| blob | 1eaf4c99fff6a7e10769982bd6e6a4050751783a |
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/mac/bootstrap_sandbox.h"
7 #include <CoreFoundation/CoreFoundation.h>
8 #import <Foundation/Foundation.h>
9 #include <mach/mach.h>
10 #include <servers/bootstrap.h>
12 #include "base/logging.h"
13 #include "base/mac/mac_util.h"
14 #include "base/mac/mach_logging.h"
15 #include "base/mac/scoped_mach_port.h"
16 #include "base/mac/scoped_nsobject.h"
17 #include "base/process/kill.h"
18 #include "base/strings/stringprintf.h"
19 #include "base/test/multiprocess_test.h"
20 #include "base/test/test_timeouts.h"
21 #include "sandbox/mac/xpc.h"
22 #import "testing/gtest_mac.h"
23 #include "testing/multiprocess_func_list.h"
25 NSString* const kTestNotification = @"org.chromium.bootstrap_sandbox_test";
27 @interface DistributedNotificationObserver : NSObject {
28 @private
29 int receivedCount_;
30 base::scoped_nsobject<NSString> object_;
31 }
32 - (int)receivedCount;
33 - (NSString*)object;
34 - (void)waitForNotification;
35 @end
37 @implementation DistributedNotificationObserver
38 - (id)init {
39 if ((self = [super init])) {
40 [[NSDistributedNotificationCenter defaultCenter]
41 addObserver:self
42 selector:@selector(observeNotification:)
43 name:kTestNotification
44 object:nil];
45 }
46 return self;
47 }
49 - (void)dealloc {
50 [[NSDistributedNotificationCenter defaultCenter]
51 removeObserver:self
52 name:kTestNotification
53 object:nil];
54 [super dealloc];
55 }
57 - (int)receivedCount {
58 return receivedCount_;
59 }
61 - (NSString*)object {
62 return object_.get();
63 }
65 - (void)waitForNotification {
66 object_.reset();
67 CFRunLoopRunInMode(kCFRunLoopDefaultMode,
68 TestTimeouts::action_timeout().InSeconds(), false);
69 }
71 - (void)observeNotification:(NSNotification*)notification {
72 ++receivedCount_;
73 object_.reset([[notification object] copy]);
74 CFRunLoopStop(CFRunLoopGetCurrent());
75 }
76 @end
78 ////////////////////////////////////////////////////////////////////////////////
80 namespace sandbox {
82 void InitializeXPCIfRequired() {
83 if (base::mac::IsOSYosemiteOrLater())
84 CHECK(InitializeXPC());
85 }
87 class BootstrapSandboxTest : public base::MultiProcessTest {
88 public:
89 void SetUp() override {
90 base::MultiProcessTest::SetUp();
92 sandbox_ = BootstrapSandbox::Create();
93 ASSERT_TRUE(sandbox_.get());
94 }
96 BootstrapSandboxPolicy BaselinePolicy() {
97 BootstrapSandboxPolicy policy;
98 policy.rules["com.apple.cfprefsd.daemon"] = Rule(POLICY_ALLOW);
99 if (base::mac::IsOSSnowLeopard())
100 policy.rules["com.apple.SecurityServer"] = Rule(POLICY_ALLOW);
101 return policy;
102 }
104 void RunChildWithPolicy(int policy_id,
105 const char* child_name,
106 base::ProcessHandle* out_pid) {
107 sandbox_->PrepareToForkWithPolicy(policy_id);
108 base::LaunchOptions options;
109 options.replacement_bootstrap_name = sandbox_->server_bootstrap_name();
110 base::Process process = SpawnChildWithOptions(child_name, options);
111 ASSERT_TRUE(process.IsValid());
112 sandbox_->FinishedFork(process.Handle());
113 int code = 0;
114 EXPECT_TRUE(process.WaitForExit(&code));
115 EXPECT_EQ(0, code);
116 if (out_pid)
117 *out_pid = process.Pid();
118 }
120 protected:
121 scoped_ptr<BootstrapSandbox> sandbox_;
122 };
124 const char kNotificationTestMain[] = "PostNotification";
126 // Run the test without the sandbox.
127 TEST_F(BootstrapSandboxTest, DistributedNotifications_Unsandboxed) {
128 base::scoped_nsobject<DistributedNotificationObserver> observer(
129 [[DistributedNotificationObserver alloc] init]);
131 base::Process process = SpawnChild(kNotificationTestMain);
132 ASSERT_TRUE(process.IsValid());
133 int code = 0;
134 EXPECT_TRUE(process.WaitForExit(&code));
135 EXPECT_EQ(0, code);
137 [observer waitForNotification];
138 EXPECT_EQ(1, [observer receivedCount]);
139 EXPECT_EQ(process.Pid(), [[observer object] intValue]);
140 }
142 // Run the test with the sandbox enabled without notifications on the policy
143 // whitelist.
