Compare commits
No commits in common. "f8502c3ece1ff53b244326e341b166174f7f5d79" and "32c90ef4e737f25f57cfa9f493c9cd7f6950c508" have entirely different histories.
f8502c3ece
...
32c90ef4e7
@ -101,7 +101,6 @@ var testCasesNixos = []sealTestCase{
|
|||||||
"HOME=/var/lib/persist/module/fortify/0/1",
|
"HOME=/var/lib/persist/module/fortify/0/1",
|
||||||
"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
|
"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
|
||||||
"PULSE_SERVER=unix:/run/user/1971/pulse/native",
|
"PULSE_SERVER=unix:/run/user/1971/pulse/native",
|
||||||
"SHELL=/run/current-system/sw/bin/zsh",
|
|
||||||
"TERM=xterm-256color",
|
"TERM=xterm-256color",
|
||||||
"USER=u0_a1",
|
"USER=u0_a1",
|
||||||
"WAYLAND_DISPLAY=wayland-0",
|
"WAYLAND_DISPLAY=wayland-0",
|
||||||
|
|||||||
@ -41,7 +41,6 @@ var testCasesPd = []sealTestCase{
|
|||||||
Args: []string{"/run/current-system/sw/bin/zsh"},
|
Args: []string{"/run/current-system/sw/bin/zsh"},
|
||||||
Env: []string{
|
Env: []string{
|
||||||
"HOME=/home/chronos",
|
"HOME=/home/chronos",
|
||||||
"SHELL=/run/current-system/sw/bin/zsh",
|
|
||||||
"TERM=xterm-256color",
|
"TERM=xterm-256color",
|
||||||
"USER=chronos",
|
"USER=chronos",
|
||||||
"XDG_RUNTIME_DIR=/run/user/65534",
|
"XDG_RUNTIME_DIR=/run/user/65534",
|
||||||
@ -260,7 +259,6 @@ var testCasesPd = []sealTestCase{
|
|||||||
"HOME=/home/chronos",
|
"HOME=/home/chronos",
|
||||||
"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
|
"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
|
||||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native",
|
"PULSE_SERVER=unix:/run/user/65534/pulse/native",
|
||||||
"SHELL=/run/current-system/sw/bin/zsh",
|
|
||||||
"TERM=xterm-256color",
|
"TERM=xterm-256color",
|
||||||
"USER=chronos",
|
"USER=chronos",
|
||||||
"WAYLAND_DISPLAY=wayland-0",
|
"WAYLAND_DISPLAY=wayland-0",
|
||||||
|
|||||||
@ -255,9 +255,8 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
|
|||||||
mapuid = newInt(uid)
|
mapuid = newInt(uid)
|
||||||
mapgid = newInt(gid)
|
mapgid = newInt(gid)
|
||||||
if seal.env == nil {
|
if seal.env == nil {
|
||||||
seal.env = make(map[string]string, 1<<6)
|
seal.env = make(map[string]string)
|
||||||
}
|
}
|
||||||
seal.env[shell] = shellPath
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
@ -6,12 +6,7 @@
|
|||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
testCases = import ./sandbox/case {
|
testCases = import ./sandbox/case {
|
||||||
inherit (pkgs)
|
inherit (pkgs) lib callPackage foot;
|
||||||
lib
|
|
||||||
callPackage
|
|
||||||
writeText
|
|
||||||
foot
|
|
||||||
;
|
|
||||||
inherit (config.environment.fortify.package) version;
|
inherit (config.environment.fortify.package) version;
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
|
|||||||
@ -23,7 +23,6 @@ func printf(format string, v ...any) { printfFunc(format, v...) }
|
|||||||
func fatalf(format string, v ...any) { fatalfFunc(format, v...) }
|
func fatalf(format string, v ...any) { fatalfFunc(format, v...) }
|
||||||
|
|
||||||
type TestCase struct {
|
type TestCase struct {
|
||||||
Env []string `json:"env"`
|
|
