tests: add lxc.sysctls.* test

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

.gitignore

@@ -106,6 +106,7 @@ src/tests/lxc-test-state-server
 src/tests/lxc-test-basic
 src/tests/lxc-test-cve-2019-5736
 src/tests/lxc-test-mount-injection
+src/tests/lxc-test-sysctls
 src/tests/lxc-test-sys-mixed
 src/tests/lxc-test-rootfs-options
 src/tests/lxc-test-capabilities

src/tests/Makefile.am

@@ -1357,6 +1357,87 @@ lxc_test_capabilities_SOURCES += ../include/prlimit.c ../include/prlimit.h
 endif
 endif
 
+lxc_test_sysctls_SOURCES = sysctls.c \
+			  ../lxc/af_unix.c ../lxc/af_unix.h \
+			  ../lxc/caps.c ../lxc/caps.h \
+			  ../lxc/cgroups/cgfsng.c \
+			  ../lxc/cgroups/cgroup.c ../lxc/cgroups/cgroup.h \
+			  ../lxc/cgroups/cgroup2_devices.c ../lxc/cgroups/cgroup2_devices.h \
+			  ../lxc/cgroups/cgroup_utils.c ../lxc/cgroups/cgroup_utils.h \
+			  ../lxc/commands.c ../lxc/commands.h \
+			  ../lxc/commands_utils.c ../lxc/commands_utils.h \
+			  ../lxc/conf.c ../lxc/conf.h \
+			  ../lxc/confile.c ../lxc/confile.h \
+			  ../lxc/confile_utils.c ../lxc/confile_utils.h \
+			  ../lxc/error.c ../lxc/error.h \
+			  ../lxc/file_utils.c ../lxc/file_utils.h \
+			  ../include/netns_ifaddrs.c ../include/netns_ifaddrs.h \
+			  ../lxc/initutils.c ../lxc/initutils.h \
+			  ../lxc/log.c ../lxc/log.h \
+			  ../lxc/lxclock.c ../lxc/lxclock.h \
+			  ../lxc/mainloop.c ../lxc/mainloop.h \
+			  ../lxc/monitor.c ../lxc/monitor.h \
+			  ../lxc/mount_utils.c ../lxc/mount_utils.h \
+			  ../lxc/namespace.c ../lxc/namespace.h \
+			  ../lxc/network.c ../lxc/network.h \
+			  ../lxc/nl.c ../lxc/nl.h \
+			  ../lxc/parse.c ../lxc/parse.h \
+			  ../lxc/process_utils.c ../lxc/process_utils.h \
+			  ../lxc/ringbuf.c ../lxc/ringbuf.h \
+			  ../lxc/start.c ../lxc/start.h \
+			  ../lxc/state.c ../lxc/state.h \
+			  ../lxc/storage/btrfs.c ../lxc/storage/btrfs.h \
+			  ../lxc/storage/dir.c ../lxc/storage/dir.h \
+			  ../lxc/storage/loop.c ../lxc/storage/loop.h \
+			  ../lxc/storage/lvm.c ../lxc/storage/lvm.h \
+			  ../lxc/storage/nbd.c ../lxc/storage/nbd.h \
+			  ../lxc/storage/overlay.c ../lxc/storage/overlay.h \
+			  ../lxc/storage/rbd.c ../lxc/storage/rbd.h \
+			  ../lxc/storage/rsync.c ../lxc/storage/rsync.h \
+			  ../lxc/storage/storage.c ../lxc/storage/storage.h \
+			  ../lxc/storage/storage_utils.c ../lxc/storage/storage_utils.h \
+			  ../lxc/storage/zfs.c ../lxc/storage/zfs.h \
+			  ../lxc/sync.c ../lxc/sync.h \
+			  ../lxc/string_utils.c ../lxc/string_utils.h \
+			  ../lxc/terminal.c ../lxc/terminal.h \
+			  ../lxc/utils.c ../lxc/utils.h \
+			  ../lxc/uuid.c ../lxc/uuid.h \
+			  $(LSM_SOURCES)
+if ENABLE_SECCOMP
+lxc_test_sysctls_SOURCES += ../lxc/seccomp.c ../lxc/lxcseccomp.h
+endif
+
+if !HAVE_STRCHRNUL
+lxc_test_sysctls_SOURCES += ../include/strchrnul.c ../include/strchrnul.h
+endif
+
+if !HAVE_STRLCPY
+lxc_test_sysctls_SOURCES += ../include/strlcpy.c ../include/strlcpy.h
+endif
+
+if !HAVE_STRLCAT
+lxc_test_sysctls_SOURCES += ../include/strlcat.c ../include/strlcat.h
+endif
+
+if !HAVE_OPENPTY
+lxc_test_sysctls_SOURCES += ../include/openpty.c ../include/openpty.h
+endif
+
+if IS_BIONIC
+lxc_test_sysctls_SOURCES += ../include/fexecve.c ../include/fexecve.h \
+			    ../include/lxcmntent.c ../include/lxcmntent.h
+endif
+
+if !HAVE_GETGRGID_R
+lxc_test_sysctls_SOURCES += ../include/getgrgid_r.c ../include/getgrgid_r.h
+endif
+
+if !HAVE_PRLIMIT
+if HAVE_PRLIMIT64
+lxc_test_sysctls_SOURCES += ../include/prlimit.c ../include/prlimit.h
+endif
+endif
+
 AM_CFLAGS += -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
 	     -DLXCPATH=\"$(LXCPATH)\" \
 	     -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \
@@ -1426,6 +1507,7 @@ bin_PROGRAMS = lxc-test-api-reboot \
 	       lxc-test-snapshot \
 	       lxc-test-startone \
 	       lxc-test-state-server \
+	       lxc-test-sysctls \
 	       lxc-test-sys-mixed \
 	       lxc-test-utils
 
