summaryrefslogtreecommitdiffstats
path: root/security/sandbox/test
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:13:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:13:27 +0000
commit40a355a42d4a9444dc753c04c6608dade2f06a23 (patch)
tree871fc667d2de662f171103ce5ec067014ef85e61 /security/sandbox/test
parentAdding upstream version 124.0.1. (diff)
downloadfirefox-40a355a42d4a9444dc753c04c6608dade2f06a23.tar.xz
firefox-40a355a42d4a9444dc753c04c6608dade2f06a23.zip
Adding upstream version 125.0.1.upstream/125.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox/test')
-rw-r--r--security/sandbox/test/browser_content_sandbox_fs_snap.js2
-rw-r--r--security/sandbox/test/browser_content_sandbox_fs_xdg.js2
-rw-r--r--security/sandbox/test/browser_content_sandbox_syscalls.js41
-rw-r--r--security/sandbox/test/browser_content_sandbox_utils.js22
4 files changed, 42 insertions, 25 deletions
diff --git a/security/sandbox/test/browser_content_sandbox_fs_snap.js b/security/sandbox/test/browser_content_sandbox_fs_snap.js
index a8b26a1e31..06f04c1d33 100644
--- a/security/sandbox/test/browser_content_sandbox_fs_snap.js
+++ b/security/sandbox/test/browser_content_sandbox_fs_snap.js
@@ -18,7 +18,7 @@ Services.scriptloader.loadSubScript(
add_task(async function () {
// Ensure that SNAP is there
const snap = Services.env.get("SNAP");
- ok(snap.length > 1, "SNAP is defined");
+ Assert.greater(snap.length, 1, "SNAP is defined");
// If it is there, do actual testing
sanityChecks();
diff --git a/security/sandbox/test/browser_content_sandbox_fs_xdg.js b/security/sandbox/test/browser_content_sandbox_fs_xdg.js
index f5150fc329..34dee9d1a0 100644
--- a/security/sandbox/test/browser_content_sandbox_fs_xdg.js
+++ b/security/sandbox/test/browser_content_sandbox_fs_xdg.js
@@ -18,7 +18,7 @@ Services.scriptloader.loadSubScript(
add_task(async function () {
// Ensure that XDG_CONFIG_HOME is there
const xdgConfigHome = Services.env.get("XDG_CONFIG_HOME");
- ok(xdgConfigHome.length > 1, "XDG_CONFIG_HOME is defined");
+ Assert.greater(xdgConfigHome.length, 1, "XDG_CONFIG_HOME is defined");
// If it is there, do actual testing
sanityChecks();
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js
index dab47cf356..71d3c7ad12 100644
--- a/security/sandbox/test/browser_content_sandbox_syscalls.js
+++ b/security/sandbox/test/browser_content_sandbox_syscalls.js
@@ -262,7 +262,7 @@ add_task(async function () {
}
info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
+ Assert.greater(level, 0, "content sandbox is enabled.");
let areSyscallsSandboxed = areContentSyscallsSandboxed(level);
@@ -282,7 +282,7 @@ add_task(async function () {
// exec something harmless, this should fail
let cmd = getOSExecCmd();
let rv = await SpecialPowers.spawn(browser, [{ lib, cmd }], callExec);
- ok(rv == -1, `exec(${cmd}) is not permitted`);
+ Assert.equal(rv, -1, `exec(${cmd}) is not permitted`);
}
// use open syscall
@@ -295,7 +295,7 @@ add_task(async function () {
[{ lib, path, flags }],
callOpen
);
- ok(fd < 0, "opening a file for writing in home is not permitted");
+ Assert.less(fd, 0, "opening a file for writing in home is not permitted");
}
// use open syscall
@@ -311,19 +311,24 @@ add_task(async function () {
callOpen
);
if (isMac()) {
- ok(
- fd === -1,
+ Assert.strictEqual(
+ fd,
+ -1,
"opening a file for writing in content temp is not permitted"
);
} else {
- ok(fd >= 0, "opening a file for writing in content temp is permitted");
+ Assert.greaterOrEqual(
+ fd,
+ 0,
+ "opening a file for writing in content temp is permitted"
+ );
}
}
// use fork syscall
if (isLinux() || isMac()) {
let rv = await SpecialPowers.spawn(browser, [{ lib }], callFork);
- ok(rv == -1, "calling fork is not permitted");
+ Assert.equal(rv, -1, "calling fork is not permitted");
}
