1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "sandbox/linux/syscall_broker/broker_process.h" 6 7 #include <errno.h> 8 #include <fcntl.h> 9 #include <poll.h> 10 #include <stddef.h> 11 #include <sys/resource.h> 12 #include <sys/stat.h> 13 #include <sys/types.h> 14 #include <sys/wait.h> 15 #include <unistd.h> 16 17 #include <algorithm> 18 #include <string> 19 #include <vector> 20 21 #include "base/bind.h" 22 #include "base/files/file_util.h" 23 #include "base/files/scoped_file.h" 24 #include "base/logging.h" 25 #include "base/macros.h" 26 #include "base/memory/scoped_ptr.h" 27 #include "base/posix/eintr_wrapper.h" 28 #include "base/posix/unix_domain_socket_linux.h" 29 #include "sandbox/linux/syscall_broker/broker_client.h" 30 #include "sandbox/linux/tests/scoped_temporary_file.h" 31 #include "sandbox/linux/tests/test_utils.h" 32 #include "sandbox/linux/tests/unit_tests.h" 33 #include "testing/gtest/include/gtest/gtest.h" 34 35 namespace sandbox { 36 37 namespace syscall_broker { 38 39 class BrokerProcessTestHelper { 40 public: 41 static void CloseChannel(BrokerProcess* broker) { broker->CloseChannel(); } 42 // Get the client's IPC descriptor to send IPC requests directly. 43 // TODO(jln): refator tests to get rid of this. 44 static int GetIPCDescriptor(const BrokerProcess* broker) { 45 return broker->broker_client_->GetIPCDescriptor(); 46 } 47 }; 48 49 namespace { 50 51 bool NoOpCallback() { 52 return true; 53 } 54 55 } // namespace 56 57 TEST(BrokerProcess, CreateAndDestroy) { 58 std::vector<BrokerFilePermission> permissions; 59 permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo")); 60 61 scoped_ptr<BrokerProcess> open_broker(new BrokerProcess(EPERM, permissions)); 62 ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback))); 63 64 ASSERT_TRUE(TestUtils::CurrentProcessHasChildren()); 65 // Destroy the broker and check it has exited properly. 66 open_broker.reset(); 67 ASSERT_FALSE(TestUtils::CurrentProcessHasChildren()); 68 } 69 70 TEST(BrokerProcess, TestOpenAccessNull) { 71 std::vector<BrokerFilePermission> empty; 72 BrokerProcess open_broker(EPERM, empty); 73 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback))); 74 75 int fd = open_broker.Open(NULL, O_RDONLY); 76 ASSERT_EQ(fd, -EFAULT); 77 78 int ret = open_broker.Access(NULL, F_OK); 79 ASSERT_EQ(ret, -EFAULT); 80 } 81 82 void TestOpenFilePerms(bool fast_check_in_client, int denied_errno) { 83 const char kR_WhiteListed[] = "/proc/DOESNOTEXIST1"; 84 // We can't debug the init process, and shouldn't be able to access 85 // its auxv file. 86 const char kR_WhiteListedButDenied[] = "/proc/1/auxv"; 87 const char kW_WhiteListed[] = "/proc/DOESNOTEXIST2"; 88 const char kRW_WhiteListed[] = "/proc/DOESNOTEXIST3"; 89 const char k_NotWhitelisted[] = "/proc/DOESNOTEXIST4"; 90 91 std::vector<BrokerFilePermission> permissions; 92 permissions.push_back(BrokerFilePermission::ReadOnly(kR_WhiteListed)); 93 permissions.push_back( 94 BrokerFilePermission::ReadOnly(kR_WhiteListedButDenied)); 95 permissions.push_back(BrokerFilePermission::WriteOnly(kW_WhiteListed)); 96 