From: Yu Watanabe Date: Fri, 15 Aug 2025 05:44:13 +0000 (+0900) Subject: test-nss-hosts: add test case for issue #38582 X-Git-Tag: v258-rc3~33^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F38586%2Fhead;p=thirdparty%2Fsystemd.git test-nss-hosts: add test case for issue #38582
---
diff --git a/src/test/meson.build b/src/test/meson.build
index c65e73f487d..da04b82d476 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -376,7 +376,10 @@ executables += [
 'nss-test-util.c',
 ),
 'extract' : files('nss-test-util.c'),
- 'dependencies' : libdl,
+ 'dependencies' : [
+ libdl,
+ libseccomp,
+ ],
 'conditions' : ['ENABLE_NSS'],
 'timeout' : 120,
 },
diff --git a/src/test/test-nss-hosts.c b/src/test/test-nss-hosts.c
index 8756fcd3940..93de6d7add6 100644
--- a/src/test/test-nss-hosts.c
+++ b/src/test/test-nss-hosts.c
@@ -8,6 +8,7 @@
 #include "env-util.h"
 #include "errno-list.h"
 #include "format-ifname.h"
+#include "hashmap.h"
 #include "hexdecoct.h"
 #include "hostname-setup.h"
 #include "in-addr-util.h"
@@ -18,6 +19,8 @@
 #include "nss-util.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "process-util.h"
+#include "seccomp-util.h"
 #include "socket-util.h"
 #include "string-util.h"
 #include "strv.h"
@@ -472,7 +475,7 @@ static int run(int argc, char **argv) {
 int n_addresses = 0;
 int r;
- test_setup_logging(LOG_INFO);
+ test_setup_logging(LOG_DEBUG);
 r = parse_argv(argc, argv, &modules, &names, &addresses, &n_addresses);
 if (r < 0)
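Review bot: `libseccomp` is added to `dependencies` in src/test/meson.build while `conditions` still lists only `ENABLE_NSS`, and the test-nss-hosts.c hunks of this patch include `seccomp-util.h` and use `SCMP_ACT_ALLOW` and `SCMP_ACT_ERRNO()` with no preprocessor guard visible. If libseccomp is an optional dependency of this build (not shown here), a configuration without it may fail to compile the test unless seccomp-util.h supplies fallbacks for those names. Wrapping the new seccomp block in run() in `#if HAVE_SECCOMP` … `#endif` would keep the plain NSS test building in both configurations, assuming that is the macro the build defines.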
@@ -480,6 +483,32 @@ static int run(int argc, char **argv) {
 assert_se(path_extract_directory(argv[0], &dir) >= 0);
+ if (geteuid() != 0 || !is_seccomp_available())
+ log_tests_skipped("Not privileged or seccomp is not available");
+ else {
+ /* Testing with several syscalls filtered, and check if the nss modules gracefully handle failures in
+ * masked syscalls. See issue #38582. */
+
+ ASSERT_OK(r = safe_fork("(with-seccomp)", FORK_LOG | FORK_WAIT, /* ret_pid = */ NULL));
+ if (r == 0) {
+ _cleanup_hashmap_free_ Hashmap *filter = NULL;
+ ASSERT_NOT_NULL(filter = hashmap_new(NULL));
+ FOREACH_STRING(s, "uname", "olduname", "oldolduname", "sigprocmask", "rt_sigprocmask", "osf_sigprocmask")
+ ASSERT_OK(seccomp_filter_set_add_by_name(filter, /* add = */ true, s));
+ ASSERT_OK(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, filter, SCMP_ACT_ERRNO(ENOSYS), /* log_missing = */ true));
+
+ /* To make assert_return() and friends not call abort(), even built as developer mode. */
+ ASSERT_OK_ERRNO(setenv("SYSTEMD_ASSERT_RETURN_IS_CRITICAL", "0", /* overwrite = */ true));
+ /* Let's also make nss modules output debugging logs. */
+ ASSERT_OK_ERRNO(setenv("SYSTEMD_LOG_LEVEL", "debug", /* overwrite = */ true));
+
+ STRV_FOREACH(module, modules)
+ ASSERT_OK(test_one_module(dir, *module, names, addresses, n_addresses));
+
+ _exit(EXIT_SUCCESS);
+ }
+ }
+
 STRV_FOREACH(module, modules) {
 r = test_one_module(dir, *module, names, addresses, n_addresses);
 if (r < 0)
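Review bot: The `geteuid() != 0` gate at the top of the new block is a weak proxy for being allowed to install the filter. Effective uid 0 inside a user namespace or a capability-restricted container can lack CAP_SYS_ADMIN, and the environment's own seccomp policy may reject the load; in either case `ASSERT_OK(seccomp_load_syscall_filter_set_raw(...))` would fail the test in the child rather than skip it (assuming the helper does not set no_new_privs, which is not visible here). Checking the capability as well, e.g. `if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0 || !is_seccomp_available())`, or treating a permission error from the load as a skip, would avoid spurious failures in sandboxed CI. The skip message is also broader than the behaviour: only the filtered run is skipped and the unfiltered loop below still executes, so the text should say that the seccomp variant is what was skipped. run() begins and ends outside this hunk.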