1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/syscall_broker/broker_process.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <poll.h>
10 #include <stddef.h>
11 #include <sys/resource.h>
12 #include <sys/stat.h>
13 #include <sys/types.h>
14 #include <sys/wait.h>
15 #include <unistd.h>
16
17 #include <algorithm>
18 #include <string>
19 #include <vector>
20
21 #include "base/bind.h"
22 #include "base/files/file_util.h"
23 #include "base/files/scoped_file.h"
24 #include "base/logging.h"
25 #include "base/macros.h"
26 #include "base/memory/scoped_ptr.h"
27 #include "base/posix/eintr_wrapper.h"
28 #include "base/posix/unix_domain_socket_linux.h"
29 #include "sandbox/linux/syscall_broker/broker_client.h"
30 #include "sandbox/linux/tests/scoped_temporary_file.h"
31 #include "sandbox/linux/tests/test_utils.h"
32 #include "sandbox/linux/tests/unit_tests.h"
33 #include "testing/gtest/include/gtest/gtest.h"
34
35 namespace sandbox {
36
37 namespace syscall_broker {
38
39 class BrokerProcessTestHelper {
40 public:
CloseChannel(BrokerProcess * broker)41 static void CloseChannel(BrokerProcess* broker) { broker->CloseChannel(); }
42 // Get the client's IPC descriptor to send IPC requests directly.
43 // TODO(jln): refator tests to get rid of this.
GetIPCDescriptor(const BrokerProcess * broker)44 static int GetIPCDescriptor(const BrokerProcess* broker) {
45 return broker->broker_client_->GetIPCDescriptor();
46 }
47 };
48
49 namespace {
50
NoOpCallback()51 bool NoOpCallback() {
52 return true;
53 }
54
55 } // namespace
56
TEST(BrokerProcess,CreateAndDestroy)57 TEST(BrokerProcess, CreateAndDestroy) {
58 std::vector<BrokerFilePermission> permissions;
59 permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
60
61 scoped_ptr<BrokerProcess> open_broker(new BrokerProcess(EPERM, permissions));
62 ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
63
64 ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
65 // Destroy the broker and check it has exited properly.
66 open_broker.reset();
67 ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
68 }
69
TEST(BrokerProcess,TestOpenAccessNull)70 TEST(BrokerProcess, TestOpenAccessNull) {
71 std::vector<BrokerFilePermission> empty;
72 BrokerProcess open_broker(EPERM, empty);
73 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
74
75 int fd = open_broker.Open(NULL, O_RDONLY);
76 ASSERT_EQ(fd, -EFAULT);
77
78 int ret = open_broker.Access(NULL, F_OK);
79 ASSERT_EQ(ret, -EFAULT);
80 }
81
TestOpenFilePerms(bool fast_check_in_client,int denied_errno)82 void TestOpenFilePerms(bool fast_check_in_client, int denied_errno) {
83 const char kR_WhiteListed[] = "/proc/DOESNOTEXIST1";
84 // We can't debug the init process, and shouldn't be able to access
85 // its auxv file.
