• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/linux/syscall_broker/broker_process.h"
6 
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <poll.h>
10 #include <stddef.h>
11 #include <sys/resource.h>
12 #include <sys/stat.h>
13 #include <sys/types.h>
14 #include <sys/wait.h>
15 #include <unistd.h>
16 
17 #include <algorithm>
18 #include <memory>
19 #include <string>
20 #include <vector>
21 
22 #include "base/bind.h"
23 #include "base/files/file_util.h"
24 #include "base/files/scoped_file.h"
25 #include "base/logging.h"
26 #include "base/macros.h"
27 #include "base/posix/eintr_wrapper.h"
28 #include "base/posix/unix_domain_socket_linux.h"
29 #include "sandbox/linux/syscall_broker/broker_client.h"
30 #include "sandbox/linux/tests/scoped_temporary_file.h"
31 #include "sandbox/linux/tests/test_utils.h"
32 #include "sandbox/linux/tests/unit_tests.h"
33 #include "testing/gtest/include/gtest/gtest.h"
34 
35 namespace sandbox {
36 
37 namespace syscall_broker {
38 
39 class BrokerProcessTestHelper {
40  public:
CloseChannel(BrokerProcess * broker)41   static void CloseChannel(BrokerProcess* broker) { broker->CloseChannel(); }
42   // Get the client's IPC descriptor to send IPC requests directly.
43   // TODO(jln): refator tests to get rid of this.
GetIPCDescriptor(const BrokerProcess * broker)44   static int GetIPCDescriptor(const BrokerProcess* broker) {
45     return broker->broker_client_->GetIPCDescriptor();
46   }
47 };
48 
49 namespace {
50 
NoOpCallback()51 bool NoOpCallback() {
52   return true;
53 }
54 
55 }  // namespace
56 
TEST(BrokerProcess,CreateAndDestroy)57 TEST(BrokerProcess, CreateAndDestroy) {
58   std::vector<BrokerFilePermission> permissions;
59   permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
60 
61   std::unique_ptr<BrokerProcess> open_broker(
62       new BrokerProcess(EPERM, permissions));
63   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
64 
65   ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
66   // Destroy the broker and check it has exited properly.
67   open_broker.reset();
68   ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
69 }
70 
TEST(BrokerProcess,TestOpenAccessNull)71 TEST(BrokerProcess, TestOpenAccessNull) {
72   std::vector<BrokerFilePermission> empty;
73   BrokerProcess open_broker(EPERM, empty);
74   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
75 
76   int fd = open_broker.Open(NULL, O_RDONLY);
77   ASSERT_EQ(fd, -EFAULT);
78 
79   int ret = open_broker.Access(NULL, F_OK);
80   ASSERT_EQ(ret, -EFAULT);
81 }
82 
TestOpenFilePerms(bool fast_check_in_client,int denied_errno)83 void TestOpenFilePerms(bool fast_check_in_client, int denied_errno) {
84   const char kR_WhiteListed[] = "/proc/DOESNOTEXIST1";
85   // We can't debug the init process, and shouldn't be able to access
86   // its auxv file.
