StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

PolicyBuilder: test error conditions for AddPolicyOnSyscalls

Browse Source 
PiperOrigin-RevId: 562768777
Change-Id: If756f83ea657cc6cd4c1283339a2909071a47493
This commit is contained in:
Wiktor Garbacz 2023-09-05 07:13:06 -07:00 committed by Copybara-Service
parent 02d770adcc
commit 92aeadddee
3 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sandboxed_api/sandbox2/BUILD.bazel
View File

@ -1073,7 +1073,9 @@ cc_test(
srcs = ["policybuilder_test.cc"], srcs = ["policybuilder_test.cc"],
copts = sapi_platform_copts(), copts = sapi_platform_copts(),
deps = [ deps = [
":policy",
":policybuilder", ":policybuilder",
":violation_cc_proto",
"//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers", "//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/status", "@com_google_absl//absl/status",

2
sandboxed_api/sandbox2/CMakeLists.txt
View File

@ -1170,7 +1170,9 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
absl::status absl::status
absl::statusor absl::statusor
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::policy
sandbox2::policybuilder sandbox2::policybuilder
sandbox2::violation_proto
sapi::testing sapi::testing
sapi::status_matchers sapi::status_matchers
sapi::test_main sapi::test_main

15
sandboxed_api/sandbox2/policybuilder_test.cc
View File

@ -27,7 +27,9 @@
#include "absl/status/status.h" #include "absl/status/status.h"
#include "absl/status/statusor.h" #include "absl/status/statusor.h"
#include "absl/strings/string_view.h" #include "absl/strings/string_view.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/sandbox2/violation.pb.h"
#include "sandboxed_api/util/status_matchers.h" #include "sandboxed_api/util/status_matchers.h"
namespace sandbox2 { namespace sandbox2 {
@ -160,5 +162,18 @@ TEST(PolicyBuilderTest, CanBypassPtrace) {
.BlockSyscallWithErrno(__NR_ptrace, ENOENT); .BlockSyscallWithErrno(__NR_ptrace, ENOENT);
EXPECT_THAT(builder.TryBuild(), Not(IsOk())); EXPECT_THAT(builder.TryBuild(), Not(IsOk()));
} }
TEST(PolicyBuilderTest, AddPolicyOnSyscallsNoEmptyList) {
PolicyBuilder builder;
builder.AddPolicyOnSyscalls({}, {ALLOW});
EXPECT_THAT(builder.TryBuild(), StatusIs(absl::StatusCode::kInvalidArgument));
}
TEST(PolicyBuilderTest, AddPolicyOnSyscallJumpOutOfBounds) {
PolicyBuilder builder;
builder.AddPolicyOnSyscall(__NR_write,
{BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 2, 0)});
EXPECT_THAT(builder.TryBuild(), StatusIs(absl::StatusCode::kInvalidArgument));
}
} // namespace } // namespace
} // namespace sandbox2 } // namespace sandbox2