156 Commits

Author	SHA1	Message	Date
cat	f772940768	test/sandbox: treat ESRCH as temporary failure ... This is an ugly fix that makes various assumptions guaranteed to hold true in the testing vm. The test package is filtered by the build system so some ugliness is tolerable here. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 03:50:59 +09:00
cat	8886c40974	test/sandbox: separate check filter ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-30 02:15:08 +09:00
cat	8b62e08b44	test: build test program in nixos config ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-29 19:33:17 +09:00
cat	ff3cfbb437	test/sandbox: check seccomp outcome ... This is as ugly as it is because it has to have CAP_SYS_ADMIN and not be in seccomp mode. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 02:24:27 +09:00
cat	389402f955	test/sandbox/ptrace: generic filter block type ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 01:47:24 +09:00
cat	660a2898dc	test/sandbox/ptrace: dump seccomp bpf program ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 01:35:56 +09:00
cat	faf59e12c0	test/sandbox: expose test tool ... Some test elements implemented in the test tool might need to run outside the sandbox. This change allows that to happen. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-28 00:08:47 +09:00
cat	d97a03c7c6	test/sandbox: separate test tool source ... This improves readability and allows gofmt to format the file. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 23:43:13 +09:00
cat	f8502c3ece	test/sandbox: check environment ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:16:33 +09:00
cat	996b42634d	test/sandbox: invoke check program directly ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:11:50 +09:00
cat	d613257841	sandbox/init: clear inheritable set ... Inheritable should not be able to affect anything regardless of its value, due to no_new_privs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 07:46:13 +09:00
cat	52fcc48ac1	sandbox/init: drop capabilities ... During development the syscall filter caused me to make an incorrect assumption about SysProcAttr. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 06:32:08 +09:00
cat	2dd49c437c	app: create XDG_RUNTIME_DIR with perm 0700 ... Many programs complain about this. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 02:49:37 +09:00
cat	371dd5b938	nix: create current-system symlink ... This is copied at runtime because it appears to be impossible to obtain this path in nix. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 02:06:11 +09:00
cat	4836d570ae	test: raise long timeout to 15 seconds ... The race detector really slows down container tooling. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-26 01:59:05 +09:00
cat	67eb28466d	nix: create opengl-driver symlink ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 20:52:20 +09:00
cat	c326c3f97d	fst/sandbox: do not create /etc in advance ... This is now handled by the setup op. This also gets rid of the hardcoded /etc path. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 20:00:34 +09:00
cat	ee51320abf	test: check revert type selection ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 04:37:58 +09:00
cat	5c4058d5ac	app: run in native sandbox ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-25 01:52:49 +09:00
cat	3dd4ff29c8	test/sandbox: check mount table length ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:36:53 +09:00
cat	61d86c5e10	test/sandbox: fix stdout tty check ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:23:50 +09:00
cat	d097eaa28f	test/sandbox: unquote fail messages ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 16:03:53 +09:00
cat	b989a4601a	test/sandbox: fail on mismatched mount entry ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 13:43:32 +09:00
cat	0eb1bc6301	test/sandbox: verify outcome via mountinfo ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-24 01:42:38 +09:00
cat	1eb837eab8	test/sandbox: warn about misuse in doc comment ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 23:28:28 +09:00
cat	806ce18c0a	test/sandbox: check mapuid outcome ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 17:56:07 +09:00
cat	b71d2bf534	test/sandbox: check tty outcome ... This makes no difference currently but has different behaviour in the native sandbox. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 17:28:57 +09:00
cat	46059b1840	test/sandbox: print mismatching file content ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 17:24:52 +09:00
cat	d2c329bcea	test: format path aid offsets ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 17:21:14 +09:00
cat	2d379b5a38	test/sandbox: pass want file as argument ... This avoids building the check program multiple times. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 15:00:59 +09:00
cat	75e0c5d406	test/sandbox: parse full test case ... This makes declaring multiple tests much cleaner. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-23 14:53:50 +09:00
cat	632b18addd	test/sandbox: rename misleading bind destination ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-21 12:56:11 +09:00
cat	a57a7a6a16	test/sandbox: check type handling host_passthrough ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-21 12:21:08 +09:00
cat	3385538142	nix: clean up flake outputs ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-17 12:26:19 +09:00
cat	5d3c8dcc92	test: raise timeout ... Native container tooling is severely slowed down by race detector. Raise timeout so it reliably completes. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-16 23:51:17 +09:00
cat	ae522ab364	test: run go tests with race detector ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-16 02:07:42 +09:00
cat	4133b555ba	internal/app: rename init to init0 ... This makes way for the new container init. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 21:57:54 +09:00
cat	beb3918809	test: run go test under regular user ... By default test vm commands run as root, this causes buildFHSEnv bwrap to cover some parts of /proc, making it impossible to mount proc in a mount namespace created under it. Running as a regular user gets around this issue. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 20:56:32 +09:00
cat	2871426df2	test: print output of failed test ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 16:40:15 +09:00
cat	f38ba7e923	test/sandbox: bypass fields ... A field is bypassed if it contains a single null byte. This will never appear in the text format so is safe to use. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-13 00:00:58 +09:00
cat	df266527f1	test/sandbox/mount: work around nondeterminism ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-12 15:16:51 +09:00
cat	61e58aa14d	helper/proc: expose setup file ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-09 17:22:31 +09:00
cat	f7bd6a5a41	test/sandbox: check seccomp outcome ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-04 13:30:16 +09:00
cat	ea853e21d9	test/sandbox: check fs outcome ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-03 01:02:09 +09:00
cat	0bd9b9e8fe	test/sandbox: assert filesystem json ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-02 23:23:04 +09:00
cat	39e32799b3	test/sandbox: compare filesystem hierarchy ... For checking deterministic aspects of fs outcome. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-02 22:59:04 +09:00
cat	9953768de5	test: rename session message identifier ... Labelling this as sway is misleading. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-02 22:47:33 +09:00
cat	0d3652b793	test/sandbox/assert: wrap printf ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-02 18:37:46 +09:00
cat	d8e9d71f87	test/sandbox: check mount outcome ... Do this at the beginning of the test for early failure. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-28 15:56:15 +09:00
cat	558974b996	test/sandbox: assert mntent json ... Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-02-28 15:40:58 +09:00