Run more tests with coverage and sanitizers contd

PiperOrigin-RevId: 513815467
Change-Id: I31d0df2c69b20eb126aaa8dde7f45fa7c0e1e6a8

sandboxed_api/sandbox2/BUILD.bazel

@@ -668,7 +668,6 @@ cc_test(
         "//sandboxed_api/sandbox2/testcases:namespace",
     ],
     deps = [
-        ":comms",
         ":namespace",
         ":sandbox2",
         ":testonly_allow_all_syscalls",
@@ -747,7 +746,6 @@ cc_test(
         ":buffer",
         ":comms",
         ":sandbox2",
-        "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:status_matchers",
         "@com_google_absl//absl/log",
@@ -821,7 +819,6 @@ cc_test(
     data = ["//sandboxed_api/sandbox2/testcases:minimal"],
     tags = ["no_qemu_user_mode"],
     deps = [
-        ":comms",
         ":forkserver",
         ":forkserver_cc_proto",
         ":global_forkserver",
@@ -842,7 +839,6 @@ cc_test(
     deps = [
         ":limits",
         ":sandbox2",
-        ":testonly_allow_all_syscalls",
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:status_matchers",
@@ -889,6 +885,7 @@ cc_test(
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/sandbox2/util:bpf_helper",
+        "//sandboxed_api/util:status_matchers",
         "@com_google_absl//absl/strings",
         "@com_google_googletest//:gtest_main",
     ],
@@ -932,7 +929,6 @@ cc_test(
         ":comms",
         ":sandbox2",
         ":sanitizer",
-        ":testonly_allow_all_syscalls",
         ":util",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:status_matchers",
@@ -967,7 +963,6 @@ cc_test(
         ":regs",
         ":sandbox2",
         ":stack_trace",
-        ":testonly_allow_all_syscalls",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:fileops",
         "//sandboxed_api/util:status_matchers",
@@ -989,9 +984,7 @@ cc_test(
     deps = [
         ":comms",
         ":sandbox2",
-        ":testonly_allow_all_syscalls",
         "//sandboxed_api:testing",
-        "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:status_matchers",
         "@com_google_googletest//:gtest_main",
     ],

sandboxed_api/sandbox2/CMakeLists.txt

@@ -806,7 +806,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   target_link_libraries(sandbox2_namespace_test PRIVATE
     absl::strings
     sandbox2::allow_all_syscalls
-    sandbox2::comms
     sapi::config
     sapi::fileops
     sandbox2::namespace
@@ -834,7 +833,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   target_link_libraries(sandbox2_buffer_test PRIVATE
     sandbox2::buffer
     sandbox2::comms
-    sapi::config
     sandbox2::ipc
     sandbox2::sandbox2
     sapi::testing
@@ -890,7 +888,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   target_link_libraries(sandbox2_forkserver_test PRIVATE
     absl::check
     absl::strings
-    sandbox2::comms
     sandbox2::forkserver
     sandbox2::forkserver_proto
     sandbox2::sandbox2
@@ -915,7 +912,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     sandbox2::testcase_minimal
   )
   target_link_libraries(sandbox2_limits_test PRIVATE
-    sandbox2::allow_all_syscalls
     sandbox2::bpf_helper
     sapi::config
     sandbox2::limits
@@ -975,6 +971,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     sandbox2::limits
     sandbox2::regs
     sandbox2::sandbox2
+    sapi::status_matchers
     sapi::testing
     sapi::test_main
   )
@@ -1022,7 +1019,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   )
   target_link_libraries(sandbox2_sanitizer_test PRIVATE
     absl::strings
-    sandbox2::allow_all_syscalls
     sandbox2::bpf_helper
     sandbox2::client
     sandbox2::comms
@@ -1066,7 +1062,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     absl::status
     absl::strings
     absl::time
-    sandbox2::allow_all_syscalls
     sandbox2::global_forkserver
     sandbox2::namespace
     sandbox2::sandbox2
@@ -1093,8 +1088,6 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     sandbox2::testcase_ipc
   )
   target_link_libraries(sandbox2_ipc_test PRIVATE
-    sandbox2::allow_all_syscalls
-    sandbox2::bpf_helper
     sandbox2::comms
     sandbox2::ipc
     sandbox2::sandbox2

sandboxed_api/sandbox2/buffer_test.cc

@@ -27,12 +27,10 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/log/log.h"
-#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/ipc.h"
 #include "sandboxed_api/sandbox2/policy.h"
-#include "sandboxed_api/sandbox2/policybuilder.h"
 #include "sandboxed_api/sandbox2/result.h"
 #include "sandboxed_api/sandbox2/sandbox2.h"
 #include "sandboxed_api/testing.h"
@@ -41,6 +39,7 @@
 namespace sandbox2 {
 namespace {
 
