• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/linux/syscall_broker/broker_process.h"
6 
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <poll.h>
10 #include <stddef.h>
11 #include <sys/resource.h>
12 #include <sys/stat.h>
13 #include <sys/types.h>
14 #include <sys/wait.h>
15 #include <unistd.h>
16 
17 #include <algorithm>
18 #include <string>
19 #include <vector>
20 
21 #include "base/bind.h"
22 #include "base/files/file_util.h"
23 #include "base/files/scoped_file.h"
24 #include "base/logging.h"
25 #include "base/macros.h"
26 #include "base/memory/scoped_ptr.h"
27 #include "base/posix/eintr_wrapper.h"
28 #include "base/posix/unix_domain_socket_linux.h"
29 #include "sandbox/linux/syscall_broker/broker_client.h"
30 #include "sandbox/linux/tests/scoped_temporary_file.h"
31 #include "sandbox/linux/tests/test_utils.h"
32 #include "sandbox/linux/tests/unit_tests.h"
33 #include "testing/gtest/include/gtest/gtest.h"
34 
35 namespace sandbox {
36 
37 namespace syscall_broker {
38 
39 class BrokerProcessTestHelper {
40  public:
CloseChannel(BrokerProcess * broker)41   static void CloseChannel(BrokerProcess* broker) { broker->CloseChannel(); }
42   // Get the client's IPC descriptor to send IPC requests directly.
43   // TODO(jln): refator tests to get rid of this.
GetIPCDescriptor(const BrokerProcess * broker)44   static int GetIPCDescriptor(const BrokerProcess* broker) {
45     return broker->broker_client_->GetIPCDescriptor();
46   }
47 };
48 
49 namespace {
50 
NoOpCallback()51 bool NoOpCallback() {
52   return true;
53 }
54 
55 }  // namespace
56 
TEST(BrokerProcess,CreateAndDestroy)57 TEST(BrokerProcess, CreateAndDestroy) {
58   std::vector<BrokerFilePermission> permissions;
59   permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
60 
61   scoped_ptr<BrokerProcess> open_broker(new BrokerProcess(EPERM, permissions));
62   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
63 
64   ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
65   // Destroy the broker and check it has exited properly.
66   open_broker.reset();
67   ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
68 }
69 
TEST(BrokerProcess,TestOpenAccessNull)70 TEST(BrokerProcess, TestOpenAccessNull) {
71   std::vector<BrokerFilePermission> empty;
72   BrokerProcess open_broker(EPERM, empty);
73   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
74 
75   int fd = open_broker.Open(NULL, O_RDONLY);
76   ASSERT_EQ(fd, -EFAULT);
77 
78   int ret = open_broker.Access(NULL, F_OK);
79   ASSERT_EQ(ret, -EFAULT);
80 }
81 
TestOpenFilePerms(bool fast_check_in_client,int denied_errno)82 void TestOpenFilePerms(bool fast_check_in_client, int denied_errno) {
83   const char kR_WhiteListed[] = "/proc/DOESNOTEXIST1";
84   // We can't debug the init process, and shouldn't be able to access
85   // its auxv file.
