StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Run more tests with coverage and sanitizers contd

Browse Source 
PiperOrigin-RevId: 513815467
Change-Id: I31d0df2c69b20eb126aaa8dde7f45fa7c0e1e6a8
This commit is contained in:
Wiktor Garbacz 2023-03-03 06:50:17 -08:00 committed by Copybara-Service
parent 6827dc0059
commit e09c2bc215
14 changed files with 138 additions and 273 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sandboxed_api/sandbox2/BUILD.bazel
View File

@ -668,7 +668,6 @@ cc_test(
"//sandboxed_api/sandbox2/testcases:namespace",
],
deps = [
":comms",
":namespace",
":sandbox2",
":testonly_allow_all_syscalls",
@ -747,7 +746,6 @@ cc_test(
":buffer",
":comms",
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/log",
@ -821,7 +819,6 @@ cc_test(
data = ["//sandboxed_api/sandbox2/testcases:minimal"],
tags = ["no_qemu_user_mode"],
deps = [
":comms",
":forkserver",
":forkserver_cc_proto",
":global_forkserver",
@ -842,7 +839,6 @@ cc_test(
deps = [
":limits",
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
@ -889,6 +885,7 @@ cc_test(
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
@ -932,7 +929,6 @@ cc_test(
":comms",
":sandbox2",
":sanitizer",
":testonly_allow_all_syscalls",
":util",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
@ -967,7 +963,6 @@ cc_test(
":regs",
":sandbox2",
":stack_trace",
":testonly_allow_all_syscalls",
"//sandboxed_api:testing",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:status_matchers",
@ -989,9 +984,7 @@ cc_test(
deps = [
":comms",
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_googletest//:gtest_main",
],

9
sandboxed_api/sandbox2/CMakeLists.txt
View File

@ -806,7 +806,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
target_link_libraries(sandbox2_namespace_test PRIVATE
absl::strings
sandbox2::allow_all_syscalls
sandbox2::comms
sapi::config
sapi::fileops
sandbox2::namespace
@ -834,7 +833,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
target_link_libraries(sandbox2_buffer_test PRIVATE
sandbox2::buffer
sandbox2::comms
sapi::config
sandbox2::ipc
sandbox2::sandbox2
sapi::testing
@ -890,7 +888,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
target_link_libraries(sandbox2_forkserver_test PRIVATE
absl::check
absl::strings
sandbox2::comms
sandbox2::forkserver
sandbox2::forkserver_proto
sandbox2::sandbox2
@ -915,7 +912,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::testcase_minimal
)
target_link_libraries(sandbox2_limits_test PRIVATE
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sapi::config
sandbox2::limits
@ -975,6 +971,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::limits
sandbox2::regs
sandbox2::sandbox2
sapi::status_matchers
sapi::testing
sapi::test_main
)
@ -1022,7 +1019,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
)
target_link_libraries(sandbox2_sanitizer_test PRIVATE
absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::client
sandbox2::comms
@ -1066,7 +1062,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
absl::status
absl::strings
absl::time
sandbox2::allow_all_syscalls
sandbox2::global_forkserver
sandbox2::namespace
sandbox2::sandbox2
@ -1093,8 +1088,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::testcase_ipc
)
target_link_libraries(sandbox2_ipc_test PRIVATE
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::comms
sandbox2::ipc
sandbox2::sandbox2

