From e2d057456d69906fab64984d93c51a839f2d8702 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 10 Nov 2022 15:40:00 +0100
Subject: [PATCH] repart: Run most repart integration tests without root
 privileges

To make sure rootless mode keeps working, let's run all repart
integration tests that we can without root privileges. The only ones
we need to keep running with root privileges are the tests that operate
on a block/loop device and those that use --image=.
---
 test/TEST-58-REPART/test.sh |   9 +-
 test/units/testsuite-58.sh  | 305 +++++++++++++++++++-----------------
 2 files changed, 170 insertions(+), 144 deletions(-)

diff --git a/test/TEST-58-REPART/test.sh b/test/TEST-58-REPART/test.sh
index fb4a05fc774..0d513cf85bf 100755
--- a/test/TEST-58-REPART/test.sh
+++ b/test/TEST-58-REPART/test.sh
@@ -12,14 +12,15 @@ TEST_FORCE_NEWIMAGE=1
 test_append_files() {
     if ! get_bool "${TEST_NO_QEMU:=}"; then
         install_dmevent
-        if command -v openssl >/dev/null 2>&1; then
-            inst_binary openssl
-        fi
-        inst_binary mcopy
         instmods dm_verity =md
         generate_module_dependencies
         image_install -o /sbin/mksquashfs
     fi
+
+    inst_binary mcopy
+    if command -v openssl >/dev/null 2>&1; then
+        inst_binary openssl
+    fi
 }
 
 do_test "$@"
diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh
index 121fabc0afe..a225ac8beec 100755
--- a/test/units/testsuite-58.sh
+++ b/test/units/testsuite-58.sh
@@ -3,6 +3,13 @@
 set -eux
 set -o pipefail
 
+runas() {
+    declare userid=$1
+    shift
+    # shellcheck disable=SC2016
+    su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
+}
+
 if ! command -v systemd-repart &>/dev/null; then
     echo "no systemd-repart" >/skipped
     exit 0
@@ -89,17 +96,17 @@ test_basic() {
     local defs imgs output
     local loop volume
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
     # 1. create an empty image
 
-    systemd-repart --empty=create \
-                   --size=1G \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --empty=create \
+                                  --size=1G \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -133,11 +140,11 @@ SizeMaxBytes=64M
 PaddingMinBytes=92M
 EOF
 
-    systemd-repart --definitions="$defs" \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   --include-partitions=home,swap \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  --include-partitions=home,swap \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -150,11 +157,11 @@ last-lba: 2097118
 $imgs/zzz1 : start=        2048, size=      591856, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=4980595D-D74A-483A-AA9E-9903879A0EE5, name=\"home-first\", attrs=\"GUID:59\"
 $imgs/zzz4 : start=     1777624, size=      131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\""
 
-    systemd-repart --definitions="$defs" \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   --exclude-partitions=root \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  --exclude-partitions=root \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -167,10 +174,10 @@ last-lba: 2097118
 $imgs/zzz1 : start=        2048, size=      591856, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=4980595D-D74A-483A-AA9E-9903879A0EE5, name=\"home-first\", attrs=\"GUID:59\"
 $imgs/zzz4 : start=     1777624, size=      131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\""
 
-    systemd-repart --definitions="$defs" \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -203,10 +210,10 @@ EOF
     echo "Label=ignored_label" >>"$defs/home.conf"
     echo "UUID=b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" >>"$defs/home.conf"
 
-    systemd-repart --definitions="$defs" \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -224,11 +231,11 @@ $imgs/zzz5 : start=     1908696, size=      188416, type=0FC63DAF-8483-4772-8E79
 
     # 4. Resizing to 2G
 
-    systemd-repart --definitions="$defs" \
-                   --size=2G \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --size=2G \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -256,11 +263,11 @@ UUID=2a1d97e1d0a346cca26eadc643926617
 CopyBlocks=$imgs/block-copy
 EOF
 
-    systemd-repart --definitions="$defs" \
-                   --size=3G \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --size=3G \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -279,11 +286,6 @@ $imgs/zzz6 : start=     4194264, size=     2097152, type=0FC63DAF-8483-4772-8E79
 
     cmp --bytes=$((4096*10240)) --ignore-initial=0:$((512*4194264)) "$imgs/block-copy" "$imgs/zzz"
 
-    if systemd-detect-virt --quiet --container; then
-        echo "Skipping encrypt tests in container."
-        return
-    fi
-
     # 6. Testing Format=/Encrypt=/CopyFiles=
 
     cat >"$defs/extra3.conf" <<EOF
@@ -297,11 +299,11 @@ CopyFiles=$defs:/def
 SizeMinBytes=48M
 EOF
 
