commit 51d3f3475c2fb35f0d9682ea600066b1cea459c6 · pyrox.dev/nixpkgs

+187

nixos/tests/systemd-confinement/checkperms.py

···

       1
       +
       import errno

     

       2
       +
       import os

     

       3
       +
       

     

       4
       +
       from enum import IntEnum

     

       5
       +
       from pathlib import Path

     

       6
       +
       

     

       7
       +
       

     

       8
       +
       class Accessibility(IntEnum):

     

       9
       +
           """

     

       10
       +
           The level of accessibility we have on a file or directory.

     

       11
       +
       

     

       12
       +
           This is needed to assess the attack surface on the file system namespace we

     

       13
       +
           have within a confined service. Higher levels mean more permissions for the

     

       14
       +
           user and thus a bigger attack surface.

     

       15
       +
           """

     

       16
       +
           NONE = 0

     

       17
       +
       

     

       18
       +
           # Directories can be listed or files can be read.

     

       19
       +
           READABLE = 1

     

       20
       +
       

     

       21
       +
           # This is for special file systems such as procfs and for stuff such as

     

       22
       +
           # FIFOs or character special files. The reason why this has a lower value

     

       23
       +
           # than WRITABLE is because those files are more restricted on what and how

     

       24
       +
           # they can be written to.

     

       25
       +
           SPECIAL = 2

     

       26
       +
       

     

       27
       +
           # Another special case are sticky directories, which do allow write access

     

       28
       +
           # but restrict deletion. This does *not* apply to sticky directories that

     

       29
       +
           # are read-only.

     

       30
       +
           STICKY = 3

     

       31
       +
       

     

       32
       +
           # Essentially full permissions, the kind of accessibility we want to avoid

     

       33
       +
           # in most cases.

     

       34
       +
           WRITABLE = 4

     

       35
       +
       

     

       36
       +
           def assert_on(self, path: Path) -> None:

     

       37
       +
               """

     

       38
       +
               Raise an AssertionError if the given 'path' allows for more

     

       39
       +
               accessibility than 'self'.

     

       40
       +
               """

     

       41
       +
               actual = self.NONE

     

       42
       +
       

     

       43
       +
               if path.is_symlink():

     

       44
       +
                   actual = self.READABLE

     

       45
       +
               elif path.is_dir():

     

       46
       +
                   writable = True

     

       47
       +
       

     

       48
       +
                   dummy_file = path / 'can_i_write'

     

       49
       +
                   try:

     

       50
       +
                       dummy_file.touch()

     

       51
       +
                   except OSError as e:

     

       52
       +
                       if e.errno in [errno.EROFS, errno.EACCES]:

     

       53
       +
                           writable = False

     

       54
       +
                       else:

     

       55
       +
                           raise

     

       56
       +
                   else:

     

       57
       +
                       dummy_file.unlink()

     

       58
       +
       

     

       59
       +
                   if writable:

     

       60
       +
                       # The reason why we test this *after* we made sure it's

     

       61
       +
                       # writable is because we could have a sticky directory where

     

       62
       +
                       # the current user doesn't have write access.

     

       63
       +
                       if path.stat().st_mode & 0o1000 == 0o1000:

     

       64
       +
                           actual = self.STICKY

     

       65
       +
                       else:

     

       66
       +
                           actual = self.WRITABLE

     

       67
       +
                   else:

     

       68
       +
                       actual = self.READABLE

     

       69
       +
               elif path.is_file():

     

       70
       +
                   try:

     

       71
       +
                       with path.open('rb') as fp:

     

       72
       +
                           fp.read(1)

     

       73
       +
                       actual = self.READABLE

     

       74
       +
                   except PermissionError:

     

       75
       +
                       pass

     

       76
       +
       

     

       77
       +
                   writable = True

     

       78
       +
                   try:

     

       79
       +
                       with path.open('ab') as fp:

     

       80
       +
                           fp.write('x')

     

       81
       +
                           size = fp.tell()

     

       82
       +
                           fp.truncate(size)

     

       83
       +
                   except PermissionError:

     

       84
       +
                       writable = False

     

       85
       +
                   except OSError as e:

     

       86
       +
                       if e.errno == errno.ETXTBSY:

     

       87
       +
                           writable = os.access(path, os.W_OK)

     

       88
       +
                       elif e.errno == errno.EROFS:

     

       89
       +
                           writable = False

     

       90
       +
                       else:

     

       91
       +
                           raise

     

       92
       +
       

     

       93
       +
                   # Let's always try to fail towards being writable, so if *either*

     

       94
       +
                   # access(2) or a real write is successful it's writable. This is to

     

       95
       +
                   # make sure we don't accidentally introduce no-ops if we have bugs

     

       96
       +
                   # in the more complicated real write code above.

     

       97
       +
                   if writable or os.access(path, os.W_OK):

     

       98
       +
                       actual = self.WRITABLE

     

       99
       +
               else:

     

       100
       +
                   # We need to be very careful when writing to or reading from

     

       101
       +
                   # special files (eg.  FIFOs), since they can possibly block. So if

     

       102
       +
                   # it's not a file, just trust that access(2) won't lie.

     

       103
       +
                   if os.access(path, os.R_OK):

     

       104
       +
                       actual = self.READABLE

     

       105
       +
       

     

       106
       +
                   if os.access(path, os.W_OK):

     

       107
       +
                       actual = self.SPECIAL

     

       108
       +
       

     

       109
       +
               if actual > self:

     

       110
       +
                   stat = path.stat()

     

       111
       +
                   details = ', '.join([

     

       112
       +
                       f'permissions: {stat.st_mode & 0o7777:o}',

     

       113
       +
                       f'uid: {stat.st_uid}',

     

       114
       +
                       f'group: {stat.st_gid}',

     

       115
       +
                   ])

     

       116
       +
       

     

       117
       +
                   raise AssertionError(

     

       118
       +
                       f'Expected at most {self!r} but got {actual!r} for path'

     

       119
       +
                       f' {path} ({details}).'

