security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 30 Wiki Activity

nix: test direct_wayland behaviour
All checks were successful
Test / Create distribution (push) Successful in 47s
Details
Test / Run NixOS test (push) Successful in 3m35s
Details

Browse Source 
This should never be used outside tests unless you absolutely know what you're doing or are using GNOME.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-02-15 10:45:27 +09:00
parent 989fb5395f
commit 6ae02e72fa
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nixos.nix
View File

@ -118,6 +118,7 @@ in
}; };
map_real_uid = app.mapRealUid; map_real_uid = app.mapRealUid;
no_new_session = app.tty; no_new_session = app.tty;
direct_wayland = app.insecureWayland;
filesystem = filesystem =
let let
bind = src: { inherit src; }; bind = src: { inherit src; };

1
options.nix
View File

@ -146,6 +146,7 @@ in
mapRealUid = mkEnableOption "mapping to priv-user uid"; mapRealUid = mkEnableOption "mapping to priv-user uid";
dev = mkEnableOption "access to all devices"; dev = mkEnableOption "access to all devices";
tty = mkEnableOption "access to the controlling terminal"; tty = mkEnableOption "access to the controlling terminal";
insecureWayland = mkEnableOption "direct access to the Wayland socket";
net = mkEnableOption "network access" // { net = mkEnableOption "network access" // {
default = true; default = true;

28
test.nix
View File

@ -81,7 +81,7 @@ nixosTest {
mkdir -p ~/.config/sway mkdir -p ~/.config/sway
(sed s/Mod4/Mod1/ /etc/sway/config && (sed s/Mod4/Mod1/ /etc/sway/config &&
echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' && echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
echo 'output Virtual-1 res 1280x768') > ~/.config/sway/config echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
sway --validate sway --validate
systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok
@ -148,6 +148,18 @@ nixosTest {
pulse = false; pulse = false;
}; };
} }
{
name = "da-foot";
verbose = true;
insecureWayland = true;
share = pkgs.foot;
packages = [ pkgs.foot ];
command = "foot";
capability = {
dbus = false;
pulse = false;
};
}
{ {
name = "strace-failure"; name = "strace-failure";
verbose = true; verbose = true;
@ -323,6 +335,20 @@ nixosTest {
machine.send_chars("exit\n") machine.send_chars("exit\n")
machine.wait_until_fails("pgrep alacritty") machine.wait_until_fails("pgrep alacritty")
# Start app (foot) with direct Wayland access:
swaymsg("exec da-foot")
wait_for_window("u0_a4@machine")
machine.send_chars("clear; wayland-info && touch /tmp/success-direct\n")
machine.wait_for_file("/tmp/fortify.1000/tmpdir/4/success-direct")
collect_state_ui("foot_direct")
check_state("da-foot", 1)
# Verify acl on XDG_RUNTIME_DIR:
print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004"))
machine.send_chars("exit\n")
machine.wait_until_fails("pgrep foot")
# Verify acl cleanup on XDG_RUNTIME_DIR:
machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004")
# Test syscall filter: # Test syscall filter:
print(machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 strace-failure")) print(machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 strace-failure"))