From: Ryan Wilson <ryantimwilson@meta.com>
Date: Fri, 8 Nov 2024 00:30:57 +0000 (-0800)
Subject: Fix PrivatePIDs=yes integration test for kernels with no /proc/scsi
X-Git-Tag: v257-rc2~58
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8091e12816356bfcccaeab51eb58991de0caa81;p=thirdparty%2Fsystemd.git

Fix PrivatePIDs=yes integration test for kernels with no /proc/scsi
---

diff --git a/test/units/TEST-07-PID1.private-pids.sh b/test/units/TEST-07-PID1.private-pids.sh
index 6f16820aeed..a64b124d93a 100755
--- a/test/units/TEST-07-PID1.private-pids.sh
+++ b/test/units/TEST-07-PID1.private-pids.sh
@@ -132,10 +132,12 @@ testcase_unpriv() {
         return 0
     fi
 
-    # The kernel has a restriction for unprivileged user namespaces where they cannot mount a less restrictive
-    # instance of /proc/. So if /proc/ is masked (e.g. /proc/kmsg is over-mounted with tmpfs as systemd-nspawn does),
-    # then mounting a new /proc/ will fail and we will still see the host's /proc/. Thus, to allow tests to run in
-    # a VM or nspawn, we mount a new proc on a temporary directory with no masking to bypass this kernel restriction.
+    # IMPORTANT: For /proc/ to be remounted in pid namespace within an unprivileged user namespace, there needs to
+    # be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is
+    # over-mounted with tmpfs), then mounting a new /proc/ will fail.
+    #
+    # Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary
+    # directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully.
     mkdir -p /tmp/TEST-07-PID1-private-pids-proc
     mount -t proc proc /tmp/TEST-07-PID1-private-pids-proc
 
@@ -146,7 +148,16 @@ testcase_unpriv() {
     umount /tmp/TEST-07-PID1-private-pids-proc
     rm -rf /tmp/TEST-07-PID1-private-pids-proc
 
-    # Now verify the behavior with masking - units should fail as PrivatePIDs=yes has no graceful fallback.
+    # Now we will mask /proc/ by mounting tmpfs over /proc/scsi. This will guarantee that mounting /proc/ will fail
+    # for unprivileged users when using PrivatePIDs=yes. Now units should fail as PrivatePIDs=yes has no graceful
+    # fallback.
+    #
+    # Note some kernels do not have /proc/scsi so we verify the directory exists prior to running the test.
+    if [ ! -d /proc/scsi ]; then
+        echo "/proc/scsi does not exist, skipping unprivileged PrivatePIDs=yes test with masked /proc/"
+        return 0
+    fi
+
     if [[ "$HAS_EXISTING_SCSI_MOUNT" == "no" ]]; then
         mount -t tmpfs tmpfs /proc/scsi
     fi