86   const char kR_WhiteListedButDenied[] = "/proc/1/auxv";
87   const char kW_WhiteListed[] = "/proc/DOESNOTEXIST2";
88   const char kRW_WhiteListed[] = "/proc/DOESNOTEXIST3";
89   const char k_NotWhitelisted[] = "/proc/DOESNOTEXIST4";
90 
91   std::vector<BrokerFilePermission> permissions;
92   permissions.push_back(BrokerFilePermission::ReadOnly(kR_WhiteListed));
93   permissions.push_back(
94       BrokerFilePermission::ReadOnly(kR_WhiteListedButDenied));
95   permissions.push_back(BrokerFilePermission::WriteOnly(kW_WhiteListed));
96   permissions.push_back(BrokerFilePermission::ReadWrite(kRW_WhiteListed));
97 
98   BrokerProcess open_broker(denied_errno, permissions, fast_check_in_client);
99   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
100 
101   int fd = -1;
102   fd = open_broker.Open(kR_WhiteListed, O_RDONLY);
103   ASSERT_EQ(fd, -ENOENT);
104   fd = open_broker.Open(kR_WhiteListed, O_WRONLY);
105   ASSERT_EQ(fd, -denied_errno);
106   fd = open_broker.Open(kR_WhiteListed, O_RDWR);
107   ASSERT_EQ(fd, -denied_errno);
108   int ret = -1;
109   ret = open_broker.Access(kR_WhiteListed, F_OK);
110   ASSERT_EQ(ret, -ENOENT);
111   ret = open_broker.Access(kR_WhiteListed, R_OK);
112   ASSERT_EQ(ret, -ENOENT);
113   ret = open_broker.Access(kR_WhiteListed, W_OK);
114   ASSERT_EQ(ret, -denied_errno);
115   ret = open_broker.Access(kR_WhiteListed, R_OK | W_OK);
116   ASSERT_EQ(ret, -denied_errno);
117   ret = open_broker.Access(kR_WhiteListed, X_OK);
118   ASSERT_EQ(ret, -denied_errno);
119   ret = open_broker.Access(kR_WhiteListed, R_OK | X_OK);
120   ASSERT_EQ(ret, -denied_errno);
121 
122   // Android sometimes runs tests as root.
123   // This part of the test requires a process that doesn't have
124   // CAP_DAC_OVERRIDE. We check against a root euid as a proxy for that.
125   if (geteuid()) {
126     fd = open_broker.Open(kR_WhiteListedButDenied, O_RDONLY);
127     // The broker process will allow this, but the normal permission system
128     // won't.
129     ASSERT_EQ(fd, -EACCES);
130     fd = open_broker.Open(kR_WhiteListedButDenied, O_WRONLY);
131     ASSERT_EQ(fd, -denied_errno);
132     fd = open_broker.Open(kR_WhiteListedButDenied, O_RDWR);
133     ASSERT_EQ(fd, -denied_errno);
134     ret = open_broker.Access(kR_WhiteListedButDenied, F_OK);
135     // The normal permission system will let us check that the file exists.
136     ASSERT_EQ(ret, 0);
137     ret = open_broker.Access(kR_WhiteListedButDenied, R_OK);
138     ASSERT_EQ(ret, -EACCES);
139     ret = open_broker.Access(kR_WhiteListedButDenied, W_OK);
140     ASSERT_EQ(ret, -denied_errno);
141     ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | W_OK);
142     ASSERT_EQ(ret, -denied_errno);
143     ret = open_broker.Access(kR_WhiteListedButDenied, X_OK);
144     ASSERT_EQ(ret, -denied_errno);
145     ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | X_OK);
146     ASSERT_EQ(ret, -denied_errno);
147   }
148 
149   fd = open_broker.Open(kW_WhiteListed, O_RDONLY);
150   ASSERT_EQ(fd, -denied_errno);
151   fd = open_broker.Open(kW_WhiteListed, O_WRONLY);
152   ASSERT_EQ(fd, -ENOENT);
153   fd = open_broker.Open(kW_WhiteListed, O_RDWR);
154   ASSERT_EQ(fd, -denied_errno);
155   ret = open_broker.Access(kW_WhiteListed, F_OK);
156   ASSERT_EQ(ret, -ENOENT);
157   ret = open_broker.Access(kW_WhiteListed, R_OK);
158   ASSERT_EQ(ret, -denied_errno);
159   ret = open_broker.Access(kW_WhiteListed, W_OK);
