def test_openat(self):
fd = os.open("/dev", os.O_RDONLY)
cap.enter()
self.assertTrue(cap.sandboxed())
rightset = {
cap.READ, # to allow the openat(O_RDONLY)
cap.LOOKUP, # Also for openat()
cap.FSTAT, # Used by Python os.fdopen(), although non-fatal if
# denied. Attempts the syscall twice if denied,
# though.
cap.FCNTL, # Used by Python os.fdopen() for F_GETFL. Fatal if
# denied.
}
cap.limit(fd, cap.Rights(rightset))
# Since we permit fcntl(), restrict the set of valid fcntls.
cap.fcntls_limit(fd, cap.Fcntls({cap.fcntl.GETFL}))
# Ordinary open is not permitted in sandbox mode:
with self.assertRaises(EnvironmentError) as cm:
open("/dev/null")
self.assertEqual(cm.exception.errno, cap.ECAPMODE)
# But with at least the privileges granted above, we can openat() and
# read() from a file-like object:
f = cap.openat(fd, "null", os.O_RDONLY)
f.readlines()
def test_ioctls_limit(self):
fd = os.open("/dev/null", os.O_RDONLY)
cap.enter()
self.assertTrue(cap.sandboxed())
cap.ioctls_limit(fd, cap.Ioctls({termios.FIONREAD}))
try:
py_fcntl.ioctl(fd, termios.FIONREAD)
except EnvironmentError as ee:
# ENOTTY is fine, we're sending a stupid ioctl to a device
# that doesn't know about it. The point is that capsicum
# permitted it.
if ee.errno != errno.ENOTTY:
raise
# Capsicum rejects ioctls outside the set we've limited
# ourselves to above.
with self.assertRaises(EnvironmentError) as cm:
py_fcntl.ioctl(fd, termios.TIOCGETD)
self.assertEqual(cm.exception.errno, cap.ENOTCAPABLE)
# Capsicum rejects requests to increase privileges:
with self.assertRaises(EnvironmentError) as cm:
cap.ioctls_limit(fd,
cap.Ioctls({termios.FIONREAD, termios.TIOCGETD}))
self.assertEqual(cm.exception.errno, cap.ENOTCAPABLE)
self.assertItemsEqual(cap.Ioctls(fd)._ioctls, [termios.FIONREAD])
def test_limit_trivial(self):
fd = os.open("/dev/zero", os.O_RDONLY)
cap.enter()
self.assertTrue(cap.sandboxed())
# Unrestricted fds have full privileges after entering the
# sandbox:
os.read(fd, 1)
# After removing all privileges (principally, CAP_READ),
# read() is no longer permitted in sandbox mode:
cap.limit(fd, cap.right.NONE)
with self.assertRaises(EnvironmentError) as cm:
os.read(fd, 1)
self.assertEqual(cm.exception.errno, cap.ENOTCAPABLE)
def test_fcntls_limit_trivial(self):
fd = os.open("/dev/null", os.O_RDONLY)
cap.fcntls_limit(fd, cap.Fcntls([cap.fcntl.ALL]))
cap.enter()
self.assertTrue(cap.sandboxed())
# No-op, just verify no exception is raised.
flags = py_fcntl.fcntl(fd, py_fcntl.F_GETFL)
py_fcntl.fcntl(fd, py_fcntl.F_SETFL, flags)
# Restrict to no fcntl rights and except NOTCAPABLE.
cap.fcntls_limit(fd, cap.Fcntls())
with self.assertRaises(EnvironmentError) as cm:
py_fcntl.fcntl(fd, py_fcntl.F_GETFL)
self.assertEqual(cm.exception.errno, cap.ENOTCAPABLE)
def patch_write_file(self, filename):
if self._debug and self._debug.should('dataio'):
self._debug.write("Writing data to %r" % (filename,))
assert filename.startswith(state.dir_path)
fname = filename[len(state.dir_path) + 1:]
import cap
if cap.sandboxed():
print("\n ↳ Writing", fname, "in", state.dir_path, "(sandboxed test)")
# coverage.py expects a string-mode handle, unfortunately.
if sys.version_info < (3, 3):
myopen = cap.compat33.open
else:
myopen = os.open
rfd = myopen(fname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644,
dir_fd=state.dir_fd)
with os.fdopen(rfd, "wt") as fdata:
self.write_fileobj(fdata)
def test_sandbox_trivial(self):
self.assertFalse(cap.sandboxed())
cap.enter()
self.assertTrue(cap.sandboxed())