author | Luca Boccassi <bluca@debian.org> | 2022-03-09 02:07:34 +0000 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2022-03-10 10:21:03 +0000 |
commit | ea63a260d43c27a6b5b5ae471a8d4617bb7be447 (patch) | |
tree | e6295e1c86974caabcf656b2bd2a9d30f69e47e6 /test | |
parent | 4c0ab40ab8e173062db0d36a6007a047deb5abde (diff) | |
download | systemd-ea63a260d43c27a6b5b5ae471a8d4617bb7be447.tar.gz |
core: support MountAPIVFS and RootDirectory in user manager
The only piece missing was to somehow make /proc appear in the
new user+mount namespace. It is not possible to mount a new /proc
instance in a user namespace, not even with hidepid=invisible,subset=pid,
unless a PID namespace is created as well — and created at the same
time as the other namespaces: a child process that creates a PID
namespace after being forked from a parent that already created the
user+mount namespaces still cannot mount a new /proc.
Use the host's /proc with a bind-mount as a fallback for this
case. User session services would already run with it, so
nothing is lost.
Diffstat (limited to 'test')
-rwxr-xr-x | test/TEST-43-PRIVATEUSER-UNPRIV/test.sh | 9 | ||||
-rwxr-xr-x | test/units/testsuite-43.sh | 18 |
2 files changed, 27 insertions, 0 deletions
diff --git a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
index bb8bc18697..dafcdb58fc 100755
--- a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
+++ b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
@@ -3,10 +3,19 @@
 set -e
 TEST_DESCRIPTION="Test PrivateUsers=yes on user manager"
+IMAGE_NAME="private-users"
 # shellcheck source=test/test-functions
 . "${TEST_BASE_DIR:?}/test-functions"
 has_user_dbus_socket || exit 0
+command -v mksquashfs >/dev/null 2>&1 || exit 0
+
+test_append_files() {
+(
+inst_binary unsquashfs
+install_verity_minimal
+)
+}
 do_test "$@"
diff --git a/test/units/testsuite-43.sh b/test/units/testsuite-43.sh
index 3efe419377..cda1fe1fda 100755
--- a/test/units/testsuite-43.sh
+++ b/test/units/testsuite-43.sh
@@ -68,6 +68,24 @@ runas testuser systemd-run --wait --user --unit=test-group-fail \
 -P true \
 && { echo 'unexpected success'; exit 1; }
+# Check that with a new user namespace we can bind mount
+# files and use a different root directory
+runas testuser systemd-run --wait --user --unit=test-bind-mount \
+-p PrivateUsers=yes -p BindPaths=/dev/null:/etc/os-release \
+test ! -s /etc/os-release
+
+unsquashfs -no-xattrs -d /tmp/img /usr/share/minimal_0.raw
+runas testuser systemd-run --wait --user --unit=test-root-dir \
+-p PrivateUsers=yes -p RootDirectory=/tmp/img \
+grep MARKER=1 /etc/os-release
+
+mkdir /tmp/img_bind
+mount --bind /tmp/img /tmp/img_bind
+runas testuser systemd-run --wait --user --unit=test-root-dir-bind \
+-p PrivateUsers=yes -p RootDirectory=/tmp/img_bind \
+grep MARKER=1 /etc/os-release
+umount /tmp/img_bind
+
 systemd-analyze log-level info
 echo OK >/testok
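Review bot: The new `command -v mksquashfs >/dev/null 2>&1 || exit 0` guard silently turns a missing build tool into a passing test, so on an image without squashfs-tools the RootDirectory= checks this commit adds never run and nothing in the log says so. I would at least report the skip on stderr: `command -v mksquashfs >/dev/null 2>&1 || { echo "mksquashfs not found, skipping" >&2; exit 0; }`. The pre-existing `has_user_dbus_socket || exit 0` on the context line above has the same shape, but that is outside this change. `test_append_files` is only defined here; the framework that calls it is sourced from test-functions, outside the hunk, so whether a failure inside the subshell is acted on cannot be seen from this diff.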
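Review bot: The two RootDirectory= cases only assert that `/etc/os-release` from the extracted image is visible, so they do not cover the part the commit message calls the missing piece — the host `/proc` bind-mounted into the new root as the API-VFS fallback — and a regression that leaves `/proc` absent or unreadable inside the root would still pass as long as the chroot itself works. I would make the `test-root-dir` payload check both, e.g. `sh -c 'grep -q MARKER=1 /etc/os-release && test -r /proc/self/status'` (if the minimal image ships `sh`; otherwise a second unit with `test -r /proc/self/status` as its payload), and pass `-p MountAPIVFS=yes` explicitly rather than relying on RootDirectory= implying it, which I believe it does but is worth pinning in a test named for that feature. Separately, `/tmp/img` and `/tmp/img_bind` are never removed and `umount /tmp/img_bind` is only reached if every preceding `runas` succeeds; if this script runs under `set -e` (its header is outside the hunk) a failing unit leaves the bind mount behind for later tests, so a `trap 'umount /tmp/img_bind' EXIT` set right after the `mount --bind` would be safer. The surrounding script continues on both sides of the hunk.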