Add examples for composed configurations

Compose s1.toml with s2.toml and get s.toml, similar to s.json .

Add golden file to check the sandboxer --debug output.

These are the examples I used in my talk at Linux Security Summit Europe
2025: https://lsseu2025.sched.com/event/25GET

Signed-off-by: Mickaël Salaün <mic@digikod.net>

Author: l0kod

.github/workflows/ci.yml

@@ -74,6 +74,9 @@ jobs:
     - name: Check JSON scoped
       run: ./schema/check.sh examples/mini-scoped.json
 
+    - name: Check JSON compose
+      run: ./schema/check.sh tests/composition/s.json
+
   cache_cargo_index:
     runs-on: ubuntu-24.04
     steps:
@@ -220,6 +223,15 @@ jobs:
     - name: Run the sandboxer example with scope restrictions
       run: rustup run stable cargo run --example sandboxer -- --json examples/mini-scoped.json true
 
+    - name: Run the sandboxer example with composed configurations, and compare to golden file
+      run: |
+        diff -u "tests/composition/golden-debug.txt" \
+          <(rustup run stable cargo run --quiet --example sandboxer -- --toml tests/composition/source/s1.toml --toml tests/composition/source/s2.toml --debug true 2>&1)
+        diff -u "tests/composition/golden-debug.txt" \
+          <(rustup run stable cargo run --quiet --example sandboxer -- --toml tests/composition/s.toml --debug true 2>&1)
+        diff -u "tests/composition/golden-debug.txt" \
+          <(rustup run stable cargo run --quiet --example sandboxer -- --json tests/composition/s.json --debug true 2>&1)
+
     - name: Check format
       run: rustup run stable cargo fmt --all -- --check
 

tests/composition/README.md

@@ -0,0 +1,94 @@
+# Composition of configurations
+
+## [TOML source #1](source/s1.toml)
+
+```toml
+[[variable]]
+name = "rw"
+literal = ["/tmp", "/var/tmp"]
+
+# Main system file hierarchies can be read and executed.
+[[path_beneath]]
+allowed_access = ["v5.read_execute"]
+parent = ["/bin", "/lib", "/usr", "/dev", "/proc", "/etc"]
+
+# Only allow writing to temporary and home directories.
+[[path_beneath]]
+allowed_access = ["v5.read_write"]
+parent = ["${rw}"]
+```
+
+## [TOML source #2](source/s2.toml)
+
+```toml
+[[variable]]
+name = "rw"
+literal = ["/home/user/tmp"]
+
+[[ruleset]]
+handled_access_fs = ["v4.all"]
+
+# Custom apps.
+[[path_beneath]]
+allowed_access = ["v4.read_execute"]
+parent = ["/home/user/bin"]
+```
+
+## [TOML composition](s.toml)
+
+```toml
+[[variable]]
+name = "rw"
+literal = ["/tmp", "/var/tmp", "/home/user/tmp"]
+
+# Main system file hierarchies can be read and executed.
+[[path_beneath]]
+allowed_access = ["v4.read_execute"]
+parent = ["/bin", "/lib", "/usr", "/dev", "/proc", "/etc", "/home/user/bin"]
+
+# Only allow writing to temporary and home directories.
+[[path_beneath]]
+allowed_access = ["v4.read_write"]
+parent = ["${rw}"]
+```
+
+## [JSON composition](s.json)
+
+```json
+{
+  "variable": [
+    {
+      "name": "rw",
+      "literal": [
+        "/tmp",
+        "/var/tmp",
+        "/home/user/tmp"
+      ]
+    }
+  ],
+  "pathBeneath": [
+    {
+      "allowedAccess": [
+        "v4.read_execute"
+      ],
+      "parent": [
+        "/bin",
+        "/lib",
+        "/usr",
+        "/dev",
+        "/proc",
+        "/etc",
+        "/home/user/bin"
+      ]
+    },
+    {
+      "allowedAccess": [
+        "v4.read_write"
+      ],
+      "parent": [
+        "${rw}"
+      ]
+    }
+  ]
+}
+```

tests/composition/golden-debug.txt

@@ -0,0 +1,78 @@
+ResolvedConfig {
+    handled_fs: BitFlags<AccessFs> {
+        bits: 0b111111111111111,
+        flags: Execute | WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar | MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym | Refer | Truncate,
+    },
+    handled_net: BitFlags<AccessNet> {
+        bits: 0b0,
+    },
+    scoped: BitFlags<Scope> {
+        bits: 0b0,
+    },
+    rules_path_beneath: {
+        "/bin": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/dev": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/etc": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/home/user/bin": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/home/user/tmp": BitFlags<AccessFs> {
+            bits: 0b111111111111110,
+            flags: WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar | MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym | Refer | Truncate,
+        },
+        "/lib": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/proc": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/tmp": BitFlags<AccessFs> {
+            bits: 0b111111111111110,
+            flags: WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar | MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym | Refer | Truncate,
+        },
+        "/usr": BitFlags<AccessFs> {
+            bits: 0b10000000001101,
+            flags: Execute | ReadFile | ReadDir | Refer,
+        },
+        "/var/tmp": BitFlags<AccessFs> {
+            bits: 0b111111111111110,
+            flags: WriteFile | ReadFile | ReadDir | RemoveDir | RemoveFile | MakeChar | MakeDir | MakeReg | MakeSock | MakeFifo | MakeBlock | MakeSym | Refer | Truncate,
+        },
+    },
+    rules_net_port: {},
+}
+Ignored rule errors: [
+    PathFd(
+        OpenCall {
+            source: Os {
+                code: 2,
+                kind: NotFound,
+                message: "No such file or directory",
+            },
+            path: "/home/user/bin",
+        },
+    ),
+    PathFd(
+        OpenCall {
+            source: Os {
+                code: 2,
+                kind: NotFound,
+                message: "No such file or directory",
+            },
+            path: "/home/user/tmp",
+        },
+    ),
+]
+Executing true in a sandbox...

tests/composition/s.json

@@ -0,0 +1,36 @@
+{
+  "variable": [
+    {
+      "name": "rw",
+      "literal": [
+        "/tmp",
+        "/var/tmp",
+        "/home/user/tmp"
+      ]
+    }
+  ],
+  "pathBeneath": [
+    {
+      "allowedAccess": [
+        "v4.read_execute"
+      ],
+      "parent": [
+        "/bin",
+        "/lib",
+        "/usr",
+        "/dev",
+        "/proc",
+        "/etc",
+        "/home/user/bin"
+      ]
+    },
+    {
+      "allowedAccess": [
+        "v4.read_write"
+      ],
+      "parent": [
+        "${rw}"
+      ]
+    }
+  ]
+}

tests/composition/s.toml

@@ -0,0 +1,13 @@
+[[variable]]
+name = "rw"
+literal = ["/tmp", "/var/tmp", "/home/user/tmp"]
+
+# Main system file hierarchies can be read and executed.
+[[path_beneath]]
+allowed_access = ["v4.read_execute"]
+parent = ["/bin", "/lib", "/usr", "/dev", "/proc", "/etc", "/home/user/bin"]
+
+# Only allow writing to temporary and home directories.
+[[path_beneath]]
+allowed_access = ["v4.read_write"]
+parent = ["${rw}"]

tests/composition/source/s1.toml

@@ -0,0 +1,13 @@
+[[variable]]
+name = "rw"
+literal = ["/tmp", "/var/tmp"]
+
+# Main system file hierarchies can be read and executed.
+[[path_beneath]]
+allowed_access = ["v5.read_execute"]
+parent = ["/bin", "/lib", "/usr", "/dev", "/proc", "/etc"]
+
+# Only allow writing to temporary and home directories.
+[[path_beneath]]
+allowed_access = ["v5.read_write"]
+parent = ["${rw}"]

tests/composition/source/s2.toml

@@ -0,0 +1,11 @@
+[[variable]]
+name = "rw"
+literal = ["/home/user/tmp"]
+
+[[ruleset]]
+handled_access_fs = ["v4.all"]
+
+# Custom apps.
+[[path_beneath]]
+allowed_access = ["v4.read_execute"]
+parent = ["/home/user/bin"]