52
sandboxed_api/sandbox2/buffer_test.cc
View File

@ -27,12 +27,10 @@
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "absl/log/log.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/ipc.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
#include "sandboxed_api/sandbox2/result.h"
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/testing.h"
@ -41,6 +39,7 @@
namespace sandbox2 {
namespace {
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
using ::testing::Eq;
using ::testing::IsTrue;
@ -62,52 +61,13 @@ TEST(BufferTest, TestImplementation) {
}
}
std::unique_ptr<Policy> BufferTestcasePolicy() {
auto s2p = PolicyBuilder()
.AllowDynamicStartup()
.AllowExit()
.AllowSafeFcntl()
.AllowTime()
.AllowSystemMalloc()
.AllowRead()
.AllowWrite()
.AllowMmap()
.AllowStat()
.AllowOpen()
.AllowSyscalls({
__NR_dup,
__NR_futex,
__NR_getpid,
__NR_gettid,
__NR_nanosleep,
__NR_rt_sigprocmask,
__NR_recvmsg,
__NR_lseek,
__NR_close,
})
.BlockSyscallsWithErrno(
{
#ifdef __NR_access
// On Debian, even static binaries check existence of
// /etc/ld.so.nohwcap.
__NR_access,
#endif
__NR_faccessat,
},
ENOENT)
.BlockSyscallWithErrno(__NR_prlimit64, EPERM)
.BuildOrDie();
return s2p;
}
// Test sharing of buffer between executor/sandboxee using dup/MapFd.
TEST(BufferTest, TestWithSandboxeeMapFd) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/buffer");
std::vector<std::string> args = {path, "1"};
auto executor = std::make_unique<Executor>(path, args);
auto policy = BufferTestcasePolicy();
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
SAPI_ASSERT_OK_AND_ASSIGN(auto buffer,
Buffer::CreateWithSize(1ULL << 20 /* 1MiB */));
@ -136,12 +96,14 @@ TEST(BufferTest, TestWithSandboxeeMapFd) {
// Test sharing of buffer between executor/sandboxee using SendFD/RecvFD.
TEST(BufferTest, TestWithSandboxeeSendRecv) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/buffer");
std::vector<std::string> args = {path, "2"};
auto executor = std::make_unique<Executor>(path, args);
Sandbox2 s2(std::move(executor), BufferTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
ASSERT_THAT(s2.RunAsync(), IsTrue());
Comms* comms = s2.comms();

1
sandboxed_api/sandbox2/forkserver_test.cc
View File

@ -24,7 +24,6 @@
#include "gtest/gtest.h"
#include "absl/log/check.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.pb.h"
#include "sandboxed_api/sandbox2/global_forkclient.h"
#include "sandboxed_api/sandbox2/ipc.h"

20
sandboxed_api/sandbox2/ipc_test.cc
View File

@ -19,20 +19,18 @@
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
#include "sandboxed_api/sandbox2/result.h"
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/testing.h"
#include "sandboxed_api/util/status_matchers.h"
namespace sandbox2 {
namespace {
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
constexpr int kPreferredIpcFd = 812;
@ -43,7 +41,6 @@ class IPCTest : public testing::Test,
// This test verifies that mapping fds by name works if the sandbox is enabled
// before execve.
TEST_P(IPCTest, MapFDByNamePreExecve) {
SKIP_SANITIZERS_AND_COVERAGE;
const int fd = GetParam();
const std::string path = GetTestSourcePath("sandbox2/testcases/ipc");
std::vector<std::string> args = {path, "1", std::to_string(fd)};
@ -51,10 +48,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
Comms comms(executor->ipc()->ReceiveFd(fd, "ipc_test"));
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
s2.RunAsync();
@ -88,10 +82,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
Comms comms(executor->ipc()->ReceiveFd(fd, "ipc_test"));
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
s2.RunAsync();
@ -120,10 +111,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
auto executor = std::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();

