-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtest.sh
More file actions
executable file
·314 lines (251 loc) · 10.2 KB
/
test.sh
File metadata and controls
executable file
·314 lines (251 loc) · 10.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
#!/bin/bash
# Check if we should keep the binary
KEEP_BINARY=false
USE_SYSTEM_BINARY=false
NO_BUILD=false
# Whether we should try to do network calls during testing.
INTERNET_ACCESS=true
while [ "$#" -gt 0 ]; do
case "$1" in
"--keep-binary")
KEEP_BINARY=true
shift
;;
"--use-system")
USE_SYSTEM_BINARY=true
shift
;;
"--no-build")
NO_BUILD=true
shift
;;
"--offline")
INTERNET_ACCESS=false
shift
;;
*)
echo "Unknown parameter: $1"
exit 1
;;
esac
done
# Don't exit on error, we'll handle errors in the run_test function
set +e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Function to print colored output
print_status() {
echo -e "${YELLOW}[TEST]${NC} $1"
}
print_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Build the binary if not using system binary
if [ "$USE_SYSTEM_BINARY" = false ]; then
if [ "$NO_BUILD" = false ]; then
print_status "Building landrun binary..."
go build -o landrun cmd/landrun/main.go
if [ $? -ne 0 ]; then
print_error "Failed to build landrun binary"
exit 1
fi
print_success "Binary built successfully"
else
print_success "Using already built landrun binary"
fi
fi
# Create test directories
TEST_DIR="test_env"
RO_DIR="$TEST_DIR/ro"
RO_DIR_NESTED_RO="$RO_DIR/ro_nested_ro_1"
RO_DIR_NESTED_RW="$RO_DIR/ro_nested_rw_1"
RO_DIR_NESTED_EXEC="$RO_DIR/ro_nested_exec"
RW_DIR="$TEST_DIR/rw"
RW_DIR_NESTED_RO="$RW_DIR/rw_nested_ro_1"
RW_DIR_NESTED_RW="$RW_DIR/rw_nested_rw_1"
RW_DIR_NESTED_EXEC="$RW_DIR/rw_nested_exec"
EXEC_DIR="$TEST_DIR/exec"
NESTED_DIR="$TEST_DIR/nested/path/deep"
print_status "Setting up test environment..."
rm -rf "$TEST_DIR"
mkdir -p "$RO_DIR" "$RW_DIR" "$EXEC_DIR" "$NESTED_DIR" "$RO_DIR_NESTED_RO" "$RO_DIR_NESTED_RW" "$RO_DIR_NESTED_EXEC" "$RW_DIR_NESTED_RO" "$RW_DIR_NESTED_RW" "$RW_DIR_NESTED_EXEC"
# Create test files
echo "readonly content" > "$RO_DIR/test.txt"
echo "readwrite content" > "$RW_DIR/test.txt"
echo "nested content" > "$NESTED_DIR/test.txt"
echo "#!/bin/bash" > "$EXEC_DIR/test.sh"
echo "echo 'executable content'" >> "$EXEC_DIR/test.sh"
chmod +x "$EXEC_DIR/test.sh"
cp $EXEC_DIR/test.sh $EXEC_DIR/test2.sh
cp "$RO_DIR/test.txt" "$RO_DIR_NESTED_RO/test.txt"
cp "$RO_DIR/test.txt" "$RW_DIR_NESTED_RO/test.txt"
cp "$RW_DIR/test.txt" "$RO_DIR_NESTED_RW/test.txt"
cp "$RW_DIR/test.txt" "$RW_DIR_NESTED_RW/test.txt"
cp "$EXEC_DIR/test.sh" "$RO_DIR_NESTED_EXEC/test.sh"
cp "$EXEC_DIR/test.sh" "$RW_DIR_NESTED_EXEC/test.sh"
cp "$EXEC_DIR/test.sh" "$RO_DIR_NESTED_RO/test.sh"
cp "$EXEC_DIR/test.sh" "$RW_DIR_NESTED_RO/test.sh"
cp "$EXEC_DIR/test.sh" "$RO_DIR_NESTED_RW/test.sh"
cp "$EXEC_DIR/test.sh" "$RW_DIR_NESTED_RW/test.sh"
# Create a script in RW dir to test execution in RW dirs
echo "#!/bin/bash" > "$RW_DIR/rw_script.sh"
echo "echo 'this script is in a read-write directory'" >> "$RW_DIR/rw_script.sh"
chmod +x "$RW_DIR/rw_script.sh"
# Function to run a test case
run_test() {
local name="$1"
local cmd="$2"
local expected_exit="$3"
# Replace ./landrun with landrun if using system binary
if [ "$USE_SYSTEM_BINARY" = true ]; then
cmd="${cmd//.\/landrun/landrun}"
fi
print_status "Running test: $name"
eval "$cmd"
local exit_code=$?
