sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
   6
   7 #include <fcntl.h>
   8 #include <unistd.h>
   9
  10 #include <iostream>
  11
  12 #include "base/files/scoped_file.h"
  13 #include "base/posix/eintr_wrapper.h"
  14 #include "sandbox/linux/tests/unit_tests.h"
  15 #include "testing/gtest/include/gtest/gtest.h"
  16
  17 namespace sandbox {
  18 namespace {
  19
  20 // NOTE: most tests for the SandboxBPF class are currently in
  21 // integration_tests/.
  22
  23 TEST(SandboxBPF, CreateDestroy) {
  24   // Give an opportunity to dynamic tools to perform some simple testing.
  25   SandboxBPF sandbox(nullptr);
  26   SandboxBPF* sandbox_ptr = new SandboxBPF(nullptr);
  27   delete sandbox_ptr;
  28 }
  29
  30 // This test should execute no matter whether we have kernel support. So,
  31 // we make it a TEST() instead of a BPF_TEST().
  32 TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupports)) {
  33   // We check that we don't crash, but it's ok if the kernel doesn't
  34   // support it.
  35   bool seccomp_bpf_supported = SandboxBPF::SupportsSeccompSandbox(
  36       SandboxBPF::SeccompLevel::SINGLE_THREADED);
  37   bool seccomp_bpf_tsync_supported = SandboxBPF::SupportsSeccompSandbox(
  38       SandboxBPF::SeccompLevel::MULTI_THREADED);
  39   // We want to log whether or not seccomp BPF is actually supported
  40   // since actual test coverage depends on it.
  41   std::cout << "Seccomp BPF supported (single thread): "
  42             << (seccomp_bpf_supported ? "true." : "false.") << "\n";
  43   std::cout << "Seccomp BPF supported (multi thread): "
  44             << (seccomp_bpf_tsync_supported ? "true." : "false.") << "\n";
  45   std::cout << "Pointer size: " << sizeof(void*) << "\n";
  46 }
  47
  48 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(CallSupportsTwice)) {
  49   bool single1 = SandboxBPF::SupportsSeccompSandbox(
  50       SandboxBPF::SeccompLevel::SINGLE_THREADED);
  51   bool single2 = SandboxBPF::SupportsSeccompSandbox(
  52       SandboxBPF::SeccompLevel::SINGLE_THREADED);
  53   ASSERT_EQ(single1, single2);
  54   bool multi1 = SandboxBPF::SupportsSeccompSandbox(
  55       SandboxBPF::SeccompLevel::MULTI_THREADED);
  56   bool multi2 = SandboxBPF::SupportsSeccompSandbox(
  57       SandboxBPF::SeccompLevel::MULTI_THREADED);
  58   ASSERT_EQ(multi1, multi2);
  59
  60   // Multi threaded support implies single threaded support.
  61   if (multi1) {
  62     ASSERT_TRUE(single1);
  63   }
  64 }
  65
  66 TEST(SandboxBPF, ProcTaskFdDescriptorGetsClosed) {
  67   int pipe_fds[2];
  68   ASSERT_EQ(0, pipe(pipe_fds));
  69   base::ScopedFD read_end(pipe_fds[0]);
  70   base::ScopedFD write_end(pipe_fds[1]);
  71
  72   {
  73     SandboxBPF sandbox(nullptr);
  74     sandbox.SetProcFd(write_end.Pass());
  75   }
  76
  77   ASSERT_EQ(0, fcntl(read_end.get(), F_SETFL, O_NONBLOCK));
  78   char c;
  79   // Check that the sandbox closed the write_end (read will EOF instead of
  80   // returning EWOULDBLOCK).
  81   ASSERT_EQ(0, read(read_end.get(), &c, 1));
  82 }
  83
  84 }  // namespace
  85 }  // sandbox