diff --git a/src/lib.rs b/src/lib.rs index 55e4493..33cb817 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -121,12 +121,15 @@ mod tests { check: F, error_if_abi_lt_partial: bool, ) where - F: Fn(Ruleset) -> Result, + F: Fn(Ruleset) -> Result + Send + Copy + 'static, { // If there is no partial support, it means that `full == partial`. assert!(partial <= full.unwrap_or(partial)); for abi in ABI::iter() { - let ret = check(Ruleset::from(abi)); + // Ensures restrict_self() is called on a dedicated thread to avoid inconsistent tests. + let ret = std::thread::spawn(move || check(Ruleset::from(abi))) + .join() + .unwrap(); // Useful for failed tests and with cargo test -- --show-output println!("Checking ABI {abi:?}: received {ret:#?}"); @@ -178,7 +181,7 @@ mod tests { check_ruleset_support( abi, Some(abi), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::from_all(abi))? .create()? @@ -196,7 +199,7 @@ mod tests { check_ruleset_support( abi, Some(abi), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::from_all(abi))? .create()? @@ -214,7 +217,7 @@ mod tests { check_ruleset_support( abi, None, - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::from_all(abi))? .create()? @@ -237,7 +240,7 @@ mod tests { check_ruleset_support( abi, Some(abi), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::from_all(ABI::V1))? .create()? @@ -256,7 +259,7 @@ mod tests { check_ruleset_support( abi, Some(abi), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { // Sets default support requirement: abort the whole sandboxing for any Landlock error. Ok(ruleset // Must have at least the execute checkā€¦ @@ -281,7 +284,7 @@ mod tests { check_ruleset_support( abi, Some(abi), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset // Restricting without rule exceptions is legitimate to forbid a set of actions. .handle_access(AccessFs::Execute)? @@ -297,7 +300,7 @@ mod tests { check_ruleset_support( ABI::V1, Some(ABI::V2), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::Execute)? // AccessFs::Refer is not supported by ABI::V1 (best-effort). @@ -315,7 +318,7 @@ mod tests { check_ruleset_support( ABI::V2, Some(ABI::V2), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::Refer)? .create()? @@ -330,7 +333,7 @@ mod tests { check_ruleset_support( ABI::V2, Some(ABI::V3), - |ruleset: Ruleset| -> _ { + move |ruleset: Ruleset| -> _ { Ok(ruleset .handle_access(AccessFs::Refer)? .handle_access(AccessFs::Truncate)? diff --git a/src/ruleset.rs b/src/ruleset.rs index 6f7cff9..b444df5 100644 --- a/src/ruleset.rs +++ b/src/ruleset.rs @@ -663,20 +663,26 @@ fn ruleset_created_attr() { .unwrap(); // ...and finally restrict with the last rules (thanks to non-lexical lifetimes). - ruleset_created - .set_compatibility(CompatLevel::BestEffort) - .add_rule(PathBeneath::new( - PathFd::new("/tmp").unwrap(), - AccessFs::Execute, - )) - .unwrap() - .add_rule(PathBeneath::new( - PathFd::new("/var").unwrap(), - AccessFs::Execute, - )) - .unwrap() - .restrict_self() - .unwrap(); + assert_eq!( + ruleset_created + .set_compatibility(CompatLevel::BestEffort) + .add_rule(PathBeneath::new( + PathFd::new("/tmp").unwrap(), + AccessFs::Execute, + )) + .unwrap() + .add_rule(PathBeneath::new( + PathFd::new("/var").unwrap(), + AccessFs::Execute, + )) + .unwrap() + .restrict_self() + .unwrap(), + RestrictionStatus { + ruleset: RulesetStatus::NotEnforced, + no_new_privs: true, + } + ); } #[test]