mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Use namespaced policy in most tests
Drive-by some test cleanups. PiperOrigin-RevId: 510134967 Change-Id: I40328a644690865c5cc0a0eb265222ebf7ff83e0
This commit is contained in:
parent
71692bb50b
commit
6db17e7ab3
@ -614,7 +614,6 @@ cc_test(
|
|||||||
":mounts",
|
":mounts",
|
||||||
"//sandboxed_api:testing",
|
"//sandboxed_api:testing",
|
||||||
"//sandboxed_api/util:file_base",
|
"//sandboxed_api/util:file_base",
|
||||||
"//sandboxed_api/util:file_helpers",
|
|
||||||
"//sandboxed_api/util:status_matchers",
|
"//sandboxed_api/util:status_matchers",
|
||||||
"//sandboxed_api/util:temp_file",
|
"//sandboxed_api/util:temp_file",
|
||||||
"@com_google_absl//absl/strings",
|
"@com_google_absl//absl/strings",
|
||||||
@ -826,7 +825,6 @@ cc_test(
|
|||||||
":sandbox2",
|
":sandbox2",
|
||||||
"//sandboxed_api:config",
|
"//sandboxed_api:config",
|
||||||
"//sandboxed_api:testing",
|
"//sandboxed_api:testing",
|
||||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
|
||||||
"//sandboxed_api/util:status_matchers",
|
"//sandboxed_api/util:status_matchers",
|
||||||
"@com_google_googletest//:gtest_main",
|
"@com_google_googletest//:gtest_main",
|
||||||
],
|
],
|
||||||
@ -916,7 +914,6 @@ cc_test(
|
|||||||
":sanitizer",
|
":sanitizer",
|
||||||
":util",
|
":util",
|
||||||
"//sandboxed_api:testing",
|
"//sandboxed_api:testing",
|
||||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
|
||||||
"//sandboxed_api/util:status_matchers",
|
"//sandboxed_api/util:status_matchers",
|
||||||
"@com_google_absl//absl/container:flat_hash_set",
|
"@com_google_absl//absl/container:flat_hash_set",
|
||||||
"@com_google_absl//absl/log",
|
"@com_google_absl//absl/log",
|
||||||
@ -932,7 +929,6 @@ cc_test(
|
|||||||
deps = [
|
deps = [
|
||||||
":util",
|
":util",
|
||||||
"//sandboxed_api:testing",
|
"//sandboxed_api:testing",
|
||||||
"//sandboxed_api/util:file_base",
|
|
||||||
"@com_google_googletest//:gtest_main",
|
"@com_google_googletest//:gtest_main",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
@ -988,7 +988,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_sandbox2_test PRIVATE
|
target_link_libraries(sandbox2_sandbox2_test PRIVATE
|
||||||
absl::strings
|
absl::strings
|
||||||
sandbox2::bpf_helper
|
|
||||||
sapi::config
|
sapi::config
|
||||||
sandbox2::sandbox2
|
sandbox2::sandbox2
|
||||||
sapi::testing
|
sapi::testing
|
||||||
@ -1036,7 +1035,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||||||
OUTPUT_NAME util_test
|
OUTPUT_NAME util_test
|
||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_util_test PRIVATE
|
target_link_libraries(sandbox2_util_test PRIVATE
|
||||||
sapi::file_base
|
|
||||||
sapi::testing
|
sapi::testing
|
||||||
sandbox2::util
|
sandbox2::util
|
||||||
sapi::test_main
|
sapi::test_main
|
||||||
|
@ -64,7 +64,6 @@ TEST(BufferTest, TestImplementation) {
|
|||||||
|
|
||||||
std::unique_ptr<Policy> BufferTestcasePolicy() {
|
std::unique_ptr<Policy> BufferTestcasePolicy() {
|
||||||
auto s2p = PolicyBuilder()
|
auto s2p = PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
.AllowDynamicStartup()
|
.AllowDynamicStartup()
|
||||||
.AllowExit()
|
.AllowExit()
|
||||||
.AllowSafeFcntl()
|
.AllowSafeFcntl()
|
||||||
|
@ -51,7 +51,6 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
PolicyBuilder()
|
PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
@ -89,7 +88,6 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
PolicyBuilder()
|
PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
@ -122,7 +120,6 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
PolicyBuilder()
|
PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
|
@ -28,7 +28,6 @@
|
|||||||
#include "sandboxed_api/sandbox2/policybuilder.h"
|
#include "sandboxed_api/sandbox2/policybuilder.h"
|
||||||
#include "sandboxed_api/sandbox2/result.h"
|
#include "sandboxed_api/sandbox2/result.h"
|
||||||
#include "sandboxed_api/sandbox2/sandbox2.h"
|
#include "sandboxed_api/sandbox2/sandbox2.h"
|
||||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
|
||||||
#include "sandboxed_api/testing.h"
