168 lines
4.6 KiB
Perl
168 lines
4.6 KiB
Perl
# $OpenBSD: OpenBSD-Unveil.t,v 1.2 2023/07/07 02:07:35 afresh1 Exp $ #
|
|
## no critic 'version'
|
|
## no critic 'package'
|
|
# Before 'make install' is performed this script should be runnable with
|
|
# 'make test'. After 'make install' it should work as 'perl OpenBSD-Unveil.t'
|
|
|
|
#########################
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use Test2::IPC;
|
|
use Test::More;
|
|
|
|
use Fcntl qw< O_RDONLY O_WRONLY >;
|
|
use File::Temp;
|
|
|
|
use POSIX qw< :errno_h >;
|
|
|
|
BEGIN { use_ok('OpenBSD::Unveil') }
|
|
|
|
#########################
|
|
# UNVEIL
|
|
#########################
|
|
{
|
|
my @calls;
|
|
no warnings 'redefine'; ## no critic 'warnings';
|
|
local *OpenBSD::Unveil::_unveil = sub { push @calls, \@_; return 1 };
|
|
use warnings 'redefine';
|
|
|
|
{
|
|
local $@;
|
|
eval { local $SIG{__DIE__};
|
|
OpenBSD::Unveil::unveil(qw< ab cx yz >) };
|
|
my $at = sprintf "at %s line %d.\n", __FILE__, __LINE__ - 1;
|
|
is $@,
|
|
"Usage: OpenBSD::Unveil::unveil([path, permissions]) $at",
|
|
"Expected exception when too many params"
|
|
}
|
|
|
|
{
|
|
local $@;
|
|
eval { local $SIG{__DIE__};
|
|
OpenBSD::Unveil::unveil(qw< ab >) };
|
|
my $at = sprintf "at %s line %d.\n", __FILE__, __LINE__ - 1;
|
|
is $@,
|
|
"Usage: OpenBSD::Unveil::unveil([path, permissions]) $at",
|
|
"Expected exception when not enough params"
|
|
}
|
|
|
|
ok OpenBSD::Unveil::unveil( qw< foo bar > ), "Used two args";
|
|
ok OpenBSD::Unveil::unveil(), "Used zero args";
|
|
|
|
is_deeply \@calls, [ [ qw< foo bar > ], [] ],
|
|
"No modification to params";
|
|
}
|
|
|
|
## no critic 'private'
|
|
## no critic 'punctuation'
|
|
#########################
|
|
# _UNVEIL
|
|
#########################
|
|
|
|
sub xsunveil_ok ($$) ## no critic 'prototypes'
|
|
{
|
|
my ( $name, $code ) = @_;
|
|
local $Test::Builder::Level =
|
|
$Test::Builder::Level + 1; ## no critic 'package variable'
|
|
|
|
my $pid = fork // die "Unable to fork for $name: $!\n";
|
|
|
|
if ( !$pid ) {
|
|
# for Test2::IPC
|
|
OpenBSD::Unveil::_unveil('/tmp', 'rwc') || die $!;
|
|
subtest $name, $code;
|
|
exit 0;
|
|
}
|
|
|
|
waitpid $pid, 0;
|
|
return $? >> 8;
|
|
}
|
|
|
|
|
|
xsunveil_ok "Basic Usage" => sub {
|
|
my $tmpfile = File::Temp->new("OpenBSD-Unveil-XXXXXXXXX", TMPDIR => 1);
|
|
$tmpfile->printflush("This is a test\n");
|
|
|
|
ok OpenBSD::Unveil::_unveil("$tmpfile", 'r'),
|
|
"Unveiled tempfile r";
|
|
ok OpenBSD::Unveil::_unveil('/dev/null', 'wc'),
|
|
"Unvailed /dev/null wc";
|
|
|
|
{
|
|
ok open(my $wfh, '>', '/dev/null'),
|
|
"Opened /dev/null for writing";
|
|
ok print($wfh "Test\n"), "Printed to /dev/null";
|
|
ok close($wfh), "Closed /dev/null";
|
|
}
|
|
|
|
ok OpenBSD::Unveil::_unveil('/dev/null', 'w'),
|
|
"Unvailed /dev/null w";
|
|
ok OpenBSD::Unveil::_unveil(),
|
|
"locked unveil";
|
|
|
|
ok !-e '/dev/zero', "Stat says we can't see /dev/zero";
|
|
ok -w $tmpfile, "Stat says we can write to tempfile";
|
|
ok !-r '/dev/null', "Stat says we can't read from /dev/null";
|
|
|
|
{
|
|
ok sysopen(my $wfh, '/dev/null', O_WRONLY),
|
|
"Sysopened /dev/null for writing";
|
|
ok syswrite($wfh, "Test\n"), "Wrote to /dev/null";
|
|
ok close($wfh), "Closed /dev/null";
|
|
}
|
|
|
|
{
|
|
ok open(my $rfh, '<', $tmpfile), "Opened tempfile for reading";
|
|
ok read( $rfh, my $data, 64), "Read from tempfile";
|
|
ok close($rfh), "Closed tempfile";
|
|
}
|
|
|
|
{
|
|
ok !open(my $wfh, '>', $tmpfile),
|
|
"Unable to 'open' tempfile for writing";
|
|
is $!, 'Permission denied', "Expected ERRNO from open";
|
|
}
|
|
|
|
{
|
|
ok !open(my $wfh, '>', '/dev/null'),
|
|
"Unable to 'open' /dev/null without 'create'";
|
|
is $!, 'Permission denied', "Expected ERRNO from open";
|
|
}
|
|
};
|
|
|
|
xsunveil_ok "Invalid Path" => sub {
|
|
my $dir = File::Temp->newdir('OpenBSD-Unveil-XXXXXXXXX', TMPDIR => 1);
|
|
ok !OpenBSD::Unveil::_unveil("$dir/nonexist/file", 'r'),
|
|
"Unable to unveil with incorrect permissions";
|
|
is $!, 'No such file or directory', "Expected ERRNO from _unveil";
|
|
};
|
|
|
|
xsunveil_ok "Invalid Permissions" => sub {
|
|
ok !OpenBSD::Unveil::_unveil('/dev/null', 'abc'),
|
|
"Unable to unveil with incorrect permissions";
|
|
is $!, 'Invalid argument', "Expected ERRNO from _unveil";
|
|
};
|
|
|
|
xsunveil_ok "Try to increase permissions" => sub {
|
|
ok OpenBSD::Unveil::_unveil('/dev/null', 'r'),
|
|
"Set /dev/null to r";
|
|
TODO: { local $TODO = "Not sure why this fails";
|
|
ok !OpenBSD::Unveil::_unveil('/dev/null', 'rwc'),
|
|
"Unable to increase permissions on /dev/null";
|
|
is $!, 'Operation not permitted', "Expected ERRNO from _unveil";
|
|
}
|
|
};
|
|
|
|
xsunveil_ok "Try to change veil after lock" => sub {
|
|
ok OpenBSD::Unveil::_unveil(), "Locked unveil";
|
|
ok !OpenBSD::Unveil::_unveil('/dev/null', 'r'),
|
|
"Unable to unveil after lock";
|
|
is $!, 'Operation not permitted', "Expected ERRNO from _unveil";
|
|
};
|
|
|
|
#########################
|
|
done_testing;
|
|
|
|
1; # to shut up critic
|