test/sandbox: check mount outcome

Do this at the beginning of the test for early failure.

Signed-off-by: Ophestra <cat@gensokyo.uk>

test/test.py

@@ -104,6 +104,10 @@ if denyOutput != "fsu: uid 1001 is not in the fsurc file\n":
 if denyOutputVerbose != "fsu: uid 1001 is not in the fsurc file\nfortify: *cannot obtain uid from fsu: permission denied\n":
     raise Exception(f"unexpected deny verbose output:\n{denyOutputVerbose}")
 
+# Check sandbox state:
+swaymsg("exec check-sandbox")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/1/sandbox-ok")
+
 # Start fortify permissive defaults outside Wayland session:
 print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare"))
 machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")
@@ -144,24 +148,24 @@ machine.succeed("pkill -9 mako")
 
 # Start app (foot) with Wayland enablement:
 swaymsg("exec ne-foot")
-wait_for_window("u0_a1@machine")
+wait_for_window("u0_a2@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/1/success-client")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
 collect_state_ui("foot_wayland")
 check_state("ne-foot", 1)
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000001"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000001")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
 
 # Start app (foot) with Wayland enablement from a terminal:
 swaymsg(
     "exec foot $SHELL -c '(ne-foot) & sleep 1 && fortify show $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
-wait_for_window("u0_a1@machine")
+wait_for_window("u0_a2@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client-term\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/1/success-client-term")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client-term")
 machine.wait_for_file("/tmp/ps-show-ok")
 collect_state_ui("foot_wayland_term")
 check_state("ne-foot", 1)
@@ -172,9 +176,9 @@ machine.wait_until_fails("pgrep foot")
 
 # Test PulseAudio (fortify does not support PipeWire yet):
 swaymsg("exec pa-foot")
-wait_for_window("u0_a2@machine")
+wait_for_window("u0_a3@machine")
 machine.send_chars("clear; pactl info && touch /tmp/success-pulse\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-pulse")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/3/success-pulse")
 collect_state_ui("pulse_wayland")
 check_state("pa-foot", 9)
 machine.send_chars("exit\n")
@@ -182,9 +186,9 @@ machine.wait_until_fails("pgrep foot")
 
 # Test XWayland (foot does not support X):
 swaymsg("exec x11-alacritty")
-wait_for_window("u0_a3@machine")
+wait_for_window("u0_a4@machine")
 machine.send_chars("clear; glinfo && touch /tmp/success-client-x11\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/3/success-client-x11")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/4/success-client-x11")
 collect_state_ui("alacritty_x11")
 check_state("x11-alacritty", 2)
 machine.send_chars("exit\n")
@@ -192,17 +196,17 @@ machine.wait_until_fails("pgrep alacritty")
 
 # Start app (foot) with direct Wayland access:
 swaymsg("exec da-foot")
-wait_for_window("u0_a4@machine")
+wait_for_window("u0_a5@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/success-direct\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/4/success-direct")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/5/success-direct")
 collect_state_ui("foot_direct")
 check_state("da-foot", 1)
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000005"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000005")
 
 # Test syscall filter:
 print(machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 strace-failure"))