slsm-tests.sh 16.7 KB
Newer Older
Simon Ruderich's avatar
Simon Ruderich committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/bin/sh

# Tests for SLSM. Must be run on a system already using SLSM but it will
# _destroy_ the currently running rules! So don't run this on a production
# system.

# NOTE: All tests create and use /tmp/slsm and /tmp/slsm-security because we
# need absolute paths and this was the easiest way. If these directories
# already exist, the tests abort.


test_description="tests for SLSM"

. ./sharness.sh


setup() {
    # Ensure the files don't exists yet to prevent possible attacks when
    # running the tests.
    mkdir /tmp/slsm /tmp/slsm-security || exit 1
    chmod 0700 /tmp/slsm /tmp/slsm-security || exit 1
    mount -t securityfs securityfs /tmp/slsm-security || exit 1
}
cleanup() {
25
    rules 'p=/' 'm=7' # allow everything
Simon Ruderich's avatar
Simon Ruderich committed
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
    umount /tmp/slsm-security
    rm -rf /tmp/slsm /tmp/slsm-security
}
rules() {
    {
        for arg; do
            printf '%s\0' "$arg"
        done
        printf '\0'
    } >/tmp/slsm-security/slsm/profiles
}


absolute_path() {
    readlink -f "$(which "$1")"
}

LN="$(absolute_path ln)"
RM="$(absolute_path rm)"
CAT="$(absolute_path cat)"
BASH="$(absolute_path bash)"
HEAD="$(absolute_path head)"
PERL="$(absolute_path perl)"
TAIL="$(absolute_path tail)"
TOUCH="$(absolute_path touch)"


test_expect_success 'disallow all access to /' "
    test_when_finished cleanup && setup &&
\
56
    rules p=/ a=$CAT m=0 &&
Simon Ruderich's avatar
Simon Ruderich committed
57
58
59
60
61
    ! $CAT /dev/null # test_must_fail does not work here as the binary can't start
"
test_expect_success 'disallow read access to /' "
    test_when_finished cleanup && setup &&
\
62
    rules p=/ a=$CAT m=3 &&
Simon Ruderich's avatar
Simon Ruderich committed
63
64
65
66
67
68
    ! $CAT /dev/null # test_must_fail does not work here as the binary can't start
"
test_expect_success 'disallow write access to /' "
    test_when_finished cleanup && setup &&
    touch /tmp/slsm/test-me &&
\
69
70
    rules p=/ a=$RM m=5 '' \
          p=/ a=$LN m=5 &&
Simon Ruderich's avatar
Simon Ruderich committed
71
72
73
74
75
76
    test_must_fail $RM /tmp/slsm/test-me &&
    test_must_fail $LN -s y /tmp/slsm/x
"
test_expect_success 'disallow exec access to /' "
    test_when_finished cleanup && setup &&
\
77
    rules p=/ a=$PERL m=6 &&
Simon Ruderich's avatar
Simon Ruderich committed
78
79
80
81
82
83
84
    test_must_fail $PERL -e 'system(\"true\") == 0 or exit 1'
"

test_expect_success 'disallow all access to /tmp/slsm' "
    test_when_finished cleanup && setup &&
    touch /tmp/slsm/test-me &&
\
85
    rules p=/tmp/slsm a=$CAT m=0 &&
Simon Ruderich's avatar
Simon Ruderich committed
86
87
88
89
90
91
92
    test_must_fail $CAT /tmp/slsm/test-me &&
    $CAT /dev/null
"
test_expect_success 'disallow read access to /tmp/slsm' "
    test_when_finished cleanup && setup &&
    touch /tmp/slsm/test-me &&
\
93
    rules p=/tmp/slsm a=$CAT m=3 &&
Simon Ruderich's avatar
Simon Ruderich committed
94
95
96
97
98
99
    test_must_fail $CAT /tmp/slsm/test-me &&
    $CAT /dev/null
"
test_expect_success 'disallow write access to /tmp/slsm' "
    test_when_finished cleanup && setup &&
\
100
101
    rules p=/tmp/slsm a=$TOUCH m=5 '' \
          p=/tmp/slsm a=$LN m=5 &&
Simon Ruderich's avatar
Simon Ruderich committed
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
    test_must_fail $TOUCH /tmp/slsm/test-me &&
    test_must_fail $LN -s y /tmp/slsm/x &&
    $TOUCH /var/tmp/test-me &&
    $RM /var/tmp/test-me
"
test_expect_success 'disallow exec access to /tmp/slsm' "
    test_when_finished cleanup && setup &&
\
    echo '/tmp/slsm/test-me2' >/tmp/slsm/test-me &&
    echo '#!/bin/sh' >/tmp/slsm/test-me2 &&
    echo 'echo test' >>/tmp/slsm/test-me2 &&
    chmod +x /tmp/slsm/test-me2 &&
\
    echo test >expected &&
    /tmp/slsm/test-me2 >actual &&
    test_cmp expected actual &&
\
119
    rules p=/tmp/slsm a=$BASH m=6 &&
Simon Ruderich's avatar
Simon Ruderich committed
120
121
    test_must_fail $BASH /tmp/slsm/test-me
"
122

