From: Nick Rosbrook Date: Thu, 18 Jan 2024 20:29:46 +0000 (-0500) Subject: test: skip a systemd-run test if unprivileged userns is restricted X-Git-Tag: v256-rc1~1055^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6327d3022452c3c2ad408fbee9cdfbc2120753c9;p=thirdparty%2Fsystemd.git test: skip a systemd-run test if unprivileged userns is restricted With newer versions of AppArmor, unprivileged user namespace creation may be restricted by default, in which case user manager instances will not be able to apply PrivateUsers=yes, which is implied by PrivateTmp=yes in this systemd-run invocation.
---
diff --git a/test/units/testsuite-74.run.sh b/test/units/testsuite-74.run.sh
index 38cbca54ce3..a94776eadd1 100755
--- a/test/units/testsuite-74.run.sh
+++ b/test/units/testsuite-74.run.sh
@@ -80,11 +80,16 @@ systemd-run --wait --pipe --user --machine=testuser@ \
 bash -xec '[[ "$(id -nu)" == testuser && "$(id -ng)" == testuser ]]'
 systemd-run --wait --pipe --user --machine=testuser@ \
 bash -xec '[[ "$PWD" == /home/testuser && -n "$INVOCATION_ID" ]]'
-systemd-run --wait --pipe --user --machine=testuser@ \
- --property=LimitCORE=1M:2M \
- --property=LimitCORE=16M:32M \
- --property=PrivateTmp=yes \
- bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
+
+# PrivateTmp=yes implies PrivateUsers=yes for user manager, so skip this if we
+# don't have unprivileged user namespaces.
+if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -ne 1 ]]; then
+ systemd-run --wait --pipe --user --machine=testuser@ \
+ --property=LimitCORE=1M:2M \
+ --property=LimitCORE=16M:32M \
+ --property=PrivateTmp=yes \
+ bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
+fi

 : "Transient scope (system daemon)"
 systemd-run --scope \
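Review bot: The new `if` guard skips the entire invocation when `kernel.apparmor_restrict_unprivileged_userns` is 1, so the `LimitCORE=` override assertions, which do not appear to depend on a user namespace, are dropped together with the `PrivateTmp=yes` check, and nothing in the log records that the sandboxing assertion was skipped. Splitting the command as sketched below keeps the rlimit coverage unconditional, guards only the `/tmp/public-marker` assertion, and prints a message in an `else` branch so lost isolation coverage is visible on hardened hosts. The guard also covers only the AppArmor knob; hosts that restrict user namespaces another way (for example `user.max_user_namespaces=0`) would presumably still fail here. When the sysctl key is absent the test relies on `[[ "" -ne 1 ]]` evaluating the empty string as 0, which deserves a comment such as `# sysctl -e prints nothing for a missing key; "" compares as 0, so the test still runs`. These are top-level script statements, and the final `systemd-run --scope \` context line continues beyond the hunk.

```shell
# rlimit override does not need a user namespace, so always check it
systemd-run --wait --pipe --user --machine=testuser@ \
            --property=LimitCORE=1M:2M \
            --property=LimitCORE=16M:32M \
            bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 ]]'

# … unchanged: comment explaining PrivateTmp=yes implies PrivateUsers=yes …
if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -ne 1 ]]; then
    systemd-run --wait --pipe --user --machine=testuser@ \
                --property=PrivateTmp=yes \
                bash -xec '[[ ! -e /tmp/public-marker ]]'
else
    echo "Unprivileged user namespaces are restricted, skipping PrivateTmp=yes check"
fi
```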