86 const char kR_WhiteListedButDenied[] = "/proc/1/auxv";
87 const char kW_WhiteListed[] = "/proc/DOESNOTEXIST2";
88 const char kRW_WhiteListed[] = "/proc/DOESNOTEXIST3";
89 const char k_NotWhitelisted[] = "/proc/DOESNOTEXIST4";
90
91 std::vector<BrokerFilePermission> permissions;
92 permissions.push_back(BrokerFilePermission::ReadOnly(kR_WhiteListed));
93 permissions.push_back(
94 BrokerFilePermission::ReadOnly(kR_WhiteListedButDenied));
95 permissions.push_back(BrokerFilePermission::WriteOnly(kW_WhiteListed));
96 permissions.push_back(BrokerFilePermission::ReadWrite(kRW_WhiteListed));
97
98 BrokerProcess open_broker(denied_errno, permissions, fast_check_in_client);
99 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
100
101 int fd = -1;
102 fd = open_broker.Open(kR_WhiteListed, O_RDONLY);
103 ASSERT_EQ(fd, -ENOENT);
104 fd = open_broker.Open(kR_WhiteListed, O_WRONLY);
105 ASSERT_EQ(fd, -denied_errno);
106 fd = open_broker.Open(kR_WhiteListed, O_RDWR);
107 ASSERT_EQ(fd, -denied_errno);
108 int ret = -1;
109 ret = open_broker.Access(kR_WhiteListed, F_OK);
110 ASSERT_EQ(ret, -ENOENT);
111 ret = open_broker.Access(kR_WhiteListed, R_OK);
112 ASSERT_EQ(ret, -ENOENT);
113 ret = open_broker.Access(kR_WhiteListed, W_OK);
114 ASSERT_EQ(ret, -denied_errno);
115 ret = open_broker.Access(kR_WhiteListed, R_OK | W_OK);
116 ASSERT_EQ(ret, -denied_errno);
117 ret = open_broker.Access(kR_WhiteListed, X_OK);
118 ASSERT_EQ(ret, -denied_errno);
119 ret = open_broker.Access(kR_WhiteListed, R_OK | X_OK);
120 ASSERT_EQ(ret, -denied_errno);
121
122 // Android sometimes runs tests as root.
123 // This part of the test requires a process that doesn't have
124 // CAP_DAC_OVERRIDE. We check against a root euid as a proxy for that.
125 if (geteuid()) {
126 fd = open_broker.Open(kR_WhiteListedButDenied, O_RDONLY);
127 // The broker process will allow this, but the normal permission system
128 // won't.
129 ASSERT_EQ(fd, -EACCES);
130 fd = open_broker.Open(kR_WhiteListedButDenied, O_WRONLY);
131 ASSERT_EQ(fd, -denied_errno);
132 fd = open_broker.Open(kR_WhiteListedButDenied, O_RDWR);
133 ASSERT_EQ(fd, -denied_errno);
134 ret = open_broker.Access(kR_WhiteListedButDenied, F_OK);
135 // The normal permission system will let us check that the file exists.
136 ASSERT_EQ(ret, 0);
137 ret = open_broker.Access(kR_WhiteListedButDenied, R_OK);
138 ASSERT_EQ(ret, -EACCES);
139 ret = open_broker.Access(kR_WhiteListedButDenied, W_OK);
140 ASSERT_EQ(ret, -denied_errno);
141 ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | W_OK);
142 ASSERT_EQ(ret, -denied_errno);
143 ret = open_broker.Access(kR_WhiteListedButDenied, X_OK);
144 ASSERT_EQ(ret, -denied_errno);
145 ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | X_OK);
146 ASSERT_EQ(ret, -denied_errno);
147 }
148
149 fd = open_broker.Open(kW_WhiteListed, O_RDONLY);
150 ASSERT_EQ(fd, -denied_errno);
151 fd = open_broker.Open(kW_WhiteListed, O_WRONLY);
152 ASSERT_EQ(fd, -ENOENT);
153 fd = open_broker.Open(kW_WhiteListed, O_RDWR);
154 ASSERT_EQ(fd, -denied_errno);
155 ret = open_broker.Access(kW_WhiteListed, F_OK);
156 ASSERT_EQ(ret, -ENOENT);
157 ret = open_broker.Access(kW_WhiteListed, R_OK);
158 ASSERT_EQ(ret, -denied_errno);
159 ret = open_broker.Access(kW_WhiteListed, W_OK);
