From 4cac89bd7c449dad262e4b306b76611b80fb51cc Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 20 Feb 2018 16:50:12 +0900
Subject: [PATCH] test: add tests for TemporaryFileSystem=

---
 src/test/test-execute.c | 9 +++++
 test/meson.build | 4 +++
 .../exec-temporaryfilesystem-options.service | 11 +++++++
 .../exec-temporaryfilesystem-ro.service | 33 +++++++++++++++++++
 .../exec-temporaryfilesystem-rw.service | 33 +++++++++++++++++++
 .../exec-temporaryfilesystem-usr.service | 15 +++++++++
 6 files changed, 105 insertions(+)
 create mode 100644 test/test-execute/exec-temporaryfilesystem-options.service
 create mode 100644 test/test-execute/exec-temporaryfilesystem-ro.service
 create mode 100644 test/test-execute/exec-temporaryfilesystem-rw.service
 create mode 100644 test/test-execute/exec-temporaryfilesystem-usr.service

diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index fba798e22b..f2223e1d3a 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -276,6 +276,14 @@ static void test_exec_inaccessiblepaths(Manager *m) {
         test(m, "exec-inaccessiblepaths-mount-propagation.service", 0, CLD_EXITED);
 }
 
+static void test_exec_temporaryfilesystem(Manager *m) {
+
+        test(m, "exec-temporaryfilesystem-options.service", 0, CLD_EXITED);
+        test(m, "exec-temporaryfilesystem-ro.service", 0, CLD_EXITED);
+        test(m, "exec-temporaryfilesystem-rw.service", 0, CLD_EXITED);
+        test(m, "exec-temporaryfilesystem-usr.service", 0, CLD_EXITED);
+}
+
 static void test_exec_systemcallfilter(Manager *m) {
 #if HAVE_SECCOMP
         if (!is_seccomp_available()) {
@@ -569,6 +577,7 @@ int main(int argc, char *argv[]) {
                 test_exec_supplementarygroups,
                 test_exec_systemcallerrornumber,
                 test_exec_systemcallfilter,
+                test_exec_temporaryfilesystem,
                 test_exec_umask,
                 test_exec_unsetenvironment,
                 test_exec_user,
diff --git a/test/meson.build b/test/meson.build
index 4667628b24..060e7ee73d 100644
--- a/test/meson.build
+++ b/test/meson.build
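Review bot: test_exec_temporaryfilesystem runs its four units unconditionally, although TemporaryFileSystem= depends on mount-namespace support and on running privileged, whereas the neighbouring test_exec_systemcallfilter first checks that its prerequisite (seccomp) is available before calling test(). Unless main() already skips the whole run in those situations (main() is outside the hunk), an early return with a skip message in the same spirit would keep these units from failing for reasons unrelated to the feature under test. The blank line directly after the opening brace is also not how the surrounding functions in this hunk are laid out and can be dropped. The second hunk only registers the function in main()'s table, whose start and end lie outside the hunk.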
@@ -136,6 +136,10 @@ test_data_files = '''
         test-execute/exec-systemcallfilter-system-user.service
         test-execute/exec-systemcallfilter-with-errno-name.service
         test-execute/exec-systemcallfilter-with-errno-number.service
+        test-execute/exec-temporaryfilesystem-options.service
+        test-execute/exec-temporaryfilesystem-ro.service
+        test-execute/exec-temporaryfilesystem-rw.service
+        test-execute/exec-temporaryfilesystem-usr.service
         test-execute/exec-umask-0177.service
         test-execute/exec-umask-default.service
         test-execute/exec-unsetenvironment.service
diff --git a/test/test-execute/exec-temporaryfilesystem-options.service b/test/test-execute/exec-temporaryfilesystem-options.service
new file mode 100644
index 0000000000..1d5d76c81c
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-options.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Test for TemporaryFileSystem with mount options
+
+[Service]
+Type=oneshot
+
+# Check /proc/self/mountinfo
+ExecStart=/bin/sh -c 'test $$(awk \'$$5 == "/var" { print $$6 }\' /proc/self/mountinfo) = "ro,nodev,relatime"'
+ExecStart=/bin/sh -c 'test $$(awk \'$$5 == "/var" { print $$11 }\' /proc/self/mountinfo) = "ro,mode=700"'
+
+TemporaryFileSystem=/var:ro,mode=0700,nostrictatime
diff --git a/test/test-execute/exec-temporaryfilesystem-ro.service b/test/test-execute/exec-temporaryfilesystem-ro.service
new file mode 100644
index 0000000000..c0e3721a01
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-ro.service
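Review bot: The second mountinfo check hard-codes the super-block options as column `$$11`, but /proc/self/mountinfo carries a variable number of optional fields (propagation tags and the like) between the per-mount options and the `-` separator, so that index is only correct when the /var mount has exactly one optional field; under a different propagation setup the test reads the wrong column and fails for the wrong reason. Walking to the separator is position-independent: `awk \'$$5 == "/var" { for (i = 7; i <= NF; i++) if ($$i == "-") print $$(i+3) }\'`. In both lines the command substitution is unquoted, so an empty awk result turns the test into `test = "..."` and fails with a unary-operator error rather than a clear mismatch; `test "$$(...)" = "..."` reports the intended comparison.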
@@ -0,0 +1,33 @@
+[Unit]
+Description=Test for TemporaryFileSystem with read-only mode
+
+[Service]
+Type=oneshot
+
+# Check directories exist
+ExecStart=/bin/sh -c 'test -d /var/test-exec-temporaryfilesystem/rw && test -d /var/test-exec-temporaryfilesystem/ro'
+
+# Check TemporaryFileSystem= are empty
+ExecStart=/bin/sh -c 'for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done'
+
+# Cannot create a file in /var
+ExecStart=/bin/sh -c '! touch /var/hoge'
+
+# Create a file in /var/test-exec-temporaryfilesystem/rw
+ExecStart=/bin/sh -c 'touch /var/test-exec-temporaryfilesystem/rw/thisisasimpletest-temporaryfilesystem'
+
+# Then, the file can be access through /tmp
+ExecStart=/bin/sh -c 'test -f /tmp/thisisasimpletest-temporaryfilesystem'
+
+# Also, through /var/test-exec-temporaryfilesystem/ro
+ExecStart=/bin/sh -c 'test -f /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# The file cannot modify through /var/test-exec-temporaryfilesystem/ro
+ExecStart=/bin/sh -c '! touch /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# Cleanup
+ExecStart=/bin/sh -c 'rm /tmp/thisisasimpletest-temporaryfilesystem'
+
+TemporaryFileSystem=/var:ro
+BindPaths=/tmp:/var/test-exec-temporaryfilesystem/rw
+BindReadOnlyPaths=/tmp:/var/test-exec-temporaryfilesystem/ro
diff --git a/test/test-execute/exec-temporaryfilesystem-rw.service b/test/test-execute/exec-temporaryfilesystem-rw.service
new file mode 100644
index 0000000000..fc02ceab1c
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-rw.service
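Review bot: The "TemporaryFileSystem= are empty" check does not fail the unit when an unexpected entry sorts before test-exec-temporaryfilesystem in `ls -A /var`: `|| false` only sets the status of that iteration, the loop carries on, and `sh -c` exits with the status of the last iteration, which is the expected directory and succeeds. Using `|| exit 1` instead makes any stray entry abort the command. The same construct is used in exec-temporaryfilesystem-rw.service and exec-temporaryfilesystem-usr.service in the later hunks.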
@@ -0,0 +1,33 @@
+[Unit]
+Description=Test for TemporaryFileSystem
+
+[Service]
+Type=oneshot
+
+# Check directories exist
+ExecStart=/bin/sh -c 'test -d /var/test-exec-temporaryfilesystem/rw && test -d /var/test-exec-temporaryfilesystem/ro'
+
+# Check TemporaryFileSystem= are empty
+ExecStart=/bin/sh -c 'for i in $$(ls -A /var); do test $$i = test-exec-temporaryfilesystem || false; done'
+
+# Create a file in /var
+ExecStart=/bin/sh -c 'touch /var/hoge'
+
+# Create a file in /var/test-exec-temporaryfilesystem/rw
+ExecStart=/bin/sh -c 'touch /var/test-exec-temporaryfilesystem/rw/thisisasimpletest-temporaryfilesystem'
+
+# Then, the file can be access through /tmp
+ExecStart=/bin/sh -c 'test -f /tmp/thisisasimpletest-temporaryfilesystem'
+
+# Also, through /var/test-exec-temporaryfilesystem/ro
+ExecStart=/bin/sh -c 'test -f /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# The file cannot modify through /var/test-exec-temporaryfilesystem/ro
+ExecStart=/bin/sh -c '! touch /var/test-exec-temporaryfilesystem/ro/thisisasimpletest-temporaryfilesystem'
+
+# Cleanup
+ExecStart=/bin/sh -c 'rm /tmp/thisisasimpletest-temporaryfilesystem'
+
+TemporaryFileSystem=/var
+BindPaths=/tmp:/var/test-exec-temporaryfilesystem/rw
+BindReadOnlyPaths=/tmp:/var/test-exec-temporaryfilesystem/ro
diff --git a/test/test-execute/exec-temporaryfilesystem-usr.service b/test/test-execute/exec-temporaryfilesystem-usr.service
new file mode 100644
index 0000000000..05c1ec0694
--- /dev/null
+++ b/test/test-execute/exec-temporaryfilesystem-usr.service
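Review bot: The "Cleanup" line only runs when every preceding ExecStart= succeeds, and since the rw bind mount points at the real /tmp, a failing assertion leaves /tmp/thisisasimpletest-temporaryfilesystem behind on the host, where it makes the `test -f` checks of the next run pass even if the bind mounts were broken. Moving the removal to `ExecStopPost=/bin/rm -f /tmp/thisisasimpletest-temporaryfilesystem` runs it regardless of the outcome, assuming ExecStopPost= sees the same /tmp, which looks likely here since /tmp itself is not replaced. The same cleanup line is in exec-temporaryfilesystem-ro.service in the previous hunk.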
@@ -0,0 +1,15 @@
+[Unit]
+Description=Test for TemporaryFileSystem on /usr
+
+[Service]
+Type=oneshot
+
+# Check TemporaryFileSystem= are empty
+ExecStart=/bin/sh -c 'for i in $$(ls -A /usr); do test $$i = lib -o $$i = lib64 -o $$i = bin -o $$i = sbin || false; done'
+
+# Cannot create files under /usr
+ExecStart=/bin/sh -c '! touch /usr/hoge'
+ExecStart=/bin/sh -c '! touch /usr/bin/hoge'
+
+TemporaryFileSystem=/usr:ro
+BindReadOnlyPaths=-/usr/lib -/usr/lib64 /usr/bin /usr/sbin
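Review bot: The whitelist in the `ls -A /usr` loop is built from `-o`, which POSIX marks obsolescent and whose parsing is unspecified once test has more than four operands, so the result depends on the /bin/sh in use. A `case` is unambiguous and easy to extend: `case $$i in lib|lib64|bin|sbin) ;; *) exit 1;; esac`, which also makes a stray entry terminate the command instead of only affecting that iteration's status.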