maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity
727 Commits 2 Branches 12 Tags
807d511c8b87b9a173bd89ee49c73330fa8b93c7
Commit Graph

44 Commits

Author SHA1 Message Date
Ophestra
807d511c8b test/sandbox: check device outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 19:55:16 +09:00
Ophestra
9967909460 sandbox: relative autoetc links 
This allows nested containers to use autoetc, and increases compatibility with other implementations.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-04-11 18:54:00 +09:00
Ophestra
297b444dfb test: separate app and sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 22:09:46 +09:00
Ophestra
89a05909a4 test: move test program to sandbox directory 
This prepares for the separation of app and sandbox tests.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 21:09:16 +09:00
Ophestra
f772940768 test/sandbox: treat ESRCH as temporary failure 
This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 03:50:59 +09:00
Ophestra
8886c40974 test/sandbox: separate check filter 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-30 02:15:08 +09:00
Ophestra
8b62e08b44 test: build test program in nixos config 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-29 19:33:17 +09:00
Ophestra
ff3cfbb437 test/sandbox: check seccomp outcome 
This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 02:24:27 +09:00
Ophestra
389402f955 test/sandbox/ptrace: generic filter block type 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 01:47:24 +09:00
Ophestra
660a2898dc test/sandbox/ptrace: dump seccomp bpf program 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 01:35:56 +09:00
Ophestra
faf59e12c0 test/sandbox: expose test tool 
Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-28 00:08:47 +09:00
Ophestra
d97a03c7c6 test/sandbox: separate test tool source 
This improves readability and allows gofmt to format the file.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 23:43:13 +09:00
Ophestra
f8502c3ece test/sandbox: check environment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:16:33 +09:00
Ophestra
996b42634d test/sandbox: invoke check program directly 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:11:50 +09:00
Ophestra
2dd49c437c app: create XDG_RUNTIME_DIR with perm 0700 
Many programs complain about this.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:49:37 +09:00
Ophestra
371dd5b938 nix: create current-system symlink 
This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-26 02:06:11 +09:00
Ophestra
67eb28466d nix: create opengl-driver symlink 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:52:20 +09:00
Ophestra
c326c3f97d fst/sandbox: do not create /etc in advance 
This is now handled by the setup op. This also gets rid of the hardcoded /etc path.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 20:00:34 +09:00
Ophestra
5c4058d5ac app: run in native sandbox 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-25 01:52:49 +09:00
Ophestra
3dd4ff29c8 test/sandbox: check mount table length 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:36:53 +09:00
Ophestra
61d86c5e10 test/sandbox: fix stdout tty check 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:23:50 +09:00
Ophestra
d097eaa28f test/sandbox: unquote fail messages 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 16:03:53 +09:00
Ophestra
b989a4601a test/sandbox: fail on mismatched mount entry 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 13:43:32 +09:00
Ophestra
0eb1bc6301 test/sandbox: verify outcome via mountinfo 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-24 01:42:38 +09:00
Ophestra
1eb837eab8 test/sandbox: warn about misuse in doc comment 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 23:28:28 +09:00
Ophestra
806ce18c0a test/sandbox: check mapuid outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:56:07 +09:00
Ophestra
b71d2bf534 test/sandbox: check tty outcome 
This makes no difference currently but has different behaviour in the native sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:28:57 +09:00
Ophestra
46059b1840 test/sandbox: print mismatching file content 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:24:52 +09:00
Ophestra
d2c329bcea test: format path aid offsets 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 17:21:14 +09:00
Ophestra
2d379b5a38 test/sandbox: pass want file as argument 
This avoids building the check program multiple times.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 15:00:59 +09:00
Ophestra
75e0c5d406 test/sandbox: parse full test case 
This makes declaring multiple tests much cleaner.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-23 14:53:50 +09:00
Ophestra
632b18addd test/sandbox: rename misleading bind destination 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:56:11 +09:00
Ophestra
a57a7a6a16 test/sandbox: check type handling host_passthrough 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-21 12:21:08 +09:00
Ophestra
4133b555ba internal/app: rename init to init0 
This makes way for the new container init.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 21:57:54 +09:00
Ophestra
f38ba7e923 test/sandbox: bypass fields 
A field is bypassed if it contains a single null byte. This will never appear in the text format so is safe to use.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-13 00:00:58 +09:00
Ophestra
df266527f1 test/sandbox/mount: work around nondeterminism 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-12 15:16:51 +09:00
Ophestra
f7bd6a5a41 test/sandbox: check seccomp outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-04 13:30:16 +09:00
Ophestra
ea853e21d9 test/sandbox: check fs outcome 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-03 01:02:09 +09:00
Ophestra
0bd9b9e8fe test/sandbox: assert filesystem json 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-02 23:23:04 +09:00
Ophestra
39e32799b3 test/sandbox: compare filesystem hierarchy 
For checking deterministic aspects of fs outcome.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-02 22:59:04 +09:00
Ophestra
0d3652b793 test/sandbox/assert: wrap printf 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-02 18:37:46 +09:00
Ophestra
d8e9d71f87 test/sandbox: check mount outcome 
Do this at the beginning of the test for early failure.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-28 15:56:15 +09:00
Ophestra
558974b996 test/sandbox: assert mntent json 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-28 15:40:58 +09:00
Ophestra
4de4049713 test/sandbox: wrap libc getmntent 
For checking mounts outcome.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-02-28 14:56:08 +09:00