security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 7 Wiki Activity
hakurei/internal/app/spruntime_test.go
Ophestra e94acc424c
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 2m19s
Details
Test / Hakurei (push) Successful in 3m9s
Details
Test / Hpkg (push) Successful in 3m53s
Details
Test / Sandbox (race detector) (push) Successful in 4m2s
Details
Test / Hakurei (race detector) (push) Successful in 4m43s
Details
Test / Flake checks (push) Successful in 1m23s
Details
container/comp: rename from bits 
This package will also hold syscall lookup tables for seccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-10-21 20:54:03 +09:00

129 lines
4.9 KiB
Go
Raw Blame History

package app
import (
"testing"
"hakurei.app/container"
"hakurei.app/container/comp"
"hakurei.app/container/fhs"
"hakurei.app/container/stub"
"hakurei.app/hst"
"hakurei.app/system"
"hakurei.app/system/acl"
)
func TestSpRuntimeOp(t *testing.T) {
t.Parallel()
config := hst.Template()
checkOpBehaviour(t, []opBehaviourTestCase{
{"success zero", func(isShim bool, clearUnexported bool) outcomeOp {
if !isShim {
return new(spRuntimeOp)
}
op := &spRuntimeOp{sessionTypeTTY}
if clearUnexported {
op.SessionType = sessionTypeUnspec
}
return op
}, func() *hst.Config {
c := hst.Template()
*c.Enablements = 0
return c
}, nil, []stub.Call{
// this op configures the system state and does not make calls during toSystem
}, newI().
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime"), acl.Execute).
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), acl.Read, acl.Write, acl.Execute), nil, nil, insertsOps(nil), []stub.Call{
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
"XDG_SESSION_CLASS": "user",
"XDG_SESSION_TYPE": "unspecified",
}, nil), nil},
{"success tty", func(isShim, _ bool) outcomeOp {
if !isShim {
return new(spRuntimeOp)
}
return &spRuntimeOp{sessionTypeTTY}
}, func() *hst.Config {
c := hst.Template()
*c.Enablements = 0
return c
}, nil, []stub.Call{
// this op configures the system state and does not make calls during toSystem
}, newI().
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime"), acl.Execute).
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), acl.Read, acl.Write, acl.Execute), nil, nil, insertsOps(nil), []stub.Call{
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
"XDG_SESSION_CLASS": "user",
"XDG_SESSION_TYPE": "tty",
}, nil), nil},
{"success x11", func(isShim, _ bool) outcomeOp {
if !isShim {
return new(spRuntimeOp)
}
return &spRuntimeOp{sessionTypeX11}
}, func() *hst.Config {
c := hst.Template()
*c.Enablements = hst.Enablements(hst.EX11)
return c
}, nil, []stub.Call{
// this op configures the system state and does not make calls during toSystem
}, newI().
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime"), acl.Execute).
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), acl.Read, acl.Write, acl.Execute), nil, nil, insertsOps(nil), []stub.Call{
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
"XDG_SESSION_CLASS": "user",
"XDG_SESSION_TYPE": "x11",
}, nil), nil},
{"success", func(isShim, _ bool) outcomeOp {
if !isShim {
return new(spRuntimeOp)
}
return &spRuntimeOp{sessionTypeWayland}
}, hst.Template, nil, []stub.Call{
// this op configures the system state and does not make calls during toSystem
}, newI().
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime"), acl.Execute).
Ensure(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), 0700).
UpdatePermType(system.User, m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), acl.Read, acl.Write, acl.Execute), nil, nil, insertsOps(nil), []stub.Call{
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
"XDG_SESSION_CLASS": "user",
"XDG_SESSION_TYPE": "wayland",
}, nil), nil},
})
}
Reference in New Issue View Git Blame Copy Permalink