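#!/bin/ksh -p
# SPDX-License-Identifier: CDDL-1.0
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or https://opensource.org/licenses/CDDL-1.0.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2026 Colin K. Williams / LINK ORG LLC / LI-NK.SOCIAL. All rights reserved.
#

#
# Group setup for the zoned_uid tests.
#
# Order of operations:
#   1. Skip unless running on Linux with /proc/self/uid_map present.
#   2. Create the default pool on the first disk in $DISKS.
#   3. Skip if the zoned_uid property is not supported.
#   4. Create passwd entries for the two test UIDs when they are missing.
#   5. Relax the AppArmor unprivileged-userns restriction if it is set,
#      saving the previous value in $APPARMOR_RESTORE.
#   6. Skip if the test UID still cannot create a user namespace.
#   7. Report whether capsh is usable for the capability-tier tests.
#
# This script changes host-wide state (local accounts and a kernel
# security sysctl), so it belongs on disposable test machines only.
#

. $STF_SUITE/include/libtest.shlib
. $STF_SUITE/tests/functional/zoned_uid/zoned_uid_common.kshlib

# Only run on Linux - zoned_uid is Linux-specific
if ! is_linux; then
	log_unsupported "zoned_uid is only supported on Linux"
fi

# Check kernel supports user namespaces
if ! [ -f /proc/self/uid_map ]; then
	log_unsupported "The kernel doesn't support user namespaces."
fi

verify_runnable "global"

# Use only the first disk of the space-separated $DISKS list.
DISK=${DISKS%% *}
default_setup_noexit $DISK

# Check if zoned_uid property is supported (requires pool to exist)
if ! zoned_uid_supported; then
	default_cleanup_noexit
	log_unsupported "zoned_uid property not supported by this kernel"
fi

#
# Provision test users if they don't exist.
# Tests use "sudo -u #<uid>" which requires the UID to have a passwd entry.
# CI environments (e.g. GitHub Actions QEMU VMs) typically don't have these.
# The accounts get no home directory, no user group and a nologin shell.
#
for uid in "$ZONED_TEST_UID" "$ZONED_OTHER_UID"; do
	if ! id "$uid" >/dev/null 2>&1; then
		log_note "Creating test user for UID $uid"
		log_must useradd -u "$uid" -M -N -s /usr/sbin/nologin \
		    "zfs_test_$uid"
	fi
done

# Some environments (e.g., Ubuntu with AppArmor) restrict unprivileged
# user namespace creation. Try to relax the restriction for testing.
APPARMOR_USERNS=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
APPARMOR_RESTORE=/tmp/zoned_uid_apparmor_restore
apparmor_relaxed=0
if [ -f "$APPARMOR_USERNS" ]; then
	orig=$(cat "$APPARMOR_USERNS")
	if [ "$orig" != "0" ]; then
		#
		# The restore file has a fixed name in /tmp and is written
		# with this script's privileges. Remove whatever already
		# sits at that path and create the file with noclobber and
		# a restrictive umask, so the redirect fails instead of
		# writing into an object another local user placed there.
		# NOTE(review): the path itself is kept because the group's
		# cleanup script presumably reads it - confirm; a directory
		# that is not world-writable would be a better home.
		#
		rm -f -- "$APPARMOR_RESTORE"
		if (umask 077; set -o noclobber
		    echo "$orig" > "$APPARMOR_RESTORE") 2>/dev/null; then
			# Only relax the control once the old value is saved,
			# otherwise it could not be put back afterwards.
			if echo 0 > "$APPARMOR_USERNS"; then
				apparmor_relaxed=1
				log_note "Relaxed AppArmor user namespace" \
				    "restriction for testing"
			else
				log_note "WARNING: could not write" \
				    "$APPARMOR_USERNS"
			fi
		else
			log_note "WARNING: could not save AppArmor setting" \
			    "to $APPARMOR_RESTORE; restriction left in place"
		fi
	fi
fi

# Verify user namespace creation works with the test UIDs.
if ! sudo -u "#${ZONED_TEST_UID}" unshare --user --map-root-user \
    true 2>/dev/null; then
	# Bailing out: put the host's restriction back right away rather
	# than relying on a later cleanup step. The restore file is left
	# in place, so a cleanup that rewrites the same value is harmless.
	if [ "$apparmor_relaxed" = "1" ]; then
		echo "$orig" > "$APPARMOR_USERNS"
	fi
	default_cleanup_noexit
	log_unsupported "Cannot create user namespaces as UID $ZONED_TEST_UID"
fi

# Verify capsh is available and works for capability control tests.
# Tests 023+ use run_in_userns_caps which requires capsh.
typeset _capsh_found
# command -v is the shell's own lookup; nothing is printed when capsh
# is missing, so an empty result means "not found".
_capsh_found="$(command -v capsh 2>/dev/null)"
if [[ -z "$_capsh_found" ]]; then
	log_note "WARNING: capsh not found; capability-tier tests will be skipped"
else
	if ! verify_capsh_works; then
		log_note "WARNING: capsh cap control broken; capability-tier tests may fail"
	else
		log_note "capsh capability control verified"
	fi
fi

log_pass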