     

       120
       +
                   )

     

       121
       +
       

     

       122
       +
       

     

       123
       +
       def is_special_fs(path: Path) -> bool:

     

       124
       +
           """

     

       125
       +
           Check whether the given path truly is a special file system such as procfs

     

       126
       +
           or sysfs.

     

       127
       +
           """

     

       128
       +
           try:

     

       129
       +
               if path == Path('/proc'):

     

       130
       +
                   return (path / 'version').read_text().startswith('Linux')

     

       131
       +
               elif path == Path('/sys'):

     

       132
       +
                   return b'Linux' in (path / 'kernel' / 'notes').read_bytes()

     

       133
       +
           except FileNotFoundError:

     

       134
       +
               pass

     

       135
       +
           return False

     

       136
       +
       

     

       137
       +
       

     

       138
       +
       def is_empty_dir(path: Path) -> bool:

     

       139
       +
           try:

     

       140
       +
               next(path.iterdir())

     

       141
       +
               return False

     

       142
       +
           except (StopIteration, PermissionError):

     

       143
       +
               return True

     

       144
       +
       

     

       145
       +
       

     

       146
       +
       def _assert_permissions_in_directory(

     

       147
       +
           directory: Path,

     

       148
       +
           accessibility: Accessibility,

     

       149
       +
           subdirs: dict[Path, Accessibility],

     

       150
       +
       ) -> None:

     

       151
       +
           accessibility.assert_on(directory)

     

       152
       +
       

     

       153
       +
           for file in directory.iterdir():

     

       154
       +
               if is_special_fs(file):

     

       155
       +
                   msg = f'Got unexpected special filesystem at {file}.'

     

       156
       +
                   assert subdirs.pop(file) == Accessibility.SPECIAL, msg

     

       157
       +
               elif not file.is_symlink() and file.is_dir():

     

       158
       +
                   subdir_access = subdirs.pop(file, accessibility)

     

       159
       +
                   if is_empty_dir(file):

     

       160
       +
                       # Whenever we got an empty directory, we check the permission

     

       161
       +
                       # constraints on the current directory (except if specified

     

       162
       +
                       # explicitly in subdirs) because for example if we're non-root

     

       163
       +
                       # (the constraints of the current directory are thus

     

       164
       +
                       # Accessibility.READABLE), we really have to make sure that

     

       165
       +
                       # empty directories are *never* writable.

     

       166
       +
                       subdir_access.assert_on(file)

     

       167
       +
                   else:

     

       168
       +
                       _assert_permissions_in_directory(file, subdir_access, subdirs)

     

       169
       +
               else:

     

       170
       +
                   subdirs.pop(file, accessibility).assert_on(file)

     

       171
       +
       

     

       172
       +
       

     

       173
       +
       def assert_permissions(subdirs: dict[str, Accessibility]) -> None:

     

       174
       +
           """

     

       175
       +
           Recursively check whether the file system conforms to the accessibility

     

       176
       +
           specification we specified via 'subdirs'.

     

       177
       +
           """

     

       178
       +
           root = Path('/')

     

       179
       +
           absolute_subdirs = {root / p: a for p, a in subdirs.items()}

     

       180
       +
           _assert_permissions_in_directory(

     

       181
       +
               root,

     

       182
       +
               Accessibility.WRITABLE if os.getuid() == 0 else Accessibility.READABLE,

     

       183
       +
               absolute_subdirs,

     

       184
       +
           )

     

       185
       +
           for file in absolute_subdirs.keys():

     

       186
       +
               msg = f'Expected {file} to exist, but it was nowwhere to be found.'

     

       187
       +
               raise AssertionError(msg)

+210 -221

nixos/tests/systemd-confinement/default.nix

···

       2
        
         name = "systemd-confinement";

     

       3
        
       

     

       4
        
         nodes.machine = { pkgs, lib, ... }: let

     

       5
       -
           testServer = pkgs.writeScript "testserver.sh" ''

     

       6
       -
             #!${pkgs.runtimeShell}

     

       7
       -
             export PATH=${lib.makeBinPath [ pkgs.coreutils pkgs.findutils ]}

     

       8
       -
             ${lib.escapeShellArg pkgs.runtimeShell} 2>&1

     

       9
       -
             echo "exit-status:$?"

     

       10
       -
           '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
       

     

       12
       -
           testClient = pkgs.writeScriptBin "chroot-exec" ''

     

       13
       -
             #!${pkgs.runtimeShell} -e

     

       14
       -
             output="$(echo "$@" | nc -NU "/run/test$(< /teststep).sock")"

     

       15
       -
             ret="$(echo "$output" | sed -nre '$s/^exit-status:([0-9]+)$/\1/p')"

     

       16
       -
             echo "$output" | head -n -1

     

       17
       -
             exit "''${ret:-1}"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
           '';

     

       19
        
       

     

       20
        
           mkTestStep = num: {

     
···

       22
        
             testScript,

     

       23
        
             config ? {},

     

       24
        
             serviceName ? "test${toString num}",

     

       0
        
       
     

       25
        
           }: {

     

       26
       -
             systemd.sockets.${serviceName} = {

     

       27
       -
               description = "Socket for Test Service ${toString num}";

     

       28
       -
               wantedBy = [ "sockets.target" ];

     

       29
       -
               socketConfig.ListenStream = "/run/test${toString num}.sock";

     

       30
       -
               socketConfig.Accept = true;

     

       31
       -
             };

     

       32
        
       

     

       33
       -
             systemd.services."${serviceName}@" = {

     

