1import unittest 2import os 3import shutil 4from tempfile import mkdtemp 5from subprocess import Popen, PIPE 6 7 8class SandboxTests(unittest.TestCase): 9 10 def assertDenied(self, err): 11 self.assertTrue(b'Permission denied' in err, 12 '"Permission denied" not found in %r' % err) 13 14 def assertNotFound(self, err): 15 self.assertTrue(b'not found' in err, 16 '"not found" not found in %r' % err) 17 18 def assertFailure(self, status): 19 self.assertTrue(status != 0, 20 '"Succeeded when it should have failed') 21 22 def assertSuccess(self, status, err): 23 self.assertTrue(status == 0, 24 '"Sandbox should have succeeded for this test %r' % err) 25 26 def test_simple_success(self): 27 "Verify that we can read file descriptors handed to sandbox" 28 p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE) 29 p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) 30 out, err = p2.communicate() 31 self.assertTrue(b'root' in out) 32 33 def test_cant_kill(self): 34 "Verify that we cannot send kill signal in the sandbox" 35 pid = os.getpid() 36 p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) 37 out, err = p.communicate() 38 self.assertDenied(err) 39 40 def test_cant_ping(self): 41 "Verify that we can't ping within the sandbox" 42 p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) 43 out, err = p.communicate() 44 self.assertDenied(err) 45 46 def test_cant_mkdir(self): 47 "Verify that we can't mkdir within the sandbox" 48 p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) 49 out, err = p.communicate() 50 self.assertFailure(p.returncode) 51 52 def test_cant_list_homedir(self): 53 "Verify that we can't list homedir within the sandbox" 54 p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) 55 out, err = p.communicate() 56 self.assertFailure(p.returncode) 57 58 def test_cant_send_mail(self): 59 "Verify that we can't send mail within the sandbox" 60 p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE) 61 out, err = p.communicate() 62 self.assertDenied(err) 63 64 def test_cant_sudo(self): 65 "Verify that we can't run sudo within the sandbox" 66 p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) 67 out, err = p.communicate() 68 self.assertFailure(p.returncode) 69 70 def test_mount(self): 71 "Verify that we mount a file system" 72 p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) 73 out, err = p.communicate() 74 self.assertSuccess(p.returncode, err) 75 76 def test_set_level(self): 77 "Verify that we set level a file system" 78 p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) 79 out, err = p.communicate() 80 self.assertSuccess(p.returncode, err) 81 82 def test_homedir(self): 83 "Verify that we set homedir a file system" 84 homedir = mkdtemp(dir=".", prefix=".sandbox_test") 85 p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) 86 out, err = p.communicate() 87 shutil.rmtree(homedir) 88 self.assertSuccess(p.returncode, err) 89 90 def test_tmpdir(self): 91 "Verify that we set tmpdir a file system" 92 tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test") 93 p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) 94 out, err = p.communicate() 95 shutil.rmtree(tmpdir) 96 self.assertSuccess(p.returncode, err) 97 98if __name__ == "__main__": 99 import selinux 100 if selinux.security_getenforce() == 1: 101 unittest.main() 102 else: 103 print("SELinux must be in enforcing mode for this test") 104