diff options
author | Robert Obryk <robryk@gmail.com> | 2022-11-14 15:09:25 +0100 |
---|---|---|
committer | Robert Obryk <robryk@gmail.com> | 2023-08-27 14:10:38 +0200 |
commit | 13d3b0c73350d1bcee16316a1d5c0f327f466f5c (patch) | |
tree | 5584a2768ab76d1df381a3a48f8765dba08daca7 /nixos/tests/wrappers.nix | |
parent | c64bbd4466fd00163d97e40eac0c7ec849dfb2a9 (diff) |
nixos/security/wrappers: add one regression test for #98863
Note that this regression test checks only s[gu]id wrappers. The issue for capability wrappers is not fixed yet.
Diffstat (limited to 'nixos/tests/wrappers.nix')
-rw-r--r-- | nixos/tests/wrappers.nix | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix index fc32ed4102608..1d4fa85d73993 100644 --- a/nixos/tests/wrappers.nix +++ b/nixos/tests/wrappers.nix @@ -86,6 +86,17 @@ in test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0') test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0') + # Test that in nonewprivs environment the wrappers simply exec their target. + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -u', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}') + + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -g', '${toString usersGid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}') + # We are only testing the permitted set, because it's easiest to look at with capsh. machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN')) machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN')) |