144 TEST_F(BootstrapSandboxTest, DistributedNotifications_SandboxDeny) {
145 base::scoped_nsobject<DistributedNotificationObserver> observer(
146 [[DistributedNotificationObserver alloc] init]);
148 sandbox_->RegisterSandboxPolicy(1, BaselinePolicy());
149 RunChildWithPolicy(1, kNotificationTestMain, NULL);
151 [observer waitForNotification];
152 EXPECT_EQ(0, [observer receivedCount]);
153 EXPECT_EQ(nil, [observer object]);
154 }
156 // Run the test with notifications permitted.
157 TEST_F(BootstrapSandboxTest, DistributedNotifications_SandboxAllow) {
158 base::scoped_nsobject<DistributedNotificationObserver> observer(
159 [[DistributedNotificationObserver alloc] init]);
161 BootstrapSandboxPolicy policy(BaselinePolicy());
162 // 10.9:
163 policy.rules["com.apple.distributed_notifications@Uv3"] = Rule(POLICY_ALLOW);
164 policy.rules["com.apple.distributed_notifications@1v3"] = Rule(POLICY_ALLOW);
165 // 10.6:
166 policy.rules["com.apple.system.notification_center"] = Rule(POLICY_ALLOW);
167 policy.rules["com.apple.distributed_notifications.2"] = Rule(POLICY_ALLOW);
168 sandbox_->RegisterSandboxPolicy(2, policy);
170 base::ProcessHandle pid;
171 RunChildWithPolicy(2, kNotificationTestMain, &pid);
173 [observer waitForNotification];
174 EXPECT_EQ(1, [observer receivedCount]);
175 EXPECT_EQ(pid, [[observer object] intValue]);
176 }
178 MULTIPROCESS_TEST_MAIN(PostNotification) {
179 InitializeXPCIfRequired();
181 [[NSDistributedNotificationCenter defaultCenter]
182 postNotificationName:kTestNotification
183 object:[NSString stringWithFormat:@"%d", getpid()]];
184 return 0;
185 }
187 const char kTestServer[] = "org.chromium.test_bootstrap_server";
189 TEST_F(BootstrapSandboxTest, PolicyDenyError) {
190 BootstrapSandboxPolicy policy(BaselinePolicy());
191 policy.rules[kTestServer] = Rule(POLICY_DENY_ERROR);
192 sandbox_->RegisterSandboxPolicy(1, policy);
194 RunChildWithPolicy(1, "PolicyDenyError", NULL);
195 }
197 MULTIPROCESS_TEST_MAIN(PolicyDenyError) {
198 InitializeXPCIfRequired();
200 mach_port_t port = MACH_PORT_NULL;
201 kern_return_t kr = bootstrap_look_up(bootstrap_port, kTestServer,
202 &port);
203 CHECK_EQ(BOOTSTRAP_UNKNOWN_SERVICE, kr);
204 CHECK(port == MACH_PORT_NULL);
206 kr = bootstrap_look_up(bootstrap_port, "org.chromium.some_other_server",
207 &port);
208 CHECK_EQ(BOOTSTRAP_UNKNOWN_SERVICE, kr);
209 CHECK(port == MACH_PORT_NULL);
211 return 0;
212 }
214 TEST_F(BootstrapSandboxTest, PolicyDenyDummyPort) {
215 BootstrapSandboxPolicy policy(BaselinePolicy());
216 policy.rules[kTestServer] = Rule(POLICY_DENY_DUMMY_PORT);
217 sandbox_->RegisterSandboxPolicy(1, policy);
219 RunChildWithPolicy(1, "PolicyDenyDummyPort", NULL);
220 }
222 MULTIPROCESS_TEST_MAIN(PolicyDenyDummyPort) {
223 InitializeXPCIfRequired();
225 mach_port_t port = MACH_PORT_NULL;
226 kern_return_t kr = bootstrap_look_up(bootstrap_port, kTestServer,
227 &port);
228 CHECK_EQ(KERN_SUCCESS, kr);
229 CHECK(port != MACH_PORT_NULL);
230 return 0;
231 }
233 struct SubstitutePortAckSend {
234 mach_msg_header_t header;
235 char buf[32];
236 };
238 struct SubstitutePortAckRecv : public SubstitutePortAckSend {
239 mach_msg_trailer_t trailer;
240 };
242 const char kSubstituteAck[] = "Hello, this is doge!";
244 TEST_F(BootstrapSandboxTest, PolicySubstitutePort) {
245 mach_port_t task = mach_task_self();
247 mach_port_t port;
248 ASSERT_EQ(KERN_SUCCESS, mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE,
249 &port));
250 base::mac::ScopedMachReceiveRight scoped_port(port);
