test: move checks around in TEST-50-DISSECT so that they can be used from multiple subtests

Also set it up so that unprivileged tests can be done

test/units/TEST-50-DISSECT.dissect.sh

@@ -9,18 +9,6 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
-# Requires kernel built with certain kconfigs, as listed in README:
-# https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
-if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
-        ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
-        ( . /etc/os-release; [ "$ID" != "debian" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
-        ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
-        systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
-    verity_sig_supported=1
-else
-    verity_sig_supported=0
-fi
-
 systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
     grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
 systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
@@ -84,7 +72,7 @@ if [[ "$verity_count" -lt 1 ]]; then
     exit 1
 fi
 # Ensure the kernel is verifying the signature if the mkosi key is in the keyring
-if [ "$verity_sig_supported" -eq 1 ]; then
+if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
     veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
 fi
 systemd-dissect --umount "$IMAGE_DIR/mount"
@@ -746,7 +734,7 @@ EOF
 systemctl start testservice-50k.service
 systemctl is-active testservice-50k.service
 # Ensure the kernel is verifying the signature if the mkosi key is in the keyring
-if [ "$verity_sig_supported" -eq 1 ]; then
+if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
     veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
 fi
 # First reload should pick up the v1 marker

test/units/TEST-50-DISSECT.sh

@@ -25,10 +25,27 @@ at_exit() {
     done < <(find "${IMAGE_DIR}" -mindepth 1 -maxdepth 1 -type d)
 
     rm -rf "$IMAGE_DIR"
+
+    loginctl disable-linger testuser
 }
 
 trap at_exit EXIT
 
+# For unprivileged tests
+loginctl enable-linger testuser
+
+# Requires kernel built with certain kconfigs, as listed in README:
+# https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
+if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
+        ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
+        ( . /etc/os-release; [ "$ID" != "debian" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
+        ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
+        systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
+    export VERITY_SIG_SUPPORTED=1
+else
+    export VERITY_SIG_SUPPORTED=0
+fi
+
 : "Setup base images"
 
 export SYSTEMD_LOG_LEVEL=debug
@@ -102,6 +119,7 @@ fi
 udevadm control --log-level=debug
 
 IMAGE_DIR="$(mktemp -d --tmpdir="" TEST-50-IMAGES.XXX)"
+chmod go+rx "$IMAGE_DIR"
 cp -v /usr/share/minimal* "$IMAGE_DIR/"
 MINIMAL_IMAGE="$IMAGE_DIR/minimal_0"
 MINIMAL_IMAGE_ROOTHASH="$(<"$MINIMAL_IMAGE.roothash")"