|
#include "sandboxed_api/testing.h"
|
||||||
#include "sandboxed_api/util/status_matchers.h"
|
#include "sandboxed_api/util/status_matchers.h"
|
||||||
|
|
||||||
@ -45,7 +44,6 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
sandbox2::PolicyBuilder()
|
sandbox2::PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
@ -64,7 +62,6 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
sandbox2::PolicyBuilder()
|
sandbox2::PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
@ -83,7 +80,6 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
sandbox2::PolicyBuilder()
|
sandbox2::PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
@ -102,7 +98,6 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
sandbox2::PolicyBuilder()
|
sandbox2::PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
@ -121,7 +116,6 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
sandbox2::PolicyBuilder()
|
sandbox2::PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
|
@ -23,7 +23,6 @@
|
|||||||
#include "absl/strings/match.h"
|
#include "absl/strings/match.h"
|
||||||
#include "absl/strings/str_cat.h"
|
#include "absl/strings/str_cat.h"
|
||||||
#include "sandboxed_api/testing.h"
|
#include "sandboxed_api/testing.h"
|
||||||
#include "sandboxed_api/util/file_helpers.h"
|
|
||||||
#include "sandboxed_api/util/path.h"
|
#include "sandboxed_api/util/path.h"
|
||||||
#include "sandboxed_api/util/status_matchers.h"
|
#include "sandboxed_api/util/status_matchers.h"
|
||||||
#include "sandboxed_api/util/temp_file.h"
|
#include "sandboxed_api/util/temp_file.h"
|
||||||
|
@ -44,7 +44,6 @@ using ::testing::Eq;
|
|||||||
// chosen because unlikely to be called by a regular program.
|
// chosen because unlikely to be called by a regular program.
|
||||||
std::unique_ptr<Policy> NotifyTestcasePolicy() {
|
std::unique_ptr<Policy> NotifyTestcasePolicy() {
|
||||||
return PolicyBuilder()
|
return PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
.AllowDynamicStartup() // For PrintPidAndComms and includes
|
.AllowDynamicStartup() // For PrintPidAndComms and includes
|
||||||
// AllowStaticStartup
|
// AllowStaticStartup
|
||||||
.AllowExit()
|
.AllowExit()
|
||||||
|
@ -57,7 +57,6 @@ class Policy final {
|
|||||||
friend class MonitorBase;
|
friend class MonitorBase;
|
||||||
friend class PtraceMonitor;
|
friend class PtraceMonitor;
|
||||||
friend class PolicyBuilder;
|
friend class PolicyBuilder;
|
||||||
friend class PolicyBuilderPeer; // For testing
|
|
||||||
friend class StackTracePeer;
|
friend class StackTracePeer;
|
||||||
|
|
||||||
// Private constructor only called by the PolicyBuilder.
|
// Private constructor only called by the PolicyBuilder.
|
||||||
|
@ -32,7 +32,6 @@
|
|||||||
#include "sandboxed_api/sandbox2/policybuilder.h"
|
#include "sandboxed_api/sandbox2/policybuilder.h"
|
||||||
#include "sandboxed_api/sandbox2/result.h"
|
#include "sandboxed_api/sandbox2/result.h"
|
||||||
#include "sandboxed_api/sandbox2/sandbox2.h"
|
#include "sandboxed_api/sandbox2/sandbox2.h"
|
||||||
#include "sandboxed_api/sandbox2/syscall.h"
|
|
||||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
||||||
#include "sandboxed_api/testing.h"
|
#include "sandboxed_api/testing.h"
|
||||||
|
|
||||||
@ -46,11 +45,10 @@ PolicyBuilder CreatePolicyTestPolicyBuilder() {
|
|||||||
sandbox2::PolicyBuilder builder;
|
sandbox2::PolicyBuilder builder;
|
||||||
|
|
||||||
if constexpr (sapi::host_os::IsAndroid()) {
|
if constexpr (sapi::host_os::IsAndroid()) {
|
||||||
builder.AllowDynamicStartup();
|
builder.DisableNamespaces().AllowDynamicStartup();
|
||||||
}
|
}
|
||||||
|
|
||||||
builder.DisableNamespaces()
|
builder.AllowStaticStartup()
|
||||||
.AllowStaticStartup()
|
|
||||||
.AllowExit()
|
.AllowExit()
|
||||||
.AllowRead()
|
.AllowRead()
|
||||||
.AllowWrite()
|
.AllowWrite()
|
||||||
|
@ -37,6 +37,19 @@
|
|||||||
namespace sandbox2 {
|
namespace sandbox2 {
|
||||||
namespace {
|
namespace {
|
||||||
|
|
||||||
|
PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) {
|
||||||
|
PolicyBuilder builder;
|
||||||
|
// Don't restrict the syscalls at all.
