OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #import <Cocoa/Cocoa.h> | 5 #import <Cocoa/Cocoa.h> |
6 #include <dirent.h> | 6 #include <dirent.h> |
7 | 7 |
8 extern "C" { | 8 extern "C" { |
9 #include <sandbox.h> | 9 #include <sandbox.h> |
10 } | 10 } |
(...skipping 109 matching lines...)
120 expected.push_back('^'); | 120 expected.push_back('^'); |
121 for (size_t i = 0; i < in_utf8.length(); ++i) { | 121 for (size_t i = 0; i < in_utf8.length(); ++i) { |
122 expected.push_back('\\'); | 122 expected.push_back('\\'); |
123 expected.push_back(in_utf8[i]); | 123 expected.push_back(in_utf8[i]); |
124 } | 124 } |
125 expected.append(kSandboxEscapeSuffix); | 125 expected.append(kSandboxEscapeSuffix); |
126 | 126 |
127 std::string out; | 127 std::string out; |
128 EXPECT_TRUE(Sandbox::QuoteStringForRegex(in_utf8, &out)); | 128 EXPECT_TRUE(Sandbox::QuoteStringForRegex(in_utf8, &out)); |
129 EXPECT_EQ(expected, out); | 129 EXPECT_EQ(expected, out); |
130 | |
131 } | 130 } |
132 } | 131 } |
133 | 132 |
134 // A class to handle auto-deleting a directory. | 133 // A class to handle auto-deleting a directory. |
135 struct ScopedDirectoryDelete { | 134 struct ScopedDirectoryDelete { |
136 inline void operator()(base::FilePath* x) const { | 135 inline void operator()(base::FilePath* x) const { |
137 if (x) | 136 if (x) |
138 base::DeleteFile(*x, true); | 137 base::DeleteFile(*x, true); |
139 } | 138 } |
140 }; | 139 }; |
(...skipping 30 matching lines...)
171 std::string(sandbox_dir_cases[i]) + kDeniedSuffix; | 170 std::string(sandbox_dir_cases[i]) + kDeniedSuffix; |
172 base::FilePath sibling_sandbox_dir = tmp_dir.Append( | 171 base::FilePath sibling_sandbox_dir = tmp_dir.Append( |
173 sibling_sandbox_dir_name_denied.c_str()); | 172 sibling_sandbox_dir_name_denied.c_str()); |
174 ASSERT_TRUE(CreateDirectory(sibling_sandbox_dir)); | 173 ASSERT_TRUE(CreateDirectory(sibling_sandbox_dir)); |
175 ScopedDirectory cleanup_sandbox_sibling(&sibling_sandbox_dir); | 174 ScopedDirectory cleanup_sandbox_sibling(&sibling_sandbox_dir); |
176 | 175 |
177 EXPECT_TRUE(CheckSandbox(sandbox_dir.value())); | 176 EXPECT_TRUE(CheckSandbox(sandbox_dir.value())); |
178 } | 177 } |
179 } | 178 } |
180 | 179 |
| 180 TEST_F(MacDirAccessSandboxTest, AllowMetadataForPath) { |
| 181 { |
| 182 std::string expected( |
| 183 "(allow file-read-metadata (literal \"/\")(literal \"/System\")" |
| 184 "(literal \"/System/Library\")" |
| 185 "(literal \"/System/Library/Frameworks\"))"); |
| 186 NSString* sandbox_command = Sandbox::AllowMetadataForPath( |
| 187 base::FilePath("/System/Library/Frameworks")); |
| 188 EXPECT_EQ(base::SysNSStringToUTF8(sandbox_command), expected); |
| 189 } |
| 190 } |
| 191 |
181 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) { | 192 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) { |
182 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey); | 193 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey); |
183 if (!sandbox_allowed_dir) | 194 if (!sandbox_allowed_dir) |
184 return -1; | 195 return -1; |
185 | 196 |
186 // Build up a sandbox profile that only allows access to a single directory. | 197 // Build up a sandbox profile that only allows access to a single directory. |
187 NSString *sandbox_profile = | 198 NSString *sandbox_profile = |
188 @"(version 1)" \ | 199 @"(version 1)" \ |
189 "(deny default)" \ | 200 "(deny default)" \ |
190 "(allow signal (target self))" \ | 201 "(allow signal (target self))" \ |
(...skipping 109 matching lines...)
300 PLOG(ERROR) << "Sandbox breach: was able to write (" | 311 PLOG(ERROR) << "Sandbox breach: was able to write (" |
301 << denied_file2.value() | 312 << denied_file2.value() |
302 << ")"; | 313 << ")"; |
303 return -1; | 314 return -1; |
304 } | 315 } |
305 | 316 |
306 return 0; | 317 return 0; |
307 } | 318 } |
308 | 319 |
309 } // namespace content | 320 } // namespace content |
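Review bot: The new AllowMetadataForPath test (new lines 180-190) only pins the output for `/System/Library/Frameworks`, a path with no characters that are special inside a quoted sandbox-profile string. The expected value shows each path component being placed inside `(literal "...")`, so a component containing `"` or `\` would change the structure of the generated rule unless the function escapes it; whether Sandbox::AllowMetadataForPath does so is not visible on this page. I would add a second case with such a component and assert that every component stays inside its own `(literal "...")` form, plus a case for a trailing slash or the bare root `/`. As a smaller point, the assertion passes the actual value first, whereas the QuoteStringForRegex test above uses `EXPECT_EQ(expected, out)`; `EXPECT_EQ(expected, base::SysNSStringToUTF8(sandbox_command));` would keep the file consistent.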