sandbox: Extend BrokerPolicy to support file creation

sandbox/linux/syscall_broker/broker_process_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/syscall_broker/broker_process.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
@@ skipping 12 matching lines @@
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/posix/unix_domain_socket_linux.h"
 #include "sandbox/linux/tests/scoped_temporary_file.h"
 #include "sandbox/linux/tests/test_utils.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace sandbox {
+using syscall_broker::BrokerPermission;
 
 class BrokerProcessTestHelper {
  public:
   static int get_ipc_socketpair(const BrokerProcess* broker) {
     return broker->ipc_socketpair_;
   }
 };
 
 namespace {
 
 bool NoOpCallback() {
   return true;
 }
 
 }  // namespace
 
 TEST(BrokerProcess, CreateAndDestroy) {
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back("/proc/cpuinfo");
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_ONLY("/proc/cpuinfo"));
 
-  scoped_ptr<BrokerProcess> open_broker(
-      new BrokerProcess(EPERM, read_whitelist, std::vector<std::string>()));
+  scoped_ptr<BrokerProcess> open_broker(new BrokerProcess(EPERM, permissions));
   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
 
   ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
   // Destroy the broker and check it has exited properly.
   open_broker.reset();
   ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
 }
 
 TEST(BrokerProcess, TestOpenAccessNull) {
-  const std::vector<std::string> empty;
-  BrokerProcess open_broker(EPERM, empty, empty);
+  std::vector<syscall_broker::BrokerPermission> empty;
+  BrokerProcess open_broker(EPERM, empty);
   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
 
   int fd = open_broker.Open(NULL, O_RDONLY);
   ASSERT_EQ(fd, -EFAULT);
 
   int ret = open_broker.Access(NULL, F_OK);
   ASSERT_EQ(ret, -EFAULT);
 }
 
 void TestOpenFilePerms(bool fast_check_in_client, int denied_errno) {
   const char kR_WhiteListed[] = "/proc/DOESNOTEXIST1";
   // We can't debug the init process, and shouldn't be able to access
   // its auxv file.
   const char kR_WhiteListedButDenied[] = "/proc/1/auxv";
   const char kW_WhiteListed[] = "/proc/DOESNOTEXIST2";
   const char kRW_WhiteListed[] = "/proc/DOESNOTEXIST3";
   const char k_NotWhitelisted[] = "/proc/DOESNOTEXIST4";
 
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back(kR_WhiteListed);
-  read_whitelist.push_back(kR_WhiteListedButDenied);
-  read_whitelist.push_back(kRW_WhiteListed);
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_ONLY(kR_WhiteListed));
+  permissions.push_back(BROKER_PERM_READ_ONLY(kR_WhiteListedButDenied));
+  permissions.push_back(BROKER_PERM_WRITE_ONLY(kW_WhiteListed));
+  permissions.push_back(BROKER_PERM_READ_WRITE(kRW_WhiteListed));
 
-  std::vector<std::string> write_whitelist;
-  write_whitelist.push_back(kW_WhiteListed);
-  write_whitelist.push_back(kRW_WhiteListed);
-
-  BrokerProcess open_broker(
-      denied_errno, read_whitelist, write_whitelist, fast_check_in_client);
+  BrokerProcess open_broker(denied_errno, permissions, fast_check_in_client);
   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
 
   int fd = -1;
   fd = open_broker.Open(kR_WhiteListed, O_RDONLY);
   ASSERT_EQ(fd, -ENOENT);
   fd = open_broker.Open(kR_WhiteListed, O_WRONLY);
   ASSERT_EQ(fd, -denied_errno);
   fd = open_broker.Open(kR_WhiteListed, O_RDWR);
   ASSERT_EQ(fd, -denied_errno);
   int ret = -1;
@@ skipping 124 matching lines @@
   // Don't do anything here, so that ASSERT works in the subfunction as
   // expected.
 }
 
 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheckNoEnt) {
   TestOpenFilePerms(false /* fast_check_in_client */, ENOENT);
   // Don't do anything here, so that ASSERT works in the subfunction as
   // expected.
 }
 
-void TestOpenCpuinfo(bool fast_check_in_client) {
+void TestBadPaths(bool fast_check_in_client) {
   const char kFileCpuInfo[] = "/proc/cpuinfo";
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back(kFileCpuInfo);
+  const char kNotAbsPath[] = "proc/cpuinfo";
+  const char kDotDotStart[] = "/../proc/cpuinfo";
+  const char kDotDotMiddle[] = "/proc/self/../cpuinfo";
+  const char kDotDotEnd[] = "/proc/..";
+  const char kTrailingSlash[] = "/proc/";
 
