Add privilege dropping tests and fix environment variable passing

ammario · claude · ammario · commit ac7d065e4dab · 2025-09-03T21:27:48.000-05:00
- Added shared test_jail_privilege_dropping to verify whoami reports the original user, not root, ensuring consistent setuid behavior across macOS and Linux platforms - Fixed environment variable passing in Linux jail when not dropping privileges (e.g., in CI without SUDO_USER). Now always uses shell wrapper to export env vars when needed, ensuring CA certificates are properly passed for TLS validation - Refactored platform integration tests to reduce duplication by using a macro to generate common test functions This ensures TLS tests work correctly in GitHub Actions where SUDO_USER isn't set. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/jail/linux/mod.rs b/src/jail/linux/mod.rs
@@ -656,16 +656,9 @@ impl Jail for LinuxJail {
         let mut cmd = Command::new("ip");
         cmd.args(["netns", "exec", &self.namespace_name]);
 
-        if let Some(user) = target_user {
-            // Use su to drop privileges to the original user
-            // We need to pass environment variables explicitly since su might not preserve them all
-            cmd.arg("su");
-            cmd.arg("-s"); // Specify shell explicitly
-            cmd.arg("/bin/sh"); // Use sh for compatibility
-            cmd.arg("-p"); // Preserve environment
-            cmd.arg(&user); // Username from SUDO_USER
-            cmd.arg("-c"); // Execute command
-
+        // When we have environment variables to pass OR need to drop privileges,
+        // use a shell wrapper to ensure proper environment handling
+        if target_user.is_some() || !extra_env.is_empty() {
             // Build shell command with explicit environment exports
             let mut shell_command = String::new();
 
@@ -676,7 +669,7 @@ impl Jail for LinuxJail {
                 shell_command.push_str(&format!("export {}='{}'; ", key, escaped_value));
             }
 
-            // Add the actual command
+            // Add the actual command with proper escaping
             shell_command.push_str(
                 &command
                     .iter()
@@ -692,9 +685,23 @@ impl Jail for LinuxJail {
                     .join(" "),
             );
 
-            cmd.arg(shell_command);
+            if let Some(user) = target_user {
+                // Use su to drop privileges to the original user
+                cmd.arg("su");
+                cmd.arg("-s"); // Specify shell explicitly
+                cmd.arg("/bin/sh"); // Use sh for compatibility
+                cmd.arg("-p"); // Preserve environment
+                cmd.arg(&user); // Username from SUDO_USER
+                cmd.arg("-c"); // Execute command
+                cmd.arg(shell_command);
+            } else {
+                // No privilege dropping but need shell for env vars
+                cmd.arg("sh");
+                cmd.arg("-c");
+                cmd.arg(shell_command);
+            }
         } else {
-            // No privilege dropping needed, execute directly
+            // No privilege dropping and no env vars, execute directly
             cmd.arg(&command[0]);
             for arg in &command[1..] {
                 cmd.arg(arg);
diff --git a/tests/linux_integration.rs b/tests/linux_integration.rs
@@ -7,7 +7,7 @@ mod platform_test_macro;
 #[cfg(target_os = "linux")]
 mod tests {
     use super::*;
-    use crate::system_integration::JailTestPlatform;
+    use crate::system_integration::{JailTestPlatform, httpjail_cmd};
 
     /// Linux-specific platform implementation
     struct LinuxPlatform;
@@ -58,7 +58,7 @@ mod tests {
             .count();
 
         // Run httpjail
-        let mut cmd = common::httpjail_cmd();
+        let mut cmd = httpjail_cmd();
         cmd.arg("-r")
             .arg("allow: .*")
             .arg("--")
@@ -91,12 +91,15 @@ mod tests {
     #[serial]
     fn test_concurrent_namespace_isolation() {
         LinuxPlatform::require_privileges();
-        use std::process::Command;
         use std::thread;
         use std::time::Duration;
 
-        // Start first httpjail instance that sleeps
-        let mut child1 = common::httpjail_cmd()
+        // Start first httpjail instance that sleeps (using std Command for spawn)
+        let httpjail_path = std::env::current_dir()
+            .unwrap()
+            .join("target/debug/httpjail");
+
+        let mut child1 = std::process::Command::new(&httpjail_path)
             .arg("-r")
             .arg("allow: .*")
             .arg("--")
@@ -110,7 +113,7 @@ mod tests {
         thread::sleep(Duration::from_millis(500));
 
         // Start second httpjail instance
-        let output2 = common::httpjail_cmd()
+        let output2 = std::process::Command::new(&httpjail_path)
             .arg("-r")
             .arg("allow: .*")
             .arg("--")
diff --git a/tests/platform_test_macro.rs b/tests/platform_test_macro.rs
@@ -2,76 +2,74 @@
 #[macro_export]
 macro_rules! platform_tests {
     ($platform:ty) => {
-        use serial_test::serial;
-
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_allows_matching_requests() {
             system_integration::test_jail_allows_matching_requests::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_denies_non_matching_requests() {
             system_integration::test_jail_denies_non_matching_requests::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_method_specific_rules() {
             system_integration::test_jail_method_specific_rules::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_log_only_mode() {
             system_integration::test_jail_log_only_mode::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_dry_run_mode() {
             system_integration::test_jail_dry_run_mode::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_requires_command() {
             system_integration::test_jail_requires_command::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_exit_code_propagation() {
             system_integration::test_jail_exit_code_propagation::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_native_jail_allows_https() {
             system_integration::test_native_jail_allows_https::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_native_jail_blocks_https() {
             system_integration::test_native_jail_blocks_https::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_https_connect_denied() {
             system_integration::test_jail_https_connect_denied::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_https_connect_allowed() {
             system_integration::test_jail_https_connect_allowed::<$platform>();
         }
 
         #[test]
-        #[serial]
+        #[::serial_test::serial]
         fn test_jail_privilege_dropping() {
             system_integration::test_jail_privilege_dropping::<$platform>();
         }