|
||||||
|
builder.DangerDefaultAllowAll();
|
||||||
|
if constexpr (sapi::sanitizers::IsAny()) {
|
||||||
|
builder.AddLibrariesForBinary(path);
|
||||||
|
}
|
||||||
|
if constexpr (sapi::sanitizers::IsAny()) {
|
||||||
|
builder.AddDirectory("/proc");
|
||||||
|
}
|
||||||
|
return builder;
|
||||||
|
}
|
||||||
|
|
||||||
using ::sapi::GetTestSourcePath;
|
using ::sapi::GetTestSourcePath;
|
||||||
using ::testing::Eq;
|
using ::testing::Eq;
|
||||||
using ::testing::HasSubstr;
|
using ::testing::HasSubstr;
|
||||||
@ -54,12 +67,8 @@ TEST(SandboxCoreDumpTest, AbortWithoutCoreDumpReturnsSignaled) {
|
|||||||
};
|
};
|
||||||
auto executor = std::make_unique<Executor>(path, args);
|
auto executor = std::make_unique<Executor>(path, args);
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPolicyBuilder(path)
|
||||||
PolicyBuilder()
|
.TryBuild());
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
|
||||||
.DangerDefaultAllowAll()
|
|
||||||
.TryBuild());
|
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
auto result = sandbox.Run();
|
auto result = sandbox.Run();
|
||||||
|
|
||||||
@ -78,11 +87,7 @@ TEST(TsyncTest, TsyncNoMemoryChecks) {
|
|||||||
executor->set_enable_sandbox_before_exec(false);
|
executor->set_enable_sandbox_before_exec(false);
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
PolicyBuilder()
|
CreateDefaultPolicyBuilder(path).TryBuild());
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
|
||||||
.DangerDefaultAllowAll()
|
|
||||||
.TryBuild());
|
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
auto result = sandbox.Run();
|
auto result = sandbox.Run();
|
||||||
|
|
||||||
@ -105,42 +110,15 @@ TEST(ExecutorTest, ExecutorFdConstructor) {
|
|||||||
auto executor = std::make_unique<Executor>(fd, args, envs);
|
auto executor = std::make_unique<Executor>(fd, args, envs);
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
PolicyBuilder()
|
CreateDefaultPolicyBuilder(path).TryBuild());
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
|
||||||
.DangerDefaultAllowAll()
|
|
||||||
.TryBuild());
|
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
auto result = sandbox.Run();
|
auto result = sandbox.Run();
|
||||||
|
|
||||||
ASSERT_EQ(result.final_status(), Result::OK);
|
ASSERT_EQ(result.final_status(), Result::OK);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Tests that we return the correct state when the sandboxee was killed by an
|
|
||||||
// external signal. Also make sure that we do not have the stack trace.
|
|
||||||
TEST(RunAsyncTest, SandboxeeExternalKill) {
|
|
||||||
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
|
||||||
|
|
||||||
std::vector<std::string> args = {path};
|
|
||||||
std::vector<std::string> envs;
|
|
||||||
auto executor = std::make_unique<Executor>(path, args, envs);
|
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
|
||||||
PolicyBuilder()
|
|
||||||
// Don't restrict the syscalls at all.
