tests: add nspawn's rootidmap integration test

Add integration test to testsuite-13.sh to ensure rootidmap option map user IDs as expected.
2024-07-21 10:17:21 +00:00 · 2022-09-06 14:42:43 +01:00 · 2022-09-06 14:42:43 +01:00 · 961549ab41
parent 42fadfb168
commit 961549ab41
3 changed files with 42 additions and 2 deletions
--- a/test/create-busybox-container
+++ b/test/create-busybox-container
@ -25,6 +25,8 @@ ln -s busybox "$root/bin/seq"
 ln -s busybox "$root/bin/sleep"
 ln -s busybox "$root/bin/usleep"
 ln -s busybox "$root/bin/test"
+ln -s busybox "$root/bin/stat"
+ln -s busybox "$root/bin/touch"

 mkdir -p "$root/sbin"
 cat <<'EOF' >"$root/sbin/init"
--- a/test/test-functions
+++ b/test/test-functions
@ -2593,11 +2593,11 @@ inst_binary() {

    # Same as above, but we need to wrap certain libraries unconditionally
    #
-    # getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
+    # chown, getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
    # ls, stat - pulls in nss_systemd with certain options (like ls -l) when
    #            nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux)
    # tar - called by machinectl in TEST-25
-    if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
+    if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
        wrap_binary=1
    fi

--- a/test/units/testsuite-13.sh
+++ b/test/units/testsuite-13.sh
@ -53,6 +53,42 @@ function check_norbind {
    systemd-nspawn --register=no -D "$_root" --bind=/tmp/binddir:/mnt:norbind /bin/sh -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; return 1; fi'
 }

+function check_rootidmap {
+    local _owner=1000
+    local _root="/var/lib/machines/testsuite-13.rootidmap-path"
+    local _command
+    rm -rf "$_root"
+
+    # Create ext4 image, as ext4 supports idmapped-mounts.
+    dd if=/dev/zero of=/tmp/ext4.img bs=4k count=2048
+    mkfs.ext4 /tmp/ext4.img
+    mkdir -p /tmp/rootidmapdir
+    mount /tmp/ext4.img /tmp/rootidmapdir
+
+    touch /tmp/rootidmapdir/file
+    chown -R $_owner:$_owner /tmp/rootidmapdir
+
+    /usr/lib/systemd/tests/testdata/create-busybox-container "$_root"
+    _command='PERMISSIONS=$(stat -c "%u:%g" /mnt/file); if [[ $PERMISSIONS != "0:0" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /mnt/other_file'
+    if ! SYSTEMD_LOG_TARGET=console systemd-nspawn \
+            --register=no -D "$_root" \
+            --bind=/tmp/rootidmapdir:/mnt:rootidmap \
+            /bin/sh -c "$_command" |& tee nspawn.out; then
+        if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then
+            echo "idmapped mounts are not supported, skipping the test..."
+            return 0
+        fi
+
+        return 1
+    fi
+
+    PERMISSIONS=$(stat -c "%u:%g" /tmp/rootidmapdir/other_file)
+    if [[ $PERMISSIONS != "$_owner:$_owner" ]]; then
+        echo "*** wrong permissions: $PERMISSIONS"
+        [[ "$is_user_ns_supported" = "yes" ]] && return 1
+    fi
+}
+
 function check_notification_socket {
    # https://github.com/systemd/systemd/issues/4944
    local _cmd='echo a | $(busybox which nc) -U -u -w 1 /run/host/notify'
@ -210,6 +246,8 @@ check_bind_tmp_path

 check_norbind

+check_rootidmap
+
 check_notification_socket

 check_os_release