252 mach_port_urefs_t send_rights = 0;
253 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
254 &send_rights));
255 EXPECT_EQ(0u, send_rights);
257 ASSERT_EQ(KERN_SUCCESS, mach_port_insert_right(task, port, port,
258 MACH_MSG_TYPE_MAKE_SEND));
259 base::mac::ScopedMachSendRight scoped_port_send(port);
261 send_rights = 0;
262 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
263 &send_rights));
264 EXPECT_EQ(1u, send_rights);
266 BootstrapSandboxPolicy policy(BaselinePolicy());
267 policy.rules[kTestServer] = Rule(port);
268 sandbox_->RegisterSandboxPolicy(1, policy);
270 RunChildWithPolicy(1, "PolicySubstitutePort", NULL);
272 struct SubstitutePortAckRecv msg;
273 bzero(&msg, sizeof(msg));
274 msg.header.msgh_size = sizeof(msg);
275 msg.header.msgh_local_port = port;
276 kern_return_t kr = mach_msg(&msg.header, MACH_RCV_MSG, 0,
277 msg.header.msgh_size, port,
278 TestTimeouts::tiny_timeout().InMilliseconds(), MACH_PORT_NULL);
279 EXPECT_EQ(KERN_SUCCESS, kr);
281 send_rights = 0;
282 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
283 &send_rights));
284 EXPECT_EQ(1u, send_rights);
286 EXPECT_EQ(0, strncmp(kSubstituteAck, msg.buf, sizeof(msg.buf)));
287 }
289 MULTIPROCESS_TEST_MAIN(PolicySubstitutePort) {
290 InitializeXPCIfRequired();
292 mach_port_t port = MACH_PORT_NULL;
293 kern_return_t kr = bootstrap_look_up(bootstrap_port, kTestServer, &port);
294 CHECK_EQ(KERN_SUCCESS, kr);
295 CHECK(port != MACH_PORT_NULL);
297 struct SubstitutePortAckSend msg;
298 bzero(&msg, sizeof(msg));
299 msg.header.msgh_size = sizeof(msg);
300 msg.header.msgh_remote_port = port;
301 msg.header.msgh_bits = MACH_MSGH_BITS_REMOTE(MACH_MSG_TYPE_MOVE_SEND);
302 strncpy(msg.buf, kSubstituteAck, sizeof(msg.buf));
304 CHECK_EQ(KERN_SUCCESS, mach_msg_send(&msg.header));
306 return 0;
307 }
309 TEST_F(BootstrapSandboxTest, ForwardMessageInProcess) {
310 mach_port_t task = mach_task_self();
312 mach_port_t port;
313 ASSERT_EQ(KERN_SUCCESS, mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE,
314 &port));
315 base::mac::ScopedMachReceiveRight scoped_port_recv(port);
317 mach_port_urefs_t send_rights = 0;
318 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
319 &send_rights));
320 EXPECT_EQ(0u, send_rights);
322 ASSERT_EQ(KERN_SUCCESS, mach_port_insert_right(task, port, port,
323 MACH_MSG_TYPE_MAKE_SEND));
324 base::mac::ScopedMachSendRight scoped_port_send(port);
326 send_rights = 0;
327 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
328 &send_rights));
329 EXPECT_EQ(1u, send_rights);
331 mach_port_t bp;
332 ASSERT_EQ(KERN_SUCCESS, task_get_bootstrap_port(task, &bp));
333 base::mac::ScopedMachSendRight scoped_bp(bp);
335 char service_name[] = "org.chromium.sandbox.test.ForwardMessageInProcess";
336 #pragma GCC diagnostic push
337 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
338 kern_return_t kr = bootstrap_register(bp, service_name, port);
339 #pragma GCC diagnostic pop
340 EXPECT_EQ(KERN_SUCCESS, kr);
342 send_rights = 0;
343 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
344 &send_rights));
345 EXPECT_EQ(1u, send_rights);
347 mach_port_t service_port;
348 EXPECT_EQ(KERN_SUCCESS, bootstrap_look_up(bp, service_name, &service_port));
349 base::mac::ScopedMachSendRight scoped_service_port(service_port);
351 send_rights = 0;
352 ASSERT_EQ(KERN_SUCCESS, mach_port_get_refs(task, port, MACH_PORT_RIGHT_SEND,
353 &send_rights));
354 // On 10.6, bootstrap_lookup2 may add an extra right to place it in a per-
355 // process cache.
