treewide: rename to hakurei
All checks were successful
Test / Create distribution (push) Successful in 43s
Test / Sandbox (push) Successful in 2m18s
Test / Hakurei (push) Successful in 3m10s
Test / Sandbox (race detector) (push) Successful in 3m30s
Test / Hakurei (race detector) (push) Successful in 4m43s
Test / Fpkg (push) Successful in 5m4s
Test / Flake checks (push) Successful in 1m12s
All checks were successful
Test / Create distribution (push) Successful in 43s
Test / Sandbox (push) Successful in 2m18s
Test / Hakurei (push) Successful in 3m10s
Test / Sandbox (race detector) (push) Successful in 3m30s
Test / Hakurei (race detector) (push) Successful in 4m43s
Test / Fpkg (push) Successful in 5m4s
Test / Flake checks (push) Successful in 1m12s
Fortify makes little sense for a container tool. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -46,14 +46,14 @@ let
|
||||
;
|
||||
share = testProgram;
|
||||
packages = [ ];
|
||||
path = "${testProgram}/bin/fortify-test";
|
||||
path = "${testProgram}/bin/hakurei-test";
|
||||
args = [
|
||||
"test"
|
||||
(toString (builtins.toFile "fortify-${tc.name}-want.json" (builtins.toJSON tc.want)))
|
||||
(toString (builtins.toFile "hakurei-${tc.name}-want.json" (builtins.toJSON tc.want)))
|
||||
];
|
||||
};
|
||||
|
||||
testCaseName = name: "cat.gensokyo.fortify.test." + name;
|
||||
testCaseName = name: "cat.gensokyo.hakurei.test." + name;
|
||||
in
|
||||
{
|
||||
${testCaseName "preset"} = callTestCase ./preset.nix 1;
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
want = {
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"HOME=/var/lib/fortify/u0/a4"
|
||||
"HOME=/var/lib/hakurei/u0/a4"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
@@ -25,7 +25,7 @@
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
".fortify" = fs "800001ed" { } null;
|
||||
".hakurei" = fs "800001ed" { } null;
|
||||
bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
|
||||
dev = fs "800001ed" null null;
|
||||
etc = fs "800001ed" {
|
||||
@@ -43,9 +43,9 @@
|
||||
"dhcpcd.exit-hook" = fs "80001ff" null null;
|
||||
"fonts" = fs "80001ff" null null;
|
||||
"fstab" = fs "80001ff" null null;
|
||||
"fsurc" = fs "80001ff" null null;
|
||||
"hsurc" = fs "80001ff" null null;
|
||||
"fuse.conf" = fs "80001ff" null null;
|
||||
"group" = fs "180" null "fortify:x:65534:\n";
|
||||
"group" = fs "180" null "hakurei:x:65534:\n";
|
||||
"host.conf" = fs "80001ff" null null;
|
||||
"hostname" = fs "80001ff" null null;
|
||||
"hosts" = fs "80001ff" null null;
|
||||
@@ -70,7 +70,7 @@
|
||||
"os-release" = fs "80001ff" null null;
|
||||
"pam" = fs "80001ff" null null;
|
||||
"pam.d" = fs "80001ff" null null;
|
||||
"passwd" = fs "180" null "u0_a4:x:65534:65534:Fortify:/var/lib/fortify/u0/a4:/run/current-system/sw/bin/bash\n";
|
||||
"passwd" = fs "180" null "u0_a4:x:65534:65534:Hakurei:/var/lib/hakurei/u0/a4:/run/current-system/sw/bin/bash\n";
|
||||
"pipewire" = fs "80001ff" null null;
|
||||
"pki" = fs "80001ff" null null;
|
||||
"polkit-1" = fs "80001ff" null null;
|
||||
@@ -138,7 +138,7 @@
|
||||
usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
|
||||
var = fs "800001c0" {
|
||||
lib = fs "800001c0" {
|
||||
fortify = fs "800001c0" {
|
||||
hakurei = fs "800001c0" {
|
||||
u0 = fs "800001c0" {
|
||||
a4 = fs "800001c0" {
|
||||
".cache" = fs "800001ed" { ".keep" = fs "80001ff" null ""; } null;
|
||||
@@ -186,7 +186,7 @@
|
||||
mount = [
|
||||
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
|
||||
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
|
||||
(ent "/" "/.fortify" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
|
||||
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
|
||||
(ent "/" "/dev" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
(ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
|
||||
(ent "/" "/dev/shm" "rw,nosuid,nodev" "tmpfs" "tmpfs" ignore)
|
||||
@@ -204,9 +204,9 @@
|
||||
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
|
||||
