nix/tests/nixos
Théophane Hufschmitt 3481a9c41d Run the builds in a daemon-controled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.

fix: do not use unknown setting

tests: remove build-dir test
2024-04-22 18:37:52 -04:00
..
ca-fd-leak Add a NixOS test for the sandbox escape 2024-03-07 09:33:40 +01:00
containers Re-enable systemd-nspawn test 2023-09-20 17:03:47 +00:00
user-sandboxing Run the builds in a daemon-controled directory 2024-04-22 18:37:52 -04:00
authorization.nix Allow to sign path as unprivileged user 2023-06-27 18:31:31 +02:00
github-flakes.nix Use "touch -h" 2023-09-19 17:21:07 +02:00
nix-copy-closure.nix Use the official, documented NixOS runTest interface 2023-01-20 16:23:52 +01:00
nix-copy.nix Fix nix-copy test 2023-08-30 19:35:02 -04:00
nss-preload.nix Use the official, documented NixOS runTest interface 2023-01-20 16:23:52 +01:00
remote-builds.nix Add regression test 2023-02-10 17:51:44 +01:00
setuid.nix Use the official, documented NixOS runTest interface 2023-01-20 16:23:52 +01:00
sourcehut-flakes.nix Use "touch -h" 2023-09-19 17:21:07 +02:00
tarball-flakes.nix Use "touch -h" 2023-09-19 17:21:07 +02:00