@@ -14,64 +14,6 @@ pkgs.nixosTest {
1414 } ;
1515 } ;
1616
17- # let
18- # wrap-bin = "${packages.wrap}/bin/wrap";
19- # bash-bin = "${pkgs.bash}/bin/bash";
20- #
21- # tests = [
22- # {
23- # name = "env-home-is-always-exposed";
24- # test = ''HOME=/homedir ${wrap-bin} ${bash-bin} -c 'echo $HOME' | grep homedir > $out'';
25- # }
26- # {
27- # name = "env-editor-is-always-exposed";
28- # test = ''EDITOR=myeditor ${wrap-bin} ${bash-bin} -c 'echo $EDITOR' | grep myeditor > $out'';
29- # }
30- # {
31- # name = "user-name-is-hidden";
32- # test = ''
33- # ${wrap-bin} whoami 2> error-msg || true
34- # cat error-msg | grep "cannot find name for user ID" > $out
35- # '';
36- # }
37- # {
38- # name = "u-exposes-user-name";
39- # test = ''${wrap-bin} -u whoami > $out'';
40- # }
41- # {
42- # name = "env-wayland-display-is-hidden";
43- # test = ''
44- # WAYLAND_DISPLAY=wl-0 ${wrap-bin} ${bash-bin} -c 'set -u; echo $WAYLAND_DISPLAY' 2> error-msg || true
45- # cat error-msg | grep "WAYLAND_DISPLAY: unbound variable" > $out
46- # '';
47- # }
48- # {
49- # name = "d-exposes-env-wayland-display";
50- # test = ''
51- # export XDG_RUNTIME_DIR="/tmp"
52- # export WAYLAND_DISPLAY="wl-0"
53- # mkdir -p $XDG_RUNTIME_DIR
54- # touch $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
55- # ${wrap-bin} -d ${bash-bin} -c 'echo $WAYLAND_DISPLAY' | grep wl-0 > $out
56- # '';
57- # }
58- # {
59- # name = "d-exposes-env-x11-display";
60- # test = ''
61- # export DISPLAY=":0"
62- # ${wrap-bin} -d ${bash-bin} -c 'echo $DISPLAY' | grep ":0" > $out
63- # '';
64- # }
65- # {
66- # name = "d-exposes-socket-x11";
67- # test = ''
68- # mkdir -p /tmp/.X11-unix
69- # touch /tmp/.X11-unix/X12345
70- # export DISPLAY=":12345"
71- # ${wrap-bin} -d ${bash-bin} -c 'ls /tmp/.X11-unix/X12345' > $out
72- # rm /tmp/.X11-unix/X12345
73- # '';
74- # }
7517 # {
7618 # name = "d-exposes-xauthority";
7719 # test = ''
@@ -326,166 +268,96 @@ pkgs.nixosTest {
326268 wrap -u whoami ||
327269 (echo 'Unexpected: whoami does not work in sandbox'; false)
328270
271+ # ensure `whoami` returns username in sandbox
329272 wrap -u whoami | grep "^alice$" ||
330273 (echo 'Unexpected: whoami does not return username in sandbox'; false)
331274 """))
332275
333276
334- # with subtest("env-wayland-display-is-hidden"):
335- # print(machine.succeed(as_alice("""
336- # WAYLAND_DISPLAY=wl-0 wrap bash -c 'set -u; echo $WAYLAND_DISPLAY' 2> error-msg || true
337- # cat error-msg | grep "WAYLAND_DISPLAY: unbound variable"
338- # """)))
339- #
340- # with subtest("d-exposes-env-wayland-display"):
341- # print(machine.succeed(as_alice("""
342- # export XDG_RUNTIME_DIR="/tmp"
343- # export WAYLAND_DISPLAY="wl-0"
344- # mkdir -p $XDG_RUNTIME_DIR
345- # touch $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
346- # wrap -d bash -c 'echo $WAYLAND_DISPLAY' | grep wl-0
347- # """)))
348- #
349- # with subtest("d-exposes-env-x11-display"):
350- # print(machine.succeed(as_alice("""
351- # export DISPLAY=":0"
