security/hakurei
security/hakurei
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: security:6c1205106d7ac9702464e274502303d2b6df1dc3
Branches Tags
security:master
security:develop
security:staging
security:v0.1.1
security:v0.1.0
...
compare: security:43c3f9d8d590e696e61f32696b99727d4f97a8a1
Branches Tags
security:develop
security:master
security:staging
security:v0.1.1
security:v0.1.0

3 Commits
6c1205106d ... 43c3f9d8d5

Author SHA1 Message Date
Ophestra
43c3f9d8d5
nix: deduplicate home-manager merging
All checks were successful
Test / Create distribution (push) Successful in 24s
Details
Test / Fortify (push) Successful in 41s
Details
Test / Sandbox (push) Successful in 37s
Details
Test / Fortify (race detector) (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 37s
Details
Test / Fpkg (push) Successful in 39s
Details
Test / Flake checks (push) Successful in 1m6s
Details 
This becomes a problem when extraHomeConfig defines nixos module options.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-07 04:49:39 +09:00
Ophestra
9a7c81a44e
nix: go generate in src derivation
All checks were successful
Test / Sandbox (push) Successful in 40s
Details
Test / Fortify (race detector) (push) Successful in 49s
Details
Test / Fortify (push) Successful in 50s
Details
Test / Create distribution (push) Successful in 24s
Details
Test / Sandbox (race detector) (push) Successful in 45s
Details
Test / Fpkg (push) Successful in 39s
Details
Test / Flake checks (push) Successful in 1m12s
Details 
This saves the generated files in the nix store and exposes them for use by external tools.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-07 03:10:36 +09:00
Ophestra
b7e991de5b
nix: update flake lock
All checks were successful
Test / Create distribution (push) Successful in 51s
Details
Test / Sandbox (push) Successful in 15m56s
Details
Test / Sandbox (race detector) (push) Successful in 16m5s
Details
Test / Fpkg (push) Successful in 17m33s
Details
Test / Fortify (race detector) (push) Successful in 2m28s
Details
Test / Fortify (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 2m58s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-06-05 04:05:39 +09:00
17 changed files with 124 additions and 55 deletions
Show Stats Expand all files Collapse all files

2
cmd/fsu/package.nix
View File

@ -10,7 +10,7 @@ buildGoModule {
src = ./.; src = ./.;
inherit (fortify) vendorHash; inherit (fortify) vendorHash;
CGO_ENABLED = 0; env.CGO_ENABLED = 0;
preBuild = '' preBuild = ''
go mod init fsu >& /dev/null go mod init fsu >& /dev/null

6
dbus/dbus_test.go
View File

@ -90,9 +90,9 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
t.Run("invalid start", func(t *testing.T) { t.Run("invalid start", func(t *testing.T) {
if !useSandbox { if !useSandbox {
p = dbus.NewDirect(context.TODO(), nil, nil) p = dbus.NewDirect(t.Context(), nil, nil)
} else { } else {
p = dbus.New(context.TODO(), nil, nil) p = dbus.New(t.Context(), nil, nil)
} }
if err := p.Start(); !errors.Is(err, syscall.ENOTRECOVERABLE) { if err := p.Start(); !errors.Is(err, syscall.ENOTRECOVERABLE) {
@ -120,7 +120,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
} }
}) })
ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second) ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
defer cancel() defer cancel()
if !useSandbox { if !useSandbox {
p = dbus.NewDirect(ctx, final, nil) p = dbus.NewDirect(ctx, final, nil)

16
flake.lock generated
View File

@ -7,32 +7,32 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1746171682, "lastModified": 1748665073,
"narHash": "sha256-EyXUNSa+H+YvGVuQJP1nZskXAowxKYp79RNUsNdQTj4=", "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "50eee705bbdbac942074a8c120e8194185633675", "rev": "282e1e029cb6ab4811114fc85110613d72771dea",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.11", "ref": "release-25.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1746557022, "lastModified": 1749024892,
"narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.11", "ref": "nixos-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }

4
flake.nix
View File

@ -2,10 +2,10 @@
description = "fortify sandbox tool and nixos module"; description = "fortify sandbox tool and nixos module";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-24.11"; url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };

4
helper/cmd_test.go
View File

@ -13,7 +13,7 @@ import (
func TestCmd(t *testing.T) { func TestCmd(t *testing.T) {
t.Run("start non-existent helper path", func(t *testing.T) { t.Run("start non-existent helper path", func(t *testing.T) {
h := helper.NewDirect(context.Background(), "/proc/nonexistent", argsWt, false, argF, nil, nil) h := helper.NewDirect(t.Context(), "/proc/nonexistent", argsWt, false, argF, nil, nil)
if err := h.Start(); !errors.Is(err, os.ErrNotExist) { if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
t.Errorf("Start: error = %v, wantErr %v", t.Errorf("Start: error = %v, wantErr %v",
@ -22,7 +22,7 @@ func TestCmd(t *testing.T) {
}) })
t.Run("valid new helper nil check", func(t *testing.T) { t.Run("valid new helper nil check", func(t *testing.T) {
if got := helper.NewDirect(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil { if got := helper.NewDirect(t.Context(), "fortify", argsWt, false, argF, nil, nil); got == nil {
t.Errorf("NewDirect(%q, %q) got nil", t.Errorf("NewDirect(%q, %q) got nil",
argsWt, "fortify") argsWt, "fortify")
return return

4
helper/container_test.go
View File

@ -15,7 +15,7 @@ import (
func TestContainer(t *testing.T) { func TestContainer(t *testing.T) {
t.Run("start empty container", func(t *testing.T) { t.Run("start empty container", func(t *testing.T) {
h := helper.New(context.Background(), "/nonexistent", argsWt, false, argF, nil, nil) h := helper.New(t.Context(), "/nonexistent", argsWt, false, argF, nil, nil)
wantErr := "sandbox: starting an empty container" wantErr := "sandbox: starting an empty container"
if err := h.Start(); err == nil || err.Error() != wantErr { if err := h.Start(); err == nil || err.Error() != wantErr {
@ -25,7 +25,7 @@ func TestContainer(t *testing.T) {
}) })
t.Run("valid new helper nil check", func(t *testing.T) { t.Run("valid new helper nil check", func(t *testing.T) {
if got := helper.New(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil { if got := helper.New(t.Context(), "fortify", argsWt, false, argF, nil, nil); got == nil {
t.Errorf("New(%q, %q) got nil", t.Errorf("New(%q, %q) got nil",
argsWt, "fortify") argsWt, "fortify")
return return

4
helper/helper_test.go
View File

@ -55,7 +55,7 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f
t.Cleanup(func() { helper.WaitDelay = oldWaitDelay }) t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })
t.Run("start helper with status channel and wait", func(t *testing.T) { t.Run("start helper with status channel and wait", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
stdout := new(strings.Builder) stdout := new(strings.Builder)
h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true) h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true)
@ -109,7 +109,7 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f
}) })
t.Run("start helper and wait", func(t *testing.T) { t.Run("start helper and wait", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
defer cancel() defer cancel()
stdout := new(strings.Builder) stdout := new(strings.Builder)
h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false) h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false)

26
nixos.nix
View File

@ -9,6 +9,7 @@ packages:
let let
inherit (lib) inherit (lib)
lists lists
attrsets
mkMerge mkMerge
mkIf mkIf
mapAttrs mapAttrs
@ -238,15 +239,22 @@ in
++ foldlAttrs ( ++ foldlAttrs (
acc': _: app: acc': _: app:
acc' acc'
++ [ ++ (
{ let
${getsubname fid app.identity} = mkMerge [ key = getsubname fid app.identity;
cfg.extraHomeConfig in
app.extraConfig [
{ home.packages = app.packages; } {
]; ${key} = mkMerge (
} [
] cfg.extraHomeConfig
{ home.packages = app.packages; }
]
++ (if (attrsets.hasAttrByPath [ key ] acc) then (if !app.shareUid then throw "unexpected username collision" else [ ]) else [ app.extraConfig ])
);
}
]
)
) [ { ${getsubname fid 0} = cfg.extraHomeConfig; } ] cfg.apps ) [ { ${getsubname fid 0} = cfg.extraHomeConfig; } ] cfg.apps
) [ privPackages ] cfg.users ) [ privPackages ] cfg.users
); );