-    systemd-repart --definitions="$defs" \
-                   --size=auto \
-                   --dry-run=no \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --size=auto \
+                                  --dry-run=no \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
 
@@ -319,6 +321,11 @@ $imgs/zzz5 : start=     1908696, size=     2285568, type=0FC63DAF-8483-4772-8E79
 $imgs/zzz6 : start=     4194264, size=     2097152, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=2A1D97E1-D0A3-46CC-A26E-ADC643926617, name=\"block-copy\"
 $imgs/zzz7 : start=     6291416, size=       98304, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\""
 
+    if systemd-detect-virt --quiet --container; then
+        echo "Skipping encrypt mount tests in container."
+        return
+    fi
+
     loop="$(losetup -P --show --find "$imgs/zzz")"
     udevadm wait --timeout 60 --settle "${loop:?}"
 
@@ -338,8 +345,8 @@ $imgs/zzz7 : start=     6291416, size=       98304, type=0FC63DAF-8483-4772-8E79
 test_dropin() {
     local defs imgs output
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -362,7 +369,11 @@ EOF
 Label=label2
 EOF
 
-    output=$(systemd-repart --definitions="$defs" --empty=create --size=100M --json=pretty "$imgs/zzz")
+    output=$(runas testuser systemd-repart --definitions="$defs" \
+                                           --empty=create \
+                                           --size=100M \
+                                           --json=pretty \
+                                           "$imgs/zzz")
 
     diff -u <(echo "$output") - <<EOF
 [
@@ -392,8 +403,8 @@ EOF
 test_multiple_definitions() {
     local defs imgs output
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -417,7 +428,12 @@ UUID=837c3d67-21b3-478e-be82-7e7f83bf96d3
 Label=label2
 EOF
 
-    output=$(systemd-repart --definitions="$defs/1" --definitions="$defs/2" --empty=create --size=100M --json=pretty "$imgs/zzz")
+    output=$(runas testuser systemd-repart --definitions="$defs/1" \
+                                           --definitions="$defs/2" \
+                                           --empty=create \
+                                           --size=100M \
+                                           --json=pretty \
+                                           "$imgs/zzz")
 
     diff -u <(echo "$output") - <<EOF
 [
@@ -458,13 +474,8 @@ EOF
 test_copy_blocks() {
     local defs imgs output
 
-    if systemd-detect-virt --quiet --container; then
-        echo "Skipping copy blocks tests in container."
-        return
-    fi
-
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -493,11 +504,11 @@ Format=ext4
 MakeDirectories=/usr /efi
 EOF
 
-    systemd-repart --definitions="$defs" \
-                   --empty=create \
-                   --size=auto \
-                   --seed="$seed" \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --empty=create \
+                                  --size=auto \
+                                  --seed="$seed" \
+                                  "$imgs/zzz"
 
     output=$(sfdisk --dump "$imgs/zzz")
 
@@ -505,6 +516,11 @@ EOF
     assert_in "$imgs/zzz2 : start=       22528, size=       20480, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", attrs=\"GUID:59\"" "$output"
     assert_in "$imgs/zzz3 : start=       43008, size=       20480, type=${usr_guid}, uuid=${usr_uuid}, name=\"usr-${architecture}\", attrs=\"GUID:60\"" "$output"
 
+    if systemd-detect-virt --quiet --container; then
+        echo "Skipping second part of copy blocks tests in container."
+        return
+    fi
+
     # Then, create another image with CopyBlocks=auto
 
     cat >"$defs/esp.conf" <<EOF
@@ -526,6 +542,7 @@ Type=root-${architecture}
 CopyBlocks=auto
 EOF
 
+    # --image needs root privileges so skip runas testuser here.
     systemd-repart --definitions="$defs" \
                    --empty=create \
                    --size=auto \
@@ -539,8 +556,8 @@ EOF
 test_unaligned_partition() {
     local defs imgs output
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -551,7 +568,7 @@ test_unaligned_partition() {
 Type=root-${architecture}
 EOF
 
-    truncate -s 10g "$imgs/unaligned"
+    runas testuser truncate -s 10g "$imgs/unaligned"
     sfdisk "$imgs/unaligned" <<EOF
 label: gpt
 
@@ -559,10 +576,10 @@ start=2048, size=69044
 start=71092, size=3591848
 EOF
 
-    systemd-repart --definitions="$defs" \
-                   --seed="$seed" \
-                   --dry-run=no \
-                   "$imgs/unaligned"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --seed="$seed" \
+                                  --dry-run=no \
+                                  "$imgs/unaligned"
 
     output=$(sfdisk --dump "$imgs/unaligned")
 