       34
       -
               description = "Confined Test Service ${toString num}";

     

       0
        
       
     

       35
        
               confinement = (config.confinement or {}) // { enable = true; };

     

       36
        
               serviceConfig = (config.serviceConfig or {}) // {

     

       37
       -
                 ExecStart = testServer;

     

       38
       -
                 StandardInput = "socket";

     

       39
        
               };

     

       40
        
             } // removeAttrs config [ "confinement" "serviceConfig" ];

     

       41
       -
       

     

       42
       -
             __testSteps = lib.mkOrder num ''

     

       43
       -
               with subtest('${lib.escape ["'" "\\"] description}'):

     

       44
       -
                 machine.succeed("echo ${toString num} > /teststep")

     

       45
       -
                 ${lib.replaceStrings ["\n"] ["\n  "] testScript}

     

       46
       -
             '';

     

       47
        
           };

     

       48
        
       

     

       49
        
         in {

     
···

       51
        
             { description = "chroot-only confinement";

     

       52
        
               config.confinement.mode = "chroot-only";

     

       53
        
               testScript = ''

     

       54
       -
                 # chroot-exec starts a socket-activated service,

     

       55
       -
                 # but, upon starting, a systemd system service

     

       56
       -
                 # calls setup_namespace() which calls base_filesystem_create()

     

       57
       -
                 # which creates some usual top level directories.

     

       58
       -
                 # In chroot-only mode, without additional BindPaths= or the like,

     

       59
       -
                 # they must be empty and thus removable by rmdir.

     

       60
       -
                 paths = machine.succeed('chroot-exec rmdir /dev /etc /proc /root /sys /usr /var "&&" ls -Am /').strip()

     

       61
       -
                 assert_eq(paths, "bin, nix, run")

     

       62
       -
                 uid = machine.succeed('chroot-exec id -u').strip()

     

       63
       -
                 assert_eq(uid, "0")

     

       64
       -
                 machine.succeed("chroot-exec chown 65534 /bin")

     

       65
        
               '';

     

       66
        
             }

     

       67
        
             { description = "full confinement with APIVFS";

     

       68
        
               testScript = ''

     

       69
       -
                 machine.succeed('chroot-exec rmdir /etc')

     

       70
       -
                 machine.fail("chroot-exec chown 65534 /bin")

     

       71
       -
                 assert_eq(machine.succeed('chroot-exec id -u').strip(), "0")

     

       72
       -
                 machine.succeed("chroot-exec chown 0 /bin")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       73
        
               '';

     

       74
        
             }

     

       75
        
             { description = "check existence of bind-mounted /etc";

     

       76
        
               config.serviceConfig.BindReadOnlyPaths = [ "/etc" ];

     

       77
        
               testScript = ''

     

       78
       -
                 passwd = machine.succeed('chroot-exec cat /etc/passwd').strip()

     

       79
       -
                 assert len(passwd) > 0, "/etc/passwd must not be empty"

     

       80
        
               '';

     

       81
        
             }

     

       82
        
             { description = "check if User/Group really runs as non-root";

     

       83
        
               config.serviceConfig.User = "chroot-testuser";

     

       84
        
               config.serviceConfig.Group = "chroot-testgroup";

     

       85
        
               testScript = ''

     

       86
       -
                 machine.succeed("chroot-exec ls -l /dev")

     

       87
       -
                 uid = machine.succeed('chroot-exec id -u').strip()

     

       88
       -
                 assert uid != "0", "UID of chroot-testuser shouldn't be 0"

     

       89
       -
                 machine.fail("chroot-exec touch /bin/test")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       90
        
               '';

     

       91
        
             }

     

       92
        
             { description = "check if DynamicUser is working in full-apivfs mode";

     

       93
        
               config.confinement.mode = "full-apivfs";

     

       94
        
               config.serviceConfig.DynamicUser = true;

     

       95
        
               testScript = ''

     

       96
       -
                 machine.succeed("chroot-exec ls -l /dev")

     

       97
       -
                 paths = machine.succeed('chroot-exec find / -path /dev/"\\*" -prune -o -path /nix/"\\*" -prune -o -path /proc/"\\*" -prune -o -path /sys/"\\*" -prune -o -print || test $? = 1')

     

       98
       -
                 assert_eq(

     

       99
       -
                   '\n'.join(sorted(paths.split('\n'))),

     

       100
       -
                   dedent("""

     

       101
       -
                     /

     

       102
       -
                     /bin

     

       103
       -
                     /bin/sh

     

       104
       -
                     /dev

     

       105
       -
                     /etc

     

       106
       -
                     /nix

     

       107
       -
                     /proc

     

       108
       -
                     /root

     

       109
       -
                     /run

     

       110
       -
                     /run/host

     

       111
       -
                     /run/host/.os-release-stage

     

       112
       -
                     /run/host/.os-release-stage/os-release

     

       113
       -
                     /run/host/os-release

     

       114
       -
                     /run/systemd

     

       115
       -
                     /run/systemd/incoming

     

       116
       -
                     /sys

     

       117
       -
                     /tmp

     

       118
       -
                     /usr

     

       119
       -
                     /var

     

       120
       -
                     /var/tmp

     

       121
       -
                     find: '/root': Permission denied

     

       122
       -
                     find: '/run/systemd/incoming': Permission denied

     

       123
       -
                   """).rstrip()

     

       124
       -
                 )

     

       125
       -
                 uid = machine.succeed('chroot-exec id -u').strip()

     

       126
       -
                 assert uid != "0", "UID of a DynamicUser shouldn't be 0"

     

       127
       -
                 machine.fail("chroot-exec touch /bin/test")

     

       128
       -
                 # DynamicUser=true implies ProtectSystem=strict

     