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 using ::testing::Eq;
 using ::testing::IsTrue;
@@ -62,52 +61,13 @@ TEST(BufferTest, TestImplementation) {
   }
 }
 
-std::unique_ptr<Policy> BufferTestcasePolicy() {
-  auto s2p = PolicyBuilder()
-                 .AllowDynamicStartup()
-                 .AllowExit()
-                 .AllowSafeFcntl()
-                 .AllowTime()
-                 .AllowSystemMalloc()
-                 .AllowRead()
-                 .AllowWrite()
-                 .AllowMmap()
-                 .AllowStat()
-                 .AllowOpen()
-                 .AllowSyscalls({
-                     __NR_dup,
-                     __NR_futex,
-                     __NR_getpid,
-                     __NR_gettid,
-                     __NR_nanosleep,
-                     __NR_rt_sigprocmask,
-                     __NR_recvmsg,
-                     __NR_lseek,
-                     __NR_close,
-                 })
-                 .BlockSyscallsWithErrno(
-                     {
-#ifdef __NR_access
-                         // On Debian, even static binaries check existence of
-                         // /etc/ld.so.nohwcap.
-                         __NR_access,
-#endif
-                         __NR_faccessat,
-                     },
-                     ENOENT)
-                 .BlockSyscallWithErrno(__NR_prlimit64, EPERM)
-                 .BuildOrDie();
-
-  return s2p;
-}
-
 // Test sharing of buffer between executor/sandboxee using dup/MapFd.
 TEST(BufferTest, TestWithSandboxeeMapFd) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/buffer");
   std::vector<std::string> args = {path, "1"};
   auto executor = std::make_unique<Executor>(path, args);
-  auto policy = BufferTestcasePolicy();
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto buffer,
                             Buffer::CreateWithSize(1ULL << 20 /* 1MiB */));
@@ -136,12 +96,14 @@ TEST(BufferTest, TestWithSandboxeeMapFd) {
 
 // Test sharing of buffer between executor/sandboxee using SendFD/RecvFD.
 TEST(BufferTest, TestWithSandboxeeSendRecv) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/buffer");
   std::vector<std::string> args = {path, "2"};
   auto executor = std::make_unique<Executor>(path, args);
 
-  Sandbox2 s2(std::move(executor), BufferTestcasePolicy());
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
+
+  Sandbox2 s2(std::move(executor), std::move(policy));
   ASSERT_THAT(s2.RunAsync(), IsTrue());
   Comms* comms = s2.comms();
 

sandboxed_api/sandbox2/forkserver_test.cc

@@ -24,7 +24,6 @@
 #include "gtest/gtest.h"
 #include "absl/log/check.h"
 #include "absl/strings/str_cat.h"
-#include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
 #include "sandboxed_api/sandbox2/ipc.h"

sandboxed_api/sandbox2/ipc_test.cc

@@ -19,20 +19,18 @@
 
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
-#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
-#include "sandboxed_api/sandbox2/policybuilder.h"
 #include "sandboxed_api/sandbox2/result.h"
 #include "sandboxed_api/sandbox2/sandbox2.h"
-#include "sandboxed_api/sandbox2/util/bpf_helper.h"
 #include "sandboxed_api/testing.h"
 #include "sandboxed_api/util/status_matchers.h"
 
