--[[
Copyright 2016, CZ.NIC z.s.p.o. (http://www.nic.cz/)

This file is part of the turris updater.

Updater is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

Updater is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Updater.  If not, see <http://www.gnu.org/licenses/>.
]]--

require 'lunit'
local sandbox = require 'sandbox'
local utils = require 'utils'
local backend = require 'backend'

-- Declare this file as the module "sandbox-tests" (Lua 5.1 module()).
-- package.seeall keeps the ordinary globals reachable from inside the module,
-- and the global test_* functions and teardown() defined below become its
-- members; lunit.testcase is applied to the module as an option.
module("sandbox-tests", package.seeall, lunit.testcase)

-- Test creating brand new contexts (no inheritance)
function test_context_new()
	-- Covers sandbox.new() without a parent: argument validation, the
	-- ordering enforced by level_check(), which globals each security level
	-- exposes, and that state variables reach the environment as copies.
	local function assert_type(expected, value)
		assert_equal(expected, type(value))
	end
	sandbox.load_state_vars()
	-- Override one state variable so its propagation into env can be observed.
	sandbox.state_vars.model = 'test'
	-- Neither a parent nor a security level: creation must be refused.
	assert_error(sandbox.new)
	-- An unknown security level must be refused as well.
	local function new_with_bad_level()
		sandbox.new('Invalid level')
	end
	assert_error(new_with_bad_level)
	-- One fresh context per known level.
	local level_names = {"Full", "Local", "Remote", "Restricted"}
	for _, level_name in ipairs(level_names) do
		local is_full = level_name == "Full"
		local ctx = sandbox.new(level_name, nil, "")
		-- Every context passes a check for Restricted and for its own level;
		-- the level may be given by name or as a level object.
		assert(ctx:level_check("Restricted"))
		assert(ctx:level_check(level_name))
		assert(ctx:level_check(sandbox.level("Restricted")))
		-- Only a Full context may pass a check for Full.
		if not is_full then
			assert_false(ctx:level_check("Full"))
		end
		assert_type("table", ctx)
		assert_type("table", ctx.env)
		assert_type("table", ctx.exported)
		assert_type("function", ctx.level_check)
		-- Present at every level. string is compared by content rather than
		-- by identity, so an environment carrying its own copy passes too.
		assert_equal(pairs, ctx.env.pairs)
		assert_table_equal(string, ctx.env.string)
		-- utils and getmetatable are handed to Full only; every lower level
		-- must see nil for both.
		if is_full then
			assert_equal(utils, ctx.env.utils)
			assert_equal(getmetatable, ctx.env.getmetatable)
		else
			assert_nil(ctx.env.utils)
			assert_nil(ctx.env.getmetatable)
		end
		-- The override made above is visible inside the sandbox.
		assert_equal("test", ctx.env.model)
		-- Other architectures may or may not be detected; "all" must be first.
		assert_equal("all", ctx.env.architectures[1])
		-- A write through the sandboxed table must not reach sandbox.state_vars.
		ctx.env.architectures[1] = 'changed'
		assert_equal(sandbox.state_vars.architectures[1], 'all')
		-- Drop the members already checked; only the level and the type tag
		-- may remain.
		for _, member in ipairs({"env", "exported", "level_check"}) do
			ctx[member] = nil
		end
		assert_table_equal({sec_level = sandbox.level(level_name), tp = "context"}, ctx)
	end
end

-- Create contexts by inheriting it from a parent
function test_context_inherit()
	-- Covers sandbox.new() with a parent: the level is inherited when none is
	-- given, can be lowered explicitly, and a lower-level child environment
	-- holds no name that its parent environment lacks.
	local full_ctx = sandbox.new('Full')
	local inherited = sandbox.new(nil, full_ctx)
	assert_equal(full_ctx, inherited.parent)
	assert_equal(sandbox.level('Full'), inherited.sec_level)
	inherited.parent = nil
	-- Reduce an environment to name -> type(value); some functions are
	-- generated per context, so the values themselves cannot be compared.
	local function env_shape(context)
		local function name_and_type(n, v)
			return n, type(v)
		end
		return utils.map(context.env, name_and_type)
	end
	-- NOTE(review): both operands are tables returned by separate utils.map
	-- calls. If utils.map builds a new table each time and assert_not_equal
	-- compares with ==, this holds for any two contexts, so it does not show
	-- that the environments are distinct instances or that they look alike.
	-- Confirm whether an identity check on the env tables plus a content
	-- comparison of the two shapes was intended.
	local parent_shape = env_shape(full_ctx)
	local child_shape = env_shape(inherited)
	assert_not_equal(parent_shape, child_shape)
	-- Without env and level_check the two contexts must be equal by content.
	for _, ctx in ipairs({full_ctx, inherited}) do
		ctx.env = nil
		ctx.level_check = nil
	end
	assert_table_equal(full_ctx, inherited)
	-- Second chain: Full parent, a child inheriting Full, a Remote grandchild.
	local middle = sandbox.new(nil, full_ctx)
	middle.test_field = "value"
	local remote_ctx = sandbox.new('Remote', middle)
	assert_equal(middle, remote_ctx.parent)
	assert_equal(sandbox.level('Remote'), remote_ctx.sec_level)
	-- io is absent at Remote, while a field set on the parent context is
	-- readable through the child.
	assert_nil(remote_ctx.env.io)
	assert_equal("value", remote_ctx.test_field)
	-- Lowering the level must never add a name the parent environment lacks.
	local parent_env = middle.env
	for name in pairs(remote_ctx.env) do
		assert(parent_env[name] ~= nil)
	end
end

-- Test running chunks in the sandbox
function test_sandbox_run()
	-- Runs small chunks through sandbox.run_sandboxed at several security
	-- levels and checks which globals are reachable and how compile-time and
	-- run-time failures are reported.
	local chunks = {
		ok = [[call()]],
		io = [[io.open("/dev/zero")]],
		meta = [[getmetatable({})]],
		private = [[utils.private({})]],
		parse = [[this is invalid lua code!!!!]],
		runtime = [[error("Error!")]],
	}
	-- Shape of the error value run_sandboxed is expected to return.
	local function failure(reason, msg)
		return { tp = "error", reason = reason, msg = msg }
	end
	-- Run one chunk with a call() function injected into its environment.
	-- expected: error table to match, or nil to skip the result check.
	-- result_called: whether the chunk is expected to have invoked call().
	-- NOTE(review): with expected == nil nothing about the result is
	-- asserted, so the "allowed at Full" cases below would also pass if
	-- run_sandboxed returned an error value for an unrelated reason.
	local function run_and_check(chunk, sec_level, expected, result_called)
		local called
		local result = sandbox.run_sandboxed(chunk, "Chunk name", sec_level, nil, nil, function (context)
			context.env.call = function ()
				called = true
			end
		end)
		if expected then
			assert_table_equal(expected, result)
		end
		assert_equal(result_called, called)
	end
	-- An injected function is callable at both ends of the scale and can
	-- still write to the upvalue it closes over.
	run_and_check(chunks.ok, "Restricted", nil, true)
	run_and_check(chunks.ok, "Full", nil, true)
	-- io: missing at Restricted, usable at Full.
	run_and_check(chunks.io, "Restricted", failure(
		"runtime",
		"[string \"Chunk name\"]:1: attempt to index global 'io' (a nil value)"
	))
	run_and_check(chunks.io, "Full", nil)
	-- utils: missing at Local, usable at Full.
	run_and_check(chunks.private, "Local", failure(
		"runtime",
		"[string \"Chunk name\"]:1: attempt to index global 'utils' (a nil value)"
	))
	run_and_check(chunks.private, "Full", nil)
	-- getmetatable: missing at Local, usable at Full.
	run_and_check(chunks.meta, "Local", failure(
		"runtime",
		"[string \"Chunk name\"]:1: attempt to call global 'getmetatable' (a nil value)"
	))
	run_and_check(chunks.meta, "Full", nil)
	-- A chunk that does not parse is reported with reason "compilation".
	run_and_check(chunks.parse, "Full", failure(
		"compilation",
		"[string \"Chunk name\"]:1: '=' expected near 'is'"
	))
	-- An error raised by the chunk is reported with reason "runtime".
	run_and_check(chunks.runtime, "Full", failure(
		"runtime",
		"[string \"Chunk name\"]:1: Error!"
	))
end

-- Export: a global named by Export is visible in contexts derived from the
-- one that ran the chunk (checked for a Full child and a Restricted
-- grandchild), other globals of the chunk are not, and a predefined name
-- cannot be exported.
function test_exported()
	local chunk_export = [[test = 'testing text'
nontest = 'missing text'
Export 'test']]
	local origin = sandbox.run_sandboxed(chunk_export, "Chunk name", "Full", nil, nil, nil)
	assert_not_equal('error', origin.tp)
	-- Inside the context that ran the chunk both globals exist.
	assert_equal('testing text', origin.env.test)
	assert_equal('missing text', origin.env.nontest)
	local full_child = sandbox.new("Full", origin)
	local restricted_child = sandbox.new("Restricted", full_child)
	local descendants = {full_child, restricted_child}
	-- The exported value reaches both descendants...
	for _, child in ipairs(descendants) do
		assert_equal(origin.env.test, child.env.test)
	end
	-- ...while the global that was not exported reaches neither.
	for _, child in ipairs(descendants) do
		assert_nil(child.env.nontest)
	end
	-- Exporting a name the sandbox already defines is refused with an error.
	local refused = sandbox.run_sandboxed("Export 'pairs'", "Chunk error", "Full", nil, nil, nil)
	assert_table_equal({
		tp = "error",
		reason = "bad value",
		msg = "Trying to export predefined variable 'pairs'"
	}, refused)
end

-- sandbox.level(): construction from a name, ordering between levels,
-- pass-through of level objects and nil, and the error for an unknown name.
function test_level()
	local full = sandbox.level("Full")
	assert_equal("Full", tostring(full))
	-- A level equals itself and is not strictly below itself.
	assert_equal(full, full)
	assert(full <= full)
	assert_false(full ~= full)
	assert_false(full < full)
	-- Restricted sorts strictly below Full in every comparison form.
	local restricted = sandbox.level("Restricted")
	assert(restricted < full)
	assert(restricted <= full)
	assert_false(full < restricted)
	assert_false(full <= restricted)
	assert(full > restricted)
	assert(full >= restricted)
	-- An existing level object is handed back as it is.
	local passed_through = sandbox.level(restricted)
	assert_equal(restricted, passed_through)
	-- nil in, nil out.
	assert_nil(sandbox.level(nil))
	-- An unknown name raises a structured error value, not a plain string.
	local succeeded, problem = pcall(sandbox.level, "Does not exist")
	assert_false(succeeded)
	assert_table_equal({
		tp = "error",
		reason = "bad value",
		msg = "No such level Does not exist"
	}, problem)
end

-- Check the sandbox can't damage a system library
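function test_syslib()
	-- A Local-level chunk that assigns into string must leave the library
	-- used by the rest of the process untouched; at Full the same assignment
	-- is expected to take effect.
	local overwrite = [[string.lower = function () return "hello" end]]
	-- Keep the real implementation and install a wrapper through mock_gen.
	-- Presumably this lets mocks_reset() in teardown() undo the replacement
	-- made by the Full-level chunk below. TODO confirm against mock_gen.
	local real_lower = string.lower
	mock_gen("string.lower", function (...) return real_lower(...) end)
	local local_result = sandbox.run_sandboxed(overwrite, "Chunk name", "Local")
	-- Failure message: the error values asserted elsewhere in this file carry
	-- their text in msg, so that field is passed instead of err.
	assert_equal("context", local_result.tp, local_result.msg)
	-- str:lower() resolves through the real string table, so it shows
	-- whether the sandboxed assignment leaked out.
	local str = "HI"
	assert_equal("hi", str:lower())
	-- NOTE(review): only Local is exercised; Remote and Restricted are not
	-- covered by this test.
	-- Everything is allowed inside the full security level
	local full_result = sandbox.run_sandboxed(overwrite, "Chunk name 2", "Full")
	assert_equal("context", full_result.tp, full_result.msg)
	assert_equal("hello", str:lower())
end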

-- Test the complex dep descriptions
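function test_deps()
	-- And/Or/Not are callable at the Restricted level and each yields
	-- {tp = <dependency type>, sub = {<arguments in order>}}.
	for fun, tp in pairs({And = 'dep-and', Or = 'dep-or', Not = 'dep-not'}) do
		local env
		local chunk = "res = " .. fun .. "('a', 'b', 'c')"
		local result = sandbox.run_sandboxed(chunk, "Chunk name", "Restricted", nil, nil, function (context)
			-- Keep a handle on the environment so res can be read after the run.
			env = context.env
		end)
		-- Failure message: the error values asserted elsewhere in this file
		-- carry their text in msg, so that field is passed instead of err.
		assert_equal("context", result.tp, result.msg)
		assert_table_equal({
			tp = tp,
			sub = {'a', 'b', 'c'}
		}, env.res)
	end
	-- Nested use: the inner descriptions appear as elements of the outer sub.
	local nested_env
	local nested_result = sandbox.run_sandboxed([[
		res = Or('pkg1', And(Not('pkg2'), 'pkg3'))
	]], "Chunk name", 'Restricted', nil, nil, function (context)
		nested_env = context.env
	end)
	assert_equal("context", nested_result.tp, nested_result.msg)
	assert_table_equal({
		tp = 'dep-or',
		sub = {
			'pkg1',
			{
				tp = 'dep-and',
				sub = {
					{
						tp = 'dep-not',
						sub = {
							'pkg2'
						}
					},
					'pkg3'
				}
			}
		}
	}, nested_env.res)
end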

-- Test-case cleanup hook: resets the mocks installed by the tests.
-- test_syslib wraps string.lower through mock_gen and then lets a Full-level
-- chunk overwrite it; presumably mocks_reset() restores the original so
-- later tests see the real function. TODO confirm against the mock helpers.
function teardown()
	mocks_reset()
end