sk4nz/skz-sloptrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cleanup capabilities

Browse Source
This commit is contained in:
Samuel Aubertin
2026-03-10 16:51:17 +01:00
parent b080f06613
commit 87d1577546
10 changed files with 466 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

235
tests/run_tests.sh
View File

@@ -97,6 +97,47 @@ verify_secret_mounts() {
return 0
}
maybe_create_helper_pidfile() {
local -a args=("$@")
local codex_source=""
local helper_dir=""
local idx=0
while (( idx < ${#args[@]} )); do
local arg=${args[$idx]}
case "$arg" in
-v)
idx=$((idx + 1))
if (( idx < ${#args[@]} )); then
local spec=${args[$idx]}
case "$spec" in
*:/codex|*:/codex:* )
codex_source=${spec%%:/codex*}
;;
esac
fi
;;
-e)
idx=$((idx + 1))
if (( idx < ${#args[@]} )); then
local envspec=${args[$idx]}
case "$envspec" in
SLOPTRAP_HELPER_DIR=*)
helper_dir=${envspec#SLOPTRAP_HELPER_DIR=}
;;
esac
fi
;;
esac
idx=$((idx + 1))
done
if [[ -z $codex_source || $helper_dir != /codex/* ]]; then
return 0
fi
local helper_host=${codex_source}/${helper_dir#/codex/}
mkdir -p "$helper_host"
printf '12345\n' >"$helper_host/helperd.pid"
}
if [[ ${1-} == "image" && ${2-} == "inspect" && ${FAKE_PODMAN_INSPECT_FAIL:-0} == 1 ]]; then
if [[ " $* " == *" --format "* ]]; then
printf 'fake-image-id\n'
@@ -113,10 +154,16 @@ if [[ ${SECRET_MASK_VERIFY:-0} == 1 && ${1-} == "run" ]]; then
fi
fi
if [[ ${1-} == "run" ]]; then
maybe_create_helper_pidfile "$@"
fi
echo "FAKE PODMAN: $*" >>"$FAKE_PODMAN_LOG"
exit 0
EOF
chmod +x "$STUB_BIN/podman"
cp "$STUB_BIN/podman" "$STUB_BIN/docker"
chmod +x "$STUB_BIN/docker"
cat >"$STUB_BIN/curl" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
@@ -367,7 +414,7 @@ run_resume_target() {
}
run_runtime_context_prompt() {
local scenario_dir="$TEST_ROOT/capability_repo"
local scenario_dir="$TEST_ROOT/host_network_repo"
printf '==> runtime_context_prompt\n'
setup_stub_env
if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
@@ -382,8 +429,8 @@ run_runtime_context_prompt() {
if [[ -z $run_line || $run_line != *"You are running inside sloptrap"* ]]; then
record_failure "runtime_context_prompt: startup prompt missing from fresh run"
fi
if ! grep -q -- "name=capability-repo" "$STUB_LOG" \
|| ! grep -q -- "enabled_capabilities=apt-install packet-capture" "$STUB_LOG" \
if ! grep -q -- "name=host-network-repo" "$STUB_LOG" \
|| ! grep -q -- "enabled_capabilities=apt-install" "$STUB_LOG" \
|| ! grep -q -- "network_mode=host" "$STUB_LOG"; then
record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
fi
@@ -394,7 +441,7 @@ run_runtime_context_prompt() {
}
run_sh_reexec() {
local scenario_dir="$TEST_ROOT/capability_repo"
local scenario_dir="$TEST_ROOT/host_network_repo"
printf '==> sh_reexec\n'
setup_stub_env
if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
@@ -410,7 +457,7 @@ run_sh_reexec() {
}
run_resume_omits_runtime_context() {
local scenario_dir="$TEST_ROOT/capability_repo"
local scenario_dir="$TEST_ROOT/host_network_repo"
local session_id="019a81b7-32d2-7622-8639-6698c6579625"
printf '==> resume_omits_runtime_context\n'
setup_stub_env
@@ -442,8 +489,8 @@ run_auth_file_mount() {
teardown_stub_env
return
fi
if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "auth_file_mount: missing auth file bind mount"
if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z,ro" "$STUB_LOG"; then
record_failure "auth_file_mount: auth file should be mounted read-only for normal runs"
fi
if ! grep -q -- "-v ${STUB_HOME}/.codex/sloptrap/state/" "$STUB_LOG"; then
record_failure "auth_file_mount: missing project state bind mount"
@@ -466,8 +513,8 @@ run_codex_home_override() {
teardown_stub_env
return
fi
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "codex_home_override: missing CODEX_HOME auth file mount"
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z,ro" "$STUB_LOG"; then
record_failure "codex_home_override: CODEX_HOME auth file should be mounted read-only for normal runs"
fi
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
record_failure "codex_home_override: missing CODEX_HOME project state bind mount"
@@ -564,8 +611,11 @@ run_auto_login_empty_auth() {
if [[ -z $first_run || $first_run != *" login" ]]; then
record_failure "auto_login_empty_auth: expected login before primary run"
