From 086c044dc34dfc0f74fbe41f4ecb402b2cd34884 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 03:13:33 +0200 Subject: Merging upstream version 125.0.1. Signed-off-by: Daniel Baumann --- .../test/browser_content_sandbox_fs_snap.js | 2 +- .../sandbox/test/browser_content_sandbox_fs_xdg.js | 2 +- .../test/browser_content_sandbox_syscalls.js | 41 ++++++++++++++-------- .../sandbox/test/browser_content_sandbox_utils.js | 22 +++++++----- 4 files changed, 42 insertions(+), 25 deletions(-) (limited to 'security/sandbox/test') diff --git a/security/sandbox/test/browser_content_sandbox_fs_snap.js b/security/sandbox/test/browser_content_sandbox_fs_snap.js index a8b26a1e31..06f04c1d33 100644 --- a/security/sandbox/test/browser_content_sandbox_fs_snap.js +++ b/security/sandbox/test/browser_content_sandbox_fs_snap.js @@ -18,7 +18,7 @@ Services.scriptloader.loadSubScript( add_task(async function () { // Ensure that SNAP is there const snap = Services.env.get("SNAP"); - ok(snap.length > 1, "SNAP is defined"); + Assert.greater(snap.length, 1, "SNAP is defined"); // If it is there, do actual testing sanityChecks(); diff --git a/security/sandbox/test/browser_content_sandbox_fs_xdg.js b/security/sandbox/test/browser_content_sandbox_fs_xdg.js index f5150fc329..34dee9d1a0 100644 --- a/security/sandbox/test/browser_content_sandbox_fs_xdg.js +++ b/security/sandbox/test/browser_content_sandbox_fs_xdg.js @@ -18,7 +18,7 @@ Services.scriptloader.loadSubScript( add_task(async function () { // Ensure that XDG_CONFIG_HOME is there const xdgConfigHome = Services.env.get("XDG_CONFIG_HOME"); - ok(xdgConfigHome.length > 1, "XDG_CONFIG_HOME is defined"); + Assert.greater(xdgConfigHome.length, 1, "XDG_CONFIG_HOME is defined"); // If it is there, do actual testing sanityChecks(); diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js index dab47cf356..71d3c7ad12 100644 --- a/security/sandbox/test/browser_content_sandbox_syscalls.js +++ b/security/sandbox/test/browser_content_sandbox_syscalls.js @@ -262,7 +262,7 @@ add_task(async function () { } info(`security.sandbox.content.level=${level}`); - ok(level > 0, "content sandbox is enabled."); + Assert.greater(level, 0, "content sandbox is enabled."); let areSyscallsSandboxed = areContentSyscallsSandboxed(level); @@ -282,7 +282,7 @@ add_task(async function () { // exec something harmless, this should fail let cmd = getOSExecCmd(); let rv = await SpecialPowers.spawn(browser, [{ lib, cmd }], callExec); - ok(rv == -1, `exec(${cmd}) is not permitted`); + Assert.equal(rv, -1, `exec(${cmd}) is not permitted`); } // use open syscall @@ -295,7 +295,7 @@ add_task(async function () { [{ lib, path, flags }], callOpen ); - ok(fd < 0, "opening a file for writing in home is not permitted"); + Assert.less(fd, 0, "opening a file for writing in home is not permitted"); } // use open syscall @@ -311,19 +311,24 @@ add_task(async function () { callOpen ); if (isMac()) { - ok( - fd === -1, + Assert.strictEqual( + fd, + -1, "opening a file for writing in content temp is not permitted" ); } else { - ok(fd >= 0, "opening a file for writing in content temp is permitted"); + Assert.greaterOrEqual( + fd, + 0, + "opening a file for writing in content temp is permitted" + ); } } // use fork syscall if (isLinux() || isMac()) { let rv = await SpecialPowers.spawn(browser, [{ lib }], callFork); - ok(rv == -1, "calling fork is not permitted"); + Assert.equal(rv, -1, "calling fork is not permitted"); } // On macOS before 10.10 the |sysctl-name| predicate didn't exist for @@ -336,21 +341,21 @@ add_task(async function () { [{ lib, name: "kern.boottime" }], callSysctl ); - ok(rv == -1, "calling sysctl('kern.boottime') is not permitted"); + Assert.equal(rv, -1, "calling sysctl('kern.boottime') is not permitted"); rv = await SpecialPowers.spawn( browser, [{ lib, name: "net.inet.ip.ttl" }], callSysctl ); - ok(rv == -1, "calling sysctl('net.inet.ip.ttl') is not permitted"); + Assert.equal(rv, -1, "calling sysctl('net.inet.ip.ttl') is not permitted"); rv = await SpecialPowers.spawn( browser, [{ lib, name: "hw.ncpu" }], callSysctl ); - ok(rv == 0, "calling sysctl('hw.ncpu') is permitted"); + Assert.equal(rv, 0, "calling sysctl('hw.ncpu') is permitted"); } if (isLinux()) { @@ -359,7 +364,11 @@ add_task(async function () { // verify we block PR_CAPBSET_READ with EINVAL let option = lazy.LIBC.PR_CAPBSET_READ; let rv = await SpecialPowers.spawn(browser, [{ lib, option }], callPrctl); - ok(rv === lazy.LIBC.EINVAL, "prctl(PR_CAPBSET_READ) is blocked"); + Assert.strictEqual( + rv, + lazy.LIBC.EINVAL, + "prctl(PR_CAPBSET_READ) is blocked" + ); const kernelVersion = await getKernelVersion(); const glibcVersion = getGlibcVersion(); @@ -375,8 +384,9 @@ add_task(async function () { [{ lib, dirfd, path, mode, flag: 0x01 }], callFaccessat2 ); - ok( - rv === lazy.LIBC.ENOSYS, + Assert.strictEqual( + rv, + lazy.LIBC.ENOSYS, "faccessat2 (flag=0x01) was blocked with ENOSYS" ); @@ -385,8 +395,9 @@ add_task(async function () { [{ lib, dirfd, path, mode, flag: lazy.LIBC.AT_EACCESS }], callFaccessat2 ); - ok( - rv === lazy.LIBC.EACCES, + Assert.strictEqual( + rv, + lazy.LIBC.EACCES, "faccessat2 (flag=0x200) was allowed, errno=EACCES" ); } else { diff --git a/security/sandbox/test/browser_content_sandbox_utils.js b/security/sandbox/test/browser_content_sandbox_utils.js index ce6ed39ff6..9b4c4af70a 100644 --- a/security/sandbox/test/browser_content_sandbox_utils.js +++ b/security/sandbox/test/browser_content_sandbox_utils.js @@ -33,7 +33,7 @@ function sanityChecks() { } info(`security.sandbox.content.level=${level}`); - ok(level > 0, "content sandbox is enabled."); + Assert.greater(level, 0, "content sandbox is enabled."); let isFileIOSandboxed = isContentFileIOSandboxed(level); @@ -234,7 +234,7 @@ function isContentFileIOSandboxed(level) { // Returns the lowest sandbox level where blanket reading of the profile // directory from the content process should be blocked by the sandbox. -function minProfileReadSandboxLevel(level) { +function minProfileReadSandboxLevel() { switch (Services.appinfo.OS) { case "WINNT": return 3; @@ -250,7 +250,7 @@ function minProfileReadSandboxLevel(level) { // Returns the lowest sandbox level where blanket reading of the home // directory from the content process should be blocked by the sandbox. -function minHomeReadSandboxLevel(level) { +function minHomeReadSandboxLevel() { switch (Services.appinfo.OS) { case "WINNT": return 3; @@ -391,8 +391,9 @@ function GetBrowserType(type) { } browserType = GetBrowserType[type]; - ok( - browserType.remoteType === type, + Assert.strictEqual( + browserType.remoteType, + type, `GetBrowserType(${type}) returns a ${type} process` ); return browserType; @@ -445,8 +446,9 @@ async function runTestsList(tests) { test.func ); - ok( - result.ok == test.ok, + Assert.equal( + result.ok, + test.ok, `reading ${test.desc} from a ${processType} process ` + `is ${okString} (${test.file.path})` ); @@ -454,7 +456,11 @@ async function runTestsList(tests) { // if the directory is not expected to be readable, // ensure the listing has zero entries if (test.func === readDir && !test.ok) { - ok(result.numEntries == 0, `directory list is empty (${test.file.path})`); + Assert.equal( + result.numEntries, + 0, + `directory list is empty (${test.file.path})` + ); } if (test.cleanup != undefined) { -- cgit v1.2.3