33
package.nix
View File

@ -33,13 +33,34 @@ buildGoModule rec {
pname = "fortify"; pname = "fortify";
version = "0.4.1"; version = "0.4.1";
src = builtins.path { srcFiltered = builtins.path {
name = "${pname}-src"; name = "${pname}-src";
path = lib.cleanSource ./.; path = lib.cleanSource ./.;
filter = path: type: !(type == "regular" && (lib.hasSuffix ".nix" path || lib.hasSuffix ".py" path)) && !(type == "directory" && lib.hasSuffix "/test" path) && !(type == "directory" && lib.hasSuffix "/cmd/fsu" path); filter = path: type: !(type == "regular" && (lib.hasSuffix ".nix" path || lib.hasSuffix ".py" path)) && !(type == "directory" && lib.hasSuffix "/test" path) && !(type == "directory" && lib.hasSuffix "/cmd/fsu" path);
}; };
vendorHash = null; vendorHash = null;
src = stdenv.mkDerivation {
name = "${pname}-src-full";
inherit version;
enableParallelBuilding = true;
src = srcFiltered;
buildInputs = [
wayland
wayland-protocols
];
nativeBuildInputs = [
go
pkg-config
wayland-scanner
];
buildPhase = "GOCACHE=$(mktemp -d) go generate ./...";
installPhase = "cp -r . $out";
};
ldflags = ldflags =
lib.attrsets.foldlAttrs lib.attrsets.foldlAttrs
( (
@ -67,7 +88,6 @@ buildGoModule rec {
libseccomp libseccomp
acl acl
wayland wayland
wayland-protocols
] ]
++ (with xorg; [ ++ (with xorg; [
libxcb libxcb
@ -77,14 +97,9 @@ buildGoModule rec {
nativeBuildInputs = [ nativeBuildInputs = [
pkg-config pkg-config
wayland-scanner
makeBinaryWrapper makeBinaryWrapper
]; ];
preBuild = ''
HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./...
'';
postInstall = postInstall =
let let
appPackages = [ appPackages = [
@ -120,6 +135,10 @@ buildGoModule rec {
gcc gcc
xorg.xorgproto xorg.xorgproto
util-linux util-linux
# for go generate
wayland-protocols
wayland-scanner
] ]
++ buildInputs ++ buildInputs
++ nativeBuildInputs; ++ nativeBuildInputs;

4
sandbox/container_test.go
View File

@ -70,7 +70,7 @@ func TestContainer(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
defer cancel() defer cancel()
container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v", container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v",
@ -162,7 +162,7 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE
} }
func TestContainerString(t *testing.T) { func TestContainerString(t *testing.T) {
container := sandbox.New(context.TODO(), "ldd", "/usr/bin/env") container := sandbox.New(t.Context(), "ldd", "/usr/bin/env")
container.Flags |= sandbox.FAllowDevel container.Flags |= sandbox.FAllowDevel
container.Seccomp |= seccomp.FilterMultiarch container.Seccomp |= seccomp.FilterMultiarch
want := `argv: ["ldd" "/usr/bin/env"], flags: 0x2, seccomp: 0x2e` want := `argv: ["ldd" "/usr/bin/env"], flags: 0x2, seccomp: 0x2e`

11
test/configuration.nix
View File

@ -96,13 +96,19 @@
users.alice = 0; users.alice = 0;
extraHomeConfig = { extraHomeConfig = {
home.stateVersion = "23.05"; # To test merge deduplication:
options._fortify.noop = lib.mkEnableOption "nothing";
config = {
home.stateVersion = "23.05";
};
}; };
apps = { apps = {
"cat.gensokyo.extern.foot.noEnablements" = { "cat.gensokyo.extern.foot.noEnablements" = {
name = "ne-foot"; name = "ne-foot";
identity = 1; identity = 1;
shareUid = true;
verbose = true; verbose = true;
share = pkgs.foot; share = pkgs.foot;
packages = with pkgs; [ packages = with pkgs; [
@ -130,7 +136,8 @@
"cat.gensokyo.extern.Alacritty.x11" = { "cat.gensokyo.extern.Alacritty.x11" = {
name = "x11-alacritty"; name = "x11-alacritty";
identity = 3; identity = 1;
shareUid = true;
verbose = true; verbose = true;
share = pkgs.alacritty; share = pkgs.alacritty;
packages = with pkgs; [ packages = with pkgs; [

