author | Ryan Wilson <ryantimwilson@meta.com> | 2024-11-08 01:30:57 +0100 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2024-11-08 05:38:35 +0100 |
commit | d8091e12816356bfcccaeab51eb58991de0caa81 (patch) | |
tree | da995746a9e4f29934b71c403c45fd13599b9df7 /test | |
parent | sd-varlink: allow that method handles call sd_varlink_close() (diff) | |
download | systemd-d8091e12816356bfcccaeab51eb58991de0caa81.tar.xz systemd-d8091e12816356bfcccaeab51eb58991de0caa81.zip |
Fix PrivatePIDs=yes integration test for kernels with no /proc/scsi
Diffstat (limited to 'test')
-rwxr-xr-x | test/units/TEST-07-PID1.private-pids.sh | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/test/units/TEST-07-PID1.private-pids.sh b/test/units/TEST-07-PID1.private-pids.sh
index 6f16820aee..a64b124d93 100755
--- a/test/units/TEST-07-PID1.private-pids.sh
+++ b/test/units/TEST-07-PID1.private-pids.sh
@@ -132,10 +132,12 @@ testcase_unpriv() {
 return 0
 fi
- # The kernel has a restriction for unprivileged user namespaces where they cannot mount a less restrictive
- # instance of /proc/. So if /proc/ is masked (e.g. /proc/kmsg is over-mounted with tmpfs as systemd-nspawn does),
- # then mounting a new /proc/ will fail and we will still see the host's /proc/. Thus, to allow tests to run in
- # a VM or nspawn, we mount a new proc on a temporary directory with no masking to bypass this kernel restriction.
+ # IMPORTANT: For /proc/ to be remounted in pid namespace within an unprivileged user namespace, there needs to
+ # be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is
+ # over-mounted with tmpfs), then mounting a new /proc/ will fail.
+ #
+ # Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary
+ # directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully.
 mkdir -p /tmp/TEST-07-PID1-private-pids-proc
 mount -t proc proc /tmp/TEST-07-PID1-private-pids-proc
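Review bot: The rewritten comment above `mkdir -p /tmp/TEST-07-PID1-private-pids-proc` states the rule (at least one unmasked procfs mount must exist somewhere) but drops the reason the removed text gave, namely that the kernel does not let an unprivileged user namespace mount a less restrictive instance of /proc/. I would keep one clause of that, e.g. `# (the kernel refuses to mount a less restrictive procfs instance from an unprivileged user namespace)`, so a later reader can tell this is a kernel restriction and not a systemd one. The enclosing testcase_unpriv body starts and ends outside the hunk.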
@@ -146,7 +148,16 @@ testcase_unpriv() {
 umount /tmp/TEST-07-PID1-private-pids-proc
 rm -rf /tmp/TEST-07-PID1-private-pids-proc
- # Now verify the behavior with masking - units should fail as PrivatePIDs=yes has no graceful fallback.
+ # Now we will mask /proc/ by mounting tmpfs over /proc/scsi. This will guarantee that mounting /proc/ will fail
+ # for unprivileged users when using PrivatePIDs=yes. Now units should fail as PrivatePIDs=yes has no graceful
+ # fallback.
+ #
+ # Note some kernels do not have /proc/scsi so we verify the directory exists prior to running the test.
+ if [ ! -d /proc/scsi ]; then
+ echo "/proc/scsi does not exist, skipping unprivileged PrivatePIDs=yes test with masked /proc/"
+ return 0
+ fi
+
 if [[ "$HAS_EXISTING_SCSI_MOUNT" == "no" ]]; then
 mount -t tmpfs tmpfs /proc/scsi
 fi |
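Review bot: On a kernel without /proc/scsi the new guard returns 0 after only an `echo`, so the masked-/proc/ case is silently not exercised and the test still reports success. That case is the one checking that a unit fails outright, since PrivatePIDs=yes has no graceful fallback. Consider making the skip visible in the test result, or, if one is available, masking a procfs directory that exists on all supported kernels, so a regression in the no-fallback behaviour cannot hide behind the skip. The guard also uses `[ ... ]` while the next condition uses `[[ ... ]]`; `if [[ ! -d /proc/scsi ]]; then` would match. testcase_unpriv starts and ends outside this hunk, so the cleanup after the masked run is not visible here.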