tcell_agent 1.1.12 → 2.0.0

data/spec/lib/tcell_agent/instrumentation/cmdi/kernel_cmdi_spec.rb

@@ -0,0 +1,435 @@
+require 'spec_helper'
+
+describe Kernel do
+  before(:each) do
+    native_agent = double('native_agent')
+    @command_injection_policy = TCellAgent::Policies::CommandInjectionPolicy.new(
+      native_agent, {}
+    )
+  end
+
+  describe '.backtick' do
+    context 'empty command' do
+      it 'should raise Errno::ENOENT' do
+        expect do
+          ``
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          `echo test`
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+          `echo test`
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+          expect do
+            `echo test`
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '%x methods' do
+    context 'empty command' do
+      it 'should raise RuntimeError' do
+        expect do
+          ``
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          `echo test`
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+          `echo test`
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+          expect do
+            `echo test`
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '::open and #open' do
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          Kernel.open
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.open(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.open('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'name starts with a | operator' do
+      context 'with an empty or invalid command' do
+        it 'should raise an error' do
+          expect do
+            Kernel.open('|')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            Kernel.open('|invalid command')
+          end.to raise_error(Errno::ENOENT)
+
+          expect do
+            Kernel.open('|invalid command', 10)
+          end.to raise_error(Errno::ENOENT)
+        end
+      end
+      context 'with a valid command' do
+        it 'should execute the command' do
+          expect(Kernel.open('|echo test').read).to eq("test\n")
+        end
+      end
+      context 'with a non blocked command present' do
+        before(:each) do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+        end
+        context 'with command injection disabled' do
+          it 'should execute the command' do
+            expect(@command_injection_policy.enabled).to eq(false)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_call_original
+            expect(@command_injection_policy).to_not receive(:block_command?)
+
+            expect(Kernel.open('|echo test').read).to eq("test\n")
+          end
+        end
+
+        context 'with command injection enabled' do
+          it 'should execute the command' do
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(false)
+
+            expect(Kernel.open('|echo test').read).to eq("test\n")
+          end
+        end
+      end
+
+      context 'with a blocked command present' do
+        context 'with command injection enabled' do
+          it 'should raise a RuntimeError' do
+            allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+            expect(TCellAgent).to receive(:policy).with(
+              TCellAgent::PolicyTypes::COMMANDINJECTION
+            ).and_return(@command_injection_policy)
+            expect(@command_injection_policy).to receive(:enabled).and_return(true)
+            expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true)
+
+            expect do
+              Kernel.open('|echo test')
+            end.to raise_error(RuntimeError)
+          end
+        end
+      end
+    end
+  end
+  describe '.spawn and Kernel.spawn' do
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          spawn
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.spawn
+        end.to raise_error(ArgumentError)
+        expect do
+          spawn(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.spawn(nil)
+        end.to raise_error(TypeError)
+        expect do
+          spawn('')
+        end.to raise_error(Errno::ENOENT)
+        expect do
+          Kernel.spawn('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'non existent command' do
+      it 'should raise error' do
+        expect do
+          spawn('foobar')
+        end.to raise_error(Errno::ENOENT)
+        expect do
+          Kernel.spawn('foobar')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+
+    context 'with a valid command' do
+      it 'should execute command' do
+        pid = spawn('echo test > /dev/null 2>&1')
+        expect(pid).to_not be_nil
+
+        pid = spawn(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to_not be_nil
+
+        pid = Kernel.spawn('echo test > /dev/null 2>&1')
+        expect(pid).to_not be_nil
+
+        pid = Kernel.spawn(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to_not be_nil
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false, false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          spawn('echo test > /dev/null 2>&1')
+          Kernel.spawn('echo test > /dev/null 2>&1')
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test > /dev/null 2>&1', nil).and_return(false, false)
+
+          spawn('echo test > /dev/null 2>&1')
+          Kernel.spawn('echo test > /dev/null 2>&1')
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true, true)
+
+          expect do
+            spawn('echo test')
+          end.to raise_error(RuntimeError)
+          expect do
+            Kernel.spawn('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '.system and Kernel.system' do
+    context 'empty command' do
+      it 'should raise an error' do
+        expect do
+          system
+        end.to raise_error(ArgumentError)
+        expect do
+          Kernel.system
+        end.to raise_error(ArgumentError)
+        expect do
+          system(nil)
+        end.to raise_error(TypeError)
+        expect do
+          Kernel.system(nil)
+        end.to raise_error(TypeError)
+        expect(system('')).to be_nil
+        expect(Kernel.system('')).to be_nil
+      end
+    end
+
+    context 'non existent command' do
+      it 'should return nil' do
+        expect(system('foobar')).to be_nil
+        expect(Kernel.system('foobar')).to be_nil
+      end
+    end
+
+    context 'with a valid command' do
+      it 'should execute command' do
+        pid = system('echo test > /dev/null 2>&1')
+        expect(pid).to eq(true)
+
+        pid = system(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to eq(true)
+
+        pid = Kernel.system('echo test > /dev/null 2>&1')
+        expect(pid).to eq(true)
+
+        pid = Kernel.system(RbConfig.ruby, "-e'Hello World!'", '>', '/dev/null', '2>&1')
+        expect(pid).to eq(true)
+      end
+    end
+
+    context 'with a non blocked command present' do
+      before(:each) do
+        allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+      end
+
+      context 'with command injection disabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(false, false)
+          expect(@command_injection_policy).to_not receive(:block_command?)
