From 877fb29635370f3ebbdfd0211460bc66347269ea Mon Sep 17 00:00:00 2001
From: aszlig
Date: Fri, 11 Sep 2020 18:34:13 +0200
Subject: sandbox: Allow to enable/disable namespaces
While the sandbox was initially written for games, I now use the implementation for other things, such as sandboxing database management systems inside "nix develop". However, both MariaDB and PostgreSQL do not like it very much if for example IPC is too restricted and if the PID file contains the PID of the process inside the namespace. Additionally I always wanted to have a way to enable network namespaces for games as well, so this is a good occasion to make them configurable. Of course, since we need the mount and user namespaces to implement our sandbox in the first place, we can't allow users to disable these namespaces, but for everything else, we now have a new "namespaces" attribute.
Signed-off-by: aszlig
---
 tests/sandbox.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
(limited to 'tests')
diff --git a/tests/sandbox.nix b/tests/sandbox.nix
index 63d8af6e..b9f087a0 100644
--- a/tests/sandbox.nix
+++ b/tests/sandbox.nix
@@ -17,6 +17,20 @@
 services.xserver.enable = true;
 systemd.services.display-manager.enable = false;
+ systemd.sockets.netnstest = {
+ description = "Host Socket for Testing Network Namespaces";
+ requiredBy = [ "sockets.target" ];
+
+ socketConfig.ListenStream = "3000";
+ socketConfig.Accept = true;
+ };
+
+ systemd.services."netnstest@" = {
+ description = "Host Service for Testing Network Namespaces";
+ serviceConfig.StandardInput = "socket";
+ serviceConfig.ExecStart = "${pkgs.coreutils}/bin/tee /tmp/netns.log";
+ };
+
 environment.systemPackages = let
 mkNestedLinksTo = drv: let
 mkLink = name: to: pkgs.runCommandLocal name { inherit to; } ''
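Review bot: `serviceConfig.ExecStart = "${pkgs.coreutils}/bin/tee /tmp/netns.log"` truncates the log on every connection, because `Accept = true` starts one `netnstest@` instance per connection and `tee` without `-a` overwrites its output file. The log therefore only ever holds the payload of the most recent connection, so a grep for a leaked message can be defeated by any connection that arrives after the leak; `tee -a /tmp/netns.log` keeps every payload and makes the isolation assertions independent of their order. Separately, `socketConfig.ListenStream = "3000"` is not limited to loopback although the test only connects to 127.0.0.1; `"127.0.0.1:3000"` would state that intent and keep the listener off other interfaces.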
@@ -115,6 +129,12 @@
 # Another /bin/sh just to be sure :-)
 /bin/sh -c 'echo /bin/sh works'
 '') { allowBinSh = true; })
+
+ (pkgs.vuizvui.buildSandbox (pkgs.writeScriptBin "test-sandbox3" ''
+ #!${pkgs.stdenv.shell}
+ echo hello network | ${pkgs.netcat-openbsd}/bin/nc -N 127.0.0.1 3000 \
+ || echo netcat has failed
+ '') { namespaces.net = true; })
 ];
 users.users.foo.isNormalUser = true;
 };
@@ -137,5 +157,10 @@
 machine.succeed('test "$(< /home/foo/.cache/xdg/ownpid)" = 1')
 machine.succeed('test "$(su -c test-sandbox2 foo)" = "/bin/sh works"')
+
+ machine.succeed('su -c "echo root netns | nc -N 127.0.0.1 3000" foo')
+ machine.succeed('test "$(su -c test-sandbox3 foo)" = "netcat has failed"')
+ machine.fail('grep -F "hello network" /tmp/netns.log')
+ machine.succeed('grep -F "root netns" /tmp/netns.log')
 '';
 }
--
cgit 1.4.1
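Review bot: The fallback `|| echo netcat has failed` in `test-sandbox3` maps every non-zero exit of `nc` to the same string, so the test cannot tell a connection blocked by the separate network namespace from an unrelated failure inside the sandbox, and `nc`'s stderr is not part of what the test later compares. A comment above the script would record the expected cause, e.g. `# namespaces.net = true gives the sandbox its own network namespace, so the host's 127.0.0.1:3000 must be unreachable` (wording inferred from the commit message, please confirm). The connect attempt is also unbounded; `nc -N -w 5 127.0.0.1 3000` would keep a misbehaving namespace setup from stalling the test run.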
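Review bot: The four added assertions have no comment saying which one is the control: the first (`su -c "echo root netns | nc -N 127.0.0.1 3000" foo`) shows the host socket is reachable outside the sandbox, and only that makes the later `machine.fail('grep -F "hello network" /tmp/netns.log')` meaningful. A line such as `# control: the host netns reaches the socket; the sandboxed run must not` before them would make the structure explicit. `machine.fail` also passes when grep errors out on a missing log file, which here is excluded only by the final `machine.succeed`, so that pair should stay together if the block is reordered.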