diff options
| author | Robert Obryk <robryk@gmail.com> | 2022-11-14 15:09:25 +0100 |
|---|---|---|
| committer | Robert Obryk <robryk@gmail.com> | 2023-08-16 11:33:22 +0200 |
| commit | 46c9aed62b25cc98460a623dfa3680cca5fbf91b (patch) | |
| tree | 3c0e47bd887fe87ba01cd0d7416793357774fc66 /nixos/tests/wrappers.nix | |
| parent | ff204ca32b7b393caa1d33fc8a795f45f5c118e5 (diff) | |
nixos/security/wrappers: add one regression test for #98863
Note that this regression test checks only s[gu]id wrappers. The issue for capability wrappers is not fixed yet.
Diffstat (limited to 'nixos/tests/wrappers.nix')
| -rw-r--r-- | nixos/tests/wrappers.nix | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix index 391e9b42b45bd..1f5f43286384c 100644 --- a/nixos/tests/wrappers.nix +++ b/nixos/tests/wrappers.nix @@ -84,6 +84,17 @@ in test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0') test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0') + # Test that in nonewprivs environment the wrappers simply exec their target. + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -u', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}') + + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -g', '${toString usersGid}') + test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}') + # We are only testing the permitted set, because it's easiest to look at with capsh. machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN')) machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN')) |