From 6a8e29e0164bf4f4d2bf06595effa7e340f8e32f Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Mon, 27 Jul 2020 18:08:38 +0000
Subject: [PATCH] tests: add dbus-hardening and hideProcessInformation

---
 test/scenarios/default.py | 7 +++++++
 test/scenarios/withnetns.py | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/test/scenarios/default.py b/test/scenarios/default.py
index 19375a1..0d6c4c3 100644
--- a/test/scenarios/default.py
+++ b/test/scenarios/default.py
@@ -51,6 +51,13 @@ assert_matches("curl -L localhost/store", "tshirt")
 machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
 assert_no_failure("bitcoind-import-banlist")
 
+# test that `systemctl status` can't leak credentials
+assert_matches(
+ "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
+ "Failed to dump process list for 'clightning.service', ignoring: Access denied",
+)
+machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
 ### Additional tests
 
 # Current time in µs
diff --git a/test/scenarios/withnetns.py b/test/scenarios/withnetns.py
index 99d8d73..d07480b 100644
--- a/test/scenarios/withnetns.py
+++ b/test/scenarios/withnetns.py
@@ -113,6 +113,13 @@ assert_matches_exactly(
 # test that netns-exec can not be executed by users that are not operator
 machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
 
+# test that `systemctl status` can't leak credentials
+assert_matches(
+ "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
+ "Failed to dump process list for 'clightning.service', ignoring: Access denied",
+)
+machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
 ### Additional tests
 
 # Current time in µs
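Review bot: The added `grep -Fq hidepid=2 /proc/mounts` succeeds if any line of /proc/mounts contains that string, so it does not pin the option to the `/proc` mount itself; something like `machine.succeed("findmnt -no OPTIONS /proc | grep -Fq hidepid=2")` would. Both this check and the `systemctl status` assertion test configuration and an exact systemd message rather than the outcome, so a direct check that `electrs` cannot read another service user's `/proc/<pid>/cmdline` would hold up better across systemd and kernel versions (newer kernels may print the option as `hidepid=invisible`; worth confirming). I would also add a comment above the command, `# 2>&1 >/dev/null: capture stderr only, discard the status output`, since the redirection order is easy to misread. The identical block in test/scenarios/withnetns.py has the same points.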