Properly test read-only mounts

PiperOrigin-RevId: 291337704
Change-Id: I806d0d09051ab205813d6626ea70e9e57a28a7a5
Wiktor Garbacz 2020-01-24 02:37:32 -08:00 committed by Copybara-Service
parent e3d638466d
commit d74215d30d
3 changed files with 48 additions and 3 deletions


@ -479,7 +479,8 @@ cc_test(
":namespace",
":sandbox2",
":testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/sandbox2/util:fileops",
"//sandboxed_api/sandbox2/util:temp_file",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",


@ -600,9 +600,11 @@ if(SAPI_ENABLE_TESTS)
absl::memory
absl::strings
sandbox2::comms
sandbox2::fileops
sandbox2::namespace
sandbox2::sandbox2
sandbox2::testing
sandbox2::temp_file
sapi::status_matchers
sapi::test_main
)


@ -34,14 +34,15 @@
#include "sandboxed_api/sandbox2/result.h"
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/sandbox2/testing.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/sandbox2/util/fileops.h"
#include "sandboxed_api/sandbox2/util/temp_file.h"
#include "sandboxed_api/util/status_matchers.h"
namespace sandbox2 {
namespace {
TEST(NamespaceTest, FileNamespaceWorks) {
// Mount /binary_path RO and check that it actually is RO.
// Mount /binary_path RO and check that it exists and is readable.
// /etc/passwd should not exist.
const std::string path = GetTestSourcePath("sandbox2/testcases/namespace");
std::vector<std::string> args = {path, "0", "/binary_path", "/etc/passwd"};
@ -59,6 +60,47 @@ TEST(NamespaceTest, FileNamespaceWorks) {
EXPECT_EQ(result.reason_code(), 2);
}
TEST(NamespaceTest, ReadOnlyIsRespected) {
// Mount temporary file as RO and check that it actually is RO.
auto [name, fd] =
CreateNamedTempFile(GetTestTempPath("temp_file")).ValueOrDie();
file_util::fileops::FDCloser temp_closer{fd};
const std::string path = GetTestSourcePath("sandbox2/testcases/namespace");
{
// First check that it is readable
std::vector<std::string> args = {path, "0", "/temp_file"};
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
// Don't restrict the syscalls at all
.DangerDefaultAllowAll()
.AddFileAt(name, "/temp_file")
.TryBuild());
Sandbox2 sandbox(std::move(executor), std::move(policy));
auto result = sandbox.Run();
ASSERT_EQ(result.final_status(), Result::OK);
EXPECT_EQ(result.reason_code(), 0);
}
{
// Then check that it is not writeable
std::vector<std::string> args = {path, "1", "/temp_file"};
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
// Don't restrict the syscalls at all
.DangerDefaultAllowAll()
.AddFileAt(name, "/temp_file")
.TryBuild());
Sandbox2 sandbox(std::move(executor), std::move(policy));
auto result = sandbox.Run();
ASSERT_EQ(result.final_status(), Result::OK);
EXPECT_EQ(result.reason_code(), 1);
}
}
TEST(NamespaceTest, UserNamespaceWorks) {
// Check that getpid() returns 2 (which is the case inside pid NS).
const std::string path = GetTestSourcePath("sandbox2/testcases/namespace");
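Review bot: In `ReadOnlyIsRespected`, the second block treats an exit code of 1 from the sandboxee as the only proof that the mount is read-only, so the check rests entirely on what the `namespace` testcase reports for mode `"1"`, which is not visible in this change. Because this test guards an isolation property, it is worth also confirming from the host side after the second `sandbox.Run()` that the backing file was not modified, for example `struct stat st; ASSERT_EQ(fstat(fd, &st), 0); EXPECT_EQ(st.st_size, 0);` (this assumes the temp file starts empty and the testcase would write bytes, so please confirm). Both policies also rely on the default read-only behaviour of `AddFileAt`; spelling it out as `.AddFileAt(name, "/temp_file", /*is_ro=*/true)` keeps the test meaningful if that default ever changes. Separately, `CreateNamedTempFile(...).ValueOrDie()` aborts the whole test binary on failure, whereas the rest of the test reports errors through `SAPI_ASSERT_OK_AND_ASSIGN`. As far as these lines show, the named temp file is closed by `temp_closer` but never removed.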