87   const char kR_WhiteListedButDenied[] = "/proc/1/auxv";
88   const char kW_WhiteListed[] = "/proc/DOESNOTEXIST2";
89   const char kRW_WhiteListed[] = "/proc/DOESNOTEXIST3";
90   const char k_NotWhitelisted[] = "/proc/DOESNOTEXIST4";
91 
92   std::vector<BrokerFilePermission> permissions;
93   permissions.push_back(BrokerFilePermission::ReadOnly(kR_WhiteListed));
94   permissions.push_back(
95       BrokerFilePermission::ReadOnly(kR_WhiteListedButDenied));
96   permissions.push_back(BrokerFilePermission::WriteOnly(kW_WhiteListed));
97   permissions.push_back(BrokerFilePermission::ReadWrite(kRW_WhiteListed));
98 
99   BrokerProcess open_broker(denied_errno, permissions, fast_check_in_client);
100   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
101 
102   int fd = -1;
103   fd = open_broker.Open(kR_WhiteListed, O_RDONLY);
104   ASSERT_EQ(fd, -ENOENT);
105   fd = open_broker.Open(kR_WhiteListed, O_WRONLY);
106   ASSERT_EQ(fd, -denied_errno);
107   fd = open_broker.Open(kR_WhiteListed, O_RDWR);
108   ASSERT_EQ(fd, -denied_errno);
109   int ret = -1;
110   ret = open_broker.Access(kR_WhiteListed, F_OK);
111   ASSERT_EQ(ret, -ENOENT);
112   ret = open_broker.Access(kR_WhiteListed, R_OK);
113   ASSERT_EQ(ret, -ENOENT);
114   ret = open_broker.Access(kR_WhiteListed, W_OK);
115   ASSERT_EQ(ret, -denied_errno);
116   ret = open_broker.Access(kR_WhiteListed, R_OK | W_OK);
117   ASSERT_EQ(ret, -denied_errno);
118   ret = open_broker.Access(kR_WhiteListed, X_OK);
119   ASSERT_EQ(ret, -denied_errno);
120   ret = open_broker.Access(kR_WhiteListed, R_OK | X_OK);
121   ASSERT_EQ(ret, -denied_errno);
122 
123   // Android sometimes runs tests as root.
124   // This part of the test requires a process that doesn't have
125   // CAP_DAC_OVERRIDE. We check against a root euid as a proxy for that.
126   if (geteuid()) {
127     fd = open_broker.Open(kR_WhiteListedButDenied, O_RDONLY);
128     // The broker process will allow this, but the normal permission system
129     // won't.
130     ASSERT_EQ(fd, -EACCES);
131     fd = open_broker.Open(kR_WhiteListedButDenied, O_WRONLY);
132     ASSERT_EQ(fd, -denied_errno);
133     fd = open_broker.Open(kR_WhiteListedButDenied, O_RDWR);
134     ASSERT_EQ(fd, -denied_errno);
135     ret = open_broker.Access(kR_WhiteListedButDenied, F_OK);
136     // The normal permission system will let us check that the file exists.
137     ASSERT_EQ(ret, 0);
138     ret = open_broker.Access(kR_WhiteListedButDenied, R_OK);
139     ASSERT_EQ(ret, -EACCES);
140     ret = open_broker.Access(kR_WhiteListedButDenied, W_OK);
141     ASSERT_EQ(ret, -denied_errno);
142     ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | W_OK);
143     ASSERT_EQ(ret, -denied_errno);
144     ret = open_broker.Access(kR_WhiteListedButDenied, X_OK);
145     ASSERT_EQ(ret, -denied_errno);
146     ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | X_OK);
147     ASSERT_EQ(ret, -denied_errno);
148   }
149 
150   fd = open_broker.Open(kW_WhiteListed, O_RDONLY);
151   ASSERT_EQ(fd, -denied_errno);
152   fd = open_broker.Open(kW_WhiteListed, O_WRONLY);
153   ASSERT_EQ(fd, -ENOENT);
154   fd = open_broker.Open(kW_WhiteListed, O_RDWR);
155   ASSERT_EQ(fd, -denied_errno);
156   ret = open_broker.Access(kW_WhiteListed, F_OK);
157   ASSERT_EQ(ret, -ENOENT);
158   ret = open_broker.Access(kW_WhiteListed, R_OK);
159   ASSERT_EQ(ret, -denied_errno);
160   ret = open_broker.Access(kW_WhiteListed, W_OK);
161   ASSERT_EQ(ret, -ENOENT);
162   ret = open_broker.Access(kW_WhiteListed, R_OK | W_OK);
163   ASSERT_EQ(ret, -denied_errno);
