Merge pull request #199683 from robryk/wrappertests
nixos/security/wrappers: add test
This commit is contained in:
commit
dc03bcda57
2 changed files with 80 additions and 0 deletions
|
@ -691,6 +691,7 @@ in {
|
|||
wmderland = handleTest ./wmderland.nix {};
|
||||
wpa_supplicant = handleTest ./wpa_supplicant.nix {};
|
||||
wordpress = handleTest ./wordpress.nix {};
|
||||
wrappers = handleTest ./wrappers.nix {};
|
||||
writefreely = handleTest ./web-apps/writefreely.nix {};
|
||||
xandikos = handleTest ./xandikos.nix {};
|
||||
xautolock = handleTest ./xautolock.nix {};
|
||||
|
|
79
nixos/tests/wrappers.nix
Normal file
79
nixos/tests/wrappers.nix
Normal file
|
@ -0,0 +1,79 @@
|
|||
import ./make-test-python.nix ({ pkgs, ... }:
|
||||
let
|
||||
userUid = 1000;
|
||||
usersGid = 100;
|
||||
busybox = pkgs : pkgs.busybox.override {
|
||||
# Without this, the busybox binary drops euid to ruid for most applets, including id.
|
||||
# See https://bugs.busybox.net/show_bug.cgi?id=15101
|
||||
extraConfig = "CONFIG_FEATURE_SUID n";
|
||||
};
|
||||
in
|
||||
{
|
||||
name = "wrappers";
|
||||
|
||||
nodes.machine = { config, pkgs, ... }: {
|
||||
ids.gids.users = usersGid;
|
||||
|
||||
users.users = {
|
||||
regular = {
|
||||
uid = userUid;
|
||||
isNormalUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
security.wrappers = {
|
||||
suidRoot = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
source = "${busybox pkgs}/bin/busybox";
|
||||
program = "suid_root_busybox";
|
||||
};
|
||||
sgidRoot = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setgid = true;
|
||||
source = "${busybox pkgs}/bin/busybox";
|
||||
program = "sgid_root_busybox";
|
||||
};
|
||||
withChown = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.libcap}/bin/capsh";
|
||||
program = "capsh_with_chown";
|
||||
capabilities = "cap_chown+ep";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
def cmd_as_regular(cmd):
|
||||
return "su -l regular -c '{0}'".format(cmd)
|
||||
|
||||
def test_as_regular(cmd, expected):
|
||||
out = machine.succeed(cmd_as_regular(cmd)).strip()
|
||||
assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out)
|
||||
|
||||
test_as_regular('${busybox pkgs}/bin/busybox id -u', '${toString userUid}')
|
||||
test_as_regular('${busybox pkgs}/bin/busybox id -ru', '${toString userUid}')
|
||||
test_as_regular('${busybox pkgs}/bin/busybox id -g', '${toString usersGid}')
|
||||
test_as_regular('${busybox pkgs}/bin/busybox id -rg', '${toString usersGid}')
|
||||
|
||||
test_as_regular('/run/wrappers/bin/suid_root_busybox id -u', '0')
|
||||
test_as_regular('/run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}')
|
||||
test_as_regular('/run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}')
|
||||
test_as_regular('/run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}')
|
||||
|
||||
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}')
|
||||
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}')
|
||||
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -g', '0')
|
||||
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
|
||||
|
||||
# We are only testing the permitted set, because it's easiest to look at with capsh.
|
||||
machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN'))
|
||||
machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN'))
|
||||
machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN'))
|
||||
machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN'))
|
||||
'';
|
||||
})
|
Loading…
Reference in a new issue