include java libraries in sandbox #9
| name: Sandbox Hardening Tests | |
| on: | |
| push: | |
| branches: | |
| - "**" | |
| pull_request: | |
| jobs: | |
| test-etc-write-denied-c: | |
| name: "Hardening: /etc Write Denied (C)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening /etc write denied subtest (C) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningC$/^sandbox cannot write to host /etc/passwd$' ./... | |
| test-etc-write-denied-python3: | |
| name: "Hardening: /etc Write Denied (Python3)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening /etc write denied subtest (Python3) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningPython3$/^sandbox cannot write to host /etc/passwd$' ./... | |
| test-remount-denied-c: | |
| name: "Hardening: /etc Remount Denied (C)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening remount denied subtest (C) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningC$/^remounting /etc read-write is denied$' ./... | |
| test-remount-denied-python3: | |
| name: "Hardening: /etc Remount Denied (Python3)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening remount denied subtest (Python3) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningPython3$/^remounting /etc read-write is denied$' ./... | |
| test-not-host-root-c: | |
| name: "Hardening: Not Host Root (C)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening host-root separation subtest (C) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningC$/^sandbox process uid is not host root$' ./... | |
| test-not-host-root-python3: | |
| name: "Hardening: Not Host Root (Python3)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening host-root separation subtest (Python3) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningPython3$/^sandbox process uid is not host root$' ./... | |
| test-seccomp-c: | |
| name: "Hardening: Seccomp Blocks Dangerous Syscalls (C)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening seccomp subtest (C) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningC$/^dangerous syscalls are blocked by seccomp$' ./... | |
| test-seccomp-python3: | |
| name: "Hardening: Seccomp Blocks Dangerous Syscalls (Python3)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening seccomp subtest (Python3) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningPython3$/^dangerous syscalls are blocked by seccomp$' ./... | |
| test-env-leak-c: | |
| name: "Hardening: Host Env Not Exposed (C)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening env isolation subtest (C) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningC$/^sandbox environment does not expose host$' ./... | |
| test-env-leak-python3: | |
| name: "Hardening: Host Env Not Exposed (Python3)" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install native dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc libc6-dev python3 | |
| - name: Run hardening env isolation subtest (Python3) | |
| run: sudo -E go test -v -run '^TestSandboxHardeningPython3$/^sandbox environment does not expose host$' ./... | |
| test-regression-guards: | |
| name: "Hardening: Regression Guards" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| - name: Run regression guard checks | |
| run: bash .github/scripts/check_regressions.sh |
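Review bot: Every hardening job's `go test -v -run '...' ./...` step goes green even when the selected subtest never runs, because `go test` exits 0 with "no tests to run" when the `-run` pattern matches nothing; a renamed subtest, or a pattern that stops matching (these patterns contain spaces and `/`, which Go rewrites to `_` and treats as a level separator respectively), silently turns the check into a no-op, and the same applies to all ten `sudo -E go test` steps. Since these jobs are the evidence that /etc writes, remounts, root uid, seccomp bypass and env leakage are denied, a vacuous pass is worse than a failure. I would make each step assert that the subtest actually reported PASS, e.g. `shell: bash` (enables pipefail) and `run: sudo -E go test -v -run '^TestSandboxHardeningC$/^sandbox cannot write to host /etc/passwd$' ./... 2>&1 | tee test.log && grep -q -- '--- PASS: TestSandboxHardeningC/sandbox_cannot_write_to_host_/etc/passwd' test.log`, with the matching name per job. Separately, `actions/checkout@v4` and `actions/setup-go@v5` are tag-pinned in steps that then run as root via `sudo -E`; pinning them to a full commit SHA (`uses: actions/checkout@<commit-sha>` with the tag in a trailing comment) removes the tag-retarget risk. The PR title mentions Java libraries, but no job here installs a JDK or runs a Java variant of these subtests, so if a Java runtime is added to the sandbox elsewhere in this PR it presumably has no hardening coverage yet.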