@@ -576,8 +593,8 @@ test_issue_21817() {
 
     # testcase for #21817
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -586,7 +603,7 @@ test_issue_21817() {
 Type=root
 EOF
 
-    truncate -s 100m "$imgs/21817.img"
+    runas testuser truncate -s 100m "$imgs/21817.img"
     sfdisk "$imgs/21817.img" <<EOF
 label: gpt
 
@@ -594,11 +611,11 @@ size=50M, type=${root_guid}
 ,
 EOF
 
-    systemd-repart --pretty=yes \
-                   --definitions "$imgs" \
-                   --seed="$seed" \
-                   --dry-run=no \
-                   "$imgs/21817.img"
+    runas testuser systemd-repart --pretty=yes \
+                                  --definitions "$imgs" \
+                                  --seed="$seed" \
+                                  --dry-run=no \
+                                  "$imgs/21817.img"
 
     output=$(sfdisk --dump "$imgs/21817.img")
 
@@ -612,8 +629,8 @@ test_issue_24553() {
 
     # testcase for #24553
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -635,28 +652,28 @@ start=524328, size=14848000, type=${root_guid}, uuid=${root_uuid}, name="root-${
 EOF
 
     # 1. Operate on a small image compared with SizeMinBytes=.
-    truncate -s 8g "$imgs/zzz"
+    runas testuser truncate -s 8g "$imgs/zzz"
     sfdisk "$imgs/zzz" <"$imgs/partscript"
 
     # This should fail, but not trigger assertions.
-    assert_rc 1 systemd-repart --definitions="$defs" \
-                               --seed="$seed" \
-                               --dry-run=no \
-                               "$imgs/zzz"
+    assert_rc 1 runas testuser systemd-repart --definitions="$defs" \
+                                              --seed="$seed" \
+                                              --dry-run=no \
+                                              "$imgs/zzz"
 
     output=$(sfdisk --dump "$imgs/zzz")
     assert_in "$imgs/zzz2 : start=      524328, size=    14848000, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\"" "$output"
 
     # 2. Operate on an larger image compared with SizeMinBytes=.
     rm -f "$imgs/zzz"
-    truncate -s 12g "$imgs/zzz"
+    runas testuser truncate -s 12g "$imgs/zzz"
     sfdisk "$imgs/zzz" <"$imgs/partscript"
 
     # This should succeed.
-    systemd-repart --definitions="$defs" \
-                   --seed="$seed" \
-                   --dry-run=no \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --seed="$seed" \
+                                  --dry-run=no \
+                                  "$imgs/zzz"
 
     output=$(sfdisk --dump "$imgs/zzz")
     assert_in "$imgs/zzz2 : start=      524328, size=    24641456, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\"" "$output"
@@ -678,14 +695,14 @@ Priority=10
 EOF
 
     rm -f "$imgs/zzz"
-    truncate -s 8g "$imgs/zzz"
+    runas testuser truncate -s 8g "$imgs/zzz"
     sfdisk "$imgs/zzz" <"$imgs/partscript"
 
     # This should also succeed, but root is not extended.
-    systemd-repart --definitions="$defs" \
-                   --seed="$seed" \
-                   --dry-run=no \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --seed="$seed" \
+                                  --dry-run=no \
+                                  "$imgs/zzz"
 
     output=$(sfdisk --dump "$imgs/zzz")
     assert_in "$imgs/zzz2 : start=      524328, size=    14848000, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\"" "$output"
@@ -693,14 +710,14 @@ EOF
 
     # 4. Multiple partitions with Priority= (large disk)
     rm -f "$imgs/zzz"
-    truncate -s 12g "$imgs/zzz"
+    runas testuser truncate -s 12g "$imgs/zzz"
     sfdisk "$imgs/zzz" <"$imgs/partscript"
 
     # This should also succeed, and root is extended.
-    systemd-repart --definitions="$defs" \
-                   --seed="$seed" \
-                   --dry-run=no \
-                   "$imgs/zzz"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --seed="$seed" \
+                                  --dry-run=no \
+                                  "$imgs/zzz"
 
     output=$(sfdisk --dump "$imgs/zzz")
     assert_in "$imgs/zzz2 : start=      524328, size=    20971520, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\"" "$output"
@@ -710,8 +727,8 @@ EOF
 test_zero_uuid() {
     local defs imgs output
 
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -723,12 +740,12 @@ Type=root-${architecture}
 UUID=null
 EOF
 
-    systemd-repart --definitions="$defs" \
-                   --seed="$seed" \
-                   --dry-run=no \
-                   --empty=create \
-                   --size=auto \
-                   "$imgs/zero"
+    runas testuser systemd-repart --definitions="$defs" \
+                                  --seed="$seed" \
+                                  --dry-run=no \
+                                  --empty=create \
+                                  --size=auto \
+                                  "$imgs/zero"
 
     output=$(sfdisk --dump "$imgs/zero")
 
