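# NixOS VM test for the firejail module: checks that the wrapped binaries and
# the plain `firejail` executable enforce the profile path blacklists, that
# `extraArgs` are passed to a wrapper, and that two fixed command-injection
# bugs in `--output` handling stay fixed.
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "firejail";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ sgo ];
    };

    nodes.machine =
      { ... }:
      {
        imports = [ ./common/user-account.nix ];

        programs.firejail = {
          enable = true;
          wrappedBinaries = {
            # Wrapper using whatever profile firejail picks by default.
            bash-jailed = "${pkgs.bash}/bin/bash";
            # Wrapper with an extra argument: home is replaced by ~/firejail-home.
            bash-jailed2 = {
              executable = "${pkgs.bash}/bin/bash";
              extraArgs = [ "--private=~/firejail-home" ];
            };
          };
        };

        # Creates the fixture files in alice's home before the test script runs.
        systemd.services.setupFirejailTest = {
          wantedBy = [ "multi-user.target" ];
          before = [ "multi-user.target" ];

          environment = {
            HOME = "/home/alice";
          };

          # Type, RemainAfterExit and User are [Service] settings and systemd
          # key names are case-sensitive. Written as `type`/`user` under
          # unitConfig they land in [Unit], where systemd ignores them: the
          # fixture then runs as root with the default service type, so
          # multi-user.target does not wait for the script to finish.
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            User = "alice";
          };

          script = ''
            cd $HOME

            # Two secrets: one in a well-known location, one in a custom directory.
            mkdir .password-store && echo s3cret > .password-store/secret
            mkdir my-secrets && echo s3cret > my-secrets/secret

            echo publ1c > public

            # Per-user firejail override that blacklists the custom directory.
            mkdir -p .config/firejail
            echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local
          '';
        };
      };

    testScript = ''
      start_all()
      machine.wait_for_unit("multi-user.target")

      # Test path acl with wrapper
      # The public file must stay readable; both secrets must not be.
      machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c")
      machine.fail(
          "sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret"
      )
      machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")

      # Test extraArgs
      # With --private=~/firejail-home a write to ~/foo inside the jail must end
      # up in firejail-home and must not appear in the real home directory.
      machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
      machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
      machine.fail("sudo -u alice cat /home/alice/foo")
      machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")

      # Test path acl with firejail executable
      machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
      machine.fail(
          "sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret"
      )
      machine.fail(
          "sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret"
      )

      # Disabling profiles
      # Control case: with --noprofile the secret is readable, which shows that
      # the denials above come from the firejail profile and not from file
      # permissions on the fixture.
      machine.succeed(
          "sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret"
      )

      # CVE-2020-17367
      # Regression check: an --output option placed after the program name must
      # not be interpreted by firejail, so /tmp/vuln1 must not exist on the host.
      # NOTE(review): fail() also passes when the firejail command itself exits
      # non-zero, so this does not distinguish "file absent" from "firejail errored".
      machine.fail(
          "sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1"
      )

      # CVE-2020-17368
      # Regression check: shell metacharacters in the command given alongside
      # --output must not be evaluated outside the sandbox, so /tmp/vuln2 must
      # not exist on the host. The NOTE(review) above applies here as well.
      machine.fail(
          "sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2"
      )
    '';
  }
)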