestPtraceBlocked() {
|
|||
}
|
||||
}
|
||||
|
||||
void TestBpfBlocked() {
|
||||
int result = syscall(__NR_bpf, 0, nullptr, 0);
|
||||
|
||||
if (result != -1 || errno != EPERM) {
|
||||
printf("System call should have been blocked\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
void TestCloneUntraced() {
|
||||
syscall(__NR_clone, static_cast<uintptr_t>(CLONE_UNTRACED), nullptr, nullptr,
|
||||
nullptr, static_cast<uintptr_t>(0));
|
||||
|
@ -89,13 +99,7 @@ void TestBpf() {
|
|||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
void TestBpfError() {
|
||||
exit(syscall(__NR_bpf, 0, nullptr, 0) == -1 ? errno : 0);
|
||||
}
|
||||
|
||||
void TestIsatty() {
|
||||
isatty(0);
|
||||
}
|
||||
void TestIsatty() { isatty(0); }
|
||||
|
||||
int main(int argc, char* argv[]) {
|
||||
// Disable buffering.
|
||||
|
@ -131,10 +135,10 @@ int main(int argc, char* argv[]) {
|
|||
TestIsatty();
|
||||
break;
|
||||
case 7:
|
||||
TestBpfError();
|
||||
break;
|
||||
case 8:
|
||||
TestPtraceBlocked();
|
||||
ABSL_FALLTHROUGH_INTENDED;
|
||||
case 8:
|
||||
TestBpfBlocked();
|
||||
break;
|
||||
default:
|
||||
printf("Unknown test: %d\n", testno);
|
||||
|
|
Loading…
Reference in New Issue
Block a user