| // Copyright 2016 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <stdint.h> |
| #include <memory> |
| #include <utility> |
| |
| #include "base/bind.h" |
| #include "base/command_line.h" |
| #include "base/containers/span.h" |
| #include "base/macros.h" |
| #include "base/memory/read_only_shared_memory_region.h" |
| #include "base/memory/shared_memory_mapping.h" |
| #include "base/memory/unsafe_shared_memory_region.h" |
| #include "base/memory/writable_shared_memory_region.h" |
| #include "base/run_loop.h" |
| #include "base/strings/string_piece.h" |
| #include "base/test/bind_test_util.h" |
| #include "build/build_config.h" |
| #include "content/browser/utility_process_host.h" |
| #include "content/public/browser/browser_task_traits.h" |
| #include "content/public/browser/browser_thread.h" |
| #include "content/public/test/browser_test.h" |
| #include "content/public/test/content_browser_test.h" |
| #include "content/public/test/test_service.mojom.h" |
| #include "mojo/public/cpp/bindings/remote.h" |
| #include "sandbox/policy/sandbox.h" |
| #include "sandbox/policy/switches.h" |
| #include "services/service_manager/public/cpp/interface_provider.h" |
| |
| namespace content { |
| namespace { |
| |
| const std::string kTestMessage = "My hovercraft is full of eels!"; |
| |
| class MojoSandboxTest : public ContentBrowserTest { |
| public: |
| MojoSandboxTest() = default; |
| |
| using BeforeStartCallback = base::OnceCallback<void(UtilityProcessHost*)>; |
| |
| void StartProcess(BeforeStartCallback callback = BeforeStartCallback()) { |
| base::RunLoop run_loop; |
| GetIOThreadTaskRunner({})->PostTaskAndReply( |
| FROM_HERE, |
| base::BindOnce(&MojoSandboxTest::StartUtilityProcessOnIoThread, |
| base::Unretained(this), std::move(callback)), |
| run_loop.QuitClosure()); |
| run_loop.Run(); |
| } |
| |
| mojo::Remote<mojom::TestService> BindTestService() { |
| mojo::Remote<mojom::TestService> test_service; |
| GetIOThreadTaskRunner({})->PostTask( |
| FROM_HERE, base::BindOnce(&MojoSandboxTest::BindTestServiceOnIoThread, |
| base::Unretained(this), |
| test_service.BindNewPipeAndPassReceiver())); |
| return test_service; |
| } |
| |
| void TearDownOnMainThread() override { |
| base::RunLoop run_loop; |
| GetIOThreadTaskRunner({})->PostTaskAndReply( |
| FROM_HERE, |
| base::BindOnce(&MojoSandboxTest::StopUtilityProcessOnIoThread, |
| base::Unretained(this)), |
| run_loop.QuitClosure()); |
| run_loop.Run(); |
| } |
| |
| protected: |
| std::unique_ptr<UtilityProcessHost> host_; |
| |
| private: |
| void StartUtilityProcessOnIoThread(BeforeStartCallback callback) { |
| host_.reset(new UtilityProcessHost()); |
| host_->SetMetricsName("mojo_sandbox_test_process"); |
| if (callback) |
| std::move(callback).Run(host_.get()); |
| ASSERT_TRUE(host_->Start()); |
| } |
| |
| void BindTestServiceOnIoThread( |
| mojo::PendingReceiver<mojom::TestService> receiver) { |
| host_->GetChildProcess()->BindReceiver(std::move(receiver)); |
| } |
| |
| void StopUtilityProcessOnIoThread() { host_.reset(); } |
| |
| DISALLOW_COPY_AND_ASSIGN(MojoSandboxTest); |
| }; |
| |
| // Ensures that a read-only shared memory region can be created within a |
| // sandboxed process. |
| IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessReadOnlySharedMemoryRegion) { |
| StartProcess(); |
| mojo::Remote<mojom::TestService> test_service = BindTestService(); |
| |
| bool got_response = false; |
| base::RunLoop run_loop; |
| test_service.set_disconnect_handler(run_loop.QuitClosure()); |
| test_service->CreateReadOnlySharedMemoryRegion( |
| kTestMessage, |
| base::BindLambdaForTesting([&](base::ReadOnlySharedMemoryRegion region) { |
| got_response = true; |
| ASSERT_TRUE(region.IsValid()); |
| base::ReadOnlySharedMemoryMapping mapping = region.Map(); |
| ASSERT_TRUE(mapping.IsValid()); |
| auto span = mapping.GetMemoryAsSpan<const char>(); |
| EXPECT_EQ(kTestMessage, base::StringPiece(span.data(), span.size())); |
| run_loop.Quit(); |
| })); |
| run_loop.Run(); |
| EXPECT_TRUE(got_response); |
| } |
| |
