test/sandbox: check environment

Signed-off-by: Ophestra <cat@gensokyo.uk>
test/sandbox: invoke check program directly
2025-03-27 03:16:33 +09:00 · 2025-03-27 03:11:50 +09:00 · 2025-03-27 01:22:40 +09:00
11 changed files with 93 additions and 20 deletions
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -101,6 +101,7 @@ var testCasesNixos = []sealTestCase{
 				"HOME=/var/lib/persist/module/fortify/0/1",
 				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=u0_a1",
 				"WAYLAND_DISPLAY=wayland-0",
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -41,6 +41,7 @@ var testCasesPd = []sealTestCase{
 			Args:  []string{"/run/current-system/sw/bin/zsh"},
 			Env: []string{
 				"HOME=/home/chronos",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
 				"XDG_RUNTIME_DIR=/run/user/65534",
@ -259,6 +260,7 @@ var testCasesPd = []sealTestCase{
 				"HOME=/home/chronos",
 				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
 				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
 				"WAYLAND_DISPLAY=wayland-0",
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -255,8 +255,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		mapuid = newInt(uid)
 		mapgid = newInt(gid)
 		if seal.env == nil {
-			seal.env = make(map[string]string)
+			seal.env = make(map[string]string, 1<<6)
 		}
 		seal.env[shell] = shellPath
 	}
 	/*
--- a/test/configuration.nix
+++ b/test/configuration.nix
@ -6,7 +6,12 @@
 }:
 let
  testCases = import ./sandbox/case {
-    inherit (pkgs) lib callPackage foot;
+    inherit (pkgs)
      lib
      callPackage
      writeText
      foot
      ;
    inherit (config.environment.fortify.package) version;
  };
 in
--- a/test/sandbox/assert.go
+++ b/test/sandbox/assert.go
@ -23,6 +23,7 @@ func printf(format string, v ...any) { printfFunc(format, v...) }
 func fatalf(format string, v ...any) { fatalfFunc(format, v...) }
 type TestCase struct {
 	Env     []string          `json:"env"`
 	FS      *FS               `json:"fs"`
 	Mount   []*MountinfoEntry `json:"mount"`
 	Seccomp bool              `json:"seccomp"`
@ -34,13 +35,46 @@ type T struct {
 	MountsPath string
 }
-func (t *T) MustCheckFile(wantFilePath string) {
+func (t *T) MustCheckFile(wantFilePath, markerPath string) {
 	var want *TestCase
 	mustDecode(wantFilePath, &want)
 	t.MustCheck(want)
 	if _, err := os.Create(markerPath); err != nil {
 		fatalf("cannot create success marker: %v", err)
 	}
 }
 func (t *T) MustCheck(want *TestCase) {
 	if want.Env != nil {
 		var (
 			fail bool
 			i    int
 			got  string
 		)
 		for i, got = range os.Environ() {
 			if i == len(want.Env) {
 				fatalf("got more than %d environment variables", len(want.Env))
 			}
 			if got != want.Env[i] {
 				fail = true
 				printf("[FAIL] %s", got)
 			} else {
 				printf("[ OK ] %s", got)
 			}
 		}
 		i++
 		if i != len(want.Env) {
 			fatalf("got %d environment variables, want %d", i, len(want.Env))
 		}
 		if fail {
 			fatalf("[FAIL] some environment variables did not match")
 		}
 	} else {
 		printf("[SKIP] skipping environ check")
 	}
 	if want.FS != nil && t.FS != nil {
 		if err := want.FS.Compare(".", t.FS); err != nil {
 			fatalf("%v", err)
--- a/test/sandbox/assert.nix
+++ b/test/sandbox/assert.nix
@ -24,7 +24,7 @@ buildGoModule {
      import "os"
      import "git.gensokyo.uk/security/fortify/test/sandbox"
-      func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1]) }
+      func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1], "/tmp/sandbox-ok") }
    ''} main.go
  '';
 }
--- a/test/sandbox/case/default.nix
+++ b/test/sandbox/case/default.nix
@ -1,6 +1,7 @@
 {
  lib,
