From a36789b4685cad40725055f8e0a396fec7e1a03c Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Thu, 20 Aug 2020 13:11:09 +0200 Subject: [PATCH] test: move security tests to separate function --- test/scenarios/lib.py | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/test/scenarios/lib.py b/test/scenarios/lib.py index 2ebda30..bffd4bb 100644 --- a/test/scenarios/lib.py +++ b/test/scenarios/lib.py @@ -38,9 +38,7 @@ if "is_interactive" in vars(): # The argument extra_tests is a dictionary from strings to functions. The string # determines at which point of run_tests the corresponding function is executed. def run_tests(extra_tests): - assert_running("setup-secrets") - # Unused secrets should be inaccessible - succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]') + test_security() assert_running("bitcoind") machine.wait_until_succeeds("bitcoin-cli getnetworkinfo") @@ -103,15 +101,6 @@ def run_tests(extra_tests): machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) assert_no_failure("bitcoind-import-banlist") - # `systemctl status` run by unprivileged users shouldn't leak cgroup info - assert_matches( - "sudo -u electrs systemctl status clightning 2>&1 >/dev/null", - "Failed to dump process list for 'clightning.service', ignoring: Access denied", - ) - # The 'operator' with group 'proc' has full access - assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "") - machine.succeed("grep -Fq hidepid=2 /proc/mounts") - ### Additional tests # Current time in µs @@ -157,3 +146,21 @@ def run_tests(extra_tests): ### Check that all extra_tests have been run assert len(extra_tests) == 0 + + +def test_security(): + assert_running("setup-secrets") + # Unused secrets should be inaccessible + succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]') + + # Access to '/proc' should be restricted + machine.succeed("grep -Fq hidepid=2 /proc/mounts") + + machine.wait_for_unit("bitcoind") + # `systemctl status` run by unprivileged users shouldn't leak cgroup info + assert_matches( + "sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null", + "Failed to dump process list for 'bitcoind.service', ignoring: Access denied", + ) + # The 'operator' with group 'proc' has full access + assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")