Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / 3388a03c27a0623a9664ba75f388d2bb18449c05 / . / patchpanel / minijailed_process_runner_test.cc
blob: 4887990ef12163ffbadee2caa130bf135bf43f6b [file] [log] [blame]
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]1// Copyright 2019 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame^]5#include "patchpanel/minijailed_process_runner.h"
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]6
7#include <linux/capability.h>
8
9#include <brillo/minijail/mock_minijail.h>
10#include <gmock/gmock.h>
11#include <gtest/gtest.h>
12
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame^]13#include "patchpanel/net_util.h"
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]14
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]15using testing::_;
16using testing::DoAll;
17using testing::Eq;
18using testing::Return;
19using testing::SetArgPointee;
20using testing::StrEq;
21
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame^]22namespace patchpanel {
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]23
24class MinijailProcessRunnerTest : public testing::Test {
25 protected:
26 MinijailProcessRunnerTest() : runner_(&mj_) {}
27
28 void SetUp() override {
29 ON_CALL(mj_, DropRoot(_, _, _)).WillByDefault(Return(true));
30 ON_CALL(mj_, RunSyncAndDestroy(_, _, _))
31 .WillByDefault(DoAll(SetArgPointee<2>(0), Return(true)));
32 }
33
34 brillo::MockMinijail mj_;
35 MinijailedProcessRunner runner_;
36};
37
38// Special matcher needed for vector<char*> type.
39// Lifted from shill/process_manager_test.cc
40MATCHER_P2(IsProcessArgs, program, args, "") {
41 if (std::string(arg[0]) != program) {
42 return false;
43 }
44 int index = 1;
45 for (const auto& option : args) {
46 if (std::string(arg[index++]) != option) {
47 return false;
48 }
49 }
50 return arg[index] == nullptr;
51}
52
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]53TEST_F(MinijailProcessRunnerTest, RestoreDefaultNamespace) {
54 const std::vector<std::string> args = {
55 "-t", "12345", "-n", "--", "/bin/ip", "link", "set", "foo", "netns", "1",
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]56 };
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]57 EXPECT_CALL(mj_, New());
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]58 EXPECT_CALL(mj_, DropRoot(_, _, _)).Times(0);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]59 EXPECT_CALL(mj_,
60 RunSyncAndDestroy(_, IsProcessArgs("/usr/bin/nsenter", args), _));
61 runner_.RestoreDefaultNamespace("foo", 12345);
Garrick Evans64a2df32018-12-12 16:53:46 +0900[diff] [blame]62}
63
Garrick Evans3bd06372020-03-23 10:42:58 +0900[diff] [blame]64TEST_F(MinijailProcessRunnerTest, WriteSentinelToContainer) {
65 const std::vector<std::string> args = {
66 "-t",
67 "12345",
68 "--mount",
69 "--pid",
70 "--",
71 "/system/bin/touch",
72 "/dev/.arc_network_ready",
73 };
74 EXPECT_CALL(mj_, New());
75 EXPECT_CALL(mj_, DropRoot(_, _, _)).Times(0);
76 EXPECT_CALL(mj_,
77 RunSyncAndDestroy(_, IsProcessArgs("/usr/bin/nsenter", args), _));
78 runner_.WriteSentinelToContainer(12345);
79}
80
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]81TEST_F(MinijailProcessRunnerTest, modprobe_all) {
Garrick Evans78b414e2019-03-14 15:58:56 +0900[diff] [blame]82 uint64_t caps = CAP_TO_MASK(CAP_SYS_MODULE);
83
84 const std::vector<std::string> args = {"-a", "module1", "module2"};
85 EXPECT_CALL(mj_, New());
86 EXPECT_CALL(mj_, DropRoot(_, StrEq("nobody"), StrEq("nobody")));
87 EXPECT_CALL(mj_, UseCapabilities(_, Eq(caps)));
88 EXPECT_CALL(mj_,
