import ./make-test-python.nix ({ pkgs, ...} : { name = "firejail"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ sgo ]; }; nodes.machine = { ... }: { imports = [ ./common/user-account.nix ]; programs.firejail = { enable = true; wrappedBinaries = { bash-jailed = "${pkgs.bash}/bin/bash"; }; }; systemd.services.setupFirejailTest = { wantedBy = [ "multi-user.target" ]; before = [ "multi-user.target" ]; environment = { HOME = "/home/alice"; }; unitConfig = { type = "oneshot"; RemainAfterExit = true; user = "alice"; }; script = '' cd $HOME mkdir .password-store && echo s3cret > .password-store/secret mkdir my-secrets && echo s3cret > my-secrets/secret echo publ1c > public mkdir -p .config/firejail echo 'blacklist ''${HOME}/my-secrets' > .config/firejail/globals.local ''; }; }; testScript = '' start_all() machine.wait_for_unit("multi-user.target") # Test path acl with wrapper machine.succeed("sudo -u alice bash-jailed -c 'cat ~/public' | grep -q publ1c") machine.fail( "sudo -u alice bash-jailed -c 'cat ~/.password-store/secret' | grep -q s3cret" ) machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret") # Test path acl with firejail executable machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c") machine.fail( "sudo -u alice firejail -- bash -c 'cat ~/.password-store/secret' | grep -q s3cret" ) machine.fail( "sudo -u alice firejail -- bash -c 'cat ~/my-secrets/secret' | grep -q s3cret" ) # Disabling profiles machine.succeed( "sudo -u alice bash -c 'firejail --noprofile -- cat ~/.password-store/secret' | grep -q s3cret" ) # CVE-2020-17367 machine.fail( "sudo -u alice firejail --private-tmp id --output=/tmp/vuln1 && cat /tmp/vuln1" ) # CVE-2020-17368 machine.fail( "sudo -u alice firejail --private-tmp --output=/tmp/foo 'bash -c $(id>/tmp/vuln2;echo id)' && cat /tmp/vuln2" ) ''; })