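// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <string>

#include "base/environment.h"
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
#include "base/strings/string_number_conversions.h"
#include "testing/gtest/include/gtest/gtest.h"

#include "sandbox/linux/suid/common/sandbox.h"
#include "setuid_sandbox_client.h"

namespace sandbox {

namespace {

// Remembers the state of one environment variable at construction and puts it
// back (same value, or unset again) at destruction.
//
// These tests rewrite loader- and sandbox-related variables of the test
// process itself. Restoring them from a destructor means the clean-up also
// runs when a fatal ASSERT_* leaves the test body early, so a forged value
// cannot leak into whichever test runs next in the same process.
//
// |env| is not owned and must outlive this object: declare restorers after
// the scoped_ptr that owns the environment.
class ScopedEnvVarRestorer {
 public:
  ScopedEnvVarRestorer(base::Environment* env, const char* name)
      : env_(env), name_(name), had_value_(false) {
    had_value_ = env_->GetVar(name_.c_str(), &saved_value_);
  }

  ~ScopedEnvVarRestorer() {
    if (had_value_) {
      EXPECT_TRUE(env_->SetVar(name_.c_str(), saved_value_));
    } else {
      EXPECT_TRUE(env_->UnSetVar(name_.c_str()));
    }
  }

 private:
  // Not copyable: two copies would both try to restore the same variable.
  ScopedEnvVarRestorer(const ScopedEnvVarRestorer&);
  void operator=(const ScopedEnvVarRestorer&);

  base::Environment* env_;
  std::string name_;
  std::string saved_value_;
  bool had_value_;
};

}  // namespace

// Checks what SetupLaunchEnvironment() writes into the environment before the
// setuid helper is launched: the requested API number, and a copy of
// LD_PRELOAD under SANDBOX_LD_PRELOAD.
// NOTE(review): the copy presumably exists because the dynamic loader drops
// LD_PRELOAD when it starts a setuid binary, so the helper needs another way
// to hand the value on to the sandboxed child -- confirm against the helper.
TEST(SetuidSandboxClient, SetupLaunchEnvironment) {
  const char kTestValue[] = "This is a test";
  scoped_ptr<base::Environment> env(base::Environment::Create());
  // Fatal: every statement below dereferences |env|.
  ASSERT_TRUE(env != NULL);

  // Back up everything this test touches, starting with the real LD_PRELOAD.
  // If LD_PRELOAD were left set to the test value it would affect the next
  // running tests.
  ScopedEnvVarRestorer restore_ld_preload(env.get(), "LD_PRELOAD");
  ScopedEnvVarRestorer restore_ld_origin_path(env.get(), "LD_ORIGIN_PATH");
  ScopedEnvVarRestorer restore_saved_preload(env.get(), "SANDBOX_LD_PRELOAD");
  ScopedEnvVarRestorer restore_api_request(env.get(),
                                           kSandboxEnvironmentApiRequest);
  ScopedEnvVarRestorer restore_api_provides(env.get(),
                                            kSandboxEnvironmentApiProvides);

  // Setup environment variables to save or not save.
  EXPECT_TRUE(env->SetVar("LD_PRELOAD", kTestValue));
  EXPECT_TRUE(env->UnSetVar("LD_ORIGIN_PATH"));

  scoped_ptr<SetuidSandboxClient>
      sandbox_client(SetuidSandboxClient::Create());
  // Fatal for the same reason as above; the restorers still run on this exit.
  ASSERT_TRUE(sandbox_client != NULL);

  // Make sure the environment is clean.
  EXPECT_TRUE(env->UnSetVar(kSandboxEnvironmentApiRequest));
  EXPECT_TRUE(env->UnSetVar(kSandboxEnvironmentApiProvides));

  sandbox_client->SetupLaunchEnvironment();

  // Check if the requested API environment was set.
  std::string api_request;
  EXPECT_TRUE(env->GetVar(kSandboxEnvironmentApiRequest, &api_request));
  // Initialized so the comparison below never reads an indeterminate value
  // when the conversion fails.
  int api_request_num = 0;
  EXPECT_TRUE(base::StringToInt(api_request, &api_request_num));
  EXPECT_EQ(api_request_num, kSUIDSandboxApiNumber);

  // Now check if LD_PRELOAD was saved to SANDBOX_LD_PRELOAD.
  std::string sandbox_ld_preload;
  EXPECT_TRUE(env->GetVar("SANDBOX_LD_PRELOAD", &sandbox_ld_preload));
  EXPECT_EQ(sandbox_ld_preload, kTestValue);

  // Check that LD_ORIGIN_PATH, which was unset above, was not saved.
  EXPECT_FALSE(env->HasVar("SANDBOX_LD_ORIGIN_PATH"));
}

// Drives the child-side queries with a hand-built environment instead of a
// real trip through the setuid helper.
// NOTE(review): as far as this test shows, the Is*() queries below are
// answered from environment variables alone; they report what the launcher
// claimed, not a property verified against the kernel.
TEST(SetuidSandboxClient, SandboxedClientAPI) {
  scoped_ptr<base::Environment> env(base::Environment::Create());
  // Fatal: every statement below dereferences |env|.
  ASSERT_TRUE(env != NULL);

  // The forged "we are inside the sandbox" variables must not outlive this
  // test.
  ScopedEnvVarRestorer restore_api_provides(env.get(),
                                            kSandboxEnvironmentApiProvides);
  ScopedEnvVarRestorer restore_descriptor(
      env.get(), kSandboxDescriptorEnvironmentVarName);
  ScopedEnvVarRestorer restore_pidns(env.get(),
                                     kSandboxPIDNSEnvironmentVarName);
  ScopedEnvVarRestorer restore_netns(env.get(),
                                     kSandboxNETNSEnvironmentVarName);

  scoped_ptr<SetuidSandboxClient>
      sandbox_client(SetuidSandboxClient::Create());
  ASSERT_TRUE(sandbox_client != NULL);

  // Set-up a fake environment as if we went through the setuid sandbox.
  EXPECT_TRUE(env->SetVar(kSandboxEnvironmentApiProvides,
                          base::IntToString(kSUIDSandboxApiNumber)));
  EXPECT_TRUE(env->SetVar(kSandboxDescriptorEnvironmentVarName, "1"));
  EXPECT_TRUE(env->SetVar(kSandboxPIDNSEnvironmentVarName, "1"));
  EXPECT_TRUE(env->UnSetVar(kSandboxNETNSEnvironmentVarName));

  // Check the API.
  EXPECT_TRUE(sandbox_client->IsSuidSandboxUpToDate());
  EXPECT_TRUE(sandbox_client->IsSuidSandboxChild());
  EXPECT_TRUE(sandbox_client->IsInNewPIDNamespace());
  EXPECT_FALSE(sandbox_client->IsInNewNETNamespace());

  // Forge an incorrect API version and check that a mismatch is reported as
  // "not up to date".
  EXPECT_TRUE(env->SetVar(kSandboxEnvironmentApiProvides,
                          base::IntToString(kSUIDSandboxApiNumber + 1)));
  EXPECT_FALSE(sandbox_client->IsSuidSandboxUpToDate());
  // We didn't go through the actual sandboxing mechanism as it is
  // very hard in a unit test.
  EXPECT_FALSE(sandbox_client->IsSandboxed());
}

}  // namespace sandbox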