(ent "/tmp/fortify.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/fortify.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/fortify/u0/a4" "/var/lib/fortify/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
want = {
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
|
||||
"HOME=/var/lib/fortify/u0/a3"
|
||||
"HOME=/var/lib/hakurei/u0/a3"
|
||||
"PULSE_SERVER=unix:/run/user/1000/pulse/native"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
@@ -25,7 +25,7 @@
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
".fortify" = fs "800001ed" { } null;
|
||||
".hakurei" = fs "800001ed" { } null;
|
||||
bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
|
||||
dev = fs "800001ed" {
|
||||
core = fs "80001ff" null null;
|
||||
@@ -67,9 +67,9 @@
|
||||
"dhcpcd.exit-hook" = fs "80001ff" null null;
|
||||
"fonts" = fs "80001ff" null null;
|
||||
"fstab" = fs "80001ff" null null;
|
||||
"fsurc" = fs "80001ff" null null;
|
||||
"hsurc" = fs "80001ff" null null;
|
||||
"fuse.conf" = fs "80001ff" null null;
|
||||
"group" = fs "180" null "fortify:x:100:\n";
|
||||
"group" = fs "180" null "hakurei:x:100:\n";
|
||||
"host.conf" = fs "80001ff" null null;
|
||||
"hostname" = fs "80001ff" null null;
|
||||
"hosts" = fs "80001ff" null null;
|
||||
@@ -94,7 +94,7 @@
|
||||
"os-release" = fs "80001ff" null null;
|
||||
"pam" = fs "80001ff" null null;
|
||||
"pam.d" = fs "80001ff" null null;
|
||||
"passwd" = fs "180" null "u0_a3:x:1000:100:Fortify:/var/lib/fortify/u0/a3:/run/current-system/sw/bin/bash\n";
|
||||
"passwd" = fs "180" null "u0_a3:x:1000:100:Hakurei:/var/lib/hakurei/u0/a3:/run/current-system/sw/bin/bash\n";
|
||||
"pipewire" = fs "80001ff" null null;
|
||||
"pki" = fs "80001ff" null null;
|
||||
"polkit-1" = fs "80001ff" null null;
|
||||
@@ -162,7 +162,7 @@
|
||||
usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
|
||||
var = fs "800001c0" {
|
||||
lib = fs "800001c0" {
|
||||
fortify = fs "800001c0" {
|
||||
hakurei = fs "800001c0" {
|
||||
u0 = fs "800001c0" {
|
||||
a3 = fs "800001c0" {
|
||||
".cache" = fs "800001ed" { ".keep" = fs "80001ff" null ""; } null;
|
||||
@@ -210,7 +210,7 @@
|
||||
mount = [
|
||||
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
|
||||
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
|
||||
(ent "/" "/.fortify" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
|
||||
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
|
||||
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003")
|
||||
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
@@ -232,9 +232,9 @@
|
||||
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
|
||||
(ent "/tmp/fortify.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/fortify.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/fortify/u0/a3" "/var/lib/fortify/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
|
||||
(ent ignore "/run/user/1000/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
want = {
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"HOME=/var/lib/fortify/u0/a1"
|
||||
"HOME=/var/lib/hakurei/u0/a1"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
@@ -25,7 +25,7 @@
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
".fortify" = fs "800001ed" { } null;
|
||||
".hakurei" = fs "800001ed" { } null;
|
||||
bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
|
||||
dev = fs "800001ed" {
|
||||
core = fs "80001ff" null null;
|
||||
@@ -67,9 +67,9 @@
|
||||
"dhcpcd.exit-hook" = fs "80001ff" null null;
|
||||
"fonts" = fs "80001ff" null null;
|
||||
"fstab" = fs "80001ff" null null;
|
||||
"fsurc" = fs "80001ff" null null;
|
||||
"hsurc" = fs "80001ff" null null;
|
||||
"fuse.conf" = fs "80001ff" null null;
|
||||
"group" = fs "180" null "fortify:x:65534:\n";
|
||||
"group" = fs "180" null "hakurei:x:65534:\n";
|
||||
"host.conf" = fs "80001ff" null null;
|
||||
"hostname" = fs "80001ff" null null;
|
||||
"hosts" = fs "80001ff" null null;
|
||||
@@ -94,7 +94,7 @@
|
||||
"os-release" = fs "80001ff" null null;
|
||||
"pam" = fs "80001ff" null null;
|
||||
"pam.d" = fs "80001ff" null null;
|
||||
