aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-05-29 14:19:11 +0200
committerEelco Dolstra <edolstra@gmail.com>2017-05-29 16:14:10 +0200
commit1d9ab273bad34b004dfcfd486273d0df5fed1eca (patch)
treeb18e5c90148418b461951da392f86f2237634316
parentcf93397d3f1d2a8165a100482d07b7f4b7e5bf7f (diff)
Add test for setuid seccomp filter
-rw-r--r--release.nix5
-rw-r--r--tests/setuid.nix108
2 files changed, 113 insertions, 0 deletions
diff --git a/release.nix b/release.nix
index 1e854a075..ec6bda995 100644
--- a/release.nix
+++ b/release.nix
@@ -219,6 +219,11 @@ let
nix = build.x86_64-linux; system = "x86_64-linux";
});
+ tests.setuid = pkgs.lib.genAttrs (pkgs.lib.filter (pkgs.lib.hasSuffix "-linux") systems) (system:
+ import ./tests/setuid.nix rec {
+ nix = build.${system}; inherit system;
+ });
+
tests.binaryTarball =
with import <nixpkgs> { system = "x86_64-linux"; };
vmTools.runInLinuxImage (runCommand "nix-binary-tarball-test"
diff --git a/tests/setuid.nix b/tests/setuid.nix
new file mode 100644
index 000000000..2508549c5
--- /dev/null
+++ b/tests/setuid.nix
@@ -0,0 +1,108 @@
+# Verify that Linux builds cannot create setuid or setgid binaries.
+
+{ system, nix }:
+
+with import <nixpkgs/nixos/lib/testing.nix> { inherit system; };
+
+makeTest {
+
+ machine =
+ { config, lib, pkgs, ... }:
+ { virtualisation.writableStore = true;
+ nix.package = nix;
+ nix.binaryCaches = [ ];
+ nix.nixPath = [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+ virtualisation.pathsInNixDB = [ pkgs.stdenv pkgs.pkgsi686Linux.stdenv ];
+ };
+
+ testScript = { nodes }:
+ ''
+ startAll;
+
+ # Copying to /tmp should succeed.
+ $machine->succeed('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ # Creating a setuid binary should fail.
+ $machine->fail('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ chmod 4755 /tmp/id
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ # Creating a setgid binary should fail.
+ $machine->fail('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ chmod 2755 /tmp/id
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ # The checks should also work on 32-bit binaries.
+ $machine->fail('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ chmod 2755 /tmp/id
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ # The tests above use fchmodat(). Test chmod() as well.
+ $machine->succeed('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ perl -e \"chmod 0666, qw(/tmp/id) or die\"
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 666 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ $machine->fail('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ perl -e \"chmod 04755, qw(/tmp/id) or die\"
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ # And test fchmod().
+ $machine->succeed('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]');
+
+ $machine->succeed("rm /tmp/id");
+
+ $machine->fail('nix-build --option build-use-sandbox false -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
+ mkdir -p $out
+ cp ${pkgs.coreutils}/bin/id /tmp/id
+ perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
+ ")\' ');
+
+ $machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
+
+ $machine->succeed("rm /tmp/id");
+ '';
+
+}