@@ -1535,6 +1617,7 @@ EXTRA_DIST = arch_parse.c \
 	     startone.c \
 	     state_server.c \
 	     share_ns.c \
+	     sysctls.c \
 	     sys_mixed.c
 
 clean-local:

src/tests/capabilities.c

@@ -85,8 +85,7 @@ static int capabilities_deny(void *payload)
 
 static int run(int (*test)(void *), bool allow)
 {
-	__do_close int fd_log = -EBADF;
-	int fret = -1;
+	int fd_log = -EBADF, fret = -1;
 	lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
 	int ret;
 	pid_t pid;

src/tests/sysctls.c

@@ -0,0 +1,171 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "lxccontainer.h"
+#include "attach_options.h"
+
+#include "lxctest.h"
+#include "utils.h"
+
+#define CONTAINER_NAME "test-proc-sys"
+#define SYSCTL_PATH "/proc/sys/net/ipv4/ip_forward"
+#define SYSCTL_CONFIG_KEY "lxc.sysctl.net.ipv4.ip_forward"
+#define SYSCTL_CONFIG_VALUE "1"
+
+static int check_sysctls(void *payload)
+{
+	__do_close int fd = -EBADF;
+	char buf[INTTYPE_TO_STRLEN(__u64)];
+	ssize_t ret;
+
+	fd = open(SYSCTL_PATH, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+	if (fd < 0) {
+		lxc_error("Failed to open " SYSCTL_PATH);
+		return EXIT_FAILURE;
+	}
+
+	ret = lxc_read_nointr(fd, buf, sizeof(buf));
+	if (ret < 0 || (size_t)ret >= sizeof(buf)) {
+		lxc_error("Failed to read " SYSCTL_PATH);
+		return EXIT_FAILURE;
+	}
+
+	buf[ret] = '\0';
+	remove_trailing_newlines(buf);
+
+	if (!strequal(buf,  SYSCTL_CONFIG_VALUE)) {
+		lxc_error("Unexpected value %s for " SYSCTL_PATH, buf);
+		return EXIT_FAILURE;
+	}
+
+	return EXIT_SUCCESS;
+}
+
+int main(int argc, char *argv[])
+{
+	int fd_log = -EBADF, fret = EXIT_FAILURE;
+	lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
+	int ret;
+	pid_t pid;
+	struct lxc_container *c;
+	struct lxc_log log;
+	char template[sizeof(P_tmpdir "/" CONTAINER_NAME "_XXXXXX")];
+
+	if (!file_exists(SYSCTL_PATH)) {
+		lxc_debug("The sysctl path \"" SYSCTL_PATH "\" needed for this test does not exist. Skipping");
+		exit(EXIT_SUCCESS);
+	}
+
+	(void)strlcpy(template, P_tmpdir "/" CONTAINER_NAME "_XXXXXX", sizeof(template));
+
+	fd_log = lxc_make_tmpfile(template, false);
+	if (fd_log < 0) {
+		lxc_error("%s", "Failed to create temporary log file for container \"capabilities\"");
+		return fret;
+	}
+
+	log.name	= CONTAINER_NAME;
+	log.file	= template;
+	log.level	= "TRACE";
+	log.prefix	= CONTAINER_NAME;
+	log.quiet	= false;
+	log.lxcpath	= NULL;
+
+	if (lxc_log_init(&log))