160   ASSERT_EQ(ret, -ENOENT);
161   ret = open_broker.Access(kW_WhiteListed, R_OK | W_OK);
162   ASSERT_EQ(ret, -denied_errno);
163   ret = open_broker.Access(kW_WhiteListed, X_OK);
164   ASSERT_EQ(ret, -denied_errno);
165   ret = open_broker.Access(kW_WhiteListed, R_OK | X_OK);
166   ASSERT_EQ(ret, -denied_errno);
167 
168   fd = open_broker.Open(kRW_WhiteListed, O_RDONLY);
169   ASSERT_EQ(fd, -ENOENT);
170   fd = open_broker.Open(kRW_WhiteListed, O_WRONLY);
171   ASSERT_EQ(fd, -ENOENT);
172   fd = open_broker.Open(kRW_WhiteListed, O_RDWR);
173   ASSERT_EQ(fd, -ENOENT);
174   ret = open_broker.Access(kRW_WhiteListed, F_OK);
175   ASSERT_EQ(ret, -ENOENT);
176   ret = open_broker.Access(kRW_WhiteListed, R_OK);
177   ASSERT_EQ(ret, -ENOENT);
178   ret = open_broker.Access(kRW_WhiteListed, W_OK);
179   ASSERT_EQ(ret, -ENOENT);
180   ret = open_broker.Access(kRW_WhiteListed, R_OK | W_OK);
181   ASSERT_EQ(ret, -ENOENT);
182   ret = open_broker.Access(kRW_WhiteListed, X_OK);
183   ASSERT_EQ(ret, -denied_errno);
184   ret = open_broker.Access(kRW_WhiteListed, R_OK | X_OK);
185   ASSERT_EQ(ret, -denied_errno);
186 
187   fd = open_broker.Open(k_NotWhitelisted, O_RDONLY);
188   ASSERT_EQ(fd, -denied_errno);
189   fd = open_broker.Open(k_NotWhitelisted, O_WRONLY);
190   ASSERT_EQ(fd, -denied_errno);
191   fd = open_broker.Open(k_NotWhitelisted, O_RDWR);
192   ASSERT_EQ(fd, -denied_errno);
193   ret = open_broker.Access(k_NotWhitelisted, F_OK);
194   ASSERT_EQ(ret, -denied_errno);
195   ret = open_broker.Access(k_NotWhitelisted, R_OK);
196   ASSERT_EQ(ret, -denied_errno);
197   ret = open_broker.Access(k_NotWhitelisted, W_OK);
198   ASSERT_EQ(ret, -denied_errno);
199   ret = open_broker.Access(k_NotWhitelisted, R_OK | W_OK);
200   ASSERT_EQ(ret, -denied_errno);
201   ret = open_broker.Access(k_NotWhitelisted, X_OK);
202   ASSERT_EQ(ret, -denied_errno);
203   ret = open_broker.Access(k_NotWhitelisted, R_OK | X_OK);
204   ASSERT_EQ(ret, -denied_errno);
205 
206   // We have some extra sanity check for clearly wrong values.
207   fd = open_broker.Open(kRW_WhiteListed, O_RDONLY | O_WRONLY | O_RDWR);
208   ASSERT_EQ(fd, -denied_errno);
209 
210   // It makes no sense to allow O_CREAT in a 2-parameters open. Ensure this
211   // is denied.
212   fd = open_broker.Open(kRW_WhiteListed, O_RDWR | O_CREAT);
213   ASSERT_EQ(fd, -denied_errno);
214 }
215 
216 // Run the same thing twice. The second time, we make sure that no security
217 // check is performed on the client.
TEST(BrokerProcess,OpenFilePermsWithClientCheck)218 TEST(BrokerProcess, OpenFilePermsWithClientCheck) {
219   TestOpenFilePerms(true /* fast_check_in_client */, EPERM);
220   // Don't do anything here, so that ASSERT works in the subfunction as
221   // expected.
222 }
223 
TEST(BrokerProcess,OpenOpenFilePermsNoClientCheck)224 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheck) {
225   TestOpenFilePerms(false /* fast_check_in_client */, EPERM);
226   // Don't do anything here, so that ASSERT works in the subfunction as
227   // expected.
228 }
229 
230 // Run the same twice again, but with ENOENT instead of EPERM.
TEST(BrokerProcess,OpenFilePermsWithClientCheckNoEnt)231 TEST(BrokerProcess, OpenFilePermsWithClientCheckNoEnt) {
232   TestOpenFilePerms(true /* fast_check_in_client */, ENOENT);
233   // Don't do anything here, so that ASSERT works in the subfunction as
234   // expected.