"passwd" = fs "180" null "u0_a1:x:65534:65534:Fortify:/var/lib/fortify/u0/a1:/run/current-system/sw/bin/bash\n";
|
||||
"passwd" = fs "180" null "u0_a1:x:65534:65534:Hakurei:/var/lib/hakurei/u0/a1:/run/current-system/sw/bin/bash\n";
|
||||
"pipewire" = fs "80001ff" null null;
|
||||
"pki" = fs "80001ff" null null;
|
||||
"polkit-1" = fs "80001ff" null null;
|
||||
@@ -162,7 +162,7 @@
|
||||
usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
|
||||
var = fs "800001c0" {
|
||||
lib = fs "800001c0" {
|
||||
fortify = fs "800001c0" {
|
||||
hakurei = fs "800001c0" {
|
||||
u0 = fs "800001c0" {
|
||||
a1 = fs "800001c0" {
|
||||
".cache" = fs "800001ed" { ".keep" = fs "80001ff" null ""; } null;
|
||||
@@ -209,7 +209,7 @@
|
||||
mount = [
|
||||
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
|
||||
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
|
||||
(ent "/" "/.fortify" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
|
||||
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
|
||||
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001")
|
||||
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
@@ -230,9 +230,9 @@
|
||||
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
|
||||
(ent "/tmp/fortify.1000/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/fortify.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/fortify/u0/a1" "/var/lib/fortify/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
want = {
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"HOME=/var/lib/fortify/u0/a2"
|
||||
"HOME=/var/lib/hakurei/u0/a2"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
@@ -25,7 +25,7 @@
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
".fortify" = fs "800001ed" { } null;
|
||||
".hakurei" = fs "800001ed" { } null;
|
||||
bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
|
||||
dev = fs "800001ed" {
|
||||
console = fs "4200190" null null;
|
||||
@@ -68,9 +68,9 @@
|
||||
"dhcpcd.exit-hook" = fs "80001ff" null null;
|
||||
"fonts" = fs "80001ff" null null;
|
||||
"fstab" = fs "80001ff" null null;
|
||||
"fsurc" = fs "80001ff" null null;
|
||||
"hsurc" = fs "80001ff" null null;
|
||||
"fuse.conf" = fs "80001ff" null null;
|
||||
"group" = fs "180" null "fortify:x:65534:\n";
|
||||
"group" = fs "180" null "hakurei:x:65534:\n";
|
||||
"host.conf" = fs "80001ff" null null;
|
||||
"hostname" = fs "80001ff" null null;
|
||||
"hosts" = fs "80001ff" null null;
|
||||
@@ -95,7 +95,7 @@
|
||||
"os-release" = fs "80001ff" null null;
|
||||
"pam" = fs "80001ff" null null;
|
||||
"pam.d" = fs "80001ff" null null;
|
||||
"passwd" = fs "180" null "u0_a2:x:65534:65534:Fortify:/var/lib/fortify/u0/a2:/run/current-system/sw/bin/bash\n";
|
||||
"passwd" = fs "180" null "u0_a2:x:65534:65534:Hakurei:/var/lib/hakurei/u0/a2:/run/current-system/sw/bin/bash\n";
|
||||
"pipewire" = fs "80001ff" null null;
|
||||
"pki" = fs "80001ff" null null;
|
||||
"polkit-1" = fs "80001ff" null null;
|
||||
@@ -163,7 +163,7 @@
|
||||
usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
|
||||
var = fs "800001c0" {
|
||||
lib = fs "800001c0" {
|
||||
fortify = fs "800001c0" {
|
||||
hakurei = fs "800001c0" {
|
||||
u0 = fs "800001c0" {
|
||||
a2 = fs "800001c0" {
|
||||
".cache" = fs "800001ed" { ".keep" = fs "80001ff" null ""; } null;
|
||||
@@ -211,7 +211,7 @@
|
||||
mount = [
|
||||
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
|
||||
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
|
||||
(ent "/" "/.fortify" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
|
||||
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
|
||||
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")
|
||||
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
|
||||
@@ -234,9 +234,9 @@
|
||||
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
|
||||
(ent "/tmp/fortify.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/fortify.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/fortify/u0/a2" "/var/lib/fortify/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/tmp/hakurei.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
...
