Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(tests): run handlers integration tests in landlock sandbox #1129

Merged
merged 3 commits into from
Feb 12, 2025
Merged

fix(tests): run handlers integration tests in landlock sandbox #1129

merged 3 commits into from
Feb 12, 2025

Conversation

qkaiser
Copy link
Contributor

@qkaiser qkaiser commented Feb 11, 2025

Handlers tests were not previously run within the landlock sandbox, and even if it was they would have full access to the filesystem since our is_sandbox_available() was checking for landlock's API availability by requesting read-write access to '/'.

It's now fixed by:

  • running is_sandbox_available() within its own thread, not to pollute the main thread
  • run integration tests within the sandbox, one sandboxed thread per handler

The objective is to identify early any issues we may get into when running extraction within the sandbox.

@qkaiser qkaiser added the enhancement New feature or request label Feb 11, 2025
@qkaiser qkaiser self-assigned this Feb 11, 2025
@qkaiser qkaiser linked an issue Feb 11, 2025 that may be closed by this pull request
landlock sandboxing is too permissive in tests #1086
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 11, 2025
View reviewed changes
vlaci
vlaci reviewed Feb 12, 2025
View reviewed changes
@qkaiser qkaiser force-pushed the sandbox-handlers-tests branch from a841190 to 7ad8cd2 Compare February 12, 2025 12:04
vlaci
vlaci reviewed Feb 12, 2025
View reviewed changes
@qkaiser qkaiser force-pushed the sandbox-handlers-tests branch from 7ad8cd2 to bef4fd4 Compare February 12, 2025 15:49
@qkaiser qkaiser force-pushed the sandbox-handlers-tests branch from bef4fd4 to 154e90f Compare February 12, 2025 18:15
@qkaiser
fix(tests): replace is_sandbox_available() with landlock_supported()
963f868 
It's cleaner to check for Landlock's availability by executing a syscall
with an empty ruleset. Plus it was already used by the rust part of our
python library.
@qkaiser
fix(tests): run handlers integration tests in landlock sandbox
b009fe7
@qkaiser
chore(devenv): ignore .devenv when running pyright
46a2f85
@qkaiser qkaiser force-pushed the sandbox-handlers-tests branch from 154e90f to 46a2f85 Compare February 12, 2025 18:15
@qkaiser qkaiser enabled auto-merge February 12, 2025 18:16
@qkaiser qkaiser added this pull request to the merge queue Feb 12, 2025
Merged via the queue into main with commit 5abed8f Feb 12, 2025
22 checks passed
@qkaiser qkaiser deleted the sandbox-handlers-tests branch February 12, 2025 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vlaci vlaci vlaci approved these changes

Assignees

@qkaiser qkaiser

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

landlock sandboxing is too permissive in tests
2 participants
@qkaiser @vlaci