89 RunSyncAndDestroy(_, IsProcessArgs("/sbin/modprobe", args), _));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]90 runner_.modprobe_all({"module1", "module2"});
Garrick Evans78b414e2019-03-14 15:58:56 +0900[diff] [blame]91}
92
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]93TEST_F(MinijailProcessRunnerTest, sysctl_w) {
Garrick Evans6d227b92019-12-03 16:11:29 +0900[diff] [blame]94 const std::vector<std::string> args = {"-w", "a.b.c=1"};
95 EXPECT_CALL(mj_, New());
96 EXPECT_CALL(mj_,
97 RunSyncAndDestroy(_, IsProcessArgs("/usr/sbin/sysctl", args), _));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]98 runner_.sysctl_w("a.b.c", "1");
Garrick Evans6d227b92019-12-03 16:11:29 +0900[diff] [blame]99}
100
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]101TEST_F(MinijailProcessRunnerTest, chown) {
Garrick Evans6d227b92019-12-03 16:11:29 +0900[diff] [blame]102 uint64_t caps = CAP_TO_MASK(CAP_CHOWN);
103
104 const std::vector<std::string> args = {"12345:23456", "foo"};
105 EXPECT_CALL(mj_, New());
106 EXPECT_CALL(mj_, DropRoot(_, StrEq("nobody"), StrEq("nobody")));
107 EXPECT_CALL(mj_, UseCapabilities(_, Eq(caps)));
108 EXPECT_CALL(mj_, RunSyncAndDestroy(_, IsProcessArgs("/bin/chown", args), _));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]109 runner_.chown("12345", "23456", "foo");
110}
111
112TEST_F(MinijailProcessRunnerTest, brctl) {
113 uint64_t caps = CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_NET_RAW);
114 const std::vector<std::string> args = {"cmd", "arg", "arg"};
115
116 EXPECT_CALL(mj_, New());
117 EXPECT_CALL(mj_, DropRoot(_, StrEq("nobody"), StrEq("nobody")));
118 EXPECT_CALL(mj_, UseCapabilities(_, Eq(caps)));
119 EXPECT_CALL(mj_, RunSyncAndDestroy(_, IsProcessArgs("/sbin/brctl", args), _));
120 runner_.brctl("cmd", {"arg", "arg"});
121}
122
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]123TEST_F(MinijailProcessRunnerTest, ip) {
124 uint64_t caps = CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_NET_RAW);
125 const std::vector<std::string> args = {"obj", "cmd", "arg", "arg"};
126
127 EXPECT_CALL(mj_, New());
128 EXPECT_CALL(mj_, DropRoot(_, StrEq("nobody"), StrEq("nobody")));
129 EXPECT_CALL(mj_, UseCapabilities(_, Eq(caps)));
130 EXPECT_CALL(mj_, RunSyncAndDestroy(_, IsProcessArgs("/bin/ip", args), _));
131 runner_.ip("obj", "cmd", {"arg", "arg"});
132}
133
134TEST_F(MinijailProcessRunnerTest, ip6) {
135 uint64_t caps = CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_NET_RAW);
136 const std::vector<std::string> args = {"-6", "obj", "cmd", "arg", "arg"};
137
138 EXPECT_CALL(mj_, New());
139 EXPECT_CALL(mj_, DropRoot(_, StrEq("nobody"), StrEq("nobody")));
140 EXPECT_CALL(mj_, UseCapabilities(_, Eq(caps)));
141 EXPECT_CALL(mj_, RunSyncAndDestroy(_, IsProcessArgs("/bin/ip", args), _));
142 runner_.ip6("obj", "cmd", {"arg", "arg"});
143}
144
145TEST_F(MinijailProcessRunnerTest, iptables) {
146 const std::vector<std::string> args = {"-t", "table", "arg", "arg"};
147
148 EXPECT_CALL(mj_, New());
149 EXPECT_CALL(mj_,
150 RunSyncAndDestroy(_, IsProcessArgs("/sbin/iptables", args), _));
151 runner_.iptables("table", {"arg", "arg"});
152}
153
154TEST_F(MinijailProcessRunnerTest, ip6tables) {
155 const std::vector<std::string> args = {"-t", "table", "arg", "arg"};
156
157 EXPECT_CALL(mj_, New());
158 EXPECT_CALL(mj_,
159 RunSyncAndDestroy(_, IsProcessArgs("/sbin/ip6tables", args), _));
160 runner_.ip6tables("table", {"arg", "arg"});
Garrick Evans6d227b92019-12-03 16:11:29 +0900[diff] [blame]161}
162
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame^]163} // namespace patchpanel