diff options
| author | Eelco Dolstra <edolstra@gmail.com> | 2023-02-14 14:41:59 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-14 14:41:59 +0100 |
| commit | 707ba52f2d1855f2613da3a576488f5040843915 (patch) | |
| tree | 756cb0de9292c3a54ff58bcfabb256a9227216b0 /tests | |
| parent | df9a71f6ea66f9ab1e4955d5fef62eacd817f976 (diff) | |
| parent | 49fd72a903b7bc2fdc4735111ca5569122cf55ee (diff) | |
Merge pull request #7830 from yorickvP/fix-writable-etc
Don't allow writing to /etc
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/linux-sandbox.sh | 3 | ||||
| -rw-r--r-- | tests/nixos/containers/systemd-nspawn.nix | 2 |
2 files changed, 4 insertions, 1 deletions
diff --git a/tests/linux-sandbox.sh b/tests/linux-sandbox.sh index 3f304ac2f..e62039567 100644 --- a/tests/linux-sandbox.sh +++ b/tests/linux-sandbox.sh @@ -37,3 +37,6 @@ nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link (! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log) if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi grep -q 'may not be deterministic' $TEST_ROOT/log + +# Test that sandboxed builds cannot write to /etc easily +(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store) diff --git a/tests/nixos/containers/systemd-nspawn.nix b/tests/nixos/containers/systemd-nspawn.nix index 424436b3f..f54f32f2a 100644 --- a/tests/nixos/containers/systemd-nspawn.nix +++ b/tests/nixos/containers/systemd-nspawn.nix @@ -56,12 +56,12 @@ runCommand "test" # Make /run a tmpfs to shut up a systemd warning. mkdir /run mount -t tmpfs none /run - chmod 0700 /run mount -t cgroup2 none /sys/fs/cgroup mkdir -p $out + chmod +w /etc touch /etc/os-release echo a5ea3f98dedc0278b6f3cc8c37eeaeac > /etc/machine-id |