nix: improve common usability

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-05-16 04:38:08 +09:00
parent 008e9e7fc5
commit f30a439bcd
10 changed files with 107 additions and 25 deletions


@@ -30,13 +30,9 @@
environment = {
systemPackages = with pkgs; [
# For glinfo and wayland-info:
mesa-demos
wayland-utils
# For D-Bus tests:
libnotify
mako
libnotify
];
variables = {
@@ -99,14 +95,21 @@
stateDir = "/var/lib/fortify";
users.alice = 0;
home-manager = _: _: { home.stateVersion = "23.05"; };
extraHomeConfig = {
home.stateVersion = "23.05";
};
apps = [
{
name = "ne-foot";
verbose = true;
share = pkgs.foot;
packages = [ pkgs.foot ];
packages = with pkgs; [
foot
# For wayland-info:
wayland-utils
];
command = "foot";
capability = {
dbus = false;
@@ -125,7 +128,13 @@
name = "x11-alacritty";
verbose = true;
share = pkgs.alacritty;
packages = [ pkgs.alacritty ];
packages = with pkgs; [
# For X11 terminal emulator:
alacritty
# For glinfo:
mesa-demos
];
command = "alacritty";
capability = {
wayland = false;
@@ -139,7 +148,12 @@
verbose = true;
insecureWayland = true;
share = pkgs.foot;
packages = [ pkgs.foot ];
packages = with pkgs; [
foot
# For wayland-info:
wayland-utils
];
command = "foot";
capability = {
dbus = false;
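Review bot: The list `packages = with pkgs; [ foot # For wayland-info: wayland-utils ];` is now written out twice in this file, once for `ne-foot` and once for the `insecureWayland = true` foot app, and the `x11-alacritty` app repeats the same shape with `mesa-demos`; the two foot lists are already identical and will only drift apart from here. A single binding such as `footPackages = with pkgs; [ foot wayland-utils ];` in the module's `let`, referenced as `packages = footPackages;` from both apps, keeps the per-app package sets in one place without changing what gets installed. Each app attrset continues outside its hunk, so the `let` placement is inferred rather than visible here.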


@@ -37,7 +37,12 @@ let
{
name = "check-sandbox-${tc.name}";
verbose = true;
inherit (tc) tty device mapRealUid;
inherit (tc)
tty
device
mapRealUid
useCommonPaths
;
share = testProgram;
packages = [ ];
path = "${testProgram}/bin/fortify-test";
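Review bot: The newly threaded `useCommonPaths` attribute is inherited from `tc` with nothing saying what it turns on, so a reader of this generator cannot tell why some test cases set it to `true` and one to `false`. Going by the `commonPaths` block and the `/var/cache` mount expectations elsewhere in this commit it appears to opt the sandbox into the module-level common paths; a one-line comment above the `inherit (tc)` list such as `# useCommonPaths: mount the module-level commonPaths into this sandbox (see the /var/cache expectations in the test cases)` would make that explicit. The `let` block this app list belongs to starts outside the hunk.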


@@ -8,6 +8,7 @@
tty = false;
device = true;
mapRealUid = false;
useCommonPaths = true;
want = {
env = [
@@ -169,6 +170,7 @@
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
@@ -190,6 +192,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004")
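Review bot: The new `(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")` expectation pins a host filesystem path bind-mounted writable into the sandbox with `nosuid,nodev` but no `noexec`, so every case with `useCommonPaths = true` gets a directory shared with the host (and presumably with every other sandbox using the same common paths) in which it can create executable files. If that is the intended contract, a comment on the line such as `# commonPaths: host /var/cache shared read-write; mount options are inherited from the host fs, exec is not masked` would make the expectation deliberate rather than a snapshot of current behaviour; if it is not, the bind should add `noexec` and this expectation should change with it. The matching fs-tree expectation is the `cache = fs "800001ed" { private = fs "800001c0" null null; } null;` line in the earlier hunk of this file. The same mount expectation is added in the sections below where `mapRealUid = true` and `tty = true`, so one decision covers all three.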


@@ -8,6 +8,7 @@
tty = false;
device = false;
mapRealUid = true;
useCommonPaths = true;
want = {
env = [
@@ -193,6 +194,7 @@
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
@@ -218,6 +220,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003")


@@ -8,6 +8,7 @@
tty = false;
device = false;
mapRealUid = false;
useCommonPaths = false;
want = {
env = [


@@ -8,6 +8,7 @@
tty = true;
device = false;
mapRealUid = false;
useCommonPaths = true;
want = {
env = [
@@ -194,6 +195,7 @@
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
@@ -220,6 +222,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002")


@@ -65,7 +65,16 @@ in
stateDir = "/var/lib/fortify";
users.alice = 0;
home-manager = _: _: { home.stateVersion = "23.05"; };
extraHomeConfig = {
home.stateVersion = "23.05";
};
commonPaths = [
{
src = "/var/cache";
write = true;
}
];
apps = with testCases; [
preset