test/sandbox: check environment

Signed-off-by: Ophestra <cat@gensokyo.uk>
test/sandbox: invoke check program directly
2025-03-27 03:16:33 +09:00 · 2025-03-27 03:11:50 +09:00 · 2025-03-27 01:22:40 +09:00
11 changed files with 93 additions and 20 deletions
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -101,6 +101,7 @@ var testCasesNixos = []sealTestCase{
 				"HOME=/var/lib/persist/module/fortify/0/1",
 				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=u0_a1",
 				"WAYLAND_DISPLAY=wayland-0",
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -41,6 +41,7 @@ var testCasesPd = []sealTestCase{
 			Args:  []string{"/run/current-system/sw/bin/zsh"},
 			Env: []string{
 				"HOME=/home/chronos",
+				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
 				"XDG_RUNTIME_DIR=/run/user/65534",
@ -259,6 +260,7 @@ var testCasesPd = []sealTestCase{
 				"HOME=/home/chronos",
 				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
 				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
 				"WAYLAND_DISPLAY=wayland-0",
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -255,8 +255,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		mapuid = newInt(uid)
 		mapgid = newInt(gid)
 		if seal.env == nil {
-			seal.env = make(map[string]string)
+			seal.env = make(map[string]string, 1<<6)
 		}
+		seal.env[shell] = shellPath
 	}

 	/*
--- a/test/configuration.nix
+++ b/test/configuration.nix
@ -6,7 +6,12 @@
 }:
 let
  testCases = import ./sandbox/case {
-    inherit (pkgs) lib callPackage foot;
+    inherit (pkgs)
+      lib
+      callPackage
+      writeText
+      foot
+      ;
    inherit (config.environment.fortify.package) version;
  };
 in
--- a/test/sandbox/assert.go
+++ b/test/sandbox/assert.go
@ -23,6 +23,7 @@ func printf(format string, v ...any) { printfFunc(format, v...) }
 func fatalf(format string, v ...any) { fatalfFunc(format, v...) }

 type TestCase struct {
+	Env     []string          `json:"env"`
 	FS      *FS               `json:"fs"`
 	Mount   []*MountinfoEntry `json:"mount"`
 	Seccomp bool              `json:"seccomp"`
@ -34,13 +35,46 @@ type T struct {
 	MountsPath string
 }

-func (t *T) MustCheckFile(wantFilePath string) {
+func (t *T) MustCheckFile(wantFilePath, markerPath string) {
 	var want *TestCase
 	mustDecode(wantFilePath, &want)
 	t.MustCheck(want)
+	if _, err := os.Create(markerPath); err != nil {
+		fatalf("cannot create success marker: %v", err)
+	}
 }

 func (t *T) MustCheck(want *TestCase) {
+	if want.Env != nil {
+		var (
+			fail bool
+			i    int
+			got  string
+		)
+		for i, got = range os.Environ() {
+			if i == len(want.Env) {
+				fatalf("got more than %d environment variables", len(want.Env))
+			}
+			if got != want.Env[i] {
+				fail = true
+				printf("[FAIL] %s", got)
+			} else {
+				printf("[ OK ] %s", got)
+			}
+		}
+
+		i++
+		if i != len(want.Env) {
+			fatalf("got %d environment variables, want %d", i, len(want.Env))
+		}
+
+		if fail {
+			fatalf("[FAIL] some environment variables did not match")
+		}
+	} else {
+		printf("[SKIP] skipping environ check")
+	}
+
 	if want.FS != nil && t.FS != nil {
 		if err := want.FS.Compare(".", t.FS); err != nil {
 			fatalf("%v", err)
--- a/test/sandbox/assert.nix
+++ b/test/sandbox/assert.nix
@ -24,7 +24,7 @@ buildGoModule {
      import "os"
      import "git.gensokyo.uk/security/fortify/test/sandbox"

-      func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1]) }
+      func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1], "/tmp/sandbox-ok") }
    ''} main.go
  '';
 }
--- a/test/sandbox/case/default.nix
+++ b/test/sandbox/case/default.nix
@ -1,6 +1,7 @@
 {
  lib,
  callPackage,
+  writeText,
  foot,

  version,
@ -29,7 +30,7 @@ let
      ;
  };

