security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 36 Wiki Activity

Compare commits

base: security:32c90ef4e737f25f57cfa9f493c9cd7f6950c508
Branches Tags
security:master
security:staging
security:develop
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1
..
compare: security:f8502c3ece1ff53b244326e341b166174f7f5d79
Branches Tags
security:staging
security:develop
security:master
security:fpkg
security:fsu-bypass
security:v0.4.0
security:v0.3.3
security:v0.3.2
security:v0.3.1
security:v0.3.0
security:v0.2.18
security:v0.2.17
security:v0.2.16
security:v0.2.15
security:v0.2.14
security:v0.2.13
security:v0.2.12
security:v0.2.11
security:v0.2.10
security:v0.2.9
security:v0.2.8
security:v0.2.7
security:v0.2.6
security:v0.2.5
security:v0.2.4
security:v0.2.3
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.0
security:v0.0.11
security:v0.0.10
security:v0.0.9
security:v0.0.8
security:v0.0.7
security:v0.0.6
security:v0.0.5
security:v0.0.4
security:v0.0.3
security:v0.0.2
security:v0.0.1

3 Commits
32c90ef4e7 ... f8502c3ece

Author SHA1 Message Date
Ophestra
f8502c3ece
test/sandbox: check environment
All checks were successful
Test / Create distribution (push) Successful in 19s
Details
Test / Fpkg (push) Successful in 34s
Details
Test / Fortify (push) Successful in 41s
Details
Test / Data race detector (push) Successful in 41s
Details
Test / Flake checks (push) Successful in 56s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:16:33 +09:00
Ophestra
996b42634d
test/sandbox: invoke check program directly
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Fpkg (push) Successful in 34s
Details
Test / Fortify (push) Successful in 40s
Details
Test / Data race detector (push) Successful in 2m47s
Details
Test / Flake checks (push) Successful in 1m4s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 03:11:50 +09:00
Ophestra
300571af47
app: pass through $SHELL
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Fpkg (push) Successful in 33s
Details
Test / Fortify (push) Successful in 39s
Details
Test / Data race detector (push) Successful in 39s
Details
Test / Flake checks (push) Successful in 55s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-03-27 01:22:40 +09:00
11 changed files with 93 additions and 20 deletions
Show Stats Expand all files Collapse all files

1
internal/app/app_nixos_test.go
View File

@ -101,6 +101,7 @@ var testCasesNixos = []sealTestCase{
"HOME=/var/lib/persist/module/fortify/0/1", "HOME=/var/lib/persist/module/fortify/0/1",
"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie", "PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
"PULSE_SERVER=unix:/run/user/1971/pulse/native", "PULSE_SERVER=unix:/run/user/1971/pulse/native",
"SHELL=/run/current-system/sw/bin/zsh",
"TERM=xterm-256color", "TERM=xterm-256color",
"USER=u0_a1", "USER=u0_a1",
"WAYLAND_DISPLAY=wayland-0", "WAYLAND_DISPLAY=wayland-0",

2
internal/app/app_pd_test.go
View File

@ -41,6 +41,7 @@ var testCasesPd = []sealTestCase{
Args: []string{"/run/current-system/sw/bin/zsh"}, Args: []string{"/run/current-system/sw/bin/zsh"},
Env: []string{ Env: []string{
"HOME=/home/chronos", "HOME=/home/chronos",
"SHELL=/run/current-system/sw/bin/zsh",
"TERM=xterm-256color", "TERM=xterm-256color",
"USER=chronos", "USER=chronos",
"XDG_RUNTIME_DIR=/run/user/65534", "XDG_RUNTIME_DIR=/run/user/65534",
@ -259,6 +260,7 @@ var testCasesPd = []sealTestCase{
"HOME=/home/chronos", "HOME=/home/chronos",
"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie", "PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
"PULSE_SERVER=unix:/run/user/65534/pulse/native", "PULSE_SERVER=unix:/run/user/65534/pulse/native",
"SHELL=/run/current-system/sw/bin/zsh",
"TERM=xterm-256color", "TERM=xterm-256color",
"USER=chronos", "USER=chronos",
"WAYLAND_DISPLAY=wayland-0", "WAYLAND_DISPLAY=wayland-0",

3
internal/app/seal.go
View File

@ -255,8 +255,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
mapuid = newInt(uid) mapuid = newInt(uid)
mapgid = newInt(gid) mapgid = newInt(gid)
if seal.env == nil { if seal.env == nil {
seal.env = make(map[string]string) seal.env = make(map[string]string, 1<<6)
} }
seal.env[shell] = shellPath
} }
/* /*

7
test/configuration.nix
View File

@ -6,7 +6,12 @@
}: }:
let let
testCases = import ./sandbox/case { testCases = import ./sandbox/case {
inherit (pkgs) lib callPackage foot; inherit (pkgs)
lib
callPackage
writeText
foot
;
inherit (config.environment.fortify.package) version; inherit (config.environment.fortify.package) version;
}; };
in in

