From: Luca Boccassi
Date: Wed, 15 Oct 2025 14:27:54 +0000 (+0100)
Subject: test: move checks around in TEST-50-DISSECT so that they can be used from multiple...
X-Git-Tag: v258.2~44
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27ed3f4c2eda3091ec9d3adf6403caccbd51236a;p=thirdparty%2Fsystemd.git
test: move checks around in TEST-50-DISSECT so that they can be used from multiple subtests
Also set it up so that unprivileged tests can be done
(cherry picked from commit e8d1a26d9c0920c4d190629e239d94e0edcf11a1)
---
diff --git a/test/units/TEST-50-DISSECT.dissect.sh b/test/units/TEST-50-DISSECT.dissect.sh
index e8521f4d1c0..63609d6dbfc 100755
--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@@ -9,18 +9,6 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
-# Requires kernel built with certain kconfigs, as listed in README:
-# https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
-if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
- ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
- ( . /etc/os-release; [ "$ID" != "debian" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
- ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
- systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
- verity_sig_supported=1
-else
- verity_sig_supported=0
-fi
-
 systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
 grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
 systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
@@ -84,7 +72,7 @@ if [[ "$verity_count" -lt 1 ]]; then
 exit 1
 fi
 # Ensure the kernel is verifying the signature if the mkosi key is in the keyring
-if [ "$verity_sig_supported" -eq 1 ]; then
+if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
 veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
 fi
 systemd-dissect --umount "$IMAGE_DIR/mount"
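Review bot: `VERITY_SIG_SUPPORTED` is no longer assigned anywhere in this file, so the `if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]` guard in the `-84,7` hunk (and the identical one in the `-746,7` hunk) now depends on TEST-50-DISSECT.sh having exported it. If the subtest is started without that environment, `[ "" -eq 1 ]` simply returns non-zero inside the `if`, and the "verified (with signature)" assertion is skipped without any failure; if `set -u` is in effect above the hunk the script would abort instead, which is the safer outcome. A guard near the top of the file, for example `: "${VERITY_SIG_SUPPORTED:?must be exported by TEST-50-DISSECT.sh}"`, would make the dependency explicit and keep the signature check from silently dropping out.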
@@ -746,7 +734,7 @@ EOF
 systemctl start testservice-50k.service
 systemctl is-active testservice-50k.service
 # Ensure the kernel is verifying the signature if the mkosi key is in the keyring
-if [ "$verity_sig_supported" -eq 1 ]; then
+if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
 veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
 fi
 # First reload should pick up the v1 marker
diff --git a/test/units/TEST-50-DISSECT.sh b/test/units/TEST-50-DISSECT.sh
index 0efea0fc180..033c818c880 100755
--- a/test/units/TEST-50-DISSECT.sh
+++ b/test/units/TEST-50-DISSECT.sh
@@ -25,10 +25,27 @@ at_exit() {
 done < <(find "${IMAGE_DIR}" -mindepth 1 -maxdepth 1 -type d)
 rm -rf "$IMAGE_DIR"
+
+ loginctl disable-linger testuser
 }
 trap at_exit EXIT
+# For unprivileged tests
+loginctl enable-linger testuser
+
+# Requires kernel built with certain kconfigs, as listed in README:
+# https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
+if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
+ ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
+ ( . /etc/os-release; [ "$ID" != "debian" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
+ ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
+ systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
+ export VERITY_SIG_SUPPORTED=1
+else
+ export VERITY_SIG_SUPPORTED=0
+fi
+
 : "Setup base images"
 export SYSTEMD_LOG_LEVEL=debug
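Review bot: The first condition of the probe added in the `-25,10` hunk, `grep -q "$(openssl x509 ... | sed 's/^.*CN=//')" /proc/keys`, uses the certificate CN as a regular expression and has no guard for an empty result. If `openssl` cannot read /usr/share/mkosi.crt the substitution is empty, `grep -q ""` matches any line of /proc/keys, and `VERITY_SIG_SUPPORTED` can still end up 1 when the remaining version checks pass, even though the key is not in the keyring. Because the value is now exported, every subtest that reads it would then fail on the "verified (with signature)" check for the wrong reason. Capturing the CN into a variable first and testing `[ -n "$cn" ] && grep -qF -- "$cn" /proc/keys` would avoid both the empty match and any regex metacharacters in the CN.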
@@ -102,6 +119,7 @@ fi
 udevadm control --log-level=debug
 IMAGE_DIR="$(mktemp -d --tmpdir="" TEST-50-IMAGES.XXX)"
+chmod go+rx "$IMAGE_DIR"
 cp -v /usr/share/minimal* "$IMAGE_DIR/"
 MINIMAL_IMAGE="$IMAGE_DIR/minimal_0"
 MINIMAL_IMAGE_ROOTHASH="$(<"$MINIMAL_IMAGE.roothash")"
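Review bot: `chmod go+rx "$IMAGE_DIR"` lets every local account list and traverse the `mktemp -d` directory, not only the unprivileged test user it is presumably meant for, and nothing in the hunk says why the mode is widened. Write access stays with the owner, so another user cannot swap the images, but a comment would stop someone from tightening the mode again later: `# unprivileged subtests run as testuser and must be able to traverse and read the images`. If the test environment has ACL support, `setfacl -m u:testuser:rx "$IMAGE_DIR"` would grant the same access to that one user only.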