235 }
236 
TEST(BrokerProcess,OpenOpenFilePermsNoClientCheckNoEnt)237 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheckNoEnt) {
238   TestOpenFilePerms(false /* fast_check_in_client */, ENOENT);
239   // Don't do anything here, so that ASSERT works in the subfunction as
240   // expected.
241 }
242 
TestBadPaths(bool fast_check_in_client)243 void TestBadPaths(bool fast_check_in_client) {
244   const char kFileCpuInfo[] = "/proc/cpuinfo";
245   const char kNotAbsPath[] = "proc/cpuinfo";
246   const char kDotDotStart[] = "/../proc/cpuinfo";
247   const char kDotDotMiddle[] = "/proc/self/../cpuinfo";
248   const char kDotDotEnd[] = "/proc/..";
249   const char kTrailingSlash[] = "/proc/";
250 
251   std::vector<BrokerFilePermission> permissions;
252 
253   permissions.push_back(BrokerFilePermission::ReadOnlyRecursive("/proc/"));
254   scoped_ptr<BrokerProcess> open_broker(
255       new BrokerProcess(EPERM, permissions, fast_check_in_client));
256   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
257   // Open cpuinfo via the broker.
258   int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
259   base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
260   ASSERT_GE(cpuinfo_fd, 0);
261 
262   int fd = -1;
263   int can_access;
264 
265   can_access = open_broker->Access(kNotAbsPath, R_OK);
266   ASSERT_EQ(can_access, -EPERM);
267   fd = open_broker->Open(kNotAbsPath, O_RDONLY);
268   ASSERT_EQ(fd, -EPERM);
269 
270   can_access = open_broker->Access(kDotDotStart, R_OK);
271   ASSERT_EQ(can_access, -EPERM);
272   fd = open_broker->Open(kDotDotStart, O_RDONLY);
273   ASSERT_EQ(fd, -EPERM);
274 
275   can_access = open_broker->Access(kDotDotMiddle, R_OK);
276   ASSERT_EQ(can_access, -EPERM);
277   fd = open_broker->Open(kDotDotMiddle, O_RDONLY);
278   ASSERT_EQ(fd, -EPERM);
279 
280   can_access = open_broker->Access(kDotDotEnd, R_OK);
281   ASSERT_EQ(can_access, -EPERM);
282   fd = open_broker->Open(kDotDotEnd, O_RDONLY);
283   ASSERT_EQ(fd, -EPERM);
284 
285   can_access = open_broker->Access(kTrailingSlash, R_OK);
286   ASSERT_EQ(can_access, -EPERM);
287   fd = open_broker->Open(kTrailingSlash, O_RDONLY);
288   ASSERT_EQ(fd, -EPERM);
289 }
290 
TEST(BrokerProcess,BadPathsClientCheck)291 TEST(BrokerProcess, BadPathsClientCheck) {
292   TestBadPaths(true /* fast_check_in_client */);
293   // Don't do anything here, so that ASSERT works in the subfunction as
294   // expected.
295 }
296 
TEST(BrokerProcess,BadPathsNoClientCheck)297 TEST(BrokerProcess, BadPathsNoClientCheck) {
298   TestBadPaths(false /* fast_check_in_client */);
299   // Don't do anything here, so that ASSERT works in the subfunction as
300   // expected.
301 }
302 
TestOpenCpuinfo(bool fast_check_in_client,bool recursive)303 void TestOpenCpuinfo(bool fast_check_in_client, bool recursive) {
304   const char kFileCpuInfo[] = "/proc/cpuinfo";
305   const char kDirProc[] = "/proc/";
306 
307   std::vector<BrokerFilePermission> permissions;
308   if (recursive)
309     permissions.push_back(BrokerFilePermission::ReadOnlyRecursive(kDirProc));
310   else
311     permissions.push_back(BrokerFilePermission::ReadOnly(kFileCpuInfo));
312 
313   scoped_ptr<BrokerProcess> open_broker(
314       new BrokerProcess(EPERM, permissions, fast_check_in_client));
315   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
316 
317   int fd = -1;
318   fd = open_broker->Open(kFileCpuInfo, O_RDWR);
319   base::ScopedFD fd_closer(fd);
320   ASSERT_EQ(fd, -EPERM);
321 
322   // Check we can read /proc/cpuinfo.