352- # wrap -d bash -c 'echo $DISPLAY' | grep ":0"
353- # """)))
354- #
355- # with subtest("d-exposes-socket-x11"):
356- # print(machine.succeed(as_alice("""
357- # mkdir -p /tmp/.X11-unix
358- # touch /tmp/.X11-unix/X12345
359- # export DISPLAY=":12345"
360- # wrap -d bash -c 'ls /tmp/.X11-unix/X12345'
361- # rm /tmp/.X11-unix/X12345
362- # """)))
363- #
364- # with subtest("d-exposes-xauthority"):
365- # print(machine.succeed(as_alice("""
366- # export DISPLAY=":12345"
367- # export HOME=/tmp/home
368- # mkdir -p $HOME
369- # touch $HOME/.Xauthority
370- # wrap -d bash -c 'cat $HOME/.Xauthority'
371- # """)))
372- #
373- # with subtest("d-exposes-custom-xauthority"):
374- # print(machine.succeed(as_alice("""
375- # export DISPLAY=":12345"
376- # export XAUTHORITY="myxauthfile"
377- # export HOME=/tmp/home
378- # mkdir -p $HOME
379- # touch $HOME/$XAUTHORITY
380- # wrap -d bash -c 'cat $HOME/.Xauthority'
381- # """)))
382- #
383- # with subtest("r-exposes-path-readonly"):
384- # print(machine.succeed(as_alice("""
385- # mkdir -p /tmp/some-dir
386- # echo "file-content" > /tmp/some-dir/test-file
387- # wrap -r /tmp/some-dir bash -c 'cat /tmp/some-dir/test-file' | grep "file-content"
388- # wrap -r /tmp/some-dir bash -c 'echo more >> /tmp/some-dir/test-file' 2> error-msg || true
389- # cat error-msg | grep "/tmp/some-dir/test-file: Read-only file system"
390- # """)))
391- #
392- # with subtest("w-exposes-path-readwrite"):
393- # print(machine.succeed(as_alice("""
394- # mkdir -p /tmp/some-dir
395- # echo "file-content" > /tmp/some-dir/test-file
396- # wrap -w /tmp/some-dir bash -c 'cat /tmp/some-dir/test-file' | grep "file-content"
397- # wrap -w /tmp/some-dir bash -c 'echo more >> /tmp/some-dir/test-file'
398- # cat /tmp/some-dir/test-file | grep "more"
399- # """)))
400- #
401- # with subtest("cwd-exposed-by-default"):
402- # print(machine.succeed(as_alice("""
403- # mkdir -p /tmp/some-dir
404- # cd /tmp/some-dir
405- # echo "file-content" > test-file
406- # wrap bash -c 'cat test-file' | grep "file-content"
407- # """)))
408- #
409- # with subtest("cwd-not-exposed-by-p"):
410- # print(machine.succeed(as_alice("""
411- # mkdir -p /tmp/some-dir
412- # cd /tmp/some-dir
413- # echo "file-content" > test-file
414- # wrap -p bash -c 'cat test-file; echo $?' | grep 1
415- # """)))
416- #
417- # with subtest("-p-cds-to-root"):
418- # print(machine.succeed(as_alice("""
419- # mkdir -p /tmp/new-home
420- # export HOME=/tmp/new-home
421- # wrap -p bash -c 'pwd' | grep /
422- # """)))
423- #
424- # with subtest("cwd not shared implicitly for home directories"):
425- # print(machine.succeed(as_alice("""
426- # mkdir -p /tmp/new-home
427- # export HOME=/tmp/new-home
428- # touch /tmp/new-home/something-in-home
429- # cd $HOME
430- #
431- # pwd | grep '^/tmp/new-home$' \
432- # || (echo 'Unexpected: Home directory is not cwd outside sandbox'; false)
433- #
434- # ls -l /tmp | grep '[[:space:]]new-home$' \