||||||
FS *FS `json:"fs"`
|
FS *FS `json:"fs"`
|
||||||
Mount []*MountinfoEntry `json:"mount"`
|
Mount []*MountinfoEntry `json:"mount"`
|
||||||
Seccomp bool `json:"seccomp"`
|
Seccomp bool `json:"seccomp"`
|
||||||
@ -35,46 +34,13 @@ type T struct {
|
|||||||
MountsPath string
|
MountsPath string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *T) MustCheckFile(wantFilePath, markerPath string) {
|
func (t *T) MustCheckFile(wantFilePath string) {
|
||||||
var want *TestCase
|
var want *TestCase
|
||||||
mustDecode(wantFilePath, &want)
|
mustDecode(wantFilePath, &want)
|
||||||
t.MustCheck(want)
|
t.MustCheck(want)
|
||||||
if _, err := os.Create(markerPath); err != nil {
|
|
||||||
fatalf("cannot create success marker: %v", err)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *T) MustCheck(want *TestCase) {
|
func (t *T) MustCheck(want *TestCase) {
|
||||||
if want.Env != nil {
|
|
||||||
var (
|
|
||||||
fail bool
|
|
||||||
i int
|
|
||||||
got string
|
|
||||||
)
|
|
||||||
for i, got = range os.Environ() {
|
|
||||||
if i == len(want.Env) {
|
|
||||||
fatalf("got more than %d environment variables", len(want.Env))
|
|
||||||
}
|
|
||||||
if got != want.Env[i] {
|
|
||||||
fail = true
|
|
||||||
printf("[FAIL] %s", got)
|
|
||||||
} else {
|
|
||||||
printf("[ OK ] %s", got)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
i++
|
|
||||||
if i != len(want.Env) {
|
|
||||||
fatalf("got %d environment variables, want %d", i, len(want.Env))
|
|
||||||
}
|
|
||||||
|
|
||||||
if fail {
|
|
||||||
fatalf("[FAIL] some environment variables did not match")
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
printf("[SKIP] skipping environ check")
|
|
||||||
}
|
|
||||||
|
|
||||||
if want.FS != nil && t.FS != nil {
|
if want.FS != nil && t.FS != nil {
|
||||||
if err := want.FS.Compare(".", t.FS); err != nil {
|
if err := want.FS.Compare(".", t.FS); err != nil {
|
||||||
fatalf("%v", err)
|
fatalf("%v", err)
|
||||||
|
|||||||
@ -24,7 +24,7 @@ buildGoModule {
|
|||||||
import "os"
|
import "os"
|
||||||
import "git.gensokyo.uk/security/fortify/test/sandbox"
|
import "git.gensokyo.uk/security/fortify/test/sandbox"
|
||||||
|
|
||||||
func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1], "/tmp/sandbox-ok") }
|
func main() { (&sandbox.T{FS: os.DirFS("/")}).MustCheckFile(os.Args[1]) }
|
||||||
''} main.go
|
''} main.go
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,7 +1,6 @@
|
|||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
callPackage,
|
callPackage,
|
||||||
writeText,
|
|
||||||
foot,
|
foot,
|
||||||
|
|
||||||
version,
|
version,
|
||||||
@ -30,7 +29,7 @@ let
|
|||||||
;
|
;
|
||||||
};
|
};
|
||||||
|
|
||||||
checkSandbox = callPackage ../assert.nix { inherit version; };
|
checkSandbox = callPackage ../. { inherit version; };
|
||||||
|
|
||||||
callTestCase =
|
callTestCase =
|
||||||
path:
|
path:
|
||||||
@ -49,11 +48,7 @@ let
|
|||||||
inherit (tc) tty mapRealUid;
|
inherit (tc) tty mapRealUid;
|
||||||
share = foot;
|
share = foot;
|
||||||
packages = [ ];
|
packages = [ ];
|
||||||
path = "${checkSandbox}/bin/test";
|
