aboutsummaryrefslogtreecommitdiff
path: root/gnu/tests/security-token.scm
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/tests/security-token.scm')
0 files changed, 0 insertions, 0 deletions
tgid))))) #:guest-uid 42 #:guest-gid 77 #:namespaces '(user)))) (skip-if-unsupported) (test-assert "call-with-container, uts namespace" (zero? (call-with-container '() (lambda () ;; The user is root within the container and should be able to change ;; the hostname of that container. (sethostname "test-container") (primitive-exit 0)) #:namespaces '(user uts)))) (skip-if-unsupported) (test-assert "call-with-container, pid namespace" (zero? (call-with-container '() (lambda () (match (primitive-fork) (0 ;; The first forked process in the new pid namespace is pid 2. (assert-exit (= 2 (getpid)))) (pid (primitive-exit (match (waitpid pid) ((_ . status) (status:exit-val status))))))) #:namespaces '(user pid)))) (skip-if-unsupported) (test-assert "call-with-container, mnt namespace" (zero? (call-with-container (list (file-system (device "none") (mount-point "/testing") (type "tmpfs") (check? #f))) (lambda () (assert-exit (file-exists? "/testing"))) #:namespaces '(user mnt)))) (skip-if-unsupported) (test-equal "call-with-container, mnt namespace, wrong bind mount" `(system-error ,ENOENT) ;; An exception should be raised; see <http://bugs.gnu.org/23306>. (catch 'system-error (lambda () (call-with-container (list (file-system (device "/does-not-exist") (mount-point "/foo") (type "none") (flags '(bind-mount)) (check? #f))) (const #t) #:namespaces '(user mnt))) (lambda args (list 'system-error (system-error-errno args))))) (skip-if-unsupported) (test-assert "call-with-container, all namespaces" (zero? (call-with-container '() (lambda () (primitive-exit 0))))) (skip-if-unsupported) (test-assert "call-with-container, mnt namespace, root permissions" (zero? (call-with-container '() (lambda () (assert-exit (= #o755 (stat:perms (lstat "/"))))) #:namespaces '(user mnt)))) (skip-if-unsupported) (test-assert "container-excursion" (call-with-temporary-directory (lambda (root) ;; Two pipes: One for the container to signal that the test can begin, ;; and one for the parent to signal to the container that the test is ;; over. (match (list (pipe) (pipe)) (((start-in . start-out) (end-in . end-out)) (define (container) (close end-out) (close start-in) ;; Signal for the test to start. (write 'ready start-out) (close start-out) ;; Wait for test completion. (read end-in) (close end-in)) (define (namespaces pid) (let ((pid (number->string pid))) (map (lambda (ns) (readlink (string-append "/proc/" pid "/ns/" ns))) '("user" "ipc" "uts" "net" "pid" "mnt")))) (let* ((pid (run-container root '() %namespaces 1 container)) (container-namespaces (namespaces pid)) (result (begin (close start-out) ;; Wait for container to be ready. (read start-in) (close start-in) (container-excursion pid (lambda () ;; Check that all of the namespace identifiers are ;; the same as the container process. (assert-exit (equal? container-namespaces (namespaces (getpid))))))))) (close end-in) ;; Stop the container. (write 'done end-out) (close end-out) (waitpid pid) (zero? result))))))) (skip-if-unsupported) (test-equal "container-excursion, same namespaces" 42 ;; The parent and child are in the same namespaces. 'container-excursion' ;; should notice that and avoid calling 'setns' since that would fail. (status:exit-val (container-excursion (getpid) (lambda () (primitive-exit 42))))) (skip-if-unsupported) (test-assert "container-excursion*" (call-with-temporary-directory (lambda (root) (define (namespaces pid) (let ((pid (number->string pid))) (map (lambda (ns) (readlink (string-append "/proc/" pid "/ns/" ns))) '("user" "ipc" "uts" "net" "pid" "mnt")))) (let* ((pid (run-container root '() %namespaces 1 (lambda () (sleep 100)))) (expected (namespaces pid)) (result (container-excursion* pid (lambda () (namespaces 1))))) (kill pid SIGKILL) (equal? result expected))))) (skip-if-unsupported) (test-equal "container-excursion*, same namespaces" 42 (container-excursion* (getpid) (lambda () (* 6 7)))) (skip-if-unsupported) (test-equal "container-excursion*, /proc" '("1" "2") (call-with-temporary-directory (lambda (root) (let* ((pid (run-container root '() %namespaces 1 (lambda () (sleep 100)))) (result (container-excursion* pid (lambda () ;; We expect to see exactly two processes in this ;; namespace. (scandir "/proc" (lambda (file) (char-set-contains? char-set:digit (string-ref file 0)))))))) (kill pid SIGKILL) result)))) (skip-if-unsupported) (test-equal "eval/container, exit status" 42 (let* ((store (open-connection-for-tests)) (status (run-with-store store (eval/container #~(exit 42))))) (close-connection store) (status:exit-val status))) (skip-if-unsupported) (test-assert "eval/container, writable user mapping" (call-with-temporary-directory (lambda (directory) (define store (open-connection-for-tests)) (define result (string-append directory "/r")) (define requisites* (store-lift requisites)) (call-with-output-file result (const #t)) (run-with-store store (mlet %store-monad ((status (eval/container #~(begin (use-modules (ice-9 ftw)) (call-with-output-file "/result" (lambda (port) (write (scandir #$(%store-prefix)) port)))) #:mappings (list (file-system-mapping (source result) (target "/result") (writable? #t))))) (reqs (requisites* (list (derivation->output-path (%guile-for-build)))))) (close-connection store) (return (and (zero? (pk 'status status)) (lset= string=? (cons* "." ".." (map basename reqs)) (pk (call-with-input-file result read)))))))))) (skip-if-unsupported) (test-assert "eval/container, non-empty load path" (call-with-temporary-directory (lambda (directory) (define store (open-connection-for-tests)) (define result (string-append directory "/r")) (define requisites* (store-lift requisites)) (mkdir result) (run-with-store store (mlet %store-monad ((status (eval/container (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (mkdir-p "/result/a/b/c"))) #:mappings (list (file-system-mapping (source result) (target "/result") (writable? #t)))))) (close-connection store) (return (and (zero? status) (file-is-directory? (string-append result "/a/b/c"))))))))) (test-end)