permissions.push_back(BrokerFilePermission::ReadWrite(kRW_WhiteListed)); 97 98 BrokerProcess open_broker(denied_errno, permissions, fast_check_in_client); 99 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback))); 100 101 int fd = -1; 102 fd = open_broker.Open(kR_WhiteListed, O_RDONLY); 103 ASSERT_EQ(fd, -ENOENT); 104 fd = open_broker.Open(kR_WhiteListed, O_WRONLY); 105 ASSERT_EQ(fd, -denied_errno); 106 fd = open_broker.Open(kR_WhiteListed, O_RDWR); 107 ASSERT_EQ(fd, -denied_errno); 108 int ret = -1; 109 ret = open_broker.Access(kR_WhiteListed, F_OK); 110 ASSERT_EQ(ret, -ENOENT); 111 ret = open_broker.Access(kR_WhiteListed, R_OK); 112 ASSERT_EQ(ret, -ENOENT); 113 ret = open_broker.Access(kR_WhiteListed, W_OK); 114 ASSERT_EQ(ret, -denied_errno); 115 ret = open_broker.Access(kR_WhiteListed, R_OK | W_OK); 116 ASSERT_EQ(ret, -denied_errno); 117 ret = open_broker.Access(kR_WhiteListed, X_OK); 118 ASSERT_EQ(ret, -denied_errno); 119 ret = open_broker.Access(kR_WhiteListed, R_OK | X_OK); 120 ASSERT_EQ(ret, -denied_errno); 121 122 // Android sometimes runs tests as root. 123 // This part of the test requires a process that doesn't have 124 // CAP_DAC_OVERRIDE. We check against a root euid as a proxy for that. 125 if (geteuid()) { 126 fd = open_broker.Open(kR_WhiteListedButDenied, O_RDONLY); 127 // The broker process will allow this, but the normal permission system 128 // won't. 129 ASSERT_EQ(fd, -EACCES); 130 fd = open_broker.Open(kR_WhiteListedButDenied, O_WRONLY); 131 ASSERT_EQ(fd, -denied_errno); 132 fd = open_broker.Open(kR_WhiteListedButDenied, O_RDWR); 133 ASSERT_EQ(fd, -denied_errno); 134 ret = open_broker.Access(kR_WhiteListedButDenied, F_OK); 135 // The normal permission system will let us check that the file exists. 136 ASSERT_EQ(ret, 0); 137 ret = open_broker.Access(kR_WhiteListedButDenied, R_OK); 138 ASSERT_EQ(ret, -EACCES); 139 ret = open_broker.Access(kR_WhiteListedButDenied, W_OK); 140 ASSERT_EQ(ret, -denied_errno); 141 ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | W_OK); 142 ASSERT_EQ(ret, -denied_errno); 143 ret = open_broker.Access(kR_WhiteListedButDenied, X_OK); 144 ASSERT_EQ(ret, -denied_errno); 145 ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | X_OK); 146 ASSERT_EQ(ret, -denied_errno); 147 } 148 149 fd = open_broker.Open(kW_WhiteListed, O_RDONLY); 150 ASSERT_EQ(fd, -denied_errno); 151 fd = open_broker.Open(kW_WhiteListed, O_WRONLY); 152 ASSERT_EQ(fd, -ENOENT); 153 fd = open_broker.Open(kW_WhiteListed, O_RDWR); 154 ASSERT_EQ(fd, -denied_errno); 155 ret = open_broker.Access(kW_WhiteListed, F_OK); 156 ASSERT_EQ(ret, -ENOENT); 157 ret = open_broker.Access(kW_WhiteListed, R_OK); 158 ASSERT_EQ(ret, -denied_errno); 159 ret = open_broker.Access(kW_WhiteListed, W_OK); 160 ASSERT_EQ(ret, -ENOENT); 161 ret = open_broker.Access(kW_WhiteListed, R_OK | W_OK); 162 ASSERT_EQ(ret, -denied_errno); 163 ret = open_broker.Access(kW_WhiteListed, X_OK); 164 ASSERT_EQ(ret, -denied_errno); 165 ret = open_broker.Access(kW_WhiteListed, R_OK | X_OK); 166 ASSERT_EQ(ret, -denied_errno); 167 168 fd = open_broker.Open(kRW_WhiteListed, O_RDONLY); 169 ASSERT_EQ(fd, -ENOENT); 170 fd = open_broker.Open(kRW_WhiteListed, O_WRONLY); 171 ASSERT_EQ(fd, -ENOENT); 172 fd = open_broker.Open(kRW_WhiteListed, O_RDWR); 173 ASSERT_EQ(fd, -ENOENT); 174 ret = open_broker.Access(kRW_WhiteListed, F_OK); 175 ASSERT_EQ(ret, -ENOENT); 176 ret = open_broker.Access(kRW_WhiteListed, R_OK); 177 ASSERT_EQ(ret, -ENOENT); 178 ret = open_broker.Access(kRW_WhiteListed, W_OK); 179 ASSERT_EQ(ret, -ENOENT); 180 ret = open_broker.Access(kRW_WhiteListed, R_OK | W_OK); 181 ASSERT_EQ(ret, -ENOENT); 182 ret = open_broker.Access(kRW_WhiteListed, X_OK); 183 ASSERT_EQ(ret, -denied_errno); 184 ret = open_broker.Access(kRW_WhiteListed, R_OK | X_OK); 185 ASSERT_EQ(ret, -denied_errno); 186 187 fd = open_broker.Open(k_NotWhitelisted, O_RDONLY); 188 ASSERT_EQ(fd, -denied_errno); 189 fd = open_broker.Open(k_NotWhitelisted, O_WRONLY); 190 ASSERT_EQ(fd, -denied_errno); 191 fd = open_broker.Open(k_NotWhitelisted, O_RDWR); 192 ASSERT_EQ(fd, -denied_errno); 193 ret = open_broker.Access(k_NotWhitelisted, F_OK); 194 ASSERT_EQ(ret, -denied_errno); 195 ret = open_broker.Access(k_NotWhitelisted, R_OK); 196 ASSERT_EQ(ret, -denied_errno); 197 ret = open_broker.Access(k_NotWhitelisted, W_OK); 198 ASSERT_EQ(ret, -denied_errno); 199 ret = open_broker.Access(k_NotWhitelisted, R_OK | W_OK); 200 ASSERT_EQ(ret, -denied_errno); 201 ret = open_broker.Access(k_NotWhitelisted, X_OK); 202 ASSERT_EQ(ret, -denied_errno); 203 ret = open_broker.Access(k_NotWhitelisted, R_OK | X_OK); 204 ASSERT_EQ(ret, -denied_errno); 205 206 // We have some extra sanity check for clearly wrong values. 207 fd = open_broker.Open(kRW_WhiteListed, O_RDONLY | O_WRONLY | O_RDWR); 208 ASSERT_EQ(fd, -denied_errno); 209 210 // It makes no sense to allow O_CREAT in a 2-parameters open. Ensure this 211 // is denied. 212 fd = open_broker.Open(kRW_WhiteListed, O_RDWR | O_CREAT); 213 ASSERT_EQ(fd, -denied_errno); 214 } 215 216 // Run the same thing twice. The second time, we make sure that no security 217 // check is performed on the client. 218 TEST(BrokerProcess, OpenFilePermsWithClientCheck) { 219 TestOpenFilePerms(true /* fast_check_in_client */, EPERM); 220 // Don't do anything here, so that ASSERT works in the subfunction as 221 // expected. 222 } 223 224 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheck) { 225 TestOpenFilePerms(false /* fast_check_in_client */, EPERM); 226 // Don't do anything here, so that ASSERT works in the subfunction as 227 // expected. 228 } 229 230 // Run the same twice again, but with ENOENT instead of EPERM. 231 TEST(BrokerProcess, OpenFilePermsWithClientCheckNoEnt) { 232 TestOpenFilePerms(true /* fast_check_in_client */, ENOENT); 233 // Don't do anything here, so that ASSERT works in the subfunction as 234 // expected. 235 } 236 237 TEST(BrokerProcess, OpenOpenFilePermsNoClientCheckNoEnt) { 238 TestOpenFilePerms(false /* fast_check_in_client */, ENOENT); 239 // Don't do anything here, so that ASSERT works in the subfunction as 240 // expected. 