Subject: [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
From: Felix Lechner via Guix-patches
Reply-to: Felix Lechner
To: 63383@debbugs.gnu.org
Cc: Felix Lechner
Date: Mon, 8 May 2023 17:58:06 -0700
Message-Id: <7d190e341e90198108b783f2b2c1b0654c48b049.1683593547.git.felix.lechner@lease-up.com>
X-Mailer: git-send-email 2.39.2
X-Migadu-Scanner:
scn0.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lease-up.com header.s=2017 header.b=mrfVeG7t; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-TUID: suMQpiqfBPVB This revised system test is superior to the one accepted when Bug#61744 was closed because it confirms whether the configured limits are actually being enforced upon login. The previous test merely validated the serialization of one particular config in the config file. * gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on login. --- gnu/tests/pam.scm | 70 +++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm index 1654396e42..fa480e69ff 100644 --- a/gnu/tests/pam.scm +++ b/gnu/tests/pam.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Bruno Victal +;;; Copyright © 2023 Felix Lechner ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,8 +26,7 @@ (define-module (gnu tests pam) #:use-module (gnu system vm) #:use-module (guix gexp) #:use-module (ice-9 format) - #:export (%test-pam-limits - %test-pam-limits-deprecated)) + #:export (%test-pam-limits)) ;;; 
@@ -35,26 +35,29 @@ (define-module (gnu tests pam) (define pam-limit-entries (list - (pam-limits-entry "@realtime" 'both 'rtprio 99) - (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + ;; make sure the limits apply to root (uid 0) + (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0 + (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes (define (run-test-pam-limits config) "Run tests in a os with pam-limits-service-type configured." (define os (marionette-operating-system (simple-operating-system - (service pam-limits-service-type config)))) + (service pam-limits-service-type config)) + #:imported-modules '((gnu services herd)))) (define vm (virtual-machine os)) - (define name (format #f "pam-limit-service~:[~;-deprecated~]" - (file-like? config))) + (define name "pam-limits-service") (define test - (with-imported-modules '((gnu build marionette)) + (with-imported-modules '((gnu build marionette) + (guix build syscalls)) #~(begin (use-modules (gnu build marionette) + (guix build syscalls) (srfi srfi-64)) (let ((marionette (make-marionette (list #$vm)))) 
@@ -63,18 +66,32 @@ (define test (test-begin #$name) - (test-assert "/etc/security/limits.conf ready" - (wait-for-file "/etc/security/limits.conf" marionette)) + (test-equal "log in on tty1 and read limits" + '(("99") ;real-time priority + ("unlimited")) ;max locked memory - (test-equal "/etc/security/limits.conf content matches" - #$(string-join (map pam-limits-entry->string pam-limit-entries) - "\n" 'suffix) - (marionette-eval - '(begin - (use-modules (rnrs io ports)) - (call-with-input-file "/etc/security/limits.conf" - get-string-all)) - marionette)) + (begin + ;; Wait for tty1. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'term-tty1)) + marionette) + + (marionette-control "sendkey ctrl-alt-f1" marionette) + + ;; Now we can type. + (marionette-type "root\n" marionette) + (marionette-type "ulimit -r > real-time-priority\n" marionette) + (marionette-type "ulimit -l > max-locked-memory\n" marionette) + + ;; Read the two files. + (marionette-eval '(use-modules (rnrs io ports)) marionette) + (let ((guest-file (lambda (file) + (string-tokenize + (wait-for-file file marionette + #:read 'get-string-all))))) + (list (guest-file "/root/real-time-priority") + (guest-file "/root/max-locked-memory"))))) (test-end))))) @@ -83,17 +100,6 @@ (define test (define %test-pam-limits (system-test (name "pam-limits-service") - (description "Test that pam-limits-service can serialize its config -(as a list) to @file{limits.conf}.") + (description "Test that pam-limits-service actually sets the limits as +configured.") (value (run-test-pam-limits pam-limit-entries)))) - -(define %test-pam-limits-deprecated - (system-test - (name "pam-limits-service-deprecated") - (description "Test that pam-limits-service can serialize its config -(as a file-like object) to @file{limits.conf}.") - (value (run-test-pam-limits - (plain-file "limits.conf" - (string-join (map pam-limits-entry->string - pam-limit-entries) - "\n" 'suffix)))))) -- 2.39.2
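Review bot: In the define-module hunk (@@ -25,8 +26,7 @@), `#:use-module (ice-9 format)` is kept as context, but the only `format` call visible in this patch, `(define name (format #f "pam-limit-service~:[~;-deprecated~]" ...))`, is deleted in the following hunk. If nothing else in gnu/tests/pam.scm calls `format`, drop the import in the same commit so the module list matches what the file actually uses.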
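Review bot: In the run-test-pam-limits hunk (@@ -35,26 +35,29 @@), `(guix build syscalls)` is added to both `with-imported-modules` and `use-modules`, yet none of the added test code calls anything from it; the new body uses only marionette procedures and `string-tokenize`. Remove it unless a later patch in the series needs it. Separately, changing both entries from "@realtime" to ":0" means the group-match form of a limits entry is no longer exercised by any test; a sentence in the commit message stating that this is intentional would help.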
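Review bot: In the test body hunk (@@ -63,18 +66,32 @@), the typed commands `ulimit -r` and `ulimit -l` are run without -H, so they report only the soft limit, while both entries are declared with 'both. A regression that applies the soft value but leaves the hard limit at its default would still pass. Consider also capturing `ulimit -Hr` and `ulimit -Hl` and asserting on those values. The redirections also use relative file names while the test reads /root/real-time-priority and /root/max-locked-memory, which depends on the login shell starting in /root; writing to absolute paths removes that assumption.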
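Review bot: In the final hunk (@@ -83,17 +100,6 @@), deleting `%test-pam-limits-deprecated` leaves the file-like-object configuration path with no system test, and neither the commit message nor the ChangeLog line mentions the removal. The ChangeLog entry names `(pam-limits-service)`, which is not a definition touched by this patch; list `pam-limit-entries`, `run-test-pam-limits`, `%test-pam-limits` and the removed `%test-pam-limits-deprecated` instead, and state why the deprecated path no longer needs coverage.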