summaryrefslogtreecommitdiffstats
path: root/security/sandbox/test
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox/test')
-rw-r--r--security/sandbox/test/browser.ini11
-rw-r--r--security/sandbox/test/browser_content_sandbox_fs.js169
-rw-r--r--security/sandbox/test/browser_content_sandbox_syscalls.js223
-rw-r--r--security/sandbox/test/browser_content_sandbox_utils.js57
4 files changed, 0 insertions, 460 deletions
diff --git a/security/sandbox/test/browser.ini b/security/sandbox/test/browser.ini
deleted file mode 100644
index 7e3e96ea4..000000000
--- a/security/sandbox/test/browser.ini
+++ /dev/null
@@ -1,11 +0,0 @@
-# Any copyright is dedicated to the Public Domain.
-# http://creativecommons.org/publicdomain/zero/1.0/
-[DEFAULT]
-tags = contentsandbox
-support-files =
- browser_content_sandbox_utils.js
-
-skip-if = !e10s
-[browser_content_sandbox_fs.js]
-skip-if = !e10s
-[browser_content_sandbox_syscalls.js]
diff --git a/security/sandbox/test/browser_content_sandbox_fs.js b/security/sandbox/test/browser_content_sandbox_fs.js
deleted file mode 100644
index 946f86bb9..000000000
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ /dev/null
@@ -1,169 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-var prefs = Cc["@mozilla.org/preferences-service;1"]
- .getService(Ci.nsIPrefBranch);
-
-Services.scriptloader.loadSubScript("chrome://mochitests/content/browser/" +
- "security/sandbox/test/browser_content_sandbox_utils.js", this);
-
-/*
- * This test exercises file I/O from the content process using OS.File
- * methods to validate that calls that are meant to be blocked by content
- * sandboxing are blocked.
- */
-
-// Creates file at |path| and returns a promise that resolves with true
-// if the file was successfully created, otherwise false. Include imports
-// so this can be safely serialized and run remotely by ContentTask.spawn.
-function createFile(path) {
- Components.utils.import("resource://gre/modules/osfile.jsm");
- let encoder = new TextEncoder();
- let array = encoder.encode("WRITING FROM CONTENT PROCESS");
- return OS.File.writeAtomic(path, array).then(function(value) {
- return true;
- }, function(reason) {
- return false;
- });
-}
-
-// Deletes file at |path| and returns a promise that resolves with true
-// if the file was successfully deleted, otherwise false. Include imports
-// so this can be safely serialized and run remotely by ContentTask.spawn.
-function deleteFile(path) {
- Components.utils.import("resource://gre/modules/osfile.jsm");
- return OS.File.remove(path, {ignoreAbsent: false}).then(function(value) {
- return true;
- }).catch(function(err) {
- return false;
- });
-}
-
-// Returns true if the current content sandbox level, passed in
-// the |level| argument, supports filesystem sandboxing.
-function isContentFileIOSandboxed(level) {
- let fileIOSandboxMinLevel = 0;
-
- // Set fileIOSandboxMinLevel to the lowest level that has
- // content filesystem sandboxing enabled. For now, this
- // varies across Windows, Mac, Linux, other.
- switch (Services.appinfo.OS) {
- case "WINNT":
- fileIOSandboxMinLevel = 1;
- break;
- case "Darwin":
- fileIOSandboxMinLevel = 1;
- break;
- case "Linux":
- fileIOSandboxMinLevel = 2;
- break;
- default:
- Assert.ok(false, "Unknown OS");
- }
-
- return (level >= fileIOSandboxMinLevel);
-}
-
-//
-// Drive tests for a single content process.
-//
-// Tests attempting to write to a file in the home directory from the
-// content process--expected to fail.
-//
-// Tests attempting to write to a file in the content temp directory
-// from the content process--expected to succeed. On Mac and Windows,
-// use "ContentTmpD", but on Linux use "TmpD" until Linux uses the
-// content temp dir key.
-//
-add_task(function*() {
- // This test is only relevant in e10s
- if (!gMultiProcessBrowser) {
- ok(false, "e10s is enabled");
- info("e10s is not enabled, exiting");
- return;
- }
-
- let level = 0;
- let prefExists = true;
-
- // Read the security.sandbox.content.level pref.
- // If the pref isn't set and we're running on Linux on !isNightly(),
- // exit without failing. The Linux content sandbox is only enabled
- // on Nightly at this time.
- try {
- level = prefs.getIntPref("security.sandbox.content.level");
- } catch (e) {
- prefExists = false;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
- }
-
- ok(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(level > 0, "content sandbox enabled for !nightly.");
- return;
- }
-
- info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
- if (level == 0) {
- info("content sandbox is not enabled, exiting");
- return;
- }
-
- let isFileIOSandboxed = isContentFileIOSandboxed(level);
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(isFileIOSandboxed, "content file I/O sandbox enabled for !nightly.");
- return;
- }
-
- // Content sandbox enabled, but level doesn't include file I/O sandboxing.