43
sandboxed_api/sandbox2/limits_test.cc
View File

@ -23,10 +23,7 @@
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
#include "sandboxed_api/sandbox2/result.h"
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/testing.h"
@ -35,19 +32,21 @@
namespace sandbox2 {
namespace {
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
std::string GetLimitsTestcaseBinPath() {
return GetTestSourcePath("sandbox2/testcases/limits");
}
TEST(LimitsTest, RLimitASMmapUnderLimit) {
const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
const std::string path = GetLimitsTestcaseBinPath();
std::vector<std::string> args = {path, "1"}; // mmap(1 MiB)
auto executor = std::make_unique<sandbox2::Executor>(path, args);
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -56,16 +55,13 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
}
TEST(LimitsTest, RLimitASMmapAboveLimit) {
const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
const std::string path = GetLimitsTestcaseBinPath();
std::vector<std::string> args = {path, "2"}; // mmap(100 MiB)
auto executor = std::make_unique<sandbox2::Executor>(path, args);
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -74,16 +70,13 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
}
TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
const std::string path = GetLimitsTestcaseBinPath();
std::vector<std::string> args = {path, "3"}; // alloca(1 MiB)
auto executor = std::make_unique<sandbox2::Executor>(path, args);
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -92,16 +85,13 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
}
TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
const std::string path = GetLimitsTestcaseBinPath();
std::vector<std::string> args = {path, "4"}; // alloca(8 MiB)
auto executor = std::make_unique<sandbox2::Executor>(path, args);
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -110,16 +100,13 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
}
TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
const std::string path = GetLimitsTestcaseBinPath();
std::vector<std::string> args = {path, "5"}; // alloca(100 MiB)
auto executor = std::make_unique<sandbox2::Executor>(path, args);
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();

