mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2025-01-22 10:16:45 +01:00
181 lines
6.2 KiB
Scheme
181 lines
6.2 KiB
Scheme
|
;;; GNU Guix --- Functional package management for GNU
|
|||
|
;;; Copyright © 2024 Giacomo Leidi <goodoldpaul@autistici.org>
|
|||
|
;;;
|
|||
|
;;; This file is part of GNU Guix.
|
|||
|
;;;
|
|||
|
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
|||
|
;;; under the terms of the GNU General Public License as published by
|
|||
|
;;; the Free Software Foundation; either version 3 of the License, or (at
|
|||
|
;;; your option) any later version.
|
|||
|
;;;
|
|||
|
;;; GNU Guix is distributed in the hope that it will be useful, but
|
|||
|
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|||
|
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|||
|
;;; GNU General Public License for more details.
|
|||
|
;;;
|
|||
|
;;; You should have received a copy of the GNU General Public License
|
|||
|
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
|||
|
|
|||
|
(define-module (gnu tests shadow)
|
|||
|
#:use-module (gnu packages base)
|
|||
|
#:use-module (gnu packages containers)
|
|||
|
#:use-module (gnu tests)
|
|||
|
#:use-module (gnu services)
|
|||
|
#:use-module (gnu system)
|
|||
|
#:use-module (gnu system accounts)
|
|||
|
#:use-module (gnu system shadow)
|
|||
|
#:use-module (gnu system vm)
|
|||
|
#:use-module (guix gexp)
|
|||
|
#:export (%test-subids))
|
|||
|
|
|||
|
|
|||
|
(define %subids-os
|
|||
|
(simple-operating-system
|
|||
|
(simple-service
|
|||
|
'simple-profile
|
|||
|
profile-service-type
|
|||
|
(list podman))
|
|||
|
(simple-service
|
|||
|
'simple-subids
|
|||
|
subids-service-type
|
|||
|
(subids-extension
|
|||
|
(subgids
|
|||
|
(list
|
|||
|
(subid-range
|
|||
|
(name "alice"))
|
|||
|
(subid-range
|
|||
|
(name "bob")
|
|||
|
(start 100700))))
|
|||
|
(subuids
|
|||
|
(list
|
|||
|
(subid-range
|
|||
|
(name "alice"))))))))
|
|||
|
|
|||
|
(define (run-subids-test)
|
|||
|
"Run IMAGE as an OCI backed Shepherd service, inside OS."
|
|||
|
|
|||
|
(define os
|
|||
|
(marionette-operating-system
|
|||
|
(operating-system-with-gc-roots
|
|||
|
%subids-os
|
|||
|
(list))
|
|||
|
#:imported-modules '((gnu services herd)
|
|||
|
(guix combinators))))
|
|||
|
|
|||
|
(define vm
|
|||
|
(virtual-machine
|
|||
|
(operating-system os)
|
|||
|
(volatile? #f)
|
|||
|
(memory-size 1024)
|
|||
|
(disk-image-size (* 3000 (expt 2 20)))
|
|||
|
(port-forwardings '())))
|
|||
|
|
|||
|
(define test
|
|||
|
(with-imported-modules '((gnu build marionette))
|
|||
|
#~(begin
|
|||
|
(use-modules (srfi srfi-11) (srfi srfi-64)
|
|||
|
(gnu build marionette))
|
|||
|
|
|||
|
(define marionette
|
|||
|
;; Relax timeout to accommodate older systems and
|
|||
|
;; allow for pulling the image.