Lukas Braun's avatar
Lukas Braun committed
123
124
125
126
test_expect_success 'no circumvention via hardlinks' "
    test_when_finished cleanup && setup &&
    touch /tmp/slsm/test-me &&
\
127
128
    rules p=/tmp/slsm/test-me m=4 '' \
          p=/tmp/slsm/test-me2 m=0 &&
Lukas Braun's avatar
Lukas Braun committed
129
130
131
    ln /tmp/slsm/test-me /tmp/slsm/test-me2 &&
    test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me3
"
132
133
134
135
136
137
138
139
test_expect_success 'no circumvention via hardlinks (inherit)' "
    test_when_finished cleanup && setup &&
    touch /tmp/slsm/test-me &&
\
    rules p=/tmp/slsm/test-me m=5 f=1 '' \
          p=/tmp/slsm/test-me2 m=5 &&
    test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
"
Simon Ruderich's avatar
Simon Ruderich committed
140

141
142
143
144
145
146
147
148
149
test_expect_success 'no circumvention via hardlinks (confine)' "
    test_when_finished cleanup && setup &&
    touch /tmp/slsm/test-me &&
\
    rules p=/tmp/slsm/test-me m=5 f=2 '' \
          p=/tmp/slsm/test-me2 m=5 &&
    test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
"

Simon Ruderich's avatar
Simon Ruderich committed
150
151
152
153
154
test_expect_success 'disallow all access to file' "
    test_when_finished cleanup && setup &&
    echo test-me >/tmp/slsm/test-me &&
    echo test-me2 >/tmp/slsm/test-me2 &&
\
155
    rules p=/tmp/slsm/test-me m=0 &&
Simon Ruderich's avatar
Simon Ruderich committed
156
157
158
159
160
161
162
163
164
165
166
    test_must_fail cat /tmp/slsm/test-me &&
    test_must_fail sh -c 'echo >/tmp/slsm/test-me' &&
    rm /tmp/slsm/test-me &&
    echo test-me2 >expected &&
    test_cmp expected /tmp/slsm/test-me2
"

test_expect_success 'disallow delete of file' "
    test_when_finished cleanup && setup &&
    echo test-me >/tmp/slsm/test-me &&
\
167
168
    rules p=/tmp/slsm         m=0 '' \
          p=/tmp/slsm/test-me m=7 &&
Simon Ruderich's avatar
Simon Ruderich committed
169
170
171
172
173
174
175
176
    test_must_fail rm /tmp/slsm/test-me &&
    echo test-me >expected &&
    test_cmp expected /tmp/slsm/test-me &&
    sh -c 'echo >/tmp/slsm/test-me' &&
    echo >expected &&
    test_cmp expected /tmp/slsm/test-me
"

Lukas Braun's avatar
Lukas Braun committed
177
178
179
180
181
182
183
184
185
186
187
188
189
190
test_expect_success 'confine process' "
    test_when_finished cleanup && setup &&
    echo data >/tmp/slsm/private &&
    echo '#!/bin/sh'                   >/tmp/slsm/script &&
    echo 'exec cat /tmp/slsm/private' >>/tmp/slsm/script &&
    chmod +x /tmp/slsm/script &&
\
    rules a=/tmp/slsm/script p=/tmp/slsm/private m=0 '' \
          p=/tmp/slsm/script m=5 f=2 &&
    test_must_fail /tmp/slsm/script &&
    echo data >expected &&
    test_cmp expected /tmp/slsm/private
"

