macOS Sandbox: Add unit test that renderer cannot write to homedir.

This adds a unit test that the V2 renderer sandbox profile cannot write to the homedir. Bug: 902597 Change-Id: I6b8c850bdafcb377070e22ed2a1459bcd631b69c Reviewed-on: https://chromium-review.googlesource.com/c/1321862Reviewed-by: Pavel Feldman <pfeldman@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Greg Kerr <kerrnel@chromium.org> Cr-Commit-Position: refs/heads/master@{#606956}

macOS Sandbox: Add unit test that renderer cannot write to homedir.
This adds a unit test that the V2 renderer sandbox profile cannot write to the homedir. Bug: 902597 Change-Id: I6b8c850bdafcb377070e22ed2a1459bcd631b69c Reviewed-on: https://chromium-review.googlesource.com/c/1321862Reviewed-by: Pavel Feldman <pfeldman@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Greg Kerr <kerrnel@chromium.org> Cr-Commit-Position: refs/heads/master@{#606956}
65f314fb · Greg Kerr · Commit Bot · e9d6060f · 65f314fb · 65f314fb
Commit 65f314fb authored Nov 09, 2018 by Greg Kerr Committed by Commit Bot Nov 09, 2018
4 changed files
--- a/content/browser/OWNERS
+++ b/content/browser/OWNERS
@@ -19,13 +19,9 @@ per-file host_zoom_*=wjmaclean@chromium.org
 per-file find_request_manager*=paulmeyer@chromium.org
 per-file site_per_process_*=kenrb@chromium.org

-# Mac Sandbox profiles.
-per-file *.sb=set noparent
-per-file *.sb=rsesek@chromium.org
-
-# Mac Sandbox parameters.
-per-file sandbox_parameters_mac.*=rsesek@chromium.org
-per-file sandbox_parameters_mac.*=kerrnel@chromium.org
+# Mac Sandbox parameters and unit tests.
+per-file sandbox_parameters_mac.*=file://sandbox/mac/OWNERS
+per-file sandbox_mac_unittest.*=file://sandbox/mac/OWNERS

