| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <fcntl.h> | 5 #include <fcntl.h> |
| 6 #include <stdint.h> | 6 #include <stdint.h> |
| 7 #include <sys/stat.h> | 7 #include <sys/stat.h> |
| 8 #include <unistd.h> | 8 #include <unistd.h> |
| 9 | 9 |
| 10 #include "base/process/kill.h" | 10 #include "base/process/kill.h" |
| 11 #include "base/test/multiprocess_test.h" | 11 #include "base/test/multiprocess_test.h" |
| 12 #include "base/test/test_timeouts.h" | 12 #include "base/test/test_timeouts.h" |
| 13 #include "sandbox/mac/sandbox_compiler.h" | 13 #include "sandbox/mac/sandbox_compiler.h" |
| 14 #include "testing/gtest/include/gtest/gtest.h" | 14 #include "testing/gtest/include/gtest/gtest.h" |
| 15 #include "testing/multiprocess_func_list.h" | 15 #include "testing/multiprocess_func_list.h" |
| 16 | 16 |
| 17 namespace sandbox { | 17 namespace sandbox { |
| 18 | 18 |
| 19 class SandboxMacCompilerTest : public base::MultiProcessTest {}; | 19 class SandboxMacCompilerTest : public base::MultiProcessTest {}; |
| 20 | 20 |
| 21 MULTIPROCESS_TEST_MAIN(BasicProfileProcess) { | 21 MULTIPROCESS_TEST_MAIN(BasicProfileProcess) { |
| 22 std::string profile = | 22 std::string profile = |
| 23 "(version 1)" | 23 "(version 1)" |
| 24 "(deny default (with no-log))" |
| 24 "(allow file-read* file-write* (literal \"/\"))"; | 25 "(allow file-read* file-write* (literal \"/\"))"; |
| 25 | 26 |
| 26 SandboxCompiler compiler(profile); | 27 SandboxCompiler compiler(profile); |
| 27 | 28 |
| 28 std::string error; | 29 std::string error; |
| 29 CHECK(compiler.CompileAndApplyProfile(&error)); | 30 CHECK(compiler.CompileAndApplyProfile(&error)); |
| 30 | 31 |
| 31 return 0; | 32 return 0; |
| 32 } | 33 } |
| 33 | 34 |
| 34 TEST_F(SandboxMacCompilerTest, BasicProfileTest) { | 35 TEST_F(SandboxMacCompilerTest, BasicProfileTest) { |
| 35 base::SpawnChildResult spawn_child = SpawnChild("BasicProfileProcess"); | 36 base::SpawnChildResult spawn_child = SpawnChild("BasicProfileProcess"); |
| 36 ASSERT_TRUE(spawn_child.process.IsValid()); | 37 ASSERT_TRUE(spawn_child.process.IsValid()); |
| 37 int exit_code = 42; | 38 int exit_code = 42; |
| 38 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( | 39 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( |
| 39 TestTimeouts::action_max_timeout(), &exit_code)); | 40 TestTimeouts::action_max_timeout(), &exit_code)); |
| 40 EXPECT_EQ(exit_code, 0); | 41 EXPECT_EQ(exit_code, 0); |
| 41 } | 42 } |
| 42 | 43 |
| 43 MULTIPROCESS_TEST_MAIN(BasicProfileWithParamProcess) { | 44 MULTIPROCESS_TEST_MAIN(BasicProfileWithParamProcess) { |
| 44 std::string profile = | 45 std::string profile = |
| 45 "(version 1)" | 46 "(version 1)" |
| 47 "(deny default (with no-log))" |
| 46 "(allow file-read* file-write* (literal (param \"DIR\")))"; | 48 "(allow file-read* file-write* (literal (param \"DIR\")))"; |
| 47 | 49 |
| 48 SandboxCompiler compiler(profile); | 50 SandboxCompiler compiler(profile); |
| 49 CHECK(compiler.InsertStringParam("DIR", "/")); | 51 CHECK(compiler.InsertStringParam("DIR", "/")); |
| 50 | 52 |
| 51 std::string error; | 53 std::string error; |
| 52 CHECK(compiler.CompileAndApplyProfile(&error)); | 54 CHECK(compiler.CompileAndApplyProfile(&error)); |
| 53 | 55 |
| 54 return 0; | 56 return 0; |
| 55 } | 57 } |
| 56 | 58 |
| 57 TEST_F(SandboxMacCompilerTest, BasicProfileTestWithParam) { | 59 TEST_F(SandboxMacCompilerTest, BasicProfileTestWithParam) { |
| 58 base::SpawnChildResult spawn_child = | 60 base::SpawnChildResult spawn_child = |
| 59 SpawnChild("BasicProfileWithParamProcess"); | 61 SpawnChild("BasicProfileWithParamProcess"); |
| 60 ASSERT_TRUE(spawn_child.process.IsValid()); | 62 ASSERT_TRUE(spawn_child.process.IsValid()); |
| 61 int exit_code = 42; | 63 int exit_code = 42; |