241 } 242 243 void TestBadPaths(bool fast_check_in_client) { 244 const char kFileCpuInfo[] = "/proc/cpuinfo"; 245 const char kNotAbsPath[] = "proc/cpuinfo"; 246 const char kDotDotStart[] = "/../proc/cpuinfo"; 247 const char kDotDotMiddle[] = "/proc/self/../cpuinfo"; 248 const char kDotDotEnd[] = "/proc/.."; 249 const char kTrailingSlash[] = "/proc/"; 250 251 std::vector<BrokerFilePermission> permissions; 252 253 permissions.push_back(BrokerFilePermission::ReadOnlyRecursive("/proc/")); 254 scoped_ptr<BrokerProcess> open_broker( 255 new BrokerProcess(EPERM, permissions, fast_check_in_client)); 256 ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback))); 257 // Open cpuinfo via the broker. 258 int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY); 259 base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd); 260 ASSERT_GE(cpuinfo_fd, 0); 261 262 int fd = -1; 263 int can_access; 264 265 can_access = open_broker->Access(kNotAbsPath, R_OK); 266 ASSERT_EQ(can_access, -EPERM); 267 fd = open_broker->Open(kNotAbsPath, O_RDONLY); 268 ASSERT_EQ(fd, -EPERM); 269 270 can_access = open_broker->Access(kDotDotStart, R_OK); 271 ASSERT_EQ(can_access, -EPERM); 272 fd = open_broker->Open(kDotDotStart, O_RDONLY); 273 ASSERT_EQ(fd, -EPERM); 274 275 can_access = open_broker->Access(kDotDotMiddle, R_OK); 276 ASSERT_EQ(can_access, -EPERM); 277 fd = open_broker->Open(kDotDotMiddle, O_RDONLY); 278 ASSERT_EQ(fd, -EPERM); 279 280 can_access = open_broker->Access(kDotDotEnd, R_OK); 281 ASSERT_EQ(can_access, -EPERM); 282 fd = open_broker->Open(kDotDotEnd, O_RDONLY); 283 ASSERT_EQ(fd, -EPERM); 284 285 can_access = open_broker->Access(kTrailingSlash, R_OK); 286 ASSERT_EQ(can_access, -EPERM); 287 fd = open_broker->Open(kTrailingSlash, O_RDONLY); 288 ASSERT_EQ(fd, -EPERM); 289 } 290 291 TEST(BrokerProcess, BadPathsClientCheck) { 292 TestBadPaths(true /* fast_check_in_client */); 293 // Don't do anything here, so that ASSERT works in the subfunction as 294 // expected. 295 } 296 297 TEST(BrokerProcess, BadPathsNoClientCheck) { 298 TestBadPaths(false /* fast_check_in_client */); 299 // Don't do anything here, so that ASSERT works in the subfunction as 300 // expected. 301 } 302 303 void TestOpenCpuinfo(bool fast_check_in_client, bool recursive) { 304 const char kFileCpuInfo[] = "/proc/cpuinfo"; 305 const char kDirProc[] = "/proc/"; 306 307 std::vector<BrokerFilePermission> permissions; 308 if (recursive) 309 permissions.push_back(BrokerFilePermission::ReadOnlyRecursive(kDirProc)); 310 else 311 permissions.push_back(BrokerFilePermission::ReadOnly(kFileCpuInfo)); 312 313 scoped_ptr<BrokerProcess> open_broker( 314 new BrokerProcess(EPERM, permissions, fast_check_in_client)); 315 ASSERT_TRUE(open_broker->Init(base::Bind(&NoOpCallback))); 316 317 int fd = -1; 318 fd = open_broker->Open(kFileCpuInfo, O_RDWR); 319 base::ScopedFD fd_closer(fd); 320 ASSERT_EQ(fd, -EPERM); 321 322 // Check we can read /proc/cpuinfo. 323 int can_access = open_broker->Access(kFileCpuInfo, R_OK); 324 ASSERT_EQ(can_access, 0); 325 can_access = open_broker->Access(kFileCpuInfo, W_OK); 326 ASSERT_EQ(can_access, -EPERM); 327 // Check we can not write /proc/cpuinfo. 328 329 // Open cpuinfo via the broker. 