1*ec63e07aSXin Li // Copyright 2019 Google LLC
2*ec63e07aSXin Li //
3*ec63e07aSXin Li // Licensed under the Apache License, Version 2.0 (the "License");
4*ec63e07aSXin Li // you may not use this file except in compliance with the License.
5*ec63e07aSXin Li // You may obtain a copy of the License at
6*ec63e07aSXin Li //
7*ec63e07aSXin Li // https://www.apache.org/licenses/LICENSE-2.0
8*ec63e07aSXin Li //
9*ec63e07aSXin Li // Unless required by applicable law or agreed to in writing, software
10*ec63e07aSXin Li // distributed under the License is distributed on an "AS IS" BASIS,
11*ec63e07aSXin Li // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*ec63e07aSXin Li // See the License for the specific language governing permissions and
13*ec63e07aSXin Li // limitations under the License.
14*ec63e07aSXin Li
15*ec63e07aSXin Li #include "sandboxed_api/sandbox2/ipc.h"
16*ec63e07aSXin Li
17*ec63e07aSXin Li #include <memory>
18*ec63e07aSXin Li #include <string>
19*ec63e07aSXin Li #include <utility>
20*ec63e07aSXin Li #include <vector>
21*ec63e07aSXin Li
22*ec63e07aSXin Li #include "gtest/gtest.h"
23*ec63e07aSXin Li #include "sandboxed_api/sandbox2/comms.h"
24*ec63e07aSXin Li #include "sandboxed_api/sandbox2/executor.h"
25*ec63e07aSXin Li #include "sandboxed_api/sandbox2/policy.h"
26*ec63e07aSXin Li #include "sandboxed_api/sandbox2/result.h"
27*ec63e07aSXin Li #include "sandboxed_api/sandbox2/sandbox2.h"
28*ec63e07aSXin Li #include "sandboxed_api/testing.h"
29*ec63e07aSXin Li #include "sandboxed_api/util/status_matchers.h"
30*ec63e07aSXin Li
31*ec63e07aSXin Li namespace sandbox2 {
32*ec63e07aSXin Li namespace {
33*ec63e07aSXin Li
34*ec63e07aSXin Li using ::sapi::CreateDefaultPermissiveTestPolicy;
35*ec63e07aSXin Li using ::sapi::GetTestSourcePath;
36*ec63e07aSXin Li
37*ec63e07aSXin Li constexpr int kPreferredIpcFd = 812;
38*ec63e07aSXin Li
39*ec63e07aSXin Li class IPCTest : public testing::Test,
40*ec63e07aSXin Li public testing::WithParamInterface<int> {};
41*ec63e07aSXin Li
42*ec63e07aSXin Li // This test verifies that mapping fds by name works if the sandbox is enabled
43*ec63e07aSXin Li // before execve.
TEST_P(IPCTest,MapFDByNamePreExecve)44*ec63e07aSXin Li TEST_P(IPCTest, MapFDByNamePreExecve) {
45*ec63e07aSXin Li const int fd = GetParam();
46*ec63e07aSXin Li const std::string path = GetTestSourcePath("sandbox2/testcases/ipc");
47*ec63e07aSXin Li std::vector<std::string> args = {path, "1", std::to_string(fd)};
48*ec63e07aSXin Li auto executor = std::make_unique<Executor>(path, args);
49*ec63e07aSXin Li Comms comms(executor->ipc()->ReceiveFd(fd, "ipc_test"));
50*ec63e07aSXin Li
51*ec63e07aSXin Li SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
52*ec63e07aSXin Li CreateDefaultPermissiveTestPolicy(path).TryBuild());
53*ec63e07aSXin Li
54*ec63e07aSXin Li Sandbox2 s2(std::move(executor), std::move(policy));
55*ec63e07aSXin Li s2.RunAsync();
56*ec63e07aSXin Li
57*ec63e07aSXin Li ASSERT_TRUE(comms.SendString("hello"));
58*ec63e07aSXin Li std::string resp;
59*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->RecvString(&resp));
60*ec63e07aSXin Li ASSERT_EQ(resp, "start");
61*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->SendString("started"));
62*ec63e07aSXin Li ASSERT_TRUE(comms.RecvString(&resp));
63*ec63e07aSXin Li ASSERT_EQ(resp, "world");
64*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->RecvString(&resp));
65*ec63e07aSXin Li ASSERT_EQ(resp, "finish");
66*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->SendString("finished"));
67*ec63e07aSXin Li
68*ec63e07aSXin Li auto result = s2.AwaitResult();
69*ec63e07aSXin Li
70*ec63e07aSXin Li ASSERT_EQ(result.final_status(), Result::OK);
71*ec63e07aSXin Li ASSERT_EQ(result.reason_code(), 0);
72*ec63e07aSXin Li }
73*ec63e07aSXin Li
74*ec63e07aSXin Li // This test verifies that mapping fds by name works if SandboxMeHere() is
75*ec63e07aSXin Li // called by the sandboxee.
