Tests/Kernel/TestKernelUnveil.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

/*
 * Copyright (c) 2020, the SerenityOS developers.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibTest/TestCase.h>
#include <errno.h>
#include <unistd.h>

TEST_CASE(test_argument_validation)
{
    auto res = unveil("/etc", "aaaaaaaaaaaa");
    EXPECT_EQ(res, -1);
    EXPECT_EQ(errno, EINVAL);

    res = unveil(nullptr, "r");
    EXPECT_EQ(res, -1);
    EXPECT_EQ(errno, EINVAL);

    res = unveil("/etc", nullptr);
    EXPECT_EQ(res, -1);
    EXPECT_EQ(errno, EINVAL);

    res = unveil("", "r");
    EXPECT_EQ(res, -1);
    EXPECT_EQ(errno, EINVAL);

    res = unveil("test", "r");
    EXPECT_EQ(res, -1);
    EXPECT_EQ(errno, EINVAL);

    res = unveil("/etc", "f");
    EXPECT_EQ(res, -1);
    EXPECT_EQ(errno, EINVAL);
}

TEST_CASE(test_failures)
{
    auto res = unveil("/etc", "r");
    if (res < 0)
        FAIL("unveil read only failed");

    res = unveil("/etc", "w");
    if (res >= 0)
        FAIL("unveil write permitted after unveil read only");

    res = unveil("/etc", "x");
    if (res >= 0)
        FAIL("unveil execute permitted after unveil read only");

    res = unveil("/etc", "c");
    if (res >= 0)
        FAIL("unveil create permitted after unveil read only");

    res = unveil("/tmp/doesnotexist", "c");
    if (res < 0)
        FAIL("unveil create on non-existent path failed");

    res = unveil("/home", "b");
    if (res < 0)
        FAIL("unveil browse failed");

    res = unveil("/home", "w");
    if (res >= 0)
        FAIL("unveil write permitted after unveil browse only");

    res = unveil("/home", "x");
    if (res >= 0)
        FAIL("unveil execute permitted after unveil browse only");

    res = unveil("/home", "c");
    if (res >= 0)
        FAIL("unveil create permitted after unveil browse only");

    res = unveil(nullptr, nullptr);
    if (res < 0)
        FAIL("unveil state lock failed");

    res = unveil("/bin", "w");
    if (res >= 0)
        FAIL("unveil permitted after unveil state locked");

    res = access("/bin/id", F_OK);
    if (res == 0)
        FAIL("access(..., F_OK) permitted after locked veil without relevant unveil");
}