- ok(isFileIOSandboxed, "content file I/O sandboxing is enabled.");
- if (!isFileIOSandboxed) {
- info("content sandbox level too low for file I/O tests, exiting\n");
- return;
- }
-
- let browser = gBrowser.selectedBrowser;
-
- {
- // test if the content process can create in $HOME, this should fail
- let homeFile = fileInHomeDir();
- let path = homeFile.path;
- let fileCreated = yield ContentTask.spawn(browser, path, createFile);
- ok(fileCreated == false, "creating a file in home dir is not permitted");
- if (fileCreated == true) {
- // content process successfully created the file, now remove it
- homeFile.remove(false);
- }
- }
-
- {
- // test if the content process can create a temp file, should pass
- let path = fileInTempDir().path;
- let fileCreated = yield ContentTask.spawn(browser, path, createFile);
- if (!fileCreated && isWin()) {
- // TODO: fix 1329294 and enable this test for Windows.
- // Not using todo() because this only fails on automation.
- info("ignoring failure to write to content temp due to 1329294\n");
- return;
- }
- ok(fileCreated == true, "creating a file in content temp is permitted");
- // now delete the file
- let fileDeleted = yield ContentTask.spawn(browser, path, deleteFile);
- ok(fileDeleted == true, "deleting a file in content temp is permitted");
- }
-});
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js
deleted file mode 100644
index d56456966..000000000
--- a/security/sandbox/test/browser_content_sandbox_syscalls.js
+++ /dev/null
@@ -1,223 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-var prefs = Cc["@mozilla.org/preferences-service;1"]
- .getService(Ci.nsIPrefBranch);
-
-Services.scriptloader.loadSubScript("chrome://mochitests/content/browser/" +
- "security/sandbox/test/browser_content_sandbox_utils.js", this);
-
-/*
- * This test is for executing system calls in content processes to validate
- * that calls that are meant to be blocked by content sandboxing are blocked.
- * We use the term system calls loosely so that any OS API call such as
- * fopen could be included.
- */
-
-// Calls the native execv library function. Include imports so this can be
-// safely serialized and run remotely by ContentTask.spawn.
-function callExec(args) {
- Components.utils.import("resource://gre/modules/ctypes.jsm");
- let {lib, cmd} = args;
- let libc = ctypes.open(lib);
- let exec = libc.declare("execv", ctypes.default_abi,
- ctypes.int, ctypes.char.ptr);
- let rv = exec(cmd);
- libc.close();
- return (rv);
-}
-
-// Calls the native fork syscall.
-function callFork(args) {
- Components.utils.import("resource://gre/modules/ctypes.jsm");
- let {lib} = args;
- let libc = ctypes.open(lib);
- let fork = libc.declare("fork", ctypes.default_abi, ctypes.int);
- let rv = fork();
- libc.close();
- return (rv);
-}
-
-// Calls the native open/close syscalls.
-function callOpen(args) {
- Components.utils.import("resource://gre/modules/ctypes.jsm");
- let {lib, path, flags} = args;
- let libc = ctypes.open(lib);
- let open = libc.declare("open", ctypes.default_abi,
- ctypes.int, ctypes.char.ptr, ctypes.int);
- let close = libc.declare("close", ctypes.default_abi,
- ctypes.int, ctypes.int);
- let fd = open(path, flags);
- close(fd);
- libc.close();
- return (fd);
-}
-
-// open syscall flags
-function openWriteCreateFlags() {
- Assert.ok(isMac() || isLinux());
- if (isMac()) {
- let O_WRONLY = 0x001;
- let O_CREAT = 0x200;
- return (O_WRONLY | O_CREAT);
- } else {
- // Linux
- let O_WRONLY = 0x01;
- let O_CREAT = 0x40;
- return (O_WRONLY | O_CREAT);
- }
-}
-
-// Returns the name of the native library needed for native syscalls
-function getOSLib() {
- switch (Services.appinfo.OS) {
- case "WINNT":
- return "kernel32.dll";
- case "Darwin":
- return "libc.dylib";
- case "Linux":
- return "libc.so.6";
- default:
- Assert.ok(false, "Unknown OS");
- }
-}
-
-// Returns a harmless command to execute with execv
-function getOSExecCmd() {
- Assert.ok(!isWin());
- return ("/bin/cat");
-}
-
-// Returns true if the current content sandbox level, passed in
-// the |level| argument, supports syscall sandboxing.
-function areContentSyscallsSandboxed(level) {
- let syscallsSandboxMinLevel = 0;
-
- // Set syscallsSandboxMinLevel to the lowest level that has
- // syscall sandboxing enabled. For now, this varies across
- // Windows, Mac, Linux, other.
- switch (Services.appinfo.OS) {
- case "WINNT":
- syscallsSandboxMinLevel = 1;
- break;
- case "Darwin":
- syscallsSandboxMinLevel = 1;
- break;
- case "Linux":
- syscallsSandboxMinLevel = 2;
- break;
- default:
- Assert.ok(false, "Unknown OS");
- }
-
- return (level >= syscallsSandboxMinLevel);
-}
-
-//
-// Drive tests for a single content process.
-//
-// Tests executing OS API calls in the content process. Limited to Mac
-// and Linux calls for now.