if [ $exit_code -eq $expected_exit ]; then
print_success "Test passed: $name"
return 0
else
print_error "Test failed: $name (expected exit $expected_exit, got $exit_code)"
exit 1
fi
}
# Test cases
print_status "Starting test cases..."
# Basic access tests
run_test "Read-only access to file" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR -- cat $RO_DIR/test.txt" \
0
run_test "Read-only access to nested file" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR -- cat $RO_DIR_NESTED_RO/test.txt" \
0
run_test "Write access to nested directory writable nested in read-only directory" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR --rw $RO_DIR_NESTED_RW -- touch $RO_DIR_NESTED_RW/created_file" \
0
run_test "Write access to nested file writable nested in read-only directory" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR --rw $RO_DIR_NESTED_RW/created_file -- touch $RO_DIR_NESTED_RW/created_file" \
0
run_test "Read-write access to file" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR --rw $RW_DIR touch $RW_DIR/new.txt" \
0
run_test "No write access to read-only directory" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR --rw $RW_DIR touch $RO_DIR/new.txt" \
1
# Executable permission tests
run_test "Execute access with rox flag" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --rox $EXEC_DIR -- $EXEC_DIR/test.sh" \
0
run_test "Execute access with rox flag on file" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --rox $EXEC_DIR/test.sh -- $EXEC_DIR/test.sh" \
0
run_test "Execute access with rox flag on a file that is executable in same directory that one is allowed" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --rox $EXEC_DIR/test.sh -- $EXEC_DIR/test2.sh" \
1
run_test "Execute a file with --add-exec flag" \
"./landrun --log-level debug --add-exec --rox /usr --ro /lib --ro /lib64 --rox $EXEC_DIR/test.sh -- $EXEC_DIR/test2.sh" \
0
run_test "Execute a file with --add-exec and --ldd flag" \
"./landrun --log-level debug --add-exec --ldd -- $(which true)" \
0
run_test "No execute access with just ro flag" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $EXEC_DIR -- $EXEC_DIR/test.sh" \
1
run_test "Execute access in read-write directory" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --rwx $RW_DIR -- $RW_DIR/rw_script.sh" \
0
run_test "No execute access in read-write directory without rwx" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --rw $RW_DIR -- $RW_DIR/rw_script.sh" \
1
# Directory traversal tests
run_test "Directory traversal with root access" \
"./landrun --log-level debug --rox / -- ls /usr" \
0
run_test "Deep directory traversal" \
"./landrun --log-level debug --rox / -- ls $NESTED_DIR" \
0
# Multiple paths and complex specifications
run_test "Multiple read paths" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --ro $RO_DIR --ro $NESTED_DIR -- cat $NESTED_DIR/test.txt" \
0
run_test "Comma-separated paths" \
"./landrun --log-level debug --rox /usr --ro /lib,/lib64,$RO_DIR -- cat $RO_DIR/test.txt" \
0
# System command tests
run_test "Simple system command" \
"./landrun --log-level debug --rox /usr --ro /etc -- whoami" \
