Open Bug 1338747 Opened 7 years ago Updated 2 years ago

Test the sandbox syscall reporter from bug 1286865

Categories

(Core :: Security: Process Sandboxing, defect, P3)

Unspecified
Linux
defect

Tracking

()

Tracking Status
firefox54 --- affected

People

(Reporter: jld, Assigned: jld)

References

Details

(Whiteboard: sb+)

Attachments

(1 file)

I have a patch that (1) uses the SandboxCrashOnError flag from bug 1286865 to allow security/sandbox/test/browser_content_sandbox_syscalls.js to do its execve test on Linux nightly without crashing the content process, and (2) also queries the syscall reporter to verify that the expected syscall was reported.

Currently it's very ad-hoc and would need some cleanup to extend what it does to other tests, but it's a start.
Comment on attachment 8836299 [details]
Bug 1338747 - Adjust the existing sandbox tests to cover the syscall reporter.

https://reviewboard.mozilla.org/r/111762/#review113118

Looks good. I was just wondering if you verified the exec call does succeed when the sandbox is disabled. I think I checked that when adding the test, but it would be good to make sure.

::: security/sandbox/test/browser_content_sandbox_syscalls.js:228
(Diff revision 1)
> +    // On Linux, check that the syscall reporter picked up the failure.
> +    if (linux) {
> +      let snapshot = reporter.snapshot();
> +      let newSyscallCount = snapshot.end;
> +      ok(newSyscallCount == oldSyscallCount + 1,
> +	 "Exactly 1 rejected syscall reported during test");
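
Review bot: in the `if (linux)` block, `ok(newSyscallCount == oldSyscallCount + 1, ...)` only compares counts, so it passes whenever exactly one syscall of any kind was rejected during the test, not specifically the execve that the test issues. Since `snapshot` is already fetched, also assert that the syscall recorded for the new entry is the expected one, and consider `is(newSyscallCount, oldSyscallCount + 1, ...)` so that a failure prints both values. The continuation line of the `ok(...)` call is indented with a tab where the rest of the hunk uses spaces.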

If we ever encounter more than one rejected syscall, it could be useful to log all the syscall numbers in the snapshot so we know what happened, in case it's not easily reproducible.
Attachment #8836299 - Flags: review?(haftandilian) → review+
Comment on attachment 8836299 [details]
Bug 1338747 - Adjust the existing sandbox tests to cover the syscall reporter.

https://reviewboard.mozilla.org/r/111762/#review113304
Attachment #8836299 - Flags: review?(gpascutto) → review+
Whiteboard: sblc2
Whiteboard: sblc2 → sblc3
Priority: -- → P3
Whiteboard: sblc3 → sb+
Severity: normal → S3