Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(548)

Side by Side Diff: sandbox/linux/services/namespace_sandbox_unittest.cc

Issue 1158793003: Enable one PID namespace per process for NaCl processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Enable PID namespace per process for nonsfi newlib NaCl as well. Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/services/namespace_sandbox.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/linux/services/namespace_sandbox.h" 5 #include "sandbox/linux/services/namespace_sandbox.h"
6 6
7 #include <signal.h> 7 #include <signal.h>
8 #include <sys/types.h> 8 #include <sys/types.h>
9 #include <sys/wait.h> 9 #include <sys/wait.h>
10 #include <unistd.h> 10 #include <unistd.h>
(...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after
113 CHECK(process.WaitForExit(&exit_code)); 113 CHECK(process.WaitForExit(&exit_code));
114 CHECK_EQ(0, exit_code); 114 CHECK_EQ(0, exit_code);
115 return 0; 115 return 0;
116 } 116 }
117 117
118 TEST_F(NamespaceSandboxTest, NestedNamespaceSandbox) { 118 TEST_F(NamespaceSandboxTest, NestedNamespaceSandbox) {
119 TestProc("NestedNamespaceSandbox"); 119 TestProc("NestedNamespaceSandbox");
120 } 120 }
121 121
122 const int kNormalExitCode = 0; 122 const int kNormalExitCode = 0;
123 const int kSignalTerminationExitCode = 255;
124 123
125 // Ensure that CHECK(false) is distinguishable from _exit(kNormalExitCode). 124 // Ensure that CHECK(false) is distinguishable from _exit(kNormalExitCode).
126 // Allowing noise since CHECK(false) will write a stack trace to stderr. 125 // Allowing noise since CHECK(false) will write a stack trace to stderr.
127 SANDBOX_TEST_ALLOW_NOISE(ForkInNewPidNamespace, CheckDoesNotReturnZero) { 126 SANDBOX_TEST_ALLOW_NOISE(ForkInNewPidNamespace, CheckDoesNotReturnZero) {
128 if (!Credentials::CanCreateProcessInNewUserNS()) { 127 if (!Credentials::CanCreateProcessInNewUserNS()) {
129 return; 128 return;
130 } 129 }
131 130
132 CHECK(sandbox::Credentials::MoveToNewUserNS()); 131 CHECK(sandbox::Credentials::MoveToNewUserNS());
133 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace( 132 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace(
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after
175 174
176 CHECK(sandbox::Credentials::MoveToNewUserNS()); 175 CHECK(sandbox::Credentials::MoveToNewUserNS());
177 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace( 176 const pid_t pid = NamespaceSandbox::ForkInNewPidNamespace(
178 /*drop_capabilities_in_child=*/true); 177 /*drop_capabilities_in_child=*/true);
179 CHECK_GE(pid, 0); 178 CHECK_GE(pid, 0);
180 179
181 if (pid == 0) { 180 if (pid == 0) {
182 CHECK_EQ(1, getpid()); 181 CHECK_EQ(1, getpid());
183 CHECK(!Credentials::HasAnyCapability()); 182 CHECK(!Credentials::HasAnyCapability());
184 CHECK(NamespaceSandbox::InstallTerminationSignalHandler( 183 CHECK(NamespaceSandbox::InstallTerminationSignalHandler(
185 SIGTERM, kSignalTerminationExitCode)); 184 SIGTERM, NamespaceSandbox::SignalExitCode(SIGTERM)));
186 while (true) { 185 while (true) {
187 raise(SIGTERM); 186 raise(SIGTERM);
188 } 187 }
189 } 188 }
190 189
191 int status; 190 int status;
192 PCHECK(waitpid(pid, &status, 0) == pid); 191 PCHECK(waitpid(pid, &status, 0) == pid);
193 CHECK(WIFEXITED(status)); 192 CHECK(WIFEXITED(status));
194 CHECK_EQ(kSignalTerminationExitCode, WEXITSTATUS(status)); 193 CHECK_EQ(NamespaceSandbox::SignalExitCode(SIGTERM), WEXITSTATUS(status));
195 } 194 }
196 195
197 volatile sig_atomic_t signal_handler_called; 196 volatile sig_atomic_t signal_handler_called;
198 void ExitSuccessfully(int sig) { 197 void ExitSuccessfully(int sig) {
199 signal_handler_called = 1; 198 signal_handler_called = 1;
200 } 199 }
201 200
202 SANDBOX_TEST(InstallTerminationSignalHandler, DoesNotOverrideExistingHandlers) { 201 SANDBOX_TEST(InstallTerminationSignalHandler, DoesNotOverrideExistingHandlers) {
203 struct sigaction action = {}; 202 struct sigaction action = {};
204 action.sa_handler = &ExitSuccessfully; 203 action.sa_handler = &ExitSuccessfully;
205 PCHECK(sigaction(SIGUSR1, &action, nullptr) == 0); 204 PCHECK(sigaction(SIGUSR1, &action, nullptr) == 0);
206 205
207 NamespaceSandbox::InstallDefaultTerminationSignalHandlers(); 206 NamespaceSandbox::InstallDefaultTerminationSignalHandlers();
208 CHECK(!NamespaceSandbox::InstallTerminationSignalHandler( 207 CHECK(!NamespaceSandbox::InstallTerminationSignalHandler(
209 SIGUSR1, kSignalTerminationExitCode)); 208 SIGUSR1, NamespaceSandbox::SignalExitCode(SIGUSR1)));
210 209
211 raise(SIGUSR1); 210 raise(SIGUSR1);
212 CHECK_EQ(1, signal_handler_called); 211 CHECK_EQ(1, signal_handler_called);
213 } 212 }
214 213
215 } // namespace 214 } // namespace
216 215
217 } // namespace sandbox 216 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/linux/services/namespace_sandbox.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698