|
9 | 9 | outputs = |
10 | 10 | { nixpkgs, flake-utils, ... }: |
11 | 11 | flake-utils.lib.eachDefaultSystem ( |
| 12 | + # TODO: explicitly define linux systems, not darwin |
12 | 13 | system: |
| 14 | + |
13 | 15 | let |
14 | 16 | pkgs = nixpkgs.legacyPackages.${system}; |
| 17 | + |
15 | 18 | in |
16 | 19 | rec { |
17 | | - |
18 | | - lib = import ./lib.nix { inherit pkgs; }; |
19 | | - |
20 | 20 | packages = rec { |
21 | 21 | wrap = pkgs.callPackage ./package.nix { }; |
22 | 22 | default = wrap; |
23 | 23 | }; |
24 | 24 |
|
25 | | - devShells.default = import ./shell.nix { inherit pkgs; }; |
26 | | - |
27 | | - checks = |
28 | | - let |
29 | | - wrap-bin = "${packages.wrap}/bin/wrap"; |
30 | | - bash-bin = "${pkgs.bash}/bin/bash"; |
31 | | - |
32 | | - tests = [ |
33 | | - { |
34 | | - name = "env-home-is-always-exposed"; |
35 | | - test = ''HOME=/homedir ${wrap-bin} ${bash-bin} -c 'echo $HOME' | grep homedir > $out''; |
36 | | - } |
37 | | - { |
38 | | - name = "env-editor-is-always-exposed"; |
39 | | - test = ''EDITOR=myeditor ${wrap-bin} ${bash-bin} -c 'echo $EDITOR' | grep myeditor > $out''; |
40 | | - } |
41 | | - { |
42 | | - name = "user-name-is-hidden"; |
43 | | - test = '' |
44 | | - ${wrap-bin} whoami 2> error-msg || true |
45 | | - cat error-msg | grep "cannot find name for user ID" > $out |
46 | | - ''; |
47 | | - } |
48 | | - { |
49 | | - name = "u-exposes-user-name"; |
50 | | - test = ''${wrap-bin} -u whoami > $out''; |
51 | | - } |
52 | | - { |
53 | | - name = "env-wayland-display-is-hidden"; |
54 | | - test = '' |
55 | | - WAYLAND_DISPLAY=wl-0 ${wrap-bin} ${bash-bin} -c 'set -u; echo $WAYLAND_DISPLAY' 2> error-msg || true |
56 | | - cat error-msg | grep "WAYLAND_DISPLAY: unbound variable" > $out |
57 | | - ''; |
58 | | - } |
59 | | - { |
60 | | - name = "d-exposes-env-wayland-display"; |
61 | | - test = '' |
62 | | - export XDG_RUNTIME_DIR="/tmp" |
63 | | - export WAYLAND_DISPLAY="wl-0" |
64 | | - mkdir -p $XDG_RUNTIME_DIR |
65 | | - touch $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY |
66 | | - ${wrap-bin} -d ${bash-bin} -c 'echo $WAYLAND_DISPLAY' | grep wl-0 > $out |
67 | | - ''; |
68 | | - } |
69 | | - { |
70 | | - name = "d-exposes-env-x11-display"; |
71 | | - test = '' |
72 | | - export DISPLAY=":0" |
73 | | - ${wrap-bin} -d ${bash-bin} -c 'echo $DISPLAY' | grep ":0" > $out |
74 | | - ''; |
75 | | - } |
76 | | - { |
77 | | - name = "d-exposes-socket-x11"; |
78 | | - test = '' |
79 | | - mkdir -p /tmp/.X11-unix |
80 | | - touch /tmp/.X11-unix/X12345 |
81 | | - export DISPLAY=":12345" |
82 | | - ${wrap-bin} -d ${bash-bin} -c 'ls /tmp/.X11-unix/X12345' > $out |
83 | | - rm /tmp/.X11-unix/X12345 |
84 | | - ''; |
85 | | - } |
86 | | - { |
87 | | - name = "d-exposes-xauthority"; |
88 | | - test = '' |
89 | | - export DISPLAY=":12345" |
90 | | - export HOME=/tmp/home |
91 | | - mkdir -p $HOME |
92 | | - touch $HOME/.Xauthority |
93 | | - ${wrap-bin} -d ${bash-bin} -c 'cat $HOME/.Xauthority' > $out |
94 | | - ''; |
95 | | - } |
96 | | - { |
97 | | - name = "d-exposes-custom-xauthority"; |
98 | | - test = '' |
99 | | - export DISPLAY=":12345" |
100 | | - export XAUTHORITY="myxauthfile" |
101 | | - export HOME=/tmp/home |
102 | | - mkdir -p $HOME |
103 | | - touch $HOME/$XAUTHORITY |
104 | | - ${wrap-bin} -d ${bash-bin} -c 'cat $HOME/.Xauthority' > $out |
105 | | - ''; |
106 | | - } |
107 | | - { |
108 | | - name = "r-exposes-path-readonly"; |
109 | | - test = '' |
110 | | - mkdir -p /tmp/some-dir |
111 | | - echo "file-content" > /tmp/some-dir/test-file |
112 | | - ${wrap-bin} -r /tmp/some-dir ${bash-bin} -c 'cat /tmp/some-dir/test-file' | grep "file-content" |
113 | | - ${wrap-bin} -r /tmp/some-dir ${bash-bin} -c 'echo more >> /tmp/some-dir/test-file' 2> error-msg || true |
114 | | - cat error-msg | grep "/tmp/some-dir/test-file: Read-only file system" > $out |
115 | | - ''; |
116 | | - } |
117 | | - { |
118 | | - name = "w-exposes-path-readwrite"; |
119 | | - test = '' |
120 | | - mkdir -p /tmp/some-dir |
121 | | - echo "file-content" > /tmp/some-dir/test-file |
122 | | - ${wrap-bin} -w /tmp/some-dir ${bash-bin} -c 'cat /tmp/some-dir/test-file' | grep "file-content" |
123 | | - ${wrap-bin} -w /tmp/some-dir ${bash-bin} -c 'echo more >> /tmp/some-dir/test-file' |
124 | | - cat /tmp/some-dir/test-file | grep "more" > $out |
125 | | - ''; |
126 | | - } |
127 | | - { |
128 | | - name = "cwd-exposed-by-default"; |
129 | | - test = '' |
130 | | - mkdir -p /tmp/some-dir |
131 | | - cd /tmp/some-dir |
132 | | - echo "file-content" > test-file |
133 | | - ${wrap-bin} ${bash-bin} -c 'cat test-file' | grep "file-content" > $out |
134 | | - ''; |
135 | | - } |
136 | | - { |
137 | | - name = "cwd-not-exposed-by-p"; |
138 | | - test = '' |
139 | | - mkdir -p /tmp/some-dir |
140 | | - cd /tmp/some-dir |
141 | | - echo "file-content" > test-file |
142 | | - ${wrap-bin} -p ${bash-bin} -c 'cat test-file; echo $?' | grep 1 > $out |
143 | | - ''; |
144 | | - } |
145 | | - { |
146 | | - name = "-p-cds-to-root"; |
147 | | - test = '' |
148 | | - mkdir -p /tmp/new-home |
149 | | - export HOME=/tmp/new-home |
150 | | - ${wrap-bin} -p ${bash-bin} -c 'pwd' | grep / > $out |
151 | | - ''; |
152 | | - } |
153 | | - |
154 | | - { |
155 | | - name = "cwd not shared implicitly for home directories"; |
156 | | - test = |
157 | | - # setup prerequisites |
158 | | - '' |
159 | | - # Setup a home directory and put something in. We expect |
160 | | - # this to NOT be visible in the sandbox because it was not |
161 | | - # shared explicitly and home directories are expluded from |
162 | | - # implicit sharing. |
163 | | - mkdir -p /tmp/new-home |
164 | | - export HOME=/tmp/new-home |
165 | | - touch /tmp/new-home/something-in-home |
166 | | -
|
167 | | - # Make the home directory the cwd |
168 | | - cd $HOME |
169 | | - '' + |
170 | | - |
171 | | - # prerequisite checks |
172 | | - '' |
173 | | - pwd | grep '^/tmp/new-home$' \ |
174 | | - || (echo 'Unexpected: Home directory is not cwd outside sandbox'; false) |
175 | | -
|
176 | | - ls -l /tmp | grep '[[:space:]]new-home$' \ |
177 | | - || (echo 'Unexpected: Home directory outside sandbox not found'; false) |
178 | | -
|
179 | | - ls -l $HOME | grep '[[:space:]]something-in-home$' \ |
180 | | - || (echo 'Unexpected: File in $HOME outside sandbox not found'; false) |
181 | | - '' + |
182 | | - |
183 | | - # test |
184 | | - '' |
185 | | - # expect the cwd to be /, because $HOME as cwd is excluded from implicit sharing |
186 | | - ${wrap-bin} ${bash-bin} -c 'pwd' | grep '^/$' \ |
187 | | - || (echo 'Unexpected: Cwd in sandbox is not /'; false) |
188 | | -
|
189 | | - ${wrap-bin} ${bash-bin} -c 'ls -l $HOME' | grep '^total 0$' \ |
190 | | - || (echo 'Unexpected: Sandbox $HOME is not empty'; false) |
191 | | -
|
192 | | - echo 'test-success' > $out |
193 | | - ''; |
194 | | - } |
195 | | - |
196 | | - { |
197 | | - name = "parameter -f forces to share the cwd $HOME, even though it is excluded from sharing as cwd implicitly"; |
198 | | - test = |
199 | | - # setup prerequisites |
200 | | - '' |
201 | | - # Setup a home directory and put something in. We expect |
202 | | - # this to be visible in the sandbox because it was shared |
203 | | - # explicitly implicit sharing. |
204 | | - mkdir -p /tmp/new-home |
205 | | - export HOME=/tmp/new-home |
206 | | - touch /tmp/new-home/something-in-home |
207 | | -
|
208 | | - # Make the home directory the cwd |
209 | | - cd $HOME |
210 | | - '' + |
211 | | - |
212 | | - # prerequisite checks |
213 | | - '' |
214 | | - pwd | grep '^/tmp/new-home$' \ |
215 | | - || (echo 'Unexpected: Home directory is not cwd outside sandbox'; false) |
216 | | -
|
217 | | - ls -l /tmp | grep '[[:space:]]new-home$' \ |
218 | | - || (echo 'Unexpected: Home directory outside sandbox not found'; false) |
219 | | -
|
220 | | - ls -l $HOME | grep '[[:space:]]something-in-home$' \ |
221 | | - || (echo 'Unexpected: File in $HOME outside sandbox not found'; false) |
222 | | - '' + |
223 | | - |
224 | | - # test |
225 | | - '' |
226 | | - # expect the cwd to be $HOME |
227 | | - ${wrap-bin} -f ${bash-bin} -c 'pwd' | grep '^/tmp/new-home$' \ |
228 | | - || (echo 'Unexpected: Cwd in sandbox is not $HOME'; false) |
| 25 | + lib = import ./lib.nix { |
| 26 | + inherit pkgs; |
| 27 | + }; |
229 | 28 |
|
230 | | - ${wrap-bin} -f ${bash-bin} -c 'ls $HOME' | grep '^something-in-home$' \ |
231 | | - || (echo 'Unexpected: Sandbox $HOME is empty'; false) |
| 29 | + devShells.default = import ./shell.nix { |
| 30 | + inherit pkgs; |
| 31 | + }; |
232 | 32 |
|
233 | | - echo 'test-success' > $out |
234 | | - ''; |
235 | | - } |
| 33 | + checks.default = import ./tests.nix { |
| 34 | + inherit pkgs; |
| 35 | + inherit (packages) wrap; |
| 36 | + }; |
236 | 37 |
|
237 | | - { |
238 | | - name = "parameter -f forces to share the cwd /, even though it is excluded from sharing as cwd implicitly"; |
239 | | - test = |
240 | | - # setup prerequisits |
241 | | - '' |
242 | | - # / is a directory expluded from implicit cwd sharing |
243 | | - cd / |
244 | | - '' + |
245 | | - # prerequisit checks |
246 | | - '' |
247 | | - pwd | grep "^/$" \ |
248 | | - || (echo 'Unexpected: Cwd to be / outside sandbox'; false) |
249 | | - ls -l | grep "[[:space:]]bin$" \ |
250 | | - || (echo 'Unexpected: Bin dir is missing in / outside sandbox'; false) |
251 | | - '' + |
252 | | - # test |
253 | | - '' |
254 | | - ${wrap-bin} -f ${bash-bin} -c 'pwd' | grep '^/$' 2> /dev/null \ |
255 | | - || (echo 'Unexpected: Cwd in sandbox is not /'; false) |
256 | | - ${wrap-bin} -f ${bash-bin} -c 'ls -l' | grep 'bin$' 2> /dev/null \ |
257 | | - || (echo 'Unexpected: Bin dir not in / inside sandbox'; false) |
258 | | - echo 'test-success' > $out |
259 | | - ''; |
260 | | - } |
261 | | - ]; |
262 | | - in |
263 | | - builtins.listToAttrs ( |
264 | | - map |
265 | | - (t: { |
266 | | - name = t.name; |
267 | | - value = pkgs.runCommand t.name { } t.test; |
268 | | - }) |
269 | | - tests |
270 | | - ); |
271 | 38 | } |
272 | 39 | ); |
273 | 40 | } |
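Review bot: `checks.default` at new line 33 binds whatever `./tests.nix` returns to a single check name, but the value the removed code built (a `builtins.listToAttrs` set holding one `pkgs.runCommand` derivation per test) is an attribute set rather than a derivation, so if `tests.nix` still returns that set, `nix flake check` will reject `checks.default`; `checks = import ./tests.nix { inherit pkgs; inherit (packages) wrap; };` keeps one check per test and the per-test build targets. `tests.nix` is not in the diff, so this is inferred from the deleted code. The TODO added at new line 12 is worth resolving in the same change: the moved tests depend on `/tmp/.X11-unix`, bind-mounted paths and a `Read-only file system` error, none of which can build on darwin, yet `eachDefaultSystem` still enumerates darwin systems, so `flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (` limits the outputs to the systems the checks can actually run on.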