Default to whitelist mode and parallelize tests

Flips the default sandbox mode from blacklist to whitelist and
replaces the global RUST_TEST_THREADS=1 with a targeted RwLock
that only serializes blacklist sandboxes against tests mutating
glob-matching host paths. A new Sandbox newtype acquires the
guard automatically when --blacklist is in args.
2026-04-27 08:18:41 +02:00
parent c77dbc10c3
commit 6e81866226
12 changed files with 158 additions and 81 deletions
+8 -8
@@ -13,7 +13,7 @@ fn read_sid_from_stat(stat: &str) -> u32 {
}
fn read_sid_inside_sandbox(extra_args: &[&str]) -> u32 {
let output = sandbox(extra_args)
let output = Sandbox::new(extra_args)
.args(["--", "bash", "-c", "cat /proc/self/stat"])
.output()
.expect("agent-sandbox binary failed to execute");
@@ -26,7 +26,7 @@ fn read_sid_current_process() -> u32 {
}
#[test]
fn unshare_net_blocks_network() {
let output = sandbox(&["--unshare-net"])
let output = Sandbox::new(&["--unshare-net"])
.args([
"--",
"bash",
@@ -45,7 +45,7 @@ fn unshare_net_blocks_network() {
#[test]
fn hardened_pid_namespace() {
let output = sandbox(&["--hardened"])
let output = Sandbox::new(&["--hardened"])
.args(["--", "bash", "-c", "ls /proc | grep -cE '^[0-9]+$'"])
.output()
.expect("agent-sandbox binary failed to execute");
@@ -65,7 +65,7 @@ fn chdir_override() {
let dir = TempDir::new().expect("failed to create temp dir");
let dir_str = dir.path().to_str().unwrap();
let output = sandbox(&["--chdir", dir_str])
let output = Sandbox::new(&["--chdir", dir_str])
.args(["--", "bash", "-c", "pwd"])
.output()
.expect("agent-sandbox binary failed to execute");
@@ -82,7 +82,7 @@ fn chdir_under_hardened_tmp() {
let dir = TempDir::new().expect("failed to create temp dir");
let dir_str = dir.path().to_str().unwrap();
let output = sandbox(&["--hardened", "--chdir", dir_str])
let output = Sandbox::new(&["--hardened", "--chdir", dir_str])
.args(["--", "bash", "-c", "pwd && touch ./ok && echo done"])
.output()
.expect("agent-sandbox binary failed to execute");
@@ -106,12 +106,12 @@ fn hardened_isolates_sid() {
}
#[test]
fn default_mode_shares_session() {
let inner_sid = read_sid_inside_sandbox(&[]);
fn blacklist_mode_shares_session() {
let inner_sid = read_sid_inside_sandbox(&["--blacklist"]);
let outer_sid = read_sid_current_process();
assert_eq!(
inner_sid, outer_sid,
"default-mode sandbox should share the session ID (got {inner_sid} != {outer_sid})"
"blacklist-mode sandbox should share the session ID (got {inner_sid} != {outer_sid})"
);
}
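Review bot: Renaming `default_mode_shares_session` to `blacklist_mode_shares_session` and passing `&["--blacklist"]` removes the only test that pinned the session-ID behaviour of the default mode, which this same commit flips to whitelist. `hardened_isolates_sid` covers `--hardened` and the renamed test covers `--blacklist`, but nothing in this file now asserts whether a plain `Sandbox::new(&[])` shares or isolates the host session, so a regression in the new default would go unnoticed. If whitelist mode is meant to keep the caller's session as blacklist mode does, keep a sibling test: `#[test] fn default_mode_shares_session() { assert_eq!(read_sid_inside_sandbox(&[]), read_sid_current_process(), "default (whitelist) sandbox should share the session ID"); }`; if the new default is meant to isolate the session like `--hardened`, use `assert_ne!` and name the test accordingly. Either way the expected default should be stated explicitly rather than left implied by the absence of a test.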