Simon Ruderich's avatar
Simon Ruderich committed
191
192
193
194
195
test_expect_success 'last matching rule for a node is used' "
    test_when_finished cleanup && setup &&
    echo test-me >/tmp/slsm/test-me &&
    echo test-me2 >/tmp/slsm/test-me2 &&
\
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
    rules p=/tmp/slsm/test-me  a=$CAT m=7 '' \
          p=/tmp/slsm/test-me  a=$CAT m=7 '' \
          p=/tmp/slsm/test-me  a=$CAT m=7 '' \
          p=/tmp/slsm/test-me  a=$CAT m=6 '' \
          p=/tmp/slsm/test-me  a=$CAT m=6 '' \
          p=/tmp/slsm/test-me  a=$CAT m=6 '' \
          p=/tmp/slsm/test-me  a=$CAT m=5 '' \
          p=/tmp/slsm/test-me  a=$CAT m=5 '' \
          p=/tmp/slsm/test-me  a=$CAT m=5 '' \
          p=/tmp/slsm/test-me  a=$CAT m=4 '' \
          p=/tmp/slsm/test-me  a=$CAT m=4 '' \
          p=/tmp/slsm/test-me  a=$CAT m=4 '' \
          p=/tmp/slsm/test-me  a=$CAT m=3 '' \
          p=/tmp/slsm/test-me  a=$CAT m=3 '' \
          p=/tmp/slsm/test-me  a=$CAT m=3 '' \
          p=/tmp/slsm/test-me  a=$CAT m=2 '' \
          p=/tmp/slsm/test-me  a=$CAT m=2 '' \
          p=/tmp/slsm/test-me  a=$CAT m=2 '' \
          p=/tmp/slsm/test-me  a=$CAT m=1 '' \
          p=/tmp/slsm/test-me  a=$CAT m=1 '' \
          p=/tmp/slsm/test-me  a=$CAT m=1 '' \
          p=/tmp/slsm/test-me  a=$CAT m=0 '' \
          p=/tmp/slsm/test-me  a=$CAT m=0 '' \
          p=/tmp/slsm/test-me  a=$CAT m=0 '' \
          p=/tmp/slsm/test-me2 a=$CAT m=0 '' \
          p=/tmp/slsm/test-me2 a=$CAT m=2 '' \
          p=/tmp/slsm/test-me2 a=$CAT m=4 &&
Simon Ruderich's avatar
Simon Ruderich committed
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
    test_must_fail $CAT /tmp/slsm/test-me &&
    echo test-me2 >expected &&
    $CAT /tmp/slsm/test-me2 >actual &&
    test_cmp expected actual
"

