colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/isolate: add tests

Browse Source
This commit is contained in:
Vir Chaudhury 2024-04-22 05:58:48 +08:00
parent 4ca92fb6ec
commit 4a0a12efc2
3 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/tests/all-tests.nix
View File

@ -399,6 +399,7 @@ in {
honk = runTest ./honk.nix;
installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
invidious = handleTest ./invidious.nix {};
isolate = handleTest ./isolate.nix {};
livebook-service = handleTest ./livebook-service.nix {};
pyload = handleTest ./pyload.nix {};
oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {};

38
nixos/tests/isolate.nix Normal file
View File

@ -0,0 +1,38 @@
import ./make-test-python.nix ({ lib, ... }:
{
name = "isolate";
meta.maintainers = with lib.maintainers; [ virchau13 ];
nodes.machine =
{ ... }:
{
security.isolate = {
enable = true;
};
};
testScript = ''
bash_path = machine.succeed('realpath $(which bash)').strip()
sleep_path = machine.succeed('realpath $(which sleep)').strip()
def sleep_test(walltime, sleeptime):
return f'isolate --no-default-dirs --wall-time {walltime} ' + \
f'--dir=/box={box_path} --dir=/nix=/nix --run -- ' + \
f"{bash_path} -c 'exec -a sleep {sleep_path} {sleeptime}'"
def sleep_test_cg(walltime, sleeptime):
return f'isolate --cg --no-default-dirs --wall-time {walltime} ' + \
f'--dir=/box={box_path} --dir=/nix=/nix --processes=2 --run -- ' + \
f"{bash_path} -c '( exec -a sleep {sleep_path} {sleeptime} )'"
with subtest("without cgroups"):
box_path = machine.succeed('isolate --init').strip()
machine.succeed(sleep_test(1, 0.5))
machine.fail(sleep_test(0.5, 1))
machine.succeed('isolate --cleanup')
with subtest("with cgroups"):
box_path = machine.succeed('isolate --cg --init').strip()
machine.succeed(sleep_test_cg(1, 0.5))
machine.fail(sleep_test_cg(0.5, 1))
machine.succeed('isolate --cg --cleanup')
'';
})

5
pkgs/tools/security/isolate/default.nix
View File

@ -6,6 +6,7 @@
, pkg-config
, systemdLibs
, installShellFiles
, nixosTests
}:
stdenv.mkDerivation rec {
@ -45,6 +46,10 @@ stdenv.mkDerivation rec {
runHook postInstall
'';
passthru.tests = {
isolate = nixosTests.isolate;
};
meta = {
description = "Sandbox for securely executing untrusted programs";
mainProgram = "isolate";