From 7f1d92b59697ade838a9df980d4cfc93319de0c3 Mon Sep 17 00:00:00 2001 From: Florian Bruhin Date: Fri, 4 Mar 2022 12:06:07 +0100 Subject: Fix sandboxing test on Qt 5.12/QtWebKit/Windows --- tests/end2end/test_invocations.py | 67 ++++++++++++++++++++++++--------------- tests/helpers/testutils.py | 6 ++++ 2 files changed, 47 insertions(+), 26 deletions(-) diff --git a/tests/end2end/test_invocations.py b/tests/end2end/test_invocations.py index ca7e91df5..80a3c016b 100644 --- a/tests/end2end/test_invocations.py +++ b/tests/end2end/test_invocations.py @@ -831,15 +831,7 @@ def test_json_logging_without_debug(request, quteproc_new, runtime_tmpdir): @pytest.mark.qtwebkit_skip @pytest.mark.parametrize( 'sandboxing, has_namespaces, has_seccomp, has_yama, expected_result', [ - pytest.param( - 'enable-all', - True, True, True, - "You are adequately sandboxed.", - marks=pytest.mark.skipif( - testutils.disable_seccomp_bpf_sandbox(), - reason="Full sandboxing not supported", - ), - ), + ('enable-all', True, True, True, "You are adequately sandboxed."), ('disable-seccomp-bpf', True, False, True, "You are NOT adequately sandboxed."), ('disable-all', False, False, False, "You are NOT adequately sandboxed."), ] @@ -848,6 +840,11 @@ def test_sandboxing( request, quteproc_new, sandboxing, has_namespaces, has_seccomp, has_yama, expected_result, ): + if not request.config.webengine: + pytest.skip("Skipped with QtWebKit") + elif sandboxing == "enable-all" and testutils.disable_seccomp_bpf_sandbox(): + pytest.skip("Full sandboxing not supported") + args = _base_args(request.config) + [ '--temp-basedir', '-s', 'qt.chromium.sandboxing', sandboxing, 
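Review bot: The new `if not request.config.webengine` skip at the top of `test_sandboxing` looks redundant with the `@pytest.mark.qtwebkit_skip` decorator, which is still applied (visible as context in the previous hunk), assuming that marker already skips the test on QtWebKit. If the explicit check is kept so that `testutils.disable_seccomp_bpf_sandbox()` is never reached without QtWebEngine, the ordering of the `if`/`elif` is load-bearing and deserves a comment, e.g. `# must run before disable_seccomp_bpf_sandbox(), which needs QtWebEngine`. The body of `test_sandboxing` continues past this hunk.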
@@ -860,30 +857,48 @@ def test_sandboxing( not_found_msg = ("The webpage at chrome://sandbox/ might be temporarily down or " "it may have moved permanently to a new web address.") - if text.split()[-1] == not_found_msg: + if not_found_msg in text.split("\n"): pytest.skip("chrome://sandbox/ not supported") - header, *lines, empty, result = text.split("\n") + bpf_text = "Seccomp-BPF sandbox" + yama_text = "Ptrace Protection with Yama LSM" + + if "\n\n\n" in text: + # Qt 5.12 + header, rest = text.split("\n", maxsplit=1) + rest, result = rest.rsplit("\n\n", maxsplit=1) + lines = rest.replace("\t\n", "\t").split("\n\n\n") - assert header == "Sandbox Status" - assert not empty + expected_status = { + "Namespace Sandbox": "Yes" if has_namespaces else "No", + "Network namespaces": "Yes" if has_namespaces else "No", + "PID namespaces": "Yes" if has_namespaces else "No", + "SUID Sandbox": "No", - status = dict(line.split("\t") for line in lines) + bpf_text: "Yes" if has_seccomp else "No", + f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", - bpf_text = "Seccomp-BPF sandbox" - yama_text = "Ptrace Protection with Yama LSM" - expected_status = { - "Layer 1 Sandbox": "Namespace" if has_namespaces else "None", + "Yama LSM Enforcing": "Yes" if has_yama else "No", + } + else: + header, *lines, empty, result = text.split("\n") + assert not empty - "PID namespaces": "Yes" if has_namespaces else "No", - "Network namespaces": "Yes" if has_namespaces else "No", + expected_status = { + "Layer 1 Sandbox": "Namespace" if has_namespaces else "None", - bpf_text: "Yes" if has_seccomp else "No", - f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", + "PID namespaces": "Yes" if has_namespaces else "No", + "Network namespaces": "Yes" if has_namespaces else "No", - f"{yama_text} (Broker)": "Yes" if has_yama else "No", - f"{yama_text} (Non-broker)": "No", - } + bpf_text: "Yes" if has_seccomp else "No", + f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No", - assert 
status == expected_status + f"{yama_text} (Broker)": "Yes" if has_yama else "No", + f"{yama_text} (Non-broker)": "No", + } + + assert header == "Sandbox Status" assert result == expected_result + + status = dict(line.split("\t") for line in lines) + assert status == expected_status diff --git a/tests/helpers/testutils.py b/tests/helpers/testutils.py index 4983da2cc..c607718ab 100644 --- a/tests/helpers/testutils.py +++ b/tests/helpers/testutils.py @@ -272,6 +272,12 @@ def disable_seccomp_bpf_sandbox(): This is needed for some QtWebEngine setups, with older Qt versions but newer kernels. """ + try: + from PyQt5 import QtWebEngine # pylint: disable=unused-import + except ImportError: + # no QtWebEngine available + return False + affected_versions = set() for base, patch_range in [ # 5.12.0 to 5.12.10 (inclusive) -- cgit v1.2.3-54-g00ecf
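Review bot: `status = dict(line.split("\t") for line in lines)` now runs on rows produced by two different parsers, and any row without exactly one tab raises a `ValueError` from `dict()` instead of a readable assertion failure. Because the layout is chosen only by the heuristic `"\n\n\n" in text`, a page matching neither format would fail in that opaque way; adding `assert all(line.count("\t") == 1 for line in lines), lines` before the `dict()` call would show the offending rows. The `# Qt 5.12` comment could also say what distinguishes that layout (apparently blank-line-separated rows with the value on the line after the tab), since that is what `replace("\t\n", "\t")` and `split("\n\n\n")` encode. Note too that `dict()` keeps only the last value for a repeated label, so a duplicated row reporting conflicting sandbox states would pass the equality check unnoticed.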
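Review bot: The docstring of `disable_seccomp_bpf_sandbox()` (its tail is visible as context) does not mention the new early return: when `PyQt5.QtWebEngine` cannot be imported the function now answers `False`, which callers presumably read as "do not disable the seccomp-BPF sandbox". I would add a sentence such as `Returns False when QtWebEngine is not installed, so the sandbox is left enabled.` to make that default explicit. The `# no QtWebEngine available` comment could also state that only `ImportError` is handled this way and any other failure during the import still propagates. The function body continues outside this hunk.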