From 806ce18c0a610254a957a4e11113d14b1095f911 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Sun, 23 Mar 2025 17:40:02 +0900 Subject: [PATCH] test/sandbox: check mapuid outcome Signed-off-by: Ophestra --- test/configuration.nix | 1 + test/sandbox/case/default.nix | 3 +- test/sandbox/case/mapuid.nix | 225 ++++++++++++++++++++++++++++++++++ test/sandbox/case/preset.nix | 1 + test/sandbox/case/tty.nix | 1 + test/test.py | 3 +- 6 files changed, 232 insertions(+), 2 deletions(-) create mode 100644 test/sandbox/case/mapuid.nix diff --git a/test/configuration.nix b/test/configuration.nix index e15f78e..a4fa829 100644 --- a/test/configuration.nix +++ b/test/configuration.nix @@ -110,6 +110,7 @@ in apps = [ testCases.preset testCases.tty + testCases.mapuid { name = "ne-foot"; diff --git a/test/sandbox/case/default.nix b/test/sandbox/case/default.nix index 0ca4758..9057776 100644 --- a/test/sandbox/case/default.nix +++ b/test/sandbox/case/default.nix @@ -40,7 +40,7 @@ let { name = "check-sandbox-${tc.name}"; verbose = true; - inherit (tc) tty; + inherit (tc) tty mapRealUid; share = foot; packages = [ ]; command = "${checkSandbox tc.name tc.want} > /dev/console"; @@ -55,4 +55,5 @@ in { preset = callTestCase ./preset.nix; tty = callTestCase ./tty.nix; + mapuid = callTestCase ./mapuid.nix; } diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix new file mode 100644 index 0000000..ac548f2 --- /dev/null +++ b/test/sandbox/case/mapuid.nix @@ -0,0 +1,225 @@ +{ fs, ent }: +{ + name = "mapuid"; + tty = false; + mapRealUid = true; + + want = { + fs = fs "dead" { + ".fortify" = fs "800001ed" { + etc = fs "800001ed" null null; + sbin = fs "800001c0" { + fortify = fs "16d" null null; + init0 = fs "80001ff" null null; + } null; + mounts = fs "124" null null; + } null; + bin = fs "800001ed" { sh = fs "80001ff" null null; } null; + dev = fs "800001ed" { + console = fs "1a4" null null; + core = fs "80001ff" null null; + dri = fs "800001ed" { + by-path = fs "800001ed" { + "pci-0000:00:09.0-card" = fs "80001ff" null null; + "pci-0000:00:09.0-render" = fs "80001ff" null null; + } null; + card0 = fs "42001b0" null null; + renderD128 = fs "42001b6" null null; + } null; + fd = fs "80001ff" null null; + full = fs "42001b6" null null; + mqueue = fs "801001ff" { } null; + null = fs "42001b6" null ""; + ptmx = fs "80001ff" null null; + pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null; + random = fs "42001b6" null null; + shm = fs "800001ed" { } null; + stderr = fs "80001ff" null null; + stdin = fs "80001ff" null null; + stdout = fs "80001ff" null null; + tty = fs "42001b6" null null; + urandom = fs "42001b6" null null; + zero = fs "42001b6" null null; + } null; + etc = fs "800001c0" { + ".clean" = fs "80001ff" null null; + ".updated" = fs "80001ff" null null; + "NIXOS" = fs "80001ff" null null; + "X11" = fs "80001ff" null null; + "alsa" = fs "80001ff" null null; + "bashrc" = fs "80001ff" null null; + "binfmt.d" = fs "80001ff" null null; + "dbus-1" = fs "80001ff" null null; + "default" = fs "80001ff" null null; + "dhcpcd.exit-hook" = fs "80001ff" null null; + "fonts" = fs "80001ff" null null; + "fstab" = fs "80001ff" null null; + "fsurc" = fs "80001ff" null null; + "fuse.conf" = fs "80001ff" null null; + "group" = fs "180" null "fortify:x:1000:\n"; + "host.conf" = fs "80001ff" null null; + "hostname" = fs "80001ff" null null; + "hosts" = fs "80001ff" null null; + "inputrc" = fs "80001ff" null null; + "issue" = fs "80001ff" null null; + "kbd" = fs "80001ff" null null; + "locale.conf" = fs "80001ff" null null; + "login.defs" = fs "80001ff" null null; + "lsb-release" = fs "80001ff" null null; + "lvm" = fs "80001ff" null null; + "machine-id" = fs "80001ff" null null; + "man_db.conf" = fs "80001ff" null null; + "modprobe.d" = fs "80001ff" null null; + "modules-load.d" = fs "80001ff" null null; + "mtab" = fs "80001ff" null null; + "nanorc" = fs "80001ff" null null; + "netgroup" = fs "80001ff" null null; + "nix" = fs "80001ff" null null; + "nixos" = fs "80001ff" null null; + "nscd.conf" = fs "80001ff" null null; + "nsswitch.conf" = fs "80001ff" null null; + "os-release" = fs "80001ff" null null; + "pam" = fs "80001ff" null null; + "pam.d" = fs "80001ff" null null; + "passwd" = fs "180" null "u0_a3:x:1000:1000:Fortify:/var/lib/fortify/u0/a3:/run/current-system/sw/bin/bash\n"; + "pipewire" = fs "80001ff" null null; + "pki" = fs "80001ff" null null; + "polkit-1" = fs "80001ff" null null; + "profile" = fs "80001ff" null null; + "profiles" = fs "80001ff" null null; + "protocols" = fs "80001ff" null null; + "resolv.conf" = fs "80001ff" null null; + "resolvconf.conf" = fs "80001ff" null null; + "rpc" = fs "80001ff" null null; + "services" = fs "80001ff" null null; + "set-environment" = fs "80001ff" null null; + "shadow" = fs "80001ff" null null; + "shells" = fs "80001ff" null null; + "ssh" = fs "80001ff" null null; + "ssl" = fs "80001ff" null null; + "static" = fs "80001ff" null null; + "subgid" = fs "80001ff" null null; + "subuid" = fs "80001ff" null null; + "sudoers" = fs "80001ff" null null; + "sway" = fs "80001ff" null null; + "sysctl.d" = fs "80001ff" null null; + "systemd" = fs "80001ff" null null; + "terminfo" = fs "80001ff" null null; + "tmpfiles.d" = fs "80001ff" null null; + "udev" = fs "80001ff" null null; + "vconsole.conf" = fs "80001ff" null null; + "xdg" = fs "80001ff" null null; + "zoneinfo" = fs "80001ff" null null; + } null; + nix = fs "800001c0" { store = fs "801001fd" null null; } null; + proc = fs "8000016d" null null; + run = fs "800001c0" { + current-system = fs "8000016d" null null; + opengl-driver = fs "8000016d" null null; + user = fs "800001ed" { + "1000" = fs "800001ed" { + bus = fs "10001fd" null null; + pulse = fs "800001c0" { native = fs "10001b6" null null; } null; + wayland-0 = fs "1000038" null null; + } null; + } null; + } null; + sys = fs "800001c0" { + block = fs "800001ed" { + fd0 = fs "80001ff" null null; + loop0 = fs "80001ff" null null; + loop1 = fs "80001ff" null null; + loop2 = fs "80001ff" null null; + loop3 = fs "80001ff" null null; + loop4 = fs "80001ff" null null; + loop5 = fs "80001ff" null null; + loop6 = fs "80001ff" null null; + loop7 = fs "80001ff" null null; + sr0 = fs "80001ff" null null; + vda = fs "80001ff" null null; + } null; + bus = fs "800001ed" null null; + class = fs "800001ed" null null; + dev = fs "800001ed" { + block = fs "800001ed" null null; + char = fs "800001ed" null null; + } null; + devices = fs "800001ed" null null; + } null; + tmp = fs "800001f8" { } null; + usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null; + var = fs "800001c0" { + lib = fs "800001c0" { + fortify = fs "800001c0" { + u0 = fs "800001c0" { + a3 = fs "800001c0" { + ".cache" = fs "800001ed" { ".keep" = fs "80001ff" null ""; } null; + ".config" = fs "800001ed" { "environment.d" = fs "800001ed" { "10-home-manager.conf" = fs "80001ff" null null; } null; } null; + ".local" = fs "800001ed" { + state = fs "800001ed" { + home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; + nix = fs "800001ed" { + profiles = fs "800001ed" { + home-manager = fs "80001ff" null null; + home-manager-1-link = fs "80001ff" null null; + profile = fs "80001ff" null null; + profile-1-link = fs "80001ff" null null; + } null; + } null; + } null; + } null; + ".nix-defexpr" = fs "800001ed" { + channels = fs "80001ff" null null; + channels_root = fs "80001ff" null null; + } null; + ".nix-profile" = fs "80001ff" null null; + } null; + } null; + } null; + } null; + run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; + } null; + } null; + + mount = [ + (ent "tmpfs" "/" "tmpfs" "rw,nosuid,nodev,relatime,uid=1000003,gid=1000003" 0 0) + (ent "proc" "/proc" "proc" "rw,nosuid,nodev,noexec,relatime" 0 0) + (ent "tmpfs" "/.fortify" "tmpfs" "rw,nosuid,nodev,relatime,size=4k,mode=755,uid=1000003,gid=1000003" 0 0) + (ent "tmpfs" "/dev" "tmpfs" "rw,nosuid,nodev,relatime,mode=755,uid=1000003,gid=1000003" 0 0) + (ent "devtmpfs" "/dev/null" "devtmpfs" "host_passthrough" 