TEST_P(IPCTest,MapFDByNamePostExecve)76*ec63e07aSXin Li TEST_P(IPCTest, MapFDByNamePostExecve) {
77*ec63e07aSXin Li const int fd = GetParam();
78*ec63e07aSXin Li const std::string path = GetTestSourcePath("sandbox2/testcases/ipc");
79*ec63e07aSXin Li std::vector<std::string> args = {path, "2", std::to_string(fd)};
80*ec63e07aSXin Li auto executor = std::make_unique<Executor>(path, args);
81*ec63e07aSXin Li executor->set_enable_sandbox_before_exec(false);
82*ec63e07aSXin Li Comms comms(executor->ipc()->ReceiveFd(fd, "ipc_test"));
83*ec63e07aSXin Li
84*ec63e07aSXin Li SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
85*ec63e07aSXin Li CreateDefaultPermissiveTestPolicy(path).TryBuild());
86*ec63e07aSXin Li
87*ec63e07aSXin Li Sandbox2 s2(std::move(executor), std::move(policy));
88*ec63e07aSXin Li s2.RunAsync();
89*ec63e07aSXin Li
90*ec63e07aSXin Li ASSERT_TRUE(comms.SendString("hello"));
91*ec63e07aSXin Li std::string resp;
92*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->RecvString(&resp));
93*ec63e07aSXin Li ASSERT_EQ(resp, "start");
94*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->SendString("started"));
95*ec63e07aSXin Li ASSERT_TRUE(comms.RecvString(&resp));
96*ec63e07aSXin Li ASSERT_EQ(resp, "world");
97*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->RecvString(&resp));
98*ec63e07aSXin Li ASSERT_EQ(resp, "finish");
99*ec63e07aSXin Li ASSERT_TRUE(s2.comms()->SendString("finished"));
100*ec63e07aSXin Li
101*ec63e07aSXin Li auto result = s2.AwaitResult();
102*ec63e07aSXin Li
103*ec63e07aSXin Li ASSERT_EQ(result.final_status(), Result::OK);
104*ec63e07aSXin Li ASSERT_EQ(result.reason_code(), 0);
105*ec63e07aSXin Li }
106*ec63e07aSXin Li
TEST(IPCTest,NoMappedFDsPreExecve)107*ec63e07aSXin Li TEST(IPCTest, NoMappedFDsPreExecve) {
108*ec63e07aSXin Li const std::string path = GetTestSourcePath("sandbox2/testcases/ipc");
109*ec63e07aSXin Li std::vector<std::string> args = {path, "3"};
110*ec63e07aSXin Li auto executor = std::make_unique<Executor>(path, args);
111*ec63e07aSXin Li
112*ec63e07aSXin Li SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
113*ec63e07aSXin Li CreateDefaultPermissiveTestPolicy(path).TryBuild());
114*ec63e07aSXin Li
115*ec63e07aSXin Li Sandbox2 s2(std::move(executor), std::move(policy));
116*ec63e07aSXin Li auto result = s2.Run();
117*ec63e07aSXin Li
118*ec63e07aSXin Li ASSERT_EQ(result.final_status(), Result::OK);
119*ec63e07aSXin Li ASSERT_EQ(result.reason_code(), 0);
120*ec63e07aSXin Li }
121*ec63e07aSXin Li
122*ec63e07aSXin Li INSTANTIATE_TEST_SUITE_P(NormalFds, IPCTest, testing::Values(kPreferredIpcFd));
123*ec63e07aSXin Li
124*ec63e07aSXin Li INSTANTIATE_TEST_SUITE_P(RestrictedFds, IPCTest,
125*ec63e07aSXin Li testing::Values(Comms::kSandbox2ClientCommsFD,
126*ec63e07aSXin Li Comms::kSandbox2TargetExecFD));
127*ec63e07aSXin Li
128*ec63e07aSXin Li } // namespace
129*ec63e07aSXin Li } // namespace sandbox2
130