|
|||
|
(make-marionette (list #$vm) #:timeout 60))
|
|||
|
|
|||
|
(test-runner-current (system-test-runner #$output))
|
|||
|
(test-begin "subids")
|
|||
|
|
|||
|
(test-equal "/etc/subid and /etc/subgid are created and their content is sound"
|
|||
|
'("root:100000:700\nbob:100700:65536\nalice:166236:65536\n"
|
|||
|
"root:100000:65536\nalice:165536:65536\n")
|
|||
|
(marionette-eval
|
|||
|
`(begin
|
|||
|
(use-modules (ice-9 textual-ports))
|
|||
|
|
|||
|
(define (read-file file-name)
|
|||
|
(call-with-input-file file-name get-string-all))
|
|||
|
|
|||
|
(let* ((response1 (read-file "/etc/subgid"))
|
|||
|
(response2 (read-file "/etc/subuid")))
|
|||
|
(list response1 response2)))
|
|||
|
marionette))
|
|||
|
|
|||
|
(test-equal "podman unshare runs for unprivileged users"
|
|||
|
" 0 1000 1\n 1 165536 65536"
|
|||
|
(marionette-eval
|
|||
|
`(begin
|
|||
|
(use-modules (srfi srfi-1)
|
|||
|
(ice-9 popen)
|
|||
|
(ice-9 match)
|
|||
|
(ice-9 rdelim)
|
|||
|
(ice-9 textual-ports))
|
|||
|
(define out-dir "/tmp")
|
|||
|
(define (read-file file-name)
|
|||
|
(call-with-input-file file-name get-string-all))
|
|||
|
|
|||
|
(define (wait-for-file file)
|
|||
|
;; Wait until FILE shows up.
|
|||
|
(let loop ((i 60))
|
|||
|
(cond ((file-exists? file)
|
|||
|
#t)
|
|||
|
((zero? i)
|
|||
|
(error "file didn't show up" file))
|
|||
|
(else
|
|||
|
(sleep 1)
|
|||
|
(loop (- i 1))))))
|
|||
|
|
|||
|
(define (read-lines file-or-port)
|
|||
|
(define (loop-lines port)
|
|||
|
(let loop ((lines '()))
|
|||
|
(match (read-line port)
|
|||
|
((? eof-object?)
|
|||
|
(reverse lines))
|
|||
|
(line
|
|||
|
(loop (cons line lines))))))
|
|||
|
|
|||
|
(if (port? file-or-port)
|
|||
|
(loop-lines file-or-port)
|
|||
|
(call-with-input-file file-or-port
|
|||
|
loop-lines)))
|
|||
|
|
|||
|
(define slurp
|
|||
|
(lambda args
|
|||
|
(let* ((port (apply open-pipe* OPEN_READ
|
|||
|
(list "sh" "-l" "-c"
|
|||
|
(string-join
|
|||
|
args
|
|||
|
" "))))
|
|||
|
(output (read-lines port))
|
|||
|
(status (close-pipe port)))
|
|||
|
output)))
|
|||
|
|
|||
|
(match (primitive-fork)
|
|||
|
(0
|
|||
|
(dynamic-wind
|
|||
|
(const #f)
|
|||
|
(lambda ()
|
|||
|
(setgid (passwd:gid (getpwnam "alice")))
|
|||
|
(setuid (passwd:uid (getpw "alice")))
|
|||
|
|
|||
|
(let* ((response1 (slurp
|
|||
|
"podman" "unshare" "cat" "/proc/self/uid_map")))
|
|||
|
(call-with-output-file (string-append out-dir "/response1")
|
|||
|
(lambda (port)
|
|||
|
(display (string-join response1 "\n") port)))))
|
|||
|
(lambda ()
|
|||
|
(primitive-exit 127))))
|
|||
|
(pid
|
|||
|
(cdr (waitpid pid))))
|
|||
|
(wait-for-file (string-append out-dir "/response1"))
|
|||
|
(read-file (string-append out-dir "/response1")))
|
|||
|
marionette))
|
|||
|
|
|||
|
(test-end))))
|
|||
|
|
|||
|
(gexp->derivation "subids-test" test))
|
|||
|
|
|||
|
(define %test-subids
|
|||
|
(system-test
|
|||
|
(name "subids")
|
|||
|
(description "Test sub UIDs and sub GIDs provisioning service.")
|
|||
|
(value (run-subids-test))))
|