164   ret = open_broker.Access(kW_WhiteListed, X_OK);
165   ASSERT_EQ(ret, -denied_errno);
166   ret = open_broker.Access(kW_WhiteListed, R_OK | X_OK);
167   ASSERT_EQ(ret, -denied_errno);
168 
169   fd = open_broker.Open(kRW_WhiteListed, O_RDONLY);
170   ASSERT_EQ(fd, -ENOENT);
171   fd = open_broker.Open(kRW_WhiteListed, O_WRONLY);
172   ASSERT_EQ(fd, -ENOENT);
173   fd = open_broker.Open(kRW_WhiteListed, O_RDWR);
174   ASSERT_EQ(fd, -ENOENT);
175   ret = open_broker.Access(kRW_WhiteListed, F_OK);
176   ASSERT_EQ(ret, -ENOENT);
177   ret = open_broker.Access(kRW_WhiteListed, R_OK);
178   ASSERT_EQ(ret, -ENOENT);
179   ret = open_broker.Access(kRW_WhiteListed, W_OK);
180   ASSERT_EQ(ret, -ENOENT);
181   ret = open_broker.Access(kRW_WhiteListed, R_OK | W_OK);
182   ASSERT_EQ(ret, -ENOENT);
183   ret = open_broker.Access(kRW_WhiteListed, X_OK);
184   ASSERT_EQ(ret, -denied_errno);
185   ret = open_broker.Access(kRW_WhiteListed, R_OK | X_OK);
186   ASSERT_EQ(ret, -denied_errno);
187 
188   fd = open_broker.Open(k_NotWhitelisted, O_RDONLY);
189   ASSERT_EQ(fd, -denied_errno);
190   fd = open_broker.Open(k_NotWhitelisted, O_WRONLY);
191   ASSERT_EQ(fd, -denied_errno);
192   fd = open_broker.Open(k_NotWhitelisted, O_RDWR);
193   ASSERT_EQ(fd, -denied_errno);
194   ret = open_broker.Access(k_NotWhitelisted, F_OK);
195   ASSERT_EQ(ret, -denied_errno);
196   ret = open_broker.Access(k_NotWhitelisted, R_OK);
197   ASSERT_EQ(ret, -denied_errno);
198   ret = open_broker.Access(k_NotWhitelisted, W_OK);
199   ASSERT_EQ(ret, -denied_errno);
200   ret = open_broker.Access(k_NotWhitelisted, R_OK | W_OK);
201   ASSERT_EQ(ret, -denied_errno);
202   ret = open_broker.Access(k_NotWhitelisted, X_OK);
203   ASSERT_EQ(ret, -denied_errno);
204   ret = open_broker.Access(k_NotWhitelisted, R_OK | X_OK);
205   ASSERT_EQ(ret, -denied_errno);
206 
207   // We have some extra sanity check for clearly wrong values.
208   fd = open_broker.Open(kRW_WhiteListed, O_RDONLY | O_WRONLY | O_RDWR);
209   ASSERT_EQ(fd, -denied_errno);
210 
211   // It makes no sense to allow O_CREAT in a 2-parameters open. Ensure this
212   // is denied.
213   fd = open_broker.Open(kRW_WhiteListed, O_RDWR | O_CREAT);
214   ASSERT_EQ(fd, -denied_errno);
215 }
216 
217 // Run the same thing twice. The second time, we make sure that no security
218 // check is performed on the client.
TEST(BrokerProcess,OpenFilePermsWithClientCheck)219 TEST(BrokerProcess, OpenFilePermsWithClientCheck) {
220   TestOpenFilePerms(true /* fast_check_in_client */, EPERM);
221   // Don't do anything here, so that ASSERT works in the subfunction as
222   // expected.
223 }
224 
TEST(BrokerProcess,OpenOpenFilePermsNoClientCheck)225 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheck) {
226   TestOpenFilePerms(false /* fast_check_in_client */, EPERM);
227   // Don't do anything here, so that ASSERT works in the subfunction as
228   // expected.
229 }
230 
231 // Run the same twice again, but with ENOENT instead of EPERM.
TEST(BrokerProcess,OpenFilePermsWithClientCheckNoEnt)232 TEST(BrokerProcess, OpenFilePermsWithClientCheckNoEnt) {
233   TestOpenFilePerms(true /* fast_check_in_client */, ENOENT);
234   // Don't do anything here, so that ASSERT works in the subfunction as
235   // expected.
236 }
237 
TEST(BrokerProcess,OpenOpenFilePermsNoClientCheckNoEnt)238 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheckNoEnt) {
239   TestOpenFilePerms(false /* fast_check_in_client */, ENOENT);
240   // Don't do anything here, so that ASSERT works in the subfunction as
241   // expected.
242 }
243 
TestBadPaths(bool fast_check_in_client)244 void TestBadPaths(bool fast_check_in_client) {
245   const char kFileCpuInfo[] = "/proc/cpuinfo";
246   const char kNotAbsPath[] = "proc/cpuinfo";
247   const char kDotDotStart[] = "/../proc/cpuinfo";
248   const char kDotDotMiddle[] = "/proc/self/../cpuinfo";
249   const char kDotDotEnd[] = "/proc/..";
250   const char kTrailingSlash[] = "/proc/";
251 
252   std::vector<BrokerFilePermission> permissions;
253 
254   permissions.push_back(BrokerFilePermission::ReadOnlyRecursive("/proc/"));
255   std::unique_ptr<BrokerProcess> open_broker(
256       new BrokerProcess(EPERM, permissions, fast_check_in_client));
257   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
258   // Open cpuinfo via the broker.
259   int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
260   base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
261   ASSERT_GE(cpuinfo_fd, 0);
262 
263   int fd = -1;
264   int can_access;
265 
266   can_access = open_broker->Access(kNotAbsPath, R_OK);
267   ASSERT_EQ(can_access, -EPERM);
268   fd = open_broker->Open(kNotAbsPath, O_RDONLY);
269   ASSERT_EQ(fd, -EPERM);
270 
271   can_access = open_broker->Access(kDotDotStart, R_OK);
272   ASSERT_EQ(can_access, -EPERM);
273   fd = open_broker->Open(kDotDotStart, O_RDONLY);
274   ASSERT_EQ(fd, -EPERM);
275 
276   can_access = open_broker->Access(kDotDotMiddle, R_OK);
277   ASSERT_EQ(can_access, -EPERM);
278   fd = open_broker->Open(kDotDotMiddle, O_RDONLY);
279   ASSERT_EQ(fd, -EPERM);
280 
281   can_access = open_broker->Access(kDotDotEnd, R_OK);
282   ASSERT_EQ(can_access, -EPERM);
283   fd = open_broker->Open(kDotDotEnd, O_RDONLY);
284   ASSERT_EQ(fd, -EPERM);
285 
286   can_access = open_broker->Access(kTrailingSlash, R_OK);
287   ASSERT_EQ(can_access, -EPERM);
288   fd = open_broker->Open(kTrailingSlash, O_RDONLY);
289   ASSERT_EQ(fd, -EPERM);
290 }
291 
TEST(BrokerProcess,BadPathsClientCheck)292 TEST(BrokerProcess, BadPathsClientCheck) {
293   TestBadPaths(true /* fast_check_in_client */);
294   // Don't do anything here, so that ASSERT works in the subfunction as
295   // expected.
296 }
297 
TEST(BrokerProcess,BadPathsNoClientCheck)298 TEST(BrokerProcess, BadPathsNoClientCheck) {
299   TestBadPaths(false /* fast_check_in_client */);
300   // Don't do anything here, so that ASSERT works in the subfunction as
301   // expected.
302 }
303 
TestOpenCpuinfo(bool fast_check_in_client,bool recursive)304 void TestOpenCpuinfo(bool fast_check_in_client, bool recursive) {
305   const char kFileCpuInfo[] = "/proc/cpuinfo";
306   const char kDirProc[] = "/proc/";
307 
308   std::vector<BrokerFilePermission> permissions;
309   if (recursive)
310     permissions.push_back(BrokerFilePermission::ReadOnlyRecursive(kDirProc));
311   else
312     permissions.push_back(BrokerFilePermission::ReadOnly(kFileCpuInfo));
313 
314   std::unique_ptr<BrokerProcess> open_broker(
315       new BrokerProcess(EPERM, permissions, fast_check_in_client));
316   ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback)));
317 
318   int fd = -1;
319   fd = open_broker->Open(kFileCpuInfo, O_RDWR);
320   base::ScopedFD fd_closer(fd);
321   ASSERT_EQ(fd, -EPERM);
322 
323   // Check we can read /proc/cpuinfo.
