summaryrefslogtreecommitdiffstats
path: root/security/sandbox/test/browser_content_sandbox_syscalls.js
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:13:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:13:27 +0000
commit40a355a42d4a9444dc753c04c6608dade2f06a23 (patch)
tree871fc667d2de662f171103ce5ec067014ef85e61 /security/sandbox/test/browser_content_sandbox_syscalls.js
parentAdding upstream version 124.0.1. (diff)
downloadfirefox-40a355a42d4a9444dc753c04c6608dade2f06a23.tar.xz
firefox-40a355a42d4a9444dc753c04c6608dade2f06a23.zip
Adding upstream version 125.0.1.upstream/125.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox/test/browser_content_sandbox_syscalls.js')
-rw-r--r--security/sandbox/test/browser_content_sandbox_syscalls.js41
1 files changed, 26 insertions, 15 deletions
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js
index dab47cf356..71d3c7ad12 100644
--- a/security/sandbox/test/browser_content_sandbox_syscalls.js
+++ b/security/sandbox/test/browser_content_sandbox_syscalls.js
@@ -262,7 +262,7 @@ add_task(async function () {
}
info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
+ Assert.greater(level, 0, "content sandbox is enabled.");
let areSyscallsSandboxed = areContentSyscallsSandboxed(level);
@@ -282,7 +282,7 @@ add_task(async function () {
// exec something harmless, this should fail
let cmd = getOSExecCmd();
let rv = await SpecialPowers.spawn(browser, [{ lib, cmd }], callExec);
- ok(rv == -1, `exec(${cmd}) is not permitted`);
+ Assert.equal(rv, -1, `exec(${cmd}) is not permitted`);
}
// use open syscall
@@ -295,7 +295,7 @@ add_task(async function () {
[{ lib, path, flags }],
callOpen
);
- ok(fd < 0, "opening a file for writing in home is not permitted");
+ Assert.less(fd, 0, "opening a file for writing in home is not permitted");
}
// use open syscall
@@ -311,19 +311,24 @@ add_task(async function () {
callOpen
);
if (isMac()) {
- ok(
- fd === -1,
+ Assert.strictEqual(
+ fd,
+ -1,
"opening a file for writing in content temp is not permitted"
);
} else {
- ok(fd >= 0, "opening a file for writing in content temp is permitted");
+ Assert.greaterOrEqual(
+ fd,
+ 0,
+ "opening a file for writing in content temp is permitted"
+ );
}
}
// use fork syscall
if (isLinux() || isMac()) {
let rv = await SpecialPowers.spawn(browser, [{ lib }], callFork);
- ok(rv == -1, "calling fork is not permitted");
+ Assert.equal(rv, -1, "calling fork is not permitted");
}
// On macOS before 10.10 the |sysctl-name| predicate didn't exist for
@@ -336,21 +341,21 @@ add_task(async function () {
[{ lib, name: "kern.boottime" }],
callSysctl
);
- ok(rv == -1, "calling sysctl('kern.boottime') is not permitted");
+ Assert.equal(rv, -1, "calling sysctl('kern.boottime') is not permitted");
rv = await SpecialPowers.spawn(
browser,
[{ lib, name: "net.inet.ip.ttl" }],
callSysctl
);
- ok(rv == -1, "calling sysctl('net.inet.ip.ttl') is not permitted");
+ Assert.equal(rv, -1, "calling sysctl('net.inet.ip.ttl') is not permitted");
rv = await SpecialPowers.spawn(
browser,
[{ lib, name: "hw.ncpu" }],
callSysctl
);
- ok(rv == 0, "calling sysctl('hw.ncpu') is permitted");
+ Assert.equal(rv, 0, "calling sysctl('hw.ncpu') is permitted");
}
if (isLinux()) {
@@ -359,7 +364,11 @@ add_task(async function () {
// verify we block PR_CAPBSET_READ with EINVAL
let option = lazy.LIBC.PR_CAPBSET_READ;
let rv = await SpecialPowers.spawn(browser, [{ lib, option }], callPrctl);
- ok(rv === lazy.LIBC.EINVAL, "prctl(PR_CAPBSET_READ) is blocked");
+ Assert.strictEqual(
+ rv,
+ lazy.LIBC.EINVAL,
+ "prctl(PR_CAPBSET_READ) is blocked"
+ );
const kernelVersion = await getKernelVersion();
const glibcVersion = getGlibcVersion();
@@ -375,8 +384,9 @@ add_task(async function () {
[{ lib, dirfd, path, mode, flag: 0x01 }],
callFaccessat2
);
- ok(
- rv === lazy.LIBC.ENOSYS,
+ Assert.strictEqual(
+ rv,
+ lazy.LIBC.ENOSYS,
"faccessat2 (flag=0x01) was blocked with ENOSYS"
);
@@ -385,8 +395,9 @@ add_task(async function () {
[{ lib, dirfd, path, mode, flag: lazy.LIBC.AT_EACCESS }],
callFaccessat2
);
- ok(
- rv === lazy.LIBC.EACCES,
+ Assert.strictEqual(
+ rv,
+ lazy.LIBC.EACCES,
"faccessat2 (flag=0x200) was allowed, errno=EACCES"
);
} else {