160 ASSERT_EQ(ret, -ENOENT);
161 ret = open_broker.Access(kW_WhiteListed, R_OK | W_OK);
162 ASSERT_EQ(ret, -denied_errno);
163 ret = open_broker.Access(kW_WhiteListed, X_OK);
164 ASSERT_EQ(ret, -denied_errno);
165 ret = open_broker.Access(kW_WhiteListed, R_OK | X_OK);
166 ASSERT_EQ(ret, -denied_errno);
167
168 fd = open_broker.Open(kRW_WhiteListed, O_RDONLY);
169 ASSERT_EQ(fd, -ENOENT);
170 fd = open_broker.Open(kRW_WhiteListed, O_WRONLY);
171 ASSERT_EQ(fd, -ENOENT);
172 fd = open_broker.Open(kRW_WhiteListed, O_RDWR);
173 ASSERT_EQ(fd, -ENOENT);
174 ret = open_broker.Access(kRW_WhiteListed, F_OK);
175 ASSERT_EQ(ret, -ENOENT);
176 ret = open_broker.Access(kRW_WhiteListed, R_OK);
177 ASSERT_EQ(ret, -ENOENT);
178 ret = open_broker.Access(kRW_WhiteListed, W_OK);
179 ASSERT_EQ(ret, -ENOENT);
180 ret = open_broker.Access(kRW_WhiteListed, R_OK | W_OK);
181 ASSERT_EQ(ret, -ENOENT);
182 ret = open_broker.Access(kRW_WhiteListed, X_OK);
183 ASSERT_EQ(ret, -denied_errno);
184 ret = open_broker.Access(kRW_WhiteListed, R_OK | X_OK);
185 ASSERT_EQ(ret, -denied_errno);
186
187 fd = open_broker.Open(k_NotWhitelisted, O_RDONLY);
188 ASSERT_EQ(fd, -denied_errno);
189 fd = open_broker.Open(k_NotWhitelisted, O_WRONLY);
190 ASSERT_EQ(fd, -denied_errno);
191 fd = open_broker.Open(k_NotWhitelisted, O_RDWR);
192 ASSERT_EQ(fd, -denied_errno);
193 ret = open_broker.Access(k_NotWhitelisted, F_OK);
194 ASSERT_EQ(ret, -denied_errno);
195 ret = open_broker.Access(k_NotWhitelisted, R_OK);
196 ASSERT_EQ(ret, -denied_errno);
197 ret = open_broker.Access(k_NotWhitelisted, W_OK);
198 ASSERT_EQ(ret, -denied_errno);
199 ret = open_broker.Access(k_NotWhitelisted, R_OK | W_OK);
200 ASSERT_EQ(ret, -denied_errno);
201 ret = open_broker.Access(k_NotWhitelisted, X_OK);
202 ASSERT_EQ(ret, -denied_errno);
203 ret = open_broker.Access(k_NotWhitelisted, R_OK | X_OK);
204 ASSERT_EQ(ret, -denied_errno);
205
206 // We have some extra sanity check for clearly wrong values.
207 fd = open_broker.Open(kRW_WhiteListed, O_RDONLY | O_WRONLY | O_RDWR);
208 ASSERT_EQ(fd, -denied_errno);
209
210 // It makes no sense to allow O_CREAT in a 2-parameters open. Ensure this
211 // is denied.
212 fd = open_broker.Open(kRW_WhiteListed, O_RDWR | O_CREAT);
213 ASSERT_EQ(fd, -denied_errno);
214 }
215
216 // Run the same thing twice. The second time, we make sure that no security
217 // check is performed on the client.
TEST(BrokerProcess,OpenFilePermsWithClientCheck)218 TEST(BrokerProcess, OpenFilePermsWithClientCheck) {
219 TestOpenFilePerms(true /* fast_check_in_client */, EPERM);
220 // Don't do anything here, so that ASSERT works in the subfunction as
221 // expected.
222 }
223
TEST(BrokerProcess,OpenOpenFilePermsNoClientCheck)224 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheck) {
225 TestOpenFilePerms(false /* fast_check_in_client */, EPERM);
226 // Don't do anything here, so that ASSERT works in the subfunction as
227 // expected.
228 }
229
230 // Run the same twice again, but with ENOENT instead of EPERM.
TEST(BrokerProcess,OpenFilePermsWithClientCheckNoEnt)231 TEST(BrokerProcess, OpenFilePermsWithClientCheckNoEnt) {
232 TestOpenFilePerms(true /* fast_check_in_client */, ENOENT);
233 // Don't do anything here, so that ASSERT works in the subfunction as
234 // expected.
