github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
adac8a22976531290293cdb3587a9fa40e9cc1d7
firezone/scripts/tests/linux-group.sh
Reactor Scram bc940784bd refactor(linux-client): remove FIREZONE_ID from example systemd file (#4714) 
For tests it doesn't hurt, but this will be used as a template for the
systemd service we ship to production, and that can't have the ID there.

So I'm also cleaning up a few other problems I noticed:
- I wanted to split the service files as part of #4531, so that the GUI
Client and headless Client can have separate sandbox rules. e.g, the
headless Client won't be allowed to create Unix domain sockets
- I'm punting more things to systemd, which allows us to tighten down
the sandbox further, e.g. creating `/var/lib/dev.firezone.client` and
`/run/dev.firezone.client` for us
- Closes #4461

---------

Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
2024-04-25 23:08:06 +00:00

36 lines
1.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# The integration tests call this to test security for Linux IPC.
# Only users in the `firezone` group should be able to control the privileged tunnel process.
source "./scripts/tests/lib.sh"
BINARY_NAME=firezone-linux-client
FZ_GROUP="firezone"
SERVICE_NAME=firezone-client-ipc
export RUST_LOG=info
# Copy the Linux Client out of the build dir
sudo cp "rust/target/debug/firezone-headless-client" "/usr/bin/$BINARY_NAME"
sudo cp "scripts/tests/systemd/$SERVICE_NAME.service" /usr/lib/systemd/system/
# The firezone group must exist before the daemon starts
sudo groupadd "$FZ_GROUP"
sudo systemctl start "$SERVICE_NAME" || systemctl status "$SERVICE_NAME"
# Add ourselves to the firezone group
sudo gpasswd --add "$USER" "$FZ_GROUP"
echo "# Expect Firezone to accept our commands if we run with 'su --login'"
sudo su --login "$USER" --command RUST_LOG="$RUST_LOG" "$BINARY_NAME" stub-ipc-client
echo "# Expect Firezone to reject our command if we run without 'su --login'"
"$BINARY_NAME" stub-ipc-client && exit 1
# Stop the service in case other tests run on the same VM
sudo systemctl stop "$SERVICE_NAME"
# Explicitly exiting is needed when we're intentionally having commands fail
exit 0
Reference in New Issue View Git Blame Copy Permalink