author | Robin Haberkorn <robin.haberkorn@googlemail.com> | 2024-11-03 16:15:01 +0300 |
---|---|---|
committer | Robin Haberkorn <robin.haberkorn@googlemail.com> | 2024-11-03 22:36:36 +0300 |
commit | 18bb9c0cd8e8b8f74347eef1a5afabe6233159d7 (patch) | |
tree | 1dfa552f4622c3f68f3f6e29e16c413b84582eca /src | |
parent | 8470d478409b66410170b063286ffe8c7124a764 (diff) | |
download | sciteco-18bb9c0cd8e8b8f74347eef1a5afabe6233159d7.tar.gz |
Added "infinite monkey"-style test (refs #26)
Supposing that any monkey hitting keys on a typewriter, serving as a hardcopy
SciTECO terminal, will sooner or later trigger bugs and crash the application,
the new monkey-test.apl script emulates such a monkey.
In fact it's a bit more elaborate as the generated macro follows the frequency
distribution extracted from the corpus of SciTECO macro files (via monkey-parse.apl).
This, it is hoped, increases the chance of getting into "interesting" parser states.
This also adds a new hidden --sandbox argument, but it works only on FreeBSD (via Capsicum)
so far. In sandbox mode, we cannot open any file or execute external commands.
It is ensured that SciTECO cannot assert in sandbox mode for scripts that would
run without --sandbox, since assertions are the kind of things we would like to detect.
SciTECO must be sandboxed during "infinite monkey" tests, so it cannot accidentally
do any harm on the system running the tests.
All macros in sandbox mode must currently be passed via --eval.
Alternatively, we could add a test compilation unit and generate the test data
directly in memory via C code.
The new scripts are written in GNU APL 1.9 and will probably work only under FreeBSD.
These scripts are not meant to be run by everyone.
Diffstat (limited to 'src')
-rw-r--r-- | src/main.c | 18 | ||||
-rw-r--r-- | src/spawn.c | 18 |
2 files changed, 36 insertions, 0 deletions
@@ -29,6 +29,10 @@ #include <glib/gprintf.h> #include <glib/gstdio.h> +#ifdef HAVE_SYS_CAPSICUM_H +#include <sys/capsicum.h> +#endif + #include "sciteco.h" #include "file-utils.h" #include "cmdline.h" @@ -106,6 +110,7 @@ static gchar *teco_eval_macro = NULL; static gboolean teco_mung_file = FALSE; static gboolean teco_mung_profile = TRUE; static gchar *teco_fake_cmdline = NULL; +static gboolean teco_sandbox = FALSE; static gboolean teco_8bit_clean = FALSE; static gchar * @@ -125,6 +130,9 @@ teco_process_options(gchar ***argv) {"fake-cmdline", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_STRING, &teco_fake_cmdline, "Emulate key presses in batch mode (for debugging)", "keys"}, + {"sandbox", 0, G_OPTION_FLAG_HIDDEN, + G_OPTION_ARG_NONE, &teco_sandbox, + "Sandbox application (for debugging)"}, {"8bit", '8', 0, G_OPTION_ARG_NONE, &teco_8bit_clean, "Use ANSI encoding by default and disable automatic EOL conversion"}, {NULL} @@ -336,6 +344,16 @@ main(int argc, char **argv) * to the macro or munged file. */ +#ifdef HAVE_CAP_ENTER + /* + * In the sandbox, we cannot access files or execute external processes. + * Effectively, munging won't work, so you can pass macros only via + * --eval or --fake-cmdline. + */ + if (G_UNLIKELY(teco_sandbox)) + cap_enter(); +#endif + if (teco_8bit_clean) /* equivalent to 16,4ED but executed earlier */ teco_ed = (teco_ed & ~TECO_ED_AUTOEOL) | TECO_ED_DEFAULT_ANSI; diff --git a/src/spawn.c b/src/spawn.c index 7a5736c..9816975 100644 --- a/src/spawn.c +++ b/src/spawn.c @@ -30,6 +30,10 @@ #include <windows.h> #endif +#ifdef HAVE_SYS_CAPSICUM_H +#include <sys/capsicum.h> +#endif + #include "sciteco.h" #include "interface.h" #include "undo.h" 
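Review bot: The return value of `cap_enter()` is discarded in the new `--sandbox` block in main(), so if entering capability mode fails the process carries on unsandboxed. cap_enter(2) is documented to fail with ENOSYS on kernels built without capability-mode support, and in that case a monkey test would run its generated macros with full file and process access. The same fail-open applies when HAVE_CAP_ENTER is undefined: the option added in the third hunk is still accepted and silently does nothing. Both cases should be a hard error before any macro is evaluated, as sketched below. main() starts and ends outside the hunk, so the exit path should follow whatever its other early failures use.

```c
	if (G_UNLIKELY(teco_sandbox)) {
#ifdef HAVE_CAP_ENTER
		/* ... unchanged: comment explaining that munging cannot work in the sandbox ... */
		if (cap_enter() != 0) {
			g_printerr("Cannot enter Capsicum sandbox: %s\n",
			           g_strerror(errno));
			return EXIT_FAILURE;
		}
#else
		g_printerr("--sandbox is not supported on this platform\n");
		return EXIT_FAILURE;
#endif
	}
```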
@@ -268,6 +272,20 @@ teco_state_execute_done(teco_machine_main_t *ctx, const teco_string_t *str, GErr g_autoptr(GIOChannel) stdin_chan = NULL, stdout_chan = NULL; g_auto(GStrv) argv = NULL, envp = NULL; +#ifdef HAVE_CAP_GETMODE + /* + * If we don't explicitly check for sandboxing, glib could assert + * internally and we want to detect all unexpected assertions + * in "infinite monkey"-style tests. + */ + u_int sandbox_mode; + if (G_UNLIKELY(cap_getmode(&sandbox_mode) || sandbox_mode)) { + g_set_error(error, TECO_ERROR, TECO_ERROR_FAILED, + "Forbidden in Capsicum sandbox"); + goto gerror; + } +#endif + if (!str->len || teco_string_contains(str, '\0')) { g_set_error(error, TECO_ERROR, TECO_ERROR_FAILED, "Command line must not be empty or contain null-bytes"); |
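Review bot: The new guard in teco_state_execute_done() treats a failing `cap_getmode()` exactly like an active sandbox, so `Forbidden in Capsicum sandbox` can be reported when the process is not in capability mode at all. Failing closed is the right default, but cap_getmode(2) is documented to return ENOSYS on kernels without capability-mode support, where a build with HAVE_CAP_GETMODE would then refuse every command execution with a misleading message. I would declare `u_int sandbox_mode = 0;`, give the call failure its own `g_set_error()` that includes `g_strerror(errno)`, and keep the current message for the `sandbox_mode` case only. The function starts and ends outside the hunk.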