From: Felix Lechner
To: 63383@debbugs.gnu.org
Date: Mon, 8 May 2023 17:58:06 -0700
Subject: [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.

This revised system test is superior to the one accepted when Bug#61744 was closed because it confirms whether the configured limits are actually being enforced upon login. The previous test merely validated the serialization of one particular config in the config file.

* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on login.

--- gnu/tests/pam.scm | 70 +++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm index 1654396e42..fa480e69ff 100644 --- a/gnu/tests/pam.scm +++ b/gnu/tests/pam.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Bruno Victal +;;; Copyright © 2023 Felix Lechner ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,8 +26,7 @@ (define-module (gnu tests pam) #:use-module (gnu system vm) #:use-module (guix gexp) #:use-module (ice-9 format) - #:export (%test-pam-limits - %test-pam-limits-deprecated)) + #:export (%test-pam-limits)) ;;; 
@@ -35,26 +35,29 @@ (define-module (gnu tests pam) (define pam-limit-entries (list - (pam-limits-entry "@realtime" 'both 'rtprio 99) - (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + ;; make sure the limits apply to root (uid 0) + (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0 + (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes (define (run-test-pam-limits config) "Run tests in a os with pam-limits-service-type configured." (define os (marionette-operating-system (simple-operating-system - (service pam-limits-service-type config)))) + (service pam-limits-service-type config)) + #:imported-modules '((gnu services herd)))) (define vm (virtual-machine os)) - (define name (format #f "pam-limit-service~:[~;-deprecated~]" - (file-like? config))) + (define name "pam-limits-service") (define test - (with-imported-modules '((gnu build marionette)) + (with-imported-modules '((gnu build marionette) + (guix build syscalls)) #~(begin (use-modules (gnu build marionette) + (guix build syscalls) (srfi srfi-64)) (let ((marionette (make-marionette (list #$vm)))) 
@@ -63,18 +66,32 @@ (define test (test-begin #$name) - (test-assert "/etc/security/limits.conf ready" - (wait-for-file "/etc/security/limits.conf" marionette)) + (test-equal "log in on tty1 and read limits" + '(("99") ;real-time priority + ("unlimited")) ;max locked memory - (test-equal "/etc/security/limits.conf content matches" - #$(string-join (map pam-limits-entry->string pam-limit-entries) - "\n" 'suffix) - (marionette-eval - '(begin - (use-modules (rnrs io ports)) - (call-with-input-file "/etc/security/limits.conf" - get-string-all)) - marionette)) + (begin + ;; Wait for tty1. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'term-tty1)) + marionette) + + (marionette-control "sendkey ctrl-alt-f1" marionette) + + ;; Now we can type. + (marionette-type "root\n" marionette) + (marionette-type "ulimit -r > real-time-priority\n" marionette) + (marionette-type "ulimit -l > max-locked-memory\n" marionette) + + ;; Read the two files. + (marionette-eval '(use-modules (rnrs io ports)) marionette) + (let ((guest-file (lambda (file) + (string-tokenize + (wait-for-file file marionette + #:read 'get-string-all))))) + (list (guest-file "/root/real-time-priority") + (guest-file "/root/max-locked-memory"))))) (test-end))))) @@ -83,17 +100,6 @@ (define test (define %test-pam-limits (system-test (name "pam-limits-service") - (description "Test that pam-limits-service can serialize its config -(as a list) to @file{limits.conf}.") + (description "Test that pam-limits-service actually sets the limits as +configured.") (value (run-test-pam-limits pam-limit-entries)))) - -(define %test-pam-limits-deprecated - (system-test - (name "pam-limits-service-deprecated") - (description "Test that pam-limits-service can serialize its config -(as a file-like object) to @file{limits.conf}.") - (value (run-test-pam-limits - (plain-file "limits.conf" - (string-join (map pam-limits-entry->string - pam-limit-entries) - "\n" 'suffix))))))
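
Review bot: In the @@ -35,26 +35,29 @@ hunk, both entries are declared with 'both, but the test later reads them back with plain "ulimit -r" and "ulimit -l", which in bash report only the soft limit, so a hard limit that is not applied would still pass. Consider also reading "ulimit -H -r" and "ulimit -H -l" and expecting the same values. Smaller points in the same hunk: the comment "make sure the limits apply to root (uid 0)" should be a capitalized full sentence, and if the removed (format #f ...) call was the only use of format in this file, the (ice-9 format) import in the module header can be dropped too.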
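
Review bot: In the @@ -63,18 +66,32 @@ hunk, wait-for-file with #:read 'get-string-all can return as soon as the shell redirection has created the file, before ulimit has written to it, in which case string-tokenize yields '() and the test fails intermittently. Writing to a temporary name and renaming it (for example "ulimit -r > rtprio.tmp && mv rtprio.tmp real-time-priority") makes the read atomic from the test's point of view. The typed commands also use relative paths while the reads use /root/..., and "root\n" is typed right after the sendkey without waiting for the login prompt; absolute paths in the typed commands and a wait for the prompt would remove both assumptions.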
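
Review bot: In the @@ -83,17 +100,6 @@ hunk, dropping %test-pam-limits-deprecated leaves the file-like configuration path with no test at all, and neither the commit message nor the changelog line mentions the removal. Since run-test-pam-limits still takes a config argument, the deprecated variant could be kept and run through the same login-based check with the plain-file "limits.conf" input; if the removal is intended, please say so in the changelog entry and consider removing the now single-use config parameter.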