path: root/infra/libkookie/nixpkgs/nixos/tests/firejail.nix
blob: a723cb01664f39470ba6aee3f603e4f433549e76 (plain)
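# NixOS VM test for the firejail module. It checks that the sandbox hides
# sensitive paths in a user's home (both through a wrapped binary and through
# the firejail executable directly), that --noprofile lifts those
# restrictions, and that two --output option-handling CVEs stay fixed.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "firejail";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ sgo ];
  };

  nodes.machine = { ... }: {
    # Presumably defines the unprivileged "alice" account with home
    # /home/alice that the rest of this test relies on -- confirm in that file.
    imports = [ ./common/user-account.nix ];

    programs.firejail = {
      enable = true;
      # Installs a "bash-jailed" command that runs bash inside firejail.
      wrappedBinaries = {
        bash-jailed = "${pkgs.bash}/bin/bash";
      };
    };

    # One-shot fixture: populates alice's home with a public file, two
    # secrets, and a per-user firejail blacklist before the test script runs.
    systemd.services.setupFirejailTest = {
      wantedBy = [ "multi-user.target" ];
      before = [ "multi-user.target" ];

      environment = {
        HOME = "/home/alice";
      };

      # Type=, RemainAfterExit= and User= are [Service] directives and are
      # case-sensitive. The original placed them in unitConfig as
      # type/user, where systemd ignores them as unknown [Unit] keys: the
      # fixture then ran as root and as a "simple" service, so
      # multi-user.target did not wait for the files to be written and the
      # per-user firejail config was root-owned.
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        User = "alice";
      };

      script = ''
        cd "$HOME"

        # Secret in a location the stock profile is expected to hide.
        mkdir .password-store && echo s3cret > .password-store/secret
        # Secret in a custom location, hidden only by the blacklist below.
        mkdir my-secrets && echo s3cret > my-secrets/secret

        # Control file that must remain readable inside the sandbox.
        echo publ1c > public

        # Per-user override. The HOME macro is written literally (single
        # quotes, escaped from Nix) so that firejail expands it itself.
        mkdir -p .config/firejail
        echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local
      '';
    };
  };

  testScript = ''
    start_all()
    machine.wait_for_unit("multi-user.target")

    # Path restrictions through the generated wrapper: the control file is
    # readable, both secrets are not.
    machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c")
    machine.fail(
        "sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret"
    )
    machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")


    # Same three checks when invoking the firejail executable directly.
    machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
    machine.fail(
        "sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret"
    )
    machine.fail(
        "sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret"
    )

    # Positive control: with --noprofile the secret is readable, which shows
    # the denials above come from the sandbox profile and not from file
    # permissions or a missing fixture.
    machine.succeed(
        "sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret"
    )

    # CVE-2020-17367 regression: --output placed after the sandboxed command
    # must not be consumed as a firejail option. machine.fail passes when any
    # part of the && chain fails, so this relies on the earlier checks to
    # show that firejail itself is working.
    machine.fail(
        "sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1"
    )

    # CVE-2020-17368 regression: shell metacharacters in the command given
    # alongside --output must not be evaluated; /tmp/vuln2 must not appear.
    machine.fail(
        "sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2"
    )
  '';
})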