test: add integration test for image policy

author Lennart Poettering <lennart@poettering.net>

Fri, 2 Dec 2022 16:16:57 +0000 (17:16 +0100)

committer Lennart Poettering <lennart@poettering.net>

Wed, 5 Apr 2023 18:54:30 +0000 (20:54 +0200)
author Lennart Poettering <lennart@poettering.net>
Fri, 2 Dec 2022 16:16:57 +0000 (17:16 +0100)
committer Lennart Poettering <lennart@poettering.net>
Wed, 5 Apr 2023 18:54:30 +0000 (20:54 +0200)
diff --git a/test/units/testsuite-50.sh b/test/units/testsuite-50.sh

index 546a915a2e62adb797e551285c1ff9461e646c7e..02a02301912ff971ac86796fc161aa657c9b1982 100755 (executable)
--- a/test/units/testsuite-50.sh
+++ b/test/units/testsuite-50.sh
@@ -231,6 +231,33 @@ fi
  systemd-dissect --root-hash "${roothash}" "${image}.gpt" | grep -q -F "MARKER=1"
  systemd-dissect --root-hash "${roothash}" "${image}.gpt" | grep -q -F -f <(sed 's/"//g' "$os_release")
  
+# Test image policies
+systemd-dissect --validate "${image}.gpt"
+systemd-dissect --validate "${image}.gpt" --image-policy='*'
+(! systemd-dissect --validate "${image}.gpt" --image-policy='~')
+(! systemd-dissect --validate "${image}.gpt" --image-policy='-')
+(! systemd-dissect --validate "${image}.gpt" --image-policy=root=absent)
+(! systemd-dissect --validate "${image}.gpt" --image-policy=swap=unprotected+encrypted+verity)
+systemd-dissect --validate "${image}.gpt" --image-policy=root=unprotected
+systemd-dissect --validate "${image}.gpt" --image-policy=root=verity
+systemd-dissect --validate "${image}.gpt" --image-policy=root=verity:root-verity-sig=unused+absent
+systemd-dissect --validate "${image}.gpt" --image-policy=root=verity:swap=absent
+systemd-dissect --validate "${image}.gpt" --image-policy=root=verity:swap=absent+unprotected
+(! systemd-dissect --validate "${image}.gpt" --image-policy=root=verity:root-verity=unused+absent)
+systemd-dissect --validate "${image}.gpt" --image-policy=root=signed
+(! systemd-dissect --validate "${image}.gpt" --image-policy=root=signed:root-verity-sig=unused+absent)
+(! systemd-dissect --validate "${image}.gpt" --image-policy=root=signed:root-verity=unused+absent)
+
+# Test RootImagePolicy= unit file setting
+systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='*' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1"
+(! systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='~' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1")
+(! systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='-' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1")
+(! systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='root=absent' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1")
+systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='root=verity' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='root=signed' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1"
+(! systemd-run --wait -P -p RootImage="${image}.gpt" -p RootHash="${roothash}" -p RootImagePolicy='root=encrypted' -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1")
+
  systemd-dissect --root-hash "${roothash}" --mount "${image}.gpt" "${image_dir}/mount"
  grep -q -F -f "$os_release" "${image_dir}/mount/usr/lib/os-release"
  grep -q -F -f "$os_release" "${image_dir}/mount/etc/os-release"
author	Lennart Poettering <lennart@poettering.net>
	Fri, 2 Dec 2022 16:16:57 +0000 (17:16 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 5 Apr 2023 18:54:30 +0000 (20:54 +0200)