diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:27 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:13:27 +0000 |
commit | 40a355a42d4a9444dc753c04c6608dade2f06a23 (patch) | |
tree | 871fc667d2de662f171103ce5ec067014ef85e61 /security/sandbox/test/browser_content_sandbox_syscalls.js | |
parent | Adding upstream version 124.0.1. (diff) | |
download | firefox-40a355a42d4a9444dc753c04c6608dade2f06a23.tar.xz firefox-40a355a42d4a9444dc753c04c6608dade2f06a23.zip |
Adding upstream version 125.0.1.upstream/125.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox/test/browser_content_sandbox_syscalls.js')
-rw-r--r-- | security/sandbox/test/browser_content_sandbox_syscalls.js | 41 |
1 files changed, 26 insertions, 15 deletions
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js index dab47cf356..71d3c7ad12 100644 --- a/security/sandbox/test/browser_content_sandbox_syscalls.js +++ b/security/sandbox/test/browser_content_sandbox_syscalls.js @@ -262,7 +262,7 @@ add_task(async function () { } info(`security.sandbox.content.level=${level}`); - ok(level > 0, "content sandbox is enabled."); + Assert.greater(level, 0, "content sandbox is enabled."); let areSyscallsSandboxed = areContentSyscallsSandboxed(level); @@ -282,7 +282,7 @@ add_task(async function () { // exec something harmless, this should fail let cmd = getOSExecCmd(); let rv = await SpecialPowers.spawn(browser, [{ lib, cmd }], callExec); - ok(rv == -1, `exec(${cmd}) is not permitted`); + Assert.equal(rv, -1, `exec(${cmd}) is not permitted`); } // use open syscall @@ -295,7 +295,7 @@ add_task(async function () { [{ lib, path, flags }], callOpen ); - ok(fd < 0, "opening a file for writing in home is not permitted"); + Assert.less(fd, 0, "opening a file for writing in home is not permitted"); } // use open syscall @@ -311,19 +311,24 @@ add_task(async function () { callOpen ); if (isMac()) { - ok( - fd === -1, + Assert.strictEqual( + fd, + -1, "opening a file for writing in content temp is not permitted" ); } else { - ok(fd >= 0, "opening a file for writing in content temp is permitted"); + Assert.greaterOrEqual( + fd, + 0, + "opening a file for writing in content temp is permitted" + ); } } // use fork syscall if (isLinux() || isMac()) { let rv = await SpecialPowers.spawn(browser, [{ lib }], callFork); - ok(rv == -1, "calling fork is not permitted"); + Assert.equal(rv, -1, "calling fork is not permitted"); } // On macOS before 10.10 the |sysctl-name| predicate didn't exist for @@ -336,21 +341,21 @@ add_task(async function () { [{ lib, name: "kern.boottime" }], callSysctl ); - ok(rv == -1, "calling sysctl('kern.boottime') is not permitted"); + Assert.equal(rv, -1, "calling sysctl('kern.boottime') is not permitted"); rv = await SpecialPowers.spawn( browser, [{ lib, name: "net.inet.ip.ttl" }], callSysctl ); - ok(rv == -1, "calling sysctl('net.inet.ip.ttl') is not permitted"); + Assert.equal(rv, -1, "calling sysctl('net.inet.ip.ttl') is not permitted"); rv = await SpecialPowers.spawn( browser, [{ lib, name: "hw.ncpu" }], callSysctl ); - ok(rv == 0, "calling sysctl('hw.ncpu') is permitted"); + Assert.equal(rv, 0, "calling sysctl('hw.ncpu') is permitted"); } if (isLinux()) { @@ -359,7 +364,11 @@ add_task(async function () { // verify we block PR_CAPBSET_READ with EINVAL let option = lazy.LIBC.PR_CAPBSET_READ; let rv = await SpecialPowers.spawn(browser, [{ lib, option }], callPrctl); - ok(rv === lazy.LIBC.EINVAL, "prctl(PR_CAPBSET_READ) is blocked"); + Assert.strictEqual( + rv, + lazy.LIBC.EINVAL, + "prctl(PR_CAPBSET_READ) is blocked" + ); const kernelVersion = await getKernelVersion(); const glibcVersion = getGlibcVersion(); @@ -375,8 +384,9 @@ add_task(async function () { [{ lib, dirfd, path, mode, flag: 0x01 }], callFaccessat2 ); - ok( - rv === lazy.LIBC.ENOSYS, + Assert.strictEqual( + rv, + lazy.LIBC.ENOSYS, "faccessat2 (flag=0x01) was blocked with ENOSYS" ); @@ -385,8 +395,9 @@ add_task(async function () { [{ lib, dirfd, path, mode, flag: lazy.LIBC.AT_EACCESS }], callFaccessat2 ); - ok( - rv === lazy.LIBC.EACCES, + Assert.strictEqual( + rv, + lazy.LIBC.EACCES, "faccessat2 (flag=0x200) was allowed, errno=EACCES" ); } else { |