From 1f59ace540ec21aad2b99a6e50d1136448df23c9 Mon Sep 17 00:00:00 2001 From: "jorgelo@chromium.org" Date: Fri, 26 Jul 2013 13:36:06 +0000 Subject: Create Sandbox{Linux|Win}Test and add Linux SandboxStatus test. The resulting BrowserTest can be run on Chrome OS successfully. (Reland with fix for ASan.) BUG=None TEST=Passes TBR=sky Review URL: https://chromiumcodereview.appspot.com/20133003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@213887 0039d316-1c4b-4281-b951-d872f2087c98 --- chrome/chrome_tests.gypi | 3 +- chrome/test/security_tests/sandbox_browsertest.cc | 27 ----------------- .../security_tests/sandbox_browsertest_linux.cc | 34 ++++++++++++++++++++++ .../test/security_tests/sandbox_browsertest_win.cc | 25 ++++++++++++++++ 4 files changed, 61 insertions(+), 28 deletions(-) delete mode 100644 chrome/test/security_tests/sandbox_browsertest.cc create mode 100644 chrome/test/security_tests/sandbox_browsertest_linux.cc create mode 100644 chrome/test/security_tests/sandbox_browsertest_win.cc
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 791c930..7895407 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1719,7 +1719,8 @@
 'test/gpu/gpu_feature_browsertest.cc',
 'test/gpu/webgl_infobar_browsertest.cc',
 'test/ppapi/ppapi_browsertest.cc',
- 'test/security_tests/sandbox_browsertest.cc',
+ 'test/security_tests/sandbox_browsertest_linux.cc',
+ 'test/security_tests/sandbox_browsertest_win.cc',
 # TODO(craig): Rename this and run from base_unittests when the test
 # is safe to run there. See http://crbug.com/78722 for details.
 '../base/files/file_path_watcher_browsertest.cc',
diff --git a/chrome/test/security_tests/sandbox_browsertest.cc b/chrome/test/security_tests/sandbox_browsertest.cc
deleted file mode 100644
index 8b09a95..0000000
--- a/chrome/test/security_tests/sandbox_browsertest.cc
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/command_line.h"
-#include "chrome/browser/ui/browser.h"
-#include "chrome/browser/ui/tabs/tab_strip_model.h"
-#include "chrome/common/chrome_switches.h"
-#include "chrome/test/base/in_process_browser_test.h"
-
-class SandboxTest : public InProcessBrowserTest {
- protected:
- SandboxTest() : InProcessBrowserTest() {}
-
- virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
- command_line->AppendSwitchASCII(switches::kTestSandbox,
- "security_tests.dll");
- }
-};
-
-// Need a cross-platform test library: http://crbug.com/45771
-#if defined(OS_WIN)
-// Verifies that chrome is running properly.
-IN_PROC_BROWSER_TEST_F(SandboxTest, ExecuteDll) {
- EXPECT_EQ(1, browser()->tab_strip_model()->count());
-}
-#endif
diff --git a/chrome/test/security_tests/sandbox_browsertest_linux.cc b/chrome/test/security_tests/sandbox_browsertest_linux.cc
new file mode 100644
index 0000000..f9c26599
--- /dev/null
+++ b/chrome/test/security_tests/sandbox_browsertest_linux.cc
@@ -0,0 +1,34 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/test/base/in_process_browser_test.h"
+#include "content/public/browser/zygote_host_linux.h"
+#include "content/public/common/sandbox_linux.h"
+
+typedef InProcessBrowserTest SandboxLinuxTest;
+
+// Both the SUID sandbox (http://crbug.com/137653) and the Seccomp-BPF sandbox
+// are currently incompatible with ASan.
+#if defined(OS_LINUX) && !defined(ADDRESS_SANITIZER)
+#define MAYBE_SandboxStatus \
+ SandboxStatus
+#else
+#define MAYBE_SandboxStatus \
+ DISABLED_SandboxStatus
+#endif
+
+IN_PROC_BROWSER_TEST_F(SandboxLinuxTest, MAYBE_SandboxStatus) {
+ // Get expected sandboxing status of renderers.
+ const int status = content::ZygoteHost::GetInstance()->GetSandboxStatus();
+
+ // The setuid sandbox is required as our first-layer sandbox.
+ bool good_layer1 = status & content::kSandboxLinuxSUID &&
+ status & content::kSandboxLinuxPIDNS &&
+ status & content::kSandboxLinuxNetNS;
+ // A second-layer sandbox is also required to be adequately sandboxed.
+ bool good_layer2 = status & content::kSandboxLinuxSeccompBpf;
+
+ EXPECT_TRUE(good_layer1);
+ EXPECT_TRUE(good_layer2);
+}
diff --git a/chrome/test/security_tests/sandbox_browsertest_win.cc b/chrome/test/security_tests/sandbox_browsertest_win.cc
new file mode 100644
index 0000000..05c10bb
--- /dev/null
+++ b/chrome/test/security_tests/sandbox_browsertest_win.cc
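Review bot: The `#if defined(OS_LINUX) && !defined(ADDRESS_SANITIZER)` guard in sandbox_browsertest_linux.cc is evaluated without a direct include of `build/build_config.h`, so if `OS_LINUX` does not arrive through one of the three visible includes, the test is named `DISABLED_SandboxStatus` and this sandbox check silently stops running. Adding `#include "build/build_config.h"` beside the other includes makes the guard independent of transitive includes. The two bare `EXPECT_TRUE` lines also do not report which layer bit was missing; `EXPECT_TRUE(good_layer1) << "sandbox status: " << status;` (and the same for `good_layer2`) would make a bot failure diagnosable. Since the hunk's own comment calls the value the expected status of renderers, a one-line comment stating that the test reads what `ZygoteHost` reports rather than inspecting a live renderer process would keep readers from over-trusting a pass.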
@@ -0,0 +1,25 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/command_line.h"
+#include "chrome/browser/ui/browser.h"
+#include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/test/base/in_process_browser_test.h"
+
+class SandboxWinTest : public InProcessBrowserTest {
+ protected:
+ SandboxWinTest() : InProcessBrowserTest() {}
+
+ virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
+ command_line->AppendSwitchASCII(switches::kTestSandbox,
+ "security_tests.dll");
+ }
+};
+
+// Need a cross-platform test library: http://crbug.com/45771
+// Verifies that chrome is running properly.
+IN_PROC_BROWSER_TEST_F(SandboxWinTest, ExecuteDll) {
+ EXPECT_EQ(1, browser()->tab_strip_model()->count());
+}
-- cgit v1.1
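Review bot: `ExecuteDll` in sandbox_browsertest_win.cc asserts only `EXPECT_EQ(1, browser()->tab_strip_model()->count())`, so as far as this hunk shows it never observes what `security_tests.dll` did after `SetUpCommandLine` passed it through `switches::kTestSandbox`. If a failing check inside the DLL is meant to bring the renderer down, the test comment should say so, for example `// Passes only if the renderer survives the checks in security_tests.dll (TODO confirm).`; otherwise the test may pass while the sandbox checks fail. The retained `// Need a cross-platform test library: http://crbug.com/45771` line used to explain the removed `#if defined(OS_WIN)` guard and now reads as part of the test description, so it is better moved to the file header or reworded.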