 namespace sandbox2 {
 namespace {
 
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 
 constexpr int kPreferredIpcFd = 812;
@@ -43,7 +41,6 @@ class IPCTest : public testing::Test,
 // This test verifies that mapping fds by name works if the sandbox is enabled
 // before execve.
 TEST_P(IPCTest, MapFDByNamePreExecve) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const int fd = GetParam();
   const std::string path = GetTestSourcePath("sandbox2/testcases/ipc");
   std::vector<std::string> args = {path, "1", std::to_string(fd)};
@@ -51,10 +48,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
   Comms comms(executor->ipc()->ReceiveFd(fd, "ipc_test"));
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));
   s2.RunAsync();
@@ -88,10 +82,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
   Comms comms(executor->ipc()->ReceiveFd(fd, "ipc_test"));
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));
   s2.RunAsync();
@@ -120,10 +111,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
   auto executor = std::make_unique<Executor>(path, args);
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();

sandboxed_api/sandbox2/limits_test.cc

@@ -23,10 +23,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "sandboxed_api/config.h"
-#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
-#include "sandboxed_api/sandbox2/policy.h"
-#include "sandboxed_api/sandbox2/policybuilder.h"
 #include "sandboxed_api/sandbox2/result.h"
 #include "sandboxed_api/sandbox2/sandbox2.h"
 #include "sandboxed_api/testing.h"
@@ -35,19 +32,21 @@
 namespace sandbox2 {
 namespace {
 
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 
+std::string GetLimitsTestcaseBinPath() {
+  return GetTestSourcePath("sandbox2/testcases/limits");
+}
+
 TEST(LimitsTest, RLimitASMmapUnderLimit) {
-  const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
+  const std::string path = GetLimitsTestcaseBinPath();
   std::vector<std::string> args = {path, "1"};  // mmap(1 MiB)
   auto executor = std::make_unique<sandbox2::Executor>(path, args);
   executor->limits()->set_rlimit_as(100ULL << 20);  // 100 MiB
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            sandbox2::PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
 
@@ -56,16 +55,13 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
 }
 
 TEST(LimitsTest, RLimitASMmapAboveLimit) {
-  const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
+  const std::string path = GetLimitsTestcaseBinPath();
   std::vector<std::string> args = {path, "2"};  // mmap(100 MiB)
   auto executor = std::make_unique<sandbox2::Executor>(path, args);
   executor->limits()->set_rlimit_as(100ULL << 20);  // 100 MiB
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            sandbox2::PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
 
@@ -74,16 +70,13 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
 }
 
 TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
-  const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
+  const std::string path = GetLimitsTestcaseBinPath();
   std::vector<std::string> args = {path, "3"};  // alloca(1 MiB)
   auto executor = std::make_unique<sandbox2::Executor>(path, args);
   executor->limits()->set_rlimit_as(100ULL << 20);  // 100 MiB
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            sandbox2::PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
 
@@ -92,16 +85,13 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
 }
 
 TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
-  const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
+  const std::string path = GetLimitsTestcaseBinPath();
   std::vector<std::string> args = {path, "4"};  // alloca(8 MiB)
   auto executor = std::make_unique<sandbox2::Executor>(path, args);
   executor->limits()->set_rlimit_as(100ULL << 20);  // 100 MiB
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            sandbox2::PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
 
@@ -110,16 +100,13 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
 }
 
 TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
-  const std::string path = GetTestSourcePath("sandbox2/testcases/limits");
+  const std::string path = GetLimitsTestcaseBinPath();
   std::vector<std::string> args = {path, "5"};  // alloca(100 MiB)
   auto executor = std::make_unique<sandbox2::Executor>(path, args);
   executor->limits()->set_rlimit_as(100ULL << 20);  // 100 MiB
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            sandbox2::PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
 

sandboxed_api/sandbox2/namespace_test.cc

@@ -26,11 +26,9 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/log/log.h"
-#include "absl/strings/numbers.h"
 #include "absl/strings/str_cat.h"
 #include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/allow_all_syscalls.h"
-#include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
@@ -45,16 +43,24 @@ namespace sandbox2 {
 namespace {
 
 namespace file_util = ::sapi::file_util;
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::CreateNamedTempFile;
 using ::sapi::GetTestSourcePath;
 using ::sapi::GetTestTempPath;
 using ::testing::Eq;
 using ::testing::Ne;
 
