guarddog/scripts/test-sandbox.sh at master · codedokode/guarddog · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# !/bin/bash

# Test whether program can restrict allowed syscalls set
# set -e

function expect_string() {
    if [ "$1" != "$2" ]
    then
        echo "Test failed, expected:"
        echo "$1"
        echo "Got: "
        echo "$2"
        echo
        exit 1
    fi
}

# Returns result in global variable '$output'
function run_command() {
    local expect_zero="$1"
    shift
    local command="$@"
    echo "Command: $command"
    output=`$command`
    local code=$?

    if [ $expect_zero == "zero" ]
    then
        if [ "$code" -ne 0 ]
        then
            echo "Expected zero exit code, got $code"
            echo
            echo "Result of running under strace: "
            strace -f $command || true
            exit 1
        fi

        echo "Exit code of command was 0"
        return 0
    fi

    if [ "$expect_zero" == "nonzero" ]
    then
        if [ "$code" -eq 0 ]
        then
            echo "Expected non-zero exit code, got zero"
            echo
            echo "Result of running under strace: "
            strace -f $command
            exit 1
        fi

        echo "Exit code of command was $code"
        return 0
    fi

    echo "First argument must be 'zero' or 'nonzero', given '$expect_zero'"
    exit 2
}

# Minimal set of syscalls used by dynamic loader and standard library on i686 arch
# Obtained by running strace -f /bin/true
# execve() is needed to start the program
ALLOWED_CALLS=( execve brk access mmap2 open fstat64 close read set_thread_area mprotect munmap exit_group )

# Syscalls are different on different archs
ARCH=`uname -m`
if [ "$ARCH" == x86_64 ]
then
    ALLOWED_CALLS+=( fstat mmap arch_prctl )
fi

# ALLOWED_CALLS=( execve brk access mmap2 open fstat64 close read set_thread_area mprotect munmap exit_group )
BINARY="$1"
FLAGS=""

[ ! -f "$BINARY" ] && { echo "Fail: path to tested binary not given"; exit 1; }

allowed_options=()
for syscall in "${ALLOWED_CALLS[@]}"
do
    allowed_options+=("--allow=$syscall")
done

echo
echo "Test: execve works when no filtering is set"
command1="$BINARY $FLAGS -verbose -allow-any-syscalls -- /bin/echo yes"
run_command zero $command1
expect_string "yes" "$output"

echo
echo "Test: whether echo works with write allowed"
command1="$BINARY $FLAGS -verbose -trap ${allowed_options[@]} -allow=write -- /bin/echo yes"
run_command zero $command1
expect_string "yes" "$output"

echo
echo "Test: whether echo fails if write is not allowed"
command2="$BINARY $FLAGS -trap ${allowed_options[@]} -- /bin/echo no"
run_command nonzero $command2
expect_string "" "$output"

echo
echo "Functional tests finished OK"
exit 0