Organize test code better

2026-04-25 15:10:42 +02:00
parent 0ea83b2af0
commit 7f9b21ef4f
16 changed files with 2852 additions and 2830 deletions
@@ -164,42 +164,5 @@ const BLACKLIST_DROP_SUFFIXES: &[&str] = &[
 ];

 #[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn keepenv_emits_setenv_for_present_key() {
-        let parent = vec![("XDG_RUNTIME_DIR".into(), "/run/user/1000".into())];
-        let args = keepenv_args(&["XDG_RUNTIME_DIR".into()], &parent);
-        assert_eq!(args, vec!["--setenv", "XDG_RUNTIME_DIR", "/run/user/1000"]);
-    }
-
-    #[test]
-    fn keepenv_skips_absent_keys() {
-        let parent = vec![("HOME".into(), "/home/me".into())];
-        let args = keepenv_args(&["XDG_RUNTIME_DIR".into()], &parent);
-        assert!(args.is_empty());
-    }
-
-    #[test]
-    fn keepenv_preserves_caller_key_order() {
-        let parent = vec![
-            ("B".into(), "2".into()),
-            ("A".into(), "1".into()),
-            ("C".into(), "3".into()),
-        ];
-        let args = keepenv_args(&["A".into(), "B".into(), "C".into()], &parent);
-        assert_eq!(
-            args,
-            vec![
-                "--setenv", "A", "1", "--setenv", "B", "2", "--setenv", "C", "3"
-            ]
-        );
-    }
-
-    #[test]
-    fn keepenv_empty_keys_yields_nothing() {
-        let parent = vec![("A".into(), "1".into())];
-        assert!(keepenv_args(&[], &parent).is_empty());
-    }
-}
+#[path = "../tests/unit/env.rs"]
+mod tests;
@@ -164,81 +164,5 @@ fn serialize(program: &[sock_filter]) -> Vec<u8> {
 }

 #[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn builds_on_supported_arch() {
-        let bytes = build_program_bytes().expect("seccomp program should build");
-        assert!(!bytes.is_empty(), "serialized BPF program is empty");
-        assert_eq!(bytes.len() % 8, 0, "BPF byte stream must be 8-byte aligned");
-    }
-
-    #[test]
-    fn allowlist_contains_essential_syscalls() {
-        for needed in &[
-            "read",
-            "write",
-            "openat",
-            "close",
-            "execve",
-            "exit_group",
-            "mmap",
-            "brk",
-            "clone",
-        ] {
-            assert!(
-                ALLOWED_SYSCALLS.contains(needed),
-                "allowlist missing essential syscall: {needed}"
-            );
-        }
-    }
-
-    #[test]
-    fn allowlist_excludes_dangerous_syscalls() {
-        for denied in &[
-            "bpf",
-            "perf_event_open",
-            "userfaultfd",
-            "kexec_load",
-            "kexec_file_load",
-            "init_module",
-            "finit_module",
-            "delete_module",
-            "mount",
-            "umount",
-            "umount2",
-            "unshare",
-            "setns",
-            "pivot_root",
-            "ptrace",
-            "process_vm_readv",
-            "process_vm_writev",
-            "keyctl",
-            "personality",
-            "clone3",
-            "io_uring_setup",
-            "io_uring_register",
-            "io_uring_enter",
-            "fanotify_init",
-            "fanotify_mark",
-            "open_by_handle_at",
-            "name_to_handle_at",
-            "fsopen",
-            "fsconfig",
-            "fsmount",
-            "fspick",
-            "open_tree",
-            "move_mount",
-            "mount_setattr",
-            "reboot",
-            "swapon",
-            "swapoff",
-        ] {
-            assert!(
-                !ALLOWED_SYSCALLS.contains(denied),
-                "allowlist must not contain dangerous syscall: {denied}"
-            );
-        }
-    }
-}
+#[path = "../tests/unit/seccomp.rs"]
+mod tests;