       129
       -
                 machine.fail("chroot-exec touch /etc/test")

     

       130
        
               '';

     

       131
        
             }

     

       132
        
             { description = "check if DynamicUser and PrivateTmp=false are working in full-apivfs mode";

     
···

       134
        
               config.serviceConfig.DynamicUser = true;

     

       135
        
               config.serviceConfig.PrivateTmp = false;

     

       136
        
               testScript = ''

     

       137
       -
                 machine.succeed("chroot-exec ls -l /dev")

     

       138
       -
                 paths = machine.succeed('chroot-exec find / -path /dev/"\\*" -prune -o -path /nix/"\\*" -prune -o -path /proc/"\\*" -prune -o -path /sys/"\\*" -prune -o -print || test $? = 1')

     

       139
       -
                 assert_eq(

     

       140
       -
                   '\n'.join(sorted(paths.split('\n'))),

     

       141
       -
                   dedent("""

     

       142
       -
                     /

     

       143
       -
                     /bin

     

       144
       -
                     /bin/sh

     

       145
       -
                     /dev

     

       146
       -
                     /etc

     

       147
       -
                     /nix

     

       148
       -
                     /proc

     

       149
       -
                     /root

     

       150
       -
                     /run

     

       151
       -
                     /run/host

     

       152
       -
                     /run/host/.os-release-stage

     

       153
       -
                     /run/host/.os-release-stage/os-release

     

       154
       -
                     /run/host/os-release

     

       155
       -
                     /run/systemd

     

       156
       -
                     /run/systemd/incoming

     

       157
       -
                     /sys

     

       158
       -
                     /usr

     

       159
       -
                     /var

     

       160
       -
                     find: '/root': Permission denied

     

       161
       -
                     find: '/run/systemd/incoming': Permission denied

     

       162
       -
                   """).rstrip()

     

       163
       -
                 )

     

       164
       -
                 uid = machine.succeed('chroot-exec id -u').strip()

     

       165
       -
                 assert uid != "0", "UID of a DynamicUser shouldn't be 0"

     

       166
       -
                 machine.fail("chroot-exec touch /bin/test")

     

       167
       -
                 # DynamicUser=true implies ProtectSystem=strict

     

       168
       -
                 machine.fail("chroot-exec touch /etc/test")

     

       169
        
               '';

     

       170
        
             }

     

       171
        
             { description = "check if DynamicUser is working in chroot-only mode";

     

       172
        
               config.confinement.mode = "chroot-only";

     

       173
        
               config.serviceConfig.DynamicUser = true;

     

       174
        
               testScript = ''

     

       175
       -
                 paths = machine.succeed('chroot-exec find / -path /nix/"\\*" -prune -o -print || test $? = 1')

     

       176
       -
                 assert_eq(

     

       177
       -
                   '\n'.join(sorted(paths.split('\n'))),

     

       178
       -
                   dedent("""

     

       179
       -
                     /

     

       180
       -
                     /bin

     

       181
       -
                     /bin/sh

     

       182
       -
                     /dev

     

       183
       -
                     /etc

     

       184
       -
                     /nix

     

       185
       -
                     /proc

     

       186
       -
                     /root

     

       187
       -
                     /run

     

       188
       -
                     /run/systemd

     

       189
       -
                     /run/systemd/incoming

     

       190
       -
                     /sys

     

       191
       -
                     /usr

     

       192
       -
                     /var

     

       193
       -
                     find: '/root': Permission denied

     

       194
       -
                     find: '/run/systemd/incoming': Permission denied

     

       195
       -
                   """).rstrip()

     

       196
       -
                 )

     

       197
       -
                 uid = machine.succeed('chroot-exec id -u').strip()

     

       198
       -
                 assert uid != "0", "UID of a DynamicUser shouldn't be 0"

     

       199
       -
                 machine.fail("chroot-exec touch /bin/test")

     

       200
        
               '';

     

       201
        
             }

     

       202
        
             { description = "check if DynamicUser and PrivateTmp=true are working in chroot-only mode";

     
···

       204
        
               config.serviceConfig.DynamicUser = true;

     

       205
        
               config.serviceConfig.PrivateTmp = true;

     

       206
        
               testScript = ''

     

       207
       -
                 paths = machine.succeed('chroot-exec find / -path /nix/"\\*" -prune -o -print || test $? = 1')

     

       208
       -
                 assert_eq(

     

       209
       -
                   '\n'.join(sorted(paths.split('\n'))),

     

       210
       -
                   dedent("""

     

       211
       -
                     /

     

       212
       -
                     /bin

     

       213
       -
                     /bin/sh

     

       214
       -
                     /dev

     

       215
       -
                     /etc

     

       216
       -
                     /nix

     

       217
       -
                     /proc

     

       218
       -
                     /root

     

       219
       -
                     /run

     

       220
       -
                     /run/systemd

     

       221
       -
                     /run/systemd/incoming

     

       222
       -
                     /sys

     

       223
       -
                     /tmp

     

       224
       -
                     /usr

     

       225
       -
                     /var

     

       226
       -
                     /var/tmp

     

       227
       -
                     find: '/root': Permission denied

     

       228
       -
                     find: '/run/systemd/incoming': Permission denied

     

       229
       -
                   """).rstrip()

     

       230
       -
                 )

     

       231
       -
                 uid = machine.succeed('chroot-exec id -u').strip()

     

       232
       -
                 assert uid != "0", "UID of a DynamicUser shouldn't be 0"

     

       233
       -
                 machine.fail("chroot-exec touch /bin/test")

     

       234
        
               '';

     

       235
        
             }

     

       236
        
             (let

     

       237
        
               symlink = pkgs.runCommand "symlink" {

     

       238
       -
                 target = pkgs.writeText "symlink-target" "got me\n";

     

       239
        
               } "ln -s \"$target\" \"$out\"";

     

       240
        
             in {

     

       241
        
               description = "check if symlinks are properly bind-mounted";

     

       242
        
               config.confinement.packages = lib.singleton symlink;

     

       243
        
               testScript = ''

     

       244
       -
                 machine.succeed("chroot-exec rmdir /etc")

     

       245
       -
                 text = machine.succeed('chroot-exec cat ${symlink}').strip()

     

       246
       -
                 assert_eq(text, "got me")

     

       247
        
               '';

     

       248
        
             })

     

       249
        
             { description = "check if StateDirectory works";

     

       250
        
               config.serviceConfig.User = "chroot-testuser";

     

       251
        
               config.serviceConfig.Group = "chroot-testgroup";

     

       252
        
               config.serviceConfig.StateDirectory = "testme";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       253
        
               testScript = ''

     

       254
       -
                 machine.succeed("chroot-exec touch /tmp/canary")

     

       255
       -
                 machine.succeed('chroot-exec "echo works > /var/lib/testme/foo"')

     

       256
       -
                 machine.succeed('test "$(< /var/lib/testme/foo)" = works')

     

       257
       -
                 machine.succeed("test ! -e /tmp/canary")

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       258
        
               '';

     

       259
        
             }

     

       260
        
             { description = "check if /bin/sh works";

     

       261
        
               testScript = ''

     

       262
       -
                 machine.succeed(

     

       263
       -
                   "chroot-exec test -e /bin/sh",

     

       264
       -
                   'test "$(chroot-exec \'/bin/sh -c "echo bar"\')" = bar',

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       265
        
                 )

     

       0
        
       
     

       266
        
               '';

     

       267
        
             }

     

       268
        
             { description = "check if suppressing /bin/sh works";

     

       269
        
               config.confinement.binSh = null;

     

       270
        
               testScript = ''

     

       271
       -
                 machine.succeed(

     

       272
       -
                   'chroot-exec test ! -e /bin/sh',

     

       273
       -
                   'test "$(chroot-exec \'/bin/sh -c "echo foo"\')" != foo',

     

       274
       -
                 )

     

       275
        
               '';

     

       276
        
             }

     

       277
        
             { description = "check if we can set /bin/sh to something different";

     

       278
        
               config.confinement.binSh = "${pkgs.hello}/bin/hello";

     

       279
        
               testScript = ''

     

       280
       -
                 machine.succeed("chroot-exec test -e /bin/sh")

     

       281
       -
                 machine.succeed('test "$(chroot-exec /bin/sh -g foo)" = foo')

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       282
        
               '';

     

       283
        
             }

     

       284
        
             { description = "check if only Exec* dependencies are included";

     

       285
       -
               config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n";

     

       286
        
               testScript = ''

     

       287
       -
                 machine.succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" != eek')

     

       0
        
       
     

       288
        
               '';

     

       289
        
             }

     

       290
       -
             { description = "check if all unit dependencies are included";

     

       291
       -
               config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n";

     

       292
        
               config.confinement.fullUnit = true;

     

       293
        
               testScript = ''

     

       294
       -
                 machine.succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" = eek')

     

       295
        
               '';

     

       296
        
             }

     

       297
        
             { description = "check if shipped unit file still works";

     

       298
       -
               serviceName = "shipped-unitfile";

     

       299
        
               config.confinement.mode = "chroot-only";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       300
        
               testScript = ''

     

       301
       -
                 machine.succeed(

     

       302
       -
                   'chroot-exec \'kill -9 $$ 2>&1 || :\' | '

     

       303
       -
                   'grep -q "Too many levels of symbolic links"'

     

       304
       -
                 )

     

       305
        
               '';

     

       306
        
             }

     

       307
        
           ];

     

       308
        
       

     

       309
       -
           options.__testSteps = lib.mkOption {

     

       310
       -
             type = lib.types.lines;

     

       311
       -
             description = "All of the test steps combined as a single script.";

     

       312
       -
           };

     

       313
       -
       

     

       314
       -
           config.environment.systemPackages = lib.singleton testClient;

     

       315
       -
           config.systemd.packages = lib.singleton (pkgs.writeTextFile {

     

       316
       -
             name = "shipped-unitfile";

     

       317
       -
             destination = "/etc/systemd/system/shipped-unitfile@.service";

     

       318
       -
             text = ''

     

       319
       -
               [Service]

     

       320
       -
               SystemCallFilter=~kill

     

       321
       -
               SystemCallErrorNumber=ELOOP

     

       322
       -
             '';

     

       323
       -
           });

     

       324
       -
       

     

       325
        
           config.users.groups.chroot-testgroup = {};

     

       326
        
           config.users.users.chroot-testuser = {

     

       327
        
             isSystemUser = true;

     
···

       330
        
           };

     

       331
        
         };

     

       332
        
       

     

       333
       -
         testScript = { nodes, ... }: ''

     

       334
       -
           from textwrap import dedent

     

       335
       -
           import difflib

     

       336
       -
       

     

       337
       -
           def assert_eq(got, expected):

     

       338
       -
             if got != expected:

     

       339
       -
               diff = difflib.unified_diff(got.splitlines(keepends=True), expected.splitlines(keepends=True))

     

       340
       -
               print("".join(diff))

     

       341
       -
             assert got == expected, f"{got} != {expected}"

     

       342
       -
       

     

       343
        
           machine.wait_for_unit("multi-user.target")

     

       344
       -
         '' + nodes.machine.__testSteps;

     

       345
        
       }

···

       2
        
         name = "systemd-confinement";

     

       3
        
       

     

       4
        
         nodes.machine = { pkgs, lib, ... }: let

     

