cmd/hakurei: rename app to run
All checks were successful
Test / Create distribution (push) Successful in 1m15s
Test / Sandbox (push) Successful in 3m7s
Test / Hakurei (push) Successful in 4m21s
Test / ShareFS (push) Successful in 4m20s
Test / Sandbox (race detector) (push) Successful in 5m39s
Test / Hakurei (race detector) (push) Successful in 6m36s
Test / Flake checks (push) Successful in 1m24s
The run command was a legacy holdover from very early days and is only useful for testing and demonstration these days. This change also renames it to exec. Signed-off-by: Ophestra <cat@gensokyo.uk>
@@ -30,7 +30,7 @@ in
|
||||
|
||||
# For checking pd outcome:
|
||||
(pkgs.writeShellScriptBin "check-sandbox-pd" ''
|
||||
hakurei -v run hakurei-test \
|
||||
hakurei -v exec hakurei-test \
|
||||
-p "/var/tmp/.hakurei-check-ok.0" \
|
||||
-t ${toString (builtins.toFile "hakurei-pd-want.json" (builtins.toJSON testCases.pd.want))} \
|
||||
-s ${testCases.pd.expectedFilter.${pkgs.stdenv.hostPlatform.system}} "$@"
|
||||
|
||||
@@ -42,23 +42,23 @@ machine.wait_for_file("/run/user/1000/wayland-1")
|
||||
machine.wait_for_file("/tmp/sway-ipc.sock")
|
||||
|
||||
# Check pd seccomp outcome:
|
||||
swaymsg("exec hakurei run cat")
|
||||
swaymsg("exec hakurei exec cat")
|
||||
check_filter(0, "pdlike", "cat")
|
||||
|
||||
# Check fd leak:
|
||||
swaymsg("exec exec 127</proc/cmdline && hakurei -v run sleep infinity")
|
||||
swaymsg("exec exec 127</proc/cmdline && hakurei -v exec sleep infinity")
|
||||
pd_identity0_sleep_pid = int(machine.wait_until_succeeds("pgrep -U 10000 -x sleep", timeout=60))
|
||||
print(machine.succeed(f"hakurei-test fd {pd_identity0_sleep_pid}"))
|
||||
machine.succeed(f"kill -INT {pd_identity0_sleep_pid}")
|
||||
|
||||
# Verify capabilities/securebits in user namespace:
|
||||
print(machine.succeed("sudo -u alice -i hakurei run capsh --print"))
|
||||
print(machine.succeed("sudo -u alice -i hakurei run capsh --has-no-new-privs"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-a=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-b=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-i=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-p=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run umount -R /dev"))
|
||||
print(machine.succeed("sudo -u alice -i hakurei exec capsh --print"))
|
||||
print(machine.succeed("sudo -u alice -i hakurei exec capsh --has-no-new-privs"))
|
||||
print(machine.fail("sudo -u alice -i hakurei exec capsh --has-a=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei exec capsh --has-b=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei exec capsh --has-i=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei exec capsh --has-p=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei exec umount -R /dev"))
|
||||
|
||||
# Check sandbox outcome:
|
||||
machine.succeed("install -dm0777 /tmp/.hakurei-store-rw/{upper,work}")
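Review bot: The negative checks in the capabilities block, from `machine.fail("... hakurei exec capsh --has-a=CAP_SYS_ADMIN")` through `machine.fail("... hakurei exec umount -R /dev")`, pass on any non-zero exit, so they cannot tell a denied operation from a command that never ran inside the container. The two `machine.succeed` calls before them show that `hakurei exec capsh` starts under the renamed subcommand, but nothing visible in this hunk does the same for `umount`; if that binary were absent from the sandbox, the check would presumably still pass. Consider capturing the output, `out = machine.fail("sudo -u alice -i hakurei exec umount -R /dev 2>&1")`, and asserting that it contains the expected permission error, so the test fails if the reason for the failure ever changes. A short comment above the block, such as `# fail() only proves a non-zero exit; the succeed() calls above prove exec + capsh actually run`, would also document why the ordering matters.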
|
||||
|
||||