114
sandboxed_api/sandbox2/namespace_test.cc
View File

@ -26,11 +26,9 @@
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "absl/log/log.h"
#include "absl/strings/numbers.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
@ -45,16 +43,24 @@ namespace sandbox2 {
namespace {
namespace file_util = ::sapi::file_util;
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::CreateNamedTempFile;
using ::sapi::GetTestSourcePath;
using ::sapi::GetTestTempPath;
using ::testing::Eq;
using ::testing::Ne;
int RunSandboxeeWithArgsAndPolicy(const std::string& sandboxee,
std::string GetTestcaseBinPath(absl::string_view bin_name) {
return GetTestSourcePath(absl::StrCat("sandbox2/testcases/", bin_name));
}
int RunSandboxeeWithArgsAndPolicy(const std::string& bin_path,
std::initializer_list<std::string> args,
std::unique_ptr<Policy> policy) {
Sandbox2 sandbox(std::make_unique<Executor>(sandboxee, args),
std::unique_ptr<Policy> policy = nullptr) {
if (!policy) {
policy = CreateDefaultPermissiveTestPolicy(bin_path).BuildOrDie();
}
Sandbox2 sandbox(std::make_unique<Executor>(bin_path, args),
std::move(policy));
Result result = sandbox.Run();
@ -62,21 +68,18 @@ int RunSandboxeeWithArgsAndPolicy(const std::string& sandboxee,
return result.reason_code();
}
constexpr absl::string_view kNamespaceTestBinary =
"sandbox2/testcases/namespace";
constexpr absl::string_view kHostnameTestBinary = "sandbox2/testcases/hostname";
TEST(NamespaceTest, FileNamespaceWorks) {
// Mount /binary_path RO and check that it exists and is readable.
// /etc/passwd should not exist.
const std::string path = GetTestSourcePath(kNamespaceTestBinary);
const std::string path = GetTestcaseBinPath("namespace");
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPermissiveTestPolicy(path)
.AddFileAt(path, "/binary_path")
.TryBuild());
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "0", "/binary_path", "/etc/passwd"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(path, "/binary_path")
.BuildOrDie());
path, {path, "0", "/binary_path", "/etc/passwd"}, std::move(policy));
EXPECT_THAT(reason_code, Eq(2));
}
@ -85,39 +88,35 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
auto [name, fd] = CreateNamedTempFile(GetTestTempPath("temp_file")).value();
file_util::fileops::FDCloser temp_closer(fd);
const std::string path = GetTestSourcePath(kNamespaceTestBinary);
const std::string path = GetTestcaseBinPath("namespace");
{
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path)
.AddFileAt(name, "/temp_file")
.TryBuild());
// Check that it is readable
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "0", "/temp_file"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(name, "/temp_file")
.BuildOrDie());
path, {path, "0", "/temp_file"}, std::move(policy));
EXPECT_THAT(reason_code, Eq(0));
}
{
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path)
.AddFileAt(name, "/temp_file")
.TryBuild());
// Now check that it is not writeable
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "1", "/temp_file"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(name, "/temp_file")
.BuildOrDie());
path, {path, "1", "/temp_file"}, std::move(policy));
EXPECT_THAT(reason_code, Eq(1));
}
}
TEST(NamespaceTest, UserNamespaceWorks) {
const std::string path = GetTestSourcePath(kNamespaceTestBinary);
const std::string path = GetTestcaseBinPath("namespace");
// Check that getpid() returns 2 (which is the case inside pid NS).
{
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "2"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
int reason_code = RunSandboxeeWithArgsAndPolicy(path, {path, "2"});
EXPECT_THAT(reason_code, Eq(0));
}
@ -136,13 +135,10 @@ TEST(NamespaceTest, UserNamespaceWorks) {
TEST(NamespaceTest, UserNamespaceIDMapWritten) {
// Check that the idmap is initialized before the sandbox application is
// started.
const std::string path = GetTestSourcePath(kNamespaceTestBinary);
const std::string path = GetTestcaseBinPath("namespace");
{
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "3", "1000", "1000"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
int reason_code =
RunSandboxeeWithArgsAndPolicy(path, {path, "3", "1000", "1000"});
EXPECT_THAT(reason_code, Eq(0));
}
@ -161,30 +157,29 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
TEST(NamespaceTest, RootReadOnly) {
// Mount rw tmpfs at /tmp and check it is RW.
// Check also that / is RO.
const std::string path = GetTestSourcePath(kNamespaceTestBinary);
const std::string path = GetTestcaseBinPath("namespace");
SAPI_ASSERT_OK_AND_ASSIGN(
auto policy, CreateDefaultPermissiveTestPolicy(path)
.AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
.TryBuild());
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "4", "/tmp/testfile", "/testfile"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
.BuildOrDie());
path, {path, "4", "/tmp/testfile", "/testfile"}, std::move(policy));
EXPECT_THAT(reason_code, Eq(2));
}
TEST(NamespaceTest, RootWritable) {
// Mount root rw and check it
const std::string path = GetTestSourcePath(kNamespaceTestBinary);
const std::string path = GetTestcaseBinPath("namespace");
SAPI_ASSERT_OK_AND_ASSIGN(
auto policy,
CreateDefaultPermissiveTestPolicy(path).SetRootWritable().TryBuild());
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "4", "/testfile"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.SetRootWritable()
.BuildOrDie());
path, {path, "4", "/testfile"}, std::move(policy));
EXPECT_THAT(reason_code, Eq(0));
}
TEST(HostnameTest, None) {
const std::string path = GetTestSourcePath(kHostnameTestBinary);
const std::string path = GetTestcaseBinPath("hostname");
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "sandbox2"},
PolicyBuilder()
@ -195,23 +190,18 @@ TEST(HostnameTest, None) {
}
TEST(HostnameTest, Default) {
const std::string path = GetTestSourcePath(kHostnameTestBinary);
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "sandbox2"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
const std::string path = GetTestcaseBinPath("hostname");
int reason_code = RunSandboxeeWithArgsAndPolicy(path, {path, "sandbox2"});
EXPECT_THAT(reason_code, Eq(0));
}
TEST(HostnameTest, Configured) {
const std::string path = GetTestSourcePath(kHostnameTestBinary);
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "configured"},
PolicyBuilder()
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.SetHostname("configured")
.BuildOrDie());
const std::string path = GetTestcaseBinPath("hostname");
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPermissiveTestPolicy(path)
.SetHostname("configured")
.TryBuild());
int reason_code = RunSandboxeeWithArgsAndPolicy(path, {path, "configured"},
std::move(policy));
EXPECT_THAT(reason_code, Eq(0));
}

