vmcheck: add test-layering-non-root-caps.sh

This new test exercises the new support for non-root file paths and
files with capabilities.

Closes: #561
Approved by: cgwalters

Makefile-tests.am

@@ -26,6 +26,7 @@ testpackages = \
 	tests/common/compose/yum/repo/packages/x86_64/foo-1.0-1.x86_64.rpm \
 	tests/common/compose/yum/repo/packages/x86_64/bar-1.0-1.x86_64.rpm \
 	tests/common/compose/yum/repo/packages/x86_64/scriptpkg1-1.0-1.x86_64.rpm \
+	tests/common/compose/yum/repo/packages/x86_64/nonrootcap-1.0-1.x86_64.rpm \
 	$(NULL)
 
 # Create a rule for each testpkg with their respective spec file as dep.

tests/common/compose/yum/nonrootcap.spec

@@ -0,0 +1,59 @@
+Summary: An app that uses has non-root files and caps
+Name: nonrootcap
+Version: 1.0
+Release: 1
+License: GPL+
+Group: Development/Tools
+URL: http://foo.bar.com
+BuildArch: x86_64
+
+%description
+%{summary}
+
+%prep
+
+%build
+cat > tmp << EOF
+#!/bin/sh
+echo "Hello!"
+EOF
+
+chmod a+x tmp
+cp tmp nrc-none.sh
+cp tmp nrc-user.sh
+cp tmp nrc-group.sh
+cp tmp nrc-caps.sh
+cp tmp nrc-caps-setuid.sh
+cp tmp nrc-usergroup.sh
+cp tmp nrc-usergroupcaps.sh
+cp tmp nrc-usergroupcaps-setuid.sh
+rm tmp
+
+%pre
+groupadd -r nrcgroup
+useradd -r nrcuser -g nrcgroup -s /sbin/nologin
+
+%install
+mkdir -p %{buildroot}/usr/bin
+install *.sh %{buildroot}/usr/bin
+mkdir -p %{buildroot}/var/lib/nonrootcap
+mkdir -p %{buildroot}/run/nonrootcap
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/bin/nrc-none.sh
+%attr(-, nrcuser, -) /usr/bin/nrc-user.sh
+%attr(-, -, nrcgroup) /usr/bin/nrc-group.sh
+%caps(cap_net_bind_service=ep) /usr/bin/nrc-caps.sh
+%attr(4775, -, -) %caps(cap_net_bind_service=ep) /usr/bin/nrc-caps-setuid.sh
+%attr(-, nrcuser, nrcgroup) /usr/bin/nrc-usergroup.sh
+%attr(-, nrcuser, nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps.sh
+%attr(4775, nrcuser, nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps-setuid.sh
+%attr(-, nrcuser, nrcgroup) /var/lib/nonrootcap
+%attr(-, nrcuser, nrcgroup) /run/nonrootcap
+
+%changelog
+* Wed Jan 05 2017 Jonathan Lebon <jlebon@redhat.com> 1.0-1
+- First Build

tests/common/libvm.sh

@@ -62,6 +62,7 @@ vm_send() {
 
 # copy the test repo to the vm
 vm_send_test_repo() {
+  vm_cmd rm -rf /tmp/vmcheck
   vm_send /tmp/vmcheck ${commondir}/compose/yum/repo
 
   cat > vmcheck.repo << EOF
@@ -103,8 +104,8 @@ vm_reboot() {
   vm_ssh_wait 120 $bootid
 }
 
-# check that the given files exist on the VM
-# - $@    packages to check for
+# check that the given files/dirs exist on the VM
+# - $@    files/dirs to check for
 vm_has_files() {
   for file in "$@"; do
     if ! vm_cmd test -e $file; then

tests/vmcheck/test-layering-non-root-caps.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+#
+# Copyright (C) 2016 Jonathan Lebon <jlebon@redhat.com>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -e
+
+. ${commondir}/libtest.sh
+. ${commondir}/libvm.sh
+
+set -x
+
+# SUMMARY: check that RPM scripts are properly handled during package layering
+
+vm_send_test_repo
+
+# make sure the package is not already layered
+vm_assert_layered_pkg nonrootcap absent
+
+vm_cmd rpm-ostree install nonrootcap
+echo "ok install nonrootcap"
+
+vm_reboot
+
+vm_assert_layered_pkg nonrootcap present
+echo "ok pkg nonrootcap added"
+
+# let's check that the user and group were successfully added
+vm_cmd getent passwd nrcuser
+vm_cmd getent group nrcgroup
+echo "ok user and group added"
+
+if ! vm_has_files /usr/bin/nrc-none.sh \
+                  /usr/bin/nrc-user.sh \
+                  /usr/bin/nrc-group.sh \
+                  /usr/bin/nrc-caps.sh \
+                  /usr/bin/nrc-usergroup.sh \
+                  /usr/bin/nrc-usergroupcaps.sh \
+                  /var/lib/nonrootcap \
+                  /run/nonrootcap; then
+  assert_not_reached "not all files were layered"
+fi
+echo "ok all files layered"
+
+check_user() {
+  user=$(vm_cmd stat -c '%U' $1)
+  if [[ $user != $2 ]]; then
+    assert_not_reached "expected user $2 on file $1 but got $user"
+  fi
+}
+
+check_group() {
+  group=$(vm_cmd stat -c '%G' $1)
+  if [[ $group != $2 ]]; then
+    assert_not_reached "expected group $2 on file $1 but got $group"
+  fi
+}
+
+check_fcap() {
+  fcap=$(vm_cmd getcap $1)
+  fcap=${fcap#* = } # trim filename
+  if [[ $fcap != $2 ]]; then
+    assert_not_reached "expected fcaps $2 on file $1 but got $fcap"
+  fi
+}
+
+check_file() {
+  check_user $1 $2
+  check_group $1 $3
+  check_fcap $1 $4
+}
+
+check_file /usr/bin/nrc-none.sh root root ""
+check_file /usr/bin/nrc-user.sh nrcuser root ""
+check_file /usr/bin/nrc-group.sh root nrcgroup ""
+check_file /usr/bin/nrc-caps.sh root root "cap_net_bind_service+ep"
+check_file /usr/bin/nrc-caps-setuid.sh root root "cap_net_bind_service+ep"
+vm_cmd test -u /usr/bin/nrc-caps-setuid.sh
+check_file /usr/bin/nrc-usergroup.sh nrcuser nrcgroup ""
+check_file /usr/bin/nrc-usergroupcaps.sh nrcuser nrcgroup "cap_net_bind_service+ep"
+check_file /usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup "cap_net_bind_service+ep"
+vm_cmd test -u /usr/bin/nrc-usergroupcaps-setuid.sh
+check_file /var/lib/nonrootcap nrcuser nrcgroup
+check_file /run/nonrootcap nrcuser nrcgroup
+echo "ok correct user/group and fcaps"