[llvm-commits] [zorg] r153650 - /zorg/trunk/lnt/lnt/tests/nt.py

Daniel Dunbar daniel at zuster.org
Thu Mar 29 08:46:32 PDT 2012 

Author: ddunbar
Date: Thu Mar 29 10:46:32 2012
New Revision: 153650

URL: http://llvm.org/viewvc/llvm-project?rev=153650&view=rev
Log:
[lnt] lnt.tests.nt: Add a --use-isolation option, which supports running the
testsuite under sandbox-exec (OS X thing) which can be used to drop OS resource
privileges.
 - Useful for finding tests that are writing files where they shouldn't or
   hitting the network.

Modified:
    zorg/trunk/lnt/lnt/tests/nt.py

Modified: zorg/trunk/lnt/lnt/tests/nt.py
URL: http://llvm.org/viewvc/llvm-project/zorg/trunk/lnt/lnt/tests/nt.py?rev=153650&r1=153649&r2=153650&view=diff
==============================================================================
--- zorg/trunk/lnt/lnt/tests/nt.py (original)
+++ zorg/trunk/lnt/lnt/tests/nt.py Thu Mar 29 10:46:32 2012
@@ -196,6 +196,36 @@
     if opts.only_test is not None:
         common_args.extend(['-C',opts.only_test])
 
+    # If we are using isolation, run under sandbox-exec.
+    if opts.use_isolation:
+        # Write out the sandbox profile.
+        sandbox_profile_path = os.path.join(basedir, "isolation.sb")
+        print >>sys.stderr, "%s: creating sandbox profile %r" % (
+            timestamp(), sandbox_profile_path)
+        with open(sandbox_profile_path, 'w') as f:
+            print >>f, """
+;; Sandbox profile for isolation test access.
+(version 1)
+
+;; Allow everything by default, and log debug messages on deny.
+(allow default)
+(debug deny)
+
+;; Deny all file writes by default.        
+(deny file-write*)
+
+;; Deny all network access by default.
+(deny network*)
+
+;; Explicitly allow writes to temporary directories, /dev/, and the sandbox
+;; output directory.
+(allow file-write*      (regex #"^/private/var/tmp/")
+                        (regex #"^/private/tmp/")
+                        (regex #"^/private/var/folders/")
+                        (regex #"^/dev/")
+                        (regex #"^%s"))""" % (basedir,)
+        common_args = ['sandbox-exec', '-f', sandbox_profile_path] + common_args
+
     # Run a separate 'make build' step if --build-threads was given.
     if opts.build_threads > 0:
       args = common_args + ['-j', str(opts.build_threads), 'build']
@@ -1015,6 +1045,11 @@
                          help=("Execute using an iOS simulator SDK (using "
                                "environment overrides)"),
                          type=str, default=None, metavar="SDKPATH")
+        group.add_option("", "--use-isolation", dest="use_isolation",
+                         help=("Execute using a sandboxing profile to limit "
+                               "OS access (e.g., to the network or "
+                               "non-test directories)"),
+                         action="store_true", default=False)
 
         group.add_option("", "--multisample", dest="multisample",
                          help="Accumulate test data from multiple runs",

More information about the llvm-commits mailing list