Add a test for AllowSpeculation

PiperOrigin-RevId: 742178834
Change-Id: I9e2006586d101f91281e7bb367fa21a6461d691d

Author: happyCoder92

sandboxed_api/sandbox2/BUILD

@@ -959,6 +959,7 @@ cc_test(
         ":sandbox2",
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
+        "//sandboxed_api/sandbox2/allowlists:seccomp_speculation",
         "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:file_base",
         "//sandboxed_api/util:status_matchers",

sandboxed_api/sandbox2/CMakeLists.txt

@@ -1038,6 +1038,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   )
   target_link_libraries(sandbox2_policy_test PRIVATE
     absl::strings
+    sandbox2::allowlists_seccomp_speculation
     sandbox2::bpf_helper
     sapi::config
     sandbox2::sandbox2

sandboxed_api/sandbox2/policy_test.cc

@@ -29,6 +29,7 @@
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allowlists/seccomp_speculation.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
 #include "sandboxed_api/sandbox2/result.h"
@@ -410,6 +411,28 @@ TEST_P(PolicyTest, SecondExecveatNotAllowedByDefault) {
   EXPECT_THAT(result.reason_code(), Eq(0));
 }
 
+TEST_P(PolicyTest, SpeculationAllowed) {
+  const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
+  std::unique_ptr<Sandbox2> s2 = CreateTestSandbox(
+      {"policy", "11"},  // Calls TestSpeculationAllowed()
+      CreateDefaultPermissiveTestPolicy(path).Allow(SeccompSpeculation()));
+  Result result = s2->Run();
+
+  ASSERT_THAT(result.final_status(), Eq(Result::OK));
+  EXPECT_THAT(result.reason_code(), Eq(0));
+}
+
+TEST_P(PolicyTest, SpeculationBlockedByDefault) {
+  const std::string path = GetTestSourcePath("sandbox2/testcases/policy");
+  std::unique_ptr<Sandbox2> s2 =
+      CreateTestSandbox({"policy", "12"},  // Calls TestSpeculationBlocked()
+                        CreateDefaultPermissiveTestPolicy(path));
+  Result result = s2->Run();
+
+  ASSERT_THAT(result.final_status(), Eq(Result::OK));
+  EXPECT_THAT(result.reason_code(), Eq(0));
+}
+
 INSTANTIATE_TEST_SUITE_P(Sandbox2, PolicyTest, ::testing::Values(false, true),
                          [](const ::testing::TestParamInfo<bool>& info) {
                            return info.param ? "UnotifyMonitor"

sandboxed_api/sandbox2/testcases/policy.cc

@@ -14,7 +14,9 @@
 
 // A binary that tries x86_64 compat syscalls, ptrace and clone untraced.
 
+#include <linux/prctl.h>
 #include <sched.h>
+#include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <syscall.h>
 #include <unistd.h>
@@ -113,6 +115,32 @@ void TestSafeBpf() {
 
 void TestIsatty() { isatty(0); }
 
+void TestSpeculationAllowed() {
+  int res = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
+  if (res == PR_SPEC_ENABLE) {
+    printf("PR_SPEC_STORE_BYPASS enabled when it should not have been\n");
+    exit(EXIT_FAILURE);
+  }
+  res = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
+  if (res == PR_SPEC_ENABLE) {
+    printf("PR_SPEC_INDIRECT_BRANCH enabled when it should not have been\n");
+    exit(EXIT_FAILURE);
+  }
+}
+
+void TestSpeculationBlocked() {
+  int res = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
+  if ((res != -1 && errno == EINVAL) && res != PR_SPEC_ENABLE) {
+    printf("PR_SPEC_STORE_BYPASS disabled when it should not have been\n");
+    exit(EXIT_FAILURE);
+  }
+  res = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
+  if ((res != -1 && errno == EINVAL) && res != PR_SPEC_ENABLE) {
+    printf("PR_SPEC_INDIRECT_BRANCH disabled when it should not have been\n");
+    exit(EXIT_FAILURE);
+  }
+}
+
 int main(int argc, char* argv[]) {
   // Disable buffering.
   setbuf(stdin, nullptr);
@@ -155,6 +183,12 @@ int main(int argc, char* argv[]) {
     case 9:
       TestSafeBpf();
       break;
+    case 11:
+      TestSpeculationAllowed();
+      break;
+    case 12:
+      TestSpeculationBlocked();
+      break;
     default:
       printf("Unknown test: %d\n", testno);
       return EXIT_FAILURE;