{
system,
self,
home-manager,
nixosTest,
}:
nixosTest {
name = "fortify";
# Adapted from the NixOS sway integration test.

# The test driver's type check (mypy) rejects the conditional call expression
# used in swaymsg() below, so it is disabled for this script:
#
# testScriptWithTypes:49: error: Cannot call function of unknown type
# (machine.succeed if succeed else machine.execute)(
# ^
# Found 1 error in 1 file (checked 1 source file)
skipTypeCheck = true;
nodes.machine =
  { lib, pkgs, ... }:
  {
    imports = [
      self.nixosModules.fortify
      home-manager.nixosModules.home-manager
    ];

    # The single unprivileged user every sandbox in the test script is started as.
    users.users.alice = {
      isNormalUser = true;
      description = "Alice Foobar";
      # Fixed test-only credential; the test script never logs in with it
      # (tty1 autologin is configured below).
      password = "foobar";
      # uid 1000 is hard-coded throughout the test script (/run/user/1000,
      # /tmp/fortify.1000), so keep it stable.
      uid = 1000;
    };

    home-manager.users.alice.home.stateVersion = "24.11";

    # Automatically login on tty1 as a normal user:
    services.getty.autologinUser = "alice";

    environment = {
      systemPackages = with pkgs; [
        # For glinfo and wayland-info:
        mesa-demos
        wayland-utils
        alacritty

        # For D-Bus tests:
        libnotify
        mako

        # For go tests:
        self.devShells.${system}.fhs
      ];

      variables = {
        # The test script waits for this socket, and swaymsg() uses it.
        SWAYSOCK = "/tmp/sway-ipc.sock";
        WLR_RENDERER = "pixman";
      };

      # To help with OCR:
      etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
        main.font = "inconsolata:size=14";
        colors = rec {
          foreground = "000000";
          background = "ffffff";
          regular2 = foreground;
        };
      };

      fortify = {
        enable = true;
        # The test script provisions the aid 0 home under this directory.
        stateDir = "/var/lib/fortify";
        # Presumably maps alice to fortify user 0; the script expects paths
        # like /var/lib/fortify/u0/a0 and window titles of the form
        # u0_a0@machine — confirm against the module's option description.
        users.alice = 0;
      };
    };

    fonts.packages = [ pkgs.inconsolata ];

    # Automatically configure and start Sway when logging in on tty1:
    programs.bash.loginShellInit = ''
      if [ "$(tty)" = "/dev/tty1" ]; then
        set -e

        mkdir -p ~/.config/sway
        sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config

        sway --validate
        sway && touch /tmp/sway-exit-ok
      fi
    '';
    programs.sway.enable = true;

    # For PulseAudio tests:
    security.rtkit.enable = true;
    services.pipewire = {
      enable = true;
      alsa = {
        enable = true;
        support32Bit = true;
      };
      pulse.enable = true;
      jack.enable = true;
    };

    virtualisation.qemu.options = [
      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
      "-vga none -device virtio-gpu-pci"

      # Increase Go test compiler performance:
      "-smp 8"
    ];
  };
testScript = ''
import json
import shlex

# Every value interpolated into a shell command below goes through this, so
# a window title or path can never be interpreted by the shell.
q = shlex.quote

# Keys under which a sway tree node lists its child nodes.
NODE_GROUPS = [
    "nodes",
    "floating_nodes",
]
def swaymsg(command: str = "", succeed=True, type="command"):
    """Send one swaymsg request as alice and return sway's reply decoded from JSON.

    Args:
        command: the IPC payload; may be empty for pure query types such as
            ``get_tree``.
        succeed: when True the request runs through ``machine.succeed`` and a
            non-zero exit fails the test; when False it runs through
            ``machine.execute`` and the exit status is discarded.
        type: the swaymsg message type (``-t``). The name shadows the builtin
            but callers pass it by keyword, so it is kept for compatibility.

    Returns:
        The parsed JSON reply, or None when *succeed* is False and sway
        produced no output at all (e.g. after ``exit``).
    """
    assert command != "" or type != "command", "Must specify command or type"
    # Quote twice: q() protects each argument inside the swaymsg command line,
    # and the whole line is quoted once more because `su -c` receives it as a
    # single argument. Nothing in `command` can reach either shell unescaped.
    inner = f"swaymsg -t {q(type)} -- {q(command)}"
    shell = q(inner)
    label = f"sending swaymsg {shell!r}"
    if not succeed:
        label += " (allowed to fail)"
    with machine.nested(label):
        if succeed:
            ret = machine.succeed(f"su - alice -c {shell}")
        else:
            # execute also returns a status code, but disregard.
            _, ret = machine.execute(f"su - alice -c {shell}")

    if not succeed and not ret:
        return None
    return json.loads(ret)
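def walk(tree, groups=None):
    """Yield *tree* and all of its descendants, depth-first and pre-order.

    Args:
        tree: a sway tree node, i.e. a dict as returned by
            ``swaymsg -t get_tree``.
        groups: keys under which a node lists its children. Defaults to
            NODE_GROUPS; exposed as a parameter so the traversal can be
            exercised on a plain dict without the test driver.

    Yields:
        Every node, parent before children; groups are visited in the order
        given and children in list order.
    """
    if groups is None:
        groups = NODE_GROUPS
    yield tree
    for group in groups:
        # A node that lacks a group simply has no children under it.
        for child in tree.get(group, []):
            yield from walk(child, groups)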
def wait_for_window(pattern):
    """Block until some window in sway's tree has *pattern* in its name.

    Polls through the test driver's ``retry``. The predicate receives a
    ``last_chance`` flag on the final attempt; at that point the full list of
    window names is logged so a timeout can be diagnosed from the test output.

    NOTE(review): ``pattern in name`` raises TypeError if sway reports a null
    name for a node; the layouts in this test apparently never do — confirm
    if the set of windows changes.
    """
    def seen(last_chance):
        names = (node["name"] for node in walk(swaymsg(type="get_tree")))
        if not last_chance:
            return any(pattern in name for name in names)
        # Materialise once so the same names can be logged and searched.
        names = list(names)
        machine.log(f"Last call! Current list of windows: {names}")
        return any(pattern in name for name in names)

    retry(seen)
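def collect_state_ui(name):
    """Snapshot fortify's instance state from inside the sway session under *name*.

    Dumps ``fortify ps`` (text and ``--json``) into /tmp/<name>.ps and
    /tmp/<name>.json, copies both out of the VM, then takes a screenshot.

    sway's ``exec`` returns as soon as the command is spawned, not when it has
    finished, so the original exec-then-copy sequence could copy a missing or
    half-written file. Each dump is therefore written to a temporary path and
    renamed into place (an atomic rename on the same filesystem), and the
    caller waits for the final path before copying it.

    Args:
        name: label used for the dump files and the screenshot; callers pass
            fixed identifiers, but it is still interpolated into a shell
            command, so keep it free of quotes and shell metacharacters.
    """
    for ext, args in (("ps", "fortify ps"), ("json", "fortify --json ps")):
        path = f"/tmp/{name}.{ext}"
        tmp = f"{path}.tmp"
        # `&&` is interpreted by the shell sway's exec runs the line in (the
        # same mechanism the D-Bus test uses to signal completion).
        swaymsg(f"exec {args} > '{tmp}' && mv '{tmp}' '{path}'")
        machine.wait_for_file(path)
        machine.copy_from_vm(path, "")
    machine.screenshot(name)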
def check_state(command, enablements):
    """Assert that exactly one fortify instance is running with the expected config.

    Queries ``fortify --json ps`` as alice outside the sway session (hence the
    explicit XDG_RUNTIME_DIR), then compares the single instance's configured
    command and confinement enablements against the expected values.

    Args:
        command: expected ``config.command`` list, e.g. ``["foot"]``.
        enablements: expected ``config.confinement.enablements`` value;
            callers pass 1, 2 and 9, presumably a bitmask — confirm against
            fortify's definition.

    Raises:
        Exception: when the instance count, command or enablements differ.
    """
    raw = machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps")
    instances = json.loads(raw)

    count = len(instances)
    if count != 1:
        raise Exception(f"unexpected state length {count}")
    # Safe to unpack: the count was just verified to be exactly one.
    (instance,) = instances.values()
    config = instance['config']

    actual_command = config['command']
    if actual_command != command:
        raise Exception(f"unexpected command {actual_command}")

    actual_enablements = config['confinement']['enablements']
    if actual_enablements != enablements:
        raise Exception(f"unexpected enablements {actual_enablements}")
def fortify(command):
    """Launch ``fortify <command>`` inside the sway session via ``exec``.

    Returns immediately after sway spawns the process; callers synchronise on
    a marker file or window instead. *command* is passed to sway's exec shell
    unquoted, so shell operators in it (e.g. ``&&``) are interpreted there.
    """
    launch = f"exec fortify {command}"
    swaymsg(launch)
start_all()
machine.wait_for_unit("multi-user.target")

# Run fortify Go tests outside of nix build in the background.
# The source tree is copied out of the Nix store first. The commands run
# through the driver's shell (as root); success is signalled by
# /tmp/success-gotest, which is checked at the very end of this script.
machine.succeed("rm -rf /tmp/src && cp -a '${self.packages.${system}.fortify.src}' /tmp/src")
machine.succeed("fortify-fhs -c '(cd /tmp/src && go generate ./... && go test ./... && touch /tmp/success-gotest)' &> /tmp/gotest &")

# To check sway's version:
print(machine.succeed("sway --version"))

# Wait for Sway to complete startup: the Wayland socket appears once the
# compositor is up, and the IPC socket (SWAYSOCK in the node config) is what
# swaymsg() talks to.
machine.wait_for_file("/run/user/1000/wayland-1")
machine.wait_for_file("/tmp/sway-ipc.sock")

# Create fortify aid 0 home directory, owned by uid/gid 1000000 — presumably
# the id fortify runs aid 0 of user 0 (alice, per the node config) as; the
# ACL checks further down grep for the same uid.
machine.succeed("install -dm 0700 -o 1000000 -g 1000000 /var/lib/fortify/u0/a0")

# Start fortify outside Wayland session. The sandboxed `touch` writes into the
# sandbox's /tmp, which is visible on the host under /tmp/fortify.1000/tmpdir/0/.
print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare"))
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")

# Start fortify within Wayland session, with D-Bus access, and send a
# notification to mako from inside the sandbox. The `&& touch` is interpreted
# by sway's exec shell, i.e. it runs outside the sandbox, which is why the
# marker is waited for at the host path rather than under tmpdir/0.
fortify('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-done')
machine.wait_for_file("/tmp/dbus-done")
collect_state_ui("dbus_notify_exited")
# Presumably to clear the notification from the screen before later screenshots.
machine.succeed("pkill -9 mako")

# Start a terminal (foot) within fortify:
swaymsg("exec fortify run --wayland foot")
# The window title presumably encodes the sandbox identity (user 0, aid 0).
wait_for_window("u0_a0@machine")
machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client")
collect_state_ui("foot_wayland_permissive")
# enablements 1 — presumably the Wayland bit alone; confirm against fortify.
check_state(["foot"], 1)
# Verify acl on XDG_RUNTIME_DIR: while the sandbox runs, uid 1000000 must be
# present in the ACL of alice's runtime dir (presumably so the Wayland socket
# inside it is reachable from the sandbox).
print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
machine.send_chars("exit\n")
machine.wait_until_fails("pgrep foot")
# Verify acl cleanup on XDG_RUNTIME_DIR: the grant must be revoked once the
# sandbox has exited, so nothing running as uid 1000000 keeps access.
machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")

# Start a terminal (foot) within fortify from a terminal, i.e. fortify is
# launched from an unsandboxed foot rather than directly by sway:
swaymsg("exec foot fortify run --wayland foot")
wait_for_window("u0_a0@machine")
machine.send_chars("clear; wayland-info && touch /tmp/success-client-term\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term")
collect_state_ui("foot_wayland_permissive_term")
check_state(["foot"], 1)
machine.send_chars("exit\n")
machine.wait_until_fails("pgrep foot")

# Test PulseAudio (fortify does not support PipeWire yet); pactl must reach
# the server through the sandbox's --pulse access:
swaymsg("exec fortify run --wayland --pulse foot")
wait_for_window("u0_a0@machine")
machine.send_chars("clear; pactl info && touch /tmp/success-pulse\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-pulse")
collect_state_ui("pulse_wayland")
# enablements 9 — presumably Wayland (1) plus PulseAudio (8); confirm against fortify.
check_state(["foot"], 9)
machine.send_chars("exit\n")
machine.wait_until_fails("pgrep foot")

# Test XWayland (foot does not support X):
swaymsg("exec fortify run -X alacritty")
wait_for_window("u0_a0@machine")
machine.send_chars("clear; glinfo && touch /tmp/success-client-x11\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11")
collect_state_ui("alacritty_x11_permissive")
# enablements 2 — presumably the X11 bit; confirm against fortify.
check_state(["alacritty"], 2)
machine.send_chars("exit\n")
machine.wait_until_fails("pgrep alacritty")

# Exit Sway and verify process exit status 0 (the login shell in the node
# config touches /tmp/sway-exit-ok only when sway returns 0):
swaymsg("exit", succeed=False)
machine.wait_until_fails("pgrep -x sway")
machine.wait_for_file("/tmp/sway-exit-ok")

# Print fortify runDir contents:
print(machine.succeed("find /run/user/1000/fortify"))

# Verify go test status: wait for the background run's log, print it, then
# require the success marker. A failing `go test` leaves the marker absent
# and this final wait times out.
machine.wait_for_file("/tmp/gotest")
print(machine.succeed("cat /tmp/gotest"))
machine.wait_for_file("/tmp/success-gotest")
'';
}