-  checkSandbox = callPackage ../. { inherit version; };
+  checkSandbox = callPackage ../assert.nix { inherit version; };

  callTestCase =
    path:
@ -48,7 +49,11 @@ let
      inherit (tc) tty mapRealUid;
      share = foot;
      packages = [ ];
-      command = builtins.toString (checkSandbox tc.name tc.want);
+      path = "${checkSandbox}/bin/test";
+      args = [
+        "test"
+        (toString (writeText "fortify-${tc.name}-want.json" (builtins.toJSON tc.want)))
+      ];
    };
 in
 {
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@ -9,6 +9,19 @@
  mapRealUid = true;

  want = {
+    env = [
+      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
+      "HOME=/var/lib/fortify/u0/a3"
+      "PULSE_SERVER=unix:/run/user/1000/pulse/native"
+      "SHELL=/run/current-system/sw/bin/bash"
+      "TERM=linux"
+      "USER=u0_a3"
+      "WAYLAND_DISPLAY=wayland-0"
+      "XDG_RUNTIME_DIR=/run/user/1000"
+      "XDG_SESSION_CLASS=user"
+      "XDG_SESSION_TYPE=tty"
+    ];
+
    fs = fs "dead" {
      ".fortify" = fs "800001ed" {
        etc = fs "800001ed" null null;
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@ -9,6 +9,19 @@
  mapRealUid = false;

  want = {
+    env = [
+      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "HOME=/var/lib/fortify/u0/a1"
+      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "SHELL=/run/current-system/sw/bin/bash"
+      "TERM=linux"
+      "USER=u0_a1"
+      "WAYLAND_DISPLAY=wayland-0"
+      "XDG_RUNTIME_DIR=/run/user/65534"
+      "XDG_SESSION_CLASS=user"
+      "XDG_SESSION_TYPE=tty"
+    ];
+
    fs = fs "dead" {
      ".fortify" = fs "800001ed" {
        etc = fs "800001ed" null null;
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@ -9,6 +9,19 @@
  mapRealUid = false;

  want = {
+    env = [
+      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "HOME=/var/lib/fortify/u0/a2"
+      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "SHELL=/run/current-system/sw/bin/bash"
+      "TERM=linux"
+      "USER=u0_a2"
+      "WAYLAND_DISPLAY=wayland-0"
+      "XDG_RUNTIME_DIR=/run/user/65534"
+      "XDG_SESSION_CLASS=user"
+      "XDG_SESSION_TYPE=tty"
+    ];
+
    fs = fs "dead" {
      ".fortify" = fs "800001ed" {
        etc = fs "800001ed" null null;
--- a/test/sandbox/default.nix
+++ b/test/sandbox/default.nix
@ -1,14 +0,0 @@
-{
-  writeShellScript,
-  writeText,
-  callPackage,
-
-  version,
-}:
-name: want:
-writeShellScript "fortify-${name}-check-sandbox-script" ''
-  set -e
-  ${callPackage ./assert.nix { inherit version; }}/bin/test \
-    ${writeText "fortify-${name}-want.json" (builtins.toJSON want)}
-  touch /tmp/sandbox-ok
-''
Author	SHA1	Message	Date
Ophestra	f8502c3ece	test/sandbox: check environment All checks were successful Test / Create distribution (push) Successful in 19s Details Test / Fpkg (push) Successful in 34s Details Test / Fortify (push) Successful in 41s Details Test / Data race detector (push) Successful in 41s Details Test / Flake checks (push) Successful in 56s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:16:33 +09:00
Ophestra	996b42634d	test/sandbox: invoke check program directly All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Fpkg (push) Successful in 34s Details Test / Fortify (push) Successful in 40s Details Test / Data race detector (push) Successful in 2m47s Details Test / Flake checks (push) Successful in 1m4s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:11:50 +09:00
Ophestra	300571af47	app: pass through $SHELL All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fpkg (push) Successful in 33s Details Test / Fortify (push) Successful in 39s Details Test / Data race detector (push) Successful in 39s Details Test / Flake checks (push) Successful in 55s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 01:22:40 +09:00