xref: /aosp_15_r20/external/sandboxed-api/sandboxed_api/sandbox2/examples/tool/sandbox2tool_test.sh (revision ec63e07ab9515d95e79c211197c445ef84cefa6a)
#!/bin/bash
#
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Unit test for sandbox2tool example.
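#######################################
# Print a failure message to stderr and abort the test.
# Arguments: $1 - message to print
# Outputs:   the message, followed by a newline, on stderr
# Returns:   never; exits the shell with status 1
#######################################
die() {
  # printf rather than echo: a message such as "-n" or "-e" is printed as
  # given instead of being consumed as an echo option.
  printf '%s\n' "$1" >&2
  exit 1
}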
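# Locate the tool under test below TEST_SRCDIR. If TEST_SRCDIR were unset the
# path would silently collapse to "/com_google_sandboxed_api/...", and every
# check below would then report a misleading failure, so stop early with a
# clear message instead.
: "${TEST_SRCDIR:?TEST_SRCDIR must be set (normally by the test runner)}"
BIN="${TEST_SRCDIR}/com_google_sandboxed_api/sandboxed_api/sandbox2/examples/tool/sandbox2tool"
[[ -x "$BIN" ]] || die "sandbox2tool binary not found or not executable: $BIN"

# Wall-time limit: a 60 second sleep run with a wall-time timeout of 1 must be
# stopped by the tool. Two things are checked: the exit status is 2 (which the
# failure message labels a sandbox violation) and the combined stdout/stderr
# contains "Process TIMEOUT".
out=$("$BIN" \
      --sandbox2tool_resolve_and_add_libraries \
      --sandbox2tool_walltime_timeout=1 \
      -- /bin/sleep 60 2>&1)
result=$?
if (( result != 2 )); then
  echo "$out" >&2
  die 'sleep 60 should hit walltime 1 and return 2 (sandbox violation)'
fi
if [[ "$out" != *"Process TIMEOUT"* ]]; then
  echo "$out" >&2
  die 'sleep 60 should hit walltime 1 and timeout'
fi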
# Pause-and-kill: run a short sleep with -sandbox2tool_pause_kill and expect
# exit status 2 plus a signal-termination report in the captured output.
# NOTE(review): the output match is on "Process terminated with a SIGNAL"
# only; it does not confirm that the signal was SIGKILL, although the failure
# message says so.
# The single-dash flag spelling is kept exactly as the test passes it.
out=$(
  "$BIN" \
    -sandbox2tool_resolve_and_add_libraries \
    -sandbox2tool_pause_kill \
    -- /bin/sleep 5 2>&1
)
result=$?
if (( result != 2 )); then
  echo "$out" >&2
  die 'pausing and then killing the command should return 2 (sandbox violation)'
fi
case "$out" in
  *"Process terminated with a SIGNAL"*)
    ;;
  *)
    echo "$out" >&2
    die 'pausing and killing sleep command should be terminated with SIGKILL'
    ;;
esac
# With /etc and /proc bind-mounted and a tmp mount requested, reading
# /proc/1/cmdline from inside the sandbox must succeed (exit status 0).
# NOTE(review): bind-mounting /proc lets the sandboxee read process
# information; that is what this check exercises, but in a real policy it
# should be a deliberate choice rather than a default.
out=$(
  "$BIN" \
    --sandbox2tool_resolve_and_add_libraries \
    --sandbox2tool_additional_bind_mounts '/etc,/proc' \
    --sandbox2tool_mount_tmp \
    -- /bin/cat /proc/1/cmdline 2>&1
)
result=$?
if (( result != 0 )); then
  echo "$out" >&2
  die 'reading /proc/1/cmdline should not fail'
fi
# Same mounts as the /proc/1/cmdline check: listing /proc/1/fd/ from inside
# the sandbox must also succeed (exit status 0). Only the exit status is
# examined; the listing itself is not inspected.
out=$(
  "$BIN" \
    --sandbox2tool_resolve_and_add_libraries \
    --sandbox2tool_additional_bind_mounts '/etc,/proc' \
    --sandbox2tool_mount_tmp \
    -- /bin/ls /proc/1/fd/ 2>&1
)
result=$?
[[ $result -eq 0 ]] || {
  echo "$out" >&2
  die 'listing /proc/1/fd  should work'
}
# Negative check: only /etc is bind-mounted and no tmp mount is requested, so
# `ls /tmp` is expected to fail inside the sandbox — presumably because /tmp
# is not mapped there. The tool must report exit status 1, which the failure
# message calls a child error.
# NOTE(review): only the exit status is checked, so any other cause of a
# status-1 failure in the child would also satisfy this check.
out=$(
  "$BIN" \
    --sandbox2tool_resolve_and_add_libraries \
    --sandbox2tool_additional_bind_mounts '/etc' \
    -- /bin/ls /tmp 2>&1
)
result=$?
[[ $result -eq 1 ]] || {
  echo "$out" >&2
  die "ls /tmp should return 1 (child error) but was $result"
}
# Negative check: /tmp is bind-mounted with no write access requested (the
# failure message calls this a ro-mapping), so a write to it from inside the
# sandbox must fail with exit status 1.
# NOTE(review): only the exit status is checked. The test does not verify
# afterwards that /tmp/sb2tool_test_file is absent on the host, and it does
# not remove that file if the write unexpectedly succeeds.
out=$(
  "$BIN" \
    --sandbox2tool_resolve_and_add_libraries \
    --sandbox2tool_additional_bind_mounts '/tmp' \
    -- /bin/sh -c 'echo "test" > /tmp/sb2tool_test_file' 2>&1
)
result=$?
if (( result != 1 )); then
  echo "$out" >&2
  die "it shouldn't be possible to write to a ro-mapping. Result was: $result"
fi
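# Host-side scratch directory that the following checks bind-mount into the
# sandbox. TEST_TMPDIR must be set; with it unset the directory would be
# created directly under "/".
: "${TEST_TMPDIR:?TEST_TMPDIR must be set (normally by the test runner)}"
SB2_TMP_DIR="$TEST_TMPDIR/sb2tool_test_dir"
mkdir "$SB2_TMP_DIR" || die "couldn't create tmp directory"

# The scratch directory is bind-mounted while a tmp mount is also requested;
# the sandboxee must be able to cd into it (the failure message describes
# this as a nested mount under tmpfs).
# The path is handed to the inner shell as a positional parameter instead of
# being spliced into the -c string, so a TEST_TMPDIR containing spaces or
# shell metacharacters is not re-parsed as shell code.
# NOTE(review): the bind-mount flag takes a comma-separated list (see the
# '/etc,/proc' invocations), so a path containing "," would presumably still
# be split by the tool itself — confirm if that can occur.
out=$("$BIN" \
      --sandbox2tool_resolve_and_add_libraries \
      --sandbox2tool_additional_bind_mounts "$SB2_TMP_DIR" \
      -sandbox2tool_mount_tmp \
      -- /bin/sh -c 'cd "$1"' sh "$SB2_TMP_DIR" 2>&1)
result=$?
if (( result != 0 )); then
  echo "$out" >&2
  die "Nested mounts under tmpfs should work. Result was: $result"
fi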
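# Map a single host file onto /etc/passwd inside the sandbox, on top of the
# /etc bind mount, and check that the sandboxee reads the replacement content.
# The "src=>dst" flag form presumably means host path => path inside the
# sandbox — confirm against the tool's flag help.
echo 'hello world' > "$SB2_TMP_DIR/hello" \
  || die "couldn't write $SB2_TMP_DIR/hello"
# stderr is folded into $out, as in the other invocations, so that the
# failure report below includes the tool's own diagnostics.
out=$("$BIN" \
      --sandbox2tool_resolve_and_add_libraries \
      --sandbox2tool_additional_bind_mounts "/etc,$SB2_TMP_DIR/hello=>/etc/passwd" \
      -sandbox2tool_mount_tmp \
      -- /bin/grep "hello world" /etc/passwd 2>&1)
result=$?
if (( result != 0 )); then
  echo "$out" >&2
  die "Nested mounts should work. Result was: $result"
fi

# Reached only when none of the checks above called die.
echo 'PASS'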