235 }
236
TEST(BrokerProcess,OpenOpenFilePermsNoClientCheckNoEnt)237 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheckNoEnt) {
238 TestOpenFilePerms(false /* fast_check_in_client */, ENOENT);
239 // Don't do anything here, so that ASSERT works in the subfunction as
240 // expected.
241 }
242
TestBadPaths(bool fast_check_in_client)243 void TestBadPaths(bool fast_check_in_client) {
244 const char kFileCpuInfo[] = "/proc/cpuinfo";
245 const char kNotAbsPath[] = "proc/cpuinfo";
246 const char kDotDotStart[] = "/../proc/cpuinfo";
247 const char kDotDotMiddle[] = "/proc/self/../cpuinfo";
248 const char kDotDotEnd[] = "/proc/..";
249 const char kTrailingSlash[] = "/proc/";
250
251 std::vector<BrokerFilePermission> permissions;
252
253 permissions.push_back(BrokerFilePermission::ReadOnlyRecursive("/proc/"));
254 scoped_ptr<BrokerProcess> open_broker(
255 new BrokerProcess(EPERM, permissions, fast_check_in_client));
256 ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
257 // Open cpuinfo via the broker.
258 int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
259 base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
260 ASSERT_GE(cpuinfo_fd, 0);
261
262 int fd = -1;
263 int can_access;
264
265 can_access = open_broker->Access(kNotAbsPath, R_OK);
266 ASSERT_EQ(can_access, -EPERM);
267 fd = open_broker->Open(kNotAbsPath, O_RDONLY);
268 ASSERT_EQ(fd, -EPERM);
269
270 can_access = open_broker->Access(kDotDotStart, R_OK);
271 ASSERT_EQ(can_access, -EPERM);
272 fd = open_broker->Open(kDotDotStart, O_RDONLY);
273 ASSERT_EQ(fd, -EPERM);
274
275 can_access = open_broker->Access(kDotDotMiddle, R_OK);
276 ASSERT_EQ(can_access, -EPERM);
277 fd = open_broker->Open(kDotDotMiddle, O_RDONLY);
278 ASSERT_EQ(fd, -EPERM);
279
280 can_access = open_broker->Access(kDotDotEnd, R_OK);
281 ASSERT_EQ(can_access, -EPERM);
282 fd = open_broker->Open(kDotDotEnd, O_RDONLY);
283 ASSERT_EQ(fd, -EPERM);
284
285 can_access = open_broker->Access(kTrailingSlash, R_OK);
286 ASSERT_EQ(can_access, -EPERM);
287 fd = open_broker->Open(kTrailingSlash, O_RDONLY);
288 ASSERT_EQ(fd, -EPERM);
289 }
290
TEST(BrokerProcess,BadPathsClientCheck)291 TEST(BrokerProcess, BadPathsClientCheck) {
292 TestBadPaths(true /* fast_check_in_client */);
293 // Don't do anything here, so that ASSERT works in the subfunction as
294 // expected.
295 }
296
TEST(BrokerProcess,BadPathsNoClientCheck)297 TEST(BrokerProcess, BadPathsNoClientCheck) {
298 TestBadPaths(false /* fast_check_in_client */);
299 // Don't do anything here, so that ASSERT works in the subfunction as
300 // expected.
301 }
302
TestOpenCpuinfo(bool fast_check_in_client,bool recursive)303 void TestOpenCpuinfo(bool fast_check_in_client, bool recursive) {
304 const char kFileCpuInfo[] = "/proc/cpuinfo";
305 const char kDirProc[] = "/proc/";
306
307 std::vector<BrokerFilePermission> permissions;
308 if (recursive)
309 permissions.push_back(BrokerFilePermission::ReadOnlyRecursive(kDirProc));
310 else
311 permissions.push_back(BrokerFilePermission::ReadOnly(kFileCpuInfo));
312
313 scoped_ptr<BrokerProcess> open_broker(
314 new BrokerProcess(EPERM, permissions, fast_check_in_client));
315 ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
316
317 int fd = -1;
318 fd = open_broker->Open(kFileCpuInfo, O_RDWR);
319 base::ScopedFD fd_closer(fd);
320 ASSERT_EQ(fd, -EPERM);
321
322 // Check we can read /proc/cpuinfo.
