mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-29 09:04:17 +00:00
4f0dadbf38
After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-builda08b3a4d19
.tar.gz \ --argstr baseRevb32a094368
result/bin/apply-formatting $NIXPKGS_PATH
118 lines
5.6 KiB
Nix
118 lines
5.6 KiB
Nix
import ./make-test-python.nix (
|
|
{ pkgs, ... }:
|
|
let
|
|
userUid = 1000;
|
|
usersGid = 100;
|
|
busybox =
|
|
pkgs:
|
|
pkgs.busybox.override {
|
|
# Without this, the busybox binary drops euid to ruid for most applets, including id.
|
|
# See https://bugs.busybox.net/show_bug.cgi?id=15101
|
|
extraConfig = "CONFIG_FEATURE_SUID n";
|
|
};
|
|
in
|
|
{
|
|
name = "wrappers";
|
|
|
|
nodes.machine =
|
|
{ config, pkgs, ... }:
|
|
{
|
|
ids.gids.users = usersGid;
|
|
|
|
users.users = {
|
|
regular = {
|
|
uid = userUid;
|
|
isNormalUser = true;
|
|
};
|
|
};
|
|
|
|
security.apparmor.enable = true;
|
|
|
|
security.wrappers = {
|
|
suidRoot = {
|
|
owner = "root";
|
|
group = "root";
|
|
setuid = true;
|
|
source = "${busybox pkgs}/bin/busybox";
|
|
program = "suid_root_busybox";
|
|
};
|
|
sgidRoot = {
|
|
owner = "root";
|
|
group = "root";
|
|
setgid = true;
|
|
source = "${busybox pkgs}/bin/busybox";
|
|
program = "sgid_root_busybox";
|
|
};
|
|
withChown = {
|
|
owner = "root";
|
|
group = "root";
|
|
source = "${pkgs.libcap}/bin/capsh";
|
|
program = "capsh_with_chown";
|
|
capabilities = "cap_chown+ep";
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
def cmd_as_regular(cmd):
|
|
return "su -l regular -c '{0}'".format(cmd)
|
|
|
|
def test_as_regular(cmd, expected):
|
|
out = machine.succeed(cmd_as_regular(cmd)).strip()
|
|
assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out)
|
|
|
|
def test_as_regular_in_userns_mapped_as_root(cmd, expected):
|
|
out = machine.succeed(f"su -l regular -c '${pkgs.util-linux}/bin/unshare -rm {cmd}'").strip()
|
|
assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out)
|
|
|
|
test_as_regular('${busybox pkgs}/bin/busybox id -u', '${toString userUid}')
|
|
test_as_regular('${busybox pkgs}/bin/busybox id -ru', '${toString userUid}')
|
|
test_as_regular('${busybox pkgs}/bin/busybox id -g', '${toString usersGid}')
|
|
test_as_regular('${busybox pkgs}/bin/busybox id -rg', '${toString usersGid}')
|
|
|
|
test_as_regular('/run/wrappers/bin/suid_root_busybox id -u', '0')
|
|
test_as_regular('/run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}')
|
|
test_as_regular('/run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}')
|
|
test_as_regular('/run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}')
|
|
|
|
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}')
|
|
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}')
|
|
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -g', '0')
|
|
test_as_regular('/run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
|
|
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -u', '0')
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -ru', '0')
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -g', '0')
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -rg', '0')
|
|
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -u', '0')
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -ru', '0')
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0')
|
|
test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0')
|
|
|
|
# Test that in nonewprivs environment the wrappers simply exec their target.
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -u', '${toString userUid}')
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -ru', '${toString userUid}')
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -g', '${toString usersGid}')
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/suid_root_busybox id -rg', '${toString usersGid}')
|
|
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -u', '${toString userUid}')
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -ru', '${toString userUid}')
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -g', '${toString usersGid}')
|
|
test_as_regular('${pkgs.util-linux}/bin/setpriv --no-new-privs /run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
|
|
|
|
# We are only testing the permitted set, because it's easiest to look at with capsh.
|
|
machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN'))
|
|
machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN'))
|
|
machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN'))
|
|
machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN'))
|
|
|
|
# Test that the only user of apparmor policy includes generated by
|
|
# wrappers works. Ideally this'd be located in a test for the module that
|
|
# actually makes the apparmor policy for ping, but there's no convenient
|
|
# test for that one.
|
|
machine.succeed("ping -c 1 127.0.0.1")
|
|
'';
|
|
}
|
|
)
|