mirror of
https://github.com/NixOS/nix
Convert VM tests to Python
Perl-based tests are deprecated since NixOS 20.03 and subsequently got removed in NixOS 20.09, which effectively means that tests are going to fail as soon as we build it with NixOS 20.09 or anything newer. I've put "# fmt: off" at the start of every testScript, because formatting with Black really messes up indentation and I don't think it really adds anything in value or readability for inlined Python scripts. Signed-off-by: aszlig <aszlig@nix.build>
parent
2a37c35650
commit
5cfdf16dd6
4 changed files with 178 additions and 155 deletions
149
tests/setuid.nix
149
tests/setuid.nix
|
@ -2,7 +2,7 @@
|
|||
|
||||
{ nixpkgs, system, overlay }:
|
||||
|
||||
with import (nixpkgs + "/nixos/lib/testing.nix") {
|
||||
with import (nixpkgs + "/nixos/lib/testing-python.nix") {
|
||||
inherit system;
|
||||
extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
|
||||
};
|
||||
|
@ -17,94 +17,109 @@ makeTest {
|
|||
virtualisation.pathsInNixDB = [ pkgs.stdenv pkgs.pkgsi686Linux.stdenv ];
|
||||
};
|
||||
|
||||
testScript = { nodes }:
|
||||
''
|
||||
startAll;
|
||||
testScript = { nodes }: ''
|
||||
# fmt: off
|
||||
start_all()
|
||||
|
||||
# Copying to /tmp should succeed.
|
||||
$machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
")\' ');
|
||||
# Copying to /tmp should succeed.
|
||||
machine.succeed(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
# Creating a setuid binary should fail.
|
||||
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
chmod 4755 /tmp/id
|
||||
")\' ');
|
||||
# Creating a setuid binary should fail.
|
||||
machine.fail(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
chmod 4755 /tmp/id
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
# Creating a setgid binary should fail.
|
||||
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
chmod 2755 /tmp/id
|
||||
")\' ');
|
||||
# Creating a setgid binary should fail.
|
||||
machine.fail(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
chmod 2755 /tmp/id
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
# The checks should also work on 32-bit binaries.
|
||||
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
chmod 2755 /tmp/id
|
||||
")\' ');
|
||||
# The checks should also work on 32-bit binaries.
|
||||
machine.fail(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
chmod 2755 /tmp/id
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
# The tests above use fchmodat(). Test chmod() as well.
|
||||
$machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"chmod 0666, qw(/tmp/id) or die\"
|
||||
")\' ');
|
||||
# The tests above use fchmodat(). Test chmod() as well.
|
||||
machine.succeed(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"chmod 0666, qw(/tmp/id) or die\"
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 666 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 666 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"chmod 04755, qw(/tmp/id) or die\"
|
||||
")\' ');
|
||||
machine.fail(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"chmod 04755, qw(/tmp/id) or die\"
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
# And test fchmod().
|
||||
$machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
|
||||
")\' ');
|
||||
# And test fchmod().
|
||||
machine.succeed(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]');
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]')
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
machine.succeed("rm /tmp/id")
|
||||
|
||||
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
|
||||
")\' ');
|
||||
machine.fail(r"""
|
||||
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
|
||||
mkdir -p $out
|
||||
cp ${pkgs.coreutils}/bin/id /tmp/id
|
||||
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
|
||||
")'
|
||||
""".strip())
|
||||
|
||||
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
|
||||
|
||||
$machine->succeed("rm /tmp/id");
|
||||
'';
|
||||
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
|
||||
|
||||
machine.succeed("rm /tmp/id")
|
||||
'';
|
||||
}
|
||||
|
|
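Review bot: Setgid is only exercised by the two `chmod 2755` cases, which per the test's own comment go through fchmodat(); the Perl cases under "Test chmod() as well" and "And test fchmod()" in the second hunk only try setuid modes (`04755`, `04777`). A filter that blocked setgid on fchmodat() but missed it on chmod() or fchmod() would therefore still pass this test. Consider adding a copy of each negative Perl case with the setgid bit, e.g. `perl -e \"chmod 02755, qw(/tmp/id) or die\"`, followed by the same `[[ $(stat -c %a /tmp/id) = 555 ]]` check. The two Perl `machine.fail` calls also carry no comment of their own, unlike the earlier cases; a line such as `# chmod() must not be able to set the setuid bit either.` would make the intent readable. The enclosing `makeTest` block opens outside this hunk.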