35
sandboxed_api/sandbox2/notify_test.cc
View File

@ -25,6 +25,7 @@
#include "gtest/gtest.h"
#include "absl/log/log.h"
#include "absl/strings/str_join.h"
#include "absl/strings/string_view.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -37,32 +38,15 @@
namespace sandbox2 {
namespace {
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
using ::testing::Eq;
// Allow typical syscalls and call SECCOMP_RET_TRACE for personality syscall,
// chosen because unlikely to be called by a regular program.
std::unique_ptr<Policy> NotifyTestcasePolicy() {
return PolicyBuilder()
.AllowDynamicStartup() // For PrintPidAndComms and includes
// AllowStaticStartup
.AllowExit()
.AllowRead()
.AllowWrite()
.AllowSyscall(__NR_close)
std::unique_ptr<Policy> NotifyTestcasePolicy(absl::string_view path) {
return CreateDefaultPermissiveTestPolicy(path)
.AddPolicyOnSyscall(__NR_personality, {SANDBOX2_TRACE})
.BlockSyscallsWithErrno(
{
#ifdef __NR_open
__NR_open,
#endif
__NR_openat,
#ifdef __NR_access
__NR_access,
#endif
},
ENOENT)
.BlockSyscallWithErrno(__NR_prlimit64, EPERM)
.BuildOrDie();
}
@ -103,10 +87,10 @@ class PidCommsNotify : public Notify {
// Test EventSyscallTrap on personality syscall and allow it.
TEST(NotifyTest, AllowPersonality) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
std::vector<std::string> args = {path};
Sandbox2 s2(std::make_unique<Executor>(path, args), NotifyTestcasePolicy(),
Sandbox2 s2(std::make_unique<Executor>(path, args),
NotifyTestcasePolicy(path),
std::make_unique<PersonalityNotify>(/*allow=*/true));
auto result = s2.Run();
@ -116,10 +100,10 @@ TEST(NotifyTest, AllowPersonality) {
// Test EventSyscallTrap on personality syscall and disallow it.
TEST(NotifyTest, DisallowPersonality) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
std::vector<std::string> args = {path};
Sandbox2 s2(std::make_unique<Executor>(path, args), NotifyTestcasePolicy(),
Sandbox2 s2(std::make_unique<Executor>(path, args),
NotifyTestcasePolicy(path),
std::make_unique<PersonalityNotify>(/*allow=*/false));
auto result = s2.Run();
@ -129,13 +113,12 @@ TEST(NotifyTest, DisallowPersonality) {
// Test EventStarted by exchanging data after started but before sandboxed.
TEST(NotifyTest, PrintPidAndComms) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/pidcomms");
std::vector<std::string> args = {path};
auto executor = std::make_unique<Executor>(path, args);
executor->set_enable_sandbox_before_exec(false);
Sandbox2 s2(std::move(executor), NotifyTestcasePolicy(),
Sandbox2 s2(std::move(executor), NotifyTestcasePolicy(path),
std::make_unique<PidCommsNotify>());
auto result = s2.Run();

