From f582e61bc3a956fb09af66bcd6778b4dd5058e40 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Thu, 9 Mar 2023 20:13:34 +0800
Subject: [PATCH] test: tmpfiles: add tests on conditionalized execute bit

---
 test/TEST-22-TMPFILES/test.sh |  2 ++
 test/test-systemd-tmpfiles.py | 24 +++++++++++++++++++++++
 test/units/testsuite-22.16.sh | 36 +++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 create mode 100755 test/units/testsuite-22.16.sh

diff --git a/test/TEST-22-TMPFILES/test.sh b/test/TEST-22-TMPFILES/test.sh
index 46dd990f799..82d497d50f4 100755
--- a/test/TEST-22-TMPFILES/test.sh
+++ b/test/TEST-22-TMPFILES/test.sh
@@ -17,6 +17,8 @@ test_append_files() {
 
         sed -i "s/systemd//g" "$initdir/etc/nsswitch.conf"
     fi
+
+    image_install setfacl
 }
 
 do_test "$@"
diff --git a/test/test-systemd-tmpfiles.py b/test/test-systemd-tmpfiles.py
index 791a88497cc..369478d31ed 100755
--- a/test/test-systemd-tmpfiles.py
+++ b/test/test-systemd-tmpfiles.py
@@ -13,6 +13,7 @@ import subprocess
 import tempfile
 import pwd
 import grp
+from pathlib import Path
 
 try:
     from systemd import id128
@@ -202,6 +203,27 @@ def test_hard_cleanup(*, user):
 def test_base64():
     test_content('f~ {} - - - - UGlmZgpQYWZmClB1ZmYgCg==', "Piff\nPaff\nPuff \n", user=False)
 
+def test_conditionalized_execute_bit():
+    c = subprocess.run(exe_with_args + ['--version', '|', 'grep', '-F', '+ACL'], shell=True, stdout=subprocess.DEVNULL)
+    if c.returncode != 0:
+        return 0
+
+    d = tempfile.TemporaryDirectory(prefix='test-acl.', dir=temp_dir.name)
+    temp = Path(d.name) / "cond_exec"
+    temp.touch()
+    temp.chmod(0o644)
+
+    test_line(f"a {temp} - - - - u:root:Xwr", user=False, returncode=0)
+    c = subprocess.run(["getfacl", "-Ec", temp],
+                       stdout=subprocess.PIPE, check=True, text=True)
+    assert "user:root:rw-" in c.stdout
+
+    temp.chmod(0o755)
+    test_line(f"a+ {temp} - - - - u:root:Xwr,g:root:rX", user=False, returncode=0)
+    c = subprocess.run(["getfacl", "-Ec", temp],
+                       stdout=subprocess.PIPE, check=True, text=True)
+    assert "user:root:rwx" in c.stdout and "group:root:r-x" in c.stdout
+
 if __name__ == '__main__':
     test_invalids(user=False)
     test_invalids(user=True)
@@ -214,3 +236,5 @@ if __name__ == '__main__':
     test_hard_cleanup(user=True)
 
     test_base64()
+
+    test_conditionalized_execute_bit()
diff --git a/test/units/testsuite-22.16.sh b/test/units/testsuite-22.16.sh
new file mode 100755
index 00000000000..15387cddb82
--- /dev/null
+++ b/test/units/testsuite-22.16.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Test for conditionalized execute bit ('X' bit)
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/assert.sh
+. "$(dirname "$0")"/assert.sh
+
+rm -f /tmp/acl_exec
+touch /tmp/acl_exec
+
+# No ACL set yet
+systemd-tmpfiles --create - <<EOF
+a /tmp/acl_exec - - - - u:root:rwX
+EOF
+assert_in 'user:root:rw-' "$(getfacl -Ec /tmp/acl_exec)"
+
+# Set another ACL and append
+setfacl -m g:root:x /tmp/acl_exec
+
+systemd-tmpfiles --create - <<EOF
+a+ /tmp/acl_exec - - - - u:root:rwX
+EOF
+acl="$(getfacl -Ec /tmp/acl_exec)"
+assert_in 'user:root:rwx' "$acl"
+assert_in 'group:root:--x' "$acl"
+
+# Reset ACL (no append)
+systemd-tmpfiles --create - <<EOF
+a /tmp/acl_exec - - - - u:root:rwX
+EOF
+assert_in 'user:root:rw-' "$(getfacl -Ec /tmp/acl_exec)"
+
+rm -f /tmp/acl_exec
-- 
2.47.3