test_expect_success 'most specific path is used' "
    test_when_finished cleanup && setup &&
\
    mkdir -p /tmp/slsm/a/b/c/d/e/f/g &&
    p='' &&
    for x in a b c d e f g ''; do \
        echo data        >/tmp/slsm/\$p/x; \
        echo '#!/bin/sh' >/tmp/slsm/\$p/y; \
        echo 'true'     >>/tmp/slsm/\$p/y; \
        chmod +x          /tmp/slsm/\$p/y; \
        /tmp/slsm/\$p/y || exit 1; \
        p=\"\$p/\$x\"; \
    done &&
    find /tmp/slsm | sort &&
\
244
245
246
247
248
249
250
251
    rules p=/tmp/slsm               m=0 '' \
          p=/tmp/slsm/a             m=1 '' \
          p=/tmp/slsm/a/b           m=2 '' \
          p=/tmp/slsm/a/b/c         m=3 '' \
          p=/tmp/slsm/a/b/c/d       m=4 '' \
          p=/tmp/slsm/a/b/c/d/e     m=5 '' \
          p=/tmp/slsm/a/b/c/d/e/f   m=6 '' \
          p=/tmp/slsm/a/b/c/d/e/f/g m=7 &&
Simon Ruderich's avatar
Simon Ruderich committed
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
\
    test_must_fail cat   /tmp/slsm/x &&
    test_must_fail       /tmp/slsm/y &&
    test_must_fail touch /tmp/slsm/z &&
\
    test_must_fail cat   /tmp/slsm/x &&
    !                    /tmp/slsm/y && # not readable, can't exec
    test_must_fail touch /tmp/slsm/z &&
\
    test_must_fail cat   /tmp/slsm/a/b/x &&
    !                    /tmp/slsm/a/b/y && # not readable, can't exec
                   touch /tmp/slsm/a/b/z &&
\
    test_must_fail cat   /tmp/slsm/a/b/c/x &&
    !                    /tmp/slsm/a/b/c/y && # not readable, can't exec
                   touch /tmp/slsm/a/b/c/z &&
\
                   cat   /tmp/slsm/a/b/c/d/x &&
    !                    /tmp/slsm/a/b/c/d/y &&
    test_must_fail touch /tmp/slsm/a/b/c/d/z &&
\
                   cat   /tmp/slsm/a/b/c/d/e/x &&
                         /tmp/slsm/a/b/c/d/e/y &&
    test_must_fail touch /tmp/slsm/a/b/c/d/e/z &&
\
                   cat   /tmp/slsm/a/b/c/d/e/f/x &&
    !                    /tmp/slsm/a/b/c/d/e/f/y &&
                   touch /tmp/slsm/a/b/c/d/e/f/z &&
\
                   cat   /tmp/slsm/a/b/c/d/e/f/g/x &&
                         /tmp/slsm/a/b/c/d/e/f/g/y &&
                   touch /tmp/slsm/a/b/c/d/e/f/g/z &&
\
    rm -r /tmp/slsm/a/b/c/d/e/f/g
"

test_expect_success 'multiple rules per file' "
    test_when_finished cleanup && setup &&
    echo test-me >/tmp/slsm/test-me &&
\
292
293
294
295
296
    rules p=/tmp/slsm/test-me a=$CAT  m=0 '' \
          p=/tmp/slsm/test-me a=$HEAD m=0 '' \
          p=/tmp/slsm/test-me a=$TAIL m=0 '' \
          p=/tmp/slsm/test-me a=$PERL m=2 '' \
          p=/tmp/slsm/test-me a=$BASH m=0 &&
Simon Ruderich's avatar
Simon Ruderich committed
297
298
299
300
301
302
303
304
305
306
307
    test_must_fail $CAT /tmp/slsm/test-me &&
    test_must_fail $HEAD /tmp/slsm/test-me &&
    test_must_fail $TAIL /tmp/slsm/test-me &&
    test_must_fail $PERL -e 'print (<> or exit 1)' /tmp/slsm/test-me &&
    test_must_fail $BASH -c 'cat </tmp/slsm/test-me' &&
    $PERL -e 'open X, \">\", \"/tmp/slsm/test-me\" or exit 1; print X \"test\"'
"
test_expect_success 'multiple rules per file (argument order reversed)' "
    test_when_finished cleanup && setup &&
    echo test-me >/tmp/slsm/test-me &&
\
308
309
310
311
312
    rules p=/tmp/slsm/test-me m=0 a=$CAT  '' \
          p=/tmp/slsm/test-me m=0 a=$HEAD '' \
          p=/tmp/slsm/test-me m=0 a=$TAIL '' \
          p=/tmp/slsm/test-me m=2 a=$PERL '' \
          p=/tmp/slsm/test-me m=0 a=$BASH &&
Simon Ruderich's avatar
Simon Ruderich committed
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
    test_must_fail $CAT /tmp/slsm/test-me &&
    test_must_fail $HEAD /tmp/slsm/test-me &&
    test_must_fail $TAIL /tmp/slsm/test-me &&
    test_must_fail $PERL -e 'print (<> or exit 1)' /tmp/slsm/test-me &&
    test_must_fail $BASH -c 'cat </tmp/slsm/test-me' &&
    $PERL -e 'open X, \">\", \"/tmp/slsm/test-me\" or exit 1; print X \"test\"'
"