323   int can_access = open_broker->Access(kFileCpuInfo, R_OK);
324   ASSERT_EQ(can_access, 0);
325   can_access = open_broker->Access(kFileCpuInfo, W_OK);
326   ASSERT_EQ(can_access, -EPERM);
327   // Check we can not write /proc/cpuinfo.
328 
329   // Open cpuinfo via the broker.
330   int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
331   base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
332   ASSERT_GE(cpuinfo_fd, 0);
333   char buf[3];
334   memset(buf, 0, sizeof(buf));
335   int read_len1 = read(cpuinfo_fd, buf, sizeof(buf));
336   ASSERT_GT(read_len1, 0);
337 
338   // Open cpuinfo directly.
339   int cpuinfo_fd2 = open(kFileCpuInfo, O_RDONLY);
340   base::ScopedFD cpuinfo_fd2_closer(cpuinfo_fd2);
341   ASSERT_GE(cpuinfo_fd2, 0);
342   char buf2[3];
343   memset(buf2, 1, sizeof(buf2));
344   int read_len2 = read(cpuinfo_fd2, buf2, sizeof(buf2));
345   ASSERT_GT(read_len1, 0);
346 
347   // The following is not guaranteed true, but will be in practice.
348   ASSERT_EQ(read_len1, read_len2);
349   // Compare the cpuinfo as returned by the broker with the one we opened
350   // ourselves.
351   ASSERT_EQ(memcmp(buf, buf2, read_len1), 0);
352 
353   ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
354   open_broker.reset();
355   ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
356 }
357 
358 // Run this test 4 times. With and without the check in client
359 // and using a recursive path.
TEST(BrokerProcess,OpenCpuinfoWithClientCheck)360 TEST(BrokerProcess, OpenCpuinfoWithClientCheck) {
361   TestOpenCpuinfo(true /* fast_check_in_client */, false /* not recursive */);
362   // Don't do anything here, so that ASSERT works in the subfunction as
363   // expected.
364 }
365 
TEST(BrokerProcess,OpenCpuinfoNoClientCheck)366 TEST(BrokerProcess, OpenCpuinfoNoClientCheck) {
367   TestOpenCpuinfo(false /* fast_check_in_client */, false /* not recursive */);
368   // Don't do anything here, so that ASSERT works in the subfunction as
369   // expected.
370 }
371 
TEST(BrokerProcess,OpenCpuinfoWithClientCheckRecursive)372 TEST(BrokerProcess, OpenCpuinfoWithClientCheckRecursive) {
373   TestOpenCpuinfo(true /* fast_check_in_client */, true /* recursive */);
374   // Don't do anything here, so that ASSERT works in the subfunction as
375   // expected.
376 }
377 
TEST(BrokerProcess,OpenCpuinfoNoClientCheckRecursive)378 TEST(BrokerProcess, OpenCpuinfoNoClientCheckRecursive) {
379   TestOpenCpuinfo(false /* fast_check_in_client */, true /* recursive */);
380   // Don't do anything here, so that ASSERT works in the subfunction as
381   // expected.
382 }
383 
TEST(BrokerProcess,OpenFileRW)384 TEST(BrokerProcess, OpenFileRW) {
385   ScopedTemporaryFile tempfile;
386   const char* tempfile_name = tempfile.full_file_name();
387 
388   std::vector<BrokerFilePermission> permissions;
389   permissions.push_back(BrokerFilePermission::ReadWrite(tempfile_name));
390 
391   BrokerProcess open_broker(EPERM, permissions);
392   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
393 
394   // Check we can access that file with read or write.
395   int can_access = open_broker.Access(tempfile_name, R_OK | W_OK);
396   ASSERT_EQ(can_access, 0);
397 
398   int tempfile2 = -1;
399   tempfile2 = open_broker.Open(tempfile_name, O_RDWR);
400   ASSERT_GE(tempfile2, 0);
401 
402   // Write to the descriptor opened by the broker.