323 int can_access = open_broker->Access(kFileCpuInfo, R_OK);
324 ASSERT_EQ(can_access, 0);
325 can_access = open_broker->Access(kFileCpuInfo, W_OK);
326 ASSERT_EQ(can_access, -EPERM);
327 // Check we can not write /proc/cpuinfo.
328
329 // Open cpuinfo via the broker.
330 int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
331 base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
332 ASSERT_GE(cpuinfo_fd, 0);
333 char buf[3];
334 memset(buf, 0, sizeof(buf));
335 int read_len1 = read(cpuinfo_fd, buf, sizeof(buf));
336 ASSERT_GT(read_len1, 0);
337
338 // Open cpuinfo directly.
339 int cpuinfo_fd2 = open(kFileCpuInfo, O_RDONLY);
340 base::ScopedFD cpuinfo_fd2_closer(cpuinfo_fd2);
341 ASSERT_GE(cpuinfo_fd2, 0);
342 char buf2[3];
343 memset(buf2, 1, sizeof(buf2));
344 int read_len2 = read(cpuinfo_fd2, buf2, sizeof(buf2));
345 ASSERT_GT(read_len1, 0);
346
347 // The following is not guaranteed true, but will be in practice.
348 ASSERT_EQ(read_len1, read_len2);
349 // Compare the cpuinfo as returned by the broker with the one we opened
350 // ourselves.
351 ASSERT_EQ(memcmp(buf, buf2, read_len1), 0);
352
353 ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
354 open_broker.reset();
355 ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
356 }
357
358 // Run this test 4 times. With and without the check in client
359 // and using a recursive path.
TEST(BrokerProcess,OpenCpuinfoWithClientCheck)360 TEST(BrokerProcess, OpenCpuinfoWithClientCheck) {
361 TestOpenCpuinfo(true /* fast_check_in_client */, false /* not recursive */);
362 // Don't do anything here, so that ASSERT works in the subfunction as
363 // expected.
364 }
365
TEST(BrokerProcess,OpenCpuinfoNoClientCheck)366 TEST(BrokerProcess, OpenCpuinfoNoClientCheck) {
367 TestOpenCpuinfo(false /* fast_check_in_client */, false /* not recursive */);
368 // Don't do anything here, so that ASSERT works in the subfunction as
369 // expected.
370 }
371
TEST(BrokerProcess,OpenCpuinfoWithClientCheckRecursive)372 TEST(BrokerProcess, OpenCpuinfoWithClientCheckRecursive) {
373 TestOpenCpuinfo(true /* fast_check_in_client */, true /* recursive */);
374 // Don't do anything here, so that ASSERT works in the subfunction as
375 // expected.
376 }
377
TEST(BrokerProcess,OpenCpuinfoNoClientCheckRecursive)378 TEST(BrokerProcess, OpenCpuinfoNoClientCheckRecursive) {
379 TestOpenCpuinfo(false /* fast_check_in_client */, true /* recursive */);
380 // Don't do anything here, so that ASSERT works in the subfunction as
381 // expected.
382 }
383
TEST(BrokerProcess,OpenFileRW)384 TEST(BrokerProcess, OpenFileRW) {
385 ScopedTemporaryFile tempfile;
386 const char* tempfile_name = tempfile.full_file_name();
387
388 std::vector<BrokerFilePermission> permissions;
389 permissions.push_back(BrokerFilePermission::ReadWrite(tempfile_name));
390
391 BrokerProcess open_broker(EPERM, permissions);
392 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
393
394 // Check we can access that file with read or write.
395 int can_access = open_broker.Access(tempfile_name, R_OK | W_OK);
396 ASSERT_EQ(can_access, 0);
397
398 int tempfile2 = -1;
399 tempfile2 = open_broker.Open(tempfile_name, O_RDWR);
400 ASSERT_GE(tempfile2, 0);
401
402 // Write to the descriptor opened by the broker.