-  scoped_ptr<BrokerProcess> open_broker(new BrokerProcess(
-      EPERM, read_whitelist, std::vector<std::string>(), fast_check_in_client));
+  std::vector<syscall_broker::BrokerPermission> permissions;
+
+  permissions.push_back(BROKER_PERM_READ_ONLY_RECURSIVE("/proc/"));
+  scoped_ptr<BrokerProcess> open_broker(
+      new BrokerProcess(EPERM, permissions, fast_check_in_client));
+  ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
+  // Open cpuinfo via the broker.
+  int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
+  base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
+  ASSERT_GE(cpuinfo_fd, 0);
+
+  int fd = -1;
+  int can_access;
+
+  can_access = open_broker->Access(kNotAbsPath, R_OK);
+  ASSERT_EQ(can_access, -EPERM);
+  fd = open_broker->Open(kNotAbsPath, O_RDONLY);
+  ASSERT_EQ(fd, -EPERM);
+
+  can_access = open_broker->Access(kDotDotStart, R_OK);
+  ASSERT_EQ(can_access, -EPERM);
+  fd = open_broker->Open(kDotDotStart, O_RDONLY);
+  ASSERT_EQ(fd, -EPERM);
+
+  can_access = open_broker->Access(kDotDotMiddle, R_OK);
+  ASSERT_EQ(can_access, -EPERM);
+  fd = open_broker->Open(kDotDotMiddle, O_RDONLY);
+  ASSERT_EQ(fd, -EPERM);
+
+  can_access = open_broker->Access(kDotDotEnd, R_OK);
+  ASSERT_EQ(can_access, -EPERM);
+  fd = open_broker->Open(kDotDotEnd, O_RDONLY);
+  ASSERT_EQ(fd, -EPERM);
+
+  can_access = open_broker->Access(kTrailingSlash, R_OK);
+  ASSERT_EQ(can_access, -EPERM);
+  fd = open_broker->Open(kTrailingSlash, O_RDONLY);
+  ASSERT_EQ(fd, -EPERM);
+}
+
+TEST(BrokerProcess, BadPathsClientCheck) {
+  TestBadPaths(true /* fast_check_in_client */);
+  // Don't do anything here, so that ASSERT works in the subfunction as
+  // expected.
+}
+
+TEST(BrokerProcess, BadPathsNoClientCheck) {
+  TestBadPaths(false /* fast_check_in_client */);
+  // Don't do anything here, so that ASSERT works in the subfunction as
+  // expected.
+}
+
+void TestOpenCpuinfo(bool fast_check_in_client, bool recursive) {
+  const char kFileCpuInfo[] = "/proc/cpuinfo";
+  const char kDirProc[] = "/proc/";
+
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  if (recursive)
+    permissions.push_back(BROKER_PERM_READ_ONLY_RECURSIVE(kDirProc));
+  else
+    permissions.push_back(BROKER_PERM_READ_ONLY(kFileCpuInfo));
+
+  scoped_ptr<BrokerProcess> open_broker(
+      new BrokerProcess(EPERM, permissions, fast_check_in_client));
   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
 
   int fd = -1;
   fd = open_broker->Open(kFileCpuInfo, O_RDWR);
   base::ScopedFD fd_closer(fd);
   ASSERT_EQ(fd, -EPERM);
 
   // Check we can read /proc/cpuinfo.
   int can_access = open_broker->Access(kFileCpuInfo, R_OK);
   ASSERT_EQ(can_access, 0);
@@ skipping 23 matching lines @@
   ASSERT_EQ(read_len1, read_len2);
   // Compare the cpuinfo as returned by the broker with the one we opened
   // ourselves.
   ASSERT_EQ(memcmp(buf, buf2, read_len1), 0);
 
   ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
   open_broker.reset();
   ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
 }
 
-// Run the same thing twice. The second time, we make sure that no security
-// check is performed on the client.
+// Run this test 4 times. With and without the check in client
+// and using a recursive path.
 TEST(BrokerProcess, OpenCpuinfoWithClientCheck) {
-  TestOpenCpuinfo(true /* fast_check_in_client */);
+  TestOpenCpuinfo(true /* fast_check_in_client */, false /* not recursive */);
   // Don't do anything here, so that ASSERT works in the subfunction as
   // expected.
 }
 