0 0) + (ent "devtmpfs" "/dev/zero" "devtmpfs" "host_passthrough" 0 0) + (ent "devtmpfs" "/dev/full" "devtmpfs" "host_passthrough" 0 0) + (ent "devtmpfs" "/dev/random" "devtmpfs" "host_passthrough" 0 0) + (ent "devtmpfs" "/dev/urandom" "devtmpfs" "host_passthrough" 0 0) + (ent "devtmpfs" "/dev/tty" "devtmpfs" "host_passthrough" 0 0) + (ent "devpts" "/dev/pts" "devpts" "rw,nosuid,noexec,relatime,mode=620,ptmxmode=666" 0 0) + (ent "mqueue" "/dev/mqueue" "mqueue" "rw,relatime" 0 0) + (ent "/dev/disk/by-label/nixos" "/bin" "ext4" "ro,nosuid,nodev,relatime" 0 0) + (ent "/dev/disk/by-label/nixos" "/usr/bin" "ext4" "ro,nosuid,nodev,relatime" 0 0) + (ent "overlay" "/nix/store" "overlay" "ro,nosuid,nodev,relatime,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on" 0 0) + (ent "overlay" "/run/current-system" "overlay" "ro,nosuid,nodev,relatime,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on" 0 0) + (ent "sysfs" "/sys/block" "sysfs" "ro,nosuid,nodev,noexec,relatime" 0 0) + (ent "sysfs" "/sys/bus" "sysfs" "ro,nosuid,nodev,noexec,relatime" 0 0) + (ent "sysfs" "/sys/class" "sysfs" "ro,nosuid,nodev,noexec,relatime" 0 0) + (ent "sysfs" "/sys/dev" "sysfs" "ro,nosuid,nodev,noexec,relatime" 0 0) + (ent "sysfs" "/sys/devices" "sysfs" "ro,nosuid,nodev,noexec,relatime" 0 0) + (ent "overlay" "/run/opengl-driver" "overlay" "ro,nosuid,nodev,relatime,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on" 0 0) + (ent "devtmpfs" "/dev/dri" "devtmpfs" "host_passthrough" 0 0) + (ent "proc" "/.fortify/mounts" "proc" "ro,nosuid,nodev,noexec,relatime" 0 0) + (ent "/dev/disk/by-label/nixos" "/.fortify/etc" "ext4" "ro,nosuid,nodev,relatime" 0 0) + (ent "tmpfs" "/run/user" "tmpfs" "rw,nosuid,nodev,relatime,size=1024k,mode=755,uid=1000003,gid=1000003" 0 0) + (ent "tmpfs" "/run/user/1000" "tmpfs" "rw,nosuid,nodev,relatime,size=8192k,mode=755,uid=1000003,gid=1000003" 0 0) + (ent "/dev/disk/by-label/nixos" "/tmp" "ext4" "rw,nosuid,nodev,relatime" 0 0) + (ent "/dev/disk/by-label/nixos" "/var/lib/fortify/u0/a3" "ext4" "rw,nosuid,nodev,relatime" 0 0) + (ent "tmpfs" "/etc/passwd" "tmpfs" "ro,nosuid,nodev,relatime,uid=1000003,gid=1000003" 0 0) + (ent "tmpfs" "/etc/group" "tmpfs" "ro,nosuid,nodev,relatime,uid=1000003,gid=1000003" 0 0) + (ent "/dev/disk/by-label/nixos" "/run/user/1000/wayland-0" "ext4" "ro,nosuid,nodev,relatime" 0 0) + (ent "tmpfs" "/run/user/1000/pulse/native" "tmpfs" "host_passthrough" 0 0) + (ent "/dev/disk/by-label/nixos" "/run/user/1000/bus" "ext4" "ro,nosuid,nodev,relatime" 0 0) + (ent "tmpfs" "/var/run/nscd" "tmpfs" "rw,nosuid,nodev,relatime,size=8k,mode=755,uid=1000003,gid=1000003" 0 0) + (ent "overlay" "/.fortify/sbin/fortify" "overlay" "ro,nosuid,nodev,relatime,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on" 0 0) + ]; + + seccomp = true; + }; +} diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix index 2ca3896..5401f32 100644 --- a/test/sandbox/case/preset.nix +++ b/test/sandbox/case/preset.nix @@ -2,6 +2,7 @@ { name = "preset"; tty = false; + mapRealUid = false; want = { fs = fs "dead" { diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix index a0d7863..1cdb395 100644 --- a/test/sandbox/case/tty.nix +++ b/test/sandbox/case/tty.nix @@ -2,6 +2,7 @@ { name = "tty"; tty = true; + mapRealUid = false; want = { fs = fs "dead" { diff --git a/test/test.py b/test/test.py index d4ad51c..8d82545 100644 --- a/test/test.py +++ b/test/test.py @@ -113,6 +113,7 @@ def check_sandbox(name): check_sandbox("preset") check_sandbox("tty") +check_sandbox("mapuid") def aid(offset): return 1+check_offset+offset @@ -191,7 +192,7 @@ machine.wait_until_fails("pgrep foot", timeout=5) swaymsg("exec pa-foot") wait_for_window(f"u0_a{aid(1)}@machine") machine.send_chars("clear; pactl info && touch /tmp/pulse-ok\n") -machine.wait_for_file(tmpdir_path(1, "pulse-ok"), timeout=10) +machine.wait_for_file(tmpdir_path(1, "pulse-ok"), timeout=15) collect_state_ui("pulse_wayland") check_state("pa-foot", 9) machine.send_chars("exit\n")