test: test comprehensive tests for new (and old) nspawn userns modes

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -914,7 +914,7 @@ matrix_run_one() {
                        --boot; then
         [[ "$IS_USERNS_SUPPORTED" == "yes" && "$api_vfs_writable" == "network" ]] && return 1
     else
-        [[ "$IS_USERNS_SUPPORTED" == "no" && "$api_vfs_writable" = "network" ]] && return 1
+        [[ "$IS_USERNS_SUPPORTED" == "no" && "$api_vfs_writable" == "network" ]] && return 1
     fi
 
     if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$cgroupsv2" SYSTEMD_NSPAWN_USE_CGNS="$use_cgns" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$api_vfs_writable" \
@@ -1277,4 +1277,37 @@ testcase_dev_net_tun() {
     rm -fr "$root"
 }
 
+testcase_unpriv_dir() {
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.unpriv.XXX)"
+    create_dummy_container "$root"
+
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=no bash -c 'echo foobar')" "foobar"
+
+    # Use an image owned by some freshly acquired container user
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=chown bash -c 'echo foobar')" "foobar"
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=yes --private-users-ownership=chown bash -c 'echo foobar')" "foobar"
+
+    # Now move back to root owned, and try to use fs idmapping
+    systemd-dissect --shift "$root" 0
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=no --private-users-ownership=no bash -c 'echo foobar')" "foobar"
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=map bash -c 'echo foobar')" "foobar"
+
+    # Use an image owned by the foreign UID range first via direct mapping, and than via the managed uid logic
+    systemd-dissect --shift "$root" foreign
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=foreign bash -c 'echo foobar')" "foobar"
+    assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=managed --private-network bash -c 'echo foobar')" "foobar"
+
+    # Test unprivileged operation
+    chown testuser:testuser "$root/.."
+
+    ls -al "/var/lib/machines"
+    ls -al "$root"
+
+    assert_eq "$(run0 --pipe -u testuser systemd-nspawn --pipe --register=no -D "$root" --private-users=managed --private-network bash -c 'echo foobar')" "foobar"
+    assert_eq "$(run0 --pipe -u testuser systemd-nspawn --pipe --register=no -D "$root" --private-network bash -c 'echo foobar')" "foobar"
+    chown root:root "$root/.."
+
+    rm -rf "$root"
+}
+
 run_testcases

test/units/TEST-74-AUX-UTILS.userdbctl.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+# Root
+userdbctl user root
+userdbctl user 0
+
+# Nobody
+userdbctl user 65534
+
+# The 16bit and 32bit -1 user cannot exist
+(! userdbctl user 65535)
+(! userdbctl user 4294967295)
+
+userdbctl user foreign-0
+userdbctl user 2147352576
+userdbctl user foreign-1
+userdbctl user 2147352577
+userdbctl user foreign-65534
+userdbctl user 2147418110
+(! userdbctl user foreign-65535)
+(! userdbctl user 2147418111)
+(! userdbctl user foreign-65536)
+(! userdbctl user 2147418112)
+
+assert_eq "$(userdbctl user root -j | jq .uid)" 0
+assert_eq "$(userdbctl user foreign-0 -j | jq .uid)" 2147352576
+assert_eq "$(userdbctl user foreign-1 -j | jq .uid)" 2147352577
+assert_eq "$(userdbctl user foreign-65534 -j | jq .uid)" 2147418110
+
+assert_eq "$(userdbctl user 0 -j | jq -r .userName)" root
+assert_eq "$(userdbctl user 2147352576 -j | jq -r .userName)" foreign-0
+assert_eq "$(userdbctl user 2147352577 -j | jq -r .userName)" foreign-1
+assert_eq "$(userdbctl user 2147418110 -j | jq -r .userName)" foreign-65534