330 int cpuinfo_fd = open_broker->Open(kFileCpuInfo, O_RDONLY); 331 base::ScopedFD cpuinfo_fd_closer(cpuinfo_fd); 332 ASSERT_GE(cpuinfo_fd, 0); 333 char buf[3]; 334 memset(buf, 0, sizeof(buf)); 335 int read_len1 = read(cpuinfo_fd, buf, sizeof(buf)); 336 ASSERT_GT(read_len1, 0); 337 338 // Open cpuinfo directly. 339 int cpuinfo_fd2 = open(kFileCpuInfo, O_RDONLY); 340 base::ScopedFD cpuinfo_fd2_closer(cpuinfo_fd2); 341 ASSERT_GE(cpuinfo_fd2, 0); 342 char buf2[3]; 343 memset(buf2, 1, sizeof(buf2)); 344 int read_len2 = read(cpuinfo_fd2, buf2, sizeof(buf2)); 345 ASSERT_GT(read_len1, 0); 346 347 // The following is not guaranteed true, but will be in practice. 348 ASSERT_EQ(read_len1, read_len2); 349 // Compare the cpuinfo as returned by the broker with the one we opened 350 // ourselves. 351 ASSERT_EQ(memcmp(buf, buf2, read_len1), 0); 352 353 ASSERT_TRUE(TestUtils::CurrentProcessHasChildren()); 354 open_broker.reset(); 355 ASSERT_FALSE(TestUtils::CurrentProcessHasChildren()); 356 } 357 358 // Run this test 4 times. With and without the check in client 359 // and using a recursive path. 360 TEST(BrokerProcess, OpenCpuinfoWithClientCheck) { 361 TestOpenCpuinfo(true /* fast_check_in_client */, false /* not recursive */); 362 // Don't do anything here, so that ASSERT works in the subfunction as 363 // expected. 364 } 365 366 TEST(BrokerProcess, OpenCpuinfoNoClientCheck) { 367 TestOpenCpuinfo(false /* fast_check_in_client */, false /* not recursive */); 368 // Don't do anything here, so that ASSERT works in the subfunction as 369 // expected. 370 } 371 372 TEST(BrokerProcess, OpenCpuinfoWithClientCheckRecursive) { 373 TestOpenCpuinfo(true /* fast_check_in_client */, true /* recursive */); 374 // Don't do anything here, so that ASSERT works in the subfunction as 375 // expected. 376 } 377 378 TEST(BrokerProcess, OpenCpuinfoNoClientCheckRecursive) { 379 TestOpenCpuinfo(false /* fast_check_in_client */, true /* recursive */); 380 // Don't do anything here, so that ASSERT works in the subfunction as 381 // expected. 382 } 383 384 TEST(BrokerProcess, OpenFileRW) { 385 ScopedTemporaryFile tempfile; 386 const char* tempfile_name = tempfile.full_file_name(); 387 388 std::vector<BrokerFilePermission> permissions; 389 permissions.push_back(BrokerFilePermission::ReadWrite(tempfile_name)); 390 391 BrokerProcess open_broker(EPERM, permissions); 392 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback))); 393 394 // Check we can access that file with read or write. 395 int can_access = open_broker.Access(tempfile_name, R_OK | W_OK); 396 ASSERT_EQ(can_access, 0); 397 398 int tempfile2 = -1; 399 tempfile2 = open_broker.Open(tempfile_name, O_RDWR); 400 ASSERT_GE(tempfile2, 0); 401 402 // Write to the descriptor opened by the broker. 403 char test_text[] = "TESTTESTTEST"; 404 ssize_t len = write(tempfile2, test_text, sizeof(test_text)); 405 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text))); 406 407 // Read back from the original file descriptor what we wrote through 408 // the descriptor provided by the broker. 