test_expect_success 'multiple files per node' "
    test_when_finished cleanup && setup &&
    echo a >/tmp/slsm/a &&
    echo b >/tmp/slsm/b &&
    echo c >/tmp/slsm/c &&
    echo d >/tmp/slsm/d &&
    echo e >/tmp/slsm/e &&
    echo f >/tmp/slsm/f &&
\
330
331
332
333
334
335
336
337
338
    rules p=/tmp/slsm/c a=$CAT  m=0 '' \
          p=/tmp/slsm/b a=$CAT  m=0 '' \
          p=/tmp/slsm/a a=$CAT  m=0 '' \
          p=/tmp/slsm/f a=$HEAD m=0 '' \
          p=/tmp/slsm/e a=$HEAD m=0 '' \
          p=/tmp/slsm/d a=$HEAD m=0 '' \
          p=/tmp/slsm/e a=$PERL m=2 '' \
          p=/tmp/slsm/d a=$PERL m=0 '' \
          p=/tmp/slsm/f a=$PERL m=0 &&
Simon Ruderich's avatar
Simon Ruderich committed
339
340
341
342
343
344
345
346
347
348
349
350
351
352
    test_must_fail $CAT /tmp/slsm/a &&
    test_must_fail $CAT /tmp/slsm/b &&
    test_must_fail $CAT /tmp/slsm/c &&
    test_must_fail $HEAD /tmp/slsm/d &&
    test_must_fail $HEAD /tmp/slsm/e &&
    test_must_fail $HEAD /tmp/slsm/f &&
    test_must_fail $PERL -e 'print (<> or exit 1)' /tmp/slsm/d &&
    test_must_fail $PERL -e 'print (<> or exit 1)' /tmp/slsm/e &&
    test_must_fail $PERL -e 'print (<> or exit 1)' /tmp/slsm/f &&
    printf test >expected &&
    $PERL -e 'open X, \">\", \"/tmp/slsm/e\" or exit 1; print X \"test\"' &&
    test_cmp expected /tmp/slsm/e
"

353
354
test_expect_success 'symlinks and hardlinks' "
    test_when_finished cleanup && setup &&
Simon Ruderich's avatar
Simon Ruderich committed
355
    touch /tmp/slsm/x &&
356
357
358
359
360
361
\
    rules p=/tmp/slsm a=$LN m=5 &&
    test_must_fail $LN -s y /tmp/slsm/y &&
    test_must_fail $LN /tmp/slsm/x /tmp/slsm/y
"

Simon Ruderich's avatar
Simon Ruderich committed
362
363
364
365
366
367
368
369
370
371
372
373
# The idea here is that ~/.ssh/private contains the private keys, symlinks in
# ~/.ssh point to those files. Access to ~/.ssh/private is restricted for all
# programs except `ssh-agent` (`head` in the test). The rules must be
# temporary disabled to create new/list existing keys.
test_expect_success 'example SSH private key setup' "
    test_when_finished cleanup && setup &&
    mkdir -p /tmp/slsm/home/user/.ssh/private &&
    ln -s private/id_rsa /tmp/slsm/home/user/.ssh/id_rsa &&
    echo key >/tmp/slsm/home/user/.ssh/private/id_rsa &&
    echo pub >/tmp/slsm/home/user/.ssh/id_rsa.pub &&
    echo cfg >/tmp/slsm/home/user/.ssh/config &&
\
374
    rules p=/tmp/slsm/home/user/.ssh/private            m=0 '' \
Lukas Braun's avatar
Lukas Braun committed
375
376
          p=/tmp/slsm/home/user/.ssh/private    f=4     m=4 '' \
          p=/tmp/slsm/home/user/.ssh/private    a=$HEAD m=4 &&
Simon Ruderich's avatar
Simon Ruderich committed
377
378
379
380
381
382
    echo cfg >expected &&
    test_cmp expected /tmp/slsm/home/user/.ssh/config &&
    rm /tmp/slsm/home/user/.ssh/config &&
    echo cfg >/tmp/slsm/home/user/.ssh/config &&
    test_cmp expected /tmp/slsm/home/user/.ssh/config &&
    test_must_fail cat /tmp/slsm/home/user/.ssh/id_rsa &&
Lukas Braun's avatar
Lukas Braun committed
383
    ls /tmp/slsm/home/user/.ssh/private &&
Simon Ruderich's avatar
Simon Ruderich committed
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
    echo key >expected &&
    $HEAD /tmp/slsm/home/user/.ssh/id_rsa >actual &&
    test_cmp expected actual
"

