From 92aeadddee66ebe9e07371aa2566c75404a85c65 Mon Sep 17 00:00:00 2001
From: Wiktor Garbacz
Date: Tue, 5 Sep 2023 07:13:06 -0700
Subject: [PATCH] PolicyBuilder: test error conditions for AddPolicyOnSyscalls
PiperOrigin-RevId: 562768777
Change-Id: If756f83ea657cc6cd4c1283339a2909071a47493
---
 sandboxed_api/sandbox2/BUILD.bazel | 2 ++
 sandboxed_api/sandbox2/CMakeLists.txt | 2 ++
 sandboxed_api/sandbox2/policybuilder_test.cc | 15 +++++++++++++++
 3 files changed, 19 insertions(+)
diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index d2694a0..0668ee7 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -1073,7 +1073,9 @@ cc_test(
 srcs = ["policybuilder_test.cc"],
 copts = sapi_platform_copts(),
 deps = [
+ ":policy",
 ":policybuilder",
+ ":violation_cc_proto",
 "//sandboxed_api/sandbox2/util:bpf_helper",
 "//sandboxed_api/util:status_matchers",
 "@com_google_absl//absl/status",
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index 417e3f8..ccff2ea 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -1170,7 +1170,9 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 absl::status
 absl::statusor
 sandbox2::bpf_helper
+ sandbox2::policy
 sandbox2::policybuilder
+ sandbox2::violation_proto
 sapi::testing
 sapi::status_matchers
 sapi::test_main
diff --git a/sandboxed_api/sandbox2/policybuilder_test.cc b/sandboxed_api/sandbox2/policybuilder_test.cc
index 06b398f..944eaa5 100644
--- a/sandboxed_api/sandbox2/policybuilder_test.cc
+++ b/sandboxed_api/sandbox2/policybuilder_test.cc
@@ -27,7 +27,9 @@
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
+#include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
+#include "sandboxed_api/sandbox2/violation.pb.h"
 #include "sandboxed_api/util/status_matchers.h"
 namespace sandbox2 {
@@ -160,5 +162,18 @@ TEST(PolicyBuilderTest, CanBypassPtrace) {
 .BlockSyscallWithErrno(__NR_ptrace, ENOENT);
 EXPECT_THAT(builder.TryBuild(), Not(IsOk()));
 }
+
+TEST(PolicyBuilderTest, AddPolicyOnSyscallsNoEmptyList) {
+ PolicyBuilder builder;
+ builder.AddPolicyOnSyscalls({}, {ALLOW});
+ EXPECT_THAT(builder.TryBuild(), StatusIs(absl::StatusCode::kInvalidArgument));
+}
+
+TEST(PolicyBuilderTest, AddPolicyOnSyscallJumpOutOfBounds) {
+ PolicyBuilder builder;
+ builder.AddPolicyOnSyscall(__NR_write,
+ {BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 2, 0)});
+ EXPECT_THAT(builder.TryBuild(), StatusIs(absl::StatusCode::kInvalidArgument));
+}
 } // namespace
 } // namespace sandbox2
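Review bot: AddPolicyOnSyscallJumpOutOfBounds exercises only the true-branch offset (`jt = 2`, `jf = 0`), so a validator that bounds-checks `jt` but not `jf` would still pass this test. A per-syscall fragment is spliced into a larger seccomp-BPF program, and an unchecked forward offset on either branch would presumably land in instructions that belong to the rest of the policy, so both fields deserve a case. A sibling test using `{BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 2)}` and expecting the same `kInvalidArgument` would cover that, assuming the builder is meant to reject it. Both new tests assert only the status code, so a short comment such as `// jt=2 points past the end of this one-instruction fragment` above the `AddPolicyOnSyscall` call would record why the input is invalid.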