OLD | NEW |
(Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/linux/services/namespace_sandbox.h" |
| 6 |
| 7 #include <sys/syscall.h> |
| 8 #include <sys/types.h> |
| 9 #include <sys/wait.h> |
| 10 #include <unistd.h> |
| 11 |
| 12 #include <string> |
| 13 |
| 14 #include "base/command_line.h" |
| 15 #include "base/files/file_enumerator.h" |
| 16 #include "base/files/file_path.h" |
| 17 #include "base/logging.h" |
| 18 #include "base/memory/scoped_ptr.h" |
| 19 #include "base/process/launch.h" |
| 20 #include "base/process/process.h" |
| 21 #include "base/test/multiprocess_test.h" |
| 22 #include "sandbox/linux/services/credentials.h" |
| 23 #include "sandbox/linux/services/namespace_utils.h" |
| 24 #include "sandbox/linux/tests/unit_tests.h" |
| 25 #include "testing/gtest/include/gtest/gtest.h" |
| 26 #include "testing/multiprocess_func_list.h" |
| 27 |
| 28 namespace sandbox { |
| 29 |
| 30 namespace { |
| 31 |
| 32 bool RootDirectoryIsEmpty() { |
| 33 base::FilePath root("/"); |
| 34 int file_type = |
| 35 base::FileEnumerator::DIRECTORIES | base::FileEnumerator::FILES; |
| 36 base::FileEnumerator enumerator_before(root, false, file_type); |
| 37 return enumerator_before.Next().empty(); |
| 38 } |
| 39 |
| 40 class NamespaceSandboxTest : public base::MultiProcessTest { |
| 41 public: |
| 42 void TestProc(const std::string& procname) { |
| 43 if (!Credentials::CanCreateProcessInNewUserNS()) { |
| 44 return; |
| 45 } |
| 46 |
| 47 base::LaunchOptions options; |
| 48 |
| 49 base::FileHandleMappingVector fds_to_map; |
| 50 fds_to_map.push_back(std::make_pair(STDOUT_FILENO, STDOUT_FILENO)); |
| 51 fds_to_map.push_back(std::make_pair(STDERR_FILENO, STDERR_FILENO)); |
| 52 options.fds_to_remap = &fds_to_map; |
| 53 |
| 54 NamespaceSandbox namespace_sandbox; |
| 55 namespace_sandbox.SetupLaunchOptions(&options, &fds_to_map); |
| 56 |
| 57 base::Process process(SpawnChildWithOptions(procname, options)); |
| 58 ASSERT_TRUE(process.IsValid()); |
| 59 namespace_sandbox.PrepareSandboxedProcess(process.Pid()); |
| 60 |
| 61 const int kDummyExitCode = 42; |
| 62 int exit_code = kDummyExitCode; |
| 63 EXPECT_TRUE(process.WaitForExit(&exit_code)); |
| 64 EXPECT_EQ(0, exit_code); |
| 65 } |
| 66 }; |
| 67 |
| 68 MULTIPROCESS_TEST_MAIN(SimpleChildProcess) { |
| 69 scoped_ptr<base::Environment> env(base::Environment::Create()); |
| 70 bool in_user_ns = NamespaceSandbox::InNewUserNamespace(); |
| 71 bool in_pid_ns = NamespaceSandbox::InNewPidNamespace(); |
| 72 bool in_net_ns = NamespaceSandbox::InNewNetNamespace(); |
| 73 CHECK(in_user_ns); |
| 74 CHECK_EQ(in_pid_ns, |
| 75 NamespaceUtils::KernelSupportsUnprivilegedNamespace(CLONE_NEWPID)); |
| 76 CHECK_EQ(in_net_ns, |
| 77 NamespaceUtils::KernelSupportsUnprivilegedNamespace(CLONE_NEWNET)); |
| 78 if (in_pid_ns) { |
| 79 CHECK_EQ(1, getpid()); |
| 80 } |
| 81 return 0; |
| 82 } |
| 83 |
| 84 TEST_F(NamespaceSandboxTest, BasicUsage) { |
| 85 TestProc("SimpleChildProcess"); |
| 86 } |
| 87 |
| 88 MULTIPROCESS_TEST_MAIN(ChrootMe) { |
| 89 CHECK(!RootDirectoryIsEmpty()); |
| 90 CHECK(sandbox::Credentials::MoveToNewUserNS()); |
| 91 CHECK(sandbox::Credentials::DropFileSystemAccess()); |
| 92 CHECK(RootDirectoryIsEmpty()); |
| 93 return 0; |
| 94 } |
| 95 |
| 96 TEST_F(NamespaceSandboxTest, ChrootAndDropCapabilities) { |
| 97 TestProc("ChrootMe"); |
| 98 } |
| 99 |
| 100 MULTIPROCESS_TEST_MAIN(NestedNamespaceSandbox) { |
| 101 base::LaunchOptions options; |
| 102 |
| 103 base::FileHandleMappingVector fds_to_map; |
| 104 fds_to_map.push_back(std::make_pair(STDOUT_FILENO, STDOUT_FILENO)); |
| 105 fds_to_map.push_back(std::make_pair(STDERR_FILENO, STDERR_FILENO)); |
| 106 options.fds_to_remap = &fds_to_map; |
| 107 |
| 108 NamespaceSandbox namespace_sandbox; |
| 109 namespace_sandbox.SetupLaunchOptions(&options, &fds_to_map); |
| 110 |
| 111 base::CommandLine command_line(base::FilePath("/bin/true")); |
| 112 base::Process process(base::LaunchProcess(command_line, options)); |
| 113 CHECK(process.IsValid()); |
| 114 namespace_sandbox.PrepareSandboxedProcess(process.Pid()); |
| 115 |
| 116 const int kDummyExitCode = 42; |
| 117 int exit_code = kDummyExitCode; |
| 118 CHECK(process.WaitForExit(&exit_code)); |
| 119 CHECK_EQ(0, exit_code); |
| 120 return 0; |
| 121 } |
| 122 |
| 123 TEST_F(NamespaceSandboxTest, NestedNamespaceSandbox) { |
| 124 TestProc("NestedNamespaceSandbox"); |
| 125 } |
| 126 |
| 127 } // namespace |
| 128 |
| 129 } // namespace sandbox |
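Review bot: `TestProc` returns silently when `Credentials::CanCreateProcessInNewUserNS()` is false (new lines 43-45), so on a host without unprivileged user namespaces all three tests report success without ever launching a sandboxed child, and a regression in the namespace sandbox would go unnoticed there. Make the skip visible, for example with `LOG(WARNING) << "Unprivileged user namespaces unavailable; skipping " << procname;` before the `return;`. Separately, `ChrootAndDropCapabilities` only asserts the empty root in `ChrootMe`; nothing in the child checks that capabilities were actually dropped, so either add that assertion or rename the test. The `env` local in `SimpleChildProcess` (new line 69) is never used and can be removed.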