RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-11 16:44:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
82f994550f
selinux/policycoreutils/sandbox/test_sandbox.py
Petr Lautrbach 964bf69a65 sandbox: fix file labels on copied files 
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.

With this change, homedir and tmpdir is recursively relabeled with the
expected sandbox labels after all items are in their place.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00

114 lines
4.3 KiB
Python
Raw Blame History

import unittest
import os
import shutil
import sys
from tempfile import mkdtemp
from subprocess import Popen, PIPE
class SandboxTests(unittest.TestCase):
def assertDenied(self, err):
self.assertTrue(b'Permission denied' in err,
'"Permission denied" not found in %r' % err)
def assertNotFound(self, err):
self.assertTrue(b'not found' in err,
'"not found" not found in %r' % err)
def assertFailure(self, status):
self.assertTrue(status != 0,
'"Succeeded when it should have failed')
def assertSuccess(self, status, err):
self.assertTrue(status == 0,
'"Sandbox should have succeeded for this test %r' % err)
def test_simple_success(self):
"Verify that we can read file descriptors handed to sandbox"
p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE)
p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
p1.stdout.close()
out, err = p2.communicate()
self.assertTrue(b'root' in out)
def test_cant_kill(self):
"Verify that we cannot send kill signal in the sandbox"
pid = os.getpid()
p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertDenied(err)
def test_cant_ping(self):
"Verify that we can't ping within the sandbox"
p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertDenied(err)
def test_cant_mkdir(self):
"Verify that we can't mkdir within the sandbox"
p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertFailure(p.returncode)
def test_cant_list_homedir(self):
"Verify that we can't list homedir within the sandbox"
p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertFailure(p.returncode)
def test_cant_send_mail(self):
"Verify that we can't send mail within the sandbox"
p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertDenied(err)
def test_cant_sudo(self):
"Verify that we can't run sudo within the sandbox"
p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertFailure(p.returncode)
def test_mount(self):
"Verify that we mount a file system"
p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertSuccess(p.returncode, err)
def test_set_level(self):
"Verify that we set level a file system"
p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertSuccess(p.returncode, err)
def test_homedir(self):
"Verify that we set homedir a file system"
homedir = mkdtemp(dir=".", prefix=".sandbox_test")
p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
shutil.rmtree(homedir)
self.assertSuccess(p.returncode, err)
def test_tmpdir(self):
"Verify that we set tmpdir a file system"
tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test")
p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
shutil.rmtree(tmpdir)
self.assertSuccess(p.returncode, err)
def test_include_file(self):
"Verify that sandbox can copy a file in the sandbox home and use it"
p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'],
stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertSuccess(p.returncode, err)
if __name__ == "__main__":
import selinux
if selinux.security_getenforce() == 1:
unittest.main()
else:
print("SELinux must be in enforcing mode for this test")
Reference in New Issue View Git Blame Copy Permalink