Add sandbox unit tests
Add a set of basic unit tests for the Linux seccomp sandbox, testing each filtered function to verify it both succeeds and fails where expected. Resolves issue #16803 (closed).
Among other things these tests are helpful for verifying the correct seccomp rules are generated for the target system, as the syscalls used by glibc vary between its versions and across the architectures it supports.
A few things I noticed while putting this together:
- There is no `sandbox_cfg_free` function to match `sandbox_cfg_new`. Should there be? It may not matter much as I expect normally only a single sandbox configuration is generated for the life of the process, but without an appropriate way to deallocate this structure the test cases are definitely leaking memory.
- The sandbox allows all `stat` syscalls to succeed by default, regardless of its configuration, as `SCMP_SYS(stat)` is included in the `filter_nopar_gen` array in src/lib/sandbox/sandbox.c. This means `sandbox_cfg_allow_stat_filename` is effectively a no-op on platforms that implement this legacy syscall, including x86-64. Is this intentional?
- The test cases impact the use of gcov, causing the unit-test driver to output a lot of lines like

  ```
  profiling:tor/src/feature/relay/core_libtor_app_testing_a-relay_metrics.gcda:Cannot open
  profiling:tor/src/ext/lib_libtor_term_testing_a-readpassphrase.gcda:Cannot open
  profiling:tor/src/core/or/libtor_app_testing_a-or_periodic.gcda:Cannot open
  ```

  while the coverage results still show most lines of sandbox.c unexecuted. I presume this is because the sandbox is still active when gcov runs but I haven't yet found a way around this.
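As an added example, not code from this merge request or from tor's `src/lib/sandbox`, here is the shape of a seccomp test harness that checks each filtered call both ways, as the description above says the new tests do: the filter is installed in a forked child, the child attempts one syscall, and the parent classifies how the child ended (clean exit versus death by `SIGSYS`). The filter itself is a constructed toy that blocks only `getppid(2)`, so the outcome is easy to observe; it does not reproduce tor's rules, and the helper names (`run_sandboxed`, `install_toy_filter`) are assumptions of this example. Installing the filter in the child also keeps the test driver's own process unsandboxed, which matters for anything the driver does after the tests have run.

```c
/* Added example: a fork-based harness for testing a seccomp filter. This is
 * not tor's sandbox code; the filter below is a constructed toy that blocks
 * only getppid(2). Linux only. */
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* How the child ended, as reported to the test. */
enum outcome {
    OUTCOME_OK = 0,            /* child ran the call and exited 0 */
    OUTCOME_KILLED_SIGSYS = 1, /* the filter killed the child */
    OUTCOME_SETUP_FAILED = -1, /* fork/prctl failed, nothing was tested */
    OUTCOME_OTHER = -2         /* unexpected exit status */
};

/* Toy filter: kill on getppid, allow everything else. A real filter must
 * also compare seccomp_data.arch before trusting the syscall number, since
 * numbers differ between architectures (the point the MR makes about glibc
 * and its targets). */
static struct sock_filter toy_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

static int install_toy_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(toy_filter) / sizeof(toy_filter[0]),
        .filter = toy_filter,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn() in a forked child, optionally under the filter, and classify
 * how the child ended. Only the child is ever sandboxed. */
static enum outcome run_sandboxed(void (*fn)(void), int with_filter)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_SETUP_FAILED;
    if (pid == 0) {
        if (with_filter && install_toy_filter() != 0)
            _exit(2);
        fn();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return OUTCOME_SETUP_FAILED;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return OUTCOME_KILLED_SIGSYS;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return OUTCOME_OK;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return OUTCOME_SETUP_FAILED;
    return OUTCOME_OTHER;
}

/* Raw syscalls so no library wrapper can route around the filter. */
static void call_getppid(void) { (void)syscall(SYS_getppid); }
static void call_getpid(void)  { (void)syscall(SYS_getpid); }

/* Each filtered call is checked both ways: it must fail under the filter
 * and succeed without it; an unfiltered call must still succeed. */
int test_getppid_killed_under_filter(void)   { return run_sandboxed(call_getppid, 1) == OUTCOME_KILLED_SIGSYS; }
int test_getppid_allowed_without_filter(void) { return run_sandboxed(call_getppid, 0) == OUTCOME_OK; }
int test_getpid_allowed_under_filter(void)    { return run_sandboxed(call_getpid, 1) == OUTCOME_OK; }

int main(void)
{
    printf("getppid under filter killed: %d\n", test_getppid_killed_under_filter());
    printf("getppid without filter ok:   %d\n", test_getppid_allowed_without_filter());
    printf("getpid under filter ok:      %d\n", test_getpid_allowed_under_filter());
    return 0;
}
```

The three checks print `1` on a Linux host where an unprivileged process may install a filter; a `0` from the first check with `OUTCOME_SETUP_FAILED` behind it means the filter never went in (for example a container policy refusing `PR_SET_SECCOMP`), which the harness reports separately rather than mistaking it for a rule that let the call through.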