Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / 5f95856451d40eb6db73f6c23a98971943a760d6 / . / permission_broker / firewall_test.cc
blob: 9d5e43454f8c520f1174cda6e63ff1aa92edcb6a [file] [log] [blame]
// Copyright 2017 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "permission_broker/firewall.h"
#include <gtest/gtest.h>
#include "permission_broker/mock_firewall.h"
namespace permission_broker {
using testing::_;
using testing::Return;
class FirewallTest : public testing::Test {
public:
FirewallTest() = default;
~FirewallTest() override = default;
protected:
void SetMockExpectations(MockFirewall* firewall, bool success) {
// Empty criterion matches all commands.
firewall->SetRunInMinijailFailCriterion(std::vector<std::string>(), true,
success);
}
void SetMockExpectationsPerExecutable(MockFirewall* firewall,
bool ip4_success,
bool ip6_success) {
if (!ip4_success)
firewall->SetRunInMinijailFailCriterion(
std::vector<std::string>({kIpTablesPath}), true /* repeat */,
false /* omit_failure */);
if (!ip6_success)
firewall->SetRunInMinijailFailCriterion(
std::vector<std::string>({kIp6TablesPath}), true, false);
}
private:
DISALLOW_COPY_AND_ASSIGN(FirewallTest);
};
TEST_F(FirewallTest, Port0Fails) {
MockFirewall mock_firewall;
// Don't fail on anything.
int id = mock_firewall.SetRunInMinijailFailCriterion(
std::vector<std::string>(), true, true);
// Try to punch hole for TCP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 0, "iface"));
// Try to punch hole for UDP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 0, "iface"));
// Try to plug hole for TCP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 0, "iface"));
// Try to plug hole for UDP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 0, "iface"));
// We should not be adding/removing any rules for port 0.
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, ValidInterfaceName) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, true /* success */);
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "shortname"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "shortname"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "middle-dash"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "middle-dash"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "middle.dot"));
EXPECT_TRUE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "middle.dot"));
}
TEST_F(FirewallTest, InvalidInterfaceName) {
MockFirewall mock_firewall;
int id = mock_firewall.SetRunInMinijailFailCriterion(
std::vector<std::string>(), true, true);
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80,
"reallylonginterfacename"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "with spaces"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "with$ymbols"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "-startdash"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "enddash-"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, ".startdot"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "enddot."));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53,
"reallylonginterfacename"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "with spaces"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "with$ymbols"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "-startdash"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "enddash-"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, ".startdot"));
EXPECT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "enddot."));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80,
"reallylonginterfacename"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "with spaces"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "with$ymbols"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "-startdash"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "enddash-"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, ".startdot"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolTcp, 80, "enddot."));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53,
"reallylonginterfacename"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "with spaces"));
EXPECT_FALSE(
mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "with$ymbols"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "-startdash"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "enddash-"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, ".startdot"));
EXPECT_FALSE(mock_firewall.DeleteAcceptRules(kProtocolUdp, 53, "enddot."));
// We should not be adding/removing any rules for invalid interface names.
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, AddAcceptRules_Fails) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, false /* success */);
// Punch hole for TCP port 80, should fail.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "iface"));
// Punch hole for UDP port 53, should fail.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "iface"));
}
TEST_F(FirewallTest, AddAcceptRules_Ipv6Fails) {
MockFirewall mock_firewall;
SetMockExpectationsPerExecutable(
&mock_firewall, true /* ip4_success */, false /* ip6_success */);
// Punch hole for TCP port 80, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolTcp, 80, "iface"));
// Punch hole for UDP port 53, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddAcceptRules(kProtocolUdp, 53, "iface"));
}
TEST_F(FirewallTest, Port0LockdownFails) {
MockFirewall mock_firewall;
// Don't fail on anything.
int id = mock_firewall.SetRunInMinijailFailCriterion(
std::vector<std::string>(), true, true);
// Try to lock down TCP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 0));
// Try to lock down UDP port 0, port 0 is not a valid port.
EXPECT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 0));
// We should not be adding/removing any rules for port 0.
EXPECT_EQ(mock_firewall.GetRunInMinijailCriterionMatchCount(id), 0);
}
TEST_F(FirewallTest, AddLoopbackLockdownRules_Success) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, true /* success */);
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 80));
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 53));
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 1234));
ASSERT_TRUE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 8080));
}
TEST_F(FirewallTest, AddLoopbackLockdownRules_Fails) {
MockFirewall mock_firewall;
SetMockExpectations(&mock_firewall, false /* success */);
// Lock down TCP port 80, should fail.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 80));
// Lock down UDP port 53, should fail.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 53));
}
TEST_F(FirewallTest, AddLoopbackLockdownRules_Ipv6Fails) {
MockFirewall mock_firewall;
SetMockExpectationsPerExecutable(&mock_firewall, true /* ip4_success */,
false /* ip6_success */);
// Lock down TCP port 80, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolTcp, 80));
// Lock down UDP port 53, should fail because 'ip6tables' fails.
ASSERT_FALSE(mock_firewall.AddLoopbackLockdownRules(kProtocolUdp, 53));
}
} // namespace permission_broker