nixos/security/wrappers: add test

This is a small smoke test of each piece (setuid, setgid, caps) of
wrappers' functionality. It doesn't try to check for combinations of
functionalities or anything more complicated.
This commit is contained in:
Robert Obryk 2022-11-05 12:38:11 +01:00
parent 8982f61dd3
commit 3628ad0a9e
2 changed files with 80 additions and 0 deletions

View File

@ -691,6 +691,7 @@ in {
wmderland = handleTest ./wmderland.nix {};
wpa_supplicant = handleTest ./wpa_supplicant.nix {};
wordpress = handleTest ./wordpress.nix {};
wrappers = handleTest ./wrappers.nix {};
writefreely = handleTest ./web-apps/writefreely.nix {};
xandikos = handleTest ./xandikos.nix {};
xautolock = handleTest ./xautolock.nix {};

79
nixos/tests/wrappers.nix Normal file
View File

@ -0,0 +1,79 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
userUid = 1000;
usersGid = 100;
busybox = pkgs : pkgs.busybox.override {
# Without this, the busybox binary drops euid to ruid for most applets, including id.
# See https://bugs.busybox.net/show_bug.cgi?id=15101
extraConfig = "CONFIG_FEATURE_SUID n";
};
in
{
name = "wrappers";
nodes.machine = { config, pkgs, ... }: {
ids.gids.users = usersGid;
users.users = {
regular = {
uid = userUid;
isNormalUser = true;
};
};
security.wrappers = {
suidRoot = {
owner = "root";
group = "root";
setuid = true;
source = "${busybox pkgs}/bin/busybox";
program = "suid_root_busybox";
};
sgidRoot = {
owner = "root";
group = "root";
setgid = true;
source = "${busybox pkgs}/bin/busybox";
program = "sgid_root_busybox";
};
withChown = {
owner = "root";
group = "root";
source = "${pkgs.libcap}/bin/capsh";
program = "capsh_with_chown";
capabilities = "cap_chown+ep";
};
};
};
testScript =
''
def cmd_as_regular(cmd):
return "su -l regular -c '{0}'".format(cmd)
def test_as_regular(cmd, expected):
out = machine.succeed(cmd_as_regular(cmd)).strip()
assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out)
test_as_regular('${busybox pkgs}/bin/busybox id -u', '${toString userUid}')
test_as_regular('${busybox pkgs}/bin/busybox id -ru', '${toString userUid}')
test_as_regular('${busybox pkgs}/bin/busybox id -g', '${toString usersGid}')
test_as_regular('${busybox pkgs}/bin/busybox id -rg', '${toString usersGid}')
test_as_regular('/run/wrappers/bin/suid_root_busybox id -u', '0')
test_as_regular('/run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}')
test_as_regular('/run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}')
test_as_regular('/run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}')
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}')
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}')
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -g', '0')
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
# We are only testing the permitted set, because it's easiest to look at with capsh.
machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN'))
machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN'))
machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN'))
machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN'))
'';
})