|
||||
}:
|
||||
let
|
||||
testProgram = pkgs.callPackage ./tool/package.nix { inherit (config.environment.fortify.package) version; };
|
||||
testProgram = pkgs.callPackage ./tool/package.nix { inherit (config.environment.hakurei.package) version; };
|
||||
in
|
||||
{
|
||||
users.users = {
|
||||
@@ -23,7 +23,7 @@ in
|
||||
services.getty.autologinUser = "alice";
|
||||
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
systemPackages = [
|
||||
# For checking seccomp outcome:
|
||||
testProgram
|
||||
];
|
||||
@@ -59,9 +59,9 @@ in
|
||||
"-smp 8"
|
||||
];
|
||||
|
||||
environment.fortify = {
|
||||
environment.hakurei = {
|
||||
enable = true;
|
||||
stateDir = "/var/lib/fortify";
|
||||
stateDir = "/var/lib/hakurei";
|
||||
users.alice = 0;
|
||||
|
||||
extraHomeConfig = {
|
||||
|
||||
@@ -7,23 +7,23 @@
|
||||
}:
|
||||
|
||||
nixosTest {
|
||||
name = "fortify-sandbox" + (if withRace then "-race" else "");
|
||||
name = "hakurei-sandbox" + (if withRace then "-race" else "");
|
||||
nodes.machine =
|
||||
{ options, pkgs, ... }:
|
||||
{
|
||||
# Run with Go race detector:
|
||||
environment.fortify = lib.mkIf withRace rec {
|
||||
environment.hakurei = lib.mkIf withRace rec {
|
||||
# race detector does not support static linking
|
||||
package = (pkgs.callPackage ../../package.nix { }).overrideAttrs (previousAttrs: {
|
||||
GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ];
|
||||
});
|
||||
fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; };
|
||||
hsuPackage = options.environment.hakurei.hsuPackage.default.override { hakurei = package; };
|
||||
};
|
||||
|
||||
imports = [
|
||||
./configuration.nix
|
||||
|
||||
self.nixosModules.fortify
|
||||
self.nixosModules.hakurei
|
||||
self.inputs.home-manager.nixosModules.home-manager
|
||||
];
|
||||
};
|
||||
|
||||
@@ -8,12 +8,12 @@ import (
|
||||
"testing"
|
||||
"testing/fstest"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/test/sandbox"
|
||||
"git.gensokyo.uk/security/hakurei/test/sandbox"
|
||||
)
|
||||
|
||||
var (
|
||||
fsPasswdSample = "u0_a20:x:65534:65534:Fortify:/var/lib/persist/module/fortify/u0/a20:/run/current-system/sw/bin/zsh"
|
||||
fsGroupSample = "fortify:x:65534:"
|
||||
fsPasswdSample = "u0_a20:x:65534:65534:Hakurei:/var/lib/persist/module/hakurei/u0/a20:/run/current-system/sw/bin/zsh"
|
||||
fsGroupSample = "hakurei:x:65534:"
|
||||
)
|
||||
|
||||
func TestCompare(t *testing.T) {
|
||||
@@ -26,15 +26,15 @@ func TestCompare(t *testing.T) {
|
||||
wantErr error
|
||||
}{
|
||||
{"skip", fstest.MapFS{}, &sandbox.FS{}, "[ OK ] s .\x00", nil},
|
||||
{"simple pass", fstest.MapFS{".fortify": {Mode: 0x800001ed}},
|
||||
&sandbox.FS{Dir: map[string]*sandbox.FS{".fortify": {Mode: 0x800001ed}}},
|
||||
"[ OK ] s .fortify\x00[ OK ] d .\x00", nil},
|
||||
{"bad length", fstest.MapFS{".fortify": {Mode: 0x800001ed}},
|
||||
{"simple pass", fstest.MapFS{".hakurei": {Mode: 0x800001ed}},
|
||||
&sandbox.FS{Dir: map[string]*sandbox.FS{".hakurei": {Mode: 0x800001ed}}},
|
||||
"[ OK ] s .hakurei\x00[ OK ] d .\x00", nil},
|
||||
{"bad length", fstest.MapFS{".hakurei": {Mode: 0x800001ed}},