       5
       +
           testLib = pkgs.python3Packages.buildPythonPackage {

     

       6
       +
             name = "confinement-testlib";

     

       7
       +
             unpackPhase = ''

     

       8
       +
               cat > setup.py <<EOF

     

       9
       +
               from setuptools import setup

     

       10
       +
               setup(name='confinement-testlib', py_modules=["checkperms"])

     

       11
       +
               EOF

     

       12
       +
               cp ${./checkperms.py} checkperms.py

     

       13
       +
             '';

     

       14
       +
           };

     

       15
        
       

     

       16
       +
           mkTest = name: testScript: pkgs.writers.writePython3 "${name}.py" {

     

       17
       +
             libraries = [ pkgs.python3Packages.pytest testLib ];

     

       18
       +
           } ''

     

       19
       +
             # This runs our test script by using pytest's assertion rewriting, so

     

       20
       +
             # that whenever we use "assert <something>", the actual values are

     

       21
       +
             # printed rather than getting a generic AssertionError or the need to

     

       22
       +
             # pass an explicit assertion error message.

     

       23
       +
             import ast

     

       24
       +
             from pathlib import Path

     

       25
       +
             from _pytest.assertion.rewrite import rewrite_asserts

     

       26
       +
       

     

       27
       +
             script = Path('${pkgs.writeText "${name}-main.py" ''

     

       28
       +
               import errno, os, pytest, signal

     

       29
       +
               from subprocess import run

     

       30
       +
               from checkperms import Accessibility, assert_permissions

     

       31
       +
       

     

       32
       +
               ${testScript}

     

       33
       +
             ''}') # noqa

     

       34
       +
             filename = str(script)

     

       35
       +
             source = script.read_bytes()

     

       36
       +
       

     

       37
       +
             tree = ast.parse(source, filename=filename)

     

       38
       +
             rewrite_asserts(tree, source, filename)

     

       39
       +
             exec(compile(tree, filename, 'exec', dont_inherit=True))

     

       40
        
           '';

     

       41
        
       

     

       42
        
           mkTestStep = num: {

     
···

       44
        
             testScript,

     

       45
        
             config ? {},

     

       46
        
             serviceName ? "test${toString num}",

     

       47
       +
             rawUnit ? null,

     

       48
        
           }: {

     

       49
       +
             systemd.packages = lib.optional (rawUnit != null) (pkgs.writeTextFile {

     

       50
       +
               name = serviceName;

     

       51
       +
               destination = "/etc/systemd/system/${serviceName}.service";

     

       52
       +
               text = rawUnit;

     

       53
       +
             });

     

       0
        
       
     

       54
        
       

     

       55
       +
             systemd.services.${serviceName} = {

     

       56
       +
               inherit description;

     

       57
       +
               requiredBy = [ "multi-user.target" ];

     

       58
        
               confinement = (config.confinement or {}) // { enable = true; };

     

       59
        
               serviceConfig = (config.serviceConfig or {}) // {

     

       60
       +
                 ExecStart = mkTest serviceName testScript;

     

       61
       +
                 Type = "oneshot";

     

       62
        
               };

     

       63
        
             } // removeAttrs config [ "confinement" "serviceConfig" ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       64
        
           };

     

       65
        
       

     

       66
        
         in {

     
···

       68
        
             { description = "chroot-only confinement";

     

       69
        
               config.confinement.mode = "chroot-only";

     

       70
        
               testScript = ''

     

       71
       +
                 assert_permissions({

     

       72
       +
                   'bin': Accessibility.WRITABLE,

     

       73
       +
                   'nix': Accessibility.WRITABLE,

     

       74
       +
                   'run': Accessibility.WRITABLE,

     

       75
       +
                 })

     

       76
       +
       

     

       77
       +
                 assert os.getuid() == 0

     

       78
       +
                 os.chown('/bin', 65534, 0)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       79
        
               '';

     

       80
        
             }

     

       81
        
             { description = "full confinement with APIVFS";

     

       82
        
               testScript = ''

     

       83
       +
                 Path('/etc').rmdir()

     

       84
       +
       

     

       85
       +
                 assert_permissions({

     

       86
       +
                   'bin': Accessibility.WRITABLE,

     

       87
       +
                   'nix': Accessibility.WRITABLE,

     

       88
       +
                   'tmp': Accessibility.WRITABLE,

     

       89
       +
                   'run': Accessibility.WRITABLE,

     

       90
       +
       

     

       91
       +
                   'proc': Accessibility.SPECIAL,

     

       92
       +
                   'sys': Accessibility.SPECIAL,

     

       93
       +
                   'dev': Accessibility.WRITABLE,

     

       94
       +
                 })

     

       95
       +
       

     

       96
       +
                 bin_gid = Path('/bin').stat().st_gid

     

       97
       +
                 with pytest.raises(OSError) as excinfo:

     

       98
       +
                   os.chown('/bin', 65534, bin_gid)

     

       99
       +
                 assert excinfo.value.errno == errno.EINVAL

     

       100
       +
       

     

       101
       +
                 assert os.getuid() == 0

     

       102
       +
                 os.chown('/bin', 0, 0)

     

       103
        
               '';

     

       104
        
             }

     

       105
        
             { description = "check existence of bind-mounted /etc";

     

       106
        
               config.serviceConfig.BindReadOnlyPaths = [ "/etc" ];

     

       107
        
               testScript = ''

     

       108
       +
                 assert Path('/etc/passwd').read_text()

     

       0
        
       
     

       109
        
               '';

     

       110
        
             }

     

       111
        
             { description = "check if User/Group really runs as non-root";

     

       112
        
               config.serviceConfig.User = "chroot-testuser";

     

       113
        
               config.serviceConfig.Group = "chroot-testgroup";

     

       114
        
               testScript = ''