|
|
||||||
.DangerDefaultAllowAll()
|
|
||||||
.TryBuild());
|
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
|
||||||
ASSERT_TRUE(sandbox.RunAsync());
|
|
||||||
sleep(1);
|
|
||||||
sandbox.Kill();
|
|
||||||
auto result = sandbox.AwaitResult();
|
|
||||||
EXPECT_EQ(result.final_status(), Result::EXTERNAL_KILL);
|
|
||||||
EXPECT_THAT(result.GetStackTrace(), IsEmpty());
|
|
||||||
}
|
|
||||||
|
|
||||||
// Tests that we return the correct state when the sandboxee timed out.
|
// Tests that we return the correct state when the sandboxee timed out.
|
||||||
TEST(RunAsyncTest, SandboxeeTimeoutWithStacktraces) {
|
TEST(StackTraceTest, StackTraceOnTimeoutWorks) {
|
||||||
SKIP_ANDROID;
|
SKIP_ANDROID;
|
||||||
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
||||||
|
|
||||||
@ -161,6 +139,26 @@ TEST(RunAsyncTest, SandboxeeTimeoutWithStacktraces) {
|
|||||||
EXPECT_THAT(result.GetStackTrace(), HasSubstr("sleep"));
|
EXPECT_THAT(result.GetStackTrace(), HasSubstr("sleep"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Tests that we return the correct state when the sandboxee was killed by an
|
||||||
|
// external signal. Also make sure that we do not have the stack trace.
|
||||||
|
TEST(RunAsyncTest, SandboxeeExternalKill) {
|
||||||
|
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
||||||
|
|
||||||
|
std::vector<std::string> args = {path};
|
||||||
|
std::vector<std::string> envs;
|
||||||
|
auto executor = std::make_unique<Executor>(path, args, envs);
|
||||||
|
|
||||||
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
|
CreateDefaultPolicyBuilder(path).TryBuild());
|
||||||
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
|
ASSERT_TRUE(sandbox.RunAsync());
|
||||||
|
sleep(1);
|
||||||
|
sandbox.Kill();
|
||||||
|
auto result = sandbox.AwaitResult();
|
||||||
|
EXPECT_EQ(result.final_status(), Result::EXTERNAL_KILL);
|
||||||
|
EXPECT_THAT(result.GetStackTrace(), IsEmpty());
|
||||||
|
}
|
||||||
|
|
||||||
// Tests that we do not collect stack traces if it was disabled (signaled).
|
// Tests that we do not collect stack traces if it was disabled (signaled).
|
||||||
TEST(RunAsyncTest, SandboxeeTimeoutDisabledStacktraces) {
|
TEST(RunAsyncTest, SandboxeeTimeoutDisabledStacktraces) {
|
||||||
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
||||||
@ -169,10 +167,29 @@ TEST(RunAsyncTest, SandboxeeTimeoutDisabledStacktraces) {
|
|||||||
std::vector<std::string> envs;
|
std::vector<std::string> envs;
|
||||||
auto executor = std::make_unique<Executor>(path, args, envs);
|
auto executor = std::make_unique<Executor>(path, args, envs);
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPolicyBuilder(path)
|
||||||
PolicyBuilder()
|
.CollectStacktracesOnTimeout(false)
|
||||||
// Don't restrict the syscalls at all.
|
.TryBuild());
|
||||||
.DangerDefaultAllowAll()
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
|
ASSERT_TRUE(sandbox.RunAsync());
|
||||||
|
sandbox.set_walltime_limit(absl::Seconds(1));
|
||||||
|
auto result = sandbox.AwaitResult();
|
||||||
|
EXPECT_EQ(result.final_status(), Result::TIMEOUT);
|
||||||
|
EXPECT_THAT(result.GetStackTrace(), IsEmpty());
|
||||||
|
}
|
||||||
|
|
||||||
|
// Tests that we do not collect stack traces if it was disabled (violation).
|
||||||
|
TEST(RunAsyncTest, SandboxeeViolationDisabledStacktraces) {
|
||||||
|
const std::string path = GetTestSourcePath("sandbox2/testcases/sleep");
|
||||||
|
|
||||||
|
std::vector<std::string> args = {path};
|
||||||
|
std::vector<std::string> envs;
|
||||||
|
auto executor = std::make_unique<Executor>(path, args, envs);
|
||||||
|
|
||||||
|
SAPI_ASSERT_OK_AND_ASSIGN(
|
||||||
|
auto policy, PolicyBuilder()
|
||||||
|
// Don't allow anything - Make sure that we'll crash.