36
test/sandbox/assert.go
View File

@ -23,6 +23,7 @@ func printf(format string, v ...any) { printfFunc(format, v...) }
func fatalf(format string, v ...any) { fatalfFunc(format, v...) } func fatalf(format string, v ...any) { fatalfFunc(format, v...) }
type TestCase struct { type TestCase struct {
Env []string `json:"env"`
FS *FS `json:"fs"` FS *FS `json:"fs"`
Mount []*MountinfoEntry `json:"mount"` Mount []*MountinfoEntry `json:"mount"`
Seccomp bool `json:"seccomp"` Seccomp bool `json:"seccomp"`
@ -34,13 +35,46 @@ type T struct {
MountsPath string MountsPath string
} }
func (t *T) MustCheckFile(wantFilePath string) { func (t *T) MustCheckFile(wantFilePath, markerPath string) {
var want *TestCase var want *TestCase
mustDecode(wantFilePath, &want) mustDecode(wantFilePath, &want)
t.MustCheck(want) t.MustCheck(want)
if _, err := os.Create(markerPath); err != nil {
fatalf("cannot create success marker: %v", err)
}
} }
func (t *T) MustCheck(want *TestCase) { func (t *T) MustCheck(want *TestCase) {
if want.Env != nil {
var (
fail bool
i int
got string
)
for i, got = range os.Environ() {
if i == len(want.Env) {
fatalf("got more than %d environment variables", len(want.Env))
}
if got != want.Env[i] {
fail = true
printf("[FAIL] %s", got)
} else {
printf("[ OK ] %s", got)
}
}
i++
if i != len(want.Env) {
fatalf("got %d environment variables, want %d", i, len(want.Env))
}
if fail {
fatalf("[FAIL] some environment variables did not match")
}
} else {
printf("[SKIP] skipping environ check")
}
if want.FS != nil && t.FS != nil { if want.FS != nil && t.FS != nil {
if err := want.FS.Compare(".", t.FS); err != nil { if err := want.FS.Compare(".", t.FS); err != nil {
fatalf("%v", err) fatalf("%v", err)

2
test/sandbox/assert.nix
View File

@ -24,7 +24,7 @@ buildGoModule {
import "os" import "os"
import "git.gensokyo.uk/security/fortify/test/sandbox" import "git.gensokyo.uk/security/fortify/test/sandbox"
func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1]) } func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1], "/tmp/sandbox-ok") }
''} main.go ''} main.go
''; '';
} }

9
test/sandbox/case/default.nix
View File

@ -1,6 +1,7 @@
{ {
lib, lib,
callPackage, callPackage,
writeText,
foot, foot,
version, version,
@ -29,7 +30,7 @@ let
; ;
}; };
checkSandbox = callPackage ../. { inherit version; }; checkSandbox = callPackage ../assert.nix { inherit version; };
callTestCase = callTestCase =
path: path:
@ -48,7 +49,11 @@ let
inherit (tc) tty mapRealUid; inherit (tc) tty mapRealUid;
share = foot; share = foot;
packages = [ ]; packages = [ ];
command = builtins.toString (checkSandbox tc.name tc.want); path = "${checkSandbox}/bin/test";
args = [
"test"
(toString (writeText "fortify-${tc.name}-want.json" (builtins.toJSON tc.want)))
];
}; };
in in
{ {

13
test/sandbox/case/mapuid.nix
View File

@ -9,6 +9,19 @@
mapRealUid = true; mapRealUid = true;
want = { want = {
env = [
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
"HOME=/var/lib/fortify/u0/a3"
"PULSE_SERVER=unix:/run/user/1000/pulse/native"
"SHELL=/run/current-system/sw/bin/bash"
"TERM=linux"
"USER=u0_a3"
"WAYLAND_DISPLAY=wayland-0"
"XDG_RUNTIME_DIR=/run/user/1000"
"XDG_SESSION_CLASS=user"
"XDG_SESSION_TYPE=tty"
];
fs = fs "dead" { fs = fs "dead" {
".fortify" = fs "800001ed" { ".fortify" = fs "800001ed" {
etc = fs "800001ed" null null; etc = fs "800001ed" null null;

13
test/sandbox/case/preset.nix
View File

@ -9,6 +9,19 @@
mapRealUid = false; mapRealUid = false;
want = { want = {
env = [
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
"HOME=/var/lib/fortify/u0/a1"
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
"SHELL=/run/current-system/sw/bin/bash"
"TERM=linux"
"USER=u0_a1"
"WAYLAND_DISPLAY=wayland-0"
"XDG_RUNTIME_DIR=/run/user/65534"
"XDG_SESSION_CLASS=user"
"XDG_SESSION_TYPE=tty"
];
fs = fs "dead" { fs = fs "dead" {
".fortify" = fs "800001ed" { ".fortify" = fs "800001ed" {
etc = fs "800001ed" null null; etc = fs "800001ed" null null;

13
test/sandbox/case/tty.nix
View File

@ -9,6 +9,19 @@
mapRealUid = false; mapRealUid = false;
want = { want = {
env = [
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
"HOME=/var/lib/fortify/u0/a2"
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
"SHELL=/run/current-system/sw/bin/bash"
"TERM=linux"
"USER=u0_a2"
"WAYLAND_DISPLAY=wayland-0"
"XDG_RUNTIME_DIR=/run/user/65534"
"XDG_SESSION_CLASS=user"
"XDG_SESSION_TYPE=tty"
];
fs = fs "dead" { fs = fs "dead" {
".fortify" = fs "800001ed" { ".fortify" = fs "800001ed" {
etc = fs "800001ed" null null; etc = fs "800001ed" null null;

14
test/sandbox/default.nix
View File

@ -1,14 +0,0 @@
{
writeShellScript,
writeText,
callPackage,
version,
}:
name: want:
writeShellScript "fortify-${name}-check-sandbox-script" ''
set -e
${callPackage ./assert.nix { inherit version; }}/bin/test \
${writeText "fortify-${name}-want.json" (builtins.toJSON want)}
touch /tmp/sandbox-ok
''