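;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Ludovic Courtès
;;; Copyright © 2019 Mathieu Othacehe
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-processes)
  #:use-module (guix scripts processes)
  #:use-module (guix store)
  #:use-module (guix derivations)
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module ((guix utils) #:select (call-with-temporary-directory))
  #:use-module (gnu packages bootstrap)
  #:use-module (guix tests)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64)
  #:use-module (rnrs bytevectors)
  #:use-module (rnrs io ports)
  #:use-module (ice-9 match)
  #:use-module (ice-9 threads))

;; When using the --system argument, the binfmt-misc mechanism may be used.
;; In that case, (guix scripts processes) won't work because:
;;
;;   * ARGV0 is qemu-user and not guix-daemon.
;;   * Guix-daemon won't be able to stuff the client PID in ARGV1 of forked
;;     processes.
;;
;; See: https://lists.gnu.org/archive/html/bug-guix/2019-12/msg00017.html.
;;
;; If we detect that we are running with binfmt emulation, all the following
;; tests must be skipped.

(define (binfmt-misc?)
  "Return true if this process appears to run under binfmt-misc emulation.

A forked child reads our /proc/PID/cmdline \"from the outside\" and compares
it with what we read from /proc/self/cmdline ourselves; the two views differ
when argv is being rewritten by an emulator.  The child reports its verdict
through its exit status only."
  (let ((pid     (getpid))
        (cmdline (call-with-input-file "/proc/self/cmdline" get-string-all)))
    (match (primitive-fork)
      (0
       ;; Child.  Use 'primitive-exit' rather than 'exit' so that the
       ;; parent's exit hooks and buffered ports are not run/flushed a second
       ;; time in the child, and catch everything so the child can never fall
       ;; through into the parent's continuation (which would run the rest of
       ;; the test suite twice).  Status 0 means "the two views differ"
       ;; (emulated); 1 means "same" or "could not tell".
       (primitive-exit
        (catch #t
          (lambda ()
            (let ((outside (call-with-input-file
                               (format #f "/proc/~a/cmdline" pid)
                             get-string-all)))
              (if (equal? outside cmdline) 1 0)))
          (lambda _ 1))))
      (child
       ;; Parent.  The raw wait status is zero only for a normal exit with
       ;; status 0, so a child killed by a signal also yields #f here.
       (zero? (cdr (waitpid child)))))))

;; Like 'test-assert', but skip the test when binfmt-misc emulation is
;; detected (see the comment above).
(define-syntax-rule (test-assert* description exp)
  (begin
    (when (binfmt-misc?)
      (test-skip 1))
    (test-assert description exp)))


(test-begin "processes")

(test-assert* "not a client"
  ;; No store connection is open yet, so the daemon must not list us.
  (not (find (lambda (session)
               (= (getpid)
                  (process-id (daemon-session-client session))))
             (daemon-sessions))))

(test-assert* "client"
  (with-store store
    (let* ((session (find (lambda (session)
                            (= (getpid)
                               (process-id (daemon-session-client session))))
                          (daemon-sessions)))
           (daemon  (daemon-session-process session)))
      ;; Signal 0 only checks that the per-client daemon process exists; we
      ;; then make sure it really is a guix-daemon and not some other PID.
      (and (kill (process-id daemon) 0)
           (string-suffix? "guix-daemon"
                           (first (process-command daemon)))))))

(test-assert* "client + lock"
  (with-store store
    (call-with-temporary-directory
     (lambda (directory)
       (let* ((token1  (string-append directory "/token1"))
              (token2  (string-append directory "/token2"))
              ;; The builder announces itself by creating TOKEN1, then blocks
              ;; until TOKEN2 exists, holding the output lock in the
              ;; meantime.  The random text makes the derivation unique so
              ;; the build is never served from a previous run.
              (exp     #~(begin
                           #$(random-text)
                           (mkdir #$token1)
                           (let loop ()
                             (unless (file-exists? #$token2)
                               (sleep 1)
                               (loop)))
                           (mkdir #$output)))
              (guile   (package-derivation store %bootstrap-guile))
              (drv     (run-with-store store
                         (gexp->derivation "foo" exp
                                           #:guile-for-build guile)))
              ;; Build in another thread so this one can inspect the
              ;; daemon's session while the build is in progress.
              (thread  (call-with-new-thread
                        (lambda ()
                          (build-derivations store (list drv)))))
              ;; Wait until the builder is actually running.
              (_       (let loop ()
                         (unless (file-exists? token1)
                           (usleep 200)
                           (loop))))
              (session (find (lambda (session)
                               (= (getpid)
                                  (process-id
                                   (daemon-session-client session))))
                             (daemon-sessions)))
              (locks   (daemon-session-locks-held
                        (pk 'session session))))
         ;; Release the builder...
         (call-with-output-file token2 (const #t))
         ;; ...and wait for it to finish before 'with-store' tears down the
         ;; connection the builder thread is still using.
         (join-thread thread)
         (equal? (list (string-append (derivation->output-path drv) ".lock"))
                 locks))))))

(test-end "processes")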