Default to whitelist mode and parallelize tests
Flips the default sandbox mode from blacklist to whitelist and replaces the global RUST_TEST_THREADS=1 with a targeted RwLock that only serializes blacklist sandboxes against tests mutating glob-matching host paths. A new Sandbox newtype acquires the guard automatically when --blacklist is in args.
This commit is contained in:
@@ -2,7 +2,7 @@ use crate::common::*;
|
||||
|
||||
#[test]
|
||||
fn seccomp_on_by_default_blocks_unshare() {
|
||||
let output = sandbox(&[])
|
||||
let output = Sandbox::new(&[])
|
||||
.args(["--", "unshare", "--user", "--map-root-user", "/bin/true"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -15,7 +15,7 @@ fn seccomp_on_by_default_blocks_unshare() {
|
||||
|
||||
#[test]
|
||||
fn seccomp_off_allows_blocked_syscall() {
|
||||
let output = sandbox(&["--no-seccomp"])
|
||||
let output = Sandbox::new(&["--no-seccomp"])
|
||||
.args(["--", "unshare", "--user", "--map-root-user", "/bin/true"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -29,7 +29,7 @@ fn seccomp_off_allows_blocked_syscall() {
|
||||
|
||||
#[test]
|
||||
fn seccomp_dry_run_emits_seccomp_arg() {
|
||||
let output = sandbox(&["--dry-run"])
|
||||
let output = Sandbox::new(&["--dry-run"])
|
||||
.args(["--", "/bin/true"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -43,7 +43,7 @@ fn seccomp_dry_run_emits_seccomp_arg() {
|
||||
|
||||
#[test]
|
||||
fn seccomp_dry_run_no_seccomp_omits_arg() {
|
||||
let output = sandbox(&["--dry-run", "--no-seccomp"])
|
||||
let output = Sandbox::new(&["--dry-run", "--no-seccomp"])
|
||||
.args(["--", "/bin/true"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -57,7 +57,7 @@ fn seccomp_dry_run_no_seccomp_omits_arg() {
|
||||
|
||||
#[test]
|
||||
fn seccomp_normal_workload_succeeds() {
|
||||
let output = sandbox(&[])
|
||||
let output = Sandbox::new(&[])
|
||||
.args(["--", "bash", "-c", "ls /etc > /dev/null && date"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -72,7 +72,7 @@ fn seccomp_normal_workload_succeeds() {
|
||||
fn seccomp_bash_pthread_fallback_works() {
|
||||
// Verifies the ENOSYS-not-EPERM choice for clone3 doesn't break libc's
|
||||
// clone3 -> clone fallback path that bash uses internally.
|
||||
let output = sandbox(&[])
|
||||
let output = Sandbox::new(&[])
|
||||
.args(["--", "bash", "-c", "true"])
|
||||
.output()
|
||||
.expect("agent-sandbox binary failed to execute");
|
||||
@@ -92,7 +92,7 @@ fn seccomp_blocks_tiocsti() {
|
||||
// On kernels >= 6.2 with CONFIG_LEGACY_TIOCSTI=n, the kernel blocks TIOCSTI
|
||||
// before seccomp sees it. We test with --no-seccomp first to detect that and
|
||||
// skip, so the test only asserts our filter's behaviour.
|
||||
let baseline = sandbox(&["--no-seccomp"])
|
||||
let baseline = Sandbox::new(&["--no-seccomp"])
|
||||
.args([
|
||||
"--",
|
||||
"python3",
|
||||
@@ -107,7 +107,7 @@ fn seccomp_blocks_tiocsti() {
|
||||
return;
|
||||
}
|
||||
|
||||
let output = sandbox(&[])
|
||||
let output = Sandbox::new(&[])
|
||||
.args([
|
||||
"--",
|
||||
"python3",
|
||||
|
||||
Reference in New Issue
Block a user