From 961549ab4163c0873b72e6e40cb72b11ac493fd7 Mon Sep 17 00:00:00 2001
From: Quentin Deslandes
Date: Tue, 6 Sep 2022 14:42:43 +0100
Subject: [PATCH] tests: add nspawn's rootidmap integration test
Add integration test to testsuite-13.sh to ensure rootidmap option map user IDs as expected.
---
 test/create-busybox-container | 2 ++
 test/test-functions | 4 ++--
 test/units/testsuite-13.sh | 38 +++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/test/create-busybox-container b/test/create-busybox-container
index 05ab2b11c9f..fca9d6150ac 100755
--- a/test/create-busybox-container
+++ b/test/create-busybox-container
@@ -25,6 +25,8 @@ ln -s busybox "$root/bin/seq"
 ln -s busybox "$root/bin/sleep"
 ln -s busybox "$root/bin/usleep"
 ln -s busybox "$root/bin/test"
+ln -s busybox "$root/bin/stat"
+ln -s busybox "$root/bin/touch"
 mkdir -p "$root/sbin"
 cat <<'EOF' >"$root/sbin/init"
diff --git a/test/test-functions b/test/test-functions
index bda04bca6b6..16d9da637bf 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -2593,11 +2593,11 @@ inst_binary() {
 # Same as above, but we need to wrap certain libraries unconditionally
 #
- # getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
+ # chown, getent, login, su, useradd, userdel - dlopen()s (not only) systemd's PAM modules
 # ls, stat - pulls in nss_systemd with certain options (like ls -l) when
 # nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux)
 # tar - called by machinectl in TEST-25
- if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
+ if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then
 wrap_binary=1
 fi
diff --git a/test/units/testsuite-13.sh b/test/units/testsuite-13.sh
index fb0b3cda167..4ad7431e425 100755
--- a/test/units/testsuite-13.sh
+++ b/test/units/testsuite-13.sh
@@ -53,6 +53,42 @@ function check_norbind {
 systemd-nspawn --register=no -D "$_root" --bind=/tmp/binddir:/mnt:norbind /bin/sh -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; return 1; fi'
 }
+function check_rootidmap {
+ local _owner=1000
+ local _root="/var/lib/machines/testsuite-13.rootidmap-path"
+ local _command
+ rm -rf "$_root"
+
+ # Create ext4 image, as ext4 supports idmapped-mounts.
+ dd if=/dev/zero of=/tmp/ext4.img bs=4k count=2048
+ mkfs.ext4 /tmp/ext4.img
+ mkdir -p /tmp/rootidmapdir
+ mount /tmp/ext4.img /tmp/rootidmapdir
+
+ touch /tmp/rootidmapdir/file
+ chown -R $_owner:$_owner /tmp/rootidmapdir
+
+ /usr/lib/systemd/tests/testdata/create-busybox-container "$_root"
+ _command='PERMISSIONS=$(stat -c "%u:%g" /mnt/file); if [[ $PERMISSIONS != "0:0" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /mnt/other_file'
+ if ! SYSTEMD_LOG_TARGET=console systemd-nspawn \
+ --register=no -D "$_root" \
+ --bind=/tmp/rootidmapdir:/mnt:rootidmap \
+ /bin/sh -c "$_command" |& tee nspawn.out; then
+ if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then
+ echo "idmapped mounts are not supported, skipping the test..."
+ return 0
+ fi
+
+ return 1
+ fi
+
+ PERMISSIONS=$(stat -c "%u:%g" /tmp/rootidmapdir/other_file)
+ if [[ $PERMISSIONS != "$_owner:$_owner" ]]; then
+ echo "*** wrong permissions: $PERMISSIONS"
+ [[ "$is_user_ns_supported" = "yes" ]] && return 1
+ fi
+}
+
 function check_notification_socket {
 # https://github.com/systemd/systemd/issues/4944
 local _cmd='echo a | $(busybox which nc) -U -u -w 1 /run/host/notify'
@@ -210,6 +246,8 @@ check_bind_tmp_path
 check_norbind
+check_rootidmap
+
 check_notification_socket
 check_os_release
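Review bot: The tolerated branch at the end of check_rootidmap still makes the function return non-zero: when the host-side ownership check fails and `$is_user_ns_supported` is not "yes", `[[ ... ]] && return 1` is the last command executed, so its status 1 becomes the function's return status, and the bare `check_rootidmap` call added in the following hunk would abort the script if it runs under `set -e` (not visible here). Writing it as `if [[ "$is_user_ns_supported" = "yes" ]]; then return 1; fi` keeps the intended behaviour. Separately, the ext4 image stays mounted on `/tmp/rootidmapdir` on every return path, `/tmp/ext4.img` and `nspawn.out` are left behind under fixed names, and `PERMISSIONS` is assigned without `local`. A `umount /tmp/rootidmapdir` and `rm -f /tmp/ext4.img nspawn.out` before each return (or one cleanup trap), plus `local PERMISSIONS`, would keep later checks from inheriting this state. `is_user_ns_supported` is defined outside the hunk, so its value on the skip path is assumed rather than seen.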