     

       115
       +
                 assert list(Path('/dev').iterdir())

     

       116
       +
       

     

       117
       +
                 assert os.getuid() != 0

     

       118
       +
                 assert os.getgid() != 0

     

       119
       +
       

     

       120
       +
                 with pytest.raises(PermissionError):

     

       121
       +
                   Path('/bin/test').touch()

     

       122
        
               '';

     

       123
        
             }

     

       124
        
             { description = "check if DynamicUser is working in full-apivfs mode";

     

       125
        
               config.confinement.mode = "full-apivfs";

     

       126
        
               config.serviceConfig.DynamicUser = true;

     

       127
        
               testScript = ''

     

       128
       +
                 assert_permissions({

     

       129
       +
                   'bin': Accessibility.READABLE,

     

       130
       +
                   'nix': Accessibility.READABLE,

     

       131
       +
                   'tmp': Accessibility.WRITABLE,

     

       132
       +
                   'run': Accessibility.STICKY,

     

       133
       +
       

     

       134
       +
                   'proc': Accessibility.SPECIAL,

     

       135
       +
                   'sys': Accessibility.SPECIAL,

     

       136
       +
       

     

       137
       +
                   'dev': Accessibility.SPECIAL,

     

       138
       +
                   'dev/shm': Accessibility.STICKY,

     

       139
       +
                   'dev/mqueue': Accessibility.STICKY,

     

       140
       +
       

     

       141
       +
                   'var': Accessibility.READABLE,

     

       142
       +
                   'var/tmp': Accessibility.WRITABLE,

     

       143
       +
                 })

     

       144
       +
       

     

       145
       +
                 assert os.getuid() != 0

     

       146
       +
                 assert os.getgid() != 0

     

       147
       +
       

     

       148
       +
                 with pytest.raises(OSError) as excinfo:

     

       149
       +
                   Path('/bin/test').touch()

     

       150
       +
                 assert excinfo.value.errno == errno.EROFS

     

       151
       +
       

     

       152
       +
                 with pytest.raises(OSError) as excinfo:

     

       153
       +
                   Path('/etc/test').touch()

     

       154
       +
                 assert excinfo.value.errno == errno.EROFS

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       155
        
               '';

     

       156
        
             }

     

       157
        
             { description = "check if DynamicUser and PrivateTmp=false are working in full-apivfs mode";

     
···

       159
        
               config.serviceConfig.DynamicUser = true;

     

       160
        
               config.serviceConfig.PrivateTmp = false;

     

       161
        
               testScript = ''

     

       162
       +
                 assert_permissions({

     

       163
       +
                   'bin': Accessibility.READABLE,

     

       164
       +
                   'nix': Accessibility.READABLE,

     

       165
       +
                   'run': Accessibility.STICKY,

     

       166
       +
       

     

       167
       +
                   'proc': Accessibility.SPECIAL,

     

       168
       +
                   'sys': Accessibility.SPECIAL,

     

       169
       +
       

     

       170
       +
                   'dev': Accessibility.SPECIAL,

     

       171
       +
                   'dev/shm': Accessibility.STICKY,

     

       172
       +
                   'dev/mqueue': Accessibility.STICKY,

     

       173
       +
                 })

     

       174
       +
       

     

       175
       +
                 assert os.getuid() != 0

     

       176
       +
                 assert os.getgid() != 0

     

       177
       +
       

     

       178
       +
                 with pytest.raises(OSError) as excinfo:

     

       179
       +
                   Path('/bin/test').touch()

     

       180
       +
                 assert excinfo.value.errno == errno.EROFS

     

       181
       +
       

     

       182
       +
                 with pytest.raises(OSError) as excinfo:

     

       183
       +
                   Path('/etc/test').touch()

     

       184
       +
                 assert excinfo.value.errno == errno.EROFS

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       185
        
               '';

     

       186
        
             }

     

       187
        
             { description = "check if DynamicUser is working in chroot-only mode";

     

       188
        
               config.confinement.mode = "chroot-only";

     

       189
        
               config.serviceConfig.DynamicUser = true;

     

       190
        
               testScript = ''

     

       191
       +
                 assert_permissions({

     

       192
       +
                   'bin': Accessibility.READABLE,

     

       193
       +
                   'nix': Accessibility.READABLE,

     

       194
       +
                   'run': Accessibility.READABLE,

     

       195
       +
                 })

     

       196
       +
       

     

       197
       +
                 assert os.getuid() != 0

     

       198
       +
                 assert os.getgid() != 0

     

       199
       +
       

     

       200
       +
                 with pytest.raises(OSError) as excinfo:

     

       201
       +
                   Path('/bin/test').touch()

     

       202
       +
                 assert excinfo.value.errno == errno.EROFS

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       203
        
               '';

     

       204
        
             }

     

       205
        
             { description = "check if DynamicUser and PrivateTmp=true are working in chroot-only mode";

     
···

       207
        
               config.serviceConfig.DynamicUser = true;

     

       208
        
               config.serviceConfig.PrivateTmp = true;

     

       209
        
               testScript = ''

     

       210
       +
                 assert_permissions({

     

       211
       +
                   'bin': Accessibility.READABLE,

     

       212
       +
                   'nix': Accessibility.READABLE,

     

       213
       +
                   'run': Accessibility.READABLE,

     

       214
       +
                   'tmp': Accessibility.WRITABLE,

     

       215
       +
       

     

       216
       +
                   'var': Accessibility.READABLE,

     

       217
       +
                   'var/tmp': Accessibility.WRITABLE,

     

       218
       +
                 })

     

       219
       +
       

     

       220
       +
                 assert os.getuid() != 0

     

       221
       +
                 assert os.getgid() != 0

     

       222
       +
       

     