-int RunSandboxeeWithArgsAndPolicy(const std::string& sandboxee,
+std::string GetTestcaseBinPath(absl::string_view bin_name) {
+  return GetTestSourcePath(absl::StrCat("sandbox2/testcases/", bin_name));
+}
+
+int RunSandboxeeWithArgsAndPolicy(const std::string& bin_path,
                                   std::initializer_list<std::string> args,
-                                  std::unique_ptr<Policy> policy) {
+                                  std::unique_ptr<Policy> policy = nullptr) {
-  Sandbox2 sandbox(std::make_unique<Executor>(sandboxee, args),
+  if (!policy) {
+    policy = CreateDefaultPermissiveTestPolicy(bin_path).BuildOrDie();
+  }
+  Sandbox2 sandbox(std::make_unique<Executor>(bin_path, args),
                    std::move(policy));
 
   Result result = sandbox.Run();
@@ -62,21 +68,18 @@ int RunSandboxeeWithArgsAndPolicy(const std::string& sandboxee,
   return result.reason_code();
 }
 
-constexpr absl::string_view kNamespaceTestBinary =
-    "sandbox2/testcases/namespace";
 constexpr absl::string_view kHostnameTestBinary = "sandbox2/testcases/hostname";
 
 TEST(NamespaceTest, FileNamespaceWorks) {
   // Mount /binary_path RO and check that it exists and is readable.
   // /etc/passwd should not exist.
 
-  const std::string path = GetTestSourcePath(kNamespaceTestBinary);
+  const std::string path = GetTestcaseBinPath("namespace");
-  int reason_code = RunSandboxeeWithArgsAndPolicy(
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPermissiveTestPolicy(path)
-      path, {path, "0", "/binary_path", "/etc/passwd"},
-      PolicyBuilder()
-          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
                                              .AddFileAt(path, "/binary_path")
-          .BuildOrDie());
+                                             .TryBuild());
+  int reason_code = RunSandboxeeWithArgsAndPolicy(
+      path, {path, "0", "/binary_path", "/etc/passwd"}, std::move(policy));
   EXPECT_THAT(reason_code, Eq(2));
 }
 
@@ -85,39 +88,35 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
   auto [name, fd] = CreateNamedTempFile(GetTestTempPath("temp_file")).value();
   file_util::fileops::FDCloser temp_closer(fd);
 
-  const std::string path = GetTestSourcePath(kNamespaceTestBinary);
+  const std::string path = GetTestcaseBinPath("namespace");
   {
+    SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                              CreateDefaultPermissiveTestPolicy(path)
+                                  .AddFileAt(name, "/temp_file")
+                                  .TryBuild());
     // Check that it is readable
     int reason_code = RunSandboxeeWithArgsAndPolicy(
-        path, {path, "0", "/temp_file"},
+        path, {path, "0", "/temp_file"}, std::move(policy));
-        PolicyBuilder()
-            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
-            .AddFileAt(name, "/temp_file")
-            .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
   }
   {
+    SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                              CreateDefaultPermissiveTestPolicy(path)
+                                  .AddFileAt(name, "/temp_file")
+                                  .TryBuild());
     // Now check that it is not writeable
     int reason_code = RunSandboxeeWithArgsAndPolicy(
-        path, {path, "1", "/temp_file"},
+        path, {path, "1", "/temp_file"}, std::move(policy));
-        PolicyBuilder()
-            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
-            .AddFileAt(name, "/temp_file")
-            .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(1));
   }
 }
 
 TEST(NamespaceTest, UserNamespaceWorks) {
-  const std::string path = GetTestSourcePath(kNamespaceTestBinary);
+  const std::string path = GetTestcaseBinPath("namespace");
 
   // Check that getpid() returns 2 (which is the case inside pid NS).
   {
-    int reason_code = RunSandboxeeWithArgsAndPolicy(
+    int reason_code = RunSandboxeeWithArgsAndPolicy(path, {path, "2"});
-        path, {path, "2"},
-        PolicyBuilder()
-            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
-            .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
   }
 