fi
if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "auto_login_empty_auth: missing auth file bind mount"
if [[ -z $first_run || $first_run != *"-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z "* ]]; then
record_failure "auto_login_empty_auth: login target should keep auth file writable"
fi
if ! grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z,ro" "$STUB_LOG"; then
record_failure "auto_login_empty_auth: post-login runtime should remount auth file read-only"
fi
teardown_stub_env
}
@@ -687,6 +737,53 @@ run_invalid_allow_host_network() {
fi
}
run_host_network_packet_capture_ack_required() {
local scenario_dir="$TEST_ROOT/host_network_packet_capture"
printf '==> host_network_packet_capture_ack_required\n'
local output_log
output_log=$(mktemp)
setup_stub_env
if PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >"$output_log" 2>&1; then
record_failure "host_network_packet_capture_ack_required: expected failure without interactive acknowledgement"
fi
if grep -q -- "FAKE PODMAN: run " "$STUB_LOG"; then
record_failure "host_network_packet_capture_ack_required: runtime container should not start without acknowledgement"
fi
teardown_stub_env
rm -f "$output_log"
}
run_host_network_packet_capture_ack_prompt() {
local scenario_dir="$TEST_ROOT/host_network_packet_capture"
printf '==> host_network_packet_capture_ack_prompt\n'
if ! can_run_script_pty; then
printf 'skipping host_network_packet_capture_ack_prompt: script PTY support not available\n'
return
fi
local output_log
output_log=$(mktemp)
setup_stub_env
if ! printf 'y\n' | script -q -c "env PATH=\"$STUB_BIN:$PATH\" HOME=\"$STUB_HOME\" FAKE_PODMAN_LOG=\"$STUB_LOG\" FAKE_PODMAN_INSPECT_FAIL=1 \"$SLOPTRAP_BIN\" --trust-capabilities \"$scenario_dir\"" "$output_log" >/dev/null 2>&1; then
record_failure "host_network_packet_capture_ack_prompt: interactive acknowledgement should allow the run"
teardown_stub_env
rm -f "$output_log"
return
fi
if [[ $(grep -c -- 'Continue with host-network packet capture for this run' "$output_log" || true) -ne 1 ]]; then
record_failure "host_network_packet_capture_ack_prompt: expected a single runtime acknowledgement prompt"
fi
if ! grep -q -- 'capture host-network traffic' "$output_log" \
|| ! grep -q -- 'transmit spoofed packets' "$output_log"; then
record_failure "host_network_packet_capture_ack_prompt: warning should describe concrete consequences"
fi
if ! grep -q -- "--network host" "$STUB_LOG"; then
record_failure "host_network_packet_capture_ack_prompt: host networking run did not reach the container engine"
fi
teardown_stub_env
rm -f "$output_log"
}
run_wizard_create_manifest() {
local scenario_dir="$TEST_ROOT/wizard_empty"
printf '==> wizard_create_manifest\n'
@@ -736,7 +833,7 @@ run_wizard_existing_defaults() {
if ! grep -qx "packages_extra=make git" "$scenario_dir/.sloptrap"; then
record_failure "wizard_existing_defaults: packages_extra not preserved"
fi
if ! grep -qx "capabilities=apt-install packet-capture" "$scenario_dir/.sloptrap"; then
if ! grep -qx "capabilities=apt-install" "$scenario_dir/.sloptrap"; then
record_failure "wizard_existing_defaults: capabilities not preserved"
fi
if ! grep -qx "allow_host_network=true" "$scenario_dir/.sloptrap"; then
@@ -779,10 +876,31 @@ run_capability_trust_required() {
teardown_stub_env
}
run_capabilities_require_podman() {
local scenario_dir="$TEST_ROOT/capability_repo"
printf '==> capabilities_require_podman\n'
local output_log
output_log=$(mktemp)
setup_stub_env
if PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" SLOPTRAP_CONTAINER_ENGINE=docker \
"$SLOPTRAP_BIN" --dry-run "$scenario_dir" >"$output_log" 2>&1; then
record_failure "capabilities_require_podman: expected docker capability run to be rejected"
elif ! grep -q -- 'capability-enabled runs require podman' "$output_log"; then
record_failure "capabilities_require_podman: missing explicit podman requirement"
fi
teardown_stub_env
rm -f "$output_log"
}
run_capability_profiles() {
local scenario_dir="$TEST_ROOT/capability_repo"
printf '==> capability_profiles\n'
setup_stub_env
local main_lines capture_lines pod_lines
local expected_build_network="bridge"
if command -v slirp4netns >/dev/null 2>&1; then
expected_build_network="slirp4netns"
fi