435- # || (echo 'Unexpected: Home directory outside sandbox not found'; false)
436- #
437- # ls -l $HOME | grep '[[:space:]]something-in-home$' \
438- # || (echo 'Unexpected: File in $HOME outside sandbox not found'; false)
439- #
440- # wrap bash -c 'pwd' | grep '^/$' \
441- # || (echo 'Unexpected: Cwd in sandbox is not /'; false)
442- #
443- # wrap bash -c 'ls -l $HOME' | grep '^total 0$' \
444- # || (echo 'Unexpected: Sandbox $HOME is not empty'; false)
445- #
446- # true
447- # """)))
448- #
449- # with subtest("parameter -f forces to share the cwd $HOME, even though it is excluded from sharing as cwd implicitly"):
450- # print(machine.succeed(as_alice("""
451- # mkdir -p /tmp/new-home
452- # export HOME=/tmp/new-home
453- # touch /tmp/new-home/something-in-home
454- # cd $HOME
455- #
456- # pwd | grep '^/tmp/new-home$' \
457- # || (echo 'Unexpected: Home directory is not cwd outside sandbox'; false)
458- #
459- # ls -l /tmp | grep '[[:space:]]new-home$' \
460- # || (echo 'Unexpected: Home directory outside sandbox not found'; false)
461- #
462- # ls -l $HOME | grep '[[:space:]]something-in-home$' \
463- # || (echo 'Unexpected: File in $HOME outside sandbox not found'; false)
464- #
465- # wrap -f bash -c 'pwd' | grep '^/tmp/new-home$' \
466- # || (echo 'Unexpected: Cwd in sandbox is not $HOME'; false)
467- #
468- # wrap -f bash -c 'ls $HOME' | grep '^something-in-home$' \
469- # || (echo 'Unexpected: Sandbox $HOME is empty'; false)
470- #
471- # true
472- # """)))
473- #
474- # with subtest("parameter -f forces to share the cwd /, even though it is excluded from sharing as cwd implicitly"):
475- # print(machine.succeed(as_alice("""
476- # cd /
477- #
478- # pwd | grep "^/$" \
479- # || (echo 'Unexpected: Cwd to be / outside sandbox'; false)
480- # ls -l | grep "[[:space:]]bin$" \
481- # || (echo 'Unexpected: Bin dir is missing in / outside sandbox'; false)
482- #
483- # wrap -f bash -c 'pwd' | grep '^/$' 2> /dev/null \
484- # || (echo 'Unexpected: Cwd in sandbox is not /'; false)
485- # wrap -f bash -c 'ls -l' | grep 'bin$' 2> /dev/null \
486- # || (echo 'Unexpected: Bin dir not in / inside sandbox'; false)
487- #
488- # true
489- # """)))
277+ with subtest("Environment variable WAYLAND_DISPLAY is hidden by default"):
278+ machine.succeed(as_alice("""
279+ # ensure $WAYLAND_DISPLAY is set outside sandbox
280+ export WAYLAND_DISPLAY=wl-0
281+ echo $WAYLAND_DISPLAY | grep '^wl-0$' ||
282+ (echo 'Unexpected: WAYLAND_DISPLAY is not set outside sandbox'; false)
283+
284+ # ensure $WAYLAND_DISPLAY is unset in sandbox
285+ ! (wrap bash -c 'echo $WAYLAND_DISPLAY' | grep '^wl-0$') ||
286+ (echo 'Unexpected: WAYLAND_DISPLAY is set in sandbox'; false)
287+ """))
288+
289+ with subtest("-d exposes WAYLAND_DISPLAY in sandbox"):
290+ machine.succeed(as_alice("""
291+ # ensure $WAYLAND_DISPLAY is set outside sandbox
292+ export WAYLAND_DISPLAY=wl-0
293+ echo $WAYLAND_DISPLAY | grep '^wl-0$' ||
294+ (echo 'Unexpected: WAYLAND_DISPLAY is not set outside sandbox'; false)