+
+          system('echo test > /dev/null 2>&1')
+          Kernel.system('echo test > /dev/null 2>&1')
+        end
+      end
+
+      context 'with command injection enabled' do
+        it 'should execute the command' do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test > /dev/null 2>&1', nil).and_return(false, false)
+
+          system('echo test > /dev/null 2>&1')
+          Kernel.system('echo test > /dev/null 2>&1')
+        end
+      end
+    end
+
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true, true)
+
+          expect do
+            system('echo test')
+          end.to raise_error(RuntimeError)
+          expect do
+            Kernel.system('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+
+  describe '.exec' do
+    # can only test this case since exec replaces current process with new process
+    context 'with a blocked command present' do
+      context 'with command injection enabled' do
+        it 'should raise a RuntimeError' do
+          allow_any_instance_of(TCellAgent::Agent).to receive(:safe_to_check_cmdi).and_return(true)
+
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::COMMANDINJECTION
+          ).and_return(@command_injection_policy, @command_injection_policy)
+          expect(@command_injection_policy).to receive(:enabled).and_return(true, true)
+          expect(@command_injection_policy).to receive(:block_command?).with('echo test', nil).and_return(true, true)
+
+          expect do
+            exec('echo test')
+          end.to raise_error(RuntimeError)
+          expect do
+            Kernel.exec('echo test')
+          end.to raise_error(RuntimeError)
+        end
+      end
+    end
+  end
+end

data/spec/lib/tcell_agent/instrumentation/lfi/file_lfi_spec.rb

@@ -0,0 +1,326 @@
+require 'spec_helper'
+require 'securerandom'
+
+describe 'File' do
+  before(:all) do
+    native_agent = double('native_agent')
+    @local_files_policy = TCellAgent::Policies::LocalFileInclusion.new(
+      native_agent, {}
+    )
+    @system_enablements_policy = TCellAgent::Policies::SystemEnablements.new(
+      native_agent, {}
+    )
+    @filename = get_test_resource_path('lfi_sample_file.txt')
+    @file_contents = "This is line one.\nThis is line two.\n"
+    @new_file_name = '/tmp/' + SecureRandom.uuid
+  end
+
+  describe '.new' do
+    context 'empty path' do
+      it 'should raise an error' do
+        expect do
+          File.new
+        end.to raise_error(ArgumentError)
+        expect do
+          File.new(nil)
+        end.to raise_error(TypeError)
+        expect do
+          File.new('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'with a non-existent file' do
+      context 'with a directory not blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+        end
+        context 'with a filename and mode r' do
+          it 'should raise an ERRNO::ENOENT error' do
+            expect do
+              File.new(@new_file_name, 'r')
+            end.to raise_error(Errno::ENOENT)
+          end
+        end
+        context 'with a filename and mode w' do
+          it 'should create the file' do
+            File.new(@new_file_name, 'w')
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            File.delete(@new_file_name)
+          end
+        end
+        context 'with a filename and write mode and file permissions 644' do
+          it 'should create the file with the correct permissions' do
+            File.new(@new_file_name, 'w', 0o644)
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+            File.delete(@new_file_name)
+          end
+        end
+        context 'with a filename and write mode and file permissions 755' do
+          it 'should create the file with the correct permissions' do
+            File.new(@new_file_name, 'w', 0o755)
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+            File.delete(@new_file_name)
+          end
+        end
+        context 'with a filename and write mode and file permissions 777' do
+          it 'should create the file with permissions 755' do
+            File.new(@new_file_name, 'w', 0o777)
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+            File.delete(@new_file_name)
+          end
+        end
+      end
+      context 'with a filename blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(true)
+        end
+        context 'with a filename and write mode' do
+          it 'should raise an IOError' do
+            expect do
+              File.new(@new_file_name, 'w')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'with a filename and write mode and file permissions 644' do
+          it 'should raise an IOError' do
+            expect do
+              File.new(@new_file_name, 'w', 644)
+            end.to raise_error(IOError)
+          end
+        end
+      end
+    end
+    context 'with an existing file' do
+      context 'with a file not blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+        end
+        context 'with a filename' do
+          it 'should still be able to read the file' do
+            result = File.new(@filename).read
+            expect(result).to eq @file_contents
+          end
+        end
+        context 'with a filename and mode r' do
+          it 'should still be able to read the file' do
+            result = File.new(@filename, 'r').read
+            expect(result).to eq @file_contents
+          end
+        end
+        context 'with a filenname and mode w' do
+          it 'should still be able to write to a file' do
+            file = File.new('/dev/null', 'w')
+            expect(file.write('dummy message')).to eq 13
+          end
+        end
+        context 'with a filenname and mode a' do
+          it 'should still be able to write to a file' do
+            file = File.new('/dev/null', 'a')