98
sandboxed_api/sandbox2/policy_test.cc
View File

@ -22,6 +22,7 @@
#include <cstdlib>
#include <memory>
#include <string>
#include <utility>
#include "gmock/gmock.h"
#include "gtest/gtest.h"
@ -34,58 +35,26 @@
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/testing.h"
#include "sandboxed_api/util/status_matchers.h"
namespace sandbox2 {
namespace {
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
using ::testing::Eq;
PolicyBuilder CreatePolicyTestPolicyBuilder() {
sandbox2::PolicyBuilder builder;
if constexpr (sapi::host_os::IsAndroid()) {
builder.DisableNamespaces().AllowDynamicStartup();
}
builder.AllowStaticStartup()
.AllowExit()
.AllowRead()
.AllowWrite()
.AllowSyscall(__NR_close)
.AllowSyscall(__NR_getppid)
.AllowTCGETS()
.BlockSyscallsWithErrno(
{
#ifdef __NR_open
__NR_open,
#endif
__NR_openat,
#ifdef __NR_access
__NR_access,
#endif
#ifdef __NR_faccessat
__NR_faccessat,
#endif
},
ENOENT)
.BlockSyscallWithErrno(__NR_prlimit64, EPERM);
return builder;
}
std::unique_ptr<Policy> PolicyTestcasePolicy() {
return CreatePolicyTestPolicyBuilder().BuildOrDie();
}
#ifdef SAPI_X86_64
// Test that 32-bit syscalls from 64-bit are disallowed.
TEST(PolicyTest, AMD64Syscall32PolicyAllowed) {
SKIP_ANDROID;
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "1"};
Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@ -96,10 +65,12 @@ TEST(PolicyTest, AMD64Syscall32PolicyAllowed) {
// Test that 32-bit syscalls from 64-bit for FS checks are disallowed.
TEST(PolicyTest, AMD64Syscall32FsAllowed) {
SKIP_ANDROID;
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "2"};
Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@ -111,10 +82,12 @@ TEST(PolicyTest, AMD64Syscall32FsAllowed) {
// Test that ptrace(2) is disallowed.
TEST(PolicyTest, PtraceDisallowed) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "3"};
Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@ -122,14 +95,14 @@ TEST(PolicyTest, PtraceDisallowed) {
}
TEST(PolicyTest, PtraceBlocked) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "8"};
Sandbox2 s2(std::make_unique<Executor>(path, args),
CreatePolicyTestPolicyBuilder()
.BlockSyscallWithErrno(__NR_ptrace, EPERM)
.BuildOrDie());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path)
.BlockSyscallWithErrno(__NR_ptrace, EPERM)
.TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
// The policy binary fails with an error if the system call is *not* blocked.
@ -138,10 +111,11 @@ TEST(PolicyTest, PtraceBlocked) {
// Test that clone(2) with flag CLONE_UNTRACED is disallowed.
TEST(PolicyTest, CloneUntracedDisallowed) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "4"};
Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@ -150,10 +124,11 @@ TEST(PolicyTest, CloneUntracedDisallowed) {
// Test that bpf(2) is disallowed.
TEST(PolicyTest, BpfDisallowed) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "5"};
Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@ -162,14 +137,13 @@ TEST(PolicyTest, BpfDisallowed) {
// Test that bpf(2) can return EPERM.
TEST(PolicyTest, BpfPermissionDenied) {
SKIP_SANITIZERS_AND_COVERAGE;
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "7"};
auto policy = CreatePolicyTestPolicyBuilder()
.BlockSyscallWithErrno(__NR_bpf, EPERM)
.BuildOrDie();
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
CreateDefaultPermissiveTestPolicy(path)
.BlockSyscallWithErrno(__NR_bpf, EPERM)
.TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
@ -180,9 +154,19 @@ TEST(PolicyTest, BpfPermissionDenied) {
TEST(PolicyTest, IsattyAllowed) {
SKIP_SANITIZERS_AND_COVERAGE;
sandbox2::PolicyBuilder builder;
if constexpr (sapi::host_os::IsAndroid()) {
builder.DisableNamespaces().AllowDynamicStartup();
}
builder.AllowStaticStartup()
.AllowExit()
.AllowRead()
.AllowWrite()
.AllowTCGETS();
const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
std::vector<std::string> args = {path, "6"};
Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, builder.TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::OK));

