1commit 3052c2c8be6a44aab2d4c5fa0d560a8109c5ed5e
2Author: 06kellyjac <dev@j-k.io>
3Date: Mon Sep 22 13:17:14 2025 +0100
4
5 fix(tests): add support for nix-build-system for tests
6
7 Co-authored-by: kuflierl <41301536+kuflierl@users.noreply.github.com>
8
9diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs
10index 989f378..0629fb5 100644
11--- a/src/systemd/resolver.rs
12+++ b/src/systemd/resolver.rs
13@@ -650,17 +650,14 @@ mod tests {
14 let OptionValue::List(opt_list) = &candidates[0].value else {
15 panic!();
16 };
17- assert!(opt_list.values.contains(&"/boot".to_owned()));
18+ // information gathering
19+ // eprint!("{}\n", &candidates[0].to_string());
20 assert!(opt_list.values.contains(&"/dev".to_owned()));
21 assert!(opt_list.values.contains(&"/etc".to_owned()));
22- assert!(opt_list.values.contains(&"/home".to_owned()));
23- assert!(opt_list.values.contains(&"/root".to_owned()));
24- assert!(opt_list.values.contains(&"/sys".to_owned()));
25+ assert!(opt_list.values.contains(&"/nix".to_owned()));
26+ assert!(opt_list.values.contains(&"/bin".to_owned()));
27+ assert!(opt_list.values.contains(&"/build".to_owned()));
28 assert!(opt_list.values.contains(&"/tmp".to_owned()));
29- assert!(opt_list.values.contains(&"/usr".to_owned()));
30- assert!(opt_list.values.contains(&"/var".to_owned()));
31- assert!(!opt_list.values.contains(&"/proc".to_owned()));
32- assert!(!opt_list.values.contains(&"/run".to_owned()));
33
34 let actions = vec![ProgramAction::Read("/var/data".into())];
35 let candidates = resolve(&opts, &actions, &hardening_opts);
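Review bot: The two negative assertions on `/proc` and `/run` are removed outright rather than adapted, so after this hunk the test only checks that paths are present in `opt_list.values` and no longer checks that anything is kept out of it. If those exclusions still hold inside the nix build sandbox (not visible from here), keep `assert!(!opt_list.values.contains(&"/proc".to_owned()));` and its `/run` counterpart. The commented-out `eprint!` and its `// information gathering` line are debugging leftovers and should be dropped from the patch. The added `/nix`, `/bin` and `/build` checks tie the test to the sandbox layout, which deserves a one-line comment such as `// paths present in the nix build sandbox`. The enclosing test function starts and ends outside the hunk.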
36diff --git a/tests/options.rs b/tests/options.rs
37index cf20ea0..ab9f389 100644
38--- a/tests/options.rs
39+++ b/tests/options.rs
40@@ -24,7 +24,7 @@ fn run_true() {
41 .assert()
42 .success()
43 .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
44- .stdout(if Uid::effective().is_root() {
45+ .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
46 BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
47 } else {
48 BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
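Review bot: The new condition `!env::current_exe().unwrap().starts_with("/home")` decides the expected `ProtectHome=` output from where the test binary lives, and the same expression is pasted into the hunks at -97, -130, -166, -201 and -353. A small helper in this file, e.g. `fn expects_protect_home() -> bool`, with a comment explaining why the binary's location matters, would keep the six call sites in step. The literal `/home` is only one of the directories systemd's ProtectHome= covers (`/root` and `/run/user` are the others), so a non-root run from a build directory under one of those would presumably get the wrong expectation. No hunk in this patch adds `use std::env;`, so this compiles only if tests/options.rs already imports it.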
49@@ -50,7 +50,7 @@ fn run_true() {
50 .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
51 .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
52 .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
53- .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
54+ .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
55 .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
56 }
57
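Review bot: Dropping `@process:EPERM` from the expected `SystemCallFilter=` line lowers the hardening this test demands for `true`, and nothing in the hunk says why; the same removal is made at -188 and -227, while the -379 hunk adds the group for `ss`. Because the whole deny list is matched as one literal string, a reader cannot tell an intended environment difference from a regression in the generated profile. A comment above the assertion, e.g. `// nix build: @process is not denied here because <reason>`, would record that.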
58@@ -97,7 +97,7 @@ fn run_ls_dev() {
59 .assert()
60 .success()
61 .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
62- .stdout(if Uid::effective().is_root() {
63+ .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
64 BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
65 } else {
66 BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
67@@ -130,12 +130,12 @@ fn run_ls_dev() {
68 fn run_ls_proc() {
69 Command::cargo_bin("shh")
70 .unwrap()
71- .args(["run", "--", "busybox", "ls", "/proc/1/"])
72+ .args(["run", "--", "ls", "/proc/1/"])
73 .unwrap()
74 .assert()
75 .success()
76 .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
77- .stdout(if Uid::effective().is_root() {
78+ .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
79 BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
80 } else {
81 BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
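Review bot: With `busybox` dropped from the `.args([...])` line, `ls` is whatever `PATH` resolves to in the build environment, so the option set asserted further down in `run_ls_proc` depends on which implementation gets traced. If the nix derivation pins a specific `ls`, say so in a comment next to the call, e.g. `// ls comes from <package> in the nix build inputs`. `run_ls_proc` continues past the end of this hunk.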
82@@ -166,7 +166,7 @@ fn run_ls_proc() {
83 .assert()
84 .success()
85 .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
86- .stdout(if Uid::effective().is_root() {
87+ .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
88 BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
89 } else {
90 BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
91@@ -188,7 +188,7 @@ fn run_ls_proc() {
92 .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
93 .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
94 .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
95- .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
96+ .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
97 .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
98 }
99
100@@ -201,7 +201,7 @@ fn run_read_kallsyms() {
101 .assert()
102 .success()
103 .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
104- .stdout(if Uid::effective().is_root() {
105+ .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
106 BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
107 } else {
108 BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
109@@ -227,7 +227,7 @@ fn run_read_kallsyms() {
110 .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
111 .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
112 .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
113- .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
114+ .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
115 .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
116 }
117
118@@ -344,6 +344,7 @@ fn run_systemctl() {
119 .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
120 }
121
122+// patched due to nix build isolation
123 #[test]
124 fn run_ss() {
125 Command::cargo_bin("shh")
126@@ -353,7 +354,7 @@ fn run_ss() {
127 .assert()
128 .success()
129 .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
130- .stdout(if Uid::effective().is_root() {
131+ .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
132 BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
133 } else {
134 BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
135@@ -369,7 +370,7 @@ fn run_ss() {
136 .stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1))
137 .stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1))
138 .stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1))
139- .stdout(predicate::str::contains("ProtectProc=").not())
140+ //.stdout(predicate::str::contains("ProtectProc=").not())
141 .stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1))
142 .stdout(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK AF_UNIX\n").count(1).or(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK\n").count(1)))
143 .stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1))
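Review bot: The `ProtectProc=` check is commented out rather than replaced, so `run_ss` no longer asserts anything about that option and the dead line stays in the test. If the sandbox run legitimately emits a `ProtectProc=` line, assert the expected value instead, in the form `.stdout(predicate::str::contains("ProtectProc=<expected>\n").count(1))`; otherwise delete the line and state the reason in the `// patched due to nix build isolation` comment added above the function. `run_ss` begins and ends outside this hunk.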
144@@ -379,7 +380,7 @@ fn run_ss() {
145 .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
146 .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
147 .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
148- .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
149+ .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
150 .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
151 }
152