Esempio n. 1
0
 def test_restricted_path_function_allowed(self):
     fake_function = self.mox.CreateMockAnything()
     fake_function('foo', bar='baz').AndReturn(1)
     stubs.FakeFile.is_file_accessible('foo', False).AndReturn(
         stubs.FakeFile.Visibility.OK)
     self.mox.ReplayAll()
     restricted_path_fake_function = stubs.RestrictedPathFunction(
         fake_function)
     self.assertEqual(1, restricted_path_fake_function('foo', bar='baz'))
     self.mox.VerifyAll()
Esempio n. 2
0
def _install_open_hooks():
  """Install open hooks for sandbox."""
  if _open_hooks:
    for install_open_hook in _open_hooks:
      install_open_hook()
    # Assume installed open hooks don't enforce the sandbox path restrictions
    # and install a final hook to do that (the goal of hooks is to allow
    # alternate open techniques, not to circumvent the sandbox). It does mean
    # that open requests that make it to FakeFile have their path checked
    # twice but that doesn't break anything.
    __builtin__.open = stubs.RestrictedPathFunction(__builtin__.open, IOError)
Esempio n. 3
0
 def test_static_access_message_restricted_path_function(self):
     fake_function = self.mox.CreateMockAnything()
     stubs.FakeFile.is_file_accessible('foo', False).AndReturn(
         stubs.FakeFile.Visibility.STATIC_BLOCK)
     logging.info('Sandbox prevented access to static file "%s"', 'foo')
     logging.info(
         'Check that `application_readable: true` is set in app.yaml')
     stubs.FakeFile.is_file_accessible('foo', False).AndReturn(
         stubs.FakeFile.Visibility.CACHED_BLOCK)
     self.mox.ReplayAll()
     # We'll try to access it twice here, the second time with the result cached.
     # Verify it only prints the message once.
     restricted_path_fake_function = stubs.RestrictedPathFunction(
         fake_function)
     with self.assertRaises(OSError) as cm:
         restricted_path_fake_function('foo', bar='baz')
     with self.assertRaises(OSError) as cm:
         restricted_path_fake_function('foo', bar='baz')
     self.mox.VerifyAll()
     e = cm.exception
     self.assertEqual(errno.EACCES, e.errno)
     self.assertEqual('path not accessible', e.strerror)
     self.assertEqual('foo', e.filename)
Esempio n. 4
0
_MODULE_OVERRIDE_POLICIES = {
    'os':
    ModuleOverridePolicy(
        default_stub=stubs.os_error_not_implemented,
        whitelist=[
            'altsep', 'chown', 'close', 'curdir', 'defpath', 'devnull',
            'environ', 'error', 'execv', 'fchmod', 'fchown', 'fdopen', 'fork',
            'fstat', 'ftruncate', 'getcwd', 'getcwdu', 'getenv',
            '_get_exports_list', 'kill', 'lchown', 'name', 'open', 'pardir',
            'path', 'pathsep', 'popen', 'readline', 'sep', 'setuid',
            'stat_float_times', 'stat_result', 'strerror', 'sys', 'waitpid',
            'walk', 'readlink'
        ],
        overrides={
            'access': stubs.fake_access,
            'chmod': stubs.RestrictedPathFunction(os.chmod, for_write=True),
            'listdir': stubs.make_fake_listdir(os.listdir),
            # Alias lstat() to stat() to match the behavior in production.
            'lstat': stubs.RestrictedPathFunction(os.stat),
            'makedirs': stubs.RestrictedPathFunction(os.makedirs,
                                                     for_write=True),
            'mkdir': stubs.RestrictedPathFunction(os.mkdir, for_write=True),
            'open': stubs.fake_open,
            'stat': stubs.RestrictedPathFunction(os.stat),
            'uname': stubs.fake_uname,
            'getpid': stubs.return_minus_one,
            'getppid': stubs.return_minus_one,
            'getpgrp': stubs.return_minus_one,
            'getgid': stubs.return_minus_one,
            'getegid': stubs.return_minus_one,
            'geteuid': stubs.return_minus_one,
Esempio n. 5
0
_MODULE_OVERRIDE_POLICIES = {
    'os':
    ModuleOverridePolicy(
        default_stub=stubs.os_error_not_implemented,
        whitelist=[
            'altsep', 'chown', 'curdir', 'defpath', 'devnull', 'environ',
            'error', 'execv', 'fchmod', 'fchown', 'fork', 'fstat', 'ftruncate',
            'getcwd', 'getcwdu', 'getenv', '_get_exports_list', 'kill',
            'lchown', 'lstat', 'name', 'open', 'pardir', 'path', 'pathsep',
            'readline', 'sep', 'setuid', 'stat', 'stat_float_times',
            'stat_result', 'strerror', 'sys', 'waitpid', 'walk', 'readlink'
        ],
        overrides={
            'access': stubs.fake_access,
            'listdir': stubs.RestrictedPathFunction(os.listdir),
            'open': stubs.fake_open,
            'uname': stubs.fake_uname,
            'getpid': stubs.return_minus_one,
            'getppid': stubs.return_minus_one,
            'getpgrp': stubs.return_minus_one,
            'getgid': stubs.return_minus_one,
            'getegid': stubs.return_minus_one,
            'geteuid': stubs.return_minus_one,
            'getuid': stubs.return_minus_one,
            'urandom': stubs.fake_urandom,
            'system': stubs.return_minus_one,
        },
        deletes=['execve']),
    'signal':
    ModuleOverridePolicy(overrides={'__doc__': None}),
Esempio n. 6
0
                    del module_dict[symbol]


_MODULE_OVERRIDE_POLICIES = {
    'os':
    ModuleOverridePolicy(
        default_stub=stubs.os_error_not_implemented,
        whitelist=[
            'altsep', 'curdir', 'defpath', 'devnull', 'environ', 'error',
            'fstat', 'getcwd', 'getcwdu', 'getenv', '_get_exports_list',
            'name', 'open', 'pardir', 'path', 'pathsep', 'sep',
            'stat_float_times', 'stat_result', 'strerror', 'sys', 'walk'
        ],
        overrides={
            'access': stubs.fake_access,
            'listdir': stubs.RestrictedPathFunction(os.listdir),
            # Alias lstat() to stat() to match the behavior in production.
            'lstat': stubs.RestrictedPathFunction(os.stat),
            'open': stubs.fake_open,
            'stat': stubs.RestrictedPathFunction(os.stat),
            'uname': stubs.fake_uname,
            'getpid': stubs.return_minus_one,
            'getppid': stubs.return_minus_one,
            'getpgrp': stubs.return_minus_one,
            'getgid': stubs.return_minus_one,
            'getegid': stubs.return_minus_one,
            'geteuid': stubs.return_minus_one,
            'getuid': stubs.return_minus_one,
            'urandom': stubs.fake_urandom,
            'system': stubs.return_minus_one,
        },