Merge block bpf/ptrace tests

PiperOrigin-RevId: 561338563
Change-Id: If2704835c75ca0ae367375212c2104289e7b5cb0

sandboxed_api/sandbox2/policy_test.cc

@@ -92,21 +92,6 @@ TEST(PolicyTest, PtraceDisallowed) {
   EXPECT_THAT(result.reason_code(), Eq(__NR_ptrace));
 }
 
-TEST(PolicyTest, PtraceBlocked) {
-  const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
-  std::vector<std::string> args = {path, "8"};
-
-  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            CreateDefaultPermissiveTestPolicy(path)
-                                .BlockSyscallWithErrno(__NR_ptrace, EPERM)
-                                .TryBuild());
-  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
-  auto result = s2.Run();
-
-  // The policy binary fails with an error if the system call is *not* blocked.
-  ASSERT_THAT(result.final_status(), Eq(Result::OK));
-}
-
 // Test that clone(2) with flag CLONE_UNTRACED is disallowed.
 TEST(PolicyTest, CloneUntracedDisallowed) {
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
@@ -133,21 +118,21 @@ TEST(PolicyTest, BpfDisallowed) {
   EXPECT_THAT(result.reason_code(), Eq(__NR_bpf));
 }
 
-// Test that bpf(2) can return EPERM.
+// Test that ptrace/bpf can return EPERM.
-TEST(PolicyTest, BpfPermissionDenied) {
+TEST(PolicyTest, BpfPtracePermissionDenied) {
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "7"};
 
-  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+  SAPI_ASSERT_OK_AND_ASSIGN(
-                            CreateDefaultPermissiveTestPolicy(path)
+      auto policy, CreateDefaultPermissiveTestPolicy(path)
-                                .BlockSyscallWithErrno(__NR_bpf, EPERM)
+                       .BlockSyscallsWithErrno({__NR_ptrace, __NR_bpf}, EPERM)
                        .TryBuild());
   Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
-  // bpf(2) is not a violation due to explicit policy.  EPERM is expected.
+  // ptrace/bpf is not a violation due to explicit policy.  EPERM is expected.
   ASSERT_THAT(result.final_status(), Eq(Result::OK));
-  EXPECT_THAT(result.reason_code(), Eq(EPERM));
+  EXPECT_THAT(result.reason_code(), Eq(0));
 }
 
 TEST(PolicyTest, IsattyAllowed) {

sandboxed_api/sandbox2/testcases/BUILD.bazel

@@ -129,6 +129,7 @@ cc_binary(
     features = ["fully_static_link"],
     deps = [
         "//sandboxed_api:config",
+        "@com_google_absl//absl/base:core_headers",
     ],
 )
 

sandboxed_api/sandbox2/testcases/CMakeLists.txt

@@ -150,6 +150,7 @@ set_target_properties(sandbox2_testcase_policy PROPERTIES
 )
 target_link_libraries(sandbox2_testcase_policy PRIVATE
   -static
+  absl::core_headers
   sapi::base
   sapi::config
 )

sandboxed_api/sandbox2/testcases/policy.cc

@@ -24,6 +24,7 @@
 #include <cstdio>
 #include <cstdlib>
 
+#include "absl/base/attributes.h"
 #include "sandboxed_api/config.h"
 
 #ifdef SAPI_X86_64
@@ -74,6 +75,15 @@ void TestPtraceBlocked() {
   }
 }
 
+void TestBpfBlocked() {
+  int result = syscall(__NR_bpf, 0, nullptr, 0);
+
+  if (result != -1 || errno != EPERM) {
+    printf("System call should have been blocked\n");
+    exit(EXIT_FAILURE);
+  }
+}
+
 void TestCloneUntraced() {
   syscall(__NR_clone, static_cast<uintptr_t>(CLONE_UNTRACED), nullptr, nullptr,
           nullptr, static_cast<uintptr_t>(0));
@@ -89,13 +99,7 @@ void TestBpf() {
   exit(EXIT_FAILURE);
 }
 
-void TestBpfError() {
+void TestIsatty() { isatty(0); }
-  exit(syscall(__NR_bpf, 0, nullptr, 0) == -1 ? errno : 0);
-}
-
-void TestIsatty() {
-  isatty(0);
-}
 
 int main(int argc, char* argv[]) {
   // Disable buffering.
@@ -131,10 +135,10 @@ int main(int argc, char* argv[]) {
       TestIsatty();
       break;
     case 7:
-      TestBpfError();
-      break;
-    case 8:
       TestPtraceBlocked();
+      ABSL_FALLTHROUGH_INTENDED;
+    case 8:
+      TestBpfBlocked();
       break;
     default:
       printf("Unknown test: %d\n", testno);