if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
record_failure "capability_profiles: sloptrap exited non-zero"
@@ -792,44 +910,65 @@ run_capability_profiles() {
if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump" "$STUB_LOG"; then
record_failure "capability_profiles: build arg for capability packages missing"
fi
if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network host " "$STUB_LOG"; then
record_failure "capability_profiles: build should inherit host networking"
if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network $expected_build_network " "$STUB_LOG"; then
record_failure "capability_profiles: build should stay on isolated networking"
fi
if ! grep -q -- "--cap-add NET_RAW" "$STUB_LOG"; then
record_failure "capability_profiles: NET_RAW capability missing"
main_lines=$(grep "FAKE PODMAN: run " "$STUB_LOG" | grep -- "--name capability-repo-sloptrap-container" || true)
capture_lines=$(grep "FAKE PODMAN: run " "$STUB_LOG" | grep -- "--name capability-repo-sloptrap-capture" || true)
pod_lines=$(grep "FAKE PODMAN: pod create " "$STUB_LOG" | grep -- "--name capability-repo-sloptrap-pod" || true)
if [[ -z $main_lines ]]; then
record_failure "capability_profiles: main runtime container did not reach the container engine"
fi
if ! grep -q -- "--cap-add NET_ADMIN" "$STUB_LOG"; then
record_failure "capability_profiles: NET_ADMIN capability missing"
if [[ -z $pod_lines ]]; then
record_failure "capability_profiles: packet capture should create a dedicated pod"
fi
if ! grep -q -- "--cap-add SETUID" "$STUB_LOG"; then
if [[ -z $capture_lines || $capture_lines != *"--cap-add NET_RAW"* ]]; then
record_failure "capability_profiles: capture sidecar should receive NET_RAW"
fi
if [[ -n $main_lines && $main_lines == *"--cap-add NET_RAW"* ]]; then
record_failure "capability_profiles: main container should not receive NET_RAW"
fi
if grep -q -- "--cap-add NET_ADMIN" <<<"$capture_lines"; then
record_failure "capability_profiles: NET_ADMIN should not be granted"
fi
if [[ -z $capture_lines || $capture_lines != *"--cap-add SETUID"* ]]; then
record_failure "capability_profiles: SETUID capability missing"
fi
if ! grep -q -- "--cap-add SETGID" "$STUB_LOG"; then
if [[ -z $capture_lines || $capture_lines != *"--cap-add SETGID"* ]]; then
record_failure "capability_profiles: SETGID capability missing"
fi
if ! grep -q -- "--cap-add CHOWN" "$STUB_LOG"; then
if [[ -z $capture_lines || $capture_lines != *"--cap-add CHOWN"* ]]; then
record_failure "capability_profiles: CHOWN capability missing"
fi
if ! grep -q -- "--cap-add DAC_OVERRIDE" "$STUB_LOG"; then
record_failure "capability_profiles: DAC_OVERRIDE capability missing"
if grep -q -- "--cap-add DAC_OVERRIDE" <<<"$capture_lines$main_lines"; then
record_failure "capability_profiles: DAC_OVERRIDE should not be granted"
fi
if ! grep -q -- "--cap-add FOWNER" "$STUB_LOG"; then
record_failure "capability_profiles: FOWNER capability missing"
if grep -q -- "--cap-add FOWNER" <<<"$capture_lines$main_lines"; then
record_failure "capability_profiles: FOWNER should not be granted"
fi
if ! grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then
if ! grep -q -- "--security-opt no-new-privileges" <<<"$capture_lines$main_lines"; then
record_failure "capability_profiles: no-new-privileges missing"
fi
if grep -q -- "--read-only" "$STUB_LOG"; then
if grep -q -- "--read-only" <<<"$main_lines"; then
record_failure "capability_profiles: apt profile should disable read-only rootfs"
fi
if grep -q -- "--user " "$STUB_LOG"; then
if grep -q -- "--user " <<<"$main_lines"; then
record_failure "capability_profiles: capability-enabled run should not force --user"
fi
if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" "$STUB_LOG"; then
if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" <<<"$capture_lines$main_lines"; then
record_failure "capability_profiles: podman keep-id user namespace missing"
fi
if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install packet-capture" "$STUB_LOG"; then
record_failure "capability_profiles: active capability environment missing"
if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install" <<<"$main_lines"; then
record_failure "capability_profiles: main helper capability environment missing"
fi