command = builtins.toString (checkSandbox tc.name tc.want);
|
||||||
args = [
|
|
||||||
"test"
|
|
||||||
(toString (writeText "fortify-${tc.name}-want.json" (builtins.toJSON tc.want)))
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|||||||
@ -9,19 +9,6 @@
|
|||||||
mapRealUid = true;
|
mapRealUid = true;
|
||||||
|
|
||||||
want = {
|
want = {
|
||||||
env = [
|
|
||||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
|
|
||||||
"HOME=/var/lib/fortify/u0/a3"
|
|
||||||
"PULSE_SERVER=unix:/run/user/1000/pulse/native"
|
|
||||||
"SHELL=/run/current-system/sw/bin/bash"
|
|
||||||
"TERM=linux"
|
|
||||||
"USER=u0_a3"
|
|
||||||
"WAYLAND_DISPLAY=wayland-0"
|
|
||||||
"XDG_RUNTIME_DIR=/run/user/1000"
|
|
||||||
"XDG_SESSION_CLASS=user"
|
|
||||||
"XDG_SESSION_TYPE=tty"
|
|
||||||
];
|
|
||||||
|
|
||||||
fs = fs "dead" {
|
fs = fs "dead" {
|
||||||
".fortify" = fs "800001ed" {
|
".fortify" = fs "800001ed" {
|
||||||
etc = fs "800001ed" null null;
|
etc = fs "800001ed" null null;
|
||||||
|
|||||||
@ -9,19 +9,6 @@
|
|||||||
mapRealUid = false;
|
mapRealUid = false;
|
||||||
|
|
||||||
want = {
|
want = {
|
||||||
env = [
|
|
||||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
|
||||||
"HOME=/var/lib/fortify/u0/a1"
|
|
||||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
|
||||||
"SHELL=/run/current-system/sw/bin/bash"
|
|
||||||
"TERM=linux"
|
|
||||||
"USER=u0_a1"
|
|
||||||
"WAYLAND_DISPLAY=wayland-0"
|
|
||||||
"XDG_RUNTIME_DIR=/run/user/65534"
|
|
||||||
"XDG_SESSION_CLASS=user"
|
|
||||||
"XDG_SESSION_TYPE=tty"
|
|
||||||
];
|
|
||||||
|
|
||||||
fs = fs "dead" {
|
fs = fs "dead" {
|
||||||
".fortify" = fs "800001ed" {
|
".fortify" = fs "800001ed" {
|
||||||
etc = fs "800001ed" null null;
|
etc = fs "800001ed" null null;
|
||||||
|
|||||||
@ -9,19 +9,6 @@
|
|||||||
mapRealUid = false;
|
mapRealUid = false;
|
||||||
|
|
||||||
want = {
|
want = {
|
||||||
env = [
|
|
||||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
|
||||||
"HOME=/var/lib/fortify/u0/a2"
|
|
||||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
|
||||||
"SHELL=/run/current-system/sw/bin/bash"
|
|
||||||
"TERM=linux"
|
|
||||||
"USER=u0_a2"
|
|
||||||
"WAYLAND_DISPLAY=wayland-0"
|
|
||||||
"XDG_RUNTIME_DIR=/run/user/65534"
|
|
||||||
"XDG_SESSION_CLASS=user"
|
|
||||||
"XDG_SESSION_TYPE=tty"
|
|
||||||
];
|
|
||||||
|
|
||||||
fs = fs "dead" {
|
fs = fs "dead" {
|
||||||
".fortify" = fs "800001ed" {
|
".fortify" = fs "800001ed" {
|
||||||
etc = fs "800001ed" null null;
|
etc = fs "800001ed" null null;
|
||||||
|
|||||||
14
test/sandbox/default.nix
Normal file
14
test/sandbox/default.nix
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
{
|
||||||
|
writeShellScript,
|
||||||
|
writeText,
|
||||||
|
callPackage,
|
||||||
|
|
||||||
|
version,
|
||||||
|
}:
|
||||||
|
name: want:
|
||||||
|
writeShellScript "fortify-${name}-check-sandbox-script" ''
|
||||||
|
set -e
|
||||||
|
${callPackage ./assert.nix { inherit version; }}/bin/test \
|
||||||
|
${writeText "fortify-${name}-want.json" (builtins.toJSON want)}
|
||||||
|
touch /tmp/sandbox-ok
|
||||||
|
''
|
||||||
Loading…
Reference in New Issue
Block a user