Rework handling of /run and ${RUNUSER} in blacklist mode

2026-03-25 22:48:39 +01:00
parent 0bd91ffad2
commit 82f84247f1
5 changed files with 115 additions and 3 deletions
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -1,6 +1,7 @@
 use std::fs;
 use std::process::Command;

+use agent_sandbox::blacklist;
 use tempfile::TempDir;

 fn sandbox(extra_args: &[&str]) -> Command {
@@ -350,6 +351,62 @@ fn new_session_isolates_sid() {
    );
 }

+#[test]
+fn blacklist_run_is_tmpfs() {
+    let output = sandbox(&[])
+        .args([
+            "--",
+            "bash",
+            "-c",
+            "touch /run/test_canary 2>&1 && echo WRITABLE || echo BLOCKED",
+        ])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    assert!(
+        stdout.contains("WRITABLE"),
+        "expected /run to be a writable tmpfs in blacklist mode, got: {stdout}"
+    );
+}
+
+#[test]
+fn blacklist_run_dbus_socket_accessible() {
+    let output = sandbox(&[])
+        .args([
+            "--",
+            "bash",
+            "-c",
+            "test -e /run/dbus/system_bus_socket && echo EXISTS || echo MISSING",
+        ])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+    assert_eq!(
+        stdout, "EXISTS",
+        "expected /run/dbus/system_bus_socket to be accessible in blacklist mode"
+    );
+}
+
+#[test]
+fn blacklist_runuser_is_tmpfs() {
+    let ctx = blacklist::resolve_path_context().expect("failed to resolve path context");
+    let script = format!("ls -A {} | grep -v '^bus$'", ctx.run_user);
+
+    let output = sandbox(&[])
+        .args(["--", "bash", "-c", &script])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout).trim().to_string();
+    assert!(
+        stdout.is_empty(),
+        "expected only 'bus' (or empty) in {}, got unexpected entries: {stdout}",
+        ctx.run_user
+    );
+}
+
 #[test]
 fn rw_missing_path_errors() {
    let output = sandbox(&["--rw", "/nonexistent/xyz"])