324   int can_access = open_broker->Access(kFileCpuInfo, R_OK);
325   ASSERT_EQ(can_access, 0);
326   can_access = open_broker->Access(kFileCpuInfo, W_OK);
327   ASSERT_EQ(can_access, -EPERM);
328   // Check we can not write /proc/cpuinfo.
329 
330   // Open cpuinfo via the broker.
331   int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY);
332   base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd);
333   ASSERT_GE(cpuinfo_fd, 0);
334   char buf[3];
335   memset(buf, 0, sizeof(buf));
336   int read_len1 = read(cpuinfo_fd, buf, sizeof(buf));
337   ASSERT_GT(read_len1, 0);
338 
339   // Open cpuinfo directly.
340   int cpuinfo_fd2 = open(kFileCpuInfo, O_RDONLY);
341   base::ScopedFD cpuinfo_fd2_closer(cpuinfo_fd2);
342   ASSERT_GE(cpuinfo_fd2, 0);
343   char buf2[3];
344   memset(buf2, 1, sizeof(buf2));
345   int read_len2 = read(cpuinfo_fd2, buf2, sizeof(buf2));
346   ASSERT_GT(read_len1, 0);
347 
348   // The following is not guaranteed true, but will be in practice.
349   ASSERT_EQ(read_len1, read_len2);
350   // Compare the cpuinfo as returned by the broker with the one we opened
351   // ourselves.
352   ASSERT_EQ(memcmp(buf, buf2, read_len1), 0);
353 
354   ASSERT_TRUE(TestUtils::CurrentProcessHasChildren());
355   open_broker.reset();
356   ASSERT_FALSE(TestUtils::CurrentProcessHasChildren());
357 }
358 
359 // Run this test 4 times. With and without the check in client
360 // and using a recursive path.
TEST(BrokerProcess,OpenCpuinfoWithClientCheck)361 TEST(BrokerProcess, OpenCpuinfoWithClientCheck) {
362   TestOpenCpuinfo(true /* fast_check_in_client */, false /* not recursive */);
363   // Don't do anything here, so that ASSERT works in the subfunction as
364   // expected.
365 }
366 
TEST(BrokerProcess,OpenCpuinfoNoClientCheck)367 TEST(BrokerProcess, OpenCpuinfoNoClientCheck) {
368   TestOpenCpuinfo(false /* fast_check_in_client */, false /* not recursive */);
369   // Don't do anything here, so that ASSERT works in the subfunction as
370   // expected.
371 }
372 
TEST(BrokerProcess,OpenCpuinfoWithClientCheckRecursive)373 TEST(BrokerProcess, OpenCpuinfoWithClientCheckRecursive) {
374   TestOpenCpuinfo(true /* fast_check_in_client */, true /* recursive */);
375   // Don't do anything here, so that ASSERT works in the subfunction as
376   // expected.
377 }
378 
TEST(BrokerProcess,OpenCpuinfoNoClientCheckRecursive)379 TEST(BrokerProcess, OpenCpuinfoNoClientCheckRecursive) {
380   TestOpenCpuinfo(false /* fast_check_in_client */, true /* recursive */);
381   // Don't do anything here, so that ASSERT works in the subfunction as
382   // expected.
383 }
384 
TEST(BrokerProcess,OpenFileRW)385 TEST(BrokerProcess, OpenFileRW) {
386   ScopedTemporaryFile tempfile;
387   const char* tempfile_name = tempfile.full_file_name();
388 
389   std::vector<BrokerFilePermission> permissions;
390   permissions.push_back(BrokerFilePermission::ReadWrite(tempfile_name));
391 
392   BrokerProcess open_broker(EPERM, permissions);
393   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
394 
395   // Check we can access that file with read or write.
396   int can_access = open_broker.Access(tempfile_name, R_OK | W_OK);
397   ASSERT_EQ(can_access, 0);
398 
399   int tempfile2 = -1;
400   tempfile2 = open_broker.Open(tempfile_name, O_RDWR);
401   ASSERT_GE(tempfile2, 0);
402 
403   // Write to the descriptor opened by the broker.
404   char test_text[] = "TESTTESTTEST";
405   ssize_t len = write(tempfile2, test_text, sizeof(test_text));
406   ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
407 
408   // Read back from the original file descriptor what we wrote through
409   // the descriptor provided by the broker.
