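# NixOS VM test for programs.firejail.
#
# Covers: wrapped binaries, a wrapper with extra arguments, path blacklisting
# through both the wrapper and the firejail executable, --noprofile, and
# regression checks for CVE-2020-17367 and CVE-2020-17368.
{ pkgs, ... }:
{
  name = "firejail";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ sgo ];
  };

  nodes.machine =
    { ... }:
    {
      # Presumably provides the "alice" account used throughout the test
      # (file not shown here).
      imports = [ ./common/user-account.nix ];

      programs.firejail = {
        enable = true;
        wrappedBinaries = {
          # Plain wrapper: bash started through firejail with default options.
          bash-jailed = "${pkgs.bash}/bin/bash";
          # Wrapper with extra arguments: bash gets ~/firejail-home as its
          # private home directory.
          bash-jailed2 = {
            executable = "${pkgs.bash}/bin/bash";
            extraArgs = [ "--private=~/firejail-home" ];
          };
        };
      };

      # One-shot fixture that creates the files the assertions read.
      systemd.services.setupFirejailTest = {
        wantedBy = [ "multi-user.target" ];
        before = [ "multi-user.target" ];

        environment = {
          HOME = "/home/alice";
        };

        # Type=, RemainAfterExit= and User= are [Service] settings and systemd
        # key names are case-sensitive. Under unitConfig (as "type"/"user")
        # they end up in [Unit] and are ignored: the script then runs as the
        # default service user with the default service type, and
        # multi-user.target does not wait for the script to finish.
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          User = "alice";
        };

        script = ''
          cd $HOME

          # Two secrets: .password-store has no rule written by this test, so
          # hiding it relies on the profile firejail applies by default;
          # my-secrets is hidden only by the user rule written below.
          mkdir .password-store && echo s3cret > .password-store/secret
          mkdir my-secrets && echo s3cret > my-secrets/secret

          # File that must stay readable inside the sandbox.
          echo publ1c > public

          # Per-user firejail rule blacklisting my-secrets.
          mkdir -p .config/firejail
          echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local
        '';
      };
    };

  testScript = ''
    start_all()
    machine.wait_for_unit("multi-user.target")

    # Positive control: outside the sandbox alice can read both secrets, so
    # the machine.fail() checks below cannot pass just because the fixture
    # did not run or the files are missing.
    machine.succeed("sudo -u alice grep -q s3cret /home/alice/.password-store/secret")
    machine.succeed("sudo -u alice grep -q s3cret /home/alice/my-secrets/secret")

    # Test path acl with wrapper
    machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c")
    machine.fail(
        "sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret"
    )
    machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")

    # Test extraArgs: a write to ~ inside bash-jailed2 must land in the
    # private home (~/firejail-home), not in the real home directory.
    machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
    machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
    machine.fail("sudo -u alice cat /home/alice/foo")
    machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")

    # Test path acl with firejail executable
    machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
    machine.fail(
        "sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret"
    )
    machine.fail(
        "sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret"
    )

    # Disabling profiles: with --noprofile the blacklist is not applied and
    # the secret is readable again.
    machine.succeed(
        "sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret"
    )

    # CVE-2020-17367 (regression check). The command chain must fail, i.e.
    # firejail exits non-zero or /tmp/vuln1 is not readable on the host.
    machine.fail(
        "sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1"
    )

    # CVE-2020-17368 (regression check). The shell metacharacters in the
    # argument must not be evaluated; the chain must fail, i.e. firejail exits
    # non-zero or /tmp/vuln2 is not readable on the host.
    machine.fail(
        "sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2"
    )
  '';
}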