|
||||||
|
.CollectStacktracesOnViolation(false)
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
ASSERT_TRUE(sandbox.RunAsync());
|
ASSERT_TRUE(sandbox.RunAsync());
|
||||||
@ -186,12 +203,9 @@ TEST(RunAsyncTest, SandboxeeNotKilledWhenStartingThreadFinishes) {
|
|||||||
std::vector<std::string> args = {path};
|
std::vector<std::string> args = {path};
|
||||||
auto executor = std::make_unique<Executor>(path, args);
|
auto executor = std::make_unique<Executor>(path, args);
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPolicyBuilder(path)
|
||||||
PolicyBuilder()
|
.CollectStacktracesOnExit(true)
|
||||||
// Don't restrict the syscalls at all.
|
.TryBuild());
|
||||||
.DangerDefaultAllowAll()
|
|
||||||
.CollectStacktracesOnExit(true)
|
|
||||||
.TryBuild());
|
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
std::thread sandbox_start_thread([&sandbox]() { sandbox.RunAsync(); });
|
std::thread sandbox_start_thread([&sandbox]() { sandbox.RunAsync(); });
|
||||||
sandbox_start_thread.join();
|
sandbox_start_thread.join();
|
||||||
@ -207,9 +221,8 @@ TEST(StarvationTest, MonitorIsNotStarvedByTheSandboxee) {
|
|||||||
auto executor = std::make_unique<Executor>(path, args, envs);
|
auto executor = std::make_unique<Executor>(path, args, envs);
|
||||||
executor->limits()->set_walltime_limit(absl::Seconds(5));
|
executor->limits()->set_walltime_limit(absl::Seconds(5));
|
||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
auto policy,
|
CreateDefaultPolicyBuilder(path).TryBuild());
|
||||||
PolicyBuilder().DisableNamespaces().DangerDefaultAllowAll().TryBuild());
|
|
||||||
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
||||||
|
|
||||||
auto start = absl::Now();
|
auto start = absl::Now();
|
||||||
|
@ -28,7 +28,6 @@
|
|||||||
#include "gtest/gtest.h"
|
#include "gtest/gtest.h"
|
||||||
#include "absl/container/flat_hash_set.h"
|
#include "absl/container/flat_hash_set.h"
|
||||||
#include "absl/log/log.h"
|
#include "absl/log/log.h"
|
||||||
#include "absl/strings/numbers.h"
|
|
||||||
#include "absl/strings/str_cat.h"
|
#include "absl/strings/str_cat.h"
|
||||||
#include "sandboxed_api/sandbox2/comms.h"
|
#include "sandboxed_api/sandbox2/comms.h"
|
||||||
#include "sandboxed_api/sandbox2/executor.h"
|
#include "sandboxed_api/sandbox2/executor.h"
|
||||||
@ -37,7 +36,6 @@
|
|||||||
#include "sandboxed_api/sandbox2/result.h"
|
#include "sandboxed_api/sandbox2/result.h"
|
||||||
#include "sandboxed_api/sandbox2/sandbox2.h"
|
#include "sandboxed_api/sandbox2/sandbox2.h"
|
||||||
#include "sandboxed_api/sandbox2/util.h"
|
#include "sandboxed_api/sandbox2/util.h"
|
||||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
|
||||||
#include "sandboxed_api/testing.h"
|
#include "sandboxed_api/testing.h"
|
||||||
#include "sandboxed_api/util/status_matchers.h"
|
#include "sandboxed_api/util/status_matchers.h"
|
||||||
|
|
||||||
@ -120,7 +118,6 @@ TEST(SanitizerTest, TestSandboxedBinary) {
|
|||||||
|
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||||
PolicyBuilder()
|
PolicyBuilder()
|
||||||
.DisableNamespaces()
|
|
||||||
// Don't restrict the syscalls at all.
|
// Don't restrict the syscalls at all.
|
||||||
.DangerDefaultAllowAll()
|
.DangerDefaultAllowAll()
|
||||||
.TryBuild());
|
.TryBuild());
|
||||||
|
@ -59,7 +59,7 @@ using ::testing::Not;
|
|||||||
|
|
||||||
// Test that symbolization of stack traces works.
|
// Test that symbolization of stack traces works.
