Merge pull request #27644 from mrc0mmand/fuzz-nspawn

test: update nspawn's basic config file used for fuzzing

test/fuzz/fuzz-nspawn-settings/basic-config

@@ -1,6 +1,7 @@
 [Exec]
 Boot=off
 ProcessTwo=off
+Ephemeral=yes
 Parameters=/sbin/init -x=1
 Environment=THIS=that
 User=user
@@ -8,28 +9,56 @@ WorkingDirectory=/cwd
 PivotRoot=/newroot
 Capability=CAP_NET
 DropCapability=CAP_ADMIN
+AmbientCapability=CAP_SETUID
+NoNewPrivileges=yes
 KillSignal=SIGTERM
 Personality=shy
 MachineID=edbfea3309ba41ea83e2318c58a8d498
-PrivateUser=1:2
+PrivateUsers=1:2
 NotifyReady=no
 SystemCallFilters=write
+LimitCPU=10:20
+LimitFSIZE=5:10
+LimitDATA=100:200
+LimitSTACK=1024:2048
+LimitCore=0:1024
+LimitRSS=1024:4096
+LimitNOFILE=5:15
+LimitAS=2048:4096
+LimitNPROC=32:64
+LimitMEMLOCK=128:256
+LimitLOCKS=100:300
+LimitSIGPENDING=1:3
+LimitMSGQUEUE=16:32
+LimitNICE=4:5
+LimitRTPRIO=0:1
+LimitRTTIME=2:3
+OOMScoreAdjust=50
+CPUAffinity=1,2,3-4
+Hostname=foo.bar
+ResolvConf=copy-host
+Timezone=bind
+LinkJournal=try-guest
+SuppressSync=yes
 
 [Files]
 ReadOnly=no
 Volatile=no
 Bind=/bindthis
 BindReadOnly=/bindthisro
+BindUser=testuser
 TemporaryFileSystem=/thisismytmpfs:rw
+Inaccessible=yes
 Overlay=/thisisanoverlay:/thisisanoverlaytoo
-PrivateUsersChown=no
+OverlayReadOnly=/foo:/bar:/baz:/merged
+PrivateUsersOwnership=no
 
 [Network]
 Private=off
 VirtualEthernet=yes
 VirtualEthernetExtra=veth1:veth2
 Interface=eth1 enp0s1
-MacVLAN=eno1 eno2
+MACVLAN=eno1 eno2
 IPVLAN=eno3 enp2s124
 Bridge=bridge123 bridge125
 Zone=myzone

test/test-functions

@@ -1256,6 +1256,11 @@ install_systemd() {
         # the systemd-nspawn@.service unit.
         cp "$initdir/usr/lib/systemd/system/systemd-nspawn@.service" "$initdir/etc/systemd/system/systemd-nspawn@.service"
         sed -ri "s/^ExecStart=.+$/& --bind=${BUILD_DIR//\//\\\/}/" "$initdir/etc/systemd/system/systemd-nspawn@.service"
+        # Pass the $BUILD_DIR as $COVERAGE_BUILD_DIR env variable to the system
+        # manager, similarly to what we do with $ASAN_RT_PATH during sanitized
+        # builds
+        mkdir -p "$initdir/etc/systemd/system.conf.d/"
+        echo -ne "[Manager]\nDefaultEnvironment=COVERAGE_BUILD_DIR=$BUILD_DIR\n" >"$initdir/etc/systemd/system.conf.d/99-COVERAGE_BUILD_DIR.conf"
     fi
 
     # If we're built with -Dportabled=false, tests with systemd-analyze

test/units/testsuite-13.nspawn.sh

@@ -48,6 +48,7 @@ mount -t tmpfs tmpfs /var/lib/machines
 testcase_sanity_check() {
     local template root image oci uuid tmpdir
 
+    tmpdir="$(mktemp -d)"
     template="$(mktemp -d /tmp/nspawn-template.XXX)"
     "$CREATE_BB_CONTAINER" "$template"
     # Create a simple image from the just created container template
@@ -94,7 +95,10 @@ EOF
 
     systemd-nspawn --directory="$root" --ephemeral sh -xec 'touch /ephemeral'
     test ! -e "$root/ephemeral"
-    (! systemd-nspawn --directory="$root" --read-only sh -xec 'touch /nope')
+    (! systemd-nspawn --directory="$root" \
+                      --bind="${COVERAGE_BUILD_DIR:-$tmpdir}" \
+                      --read-only \
+                      sh -xec 'touch /nope')
     test ! -e "$root/nope"
     systemd-nspawn --image="$image" sh -xec 'echo hello'
     systemd-nspawn --oci-bundle="$oci" sh -xec 'mountpoint /root'
@@ -114,6 +118,7 @@ EOF
     test ! -e "$root/usr/read-only"
     # volatile=state: rootfs is read-only, /var/ is tmpfs
     systemd-nspawn --directory="$root" \
+                   --bind="${COVERAGE_BUILD_DIR:-$tmpdir}" \
                    --volatile=state \
                    sh -xec 'test -e /usr/has-usr; mountpoint /var; touch /read-only && exit 1; touch /var/nope'
     test ! -e "$root/read-only"
@@ -178,7 +183,6 @@ EOF
                    sh -xec "[[ \$container_uuid == $uuid ]]"
 
     # Mounts
-    tmpdir="$(mktemp -d)"
     mkdir "$tmpdir"/{1,2,3}
     touch "$tmpdir/1/one" "$tmpdir/2/two" "$tmpdir/3/three"
     touch "$tmpdir/foo"