356 if (base::mac::IsOSSnowLeopard())
357 EXPECT_TRUE(send_rights == 3u || send_rights == 2u) << send_rights;
358 else
359 EXPECT_EQ(2u, send_rights);
360 }
362 const char kDefaultRuleTestAllow[] =
363 "org.chromium.sandbox.test.DefaultRuleAllow";
364 const char kDefaultRuleTestDeny[] =
365 "org.chromium.sandbox.test.DefaultRuleAllow.Deny";
367 TEST_F(BootstrapSandboxTest, DefaultRuleAllow) {
368 mach_port_t task = mach_task_self();
370 mach_port_t port;
371 ASSERT_EQ(KERN_SUCCESS, mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE,
372 &port));
373 base::mac::ScopedMachReceiveRight scoped_port_recv(port);
375 ASSERT_EQ(KERN_SUCCESS, mach_port_insert_right(task, port, port,
376 MACH_MSG_TYPE_MAKE_SEND));
377 base::mac::ScopedMachSendRight scoped_port_send(port);
379 BootstrapSandboxPolicy policy;
380 policy.default_rule = Rule(POLICY_ALLOW);
381 policy.rules[kDefaultRuleTestAllow] = Rule(port);
382 policy.rules[kDefaultRuleTestDeny] = Rule(POLICY_DENY_ERROR);
383 sandbox_->RegisterSandboxPolicy(3, policy);
385 base::scoped_nsobject<DistributedNotificationObserver> observer(
386 [[DistributedNotificationObserver alloc] init]);
388 int pid = 0;
389 RunChildWithPolicy(3, "DefaultRuleAllow", &pid);
390 EXPECT_GT(pid, 0);
392 [observer waitForNotification];
393 EXPECT_EQ(1, [observer receivedCount]);
394 EXPECT_EQ(pid, [[observer object] intValue]);
396 struct SubstitutePortAckRecv msg;
397 bzero(&msg, sizeof(msg));
398 msg.header.msgh_size = sizeof(msg);
399 msg.header.msgh_local_port = port;
400 kern_return_t kr = mach_msg(&msg.header, MACH_RCV_MSG, 0,
401 msg.header.msgh_size, port,
402 TestTimeouts::tiny_timeout().InMilliseconds(), MACH_PORT_NULL);
403 EXPECT_EQ(KERN_SUCCESS, kr);
405 EXPECT_EQ(0, strncmp(kSubstituteAck, msg.buf, sizeof(msg.buf)));
406 }
408 MULTIPROCESS_TEST_MAIN(DefaultRuleAllow) {
409 InitializeXPCIfRequired();
411 [[NSDistributedNotificationCenter defaultCenter]
412 postNotificationName:kTestNotification
413 object:[NSString stringWithFormat:@"%d", getpid()]];
415 mach_port_t port = MACH_PORT_NULL;
416 CHECK_EQ(BOOTSTRAP_UNKNOWN_SERVICE, bootstrap_look_up(bootstrap_port,
417 const_cast<char*>(kDefaultRuleTestDeny), &port));
418 CHECK(port == MACH_PORT_NULL);
420 CHECK_EQ(KERN_SUCCESS, bootstrap_look_up(bootstrap_port,
421 const_cast<char*>(kDefaultRuleTestAllow), &port));
422 CHECK(port != MACH_PORT_NULL);
424 struct SubstitutePortAckSend msg;
425 bzero(&msg, sizeof(msg));
426 msg.header.msgh_size = sizeof(msg);
427 msg.header.msgh_remote_port = port;
428 msg.header.msgh_bits = MACH_MSGH_BITS_REMOTE(MACH_MSG_TYPE_MOVE_SEND);
429 strncpy(msg.buf, kSubstituteAck, sizeof(msg.buf));
431 CHECK_EQ(KERN_SUCCESS, mach_msg_send(&msg.header));
433 return 0;
434 }
436 TEST_F(BootstrapSandboxTest, ChildOutliveSandbox) {
437 const int kTestPolicyId = 1;
438 mach_port_t task = mach_task_self();
440 // Create a server port.
441 mach_port_t port;
442 ASSERT_EQ(KERN_SUCCESS, mach_port_allocate(task, MACH_PORT_RIGHT_RECEIVE,
443 &port));
444 base::mac::ScopedMachReceiveRight scoped_port_recv(port);
446 ASSERT_EQ(KERN_SUCCESS, mach_port_insert_right(task, port, port,
447 MACH_MSG_TYPE_MAKE_SEND));
448 base::mac::ScopedMachSendRight scoped_port_send(port);
450 // Set up the policy and register the port.
