nixos/isolate: add tests
This commit is contained in:
parent
4ca92fb6ec
commit
4a0a12efc2
@ -399,6 +399,7 @@ in {
|
||||
honk = runTest ./honk.nix;
|
||||
installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
|
||||
invidious = handleTest ./invidious.nix {};
|
||||
isolate = handleTest ./isolate.nix {};
|
||||
livebook-service = handleTest ./livebook-service.nix {};
|
||||
pyload = handleTest ./pyload.nix {};
|
||||
oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {};
|
||||
|
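--- /dev/null
+++ b/nixos/tests/isolate.nix
@@ -0,0 +1,38 @@
+import ./make-test-python.nix ({ lib, ... }:
+{
+  name = "isolate";
+  meta.maintainers = with lib.maintainers; [ virchau13 ];
+
+  nodes.machine =
+    { ... }:
+    {
+      security.isolate = {
+        enable = true;
+      };
+    };
+
+  testScript = ''
+    bash_path = machine.succeed('realpath $(which bash)').strip()
+    sleep_path = machine.succeed('realpath $(which sleep)').strip()
+    def sleep_test(walltime, sleeptime):
+        return f'isolate --no-default-dirs --wall-time {walltime} ' + \
+            f'--dir=/box={box_path} --dir=/nix=/nix --run -- ' + \
+            f"{bash_path} -c 'exec -a sleep {sleep_path} {sleeptime}'"
+
+    def sleep_test_cg(walltime, sleeptime):
+        return f'isolate --cg --no-default-dirs --wall-time {walltime} ' + \
+            f'--dir=/box={box_path} --dir=/nix=/nix --processes=2 --run -- ' + \
+            f"{bash_path} -c '( exec -a sleep {sleep_path} {sleeptime} )'"
+
+    with subtest("without cgroups"):
+        box_path = machine.succeed('isolate --init').strip()
+        machine.succeed(sleep_test(1, 0.5))
+        machine.fail(sleep_test(0.5, 1))
+        machine.succeed('isolate --cleanup')
+    with subtest("with cgroups"):
+        box_path = machine.succeed('isolate --cg --init').strip()
+        machine.succeed(sleep_test_cg(1, 0.5))
+        machine.fail(sleep_test_cg(0.5, 1))
+        machine.succeed('isolate --cg --cleanup')
+  '';
+})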
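Review bot: The two `machine.fail(...)` calls in the testScript accept any non-zero exit from `isolate`, so they would also pass if the sandbox failed for an unrelated reason (bad directory rule, cgroup tree not mounted, `sleep` not reachable inside the box) rather than because the wall-time limit fired. Passing `--meta=/tmp/meta` to the timed-out invocation and then asserting `machine.succeed("grep -q '^status:TO' /tmp/meta")` pins the behaviour the test is actually after, and the same meta file lets the cgroup subtest confirm `--cg` was in effect. Nothing here exercises the isolation itself: with `--no-default-dirs` only `/box` and `/nix` are mapped, so a cheap negative check such as `machine.fail(f"isolate --no-default-dirs --dir=/box={box_path} --dir=/nix=/nix --run -- {bash_path} -c 'cat /etc/passwd'")` would catch a regression that silently widens the mount set. The script runs every command as root, so the setuid wrapper that `security.isolate.enable` presumably installs is never used on the privilege-dropping path it exists for; running one invocation as an unprivileged user (e.g. via `su`) would cover that — confirm against the module before relying on it.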
@ -6,6 +6,7 @@
|
||||
, pkg-config
|
||||
, systemdLibs
|
||||
, installShellFiles
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
@ -45,6 +46,10 @@ stdenv.mkDerivation rec {
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
passthru.tests = {
|
||||
isolate = nixosTests.isolate;
|
||||
};
|
||||
|
||||
meta = {
|
||||
description = "Sandbox for securely executing untrusted programs";
|
||||
mainProgram = "isolate";
|
||||
|