2020-08-07 17:45:20 +01:00
|
|
|
import ./make-test-python.nix ({ pkgs, ...} : {
|
|
|
|
name = "firejail";
|
|
|
|
meta = with pkgs.stdenv.lib.maintainers; {
|
|
|
|
maintainers = [ sgo ];
|
|
|
|
};
|
|
|
|
|
|
|
|
nodes.machine = { ... }: {
|
|
|
|
imports = [ ./common/user-account.nix ];
|
|
|
|
|
|
|
|
programs.firejail = {
|
|
|
|
enable = true;
|
|
|
|
wrappedBinaries = {
|
|
|
|
bash-jailed = "${pkgs.bash}/bin/bash";
|
2020-11-14 12:00:00 +00:00
|
|
|
bash-jailed2 = {
|
|
|
|
executable = "${pkgs.bash}/bin/bash";
|
|
|
|
extraArgs = [ "--private=~/firejail-home" ];
|
|
|
|
};
|
2020-08-07 17:45:20 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.setupFirejailTest = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
before = [ "multi-user.target" ];
|
|
|
|
|
|
|
|
environment = {
|
|
|
|
HOME = "/home/alice";
|
|
|
|
};
|
|
|
|
|
|
|
|
unitConfig = {
|
|
|
|
type = "oneshot";
|
|
|
|
RemainAfterExit = true;
|
|
|
|
user = "alice";
|
|
|
|
};
|
|
|
|
|
|
|
|
script = ''
|
|
|
|
cd $HOME
|
|
|
|
|
|
|
|
mkdir .password-store && echo s3cret > .password-store/secret
|
|
|
|
mkdir my-secrets && echo s3cret > my-secrets/secret
|
|
|
|
|
|
|
|
echo publ1c > public
|
|
|
|
|
|
|
|
mkdir -p .config/firejail
|
|
|
|
echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
testScript = ''
|
|
|
|
start_all()
|
|
|
|
machine.wait_for_unit("multi-user.target")
|
|
|
|
|
|
|
|
# Test path acl with wrapper
|
|
|
|
machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c")
|
|
|
|
machine.fail(
|
|
|
|
"sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret"
|
|
|
|
)
|
|
|
|
machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")
|
|
|
|
|
2020-11-14 12:00:00 +00:00
|
|
|
# Test extraArgs
|
|
|
|
machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
|
|
|
|
machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
|
|
|
|
machine.fail("sudo -u alice cat /home/alice/foo")
|
|
|
|
machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")
|
2020-08-07 17:45:20 +01:00
|
|
|
|
|
|
|
# Test path acl with firejail executable
|
|
|
|
machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
|
|
|
|
machine.fail(
|
|
|
|
"sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret"
|
|
|
|
)
|
|
|
|
machine.fail(
|
|
|
|
"sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret"
|
|
|
|
)
|
|
|
|
|
|
|
|
# Disabling profiles
|
|
|
|
machine.succeed(
|
|
|
|
"sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret"
|
|
|
|
)
|
|
|
|
|
|
|
|
# CVE-2020-17367
|
|
|
|
machine.fail(
|
|
|
|
"sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1"
|
|
|
|
)
|
|
|
|
|
|
|
|
# CVE-2020-17368
|
|
|
|
machine.fail(
|
|
|
|
"sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2"
|
|
|
|
)
|
|
|
|
'';
|
|
|
|
})
|
|
|
|
|