
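#!/bin/bash
# Milestone-3 verification: first-class spawn lockdown channel.
#
# Builds tests/secalloc-spawn-builtin/main.go and runs the binary.
# The parent uses the actual `spawn` keyword (not bare fork) to launch
# a child. spawnDomain auto-creates a lockdown pipe and routes the
# child's secalloc handler to the write end. The parent retrieves the
# read end via runtime.LastSpawnedLockdownFd() and reads the byte the
# signal handler writes when the child trips a guard page.
#
# Verifies:
#   - parent exit status is 0
#   - parent stdout contains LOCKDOWN_VIA_SPAWN_RECEIVED
#   - the raw secret pattern does NOT appear anywhere
#   - parent stderr does NOT contain MOXIE_SECALLOC_LOCKDOWN
#     (the byte must travel via the inherited pipe, not stderr)
#
# Scope caveat: the leak check only scans the parent's captured stdout and
# stderr. A secret that survives in a core dump, in the child's memory, or
# on the lockdown pipe itself is not detected by this script.
#
# Environment:
#   MOXIEROOT  repository root (default: two levels above this script)
#   MOXIE      compiler binary  (default: $MOXIEROOT/moxie)
set -euo pipefail

MOXIEROOT="${MOXIEROOT:-$(cd "$(dirname "$0")/../.." && pwd)}"
MOXIE="${MOXIE:-$MOXIEROOT/moxie}"

# Scratch directory. Deliberately NOT named TMPDIR: if the caller's
# environment exports TMPDIR, assigning to it here would redirect the temp
# files of every child process (the compiler, the test binary) into a
# directory this script deletes on exit.
WORK=$(mktemp -d)
# Single-quoted so the path is expanded, and quoted, when the trap fires;
# ${WORK:?} refuses to run `rm -rf` against an empty path.
trap 'rm -rf -- "${WORK:?}"' EXIT

export PATH="/usr/lib/llvm19/bin:$PATH"
export MOXIEROOT

BIN="$WORK/secalloc_spawn_builtin_test"
OUT="$WORK/stdout"
ERR="$WORK/stderr"

cd "$MOXIEROOT"

if ! "$MOXIE" build -o "$BIN" ./tests/secalloc-spawn-builtin 2>"$WORK/build.err"; then
    echo "FAIL secalloc-spawn-builtin: compilation failed"
    cat "$WORK/build.err"
    exit 1
fi

# Run the binary inside a throwaway bash whose own stderr is discarded, so
# only the binary's stdout/stderr land in $OUT/$ERR. Paths are passed as
# positional arguments instead of being spliced into the -c string, so a
# MOXIEROOT containing quotes, `$` or backticks cannot be re-parsed as shell.
# NOTE(review): presumably the wrapper exists so bash's own
# "Segmentation fault"/"Aborted" notice for a signalled child never reaches
# the captured stderr — confirm before simplifying to a plain invocation.
set +e
bash -c '"$1" >"$2" 2>"$3"' _ "$BIN" "$OUT" "$ERR" 2>/dev/null
rc=$?
set -e

fail=0

if [ "$rc" -ne 0 ]; then
    echo "FAIL secalloc-spawn-builtin: parent exited non-zero (got $rc)"
    fail=1
fi

# Marker checks are fixed-string (-F) so the markers are never interpreted
# as regexes, and -a so a stream that looks binary (the secret or the
# lockdown byte may be non-text) is still scanned rather than skipped.
# They run on the raw files rather than on a $(...) copy, which would drop
# NUL bytes before the leak check saw them.
if ! grep -qaF -- "LOCKDOWN_VIA_SPAWN_RECEIVED" "$OUT"; then
    echo "FAIL secalloc-spawn-builtin: lockdown marker did not arrive via spawn pipe"
    fail=1
fi

# Both streams are searched; a match in either one is a leak.
if grep -qaF -- "MOXIE_SECRET_PAYLOAD" "$OUT" "$ERR"; then
    echo "FAIL secalloc-spawn-builtin: raw secret pattern leaked"
    fail=1
fi

if grep -qaF -- "MOXIE_SECALLOC_LOCKDOWN" "$ERR"; then
    echo "FAIL secalloc-spawn-builtin: marker leaked to stderr instead of pipe"
    fail=1
fi

if [ "$fail" -eq 0 ]; then
    echo "OK   secalloc-spawn-builtin (lockdown auto-routed via spawn keyword)"
    exit 0
fi

# On failure, dump both captured streams to aid diagnosis.
echo "--- stdout ---"
cat -- "$OUT"
echo "--- stderr ---"
cat -- "$ERR"
exit 1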