-//
-add_task(function*() {
- // This test is only relevant in e10s
- if (!gMultiProcessBrowser) {
- ok(false, "e10s is enabled");
- info("e10s is not enabled, exiting");
- return;
- }
-
- let level = 0;
- let prefExists = true;
-
- // Read the security.sandbox.content.level pref.
- // If the pref isn't set and we're running on Linux on !isNightly(),
- // exit without failing. The Linux content sandbox is only enabled
- // on Nightly at this time.
- try {
- level = prefs.getIntPref("security.sandbox.content.level");
- } catch (e) {
- prefExists = false;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
- }
-
- ok(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(level > 0, "content sandbox enabled for !nightly.");
- return;
- }
-
- info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
- if (level == 0) {
- info("content sandbox is not enabled, exiting");
- return;
- }
-
- let areSyscallsSandboxed = areContentSyscallsSandboxed(level);
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(areSyscallsSandboxed, "content syscall sandbox enabled for !nightly.");
- return;
- }
-
- // Content sandbox enabled, but level doesn't include syscall sandboxing.
- ok(areSyscallsSandboxed, "content syscall sandboxing is enabled.");
- if (!areSyscallsSandboxed) {
- info("content sandbox level too low for syscall tests, exiting\n");
- return;
- }
-
- let browser = gBrowser.selectedBrowser;
- let lib = getOSLib();
-
- // use execv syscall
- // (causes content process to be killed on Linux)
- if (isMac()) {
- // exec something harmless, this should fail
- let cmd = getOSExecCmd();
- let rv = yield ContentTask.spawn(browser, {lib, cmd}, callExec);
- ok(rv == -1, `exec(${cmd}) is not permitted`);
- }
-
- // use open syscall
- if (isLinux() || isMac())
- {
- // open a file for writing in $HOME, this should fail
- let path = fileInHomeDir().path;
- let flags = openWriteCreateFlags();
- let fd = yield ContentTask.spawn(browser, {lib, path, flags}, callOpen);
- ok(fd < 0, "opening a file for writing in home is not permitted");
- }
-
- // use open syscall
- if (isLinux() || isMac())
- {
- // open a file for writing in the content temp dir, this should work
- // and the open handler in the content process closes the file for us
- let path = fileInTempDir().path;
- let flags = openWriteCreateFlags();
- let fd = yield ContentTask.spawn(browser, {lib, path, flags}, callOpen);
- ok(fd >= 0, "opening a file for writing in content temp is permitted");
- }
-
- // use fork syscall
- if (isLinux() || isMac())
- {
- let rv = yield ContentTask.spawn(browser, {lib}, callFork);
- ok(rv == -1, "calling fork is not permitted");
- }
-});
diff --git a/security/sandbox/test/browser_content_sandbox_utils.js b/security/sandbox/test/browser_content_sandbox_utils.js
deleted file mode 100644
index 0e9d01352..000000000
--- a/security/sandbox/test/browser_content_sandbox_utils.js
+++ /dev/null
@@ -1,57 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-const uuidGenerator = Cc["@mozilla.org/uuid-generator;1"]
- .getService(Ci.nsIUUIDGenerator);
-
-/*
- * Utility functions for the browser content sandbox tests.
- */
-
-function isMac() { return Services.appinfo.OS == "Darwin" }
-function isWin() { return Services.appinfo.OS == "WINNT" }
-function isLinux() { return Services.appinfo.OS == "Linux" }
-
-function isNightly() {
- let version = SpecialPowers.Cc["@mozilla.org/xre/app-info;1"].
- getService(SpecialPowers.Ci.nsIXULAppInfo).version;
- return (version.endsWith("a1"));
-}
-
-function uuid() {
- return uuidGenerator.generateUUID().toString();
-}
-
-// Returns a file object for a new file in the home dir ($HOME/<UUID>).
-function fileInHomeDir() {
- // get home directory, make sure it exists
- let homeDir = Services.dirsvc.get("Home", Ci.nsILocalFile);
- Assert.ok(homeDir.exists(), "Home dir exists");
- Assert.ok(homeDir.isDirectory(), "Home dir is a directory");
-
- // build a file object for a new file named $HOME/<UUID>
- let homeFile = homeDir.clone();
- homeFile.appendRelativePath(uuid());
- Assert.ok(!homeFile.exists(), homeFile.path + " does not exist");
- return (homeFile);
-}
-
-// Returns a file object for a new file in the content temp dir (.../<UUID>).
-function fileInTempDir() {
- let contentTempKey = "ContentTmpD";
- if (Services.appinfo.OS == "Linux") {
- // Linux builds don't use the content-specific temp key
- contentTempKey = "TmpD";
- }
-
- // get the content temp dir, make sure it exists
- let ctmp = Services.dirsvc.get(contentTempKey, Ci.nsILocalFile);
- Assert.ok(ctmp.exists(), "Content temp dir exists");
- Assert.ok(ctmp.isDirectory(), "Content temp dir is a directory");
-
- // build a file object for a new file in content temp
- let tempFile = ctmp.clone();
- tempFile.appendRelativePath(uuid());
- Assert.ok(!tempFile.exists(), tempFile.path + " does not exist");
- return (tempFile);
-}