 TEST(BrokerProcess, OpenCpuinfoNoClientCheck) {
-  TestOpenCpuinfo(false /* fast_check_in_client */);
+  TestOpenCpuinfo(false /* fast_check_in_client */, false /* not recursive */);
   // Don't do anything here, so that ASSERT works in the subfunction as
   // expected.
 }
+
+TEST(BrokerProcess, OpenCpuinfoWithClientCheckRecursive) {
+  TestOpenCpuinfo(true /* fast_check_in_client */, true /* recursive */);
+  // Don't do anything here, so that ASSERT works in the subfunction as
+  // expected.
+}
+
+TEST(BrokerProcess, OpenCpuinfoNoClientCheckRecursive) {
+  TestOpenCpuinfo(false /* fast_check_in_client */, true /* recursive */);
+  // Don't do anything here, so that ASSERT works in the subfunction as
+  // expected.
+}
 
 TEST(BrokerProcess, OpenFileRW) {
   ScopedTemporaryFile tempfile;
   const char* tempfile_name = tempfile.full_file_name();
 
-  std::vector<std::string> whitelist;
-  whitelist.push_back(tempfile_name);
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_WRITE(tempfile_name));
 
-  BrokerProcess open_broker(EPERM, whitelist, whitelist);
+  BrokerProcess open_broker(EPERM, permissions);
   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
 
   // Check we can access that file with read or write.
   int can_access = open_broker.Access(tempfile_name, R_OK | W_OK);
   ASSERT_EQ(can_access, 0);
 
   int tempfile2 = -1;
   tempfile2 = open_broker.Open(tempfile_name, O_RDWR);
   ASSERT_GE(tempfile2, 0);
 
   // Write to the descriptor opened by the broker.
   char test_text[] = "TESTTESTTEST";
   ssize_t len = write(tempfile2, test_text, sizeof(test_text));
   ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
 
   // Read back from the original file descriptor what we wrote through
   // the descriptor provided by the broker.
   char buf[1024];
   len = read(tempfile.fd(), buf, sizeof(buf));
 
   ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
   ASSERT_EQ(memcmp(test_text, buf, sizeof(test_text)), 0);
 
   ASSERT_EQ(close(tempfile2), 0);
 }
 
 // SANDBOX_TEST because the process could die with a SIGPIPE
 // and we want this to happen in a subprocess.
 SANDBOX_TEST(BrokerProcess, BrokerDied) {
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back("/proc/cpuinfo");
+  const char kCpuInfo[] = "/proc/cpuinfo";
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_ONLY(kCpuInfo));
 
-  BrokerProcess open_broker(EPERM,
-                            read_whitelist,
-                            std::vector<std::string>(),
-                            true /* fast_check_in_client */,
+  BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
                             true /* quiet_failures_for_tests */);
   SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
   const pid_t broker_pid = open_broker.broker_pid();
   SANDBOX_ASSERT(kill(broker_pid, SIGKILL) == 0);
 
   // Now we check that the broker has been signaled, but do not reap it.
   siginfo_t process_info;
   SANDBOX_ASSERT(HANDLE_EINTR(waitid(
                      P_PID, broker_pid, &process_info, WEXITED | WNOWAIT)) ==
                  0);
   SANDBOX_ASSERT(broker_pid == process_info.si_pid);
   SANDBOX_ASSERT(CLD_KILLED == process_info.si_code);
   SANDBOX_ASSERT(SIGKILL == process_info.si_status);
 
   // Check that doing Open with a dead broker won't SIGPIPE us.
-  SANDBOX_ASSERT(open_broker.Open("/proc/cpuinfo", O_RDONLY) == -ENOMEM);
-  SANDBOX_ASSERT(open_broker.Access("/proc/cpuinfo", O_RDONLY) == -ENOMEM);
+  SANDBOX_ASSERT(open_broker.Open(kCpuInfo, O_RDONLY) == -ENOMEM);
+  SANDBOX_ASSERT(open_broker.Access(kCpuInfo, O_RDONLY) == -ENOMEM);
 }
 
 void TestOpenComplexFlags(bool fast_check_in_client) {
   const char kCpuInfo[] = "/proc/cpuinfo";
-  std::vector<std::string> whitelist;
-  whitelist.push_back(kCpuInfo);
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_ONLY(kCpuInfo));
 
