diff --git a/tests/cl.rs b/tests/cl.rs index dcd7af1..cc4ab50 100644 --- a/tests/cl.rs +++ b/tests/cl.rs @@ -671,3 +671,67 @@ fn run_syslog() { .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM\n").count(1)); } + +#[test] +#[cfg_attr(not(feature = "as-root"), ignore)] +fn run_mknod() { + assert!(Uid::effective().is_root()); + + let tmp_dir = tempfile::tempdir().unwrap(); + + let pipe_path = tmp_dir.path().join("pipe"); + Command::cargo_bin(env!("CARGO_PKG_NAME")) + .unwrap() + .args(["run", "--", "mknod", pipe_path.as_os_str().to_str().unwrap(), "p"]) + .unwrap() + .assert() + .success() + .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) + .stdout(predicate::str::contains("ProtectHome=tmpfs\n").count(1)) + .stdout(predicate::str::contains("PrivateTmp=true\n").count(1)) + .stdout(predicate::str::contains("PrivateDevices=true\n").count(1)) + .stdout(predicate::str::contains("ProtectKernelTunables=true\n").count(1)) + .stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1)) + .stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1)) + .stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1)) + .stdout(predicate::str::contains("ProtectProc=ptraceable\n").count(1)) + .stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1)) + .stdout(predicate::str::contains("RestrictAddressFamilies=none\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv4:udp\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv6:tcp\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv6:udp\n").count(1)) + .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) + .stdout(predicate::str::contains("RestrictRealtime=true").count(1)) + .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); + + let dev_path = tmp_dir.path().join("dev"); + Command::cargo_bin(env!("CARGO_PKG_NAME")) + .unwrap() + .args(["run", "--", "mknod", dev_path.as_os_str().to_str().unwrap(), "b", "255", "255"]) + .unwrap() + .assert() + .success() + .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) + .stdout(predicate::str::contains("ProtectHome=tmpfs\n").count(1)) + .stdout(predicate::str::contains("PrivateTmp=true\n").count(1)) + .stdout(predicate::str::contains("PrivateDevices=true\n").count(1)) + .stdout(predicate::str::contains("ProtectKernelTunables=true\n").count(1)) + .stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1)) + .stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1)) + .stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1)) + .stdout(predicate::str::contains("ProtectProc=ptraceable\n").count(1)) + .stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1)) + .stdout(predicate::str::contains("RestrictAddressFamilies=none\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv4:udp\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv6:tcp\n").count(1)) + .stdout(predicate::str::contains("SocketBindDeny=ipv6:udp\n").count(1)) + .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) + .stdout(predicate::str::contains("RestrictRealtime=true").count(1)) + .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); +}