8
sandboxed_api/sandbox2/sanitizer_test.cc
View File

@ -29,7 +29,6 @@
#include "absl/container/flat_hash_set.h"
#include "absl/log/log.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -40,6 +39,7 @@
#include "sandboxed_api/testing.h"
#include "sandboxed_api/util/status_matchers.h"
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
using ::testing::Eq;
using ::testing::Gt;
@ -101,7 +101,6 @@ TEST(SanitizerTest, TestMarkFDsAsCOE) {
// Test that default sanitizer leaves only 0/1/2 and 1023 (client comms FD)
// open but closes the rest.
TEST(SanitizerTest, TestSandboxedBinary) {
SKIP_SANITIZERS_AND_COVERAGE;
// Open a few file descriptors in non-close-on-exec mode.
int sock_fd[2];
ASSERT_THAT(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fd), Ne(-1));
@ -118,10 +117,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
auto executor = std::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls())
.TryBuild());
CreateDefaultPermissiveTestPolicy(path).TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();

17
sandboxed_api/sandbox2/stack_trace_test.cc
View File

@ -29,7 +29,6 @@
#include "absl/flags/reflection.h"
#include "absl/strings/str_cat.h"
#include "absl/time/time.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/global_forkclient.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -46,6 +45,7 @@ namespace sandbox2 {
namespace {
namespace file_util = ::sapi::file_util;
using ::sapi::CreateDefaultPermissiveTestPolicy;
using ::sapi::GetTestSourcePath;
using ::testing::Contains;
using ::testing::ElementsAre;
@ -72,13 +72,11 @@ void SymbolizationWorksCommon(TestCase param) {
std::vector<std::string> args = {path, absl::StrCat(param.testno),
absl::StrCat(param.testmode)};
auto policybuilder = PolicyBuilder()
// Don't restrict the syscalls at all.
.DefaultAction(AllowAllSyscalls());
PolicyBuilder builder = CreateDefaultPermissiveTestPolicy(path);
if (param.modify_policy) {
param.modify_policy(&policybuilder);
param.modify_policy(&builder);
}
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, policybuilder.TryBuild());
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, builder.TryBuild());
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
ASSERT_TRUE(s2.RunAsync());
@ -114,7 +112,6 @@ void SymbolizationWorksWithModifiedPolicy(
}
TEST_P(StackTraceTest, SymbolizationWorksNonSandboxedLibunwind) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, false);
@ -122,7 +119,6 @@ TEST_P(StackTraceTest, SymbolizationWorksNonSandboxedLibunwind) {
}
TEST_P(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
@ -130,7 +126,6 @@ TEST_P(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
}
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcDirMounted) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
@ -139,7 +134,6 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcDirMounted) {
}
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcFileMounted) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
@ -149,7 +143,6 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcFileMounted) {
}
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindSysDirMounted) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
@ -158,7 +151,6 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindSysDirMounted) {
}
TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindSysFileMounted) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
@ -175,7 +167,6 @@ size_t FileCountInDirectory(const std::string& path) {
}
TEST(StackTraceTest, ForkEnterNsLibunwindDoesNotLeakFDs) {
SKIP_SANITIZERS_AND_COVERAGE;
absl::FlagSaver fs;
absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);

1
sandboxed_api/sandbox2/testcases/BUILD.bazel
View File

@ -226,6 +226,7 @@ cc_binary(
testonly = True,
srcs = ["limits.cc"],
copts = sapi_platform_copts(),
features = ["fully_static_link"],
)
cc_binary(

1
sandboxed_api/sandbox2/testcases/CMakeLists.txt
View File

@ -283,6 +283,7 @@ set_target_properties(sandbox2_testcase_limits PROPERTIES
OUTPUT_NAME limits
)
target_link_libraries(sandbox2_testcase_limits PRIVATE
-static
sapi::base
)

3
sandboxed_api/sandbox2/testcases/policy.cc
View File

@ -95,9 +95,6 @@ void TestBpfError() {
void TestIsatty() {
isatty(0);
printf("Syscall violation should have been discovered by now\n");
exit(EXIT_FAILURE);
}
int main(int argc, char* argv[]) {