From 98253bdfe857db4586ad354272b895c159ef17d5 Mon Sep 17 00:00:00 2001 
From: Stefan Pfaffel
Date: Sat, 4 Jan 2025 18:59:36 +0100
Subject: [PATCH] tests: add more test cases
---
 .../cat/with-network-client-permissions.sh | 15 +++++++
 .../cat/with-network-server-permissions.sh | 15 +++++++
 test-e2e/filesystem/read/go/before.sh | 7 ++++
 .../read/go/no-explicit-permissions.sh | 13 ++++++
 test-e2e/filesystem/read/go/read.go | 41 +++++++++++++++++++
 .../go/with-network-client-permissions.sh | 15 +++++++
 .../go/with-network-server-permissions.sh | 15 +++++++
 .../read/go/with-permissions-no-implicits.sh | 13 ++++++
 .../filesystem/read/go/with-permissions.sh | 7 ++++
 .../filesystem/read/go/without-permissions.sh | 18 ++++++++
 .../read/python/no-explicit-permissions.sh | 14 +++++++
 test-e2e/filesystem/read/python/read.py | 24 +++++++++++
 .../python/with-network-client-permissions.sh | 16 ++++++++
 .../python/with-network-server-permissions.sh | 16 ++++++++
 .../python/with-permissions-no-implicits.sh | 14 +++++++
 .../read/python/with-permissions.sh | 8 ++++
 .../read/python/without-permissions.sh | 19 +++++++++
 .../cp/with-network-client-permissions.sh | 15 +++++++
 .../cp/with-network-server-permissions.sh | 15 +++++++
 19 files changed, 300 insertions(+)
 create mode 100755 test-e2e/filesystem/read/cat/with-network-client-permissions.sh
 create mode 100755 test-e2e/filesystem/read/cat/with-network-server-permissions.sh
 create mode 100755 test-e2e/filesystem/read/go/before.sh
 create mode 100755 test-e2e/filesystem/read/go/no-explicit-permissions.sh
 create mode 100644 test-e2e/filesystem/read/go/read.go
 create mode 100755 test-e2e/filesystem/read/go/with-network-client-permissions.sh
 create mode 100755 test-e2e/filesystem/read/go/with-network-server-permissions.sh
 create mode 100755 test-e2e/filesystem/read/go/with-permissions-no-implicits.sh
 create mode 100755 test-e2e/filesystem/read/go/with-permissions.sh
 create mode 100755 test-e2e/filesystem/read/go/without-permissions.sh
 create mode 100755 test-e2e/filesystem/read/python/no-explicit-permissions.sh
 create mode 100644 test-e2e/filesystem/read/python/read.py
 create mode 100755 test-e2e/filesystem/read/python/with-network-client-permissions.sh
 create mode 100755 test-e2e/filesystem/read/python/with-network-server-permissions.sh
 create mode 100755 test-e2e/filesystem/read/python/with-permissions-no-implicits.sh
 create mode 100755 test-e2e/filesystem/read/python/with-permissions.sh
 create mode 100755 test-e2e/filesystem/read/python/without-permissions.sh
 create mode 100755 test-e2e/filesystem/write/cp/with-network-client-permissions.sh
 create mode 100755 test-e2e/filesystem/write/cp/with-network-server-permissions.sh
diff --git a/test-e2e/filesystem/read/cat/with-network-client-permissions.sh b/test-e2e/filesystem/read/cat/with-network-client-permissions.sh
new file mode 100755
index 0000000..33a97d3
--- /dev/null
+++ b/test-e2e/filesystem/read/cat/with-network-client-permissions.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-network-client \
+cat run.sh
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/cat/with-network-server-permissions.sh b/test-e2e/filesystem/read/cat/with-network-server-permissions.sh
new file mode 100755
index 0000000..b972f15
--- /dev/null
+++ b/test-e2e/filesystem/read/cat/with-network-server-permissions.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-network-server \
+cat run.sh
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/go/before.sh b/test-e2e/filesystem/read/go/before.sh
new file mode 100755
index 0000000..865ea8e
--- /dev/null
+++ b/test-e2e/filesystem/read/go/before.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+dir=$(dirname "$0") # Get directory of the script (possibly a symlink)
+
+go build -o .tmp/read $dir/read.go
\ No newline at end of file
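Review bot: `go build -o .tmp/read $dir/read.go` leaves `$dir` unquoted, so a checkout path containing whitespace splits into several arguments, and `-o .tmp/read` is resolved against the caller's working directory rather than against `$dir`; that only lines up with the sibling scripts' `.tmp/read` if the harness always runs them from the same cwd, a convention this patch does not show. I'd write `go build -o .tmp/read "$dir/read.go"` and add the missing trailing newline. With `set -e` a failed build aborts this script, but the negative tests that follow would still pass on a missing binary, so the harness presumably needs to treat a before.sh failure as fatal for the whole group.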
diff --git a/test-e2e/filesystem/read/go/no-explicit-permissions.sh b/test-e2e/filesystem/read/go/no-explicit-permissions.sh
new file mode 100755
index 0000000..2d2faa9
--- /dev/null
+++ b/test-e2e/filesystem/read/go/no-explicit-permissions.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run .tmp/read
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/go/read.go b/test-e2e/filesystem/read/go/read.go
new file mode 100644
index 0000000..de99665
--- /dev/null
+++ b/test-e2e/filesystem/read/go/read.go
@@ -0,0 +1,41 @@
+package main
+
+import (
+ "fmt"
+ "io"
+ "os"
+ "strings"
+)
+
+func readResolvConf() (string, error) {
+ // Open the file.
+ f, err := os.Open("/etc/resolv.conf")
+ if err != nil {
+ if os.IsNotExist(err) { // Check specifically for file not found
+ return "", fmt.Errorf("Error: /etc/resolv.conf not found")
+ }
+ return "", fmt.Errorf("Error opening /etc/resolv.conf: %w", err) // Wrap the error
+ }
+ defer f.Close() // Ensure the file is closed even if an error occurs later
+
+ // Read the file contents.
+ contents, err := io.ReadAll(f)
+ if err != nil {
+ return "", fmt.Errorf("Error reading /etc/resolv.conf: %w", err) // Wrap the error
+ }
+ return string(contents), nil
+}
+
+func main() {
+ contents, err := readResolvConf()
+ if err != nil {
+ fmt.Fprintln(os.Stderr, err) // Print errors to stderr
+ os.Exit(1)
+ }
+
+ if strings.Contains(contents, "nameserver") {
+ os.Exit(0)
+ } else {
+ os.Exit(1)
+ }
+}
diff --git a/test-e2e/filesystem/read/go/with-network-client-permissions.sh b/test-e2e/filesystem/read/go/with-network-client-permissions.sh
new file mode 100755
index 0000000..73e264f
--- /dev/null
+++ b/test-e2e/filesystem/read/go/with-network-client-permissions.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-network-client \
+.tmp/read
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
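Review bot: The check `if [[ $? -ne 0 ]]; then exit 0` treats any non-zero status as a successful denial, so a missing `.tmp/read`, a runner that fails to start, or a rejected command line all pass this test; the same pattern is used by every negative test in this patch, so a regression that stops the runner from executing anything at all would go unnoticed. Add a precondition, `[[ -x .tmp/read ]] || exit 1`, before the run, and if the runner reports a policy denial with a distinct exit status or stderr message, assert on that rather than on generic failure. `set -uo pipefail` does no work here since there is no pipeline, and `if ! $main_path run .tmp/read; then exit 0; fi` expresses the intent in one line.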
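Review bot: The not-found branch in `readResolvConf` builds a fresh error with `fmt.Errorf("Error: /etc/resolv.conf not found")` and discards `err`, so callers lose both the original message and the ability to test it with `errors.Is(err, fs.ErrNotExist)`; the surrounding `os.Open`/`io.ReadAll`/`defer f.Close()` sequence is also exactly what `os.ReadFile` does. Collapsing the function to a single `os.ReadFile` call with a `%w`-wrapped error keeps every exit path the tests rely on, keeps the sandbox's actual errno (EACCES versus ENOENT) visible in stderr, and lets the `"io"` import go; Go error strings are conventionally lower-case and unprefixed. The `if/else` around `os.Exit` in `main` can become a guard, `if !strings.Contains(contents, "nameserver") { os.Exit(1) }`.
```go
func readResolvConf() (string, error) {
	contents, err := os.ReadFile("/etc/resolv.conf")
	if err != nil {
		// err already carries fs.ErrNotExist / EACCES; wrap it, don't replace it.
		return "", fmt.Errorf("reading /etc/resolv.conf: %w", err)
	}
	return string(contents), nil
}
```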
diff --git a/test-e2e/filesystem/read/go/with-network-server-permissions.sh b/test-e2e/filesystem/read/go/with-network-server-permissions.sh
new file mode 100755
index 0000000..c09dd47
--- /dev/null
+++ b/test-e2e/filesystem/read/go/with-network-server-permissions.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-network-server \
+.tmp/read
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/go/with-permissions-no-implicits.sh b/test-e2e/filesystem/read/go/with-permissions-no-implicits.sh
new file mode 100755
index 0000000..889a661
--- /dev/null
+++ b/test-e2e/filesystem/read/go/with-permissions-no-implicits.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run --allow-file-system-read --no-implicit-allow .tmp/read
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/go/with-permissions.sh b/test-e2e/filesystem/read/go/with-permissions.sh
new file mode 100755
index 0000000..1806a51
--- /dev/null
+++ b/test-e2e/filesystem/read/go/with-permissions.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run --allow-file-system-read .tmp/read
\ No newline at end of file
diff --git a/test-e2e/filesystem/read/go/without-permissions.sh b/test-e2e/filesystem/read/go/without-permissions.sh
new file mode 100755
index 0000000..013b650
--- /dev/null
+++ b/test-e2e/filesystem/read/go/without-permissions.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-process-management \
+--allow-memory-management \
+--allow-process-synchronization \
+--allow-misc \
+.tmp/read
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/python/no-explicit-permissions.sh b/test-e2e/filesystem/read/python/no-explicit-permissions.sh
new file mode 100755
index 0000000..b912710
--- /dev/null
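Review bot: The intent of without-permissions.sh — grant every capability the Go binary presumably needs to come up (process and memory management, synchronization, misc) while withholding only file-system read, so that the expected failure comes from the denied read and not from the process failing to start — is stated nowhere, and the flag list reads like a copy of the runner's implicit defaults, so a reader cannot tell whether omitting one of them is deliberate. I'd add a comment above the call: `# Everything .tmp/read needs except --allow-file-system-read: the run must fail on the read itself.` Since the assertion is still just "any non-zero status", that comment is also the only record of which failure the test is meant to observe.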
+++ b/test-e2e/filesystem/read/python/no-explicit-permissions.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+declare -r script_path="$( dirname -- "${BASH_SOURCE[0]}"; )"; # Get the directory name
+
+$main_path run python3 $script_path/read.py
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/python/read.py b/test-e2e/filesystem/read/python/read.py
new file mode 100644
index 0000000..2146535
--- /dev/null
+++ b/test-e2e/filesystem/read/python/read.py
@@ -0,0 +1,24 @@
+def read_run_sh():
+ """Reads the contents of of /etc/resolve.conf and returns them as a string.
+ Returns None if the file doesn't exist or if an error occurs.
+ Prints an error message to stderr if the file can't be read.
+ """
+
+ try:
+ with open("/etc/resolv.conf", "r") as f:
+ return f.read()
+ except FileNotFoundError:
+ print("Error: not found.", file=sys.stderr) # sys needed
+ return None
+ except Exception as e: # Broad except to catch all other file errors
+ print(f"Error reading: {e}", file=sys.stderr)
+ return None
+
+if __name__ == "__main__":
+ import sys # Added import statement for sys module
+
+ contents = read_run_sh()
+ if contents and "nameserver" in contents:
+ sys.exit(0) # Exit with 0 if "nameserver" is found
+ else:
+ sys.exit(1) # Exit with 1 if "nameserver" is not found or an error occurred
\ No newline at end of file
diff --git a/test-e2e/filesystem/read/python/with-network-client-permissions.sh b/test-e2e/filesystem/read/python/with-network-client-permissions.sh
new file mode 100755
index 0000000..fc176d4
--- /dev/null
+++ b/test-e2e/filesystem/read/python/with-network-client-permissions.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+declare -r script_path="$( dirname -- "${BASH_SOURCE[0]}"; )"; # Get the directory name
+
+$main_path run \
+--allow-network-client \
+python3 $script_path/read.py
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
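Review bot: `sys` is referenced inside `read_run_sh` but only imported under the `__main__` guard, so if the function is ever imported or called from anywhere else the error path raises `NameError` instead of printing its message; move `import sys` to the top of the file. The docstring is also out of date: it says "of of /etc/resolve.conf" while the code opens `/etc/resolv.conf`, and the name `read_run_sh` looks like a leftover from the cat tests — `def read_resolv_conf():` with `"""Return the contents of /etc/resolv.conf, or None (with a message on stderr) if it cannot be read."""` matches the Go sibling. The broad `except Exception` is fine here, since any open/read failure, including a sandbox denial, is exactly the condition the tests want to observe.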
diff --git a/test-e2e/filesystem/read/python/with-network-server-permissions.sh b/test-e2e/filesystem/read/python/with-network-server-permissions.sh
new file mode 100755
index 0000000..fe033bb
--- /dev/null
+++ b/test-e2e/filesystem/read/python/with-network-server-permissions.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+declare -r script_path="$( dirname -- "${BASH_SOURCE[0]}"; )"; # Get the directory name
+
+$main_path run \
+--allow-network-server \
+python3 $script_path/read.py
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/python/with-permissions-no-implicits.sh b/test-e2e/filesystem/read/python/with-permissions-no-implicits.sh
new file mode 100755
index 0000000..81eb727
--- /dev/null
+++ b/test-e2e/filesystem/read/python/with-permissions-no-implicits.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+declare -r script_path="$( dirname -- "${BASH_SOURCE[0]}"; )"; # Get the directory name
+
+$main_path run --allow-file-system-read --no-implicit-allow python3 $script_path/read.py
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/read/python/with-permissions.sh b/test-e2e/filesystem/read/python/with-permissions.sh
new file mode 100755
index 0000000..b06bfe7
--- /dev/null
+++ b/test-e2e/filesystem/read/python/with-permissions.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+declare -r script_path="$( dirname -- "${BASH_SOURCE[0]}"; )"; # Get the directory name
+
+$main_path run --allow-file-system-read python3 $script_path/read.py
\ No newline at end of file
diff --git a/test-e2e/filesystem/read/python/without-permissions.sh b/test-e2e/filesystem/read/python/without-permissions.sh
new file mode 100755
index 0000000..6be9757
--- /dev/null
+++ b/test-e2e/filesystem/read/python/without-permissions.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+declare -r script_path="$( dirname -- "${BASH_SOURCE[0]}"; )"; # Get the directory name
+
+$main_path run \
+--allow-process-management \
+--allow-memory-management \
+--allow-process-synchronization \
+--allow-misc \
+python3 $script_path/read.py
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/write/cp/with-network-client-permissions.sh b/test-e2e/filesystem/write/cp/with-network-client-permissions.sh
new file mode 100755
index 0000000..3b79639
--- /dev/null
+++ b/test-e2e/filesystem/write/cp/with-network-client-permissions.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-network-client \
+cp run.sh .tmp/run.sh
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1
diff --git a/test-e2e/filesystem/write/cp/with-network-server-permissions.sh b/test-e2e/filesystem/write/cp/with-network-server-permissions.sh
new file mode 100755
index 0000000..0e01963
--- /dev/null
+++ b/test-e2e/filesystem/write/cp/with-network-server-permissions.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -uo pipefail
+
+declare -r main_path="$1"
+
+$main_path run \
+--allow-network-server \
+cp run.sh .tmp/run.sh
+
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+
+exit 1