451 BootstrapSandboxPolicy policy(BaselinePolicy());
452 policy.rules["sync"] = Rule(port);
453 sandbox_->RegisterSandboxPolicy(kTestPolicyId, policy);
455 // Launch the child.
456 sandbox_->PrepareToForkWithPolicy(kTestPolicyId);
457 base::LaunchOptions options;
458 options.replacement_bootstrap_name = sandbox_->server_bootstrap_name();
459 base::Process process = SpawnChildWithOptions("ChildOutliveSandbox", options);
460 ASSERT_TRUE(process.IsValid());
461 sandbox_->FinishedFork(process.Handle());
463 // Synchronize with the child.
464 mach_msg_empty_rcv_t rcv_msg;
465 bzero(&rcv_msg, sizeof(rcv_msg));
466 kern_return_t kr = mach_msg(&rcv_msg.header, MACH_RCV_MSG, 0,
467 sizeof(rcv_msg), port,
468 TestTimeouts::tiny_timeout().InMilliseconds(), MACH_PORT_NULL);
469 ASSERT_EQ(KERN_SUCCESS, kr) << mach_error_string(kr);
471 // Destroy the sandbox.
472 sandbox_.reset();
474 // Synchronize again with the child.
475 mach_msg_empty_send_t send_msg;
476 bzero(&send_msg, sizeof(send_msg));
477 send_msg.header.msgh_size = sizeof(send_msg);
478 send_msg.header.msgh_remote_port = rcv_msg.header.msgh_remote_port;
479 send_msg.header.msgh_bits =
480 MACH_MSGH_BITS_REMOTE(MACH_MSG_TYPE_MOVE_SEND_ONCE);
481 kr = mach_msg(&send_msg.header, MACH_SEND_MSG, send_msg.header.msgh_size, 0,
482 MACH_PORT_NULL, TestTimeouts::tiny_timeout().InMilliseconds(),
483 MACH_PORT_NULL);
484 EXPECT_EQ(KERN_SUCCESS, kr) << mach_error_string(kr);
486 int code = 0;
487 EXPECT_TRUE(process.WaitForExit(&code));
488 EXPECT_EQ(0, code);
489 }
491 MULTIPROCESS_TEST_MAIN(ChildOutliveSandbox) {
492 InitializeXPCIfRequired();
494 // Get the synchronization channel.
495 mach_port_t port = MACH_PORT_NULL;
496 CHECK_EQ(KERN_SUCCESS, bootstrap_look_up(bootstrap_port, "sync", &port));
498 // Create a reply port.
499 mach_port_t reply_port;
500 CHECK_EQ(KERN_SUCCESS, mach_port_allocate(mach_task_self(),
501 MACH_PORT_RIGHT_RECEIVE, &reply_port));
502 base::mac::ScopedMachReceiveRight scoped_reply_port(reply_port);
504 // Send a message to shutdown the sandbox.
505 mach_msg_empty_send_t send_msg;
506 bzero(&send_msg, sizeof(send_msg));
507 send_msg.header.msgh_size = sizeof(send_msg);
508 send_msg.header.msgh_local_port = reply_port;
509 send_msg.header.msgh_remote_port = port;
510 send_msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND,
511 MACH_MSG_TYPE_MAKE_SEND_ONCE);
512 kern_return_t kr = mach_msg_send(&send_msg.header);
513 MACH_CHECK(kr == KERN_SUCCESS, kr) << "mach_msg_send";
515 // Flood the server's message queue with messages. There should be some
516 // pending when the sandbox is destroyed.
517 for (int i = 0; i < 20; ++i) {
518 mach_port_t tmp = MACH_PORT_NULL;
519 std::string name = base::StringPrintf("test.%d", i);
520 bootstrap_look_up(bootstrap_port, const_cast<char*>(name.c_str()), &tmp);
521 }
523 // Ack that the sandbox has been shutdown.
524 mach_msg_empty_rcv_t rcv_msg;
525 bzero(&rcv_msg, sizeof(rcv_msg));
526 rcv_msg.header.msgh_size = sizeof(rcv_msg);
527 rcv_msg.header.msgh_local_port = reply_port;
528 kr = mach_msg_receive(&rcv_msg.header);
529 MACH_CHECK(kr == KERN_SUCCESS, kr) << "mach_msg_receive";
531 // Try to message the sandbox.
532 bootstrap_look_up(bootstrap_port, "test", &port);
534 return 0;
535 }
537 } // namespace sandbox