PolicyBuilder: test error conditions for AddPolicyOnSyscalls

PiperOrigin-RevId: 562768777
Change-Id: If756f83ea657cc6cd4c1283339a2909071a47493

sandboxed_api/sandbox2/BUILD.bazel

@@ -1073,7 +1073,9 @@ cc_test(
     srcs = ["policybuilder_test.cc"],
     copts = sapi_platform_copts(),
     deps = [
+        ":policy",
         ":policybuilder",
+        ":violation_cc_proto",
         "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:status_matchers",
         "@com_google_absl//absl/status",

sandboxed_api/sandbox2/CMakeLists.txt

@@ -1170,7 +1170,9 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
             absl::status
             absl::statusor
             sandbox2::bpf_helper
+            sandbox2::policy
             sandbox2::policybuilder
+            sandbox2::violation_proto
             sapi::testing
             sapi::status_matchers
             sapi::test_main

sandboxed_api/sandbox2/policybuilder_test.cc

@@ -27,7 +27,9 @@
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
+#include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
+#include "sandboxed_api/sandbox2/violation.pb.h"
 #include "sandboxed_api/util/status_matchers.h"
 
 namespace sandbox2 {
@@ -160,5 +162,18 @@ TEST(PolicyBuilderTest, CanBypassPtrace) {
       .BlockSyscallWithErrno(__NR_ptrace, ENOENT);
   EXPECT_THAT(builder.TryBuild(), Not(IsOk()));
 }
+
+TEST(PolicyBuilderTest, AddPolicyOnSyscallsNoEmptyList) {
+  PolicyBuilder builder;
+  builder.AddPolicyOnSyscalls({}, {ALLOW});
+  EXPECT_THAT(builder.TryBuild(), StatusIs(absl::StatusCode::kInvalidArgument));
+}
+
+TEST(PolicyBuilderTest, AddPolicyOnSyscallJumpOutOfBounds) {
+  PolicyBuilder builder;
+  builder.AddPolicyOnSyscall(__NR_write,
+                             {BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 2, 0)});
+  EXPECT_THAT(builder.TryBuild(), StatusIs(absl::StatusCode::kInvalidArgument));
+}
 }  // namespace
 }  // namespace sandbox2