Merge block bpf/ptrace tests

PiperOrigin-RevId: 561338563
Change-Id: If2704835c75ca0ae367375212c2104289e7b5cb0
This commit is contained in:
Wiktor Garbacz 2023-08-30 07:46:35 -07:00 committed by Copybara-Service
parent 5802d5b681
commit 47c868e6b1
4 changed files with 24 additions and 33 deletions

View File

@ -92,21 +92,6 @@ TEST(PolicyTest, PtraceDisallowed) {
EXPECT_THAT(result.reason_code(), Eq(__NR_ptrace));
}
TEST(PolicyTest, PtraceBlocked) {
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "8"};
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path)
.BlockSyscallWithErrno(__NR_ptrace, EPERM)
.TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
// The policy binary fails with an error if the system call is *not* blocked.
ASSERT_THAT(result.final_status(), Eq(Result::OK));
}
// Test that clone(2) with flag CLONE_UNTRACED is disallowed.
TEST(PolicyTest, CloneUntracedDisallowed) {
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
@ -133,21 +118,21 @@ TEST(PolicyTest, BpfDisallowed) {
EXPECT_THAT(result.reason_code(), Eq(__NR_bpf));
}
// Test that bpf(2) can return EPERM.
TEST(PolicyTest, BpfPermissionDenied) {
// Test that ptrace/bpf can return EPERM.
TEST(PolicyTest, BpfPtracePermissionDenied) {
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "7"};
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path)
.BlockSyscallWithErrno(__NR_bpf, EPERM)
SAPI_ASSERT_OK_AND_ASSIGN(
auto policy, CreateDefaultPermissiveTestPolicy(path)
.BlockSyscallsWithErrno({__NR_ptrace, __NR_bpf}, EPERM)
.TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
// bpf(2) is not a violation due to explicit policy. EPERM is expected.
// ptrace/bpf is not a violation due to explicit policy. EPERM is expected.
ASSERT_THAT(result.final_status(), Eq(Result::OK));
EXPECT_THAT(result.reason_code(), Eq(EPERM));
EXPECT_THAT(result.reason_code(), Eq(0));
}
TEST(PolicyTest, IsattyAllowed) {

View File

@ -129,6 +129,7 @@ cc_binary(
features = ["fully_static_link"],
deps = [
"//sandboxed_api:config",
"@com_google_absl//absl/base:core_headers",
],
)

View File

@ -150,6 +150,7 @@ set_target_properties(sandbox2_testcase_policy PROPERTIES
)
target_link_libraries(sandbox2_testcase_policy PRIVATE
-static
absl::core_headers
sapi::base
sapi::config
)

View File

@ -24,6 +24,7 @@
#include <cstdio>
#include <cstdlib>
#include "absl/base/attributes.h"
#include "sandboxed_api/config.h"
#ifdef SAPI_X86_64
@ -74,6 +75,15 @@ void TestPtraceBlocked() {
}
}
void TestBpfBlocked() {
int result = syscall(__NR_bpf, 0, nullptr, 0);
if (result != -1 || errno != EPERM) {
printf("System call should have been blocked\n");
exit(EXIT_FAILURE);
}
}
void TestCloneUntraced() {
syscall(__NR_clone, static_cast<uintptr_t>(CLONE_UNTRACED), nullptr, nullptr,
nullptr, static_cast<uintptr_t>(0));
@ -89,13 +99,7 @@ void TestBpf() {
exit(EXIT_FAILURE);
}
void TestBpfError() {
exit(syscall(__NR_bpf, 0, nullptr, 0) == -1 ? errno : 0);
}
void TestIsatty() {
isatty(0);
}
void TestIsatty() { isatty(0); }
int main(int argc, char* argv[]) {
// Disable buffering.
@ -131,10 +135,10 @@ int main(int argc, char* argv[]) {
TestIsatty();
break;
case 7:
TestBpfError();
break;
case 8:
TestPtraceBlocked();
ABSL_FALLTHROUGH_INTENDED;
case 8:
TestBpfBlocked();
break;
default:
printf("Unknown test: %d\n", testno);