1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include <fcntl.h>
#include <unistd.h>
#include <iostream>
#include <utility>
#include "base/files/scoped_file.h"
#include "base/posix/eintr_wrapper.h"
#include "sandbox/linux/tests/unit_tests.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace sandbox {
namespace {
// NOTE: most tests for the SandboxBPF class are currently in
// integration_tests/.
TEST(SandboxBPF, CreateDestroy) {
// Give an opportunity to dynamic tools to perform some simple testing.
SandboxBPF sandbox(nullptr);
SandboxBPF* sandbox_ptr = new SandboxBPF(nullptr);
delete sandbox_ptr;
}
// This test should execute no matter whether we have kernel support. So,
// we make it a TEST() instead of a BPF_TEST().
TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupports)) {
// We check that we don't crash, but it's ok if the kernel doesn't
// support it.
bool seccomp_bpf_supported = SandboxBPF::SupportsSeccompSandbox(
SandboxBPF::SeccompLevel::SINGLE_THREADED);
bool seccomp_bpf_tsync_supported = SandboxBPF::SupportsSeccompSandbox(
SandboxBPF::SeccompLevel::MULTI_THREADED);
// We want to log whether or not seccomp BPF is actually supported
// since actual test coverage depends on it.
std::cout << "Seccomp BPF supported (single thread): "
<< (seccomp_bpf_supported ? "true." : "false.") << "\n";
std::cout << "Seccomp BPF supported (multi thread): "
<< (seccomp_bpf_tsync_supported ? "true." : "false.") << "\n";
std::cout << "Pointer size: " << sizeof(void*) << "\n";
}
SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupportsTwice)) {
bool single1 = SandboxBPF::SupportsSeccompSandbox(
SandboxBPF::SeccompLevel::SINGLE_THREADED);
bool single2 = SandboxBPF::SupportsSeccompSandbox(
SandboxBPF::SeccompLevel::SINGLE_THREADED);
ASSERT_EQ(single1, single2);
bool multi1 = SandboxBPF::SupportsSeccompSandbox(
SandboxBPF::SeccompLevel::MULTI_THREADED);
bool multi2 = SandboxBPF::SupportsSeccompSandbox(
SandboxBPF::SeccompLevel::MULTI_THREADED);
ASSERT_EQ(multi1, multi2);
// Multi threaded support implies single threaded support.
if (multi1) {
ASSERT_TRUE(single1);
}
}
TEST(SandboxBPF, ProcTaskFdDescriptorGetsClosed) {
int pipe_fds[2];
ASSERT_EQ(0, pipe(pipe_fds));
base::ScopedFD read_end(pipe_fds[0]);
base::ScopedFD write_end(pipe_fds[1]);
{
SandboxBPF sandbox(nullptr);
sandbox.SetProcFd(std::move(write_end));
}
ASSERT_EQ(0, fcntl(read_end.get(), F_SETFL, O_NONBLOCK));
char c;
// Check that the sandbox closed the write_end (read will EOF instead of
// returning EWOULDBLOCK).
ASSERT_EQ(0, read(read_end.get(), &c, 1));
}
} // namespace
} // sandbox
|