@@ -738,13 +755,8 @@ EOF
 test_verity() {
     local defs imgs output
 
-    if systemd-detect-virt --quiet --container; then
-        echo "Skipping verity test in container."
-        return
-    fi
-
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs'" RETURN
 
@@ -786,25 +798,36 @@ CN = Common Name
 emailAddress = test@email.com
 EOF
 
-    openssl req -config "$defs/verity.openssl.cnf" -new -x509 -newkey rsa:1024 -keyout "$defs/verity.key" -out "$defs/verity.crt" -days 365 -nodes
+    runas testuser openssl req -config "$defs/verity.openssl.cnf" \
+                               -new -x509 \
+                               -newkey rsa:1024 \
+                               -keyout "$defs/verity.key" \
+                               -out "$defs/verity.crt" \
+                               -days 365 \
+                               -nodes
 
     mkdir -p /run/verity.d
     ln -s "$defs/verity.crt" /run/verity.d/ok.crt
 
-    output=$(systemd-repart --definitions="$defs" \
-                            --seed="$seed" \
-                            --dry-run=no \
-                            --empty=create \
-                            --size=auto \
-                            --json=pretty \
-                            --private-key="$defs/verity.key" \
-                            --certificate="$defs/verity.crt" \
-                            "$imgs/verity")
+    output=$(runas testuser systemd-repart --definitions="$defs" \
+                                           --seed="$seed" \
+                                           --dry-run=no \
+                                           --empty=create \
+                                           --size=auto \
+                                           --json=pretty \
+                                           --private-key="$defs/verity.key" \
+                                           --certificate="$defs/verity.crt" \
+                                           "$imgs/verity")
 
     roothash=$(jq -r ".[] | select(.type == \"root-${architecture}-verity\") | .roothash" <<< "$output")
 
     # Check that we can dissect, mount and unmount a repart verity image. (and that the image UUID is deterministic)
 
+    if systemd-detect-virt --quiet --container; then
+        echo "Skipping verity test dissect part in container."
+        return
+    fi
+
     systemd-dissect "$imgs/verity" --root-hash "$roothash"
     systemd-dissect "$imgs/verity" --root-hash "$roothash" --json=short | grep -q '"imageUuid":"1d2ce291-7cce-4f7d-bc83-fdb49ad74ebd"'
     systemd-dissect "$imgs/verity" --root-hash "$roothash" -M "$imgs/mnt"
@@ -814,14 +837,9 @@ EOF
 test_issue_24786() {
     local defs imgs root output
 
-    if systemd-detect-virt --quiet --container; then
-        echo "Skipping verity test in container."
-        return
-    fi
-
-    defs="$(mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
-    imgs="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
-    root="$(mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    defs="$(runas testuser mktemp --directory "/tmp/test-repart.XXXXXXXXXX")"
+    imgs="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
+    root="$(runas testuser mktemp --directory "/var/tmp/test-repart.XXXXXXXXXX")"
     # shellcheck disable=SC2064
     trap "rm -rf '$defs' '$imgs' '$root'" RETURN
 
@@ -841,14 +859,19 @@ Type=usr-${architecture}
 CopyFiles=/usr:/
 EOF
 
-    output=$(systemd-repart --definitions="$defs" \
-                            --seed="$seed" \
-                            --dry-run=no \
-                            --empty=create \
-                            --size=auto \
-                            --json=pretty \
-                            --root="$root" \
-                            "$imgs/zzz")
+    output=$(runas testuser systemd-repart --definitions="$defs" \
+                                           --seed="$seed" \
+                                           --dry-run=no \
+                                           --empty=create \
+                                           --size=auto \
+                                           --json=pretty \
+                                           --root="$root" \
+                                           "$imgs/zzz")
+
+    if systemd-detect-virt --quiet --container; then
+        echo "Skipping issue 24786 test loop/mount parts in container."
+        return
+    fi
 
     loop=$(losetup -P --show -f "$imgs/zzz")
     udevadm wait --timeout 60 --settle "${loop:?}"
@@ -953,6 +976,8 @@ EOF
     truncate -s 100m "$imgs/$sector.img"
     loop=$(losetup -b "$sector" -P --show -f "$imgs/$sector.img" )
     udevadm wait --timeout 60 --settle "${loop:?}"
+    # This operates on a loop device which we don't support doing without root privileges so we skip runas
+    # here.
     systemd-repart --pretty=yes \
                    --definitions="$defs" \
                    --seed="$seed" \