410   char buf[1024];
411   len = read(tempfile.fd(), buf, sizeof(buf));
412 
413   ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text)));
414   ASSERT_EQ(memcmp(test_text, buf, sizeof(test_text)), 0);
415 
416   ASSERT_EQ(close(tempfile2), 0);
417 }
418 
419 // SANDBOX_TEST because the process could die with a SIGPIPE
420 // and we want this to happen in a subprocess.
SANDBOX_TEST(BrokerProcess,BrokerDied)421 SANDBOX_TEST(BrokerProcess, BrokerDied) {
422   const char kCpuInfo[] = "/proc/cpuinfo";
423   std::vector<BrokerFilePermission> permissions;
424   permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
425 
426   BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
427                             true /* quiet_failures_for_tests */);
428   SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
429   const pid_t broker_pid = open_broker.broker_pid();
430   SANDBOX_ASSERT(kill(broker_pid, SIGKILL) == 0);
431 
432   // Now we check that the broker has been signaled, but do not reap it.
433   siginfo_t process_info;
434   SANDBOX_ASSERT(HANDLE_EINTR(waitid(
435                      P_PID, broker_pid, &process_info, WEXITED | WNOWAIT)) ==
436                  0);
437   SANDBOX_ASSERT(broker_pid == process_info.si_pid);
438   SANDBOX_ASSERT(CLD_KILLED == process_info.si_code);
439   SANDBOX_ASSERT(SIGKILL == process_info.si_status);
440 
441   // Check that doing Open with a dead broker won't SIGPIPE us.
442   SANDBOX_ASSERT(open_broker.Open(kCpuInfo, O_RDONLY) == -ENOMEM);
443   SANDBOX_ASSERT(open_broker.Access(kCpuInfo, O_RDONLY) == -ENOMEM);
444 }
445 
TestOpenComplexFlags(bool fast_check_in_client)446 void TestOpenComplexFlags(bool fast_check_in_client) {
447   const char kCpuInfo[] = "/proc/cpuinfo";
448   std::vector<BrokerFilePermission> permissions;
449   permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
450 
451   BrokerProcess open_broker(EPERM, permissions, fast_check_in_client);
452   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
453   // Test that we do the right thing for O_CLOEXEC and O_NONBLOCK.
454   int fd = -1;
455   int ret = 0;
456   fd = open_broker.Open(kCpuInfo, O_RDONLY);
457   ASSERT_GE(fd, 0);
458   ret = fcntl(fd, F_GETFL);
459   ASSERT_NE(-1, ret);
460   // The descriptor shouldn't have the O_CLOEXEC attribute, nor O_NONBLOCK.
461   ASSERT_EQ(0, ret & (O_CLOEXEC | O_NONBLOCK));
462   ASSERT_EQ(0, close(fd));
463 
464   fd = open_broker.Open(kCpuInfo, O_RDONLY | O_CLOEXEC);
465   ASSERT_GE(fd, 0);
466   ret = fcntl(fd, F_GETFD);
467   ASSERT_NE(-1, ret);
468   // Important: use F_GETFD, not F_GETFL. The O_CLOEXEC flag in F_GETFL
469   // is actually not used by the kernel.
470   ASSERT_TRUE(FD_CLOEXEC & ret);
471   ASSERT_EQ(0, close(fd));
472 
473   fd = open_broker.Open(kCpuInfo, O_RDONLY | O_NONBLOCK);
474   ASSERT_GE(fd, 0);
475   ret = fcntl(fd, F_GETFL);
476   ASSERT_NE(-1, ret);
477   ASSERT_TRUE(O_NONBLOCK & ret);
478   ASSERT_EQ(0, close(fd));
479 }
480 
TEST(BrokerProcess,OpenComplexFlagsWithClientCheck)481 TEST(BrokerProcess, OpenComplexFlagsWithClientCheck) {
482   TestOpenComplexFlags(true /* fast_check_in_client */);
483   // Don't do anything here, so that ASSERT works in the subfunction as
484   // expected.
