Skip to content

Commit

Permalink
test: add mknod integration test
Browse files Browse the repository at this point in the history
  • Loading branch information
desbma-s1n committed Nov 25, 2024
1 parent d59cfe3 commit c6284af
Showing 1 changed file with 64 additions and 0 deletions.
64 changes: 64 additions & 0 deletions tests/cl.rs
Original file line number Diff line number Diff line change
Expand Up @@ -671,3 +671,67 @@ fn run_syslog() {
.stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
.stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM\n").count(1));
}

#[test]
#[cfg_attr(not(feature = "as-root"), ignore)]
fn run_mknod() {
assert!(Uid::effective().is_root());

let tmp_dir = tempfile::tempdir().unwrap();

let pipe_path = tmp_dir.path().join("pipe");
Command::cargo_bin(env!("CARGO_PKG_NAME"))
.unwrap()
.args(["run", "--", "mknod", pipe_path.as_os_str().to_str().unwrap(), "p"])
.unwrap()
.assert()
.success()
.stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
.stdout(predicate::str::contains("ProtectHome=tmpfs\n").count(1))
.stdout(predicate::str::contains("PrivateTmp=true\n").count(1))
.stdout(predicate::str::contains("PrivateDevices=true\n").count(1))
.stdout(predicate::str::contains("ProtectKernelTunables=true\n").count(1))
.stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1))
.stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1))
.stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1))
.stdout(predicate::str::contains("ProtectProc=ptraceable\n").count(1))
.stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1))
.stdout(predicate::str::contains("RestrictAddressFamilies=none\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv4:udp\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv6:tcp\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv6:udp\n").count(1))
.stdout(predicate::str::contains("LockPersonality=true\n").count(1))
.stdout(predicate::str::contains("RestrictRealtime=true").count(1))
.stdout(predicate::str::contains("ProtectClock=true\n").count(1))
.stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
.stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));

let dev_path = tmp_dir.path().join("dev");
Command::cargo_bin(env!("CARGO_PKG_NAME"))
.unwrap()
.args(["run", "--", "mknod", dev_path.as_os_str().to_str().unwrap(), "b", "255", "255"])
.unwrap()
.assert()
.success()
.stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
.stdout(predicate::str::contains("ProtectHome=tmpfs\n").count(1))
.stdout(predicate::str::contains("PrivateTmp=true\n").count(1))
.stdout(predicate::str::contains("PrivateDevices=true\n").count(1))
.stdout(predicate::str::contains("ProtectKernelTunables=true\n").count(1))
.stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1))
.stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1))
.stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1))
.stdout(predicate::str::contains("ProtectProc=ptraceable\n").count(1))
.stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1))
.stdout(predicate::str::contains("RestrictAddressFamilies=none\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv4:udp\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv6:tcp\n").count(1))
.stdout(predicate::str::contains("SocketBindDeny=ipv6:udp\n").count(1))
.stdout(predicate::str::contains("LockPersonality=true\n").count(1))
.stdout(predicate::str::contains("RestrictRealtime=true").count(1))
.stdout(predicate::str::contains("ProtectClock=true\n").count(1))
.stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
.stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
}

0 comments on commit c6284af

Please sign in to comment.