From patchwork Fri May 12 18:52:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Felix Lechner X-Patchwork-Id: 49970 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 01FF227BBF0; Fri, 12 May 2023 19:53:30 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 67D5027BBEE for ; Fri, 12 May 2023 19:53:27 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pxXt5-0006w1-Dk; Fri, 12 May 2023 14:53:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pxXt1-0006uS-Oa for guix-patches@gnu.org; Fri, 12 May 2023 14:53:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pxXt1-0007lW-Fr for guix-patches@gnu.org; Fri, 12 May 2023 14:53:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pxXt1-0003al-C7 for guix-patches@gnu.org; Fri, 12 May 2023 14:53:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files. References: In-Reply-To: Resent-From: Felix Lechner Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 12 May 2023 18:53:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 63383 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 63383@debbugs.gnu.org Cc: Felix Lechner Received: via spool by 63383-submit@debbugs.gnu.org id=B63383.168391757613745 (code B ref 63383); Fri, 12 May 2023 18:53:03 +0000 Received: (at 63383) by debbugs.gnu.org; 12 May 2023 18:52:56 +0000 Received: from localhost ([127.0.0.1]:32977 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXst-0003Zc-Rb for submit@debbugs.gnu.org; Fri, 12 May 2023 14:52:56 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:38686) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXsr-0003ZR-Rk for 63383@debbugs.gnu.org; Fri, 12 May 2023 14:52:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=pBMlwsVShVtr65+ oqHkbzPSxaE9LhVN378V64plIAlc=; h=date:subject:cc:to:from; d=lease-up.com; b=epVbXEuTeSmsR/L8+MmNH3pKZi3VsoGNoRrYB93YsljAH4AmLV9b AW88YLNB6UEmwzESqN2AVCPewvOKwjGgikfzuKNEan2ONkEmRqVxKuyNbi8qPb8BJryZ3j HNdUeF22L7umMM4bZ4ftGORoC4ydNF7UsJy33wOYleEg7raU0= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 305f4144 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 12 May 2023 18:52:52 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 5533b954; Fri, 12 May 2023 18:52:52 +0000 (UTC) Date: Fri, 12 May 2023 11:52:47 -0700 Message-Id: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> X-Mailer: git-send-email 2.40.1 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Felix Lechner X-ACL-Warn: , Felix Lechner via Guix-patches X-Patchwork-Original-From: Felix Lechner via Guix-patches via From: Felix Lechner Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches This revised system test is superior to the one accepted when Bug#61744 was closed because it confirms whether the configured limits are actually being enforced upon login. The previous test merely validated the serialization of one particular config in the config file. * gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on login. --- gnu/tests/pam.scm | 70 +++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm index 1654396e42..fa480e69ff 100644 --- a/gnu/tests/pam.scm +++ b/gnu/tests/pam.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Bruno Victal +;;; Copyright © 2023 Felix Lechner ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,8 +26,7 @@ (define-module (gnu tests pam) #:use-module (gnu system vm) #:use-module (guix gexp) #:use-module (ice-9 format) - #:export (%test-pam-limits - %test-pam-limits-deprecated)) + #:export (%test-pam-limits)) ;;; @@ -35,26 +35,29 @@ (define-module (gnu tests pam) (define pam-limit-entries (list - (pam-limits-entry "@realtime" 'both 'rtprio 99) - (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + ;; make sure the limits apply to root (uid 0) + (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0 + (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes (define (run-test-pam-limits config) "Run tests in a os with pam-limits-service-type configured." (define os (marionette-operating-system (simple-operating-system - (service pam-limits-service-type config)))) + (service pam-limits-service-type config)) + #:imported-modules '((gnu services herd)))) (define vm (virtual-machine os)) - (define name (format #f "pam-limit-service~:[~;-deprecated~]" - (file-like? config))) + (define name "pam-limits-service") (define test - (with-imported-modules '((gnu build marionette)) + (with-imported-modules '((gnu build marionette) + (guix build syscalls)) #~(begin (use-modules (gnu build marionette) + (guix build syscalls) (srfi srfi-64)) (let ((marionette (make-marionette (list #$vm)))) @@ -63,18 +66,32 @@ (define test (test-begin #$name) - (test-assert "/etc/security/limits.conf ready" - (wait-for-file "/etc/security/limits.conf" marionette)) + (test-equal "log in on tty1 and read limits" + '(("99") ;real-time priority + ("unlimited")) ;max locked memory - (test-equal "/etc/security/limits.conf content matches" - #$(string-join (map pam-limits-entry->string pam-limit-entries) - "\n" 'suffix) - (marionette-eval - '(begin - (use-modules (rnrs io ports)) - (call-with-input-file "/etc/security/limits.conf" - get-string-all)) - marionette)) + (begin + ;; Wait for tty1. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'term-tty1)) + marionette) + + (marionette-control "sendkey ctrl-alt-f1" marionette) + + ;; Now we can type. + (marionette-type "root\n" marionette) + (marionette-type "ulimit -r > real-time-priority\n" marionette) + (marionette-type "ulimit -l > max-locked-memory\n" marionette) + + ;; Read the two files. + (marionette-eval '(use-modules (rnrs io ports)) marionette) + (let ((guest-file (lambda (file) + (string-tokenize + (wait-for-file file marionette + #:read 'get-string-all))))) + (list (guest-file "/root/real-time-priority") + (guest-file "/root/max-locked-memory"))))) (test-end))))) @@ -83,17 +100,6 @@ (define test (define %test-pam-limits (system-test (name "pam-limits-service") - (description "Test that pam-limits-service can serialize its config -(as a list) to @file{limits.conf}.") + (description "Test that pam-limits-service actually sets the limits as +configured.") (value (run-test-pam-limits pam-limit-entries)))) - -(define %test-pam-limits-deprecated - (system-test - (name "pam-limits-service-deprecated") - (description "Test that pam-limits-service can serialize its config -(as a file-like object) to @file{limits.conf}.") - (value (run-test-pam-limits - (plain-file "limits.conf" - (string-join (map pam-limits-entry->string - pam-limit-entries) - "\n" 'suffix))))))