monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

docs: add more information about nested sandboxing and integration test skip behavior

Browse Source
This commit is contained in:
JY Tan
2026-01-17 13:39:03 -08:00
parent 71c211c9ab
commit 3c3f28b32c
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/testing.md
View File

@@ -65,6 +65,34 @@ go test -v -run 'TestMacOS' ./internal/sandbox/...
go test -v -count=1 ./internal/sandbox/... go test -v -count=1 ./internal/sandbox/...
``` ```
#### Sandboxed Build Environments (Nix, etc.)
If you're packaging fence for a distribution (e.g., Nix, Homebrew, Debian), note that some integration tests will be skipped when running `go test` during the build.
Fence's Landlock integration on Linux uses a wrapper approach: the `fence` binary re-executes itself with `--landlock-apply` inside the sandbox. Test binaries (e.g., `sandbox.test`) don't have this handler, so Landlock-specific tests automatically skip when not running as the `fence` CLI.
Tests that skip include those calling `skipIfLandlockNotUsable()`:
- `TestLinux_LandlockBlocksWriteOutsideWorkspace`
- `TestLinux_LandlockProtectsGitHooks`
- `TestLinux_LandlockProtectsGitConfig`
- `TestLinux_LandlockProtectsBashrc`
- `TestLinux_LandlockAllowsTmpFence`
- `TestLinux_PathTraversalBlocked`
- `TestLinux_SeccompBlocksDangerousSyscalls`
| Test Type | What it tests | Landlock coverage |
|-----------|---------------|-------------------|
| `go test` (integration) | Go APIs, bwrap isolation, command blocking | Skipped (test binary can't use `--landlock-apply`) |
| `smoke_test.sh` | Actual `fence` CLI end-to-end | ✅ Full coverage |
For full test coverage including Landlock, run the smoke tests against the built binary (see "Smoke Tests" section below).
**Nested sandboxing limitations:**
- **macOS**: Nested Seatbelt sandboxing is not supported. If the build environment already uses `sandbox-exec` (like Nix's Darwin sandbox), fence's tests cannot create another sandbox. The kernel returns `forbidden-sandbox-reinit`. This is a macOS limitation.
- **Linux**: Tests should work in most build sandboxes, but Landlock tests will skip as explained above. Runtime functionality is unaffected.
### Smoke Tests ### Smoke Tests
Smoke tests verify the compiled `fence` binary works end-to-end. Unlike integration tests (which test internal Go APIs), smoke tests exercise the CLI interface. Smoke tests verify the compiled `fence` binary works end-to-end. Unlike integration tests (which test internal Go APIs), smoke tests exercise the CLI interface.

14
docs/troubleshooting.md
View File

@@ -1,5 +1,19 @@
# Troubleshooting # Troubleshooting
## Nested Sandboxing Not Supported
Fence cannot run inside another sandbox that uses the same underlying technology.
**macOS (Seatbelt)**: If you try to run fence inside an existing `sandbox-exec` sandbox (e.g., Nix's Darwin build sandbox), you'll see:
```text
Sandbox: sandbox-exec(...) deny(1) forbidden-sandbox-reinit
```
This is a macOS kernel limitation - nested Seatbelt sandboxes are not allowed. There is no workaround.
**Linux (Landlock)**: Landlock supports stacking (nested restrictions), but fence's test binaries cannot use the Landlock wrapper (see [Testing docs](testing.md#sandboxed-build-environments-nix-etc)).
## "bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted" (Linux) ## "bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted" (Linux)
This error occurs when fence tries to create a network namespace but the environment lacks the `CAP_NET_ADMIN` capability. This is common in: This error occurs when fence tries to create a network namespace but the environment lacks the `CAP_NET_ADMIN` capability. This is common in: