1import unittest, os, shutil
2from tempfile import mkdtemp
3from subprocess import Popen, PIPE
4
5class SandboxTests(unittest.TestCase):
6    def assertDenied(self, err):
7        self.assert_('Permission denied' in err,
8                     '"Permission denied" not found in %r' % err)
9    def assertNotFound(self, err):
10        self.assert_('not found' in err,
11                     '"not found" not found in %r' % err)
12
13    def assertFailure(self, status):
14        self.assert_(status != 0,
15                     '"Succeeded when it should have failed')
16
17    def assertSuccess(self, status, err):
18        self.assert_(status == 0,
19                     '"Sandbox should have succeeded for this test %r' %  err)
20
21    def test_simple_success(self):
22        "Verify that we can read file descriptors handed to sandbox"
23        p1 = Popen(['cat', '/etc/passwd'], stdout = PIPE)
24        p2 = Popen(['sandbox', 'grep', 'root'], stdin = p1.stdout, stdout=PIPE)
25        out, err = p2.communicate()
26        self.assert_('root' in out)
27
28    def test_cant_kill(self):
29        "Verify that we cannot send kill signal in the sandbox"
30        pid = os.getpid()
31        p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
32        out, err = p.communicate()
33        self.assertDenied(err)
34
35    def test_cant_ping(self):
36        "Verify that we can't ping within the sandbox"
37        p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
38        out, err = p.communicate()
39        self.assertDenied(err)
40
41    def test_cant_mkdir(self):
42        "Verify that we can't mkdir within the sandbox"
43        p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
44        out, err = p.communicate()
45        self.assertFailure(p.returncode)
46
47    def test_cant_list_homedir(self):
48        "Verify that we can't list homedir within the sandbox"
49        p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
50        out, err = p.communicate()
51        self.assertFailure(p.returncode)
52
53    def test_cant_send_mail(self):
54        "Verify that we can't send mail within the sandbox"
55        p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
56        out, err = p.communicate()
57        self.assertDenied(err)
58
59    def test_cant_sudo(self):
60        "Verify that we can't run sudo within the sandbox"
61        p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
62        out, err = p.communicate()
63        self.assertFailure(p.returncode)
64
65    def test_mount(self):
66        "Verify that we mount a file system"
67        p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
68        out, err = p.communicate()
69        self.assertSuccess(p.returncode, err)
70
71    def test_set_level(self):
72        "Verify that we set level a file system"
73        p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
74        out, err = p.communicate()
75        self.assertSuccess(p.returncode, err)
76
77    def test_homedir(self):
78        "Verify that we set homedir a file system"
79        homedir = mkdtemp(dir=".", prefix=".sandbox_test")
80        p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
81        out, err = p.communicate()
82        shutil.rmtree(homedir)
83        self.assertSuccess(p.returncode, err)
84
85    def test_tmpdir(self):
86        "Verify that we set tmpdir a file system"
87        tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test")
88        p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
89        out, err = p.communicate()
90        shutil.rmtree(tmpdir)
91        self.assertSuccess(p.returncode, err)
92
93if __name__ == "__main__":
94    import selinux
95    if selinux.security_getenforce() == 1:
96        unittest.main()
97    else:
98        print "SELinux must be in enforcing mode for this test"
99