403   char test_text[] = "TESTTESTTEST";
404   ssize_t len = write(tempfile2, test_text, sizeof(test_text));
405   ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
406 
407   // Read back from the original file descriptor what we wrote through
408   // the descriptor provided by the broker.
409   char buf[1024];
410   len = read(tempfile.fd(), buf, sizeof(buf));
411 
412   ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
413   ASSERT_EQ(memcmp(test_text, buf, sizeof(test_text)), 0);
414 
415   ASSERT_EQ(close(tempfile2), 0);
416 }
417 
418 // SANDBOX_TEST because the process could die with a SIGPIPE
419 // and we want this to happen in a subprocess.
SANDBOX_TEST(BrokerProcess,BrokerDied)420 SANDBOX_TEST(BrokerProcess, BrokerDied) {
421   const char kCpuInfo[] = "/proc/cpuinfo";
422   std::vector<BrokerFilePermission> permissions;
423   permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
424 
425   BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
426                             true /* quiet_failures_for_tests */);
427   SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
428   const pid_t broker_pid = open_broker.broker_pid();
429   SANDBOX_ASSERT(kill(broker_pid, SIGKILL) == 0);
430 
431   // Now we check that the broker has been signaled, but do not reap it.
432   siginfo_t process_info;
433   SANDBOX_ASSERT(HANDLE_EINTR(waitid(
434                      P_PID, broker_pid, &process_info, WEXITED | WNOWAIT)) ==
435                  0);
436   SANDBOX_ASSERT(broker_pid == process_info.si_pid);
437   SANDBOX_ASSERT(CLD_KILLED == process_info.si_code);
438   SANDBOX_ASSERT(SIGKILL == process_info.si_status);
439 
440   // Check that doing Open with a dead broker won't SIGPIPE us.
441   SANDBOX_ASSERT(open_broker.Open(kCpuInfo, O_RDONLY) == -ENOMEM);
442   SANDBOX_ASSERT(open_broker.Access(kCpuInfo, O_RDONLY) == -ENOMEM);
443 }
444 
TestOpenComplexFlags(bool fast_check_in_client)445 void TestOpenComplexFlags(bool fast_check_in_client) {
446   const char kCpuInfo[] = "/proc/cpuinfo";
447   std::vector<BrokerFilePermission> permissions;
448   permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
449 
450   BrokerProcess open_broker(EPERM, permissions, fast_check_in_client);
451   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
452   // Test that we do the right thing for O_CLOEXEC and O_NONBLOCK.
453   int fd = -1;
454   int ret = 0;
455   fd = open_broker.Open(kCpuInfo, O_RDONLY);
456   ASSERT_GE(fd, 0);
457   ret = fcntl(fd, F_GETFL);
458   ASSERT_NE(-1, ret);
459   // The descriptor shouldn't have the O_CLOEXEC attribute, nor O_NONBLOCK.
460   ASSERT_EQ(0, ret & (O_CLOEXEC | O_NONBLOCK));
461   ASSERT_EQ(0, close(fd));
462 
463   fd = open_broker.Open(kCpuInfo, O_RDONLY | O_CLOEXEC);
464   ASSERT_GE(fd, 0);
465   ret = fcntl(fd, F_GETFD);
466   ASSERT_NE(-1, ret);
467   // Important: use F_GETFD, not F_GETFL. The O_CLOEXEC flag in F_GETFL
468   // is actually not used by the kernel.
469   ASSERT_TRUE(FD_CLOEXEC & ret);
470   ASSERT_EQ(0, close(fd));
471 
472   fd = open_broker.Open(kCpuInfo, O_RDONLY | O_NONBLOCK);
473   ASSERT_GE(fd, 0);
474   ret = fcntl(fd, F_GETFL);
475   ASSERT_NE(-1, ret);
476   ASSERT_TRUE(O_NONBLOCK & ret);
477   ASSERT_EQ(0, close(fd));
478 }
479 
TEST(BrokerProcess,OpenComplexFlagsWithClientCheck)480 TEST(BrokerProcess, OpenComplexFlagsWithClientCheck) {
481   TestOpenComplexFlags(true /* fast_check_in_client */);
482   // Don't do anything here, so that ASSERT works in the subfunction as
483   // expected.
