1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #import <Cocoa/Cocoa.h> | 5 #import <Cocoa/Cocoa.h> |
6 #include <dirent.h> | 6 #include <dirent.h> |
7 | 7 |
8 extern "C" { | 8 extern "C" { |
9 #include <sandbox.h> | 9 #include <sandbox.h> |
10 } | 10 } |
11 | 11 |
12 #include "base/file_util.h" | 12 #include "base/file_util.h" |
13 #include "base/file_path.h" | 13 #include "base/file_path.h" |
14 #include "base/test/multiprocess_test.h" | 14 #include "base/test/multiprocess_test.h" |
15 #include "base/sys_string_conversions.h" | 15 #include "base/sys_string_conversions.h" |
16 #include "base/utf_string_conversions.h" | 16 #include "base/utf_string_conversions.h" |
17 #include "chrome/common/sandbox_mac.h" | 17 #include "chrome/common/sandbox_mac.h" |
18 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
19 #include "testing/multiprocess_func_list.h" | 19 #include "testing/multiprocess_func_list.h" |
20 | 20 |
21 // Tests to exercise directory-access-related restrictions of Mac sandbox. | 21 // Tests to exercise directory-access-related restrictions of Mac sandbox. |
22 | 22 |
23 namespace sandbox { | 23 namespace sandbox { |
24 | 24 |
25 bool QuotePlainString(const std::string& str_utf8, std::string* dst); | 25 bool QuotePlainString(const std::string& str_utf8, std::string* dst); |
26 bool QuoteStringForRegex(const std::string& str_utf8, std::string* dst); | 26 bool QuoteStringForRegex(const std::string& str_utf8, std::string* dst); |
| 27 NSString* BuildAllowDirectoryAccessSandboxString(const FilePath& allowed_dir); |
27 | 28 |
28 } // namespace sandbox | 29 } // namespace sandbox |
29 | 30 |
30 namespace { | 31 namespace { |
31 | 32 |
32 static const char* kSandboxAccessPathKey = "sandbox_dir"; | 33 static const char* kSandboxAccessPathKey = "sandbox_dir"; |
| 34 static const char* kDeniedSuffix = "_denied"; |
33 | 35 |
34 class MacDirAccessSandboxTest : public base::MultiProcessTest { | 36 class MacDirAccessSandboxTest : public base::MultiProcessTest { |
35 public: | 37 public: |
36 bool CheckSandbox(const std::string& directory_to_try) { | 38 bool CheckSandbox(const std::string& directory_to_try) { |
37 setenv(kSandboxAccessPathKey, directory_to_try.c_str(), 1); | 39 setenv(kSandboxAccessPathKey, directory_to_try.c_str(), 1); |
38 base::ProcessHandle child_process = SpawnChild("mac_sandbox_path_access", | 40 base::ProcessHandle child_process = SpawnChild("mac_sandbox_path_access", |
39 false); | 41 false); |
40 int code = -1; | 42 int code = -1; |
41 if (!base::WaitForExitCode(child_process, &code)) { | 43 if (!base::WaitForExitCode(child_process, &code)) { |
42 LOG(WARNING) << "base::WaitForExitCode failed"; | 44 LOG(WARNING) << "base::WaitForExitCode failed"; |
136 public: | 138 public: |
137 inline void operator()(FilePath* x) const { | 139 inline void operator()(FilePath* x) const { |
138 if (x) { | 140 if (x) { |
139 file_util::Delete(*x, true); | 141 file_util::Delete(*x, true); |
140 } | 142 } |
141 } | 143 } |
142 }; | 144 }; |
143 | 145 |
144 typedef scoped_ptr_malloc<FilePath, ScopedDirectoryDelete> ScopedDirectory; | 146 typedef scoped_ptr_malloc<FilePath, ScopedDirectoryDelete> ScopedDirectory; |
145 | 147 |
146 // Crashy, http://crbug.com/56765. | 148 TEST_F(MacDirAccessSandboxTest, SandboxAccess) { |
147 TEST_F(MacDirAccessSandboxTest, DISABLED_SandboxAccess) { | 149 using file_util::CreateDirectory; |
| 150 |
148 FilePath tmp_dir; | 151 FilePath tmp_dir; |
149 ASSERT_TRUE(file_util::CreateNewTempDirectory("", &tmp_dir)); | 152 ASSERT_TRUE(file_util::CreateNewTempDirectory("", &tmp_dir)); |
150 // This step is important on OS X since the sandbox only understands "real" | 153 // This step is important on OS X since the sandbox only understands "real" |
151 // paths and the paths CreateNewTempDirectory() returns are empirically in | 154 // paths and the paths CreateNewTempDirectory() returns are empirically in |
152 // /var which is a symlink to /private/var . | 155 // /var which is a symlink to /private/var . |
153 sandbox::GetCanonicalSandboxPath(&tmp_dir); | 156 sandbox::GetCanonicalSandboxPath(&tmp_dir); |
154 ScopedDirectory cleanup(&tmp_dir); | 157 ScopedDirectory cleanup(&tmp_dir); |
155 | 158 |
156 const char* sandbox_dir_cases[] = { | 159 const char* sandbox_dir_cases[] = { |
157 "simple_dir_name", | 160 "simple_dir_name", |
158 "^hello++ $", // Regex. | 161 "^hello++ $", // Regex. |
159 "\\^.$|()[]*+?{}", // All regex characters. | 162 "\\^.$|()[]*+?{}", // All regex characters. |
160 }; | 163 }; |
161 | 164 |
162 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(sandbox_dir_cases); ++i) { | 165 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(sandbox_dir_cases); ++i) { |
163 const char* sandbox_dir_name = sandbox_dir_cases[i]; | 166 const char* sandbox_dir_name = sandbox_dir_cases[i]; |
164 FilePath sandbox_dir = tmp_dir.Append(sandbox_dir_name); | 167 FilePath sandbox_dir = tmp_dir.Append(sandbox_dir_name); |
165 ASSERT_TRUE(file_util::CreateDirectory(sandbox_dir)); | 168 ASSERT_TRUE(CreateDirectory(sandbox_dir)); |
166 ScopedDirectory cleanup_sandbox(&sandbox_dir); | 169 ScopedDirectory cleanup_sandbox(&sandbox_dir); |
| 170 |
| 171 // Create a sibling directory of the sandbox dir, whose name has sandbox dir |
| 172 // as a substring but to which access is denied. |
| 173 std::string sibling_sandbox_dir_name_denied = |
| 174 std::string(sandbox_dir_cases[i]) + kDeniedSuffix; |
| 175 FilePath sibling_sandbox_dir = tmp_dir.Append( |
| 176 sibling_sandbox_dir_name_denied.c_str()); |
| 177 ASSERT_TRUE(CreateDirectory(sibling_sandbox_dir)); |
| 178 ScopedDirectory cleanup_sandbox_sibling(&sibling_sandbox_dir); |
| 179 |
167 EXPECT_TRUE(CheckSandbox(sandbox_dir.value())); | 180 EXPECT_TRUE(CheckSandbox(sandbox_dir.value())); |
168 } | 181 } |
169 } | 182 } |
170 | 183 |
171 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) { | 184 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) { |
172 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey); | 185 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey); |
173 if (!sandbox_allowed_dir) | 186 if (!sandbox_allowed_dir) |
174 return -1; | 187 return -1; |
175 | 188 |
176 // Build up a sandbox profile that only allows access to DIR_TO_ALLOW_ACCESS. | 189 // Build up a sandbox profile that only allows access to a single directory. |
177 NSString *sandbox_profile = | 190 NSString *sandbox_profile = |
178 @"(version 1)" \ | 191 @"(version 1)" \ |
179 "(deny default)" \ | 192 "(deny default)" \ |
180 "(allow signal (target self))" \ | 193 "(allow signal (target self))" \ |
181 "(allow sysctl-read)" \ | 194 "(allow sysctl-read)" \ |
182 "(allow file-read-metadata)" \ | 195 ";ENABLE_DIRECTORY_ACCESS"; |
183 "(allow file-read* file-write* (regex #\"DIR_TO_ALLOW_ACCESS\"))"; | |
184 | 196 |
185 std::string allowed_dir(sandbox_allowed_dir); | 197 std::string allowed_dir(sandbox_allowed_dir); |
186 std::string allowed_dir_escaped; | 198 std::string allowed_dir_escaped; |
187 if (!sandbox::QuoteStringForRegex(allowed_dir, &allowed_dir_escaped)) { | 199 if (!sandbox::QuoteStringForRegex(allowed_dir, &allowed_dir_escaped)) { |
188 LOG(ERROR) << "Regex string quoting failed " << allowed_dir; | 200 LOG(ERROR) << "Regex string quoting failed " << allowed_dir; |
189 return -1; | 201 return -1; |
190 } | 202 } |
191 NSString* allowed_dir_escaped_ns = base::SysUTF8ToNSString( | 203 NSString* allow_dir_sandbox_code = |
192 allowed_dir_escaped.c_str()); | 204 sandbox::BuildAllowDirectoryAccessSandboxString( |
| 205 FilePath(sandbox_allowed_dir)); |
193 sandbox_profile = [sandbox_profile | 206 sandbox_profile = [sandbox_profile |
194 stringByReplacingOccurrencesOfString:@"DIR_TO_ALLOW_ACCESS" | 207 stringByReplacingOccurrencesOfString:@";ENABLE_DIRECTORY_ACCESS" |
195 withString:allowed_dir_escaped_ns]; | 208 withString:allow_dir_sandbox_code]; |
196 // Enable Sandbox. | 209 // Enable Sandbox. |
197 char* error_buff = NULL; | 210 char* error_buff = NULL; |
198 int error = sandbox_init([sandbox_profile UTF8String], 0, &error_buff); | 211 int error = sandbox_init([sandbox_profile UTF8String], 0, &error_buff); |
199 if (error == -1) { | 212 if (error == -1) { |
200 LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff; | 213 LOG(ERROR) << "Failed to Initialize Sandbox: " << error_buff; |
201 return -1; | 214 return -1; |
202 } | 215 } |
203 sandbox_free_error(error_buff); | 216 sandbox_free_error(error_buff); |
204 | 217 |
205 // Test Sandbox. | 218 // Test Sandbox. |
216 closedir(file_list); | 229 closedir(file_list); |
217 | 230 |
218 // Test restrictions on accessing files. | 231 // Test restrictions on accessing files. |
219 FilePath allowed_dir_path(sandbox_allowed_dir); | 232 FilePath allowed_dir_path(sandbox_allowed_dir); |
220 FilePath allowed_file = allowed_dir_path.Append("ok_to_write"); | 233 FilePath allowed_file = allowed_dir_path.Append("ok_to_write"); |
221 FilePath denied_file1 = allowed_dir_path.DirName().Append("cant_access"); | 234 FilePath denied_file1 = allowed_dir_path.DirName().Append("cant_access"); |
222 | 235 |
223 // Try to write a file who's name has the same prefix as the directory we | 236 // Try to write a file who's name has the same prefix as the directory we |
224 // allow access to. | 237 // allow access to. |
225 FilePath basename = allowed_dir_path.BaseName(); | 238 FilePath basename = allowed_dir_path.BaseName(); |
| 239 FilePath allowed_parent_dir = allowed_dir_path.DirName(); |
226 std::string tricky_filename = basename.value() + "123"; | 240 std::string tricky_filename = basename.value() + "123"; |
227 FilePath denied_file2 = allowed_dir_path.DirName().Append(tricky_filename); | 241 FilePath denied_file2 = allowed_parent_dir.Append(tricky_filename); |
228 | 242 |
229 if (open(allowed_file.value().c_str(), O_WRONLY | O_CREAT) <= 0) { | 243 if (open(allowed_file.value().c_str(), O_WRONLY | O_CREAT) <= 0) { |
230 PLOG(ERROR) << "Sandbox overly restrictive: failed to write (" | 244 PLOG(ERROR) << "Sandbox overly restrictive: failed to write (" |
231 << allowed_file.value() | 245 << allowed_file.value() |
232 << ")"; | 246 << ")"; |
233 return -1; | 247 return -1; |
234 } | 248 } |
235 | 249 |
| 250 // Test that we deny access to a sibling of the sandboxed directory whose |
| 251 // name has the sandboxed directory name as a substring. e.g. if the sandbox |
| 252 // directory is /foo/baz then test /foo/baz_denied. |
| 253 { |
| 254 struct stat tmp_stat_info; |
| 255 std::string denied_sibling = |
| 256 std::string(sandbox_allowed_dir) + kDeniedSuffix; |
| 257 if (stat(denied_sibling.c_str(), &tmp_stat_info) > 0) { |
| 258 PLOG(ERROR) << "Sandbox breach: was able to stat (" |
| 259 << denied_sibling.c_str() |
| 260 << ")"; |
| 261 return -1; |
| 262 } |
| 263 } |
| 264 |
| 265 // Test that we can stat parent directories of the "allowed" directory. |
| 266 { |
| 267 struct stat tmp_stat_info; |
| 268 if (stat(allowed_parent_dir.value().c_str(), &tmp_stat_info) != 0) { |
| 269 PLOG(ERROR) << "Sandbox overly restrictive: unable to stat (" |
| 270 << allowed_parent_dir.value() |
| 271 << ")"; |
| 272 return -1; |
| 273 } |
| 274 } |
| 275 |
| 276 // Test that we can't stat files outside the "allowed" directory. |
| 277 { |
| 278 struct stat tmp_stat_info; |
| 279 if (stat(denied_file1.value().c_str(), &tmp_stat_info) > 0) { |
| 280 PLOG(ERROR) << "Sandbox breach: was able to stat (" |
| 281 << denied_file1.value() |
| 282 << ")"; |
| 283 return -1; |
| 284 } |
| 285 } |
| 286 |
236 if (open(denied_file1.value().c_str(), O_WRONLY | O_CREAT) > 0) { | 287 if (open(denied_file1.value().c_str(), O_WRONLY | O_CREAT) > 0) { |
237 PLOG(ERROR) << "Sandbox breach: was able to write (" | 288 PLOG(ERROR) << "Sandbox breach: was able to write (" |
238 << denied_file1.value() | 289 << denied_file1.value() |
239 << ")"; | 290 << ")"; |
240 return -1; | 291 return -1; |
241 } | 292 } |
242 | 293 |
243 if (open(denied_file2.value().c_str(), O_WRONLY | O_CREAT) > 0) { | 294 if (open(denied_file2.value().c_str(), O_WRONLY | O_CREAT) > 0) { |
244 PLOG(ERROR) << "Sandbox breach: was able to write (" | 295 PLOG(ERROR) << "Sandbox breach: was able to write (" |
245 << denied_file2.value() | 296 << denied_file2.value() |
246 << ")"; | 297 << ")"; |
247 return -1; | 298 return -1; |
248 } | 299 } |
249 | 300 |
250 return 0; | 301 return 0; |
251 } | 302 } |
252 | 303 |
253 } // namespace | 304 } // namespace |
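Review bot: The two new "Sandbox breach" stat() checks (new lines 257 and 279) can never fire: stat() returns 0 on success and -1 on failure, so `stat(...) > 0` is always false and a profile that wrongly allowed stat of the denied sibling or of `cant_access` would still pass the test. They should read `if (stat(denied_sibling.c_str(), &tmp_stat_info) == 0)` and `if (stat(denied_file1.value().c_str(), &tmp_stat_info) == 0)`; the parent-directory check on line 268 already uses `!= 0` correctly, so only the two breach checks are inverted. Since this test exists precisely to catch over-broad sandbox rules from the regex quoting, a check that cannot fail is worse than no check, because it reports coverage that is not there. The enclosing `mac_sandbox_path_access` function starts in the previous hunk, outside this one.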
OLD | NEW |