From: Lennart Poettering Date: Mon, 25 Nov 2024 14:01:00 +0000 (+0100) Subject: test: test comprehensive tests for new (and old) nspawn userns modes X-Git-Tag: v258-rc1~1502^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db5c4a45036366d7d6763a57119701c23280e953;p=thirdparty%2Fsystemd.git test: test comprehensive tests for new (and old) nspawn userns modes --- diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh index cd37f4c65ec..076e94c7b11 100755 --- a/test/units/TEST-13-NSPAWN.nspawn.sh +++ b/test/units/TEST-13-NSPAWN.nspawn.sh @@ -916,7 +916,7 @@ matrix_run_one() { --boot; then [[ "$IS_USERNS_SUPPORTED" == "yes" && "$api_vfs_writable" == "network" ]] && return 1 else - [[ "$IS_USERNS_SUPPORTED" == "no" && "$api_vfs_writable" = "network" ]] && return 1 + [[ "$IS_USERNS_SUPPORTED" == "no" && "$api_vfs_writable" == "network" ]] && return 1 fi if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$cgroupsv2" SYSTEMD_NSPAWN_USE_CGNS="$use_cgns" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$api_vfs_writable" \ @@ -1282,4 +1282,42 @@ testcase_dev_net_tun() { rm -fr "$root" } +testcase_unpriv_dir() { + if ! can_do_rootless_nspawn; then + echo "Skipping rootless test..." + return 0 + fi + + root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.unpriv.XXX)" + create_dummy_container "$root" + + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=no bash -c 'echo foobar')" "foobar" + + # Use an image owned by some freshly acquired container user + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=chown bash -c 'echo foobar')" "foobar" + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=yes --private-users-ownership=chown bash -c 'echo foobar')" "foobar" + + # Now move back to root owned, and try to use fs idmapping + systemd-dissect --shift "$root" 0 + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=no --private-users-ownership=no bash -c 'echo foobar')" "foobar" + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=map bash -c 'echo foobar')" "foobar" + + # Use an image owned by the foreign UID range first via direct mapping, and than via the managed uid logic + systemd-dissect --shift "$root" foreign + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=foreign bash -c 'echo foobar')" "foobar" + assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=managed --private-network bash -c 'echo foobar')" "foobar" + + # Test unprivileged operation + chown testuser:testuser "$root/.." + + ls -al "/var/lib/machines" + ls -al "$root" + + assert_eq "$(run0 --pipe -u testuser systemd-nspawn --pipe --register=no -D "$root" --private-users=managed --private-network bash -c 'echo foobar')" "foobar" + assert_eq "$(run0 --pipe -u testuser systemd-nspawn --pipe --register=no -D "$root" --private-network bash -c 'echo foobar')" "foobar" + chown root:root "$root/.." + + rm -rf "$root" +} + run_testcases diff --git a/test/units/TEST-74-AUX-UTILS.userdbctl.sh b/test/units/TEST-74-AUX-UTILS.userdbctl.sh new file mode 100755 index 00000000000..b0b7472d617 --- /dev/null +++ b/test/units/TEST-74-AUX-UTILS.userdbctl.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux +set -o pipefail + +# shellcheck source=test/units/util.sh +. "$(dirname "$0")"/util.sh + +# Root +userdbctl user root +userdbctl user 0 + +# Nobody +userdbctl user 65534 + +# The 16bit and 32bit -1 user cannot exist +(! userdbctl user 65535) +(! userdbctl user 4294967295) + +userdbctl user foreign-0 +userdbctl user 2147352576 +userdbctl user foreign-1 +userdbctl user 2147352577 +userdbctl user foreign-65534 +userdbctl user 2147418110 +(! userdbctl user foreign-65535) +(! userdbctl user 2147418111) +(! userdbctl user foreign-65536) +(! userdbctl user 2147418112) + +assert_eq "$(userdbctl user root -j | jq .uid)" 0 +assert_eq "$(userdbctl user foreign-0 -j | jq .uid)" 2147352576 +assert_eq "$(userdbctl user foreign-1 -j | jq .uid)" 2147352577 +assert_eq "$(userdbctl user foreign-65534 -j | jq .uid)" 2147418110 + +assert_eq "$(userdbctl user 0 -j | jq -r .userName)" root +assert_eq "$(userdbctl user 2147352576 -j | jq -r .userName)" foreign-0 +assert_eq "$(userdbctl user 2147352577 -j | jq -r .userName)" foreign-1 +assert_eq "$(userdbctl user 2147418110 -j | jq -r .userName)" foreign-65534