diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh
index 9e83137292..13ef96ad0a 100755
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1208,28 +1208,6 @@ EOF
 rm -fr "$root"
 }
 
-can_do_rootless_nspawn() {
- # Our create_dummy_ddi() uses squashfs and openssl.
- command -v mksquashfs &&
- command -v openssl &&
-
- # mountfsd must be enabled...
- [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
- # ...and have pidfd support for unprivileged operation.
- systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
- systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
-
- # nsresourced must be enabled...
- [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
- # ...and must support the UserNamespaceInterface.
- ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
- /run/systemd/userdb/io.systemd.NamespaceResource \
- io.systemd.NamespaceResource.AllocateUserRange \
- '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
- 2>&1 || true) |
- grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
-}
-
 create_dummy_ddi() {
 local outdir="${1:?}"
 local container_name="${2:?}"
diff --git a/test/units/TEST-13-NSPAWN.unpriv.sh b/test/units/TEST-13-NSPAWN.unpriv.sh
index db58b09291..03af7ebc9c 100755
--- a/test/units/TEST-13-NSPAWN.unpriv.sh
+++ b/test/units/TEST-13-NSPAWN.unpriv.sh
@@ -7,12 +7,7 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
-if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] ||
- [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] ||
- ! grep -q bpf /sys/kernel/security/lsm ||
- ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . ||
- systemd-analyze compare-versions "$(uname -r)" lt 6.5 ||
- systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" lt 124; then
+if ! can_do_rootless_nspawn; then
 echo "Skipping unpriv nspawn test"
 exit 0
 fi
@@ -25,8 +20,6 @@ at_exit() {
 
 trap at_exit EXIT
 
-systemctl start systemd-mountfsd.socket systemd-nsresourced.socket
-
 run0 -u testuser mkdir -p .local/state/machines
 create_dummy_container /home/testuser/.local/state/machines/zurps
 
diff --git a/test/units/util.sh b/test/units/util.sh
index bc3c1651a7..65f2d0b2e3 100755
--- a/test/units/util.sh
+++ b/test/units/util.sh
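Review bot: The new `if ! can_do_rootless_nspawn; then` now also carries a side effect that this file used to make explicit: the second hunk drops the `systemctl start systemd-mountfsd.socket systemd-nsresourced.socket` line, and the util.sh version of the predicate starts those sockets itself. A reader of this file can no longer see that the test depends on the socket units being started here, so the skip check should say so, e.g. `# can_do_rootless_nspawn() also starts systemd-mountfsd.socket/systemd-nsresourced.socket; the test relies on that side effect`. The same comment should note that if that start attempt fails, this branch turns the failure into a silent skip rather than a test error.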
@@ -186,6 +186,36 @@ create_dummy_container() {
 coverage_create_nspawn_dropin "$root"
 }
 
+can_do_rootless_nspawn() {
+ # Our create_dummy_ddi() uses squashfs and openssl.
+ command -v mksquashfs &&
+ command -v openssl &&
+
+ # Need to have bpf-lsm
+ grep -q bpf /sys/kernel/security/lsm &&
+ # ...and libbpf installed
+ find /usr/lib* -name "libbpf.so.*" 2>/dev/null | grep -q . &&
+
+ # Ensure mountfsd/nsresourced are listening
+ systemctl start systemd-mountfsd.socket systemd-nsresourced.socket &&
+
+ # mountfsd must be enabled...
+ [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
+ # ...and have pidfd support for unprivileged operation.
+ systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
+ systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
+
+ # nsresourced must be enabled...
+ [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
+ # ...and must support the UserNamespaceInterface.
+ ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
+ /run/systemd/userdb/io.systemd.NamespaceResource \
+ io.systemd.NamespaceResource.AllocateUserRange \
+ '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
+ 2>&1 || true) |
+ grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
+}
+
 # Bump the reboot counter and call systemctl with the given arguments
 systemctl_final() {
 local counter
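Review bot: `systemctl start systemd-mountfsd.socket systemd-nsresourced.socket &&` inside a predicate means a failure to start either unit is reported to callers as "rootless nspawn unsupported", so a regression in those services degrades the unprivileged test to a skip instead of a failure (the old unpriv.sh check only tested for the unit files and ran the start separately, where `set -e` would catch it). I would keep the predicate free of side effects, checking `[[ -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] &&` and `[[ -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] &&` as the removed code did, and let each caller run the `systemctl start` itself so that its failure aborts loudly. The libbpf probe also changed from `libbpf.so.1` to `"libbpf.so.*"`, which accepts any SONAME version; if that widening is intended it deserves a comment on the `find` line, otherwise the original pattern should be restored. A function-header comment stating what the helper assumes about its caller (it runs `systemctl start`, so presumably it expects to be invoked with the privileges to do so) would help now that the helper lives in the shared util.sh.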