13
test/default.nix
View File

@ -31,14 +31,13 @@ nixosTest {
{ {
environment.systemPackages = [ environment.systemPackages = [
# For go tests: # For go tests:
(writeShellScriptBin "fortify-go-test" '' (writeShellScriptBin "fortify-test" ''
set -e cd ${self.packages.${system}.fortify.src}
WORK="$(mktemp -ud)"
cp -r "${self.packages.${system}.fortify.src}" "$WORK"
chmod -R +w "$WORK"
cd "$WORK"
${fhs}/bin/fortify-fhs -c \ ${fhs}/bin/fortify-fhs -c \
'go generate ./... && go test ${if withRace then "-race" else "-count 16"} ./... && touch /tmp/go-test-ok' 'go test ${if withRace then "-race" else "-count 16"} ./...' \
&> /tmp/fortify-test.log && \
touch /tmp/fortify-test-ok
touch /tmp/fortify-test-done
'') '')
]; ];

9
test/sandbox/case/device.nix
View File

@ -35,6 +35,7 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -148,7 +149,15 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {

9
test/sandbox/case/mapuid.nix
View File

@ -59,6 +59,7 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -172,7 +173,15 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {

9
test/sandbox/case/preset.nix
View File

@ -59,6 +59,7 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -172,7 +173,15 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {

9
test/sandbox/case/tty.nix
View File

@ -60,6 +60,7 @@
"NIXOS" = fs "80001ff" null null; "NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null; "X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null; "alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null; "bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null; "binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null; "dbus-1" = fs "80001ff" null null;
@ -173,7 +174,15 @@
} null; } null;
} null; } null;
".local" = fs "800001ed" { ".local" = fs "800001ed" {
share = fs "800001ed" {
dbus-1 = fs "800001ed" {
services = fs "800001ed" {
"ca.desrt.dconf.service" = fs "80001ff" null null;
} null;
} null;
} null;
state = fs "800001ed" { state = fs "800001ed" {
".keep" = fs "80001ff" null "";
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null; home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" { nix = fs "800001ed" {
profiles = fs "800001ed" { profiles = fs "800001ed" {

16
test/test.py
View File

@ -80,9 +80,6 @@ def fortify(command):
start_all() start_all()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
# Run fortify Go tests outside of nix build in the background:
machine.succeed("sudo -u untrusted -i fortify-go-test &> /tmp/go-test &")
# To check fortify's version: # To check fortify's version:
print(machine.succeed("sudo -u alice -i fortify version")) print(machine.succeed("sudo -u alice -i fortify version"))
@ -90,6 +87,9 @@ print(machine.succeed("sudo -u alice -i fortify version"))
machine.wait_for_file("/run/user/1000/wayland-1") machine.wait_for_file("/run/user/1000/wayland-1")
machine.wait_for_file("/tmp/sway-ipc.sock") machine.wait_for_file("/tmp/sway-ipc.sock")
# Run fortify Go tests outside of nix build in the background:
swaymsg("exec fortify-test")
# Deny unmapped uid: # Deny unmapped uid:
denyOutput = machine.fail("sudo -u untrusted -i fortify run &>/dev/stdout") denyOutput = machine.fail("sudo -u untrusted -i fortify run &>/dev/stdout")
print(denyOutput) print(denyOutput)
@ -206,9 +206,9 @@ machine.wait_until_fails("pgrep foot", timeout=5)
# Test XWayland (foot does not support X): # Test XWayland (foot does not support X):
swaymsg("exec x11-alacritty") swaymsg("exec x11-alacritty")
wait_for_window(f"u0_a{aid(2)}@machine") wait_for_window(f"u0_a{aid(0)}@machine")
machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n") machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n")
machine.wait_for_file(tmpdir_path(2, "x11-ok"), timeout=15) machine.wait_for_file(tmpdir_path(0, "x11-ok"), timeout=15)
collect_state_ui("alacritty_x11") collect_state_ui("alacritty_x11")
check_state("x11-alacritty", 2) check_state("x11-alacritty", 2)
machine.send_chars("exit\n") machine.send_chars("exit\n")
@ -255,6 +255,6 @@ machine.wait_for_file("/tmp/sway-exit-ok")
print(machine.succeed("find /run/user/1000/fortify")) print(machine.succeed("find /run/user/1000/fortify"))
# Verify go test status: # Verify go test status:
machine.wait_for_file("/tmp/go-test", timeout=5) machine.wait_for_file("/tmp/fortify-test-done")
print(machine.succeed("cat /tmp/go-test")) print(machine.succeed("cat /tmp/fortify-test.log"))
machine.wait_for_file("/tmp/go-test-ok", timeout=5) machine.wait_for_file("/tmp/fortify-test-ok", timeout=2)