409 char buf[1024]; 410 len = read(tempfile.fd(), buf, sizeof(buf)); 411 412 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(test_text))); 413 ASSERT_EQ(memcmp(test_text, buf, sizeof(test_text)), 0); 414 415 ASSERT_EQ(close(tempfile2), 0); 416 } 417 418 // SANDBOX_TEST because the process could die with a SIGPIPE 419 // and we want this to happen in a subprocess. 420 SANDBOX_TEST(BrokerProcess, BrokerDied) { 421 const char kCpuInfo[] = "/proc/cpuinfo"; 422 std::vector<BrokerFilePermission> permissions; 423 permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo)); 424 425 BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */, 426 true /* quiet_failures_for_tests */); 427 SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback))); 428 const pid_t broker_pid = open_broker.broker_pid(); 429 SANDBOX_ASSERT(kill(broker_pid, SIGKILL) == 0); 430 431 // Now we check that the broker has been signaled, but do not reap it. 432 siginfo_t process_info; 433 SANDBOX_ASSERT(HANDLE_EINTR(waitid( 434 P_PID, broker_pid, &process_info, WEXITED | WNOWAIT)) == 435 0); 436 SANDBOX_ASSERT(broker_pid == process_info.si_pid); 437 SANDBOX_ASSERT(CLD_KILLED == process_info.si_code); 438 SANDBOX_ASSERT(SIGKILL == process_info.si_status); 439 440 // Check that doing Open with a dead broker won't SIGPIPE us. 441 SANDBOX_ASSERT(open_broker.Open(kCpuInfo, O_RDONLY) == -ENOMEM); 442 SANDBOX_ASSERT(open_broker.Access(kCpuInfo, O_RDONLY) == -ENOMEM); 443 } 444 445 void TestOpenComplexFlags(bool fast_check_in_client) { 446 const char kCpuInfo[] = "/proc/cpuinfo"; 447 std::vector<BrokerFilePermission> permissions; 448 permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo)); 449 450 BrokerProcess open_broker(EPERM, permissions, fast_check_in_client); 451 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback))); 452 // Test that we do the right thing for O_CLOEXEC and O_NONBLOCK. 453 int fd = -1; 454 int ret = 0; 455 fd = open_broker.Open(kCpuInfo, O_RDONLY); 456 ASSERT_GE(fd, 0); 457 ret = fcntl(fd, F_GETFL); 458 ASSERT_NE(-1, ret); 459 // The descriptor shouldn't have the O_CLOEXEC attribute, nor O_NONBLOCK. 460 ASSERT_EQ(0, ret & (O_CLOEXEC | O_NONBLOCK)); 461 ASSERT_EQ(0, close(fd)); 462 463 fd = open_broker.Open(kCpuInfo, O_RDONLY | O_CLOEXEC); 464 ASSERT_GE(fd, 0); 465 ret = fcntl(fd, F_GETFD); 466 ASSERT_NE(-1, ret); 467 // Important: use F_GETFD, not F_GETFL. The O_CLOEXEC flag in F_GETFL 468 // is actually not used by the kernel. 469 ASSERT_TRUE(FD_CLOEXEC & ret); 470 ASSERT_EQ(0, close(fd)); 471 472 fd = open_broker.Open(kCpuInfo, O_RDONLY | O_NONBLOCK); 473 ASSERT_GE(fd, 0); 474 ret = fcntl(fd, F_GETFL); 475 ASSERT_NE(-1, ret); 476 ASSERT_TRUE(O_NONBLOCK & ret); 477 ASSERT_EQ(0, close(fd)); 478 } 479 480 TEST(BrokerProcess, OpenComplexFlagsWithClientCheck) { 481 TestOpenComplexFlags(true /* fast_check_in_client */); 482 // Don't do anything here, so that ASSERT works in the subfunction as 483 // expected. 484 } 485 486 TEST(BrokerProcess, OpenComplexFlagsNoClientCheck) { 487 TestOpenComplexFlags(false /* fast_check_in_client */); 488 // Don't do anything here, so that ASSERT works in the subfunction as 489 // expected. 