
Side by Side Diff: content/common/sandbox_mac_diraccess_unittest.mm

Issue 472513002: Fix Mac sandbox meta data access (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 4 months ago
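--- a/content/common/sandbox_mac_diraccess_unittest.mm
+++ b/content/common/sandbox_mac_diraccess_unittest.mm
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import <Cocoa/Cocoa.h>
 #include <dirent.h>
 
 extern "C" {
 #include <sandbox.h>
 }
@@ -120,21 +120,20 @@
 expected.push_back('^');
 for (size_t i = 0; i < in_utf8.length(); ++i) {
 expected.push_back('\\');
 expected.push_back(in_utf8[i]);
 }
 expected.append(kSandboxEscapeSuffix);
 
 std::string out;
 EXPECT_TRUE(Sandbox::QuoteStringForRegex(in_utf8, &out));
 EXPECT_EQ(expected, out);
-
 }
 }
 
 // A class to handle auto-deleting a directory.
 struct ScopedDirectoryDelete {
 inline void operator()(base::FilePath* x) const {
 if (x)
 base::DeleteFile(*x, true);
 }
 };
@@ -171,20 +170,32 @@
 std::string(sandbox_dir_cases[i]) + kDeniedSuffix;
 base::FilePath sibling_sandbox_dir = tmp_dir.Append(
 sibling_sandbox_dir_name_denied.c_str());
 ASSERT_TRUE(CreateDirectory(sibling_sandbox_dir));
 ScopedDirectory cleanup_sandbox_sibling(&sibling_sandbox_dir);
 
 EXPECT_TRUE(CheckSandbox(sandbox_dir.value()));
 }
 }
 
+TEST_F(MacDirAccessSandboxTest, AllowMetadataForPath) {
+{
+std::string expected(
+"(allow file-read-metadata (literal \"/\")(literal \"/System\")"
+"(literal \"/System/Library\")"
+"(literal \"/System/Library/Frameworks\"))");
+NSString* sandbox_command = Sandbox::AllowMetadataForPath(
+base::FilePath("/System/Library/Frameworks"));
+EXPECT_EQ(base::SysNSStringToUTF8(sandbox_command), expected);
+}
+}
+
 MULTIPROCESS_TEST_MAIN(mac_sandbox_path_access) {
 char *sandbox_allowed_dir = getenv(kSandboxAccessPathKey);
 if (!sandbox_allowed_dir)
 return -1;
 
 // Build up a sandbox profile that only allows access to a single directory.
 NSString *sandbox_profile =
 @"(version 1)" \
 "(deny default)" \
 "(allow signal (target self))" \
@@ -300,10 +311,10 @@
 PLOG(ERROR) << "Sandbox breach: was able to write ("
 << denied_file2.value()
 << ")";
 return -1;
 }
 
 return 0;
 }
 
 } // namespace content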
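Review bot: The new AllowMetadataForPath test checks only one plain ASCII path, so nothing pins how a path component containing `"` or `\` is rendered inside the generated `(literal "...")` terms. The implementation is in content/common/sandbox_mac.mm and is not visible on this page, so whether it quotes components cannot be confirmed from here. Because the expected string is a sandbox profile rule, a second case with such a component, and one with a trailing slash, would be worth adding next to the existing one. Separately, the assertion passes the actual value first, unlike `EXPECT_EQ(expected, out);` earlier in the file; `EXPECT_EQ(expected, base::SysNSStringToUTF8(sandbox_command));` would match that convention and keep failure output labelled consistently. The extra inner braces around the single case can also be dropped.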