|
||||
&sandbox.FS{Dir: make(map[string]*sandbox.FS)},
|
||||
"[FAIL] d .: \".fortify/\"\x00", sandbox.ErrFSBadLength},
|
||||
{"top level bad mode", fstest.MapFS{".fortify": {Mode: 0x800001ed}},
|
||||
&sandbox.FS{Dir: map[string]*sandbox.FS{".fortify": {Mode: 0xdeadbeef}}},
|
||||
"[FAIL] m .fortify: 800001ed, want deadbeef\x00", sandbox.ErrFSBadMode},
|
||||
"[FAIL] d .: \".hakurei/\"\x00", sandbox.ErrFSBadLength},
|
||||
{"top level bad mode", fstest.MapFS{".hakurei": {Mode: 0x800001ed}},
|
||||
&sandbox.FS{Dir: map[string]*sandbox.FS{".hakurei": {Mode: 0xdeadbeef}}},
|
||||
"[FAIL] m .hakurei: 800001ed, want deadbeef\x00", sandbox.ErrFSBadMode},
|
||||
{"invalid entry condition", fstest.MapFS{"test": {Data: []byte{'0'}, Mode: 0644}},
|
||||
&sandbox.FS{Dir: map[string]*sandbox.FS{"test": {Dir: make(map[string]*sandbox.FS)}}},
|
||||
"[FAIL] d .: \"test\"\x00", sandbox.ErrFSInvalidEnt},
|
||||
@@ -54,7 +54,7 @@ func TestCompare(t *testing.T) {
|
||||
}, &sandbox.FS{Dir: map[string]*sandbox.FS{"etc": {Mode: 0x800001c0, Dir: map[string]*sandbox.FS{
|
||||
"passwd": {Mode: 0x1a4, Data: &fsGroupSample},
|
||||
"group": {Mode: 0x1a4, Data: &fsGroupSample},
|
||||
}}}}, "[ OK ] f etc/group\x00[FAIL] f etc/passwd\x00got: u0_a20:x:65534:65534:Fortify:/var/lib/persist/module/fortify/u0/a20:/run/current-system/sw/bin/zsh\x00want: fortify:x:65534:\x00", sandbox.ErrFSBadData},
|
||||
}}}}, "[ OK ] f etc/group\x00[FAIL] f etc/passwd\x00got: u0_a20:x:65534:65534:Hakurei:/var/lib/persist/module/hakurei/u0/a20:/run/current-system/sw/bin/zsh\x00want: hakurei:x:65534:\x00", sandbox.ErrFSBadData},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
|
||||
@@ -7,7 +7,7 @@ package sandbox
|
||||
#include <stdio.h>
|
||||
#include <libmount.h>
|
||||
|
||||
const char *F_MOUNTINFO_PATH = "/proc/self/mountinfo";
|
||||
const char *HAKUREI_MOUNTINFO_PATH = "/proc/self/mountinfo";
|
||||
*/
|
||||
import "C"
|
||||
|
||||
@@ -86,7 +86,7 @@ func (m *Mountinfo) Parse() error {
|
||||
}
|
||||
|
||||
if m.p == "" {
|
||||
m.tb = C.mnt_new_table_from_file(C.F_MOUNTINFO_PATH)
|
||||
m.tb = C.mnt_new_table_from_file(C.HAKUREI_MOUNTINFO_PATH)
|
||||
} else {
|
||||
name := C.CString(m.p)
|
||||
m.tb = C.mnt_new_table_from_file(name)
|
||||
|
||||
@@ -5,7 +5,7 @@ import (
|
||||
"path"
|
||||
"testing"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/test/sandbox"
|
||||
"git.gensokyo.uk/security/hakurei/test/sandbox"
|
||||
)
|
||||
|
||||
func TestMountinfo(t *testing.T) {
|
||||
|
||||
@@ -28,27 +28,27 @@ def swaymsg(command: str = "", succeed=True, type="command"):
|
||||
start_all()
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
|
||||
# To check fortify's version:
|
||||
print(machine.succeed("sudo -u alice -i fortify version"))
|
||||
# To check hakurei's version:
|
||||
print(machine.succeed("sudo -u alice -i hakurei version"))
|
||||
|
||||
# Wait for Sway to complete startup:
|
||||
machine.wait_for_file("/run/user/1000/wayland-1")
|
||||
machine.wait_for_file("/tmp/sway-ipc.sock")
|
||||
|
||||
# Check seccomp outcome:
|
||||
swaymsg("exec fortify run cat")
|
||||