 # Linux sandboxing.
 per-file sandbox_host_linux.*=jln@chromium.org

--- a/content/browser/sandbox_mac_unittest.mm
+++ b/content/browser/sandbox_mac_unittest.mm
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#import <Foundation/Foundation.h>
+
+#include "base/command_line.h"
+#include "base/posix/eintr_wrapper.h"
+#include "base/process/kill.h"
+#include "base/strings/stringprintf.h"
+#include "base/strings/sys_string_conversions.h"
+#include "base/test/multiprocess_test.h"
+#include "base/test/test_timeouts.h"
+#include "content/browser/sandbox_parameters_mac.h"
+#include "sandbox/mac/seatbelt.h"
+#include "sandbox/mac/seatbelt_exec.h"
+#include "services/service_manager/sandbox/mac/common_v2.sb.h"
+#include "services/service_manager/sandbox/mac/renderer_v2.sb.h"
+#include "services/service_manager/sandbox/switches.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "testing/multiprocess_func_list.h"
+
+namespace content {
+namespace {
+
+// crbug.com/740009: This allows the unit test to cleanup temporary directories,
+// and is safe since this is only a unit test.
+constexpr char kTempDirSuffix[] =
+    "(allow file* (subpath \"/private/var/folders/\"))";
+
+class SandboxMacTest : public base::MultiProcessTest {
+ protected:
+  base::CommandLine MakeCmdLine(const std::string& procname) override {
+    base::CommandLine cl = MultiProcessTest::MakeCmdLine(procname);
+    cl.AppendArg(
+        base::StringPrintf("%s%d", sandbox::switches::kSeatbeltClient, pipe_));
+    return cl;
+  }
+
+  int pipe_{0};
+};
+
+void CheckCreateSeatbeltServer() {
+  base::CommandLine* cl = base::CommandLine::ForCurrentProcess();
+  const base::CommandLine::StringVector& argv = cl->argv();
+  std::vector<char*> argv_cstr(argv.size());
+  for (size_t i = 0; i < argv.size(); ++i) {
+    argv_cstr[i] = const_cast<char*>(argv[i].c_str());
+  }
+  auto result = sandbox::SeatbeltExecServer::CreateFromArguments(
+      argv_cstr[0], argv_cstr.size(), argv_cstr.data());
+
+  CHECK(result.sandbox_required);
+  CHECK(result.server);
+  CHECK(result.server->InitializeSandbox());
+}
+
+}  // namespace
+
+MULTIPROCESS_TEST_MAIN(RendererWriteProcess) {
+  CheckCreateSeatbeltServer();
+
+  // Test that the renderer cannot write to the home directory.
+  NSString* test_file = [NSHomeDirectory()
+      stringByAppendingPathComponent:@"e539dd6f-6b38-4f6a-af2c-809a5ea96e1c"];
+  int fd = HANDLE_EINTR(
+      open(base::SysNSStringToUTF8(test_file).c_str(), O_CREAT | O_RDWR));
+  CHECK(-1 == fd);
+  CHECK_EQ(errno, EPERM);
+
+  return 0;
+}
+
+TEST_F(SandboxMacTest, RendererCannotWriteHomeDir) {
+  std::string profile =
+      std::string(service_manager::kSeatbeltPolicyString_common_v2) +
+      service_manager::kSeatbeltPolicyString_renderer_v2 + kTempDirSuffix;
+
+  sandbox::SeatbeltExecClient client;
+  client.SetProfile(profile);
+  content::SetupCommonSandboxParameters(&client);
+
+  pipe_ = client.GetReadFD();
+  ASSERT_GE(pipe_, 0);
+
+  base::LaunchOptions options;
+  options.fds_to_remap.push_back(std::make_pair(pipe_, pipe_));
+
+  base::Process process =
+      SpawnChildWithOptions("RendererWriteProcess", options);
+  ASSERT_TRUE(process.IsValid());
+  ASSERT_TRUE(client.SendProfile());
+
+  int rv = -1;
+  ASSERT_TRUE(base::WaitForMultiprocessTestChildExit(
+      process, TestTimeouts::action_timeout(), &rv));
+  EXPECT_EQ(0, rv);
+}
+
+}  // namespace content
--- a/content/browser/sandbox_parameters_mac.h
+++ b/content/browser/sandbox_parameters_mac.h
@@ -5,6 +5,8 @@
 #ifndef CONTENT_BROWSER_SANDBOX_PARAMETERS_MAC_H_
 #define CONTENT_BROWSER_SANDBOX_PARAMETERS_MAC_H_

+#include "content/common/content_export.h"
+
 namespace base {
 class CommandLine;
 }
@@ -18,14 +20,18 @@ namespace content {
 // All of the below functions populate the |client| with the parameters that the
 // sandbox needs to resolve information that cannot be known at build time, such
 // as the user's home directory.
-void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client);
+CONTENT_EXPORT void SetupCommonSandboxParameters(
+    sandbox::SeatbeltExecClient* client);

-void SetupCDMSandboxParameters(sandbox::SeatbeltExecClient* client);
+CONTENT_EXPORT void SetupCDMSandboxParameters(
+    sandbox::SeatbeltExecClient* client);

-void SetupPPAPISandboxParameters(sandbox::SeatbeltExecClient* client);
+CONTENT_EXPORT void SetupPPAPISandboxParameters(
+    sandbox::SeatbeltExecClient* client);

-void SetupUtilitySandboxParameters(sandbox::SeatbeltExecClient* client,
-                                   const base::CommandLine& command_line);
+CONTENT_EXPORT void SetupUtilitySandboxParameters(
+    sandbox::SeatbeltExecClient* client,
+    const base::CommandLine& command_line);

 }  // namespace content


--- a/content/test/BUILD.gn
+++ b/content/test/BUILD.gn
@@ -1570,6 +1570,7 @@ test("content_unittests") {
    "../browser/renderer_host/text_input_client_mac_unittest.mm",
    "../browser/renderer_host/web_database_host_impl_unittest.cc",
    "../browser/resolve_proxy_msg_helper_unittest.cc",
+    "../browser/sandbox_mac_unittest.mm",
    "../browser/scheduler/browser_task_executor_unittest.cc",
    "../browser/scheduler/responsiveness/calculator_unittest.cc",
    "../browser/scheduler/responsiveness/watcher_unittest.cc",