aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJanneke Nieuwenhuizen <janneke@gnu.org>2024-12-18 21:30:38 +0100
committerJanneke Nieuwenhuizen <janneke@gnu.org>2024-12-18 21:31:43 +0100
commita3163196680e32de81b058682f19de26c495196d (patch)
tree497bce66f21c54ad56cd0945272b42f392a14666
parent777fde8299d5b0050cae661d403374a7dd87f6ab (diff)
downloadguix-a3163196680e32de81b058682f19de26c495196d.tar.gz
guix-a3163196680e32de81b058682f19de26c495196d.zip
gnu: Add tests/shadow.scm
This is a follow-up to commit a1ecd7f56c4ffadc49d5501a0df7f4c4556120c2 system: Add /etc/subuid and /etc/subgid support. This file was already registered in gnu/local.mk. * gnu/tests/shadow.scm: New file. Change-Id: I1785206d56357f8262bd4277ef48f29183c47adc
-rw-r--r--gnu/tests/shadow.scm180
1 files changed, 180 insertions, 0 deletions
diff --git a/gnu/tests/shadow.scm b/gnu/tests/shadow.scm
new file mode 100644
index 0000000000..849b7b8af0
--- /dev/null
+++ b/gnu/tests/shadow.scm
@@ -0,0 +1,180 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2024 Giacomo Leidi <goodoldpaul@autistici.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests shadow)
+ #:use-module (gnu packages base)
+ #:use-module (gnu packages containers)
+ #:use-module (gnu tests)
+ #:use-module (gnu services)
+ #:use-module (gnu system)
+ #:use-module (gnu system accounts)
+ #:use-module (gnu system shadow)
+ #:use-module (gnu system vm)
+ #:use-module (guix gexp)
+ #:export (%test-subids))
+
+
+(define %subids-os
+ (simple-operating-system
+ (simple-service
+ 'simple-profile
+ profile-service-type
+ (list podman))
+ (simple-service
+ 'simple-subids
+ subids-service-type
+ (subids-extension
+ (subgids
+ (list
+ (subid-range
+ (name "alice"))
+ (subid-range
+ (name "bob")
+ (start 100700))))
+ (subuids
+ (list
+ (subid-range
+ (name "alice"))))))))
+
+(define (run-subids-test)
+ "Run IMAGE as an OCI backed Shepherd service, inside OS."
+
+ (define os
+ (marionette-operating-system
+ (operating-system-with-gc-roots
+ %subids-os
+ (list))
+ #:imported-modules '((gnu services herd)
+ (guix combinators))))
+
+ (define vm
+ (virtual-machine
+ (operating-system os)
+ (volatile? #f)
+ (memory-size 1024)
+ (disk-image-size (* 3000 (expt 2 20)))
+ (port-forwardings '())))
+
+ (define test
+ (with-imported-modules '((gnu build marionette))
+ #~(begin
+ (use-modules (srfi srfi-11) (srfi srfi-64)
+ (gnu build marionette))
+
+ (define marionette
+ ;; Relax timeout to accommodate older systems and
+ ;; allow for pulling the image.
+ (make-marionette (list #$vm) #:timeout 60))
+
+ (test-runner-current (system-test-runner #$output))
+ (test-begin "subids")
+
+ (test-equal "/etc/subid and /etc/subgid are created and their content is sound"
+ '("root:100000:700\nbob:100700:65536\nalice:166236:65536\n"
+ "root:100000:65536\nalice:165536:65536\n")
+ (marionette-eval
+ `(begin
+ (use-modules (ice-9 textual-ports))
+
+ (define (read-file file-name)
+ (call-with-input-file file-name get-string-all))
+
+ (let* ((response1 (read-file "/etc/subgid"))
+ (response2 (read-file "/etc/subuid")))
+ (list response1 response2)))
+ marionette))
+
+ (test-equal "podman unshare runs for unprivileged users"
+ " 0 1000 1\n 1 165536 65536"
+ (marionette-eval
+ `(begin
+ (use-modules (srfi srfi-1)
+ (ice-9 popen)
+ (ice-9 match)
+ (ice-9 rdelim)
+ (ice-9 textual-ports))
+ (define out-dir "/tmp")
+ (define (read-file file-name)
+ (call-with-input-file file-name get-string-all))
+
+ (define (wait-for-file file)
+ ;; Wait until FILE shows up.
+ (let loop ((i 60))
+ (cond ((file-exists? file)
+ #t)
+ ((zero? i)
+ (error "file didn't show up" file))
+ (else
+ (sleep 1)
+ (loop (- i 1))))))
+
+ (define (read-lines file-or-port)
+ (define (loop-lines port)
+ (let loop ((lines '()))
+ (match (read-line port)
+ ((? eof-object?)
+ (reverse lines))
+ (line
+ (loop (cons line lines))))))
+
+ (if (port? file-or-port)
+ (loop-lines file-or-port)
+ (call-with-input-file file-or-port
+ loop-lines)))
+
+ (define slurp
+ (lambda args
+ (let* ((port (apply open-pipe* OPEN_READ
+ (list "sh" "-l" "-c"
+ (string-join
+ args
+ " "))))
+ (output (read-lines port))
+ (status (close-pipe port)))
+ output)))
+
+ (match (primitive-fork)
+ (0
+ (dynamic-wind
+ (const #f)
+ (lambda ()
+ (setgid (passwd:gid (getpwnam "alice")))
+ (setuid (passwd:uid (getpw "alice")))
+
+ (let* ((response1 (slurp
+ "podman" "unshare" "cat" "/proc/self/uid_map")))
+ (call-with-output-file (string-append out-dir "/response1")
+ (lambda (port)
+ (display (string-join response1 "\n") port)))))
+ (lambda ()
+ (primitive-exit 127))))
+ (pid
+ (cdr (waitpid pid))))
+ (wait-for-file (string-append out-dir "/response1"))
+ (read-file (string-append out-dir "/response1")))
+ marionette))
+
+ (test-end))))
+
+ (gexp->derivation "subids-test" test))
+
+(define %test-subids
+ (system-test
+ (name "subids")
+ (description "Test sub UIDs and sub GIDs provisioning service.")
+ (value (run-subids-test))))