#![cfg(target_os = "linux")]
mod linux {
use std::fs::File;
use std::io::Write;
use std::path::{Path, PathBuf};
use std::process::Command;
fn supervisor_exe() -> PathBuf {
if let Some(path) = std::env::var_os("CARGO_BIN_EXE_cellos_supervisor") {
return PathBuf::from(path);
}
let root = Path::new(env!("CARGO_MANIFEST_DIR"))
.parent()
.and_then(|p| p.parent())
.expect("cellos-supervisor crate under workspace root");
let profile = std::env::var("PROFILE").unwrap_or_else(|_| "debug".into());
root.join("target").join(profile).join("cellos-supervisor")
}
fn write_spec(dir: &Path, name: &str, argv_json: &str) -> PathBuf {
let spec_path = dir.join(format!("{name}.json"));
let json = format!(
r#"{{"apiVersion":"cellos.io/v1","kind":"ExecutionCell","spec":{{"id":"{name}","authority":{{"secretRefs":[]}},"lifetime":{{"ttlSeconds":60}},"run":{
"secretDelivery": "env",{"argv":{argv_json}}}}}}}"#
);
let mut file = File::create(&spec_path).expect("create spec");
file.write_all(json.as_bytes()).expect("write spec");
drop(file);
spec_path
}
#[test]
fn supervisor_runs_true_with_baseline_seccomp() {
let dir = tempfile::tempdir().expect("tempdir");
let spec_path = write_spec(dir.path(), "t-seccomp-true", r#"["/usr/bin/true"]"#);
let status = Command::new(supervisor_exe())
.env("CELLOS_DEPLOYMENT_PROFILE", "portable")
.env("CELL_OS_USE_NOOP_SINK", "1")
.env("CELLOS_CELL_BACKEND", "stub")
.env("CELLOS_SUBPROCESS_SECCOMP", "baseline")
.current_dir(env!("CARGO_MANIFEST_DIR"))
.arg(&spec_path)
.status()
.expect("spawn cellos-supervisor");
assert!(
status.success(),
"supervisor with baseline seccomp should run /usr/bin/true: {status:?}"
);
}
#[test]
fn supervisor_baseline_seccomp_blocks_unshare_syscall() {
let dir = tempfile::tempdir().expect("tempdir");
let script = r#"import ctypes, sys
libc = ctypes.CDLL(None, use_errno=True)
rc = libc.unshare(0)
err = ctypes.get_errno()
sys.exit(0 if rc == -1 and err == 1 else 1)
"#;
let argv_json =
serde_json::to_string(&["/usr/bin/python3", "-c", script]).expect("argv json");
let spec_path = write_spec(dir.path(), "t-seccomp-block-unshare", &argv_json);
let status = Command::new(supervisor_exe())
.env("CELLOS_DEPLOYMENT_PROFILE", "portable")
.env("CELL_OS_USE_NOOP_SINK", "1")
.env("CELLOS_CELL_BACKEND", "stub")
.env("CELLOS_SUBPROCESS_SECCOMP", "baseline")
.current_dir(env!("CARGO_MANIFEST_DIR"))
.arg(&spec_path)
.status()
.expect("spawn cellos-supervisor");
assert!(
status.success(),
"baseline seccomp should deny unshare with EPERM and let the helper exit zero: {status:?}"
);
}
#[test]
fn supervisor_rejects_invalid_seccomp_profile_value() {
let dir = tempfile::tempdir().expect("tempdir");
let spec_path = write_spec(
dir.path(),
"t-seccomp-invalid-profile",
r#"["/usr/bin/true"]"#,
);
let output = Command::new(supervisor_exe())
.env("CELLOS_DEPLOYMENT_PROFILE", "portable")
.env("CELL_OS_USE_NOOP_SINK", "1")
.env("CELLOS_CELL_BACKEND", "stub")
.env("CELLOS_SUBPROCESS_SECCOMP", "not-a-profile")
.current_dir(env!("CARGO_MANIFEST_DIR"))
.arg(&spec_path)
.output()
.expect("spawn cellos-supervisor");
assert!(!output.status.success(), "invalid profile should fail");
let stderr = String::from_utf8_lossy(&output.stderr);
assert!(
stderr.contains("CELLOS_SUBPROCESS_SECCOMP must be one of"),
"unexpected stderr: {stderr}"
);
}
}