403 char test_text[] = "TESTTESTTEST";
404 ssize_t len = write(tempfile2, test_text, sizeof(test_text));
405 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
406
407 // Read back from the original file descriptor what we wrote through
408 // the descriptor provided by the broker.
409 char buf[1024];
410 len = read(tempfile.fd(), buf, sizeof(buf));
411
412 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
413 ASSERT_EQ(memcmp(test_text, buf, sizeof(test_text)), 0);
414
415 ASSERT_EQ(close(tempfile2), 0);
416 }
417
418 // SANDBOX_TEST because the process could die with a SIGPIPE
419 // and we want this to happen in a subprocess.
SANDBOX_TEST(BrokerProcess,BrokerDied)420 SANDBOX_TEST(BrokerProcess, BrokerDied) {
421 const char kCpuInfo[] = "/proc/cpuinfo";
422 std::vector<BrokerFilePermission> permissions;
423 permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
424
425 BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
426 true /* quiet_failures_for_tests */);
427 SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
428 const pid_t broker_pid = open_broker.broker_pid();
429 SANDBOX_ASSERT(kill(broker_pid, SIGKILL) == 0);
430
431 // Now we check that the broker has been signaled, but do not reap it.
432 siginfo_t process_info;
433 SANDBOX_ASSERT(HANDLE_EINTR(waitid(
434 P_PID, broker_pid, &process_info, WEXITED | WNOWAIT)) ==
435 0);
436 SANDBOX_ASSERT(broker_pid == process_info.si_pid);
437 SANDBOX_ASSERT(CLD_KILLED == process_info.si_code);
438 SANDBOX_ASSERT(SIGKILL == process_info.si_status);
439
440 // Check that doing Open with a dead broker won't SIGPIPE us.
441 SANDBOX_ASSERT(open_broker.Open(kCpuInfo, O_RDONLY) == -ENOMEM);
442 SANDBOX_ASSERT(open_broker.Access(kCpuInfo, O_RDONLY) == -ENOMEM);
443 }
444
TestOpenComplexFlags(bool fast_check_in_client)445 void TestOpenComplexFlags(bool fast_check_in_client) {
446 const char kCpuInfo[] = "/proc/cpuinfo";
447 std::vector<BrokerFilePermission> permissions;
448 permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
449
450 BrokerProcess open_broker(EPERM, permissions, fast_check_in_client);
451 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
452 // Test that we do the right thing for O_CLOEXEC and O_NONBLOCK.
453 int fd = -1;
454 int ret = 0;
455 fd = open_broker.Open(kCpuInfo, O_RDONLY);
456 ASSERT_GE(fd, 0);
457 ret = fcntl(fd, F_GETFL);
458 ASSERT_NE(-1, ret);
459 // The descriptor shouldn't have the O_CLOEXEC attribute, nor O_NONBLOCK.
460 ASSERT_EQ(0, ret & (O_CLOEXEC | O_NONBLOCK));
461 ASSERT_EQ(0, close(fd));
462
463 fd = open_broker.Open(kCpuInfo, O_RDONLY | O_CLOEXEC);
464 ASSERT_GE(fd, 0);
465 ret = fcntl(fd, F_GETFD);
466 ASSERT_NE(-1, ret);
467 // Important: use F_GETFD, not F_GETFL. The O_CLOEXEC flag in F_GETFL
468 // is actually not used by the kernel.
469 ASSERT_TRUE(FD_CLOEXEC & ret);
470 ASSERT_EQ(0, close(fd));
471
472 fd = open_broker.Open(kCpuInfo, O_RDONLY | O_NONBLOCK);
473 ASSERT_GE(fd, 0);
474 ret = fcntl(fd, F_GETFL);
475 ASSERT_NE(-1, ret);
476 ASSERT_TRUE(O_NONBLOCK & ret);
477 ASSERT_EQ(0, close(fd));
478 }
479
TEST(BrokerProcess,OpenComplexFlagsWithClientCheck)480 TEST(BrokerProcess, OpenComplexFlagsWithClientCheck) {
481 TestOpenComplexFlags(true /* fast_check_in_client */);
482 // Don't do anything here, so that ASSERT works in the subfunction as
483 // expected.
