Loading nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -399,6 +399,7 @@ in { honk = runTest ./honk.nix; installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); invidious = handleTest ./invidious.nix {}; isolate = handleTest ./isolate.nix {}; livebook-service = handleTest ./livebook-service.nix {}; pyload = handleTest ./pyload.nix {}; oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {}; Loading nixos/tests/isolate.nix 0 → 100644 +38 −0 Original line number Diff line number Diff line import ./make-test-python.nix ({ lib, ... }: { name = "isolate"; meta.maintainers = with lib.maintainers; [ virchau13 ]; nodes.machine = { ... }: { security.isolate = { enable = true; }; }; testScript = '' bash_path = machine.succeed('realpath $(which bash)').strip() sleep_path = machine.succeed('realpath $(which sleep)').strip() def sleep_test(walltime, sleeptime): return f'isolate --no-default-dirs --wall-time {walltime} ' + \ f'--dir=/box={box_path} --dir=/nix=/nix --run -- ' + \ f"{bash_path} -c 'exec -a sleep {sleep_path} {sleeptime}'" def sleep_test_cg(walltime, sleeptime): return f'isolate --cg --no-default-dirs --wall-time {walltime} ' + \ f'--dir=/box={box_path} --dir=/nix=/nix --processes=2 --run -- ' + \ f"{bash_path} -c '( exec -a sleep {sleep_path} {sleeptime} )'" with subtest("without cgroups"): box_path = machine.succeed('isolate --init').strip() machine.succeed(sleep_test(1, 0.5)) machine.fail(sleep_test(0.5, 1)) machine.succeed('isolate --cleanup') with subtest("with cgroups"): box_path = machine.succeed('isolate --cg --init').strip() machine.succeed(sleep_test_cg(1, 0.5)) machine.fail(sleep_test_cg(0.5, 1)) machine.succeed('isolate --cg --cleanup') ''; }) pkgs/tools/security/isolate/default.nix +5 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,7 @@ , pkg-config , systemdLibs , installShellFiles , nixosTests }: stdenv.mkDerivation rec { Loading Loading @@ -45,6 +46,10 @@ stdenv.mkDerivation rec { runHook postInstall ''; passthru.tests = { isolate = nixosTests.isolate; }; meta = { description = "Sandbox for securely executing untrusted programs"; mainProgram = "isolate"; Loading Loading
nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -399,6 +399,7 @@ in { honk = runTest ./honk.nix; installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); invidious = handleTest ./invidious.nix {}; isolate = handleTest ./isolate.nix {}; livebook-service = handleTest ./livebook-service.nix {}; pyload = handleTest ./pyload.nix {}; oci-containers = handleTestOn ["aarch64-linux" "x86_64-linux"] ./oci-containers.nix {}; Loading
nixos/tests/isolate.nix 0 → 100644 +38 −0 Original line number Diff line number Diff line import ./make-test-python.nix ({ lib, ... }: { name = "isolate"; meta.maintainers = with lib.maintainers; [ virchau13 ]; nodes.machine = { ... }: { security.isolate = { enable = true; }; }; testScript = '' bash_path = machine.succeed('realpath $(which bash)').strip() sleep_path = machine.succeed('realpath $(which sleep)').strip() def sleep_test(walltime, sleeptime): return f'isolate --no-default-dirs --wall-time {walltime} ' + \ f'--dir=/box={box_path} --dir=/nix=/nix --run -- ' + \ f"{bash_path} -c 'exec -a sleep {sleep_path} {sleeptime}'" def sleep_test_cg(walltime, sleeptime): return f'isolate --cg --no-default-dirs --wall-time {walltime} ' + \ f'--dir=/box={box_path} --dir=/nix=/nix --processes=2 --run -- ' + \ f"{bash_path} -c '( exec -a sleep {sleep_path} {sleeptime} )'" with subtest("without cgroups"): box_path = machine.succeed('isolate --init').strip() machine.succeed(sleep_test(1, 0.5)) machine.fail(sleep_test(0.5, 1)) machine.succeed('isolate --cleanup') with subtest("with cgroups"): box_path = machine.succeed('isolate --cg --init').strip() machine.succeed(sleep_test_cg(1, 0.5)) machine.fail(sleep_test_cg(0.5, 1)) machine.succeed('isolate --cg --cleanup') ''; })
pkgs/tools/security/isolate/default.nix +5 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,7 @@ , pkg-config , systemdLibs , installShellFiles , nixosTests }: stdenv.mkDerivation rec { Loading Loading @@ -45,6 +46,10 @@ stdenv.mkDerivation rec { runHook postInstall ''; passthru.tests = { isolate = nixosTests.isolate; }; meta = { description = "Sandbox for securely executing untrusted programs"; mainProgram = "isolate"; Loading