| // Ensures that a writable shared memory region can be created within a |
| // sandboxed process. |
| IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessWritableSharedMemoryRegion) { |
| StartProcess(); |
| mojo::Remote<mojom::TestService> test_service = BindTestService(); |
| |
| bool got_response = false; |
| base::RunLoop run_loop; |
| test_service.set_disconnect_handler(run_loop.QuitClosure()); |
| test_service->CreateWritableSharedMemoryRegion( |
| kTestMessage, |
| base::BindLambdaForTesting([&](base::WritableSharedMemoryRegion region) { |
| got_response = true; |
| ASSERT_TRUE(region.IsValid()); |
| base::WritableSharedMemoryMapping mapping = region.Map(); |
| ASSERT_TRUE(mapping.IsValid()); |
| auto span = mapping.GetMemoryAsSpan<const char>(); |
| EXPECT_EQ(kTestMessage, base::StringPiece(span.data(), span.size())); |
| run_loop.Quit(); |
| })); |
| run_loop.Run(); |
| EXPECT_TRUE(got_response); |
| } |
| |
| // Ensures that an unsafe shared memory region can be created within a |
| // sandboxed process. |
| IN_PROC_BROWSER_TEST_F(MojoSandboxTest, SubprocessUnsafeSharedMemoryRegion) { |
| StartProcess(); |
| mojo::Remote<mojom::TestService> test_service = BindTestService(); |
| |
| bool got_response = false; |
| base::RunLoop run_loop; |
| test_service.set_disconnect_handler(run_loop.QuitClosure()); |
| test_service->CreateUnsafeSharedMemoryRegion( |
| kTestMessage, |
| base::BindLambdaForTesting([&](base::UnsafeSharedMemoryRegion region) { |
| got_response = true; |
| ASSERT_TRUE(region.IsValid()); |
| base::WritableSharedMemoryMapping mapping = region.Map(); |
| ASSERT_TRUE(mapping.IsValid()); |
| auto span = mapping.GetMemoryAsSpan<const char>(); |
| EXPECT_EQ(kTestMessage, base::StringPiece(span.data(), span.size())); |
| run_loop.Quit(); |
| })); |
| run_loop.Run(); |
| EXPECT_TRUE(got_response); |
| } |
| |
| // Test for sandbox::policy::IsProcessSandboxed(). |
| IN_PROC_BROWSER_TEST_F(MojoSandboxTest, IsProcessSandboxed) { |
| StartProcess(); |
| mojo::Remote<mojom::TestService> test_service = BindTestService(); |
| |
| // The browser should not be considered sandboxed. |
| EXPECT_FALSE(sandbox::policy::Sandbox::IsProcessSandboxed()); |
| |
| base::Optional<bool> maybe_is_sandboxed; |
| base::RunLoop run_loop; |
| test_service.set_disconnect_handler(run_loop.QuitClosure()); |
| test_service->IsProcessSandboxed( |
| base::BindLambdaForTesting([&](bool is_sandboxed) { |
| maybe_is_sandboxed = is_sandboxed; |
| run_loop.Quit(); |
| })); |
| run_loop.Run(); |
| ASSERT_TRUE(maybe_is_sandboxed.has_value()); |
| EXPECT_TRUE(maybe_is_sandboxed.value()); |
| } |
| |
| IN_PROC_BROWSER_TEST_F(MojoSandboxTest, NotIsProcessSandboxed) { |
| StartProcess(base::BindOnce([](UtilityProcessHost* host) { |
| host->SetSandboxType(sandbox::policy::SandboxType::kNoSandbox); |
| })); |
| mojo::Remote<mojom::TestService> test_service = BindTestService(); |
| |
| // The browser should not be considered sandboxed. |
| EXPECT_FALSE(sandbox::policy::Sandbox::IsProcessSandboxed()); |
| |
| base::Optional<bool> maybe_is_sandboxed; |
| base::RunLoop run_loop; |
| test_service.set_disconnect_handler(run_loop.QuitClosure()); |
| test_service->IsProcessSandboxed( |
| base::BindLambdaForTesting([&](bool is_sandboxed) { |
| maybe_is_sandboxed = is_sandboxed; |
| run_loop.Quit(); |
| })); |
| run_loop.Run(); |
| ASSERT_TRUE(maybe_is_sandboxed.has_value()); |
| #if defined(OS_ANDROID) |
| // Android does not support unsandboxed utility processes. See |
| // org.chromium.content.browser.ChildProcessLauncherHelperImpl#createAndStart |
| EXPECT_TRUE(maybe_is_sandboxed.value()); |
| #else |
| // If the content_browsertests is launched with --no-sandbox, that will |
| // get passed down to the browser and all child processes. In that case, |
| // IsProcessSandboxed() will report true, per the API. |
| bool no_sandbox = base::CommandLine::ForCurrentProcess()->HasSwitch( |
| sandbox::policy::switches::kNoSandbox); |
| EXPECT_EQ(no_sandbox, maybe_is_sandboxed.value()); |
| #endif |
| } |
| |
| } // namespace |
| } // namespace content |