-  BrokerProcess open_broker(EPERM, whitelist, whitelist, fast_check_in_client);
+  BrokerProcess open_broker(EPERM, permissions, fast_check_in_client);
   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
   // Test that we do the right thing for O_CLOEXEC and O_NONBLOCK.
   int fd = -1;
   int ret = 0;
   fd = open_broker.Open(kCpuInfo, O_RDONLY);
   ASSERT_GE(fd, 0);
   ret = fcntl(fd, F_GETFL);
   ASSERT_NE(-1, ret);
   // The descriptor shouldn't have the O_CLOEXEC attribute, nor O_NONBLOCK.
   ASSERT_EQ(0, ret & (O_CLOEXEC | O_NONBLOCK));
@@ skipping 58 matching lines @@
 
   // Valgrind doesn't allow changing the hard descriptor limit, so we only
   // change the soft descriptor limit here.
   struct rlimit rlim;
   SANDBOX_ASSERT(0 == getrlimit(RLIMIT_NOFILE, &rlim));
   SANDBOX_ASSERT(fd_limit <= rlim.rlim_cur);
   rlim.rlim_cur = fd_limit;
   SANDBOX_ASSERT(0 == setrlimit(RLIMIT_NOFILE, &rlim));
 
   static const char kCpuInfo[] = "/proc/cpuinfo";
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back(kCpuInfo);
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_ONLY(kCpuInfo));
 
-  BrokerProcess open_broker(EPERM, read_whitelist, std::vector<std::string>());
+  BrokerProcess open_broker(EPERM, permissions);
   SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
 
   const int ipc_fd = BrokerProcessTestHelper::get_ipc_socketpair(&open_broker);
   SANDBOX_ASSERT(ipc_fd >= 0);
 
   static const char kBogus[] = "not a pickle";
   std::vector<int> fds;
   fds.push_back(message_fd.get());
 
   // The broker process should only have a couple spare file descriptors
   // available, but for good measure we send it fd_limit bogus IPCs anyway.
   for (rlim_t i = 0; i < fd_limit; ++i) {
     SANDBOX_ASSERT(
         UnixDomainSocket::SendMsg(ipc_fd, kBogus, sizeof(kBogus), fds));
   }
 
   const int fd = open_broker.Open(kCpuInfo, O_RDONLY);
   SANDBOX_ASSERT(fd >= 0);
   SANDBOX_ASSERT(0 == IGNORE_EINTR(close(fd)));
 }
 
+void GetTempFileName(char* name, size_t len) {
+#if defined(OS_ANDROID)
+  static const char file_template[] = "/data/local/tmp/BrokerTempFileXXXXXX";
+#else
+  static const char file_template[] = "/tmp/BrokerTempFileXXXXXX";
+#endif  // defined(OS_ANDROID)
+
+  ASSERT_GT(len, sizeof(file_template));
+
+  strncpy(name, file_template, len);
+  int fd = mkstemp(name);
+  ASSERT_GT(fd, 0);
+  ASSERT_EQ(0, unlink(name));
+  ASSERT_EQ(0, IGNORE_EINTR(close(fd)));
+}
+
+TEST(BrokerProcess, CreateFile) {
+  char tempfile_name[256] = "";
+
+  GetTempFileName(tempfile_name, sizeof(tempfile_name));
+
+  std::vector<syscall_broker::BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_WRITE_CREATE(tempfile_name));
+
+  BrokerProcess open_broker(EPERM, permissions);
+  ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
+
+  int fd = -1;
+
+  // Try without O_EXCL
+  fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT);
+  ASSERT_EQ(fd, -1);
+
+  // Create a file
+  fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
+  ASSERT_GE(fd, 0);
+
+  // Write to the descriptor opened by the broker.
+  char test_text[] = "TESTTESTTEST";
+  ssize_t len = write(fd, test_text, sizeof(test_text));
+  ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
+
+  ASSERT_EQ(close(fd), 0);
+
+  int fd_check = open(tempfile_name, O_RDONLY);
+  ASSERT_GE(fd_check, 0);
+  char buf[1024];
+  len = read(fd_check, buf, sizeof(buf));
+
+  ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
+  ASSERT_EQ(memcmp(test_text, buf, sizeof(test_text)), 0);
+
+  ASSERT_EQ(close(fd_check), 0);
+}
+
 }  // namespace sandbox