| 62 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( | 64 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( |
| 63 TestTimeouts::action_max_timeout(), &exit_code)); | 65 TestTimeouts::action_max_timeout(), &exit_code)); |
| 64 EXPECT_EQ(exit_code, 0); | 66 EXPECT_EQ(exit_code, 0); |
| 65 } | 67 } |
| 66 | 68 |
| 67 MULTIPROCESS_TEST_MAIN(ProfileFunctionalProcess) { | 69 MULTIPROCESS_TEST_MAIN(ProfileFunctionalProcess) { |
| 68 std::string profile = | 70 std::string profile = |
| 69 "(version 1)" | 71 "(version 1)" |
| 70 "(debug deny)" | 72 "(deny default (with no-log))" |
| 71 "(allow file-read-data file-read-metadata (literal \"/dev/urandom\"))"; | 73 "(allow file-read-data file-read-metadata (literal \"/dev/urandom\"))"; |
| 72 | 74 |
| 73 SandboxCompiler compiler(profile); | 75 SandboxCompiler compiler(profile); |
| 74 | 76 |
| 75 std::string error; | 77 std::string error; |
| 76 CHECK(compiler.CompileAndApplyProfile(&error)); | 78 CHECK(compiler.CompileAndApplyProfile(&error)); |
| 77 | 79 |
| 78 // The profile compiled and applied successfully, now try and read 1 byte from | 80 // The profile compiled and applied successfully, now try and read 1 byte from |
| 79 // /dev/urandom. | 81 // /dev/urandom. |
| 80 uint8_t byte; | 82 uint8_t byte; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 91 ASSERT_TRUE(spawn_child.process.IsValid()); | 93 ASSERT_TRUE(spawn_child.process.IsValid()); |
| 92 int exit_code = 42; | 94 int exit_code = 42; |
| 93 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( | 95 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( |
| 94 TestTimeouts::action_max_timeout(), &exit_code)); | 96 TestTimeouts::action_max_timeout(), &exit_code)); |
| 95 EXPECT_EQ(exit_code, 0); | 97 EXPECT_EQ(exit_code, 0); |
| 96 } | 98 } |
| 97 | 99 |
| 98 MULTIPROCESS_TEST_MAIN(ProfileFunctionalTestWithParamsProcess) { | 100 MULTIPROCESS_TEST_MAIN(ProfileFunctionalTestWithParamsProcess) { |
| 99 std::string profile = | 101 std::string profile = |
| 100 "(version 1)" | 102 "(version 1)" |
| 101 "(debug deny)" | 103 "(deny default (with no-log))" |
| 102 "(if (string=? (param \"ALLOW_FILE\") \"TRUE\")" | 104 "(if (string=? (param \"ALLOW_FILE\") \"TRUE\")" |
| 103 " (allow file-read-data file-read-metadata (literal (param " | 105 " (allow file-read-data file-read-metadata (literal (param " |
| 104 "\"URANDOM\"))))"; | 106 "\"URANDOM\"))))"; |
| 105 | 107 |
| 106 SandboxCompiler compiler(profile); | 108 SandboxCompiler compiler(profile); |
| 107 | 109 |
| 108 CHECK(compiler.InsertBooleanParam("ALLOW_FILE", true)); | 110 CHECK(compiler.InsertBooleanParam("ALLOW_FILE", true)); |
| 109 CHECK(compiler.InsertStringParam("URANDOM", "/dev/urandom")); | 111 CHECK(compiler.InsertStringParam("URANDOM", "/dev/urandom")); |
| 110 | 112 |
| 111 std::string error; | 113 std::string error; |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 154 base::SpawnChildResult spawn_child = | 156 base::SpawnChildResult spawn_child = |
| 155 SpawnChild("ProfileFunctionalityTestErrorProcess"); | 157 SpawnChild("ProfileFunctionalityTestErrorProcess"); |
| 156 ASSERT_TRUE(spawn_child.process.IsValid()); | 158 ASSERT_TRUE(spawn_child.process.IsValid()); |
| 157 int exit_code = 42; | 159 int exit_code = 42; |
| 158 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( | 160 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout( |
| 159 TestTimeouts::action_max_timeout(), &exit_code)); | 161 TestTimeouts::action_max_timeout(), &exit_code)); |
| 160 EXPECT_EQ(exit_code, 0); | 162 EXPECT_EQ(exit_code, 0); |
| 161 } | 163 } |
| 162 | 164 |
| 163 } // namespace sandbox | 165 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2869203003:
Add the SeatbeltExec classes to facilitate the V2 sandbox. (Closed)