484 }
485
TEST(BrokerProcess,OpenComplexFlagsNoClientCheck)486 TEST(BrokerProcess, OpenComplexFlagsNoClientCheck) {
487 TestOpenComplexFlags(false /* fast_check_in_client */);
488 // Don't do anything here, so that ASSERT works in the subfunction as
489 // expected.
490 }
491
492 // We need to allow noise because the broker will log when it receives our
493 // bogus IPCs.
SANDBOX_TEST_ALLOW_NOISE(BrokerProcess,RecvMsgDescriptorLeak)494 SANDBOX_TEST_ALLOW_NOISE(BrokerProcess, RecvMsgDescriptorLeak) {
495 // Android creates a socket on first use of the LOG call.
496 // We need to ensure this socket is open before we
497 // begin the test.
498 LOG(INFO) << "Ensure Android LOG socket is allocated";
499
500 // Find the four lowest available file descriptors.
501 int available_fds[4];
502 SANDBOX_ASSERT(0 == pipe(available_fds));
503 SANDBOX_ASSERT(0 == pipe(available_fds + 2));
504
505 // Save one FD to send to the broker later, and close the others.
506 base::ScopedFD message_fd(available_fds[0]);
507 for (size_t i = 1; i < arraysize(available_fds); i++) {
508 SANDBOX_ASSERT(0 == IGNORE_EINTR(close(available_fds[i])));
509 }
510
511 // Lower our file descriptor limit to just allow three more file descriptors
512 // to be allocated. (N.B., RLIMIT_NOFILE doesn't limit the number of file
513 // descriptors a process can have: it only limits the highest value that can
514 // be assigned to newly-created descriptors allocated by the process.)
515 const rlim_t fd_limit =
516 1 +
517 *std::max_element(available_fds,
518 available_fds + arraysize(available_fds));
519
520 // Valgrind doesn't allow changing the hard descriptor limit, so we only
521 // change the soft descriptor limit here.
522 struct rlimit rlim;
523 SANDBOX_ASSERT(0 == getrlimit(RLIMIT_NOFILE, &rlim));
524 SANDBOX_ASSERT(fd_limit <= rlim.rlim_cur);
525 rlim.rlim_cur = fd_limit;
526 SANDBOX_ASSERT(0 == setrlimit(RLIMIT_NOFILE, &rlim));
527
528 static const char kCpuInfo[] = "/proc/cpuinfo";
529 std::vector<BrokerFilePermission> permissions;
530 permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
531
532 BrokerProcess open_broker(EPERM, permissions);
533 SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
534
535 const int ipc_fd = BrokerProcessTestHelper::GetIPCDescriptor(&open_broker);
536 SANDBOX_ASSERT(ipc_fd >= 0);
537
538 static const char kBogus[] = "not a pickle";
539 std::vector<int> fds;
540 fds.push_back(message_fd.get());
541
542 // The broker process should only have a couple spare file descriptors
543 // available, but for good measure we send it fd_limit bogus IPCs anyway.
544 for (rlim_t i = 0; i < fd_limit; ++i) {
545 SANDBOX_ASSERT(
546 base::UnixDomainSocket::SendMsg(ipc_fd, kBogus, sizeof(kBogus), fds));
547 }
548
549 const int fd = open_broker.Open(kCpuInfo, O_RDONLY);
550 SANDBOX_ASSERT(fd >= 0);
551 SANDBOX_ASSERT(0 == IGNORE_EINTR(close(fd)));
552 }
553
CloseFD(int fd)554 bool CloseFD(int fd) {
555 PCHECK(0 == IGNORE_EINTR(close(fd)));
556 return true;
557 }
558
559 // Return true if the other end of the |reader| pipe was closed,
560 // false if |timeout_in_seconds| was reached or another event
561 // or error occured.
