shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-29 06:50:16 +03:00
Code

Merge pull request #33359 from bluca/test_apparmor_unpriv

Browse Source 
mkosi: enable unprivileged user ns for integration tests
This commit is contained in:
Luca Boccassi 2024-06-18 00:13:15 +01:00 committed by GitHub
commit 3f4f065bab
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
13 changed files with 56 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/mkosi.yml vendored
View File

@ -92,7 +92,7 @@ jobs:
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
- uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location
@ -117,6 +117,8 @@ jobs:
- name: Configure
run: |
# XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
tee mkosi.local.conf <<EOF
[Distribution]
Distribution=${{ matrix.distro }}

3
mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
View File

@ -20,8 +20,6 @@ VolatilePackages=
libsystemd-dev
libudev-dev
systemd
systemd-boot
systemd-boot-efi
systemd-container
systemd-coredump
systemd-dev
@ -74,7 +72,6 @@ Packages=
python3-pexpect
python3-psutil
quota
sbsigntool
softhsm2
squashfs-tools
stress

16
mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf Normal file
View File

@ -0,0 +1,16 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# sbsigntool exists only on UEFI architectures
[Match]
Architecture=|x86
Architecture=|x86-64
Architecture=|arm
Architecture=|arm64
Architecture=|riscv32
Architecture=|riscv64
[Content]
Packages=
sbsigntool
systemd-boot
systemd-boot-efi

3
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
View File

@ -3,9 +3,6 @@
[Match]
Distribution=ubuntu
[Distribution]
PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
[Content]
Packages=
linux-image-generic

9
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf Normal file
View File

@ -0,0 +1,9 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# The ports Ubuntu archive is for non i386/amd64 repositories
[Match]
Architecture=!x86-64
Architecture=!x86
[Distribution]
PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources

9
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf Normal file
View File

@ -0,0 +1,9 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# The main Ubuntu archive is only for i386/amd64 repositories
[Match]
Architecture=|x86-64
Architecture=|x86
[Distribution]
PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources

6
mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources Normal file
View File

@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
Types: deb
URIs: http://ports.ubuntu.com
Suites: noble-backports
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

4
mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf Normal file
View File

@ -0,0 +1,4 @@
# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
# for integration tests
kernel.apparmor_restrict_unprivileged_unconfined = 0
kernel.apparmor_restrict_unprivileged_userns = 0

3
test/TEST-06-SELINUX/meson.build
View File

@ -5,7 +5,8 @@ integration_tests += [
'name' : fs.name(meson.current_source_dir()),
'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
'firmware' : 'uefi',
# Use 'auto' to automatically fallback on non-uefi architectures.
'firmware' : 'auto',
'vm' : true,
},
]

2
test/TEST-09-REBOOT/meson.build
View File

@ -4,7 +4,5 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'storage' : 'persistent',
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
'firmware' : 'uefi',
},
]

2
test/TEST-18-FAILUREACTION/meson.build
View File

@ -3,7 +3,5 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
'firmware' : 'uefi',
},
]

9
test/integration-test-wrapper.py
View File

@ -2,10 +2,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
'''Test wrapper command for driving integration tests.
Note: This is deliberately rough and only intended to drive existing tests
with the expectation that as part of formally defining the API it will be tidy.
'''
import argparse
@ -61,6 +57,10 @@ def main():
print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
exit(77)
if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
exit(77)
name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
dropin = textwrap.dedent(
@ -128,6 +128,7 @@ def main():
*args.mkosi_args,
'--append',
'--qemu-firmware', args.firmware,
'--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
'--kernel-command-line-extra',
' '.join([
'systemd.hostname=H',

4
test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
View File

@ -6,13 +6,13 @@ set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
install_extension_images
if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
echo "Cannot create unprivileged user namespaces" >/skipped
exit 77
fi
install_extension_images
systemd-analyze log-level debug
runas testuser systemd-run --wait --user --unit=test-private-users \