# Allow `mpv` (`perl` in the test) to read only files from ~/Downloads,
# ~/Music, ~/Movies and ~/.config/mpv and write only to
# ~/.config/mpv/watch_later. Additionally it's not allowed to spawn any other
# processes, except for xscreensaver (`head`) which gets no additional
# privileges.
test_expect_success 'example mpv setup' "
    test_when_finished cleanup && setup &&
    mkdir -p /tmp/slsm/home/user/Downloads &&
    mkdir -p /tmp/slsm/home/user/Music &&
    mkdir -p /tmp/slsm/home/user/Movies &&
    mkdir -p /tmp/slsm/home/user/.config/mpv/watch_later &&
    echo nope  >/tmp/slsm/home/user/private &&
    echo file  >/tmp/slsm/home/user/Downloads/file &&
    echo music >/tmp/slsm/home/user/Music/music &&
    echo movie >/tmp/slsm/home/user/Movies/movie &&
    echo cfg   >/tmp/slsm/home/user/.config/mpv/mpv.conf &&
\
406
407
408
409
410
411
412
413
414
415
416
417
418
419
    rules p=/                                           a=$PERL m=0 '' \
          p=/etc                                        a=$PERL m=4 '' \
          p=/lib                                        a=$PERL m=4 '' \
          p=/proc                                       a=$PERL m=4 '' \
          p=/sys                                        a=$PERL m=4 '' \
          p=/usr                                        a=$PERL m=4 '' \
          p=/dev                                        a=$PERL m=6 '' \
          p=/usr/bin/head                               a=$PERL m=5 f=1 '' \
          p=/tmp/slsm/home/                             a=$PERL m=0 '' \
          p=/tmp/slsm/home/user/Downloads               a=$PERL m=4 '' \
          p=/tmp/slsm/home/user/Music                   a=$PERL m=4 '' \
          p=/tmp/slsm/home/user/Movies                  a=$PERL m=4 '' \
          p=/tmp/slsm/home/user/.config/mpv             a=$PERL m=4 '' \
          p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 &&
Simon Ruderich's avatar
Simon Ruderich committed
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
    echo file >expected &&
    $PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/Downloads/file >actual &&
    test_cmp expected actual &&
    echo music >expected &&
    $PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/Music/music >actual &&
    test_cmp expected actual &&
    echo movie >expected &&
    $PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/Movies/movie >actual &&
    test_cmp expected actual &&
    echo cfg >expected &&
    $PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/.config/mpv/mpv.conf >actual &&
    test_cmp expected actual &&
    test_must_fail $PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/private &&
    test_must_fail $PERL -e 'open X, \">\", \"/tmp/slsm/home/user/Downloads/file\" or exit 1; print X \"test\"' &&
    test_must_fail $PERL -e 'open X, \">\", \"/tmp/slsm/home/user/Music/music\" or exit 1; print X \"test\"' &&
    test_must_fail $PERL -e 'open X, \">\", \"/tmp/slsm/home/user/Movies/movie\" or exit 1; print X \"test\"' &&
    test_must_fail $PERL -e 'open X, \">\", \"/tmp/slsm/home/user/Movies/movie-new\" or exit 1; print X \"test\"' &&
    test_must_fail $PERL -e 'open X, \">\", \"/tmp/slsm/home/user/.config/mpv/mpv.conf\" or exit 1; print X \"test\"' &&
    printf watch >expected &&
    $PERL -e 'open X, \">\", \"/tmp/slsm/home/user/.config/mpv/watch_later/watch\"; print X \"watch\"' &&
    test_cmp expected /tmp/slsm/home/user/.config/mpv/watch_later/watch &&
    test_must_fail $PERL -e 'system(\"true\") == 0 or exit 1' &&
    printf watch >expected &&
    $PERL -e 'system(\"/usr/bin/head /tmp/slsm/home/user/.config/mpv/watch_later/watch\") == 0 or exit 1' >actual &&
    test_cmp expected actual &&
    test_must_fail $PERL -e 'system(\"/usr/bin/head /tmp/slsm/home/user/private\") == 0 or exit 1'
"

test_done