  callPackage,
  writeText,
  foot,
  version,
@ -29,7 +30,7 @@ let
      ;
  };
-  checkSandbox = callPackage ../. { inherit version; };
+  checkSandbox = callPackage ../assert.nix { inherit version; };
  callTestCase =
    path:
@ -48,7 +49,11 @@ let
      inherit (tc) tty mapRealUid;
      share = foot;
      packages = [ ];
-      command = builtins.toString (checkSandbox tc.name tc.want);
+      path = "${checkSandbox}/bin/test";
      args = [
        "test"
        (toString (writeText "fortify-${tc.name}-want.json" (builtins.toJSON tc.want)))
      ];
    };
 in
 {
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@ -9,6 +9,19 @@
  mapRealUid = true;
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
      "HOME=/var/lib/fortify/u0/a3"
      "PULSE_SERVER=unix:/run/user/1000/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a3"
      "WAYLAND_DISPLAY=wayland-0"
      "XDG_RUNTIME_DIR=/run/user/1000"
      "XDG_SESSION_CLASS=user"
      "XDG_SESSION_TYPE=tty"
    ];
    fs = fs "dead" {
      ".fortify" = fs "800001ed" {
        etc = fs "800001ed" null null;
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@ -9,6 +9,19 @@
  mapRealUid = false;
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
      "HOME=/var/lib/fortify/u0/a1"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a1"
      "WAYLAND_DISPLAY=wayland-0"
      "XDG_RUNTIME_DIR=/run/user/65534"
      "XDG_SESSION_CLASS=user"
      "XDG_SESSION_TYPE=tty"
    ];
    fs = fs "dead" {
      ".fortify" = fs "800001ed" {
        etc = fs "800001ed" null null;
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@ -9,6 +9,19 @@
  mapRealUid = false;
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
      "HOME=/var/lib/fortify/u0/a2"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a2"
      "WAYLAND_DISPLAY=wayland-0"
      "XDG_RUNTIME_DIR=/run/user/65534"
      "XDG_SESSION_CLASS=user"
      "XDG_SESSION_TYPE=tty"
    ];
    fs = fs "dead" {
      ".fortify" = fs "800001ed" {
        etc = fs "800001ed" null null;
--- a/test/sandbox/default.nix
+++ b/test/sandbox/default.nix
@ -1,14 +0,0 @@
 {
  writeShellScript,
  writeText,
  callPackage,
  version,
 }:
 name: want:
 writeShellScript "fortify-${name}-check-sandbox-script" ''
  set -e
  ${callPackage ./assert.nix { inherit version; }}/bin/test \
    ${writeText "fortify-${name}-want.json" (builtins.toJSON want)}
  touch /tmp/sandbox-ok
 ''
Author	SHA1	Message	Date
Ophestra	f8502c3ece	test/sandbox: check environment All checks were successful Test / Create distribution (push) Successful in 19s Details Test / Fpkg (push) Successful in 34s Details Test / Fortify (push) Successful in 41s Details Test / Data race detector (push) Successful in 41s Details Test / Flake checks (push) Successful in 56s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:16:33 +09:00
Ophestra	996b42634d	test/sandbox: invoke check program directly All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Fpkg (push) Successful in 34s Details Test / Fortify (push) Successful in 40s Details Test / Data race detector (push) Successful in 2m47s Details Test / Flake checks (push) Successful in 1m4s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 03:11:50 +09:00
Ophestra	300571af47	app: pass through $SHELL All checks were successful Test / Create distribution (push) Successful in 25s Details Test / Fpkg (push) Successful in 33s Details Test / Fortify (push) Successful in 39s Details Test / Data race detector (push) Successful in 39s Details Test / Flake checks (push) Successful in 55s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-03-27 01:22:40 +09:00