Merge pull request #1129 from onekey-sec/sandbox-handlers-tests

fix(tests): run handlers integration tests in landlock sandbox

Author: qkaiser

pyproject.toml

@@ -178,6 +178,7 @@ paths = ["python/", "vulture_whitelist.py"]
 
 [tool.pyright]
 exclude = [
+  ".devenv",
   ".venv",
   "build",
 ]

python/unblob/testing.py

@@ -1,7 +1,6 @@
 import binascii
 import glob
 import io
-import platform
 import shlex
 import subprocess
 from pathlib import Path
@@ -17,7 +16,6 @@
 from unblob.models import ProcessResult
 from unblob.processing import ExtractionConfig
 from unblob.report import ExtractCommandFailedReport
-from unblob.sandbox import AccessFS, SandboxError, restrict_access
 
 
 @pytest.fixture(scope="session", autouse=True)
@@ -219,17 +217,3 @@ def start(self, s):
             rv.write(line.data)
 
         return rv.getvalue()
-
-
-def is_sandbox_available():
-    is_sandbox_available = True
-
-    try:
-        restrict_access(AccessFS.read_write("/"))
-    except SandboxError:
-        is_sandbox_available = False
-
-    if platform.architecture == "x86_64" and platform.system == "linux":
-        assert is_sandbox_available, "Sandboxing should work at least on Linux-x86_64"
-
-    return is_sandbox_available

tests/test_cli.py

@@ -7,6 +7,7 @@
 from click.testing import CliRunner
 
 import unblob.cli
+from rust.test_sandbox import landlock_supported
 from unblob.extractors import Command
 from unblob.extractors.command import MultiFileCommand
 from unblob.handlers import BUILTIN_HANDLERS
@@ -18,7 +19,6 @@
     DEFAULT_SKIP_MAGIC,
     ExtractionConfig,
 )
-from unblob.testing import is_sandbox_available
 from unblob.ui import (
     NullProgressReporter,
     ProgressReporter,
@@ -431,7 +431,7 @@ def test_clear_skip_magics(
 
 
 @pytest.mark.skipif(
-    not is_sandbox_available(), reason="Sandboxing is only available on Linux"
+    not landlock_supported(), reason="Sandboxing is only available on Linux"
 )
 def test_sandbox_escape(tmp_path: Path):
     runner = CliRunner()

tests/test_handlers.py

@@ -15,6 +15,7 @@
 from unblob import handlers
 from unblob.models import Handler
 from unblob.processing import ExtractionConfig, process_file
+from unblob.sandbox import AccessFS, Sandbox
 from unblob.testing import (
     check_output_is_the_same,
     check_result,
@@ -29,10 +30,28 @@
     "input_dir, output_dir", gather_integration_tests(TEST_DATA_PATH)
 )
 def test_all_handlers(
-    input_dir: Path, output_dir: Path, extraction_config: ExtractionConfig
+    input_dir: Path,
+    output_dir: Path,
+    extraction_config: ExtractionConfig,
+    request: pytest.FixtureRequest,
 ):
+    log_path = Path("/dev/null")  # no logging
+    report_file = None  # no reporting
+
+    passthrough = [
+        # .pytest_cache
+        AccessFS.read_write(request.config.rootpath),
+    ]
+    junit_xmlpath = request.config.getvalue("xmlpath")
+    if junit_xmlpath:
+        passthrough += [
+            # junit reports are written to the argument of --junit-xml
+            AccessFS.read_write(junit_xmlpath)  # type: ignore
+        ]
+
+    sandbox = Sandbox(extraction_config, log_path, report_file, passthrough)
     for input_file in input_dir.iterdir():
-        reports = process_file(extraction_config, input_file)
+        reports = sandbox.run(process_file, extraction_config, input_file)
         check_result(reports)
 
     check_output_is_the_same(output_dir, extraction_config.extract_root)

tests/test_sandbox.py

@@ -2,12 +2,12 @@
 
 import pytest
 
+from rust.test_sandbox import landlock_supported
 from unblob.processing import ExtractionConfig
 from unblob.sandbox import Sandbox
-from unblob.testing import is_sandbox_available
 
 pytestmark = pytest.mark.skipif(
-    not is_sandbox_available(), reason="Sandboxing only works on Linux"
+    not landlock_supported(), reason="Sandboxing only works on Linux"
 )