484 }
485 
TEST(BrokerProcess,OpenComplexFlagsNoClientCheck)486 TEST(BrokerProcess, OpenComplexFlagsNoClientCheck) {
487   TestOpenComplexFlags(false /* fast_check_in_client */);
488   // Don't do anything here, so that ASSERT works in the subfunction as
489   // expected.
490 }
491 
492 // We need to allow noise because the broker will log when it receives our
493 // bogus IPCs.
SANDBOX_TEST_ALLOW_NOISE(BrokerProcess,RecvMsgDescriptorLeak)494 SANDBOX_TEST_ALLOW_NOISE(BrokerProcess, RecvMsgDescriptorLeak) {
495   // Android creates a socket on first use of the LOG call.
496   // We need to ensure this socket is open before we
497   // begin the test.
498   LOG(INFO) << "Ensure Android LOG socket is allocated";
499 
500   // Find the four lowest available file descriptors.
501   int available_fds[4];
502   SANDBOX_ASSERT(0 == pipe(available_fds));
503   SANDBOX_ASSERT(0 == pipe(available_fds + 2));
504 
505   // Save one FD to send to the broker later, and close the others.
506   base::ScopedFD message_fd(available_fds[0]);
507   for (size_t i = 1; i < arraysize(available_fds); i++) {
508     SANDBOX_ASSERT(0 == IGNORE_EINTR(close(available_fds[i])));
509   }
510 
511   // Lower our file descriptor limit to just allow three more file descriptors
512   // to be allocated.  (N.B., RLIMIT_NOFILE doesn't limit the number of file
513   // descriptors a process can have: it only limits the highest value that can
514   // be assigned to newly-created descriptors allocated by the process.)
515   const rlim_t fd_limit =
516       1 +
517       *std::max_element(available_fds,
518                         available_fds + arraysize(available_fds));
519 
520   // Valgrind doesn't allow changing the hard descriptor limit, so we only
521   // change the soft descriptor limit here.
522   struct rlimit rlim;
523   SANDBOX_ASSERT(0 == getrlimit(RLIMIT_NOFILE, &rlim));
524   SANDBOX_ASSERT(fd_limit <= rlim.rlim_cur);
525   rlim.rlim_cur = fd_limit;
526   SANDBOX_ASSERT(0 == setrlimit(RLIMIT_NOFILE, &rlim));
527 
528   static const char kCpuInfo[] = "/proc/cpuinfo";
529   std::vector<BrokerFilePermission> permissions;
530   permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
531 
532   BrokerProcess open_broker(EPERM, permissions);
533   SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
534 
535   const int ipc_fd = BrokerProcessTestHelper::GetIPCDescriptor(&open_broker);
536   SANDBOX_ASSERT(ipc_fd >= 0);
537 
538   static const char kBogus[] = "not a pickle";
539   std::vector<int> fds;
540   fds.push_back(message_fd.get());
541 
542   // The broker process should only have a couple spare file descriptors
543   // available, but for good measure we send it fd_limit bogus IPCs anyway.
544   for (rlim_t i = 0; i < fd_limit; ++i) {
545     SANDBOX_ASSERT(
546         base::UnixDomainSocket::SendMsg(ipc_fd, kBogus, sizeof(kBogus), fds));
547   }
548 
549   const int fd = open_broker.Open(kCpuInfo, O_RDONLY);
550   SANDBOX_ASSERT(fd >= 0);
551   SANDBOX_ASSERT(0 == IGNORE_EINTR(close(fd)));
552 }
553 
CloseFD(int fd)554 bool CloseFD(int fd) {
555   PCHECK(0 == IGNORE_EINTR(close(fd)));
556   return true;
557 }
558 
559 // Return true if the other end of the |reader| pipe was closed,
560 // false if |timeout_in_seconds| was reached or another event
561 // or error occured.