490 } 491 492 // We need to allow noise because the broker will log when it receives our 493 // bogus IPCs. 494 SANDBOX_TEST_ALLOW_NOISE(BrokerProcess, RecvMsgDescriptorLeak) { 495 // Android creates a socket on first use of the LOG call. 496 // We need to ensure this socket is open before we 497 // begin the test. 498 LOG(INFO) << "Ensure Android LOG socket is allocated"; 499 500 // Find the four lowest available file descriptors. 501 int available_fds[4]; 502 SANDBOX_ASSERT(0 == pipe(available_fds)); 503 SANDBOX_ASSERT(0 == pipe(available_fds + 2)); 504 505 // Save one FD to send to the broker later, and close the others. 506 base::ScopedFD message_fd(available_fds[0]); 507 for (size_t i = 1; i < arraysize(available_fds); i++) { 508 SANDBOX_ASSERT(0 == IGNORE_EINTR(close(available_fds[i]))); 509 } 510 511 // Lower our file descriptor limit to just allow three more file descriptors 512 // to be allocated. (N.B., RLIMIT_NOFILE doesn't limit the number of file 513 // descriptors a process can have: it only limits the highest value that can 514 // be assigned to newly-created descriptors allocated by the process.) 515 const rlim_t fd_limit = 516 1 + 517 *std::max_element(available_fds, 518 available_fds + arraysize(available_fds)); 519 520 // Valgrind doesn't allow changing the hard descriptor limit, so we only 521 // change the soft descriptor limit here. 522 struct rlimit rlim; 523 SANDBOX_ASSERT(0 == getrlimit(RLIMIT_NOFILE, &rlim)); 524 SANDBOX_ASSERT(fd_limit <= rlim.rlim_cur); 525 rlim.rlim_cur = fd_limit; 526 SANDBOX_ASSERT(0 == setrlimit(RLIMIT_NOFILE, &rlim)); 527 528 static const char kCpuInfo[] = "/proc/cpuinfo"; 529 std::vector<BrokerFilePermission> permissions; 530 permissions.push_back(BrokerFilePermission::ReadOnly(kCpuInfo)); 531 532 BrokerProcess open_broker(EPERM, permissions); 533 SANDBOX_ASSERT(open_broker.Init(base::Bind(&NoOpCallback))); 534 535 const int ipc_fd = BrokerProcessTestHelper::GetIPCDescriptor(&open_broker); 536 SANDBOX_ASSERT(ipc_fd >= 0); 537 538 static const char kBogus[] = "not a pickle"; 539 std::vector<int> fds; 540 fds.push_back(message_fd.get()); 541 542 // The broker process should only have a couple spare file descriptors 543 // available, but for good measure we send it fd_limit bogus IPCs anyway. 544 for (rlim_t i = 0; i < fd_limit; ++i) { 545 SANDBOX_ASSERT( 546 base::UnixDomainSocket::SendMsg(ipc_fd, kBogus, sizeof(kBogus), fds)); 547 } 548 549 const int fd = open_broker.Open(kCpuInfo, O_RDONLY); 550 SANDBOX_ASSERT(fd >= 0); 551 SANDBOX_ASSERT(0 == IGNORE_EINTR(close(fd))); 552 } 553 554 bool CloseFD(int fd) { 555 PCHECK(0 == IGNORE_EINTR(close(fd))); 556 return true; 557 } 558 559 // Return true if the other end of the |reader| pipe was closed, 560 // false if |timeout_in_seconds| was reached or another event 561 // or error occured. 562 bool WaitForClosedPipeWriter(int reader, int timeout_in_ms) { 563 struct pollfd poll_fd = {reader, POLLIN | POLLRDHUP, 0}; 564 const int num_events = HANDLE_EINTR(poll(&poll_fd, 1, timeout_in_ms)); 565 if (1 == num_events && poll_fd.revents | POLLHUP) 566 return true; 567 return false; 568 } 569 570 // Closing the broker client's IPC channel should terminate the broker 571 // process. 