release.nix: Add a test for sandboxing
Right now it only tests whether seccomp correctly forges the return value of chown, but the long-term goal is to test the full sandboxing functionality at some point in the future. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
parent
b90a435332
commit
651a18dd24
2 changed files with 57 additions and 0 deletions
@ -200,6 +200,10 @@ let
nix = build.x86_64-linux; system = "x86_64-linux";
nix = build.x86_64-linux; system = "x86_64-linux";
});
});
|
|
tests.sandbox = (import ./tests/sandbox.nix rec {
nix = build.x86_64-linux; system = "x86_64-linux";
});
|
|
tests.binaryTarball =
tests.binaryTarball =
with import <nixpkgs> { system = "x86_64-linux"; };
with import <nixpkgs> { system = "x86_64-linux"; };
vmTools.runInLinuxImage (runCommand "nix-binary-tarball-test"
vmTools.runInLinuxImage (runCommand "nix-binary-tarball-test"
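--- /dev/null
+++ b/tests/sandbox.nix
@@ -0,0 +1,53 @@
+# Test Nix builder sandbox.
+
+{ system, nix }:
+
+with import <nixpkgs/nixos/lib/testing.nix> { inherit system; };
+
+let
+mkUtils = pkgs: pkgs.buildEnv {
+name = "sandbox-utils";
+paths = [ pkgs.coreutils pkgs.utillinux pkgs.bash ];
+pathsToLink = [ "/bin" "/sbin" ];
+};
+
+utils32 = mkUtils pkgs.pkgsi686Linux;
+utils64 = mkUtils pkgs;
+
+sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
+[ $(id -u) -eq 0 ]
+touch foo
+chown 1024:1024 foo
+touch "$out"
+'';
+
+testExpr = arch: pkgs.writeText "sandbox-test.nix" ''
+let
+utils = builtins.storePath
+${if arch == "i686-linux" then utils32 else utils64};
+in derivation {
+name = "sandbox-test";
+system = "${arch}";
+builder = "''${utils}/bin/bash";
+args = ["-e" ${sandboxTestScript}];
+PATH = "''${utils}/bin";
+}
+'';
+
+in makeTest {
+name = "nix-sandbox";
+
+machine = { pkgs, ... }: {
+nix.package = nix;
+nix.useSandbox = true;
+nix.binaryCaches = [];
+virtualisation.writableStore = true;
+virtualisation.pathsInNixDB = [ utils32 utils64 ];
+};
+
+testScript = ''
+$machine->waitForUnit("multi-user.target");
+$machine->succeed("nix-build ${testExpr "x86_64-linux"}");
+$machine->succeed("nix-build ${testExpr "i686-linux"}");
+'';
+}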
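Review bot: The script in sandboxTestScript only checks that `chown 1024:1024 foo` exits 0 (bash is started with `-e`), and an unsandboxed chown performed by a real uid 0 would presumably exit 0 as well, so the test cannot tell a forged return value apart from an ownership change that actually took effect — yet the commit message says the forgery is the thing under test. Asserting that the owner is unchanged right after the chown, e.g. `[ "$(stat -c %u foo)" -eq "$(id -u)" ]`, pins the seccomp behaviour rather than just the exit status; `stat` comes from coreutils, which is already in the buildEnv. A one-line comment above the chown, such as `# inside the sandbox this must appear to succeed without changing the owner`, would also tell the next reader why the script chowns to an arbitrary id, since nothing in the file currently says so.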