From d90a7cf68d5cd5b625756ff258f3c99754d6880d Mon Sep 17 00:00:00 2001 From: aszlig Date: Sat, 23 Mar 2019 21:13:38 +0100 Subject: sandbox: Add an option to set up /bin/sh So far I mostly used this implementation for the games we have packaged, where we pretty much patch out all commands that execute external programs. However in order to be useful in a more generic way, it makes sense to provide a /bin/sh implementation, especially when you have to deal with scripting languages. I'm using dash here, because it's a more minimal implementation rather than the default shell (bash) we use in nixpkgs and it practically only needs to be able to run constructs like "/bin/sh -c foo". Signed-off-by: aszlig --- tests/sandbox.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'tests') diff --git a/tests/sandbox.nix b/tests/sandbox.nix index e92099bf..0a860793 100644 --- a/tests/sandbox.nix +++ b/tests/sandbox.nix @@ -37,6 +37,10 @@ # Should fail because we can't access the host's PATH ! echo foo | grep -qF foo + # No /bin/sh by default + test ! -e /bin + test ! -e /bin/sh + # Write PID information to files, so that we can later verify whether # we were in a PID namespace. echo $$ > /home/foo/.cache/xdg/ownpid @@ -105,6 +109,12 @@ paths.wanted = [ "/home/foo/nonexisting" ]; paths.runtimeVars = [ "COLLECT_ME" ]; }) + + (pkgs.vuizvui.buildSandbox (pkgs.writeScriptBin "test-sandbox2" '' + #!/bin/sh + # Another /bin/sh just to be sure :-) + /bin/sh -c 'echo /bin/sh works' + '') { allowBinSh = true; }) ]; users.users.foo.isNormalUser = true; }; @@ -124,5 +134,7 @@ $machine->succeed('test "$(< /home/foo/.cache/xdg/procpids)" = /proc/1'); $machine->succeed('test "$(< /home/foo/.cache/xdg/ownpid)" = 1'); + + $machine->succeed('test "$(su -c test-sandbox2 foo)" = "/bin/sh works"'); ''; } -- cgit 1.4.1