WaitForClosedPipeWriter(int reader,int timeout_in_ms)562 bool WaitForClosedPipeWriter(int reader, int timeout_in_ms) {
563   struct pollfd poll_fd = {reader, POLLIN | POLLRDHUP, 0};
564   const int num_events = HANDLE_EINTR(poll(&poll_fd, 1, timeout_in_ms));
565   if (1 == num_events && poll_fd.revents | POLLHUP)
566     return true;
567   return false;
568 }
569 
570 // Closing the broker client's IPC channel should terminate the broker
571 // process.
TEST(BrokerProcess,BrokerDiesOnClosedChannel)572 TEST(BrokerProcess, BrokerDiesOnClosedChannel) {
573   std::vector<BrokerFilePermission> permissions;
574   permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
575 
576   // Get the writing end of a pipe into the broker (child) process so
577   // that we can reliably detect when it dies.
578   int lifeline_fds[2];
579   PCHECK(0 == pipe(lifeline_fds));
580 
581   BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
582                             false /* quiet_failures_for_tests */);
583   ASSERT_TRUE(open_broker.Init(base::Bind(&CloseFD, lifeline_fds[0])));
584   // Make sure the writing end only exists in the broker process.
585   CloseFD(lifeline_fds[1]);
586   base::ScopedFD reader(lifeline_fds[0]);
587 
588   const pid_t broker_pid = open_broker.broker_pid();
589 
590   // This should cause the broker process to exit.
591   BrokerProcessTestHelper::CloseChannel(&open_broker);
592 
593   const int kTimeoutInMilliseconds = 5000;
594   const bool broker_lifeline_closed =
595       WaitForClosedPipeWriter(reader.get(), kTimeoutInMilliseconds);
596   // If the broker exited, its lifeline fd should be closed.
597   ASSERT_TRUE(broker_lifeline_closed);
598   // Now check that the broker has exited, but do not reap it.
599   siginfo_t process_info;
600   ASSERT_EQ(0, HANDLE_EINTR(waitid(P_PID, broker_pid, &process_info,
601                                    WEXITED | WNOWAIT)));
602   EXPECT_EQ(broker_pid, process_info.si_pid);
603   EXPECT_EQ(CLD_EXITED, process_info.si_code);
604   EXPECT_EQ(1, process_info.si_status);
605 }
606 
TEST(BrokerProcess,CreateFile)607 TEST(BrokerProcess, CreateFile) {
608   std::string temp_str;
609   {
610     ScopedTemporaryFile tmp_file;
611     temp_str = tmp_file.full_file_name();
612   }
613   const char* tempfile_name = temp_str.c_str();
614 
615   std::vector<BrokerFilePermission> permissions;
616   permissions.push_back(BrokerFilePermission::ReadWriteCreate(tempfile_name));
617 
618   BrokerProcess open_broker(EPERM, permissions);
619   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
620 
621   int fd = -1;
622 
623   // Try without O_EXCL
624   fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT);
625   ASSERT_EQ(fd, -EPERM);
626 
627   const char kTestText[] = "TESTTESTTEST";
628   // Create a file
629   fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
630   ASSERT_GE(fd, 0);
631   {
632     base::ScopedFD scoped_fd(fd);
633 
634     // Confirm fail if file exists
635     int bad_fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
636     ASSERT_EQ(bad_fd, -EEXIST);
637 
638     // Write to the descriptor opened by the broker.
639 
640     ssize_t len = HANDLE_EINTR(write(fd, kTestText, sizeof(kTestText)));
641     ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText)));
642   }
643 
644   int fd_check = open(tempfile_name, O_RDONLY);
645   ASSERT_GE(fd_check, 0);
646   {
647     base::ScopedFD scoped_fd(fd_check);
648     char buf[1024];
649     ssize_t len = HANDLE_EINTR(read(fd_check, buf, sizeof(buf)));
650 
651     ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText)));
652     ASSERT_EQ(memcmp(kTestText, buf, sizeof(kTestText)), 0);
653   }
654 }
655 
656 }  // namespace syscall_broker
657 
658 }  // namespace sandbox
659