WaitForClosedPipeWriter(int reader,int timeout_in_ms)562 bool WaitForClosedPipeWriter(int reader, int timeout_in_ms) {
563 struct pollfd poll_fd = {reader, POLLIN | POLLRDHUP, 0};
564 const int num_events = HANDLE_EINTR(poll(&poll_fd, 1, timeout_in_ms));
565 if (1 == num_events && poll_fd.revents | POLLHUP)
566 return true;
567 return false;
568 }
569
570 // Closing the broker client's IPC channel should terminate the broker
571 // process.
TEST(BrokerProcess,BrokerDiesOnClosedChannel)572 TEST(BrokerProcess, BrokerDiesOnClosedChannel) {
573 std::vector<BrokerFilePermission> permissions;
574 permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
575
576 // Get the writing end of a pipe into the broker (child) process so
577 // that we can reliably detect when it dies.
578 int lifeline_fds[2];
579 PCHECK(0 == pipe(lifeline_fds));
580
581 BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
582 false /* quiet_failures_for_tests */);
583 ASSERT_TRUE(open_broker.Init(base::Bind(&CloseFD, lifeline_fds[0])));
584 // Make sure the writing end only exists in the broker process.
585 CloseFD(lifeline_fds[1]);
586 base::ScopedFD reader(lifeline_fds[0]);
587
588 const pid_t broker_pid = open_broker.broker_pid();
589
590 // This should cause the broker process to exit.
591 BrokerProcessTestHelper::CloseChannel(&open_broker);
592
593 const int kTimeoutInMilliseconds = 5000;
594 const bool broker_lifeline_closed =
595 WaitForClosedPipeWriter(reader.get(), kTimeoutInMilliseconds);
596 // If the broker exited, its lifeline fd should be closed.
597 ASSERT_TRUE(broker_lifeline_closed);
598 // Now check that the broker has exited, but do not reap it.
599 siginfo_t process_info;
600 ASSERT_EQ(0, HANDLE_EINTR(waitid(P_PID, broker_pid, &process_info,
601 WEXITED | WNOWAIT)));
602 EXPECT_EQ(broker_pid, process_info.si_pid);
603 EXPECT_EQ(CLD_EXITED, process_info.si_code);
604 EXPECT_EQ(1, process_info.si_status);
605 }
606
TEST(BrokerProcess,CreateFile)607 TEST(BrokerProcess, CreateFile) {
608 std::string temp_str;
609 {
610 ScopedTemporaryFile tmp_file;
611 temp_str = tmp_file.full_file_name();
612 }
613 const char* tempfile_name = temp_str.c_str();
614
615 std::vector<BrokerFilePermission> permissions;
616 permissions.push_back(BrokerFilePermission::ReadWriteCreate(tempfile_name));
617
618 BrokerProcess open_broker(EPERM, permissions);
619 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
620
621 int fd = -1;
622
623 // Try without O_EXCL
624 fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT);
625 ASSERT_EQ(fd, -EPERM);
626
627 const char kTestText[] = "TESTTESTTEST";
628 // Create a file
629 fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
630 ASSERT_GE(fd, 0);
631 {
632 base::ScopedFD scoped_fd(fd);
633
634 // Confirm fail if file exists
635 int bad_fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
636 ASSERT_EQ(bad_fd, -EEXIST);
637
638 // Write to the descriptor opened by the broker.
639
640 ssize_t len = HANDLE_EINTR(write(fd, kTestText, sizeof(kTestText)));
641 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText)));
642 }
643
644 int fd_check = open(tempfile_name, O_RDONLY);
645 ASSERT_GE(fd_check, 0);
646 {
647 base::ScopedFD scoped_fd(fd_check);
648 char buf[1024];
649 ssize_t len = HANDLE_EINTR(read(fd_check, buf, sizeof(buf)));
650
651 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText)));
652 ASSERT_EQ(memcmp(kTestText, buf, sizeof(kTestText)), 0);
653 }
654 }
655
656 } // namespace syscall_broker
657
658 } // namespace sandbox
659