485 }
486 
TEST(BrokerProcess,OpenComplexFlagsNoClientCheck)487 TEST(BrokerProcess, OpenComplexFlagsNoClientCheck) {
488   TestOpenComplexFlags(false /* fast_check_in_client */);
489   // Don't do anything here, so that ASSERT works in the subfunction as
490   // expected.
491 }
492 
493 #if defined(OS_LINUX)
494 // Flaky on Linux NG bots: https://crbug.com/595199.
495 #define MAYBE_RecvMsgDescriptorLeak DISABLED_RecvMsgDescriptorLeak
496 #else
497 #define MAYBE_RecvMsgDescriptorLeak RecvMsgDescriptorLeak
498 #endif
499 
500 // We need to allow noise because the broker will log when it receives our
501 // bogus IPCs.
SANDBOX_TEST_ALLOW_NOISE(BrokerProcess,MAYBE_RecvMsgDescriptorLeak)502 SANDBOX_TEST_ALLOW_NOISE(BrokerProcess, MAYBE_RecvMsgDescriptorLeak) {
503   // Android creates a socket on first use of the LOG call.
504   // We need to ensure this socket is open before we
505   // begin the test.
506   LOG(INFO) << "Ensure Android LOG socket is allocated";
507 
508   // Find the four lowest available file descriptors.
509   int available_fds[4];
510   SANDBOX_ASSERT(0 == pipe(available_fds));
511   SANDBOX_ASSERT(0 == pipe(available_fds + 2));
512 
513   // Save one FD to send to the broker later, and close the others.
514   base::ScopedFD message_fd(available_fds[0]);
515   for (size_t i = 1; i < arraysize(available_fds); i++) {
516     SANDBOX_ASSERT(0 == IGNORE_EINTR(close(available_fds[i])));
517   }
518 
519   // Lower our file descriptor limit to just allow three more file descriptors
520   // to be allocated.  (N.B., RLIMIT_NOFILE doesn't limit the number of file
521   // descriptors a process can have: it only limits the highest value that can
522   // be assigned to newly-created descriptors allocated by the process.)
523   const rlim_t fd_limit =
524       1 +
525       *std::max_element(available_fds,
526                         available_fds + arraysize(available_fds));
527 
528   // Valgrind doesn't allow changing the hard descriptor limit, so we only
529   // change the soft descriptor limit here.
530   struct rlimit rlim;
531   SANDBOX_ASSERT(0 == getrlimit(RLIMIT_NOFILE, &rlim));
532   SANDBOX_ASSERT(fd_limit <= rlim.rlim_cur);
533   rlim.rlim_cur = fd_limit;
534   SANDBOX_ASSERT(0 == setrlimit(RLIMIT_NOFILE, &rlim));
535 
536   static const char kCpuInfo[] = "/proc/cpuinfo";
537   std::vector<BrokerFilePermission> permissions;
538   permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo));
539 
540   BrokerProcess open_broker(EPERM, permissions);
541   SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback)));
542 
543   const int ipc_fd = BrokerProcessTestHelper::GetIPCDescriptor(&open_broker);
544   SANDBOX_ASSERT(ipc_fd >= 0);
545 
546   static const char kBogus[] = "not a pickle";
547   std::vector<int> fds;
548   fds.push_back(message_fd.get());
549 
550   // The broker process should only have a couple spare file descriptors
551   // available, but for good measure we send it fd_limit bogus IPCs anyway.
552   for (rlim_t i = 0; i < fd_limit; ++i) {
553     SANDBOX_ASSERT(
554         base::UnixDomainSocket::SendMsg(ipc_fd, kBogus, sizeof(kBogus), fds));
555   }
556 
557   const int fd = open_broker.Open(kCpuInfo, O_RDONLY);
558   SANDBOX_ASSERT(fd >= 0);
559   SANDBOX_ASSERT(0 == IGNORE_EINTR(close(fd)));
560 }
561 
CloseFD(int fd)562 bool CloseFD(int fd) {
563   PCHECK(0 == IGNORE_EINTR(close(fd)));
564   return true;
565 }
566 
567 // Return true if the other end of the |reader| pipe was closed,
568 // false if |timeout_in_seconds| was reached or another event
569 // or error occured.