       223
       +
                 with pytest.raises(OSError) as excinfo:

     

       224
       +
                   Path('/bin/test').touch()

     

       225
       +
                 assert excinfo.value.errno == errno.EROFS

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       226
        
               '';

     

       227
        
             }

     

       228
        
             (let

     

       229
        
               symlink = pkgs.runCommand "symlink" {

     

       230
       +
                 target = pkgs.writeText "symlink-target" "got me";

     

       231
        
               } "ln -s \"$target\" \"$out\"";

     

       232
        
             in {

     

       233
        
               description = "check if symlinks are properly bind-mounted";

     

       234
        
               config.confinement.packages = lib.singleton symlink;

     

       235
        
               testScript = ''

     

       236
       +
                 Path('/etc').rmdir()

     

       237
       +
                 assert Path('${symlink}').read_text() == 'got me'

     

       0
        
       
     

       238
        
               '';

     

       239
        
             })

     

       240
        
             { description = "check if StateDirectory works";

     

       241
        
               config.serviceConfig.User = "chroot-testuser";

     

       242
        
               config.serviceConfig.Group = "chroot-testgroup";

     

       243
        
               config.serviceConfig.StateDirectory = "testme";

     

       244
       +
       

     

       245
       +
               # We restart on purpose here since we want to check whether the state

     

       246
       +
               # directory actually persists.

     

       247
       +
               config.serviceConfig.Restart = "on-failure";

     

       248
       +
               config.serviceConfig.RestartMode = "direct";

     

       249
       +
       

     

       250
        
               testScript = ''

     

       251
       +
                 assert not Path('/tmp/canary').exists()

     

       252
       +
                 Path('/tmp/canary').touch()

     

       253
       +
       

     

       254
       +
                 if (foo := Path('/var/lib/testme/foo')).exists():

     

       255
       +
                   assert Path('/var/lib/testme/foo').read_text() == 'works'

     

       256
       +
                 else:

     

       257
       +
                   Path('/var/lib/testme/foo').write_text('works')

     

       258
       +
                   print('<4>Exiting with failure to check persistence on restart.')

     

       259
       +
                   raise SystemExit(1)

     

       260
        
               '';

     

       261
        
             }

     

       262
        
             { description = "check if /bin/sh works";

     

       263
        
               testScript = ''

     

       264
       +
                 assert Path('/bin/sh').exists()

     

       265
       +
       

     

       266
       +
                 result = run(

     

       267
       +
                   ['/bin/sh', '-c', 'echo -n bar'],

     

       268
       +
                   capture_output=True,

     

       269
       +
                   check=True,

     

       270
        
                 )

     

       271
       +
                 assert result.stdout == b'bar'

     

       272
        
               '';

     

       273
        
             }

     

       274
        
             { description = "check if suppressing /bin/sh works";

     

       275
        
               config.confinement.binSh = null;

     

       276
        
               testScript = ''

     

       277
       +
                 assert not Path('/bin/sh').exists()

     

       278
       +
                 with pytest.raises(FileNotFoundError):

     

       279
       +
                   run(['/bin/sh', '-c', 'echo foo'])

     

       0
        
       
     

       280
        
               '';

     

       281
        
             }

     

       282
        
             { description = "check if we can set /bin/sh to something different";

     

       283
        
               config.confinement.binSh = "${pkgs.hello}/bin/hello";

     

       284
        
               testScript = ''

     

       285
       +
                 assert Path('/bin/sh').exists()

     

       286
       +
                 result = run(

     

       287
       +
                   ['/bin/sh', '-g', 'foo'],

     

       288
       +
                   capture_output=True,

     

       289
       +
                   check=True,

     

       290
       +
                 )

     

       291
       +
                 assert result.stdout == b'foo\n'

     

       292
        
               '';

     

       293
        
             }

     

       294
        
             { description = "check if only Exec* dependencies are included";

     

       295
       +
               config.environment.FOOBAR = pkgs.writeText "foobar" "eek";

     

       296
        
               testScript = ''

     

       297
       +
                 with pytest.raises(FileNotFoundError):

     

       298
       +
                   Path(os.environ['FOOBAR']).read_text()

     

       299
        
               '';

     

       300
        
             }

     

       301
       +
             { description = "check if fullUnit includes all dependencies";

     

       302
       +
               config.environment.FOOBAR = pkgs.writeText "foobar" "eek";

     

       303
        
               config.confinement.fullUnit = true;

     

       304
        
               testScript = ''

     

       305
       +
                 assert Path(os.environ['FOOBAR']).read_text() == 'eek'

     

       306
        
               '';

     

       307
        
             }

     

       308
        
             { description = "check if shipped unit file still works";

     

       0
        
       
     

       309
        
               config.confinement.mode = "chroot-only";

     

       310
       +
               rawUnit = ''

     

       311
       +
                 [Service]

     

       312
       +
                 SystemCallFilter=~kill

     

       313
       +
                 SystemCallErrorNumber=ELOOP

     

       314
       +
               '';

     

       315
        
               testScript = ''

     

       316
       +
                 with pytest.raises(OSError) as excinfo:

     

       317
       +
                   os.kill(os.getpid(), signal.SIGKILL)

     

       318
       +
                 assert excinfo.value.errno == errno.ELOOP

     

       0
        
       
     

       319
        
               '';

     

       320
        
             }

     

       321
        
           ];

     

       322
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       323
        
           config.users.groups.chroot-testgroup = {};

     

       324
        
           config.users.users.chroot-testuser = {

     

       325
        
             isSystemUser = true;

     
···

       328
        
           };

     

       329
        
         };

     

       330
        
       

     

       331
       +
         testScript = ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       332
        
           machine.wait_for_unit("multi-user.target")

     

       333
       +
         '';

     

       334
        
       }