@@ -136,13 +135,10 @@ TEST(NamespaceTest, UserNamespaceWorks) {
 TEST(NamespaceTest, UserNamespaceIDMapWritten) {
   // Check that the idmap is initialized before the sandbox application is
   // started.
-  const std::string path = GetTestSourcePath(kNamespaceTestBinary);
+  const std::string path = GetTestcaseBinPath("namespace");
   {
-    int reason_code = RunSandboxeeWithArgsAndPolicy(
+    int reason_code =
-        path, {path, "3", "1000", "1000"},
+        RunSandboxeeWithArgsAndPolicy(path, {path, "3", "1000", "1000"});
-        PolicyBuilder()
-            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
-            .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
   }
 
@@ -161,30 +157,29 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
 TEST(NamespaceTest, RootReadOnly) {
   // Mount rw tmpfs at /tmp and check it is RW.
   // Check also that / is RO.
-  const std::string path = GetTestSourcePath(kNamespaceTestBinary);
+  const std::string path = GetTestcaseBinPath("namespace");
-  int reason_code = RunSandboxeeWithArgsAndPolicy(
+  SAPI_ASSERT_OK_AND_ASSIGN(
-      path, {path, "4", "/tmp/testfile", "/testfile"},
+      auto policy, CreateDefaultPermissiveTestPolicy(path)
-      PolicyBuilder()
-          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
                        .AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
-          .BuildOrDie());
+                       .TryBuild());
+  int reason_code = RunSandboxeeWithArgsAndPolicy(
+      path, {path, "4", "/tmp/testfile", "/testfile"}, std::move(policy));
   EXPECT_THAT(reason_code, Eq(2));
 }
 
 TEST(NamespaceTest, RootWritable) {
   // Mount root rw and check it
-  const std::string path = GetTestSourcePath(kNamespaceTestBinary);
+  const std::string path = GetTestcaseBinPath("namespace");
+  SAPI_ASSERT_OK_AND_ASSIGN(
+      auto policy,
+      CreateDefaultPermissiveTestPolicy(path).SetRootWritable().TryBuild());
   int reason_code = RunSandboxeeWithArgsAndPolicy(
-      path, {path, "4", "/testfile"},
+      path, {path, "4", "/testfile"}, std::move(policy));
-      PolicyBuilder()
-          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
-          .SetRootWritable()
-          .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(0));
 }
 
 TEST(HostnameTest, None) {
-  const std::string path = GetTestSourcePath(kHostnameTestBinary);
+  const std::string path = GetTestcaseBinPath("hostname");
   int reason_code = RunSandboxeeWithArgsAndPolicy(
       path, {path, "sandbox2"},
       PolicyBuilder()
@@ -195,23 +190,18 @@ TEST(HostnameTest, None) {
 }
 
 TEST(HostnameTest, Default) {
-  const std::string path = GetTestSourcePath(kHostnameTestBinary);
+  const std::string path = GetTestcaseBinPath("hostname");
-  int reason_code = RunSandboxeeWithArgsAndPolicy(
+  int reason_code = RunSandboxeeWithArgsAndPolicy(path, {path, "sandbox2"});
-      path, {path, "sandbox2"},
-      PolicyBuilder()
-          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
-          .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(0));
 }
 
 TEST(HostnameTest, Configured) {
-  const std::string path = GetTestSourcePath(kHostnameTestBinary);
+  const std::string path = GetTestcaseBinPath("hostname");
-  int reason_code = RunSandboxeeWithArgsAndPolicy(
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy, CreateDefaultPermissiveTestPolicy(path)
-      path, {path, "configured"},
-      PolicyBuilder()
-          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
                                              .SetHostname("configured")
-          .BuildOrDie());
+                                             .TryBuild());
+  int reason_code = RunSandboxeeWithArgsAndPolicy(path, {path, "configured"},
+                                                  std::move(policy));
   EXPECT_THAT(reason_code, Eq(0));
 }
 

sandboxed_api/sandbox2/notify_test.cc

@@ -25,6 +25,7 @@
 #include "gtest/gtest.h"
 #include "absl/log/log.h"
 #include "absl/strings/str_join.h"
+#include "absl/strings/string_view.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -37,32 +38,15 @@
 namespace sandbox2 {
 namespace {
 
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 using ::testing::Eq;
 
