monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

test: add denyRead integration tests for files and directories (#15)

Browse Source
This commit is contained in:
priuatus
2026-01-23 20:22:17 +02:00
committed by GitHub
parent 9bb11a2f40
commit 27dfd1da93
2 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
internal/sandbox/integration_linux_test.go
View File

@@ -228,6 +228,44 @@ func TestLinux_LandlockAllowsTmpFence(t *testing.T) {
assertFileExists(t, testFile) assertFileExists(t, testFile)
} }
// TestLinux_DenyReadBlocksFiles verifies that denyRead correctly blocks file access.
// This test ensures that when denyRead contains file paths (not directories),
// sandbox is properly set up and denies read access.
func TestLinux_DenyReadBlocksFiles(t *testing.T) {
skipIfAlreadySandboxed(t)
workspace := createTempWorkspace(t)
secretFile := createTestFile(t, workspace, "secret.txt", "secret content")
cfg := testConfigWithWorkspace(workspace)
cfg.Filesystem.DenyRead = []string{secretFile}
result := runUnderSandbox(t, cfg, "cat "+secretFile, workspace)
// File should be blocked (cannot be read)
assertBlocked(t, result)
}
// TestLinux_DenyReadBlocksDirectories verifies that denyRead correctly blocks directory access.
func TestLinux_DenyReadBlocksDirectories(t *testing.T) {
skipIfAlreadySandboxed(t)
workspace := createTempWorkspace(t)
secretDir := filepath.Join(workspace, "secret-dir")
if err := os.MkdirAll(secretDir, 0o750); err != nil {
t.Fatalf("failed to create secret directory: %v", err)
}
secretFile := createTestFile(t, secretDir, "data.txt", "secret data")
cfg := testConfigWithWorkspace(workspace)
cfg.Filesystem.DenyRead = []string{secretDir}
result := runUnderSandbox(t, cfg, "cat "+secretFile, workspace)
// Directory should be blocked (cannot read files inside)
assertBlocked(t, result)
}
// ============================================================================ // ============================================================================
// Network Blocking Tests // Network Blocking Tests
// ============================================================================ // ============================================================================

32
internal/sandbox/integration_test.go
View File

@@ -3,6 +3,7 @@ package sandbox
import ( import (
"bytes" "bytes"
"context" "context"
"fmt"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
@@ -63,6 +64,15 @@ func skipIfCommandNotFound(t *testing.T, cmd string) {
// assertBlocked verifies that a command was blocked by the sandbox. // assertBlocked verifies that a command was blocked by the sandbox.
func assertBlocked(t *testing.T, result *SandboxTestResult) { func assertBlocked(t *testing.T, result *SandboxTestResult) {
t.Helper() t.Helper()
// Check for initialization failures
// ExitError means the command ran but failed (non-zero exit code), not an initialization failure
if result.Error != nil && !strings.Contains(result.Error.Error(), "blocked") {
if _, isExitErr := result.Error.(*exec.ExitError); !isExitErr {
t.Errorf("sandbox initialization failed: %v", result.Error)
}
}
// Verify command was actually blocked
if result.Succeeded() { if result.Succeeded() {
t.Errorf("expected command to be blocked, but it succeeded\nstdout: %s\nstderr: %s", t.Errorf("expected command to be blocked, but it succeeded\nstdout: %s\nstderr: %s",
result.Stdout, result.Stderr) result.Stdout, result.Stderr)
@@ -72,6 +82,12 @@ func assertBlocked(t *testing.T, result *SandboxTestResult) {
// assertAllowed verifies that a command was allowed and succeeded. // assertAllowed verifies that a command was allowed and succeeded.
func assertAllowed(t *testing.T, result *SandboxTestResult) { func assertAllowed(t *testing.T, result *SandboxTestResult) {
t.Helper() t.Helper()
// Check for initialization failures
if result.Error != nil {
t.Errorf("sandbox initialization failed: %v", result.Error)
}
// Verify command succeeded
if result.Failed() { if result.Failed() {
t.Errorf("expected command to succeed, but it failed with exit code %d\nstdout: %s\nstderr: %s\nerror: %v", t.Errorf("expected command to succeed, but it failed with exit code %d\nstdout: %s\nstderr: %s\nerror: %v",
result.ExitCode, result.Stdout, result.Stderr, result.Error) result.ExitCode, result.Stdout, result.Stderr, result.Error)
@@ -251,6 +267,7 @@ func executeShellCommandWithTimeout(t *testing.T, command string, workDir string
if err != nil { if err != nil {
if exitErr, ok := err.(*exec.ExitError); ok { if exitErr, ok := err.(*exec.ExitError); ok {
result.ExitCode = exitErr.ExitCode() result.ExitCode = exitErr.ExitCode()
result.Error = exitErr
} else { } else {
result.Error = err result.Error = err
result.ExitCode = -1 result.ExitCode = -1
@@ -483,3 +500,18 @@ func TestIntegration_EnvWorks(t *testing.T) {
assertAllowed(t, result) assertAllowed(t, result)
assertContains(t, result.Stdout, "FENCE_SANDBOX=1") assertContains(t, result.Stdout, "FENCE_SANDBOX=1")
} }
func TestExecuteShellCommandBwrapError(t *testing.T) {
skipIfAlreadySandboxed(t)
skipIfCommandNotFound(t, "bwrap")
workspace := createTempWorkspace(t)
testFile := createTestFile(t, workspace, "testfile.txt", "test content")
bwrapCmd := fmt.Sprintf("bwrap --ro-bind / / --tmpfs %s -- /bin/true", testFile)
result := executeShellCommand(t, bwrapCmd, workspace)
if result.Error == nil || result.ExitCode == 0 {
t.Errorf("expected command to fail with an error")
}
}