bullfrogsec · larose · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -59,7 +59,7 @@ jobs:
         test-integration-block-dns-any,
         test-integration-docker-block,
       ]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
     permissions:
       contents: write

diff --git a/Makefile b/Makefile
@@ -21,19 +21,19 @@ test.integration: test.integration.block test.integration.audit test.integration
 
 .PHONY: test.integration.block
 test.integration.block:
-	sudo bash tests/block.sh
+	bash tests/block.sh
 
 .PHONY: test.integration.audit
 test.integration.audit:
-	sudo bash tests/audit.sh
+	bash tests/audit.sh
 
 .PHONY: test.integration.docker-block
 test.integration.docker-block:
-	sudo bash tests/docker-block.sh
+	bash tests/docker-block.sh
 
 .PHONY: test.integration.block-dns-any
 test.integration.block-dns-any:
-	sudo bash tests/block-dns-any.sh
+	bash tests/block-dns-any.sh
 
 # All tests - For local development with no agent running
 .PHONY: test

diff --git a/tests/audit.sh b/tests/audit.sh
@@ -6,10 +6,10 @@ set -x
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
-mkdir -p /var/log/gha-agent
+sudo mkdir -p /var/log/gha-agent
 
 # Start the agent in audit mode
-"$PROJECT_DIR/agent" \
+sudo "$PROJECT_DIR/agent" \
   --egress-policy=audit \
   --dns-policy=allowed-domains-only \
   --allowed-domains="*.google.com" \

diff --git a/tests/block-dns-any.sh b/tests/block-dns-any.sh
@@ -6,10 +6,10 @@ set -x
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
-mkdir -p /var/log/gha-agent
+sudo mkdir -p /var/log/gha-agent
 
 # Start the agent with dns-policy=any
-"$PROJECT_DIR/agent" \
+sudo "$PROJECT_DIR/agent" \
   --egress-policy=block \
   --dns-policy=any \
   --allowed-domains="*.google.com" \

diff --git a/tests/block.sh b/tests/block.sh
@@ -6,10 +6,10 @@ set -x
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
-mkdir -p /var/log/gha-agent
+sudo mkdir -p /var/log/gha-agent
 
 # Start the agent
-"$PROJECT_DIR/agent" \
+sudo "$PROJECT_DIR/agent" \
   --egress-policy=block \
   --dns-policy=allowed-domains-only \
   --allowed-domains="*.google.com" \
@@ -69,15 +69,15 @@ if ! timeout 5 dig @1.1.1.1 www.google.com; then
   exit 1
 fi
 
-# # === Sudo Tests ===
-# echo "=== Sudo Tests ==="
+# === Sudo Tests ===
+echo "=== Sudo Tests ==="
 
-# if sudo -n true 2>/dev/null; then
-#   echo "Expected sudo to fail, but it succeeded"
-#   exit 1
-# fi
+if sudo -n true 2>/dev/null; then
+  echo "Expected sudo to fail, but it succeeded"
+  exit 1
+fi
 
 echo ""
 echo "=========================================="
 echo "Block mode tests passed successfully!"
-echo "=========================================="
+echo "=========================================="
diff --git a/tests/docker-block.sh b/tests/docker-block.sh
@@ -6,10 +6,10 @@ set -x
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 
-mkdir -p /var/log/gha-agent
+sudo mkdir -p /var/log/gha-agent
 
 # Start the agent
-"$PROJECT_DIR/agent" \
+sudo "$PROJECT_DIR/agent" \
   --egress-policy=block \
   --dns-policy=allowed-domains-only \
   --allowed-domains="*.docker.io,docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com,production.cloudflare.docker.com,www.google.com" \