+		exit(fret);
+
+	c = lxc_container_new(CONTAINER_NAME, NULL);
+	if (!c) {
+		lxc_error("%s", "Failed to create container " CONTAINER_NAME);
+		exit(fret);
+	}
+
+	if (c->is_defined(c)) {
+		lxc_error("%s\n", "Container " CONTAINER_NAME " is defined");
+		goto on_error_put;
+	}
+
+	if (!c->createl(c, "busybox", NULL, NULL, 0, NULL)) {
+		lxc_error("%s\n", "Failed to create busybox container " CONTAINER_NAME);
+		goto on_error_put;
+	}
+
+	if (!c->is_defined(c)) {
+		lxc_error("%s\n", "Container " CONTAINER_NAME " is not defined");
+		goto on_error_destroy;
+	}
+
+	if (!c->set_config_item(c, "lxc.mount.auto", "proc:rw")) {
+		lxc_error("%s\n", "Failed to set config item \"lxc.mount.auto=proc:rw\"");
+		goto on_error_destroy;
+	}
+
+	if (!c->clear_config_item(c, SYSCTL_CONFIG_KEY)) {
+		lxc_error("%s\n", "Failed to clear config item \"" SYSCTL_CONFIG_KEY "\"");
+		goto on_error_destroy;
+	}
+
+	if (!c->set_config_item(c, SYSCTL_CONFIG_KEY, SYSCTL_CONFIG_VALUE)) {
+		lxc_error("%s\n", "Failed to set config item \"" SYSCTL_CONFIG_KEY "\"");
+		goto on_error_destroy;
+	}
+
+	if (!c->want_daemonize(c, true)) {
+		lxc_error("%s\n", "Failed to mark container " CONTAINER_NAME " daemonized");
+		goto on_error_destroy;
+	}
+
+	if (!c->startl(c, 0, NULL)) {
+		lxc_error("%s\n", "Failed to start container " CONTAINER_NAME " daemonized");
+		goto on_error_destroy;
+	}
+
+	/* Leave some time for the container to write something to the log. */
+	sleep(2);
+
+	ret = c->attach(c, check_sysctls, NULL, &attach_options, &pid);
+	if (ret < 0) {
+		lxc_error("%s\n", "Failed to run function in container " CONTAINER_NAME);
+		goto on_error_stop;
+	}
+
+	ret = wait_for_pid(pid);
+	if (ret < 0) {
+		lxc_error("%s\n", "Function "CONTAINER_NAME" failed");
+		goto on_error_stop;
+	}
+
+	fret = 0;
+
+on_error_stop:
+	if (c->is_running(c) && !c->stop(c))
+		lxc_error("%s\n", "Failed to stop container " CONTAINER_NAME);
+
+on_error_destroy:
+	if (!c->destroy(c))
+		lxc_error("%s\n", "Failed to destroy container " CONTAINER_NAME);
+
+on_error_put:
+	lxc_container_put(c);
+
+	if (fret == EXIT_SUCCESS) {
+		lxc_debug("All sysctl tests passed\n");
+	} else {
+		char buf[4096];
+		ssize_t buflen;
+
+		while ((buflen = read(fd_log, buf, 1024)) > 0) {
+			buflen = write(STDERR_FILENO, buf, buflen);
+			if (buflen <= 0)
+				break;
+		}
+	}
+	close_prot_errno_disarm(fd_log);
+	(void)unlink(template);
+
+	exit(fret);
+}