WaitForClosedPipeWriter(int reader,int timeout_in_ms)570 bool WaitForClosedPipeWriter(int reader, int timeout_in_ms) {
571   struct pollfd poll_fd = {reader, POLLIN | POLLRDHUP, 0};
572   const int num_events = HANDLE_EINTR(poll(&poll_fd, 1, timeout_in_ms));
573   if (1 == num_events && poll_fd.revents | POLLHUP)
574     return true;
575   return false;
576 }
577 
578 // Closing the broker client's IPC channel should terminate the broker
579 // process.
TEST(BrokerProcess,BrokerDiesOnClosedChannel)580 TEST(BrokerProcess, BrokerDiesOnClosedChannel) {
581   std::vector<BrokerFilePermission> permissions;
582   permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo"));
583 
584   // Get the writing end of a pipe into the broker (child) process so
585   // that we can reliably detect when it dies.
586   int lifeline_fds[2];
587   PCHECK(0 == pipe(lifeline_fds));
588 
589   BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */,
590                             false /* quiet_failures_for_tests */);
591   ASSERT_TRUE(open_broker.Init(base::Bind(&CloseFD, lifeline_fds[0])));
592   // Make sure the writing end only exists in the broker process.
593   CloseFD(lifeline_fds[1]);
594   base::ScopedFD reader(lifeline_fds[0]);
595 
596   const pid_t broker_pid = open_broker.broker_pid();
597 
598   // This should cause the broker process to exit.
599   BrokerProcessTestHelper::CloseChannel(&open_broker);
600 
601   const int kTimeoutInMilliseconds = 5000;
602   const bool broker_lifeline_closed =
603       WaitForClosedPipeWriter(reader.get(), kTimeoutInMilliseconds);
604   // If the broker exited, its lifeline fd should be closed.
605   ASSERT_TRUE(broker_lifeline_closed);
606   // Now check that the broker has exited, but do not reap it.
607   siginfo_t process_info;
608   ASSERT_EQ(0, HANDLE_EINTR(waitid(P_PID, broker_pid, &process_info,
609                                    WEXITED | WNOWAIT)));
610   EXPECT_EQ(broker_pid, process_info.si_pid);
611   EXPECT_EQ(CLD_EXITED, process_info.si_code);
612   EXPECT_EQ(1, process_info.si_status);
613 }
614 
TEST(BrokerProcess,CreateFile)615 TEST(BrokerProcess, CreateFile) {
616   std::string temp_str;
617   {
618     ScopedTemporaryFile tmp_file;
619     temp_str = tmp_file.full_file_name();
620   }
621   const char* tempfile_name = temp_str.c_str();
622 
623   std::vector<BrokerFilePermission> permissions;
624   permissions.push_back(BrokerFilePermission::ReadWriteCreate(tempfile_name));
625 
626   BrokerProcess open_broker(EPERM, permissions);
627   ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback)));
628 
629   int fd = -1;
630 
631   // Try without O_EXCL
632   fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT);
633   ASSERT_EQ(fd, -EPERM);
634 
635   const char kTestText[] = "TESTTESTTEST";
636   // Create a file
637   fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
638   ASSERT_GE(fd, 0);
639   {
640     base::ScopedFD scoped_fd(fd);
641 
642     // Confirm fail if file exists
643     int bad_fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL);
644     ASSERT_EQ(bad_fd, -EEXIST);
645 
646     // Write to the descriptor opened by the broker.
647 
648     ssize_t len = HANDLE_EINTR(write(fd, kTestText, sizeof(kTestText)));
649     ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText)));
650   }
651 
652   int fd_check = open(tempfile_name, O_RDONLY);
653   ASSERT_GE(fd_check, 0);
654   {
655     base::ScopedFD scoped_fd(fd_check);
656     char buf[1024];
657     ssize_t len = HANDLE_EINTR(read(fd_check, buf, sizeof(buf)));
658 
659     ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText)));
660     ASSERT_EQ(memcmp(kTestText, buf, sizeof(kTestText)), 0);
661   }
662 }
663 
664 }  // namespace syscall_broker
665 
666 }  // namespace sandbox
667