+            expect(file.write('dummy message')).to eq 13
+          end
+        end
+      end
+      context 'with a file blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(true)
+        end
+        context 'with a filename' do
+          it 'should not be able to read the file' do
+            expect do
+              File.new(@filename)
+            end.to raise_error(IOError)
+          end
+        end
+        context 'with a filename and mode r' do
+          it 'should not be able to read the file' do
+            expect do
+              File.new(@filename, 'r')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'with a filename and mode w' do
+          it 'should not be able to write to the file' do
+            expect do
+              File.new('/dev/null', 'w')
+            end.to raise_error(IOError)
+          end
+        end
+      end
+    end
+  end
+
+  describe '.open' do
+    context 'empty path' do
+      it 'should raise an error' do
+        expect do
+          File.open
+        end.to raise_error(ArgumentError)
+        expect do
+          File.open(nil)
+        end.to raise_error(TypeError)
+        expect do
+          File.open('')
+        end.to raise_error(Errno::ENOENT)
+      end
+    end
+    context 'with a non-existent file' do
+      before(:all) do
+        @new_file_name = '/tmp/' + SecureRandom.uuid
+      end
+      context 'with a directory not blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+        end
+        context 'with a filename and mode r' do
+          it 'should raise an ERRNO::ENOENT error' do
+            expect do
+              File.open(@new_file_name, 'r')
+            end.to raise_error(Errno::ENOENT)
+          end
+        end
+        context 'with a filename and mode w' do
+          it 'should create the file' do
+            File.open(@new_file_name, 'w')
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            File.delete(@new_file_name)
+          end
+        end
+        context 'with a filename and write mode and file permissions 644' do
+          it 'should create the file with the correct permissions' do
+            File.open(@new_file_name, 'w', 0o644)
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('644')
+            File.delete(@new_file_name)
+          end
+        end
+        context 'with a filename and write mode and file permissions 755' do
+          it 'should create the file with the correct permissions' do
+            File.open(@new_file_name, 'w', 0o755)
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+            File.delete(@new_file_name)
+          end
+        end
+        context 'with a filename and write mode and file permissions 777' do
+          it 'should create the file with permissions 755' do
+            File.open(@new_file_name, 'w', 0o777)
+
+            expect(File.exist?(@new_file_name)).to be_truthy
+            expect(File.stat(@new_file_name).mode.to_s(8)[3..5]).to eq('755')
+            File.delete(@new_file_name)
+          end
+        end
+      end
+      context 'with a filename blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(true)
+        end
+        context 'with a filename and write mode' do
+          it 'should raise an IOError' do
+            expect do
+              File.open(@new_file_name, 'w')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'with a filename and write mode and file permissions 644' do
+          it 'should raise an IOError' do
+            expect do
+              File.open(@new_file_name, 'w', 644)
+            end.to raise_error(IOError)
+          end
+        end
+      end
+    end
+    context 'with an existing file' do
+      context 'with a file not blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(false)
+        end
+        context 'with a filename' do
+          it 'should still be able to read the file' do
+            result = File.open(@filename).read
+            expect(result).to eq @file_contents
+          end
+        end
+        context 'with a filename and mode r' do
+          it 'should still be able to read the file' do
+            result = File.open(@filename, 'r').read
+            expect(result).to eq @file_contents
+          end
+        end
+        context 'with a filenname and mode w' do
+          it 'should still be able to write to a file' do
+            file = File.open('/dev/null', 'w')
+            expect(file.write('dummy message')).to eq 13
+          end
+        end
+        context 'with a filenname and mode a' do
+          it 'should still be able to write to a file' do
+            file = File.open('/dev/null', 'a')
+            expect(file.write('dummy message')).to eq 13
+          end
+        end
+      end
+      context 'with a file blocked for read/write' do
+        before(:each) do
+          expect(TCellAgent).to receive(:policy).with(
+            TCellAgent::PolicyTypes::LFI
+          ).and_return(@local_files_policy)
+          expect(@local_files_policy).to receive(:block_file_access?).and_return(true)
+        end
+        context 'with a filename' do
+          it 'should not be able to read the file' do
+            expect do
+              File.open(@filename)
+            end.to raise_error(IOError)
+          end
+        end
+        context 'with a filename and mode r' do
+          it 'should not be able to read the file' do
+            expect do
+              File.open(@filename, 'r')
+            end.to raise_error(IOError)
+          end
+        end
+        context 'with a filename and mode w' do
+          it 'should not be able to write to the file' do
+            expect do
+              File.open('/dev/null', 'w')
+            end.to raise_error(IOError)
+          end
+        end
+      end
+    end
+  end
+end