From: Daan De Meyer Date: Mon, 17 Mar 2025 15:20:00 +0000 (+0100) Subject: TEST-07-PID1.delegate-namespaces: Make sure fully visible procfs is available X-Git-Tag: v258-rc1~1041^2~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aae4748464d3b8a810f88b3f1d65dd7d5b5ff396;p=thirdparty%2Fsystemd.git TEST-07-PID1.delegate-namespaces: Make sure fully visible procfs is available To be able to mount /proc inside an unprivileged user namespace, we have to make sure a fully visible procfs is available on the host, so let's make sure that's the case.
---
diff --git a/test/units/TEST-07-PID1.delegate-namespaces.sh b/test/units/TEST-07-PID1.delegate-namespaces.sh
index ed447f15081..8eb9956c2e7 100755
--- a/test/units/TEST-07-PID1.delegate-namespaces.sh
+++ b/test/units/TEST-07-PID1.delegate-namespaces.sh
@@ -9,6 +9,22 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
+# IMPORTANT: For /proc/ to be remounted in pid namespace within an unprivileged user namespace, there needs to
+# be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is
+# over-mounted with tmpfs), then mounting a new /proc/ will fail.
+#
+# Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary
+# directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully.
+mkdir -p /tmp/TEST-07-PID1-delegate-namespaces-proc
+mount -t proc proc /tmp/TEST-07-PID1-delegate-namespaces-proc
+
+at_exit() {
+ umount /tmp/TEST-07-PID1-delegate-namespaces-proc
+ rm -rf /tmp/TEST-07-PID1-delegate-namespaces-proc
+}
+
+trap at_exit EXIT
+
 testcase_mount() {
 (! systemd-run -p PrivateUsersEx=self -p PrivateMounts=yes --wait --pipe -- mount --bind /usr /home)
 systemd-run -p PrivateUsersEx=self -p PrivateMounts=yes -p DelegateNamespaces=mnt --wait --pipe -- mount --bind /usr /home
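Review bot: The temporary procfs mount point is a fixed, predictable path created with `mkdir -p /tmp/TEST-07-PID1-delegate-namespaces-proc`, so a stale directory or leftover mount from an earlier run is silently reused and the following `mount -t proc` stacks a second procfs on top of it, while `at_exit` unmounts only once. Tearing the directory down with `rm -rf` is also the wrong tool for a mount point: if the umount fails or a stacked mount remains, the recursive delete walks into a live procfs instead of stopping. Creating the directory with `proc_dir=$(mktemp -d)` followed by `mount -t proc proc "$proc_dir"`, and replacing the `rm -rf` in `at_exit` with `rmdir "$proc_dir"`, gives a fresh, unique path each run and makes cleanup fail loudly rather than recurse. Note too that `trap at_exit EXIT` replaces any EXIT trap that util.sh may already install, which cannot be confirmed from this hunk.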