// On macOS before 10.10 the |sysctl-name| predicate didn't exist for
@@ -336,21 +341,21 @@ add_task(async function () {
[{ lib, name: "kern.boottime" }],
callSysctl
);
- ok(rv == -1, "calling sysctl('kern.boottime') is not permitted");
+ Assert.equal(rv, -1, "calling sysctl('kern.boottime') is not permitted");
rv = await SpecialPowers.spawn(
browser,
[{ lib, name: "net.inet.ip.ttl" }],
callSysctl
);
- ok(rv == -1, "calling sysctl('net.inet.ip.ttl') is not permitted");
+ Assert.equal(rv, -1, "calling sysctl('net.inet.ip.ttl') is not permitted");
rv = await SpecialPowers.spawn(
browser,
[{ lib, name: "hw.ncpu" }],
callSysctl
);
- ok(rv == 0, "calling sysctl('hw.ncpu') is permitted");
+ Assert.equal(rv, 0, "calling sysctl('hw.ncpu') is permitted");
}
if (isLinux()) {
@@ -359,7 +364,11 @@ add_task(async function () {
// verify we block PR_CAPBSET_READ with EINVAL
let option = lazy.LIBC.PR_CAPBSET_READ;
let rv = await SpecialPowers.spawn(browser, [{ lib, option }], callPrctl);
- ok(rv === lazy.LIBC.EINVAL, "prctl(PR_CAPBSET_READ) is blocked");
+ Assert.strictEqual(
+ rv,
+ lazy.LIBC.EINVAL,
+ "prctl(PR_CAPBSET_READ) is blocked"
+ );
const kernelVersion = await getKernelVersion();
const glibcVersion = getGlibcVersion();
@@ -375,8 +384,9 @@ add_task(async function () {
[{ lib, dirfd, path, mode, flag: 0x01 }],
callFaccessat2
);
- ok(
- rv === lazy.LIBC.ENOSYS,
+ Assert.strictEqual(
+ rv,
+ lazy.LIBC.ENOSYS,
"faccessat2 (flag=0x01) was blocked with ENOSYS"
);
@@ -385,8 +395,9 @@ add_task(async function () {
[{ lib, dirfd, path, mode, flag: lazy.LIBC.AT_EACCESS }],
callFaccessat2
);
- ok(
- rv === lazy.LIBC.EACCES,
+ Assert.strictEqual(
+ rv,
+ lazy.LIBC.EACCES,
"faccessat2 (flag=0x200) was allowed, errno=EACCES"
);
} else {
diff --git a/security/sandbox/test/browser_content_sandbox_utils.js b/security/sandbox/test/browser_content_sandbox_utils.js
index ce6ed39ff6..9b4c4af70a 100644
--- a/security/sandbox/test/browser_content_sandbox_utils.js
+++ b/security/sandbox/test/browser_content_sandbox_utils.js
@@ -33,7 +33,7 @@ function sanityChecks() {
}
info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
+ Assert.greater(level, 0, "content sandbox is enabled.");
let isFileIOSandboxed = isContentFileIOSandboxed(level);
@@ -234,7 +234,7 @@ function isContentFileIOSandboxed(level) {
// Returns the lowest sandbox level where blanket reading of the profile
// directory from the content process should be blocked by the sandbox.
-function minProfileReadSandboxLevel(level) {
+function minProfileReadSandboxLevel() {
switch (Services.appinfo.OS) {
case "WINNT":
return 3;
@@ -250,7 +250,7 @@ function minProfileReadSandboxLevel(level) {
// Returns the lowest sandbox level where blanket reading of the home
// directory from the content process should be blocked by the sandbox.
-function minHomeReadSandboxLevel(level) {
+function minHomeReadSandboxLevel() {
switch (Services.appinfo.OS) {
case "WINNT":
return 3;
@@ -391,8 +391,9 @@ function GetBrowserType(type) {
}
browserType = GetBrowserType[type];
- ok(
- browserType.remoteType === type,
+ Assert.strictEqual(
+ browserType.remoteType,
+ type,
`GetBrowserType(${type}) returns a ${type} process`
);
return browserType;
@@ -445,8 +446,9 @@ async function runTestsList(tests) {
test.func
);
- ok(
- result.ok == test.ok,
+ Assert.equal(
+ result.ok,
+ test.ok,
`reading ${test.desc} from a ${processType} process ` +
`is ${okString} (${test.file.path})`
);
@@ -454,7 +456,11 @@ async function runTestsList(tests) {
// if the directory is not expected to be readable,
// ensure the listing has zero entries
if (test.func === readDir && !test.ok) {
- ok(result.numEntries == 0, `directory list is empty (${test.file.path})`);
+ Assert.equal(
+ result.numEntries,
+ 0,
+ `directory list is empty (${test.file.path})`
+ );
}
if (test.cleanup != undefined) {