From 0bbb8354dc52f027f3301893d2b3c6a7bd6fd7ea Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Mon, 19 Jun 2017 19:41:00 +0200 Subject: [PATCH] tests: Add tests for no world writable dirs & no setuid files --- tests/libtest.sh | 8 ++++++++ tests/test-run.sh | 32 +++++++++++++++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/tests/libtest.sh b/tests/libtest.sh index bb26c4c7..badc96d6 100644 --- a/tests/libtest.sh +++ b/tests/libtest.sh @@ -139,6 +139,14 @@ assert_not_file_has_content () { fi } +assert_file_has_mode () { + mode=$(stat -c '%a' $1) + if [ "$mode" != "$2" ]; then + echo 1>&2 "File '$1' has wrong mode: expected $2, but got $mode" + exit 1 + fi +} + assert_not_has_dir () { if test -d "$1"; then echo 1>&2 "Directory '$1' exists"; exit 1 diff --git a/tests/test-run.sh b/tests/test-run.sh index 0f0d3aa9..b9e2e7a7 100755 --- a/tests/test-run.sh +++ b/tests/test-run.sh @@ -24,7 +24,7 @@ set -euo pipefail skip_without_bwrap skip_without_user_xattrs -echo "1..10" +echo "1..12" setup_repo install_repo @@ -338,3 +338,33 @@ ${FLATPAK} build-export ${FL_GPGARGS} repos/test ${DIR} ${FLATPAK} ${U} update org.test.OldVersion echo "ok version checks" + +rm -rf app +flatpak build-init app org.test.Writable org.test.Platform org.test.Platform +mkdir -p app/files/a-dir +chmod a+rwx app/files/a-dir +flatpak build-finish --command=hello.sh app +ostree --repo=repos/test commit ${FL_GPGARGS} --branch=app/org.test.Writable/$ARCH/master app +update_repo + +${FLATPAK} ${U} install test-repo org.test.Writable + +assert_file_has_mode $FL_DIR/app/org.test.Writable/$ARCH/master/active/files/a-dir 775 + +echo "ok no world writable dir" + +rm -rf app +flatpak build-init app org.test.Setuid org.test.Platform org.test.Platform +mkdir -p app/files/ +touch app/files/exe +chmod u+s app/files/exe +flatpak build-finish --command=hello.sh app +ostree --repo=repos/test commit ${FL_GPGARGS} --branch=app/org.test.Setuid/$ARCH/master app +update_repo + +if ${FLATPAK} ${U} install test-repo org.test.Setuid &> err2.txt; then + assert_not_reached "Should not be able to install with setuid file" +fi +assert_file_has_content err2.txt [Ii]nvalid + +echo "ok no setuid"