hakurei

Author	SHA1	Message	Date
Ophestra	83a1c75f1a	app: set up acl on X11 socket The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging security/hakurei#1. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-18 11:30:58 +09:00
Ophestra	e574042d76	test/sandbox: verify seccomp on all test cases This change also makes seccomp hashes cross-platform. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-09 04:21:35 +09:00
Ophestra	2b44493e8a	test/sandbox: guard on testtool tag This tool should not show up when building hakurei normally. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-07-07 20:11:29 +09:00
Ophestra	f772940768	test/sandbox: treat ESRCH as temporary failure This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 03:50:59 +09:00
Ophestra	8886c40974	test/sandbox: separate check filter Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 02:15:08 +09:00
Ophestra	ff3cfbb437	test/sandbox: check seccomp outcome This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 02:24:27 +09:00
Ophestra	660a2898dc	test/sandbox/ptrace: dump seccomp bpf program Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 01:35:56 +09:00
Ophestra	f8502c3ece	test/sandbox: check environment Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:16:33 +09:00
Ophestra	996b42634d	test/sandbox: invoke check program directly Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:11:50 +09:00
Ophestra	3dd4ff29c8	test/sandbox: check mount table length Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:36:53 +09:00
Ophestra	b989a4601a	test/sandbox: fail on mismatched mount entry Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 13:43:32 +09:00
Ophestra	0eb1bc6301	test/sandbox: verify outcome via mountinfo Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 01:42:38 +09:00
Ophestra	1eb837eab8	test/sandbox: warn about misuse in doc comment Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 23:28:28 +09:00
Ophestra	75e0c5d406	test/sandbox: parse full test case This makes declaring multiple tests much cleaner. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 14:53:50 +09:00
Ophestra	a57a7a6a16	test/sandbox: check type handling host_passthrough Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-21 12:21:08 +09:00
Ophestra	f38ba7e923	test/sandbox: bypass fields A field is bypassed if it contains a single null byte. This will never appear in the text format so is safe to use. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 00:00:58 +09:00
Ophestra	df266527f1	test/sandbox/mount: work around nondeterminism Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-12 15:16:51 +09:00
Ophestra	f7bd6a5a41	test/sandbox: check seccomp outcome Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-04 13:30:16 +09:00
Ophestra	0bd9b9e8fe	test/sandbox: assert filesystem json Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-02 23:23:04 +09:00
Ophestra	0d3652b793	test/sandbox/assert: wrap printf Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-02 18:37:46 +09:00
Ophestra	558974b996	test/sandbox: assert mntent json Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-28 15:40:58 +09:00

21 Commits