mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-26 04:29:25 -05:00
tests: pam-limits: Confirm actual ulimits are installed.
This revised system test is superior to the one accepted when #61744 was closed because it confirms whether the configured limits are actually being enforced upon login. The previous test merely validated the serialization of one particular config in the config file. * gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on login. (%test-pam-limits)[description]: Update. (%test-pam-limits-deprecated): Remove. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
parent
6eb0070f08
commit
465c328c82
1 changed files with 38 additions and 32 deletions
|
@ -1,5 +1,6 @@
|
||||||
;;; GNU Guix --- Functional package management for GNU
|
;;; GNU Guix --- Functional package management for GNU
|
||||||
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
|
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
|
||||||
|
;;; Copyright © 2023 Felix Lechner <felix.lechner@lease-up.com>
|
||||||
;;;
|
;;;
|
||||||
;;; This file is part of GNU Guix.
|
;;; This file is part of GNU Guix.
|
||||||
;;;
|
;;;
|
||||||
|
@ -25,8 +26,7 @@ (define-module (gnu tests pam)
|
||||||
#:use-module (gnu system vm)
|
#:use-module (gnu system vm)
|
||||||
#:use-module (guix gexp)
|
#:use-module (guix gexp)
|
||||||
#:use-module (ice-9 format)
|
#:use-module (ice-9 format)
|
||||||
#:export (%test-pam-limits
|
#:export (%test-pam-limits))
|
||||||
%test-pam-limits-deprecated))
|
|
||||||
|
|
||||||
|
|
||||||
;;;
|
;;;
|
||||||
|
@ -35,26 +35,29 @@ (define-module (gnu tests pam)
|
||||||
|
|
||||||
(define pam-limit-entries
|
(define pam-limit-entries
|
||||||
(list
|
(list
|
||||||
(pam-limits-entry "@realtime" 'both 'rtprio 99)
|
;; make sure the limits apply to root (uid 0)
|
||||||
(pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
|
(pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0
|
||||||
|
(pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes
|
||||||
|
|
||||||
(define (run-test-pam-limits config)
|
(define (run-test-pam-limits config)
|
||||||
"Run tests in a os with pam-limits-service-type configured."
|
"Run tests in a os with pam-limits-service-type configured."
|
||||||
(define os
|
(define os
|
||||||
(marionette-operating-system
|
(marionette-operating-system
|
||||||
(simple-operating-system
|
(simple-operating-system
|
||||||
(service pam-limits-service-type config))))
|
(service pam-limits-service-type config))
|
||||||
|
#:imported-modules '((gnu services herd))))
|
||||||
|
|
||||||
(define vm
|
(define vm
|
||||||
(virtual-machine os))
|
(virtual-machine os))
|
||||||
|
|
||||||
(define name (format #f "pam-limit-service~:[~;-deprecated~]"
|
(define name "pam-limits-service")
|
||||||
(file-like? config)))
|
|
||||||
|
|
||||||
(define test
|
(define test
|
||||||
(with-imported-modules '((gnu build marionette))
|
(with-imported-modules '((gnu build marionette)
|
||||||
|
(guix build syscalls))
|
||||||
#~(begin
|
#~(begin
|
||||||
(use-modules (gnu build marionette)
|
(use-modules (gnu build marionette)
|
||||||
|
(guix build syscalls)
|
||||||
(srfi srfi-64))
|
(srfi srfi-64))
|
||||||
|
|
||||||
(let ((marionette (make-marionette (list #$vm))))
|
(let ((marionette (make-marionette (list #$vm))))
|
||||||
|
@ -63,18 +66,32 @@ (define test
|
||||||
|
|
||||||
(test-begin #$name)
|
(test-begin #$name)
|
||||||
|
|
||||||
(test-assert "/etc/security/limits.conf ready"
|
(test-equal "log in on tty1 and read limits"
|
||||||
(wait-for-file "/etc/security/limits.conf" marionette))
|
'(("99") ;real-time priority
|
||||||
|
("unlimited")) ;max locked memory
|
||||||
|
|
||||||
(test-equal "/etc/security/limits.conf content matches"
|
(begin
|
||||||
#$(string-join (map pam-limits-entry->string pam-limit-entries)
|
;; Wait for tty1.
|
||||||
"\n" 'suffix)
|
(marionette-eval '(begin
|
||||||
(marionette-eval
|
(use-modules (gnu services herd))
|
||||||
'(begin
|
(start-service 'term-tty1))
|
||||||
(use-modules (rnrs io ports))
|
marionette)
|
||||||
(call-with-input-file "/etc/security/limits.conf"
|
|
||||||
get-string-all))
|
(marionette-control "sendkey ctrl-alt-f1" marionette)
|
||||||
marionette))
|
|
||||||
|
;; Now we can type.
|
||||||
|
(marionette-type "root\n" marionette)
|
||||||
|
(marionette-type "ulimit -r > real-time-priority\n" marionette)
|
||||||
|
(marionette-type "ulimit -l > max-locked-memory\n" marionette)
|
||||||
|
|
||||||
|
;; Read the two files.
|
||||||
|
(marionette-eval '(use-modules (rnrs io ports)) marionette)
|
||||||
|
(let ((guest-file (lambda (file)
|
||||||
|
(string-tokenize
|
||||||
|
(wait-for-file file marionette
|
||||||
|
#:read 'get-string-all)))))
|
||||||
|
(list (guest-file "/root/real-time-priority")
|
||||||
|
(guest-file "/root/max-locked-memory")))))
|
||||||
|
|
||||||
(test-end)))))
|
(test-end)))))
|
||||||
|
|
||||||
|
@ -83,17 +100,6 @@ (define test
|
||||||
(define %test-pam-limits
|
(define %test-pam-limits
|
||||||
(system-test
|
(system-test
|
||||||
(name "pam-limits-service")
|
(name "pam-limits-service")
|
||||||
(description "Test that pam-limits-service can serialize its config
|
(description "Test that pam-limits-service actually sets the limits as
|
||||||
(as a list) to @file{limits.conf}.")
|
configured.")
|
||||||
(value (run-test-pam-limits pam-limit-entries))))
|
(value (run-test-pam-limits pam-limit-entries))))
|
||||||
|
|
||||||
(define %test-pam-limits-deprecated
|
|
||||||
(system-test
|
|
||||||
(name "pam-limits-service-deprecated")
|
|
||||||
(description "Test that pam-limits-service can serialize its config
|
|
||||||
(as a file-like object) to @file{limits.conf}.")
|
|
||||||
(value (run-test-pam-limits
|
|
||||||
(plain-file "limits.conf"
|
|
||||||
(string-join (map pam-limits-entry->string
|
|
||||||
pam-limit-entries)
|
|
||||||
"\n" 'suffix))))))
|
|
||||||
|
|
Loading…
Reference in a new issue