swaymsg("exec hakurei run cat")
|
||||
pid = int(machine.wait_until_succeeds("pgrep -U 1000000 -x cat", timeout=5))
|
||||
print(machine.succeed(f"fortify-test filter {pid} c698b081ff957afe17a6d94374537d37f2a63f6f9dd75da7546542407a9e32476ebda3312ba7785d7f618542bcfaf27ca27dcc2dddba852069d28bcfe8cad39a &>/dev/stdout", timeout=5))
|
||||
print(machine.succeed(f"hakurei-test filter {pid} c698b081ff957afe17a6d94374537d37f2a63f6f9dd75da7546542407a9e32476ebda3312ba7785d7f618542bcfaf27ca27dcc2dddba852069d28bcfe8cad39a &>/dev/stdout", timeout=5))
|
||||
machine.succeed(f"kill -TERM {pid}")
|
||||
|
||||
# Verify capabilities/securebits in user namespace:
|
||||
print(machine.succeed("sudo -u alice -i fortify run capsh --print"))
|
||||
print(machine.succeed("sudo -u alice -i fortify run capsh --has-no-new-privs"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-a=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-b=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-i=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run capsh --has-p=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i fortify run umount -R /dev"))
|
||||
print(machine.succeed("sudo -u alice -i hakurei run capsh --print"))
|
||||
print(machine.succeed("sudo -u alice -i hakurei run capsh --has-no-new-privs"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-a=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-b=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-i=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run capsh --has-p=CAP_SYS_ADMIN"))
|
||||
print(machine.fail("sudo -u alice -i hakurei run umount -R /dev"))
|
||||
|
||||
# Check sandbox outcome:
|
||||
check_offset = 0
|
||||
@@ -56,7 +56,7 @@ def check_sandbox(name):
|
||||
global check_offset
|
||||
check_offset += 1
|
||||
swaymsg(f"exec script /dev/null -E always -qec check-sandbox-{name}")
|
||||
machine.wait_for_file(f"/tmp/fortify.1000/tmpdir/{check_offset}/sandbox-ok", timeout=15)
|
||||
machine.wait_for_file(f"/tmp/hakurei.1000/tmpdir/{check_offset}/sandbox-ok", timeout=15)
|
||||
|
||||
|
||||
check_sandbox("preset")
|
||||
@@ -68,5 +68,5 @@ check_sandbox("device")
|
||||
swaymsg("exit", succeed=False)
|
||||
machine.wait_for_file("/tmp/sway-exit-ok")
|
||||
|
||||
# Print fortify runDir contents:
|
||||
print(machine.succeed("find /run/user/1000/fortify"))
|
||||
# Print hakurei runDir contents:
|
||||
print(machine.succeed("find /run/user/1000/hakurei"))
|
||||
|
||||
@@ -6,7 +6,7 @@ import (
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/test/sandbox"
|
||||
"git.gensokyo.uk/security/hakurei/test/sandbox"
|
||||
)
|
||||
|
||||
func main() {
|
||||
|
||||
@@ -21,10 +21,10 @@ buildGoModule rec {
|
||||
nativeBuildInputs = [ pkg-config ];
|
||||
|
||||
preBuild = ''
|
||||
go mod init git.gensokyo.uk/security/fortify/test/sandbox >& /dev/null
|
||||
go mod init git.gensokyo.uk/security/hakurei/test/sandbox >& /dev/null
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
mv $out/bin/tool $out/bin/fortify-test
|
||||
mv $out/bin/tool $out/bin/hakurei-test
|
||||
'';
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user