
Side by Side Diff: content/common/sandbox_mac_diraccess_unittest.mm

Issue 470693004: Revert of Fix Mac sandbox meta data access (reland) (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 4 months ago
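--- a/content/common/sandbox_mac_diraccess_unittest.mm
+++ b/content/common/sandbox_mac_diraccess_unittest.mm
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import <Cocoa/Cocoa.h>
 #include <dirent.h>
 
 extern "C" {
 #include <sandbox.h>
 }
@@ -120,20 +120,21 @@
 expected.push_back('^');
 for (size_t i = 0; i < in_utf8.length(); ++i) {
 expected.push_back('\\');
 expected.push_back(in_utf8[i]);
 }
 expected.append(kSandboxEscapeSuffix);
 
 std::string out;
 EXPECT_TRUE(Sandbox::QuoteStringForRegex(in_utf8, &out));
 EXPECT_EQ(expected, out);
+
 }
 }
 
 // A class to handle auto-deleting a directory.
 struct ScopedDirectoryDelete {
 inline void operator()(base::FilePath* x) const {
 if (x)
 base::DeleteFile(*x, true);
 }
 };
@@ -170,32 +171,20 @@
 std::string(sandbox_dir_cases[i]) + kDeniedSuffix;
 base::FilePath sibling_sandbox_dir = tmp_dir.Append(
 sibling_sandbox_dir_name_denied.c_str());
 ASSERT_TRUE(CreateDirectory(sibling_sandbox_dir));
 ScopedDirectory cleanup_sandbox_sibling(&sibling_sandbox_dir);
 
 EXPECT_TRUE(CheckSandbox(sandbox_dir.value()));
 }
 }
 
-TEST_F(MacDirAccessSandboxTest, AllowMetadataForPath) {
-{
-std::string expected(
-"(allow file-read-metadata (literal \"/\")(literal \"/System\")"
-"(literal \"/System/Library\")"
-"(literal \"/System/Library/Frameworks\"))");
-NSString* sandbox_command = Sandbox::AllowMetadataForPath(
-base::FilePath("/System/Library/Frameworks"));
-EXPECT_EQ(base::SysNSStringToUTF8(sandbox_command), expected);
-}
-}
-
 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey);
 if (!sandbox_allowed_dir)
 return -1;
 
 // Build up a sandbox profile that only allows access to a single directory.
 NSString *sandbox_profile =
 @"(version 1)" \
 "(deny default)" \
 "(allow signal (target self))" \
@@ -311,10 +300,10 @@
 PLOG(ERROR) << "Sandbox breach: was able to write ("
 << denied_file2.value()
 << ")";
 return -1;
 }
 
 return 0;
 }
 
 } // namespace content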