diff options
| author | Luke T. Shumaker <lukeshu@parabola.nu> | 2024-08-22 01:29:10 +0200 |
|---|---|---|
| committer | Luke T. Shumaker <lukeshu@parabola.nu> | 2024-09-07 02:33:50 +0200 |
| commit | 93c15c6d4354da9dc8a2f6e1fbb978004d1485c4 (patch) | |
| tree | 76eaadb0e4f5b990d223cc7af4e8f9fa6c8d9299 /test | |
| parent | nspawn: convert copy_devnodes():devnodes from nulstr to strv (diff) | |
| download | systemd-93c15c6d4354da9dc8a2f6e1fbb978004d1485c4.tar.xz systemd-93c15c6d4354da9dc8a2f6e1fbb978004d1485c4.zip | |
test: add a testcase for unprivileged nspawn
Right now it mostly duplicates a test that already exists in
TEST-50-DISSECT.mountfsd.sh, but it serves as a template for more unprivileged
nspawn tests.
Diffstat (limited to 'test')
| -rwxr-xr-x | test/TEST-13-NSPAWN/test.sh | 4 | ||||
| -rwxr-xr-x | test/units/TEST-13-NSPAWN.nspawn.sh | 81 |
2 files changed, 85 insertions, 0 deletions
diff --git a/test/TEST-13-NSPAWN/test.sh b/test/TEST-13-NSPAWN/test.sh index 3ab52d0eee..b1d9fb6c53 100755 --- a/test/TEST-13-NSPAWN/test.sh +++ b/test/TEST-13-NSPAWN/test.sh @@ -20,6 +20,10 @@ test_append_files() { # for IPMasquerade= instmods "=net/netfilter" generate_module_dependencies + # For unprivileged mountfsd. + if command -v openssl >/dev/null 2>&1; then + inst_binary openssl + fi # Create a dummy container "template" with a minimal toolset, which we can # then use as a base for our nspawn/machinectl tests diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh index 339ad6b3c4..b0408e55b7 100755 --- a/test/units/TEST-13-NSPAWN.nspawn.sh +++ b/test/units/TEST-13-NSPAWN.nspawn.sh @@ -42,6 +42,9 @@ at_exit() { mountpoint -q /var/lib/machines && umount --recursive /var/lib/machines rm -f /run/systemd/nspawn/*.nspawn + + rm -fr /var/tmp/TEST-13-NSPAWN.* + rm -f /run/verity.d/test-13-nspawn-*.crt } trap at_exit EXIT @@ -1031,4 +1034,82 @@ EOF rm -fr "$root" } +can_do_rootless_nspawn() { + # Our create_dummy_ddi() uses squashfs and openssl. + command -v mksquashfs && + command -v openssl && + + # mountfsd must be enabled... + [[ -S /run/systemd/io.systemd.MountFileSystem ]] && + # ...and have pidfd support for unprivileged operation. + systemd-analyze compare-versions "$(uname -r)" ge 6.5 && + systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 && + + # nsresourced must be enabled... + [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] && + # ...and must support the UserNamespaceInterface. + ! (SYSTEMD_LOG_TARGET=console varlinkctl call \ + /run/systemd/userdb/io.systemd.NamespaceResource \ + io.systemd.NamespaceResource.AllocateUserRange \ + '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \ + 2>&1 || true) | + grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported" +} + +create_dummy_ddi() { + local outdir="${1:?}" + local container_name="${2:?}" + + cat >"$outdir"/openssl.conf <<EOF +[ req ] +prompt = no +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +C = DE +ST = Test State +L = Test Locality +O = Org Name +OU = Org Unit Name +CN = Common Name +emailAddress = test@email.com +EOF + + openssl req -config "$outdir"/openssl.conf -subj="/CN=waldo" \ + -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \ + -keyout "${outdir}/${container_name}.key" -out "${outdir}/${container_name}.crt" + + mkdir -p /run/verity.d + cp "${outdir}/${container_name}.crt" "/run/verity.d/test-13-nspawn-${container_name}.crt" + + SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \ + systemd-repart --make-ddi=portable \ + --copy-source=/usr/share/TEST-13-NSPAWN-container-template \ + --certificate="${outdir}/${container_name}.crt" \ + --private-key="${outdir}/${container_name}.key" \ + "${outdir}/${container_name}.raw" +} + +testcase_unpriv() { + if ! can_do_rootless_nspawn; then + echo "Skipping rootless test..." + return 0 + fi + + local tmpdir name + tmpdir="$(mktemp -d /var/tmp/TEST-13-NSPAWN.unpriv.XXX)" + name="unpriv-${tmpdir##*.}" + trap 'rm -fr ${tmpdir@Q} || true; rm -f /run/verity.d/test-13-nspawn-${name@Q} || true' RETURN ERR + create_dummy_ddi "$tmpdir" "$name" + chown --recursive testuser: "$tmpdir" + + systemd-run \ + --pipe \ + --uid=testuser \ + --property=Delegate=yes \ + -- \ + systemd-nspawn --pipe --private-network --register=no --keep-unit --image="$tmpdir/$name.raw" echo hello >"$tmpdir/stdout.txt" + echo hello | cmp "$tmpdir/stdout.txt" - +} + run_testcases |