Default to whitelist mode and parallelize tests

Flips the default sandbox mode from blacklist to whitelist and replaces the global RUST_TEST_THREADS=1 with a targeted RwLock that only serializes blacklist sandboxes against tests mutating glob-matching host paths. A new Sandbox newtype acquires the guard automatically when --blacklist is in args.
2026-04-27 08:18:41 +02:00
parent c77dbc10c3
commit 6e81866226
12 changed files with 158 additions and 81 deletions
@@ -2,7 +2,7 @@ use crate::common::*;

 #[test]
 fn whitelist_hides_home_contents() {
-    let output = sandbox(&["--whitelist"])
+    let output = Sandbox::new(&["--whitelist"])
        .args(["--", "bash", "-c", "ls ~/Documents 2>&1 || echo hidden"])
        .output()
        .expect("agent-sandbox binary failed to execute");
@@ -16,7 +16,7 @@ fn whitelist_hides_home_contents() {

 #[test]
 fn whitelist_sys_is_readable() {
-    let output = sandbox(&["--whitelist"])
+    let output = Sandbox::new(&["--whitelist"])
        .args(["--", "bash", "-c", "cat /sys/class/net/lo/address"])
        .output()
        .expect("agent-sandbox binary failed to execute");
@@ -30,7 +30,7 @@ fn whitelist_sys_is_readable() {

 #[test]
 fn blacklist_run_is_tmpfs() {
-    let output = sandbox(&[])
+    let output = Sandbox::new(&["--blacklist"])
        .args([
            "--",
            "bash",
@@ -49,7 +49,7 @@ fn blacklist_run_is_tmpfs() {

 #[test]
 fn blacklist_run_dbus_socket_accessible() {
-    let output = sandbox(&[])
+    let output = Sandbox::new(&["--blacklist"])
        .args([
            "--",
            "bash",
@@ -71,7 +71,7 @@ fn blacklist_runuser_is_tmpfs() {
    let run_user = agent_sandbox::require_run_user().expect("failed to determine XDG_RUNTIME_DIR");
    let script = format!("ls -A {} | grep -v '^bus$'", run_user);

-    let output = sandbox(&[])
+    let output = Sandbox::new(&["--blacklist"])
        .args(["--", "bash", "-c", &script])
        .output()
        .expect("agent-sandbox binary failed to execute");
@@ -86,7 +86,7 @@ fn blacklist_runuser_is_tmpfs() {

 #[test]
 fn blacklist_dev_input_hidden() {
-    let output = sandbox(&[])
+    let output = Sandbox::new(&["--blacklist"])
        .args(["--", "bash", "-c", "ls /dev/input/ 2>/dev/null | wc -l"])
        .output()
        .expect("agent-sandbox binary failed to execute");
@@ -100,7 +100,7 @@ fn blacklist_dev_input_hidden() {

 #[test]
 fn blacklist_root_is_readonly() {
-    let output = sandbox(&[])
+    let output = Sandbox::new(&["--blacklist"])
        .args([
            "--",
            "bash",
@@ -124,7 +124,7 @@ fn blacklist_root_is_readonly() {

 #[test]
 fn whitelist_root_is_readonly() {
-    let output = sandbox(&["--whitelist"])
+    let output = Sandbox::new(&["--whitelist"])
        .args([
            "--",
            "bash",
@@ -148,7 +148,7 @@ fn whitelist_root_is_readonly() {

 #[test]
 fn whitelist_mountpoint_parents_are_readonly() {
-    let output = sandbox(&["--whitelist"])
+    let output = Sandbox::new(&["--whitelist"])
        .args([
            "--",
            "bash",
@@ -177,7 +177,7 @@ fn whitelist_mountpoint_parents_are_readonly() {

 #[test]
 fn whitelist_tmp_still_writable() {
-    let output = sandbox(&["--whitelist"])
+    let output = Sandbox::new(&["--whitelist"])
        .args([
            "--",
            "bash",