|
||||||
void SymbolizationWorksCommon(
|
void SymbolizationWorksCommon(
|
||||||
const std::function<void(PolicyBuilder*)>& modify_policy) {
|
std::function<void(PolicyBuilder*)> modify_policy = {}) {
|
||||||
const std::string path = GetTestSourcePath("sandbox2/testcases/symbolize");
|
const std::string path = GetTestSourcePath("sandbox2/testcases/symbolize");
|
||||||
std::vector<std::string> args = {path, "1"};
|
std::vector<std::string> args = {path, "1"};
|
||||||
|
|
||||||
@ -78,7 +78,9 @@ void SymbolizationWorksCommon(
|
|||||||
.AddFile(path)
|
.AddFile(path)
|
||||||
.AddLibrariesForBinary(path)
|
.AddLibrariesForBinary(path)
|
||||||
.AddFileAt(temp_filename, "/proc/cpuinfo");
|
.AddFileAt(temp_filename, "/proc/cpuinfo");
|
||||||
modify_policy(&policybuilder);
|
if (modify_policy) {
|
||||||
|
modify_policy(&policybuilder);
|
||||||
|
}
|
||||||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, policybuilder.TryBuild());
|
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, policybuilder.TryBuild());
|
||||||
|
|
||||||
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
|
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
|
||||||
@ -95,7 +97,7 @@ TEST(StackTraceTest, SymbolizationWorksNonSandboxedLibunwind) {
|
|||||||
absl::FlagSaver fs;
|
absl::FlagSaver fs;
|
||||||
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, false);
|
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, false);
|
||||||
|
|
||||||
SymbolizationWorksCommon([](PolicyBuilder*) {});
|
SymbolizationWorksCommon();
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
|
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
|
||||||
@ -103,7 +105,7 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
|
|||||||
absl::FlagSaver fs;
|
absl::FlagSaver fs;
|
||||||
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
|
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
|
||||||
|
|
||||||
SymbolizationWorksCommon([](PolicyBuilder*) {});
|
SymbolizationWorksCommon();
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcDirMounted) {
|
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcDirMounted) {
|
||||||
|
@ -40,6 +40,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["abort.cc"],
|
srcs = ["abort.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
deps = ["//sandboxed_api/util:raw_logging"],
|
deps = ["//sandboxed_api/util:raw_logging"],
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -56,6 +57,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["buffer.cc"],
|
srcs = ["buffer.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
deps = [
|
deps = [
|
||||||
"//sandboxed_api/sandbox2:buffer",
|
"//sandboxed_api/sandbox2:buffer",
|
||||||
"//sandboxed_api/sandbox2:comms",
|
"//sandboxed_api/sandbox2:comms",
|
||||||
@ -68,6 +70,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["ipc.cc"],
|
srcs = ["ipc.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
deps = [
|
deps = [
|
||||||
"//sandboxed_api/sandbox2:client",
|
"//sandboxed_api/sandbox2:client",
|
||||||
"//sandboxed_api/sandbox2:comms",
|
"//sandboxed_api/sandbox2:comms",
|
||||||
@ -112,6 +115,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["pidcomms.cc"],
|
srcs = ["pidcomms.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
deps = [
|
deps = [
|
||||||
"//sandboxed_api/sandbox2:client",
|
"//sandboxed_api/sandbox2:client",
|
||||||
"//sandboxed_api/sandbox2:comms",
|
"//sandboxed_api/sandbox2:comms",
|
||||||
@ -135,6 +139,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["sanitizer.cc"],
|
srcs = ["sanitizer.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
)
|
)
|
||||||
|
|
||||||
cc_binary(
|
cc_binary(
|
||||||
@ -176,6 +181,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["tsync.cc"],
|
srcs = ["tsync.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
deps = [
|
deps = [
|
||||||
"//sandboxed_api/sandbox2:client",
