Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered.
# Index of the NixOS VM tests. Takes `lib`, the `nixpkgs` source tree and
# `nixpkgsFor` (package sets indexed by system), and returns an attribute set
# mapping each test name to the result of `nixos-lib.runTest` for that test.
{ lib, nixpkgs, nixpkgsFor }:

let

  nixos-lib = import (nixpkgs + "/nixos/lib") { };

  # Run one test module through the NixOS test runner for `system`.
  # https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
  runNixOSTestFor = system: test:
    let
      # The same native package set is handed to the runner as `hostPkgs`
      # and set as `nixpkgs.pkgs` in `defaults`.
      nativePkgs = nixpkgsFor.${system}.native;
    in
    nixos-lib.runTest {
      imports = [ test ];
      hostPkgs = nativePkgs;
      defaults.nixpkgs.pkgs = nativePkgs;
      # Make the nixpkgs source tree available to test modules as an argument.
      _module.args.nixpkgs = nixpkgs;
    };

  # Most tests only run on x86_64-linux.
  runOnX86_64 = runNixOSTestFor "x86_64-linux";

in

{
  authorization = runOnX86_64 ./authorization.nix;

  remoteBuilds = runOnX86_64 ./remote-builds.nix;

  remoteBuildsSshNg = runOnX86_64 ./remote-builds-ssh-ng.nix;

  nix-copy-closure = runOnX86_64 ./nix-copy-closure.nix;

  nix-copy = runOnX86_64 ./nix-copy.nix;

  nssPreload = runOnX86_64 ./nss-preload.nix;

  githubFlakes = runOnX86_64 ./github-flakes.nix;

  sourcehutFlakes = runOnX86_64 ./sourcehut-flakes.nix;

  tarballFlakes = runOnX86_64 ./tarball-flakes.nix;

  containers = runOnX86_64 ./containers/containers.nix;

  # The only test instantiated per system: yields `setuid.i686-linux` and
  # `setuid.x86_64-linux`.
  setuid = lib.genAttrs
    [ "i686-linux" "x86_64-linux" ]
    (system: runNixOSTestFor system ./setuid.nix);

  # Sandbox regression test: per the accompanying commit message, checks that
  # abstract unix domain sockets cannot be used to leak file descriptors out
  # of the build sandbox and modify a path after it has been registered.
  ca-fd-leak = runOnX86_64 ./ca-fd-leak;
}