Merge pull request #33359 from bluca/test_apparmor_unpriv

mkosi: enable unprivileged user ns for integration tests

5 files changed, 9 insertions, 11 deletions

diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
index 7a850beb81..9261a49c49 100644
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@@ -5,7 +5,8 @@ integration_tests += [
                 'name' : fs.name(meson.current_source_dir()),
                 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
                 # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
-                'firmware' : 'uefi',
+                # Use 'auto' to automatically fallback on non-uefi architectures.
+                'firmware' : 'auto',
                 'vm' : true,
         },
 ]
diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build
index c4b41bc97b..b7556189f5 100644
--- a/test/TEST-09-REBOOT/meson.build
+++ b/test/TEST-09-REBOOT/meson.build
@@ -4,7 +4,5 @@ integration_tests += [
         integration_test_template + {
                 'name' : fs.name(meson.current_source_dir()),
                 'storage' : 'persistent',
-                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
-                'firmware' : 'uefi',
         },
 ]
diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build
index 5edfbcad1f..8dec5f37e7 100644
--- a/test/TEST-18-FAILUREACTION/meson.build
+++ b/test/TEST-18-FAILUREACTION/meson.build
@@ -3,7 +3,5 @@
 integration_tests += [
         integration_test_template + {
                 'name' : fs.name(meson.current_source_dir()),
-                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
-                'firmware' : 'uefi',
         },
 ]
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 5b098a3e01..b6a16aa3ef 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -2,10 +2,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 '''Test wrapper command for driving integration tests.
-
-Note: This is deliberately rough and only intended to drive existing tests
-with the expectation that as part of formally defining the API it will be tidy.
-
 '''
 
 import argparse
@@ -61,6 +57,10 @@ def main():
         print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
         exit(77)
 
+    if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
+        print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
+        exit(77)
+
     name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
 
     dropin = textwrap.dedent(
@@ -128,6 +128,7 @@ def main():
         *args.mkosi_args,
         '--append',
         '--qemu-firmware', args.firmware,
+        '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
         '--kernel-command-line-extra',
         ' '.join([
             'systemd.hostname=H',
diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
index 165af47f15..f8a2a62467 100755
--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
@@ -6,13 +6,13 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
-install_extension_images
-
 if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
     echo "Cannot create unprivileged user namespaces" >/skipped
     exit 77
 fi
 
+install_extension_images
+
 systemd-analyze log-level debug
 
 runas testuser systemd-run --wait --user --unit=test-private-users \