295+
296+ # ensure $WAYLAND_DISPLAY is set in sandbox
297+ wrap -d bash -c 'echo $WAYLAND_DISPLAY' | grep '^wl-0$' ||
298+ (echo 'Unexpected: WAYLAND_DISPLAY is not set in sandbox'; false)
299+ """))
300+
301+ with subtest("-d exposes WAYLAND socket in sandbox"):
302+ machine.succeed(as_alice("""
303+ # ensure $WAYLAND_DISPLAY is set outside sandbox
304+ export WAYLAND_DISPLAY=wl-12345
305+ echo $WAYLAND_DISPLAY | grep '^wl-12345$' ||
306+ (echo 'Unexpected: WAYLAND_DISPLAY is not set outside sandbox'; false)
307+
308+ # create WAYLAND socket mock
309+ export XDG_RUNTIME_DIR=/tmp/wayland
310+ mkdir -p $XDG_RUNTIME_DIR
311+ touch $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
312+ echo $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY | grep '^/tmp/wayland/wl-12345$' ||
313+ (echo 'Unexpected: WAYLAND socket mock does not exist outside sandbox'; false)
314+
315+ # ensure $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY is set in sandbox
316+ wrap -d bash -c 'echo $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY' | grep '^/tmp/wayland/wl-12345$' ||
317+ (echo 'Unexpected: $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY is not set in sandbox'; false)
318+
319+ # ensure WAYLAND socket mock exists in sandbox
320+ wrap -d bash -c 'ls $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY' | grep '^/tmp/wayland/wl-12345$' ||
321+ (echo 'Unexpected: WAYLAND socket mock does not exist in sandbox'; false)
322+ """))
323+
324+ with subtest("Environment variable DISPLAY is hidden by default"):
325+ machine.succeed(as_alice("""
326+ # ensure $DISPLAY is set outside sandbox
327+ export DISPLAY=:0
328+ echo $DISPLAY | grep '^:0$' ||
329+ (echo 'Unexpected: DISPLAY is not set outside sandbox'; false)
330+
331+ # ensure $DISPLAY is unset in sandbox
332+ ! (wrap bash -c 'echo $DISPLAY' | grep '^:0$') ||
333+ (echo 'Unexpected: DISPLAY is set in sandbox'; false)
334+ """))
335+
336+ with subtest("-d exposes DISPLAY in sandbox"):
337+ machine.succeed(as_alice("""
338+ # ensure $DISPLAY is set outside sandbox
339+ export DISPLAY=:0
340+ echo $DISPLAY | grep '^:0$' ||
341+ (echo 'Unexpected: DISPLAY is not set outside sandbox'; false)
342+
343+ # ensure $DISPLAY is set in sandbox
344+ wrap -d bash -c 'echo $DISPLAY' | grep '^:0$' ||
345+ (echo 'Unexpected: DISPLAY is not set in sandbox'; false)
346+ """))
347+
348+ with subtest("-d exposes X11 socket in sandbox"):
349+ machine.succeed(as_alice("""
350+ mkdir -p /tmp/.X11-unix
351+ touch /tmp/.X11-unix/X12345
352+
353+ # ensure $DISPLAY is set outside sandbox
354+ export DISPLAY=:12345
355+ echo $DISPLAY | grep '^:12345$' ||
356+ (echo 'Unexpected: DISPLAY is not set outside sandbox'; false)
357+
358+ # ensure $DISPLAY socket is visible in sandbox
359+ wrap -d bash -c 'ls /tmp/.X11-unix/X12345' | grep 'X12345' ||
360+ (echo 'Unexpected: DISPLAY socket is not visible in sandbox'; false)
361+ """))
490362 '' ;
491363}
0 commit comments