572 TEST(BrokerProcess, BrokerDiesOnClosedChannel) { 573 std::vector<BrokerFilePermission> permissions; 574 permissions.push_back(BrokerFilePermission::ReadOnly("/proc/cpuinfo")); 575 576 // Get the writing end of a pipe into the broker (child) process so 577 // that we can reliably detect when it dies. 578 int lifeline_fds[2]; 579 PCHECK(0 == pipe(lifeline_fds)); 580 581 BrokerProcess open_broker(EPERM, permissions, true /* fast_check_in_client */, 582 false /* quiet_failures_for_tests */); 583 ASSERT_TRUE(open_broker.Init(base::Bind(&CloseFD, lifeline_fds[0]))); 584 // Make sure the writing end only exists in the broker process. 585 CloseFD(lifeline_fds[1]); 586 base::ScopedFD reader(lifeline_fds[0]); 587 588 const pid_t broker_pid = open_broker.broker_pid(); 589 590 // This should cause the broker process to exit. 591 BrokerProcessTestHelper::CloseChannel(&open_broker); 592 593 const int kTimeoutInMilliseconds = 5000; 594 const bool broker_lifeline_closed = 595 WaitForClosedPipeWriter(reader.get(), kTimeoutInMilliseconds); 596 // If the broker exited, its lifeline fd should be closed. 597 ASSERT_TRUE(broker_lifeline_closed); 598 // Now check that the broker has exited, but do not reap it. 599 siginfo_t process_info; 600 ASSERT_EQ(0, HANDLE_EINTR(waitid(P_PID, broker_pid, &process_info, 601 WEXITED | WNOWAIT))); 602 EXPECT_EQ(broker_pid, process_info.si_pid); 603 EXPECT_EQ(CLD_EXITED, process_info.si_code); 604 EXPECT_EQ(1, process_info.si_status); 605 } 606 607 TEST(BrokerProcess, CreateFile) { 608 std::string temp_str; 609 { 610 ScopedTemporaryFile tmp_file; 611 temp_str = tmp_file.full_file_name(); 612 } 613 const char* tempfile_name = temp_str.c_str(); 614 615 std::vector<BrokerFilePermission> permissions; 616 permissions.push_back(BrokerFilePermission::ReadWriteCreate(tempfile_name)); 617 618 BrokerProcess open_broker(EPERM, permissions); 619 ASSERT_TRUE(open_broker.Init(base::Bind(&NoOpCallback))); 620 621 int fd = -1; 622 623 // Try without O_EXCL 624 fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT); 625 ASSERT_EQ(fd, -EPERM); 626 627 const char kTestText[] = "TESTTESTTEST"; 628 // Create a file 629 fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL); 630 ASSERT_GE(fd, 0); 631 { 632 base::ScopedFD scoped_fd(fd); 633 634 // Confirm fail if file exists 635 int bad_fd = open_broker.Open(tempfile_name, O_RDWR | O_CREAT | O_EXCL); 636 ASSERT_EQ(bad_fd, -EEXIST); 637 638 // Write to the descriptor opened by the broker. 639 640 ssize_t len = HANDLE_EINTR(write(fd, kTestText, sizeof(kTestText))); 641 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText))); 642 } 643 644 int fd_check = open(tempfile_name, O_RDONLY); 645 ASSERT_GE(fd_check, 0); 646 { 647 base::ScopedFD scoped_fd(fd_check); 648 char buf[1024]; 649 ssize_t len = HANDLE_EINTR(read(fd_check, buf, sizeof(buf))); 650 651 ASSERT_EQ(len, static_cast<ssize_t>(sizeof(kTestText))); 652 ASSERT_EQ(memcmp(kTestText, buf, sizeof(kTestText)), 0); 653 } 654 } 655 656 } // namespace syscall_broker 657 658 } // namespace sandbox 659