parent
3a9145523a
commit
15c53cf0fa
@ -0,0 +1,82 @@ |
||||
import ./make-test-python.nix ({ pkgs, ...} : { |
||||
name = "firejail"; |
||||
meta = with pkgs.stdenv.lib.maintainers; { |
||||
maintainers = [ sgo ]; |
||||
}; |
||||
|
||||
nodes.machine = { ... }: { |
||||
imports = [ ./common/user-account.nix ]; |
||||
|
||||
programs.firejail = { |
||||
enable = true; |
||||
wrappedBinaries = { |
||||
bash-jailed = "${pkgs.bash}/bin/bash"; |
||||
}; |
||||
}; |
||||
|
||||
systemd.services.setupFirejailTest = { |
||||
wantedBy = [ "multi-user.target" ]; |
||||
before = [ "multi-user.target" ]; |
||||
|
||||
environment = { |
||||
HOME = "/home/alice"; |
||||
}; |
||||
|
||||
unitConfig = { |
||||
type = "oneshot"; |
||||
RemainAfterExit = true; |
||||
user = "alice"; |
||||
}; |
||||
|
||||
script = '' |
||||
cd $HOME |
||||
|
||||
mkdir .password-store && echo s3cret > .password-store/secret |
||||
mkdir my-secrets && echo s3cret > my-secrets/secret |
||||
|
||||
echo publ1c > public |
||||
|
||||
mkdir -p .config/firejail |
||||
echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local |
||||
''; |
||||
}; |
||||
}; |
||||
|
||||
testScript = '' |
||||
start_all() |
||||
machine.wait_for_unit("multi-user.target") |
||||
|
||||
# Test path acl with wrapper |
||||
machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c") |
||||
machine.fail( |
||||
"sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret" |
||||
) |
||||
machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret") |
||||
|
||||
|
||||
# Test path acl with firejail executable |
||||
machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c") |
||||
machine.fail( |
||||
"sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret" |
||||
) |
||||
machine.fail( |
||||
"sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret" |
||||
) |
||||
|
||||
# Disabling profiles |
||||
machine.succeed( |
||||
"sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret" |
||||
) |
||||
|
||||
# CVE-2020-17367 |
||||
machine.fail( |
||||
"sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1" |
||||
) |
||||
|
||||
# CVE-2020-17368 |
||||
machine.fail( |
||||
"sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2" |
||||
) |
||||
''; |
||||
}) |
||||
|
Loading…
Reference in new issue