 // Allow typical syscalls and call SECCOMP_RET_TRACE for personality syscall,
 // chosen because unlikely to be called by a regular program.
-std::unique_ptr<Policy> NotifyTestcasePolicy() {
+std::unique_ptr<Policy> NotifyTestcasePolicy(absl::string_view path) {
-  return PolicyBuilder()
+  return CreateDefaultPermissiveTestPolicy(path)
-      .AllowDynamicStartup()  // For PrintPidAndComms and includes
-                              // AllowStaticStartup
-      .AllowExit()
-      .AllowRead()
-      .AllowWrite()
-      .AllowSyscall(__NR_close)
       .AddPolicyOnSyscall(__NR_personality, {SANDBOX2_TRACE})
-      .BlockSyscallsWithErrno(
-          {
-#ifdef __NR_open
-              __NR_open,
-#endif
-              __NR_openat,
-#ifdef __NR_access
-              __NR_access,
-#endif
-          },
-          ENOENT)
-      .BlockSyscallWithErrno(__NR_prlimit64, EPERM)
       .BuildOrDie();
 }
 
@@ -103,10 +87,10 @@ class PidCommsNotify : public Notify {
 
 // Test EventSyscallTrap on personality syscall and allow it.
 TEST(NotifyTest, AllowPersonality) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
   std::vector<std::string> args = {path};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), NotifyTestcasePolicy(),
+  Sandbox2 s2(std::make_unique<Executor>(path, args),
+              NotifyTestcasePolicy(path),
               std::make_unique<PersonalityNotify>(/*allow=*/true));
   auto result = s2.Run();
 
@@ -116,10 +100,10 @@ TEST(NotifyTest, AllowPersonality) {
 
 // Test EventSyscallTrap on personality syscall and disallow it.
 TEST(NotifyTest, DisallowPersonality) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
   std::vector<std::string> args = {path};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), NotifyTestcasePolicy(),
+  Sandbox2 s2(std::make_unique<Executor>(path, args),
+              NotifyTestcasePolicy(path),
               std::make_unique<PersonalityNotify>(/*allow=*/false));
   auto result = s2.Run();
 
@@ -129,13 +113,12 @@ TEST(NotifyTest, DisallowPersonality) {
 
 // Test EventStarted by exchanging data after started but before sandboxed.
 TEST(NotifyTest, PrintPidAndComms) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/pidcomms");
   std::vector<std::string> args = {path};
   auto executor = std::make_unique<Executor>(path, args);
   executor->set_enable_sandbox_before_exec(false);
 
-  Sandbox2 s2(std::move(executor), NotifyTestcasePolicy(),
+  Sandbox2 s2(std::move(executor), NotifyTestcasePolicy(path),
               std::make_unique<PidCommsNotify>());
   auto result = s2.Run();
 

sandboxed_api/sandbox2/policy_test.cc

@@ -22,6 +22,7 @@
 #include <cstdlib>
 #include <memory>
 #include <string>
+#include <utility>
 
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
@@ -34,58 +35,26 @@
 #include "sandboxed_api/sandbox2/sandbox2.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
 #include "sandboxed_api/testing.h"
+#include "sandboxed_api/util/status_matchers.h"
 
 namespace sandbox2 {
 namespace {
 
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 using ::testing::Eq;
 
-PolicyBuilder CreatePolicyTestPolicyBuilder() {
-  sandbox2::PolicyBuilder builder;
-
-  if constexpr (sapi::host_os::IsAndroid()) {
-    builder.DisableNamespaces().AllowDynamicStartup();
-  }
-
-  builder.AllowStaticStartup()
-      .AllowExit()
-      .AllowRead()
-      .AllowWrite()
-      .AllowSyscall(__NR_close)
-      .AllowSyscall(__NR_getppid)
-      .AllowTCGETS()
-      .BlockSyscallsWithErrno(
-          {
-#ifdef __NR_open
-              __NR_open,
-#endif
-              __NR_openat,
-#ifdef __NR_access
-              __NR_access,
-#endif
-#ifdef __NR_faccessat
-              __NR_faccessat,
-#endif
-          },
-          ENOENT)
-      .BlockSyscallWithErrno(__NR_prlimit64, EPERM);
-  return builder;
-}
-
-std::unique_ptr<Policy> PolicyTestcasePolicy() {
-  return CreatePolicyTestPolicyBuilder().BuildOrDie();
-}
-
 #ifdef SAPI_X86_64
 // Test that 32-bit syscalls from 64-bit are disallowed.
 TEST(PolicyTest, AMD64Syscall32PolicyAllowed) {
   SKIP_ANDROID;
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
 
