nixos/tests/firejail.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / firejail.nix
at 23.11-pre 2.7 kB view raw
 1import ./make-test-python.nix ({ pkgs, ...} : {
 2  name = "firejail";
 3  meta = with pkgs.lib.maintainers; {
 4    maintainers = [ sgo ];
 5  };
 6
 7  nodes.machine = { ... }: {
 8    imports = [ ./common/user-account.nix ];
 9
10    programs.firejail = {
11      enable = true;
12      wrappedBinaries = {
13        bash-jailed  = "${pkgs.bash}/bin/bash";
14        bash-jailed2  = {
15          executable = "${pkgs.bash}/bin/bash";
16          extraArgs = [ "--private=~/firejail-home" ];
17        };
18      };
19    };
20
21    systemd.services.setupFirejailTest = {
22      wantedBy = [ "multi-user.target" ];
23      before = [ "multi-user.target" ];
24
25      environment = {
26        HOME = "/home/alice";
27      };
28
29      unitConfig = {
30        type = "oneshot";
31        RemainAfterExit = true;
32        user = "alice";
33      };
34
35      script = ''
36        cd $HOME
37
38        mkdir .password-store && echo s3cret > .password-store/secret
39        mkdir my-secrets && echo s3cret > my-secrets/secret
40
41        echo publ1c > public
42
43        mkdir -p .config/firejail
44        echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local
45      '';
46    };
47  };
48
49  testScript = ''
50    start_all()
51    machine.wait_for_unit("multi-user.target")
52
53    # Test path acl with wrapper
54    machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c")
55    machine.fail(
56        "sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret"
57    )
58    machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")
59
60    # Test extraArgs
61    machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
62    machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
63    machine.fail("sudo -u alice cat /home/alice/foo")
64    machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")
65
66    # Test path acl with firejail executable
67    machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
68    machine.fail(
69        "sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret"
70    )
71    machine.fail(
72        "sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret"
73    )
74
75    # Disabling profiles
76    machine.succeed(
77        "sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret"
78    )
79
80    # CVE-2020-17367
81    machine.fail(
82        "sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1"
83    )
84
85    # CVE-2020-17368
86    machine.fail(
87        "sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2"
88    )
89  '';
90})
91