Gergő Tisza has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/399767 )

Change subject: Integration tests for FirejailCommand
......................................................................

Integration tests for FirejailCommand

Change-Id: I8bb5f8ad528da55c4432928ffb124f9ac0c32518
---
A tests/integration/includes/shell/FirejailCommandTest.php
1 file changed, 58 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/67/399767/1

diff --git a/tests/integration/includes/shell/FirejailCommandTest.php 
b/tests/integration/includes/shell/FirejailCommandTest.php
new file mode 100644
index 0000000..3d6f1c3
--- /dev/null
+++ b/tests/integration/includes/shell/FirejailCommandTest.php
@@ -0,0 +1,58 @@
+<?php
+
+use MediaWiki\Shell\FirejailCommand;
+use MediaWiki\Shell\Shell;
+use Wikimedia\TestingAccessWrapper;
+
+/**
+* Integration tests to ensure that firejail actually prevents execution.
+* Meant to run on vagrant, although will probably work on other setups
+* as long as firejail and sudo has similar config.
+*/
+class FirejailCommandIntegrationTest extends PHPUnit_Framework_TestCase {
+
+       public function testSanity() {
+               // Make sure that firejail works at all.
+               $command = new FirejailCommand( 'firejail' );
+               $command
+                       ->unsafeParams( 'ls .' )
+                       ->restrict( Shell::RESTRICT_DEFAULT );
+               $result = $command->execute();
+               $this->assertSame( 0, $result->getExitCode() );
+       }
+
+       /**
+        * @coversNothing
+        * @dataProvider provideExecute
+        */
+       public function testExecute( $testCommand, $flag ) {
+               $command = new FirejailCommand( 'firejail' );
+               $command
+                       ->unsafeParams( $testCommand )
+                       // If we don't restrict at all, firejail won't be 
invoked,
+                       // so the test will give a false positive if firejail 
breaks
+                       // the command for some non-flag-related reason. 
Instead,
+                       // set some flag that won't get in the way.
+                       ->restrict( $flag === Shell::NO_NETWORK ? 
Shell::PRIVATE_DEV : Shell::NO_NETWORK );
+               $result = $command->execute();
+               $this->assertSame( 0, $result->getExitCode(), 'sanity check' );
+
+               $command = new FirejailCommand( 'firejail' );
+               $command
+                       ->unsafeParams( $testCommand )
+                       ->restrict( $flag );
+               $result = $command->execute();
+               $this->assertNotSame( 0, $result->getExitCode(), 'real check' );
+       }
+
+       public function provideExecute() {
+               return [
+                       [ 'sudo ls /', Shell::NO_ROOT ],
+                       [ 'sudo ls /', Shell::SECCOMP ], // not a great test ut 
seems to work
+                       [ 'ls /dev/cpu', Shell::PRIVATE_DEV ],
+                       [ 'curl -fsSo /dev/null https://wikipedia.org/', 
Shell::NO_NETWORK ],
+                       [ 'exec ls /', Shell::NO_EXECVE ],
+               ];
+       }
+
+}
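Review bot: The 'real check' in testExecute asserts only a non-zero exit code, so it also passes when firejail itself fails to start under `$flag` (unsupported option, sudo misconfiguration) rather than because the restriction blocked the command. The earlier 'sanity check' runs under a different flag and cannot rule that out; a control run of a harmless command under the same flag, e.g. `->unsafeParams( 'true' )->restrict( $flag )` asserted to exit 0, would show that the failure comes from the restriction. Separately, nothing skips the tests when firejail or sudo is absent, and the sanity step of the NO_NETWORK case needs outbound network access. A `setUp()` guard calling `$this->markTestSkipped( 'firejail not available' )` would keep hosts without that setup from reporting failures. Minor: testSanity lacks the `@coversNothing` that testExecute carries, the `TestingAccessWrapper` import is unused, and the class name FirejailCommandIntegrationTest does not match the file name.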

-- 
To view, visit https://gerrit.wikimedia.org/r/399767

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8bb5f8ad528da55c4432928ffb124f9ac0c32518
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Gergő Tisza <[email protected]>