   std::vector<std::string> args = {path, "1"};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
+
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@@ -96,10 +65,12 @@ TEST(PolicyTest, AMD64Syscall32PolicyAllowed) {
 // Test that 32-bit syscalls from 64-bit for FS checks are disallowed.
 TEST(PolicyTest, AMD64Syscall32FsAllowed) {
   SKIP_ANDROID;
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "2"};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
+
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@@ -111,10 +82,12 @@ TEST(PolicyTest, AMD64Syscall32FsAllowed) {
 
 // Test that ptrace(2) is disallowed.
 TEST(PolicyTest, PtraceDisallowed) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "3"};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
+
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@@ -122,14 +95,14 @@ TEST(PolicyTest, PtraceDisallowed) {
 }
 
 TEST(PolicyTest, PtraceBlocked) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "8"};
 
-  Sandbox2 s2(std::make_unique<Executor>(path, args),
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-              CreatePolicyTestPolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path)
                                 .BlockSyscallWithErrno(__NR_ptrace, EPERM)
-                  .BuildOrDie());
+                                .TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   // The policy binary fails with an error if the system call is *not* blocked.
@@ -138,10 +111,11 @@ TEST(PolicyTest, PtraceBlocked) {
 
 // Test that clone(2) with flag CLONE_UNTRACED is disallowed.
 TEST(PolicyTest, CloneUntracedDisallowed) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "4"};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@@ -150,10 +124,11 @@ TEST(PolicyTest, CloneUntracedDisallowed) {
 
 // Test that bpf(2) is disallowed.
 TEST(PolicyTest, BpfDisallowed) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "5"};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
@@ -162,14 +137,13 @@ TEST(PolicyTest, BpfDisallowed) {
 
 // Test that bpf(2) can return EPERM.
 TEST(PolicyTest, BpfPermissionDenied) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "7"};
 
-  auto policy = CreatePolicyTestPolicyBuilder()
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
+                            CreateDefaultPermissiveTestPolicy(path)
                                 .BlockSyscallWithErrno(__NR_bpf, EPERM)
-                    .BuildOrDie();
+                                .TryBuild());
-
   Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
@@ -180,9 +154,19 @@ TEST(PolicyTest, BpfPermissionDenied) {
 
 TEST(PolicyTest, IsattyAllowed) {
   SKIP_SANITIZERS_AND_COVERAGE;
+  sandbox2::PolicyBuilder builder;
+  if constexpr (sapi::host_os::IsAndroid()) {
+    builder.DisableNamespaces().AllowDynamicStartup();
+  }
+  builder.AllowStaticStartup()
+      .AllowExit()
+      .AllowRead()
+      .AllowWrite()
+      .AllowTCGETS();
   const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
   std::vector<std::string> args = {path, "6"};
-  Sandbox2 s2(std::make_unique<Executor>(path, args), PolicyTestcasePolicy());
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy, builder.TryBuild());
+  Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   auto result = s2.Run();
 
   ASSERT_THAT(result.final_status(), Eq(Result::OK));

sandboxed_api/sandbox2/sanitizer_test.cc

@@ -29,7 +29,6 @@
 #include "absl/container/flat_hash_set.h"
 #include "absl/log/log.h"
 #include "absl/strings/str_cat.h"
-#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -40,6 +39,7 @@
 #include "sandboxed_api/testing.h"
 #include "sandboxed_api/util/status_matchers.h"
 
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 using ::testing::Eq;
 using ::testing::Gt;
@@ -101,7 +101,6 @@ TEST(SanitizerTest, TestMarkFDsAsCOE) {
 // Test that default sanitizer leaves only 0/1/2 and 1023 (client comms FD)
 // open but closes the rest.
 TEST(SanitizerTest, TestSandboxedBinary) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   // Open a few file descriptors in non-close-on-exec mode.
   int sock_fd[2];
   ASSERT_THAT(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fd), Ne(-1));
@@ -118,10 +117,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
   auto executor = std::make_unique<Executor>(path, args);
 