0
run_test "System command with arguments" \
"./landrun --log-level debug --rox / -- ls -la /usr/bin" \
0
# Edge cases
run_test "Non-existent read-only path" \
"./landrun --log-level debug --ro /usr --ro /lib --ro /lib64 --ro /nonexistent/path -- ls" \
1
run_test "No configuration" \
"./landrun --log-level debug -- ls /" \
1
# Process creation and redirection tests
run_test "Process creation with pipe" \
"./landrun --log-level debug --rox / --env PATH -- bash -c 'ls /usr | grep bin'" \
0
run_test "File redirection" \
"./landrun --log-level debug --rox / --rw $RW_DIR --env PATH -- bash -c 'ls /usr > $RW_DIR/output.txt && cat $RW_DIR/output.txt'" \
0
# Network restrictions tests (if kernel supports it)
$INTERNET_ACCESS && run_test "TCP connection without permission" \
"./landrun --log-level debug --rox /usr --ro / -- curl -s --connect-timeout 2 https://example.com" \
7
$INTERNET_ACCESS && run_test "TCP connection with permission" \
"./landrun --log-level debug --rox /usr --ro / --connect-tcp 443 -- curl -s --connect-timeout 2 https://example.com" \
0
# Environment isolation tests
export TEST_ENV_VAR="test_value_123"
run_test "Environment isolation" \
"./landrun --log-level debug --rox /usr --ro / -- bash -c 'echo \$TEST_ENV_VAR'" \
0
run_test "Environment isolation (no variables should be passed)" \
"./landrun --log-level debug --rox /usr --ro / -- bash -c '[[ -z \$TEST_ENV_VAR ]] && echo \"No env var\" || echo \$TEST_ENV_VAR'" \
0
run_test "Passing specific environment variable" \
"./landrun --log-level debug --rox /usr --ro / --env TEST_ENV_VAR --env PATH -- bash -c 'echo \$TEST_ENV_VAR | grep \"test_value_123\"'" \
0
run_test "Passing custom environment variable" \
"./landrun --log-level debug --rox /usr --ro / --env CUSTOM_VAR=custom_value --env PATH -- bash -c 'echo \$CUSTOM_VAR | grep \"custom_value\"'" \
0
# Combining different permission types
run_test "Mixed permissions" \
"./landrun --log-level debug --rox /usr --ro /lib --ro /lib64 --rox $EXEC_DIR --rwx $RW_DIR --env PATH -- bash -c '$EXEC_DIR/test.sh > $RW_DIR/output.txt && cat $RW_DIR/output.txt'" \
0
# Specific regression tests for bugs we fixed
run_test "Root path traversal regression test" \
"./landrun --log-level debug --rox /usr -- $(which ls) /usr" \
0
run_test "Execute from read-only paths regression test" \
"./landrun --log-level debug --rox /usr --ro /usr/bin -- $(which id)" \
0
run_test "Unrestricted filesystem access" \
"./landrun --log-level debug --unrestricted-filesystem ls /usr" \
0
$INTERNET_ACCESS && run_test "Unrestricted network access" \
"./landrun --log-level debug --unrestricted-network --rox /usr --ro /etc -- curl -s --connect-timeout 2 https://example.com" \
0
run_test "Restricted filesystem access" \
"./landrun --log-level debug ls /usr" \
1
$INTERNET_ACCESS && run_test "Restricted network access" \
"./landrun --log-level debug --rox /usr --ro /etc -- curl -s --connect-timeout 2 https://example.com" \
7
# Cleanup
print_status "Cleaning up..."
rm -rf "$TEST_DIR"
if [ "$KEEP_BINARY" = false ] && [ "$USE_SYSTEM_BINARY" = false ]; then
rm -f landrun
fi
print_success "All tests completed!"