RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-13 17:44:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
f8a46ac9b3
selinux/policycoreutils/sandbox/test_sandbox.py
Daniel J Walsh d6848ea77d Author: Daniel J Walsh 
Email: dwalsh@redhat.com
Subject: Updated sandbox patch.
Date: Wed, 19 May 2010 15:59:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fixed patch that handles Spaces in homedir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkv0QyAACgkQrlYvE4MpobNBXQCgmUu92HsN5PiksOTZoGxSp0W+
1noAoKoCujFPLHduJ9BP3hrveeXvGKXO
=iqC+
-----END PGP SIGNATURE-----

Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 16:35:55 -04:00

99 lines
3.7 KiB
Python
Raw Blame History

import unittest, os, shutil
from tempfile import mkdtemp
from subprocess import Popen, PIPE
class SandboxTests(unittest.TestCase):
def assertDenied(self, err):
self.assert_('Permission denied' in err,
'"Permission denied" not found in %r' % err)
def assertNotFound(self, err):
self.assert_('not found' in err,
'"not found" not found in %r' % err)
def assertFailure(self, status):
self.assert_(status != 0,
'"Succeeded when it should have failed')
def assertSuccess(self, status, err):
self.assert_(status == 0,
'"Sandbox should have succeeded for this test %r' % err)
def test_simple_success(self):
"Verify that we can read file descriptors handed to sandbox"
p1 = Popen(['cat', '/etc/passwd'], stdout = PIPE)
p2 = Popen(['sandbox', 'grep', 'root'], stdin = p1.stdout, stdout=PIPE)
out, err = p2.communicate()
self.assert_('root' in out)
def test_cant_kill(self):
"Verify that we cannot send kill signal in the sandbox"
pid = os.getpid()
p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertDenied(err)
def test_cant_ping(self):
"Verify that we can't ping within the sandbox"
p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertDenied(err)
def test_cant_mkdir(self):
"Verify that we can't mkdir within the sandbox"
p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertFailure(p.returncode)
def test_cant_list_homedir(self):
"Verify that we can't list homedir within the sandbox"
p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertFailure(p.returncode)
def test_cant_send_mail(self):
"Verify that we can't send mail within the sandbox"
p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertDenied(err)
def test_cant_sudo(self):
"Verify that we can't run sudo within the sandbox"
p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertFailure(p.returncode)
def test_mount(self):
"Verify that we mount a file system"
p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertSuccess(p.returncode, err)
def test_set_level(self):
"Verify that we set level a file system"
p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertSuccess(p.returncode, err)
def test_homedir(self):
"Verify that we set homedir a file system"
homedir = mkdtemp(dir=".", prefix=".sandbox_test")
p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
shutil.rmtree(homedir)
self.assertSuccess(p.returncode, err)
def test_tmpdir(self):
"Verify that we set tmpdir a file system"
tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test")
p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
shutil.rmtree(tmpdir)
self.assertSuccess(p.returncode, err)
if __name__ == "__main__":
import selinux
if selinux.security_getenforce() == 1:
unittest.main()
else:
print "SELinux must be in enforcing mode for this test"
Reference in New Issue View Git Blame Copy Permalink