From: Felix Lechner via Guix-patches via <guix-patches@gnu.org>
To: 63383@debbugs.gnu.org
Cc: Felix Lechner <felix.lechner@lease-up.com>
Subject: [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
Date: Fri, 12 May 2023 11:52:47 -0700 [thread overview]
Message-ID: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> (raw)
In-Reply-To: <cover.1683593547.git.felix.lechner@lease-up.com>
This revised system test is superior to the one accepted when Bug#61744 was
closed because it confirms whether the configured limits are actually being
enforced upon login.
The previous test merely validated the serialization of one particular config
in the config file.
* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on
login.
---
gnu/tests/pam.scm | 70 +++++++++++++++++++++++++----------------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm
index 1654396e42..fa480e69ff 100644
--- a/gnu/tests/pam.scm
+++ b/gnu/tests/pam.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@lease-up.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,8 +26,7 @@ (define-module (gnu tests pam)
#:use-module (gnu system vm)
#:use-module (guix gexp)
#:use-module (ice-9 format)
- #:export (%test-pam-limits
- %test-pam-limits-deprecated))
+ #:export (%test-pam-limits))
\f
;;;
@@ -35,26 +35,29 @@ (define-module (gnu tests pam)
(define pam-limit-entries
(list
- (pam-limits-entry "@realtime" 'both 'rtprio 99)
- (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
+ ;; make sure the limits apply to root (uid 0)
+ (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0
+ (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes
(define (run-test-pam-limits config)
"Run tests in a os with pam-limits-service-type configured."
(define os
(marionette-operating-system
(simple-operating-system
- (service pam-limits-service-type config))))
+ (service pam-limits-service-type config))
+ #:imported-modules '((gnu services herd))))
(define vm
(virtual-machine os))
- (define name (format #f "pam-limit-service~:[~;-deprecated~]"
- (file-like? config)))
+ (define name "pam-limits-service")
(define test
- (with-imported-modules '((gnu build marionette))
+ (with-imported-modules '((gnu build marionette)
+ (guix build syscalls))
#~(begin
(use-modules (gnu build marionette)
+ (guix build syscalls)
(srfi srfi-64))
(let ((marionette (make-marionette (list #$vm))))
@@ -63,18 +66,32 @@ (define test
(test-begin #$name)
- (test-assert "/etc/security/limits.conf ready"
- (wait-for-file "/etc/security/limits.conf" marionette))
+ (test-equal "log in on tty1 and read limits"
+ '(("99") ;real-time priority
+ ("unlimited")) ;max locked memory
- (test-equal "/etc/security/limits.conf content matches"
- #$(string-join (map pam-limits-entry->string pam-limit-entries)
- "\n" 'suffix)
- (marionette-eval
- '(begin
- (use-modules (rnrs io ports))
- (call-with-input-file "/etc/security/limits.conf"
- get-string-all))
- marionette))
+ (begin
+ ;; Wait for tty1.
+ (marionette-eval '(begin
+ (use-modules (gnu services herd))
+ (start-service 'term-tty1))
+ marionette)
+
+ (marionette-control "sendkey ctrl-alt-f1" marionette)
+
+ ;; Now we can type.
+ (marionette-type "root\n" marionette)
+ (marionette-type "ulimit -r > real-time-priority\n" marionette)
+ (marionette-type "ulimit -l > max-locked-memory\n" marionette)
+
+ ;; Read the two files.
+ (marionette-eval '(use-modules (rnrs io ports)) marionette)
+ (let ((guest-file (lambda (file)
+ (string-tokenize
+ (wait-for-file file marionette
+ #:read 'get-string-all)))))
+ (list (guest-file "/root/real-time-priority")
+ (guest-file "/root/max-locked-memory")))))
(test-end)))))
@@ -83,17 +100,6 @@ (define test
(define %test-pam-limits
(system-test
(name "pam-limits-service")
- (description "Test that pam-limits-service can serialize its config
-(as a list) to @file{limits.conf}.")
+ (description "Test that pam-limits-service actually sets the limits as
+configured.")
(value (run-test-pam-limits pam-limit-entries))))
-
-(define %test-pam-limits-deprecated
- (system-test
- (name "pam-limits-service-deprecated")
- (description "Test that pam-limits-service can serialize its config
-(as a file-like object) to @file{limits.conf}.")
- (value (run-test-pam-limits
- (plain-file "limits.conf"
- (string-join (map pam-limits-entry->string
- pam-limit-entries)
- "\n" 'suffix))))))
--
2.40.1
next prev parent reply other threads:[~2023-05-12 18:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 4/4] Use more file-append Felix Lechner via Guix-patches via
2023-05-12 18:51 ` [bug#63383] rebased Felix Lechner via Guix-patches via
2023-05-12 18:52 ` Felix Lechner via Guix-patches via [this message]
2023-05-12 18:52 ` [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 4/4] Use more file-append Felix Lechner via Guix-patches via
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com \
--to=guix-patches@gnu.org \
--cc=63383@debbugs.gnu.org \
--cc=felix.lechner@lease-up.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.