if ! grep -q -- "SLOPTRAP_PACKET_CAPTURE_ENABLED=1" <<<"$main_lines"; then
record_failure "capability_profiles: main container should advertise packet capture availability"
fi
if ! grep -q -- "SLOPTRAP_HELPER_DIR=/codex/state/capture-helper" <<<"$capture_lines"; then
record_failure "capability_profiles: capture sidecar helper dir missing"
fi
if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=packet-capture" <<<"$capture_lines"; then
record_failure "capability_profiles: capture sidecar capability environment missing"
fi
if ! grep -q -- "SLOPTRAP_HOST_UID=$(id -u)" "$STUB_LOG"; then
record_failure "capability_profiles: host uid environment missing"
@@ -926,28 +1065,29 @@ EOF
record_failure "embedded_capability_helpers: entrypoint did not expose helper queue to the dropped user"
fi
local autostart_helper_dir
autostart_helper_dir="$temp_root/helper-autostart"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$autostart_helper_dir" \
if grep -q -- "setpriv --reuid 0 --regid 0" "$helper_bin/slop-apt" \
|| grep -q -- "setpriv --reuid 0 --regid 0" "$helper_bin/slopcap"; then
record_failure "embedded_capability_helpers: helper clients should not attempt to regain root"
fi
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$temp_root/helper-missing" \
SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_AUDIT_LOG="$temp_root/autostart-audit.log" \
SLOPTRAP_HOST_UID="$(id -u)" SLOPTRAP_HOST_GID="$(id -g)" \
"$helper_bin/slop-apt" install jq >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slop-apt did not self-bootstrap the helper daemon"
fi
if [[ ! -r $autostart_helper_dir/helperd.pid ]]; then
record_failure "embedded_capability_helpers: helper self-bootstrap did not create a pid file"
else
kill "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true
wait "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true
"$helper_bin/slop-apt" install jq >"$temp_root/missing-helper.out" 2>"$temp_root/missing-helper.err"; then
record_failure "embedded_capability_helpers: slop-apt should fail when the root helper is unavailable"
elif ! grep -q -- 'capability helper is unavailable' "$temp_root/missing-helper.err"; then
record_failure "embedded_capability_helpers: missing helper failure should explain the boundary"
fi
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
SLOPTRAP_APT_GET_BIN="$helper_bin/apt-get" \
SLOPTRAP_TCPDUMP_BIN="$helper_bin/tcpdump" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_AUDIT_LOG="$temp_root/audit.log" "$helper_bin/sloptrap-helperd" >/dev/null 2>&1 &
helper_pid=$!
if ! wait_for_path "$helper_dir/helperd.pid"; then
record_failure "embedded_capability_helpers: helper daemon did not publish its pid file"
fi
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
"$helper_bin/slop-apt" install jq >/dev/null 2>&1; then
@@ -972,17 +1112,19 @@ EOF
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_CAPTURE_HELPER_DIR="$helper_dir" SLOPTRAP_PACKET_CAPTURE_ENABLED=1 \
"$helper_bin/slopcap" capture --interface eth0 --output /tmp/escape.pcap >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slopcap accepted an out-of-bounds output path"
fi
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_CAPTURE_HELPER_DIR="$helper_dir" SLOPTRAP_PACKET_CAPTURE_ENABLED=1 \
"$helper_bin/slopcap" capture --interface eth0 --filter 'tcp port 80' \
--output "$workspace_dir/capture.pcap" >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slopcap failed for a workspace-local capture file"
fi
if ! grep -q -- "tcpdump -i eth0 -w $workspace_dir/capture.pcap -- tcp port 80" "$tool_log"; then
if ! grep -q -- "tcpdump -p -i eth0 -w $workspace_dir/capture.pcap -- tcp port 80" "$tool_log"; then
record_failure "embedded_capability_helpers: slopcap did not invoke tcpdump with the expected guarded arguments"
fi
@@ -1080,11 +1222,14 @@ run_invalid_manifest_sandbox
run_invalid_manifest_packages
run_invalid_manifest_capabilities
run_invalid_allow_host_network
run_host_network_packet_capture_ack_required
run_host_network_packet_capture_ack_prompt
run_removed_nested_podman_manifest
run_wizard_create_manifest
run_wizard_existing_defaults
run_wizard_build_trigger
run_capability_trust_required
run_capabilities_require_podman
run_capability_profiles
run_embedded_capability_helpers
run_make_install_single_file