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-                            PolicyBuilder()
+                            CreateDefaultPermissiveTestPolicy(path).TryBuild());
-                                // Don't restrict the syscalls at all.
-                                .DefaultAction(AllowAllSyscalls())
-                                .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();

sandboxed_api/sandbox2/stack_trace_test.cc

@@ -29,7 +29,6 @@
 #include "absl/flags/reflection.h"
 #include "absl/strings/str_cat.h"
 #include "absl/time/time.h"
-#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -46,6 +45,7 @@ namespace sandbox2 {
 namespace {
 
 namespace file_util = ::sapi::file_util;
+using ::sapi::CreateDefaultPermissiveTestPolicy;
 using ::sapi::GetTestSourcePath;
 using ::testing::Contains;
 using ::testing::ElementsAre;
@@ -72,13 +72,11 @@ void SymbolizationWorksCommon(TestCase param) {
   std::vector<std::string> args = {path, absl::StrCat(param.testno),
                                    absl::StrCat(param.testmode)};
 
-  auto policybuilder = PolicyBuilder()
+  PolicyBuilder builder = CreateDefaultPermissiveTestPolicy(path);
-                           // Don't restrict the syscalls at all.
-                           .DefaultAction(AllowAllSyscalls());
   if (param.modify_policy) {
-    param.modify_policy(&policybuilder);
+    param.modify_policy(&builder);
   }
-  SAPI_ASSERT_OK_AND_ASSIGN(auto policy, policybuilder.TryBuild());
+  SAPI_ASSERT_OK_AND_ASSIGN(auto policy, builder.TryBuild());
 
   Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
   ASSERT_TRUE(s2.RunAsync());
@@ -114,7 +112,6 @@ void SymbolizationWorksWithModifiedPolicy(
 }
 
 TEST_P(StackTraceTest, SymbolizationWorksNonSandboxedLibunwind) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, false);
 
@@ -122,7 +119,6 @@ TEST_P(StackTraceTest, SymbolizationWorksNonSandboxedLibunwind) {
 }
 
 TEST_P(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
 
@@ -130,7 +126,6 @@ TEST_P(StackTraceTest, SymbolizationWorksSandboxedLibunwind) {
 }
 
 TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcDirMounted) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
 
@@ -139,7 +134,6 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcDirMounted) {
 }
 
 TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcFileMounted) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
 
@@ -149,7 +143,6 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindProcFileMounted) {
 }
 
 TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindSysDirMounted) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
 
@@ -158,7 +151,6 @@ TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindSysDirMounted) {
 }
 
 TEST(StackTraceTest, SymbolizationWorksSandboxedLibunwindSysFileMounted) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
 
@@ -175,7 +167,6 @@ size_t FileCountInDirectory(const std::string& path) {
 }
 
 TEST(StackTraceTest, ForkEnterNsLibunwindDoesNotLeakFDs) {
-  SKIP_SANITIZERS_AND_COVERAGE;
   absl::FlagSaver fs;
   absl::SetFlag(&FLAGS_sandbox_libunwind_crash_handler, true);
 

sandboxed_api/sandbox2/testcases/BUILD.bazel

@@ -226,6 +226,7 @@ cc_binary(
     testonly = True,
     srcs = ["limits.cc"],
     copts = sapi_platform_copts(),
+    features = ["fully_static_link"],
 )
 
 cc_binary(

sandboxed_api/sandbox2/testcases/CMakeLists.txt

@@ -283,6 +283,7 @@ set_target_properties(sandbox2_testcase_limits PROPERTIES
   OUTPUT_NAME limits
 )
 target_link_libraries(sandbox2_testcase_limits PRIVATE
+  -static
   sapi::base
 )
 

sandboxed_api/sandbox2/testcases/policy.cc

@@ -95,9 +95,6 @@ void TestBpfError() {
 
 void TestIsatty() {
   isatty(0);
-
-  printf("Syscall violation should have been discovered by now\n");
-  exit(EXIT_FAILURE);
 }
 
 int main(int argc, char* argv[]) {