Merge pull request #22934 from poettering/tls-test-fix-root
tests: make test-resolved-stream succeed even when run as root with restrictive access mode on build tree dir
commit
ca782b85fc
@ -16,6 +16,7 @@
|
||||
#include "fd-util.h"
|
||||
#include "log.h"
|
||||
#include "macro.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "resolved-dns-packet.h"
|
||||
#include "resolved-dns-question.h"
|
||||
@ -330,12 +331,37 @@ static void test_dns_stream(bool tls) {
|
||||
|
||||
static void try_isolate_network(void) {
|
||||
_cleanup_close_ int socket_fd = -1;
|
||||
int r;
|
||||
|
||||
/* First test if CLONE_NEWUSER/CLONE_NEWNET can actually work for us, i.e. we can open the namespaces
|
||||
* and then still access the build dir we are run from. We do that in a child process since it's
|
||||
* nasty if we have to go back from the namespace once we entered it and realized it cannot work. */
|
||||
r = safe_fork("(usernstest)", FORK_DEATHSIG|FORK_LOG|FORK_WAIT, NULL);
|
||||
if (r == 0) { /* child */
|
||||
_cleanup_free_ char *rt = NULL, *d = NULL;
|
||||
|
||||
if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
|
||||
log_warning("test-resolved-stream: Can't create user and network ns, running on host");
|
||||
return;
|
||||
log_warning_errno(errno, "test-resolved-stream: Can't create user and network ns, running on host: %m");
|
||||
_exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
assert_se(get_process_exe(0, &rt) >= 0);
|
||||
assert_se(path_extract_directory(rt, &d) >= 0);
|
||||
|
||||
if (access(d, F_OK) < 0) {
|
||||
log_warning_errno(errno, "test-resolved-stream: Can't access /proc/self/exe from user/network ns, running on host: %m");
|
||||
_exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
_exit(EXIT_SUCCESS);
|
||||
}
|
||||
if (r == -EPROTO) /* EPROTO means nonzero exit code of child, i.e. the tests in the child failed */
|
||||
return;
|
||||
assert_se(r > 0);
|
||||
|
||||
/* Now that we know that the unshare() is safe, let's actually do it */
|
||||
assert_se(unshare(CLONE_NEWUSER | CLONE_NEWNET) >= 0);
|
||||
|
||||
/* Bring up the loopback interfaceon the newly created network namespace */
|
||||
struct ifreq req = { .ifr_ifindex = 1 };
|
||||
assert_se((socket_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0)) >= 0);
|
||||
|
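Review bot: The probe in the child checks the build directory with `access(d, F_OK)`, but F_OK only proves the path resolves; it says nothing about whether the unprivileged identity we hold after `unshare(CLONE_NEWUSER | CLONE_NEWNET)` can actually enter and read that directory, which is what the commit title (restrictive access mode on the build tree) is about. If the later test code reads files from the build tree, `access(d, R_OK | X_OK)` would catch the 0700-owned-by-another-uid case that F_OK lets through. The warning text on the failure branch also says "Can't access /proc/self/exe" while the check is on the directory `d`, so `"test-resolved-stream: Can't access build dir %s from user/network ns, running on host: %m", d` would describe what was tested. Note that this is a pre-flight check in a forked child, so a mismatch does not crash the test, it only makes the test run on the host when it could have isolated. try_isolate_network() continues past the end of this hunk (there is also a typo, "interfaceon", in the comment just before the ifreq setup).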
@ -48,23 +48,26 @@ char* setup_fake_runtime_dir(void) {
|
||||
|
||||
static void load_testdata_env(void) {
|
||||
static bool called = false;
|
||||
_cleanup_free_ char *s = NULL;
|
||||
_cleanup_free_ char *envpath = NULL;
|
||||
_cleanup_free_ char *s = NULL, *d = NULL, *envpath = NULL;
|
||||
_cleanup_strv_free_ char **pairs = NULL;
|
||||
int r;
|
||||
|
||||
if (called)
|
||||
return;
|
||||
called = true;
|
||||
|
||||
assert_se(readlink_and_make_absolute("/proc/self/exe", &s) >= 0);
|
||||
dirname(s);
|
||||
assert_se(path_extract_directory(s, &d) >= 0);
|
||||
assert_se(envpath = path_join(d, "systemd-runtest.env"));
|
||||
|
||||
envpath = path_join(s, "systemd-runtest.env");
|
||||
if (load_env_file_pairs(NULL, envpath, &pairs) < 0)
|
||||
r = load_env_file_pairs(NULL, envpath, &pairs);
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Reading %s failed: %m", envpath);
|
||||
return;
|
||||
}
|
||||
|
||||
STRV_FOREACH_PAIR(k, v, pairs)
|
||||
setenv(*k, *v, 0);
|
||||
assert_se(setenv(*k, *v, 0) >= 0);
|
||||
}
|
||||
|
||||
int get_testdata_dir(const char *suffix, char **ret) {
|
||||
|
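Review bot: The new lines resolve the test binary's directory with `readlink_and_make_absolute("/proc/self/exe", &s)` followed by `path_extract_directory(s, &d)`, while the try_isolate_network() change in the same commit resolves the same directory with `get_process_exe(0, &rt)` plus `path_extract_directory(rt, &d)`; using one of the two helpers in both places would keep the two lookups from drifting apart. The `static bool called` guard is set before the env file is read, so a failed `load_env_file_pairs()` is logged at debug level and never retried, which looks intentional but deserves a one-line comment such as `/* One-shot: a missing or unreadable env file is not an error, tests just fall back to defaults */` above the guard. get_testdata_dir() starts at the end of this hunk and continues outside it.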