From cfc15df5f1669a26c805b91c229805ffe012ca5f Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 7 Nov 2022 18:26:21 +0000 Subject: test-run: If bubblewrap is setuid, assert that --size is not allowed Previously, this test would have failed for a setuid bubblewrap. Signed-off-by: Simon McVittie --- tests/test-run.sh | 49 ++++++++++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/tests/test-run.sh b/tests/test-run.sh index 3e5e9e6..4aab01d 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh @@ -406,27 +406,34 @@ assert_file_has_content dir-permissions '^755$' echo "ok - tmpfs has expected permissions" # 1048576 = 1 MiB -$RUN \ - --size 1048576 --tmpfs "$(pwd -P)" \ - df --output=size --block-size=1K "$(pwd -P)" > dir-size -assert_file_has_content dir-size '^ *1024$' -$RUN \ - --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \ - stat -c '%a' "$(pwd -P)" > dir-permissions -assert_file_has_content dir-permissions '^1777$' -$RUN \ - --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \ - df --output=size --block-size=1K "$(pwd -P)" > dir-size -assert_file_has_content dir-size '^ *1024$' -$RUN \ - --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \ - stat -c '%a' "$(pwd -P)" > dir-permissions -assert_file_has_content dir-permissions '^1777$' -$RUN \ - --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \ - df --output=size --block-size=1K "$(pwd -P)" > dir-size -assert_file_has_content dir-size '^ *1024$' -echo "ok - tmpfs has expected size" +if test -n "${bwrap_is_suid:-}"; then + if $RUN --size 1048576 --tmpfs "$(pwd -P)" true; then + assert_not_reached "Should not allow --size --tmpfs when setuid" + fi + echo "ok - --size --tmpfs is not allowed when setuid" +else + $RUN \ + --size 1048576 --tmpfs "$(pwd -P)" \ + df --output=size --block-size=1K "$(pwd -P)" > dir-size + assert_file_has_content dir-size '^ *1024$' + $RUN \ + --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \ + stat -c '%a' "$(pwd -P)" > dir-permissions + assert_file_has_content dir-permissions '^1777$' + $RUN \ + --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" \ + df --output=size --block-size=1K "$(pwd -P)" > dir-size + assert_file_has_content dir-size '^ *1024$' + $RUN \ + --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \ + stat -c '%a' "$(pwd -P)" > dir-permissions + assert_file_has_content dir-permissions '^1777$' + $RUN \ + --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" \ + df --output=size --block-size=1K "$(pwd -P)" > dir-size + assert_file_has_content dir-size '^ *1024$' + echo "ok - tmpfs has expected size" +fi $RUN \ --file 0 /tmp/file \ -- cgit v1.2.1 From 5080b233faead1b7e9b1321d2897c204bcbab3b3 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 7 Nov 2022 18:30:21 +0000 Subject: test-run: Don't rely on df supporting the --output=size option df --output was new in coreutils 8.21 (2013), and non-GNU implementations like busybox df don't have it. This avoids a test failure in Steam Runtime 1 'scout', which is based on Ubuntu 12.04 (2012). It'll also be helpful for anyone maintaining an OS with non-GNU shell utilities. Signed-off-by: Simon McVittie --- tests/test-run.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/test-run.sh b/tests/test-run.sh index 4aab01d..a08998b 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh @@ -411,7 +411,7 @@ if test -n "${bwrap_is_suid:-}"; then assert_not_reached "Should not allow --size --tmpfs when setuid" fi echo "ok - --size --tmpfs is not allowed when setuid" -else +elif df --output=size --block-size=1K "$(pwd -P)" >/dev/null 2>/dev/null; then $RUN \ --size 1048576 --tmpfs "$(pwd -P)" \ df --output=size --block-size=1K "$(pwd -P)" > dir-size @@ -433,6 +433,11 @@ else df --output=size --block-size=1K "$(pwd -P)" > dir-size assert_file_has_content dir-size '^ *1024$' echo "ok - tmpfs has expected size" +else + $RUN --size 1048576 --tmpfs "$(pwd -P)" true + $RUN --perms 01777 --size 1048576 --tmpfs "$(pwd -P)" true + $RUN --size 1048576 --perms 01777 --tmpfs "$(pwd -P)" true + echo "ok # SKIP df is too old, cannot test --size --tmpfs fully" fi $RUN \ -- cgit v1.2.1