Merge pull request #94878 from stigtsp/package/firejail-test

nixos/tests: add test for firejail

authored by worldofpeace and committed by GitHub bea55603 3cc42af7

+86 -1
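--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -101,6 +101,7 @@
 ferm = handleTest ./ferm.nix {};
 firefox = handleTest ./firefox.nix {};
 firefox-esr = handleTest ./firefox.nix { esr = true; };
+firejail = handleTest ./firejail.nix {};
 firewall = handleTest ./firewall.nix {};
 fish = handleTest ./fish.nix {};
 flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {};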
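--- /dev/null
+++ b/nixos/tests/firejail.nix
@@ -0,0 +1,82 @@
+import ./make-test-python.nix ({ pkgs, ...} : {
+name = "firejail";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ sgo ];
+};
+
+nodes.machine = { ... }: {
+imports = [ ./common/user-account.nix ];
+
+programs.firejail = {
+enable = true;
+wrappedBinaries = {
+bash-jailed = "${pkgs.bash}/bin/bash";
+};
+};
+
+systemd.services.setupFirejailTest = {
+wantedBy = [ "multi-user.target" ];
+before = [ "multi-user.target" ];
+
+environment = {
+HOME = "/home/alice";
+};
+
+unitConfig = {
+type = "oneshot";
+RemainAfterExit = true;
+user = "alice";
+};
+
+script = ''
+cd $HOME
+
+mkdir .password-store && echo s3cret > .password-store/secret
+mkdir my-secrets && echo s3cret > my-secrets/secret
+
+echo publ1c > public
+
+mkdir -p .config/firejail
+echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local
+'';
+};
+};
+
+testScript = ''
+start_all()
+machine.wait_for_unit("multi-user.target")
+
+# Test path acl with wrapper
+machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c")
+machine.fail(
+"sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret"
+)
+machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")
+
+
+# Test path acl with firejail executable
+machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
+machine.fail(
+"sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret"
+)
+machine.fail(
+"sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret"
+)
+
+# Disabling profiles
+machine.succeed(
+"sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret"
+)
+
+# CVE-2020-17367
+machine.fail(
+"sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1"
+)
+
+# CVE-2020-17368
+machine.fail(
+"sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2"
+)
+'';
+})
+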
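Review bot: In the `systemd.services.setupFirejailTest` block of the new file, `type`, `RemainAfterExit` and `user` are placed under `unitConfig`, but those are `[Service]` directives; `unitConfig` renders into the `[Unit]` section, where systemd does not recognise them and ignores them with a warning. The fixture therefore most likely runs as root with the default service type, so the files under `/home/alice` end up root-owned and `before = [ "multi-user.target" ]` no longer guarantees the script has finished before `testScript` starts (the assertions only pass because the default umask leaves those files world-readable). Replace the block with `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; User = "alice"; };` so the setup runs unprivileged as the same user the assertions exercise and completes before the target is reached.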
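--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, fetchpatch, which}:
+{stdenv, fetchurl, fetchpatch, which, nixosTests}:
 let
 s = # Generated upstream information
 rec {
@@ -75,6 +75,8 @@
 # At high parallelism, the build sometimes fails with:
 # bash: src/fsec-optimize/fsec-optimize: No such file or directory
 enableParallelBuilding = false;
+
+passthru.tests = nixosTests.firejail;
 
 meta = {
 inherit (s) version;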