|
"//sandboxed_api/sandbox2:client",
|
||||||
"//sandboxed_api/sandbox2:comms",
|
"//sandboxed_api/sandbox2:comms",
|
||||||
@ -187,6 +193,7 @@ cc_binary(
|
|||||||
testonly = True,
|
testonly = True,
|
||||||
srcs = ["starve.cc"],
|
srcs = ["starve.cc"],
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
|
features = ["fully_static_link"],
|
||||||
)
|
)
|
||||||
|
|
||||||
cc_binary(
|
cc_binary(
|
||||||
|
@ -20,6 +20,7 @@ set_target_properties(sandbox2_testcase_abort PROPERTIES
|
|||||||
OUTPUT_NAME abort)
|
OUTPUT_NAME abort)
|
||||||
add_executable(sandbox2::testcase_abort ALIAS sandbox2_testcase_abort)
|
add_executable(sandbox2::testcase_abort ALIAS sandbox2_testcase_abort)
|
||||||
target_link_libraries(sandbox2_testcase_abort PRIVATE
|
target_link_libraries(sandbox2_testcase_abort PRIVATE
|
||||||
|
-static
|
||||||
sapi::base
|
sapi::base
|
||||||
sapi::raw_logging
|
sapi::raw_logging
|
||||||
)
|
)
|
||||||
@ -47,6 +48,7 @@ set_target_properties(sandbox2_testcase_buffer PROPERTIES
|
|||||||
OUTPUT_NAME buffer
|
OUTPUT_NAME buffer
|
||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_testcase_buffer PRIVATE
|
target_link_libraries(sandbox2_testcase_buffer PRIVATE
|
||||||
|
-static
|
||||||
absl::str_format
|
absl::str_format
|
||||||
sandbox2::buffer
|
sandbox2::buffer
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
@ -62,6 +64,7 @@ set_target_properties(sandbox2_testcase_ipc PROPERTIES
|
|||||||
)
|
)
|
||||||
add_executable(sandbox2::testcase_ipc ALIAS sandbox2_testcase_ipc)
|
add_executable(sandbox2::testcase_ipc ALIAS sandbox2_testcase_ipc)
|
||||||
target_link_libraries(sandbox2_testcase_ipc PRIVATE
|
target_link_libraries(sandbox2_testcase_ipc PRIVATE
|
||||||
|
-static
|
||||||
absl::strings
|
absl::strings
|
||||||
sandbox2::client
|
sandbox2::client
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
@ -132,6 +135,7 @@ set_target_properties(sandbox2_testcase_pidcomms PROPERTIES
|
|||||||
OUTPUT_NAME pidcomms
|
OUTPUT_NAME pidcomms
|
||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_testcase_pidcomms PRIVATE
|
target_link_libraries(sandbox2_testcase_pidcomms PRIVATE
|
||||||
|
-static
|
||||||
sandbox2::client
|
sandbox2::client
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
sapi::base
|
sapi::base
|
||||||
@ -161,6 +165,7 @@ set_target_properties(sandbox2_testcase_sanitizer PROPERTIES
|
|||||||
OUTPUT_NAME sanitizer
|
OUTPUT_NAME sanitizer
|
||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_testcase_sanitizer PRIVATE
|
target_link_libraries(sandbox2_testcase_sanitizer PRIVATE
|
||||||
|
-static
|
||||||
sapi::base
|
sapi::base
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -220,6 +225,7 @@ set_target_properties(sandbox2_testcase_starve PROPERTIES
|
|||||||
OUTPUT_NAME starve
|
OUTPUT_NAME starve
|
||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_testcase_starve PRIVATE
|
target_link_libraries(sandbox2_testcase_starve PRIVATE
|
||||||
|
-static
|
||||||
sapi::base
|
sapi::base
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -232,6 +238,7 @@ set_target_properties(sandbox2_testcase_tsync PROPERTIES
|
|||||||
OUTPUT_NAME tsync
|
OUTPUT_NAME tsync
|
||||||
)
|
)
|
||||||
target_link_libraries(sandbox2_testcase_tsync PRIVATE
|
target_link_libraries(sandbox2_testcase_tsync PRIVATE
|
||||||
|
-static
|
||||||
sandbox2::client
|
sandbox2::client
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
sapi::base
|
sapi::base
|
||||||
|
@ -21,7 +21,6 @@
|
|||||||
#include "gmock/gmock.h"
|
#include "gmock/gmock.h"
|
||||||
#include "gtest/gtest.h"
|
#include "gtest/gtest.h"
|
||||||
#include "sandboxed_api/testing.h"
|
#include "sandboxed_api/testing.h"
|
||||||
#include "sandboxed_api/util/path.h"
|
|
||||||
|
|
||||||
namespace sandbox2::util {
|
namespace sandbox2::util {
|
||||||
namespace {
|
namespace {
|
||||||
|
Loading…
x
Reference in New Issue
Block a user