sandbox/mac/sandbox_mac_seatbelt_exec_unittest.cc - Issue 2891933005: Plumb sandbox rules through the helper executable.

Side by Side Diff: sandbox/mac/sandbox_mac_seatbelt_exec_unittest.cc

Issue 2891933005: Plumb sandbox rules through the helper executable. (Closed)

Patch Set: Rebase patch Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « chrome/app/chrome_exe_main_mac.cc ('k') | sandbox/mac/seatbelt_exec.h » ('j') | no next file with comments »

OLD	NEW
1 // Copyright 2017 The Chromium Authors. All rights reserved.	1 // Copyright 2017 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/mac/seatbelt_exec.h"	5 #include "sandbox/mac/seatbelt_exec.h"

6	6

7 #include "base/process/kill.h"	7 #include "base/process/kill.h"

8 #include "base/test/multiprocess_test.h"	8 #include "base/test/multiprocess_test.h"

9 #include "base/test/test_timeouts.h"	9 #include "base/test/test_timeouts.h"

10 #include "testing/gtest/include/gtest/gtest.h"	10 #include "testing/gtest/include/gtest/gtest.h"

(...skipping 13 matching lines...) Expand all Loading...
24 "(allow file-read* (literal (param executable-path)))\n"	24 "(allow file-read* (literal (param executable-path)))\n"

25 "(allow file-read* (subpath (param allowed-dir)))\n";	25 "(allow file-read* (subpath (param allowed-dir)))\n";

26	26

27 SeatbeltExecServer exec_server(-1);	27 SeatbeltExecServer exec_server(-1);

28 std::string exec_path = "/bin/ls";	28 std::string exec_path = "/bin/ls";

29 std::string allowed_path = "/Applications";	29 std::string allowed_path = "/Applications";

30	30

31 mac::SandboxPolicy policy;	31 mac::SandboxPolicy policy;

32 google::protobuf::MapPair<std::string, std::string> allowed_pair(	32 google::protobuf::MapPair<std::string, std::string> allowed_pair(

33 "ALLOWED_READ_DIR", allowed_path);	33 "ALLOWED_READ_DIR", allowed_path);

34 google::protobuf::MapPair<std::string, std::string> exec_pair(

35 "EXECUTABLE_PATH", exec_path);

36 CHECK(policy.mutable_params()->insert(allowed_pair).second);	34 CHECK(policy.mutable_params()->insert(allowed_pair).second);

37 CHECK(policy.mutable_params()->insert(exec_pair).second);

38 policy.set_profile(profile);	35 policy.set_profile(profile);

39	36

	37 CHECK(exec_server.SetParameter("EXECUTABLE_PATH", exec_path));

40 CHECK(exec_server.ApplySandboxProfile(policy));	38 CHECK(exec_server.ApplySandboxProfile(policy));

41	39

42 // Test that the sandbox profile is actually applied.	40 // Test that the sandbox profile is actually applied.

43 struct stat sb;	41 struct stat sb;

44 CHECK_EQ(0, stat(allowed_path.c_str(), &sb));	42 CHECK_EQ(0, stat(allowed_path.c_str(), &sb));

45 CHECK_EQ(-1, stat("/", &sb));	43 CHECK_EQ(-1, stat("/", &sb));

46 CHECK_EQ(0, stat(exec_path.c_str(), &sb));	44 CHECK_EQ(0, stat(exec_path.c_str(), &sb));

47	45

48 return 0;	46 return 0;

49 }	47 }

(...skipping 27 matching lines...) Expand all Loading...
77 TEST_F(SeatbeltExecTest, ClientTest) {	75 TEST_F(SeatbeltExecTest, ClientTest) {

78 base::SpawnChildResult spawn_child = SpawnChild("ClientTest");	76 base::SpawnChildResult spawn_child = SpawnChild("ClientTest");

79 ASSERT_TRUE(spawn_child.process.IsValid());	77 ASSERT_TRUE(spawn_child.process.IsValid());

80 int exit_code = 42;	78 int exit_code = 42;

81 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout(	79 EXPECT_TRUE(spawn_child.process.WaitForExitWithTimeout(

82 TestTimeouts::action_max_timeout(), &exit_code));	80 TestTimeouts::action_max_timeout(), &exit_code));

83 EXPECT_EQ(exit_code, 0);	81 EXPECT_EQ(exit_code, 0);

84 }	82 }

85	83

86 } // namespace sandbox	84 } // namespace sandbox

OLD	NEW