diff options
Diffstat (limited to 'nixos/tests/firejail.nix')
-rw-r--r-- | nixos/tests/firejail.nix | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/nixos/tests/firejail.nix b/nixos/tests/firejail.nix new file mode 100644 index 00000000000..6c42c37b281 --- /dev/null +++ b/nixos/tests/firejail.nix @@ -0,0 +1,91 @@ +import ./make-test-python.nix ({ pkgs, ...} : { + name = "firejail"; + meta = with pkgs.lib.maintainers; { + maintainers = [ sgo ]; + }; + + nodes.machine = { ... }: { + imports = [ ./common/user-account.nix ]; + + programs.firejail = { + enable = true; + wrappedBinaries = { + bash-jailed = "${pkgs.bash}/bin/bash"; + bash-jailed2 = { + executable = "${pkgs.bash}/bin/bash"; + extraArgs = [ "--private=~/firejail-home" ]; + }; + }; + }; + + systemd.services.setupFirejailTest = { + wantedBy = [ "multi-user.target" ]; + before = [ "multi-user.target" ]; + + environment = { + HOME = "/home/alice"; + }; + + unitConfig = { + type = "oneshot"; + RemainAfterExit = true; + user = "alice"; + }; + + script = '' + cd $HOME + + mkdir .password-store && echo s3cret > .password-store/secret + mkdir my-secrets && echo s3cret > my-secrets/secret + + echo publ1c > public + + mkdir -p .config/firejail + echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local + ''; + }; + }; + + testScript = '' + start_all() + machine.wait_for_unit("multi-user.target") + + # Test path acl with wrapper + machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c") + machine.fail( + "sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret" + ) + machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret") + + # Test extraArgs + machine.succeed("sudo -u alice mkdir /home/alice/firejail-home") + machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'") + machine.fail("sudo -u alice cat /home/alice/foo") + machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test") + + # Test path acl with firejail executable + machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c") + machine.fail( + "sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret" + ) + machine.fail( + "sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret" + ) + + # Disabling profiles + machine.succeed( + "sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret" + ) + + # CVE-2020-17367 + machine.fail( + "sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1" + ) + + # CVE-2020-17368 + machine.fail( + "sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2" + ) + ''; +}) + |